Finally the real thing- no more ripoffs!

Enhancement Patches are hot right now, VERY hot!

Unfortunately, most are cheap imitiations and do very little to increase your size and stamina.

Well this is the real thing, not an imitation!

One of the very originals, the absolutely strongest Patch available, anywhere!

Check out the site for more info TODAY, you'll be glad you did ;)

0rder now

Remove you e-mail

Is there any more debug options I can use to figure this one out? Thanks, Donald Donald Dawson Baker Botts L.L.P. Security Administrator 713-229-2183 Classification: UNCLASSIFIED Caveats: NONE From stinkybob at gmail.com Mon Aug 20 15:59:24 2007 From: stinkybob at gmail.com (Eugene MacDougal) Date: Mon Aug 20 15:59:31 2007 Subject: f-prot-autoupdate patch Message-ID: <2579c6b20708200759g210ec2anbedea995c9ddfb20@mail.gmail.com> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: f-prot-autoupdate.patch Type: application/octet-stream Size: 440 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070820/ec271262/f-prot-autoupdate.obj From MailScanner at ecs.soton.ac.uk Mon Aug 20 18:14:46 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 20 18:15:32 2007 Subject: f-prot-autoupdate patch In-Reply-To: <2579c6b20708200759g210ec2anbedea995c9ddfb20@mail.gmail.com> References: <2579c6b20708200759g210ec2anbedea995c9ddfb20@mail.gmail.com> Message-ID: <46C9CC06.8080107@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 It will be in the next release. Good idea. Eugene MacDougal wrote: > It looks like f-prot-autoupdate does not have any path set. This was > a problem on my system (Solaris 10) because I have wget in > /usr/sfw/bin and root's crontab only receives a limited path on my > system. I set the PATH environment variable in the script and it > seems to help a lot. Please consider including this patch. > > Thanks, > -Gene Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Charset: ISO-8859-1 wj8DBQFGycwGEfZZRxQVtlQRAocLAJ9T1ft+um7HpUqYrwveeBkYw/6XvQCdEImE 8QV6DMccd6Yxsbl75Yf8n4s= =q+ZP -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From gmane at tippingmar.com Mon Aug 20 18:56:12 2007 From: gmane at tippingmar.com (Mark Nienberg) Date: Mon Aug 20 18:56:56 2007 Subject: sophos update installs crontab entry Message-ID: I noticed that the following recently appeared in my root crontab, presumably after MailScanner updated sophos v5: 3-59/5 * * * * /opt/sophos-av/bin/savupdate This runs a sophos update every 5 minutes and doesn't do the locking that MailScanner does, so it is probably best to delete it and allow MailScanner to take care of updates. I wonder if it is possible to modify the sophos-autoupdate script to remove this entry if savupdate creates it? Mark From a.peacock at chime.ucl.ac.uk Mon Aug 20 19:02:07 2007 From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Mon Aug 20 19:02:17 2007 Subject: sophos update installs crontab entry In-Reply-To: References: Message-ID: <46C9D71F.3010005@chime.ucl.ac.uk> Hi, Mark Nienberg wrote: > I noticed that the following recently appeared in my root crontab, > presumably after MailScanner updated sophos v5: > > 3-59/5 * * * * /opt/sophos-av/bin/savupdate > > This runs a sophos update every 5 minutes and doesn't do the locking > that MailScanner does, so it is probably best to delete it and allow > MailScanner to take care of updates. > > I wonder if it is possible to modify the sophos-autoupdate script to > remove this entry if savupdate creates it? -1 Please don't. I really don't want MailScanner messing with my Sophos install thank you very much. -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "I'm in shape. - ROUND is a shape" From donald.dawson at bakerbotts.com Mon Aug 20 19:18:12 2007 From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com) Date: Mon Aug 20 19:18:23 2007 Subject: temp files not being processed - score=0 (UNCLASSIFIED) In-Reply-To: <88991ECEE371C644986F0C8837C207B701CC314C@ARLABML01.DS.ARL.ARMY.MIL> Message-ID: That fixed the problem! I ran sa-learn clear also, but that was probably unnecessary to clear Bayes. Thank you so much! Donald -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kash, Howard (Civ, ARL/CISD) Sent: Monday, August 20, 2007 9:42 AM To: MailScanner discussion Subject: RE: temp files not being processed - score=0 (UNCLASSIFIED) Classification: UNCLASSIFIED Caveats: NONE I've had the "(not cached, score=0, required 5, autolearn=)" problem several times myself. Typically restarting MailScanner fixed the problem. Last time it happened, simply restarting didn't help so I tried removing SpamAssassin.cache.db and the problem stopped. Can't say for sure removing the cache was the fix, but worth a try. BTW, is there something similar to db_verify that can be run on the SpamAssassin cache to check for consistency? Howard -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of donald.dawson@bakerbotts.com Sent: Monday, August 20, 2007 9:46 AM To: mailscanner@lists.mailscanner.info Subject: FW: temp files not being processed - score=0 <> I have posted this problem before, but I have not found a solution, and I really need the forum's help. One of our MX servers is leaving files in /var/spool/MailScanner/incoming/SpamAssassin-Temp. It appears that each one being left is getting a 0 score. I ran this by Julian recently, and he said he was at least the same issue of files being left in that dir. I added an entry in cron to remove them, but it is just cleaning up the files leftover from a real problem: 1 * * * * /usr/bin/find /var/spool/MailScanner/incoming/SpamAssassin-Temp -type f -mtime +1 -print | /usr/bin/xargs rm -f # delete leftover temp files Here are the number of files in the for today and yesterday: root@houmx05:/var/spool/MailScanner/incoming/SpamAssassin-Temp # ls -la | grep -c ' Aug 19 ' 2409 # ls -la | grep -c ' Aug 18 ' 2135 Although not perfect, here is a count of 'score=0' lines from the maillog for the respective days: # zcat /var/log/maillog.1.gz | grep -c score=0 1221 # zcat /var/log/maillog.2.gz | grep -c score=0 1400 I have already lowered the MX priority of this server to try and receive less email, but it's still delivering emails (not all) with a zero score. I have included MailScanner -v and an output from MailScanner --debug --debug-sa as well (attached ms.zxp - rename to .zip to extract) as the contents of the email. I saw one possible discrepancy in processing the 2nd email via the debug option where it did not end with 'I am generating a hash using the input of'. The output show two emails being processed. The last one was definitely spam, but was scored as 0 and was left in the /var/spool/MailScanner/incoming/SpamAssassin-Temp dir. # MailScanner -v Running on Linux houmx05.bakerbotts.com 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 i686 i686 i386 GNU/Linux This is Fedora Core release 3 (Heidelberg) This is Perl version 5.008005 (5.8.5) This is MailScanner version 4.62.9 Module versions are: 1.00 AnyDBM_File 1.18 Archive::Zip 1.03 Carp 1.119 Convert::BinHex 1.00 DirHandle 1.05 Fcntl 2.73 File::Basename 2.08 File::Copy 2.01 FileHandle 1.06 File::Path 0.18 File::Temp 0.90 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.21 IO 1.10 IO::File 1.123 IO::Pipe 1.71 Mail::Header 1.86 Math::BigInt 3.05 MIME::Base64 5.420 MIME::Decoder 5.420 MIME::Decoder::UU 5.420 MIME::Head 5.420 MIME::Parser 3.03 MIME::QuotedPrint 5.420 MIME::Tools 0.11 Net::CIDR 1.08 POSIX 1.19 Scalar::Util 1.77 Socket 1.4 Sys::Hostname::Long 0.18 Sys::Syslog 1.9707 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.30 Archive::Tar 0.21 bignum 1.82 Business::ISBN 1.10 Business::ISBN::Data 0.17 Convert::TNEF 1.08 Data::Dump 1.814 DB_File 1.13 DBD::SQLite 1.56 DBI 1.15 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.10 Digest::SHA1 1.00 Encode::Detect 0.17008 Error 0.18 ExtUtils::CBuilder 2.18 ExtUtils::ParseXS 0.44 Inline 1.08 IO::String 1.04 IO::Zlib 2.21 IP::Country 0.20 Mail::ClamAV 3.002002 Mail::SpamAssassin v2.004 Mail::SPF 1.999001 Mail::SPF::Query 0.19 Math::BigRat 0.2808 Module::Build 0.20 Net::CIDR::Lite 0.60 Net::DNS 0.002.2 Net::DNS::Resolver::Programmable missing Net::LDAP 4.004 NetAddr::IP 1.94 Parse::RecDescent missing SAVI 2.64 Test::Harness 0.95 Test::Manifest 1.95 Text::Balanced 1.35 URI 0.7203 version 0.62 YAML see attached ms.txt for mailscanner --debug --debug-sa # l /var/spool/MailScanner/incoming/SpamAssassin-Temp/.spamassassin15944T1P9 bFtmp -rw------- 1 root root 2433 Aug 20 03:11 /var/spool/MailScanner/incoming/SpamAssassin-Temp/.spamassassin15944T1P9 bFtmp # fuser /var/spool/MailScanner/incoming/SpamAssassin-Temp/.spamassassin15944T1P9 bFtmp root@houmx05:/var/spool/MailScanner/incoming/SpamAssassin-Temp # grep l7K8B63E015934 /var/log/maillog Aug 20 03:11:14 houmx05 milter-greylist: l7K8B63E015934: skipping greylist because this is the default action, (from=, rcpt=, addr=ARouen-252-1-67-214.w90-23.abo.wanadoo.fr[90.23.62.214]) Aug 20 03:11:14 houmx05 sendmail[15934]: l7K8B63E015934: from=, size=1880, class=0, nrcpts=1, msgid=<000801c7e301$a7518b00$1201a8c0@reginald>, proto=SMTP, daemon=MTA, relay=ARouen-252-1-67-214.w90-23.abo.wanadoo.fr [90.23.62.214] Aug 20 03:11:14 houmx05 sendmail[15934]: l7K8B63E015934: Milter add: header: X-Null-Tag: 6a12c78c6f1e5960796d07939b28851d Aug 20 03:11:14 houmx05 sendmail[15934]: l7K8B63E015934: Milter add: header: X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-3.0rc3 (houmx05.bakerbotts.com [204.194.98.17]); Mon, 20 Aug 2007 03:11:14 -0500 (CDT) Aug 20 03:11:14 houmx05 sendmail[15934]: l7K8B63E015934: to=, delay=00:00:00, mailer=esmtp, pri=31880, stat=queued Aug 20 03:11:29 houmx05 MailScanner[15899]: Message l7K8B63E015934 from 90.23.62.214 (reginald@chmai2.loxinfo.co.th) to bakerbotts.com is not spam, SpamAssassin (not cached, score=0, required 5, autolearn=) Aug 20 03:11:29 houmx05 sendmail[15968]: l7K8B63E015934: to=, delay=00:00:15, xdelay=00:00:00, mailer=esmtp, pri=121880, relay=housweep01.bakerbotts.net. [10.20.254.236], dsn=2.0.0, stat=Sent (Message received OK) Contents of /var/spool/MailScanner/incoming/SpamAssassin-Temp/.spamassassin15944T1P9 bFtmp: X-BakerBotts-MailScanner-From: reginald@chmai2.loxinfo.co.th X-Envelope-From: reginald@chmai2.loxinfo.co.th Return-Path: Received: from abo.wanadoo.fr (ARouen-252-1-67-214.w90-23.abo.wanadoo.fr [90.23.62.214]) by houmx05.bakerbotts.com (8.13.8/8.13.5) with SMTP id l7K8B63E015934 for ; Mon, 20 Aug 2007 03:11:14 -0500 Message-ID: <000801c7e301$a7518b00$1201a8c0@reginald> From: "natal julia" TO: Subject: Hey bro, found this site Date: Mon, 20 Aug 2007 23:02:05 +0300 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_001_000C_01C7E301.A7518B00" Content-Transfer-Encoding: 7bit X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express Macintosh Edition - 5.01 (1630) X-MimeOLE: Produced By Microsoft MimeOLE V X-Null-Tag: 6a12c78c6f1e5960796d07939b28851d X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-3.0rc3 (houmx05.bakerbotts.com [204.194.98.17]); Mon, 20 Aug 2007 03:11:14 -0500 (CDT) This is a multi-part message in MIME format. ------=_NextPart_001_000C_01C7E301.A7518B00 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit ------=_NextPart_001_000C_01C7E301.A7518B00 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: 7bit

Finally the real thing- no more ripoffs!

Enhancement Patches are hot right now, VERY hot!

Unfortunately, most are cheap imitiations and do very little to increase your size and stamina.

Well this is the real thing, not an imitation!

One of the very originals, the absolutely strongest Patch available, anywhere!

Check out the site for more info TODAY, you'll be glad you did ;)

0rder now

Remove you e-mail

Is there any more debug options I can use to figure this one out? Thanks, Donald Donald Dawson Baker Botts L.L.P. Security Administrator 713-229-2183 Classification: UNCLASSIFIED Caveats: NONE -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Mon Aug 20 19:20:24 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 20 19:21:06 2007 Subject: sophos update installs crontab entry In-Reply-To: <46C9D71F.3010005@chime.ucl.ac.uk> References: <46C9D71F.3010005@chime.ucl.ac.uk> Message-ID: <46C9DB68.1090403@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Anthony Peacock wrote: > Hi, > > Mark Nienberg wrote: >> I noticed that the following recently appeared in my root crontab, >> presumably after MailScanner updated sophos v5: >> >> 3-59/5 * * * * /opt/sophos-av/bin/savupdate >> >> This runs a sophos update every 5 minutes and doesn't do the locking >> that MailScanner does, so it is probably best to delete it and allow >> MailScanner to take care of updates. >> >> I wonder if it is possible to modify the sophos-autoupdate script to >> remove this entry if savupdate creates it? > > -1 > > Please don't. > > I really don't want MailScanner messing with my Sophos install thank > you very much. > But hopefully you install Sophos using my Sophos.install script at the moment. It's possible that script could be written to remove that crontab entry. That way it would only get done once, at install-time. Whatever method you use to install it, do *not* install the on-access scanning. You can safely disable all the sav-* init.d scripts too. I might do some work on that. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Charset: ISO-8859-1 wj8DBQFGydtpEfZZRxQVtlQRAqV9AKD4uLESQBBLsOJTzJRc1SE5whoF9wCg52Jx WMM5gxU/G9tDAmrVDrWsZak= =Aq1U -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From list-mailscanner at linguaphone.com Mon Aug 20 19:32:38 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Mon Aug 20 19:32:43 2007 Subject: antispam server setup website - comments welcome Message-ID: I have created a little webpage listing the software I use and all the plugins etc... Its designed to be a page I can point people to so they can get an idea of what they should be doing and what additional rules they could be using etc... http://www.gbnetwork.co.uk/mailscanner/index.html Comments appreciated. From MailScanner at ecs.soton.ac.uk Mon Aug 20 19:49:39 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 20 19:50:32 2007 Subject: sophos update installs crontab entry In-Reply-To: References: Message-ID: <46C9E243.1060402@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mark Nienberg wrote: > I noticed that the following recently appeared in my root crontab, > presumably after MailScanner updated sophos v5: > > 3-59/5 * * * * /opt/sophos-av/bin/savupdate > > This runs a sophos update every 5 minutes and doesn't do the locking > that MailScanner does, so it is probably best to delete it and allow > MailScanner to take care of updates. > > I wonder if it is possible to modify the sophos-autoupdate script to > remove this entry if savupdate creates it? Done, but not in sophos-autoupdate. I have also disabled and switched off the Sophos daemons as you don't need any of them running, they just waste resources and generated yet more unwanted syslog output. These changes will be in the Sophos.install in the next release. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Charset: ISO-8859-1 wj8DBQFGyeJEEfZZRxQVtlQRAgF8AKCLZamHW45xXbnLBPTnUZAJ4H38lwCeKboM qfIUJ54QdltETANIqOW5jUA= =uOQN -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Mon Aug 20 20:09:34 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 20 20:10:38 2007 Subject: antispam server setup website - comments welcome In-Reply-To: References: Message-ID: <46C9E6EE.7010109@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Gareth wrote: > http://www.gbnetwork.co.uk/mailscanner/index.html > > Comments appreciated. > I would remove Pyzor. I've never been a fan of it, and get on well without it. It's only 2 servers which is not good for a global service. I would also add DCC. Very useful and very reliable. I have my own DCC server, which I wouldn't advise you try to set up, it was a right pain to get it working, even with help from the author :-( But do use DCC itself as a client, it helps detect a lot of spam and outages and very very rare. There are multiple servers on multiple sites. Other than those, that looks like a pretty comprehensive list. How much help is all the OCR stuff? I've never installed it, and again find that I can live happily without it. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Charset: ISO-8859-1 wj8DBQFGyebvEfZZRxQVtlQRAq11AJ9vEtDO79O0ADHcoeGYgRf2MLHd0gCdGOjF vBl7XjgG+r2arV/Ayi/XEZk= =CNZL -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From list-mailscanner at linguaphone.com Mon Aug 20 20:28:36 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Mon Aug 20 20:28:41 2007 Subject: antispam server setup website - comments welcome In-Reply-To: <46C9E6EE.7010109@ecs.soton.ac.uk> Message-ID: I get on fairly well with pyzor. It seems able to detect a lot of the image and pdf spam. I do use the alternative server 82.94.255.100:24441 though which is much more reliable. I do intend to try DCC but I believe it matches any email that a lot of people receive so you have to whitelist any mailing lists you are on? The OCR does work reasonably well although there is a lot that it cannot detect. If you use the sanesecurity signatures for clamav then it is probably not really worth installing as they detect the majority of them and you do need a lot of packages for fuzzyocr to work. I also intend to take a look at CRM114 at some point aswell. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Julian > Field > Sent: 20 August 2007 20:10 > To: MailScanner discussion > Subject: Re: antispam server setup website - comments welcome > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Gareth wrote: > > http://www.gbnetwork.co.uk/mailscanner/index.html > > > > Comments appreciated. > > > I would remove Pyzor. I've never been a fan of it, and get on well > without it. It's only 2 servers which is not good for a global service. > > I would also add DCC. Very useful and very reliable. I have my own DCC > server, which I wouldn't advise you try to set up, it was a right pain > to get it working, even with help from the author :-( But do use DCC > itself as a client, it helps detect a lot of spam and outages and very > very rare. There are multiple servers on multiple sites. > > Other than those, that looks like a pretty comprehensive list. > > How much help is all the OCR stuff? I've never installed it, and again > find that I can live happily without it. > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.3 (Build 3017) > Charset: ISO-8859-1 > > wj8DBQFGyebvEfZZRxQVtlQRAq11AJ9vEtDO79O0ADHcoeGYgRf2MLHd0gCdGOjF > vBl7XjgG+r2arV/Ayi/XEZk= > =CNZL > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > From MailScanner at ecs.soton.ac.uk Mon Aug 20 20:43:20 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 20 20:44:01 2007 Subject: antispam server setup website - comments welcome In-Reply-To: References: Message-ID: <46C9EED8.1050201@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Gareth wrote: > I get on fairly well with pyzor. It seems able to detect a lot of the image > and pdf spam. I do use the alternative server 82.94.255.100:24441 though > which is much more reliable. > This is a level of tweaking and maintenance that I don't have the time for. > I do intend to try DCC but I believe it matches any email that a lot of > people receive so you have to whitelist any mailing lists you are on? > I never have, and don't have any problems with it. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Charset: ISO-8859-1 wj8DBQFGye7YEfZZRxQVtlQRAr5kAKDQFzly28dIofxsw6VO7vTMzNSatACfYSZA qh4n6f8jDHpRdXnTw9cafyw= =yURk -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From gmane at tippingmar.com Mon Aug 20 20:46:49 2007 From: gmane at tippingmar.com (Mark Nienberg) Date: Mon Aug 20 20:47:23 2007 Subject: sophos update installs crontab entry In-Reply-To: <46C9E243.1060402@ecs.soton.ac.uk> References: <46C9E243.1060402@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Mark Nienberg wrote: >> I noticed that the following recently appeared in my root crontab, >> presumably after MailScanner updated sophos v5: >> >> 3-59/5 * * * * /opt/sophos-av/bin/savupdate >> >> This runs a sophos update every 5 minutes and doesn't do the locking >> that MailScanner does, so it is probably best to delete it and allow >> MailScanner to take care of updates. >> >> I wonder if it is possible to modify the sophos-autoupdate script to >> remove this entry if savupdate creates it? > Done, but not in sophos-autoupdate. I have also disabled and switched > off the Sophos daemons as you don't need any of them running, they just > waste resources and generated yet more unwanted syslog output. > > These changes will be in the Sophos.install in the next release. That is a nice improvement to Sophos.install. I guess you are saying that we need to monitor crontab and manually remove the savupdate whenever it reappears? The crontab entry was put there during the initial Sophos installation but I had removed it many months ago. It reappeared recently, though I have made no changes to my Sophos installation. Mark From list-mailscanner at linguaphone.com Mon Aug 20 20:50:04 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Mon Aug 20 20:50:16 2007 Subject: SpamAssassin Rule Actions enhancement Message-ID: How easy would it be to enhance the 'SpamAssassin Rule Actions' section so that you could write a rule based on the smapassassin score itself? For example :- SpamAssassin Rule Actions = SASCORE>25=>not-deliver store The reason being is that I use the low scoring spam options to mark spam as possible spam and deliver it. High scoring marks mail as spam and delivers it. I would like to be able to just delete anything which is very high scoring. Thanks Gareth From MailScanner at ecs.soton.ac.uk Mon Aug 20 22:10:24 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 20 22:11:41 2007 Subject: SpamAssassin Rule Actions enhancement In-Reply-To: References: Message-ID: <46CA0340.6050701@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 That's a really good idea. I have changed SASCORE to SpamScore but otherwise I have done a full implementation of what you wanted. So instead of a SpamAssassin rule name, you can give any of SpamScore>25 SpamScore>=25 SpamScore==25 SpamScore<=25 SpamScore<25 Note you can only give 1 action per rulename (or spamscore comparison), so to correct your example below, you would have to say SpamAssassin Rule Actions = SpamScore>25=>not-deliver, SpamScore>25=>store This will be in the next release. Note that it can be used to implement as many levels of spam actions as you want. So if normal spam actions and high-scoring spam actions aren't enough for you, you can use this to implement a 3rd or even a 4th level of spam actions as well. Jules. Gareth wrote: > How easy would it be to enhance the 'SpamAssassin Rule Actions' section so > that you could write a rule based on the smapassassin score itself? > For example :- > SpamAssassin Rule Actions = SASCORE>25=>not-deliver store > > The reason being is that I use the low scoring spam options to mark spam as > possible spam and deliver it. High scoring marks mail as spam and delivers > it. I would like to be able to just delete anything which is very high > scoring. > > Thanks > Gareth > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Charset: ISO-8859-1 wj8DBQFGygNNEfZZRxQVtlQRAkN+AJkBqYI0KBh1X+D0BQxw5AGTSOyjvwCgl5Un TGbkU+jBhupmH806ZFeAjcw= =5Uje -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From tim at denmantire.com Mon Aug 20 22:22:00 2007 From: tim at denmantire.com (Tim Boyer) Date: Mon Aug 20 22:22:16 2007 Subject: Heads up for spamhaus.org problems References: <20070819222357.GA27826@rpcs.net> <20070820020201.GA2841@rpcs.net> Message-ID: On Sun, 19 Aug 2007 22:02:01 -0400, Richard Potter wrote: >On Mon, Aug 20, 2007 at 12:34:23AM +0200, Raymond Dijkxhoorn wrote: > >> >Just doing a routine check here, and I have a few mail servers >> >misbehaving. It >> >*appears* sendmail dnsbl to zen.spamhaus.org is timing out, and causing >> >mail >> >delivery delays, or none at all. >> > >> >I'm going to discontinue spamhaus, and see what happens. >> >> Buy rsync from them. Most likely you fire a lot of lookups on their >> servers and they started to ban high volume mailservers some time ago. >> We have seen this in a lot of places allready. >> >> May i ask how much mail are you processing daily? > >Thanks for the reply Raymond.. I wasn't aware they were doing that. These >are low volume servers, less than 2,000 messages per day. Does that count >as "high volume" to spamhaus? > >Richard "Use of the Spamhaus DNSBLs via DNS queries to our public DNSBL mirrors is free for low-traffic mail servers serving less than 100 users. Use of the Spamhaus DNSBLs by commercial or corporate networks, ISPs and ESPs, requires a subscription to Spamhaus's Data Feed service." I'd be shocked if 2,000 messages per day counts as high volume. That's 20 emails per person per day. -- tim boyer tim@denmantire.com From ms-list at alexb.ch Mon Aug 20 22:34:05 2007 From: ms-list at alexb.ch (Alex Broens) Date: Mon Aug 20 22:34:13 2007 Subject: Heads up for spamhaus.org problems In-Reply-To: References: <20070819222357.GA27826@rpcs.net> <20070820020201.GA2841@rpcs.net> Message-ID: <46CA08CD.8070400@alexb.ch> On 8/20/2007 11:22 PM, Tim Boyer wrote: > On Sun, 19 Aug 2007 22:02:01 -0400, Richard Potter wrote: > >> On Mon, Aug 20, 2007 at 12:34:23AM +0200, Raymond Dijkxhoorn wrote: >> >>>> Just doing a routine check here, and I have a few mail servers >>>> misbehaving. It >>>> *appears* sendmail dnsbl to zen.spamhaus.org is timing out, and causing >>>> mail >>>> delivery delays, or none at all. >>>> >>>> I'm going to discontinue spamhaus, and see what happens. >>> Buy rsync from them. Most likely you fire a lot of lookups on their >>> servers and they started to ban high volume mailservers some time ago. >>> We have seen this in a lot of places allready. >>> >>> May i ask how much mail are you processing daily? >> Thanks for the reply Raymond.. I wasn't aware they were doing that. These >> are low volume servers, less than 2,000 messages per day. Does that count >> as "high volume" to spamhaus? >> >> Richard > > "Use of the Spamhaus DNSBLs via DNS queries to our public DNSBL mirrors is free > for low-traffic mail servers serving less than 100 users. Use of the Spamhaus > DNSBLs by commercial or corporate networks, ISPs and ESPs, requires a > subscription to Spamhaus's Data Feed service." > > I'd be shocked if 2,000 messages per day counts as high volume. That's 20 > emails per person per day. no need to be shocked :-) Spamhaus can't block your mail server from doing queries - it blocks your DNS' access to the root zone - so if you use a DNS which is querying Xmillion queries/day and your server is only doing 10000/day then the rest of the X/million+your 10000 makes he count which rates a block. Alex From list-mailscanner at linguaphone.com Mon Aug 20 22:34:02 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Mon Aug 20 22:34:18 2007 Subject: Heads up for spamhaus.org problems In-Reply-To: Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Tim > Boyer > Sent: 20 August 2007 22:22 > To: mailscanner@lists.mailscanner.info > Subject: Re: Heads up for spamhaus.org problems > > > On Sun, 19 Aug 2007 22:02:01 -0400, Richard Potter > wrote: > > >On Mon, Aug 20, 2007 at 12:34:23AM +0200, Raymond Dijkxhoorn wrote: > > > >> >Just doing a routine check here, and I have a few mail servers > >> >misbehaving. It > >> >*appears* sendmail dnsbl to zen.spamhaus.org is timing out, > and causing > >> >mail > >> >delivery delays, or none at all. > >> > > >> >I'm going to discontinue spamhaus, and see what happens. > >> > >> Buy rsync from them. Most likely you fire a lot of lookups on their > >> servers and they started to ban high volume mailservers some time ago. > >> We have seen this in a lot of places allready. > >> > >> May i ask how much mail are you processing daily? > > > >Thanks for the reply Raymond.. I wasn't aware they were doing that. These > >are low volume servers, less than 2,000 messages per day. Does that count > >as "high volume" to spamhaus? > > > >Richard > > "Use of the Spamhaus DNSBLs via DNS queries to our public DNSBL > mirrors is free > for low-traffic mail servers serving less than 100 users. Use of > the Spamhaus > DNSBLs by commercial or corporate networks, ISPs and ESPs, requires a > subscription to Spamhaus's Data Feed service." > > I'd be shocked if 2,000 messages per day counts as high volume. That's 20 > emails per person per day. > >From my experience when we moved over to MailScanner we did it gradually and on the 3rd day we were processing about 2000-2500 messages per day. On day 4 the Spamhaus DNSBLs stopped matching and never worked from that point onwards. So I would not be surprised if others got blocked for 2000 messages per day. From list-mailscanner at linguaphone.com Mon Aug 20 22:34:34 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Mon Aug 20 22:34:38 2007 Subject: SpamAssassin Rule Actions enhancement In-Reply-To: <46CA0340.6050701@ecs.soton.ac.uk> Message-ID: Thanks. I'm glad you thought it was a good idea :) > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Julian > Field > Sent: 20 August 2007 22:10 > To: MailScanner discussion > Subject: Re: SpamAssassin Rule Actions enhancement > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > That's a really good idea. I have changed SASCORE to SpamScore but > otherwise I have done a full implementation of what you wanted. So > instead of a SpamAssassin rule name, you can give any of > SpamScore>25 > SpamScore>=25 > SpamScore==25 > SpamScore<=25 > SpamScore<25 > > Note you can only give 1 action per rulename (or spamscore comparison), > so to correct your example below, you would have to say > > SpamAssassin Rule Actions = SpamScore>25=>not-deliver, SpamScore>25=>store > > This will be in the next release. > > Note that it can be used to implement as many levels of spam actions as > you want. So if normal spam actions and high-scoring spam actions aren't > enough for you, you can use this to implement a 3rd or even a 4th level > of spam actions as well. > > Jules. > > Gareth wrote: > > How easy would it be to enhance the 'SpamAssassin Rule Actions' > section so > > that you could write a rule based on the smapassassin score itself? > > For example :- > > SpamAssassin Rule Actions = SASCORE>25=>not-deliver store > > > > The reason being is that I use the low scoring spam options to > mark spam as > > possible spam and deliver it. High scoring marks mail as spam > and delivers > > it. I would like to be able to just delete anything which is very high > > scoring. > > > > Thanks > > Gareth > > > > > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.3 (Build 3017) > Charset: ISO-8859-1 > > wj8DBQFGygNNEfZZRxQVtlQRAkN+AJkBqYI0KBh1X+D0BQxw5AGTSOyjvwCgl5Un > TGbkU+jBhupmH806ZFeAjcw= > =5Uje > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > From ard at pergamentum.com Mon Aug 20 23:07:33 2007 From: ard at pergamentum.com (Alisdair Davey) Date: Mon Aug 20 23:07:51 2007 Subject: Heads up for spamhaus.org problems In-Reply-To: Message-ID: <200708202207.l7KM7Xda007804@www4.pergamentum.com> > > I'd be shocked if 2,000 messages per day counts as high volume. That's 20 > > emails per person per day. > > >From my experience when we moved over to MailScanner we did it gradually and > on the 3rd day we were processing about 2000-2500 messages per day. On day 4 > the Spamhaus DNSBLs stopped matching and never worked from that point > onwards. So I would not be surprised if others got blocked for 2000 messages > per day. I did a quick count through my log file for today - for 852 delivered messages I rejected 12716 with Spamhaus DNSBLs. That's almost 15:1... Alisdair -- Alisdair Davey ard@pergamentum.com Pergamentum Solutions 2066 Dailey Lane Superior, CO 80027 From ssilva at sgvwater.com Mon Aug 20 23:43:01 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Aug 20 23:43:14 2007 Subject: White Listing emails from eBay? In-Reply-To: References: <223f97700708200126w31eeb65r8847a646a7f0dc34@mail.gmail.com> Message-ID: Paul Hutchings spake the following on 8/20/2007 1:37 AM: > I think the issue is not that it's a false positive - I'd want to know > if it came from anywhere other than from eBay. > > I'll investigate the DKIM suggestion from Martin - as a sticking plaster > though is emailebay.com a workable suggestion? > Name based whitelisting is too easy to fool. Envelopes are easily forged. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Mon Aug 20 23:57:15 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Aug 20 23:57:31 2007 Subject: antispam server setup website - comments welcome In-Reply-To: References: <46C9E6EE.7010109@ecs.soton.ac.uk> Message-ID: Gareth spake the following on 8/20/2007 12:28 PM: > I get on fairly well with pyzor. It seems able to detect a lot of the image > and pdf spam. I do use the alternative server 82.94.255.100:24441 though > which is much more reliable. > > I do intend to try DCC but I believe it matches any email that a lot of > people receive so you have to whitelist any mailing lists you are on? > Usually mailing list messages get on there from people who use a "report-as-spam" button on messages they are too lazy to unsubscribe from. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From hmkash at arl.army.mil Tue Aug 21 00:38:31 2007 From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD)) Date: Tue Aug 21 00:36:20 2007 Subject: SpamAssassin Rule Actions enhancement (UNCLASSIFIED) In-Reply-To: <46CA0340.6050701@ecs.soton.ac.uk> References: <46CA0340.6050701@ecs.soton.ac.uk> Message-ID: <88991ECEE371C644986F0C8837C207B701CC314E@ARLABML01.DS.ARL.ARMY.MIL> Classification: Caveats: *NOTICE: Would anyone else be interested in an option to the 'store' action to specify a directory relative to 'Quarantine Dir'? This way various levels of spamness can be stored in different directories. For example: SpamAssassin Rule Actions = SpamScore>25=>store HIGH, SpamScore>15=>store MED, SpamScore>=5=>store LOW, SpamScore<5=>deliver would store messages with SA scores between 5 and 15 in /var/spool/MailScanner/quarantine/spam/LOW, scores between 15 and 25 in /var/spool/MailScanner/quarantine/spam/MED, and scores over 25 in /var/spool/MailScanner/quarantine/spam/HIGH. How will the 'SpamAssassin Rule Actions', 'Spam Actions', and 'High Scoring Spam Actions' be prioritized? In other words, which one will have presedence if there are conflicting settings (i.e. High Scoring Spam Actions = delete, SpamAssassin Rule Actions = SpamScore>15=>store)? Thanks, Howard Classification: Caveats: From culleym at genevawoods.com Tue Aug 21 01:06:40 2007 From: culleym at genevawoods.com (Culley Morrow) Date: Tue Aug 21 01:07:00 2007 Subject: New Clam, Old, Mailscanner, Ancient Kernel Message-ID: <001a01c7e387$266c2460$0202fea9@genevawoods.com> Howdy folks, I've got a bit of a dilemma here. I've taken over admin for an aging Debian 3.0 server partly morphed to 4.0. By partly I mean it is still using the default 2.4.18-bf2.4 kernel. Way, way, out of date. The upshot is we are planning to replace it in the vaguely near future once we decide what groupware package to put in it's place. I'll list out the software versions below and I need a bit of assistance making them work for now. I know all I need to do is upgrade the kernel to 2.6 and it all works, but I'd like to get them functioning "As-Is" and then do the upgrade so I have something working to fall back on. Clam AV is currently shut off since clamd as a service was so slow. Kernel 2.4.18-bf2.4 Mailscanner 3.27.1-1 Clam AV 0.90.1-3etch3 Spam Assassin 2.64-1 Currently we are inundated with mass spam and I need to get some AV in place, be it Clam or another GNU/GPL/"free as in beer"-ware. I need a hand here if anyone wants to chime in. ~={o}=~ Culley Morrow IT Manager Geneva Woods Pharmacy -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070820/249d59f8/attachment.html From jim.barber at ddihealth.com Tue Aug 21 01:30:54 2007 From: jim.barber at ddihealth.com (Jim Barber) Date: Tue Aug 21 01:31:03 2007 Subject: MailScanner mailing list ended up on a black list. Message-ID: <46CA323E.9020403@ddihealth.com> Hi all. Last night I noticed that most (all?) of my incoming posts from this list were tagged as spam (despite having really low scores). I found the cause was due to an RBL server that I use having listed one of the email servers this list comes from. The MailScanner server that is getting black listed is: 83.98.192.7 which reverse resolves to safir.blacknight.ie The RBL server that I am using is blackholes.five-ten-sg.com This one I've added myself, but I am reluctant to remove it since so far over the months it has served me well. If you go to http://www.five-ten-sg.com/blackhole.php and enter 83.98.192.7 into the form it comes back with the following: ------------------------------------------------------------ IP address 83.98.192.7 is listed here as 83.98.192.165 misc. Although there may be other reasons, most of the listings in this category are due to (1. systems apparently sending bulk mail from ip addresses with bogus or missing reverse dns, or with no web server, or with boilerplate web content, or 2. a suspected multistage relay output, or 3. machines probably running MS SMTPSVC with an open guest account, or 4. running some open proxy), or it is in the same /24 subnet containing multiple machines with that property. ------------------------------------------------------------ The 'misc' (127.0.0.9) return code is defined by the site as: ------------------------------------------------------------ misc - Miscellaneous includes (but is NOT limited to) the following groups. Note that this does NOT include misc.spam which is listed under spam above. 1) /24 blocks of addresses containing systems that are apparently sending bulk email (in volumes apparently comparable with the volume from AOL, Earthlink, Google), with any of the following attributes: missing or bogus reverse dns, reverse dns names in domains with no web server, or domains with boilerplate web content. 2) Systems that are strongly suspected of being multistage open relays (where I have not been able to identify the input stage) or open proxies. 3) Any system that delivers spam here, that appears to be running MS SMTPSVC, and that appears to have relayed the message from China, Korea, Brazil, or any known open proxy. These are generally systems that have enabled the guest account, and spammers are using them as open relays, even though they do require SMTP AUTH. Enabling the guest account allows anyone to relay thru them. ------------------------------------------------------------ Is this the correct place to report it to? It's sort of ironic having an anti-spam list ending up marked as spam. Oh well. Regards, -- ---------- Jim Barber DDI Health From rpotter at rpcs.net Tue Aug 21 01:53:42 2007 From: rpotter at rpcs.net (Richard Potter) Date: Tue Aug 21 01:53:51 2007 Subject: Heads up for spamhaus.org problems In-Reply-To: <46CA08CD.8070400@alexb.ch> References: <20070819222357.GA27826@rpcs.net> <20070820020201.GA2841@rpcs.net> <46CA08CD.8070400@alexb.ch> Message-ID: <20070821005342.GA5580@rpcs.net> On Mon, Aug 20, 2007 at 11:34:05PM +0200, Alex Broens wrote: > On 8/20/2007 11:22 PM, Tim Boyer wrote: > >On Sun, 19 Aug 2007 22:02:01 -0400, Richard Potter > >wrote: > > > >>On Mon, Aug 20, 2007 at 12:34:23AM +0200, Raymond Dijkxhoorn wrote: > >> > >>>>Just doing a routine check here, and I have a few mail servers > >>>>misbehaving. It > >>>>*appears* sendmail dnsbl to zen.spamhaus.org is timing out, and causing > >>>>mail > >>>>delivery delays, or none at all. > >>>> > >>>>I'm going to discontinue spamhaus, and see what happens. > >>>Buy rsync from them. Most likely you fire a lot of lookups on their > >>>servers and they started to ban high volume mailservers some time ago. > >>>We have seen this in a lot of places allready. > >>> > >>>May i ask how much mail are you processing daily? > >>Thanks for the reply Raymond.. I wasn't aware they were doing that. These > >>are low volume servers, less than 2,000 messages per day. Does that count > >>as "high volume" to spamhaus? > >> > >>Richard > > > >"Use of the Spamhaus DNSBLs via DNS queries to our public DNSBL mirrors is > >free > >for low-traffic mail servers serving less than 100 users. Use of the > >Spamhaus > >DNSBLs by commercial or corporate networks, ISPs and ESPs, requires a > >subscription to Spamhaus's Data Feed service." > > > >I'd be shocked if 2,000 messages per day counts as high volume. That's 20 > >emails per person per day. > > no need to be shocked :-) > > Spamhaus can't block your mail server from doing queries - it blocks > your DNS' access to the root zone - so if you use a DNS which is > querying Xmillion queries/day and your server is only doing 10000/day > then the rest of the X/million+your 10000 makes he count which rates a > block. You are exactly right. I was told that off list. I switched the two boxes to an alternative DNS server, and spamhaus worked again. I'm not sure why I didn't figure that out on my own. I actually knew/should have known that. It was Sunday, and I might have had a few beers! :-) Richard From dave.list at pixelhammer.com Tue Aug 21 04:05:55 2007 From: dave.list at pixelhammer.com (DAve) Date: Tue Aug 21 04:07:18 2007 Subject: Heads up for spamhaus.org problems In-Reply-To: <20070821005342.GA5580@rpcs.net> References: <20070819222357.GA27826@rpcs.net> <20070820020201.GA2841@rpcs.net> <46CA08CD.8070400@alexb.ch> <20070821005342.GA5580@rpcs.net> Message-ID: <46CA5693.1090400@pixelhammer.com> Richard Potter wrote: > On Mon, Aug 20, 2007 at 11:34:05PM +0200, Alex Broens wrote: > >> On 8/20/2007 11:22 PM, Tim Boyer wrote: >>> On Sun, 19 Aug 2007 22:02:01 -0400, Richard Potter >>> wrote: >>> >>>> On Mon, Aug 20, 2007 at 12:34:23AM +0200, Raymond Dijkxhoorn wrote: >>>> >>>>>> Just doing a routine check here, and I have a few mail servers >>>>>> misbehaving. It >>>>>> *appears* sendmail dnsbl to zen.spamhaus.org is timing out, and causing >>>>>> mail >>>>>> delivery delays, or none at all. >>>>>> >>>>>> I'm going to discontinue spamhaus, and see what happens. >>>>> Buy rsync from them. Most likely you fire a lot of lookups on their >>>>> servers and they started to ban high volume mailservers some time ago. >>>>> We have seen this in a lot of places allready. >>>>> >>>>> May i ask how much mail are you processing daily? >>>> Thanks for the reply Raymond.. I wasn't aware they were doing that. These >>>> are low volume servers, less than 2,000 messages per day. Does that count >>>> as "high volume" to spamhaus? >>>> >>>> Richard >>> "Use of the Spamhaus DNSBLs via DNS queries to our public DNSBL mirrors is >>> free >>> for low-traffic mail servers serving less than 100 users. Use of the >>> Spamhaus >>> DNSBLs by commercial or corporate networks, ISPs and ESPs, requires a >>> subscription to Spamhaus's Data Feed service." >>> >>> I'd be shocked if 2,000 messages per day counts as high volume. That's 20 >>> emails per person per day. >> no need to be shocked :-) >> >> Spamhaus can't block your mail server from doing queries - it blocks >> your DNS' access to the root zone - so if you use a DNS which is >> querying Xmillion queries/day and your server is only doing 10000/day >> then the rest of the X/million+your 10000 makes he count which rates a >> block. > > > You are exactly right. I was told that off list. I switched the two > boxes to an alternative DNS server, and spamhaus worked again. > > I'm not sure why I didn't figure that out on my own. I actually > knew/should have known that. It was Sunday, and I might have had a > few beers! :-) > > Richard Are you using a caching server? Possibly it's not the 2000 queries a day they block, but the 10,000 needlessly repeated queries from the same DNS server. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From dave.list at pixelhammer.com Tue Aug 21 04:45:35 2007 From: dave.list at pixelhammer.com (DAve) Date: Tue Aug 21 04:46:57 2007 Subject: Heads up for spamhaus.org problems In-Reply-To: <46CA5693.1090400@pixelhammer.com> References: <20070819222357.GA27826@rpcs.net> <20070820020201.GA2841@rpcs.net> <46CA08CD.8070400@alexb.ch> <20070821005342.GA5580@rpcs.net> <46CA5693.1090400@pixelhammer.com> Message-ID: <46CA5FDF.80609@pixelhammer.com> DAve wrote: > Richard Potter wrote: >> On Mon, Aug 20, 2007 at 11:34:05PM +0200, Alex Broens wrote: >> >>> On 8/20/2007 11:22 PM, Tim Boyer wrote: >>>> On Sun, 19 Aug 2007 22:02:01 -0400, Richard Potter >>>> wrote: >>>> >>>>> On Mon, Aug 20, 2007 at 12:34:23AM +0200, Raymond Dijkxhoorn wrote: >>>>> >>>>>>> Just doing a routine check here, and I have a few mail servers >>>>>>> misbehaving. It >>>>>>> *appears* sendmail dnsbl to zen.spamhaus.org is timing out, and >>>>>>> causing mail >>>>>>> delivery delays, or none at all. >>>>>>> >>>>>>> I'm going to discontinue spamhaus, and see what happens. >>>>>> Buy rsync from them. Most likely you fire a lot of lookups on >>>>>> their servers and they started to ban high volume mailservers some >>>>>> time ago. >>>>>> We have seen this in a lot of places allready. >>>>>> >>>>>> May i ask how much mail are you processing daily? >>>>> Thanks for the reply Raymond.. I wasn't aware they were doing that. >>>>> These >>>>> are low volume servers, less than 2,000 messages per day. Does that >>>>> count >>>>> as "high volume" to spamhaus? >>>>> >>>>> Richard >>>> "Use of the Spamhaus DNSBLs via DNS queries to our public DNSBL >>>> mirrors is free >>>> for low-traffic mail servers serving less than 100 users. Use of the >>>> Spamhaus >>>> DNSBLs by commercial or corporate networks, ISPs and ESPs, requires a >>>> subscription to Spamhaus's Data Feed service." >>>> >>>> I'd be shocked if 2,000 messages per day counts as high volume. >>>> That's 20 >>>> emails per person per day. >>> no need to be shocked :-) >>> >>> Spamhaus can't block your mail server from doing queries - it blocks >>> your DNS' access to the root zone - so if you use a DNS which is >>> querying Xmillion queries/day and your server is only doing 10000/day >>> then the rest of the X/million+your 10000 makes he count which rates >>> a block. >> >> >> You are exactly right. I was told that off list. I switched the two >> boxes to an alternative DNS server, and spamhaus worked again. >> >> I'm not sure why I didn't figure that out on my own. I actually >> knew/should have known that. It was Sunday, and I might have had a few >> beers! :-) >> >> Richard > > Are you using a caching server? Possibly it's not the 2000 queries a day > they block, but the 10,000 needlessly repeated queries from the same DNS > server. > > DAve > I am *not* suggesting spamhaus blocks are your fault. When I re read my response it looked kinda mean the way I said it. I apologize if it appears that way. I do suspect spamhaus gets a large number of queries from non-caching servers. The use of a DNS cache is faster for you, less load for them, everyone wins. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From wolfgang at sweet-haven.com Tue Aug 21 06:46:59 2007 From: wolfgang at sweet-haven.com (Lew Wolfgang) Date: Tue Aug 21 06:47:11 2007 Subject: MailScanner mailing list ended up on a black list. In-Reply-To: <46CA323E.9020403@ddihealth.com> References: <46CA323E.9020403@ddihealth.com> Message-ID: <46CA7C53.5050000@sweet-haven.com> Hi Jim, Well, it happened to me too. One of my sites hosts email for a small research company. This past Saturday I noticed that a message from the president to his sister on hotmail.com was rejected as being spammy. A quick check showed that we were listed on apews.org with the reason being that another host on our subnet was caught spamming, but is now shut down. Further, it's a /17 subnet! 32,765 other innocent sites (potentially) were judged guilty by association! Microsoft's web site said the thing to do was implement SPF, which I did and after registering with Microsoft, was able to send mail to hotmail/msn addresses. SPF overrides a hit from a DNSBL in Microsoft's world, I guess. Then, this evening, we had another spammy bounce from an att.net address. This time, we're also listed in blackholes.five-ten-sg.com for the same "guilt by association" rationale. I guess they got mailscanner.info with the same broad brush. I see that 83.98.192.7 is in apews.org too. It's not right that innocent mail users and smtp sites have to change IP addresses and/or hosting companies to get away from spam-by-association. I also don't think that customer complaints to the likes of att.net and Microsoft would carry much water. So what are we to do? Lew Wolfgang Jim Barber wrote: > Hi all. > > Last night I noticed that most (all?) of my incoming posts from this > list were tagged as spam (despite having really low scores). > I found the cause was due to an RBL server that I use having listed one > of the email servers this list comes from. > > The MailScanner server that is getting black listed is: 83.98.192.7 > which reverse resolves to safir.blacknight.ie > The RBL server that I am using is blackholes.five-ten-sg.com > This one I've added myself, but I am reluctant to remove it since so far > over the months it has served me well. > > If you go to http://www.five-ten-sg.com/blackhole.php and enter > 83.98.192.7 into the form it comes back with the following: > > ------------------------------------------------------------ > IP address 83.98.192.7 is listed here as 83.98.192.165 misc. > > Although there may be other reasons, most of the listings in this > category are due to > (1. systems apparently sending bulk mail from ip addresses with bogus or > missing reverse dns, or with no web server, or with boilerplate web > content, or > 2. a suspected multistage relay output, or > 3. machines probably running MS SMTPSVC with an open guest account, or > 4. running some open proxy), or it is in the same /24 subnet containing > multiple machines with that property. > ------------------------------------------------------------ > > The 'misc' (127.0.0.9) return code is defined by the site as: > > ------------------------------------------------------------ > misc - Miscellaneous includes (but is NOT limited to) the following groups. > Note that this does NOT include misc.spam which is listed under spam above. > 1) /24 blocks of addresses containing systems that are apparently > sending bulk email (in volumes apparently comparable with the volume > from AOL, Earthlink, Google), with any of the following attributes: > missing or bogus reverse dns, reverse dns names in domains with no web > server, or domains with boilerplate web content. > 2) Systems that are strongly suspected of being multistage open relays > (where I have not been able to identify the input stage) or open proxies. > 3) Any system that delivers spam here, that appears to be running MS > SMTPSVC, and that appears to have relayed the message from China, Korea, > Brazil, or any known open proxy. > These are generally systems that have enabled the guest account, and > spammers are using them as open relays, even though they do require SMTP > AUTH. > Enabling the guest account allows anyone to relay thru them. > ------------------------------------------------------------ > > Is this the correct place to report it to? > It's sort of ironic having an anti-spam list ending up marked as spam. > Oh well. > > Regards, > From jim.barber at ddihealth.com Tue Aug 21 07:07:40 2007 From: jim.barber at ddihealth.com (Jim Barber) Date: Tue Aug 21 07:07:51 2007 Subject: {Spam?} Re: MailScanner mailing list ended up on a black list. In-Reply-To: <46CA7C53.5050000@sweet-haven.com> References: <46CA323E.9020403@ddihealth.com> <46CA7C53.5050000@sweet-haven.com> Message-ID: <46CA812C.9070903@ddihealth.com> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070821/e2e316c2/attachment.html From Robert.Horton at goodmanmfg.com Tue Aug 21 07:13:34 2007 From: Robert.Horton at goodmanmfg.com (Horton, Robert) Date: Tue Aug 21 07:13:37 2007 Subject: CRM114 Problem In-Reply-To: <224FA7E11EA39E45843E11CEBBD3A36F189A80@HOUPEX01.nfsmith.info> References: <224FA7E11EA39E45843E11CEBBD3A36F189A80@HOUPEX01.nfsmith.info> Message-ID: <50678FBB708A9B4FB6B536F6F657883D028E9528@exch-gman.ad.goodmanmfg.com> Are you still having problems with the score at -0.00? I finally installed this evening and had the same problem. I think there is a bug in the crm114.pm (Version: 0.6.4), but what perplexes me is why some people claim its working...the lines I changed should affect everyone. Maybe this code was changed recently. I changed the following 2 lines in the sub call_crm dbg("crm114: opening pipe: $crm114_command < $tmpf"); $pid = Mail::SpamAssassin::Util::helper_app_pipe_open( *CRM_OUT, $tmpf, 1, $crm114_command); to dbg("crm114: opening pipe: $crm114_cmdline < $tmpf"); $pid = Mail::SpamAssassin::Util::helper_app_pipe_open( *CRM_OUT, $tmpf, 1, $crm114_cmdline); Within minutes crm114 started learning emails and no longer had the -0.00 score. You only get this score when you have an empty spam.css and nonspam.css and it doesn't know what to do with the email yet. Hope this helps, Robert Horton -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Kercher Sent: Friday, August 10, 2007 11:13 AM To: MailScanner discussion Subject: CRM114 Problem I added CRM114 to a server last week per the docs in the wiki (and like I've done on several other servers), but the score is always -0.00 [root@mail crm114]# cssutil -b -r spam.css Sparse spectra file spam.css statistics: Total available buckets : 1048577 Total buckets in use : 0 Total in-use zero-count buckets : 0 Total buckets with value >= max : 0 Total hashed datums in file : 0 Documents learned : 15495 Features learned : 1 Average datums per bucket : 0.00 Maximum length of overflow chain : 0 Average length of overflow chain : 0.00 Average packing density : 0.00 [root@mail crm114]# cssutil -b -r nonspam.css Sparse spectra file nonspam.css statistics: Total available buckets : 1048577 Total buckets in use : 0 Total in-use zero-count buckets : 0 Total buckets with value >= max : 0 Total hashed datums in file : 0 Documents learned : 15495 Features learned : 1 Average datums per bucket : 0.00 Maximum length of overflow chain : 0 Average length of overflow chain : 0.00 Average packing density : 0.00 The Features learned hasn't changed in many days. Permissions look good, .crm's are +x Any suggestions where to look? Mike -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! CONFIDENTIALITY NOTE: The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it. Thank you. From list-mailscanner at linguaphone.com Tue Aug 21 08:37:16 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Aug 21 08:37:34 2007 Subject: SpamAssassin Rule Actions enhancement (UNCLASSIFIED) In-Reply-To: <88991ECEE371C644986F0C8837C207B701CC314E@ARLABML01.DS.ARL.ARMY.MIL> References: <46CA0340.6050701@ecs.soton.ac.uk> <88991ECEE371C644986F0C8837C207B701CC314E@ARLABML01.DS.ARL.ARMY.MIL> Message-ID: <1187681835.16331.2.camel@gblades-suse.linguaphone-intranet.co.uk> On Tue, 2007-08-21 at 00:38, Kash, Howard (Civ, ARL/CISD) wrote: > Classification: Caveats: *NOTICE: > > Would anyone else be interested in an option to the 'store' action to > specify a directory relative to 'Quarantine Dir'? This way various > levels of spamness can be stored in different directories. For example: > > SpamAssassin Rule Actions = SpamScore>25=>store HIGH, > SpamScore>15=>store MED, SpamScore>=5=>store LOW, SpamScore<5=>deliver > > would store messages with SA scores between 5 and 15 in > /var/spool/MailScanner/quarantine/spam/LOW, scores between 15 and 25 in > /var/spool/MailScanner/quarantine/spam/MED, and scores over 25 in > /var/spool/MailScanner/quarantine/spam/HIGH. > > > How will the 'SpamAssassin Rule Actions', 'Spam Actions', and 'High > Scoring Spam Actions' be prioritized? In other words, which one will > have presedence if there are conflicting settings (i.e. High Scoring > Spam Actions = delete, SpamAssassin Rule Actions = SpamScore>15=>store)? I assume that the spam actions and high scoring spam action will work as normal. Then the custom rules would apply so if the high scoring option was to deliver you would have to specify the not-deliver action in the custom action if you did not want the email delivered. From martinh at solidstatelogic.com Tue Aug 21 08:39:23 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Tue Aug 21 08:39:49 2007 Subject: antispam server setup website - comments welcome In-Reply-To: <46C9E6EE.7010109@ecs.soton.ac.uk> Message-ID: <7596c7e1d87a2241863c8959a0954aac@solidstatelogic.com> Jules Pyzor is fine, but you have to run a different server other than the broken one 'pyzor update' gives gives you... 82.94.255.100:24441 Is the functioning one. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: 20 August 2007 20:10 > To: MailScanner discussion > Subject: Re: antispam server setup website - comments welcome > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Gareth wrote: > > http://www.gbnetwork.co.uk/mailscanner/index.html > > > > Comments appreciated. > > > I would remove Pyzor. I've never been a fan of it, and get on well > without it. It's only 2 servers which is not good for a global service. > > I would also add DCC. Very useful and very reliable. I have my own DCC > server, which I wouldn't advise you try to set up, it was a right pain > to get it working, even with help from the author :-( But do use DCC > itself as a client, it helps detect a lot of spam and outages and very > very rare. There are multiple servers on multiple sites. > > Other than those, that looks like a pretty comprehensive list. > > How much help is all the OCR stuff? I've never installed it, and again > find that I can live happily without it. > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.3 (Build 3017) > Charset: ISO-8859-1 > > wj8DBQFGyebvEfZZRxQVtlQRAq11AJ9vEtDO79O0ADHcoeGYgRf2MLHd0gCdGOjF > vBl7XjgG+r2arV/Ayi/XEZk= > =CNZL > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From list-mailscanner at linguaphone.com Tue Aug 21 08:41:32 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Aug 21 08:41:41 2007 Subject: New Clam, Old, Mailscanner, Ancient Kernel In-Reply-To: <001a01c7e387$266c2460$0202fea9@genevawoods.com> References: <001a01c7e387$266c2460$0202fea9@genevawoods.com> Message-ID: <1187682092.16339.6.camel@gblades-suse.linguaphone-intranet.co.uk> My home system is still running redhat 9 with kernel-2.4.20-31.9. I dont have mailscanner or clamav on there but I am running the latest spamassassin with a whole load of plugins. The main thing to do is upgrade perl to 5.8.8 and you should be able to do that through CPAN. Once thats on then you should be able to install spamassassin 3.2.3 and MailScanner without problems as they are all perl based. On Tue, 2007-08-21 at 01:06, Culley Morrow wrote: > Howdy folks, I?ve got a bit of a dilemma here. I?ve taken over admin > for an aging Debian 3.0 server partly morphed to 4.0. By partly I mean > it is still using the default 2.4.18-bf2.4 kernel. Way, way, out of > date. The upshot is we are planning to replace it in the vaguely near > future once we decide what groupware package to put in it?s place. > > > > I?ll list out the software versions below and I need a bit of > assistance making them work for now. I know all I need to do is > upgrade the kernel to 2.6 and it all works, but I?d like to get them > functioning ?As-Is? and then do the upgrade so I have something > working to fall back on. Clam AV is currently shut off since clamd as > a service was so slow. > > > > Kernel 2.4.18-bf2.4 > > Mailscanner 3.27.1-1 > > Clam AV 0.90.1-3etch3 > > Spam Assassin 2.64-1 > > > > Currently we are inundated with mass spam and I need to get some AV in > place, be it Clam or another GNU/GPL/?free as in beer?-ware. I need a > hand here if anyone wants to chime in. > > > > > > ~={o}=~ > > > > > Culley Morrow > IT Manager > Geneva Woods Pharmacy > > > > > > > > > > > > ______________________________________________________________________ > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From martinh at solidstatelogic.com Tue Aug 21 08:44:18 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Tue Aug 21 08:44:23 2007 Subject: New Clam, Old, Mailscanner, Ancient Kernel In-Reply-To: <001a01c7e387$266c2460$0202fea9@genevawoods.com> Message-ID: <49eff3444c609b4383b4c36b540e567b@solidstatelogic.com> Culley Mailscanner v3 had NOT been supported for many years.... I'd start with installing mailscanner v4.latest as fresh install and go from there.. You don't mention how much email (number of and volume), but 1GB per CPU core is recommended due to SA being a real memory hog! Clamd works nice for many people and is supported in the latest MS version. As for spam - more than likely SA 3.2.3 WITH the SARE rules etc will really make a difference.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Culley Morrow > Sent: 21 August 2007 01:07 > To: mailscanner@lists.mailscanner.info > Subject: New Clam, Old, Mailscanner, Ancient Kernel > > Howdy folks, I've got a bit of a dilemma here. I've taken over admin for > an aging Debian 3.0 server partly morphed to 4.0. By partly I mean it is > still using the default 2.4.18-bf2.4 kernel. Way, way, out of date. The > upshot is we are planning to replace it in the vaguely near future once we > decide what groupware package to put in it's place. > > > > I'll list out the software versions below and I need a bit of assistance > making them work for now. I know all I need to do is upgrade the kernel to > 2.6 and it all works, but I'd like to get them functioning "As-Is" and > then do the upgrade so I have something working to fall back on. Clam AV > is currently shut off since clamd as a service was so slow. > > > > Kernel 2.4.18-bf2.4 > > Mailscanner 3.27.1-1 > > Clam AV 0.90.1-3etch3 > > Spam Assassin 2.64-1 > > > > Currently we are inundated with mass spam and I need to get some AV in > place, be it Clam or another GNU/GPL/"free as in beer"-ware. I need a hand > here if anyone wants to chime in. > > > > > > ~={o}=~ > > > > Culley Morrow > IT Manager > Geneva Woods Pharmacy > > > > > > > > ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From list-mailscanner at linguaphone.com Tue Aug 21 08:44:37 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Aug 21 08:44:42 2007 Subject: Heads up for spamhaus.org problems In-Reply-To: <20070821005342.GA5580@rpcs.net> References: <20070819222357.GA27826@rpcs.net> <20070820020201.GA2841@rpcs.net> <46CA08CD.8070400@alexb.ch> <20070821005342.GA5580@rpcs.net> Message-ID: <1187682277.16339.9.camel@gblades-suse.linguaphone-intranet.co.uk> On Tue, 2007-08-21 at 01:53, Richard Potter wrote: > On Mon, Aug 20, 2007 at 11:34:05PM +0200, Alex Broens wrote: > > > On 8/20/2007 11:22 PM, Tim Boyer wrote: > > >On Sun, 19 Aug 2007 22:02:01 -0400, Richard Potter > > >wrote: > > > > > >>On Mon, Aug 20, 2007 at 12:34:23AM +0200, Raymond Dijkxhoorn wrote: > > >> > > >>>>Just doing a routine check here, and I have a few mail servers > > >>>>misbehaving. It > > >>>>*appears* sendmail dnsbl to zen.spamhaus.org is timing out, and causing > > >>>>mail > > >>>>delivery delays, or none at all. > > >>>> > > >>>>I'm going to discontinue spamhaus, and see what happens. > > >>>Buy rsync from them. Most likely you fire a lot of lookups on their > > >>>servers and they started to ban high volume mailservers some time ago. > > >>>We have seen this in a lot of places allready. > > >>> > > >>>May i ask how much mail are you processing daily? > > >>Thanks for the reply Raymond.. I wasn't aware they were doing that. These > > >>are low volume servers, less than 2,000 messages per day. Does that count > > >>as "high volume" to spamhaus? > > >> > > >>Richard > > > > > >"Use of the Spamhaus DNSBLs via DNS queries to our public DNSBL mirrors is > > >free > > >for low-traffic mail servers serving less than 100 users. Use of the > > >Spamhaus > > >DNSBLs by commercial or corporate networks, ISPs and ESPs, requires a > > >subscription to Spamhaus's Data Feed service." > > > > > >I'd be shocked if 2,000 messages per day counts as high volume. That's 20 > > >emails per person per day. > > > > no need to be shocked :-) > > > > Spamhaus can't block your mail server from doing queries - it blocks > > your DNS' access to the root zone - so if you use a DNS which is > > querying Xmillion queries/day and your server is only doing 10000/day > > then the rest of the X/million+your 10000 makes he count which rates a > > block. > > > You are exactly right. I was told that off list. I switched the two > boxes to an alternative DNS server, and spamhaus worked again. > > I'm not sure why I didn't figure that out on my own. I actually > knew/should have known that. It was Sunday, and I might have had a > few beers! :-) > > Richard When I was blocked for 2000 messages/day I was running a caching nameserver on the local box and no queries were forwarded elsewhere. From glenn.steen at gmail.com Tue Aug 21 08:51:22 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Aug 21 08:51:24 2007 Subject: Invalid Queue Files with Postfix In-Reply-To: <1187618803.13420.54.camel@gblades-suse.linguaphone-intranet.co.uk> References: <46C56930.D87E.0068.3@aafp.org> <46C5B203.5020108@ecs.soton.ac.uk> <46C58CFE.D87E.0068.3@aafp.org> <223f97700708171339h2115ce1fu1af220aa23462924@mail.gmail.com> <46C5CE13.D87E.0068.3@aafp.org> <46C6FDA7.3080605@ecs.soton.ac.uk> <46C957D4.D87E.0068.3@aafp.org> <1187618803.13420.54.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <223f97700708210051r97ec82ao517b2b5181aeefeb@mail.gmail.com> On 20/08/07, Gareth wrote: > On Mon, 2007-08-20 at 14:59, Brad Beckenhauer wrote: > > >>> On 8/18/2007 at 9:09 AM, in message <46C6FDA7.3080605@ecs.soton.ac.uk>, Julian > > Field wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > > Hash: SHA1 > > > > > > > > > > > > Brad Beckenhauer wrote: > > >> > > >> That would be a nice feature request for MailScanner, something to > > >> provide consistant volume benchmarks across all supported MailScanner > > >> platforms. > > >> Something like: > > >> MailScanner -stats > > >> or a configuration setting to enable benchmarking with the > > >> understanding that there would be system overhead associated with the > > >> additional process. > > >> > > > What stats would you like it to log that it doesn't already? > > > There's no communication between the child processes once they are > > > started, but I could add a signal trap so that a kill -USR or something > > > would make them dump some figures to some file or other, then restart > > > the batch they were on. They already catch kill -HUP to force them to > > > die. So exactly what do you want to do when it receives a SIGUSR? > > > > Several times on the list I've noticed questions like "What's your volume?". > > Is there already something in MailScanner that can generate an answer to that question? > > > > My first thought would be to have MailScanner calculate the daily volume of total daily messages processed. That way when the "What's your volume" question comes up, there is a standardized way to respond to the question. An hourly histogram would be an interesting stat. > > > > Date > > TIME Msgs processed > > 00:00-01:00 xxxx > > 01:00-02:00 xxxx > > 02:00-03:00 xxxx > > ?---------------------- > > Mail Volume xxxxx > > Hourly Avg: xx% > > > > Anyway... That was the thought..... Feel free to toss the idea to the bit bucket. I'm not going to be arguing the idea. > > > > Thanks for listening. > > Brad > > I just use standard logwatch as it gives a good daily summary. > pflogsumm and MailWatch do the trick for me:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From gmatt at nerc.ac.uk Tue Aug 21 09:55:06 2007 From: gmatt at nerc.ac.uk (Greg Matthews) Date: Tue Aug 21 09:55:24 2007 Subject: New Clam, Old, Mailscanner, Ancient Kernel In-Reply-To: <001a01c7e387$266c2460$0202fea9@genevawoods.com> References: <001a01c7e387$266c2460$0202fea9@genevawoods.com> Message-ID: <46CAA86A.4060206@nerc.ac.uk> Culley Morrow wrote: > I?ll list out the software versions below and I need a bit of assistance > making them work for now. I know all I need to do is upgrade the kernel > to 2.6 and it all works, but I?d like to get them functioning ?As-Is? > and then do the upgrade so I have something working to fall back on. > Clam AV is currently shut off since clamd as a service was so slow. kernel upgrade probably not very important. As others have pointed out, there is little reason not to upgrade MS and SA. Stick as much memory in the box as it can handle. > Kernel 2.4.18-bf2.4 > > Mailscanner 3.27.1-1 > > Clam AV 0.90.1-3etch3 > > Spam Assassin 2.64-1 > > > > Currently we are inundated with mass spam and I need to get some AV in > place, be it Clam or another GNU/GPL/?free as in beer?-ware. I need a > hand here if anyone wants to chime in. if you are "inundated" then the best start you can make is to reject as much as possible at the MTA. As this is Debian, your MTA is probably (but not necessarily) exim. Look at putting in a single well regarded block list at the MTA, something like zen.spamhaus.org but do your research and find one that /you/ like the look of (block list preferences can start flame wars!). Make sure you are rejecting mail at the MTA for all unknown recipients and not accepting then bouncing. Set up your MTA to throttle incoming mail so it doesnt get overwhelmed or let your incoming queue build up uncontrollably. Visit the MS wiki for tips on how to do this - dig deep, it can be a bit tricky to find what you are looking for. Search the archives for good links into the wiki. GREG -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. From ajcartmell at fonant.com Tue Aug 21 10:23:13 2007 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Tue Aug 21 10:23:09 2007 Subject: antispam server setup website - comments welcome In-Reply-To: <7596c7e1d87a2241863c8959a0954aac@solidstatelogic.com> References: <7596c7e1d87a2241863c8959a0954aac@solidstatelogic.com> Message-ID: > Pyzor is fine, but you have to run a different server other than the > broken one 'pyzor update' gives gives you... > > 82.94.255.100:24441 > > Is the functioning one. With the one from "pyzor discover": [root@clive ~]# pyzor ping 66.250.40.33:24441 (200, 'OK') With the above: [root@clive ~]# pyzor ping 82.94.255.100:24441 (200, 'OK') Or does the ping not indicate the full server status? Anthony -- www.fonant.com - Quality web sites From maillists at conactive.com Tue Aug 21 10:31:22 2007 From: maillists at conactive.com (Kai Schaetzl) Date: Tue Aug 21 10:31:25 2007 Subject: MailScanner mailing list ended up on a black list. In-Reply-To: <46CA7C53.5050000@sweet-haven.com> References: <46CA323E.9020403@ddihealth.com> <46CA7C53.5050000@sweet-haven.com> Message-ID: Lew Wolfgang wrote on Mon, 20 Aug 2007 22:46:59 -0700: > SPF overrides a hit from > a DNSBL in Microsoft's world, I guess. I doubt they use apews. Like spews was it is not suitable for any business. Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From martinh at solidstatelogic.com Tue Aug 21 11:10:42 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Tue Aug 21 11:10:56 2007 Subject: antispam server setup website - comments welcome In-Reply-To: Message-ID: <8cb6665400aab84eb7a40767be8a6be7@solidstatelogic.com> No it doesn't, the 'discover' one is not being updated and seems broken. The other 82.250.255.100 actually works.... People have made many attempts to contact the pyzor "maintainer" on this to offer servers/bandwidth but he seems to ignore all offers... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Anthony Cartmell > Sent: 21 August 2007 10:23 > To: MailScanner discussion > Subject: Re: antispam server setup website - comments welcome > > > Pyzor is fine, but you have to run a different server other than the > > broken one 'pyzor update' gives gives you... > > > > 82.94.255.100:24441 > > > > Is the functioning one. > > With the one from "pyzor discover": > > [root@clive ~]# pyzor ping > 66.250.40.33:24441 (200, 'OK') > > With the above: > > [root@clive ~]# pyzor ping > 82.94.255.100:24441 (200, 'OK') > > Or does the ping not indicate the full server status? > > Anthony > -- > www.fonant.com - Quality web sites > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From alvaro at hostalia.com Tue Aug 21 11:10:56 2007 From: alvaro at hostalia.com (=?ISO-8859-1?Q?Alvaro_Mar=EDn?=) Date: Tue Aug 21 11:10:59 2007 Subject: [Fwd: [Clamav-announce] announcing ClamAV 0.91.2] Message-ID: <46CABA30.9060109@hostalia.com> -------- Original Message -------- Date: Tue, 21 Aug 2007 11:38:52 +0200 From: Luca Gibelli To: ClamAV Announce Subject: [Clamav-announce] announcing ClamAV 0.91.2 Dear ClamAV users, This release fixes various bugs in libclamav, freshclam and clamav-milter, and adds support for PUA (Potentially Unwanted Application) signatures (clamscan: --detect-pua, clamd: DetectPUA). -- The ClamAV team (http://www.clamav.net/team) -- Luca Gibelli (luca _at_ clamav.net) - ClamAV, a GPL anti-virus toolkit [Tel] +1 706 7054022 [Fax] +1 706 5345792 [IM] nervous/jabber.linux.it PGP key id 5EFC5582 @ key server || http://www.clamav.net/gpg/luca.gpg _______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce Regards, -- Alvaro Mar?n Illera Hostalia Internet www.hostalia.com From ajcartmell at fonant.com Tue Aug 21 11:34:58 2007 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Tue Aug 21 11:34:50 2007 Subject: antispam server setup website - comments welcome In-Reply-To: <8cb6665400aab84eb7a40767be8a6be7@solidstatelogic.com> References: <8cb6665400aab84eb7a40767be8a6be7@solidstatelogic.com> Message-ID: > No it doesn't, the 'discover' one is not being updated and seems broken. > > The other 82.250.255.100 actually works.... Ah, OK, I'll stick with that one then. Thanks for the info! > People have made many attempts to contact the pyzor "maintainer" on this > to offer servers/bandwidth but he seems to ignore all offers... It's sad when good software goes un-maintained. Anthony -- www.fonant.com - Quality web sites From MailScanner at ecs.soton.ac.uk Tue Aug 21 12:13:37 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 21 12:13:56 2007 Subject: [Fwd: [Clamav-announce] announcing ClamAV 0.91.2] In-Reply-To: <46CABA30.9060109@hostalia.com> References: <46CABA30.9060109@hostalia.com> Message-ID: <46CAC8E1.8040908@ecs.soton.ac.uk> I have just updated my ClamAV+SpamAssassin package. Alvaro Mar?n wrote: > > > -------- Original Message -------- > Date: Tue, 21 Aug 2007 11:38:52 +0200 > From: Luca Gibelli > To: ClamAV Announce > Subject: [Clamav-announce] announcing ClamAV 0.91.2 > > > Dear ClamAV users, > > This release fixes various bugs in libclamav, freshclam and > clamav-milter, > and adds support for PUA (Potentially Unwanted Application) signatures > (clamscan: --detect-pua, clamd: DetectPUA). > > -- > The ClamAV team (http://www.clamav.net/team) > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From list-mailscanner at linguaphone.com Tue Aug 21 12:47:00 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Aug 21 12:47:12 2007 Subject: DCC installation Message-ID: <1187696820.16338.16.camel@gblades-suse.linguaphone-intranet.co.uk> Just had a go at installing DCC. Installed the software, checked the DCC perl module was installed, enabled DCC and then restarted mailscanner. I read that the defaults that dcc installs are fine if you want to connect anonymously so in theory it should work. However I have not seen any matches so I think something might be wrong. This is the debug output :- #spamassassin -D -t a #cat a | grep dcc [9628] dbg: dcc: network tests on, registering DCC [9628] dbg: config: fixed relative path: /var/lib/spamassassin/3.002003/updates_spamassassin_org/25_dcc.cf [9628] dbg: config: using "/var/lib/spamassassin/3.002003/updates_spamassassin_org/25_dcc.cf" for included file [9628] dbg: config: read file /var/lib/spamassassin/3.002003/updates_spamassassin_org/25_dcc.cf [9628] dbg: dcc: dccifd is not available: no r/w dccifd socket found [9628] dbg: util: executable for dccproc was found at /usr/local/bin/dccproc [9628] dbg: dcc: dccproc is available: /usr/local/bin/dccproc [9628] dbg: dcc: opening pipe: /usr/local/bin/dccproc -H -x 0 -a 203.25.170.31 < /tmp/.spamassassin9628DjN0rLtmp [9628] dbg: dcc: killed stale helper [9642] [9628] dbg: dcc: [9642] terminated: exit=0xf100 [9628] dbg: dcc: check timed out after 8 seconds X-DCC-CTc-dcc2-Metrics: gecko.npgx.com.au 1031; Body=0 Fuz1=0 Fuz2=0 fMHId05XuL20k3PgNVdccAIexF9wrelX4WoQqkZVRwRKBxIuxyjID3j+fcRaSyFJGGEod8EFk2xW From shuttlebox at gmail.com Tue Aug 21 13:02:08 2007 From: shuttlebox at gmail.com (shuttlebox) Date: Tue Aug 21 13:02:15 2007 Subject: DCC installation In-Reply-To: <1187696820.16338.16.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1187696820.16338.16.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <625385e30708210502o659b48abqabdb7a997bc65dba@mail.gmail.com> On 8/21/07, Gareth wrote: > Just had a go at installing DCC. Installed the software, checked the DCC > perl module was installed, enabled DCC and then restarted mailscanner. > > I read that the defaults that dcc installs are fine if you want to > connect anonymously so in theory it should work. However I have not seen > any matches so I think something might be wrong. Have you opened 6277/udp in your firewall? -- /peter From glenn.steen at gmail.com Tue Aug 21 13:10:09 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Aug 21 13:10:14 2007 Subject: temp files not being processed - score=0 (UNCLASSIFIED) In-Reply-To: <88991ECEE371C644986F0C8837C207B701CC314C@ARLABML01.DS.ARL.ARMY.MIL> References: <88991ECEE371C644986F0C8837C207B701CC314C@ARLABML01.DS.ARL.ARMY.MIL> Message-ID: <223f97700708210510v7699d8a4p64607cbf7a15f9cb@mail.gmail.com> On 20/08/07, Kash, Howard (Civ, ARL/CISD) wrote: > Classification: UNCLASSIFIED > Caveats: NONE > > > I've had the "(not cached, score=0, required 5, autolearn=)" problem > several times myself. Typically restarting MailScanner fixed the > problem. Last time it happened, simply restarting didn't help so I > tried removing SpamAssassin.cache.db and the problem stopped. Can't say > for sure removing the cache was the fix, but worth a try. > > BTW, is there something similar to db_verify that can be run on the > SpamAssassin cache to check for consistency? > > > Howard > Not really, at least not that I know of... You could always use analyse_SpamAssassin_cache to verify that the user you run MailScanner as can read through it all... -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From R.Sterenborg at netsourcing.nl Tue Aug 21 13:18:16 2007 From: R.Sterenborg at netsourcing.nl (Rob Sterenborg) Date: Tue Aug 21 13:20:10 2007 Subject: FW: [Clamav-users] clamav 0.91.2 is out. Don't use it. Message-ID: <74ACEB3E6A055643A89B8CEC74C7BF2488E134@WISENT.dcyb.net> clamav-users-bounces@lists.clamav.net wrote: > It has a dangerous (lack of) value for CL_SCAN_STDOPT. You're better > off not upgrading until they fix it. > > (filed as bug 631, but it's nothing new: CL_SCAN_STDOPT still doesn't > include CL_SCAN_PHISHING_DOMAINLIST; that omission can cause crashing > and hanging on certain platforms ... the clamav team already > knows about > this problem, and they even enable that option as a default > in clamscan, > just not in the CL_SCAN_STDOPT defined value ... my > suggestion is to not > upgrade until they release a version that fixes this problem) I saw this on the ClamAV list... Grts, Rob From list-mailscanner at linguaphone.com Tue Aug 21 13:40:33 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Aug 21 13:40:47 2007 Subject: DCC installation In-Reply-To: <625385e30708210502o659b48abqabdb7a997bc65dba@mail.gmail.com> References: <1187696820.16338.16.camel@gblades-suse.linguaphone-intranet.co.uk> <625385e30708210502o659b48abqabdb7a997bc65dba@mail.gmail.com> Message-ID: <1187700033.16339.18.camel@gblades-suse.linguaphone-intranet.co.uk> On Tue, 2007-08-21 at 13:02, shuttlebox wrote: > On 8/21/07, Gareth wrote: > > Just had a go at installing DCC. Installed the software, checked the DCC > > perl module was installed, enabled DCC and then restarted mailscanner. > > > > I read that the defaults that dcc installs are fine if you want to > > connect anonymously so in theory it should work. However I have not seen > > any matches so I think something might be wrong. > > Have you opened 6277/udp in your firewall? Thanks that was it. Everything outbould was permitted but I forgot iptables does not track udp connections. From root at doctor.nl2k.ab.ca Tue Aug 21 15:09:20 2007 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Tue Aug 21 15:11:40 2007 Subject: [luca@clamav.net: [Clamav-announce] announcing ClamAV 0.91.2] Message-ID: <20070821140919.GC6031@doctor.nl2k.ab.ca> Jules and compnay new clamav. Do we have a PUA feture? ----- Forwarded message from Luca Gibelli ----- X-NetKnow-InComing-4.63.2-1-MailScanner-Watermark: 1188121228.68939@z5JrHnKnd5Rlt7or3YFJfA Return-Path: clamav-announce-bounces@lists.clamav.net Received: from tad.clamav.net by doctor.nl2k.ab.ca (8.14.1/8.14.1) with ESMTP id l7L9eDnW003340 for ; Tue, 21 Aug 2007 03:40:27 -0600 (MDT) X-Spam-Filter: check_local@doctor.nl2k.ab.ca by digitalanswers.org X-Virus-Scanned: Debian amavisd-new at tad.clamav.net Received: from tad.clamav.net ([127.0.0.1]) by localhost (tad.clamav.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9J+N17Ig9Lm5; Tue, 21 Aug 2007 11:39:57 +0200 (CEST) Received: from tad.clamav.net (localhost.localdomain [127.0.0.1]) by tad.clamav.net (Postfix) with ESMTP id A250A16C050; Tue, 21 Aug 2007 11:39:57 +0200 (CEST) X-Original-To: clamav-announce@tad.clamav.net Delivered-To: clamav-announce@tad.clamav.net X-Virus-Scanned: Debian amavisd-new at tad.clamav.net Received: from tad.clamav.net ([127.0.0.1]) by localhost (tad.clamav.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UWwO2le5ZcsN for ; Tue, 21 Aug 2007 11:38:53 +0200 (CEST) Received: from mosquito.nervous.bbs (localhost.localdomain [127.0.0.1]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by tad.clamav.net (Postfix) with ESMTP id A8CF116C050 for ; Tue, 21 Aug 2007 11:38:53 +0200 (CEST) Received: from nervous by mosquito.nervous.bbs with local (Exim 4.63) (envelope-from ) id 1INQCK-0001v9-Jz for clamav-announce@lists.clamav.net; Tue, 21 Aug 2007 11:38:53 +0200 Date: Tue, 21 Aug 2007 11:38:52 +0200 From: Luca Gibelli To: ClamAV Announce Message-ID: <20070821093852.GA7272@adsl.nervous.it> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.13 (2006-08-11) X-Mailman-Approved-At: Tue, 21 Aug 2007 11:39:56 +0200 Subject: [Clamav-announce] announcing ClamAV 0.91.2 X-BeenThere: clamav-announce@lists.clamav.net X-Mailman-Version: 2.1.9 Precedence: list Reply-To: noreply@clamav.net List-Id: ClamAV events are announced here List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: clamav-announce-bounces@lists.clamav.net Errors-To: clamav-announce-bounces@lists.clamav.net X-NetKnow-InComing-4.63.2-1-MailScanner-Information: Please contact the ISP for more information X-NetKnow-InComing-4.63.2-1-MailScanner: Found to be clean X-NetKnow-InComing-4.63.2-1-MailScanner-From: clamav-announce-bounces@lists.clamav.net X-Spam-Status: No Dear ClamAV users, This release fixes various bugs in libclamav, freshclam and clamav-milter, and adds support for PUA (Potentially Unwanted Application) signatures (clamscan: --detect-pua, clamd: DetectPUA). -- The ClamAV team (http://www.clamav.net/team) -- Luca Gibelli (luca _at_ clamav.net) - ClamAV, a GPL anti-virus toolkit [Tel] +1 706 7054022 [Fax] +1 706 5345792 [IM] nervous/jabber.linux.it PGP key id 5EFC5582 @ key server || http://www.clamav.net/gpg/luca.gpg _______________________________________________ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ----- End forwarded message ----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From rcooper at dwford.com Tue Aug 21 16:23:03 2007 From: rcooper at dwford.com (Rick Cooper) Date: Tue Aug 21 16:23:08 2007 Subject: [luca@clamav.net: [Clamav-announce] announcing ClamAV 0.91.2] In-Reply-To: <20070821140919.GC6031@doctor.nl2k.ab.ca> References: <20070821140919.GC6031@doctor.nl2k.ab.ca> Message-ID: <014901c7e407$2b420740$0301a8c0@SAHOMELT> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Dave Shariff Yadallee - System Administrator > a.k.a. The Root of theProblem > Sent: Tuesday, August 21, 2007 10:09 AM > To: mailscanner@lists.mailscanner.info > Subject: [luca@clamav.net: [Clamav-announce] announcing > ClamAV 0.91.2] > > Jules and compnay new clamav. Do we have a PUA feture? > [...] I believe that Mail::ClamAV will have to be updated to include the export CL_DB_PUA and then MailScanner will have to have a new option to tell Sub ClamAVModule if it should use CL_DB_PUA (since I doubt everyone will use it), and of course sub ClamAVModule will have to be updated to include the new flag. If you are using clamd then just enable PUA in the clamd.conf. Personally I have no idea what it does and haven't been able to find any information on it so I plan to ask on the clam list later. Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From root at doctor.nl2k.ab.ca Tue Aug 21 16:36:06 2007 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Tue Aug 21 16:36:39 2007 Subject: [luca@clamav.net: [Clamav-announce] announcing ClamAV 0.91.2] In-Reply-To: <014901c7e407$2b420740$0301a8c0@SAHOMELT> References: <20070821140919.GC6031@doctor.nl2k.ab.ca> <014901c7e407$2b420740$0301a8c0@SAHOMELT> Message-ID: <20070821153605.GB10626@doctor.nl2k.ab.ca> On Tue, Aug 21, 2007 at 11:23:03AM -0400, Rick Cooper wrote: > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > Behalf Of Dave Shariff Yadallee - System Administrator > > a.k.a. The Root of theProblem > > Sent: Tuesday, August 21, 2007 10:09 AM > > To: mailscanner@lists.mailscanner.info > > Subject: [luca@clamav.net: [Clamav-announce] announcing > > ClamAV 0.91.2] > > > > Jules and compnay new clamav. Do we have a PUA feture? > > > [...] > > I believe that Mail::ClamAV will have to be updated to include the export > CL_DB_PUA and then MailScanner will have to have a new option to tell Sub > ClamAVModule if it should use CL_DB_PUA (since I doubt everyone will use > it), and of course sub ClamAVModule will have to be updated to include the > new flag. > > If you are using clamd then just enable PUA in the clamd.conf. Personally I > have no idea what it does and haven't been able to find any information on > it so I plan to ask on the clam list later. > > Rick > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > >From http://download.zicos.com/news.php/n/2647024/Clam-AntiVirus-0.91.2-Default-branch adds support for PUA (Potentially Unwanted Application) signatures (clamscan: --detect-pua, clamd: DetectPUA) And from: http://www.sophos.com/pressoffice/news/articles/2001/11/va_glossary.html#pua Potentially unwanted application (PUA) Description: PUA is a term used to describe an application that is not inherently malicious, but is generally considered unsuitable for the majority of business networks. Potentially unwanted applications include adware, dialers, remote administration tools and hacking tools. Hence you may be correct about definitions. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Tue Aug 21 16:49:01 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 21 16:49:13 2007 Subject: MailScanner mailing list ended up on a black list. In-Reply-To: <46CA323E.9020403@ddihealth.com> References: <46CA323E.9020403@ddihealth.com> Message-ID: Jim Barber spake the following on 8/20/2007 5:30 PM: > Hi all. > > Last night I noticed that most (all?) of my incoming posts from this > list were tagged as spam (despite having really low scores). > I found the cause was due to an RBL server that I use having listed one > of the email servers this list comes from. > > The MailScanner server that is getting black listed is: 83.98.192.7 > which reverse resolves to safir.blacknight.ie > The RBL server that I am using is blackholes.five-ten-sg.com > This one I've added myself, but I am reluctant to remove it since so far > over the months it has served me well. > > If you go to http://www.five-ten-sg.com/blackhole.php and enter > 83.98.192.7 into the form it comes back with the following: > > ------------------------------------------------------------ > IP address 83.98.192.7 is listed here as 83.98.192.165 misc. > > Although there may be other reasons, most of the listings in this > category are due to > (1. systems apparently sending bulk mail from ip addresses with bogus or > missing reverse dns, or with no web server, or with boilerplate web > content, or > 2. a suspected multistage relay output, or > 3. machines probably running MS SMTPSVC with an open guest account, or > 4. running some open proxy), or it is in the same /24 subnet containing > multiple machines with that property. > ------------------------------------------------------------ > > The 'misc' (127.0.0.9) return code is defined by the site as: > > ------------------------------------------------------------ > misc - Miscellaneous includes (but is NOT limited to) the following groups. > Note that this does NOT include misc.spam which is listed under spam above. > 1) /24 blocks of addresses containing systems that are apparently > sending bulk email (in volumes apparently comparable with the volume > from AOL, Earthlink, Google), with any of the following attributes: > missing or bogus reverse dns, reverse dns names in domains with no web > server, or domains with boilerplate web content. > 2) Systems that are strongly suspected of being multistage open relays > (where I have not been able to identify the input stage) or open proxies. > 3) Any system that delivers spam here, that appears to be running MS > SMTPSVC, and that appears to have relayed the message from China, Korea, > Brazil, or any known open proxy. > These are generally systems that have enabled the guest account, and > spammers are using them as open relays, even though they do require SMTP > AUTH. > Enabling the guest account allows anyone to relay thru them. > ------------------------------------------------------------ > > Is this the correct place to report it to? > It's sort of ironic having an anti-spam list ending up marked as spam. > Oh well. > > Regards, > blackholes.five-ten-sg.com is too aggressive a list for me. One spammer can kill an entire subnet on that list. If you check those spammers on other lists, they are usually there also. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From mailadmin at baladia.gov.kw Tue Aug 21 16:56:58 2007 From: mailadmin at baladia.gov.kw (mailadmin@baladia.gov.kw) Date: Tue Aug 21 16:59:10 2007 Subject: mailscanner lint errors Message-ID: <3384.62.150.152.226.1187711818.squirrel@webmail.baladia.gov.kw> Dear ALL, i am using the latest mailscanner + the jules SA+AV script and have installed as per the docs and when i run the MailScanner --lint it shows me ------------------------------------------------- Version number in MailScanner.conf (4.62.9) is correct. ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf ERROR: is not correct, it should match X-Baladia-MailScanner-MailScanner-From Checking for SpamAssassin errors (if you use it)... SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin reported no errors. MailScanner.conf says "Virus Scanners = clamav" Found these virus scanners installed: clamav =========================================================================== Ignore errors about failing to find EOCD signature format error: can't find EOCD signature at /usr/sbin/MailScanner line 451 =========================================================================== Virus Scanner test reports: ClamAV said "eicar.com contains Eicar-Test-Signature" If any of your virus scanners (clamav) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf. --------------------------------------------------------------------------- r the above errors serious .. how cd i fix it 2) right now i have clamav-0.91.1-1.el5.rf and the latest stable version is 0.91.2 .. how cd i install this since earlier i installed it via Jules script apprecite and thnks regards simon -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From naolson at gmail.com Tue Aug 21 17:17:52 2007 From: naolson at gmail.com (Nathan Olson) Date: Tue Aug 21 17:17:55 2007 Subject: antispam server setup website - comments welcome In-Reply-To: References: <8cb6665400aab84eb7a40767be8a6be7@solidstatelogic.com> Message-ID: <8f54b4330708210917g6117645ay39450f381b2f4832@mail.gmail.com> We've had no problems with Razor. Nate From culleym at genevawoods.com Tue Aug 21 17:36:49 2007 From: culleym at genevawoods.com (Culley Morrow) Date: Tue Aug 21 17:37:04 2007 Subject: MailScanner Digest, Vol 20, Issue 49 In-Reply-To: <200708211100.l7LB09OJ008413@safir.blacknight.ie> References: <200708211100.l7LB09OJ008413@safir.blacknight.ie> Message-ID: <002b01c7e411$7989cf00$d10da8c0@genevawoods.com> Thanks for the replies. This server is quite meager with 256mb RAM and a 30gb hard drive, all running on a 4 year old Dell desktop. Meager is putting it mildly. I've got to make it work while it's in place, a massive replacement is in the works though. Clamscan was what I was meaning actually. I remember reading a while back in the archives that it was a major stumbling point with new versions on older systems. After an update it was running OK, but slowly getting further and further behind in the mail delivery. Anyway, I'll start digging through the wiki for better rules and see what I can start filtering out. ~={o}=~ Culley Morrow IT Manager Geneva Woods Pharmacy -----Original Message----- Message: 11 Date: Tue, 21 Aug 2007 09:55:06 +0100 From: Greg Matthews Subject: Re: New Clam, Old, Mailscanner, Ancient Kernel To: MailScanner discussion Message-ID: <46CAA86A.4060206@nerc.ac.uk> Content-Type: text/plain; charset=windows-1252; format=flowed Culley Morrow wrote: > Ill list out the software versions below and I need a bit of assistance > making them work for now. I know all I need to do is upgrade the kernel > to 2.6 and it all works, but Id like to get them functioning As-Is > and then do the upgrade so I have something working to fall back on. > Clam AV is currently shut off since clamd as a service was so slow. kernel upgrade probably not very important. As others have pointed out, there is little reason not to upgrade MS and SA. Stick as much memory in the box as it can handle. > Kernel 2.4.18-bf2.4 > > Mailscanner 3.27.1-1 > > Clam AV 0.90.1-3etch3 > > Spam Assassin 2.64-1 > > > > Currently we are inundated with mass spam and I need to get some AV in > place, be it Clam or another GNU/GPL/free as in beer-ware. I need a > hand here if anyone wants to chime in. if you are "inundated" then the best start you can make is to reject as much as possible at the MTA. As this is Debian, your MTA is probably (but not necessarily) exim. Look at putting in a single well regarded block list at the MTA, something like zen.spamhaus.org but do your research and find one that /you/ like the look of (block list preferences can start flame wars!). Make sure you are rejecting mail at the MTA for all unknown recipients and not accepting then bouncing. Set up your MTA to throttle incoming mail so it doesnt get overwhelmed or let your incoming queue build up uncontrollably. Visit the MS wiki for tips on how to do this - dig deep, it can be a bit tricky to find what you are looking for. Search the archives for good links into the wiki. GREG -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford From ssilva at sgvwater.com Tue Aug 21 17:49:56 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 21 17:50:18 2007 Subject: mailscanner lint errors In-Reply-To: <3384.62.150.152.226.1187711818.squirrel@webmail.baladia.gov.kw> References: <3384.62.150.152.226.1187711818.squirrel@webmail.baladia.gov.kw> Message-ID: mailadmin@baladia.gov.kw spake the following on 8/21/2007 8:56 AM: > Dear ALL, > > i am using the latest mailscanner + the jules SA+AV script and have > installed as per the docs and when i run the MailScanner --lint it shows > me > > ------------------------------------------------- > > Version number in MailScanner.conf (4.62.9) is correct. > > ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf > ERROR: is not correct, it should match X-Baladia-MailScanner-MailScanner-From Edit the spam.assassin.prefs.conf so it matches the above line which it gets from your mailscanner.conf file. > > > Checking for SpamAssassin errors (if you use it)... > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp > SpamAssassin reported no errors. > MailScanner.conf says "Virus Scanners = clamav" > Found these virus scanners installed: clamav > =========================================================================== > Ignore errors about failing to find EOCD signature > format error: can't find EOCD signature > at /usr/sbin/MailScanner line 451 Like it says you can ignore this error. > =========================================================================== > Virus Scanner test reports: > ClamAV said "eicar.com contains Eicar-Test-Signature" > > If any of your virus scanners (clamav) > are not listed there, you should check that they are installed correctly > and that MailScanner is finding them correctly via its virus.scanners.conf. > > --------------------------------------------------------------------------- > r the above errors serious .. how cd i fix it > > > 2) right now i have clamav-0.91.1-1.el5.rf and the latest stable version > is 0.91.2 .. Since your clamav is an rpm from rpmforge, you didn't install it from Julian's script. > > how cd i install this since earlier i installed it via Jules script There are conflicting views on installing the newest clamav. Seems to be a bug in it. Watch the list for more details. > > > apprecite and thnks > > > regards > > simon > > -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From list-mailscanner at linguaphone.com Tue Aug 21 18:07:51 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Aug 21 18:07:54 2007 Subject: MailScanner Digest, Vol 20, Issue 49 In-Reply-To: <002b01c7e411$7989cf00$d10da8c0@genevawoods.com> Message-ID: well clamscan is much slower than either the clamavmodule or clamd versions so changing to one of those should help speed it up considerably. Also you are running 0.90 version of clamav which has a bug causing it to take much longer to load its signatures which makes the clamscan method even slower again. Upgrading clamav and switching to clamavmodule will probably double your scanning speed easily. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Culley > Morrow > Sent: 21 August 2007 17:37 > To: mailscanner@lists.mailscanner.info > Subject: RE: MailScanner Digest, Vol 20, Issue 49 > > > Thanks for the replies. This server is quite meager with 256mb RAM and a > 30gb hard drive, all running on a 4 year old Dell desktop. Meager > is putting > it mildly. I've got to make it work while it's in place, a massive > replacement is in the works though. > > Clamscan was what I was meaning actually. I remember reading a > while back in > the archives that it was a major stumbling point with new > versions on older > systems. After an update it was running OK, but slowly getting further and > further behind in the mail delivery. > > Anyway, I'll start digging through the wiki for better rules and > see what I > can start filtering out. > > ~={o}=~ > > Culley Morrow > IT Manager > Geneva Woods Pharmacy > > > -----Original Message----- > Message: 11 > Date: Tue, 21 Aug 2007 09:55:06 +0100 > From: Greg Matthews > Subject: Re: New Clam, Old, Mailscanner, Ancient Kernel > To: MailScanner discussion > Message-ID: <46CAA86A.4060206@nerc.ac.uk> > Content-Type: text/plain; charset=windows-1252; format=flowed > > Culley Morrow wrote: > > Ill list out the software versions below and I need a bit of > assistance > > making them work for now. I know all I need to do is upgrade the kernel > > to 2.6 and it all works, but Id like to get them functioning As-Is > > and then do the upgrade so I have something working to fall back on. > > Clam AV is currently shut off since clamd as a service was so slow. > > kernel upgrade probably not very important. As others have pointed out, > there is little reason not to upgrade MS and SA. Stick as much memory in > the box as it can handle. > > > Kernel 2.4.18-bf2.4 > > > > Mailscanner 3.27.1-1 > > > > Clam AV 0.90.1-3etch3 > > > > Spam Assassin 2.64-1 > > > > > > > > Currently we are inundated with mass spam and I need to get some AV in > > place, be it Clam or another GNU/GPL/free as in beer-ware. I need a > > hand here if anyone wants to chime in. > > if you are "inundated" then the best start you can make is to reject as > much as possible at the MTA. As this is Debian, your MTA is probably > (but not necessarily) exim. Look at putting in a single well regarded > block list at the MTA, something like zen.spamhaus.org but do your > research and find one that /you/ like the look of (block list > preferences can start flame wars!). Make sure you are rejecting mail at > the MTA for all unknown recipients and not accepting then bouncing. Set > up your MTA to throttle incoming mail so it doesnt get overwhelmed or > let your incoming queue build up uncontrollably. > > Visit the MS wiki for tips on how to do this - dig deep, it can be a bit > tricky to find what you are looking for. Search the archives for good > links into the wiki. > > GREG > -- > Greg Matthews 01491 692445 > Head of UNIX/Linux, iTSS Wallingford > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > From sandrews at andrewscompanies.com Tue Aug 21 18:14:48 2007 From: sandrews at andrewscompanies.com (Steven Andrews) Date: Tue Aug 21 18:14:54 2007 Subject: CRM114 Problem In-Reply-To: <50678FBB708A9B4FB6B536F6F657883D028E9528@exch-gman.ad.goodmanmfg.com> References: <224FA7E11EA39E45843E11CEBBD3A36F189A80@HOUPEX01.nfsmith.info> <50678FBB708A9B4FB6B536F6F657883D028E9528@exch-gman.ad.goodmanmfg.com> Message-ID: <1964AAFBC212F742958F9275BF63DBB05B3D63@winchester.andrewscompanies.com> Got the updated files from mschuette.name according to the wiki and it is incremented for your changes; unfortunately, it didn't fix for me. Should I be using a different version than the 20073001 rpm? -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Horton, Robert Sent: Tuesday, August 21, 2007 2:14 AM To: MailScanner discussion Subject: RE: CRM114 Problem Are you still having problems with the score at -0.00? I finally installed this evening and had the same problem. I think there is a bug in the crm114.pm (Version: 0.6.4), but what perplexes me is why some people claim its working...the lines I changed should affect everyone. Maybe this code was changed recently. I changed the following 2 lines in the sub call_crm dbg("crm114: opening pipe: $crm114_command < $tmpf"); $pid = Mail::SpamAssassin::Util::helper_app_pipe_open( *CRM_OUT, $tmpf, 1, $crm114_command); to dbg("crm114: opening pipe: $crm114_cmdline < $tmpf"); $pid = Mail::SpamAssassin::Util::helper_app_pipe_open( *CRM_OUT, $tmpf, 1, $crm114_cmdline); Within minutes crm114 started learning emails and no longer had the -0.00 score. You only get this score when you have an empty spam.css and nonspam.css and it doesn't know what to do with the email yet. Hope this helps, Robert Horton -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Kercher Sent: Friday, August 10, 2007 11:13 AM To: MailScanner discussion Subject: CRM114 Problem I added CRM114 to a server last week per the docs in the wiki (and like I've done on several other servers), but the score is always -0.00 [root@mail crm114]# cssutil -b -r spam.css Sparse spectra file spam.css statistics: Total available buckets : 1048577 Total buckets in use : 0 Total in-use zero-count buckets : 0 Total buckets with value >= max : 0 Total hashed datums in file : 0 Documents learned : 15495 Features learned : 1 Average datums per bucket : 0.00 Maximum length of overflow chain : 0 Average length of overflow chain : 0.00 Average packing density : 0.00 [root@mail crm114]# cssutil -b -r nonspam.css Sparse spectra file nonspam.css statistics: Total available buckets : 1048577 Total buckets in use : 0 Total in-use zero-count buckets : 0 Total buckets with value >= max : 0 Total hashed datums in file : 0 Documents learned : 15495 Features learned : 1 Average datums per bucket : 0.00 Maximum length of overflow chain : 0 Average length of overflow chain : 0.00 Average packing density : 0.00 The Features learned hasn't changed in many days. Permissions look good, .crm's are +x Any suggestions where to look? Mike -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! CONFIDENTIALITY NOTE: The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it. Thank you. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mailadmin at baladia.gov.kw Tue Aug 21 19:18:18 2007 From: mailadmin at baladia.gov.kw (mailadmin@baladia.gov.kw) Date: Tue Aug 21 19:20:35 2007 Subject: thnks for ur suggestion In-Reply-To: References: <3384.62.150.152.226.1187711818.squirrel@webmail.baladia.gov.kw> Message-ID: <4177.62.150.152.226.1187720298.squirrel@webmail.baladia.gov.kw> Thanks guy, really apprecite your quick reply btw ur right im sorry i install clamav from rpm forge since i wanted mailscanner to use clamd for virus scanning i will keep in touch with list for more details my clamav update log shows that clamav is outdated thnks once again regards simon > mailadmin@baladia.gov.kw spake the following on 8/21/2007 8:56 AM: >> Dear ALL, >> >> i am using the latest mailscanner + the jules SA+AV script and have >> installed as per the docs and when i run the MailScanner --lint it shows >> me >> >> ------------------------------------------------- >> >> Version number in MailScanner.conf (4.62.9) is correct. >> >> ERROR: The "envelope_sender_header" in your spam.assassin.prefs.conf >> ERROR: is not correct, it should match >> X-Baladia-MailScanner-MailScanner-From > Edit the spam.assassin.prefs.conf so it matches the above line which it > gets > from your mailscanner.conf file. > >> >> >> Checking for SpamAssassin errors (if you use it)... >> SpamAssassin temp dir = >> /var/spool/MailScanner/incoming/SpamAssassin-Temp >> SpamAssassin reported no errors. >> MailScanner.conf says "Virus Scanners = clamav" >> Found these virus scanners installed: clamav >> =========================================================================== >> Ignore errors about failing to find EOCD signature >> format error: can't find EOCD signature >> at /usr/sbin/MailScanner line 451 > Like it says you can ignore this error. >> =========================================================================== >> Virus Scanner test reports: >> ClamAV said "eicar.com contains Eicar-Test-Signature" >> >> If any of your virus scanners (clamav) >> are not listed there, you should check that they are installed correctly >> and that MailScanner is finding them correctly via its >> virus.scanners.conf. >> >> --------------------------------------------------------------------------- >> r the above errors serious .. how cd i fix it >> >> >> 2) right now i have clamav-0.91.1-1.el5.rf and the latest stable version >> is 0.91.2 .. > Since your clamav is an rpm from rpmforge, you didn't install it from > Julian's > script. >> >> how cd i install this since earlier i installed it via Jules script > > There are conflicting views on installing the newest clamav. Seems to be a > bug > in it. Watch the list for more details. >> >> >> apprecite and thnks >> >> >> regards >> >> simon >> >> > > > -- > > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Tue Aug 21 19:46:06 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 21 19:50:08 2007 Subject: thnks for ur suggestion In-Reply-To: <4177.62.150.152.226.1187720298.squirrel@webmail.baladia.gov.kw> References: <3384.62.150.152.226.1187711818.squirrel@webmail.baladia.gov.kw> <4177.62.150.152.226.1187720298.squirrel@webmail.baladia.gov.kw> Message-ID: mailadmin@baladia.gov.kw spake the following on 8/21/2007 11:18 AM: > Thanks guy, > > really apprecite your quick reply > btw ur right > im sorry > i install clamav from rpm forge since i wanted mailscanner to use clamd > for virus scanning > > i will keep in touch with list for more details > > my clamav update log shows that clamav is outdated > It will always report that as soon as a new version is out. It is usually safe to be back 2 or 3 version for at least a few months as bugs get worked out. I think there are several people on this list running 3.17 with no problems. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From Robert.Horton at goodmanmfg.com Tue Aug 21 20:33:44 2007 From: Robert.Horton at goodmanmfg.com (Horton, Robert) Date: Tue Aug 21 20:33:46 2007 Subject: CRM114 Problem In-Reply-To: <1964AAFBC212F742958F9275BF63DBB05B3D63@winchester.andrewscompanies.com> References: <224FA7E11EA39E45843E11CEBBD3A36F189A80@HOUPEX01.nfsmith.info><50678FBB708A9B4FB6B536F6F657883D028E9528@exch-gman.ad.goodmanmfg.com> <1964AAFBC212F742958F9275BF63DBB05B3D63@winchester.andrewscompanies.com> Message-ID: <50678FBB708A9B4FB6B536F6F657883D028E9530@exch-gman.ad.goodmanmfg.com> I didn't use the RPMs and made up my own method. I'm using RHEL 5 to test CRM right now. My install was based off the wiki and the emails in this list. I downloaded http://crm114.sourceforge.net/tarballs/crm114-20070428-BlameSpamConf.src.tar.gz and http://laurikari.net/tre/tre-0.7.5.tar.gz And ran the following commands: tar -zxvf tre-0.7.5.tar.gz cd tre-0.7.5 ./configure --enable-static make make check make install cd .. tar -zxvf crm114-20070428-BlameSpamConf.src.tar.gz cd crm114-20070428-BlameSpamConf.src make make megatest make install cd .. Then I created the /etc/mail/spamassassin/crm114 and grabbed the 2 files from Martin Sch?tte. When creating the crm114 directory I grabbed files from the downloaded crm114-20070428-BlameSpamConf.src directory. The resulting crm114 directory contained the following before startup. -rw-r--r-- 1 root root 0 Aug 20 22:03 blacklist.mfp -rwxr-xr-x 1 root root 17426 Aug 20 22:36 mailfilter.cf -rwxr-xr-x 1 root root 44537 Aug 20 22:02 mailfilter.crm -rwxr-xr-x 1 root root 14511 Aug 20 22:02 maillib.crm -rwxr-xr-x 1 root root 22677 Aug 20 22:02 mailreaver.crm -rwxr-xr-x 1 root root 37621 Aug 20 22:02 mailtrainer.crm -rw-r--r-- 1 root root 12582924 Aug 20 21:59 nonspam.css -rw-r--r-- 1 root root 49 Aug 20 22:03 priolist.mfp -rw-r--r-- 1 root root 0 Aug 20 22:03 rewrites.mfp -rwxr-xr-x 1 root root 6924 Aug 21 14:03 shuffle.crm -rw-r--r-- 1 root root 12582924 Aug 20 21:59 spam.css -rw-r--r-- 1 root root 0 Aug 20 22:03 whitelist.mfp One thing to note is I included shuffle.crm because it was referenced in the cf files. I don't know if it matters or if it's different in the RPM versions. I modified the .cf files as the wiki said. When you first do the lint test you will get the 0.00 score because the nonspam.css and spam.css are new. It stays this way until you start learning which was the original problem for me since the messages were not being learned. -Robert -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steven Andrews Sent: Tuesday, August 21, 2007 12:15 PM To: MailScanner discussion Subject: RE: CRM114 Problem Got the updated files from mschuette.name according to the wiki and it is incremented for your changes; unfortunately, it didn't fix for me. Should I be using a different version than the 20073001 rpm? -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Horton, Robert Sent: Tuesday, August 21, 2007 2:14 AM To: MailScanner discussion Subject: RE: CRM114 Problem Are you still having problems with the score at -0.00? I finally installed this evening and had the same problem. I think there is a bug in the crm114.pm (Version: 0.6.4), but what perplexes me is why some people claim its working...the lines I changed should affect everyone. Maybe this code was changed recently. I changed the following 2 lines in the sub call_crm dbg("crm114: opening pipe: $crm114_command < $tmpf"); $pid = Mail::SpamAssassin::Util::helper_app_pipe_open( *CRM_OUT, $tmpf, 1, $crm114_command); to dbg("crm114: opening pipe: $crm114_cmdline < $tmpf"); $pid = Mail::SpamAssassin::Util::helper_app_pipe_open( *CRM_OUT, $tmpf, 1, $crm114_cmdline); Within minutes crm114 started learning emails and no longer had the -0.00 score. You only get this score when you have an empty spam.css and nonspam.css and it doesn't know what to do with the email yet. Hope this helps, Robert Horton -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Kercher Sent: Friday, August 10, 2007 11:13 AM To: MailScanner discussion Subject: CRM114 Problem I added CRM114 to a server last week per the docs in the wiki (and like I've done on several other servers), but the score is always -0.00 [root@mail crm114]# cssutil -b -r spam.css Sparse spectra file spam.css statistics: Total available buckets : 1048577 Total buckets in use : 0 Total in-use zero-count buckets : 0 Total buckets with value >= max : 0 Total hashed datums in file : 0 Documents learned : 15495 Features learned : 1 Average datums per bucket : 0.00 Maximum length of overflow chain : 0 Average length of overflow chain : 0.00 Average packing density : 0.00 [root@mail crm114]# cssutil -b -r nonspam.css Sparse spectra file nonspam.css statistics: Total available buckets : 1048577 Total buckets in use : 0 Total in-use zero-count buckets : 0 Total buckets with value >= max : 0 Total hashed datums in file : 0 Documents learned : 15495 Features learned : 1 Average datums per bucket : 0.00 Maximum length of overflow chain : 0 Average length of overflow chain : 0.00 Average packing density : 0.00 The Features learned hasn't changed in many days. Permissions look good, .crm's are +x Any suggestions where to look? Mike -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! CONFIDENTIALITY NOTE: The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it. Thank you. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! CONFIDENTIALITY NOTE: The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it. Thank you. From tim at denmantire.com Wed Aug 22 02:26:07 2007 From: tim at denmantire.com (Tim Boyer) Date: Wed Aug 22 02:26:24 2007 Subject: Heads up for spamhaus.org problems References: <20070819222357.GA27826@rpcs.net> <20070820020201.GA2841@rpcs.net> <46CA08CD.8070400@alexb.ch> Message-ID: <844nc31s5e518hupbukd0gqv49sf5g39v0@4ax.com> On Mon, 20 Aug 2007 23:34:05 +0200, Alex Broens wrote: >On 8/20/2007 11:22 PM, Tim Boyer wrote: >> On Sun, 19 Aug 2007 22:02:01 -0400, Richard Potter wrote: >> >>> On Mon, Aug 20, 2007 at 12:34:23AM +0200, Raymond Dijkxhoorn wrote: >>> >>>>> Just doing a routine check here, and I have a few mail servers >>>>> misbehaving. It >>>>> *appears* sendmail dnsbl to zen.spamhaus.org is timing out, and causing >>>>> mail >>>>> delivery delays, or none at all. >>>>> >>>>> I'm going to discontinue spamhaus, and see what happens. >>>> Buy rsync from them. Most likely you fire a lot of lookups on their >>>> servers and they started to ban high volume mailservers some time ago. >>>> We have seen this in a lot of places allready. >>>> >>>> May i ask how much mail are you processing daily? >>> Thanks for the reply Raymond.. I wasn't aware they were doing that. These >>> are low volume servers, less than 2,000 messages per day. Does that count >>> as "high volume" to spamhaus? >>> >>> Richard >> >> "Use of the Spamhaus DNSBLs via DNS queries to our public DNSBL mirrors is free >> for low-traffic mail servers serving less than 100 users. Use of the Spamhaus >> DNSBLs by commercial or corporate networks, ISPs and ESPs, requires a >> subscription to Spamhaus's Data Feed service." >> >> I'd be shocked if 2,000 messages per day counts as high volume. That's 20 >> emails per person per day. > >no need to be shocked :-) > >Spamhaus can't block your mail server from doing queries - it blocks >your DNS' access to the root zone - so if you use a DNS which is >querying Xmillion queries/day and your server is only doing 10000/day >then the rest of the X/million+your 10000 makes he count which rates a >block. > >Alex Hah! Of course. That makes perfect sense. -- tim boyer tim@denmantire.com From Jeramy.Eling at britax-pmg.com Wed Aug 22 08:59:31 2007 From: Jeramy.Eling at britax-pmg.com (Jeramy Eling) Date: Wed Aug 22 08:59:36 2007 Subject: Whitelists and Fuzzy Message-ID: <5CD3BFF77DFFD411BCD100D0B720F94503C4E5E5@probe.britaxpmg.com> Hi All, I have an issue with my MailScanner setup blocking a particular email as the guy has a image as a signature, Fuzzy sees this and cranks the score up. I've whitelisted the email address but still the system see the email as Spam and still blocks it. Does anyone know if it's possible to establish a Whitelist for Fuzzy to ensure that these checks are performed on email from this particular address? Any suggestions would be much appreciated. Thanks In Advance Jez -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070822/0a048a8e/attachment.html From martinh at solidstatelogic.com Wed Aug 22 09:05:54 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Aug 22 09:05:59 2007 Subject: Whitelists and Fuzzy In-Reply-To: <5CD3BFF77DFFD411BCD100D0B720F94503C4E5E5@probe.britaxpmg.com> Message-ID: Jez Which whitelist did you use - there are several? I wonder why FuzzyOCR is triggering on this guys signature, a graphic signature (however misguided) is quite common. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Jeramy Eling > Sent: 22 August 2007 09:00 > To: mailscanner@lists.mailscanner.info > Subject: Whitelists and Fuzzy > > Hi All, > > I have an issue with my MailScanner setup blocking a particular email as > the guy has a image as a signature, Fuzzy sees this and cranks the score > up. I've whitelisted the email address but still the system see the email > as Spam and still blocks it. > > Does anyone know if it's possible to establish a Whitelist for Fuzzy to > ensure that these checks are performed on email from this particular > address? > > Any suggestions would be much appreciated. > > Thanks In Advance > > Jez ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From Jeramy.Eling at britax-pmg.com Wed Aug 22 09:15:46 2007 From: Jeramy.Eling at britax-pmg.com (Jeramy Eling) Date: Wed Aug 22 09:15:51 2007 Subject: Whitelists and Fuzzy Message-ID: <5CD3BFF77DFFD411BCD100D0B720F94503C4E5E6@probe.britaxpmg.com> Hi Martin A little bit of background, I have MailWatch running and I've got this integrated to do the White and Black listing from within Mailwatch, so as far as the config is concerned it's 'Is Definitely Not Spam' and 'Is Definitely Spam', additionally I have one running to allow certain emails with forms through as well. If I look at the email in the quarantine it shows a score of 5.00 and a matching rule of 'FUZZY_OCR_KNOWN_HASH'. Cheers Jez -----Original Message----- From: Martin.Hepworth [mailto:martinh@solidstatelogic.com] Sent: 22 August 2007 09:06 To: MailScanner discussion Subject: RE: Whitelists and Fuzzy Jez Which whitelist did you use - there are several? I wonder why FuzzyOCR is triggering on this guys signature, a graphic signature (however misguided) is quite common. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Jeramy Eling > Sent: 22 August 2007 09:00 > To: mailscanner@lists.mailscanner.info > Subject: Whitelists and Fuzzy > > Hi All, > > I have an issue with my MailScanner setup blocking a particular email > as the guy has a image as a signature, Fuzzy sees this and cranks the > score up. I've whitelisted the email address but still the system see > the email as Spam and still blocks it. > > Does anyone know if it's possible to establish a Whitelist for Fuzzy > to ensure that these checks are performed on email from this > particular address? > > Any suggestions would be much appreciated. > > Thanks In Advance > > Jez ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From martinh at solidstatelogic.com Wed Aug 22 09:21:46 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Aug 22 09:21:55 2007 Subject: Whitelists and Fuzzy In-Reply-To: <5CD3BFF77DFFD411BCD100D0B720F94503C4E5E6@probe.britaxpmg.com> Message-ID: Jez Hmm what other rules have hit in SA? Might be worth asking Steve et al on the mailwatch list about a problem with the MW whitelist stuff. There's been several threads on this in the past.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Jeramy Eling > Sent: 22 August 2007 09:16 > To: MailScanner discussion > Subject: RE: Whitelists and Fuzzy > > Hi Martin > > A little bit of background, I have MailWatch running and I've got this > integrated to do the White and Black listing from within Mailwatch, so > as far as the config is concerned it's 'Is Definitely Not Spam' and 'Is > Definitely Spam', additionally I have one running to allow certain > emails with forms through as well. If I look at the email in the > quarantine it shows a score of 5.00 and a matching rule of > 'FUZZY_OCR_KNOWN_HASH'. > > Cheers > > Jez > > > -----Original Message----- > From: Martin.Hepworth [mailto:martinh@solidstatelogic.com] > Sent: 22 August 2007 09:06 > To: MailScanner discussion > Subject: RE: Whitelists and Fuzzy > > Jez > > Which whitelist did you use - there are several? I wonder why FuzzyOCR > is triggering on this guys signature, a graphic signature (however > misguided) is quite common. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Jeramy Eling > > Sent: 22 August 2007 09:00 > > To: mailscanner@lists.mailscanner.info > > Subject: Whitelists and Fuzzy > > > > Hi All, > > > > I have an issue with my MailScanner setup blocking a particular email > > as the guy has a image as a signature, Fuzzy sees this and cranks the > > score up. I've whitelisted the email address but still the system see > > the email as Spam and still blocks it. > > > > Does anyone know if it's possible to establish a Whitelist for Fuzzy > > to ensure that these checks are performed on email from this > > particular address? > > > > Any suggestions would be much appreciated. > > > > Thanks In Advance > > > > Jez > > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error you > must take no action based on them, nor must you copy or show them to > anyone. Please advise the sender by replying to this e-mail immediately > and then delete the original from your computer. > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We advise > that you consider this fact when e-mailing us. > Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. > > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales (Company > No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 > 1RU, United Kingdom > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From list-mailscanner at linguaphone.com Wed Aug 22 09:22:07 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Aug 22 09:22:15 2007 Subject: Whitelists and Fuzzy In-Reply-To: <5CD3BFF77DFFD411BCD100D0B720F94503C4E5E6@probe.britaxpmg.com> References: <5CD3BFF77DFFD411BCD100D0B720F94503C4E5E6@probe.britaxpmg.com> Message-ID: <1187770927.19242.7.camel@gblades-suse.linguaphone-intranet.co.uk> If you have a whitelist defined in mailwatch then it will be whitelisted regardless of the spamassassin score unless you have not configured the whitelist custom function correctly in mailscanner. Fuzzyocr has oviously detected the picture in the past and has stored a hash of it together with its score in its database to save future processing. If this image got a high score due to misconfiguration of the words file then you can use one of the tools that came with fuzzyocr to remove that image from the database so next time it is found it will recalculate the score. On Wed, 2007-08-22 at 09:15, Jeramy Eling wrote: > Hi Martin > > A little bit of background, I have MailWatch running and I've got this > integrated to do the White and Black listing from within Mailwatch, so > as far as the config is concerned it's 'Is Definitely Not Spam' and 'Is > Definitely Spam', additionally I have one running to allow certain > emails with forms through as well. If I look at the email in the > quarantine it shows a score of 5.00 and a matching rule of > 'FUZZY_OCR_KNOWN_HASH'. > > Cheers > > Jez > > > -----Original Message----- > From: Martin.Hepworth [mailto:martinh@solidstatelogic.com] > Sent: 22 August 2007 09:06 > To: MailScanner discussion > Subject: RE: Whitelists and Fuzzy > > Jez > > Which whitelist did you use - there are several? I wonder why FuzzyOCR > is triggering on this guys signature, a graphic signature (however > misguided) is quite common. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Jeramy Eling > > Sent: 22 August 2007 09:00 > > To: mailscanner@lists.mailscanner.info > > Subject: Whitelists and Fuzzy > > > > Hi All, > > > > I have an issue with my MailScanner setup blocking a particular email > > as the guy has a image as a signature, Fuzzy sees this and cranks the > > score up. I've whitelisted the email address but still the system see > > the email as Spam and still blocks it. > > > > Does anyone know if it's possible to establish a Whitelist for Fuzzy > > to ensure that these checks are performed on email from this > > particular address? > > > > Any suggestions would be much appreciated. > > > > Thanks In Advance > > > > Jez > > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error you > must take no action based on them, nor must you copy or show them to > anyone. Please advise the sender by replying to this e-mail immediately > and then delete the original from your computer. > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We advise > that you consider this fact when e-mailing us. > Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. > > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales (Company > No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 > 1RU, United Kingdom > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From Jeramy.Eling at britax-pmg.com Wed Aug 22 09:24:26 2007 From: Jeramy.Eling at britax-pmg.com (Jeramy Eling) Date: Wed Aug 22 09:24:31 2007 Subject: Whitelists and Fuzzy Message-ID: <5CD3BFF77DFFD411BCD100D0B720F945047588CE@probe.britaxpmg.com> Martin, I've copied and pasted the full SA rule hits that the email has hit below: - 0.12 AWL From: address is in the auto white-list -2.60 BAYES_00 Bayesian spam probability is 0 to 1% 5.00 FUZZY_OCR_KNOWN_HASH Mail contains an image with known hash 0.37 HTML_30_40 Message is 30% to 40% HTML 0.00 HTML_MESSAGE HTML included in message 0.22 MIME_BASE64_NO_NAME base64 attachment does not have a file name Jez -----Original Message----- From: Martin.Hepworth [mailto:martinh@solidstatelogic.com] Sent: 22 August 2007 09:22 To: MailScanner discussion Subject: RE: Whitelists and Fuzzy Jez Hmm what other rules have hit in SA? Might be worth asking Steve et al on the mailwatch list about a problem with the MW whitelist stuff. There's been several threads on this in the past.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Jeramy Eling > Sent: 22 August 2007 09:16 > To: MailScanner discussion > Subject: RE: Whitelists and Fuzzy > > Hi Martin > > A little bit of background, I have MailWatch running and I've got this > integrated to do the White and Black listing from within Mailwatch, so > as far as the config is concerned it's 'Is Definitely Not Spam' and > 'Is Definitely Spam', additionally I have one running to allow certain > emails with forms through as well. If I look at the email in the > quarantine it shows a score of 5.00 and a matching rule of > 'FUZZY_OCR_KNOWN_HASH'. > > Cheers > > Jez > > > -----Original Message----- > From: Martin.Hepworth [mailto:martinh@solidstatelogic.com] > Sent: 22 August 2007 09:06 > To: MailScanner discussion > Subject: RE: Whitelists and Fuzzy > > Jez > > Which whitelist did you use - there are several? I wonder why FuzzyOCR > is triggering on this guys signature, a graphic signature (however > misguided) is quite common. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner- bounces@lists.mailscanner.info] On Behalf Of > > Jeramy Eling > > Sent: 22 August 2007 09:00 > > To: mailscanner@lists.mailscanner.info > > Subject: Whitelists and Fuzzy > > > > Hi All, > > > > I have an issue with my MailScanner setup blocking a particular > > email as the guy has a image as a signature, Fuzzy sees this and > > cranks the score up. I've whitelisted the email address but still > > the system see the email as Spam and still blocks it. > > > > Does anyone know if it's possible to establish a Whitelist for Fuzzy > > to ensure that these checks are performed on email from this > > particular address? > > > > Any suggestions would be much appreciated. > > > > Thanks In Advance > > > > Jez > > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show them > to anyone. Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We advise > that you consider this fact when e-mailing us. > Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. > > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales (Company > No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford > OX5 1RU, United Kingdom > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From Jeramy.Eling at britax-pmg.com Wed Aug 22 09:29:54 2007 From: Jeramy.Eling at britax-pmg.com (Jeramy Eling) Date: Wed Aug 22 09:30:00 2007 Subject: Whitelists and Fuzzy Message-ID: <5CD3BFF77DFFD411BCD100D0B720F945047588CF@probe.britaxpmg.com> Gareth, Having not used the mentioned tools before do you know where I can find documentation for them. I'm currently looking on the FuzzyOCR site and there doesn't appear to be anything. Jez -----Original Message----- From: Gareth [mailto:list-mailscanner@linguaphone.com] Sent: 22 August 2007 09:22 To: MailScanner discussion Subject: RE: Whitelists and Fuzzy If you have a whitelist defined in mailwatch then it will be whitelisted regardless of the spamassassin score unless you have not configured the whitelist custom function correctly in mailscanner. Fuzzyocr has oviously detected the picture in the past and has stored a hash of it together with its score in its database to save future processing. If this image got a high score due to misconfiguration of the words file then you can use one of the tools that came with fuzzyocr to remove that image from the database so next time it is found it will recalculate the score. On Wed, 2007-08-22 at 09:15, Jeramy Eling wrote: > Hi Martin > > A little bit of background, I have MailWatch running and I've got this > integrated to do the White and Black listing from within Mailwatch, so > as far as the config is concerned it's 'Is Definitely Not Spam' and > 'Is Definitely Spam', additionally I have one running to allow certain > emails with forms through as well. If I look at the email in the > quarantine it shows a score of 5.00 and a matching rule of > 'FUZZY_OCR_KNOWN_HASH'. > > Cheers > > Jez > > > -----Original Message----- > From: Martin.Hepworth [mailto:martinh@solidstatelogic.com] > Sent: 22 August 2007 09:06 > To: MailScanner discussion > Subject: RE: Whitelists and Fuzzy > > Jez > > Which whitelist did you use - there are several? I wonder why FuzzyOCR > is triggering on this guys signature, a graphic signature (however > misguided) is quite common. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner- bounces@lists.mailscanner.info] On Behalf Of > > Jeramy Eling > > Sent: 22 August 2007 09:00 > > To: mailscanner@lists.mailscanner.info > > Subject: Whitelists and Fuzzy > > > > Hi All, > > > > I have an issue with my MailScanner setup blocking a particular > > email as the guy has a image as a signature, Fuzzy sees this and > > cranks the score up. I've whitelisted the email address but still > > the system see the email as Spam and still blocks it. > > > > Does anyone know if it's possible to establish a Whitelist for Fuzzy > > to ensure that these checks are performed on email from this > > particular address? > > > > Any suggestions would be much appreciated. > > > > Thanks In Advance > > > > Jez > > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show them > to anyone. Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We advise > that you consider this fact when e-mailing us. > Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. > > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales (Company > No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford > OX5 1RU, United Kingdom > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From list-mailscanner at linguaphone.com Wed Aug 22 09:37:17 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Aug 22 09:37:33 2007 Subject: Whitelists and Fuzzy In-Reply-To: <5CD3BFF77DFFD411BCD100D0B720F945047588CF@probe.britaxpmg.com> References: <5CD3BFF77DFFD411BCD100D0B720F945047588CF@probe.britaxpmg.com> Message-ID: <1187771836.19248.10.camel@gblades-suse.linguaphone-intranet.co.uk> The program is called fussy-find and is located in the Utils directory in wherever you unpacked the source code to. Documentation is in the readme file in the same directory. On Wed, 2007-08-22 at 09:29, Jeramy Eling wrote: > Gareth, > > Having not used the mentioned tools before do you know where I can find > documentation for them. I'm currently looking on the FuzzyOCR site and > there doesn't appear to be anything. > > Jez > > -----Original Message----- > From: Gareth [mailto:list-mailscanner@linguaphone.com] > Sent: 22 August 2007 09:22 > To: MailScanner discussion > Subject: RE: Whitelists and Fuzzy > > If you have a whitelist defined in mailwatch then it will be whitelisted > regardless of the spamassassin score unless you have not configured the > whitelist custom function correctly in mailscanner. > > Fuzzyocr has oviously detected the picture in the past and has stored a > hash of it together with its score in its database to save future > processing. If this image got a high score due to misconfiguration of > the words file then you can use one of the tools that came with fuzzyocr > to remove that image from the database so next time it is found it will > recalculate the score. > > On Wed, 2007-08-22 at 09:15, Jeramy Eling wrote: > > Hi Martin > > > > A little bit of background, I have MailWatch running and I've got this > > > integrated to do the White and Black listing from within Mailwatch, so > > > as far as the config is concerned it's 'Is Definitely Not Spam' and > > 'Is Definitely Spam', additionally I have one running to allow certain > > > emails with forms through as well. If I look at the email in the > > quarantine it shows a score of 5.00 and a matching rule of > > 'FUZZY_OCR_KNOWN_HASH'. > > > > Cheers > > > > Jez > > > > > > -----Original Message----- > > From: Martin.Hepworth [mailto:martinh@solidstatelogic.com] > > Sent: 22 August 2007 09:06 > > To: MailScanner discussion > > Subject: RE: Whitelists and Fuzzy > > > > Jez > > > > Which whitelist did you use - there are several? I wonder why FuzzyOCR > > > is triggering on this guys signature, a graphic signature (however > > misguided) is quite common. > > > > -- > > Martin Hepworth > > Snr Systems Administrator > > Solid State Logic > > Tel: +44 (0)1865 842300 > > > > > -----Original Message----- > > > From: mailscanner-bounces@lists.mailscanner.info > > > [mailto:mailscanner- bounces@lists.mailscanner.info] On Behalf Of > > > Jeramy Eling > > > Sent: 22 August 2007 09:00 > > > To: mailscanner@lists.mailscanner.info > > > Subject: Whitelists and Fuzzy > > > > > > Hi All, > > > > > > I have an issue with my MailScanner setup blocking a particular > > > email as the guy has a image as a signature, Fuzzy sees this and > > > cranks the score up. I've whitelisted the email address but still > > > the system see the email as Spam and still blocks it. > > > > > > Does anyone know if it's possible to establish a Whitelist for Fuzzy > > > > to ensure that these checks are performed on email from this > > > particular address? > > > > > > Any suggestions would be much appreciated. > > > > > > Thanks In Advance > > > > > > Jez > > > > > > > > > > > > ********************************************************************** > > Confidentiality : This e-mail and any attachments are intended for the > > > addressee only and may be confidential. If they come to you in error > > you must take no action based on them, nor must you copy or show them > > to anyone. Please advise the sender by replying to this e-mail > > immediately and then delete the original from your computer. > > Opinion : Any opinions expressed in this e-mail are entirely those of > > the author and unless specifically stated to the contrary, are not > > necessarily those of the author's employer. > > Security Warning : Internet e-mail is not necessarily a secure > > communications medium and can be subject to data corruption. We advise > > > that you consider this fact when e-mailing us. > > Viruses : We have taken steps to ensure that this e-mail and any > > attachments are free from known viruses but in keeping with good > > computing practice, you should ensure that they are virus free. > > > > Red Lion 49 Ltd T/A Solid State Logic > > Registered as a limited company in England and Wales (Company > > No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford > > OX5 1RU, United Kingdom > > ********************************************************************** > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From list-mailscanner at linguaphone.com Wed Aug 22 09:55:46 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Aug 22 09:55:58 2007 Subject: DCC not working Message-ID: <1187772946.19252.14.camel@gblades-suse.linguaphone-intranet.co.uk> I installed DCC and have got to the stage where a debug shows that it is able to query the servers :- | grep dcc [12550] dbg: dcc: network tests on, registering DCC [12550] dbg: config: fixed relative path: /var/lib/spamassassin/3.002003/updates_spamassassin_org/25_dcc.cf [12550] dbg: config: using "/var/lib/spamassassin/3.002003/updates_spamassassin_org/25_dcc.cf" for included file [12550] dbg: config: read file /var/lib/spamassassin/3.002003/updates_spamassassin_org/25_dcc.cf [12550] dbg: dcc: dccifd is not available: no r/w dccifd socket found [12550] dbg: util: executable for dccproc was found at /usr/local/bin/dccproc [12550] dbg: dcc: dccproc is available: /usr/local/bin/dccproc [12550] dbg: dcc: opening pipe: /usr/local/bin/dccproc -H -x 0 -a 203.25.170.31 < /tmp/.spamassassin12550Adpfnktmp [12550] dbg: dcc: got response: X-DCC--Metrics: mailscanner 1114; Body=1 Fuz1=1 Fuz2=1 X-DCC-CTc-dcc2-Metrics: gecko.npgx.com.au 1031; Body=0 Fuz1=0 Fuz2=0 fMHId05XuL20k3PgNVdccAIexF9wrelX4WoQqkZVRwRKBxIuxyjID3j+fcRaSyFJGGEod8EFk2xW However I have left it overnight and in the 1000 or so emails I have received in that time there has not been a single hit. Any ideas what could be wrong? From shuttlebox at gmail.com Wed Aug 22 10:14:07 2007 From: shuttlebox at gmail.com (shuttlebox) Date: Wed Aug 22 10:14:14 2007 Subject: Blastwave edition of MailScanner for Solaris Message-ID: <625385e30708220214v7e97d6b8k75208ce2024c35ef@mail.gmail.com> I have packaged MailScanner 4.62.9-3 for the Blastwave project. For those who don't know about Blastwave it's best described as bringing apt-get to Solaris. We package fresh versions of around 1700 software titles for Solaris 8+ sparc/x86. A complete MailScanner system would be installed by: # pkg-get -i sendmail mailscanner clamav spamassassin That would install those four apps and all their respective dependencies. No more compiling ClamAV, using CPAN for Perl modules and downloading packages from Sunfreeware that just wants another package...and another...and so on. In short - apt-get for Solaris. More info on http://www.blastwave.org. MailScanner is slightly adapted to Solaris/Blastwave to ease configuring somewhat, e.g. paths are changed here and there to fit Blastwave editions of Perl, ClamAV and so on. I only provide start scripts for Sendmail but Blastwave has packages for Exim and Postfix too so maybe someone could help me with that? Please give it a try if you're a Solaris user. There's a general users list for Blastwave where you can get help for Blastwave specific issued, direct questions about the packages themselves there and MailScanner questions here as usual. -- /peter From maillists at conactive.com Wed Aug 22 11:32:08 2007 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Aug 22 11:32:11 2007 Subject: Whitelists and Fuzzy In-Reply-To: <5CD3BFF77DFFD411BCD100D0B720F945047588CF@probe.britaxpmg.com> References: <5CD3BFF77DFFD411BCD100D0B720F945047588CF@probe.britaxpmg.com> Message-ID: You don't seem to have noticed Gareth's comment about the MS whitelist. It seems your whitelist is not correctly set up, so it doesn't work at all. You may want to work on this as well ;-) Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From Jeramy.Eling at britax-pmg.com Wed Aug 22 11:35:24 2007 From: Jeramy.Eling at britax-pmg.com (Jeramy Eling) Date: Wed Aug 22 11:35:29 2007 Subject: Whitelists and Fuzzy Message-ID: <5CD3BFF77DFFD411BCD100D0B720F945047588D2@probe.britaxpmg.com> I have checked the W/L this morning by ading an address to it and bouncing an email in with the suspect signature attached. The email shows in MailWatch as whitelisted but it's still blocked because of the signature. -----Original Message----- From: Kai Schaetzl [mailto:maillists@conactive.com] Sent: 22 August 2007 11:32 To: mailscanner@lists.mailscanner.info Subject: Re: Whitelists and Fuzzy You don't seem to have noticed Gareth's comment about the MS whitelist. It seems your whitelist is not correctly set up, so it doesn't work at all. You may want to work on this as well ;-) Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From list-mailscanner at linguaphone.com Wed Aug 22 11:41:38 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Aug 22 11:41:51 2007 Subject: Whitelists and Fuzzy In-Reply-To: <5CD3BFF77DFFD411BCD100D0B720F945047588D2@probe.britaxpmg.com> References: <5CD3BFF77DFFD411BCD100D0B720F945047588D2@probe.britaxpmg.com> Message-ID: <1187779298.19244.19.camel@gblades-suse.linguaphone-intranet.co.uk> If something is whitelisted then no way can it be classed as spam. Something is wrong with your mailscanner configuration. Check the config file has the following lines :- Then check to make sure SQLBlackWhiteList.pm is in the mailscanner CustomFunctions file and lastely that the SQLBlackWhiteList.pm file has the sql database and account details correctly set. Is Definitely Not Spam = &SQLWhitelist Is Definitely Spam = &SQLBlacklist On Wed, 2007-08-22 at 11:35, Jeramy Eling wrote: > I have checked the W/L this morning by ading an address to it and bouncing an email in with the suspect signature attached. The email shows in MailWatch as whitelisted but it's still blocked because of the signature. > > -----Original Message----- > From: Kai Schaetzl [mailto:maillists@conactive.com] > Sent: 22 August 2007 11:32 > To: mailscanner@lists.mailscanner.info > Subject: Re: Whitelists and Fuzzy > > You don't seem to have noticed Gareth's comment about the MS whitelist. It seems your whitelist is not correctly set up, so it doesn't work at all. > You may want to work on this as well ;-) > > Kai > > -- > Kai Sch?tzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From glenn.steen at gmail.com Wed Aug 22 11:48:11 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Aug 22 11:48:13 2007 Subject: MailScanner Digest, Vol 20, Issue 49 In-Reply-To: References: <002b01c7e411$7989cf00$d10da8c0@genevawoods.com> Message-ID: <223f97700708220348u7618c712g12b813571d14cb8e@mail.gmail.com> On 21/08/07, Gareth wrote: > well clamscan is much slower than either the clamavmodule or clamd versions > so changing to one of those should help speed it up considerably. > > Also you are running 0.90 version of clamav which has a bug causing it to > take much longer to load its signatures which makes the clamscan method even > slower again. > > Upgrading clamav and switching to clamavmodule will probably double your > scanning speed easily. With the meager memory resource (256 MiB), I would think that that would push things into thrashing heavily. Going for clamd (which has a smaller memory footprint) is likely better. Cheers -- Glenn > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Culley > > Morrow > > Sent: 21 August 2007 17:37 > > To: mailscanner@lists.mailscanner.info > > Subject: RE: MailScanner Digest, Vol 20, Issue 49 > > > > > > Thanks for the replies. This server is quite meager with 256mb RAM and a > > 30gb hard drive, all running on a 4 year old Dell desktop. Meager > > is putting > > it mildly. I've got to make it work while it's in place, a massive > > replacement is in the works though. > > > > Clamscan was what I was meaning actually. I remember reading a > > while back in > > the archives that it was a major stumbling point with new > > versions on older > > systems. After an update it was running OK, but slowly getting further and > > further behind in the mail delivery. > > > > Anyway, I'll start digging through the wiki for better rules and > > see what I > > can start filtering out. > > > > ~={o}=~ > > > > Culley Morrow > > IT Manager > > Geneva Woods Pharmacy > > > > > > -----Original Message----- > > Message: 11 > > Date: Tue, 21 Aug 2007 09:55:06 +0100 > > From: Greg Matthews > > Subject: Re: New Clam, Old, Mailscanner, Ancient Kernel > > To: MailScanner discussion > > Message-ID: <46CAA86A.4060206@nerc.ac.uk> > > Content-Type: text/plain; charset=windows-1252; format=flowed > > > > Culley Morrow wrote: > > > I ll list out the software versions below and I need a bit of > > assistance > > > making them work for now. I know all I need to do is upgrade the kernel > > > to 2.6 and it all works, but I d like to get them functioning As-Is > > > and then do the upgrade so I have something working to fall back on. > > > Clam AV is currently shut off since clamd as a service was so slow. > > > > kernel upgrade probably not very important. As others have pointed out, > > there is little reason not to upgrade MS and SA. Stick as much memory in > > the box as it can handle. > > > > > Kernel 2.4.18-bf2.4 > > > > > > Mailscanner 3.27.1-1 > > > > > > Clam AV 0.90.1-3etch3 > > > > > > Spam Assassin 2.64-1 > > > > > > > > > > > > Currently we are inundated with mass spam and I need to get some AV in > > > place, be it Clam or another GNU/GPL/ free as in beer -ware. I need a > > > hand here if anyone wants to chime in. > > > > if you are "inundated" then the best start you can make is to reject as > > much as possible at the MTA. As this is Debian, your MTA is probably > > (but not necessarily) exim. Look at putting in a single well regarded > > block list at the MTA, something like zen.spamhaus.org but do your > > research and find one that /you/ like the look of (block list > > preferences can start flame wars!). Make sure you are rejecting mail at > > the MTA for all unknown recipients and not accepting then bouncing. Set > > up your MTA to throttle incoming mail so it doesnt get overwhelmed or > > let your incoming queue build up uncontrollably. > > > > Visit the MS wiki for tips on how to do this - dig deep, it can be a bit > > tricky to find what you are looking for. Search the archives for good > > links into the wiki. > > > > GREG > > -- > > Greg Matthews 01491 692445 > > Head of UNIX/Linux, iTSS Wallingford > > > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Aug 22 11:52:57 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Aug 22 11:53:01 2007 Subject: DCC not working In-Reply-To: <1187772946.19252.14.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1187772946.19252.14.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <223f97700708220352td47e278k3502befe5fc56e2b@mail.gmail.com> On 22/08/07, Gareth wrote: > I installed DCC and have got to the stage where a debug shows that it is > able to query the servers :- > > | grep dcc > [12550] dbg: dcc: network tests on, registering DCC > [12550] dbg: config: fixed relative path: > /var/lib/spamassassin/3.002003/updates_spamassassin_org/25_dcc.cf > [12550] dbg: config: using > "/var/lib/spamassassin/3.002003/updates_spamassassin_org/25_dcc.cf" for > included file > [12550] dbg: config: read file > /var/lib/spamassassin/3.002003/updates_spamassassin_org/25_dcc.cf > [12550] dbg: dcc: dccifd is not available: no r/w dccifd socket found > [12550] dbg: util: executable for dccproc was found at > /usr/local/bin/dccproc > [12550] dbg: dcc: dccproc is available: /usr/local/bin/dccproc > [12550] dbg: dcc: opening pipe: /usr/local/bin/dccproc -H -x 0 -a > 203.25.170.31 < /tmp/.spamassassin12550Adpfnktmp > [12550] dbg: dcc: got response: X-DCC--Metrics: mailscanner 1114; Body=1 > Fuz1=1 Fuz2=1 > X-DCC-CTc-dcc2-Metrics: gecko.npgx.com.au 1031; Body=0 Fuz1=0 Fuz2=0 > fMHId05XuL20k3PgNVdccAIexF9wrelX4WoQqkZVRwRKBxIuxyjID3j+fcRaSyFJGGEod8EFk2xW > > However I have left it overnight and in the 1000 or so emails I have > received in that time there has not been a single hit. > > Any ideas what could be wrong? > Check that it works for postfix/postfix user. Usual SA test (-t -D < testmessage) should reveal any problems. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From list-mailscanner at linguaphone.com Wed Aug 22 12:10:42 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Aug 22 12:10:56 2007 Subject: DCC not working In-Reply-To: <223f97700708220352td47e278k3502befe5fc56e2b@mail.gmail.com> References: <1187772946.19252.14.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700708220352td47e278k3502befe5fc56e2b@mail.gmail.com> Message-ID: <1187781042.19244.24.camel@gblades-suse.linguaphone-intranet.co.uk> On Wed, 2007-08-22 at 11:52, Glenn Steen wrote: > On 22/08/07, Gareth wrote: > > I installed DCC and have got to the stage where a debug shows that it is > > able to query the servers :- > > > > | grep dcc > > [12550] dbg: dcc: network tests on, registering DCC > > [12550] dbg: config: fixed relative path: > > /var/lib/spamassassin/3.002003/updates_spamassassin_org/25_dcc.cf > > [12550] dbg: config: using > > "/var/lib/spamassassin/3.002003/updates_spamassassin_org/25_dcc.cf" for > > included file > > [12550] dbg: config: read file > > /var/lib/spamassassin/3.002003/updates_spamassassin_org/25_dcc.cf > > [12550] dbg: dcc: dccifd is not available: no r/w dccifd socket found > > [12550] dbg: util: executable for dccproc was found at > > /usr/local/bin/dccproc > > [12550] dbg: dcc: dccproc is available: /usr/local/bin/dccproc > > [12550] dbg: dcc: opening pipe: /usr/local/bin/dccproc -H -x 0 -a > > 203.25.170.31 < /tmp/.spamassassin12550Adpfnktmp > > [12550] dbg: dcc: got response: X-DCC--Metrics: mailscanner 1114; Body=1 > > Fuz1=1 Fuz2=1 > > X-DCC-CTc-dcc2-Metrics: gecko.npgx.com.au 1031; Body=0 Fuz1=0 Fuz2=0 > > fMHId05XuL20k3PgNVdccAIexF9wrelX4WoQqkZVRwRKBxIuxyjID3j+fcRaSyFJGGEod8EFk2xW > > > > However I have left it overnight and in the 1000 or so emails I have > > received in that time there has not been a single hit. > > > > Any ideas what could be wrong? > > > Check that it works for postfix/postfix user. Usual SA test (-t -D < > testmessage) should reveal any problems. I did that and it appears to work and sais it gets back a response from the server as in the earlier post. From glenn.steen at gmail.com Wed Aug 22 12:42:24 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Aug 22 12:42:29 2007 Subject: DCC not working In-Reply-To: <1187781042.19244.24.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1187772946.19252.14.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700708220352td47e278k3502befe5fc56e2b@mail.gmail.com> <1187781042.19244.24.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <223f97700708220442p56bffcc4teaa7b7d0bd498527@mail.gmail.com> On 22/08/07, Gareth wrote: > On Wed, 2007-08-22 at 11:52, Glenn Steen wrote: > > On 22/08/07, Gareth wrote: > > > I installed DCC and have got to the stage where a debug shows that it is > > > able to query the servers :- > > > > > > | grep dcc > > > [12550] dbg: dcc: network tests on, registering DCC > > > [12550] dbg: config: fixed relative path: > > > /var/lib/spamassassin/3.002003/updates_spamassassin_org/25_dcc.cf > > > [12550] dbg: config: using > > > "/var/lib/spamassassin/3.002003/updates_spamassassin_org/25_dcc.cf" for > > > included file > > > [12550] dbg: config: read file > > > /var/lib/spamassassin/3.002003/updates_spamassassin_org/25_dcc.cf > > > [12550] dbg: dcc: dccifd is not available: no r/w dccifd socket found > > > [12550] dbg: util: executable for dccproc was found at > > > /usr/local/bin/dccproc > > > [12550] dbg: dcc: dccproc is available: /usr/local/bin/dccproc > > > [12550] dbg: dcc: opening pipe: /usr/local/bin/dccproc -H -x 0 -a > > > 203.25.170.31 < /tmp/.spamassassin12550Adpfnktmp > > > [12550] dbg: dcc: got response: X-DCC--Metrics: mailscanner 1114; Body=1 > > > Fuz1=1 Fuz2=1 > > > X-DCC-CTc-dcc2-Metrics: gecko.npgx.com.au 1031; Body=0 Fuz1=0 Fuz2=0 > > > fMHId05XuL20k3PgNVdccAIexF9wrelX4WoQqkZVRwRKBxIuxyjID3j+fcRaSyFJGGEod8EFk2xW > > > > > > However I have left it overnight and in the 1000 or so emails I have > > > received in that time there has not been a single hit. > > > > > > Any ideas what could be wrong? > > > > > Check that it works for postfix/postfix user. Usual SA test (-t -D < > > testmessage) should reveal any problems. > > I did that and it appears to work and sais it gets back a response from > the server as in the earlier post. > If so, did any of the 1000 messages get detected by any other digest check (razor or pyzor)? If you use MailWatch (which I think you do) you should easily be able to check the spamreport field for any mention of DCC... Isuppose this is how you determined that it didn't work? Might just be a question of ... patience;-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From list-mailscanner at linguaphone.com Wed Aug 22 12:53:07 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Aug 22 12:53:20 2007 Subject: DCC not working In-Reply-To: <223f97700708220442p56bffcc4teaa7b7d0bd498527@mail.gmail.com> References: <1187772946.19252.14.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700708220352td47e278k3502befe5fc56e2b@mail.gmail.com> <1187781042.19244.24.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700708220442p56bffcc4teaa7b7d0bd498527@mail.gmail.com> Message-ID: <1187783586.19250.30.camel@gblades-suse.linguaphone-intranet.co.uk> On Wed, 2007-08-22 at 12:42, Glenn Steen wrote: > If so, did any of the 1000 messages get detected by any other digest > check (razor or pyzor)? > If you use MailWatch (which I think you do) you should easily be able > to check the spamreport field for any mention of DCC... Isuppose this > is how you determined that it didn't work? Might just be a question of > ... patience;-) Yes Razor and Pyzor regularly detect spam. The mailwatch spamreport field has no mention of DCC in the 500 spams I have received since DCC appeared to start working. Even Fuzzy OCR had 39 matches in that timeframe and I would expect far better of DCC. From maillists at conactive.com Wed Aug 22 13:31:25 2007 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Aug 22 13:31:30 2007 Subject: Whitelists and Fuzzy In-Reply-To: <5CD3BFF77DFFD411BCD100D0B720F945047588D2@probe.britaxpmg.com> References: <5CD3BFF77DFFD411BCD100D0B720F945047588D2@probe.britaxpmg.com> Message-ID: Jeramy Eling wrote on Wed, 22 Aug 2007 11:35:24 +0100: > I have checked the W/L this morning by ading an address to it to *which* whitelist? Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From Jeramy.Eling at britax-pmg.com Wed Aug 22 13:44:29 2007 From: Jeramy.Eling at britax-pmg.com (Jeramy Eling) Date: Wed Aug 22 13:44:35 2007 Subject: Whitelists and Fuzzy Message-ID: <5CD3BFF77DFFD411BCD100D0B720F94503C4E5E8@probe.britaxpmg.com> The Whitelist which is within the Mailwatch interface 'Is Definitely Not Spam'. -----Original Message----- From: Kai Schaetzl [mailto:maillists@conactive.com] Sent: 22 August 2007 13:31 To: mailscanner@lists.mailscanner.info Subject: Re: Whitelists and Fuzzy Jeramy Eling wrote on Wed, 22 Aug 2007 11:35:24 +0100: > I have checked the W/L this morning by ading an address to it to *which* whitelist? Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ryanw at falsehope.com Wed Aug 22 13:47:18 2007 From: ryanw at falsehope.com (Ryan Weaver) Date: Wed Aug 22 13:47:29 2007 Subject: ClamAV & Sanesecurity & Spamassassin In-Reply-To: References: <5CD3BFF77DFFD411BCD100D0B720F945047588D2@probe.britaxpmg.com> Message-ID: <000e01c7e4ba$94ad3de0$be07b9a0$@com> Hi, I've looked around but have not been able to find an answer sufficient for me to implement. Is it possible to use the Sanesecurity definitions for ClamAV only via the Spamassassin plugin (i.e. use normal ClamAV Virus definitions for the virus scan, then use only the Sanesecurity definitions with the Spamassassin plugin)? I ask this because I am using the Vispan setup to auto block persistent virus / spam sources, however the Sanesecurity definitions make the initial virus scan return the phishing/spam as a virus hit. This is not completely bad because they are getting caught and blocked, but it would be more sanitary for them to be marked as spam instead of virus. Thanks, Ryan From Denis.Beauchemin at USherbrooke.ca Wed Aug 22 13:47:23 2007 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Wed Aug 22 13:47:55 2007 Subject: Whitelists and Fuzzy In-Reply-To: <5CD3BFF77DFFD411BCD100D0B720F94503C4E5E6@probe.britaxpmg.com> References: <5CD3BFF77DFFD411BCD100D0B720F94503C4E5E6@probe.britaxpmg.com> Message-ID: <46CC305B.2060405@USherbrooke.ca> Jeramy Eling a ?crit : > Hi Martin > > A little bit of background, I have MailWatch running and I've got this > integrated to do the White and Black listing from within Mailwatch, so > as far as the config is concerned it's 'Is Definitely Not Spam' and 'Is > Definitely Spam', additionally I have one running to allow certain > emails with forms through as well. If I look at the email in the > quarantine it shows a score of 5.00 and a matching rule of > 'FUZZY_OCR_KNOWN_HASH'. > > Cheers > > Jez > > > -----Original Message----- > From: Martin.Hepworth [mailto:martinh@solidstatelogic.com] > Sent: 22 August 2007 09:06 > To: MailScanner discussion > Subject: RE: Whitelists and Fuzzy > > Jez > > Which whitelist did you use - there are several? I wonder why FuzzyOCR > is triggering on this guys signature, a graphic signature (however > misguided) is quite common. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Jeramy Eling >> Sent: 22 August 2007 09:00 >> To: mailscanner@lists.mailscanner.info >> Subject: Whitelists and Fuzzy >> >> Hi All, >> >> I have an issue with my MailScanner setup blocking a particular email >> as the guy has a image as a signature, Fuzzy sees this and cranks the >> score up. I have the same problem with someone's sig that triggers on "cialis" even though the pic says "social services". On another occasion I reported a bug on the wiki and never got any feedback. I am thinking about dropping this plugin... Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From clacroix at cegep-ste-foy.qc.ca Wed Aug 22 14:15:59 2007 From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix) Date: Wed Aug 22 14:16:07 2007 Subject: Whitelists and Fuzzy In-Reply-To: <46CC305B.2060405@USherbrooke.ca> References: <5CD3BFF77DFFD411BCD100D0B720F94503C4E5E6@probe.britaxpmg.com> <46CC305B.2060405@USherbrooke.ca> Message-ID: <200708220915.59903.clacroix@cegep-ste-foy.qc.ca> On Wednesday 22 August 2007 08:47, Denis Beauchemin wrote: > Jeramy Eling a ?crit : > > Hi Martin > > > > A little bit of background, I have MailWatch running and I've got this > > integrated to do the White and Black listing from within Mailwatch, so > > as far as the config is concerned it's 'Is Definitely Not Spam' and 'Is > > Definitely Spam', additionally I have one running to allow certain > > emails with forms through as well. If I look at the email in the > > quarantine it shows a score of 5.00 and a matching rule of > > 'FUZZY_OCR_KNOWN_HASH'. > > > > Cheers > > > > Jez > > > > > > -----Original Message----- > > From: Martin.Hepworth [mailto:martinh@solidstatelogic.com] > > Sent: 22 August 2007 09:06 > > To: MailScanner discussion > > Subject: RE: Whitelists and Fuzzy > > > > Jez > > > > Which whitelist did you use - there are several? I wonder why FuzzyOCR > > is triggering on this guys signature, a graphic signature (however > > misguided) is quite common. > > > > -- > > Martin Hepworth > > Snr Systems Administrator > > Solid State Logic > > Tel: +44 (0)1865 842300 > > > >> -----Original Message----- > >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > >> bounces@lists.mailscanner.info] On Behalf Of Jeramy Eling > >> Sent: 22 August 2007 09:00 > >> To: mailscanner@lists.mailscanner.info > >> Subject: Whitelists and Fuzzy > >> > >> Hi All, > >> > >> I have an issue with my MailScanner setup blocking a particular email > >> as the guy has a image as a signature, Fuzzy sees this and cranks the > >> score up. > > I have the same problem with someone's sig that triggers on "cialis" > even though the pic says "social services". On another occasion I > reported a bug on the wiki and never got any feedback. I am thinking > about dropping this plugin... > > Denis > > -- > _ > ?v? Denis Beauchemin, analyste > /(_)\ Universit? de Sherbrooke, S.T.I. > ^ ^ T: 819.821.8000x62252 F: 819.821.8045 I tried Fuzzy OCR for a while, and i had the same problem with images signatures. They trigger on pretty much anything in an unpredictable way :) -- Charles Lacroix, Administrateur UNIX. Service des t?l?communications et des technologies C?gep de Sainte-Foy (418) 659-6600 # 4266 From MailScanner at ecs.soton.ac.uk Wed Aug 22 14:18:14 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 22 14:18:38 2007 Subject: ClamAV & Sanesecurity & Spamassassin In-Reply-To: <000e01c7e4ba$94ad3de0$be07b9a0$@com> References: <5CD3BFF77DFFD411BCD100D0B720F945047588D2@probe.britaxpmg.com> <000e01c7e4ba$94ad3de0$be07b9a0$@com> Message-ID: <46CC3796.8090201@ecs.soton.ac.uk> The problem is that SpamAssassin doesn't call ClamAV, for which their signatures are designed. So it can't be done as far as I can see, sorry. Ryan Weaver wrote: > Hi, > > I've looked around but have not been able to find an answer sufficient for > me to implement. > > Is it possible to use the Sanesecurity definitions for ClamAV only via the > Spamassassin plugin (i.e. use normal ClamAV Virus definitions for the virus > scan, then use only the Sanesecurity definitions with the Spamassassin > plugin)? > > I ask this because I am using the Vispan setup to auto block persistent > virus / spam sources, however the Sanesecurity definitions make the initial > virus scan return the phishing/spam as a virus hit. This is not completely > bad because they are getting caught and blocked, but it would be more > sanitary for them to be marked as spam instead of virus. > > Thanks, > Ryan > > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From list-mailscanner at linguaphone.com Wed Aug 22 14:36:36 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Aug 22 14:36:47 2007 Subject: ClamAV & Sanesecurity & Spamassassin In-Reply-To: <000e01c7e4ba$94ad3de0$be07b9a0$@com> References: <5CD3BFF77DFFD411BCD100D0B720F945047588D2@probe.britaxpmg.com> <000e01c7e4ba$94ad3de0$be07b9a0$@com> Message-ID: <1187789796.19248.32.camel@gblades-suse.linguaphone-intranet.co.uk> It should be possible. You would need to somehow stop the clamav that mailscanner runs from using the sanesecurity signatures. Then you could configure http://wiki.apache.org/spamassassin/ClamAVPlugin with spamassassin. On Wed, 2007-08-22 at 13:47, Ryan Weaver wrote: > Hi, > > I've looked around but have not been able to find an answer sufficient for > me to implement. > > Is it possible to use the Sanesecurity definitions for ClamAV only via the > Spamassassin plugin (i.e. use normal ClamAV Virus definitions for the virus > scan, then use only the Sanesecurity definitions with the Spamassassin > plugin)? > > I ask this because I am using the Vispan setup to auto block persistent > virus / spam sources, however the Sanesecurity definitions make the initial > virus scan return the phishing/spam as a virus hit. This is not completely > bad because they are getting caught and blocked, but it would be more > sanitary for them to be marked as spam instead of virus. > > Thanks, > Ryan From john at tradoc.fr Wed Aug 22 14:54:36 2007 From: john at tradoc.fr (John Wilcock) Date: Wed Aug 22 14:54:44 2007 Subject: ClamAV & Sanesecurity & Spamassassin In-Reply-To: <46CC3796.8090201@ecs.soton.ac.uk> References: <5CD3BFF77DFFD411BCD100D0B720F945047588D2@probe.britaxpmg.com> <000e01c7e4ba$94ad3de0$be07b9a0$@com> <46CC3796.8090201@ecs.soton.ac.uk> Message-ID: <46CC401C.7000108@tradoc.fr> Julian Field wrote: > The problem is that SpamAssassin doesn't call ClamAV, for which their > signatures are designed. So it can't be done as far as I can see, sorry. I suspect Ryan was thinking of using http://wiki.apache.org/spamassassin/ClamAVPlugin to achieve his suggestion. John. -- -- Over 3000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From MailScanner at ecs.soton.ac.uk Wed Aug 22 14:58:58 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 22 14:59:13 2007 Subject: ClamAV & Sanesecurity & Spamassassin In-Reply-To: <1187789796.19248.32.camel@gblades-suse.linguaphone-intranet.co.uk> References: <5CD3BFF77DFFD411BCD100D0B720F945047588D2@probe.britaxpmg.com> <000e01c7e4ba$94ad3de0$be07b9a0$@com> <1187789796.19248.32.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <46CC4122.2000306@ecs.soton.ac.uk> Didn't realise you could do this. I don't know of any command-line switches for ClamAV that tell it what signature databases to use, but what do I know :-) Gareth wrote: > It should be possible. You would need to somehow stop the clamav that > mailscanner runs from using the sanesecurity signatures. > > Then you could configure > http://wiki.apache.org/spamassassin/ClamAVPlugin with spamassassin. > > On Wed, 2007-08-22 at 13:47, Ryan Weaver wrote: > >> Hi, >> >> I've looked around but have not been able to find an answer sufficient for >> me to implement. >> >> Is it possible to use the Sanesecurity definitions for ClamAV only via the >> Spamassassin plugin (i.e. use normal ClamAV Virus definitions for the virus >> scan, then use only the Sanesecurity definitions with the Spamassassin >> plugin)? >> >> I ask this because I am using the Vispan setup to auto block persistent >> virus / spam sources, however the Sanesecurity definitions make the initial >> virus scan return the phishing/spam as a virus hit. This is not completely >> bad because they are getting caught and blocked, but it would be more >> sanitary for them to be marked as spam instead of virus. >> >> Thanks, >> Ryan >> > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From list-mailscanner at linguaphone.com Wed Aug 22 15:16:11 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Aug 22 15:16:20 2007 Subject: ClamAV & Sanesecurity & Spamassassin In-Reply-To: <46CC4122.2000306@ecs.soton.ac.uk> References: <5CD3BFF77DFFD411BCD100D0B720F945047588D2@probe.britaxpmg.com> <000e01c7e4ba$94ad3de0$be07b9a0$@com> <1187789796.19248.32.camel@gblades-suse.linguaphone-intranet.co.uk> <46CC4122.2000306@ecs.soton.ac.uk> Message-ID: <1187792171.19250.40.camel@gblades-suse.linguaphone-intranet.co.uk> No I was thinking you might have to have two copies of clamav installed with one of them compiled to store its signatures in a different location. You could symlink the main signatures so both installs can see them and mailscanners update works correctly. You could have mailscanner use clamavmodule as it will have most issues with paths etc... You could have clamd started from the 2nd copy which can also see the sanesecurity signatures. The spamassassin plugin looks like it uses a tcpip socket to clamd so it should not be too bad keeping them both separate. On Wed, 2007-08-22 at 14:58, Julian Field wrote: > Didn't realise you could do this. > I don't know of any command-line switches for ClamAV that tell it what > signature databases to use, but what do I know :-) > > Gareth wrote: > > It should be possible. You would need to somehow stop the clamav that > > mailscanner runs from using the sanesecurity signatures. > > > > Then you could configure > > http://wiki.apache.org/spamassassin/ClamAVPlugin with spamassassin. > > > > On Wed, 2007-08-22 at 13:47, Ryan Weaver wrote: > > > >> Hi, > >> > >> I've looked around but have not been able to find an answer sufficient for > >> me to implement. > >> > >> Is it possible to use the Sanesecurity definitions for ClamAV only via the > >> Spamassassin plugin (i.e. use normal ClamAV Virus definitions for the virus > >> scan, then use only the Sanesecurity definitions with the Spamassassin > >> plugin)? > >> > >> I ask this because I am using the Vispan setup to auto block persistent > >> virus / spam sources, however the Sanesecurity definitions make the initial > >> virus scan return the phishing/spam as a virus hit. This is not completely > >> bad because they are getting caught and blocked, but it would be more > >> sanitary for them to be marked as spam instead of virus. > >> > >> Thanks, > >> Ryan > >> > > > > > > Jules > > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk From maillists at conactive.com Wed Aug 22 15:22:15 2007 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Aug 22 15:22:18 2007 Subject: Whitelists and Fuzzy In-Reply-To: <5CD3BFF77DFFD411BCD100D0B720F94503C4E5E8@probe.britaxpmg.com> References: <5CD3BFF77DFFD411BCD100D0B720F94503C4E5E8@probe.britaxpmg.com> Message-ID: Jeramy Eling wrote on Wed, 22 Aug 2007 13:44:29 +0100: > The Whitelist which is within the Mailwatch interface 'Is Definitely Not Spam'. I do not have such an option in my Mailwatch, I know only "Add to Whitelist". There are at least two different ways that this whitelisting is used. If you use the wrong one it's bound to fail, of course, as it won't match. Does your test message (the detected one) gets marked as W/L and green in Mailwatch? Does the same happen for your problem messages? A message that is detected by the MS whitelist will be green, marked as W/L and will not have any SA hits shown. As you see SA hits that means it is not on the MS whitelist, probably because it contains the wrong values for matching (see above). What value does Mailwatch show under Lists in Mailwatch when you whitelist that problem message? And is this a value that could match your problem messages? Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Wed Aug 22 15:22:15 2007 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Aug 22 15:22:22 2007 Subject: ClamAV & Sanesecurity & Spamassassin In-Reply-To: <000e01c7e4ba$94ad3de0$be07b9a0$@com> References: <5CD3BFF77DFFD411BCD100D0B720F945047588D2@probe.britaxpmg.com> <000e01c7e4ba$94ad3de0$be07b9a0$@com> Message-ID: Sigh. *Please*, do not create new messages to a list by hitting reply. If you want to post a question hit "New message" in your mail client. Thanks. Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From Jeramy.Eling at britax-pmg.com Wed Aug 22 15:32:52 2007 From: Jeramy.Eling at britax-pmg.com (Jeramy Eling) Date: Wed Aug 22 15:32:54 2007 Subject: Whitelists and Fuzzy Message-ID: <5CD3BFF77DFFD411BCD100D0B720F945047588D5@probe.britaxpmg.com> The address was added to the whitelist via the 'Lists' link at the top of MailWatch, this updates the 'Is Definitly Not Spam' configuration within MailScanner, which in the config is set to an SQL function. The message does indeed come through as W/Listed and highlighted in Green on the display, however it has still been hit by the SA rules. Jez -----Original Message----- From: Kai Schaetzl [mailto:maillists@conactive.com] Sent: 22 August 2007 15:22 To: mailscanner@lists.mailscanner.info Subject: Re: Whitelists and Fuzzy Jeramy Eling wrote on Wed, 22 Aug 2007 13:44:29 +0100: > The Whitelist which is within the Mailwatch interface 'Is Definitely Not Spam'. I do not have such an option in my Mailwatch, I know only "Add to Whitelist". There are at least two different ways that this whitelisting is used. If you use the wrong one it's bound to fail, of course, as it won't match. Does your test message (the detected one) gets marked as W/L and green in Mailwatch? Does the same happen for your problem messages? A message that is detected by the MS whitelist will be green, marked as W/L and will not have any SA hits shown. As you see SA hits that means it is not on the MS whitelist, probably because it contains the wrong values for matching (see above). What value does Mailwatch show under Lists in Mailwatch when you whitelist that problem message? And is this a value that could match your problem messages? Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From list-mailscanner at linguaphone.com Wed Aug 22 15:38:20 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Aug 22 15:38:28 2007 Subject: Whitelists and Fuzzy In-Reply-To: <5CD3BFF77DFFD411BCD100D0B720F945047588D5@probe.britaxpmg.com> References: <5CD3BFF77DFFD411BCD100D0B720F945047588D5@probe.britaxpmg.com> Message-ID: <1187793500.19246.46.camel@gblades-suse.linguaphone-intranet.co.uk> Yes spamassassin is still run against the rules so at least you can see what the score is. However if it is whitelisted then it is never classed as spam by mailscanner. On my mailscanner any whitelisted messages just shows 'whitelisted' where the spamassassin rules are normally listed so although I can see what the score was I cannot tell which specific rules were matched. Is that what you get? On Wed, 2007-08-22 at 15:32, Jeramy Eling wrote: > The address was added to the whitelist via the 'Lists' link at the top of MailWatch, this updates the 'Is Definitly Not Spam' configuration within MailScanner, which in the config is set to an SQL function. > > The message does indeed come through as W/Listed and highlighted in Green on the display, however it has still been hit by the SA rules. > > Jez > > -----Original Message----- > From: Kai Schaetzl [mailto:maillists@conactive.com] > Sent: 22 August 2007 15:22 > To: mailscanner@lists.mailscanner.info > Subject: Re: Whitelists and Fuzzy > > Jeramy Eling wrote on Wed, 22 Aug 2007 13:44:29 +0100: > > > The Whitelist which is within the Mailwatch interface 'Is Definitely Not Spam'. > > I do not have such an option in my Mailwatch, I know only "Add to Whitelist". > There are at least two different ways that this whitelisting is used. If you use the wrong one it's bound to fail, of course, as it won't match. > > Does your test message (the detected one) gets marked as W/L and green in Mailwatch? Does the same happen for your problem messages? A message that is detected by the MS whitelist will be green, marked as W/L and will not have any SA hits shown. As you see SA hits that means it is not on the MS whitelist, probably because it contains the wrong values for matching (see above). What value does Mailwatch show under Lists in Mailwatch when you whitelist that problem message? And is this a value that could match your problem messages? > > Kai > > -- > Kai Sch?tzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From ryanw at falsehope.com Wed Aug 22 15:43:47 2007 From: ryanw at falsehope.com (Ryan Weaver) Date: Wed Aug 22 15:43:55 2007 Subject: ClamAV & Sanesecurity & Spamassassin In-Reply-To: References: <5CD3BFF77DFFD411BCD100D0B720F945047588D2@probe.britaxpmg.com> <000e01c7e4ba$94ad3de0$be07b9a0$@com> Message-ID: <001401c7e4ca$d970bf00$8c523d00$@com> Since you've given no reasons I assume this would be because your personal preference is to view your e-mail in threads and the 'reply' inserts this topic as a take-over into your thread based viewing system. Sorry, I didn't think about that, my bad... Thanks, Ryan -----Original Message----- From: On Behalf Of Kai Schaetzl Sigh. *Please*, do not create new messages to a list by hitting reply. If you want to post a question hit "New message" in your mail client. Thanks. Kai From Jeramy.Eling at britax-pmg.com Wed Aug 22 15:46:24 2007 From: Jeramy.Eling at britax-pmg.com (Jeramy Eling) Date: Wed Aug 22 15:46:26 2007 Subject: Whitelists and Fuzzy Message-ID: <5CD3BFF77DFFD411BCD100D0B720F945047588D6@probe.britaxpmg.com> I've just checked and it would appear to be my inability to read the screen ;) It seems that the test email with image attached is whitelisted, however it's been blocked as it's a BMP and MailScanner stops those to prevent possible buffer overflows. DOH!!! Sorry for going round and round on this one. Thanks all for your help Cheers Jez -----Original Message----- From: Gareth [mailto:list-mailscanner@linguaphone.com] Sent: 22 August 2007 15:38 To: MailScanner discussion Subject: RE: Whitelists and Fuzzy Yes spamassassin is still run against the rules so at least you can see what the score is. However if it is whitelisted then it is never classed as spam by mailscanner. On my mailscanner any whitelisted messages just shows 'whitelisted' where the spamassassin rules are normally listed so although I can see what the score was I cannot tell which specific rules were matched. Is that what you get? On Wed, 2007-08-22 at 15:32, Jeramy Eling wrote: > The address was added to the whitelist via the 'Lists' link at the top of MailWatch, this updates the 'Is Definitly Not Spam' configuration within MailScanner, which in the config is set to an SQL function. > > The message does indeed come through as W/Listed and highlighted in Green on the display, however it has still been hit by the SA rules. > > Jez > > -----Original Message----- > From: Kai Schaetzl [mailto:maillists@conactive.com] > Sent: 22 August 2007 15:22 > To: mailscanner@lists.mailscanner.info > Subject: Re: Whitelists and Fuzzy > > Jeramy Eling wrote on Wed, 22 Aug 2007 13:44:29 +0100: > > > The Whitelist which is within the Mailwatch interface 'Is Definitely Not Spam'. > > I do not have such an option in my Mailwatch, I know only "Add to Whitelist". > There are at least two different ways that this whitelisting is used. If you use the wrong one it's bound to fail, of course, as it won't match. > > Does your test message (the detected one) gets marked as W/L and green in Mailwatch? Does the same happen for your problem messages? A message that is detected by the MS whitelist will be green, marked as W/L and will not have any SA hits shown. As you see SA hits that means it is not on the MS whitelist, probably because it contains the wrong values for matching (see above). What value does Mailwatch show under Lists in Mailwatch when you whitelist that problem message? And is this a value that could match your problem messages? > > Kai > > -- > Kai Sch?tzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From martinh at solidstatelogic.com Wed Aug 22 15:53:56 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Aug 22 15:54:02 2007 Subject: Whitelists and Fuzzy In-Reply-To: <5CD3BFF77DFFD411BCD100D0B720F945047588D6@probe.britaxpmg.com> Message-ID: <703a19a9f4570747aa0d6f7eb7a9b3cd@solidstatelogic.com> Jez Must have old version of maiLScanner - .bmp hasn't been blocked by default for a while -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Jeramy Eling > Sent: 22 August 2007 15:46 > To: MailScanner discussion > Subject: RE: Whitelists and Fuzzy > > I've just checked and it would appear to be my inability to read the > screen ;) It seems that the test email with image attached is whitelisted, > however it's been blocked as it's a BMP and MailScanner stops those to > prevent possible buffer overflows. DOH!!! > > Sorry for going round and round on this one. > > Thanks all for your help > > Cheers > > Jez > > > > -----Original Message----- > From: Gareth [mailto:list-mailscanner@linguaphone.com] > Sent: 22 August 2007 15:38 > To: MailScanner discussion > Subject: RE: Whitelists and Fuzzy > > Yes spamassassin is still run against the rules so at least you can see > what the score is. However if it is whitelisted then it is never classed > as spam by mailscanner. On my mailscanner any whitelisted messages just > shows 'whitelisted' where the spamassassin rules are normally listed so > although I can see what the score was I cannot tell which specific rules > were matched. > > Is that what you get? > > > On Wed, 2007-08-22 at 15:32, Jeramy Eling wrote: > > The address was added to the whitelist via the 'Lists' link at the top > of MailWatch, this updates the 'Is Definitly Not Spam' configuration > within MailScanner, which in the config is set to an SQL function. > > > > The message does indeed come through as W/Listed and highlighted in > Green on the display, however it has still been hit by the SA rules. > > > > Jez > > > > -----Original Message----- > > From: Kai Schaetzl [mailto:maillists@conactive.com] > > Sent: 22 August 2007 15:22 > > To: mailscanner@lists.mailscanner.info > > Subject: Re: Whitelists and Fuzzy > > > > Jeramy Eling wrote on Wed, 22 Aug 2007 13:44:29 +0100: > > > > > The Whitelist which is within the Mailwatch interface 'Is Definitely > Not Spam'. > > > > I do not have such an option in my Mailwatch, I know only "Add to > Whitelist". > > There are at least two different ways that this whitelisting is used. If > you use the wrong one it's bound to fail, of course, as it won't match. > > > > Does your test message (the detected one) gets marked as W/L and green > in Mailwatch? Does the same happen for your problem messages? A message > that is detected by the MS whitelist will be green, marked as W/L and will > not have any SA hits shown. As you see SA hits that means it is not on the > MS whitelist, probably because it contains the wrong values for matching > (see above). What value does Mailwatch show under Lists in Mailwatch when > you whitelist that problem message? And is this a value that could match > your problem messages? > > > > Kai > > > > -- > > Kai Sch?tzl, Berlin, Germany > > Get your web at Conactive Internet Services: http://www.conactive.com > > > > > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From sandrews at andrewscompanies.com Wed Aug 22 16:09:25 2007 From: sandrews at andrewscompanies.com (Steven Andrews) Date: Wed Aug 22 16:09:31 2007 Subject: CRM114 Problem In-Reply-To: <50678FBB708A9B4FB6B536F6F657883D028E9530@exch-gman.ad.goodmanmfg.com> References: <224FA7E11EA39E45843E11CEBBD3A36F189A80@HOUPEX01.nfsmith.info><50678FBB708A9B4FB6B536F6F657883D028E9528@exch-gman.ad.goodmanmfg.com><1964AAFBC212F742958F9275BF63DBB05B3D63@winchester.andrewscompanies.com> <50678FBB708A9B4FB6B536F6F657883D028E9530@exch-gman.ad.goodmanmfg.com> Message-ID: <1964AAFBC212F742958F9275BF63DBB05B3D80@winchester.andrewscompanies.com> I think I'm going to have to give up and rebuild my box...even this didn't fix mine. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Horton, Robert Sent: Tuesday, August 21, 2007 3:34 PM To: MailScanner discussion Subject: RE: CRM114 Problem I didn't use the RPMs and made up my own method. I'm using RHEL 5 to test CRM right now. My install was based off the wiki and the emails in this list. I downloaded http://crm114.sourceforge.net/tarballs/crm114-20070428-BlameSpamConf.src.tar.gz and http://laurikari.net/tre/tre-0.7.5.tar.gz And ran the following commands: tar -zxvf tre-0.7.5.tar.gz cd tre-0.7.5 ./configure --enable-static make make check make install cd .. tar -zxvf crm114-20070428-BlameSpamConf.src.tar.gz cd crm114-20070428-BlameSpamConf.src make make megatest make install cd .. Then I created the /etc/mail/spamassassin/crm114 and grabbed the 2 files from Martin Sch?tte. When creating the crm114 directory I grabbed files from the downloaded crm114-20070428-BlameSpamConf.src directory. The resulting crm114 directory contained the following before startup. -rw-r--r-- 1 root root 0 Aug 20 22:03 blacklist.mfp -rwxr-xr-x 1 root root 17426 Aug 20 22:36 mailfilter.cf -rwxr-xr-x 1 root root 44537 Aug 20 22:02 mailfilter.crm -rwxr-xr-x 1 root root 14511 Aug 20 22:02 maillib.crm -rwxr-xr-x 1 root root 22677 Aug 20 22:02 mailreaver.crm -rwxr-xr-x 1 root root 37621 Aug 20 22:02 mailtrainer.crm -rw-r--r-- 1 root root 12582924 Aug 20 21:59 nonspam.css -rw-r--r-- 1 root root 49 Aug 20 22:03 priolist.mfp -rw-r--r-- 1 root root 0 Aug 20 22:03 rewrites.mfp -rwxr-xr-x 1 root root 6924 Aug 21 14:03 shuffle.crm -rw-r--r-- 1 root root 12582924 Aug 20 21:59 spam.css -rw-r--r-- 1 root root 0 Aug 20 22:03 whitelist.mfp One thing to note is I included shuffle.crm because it was referenced in the cf files. I don't know if it matters or if it's different in the RPM versions. I modified the .cf files as the wiki said. When you first do the lint test you will get the 0.00 score because the nonspam.css and spam.css are new. It stays this way until you start learning which was the original problem for me since the messages were not being learned. -Robert -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steven Andrews Sent: Tuesday, August 21, 2007 12:15 PM To: MailScanner discussion Subject: RE: CRM114 Problem Got the updated files from mschuette.name according to the wiki and it is incremented for your changes; unfortunately, it didn't fix for me. Should I be using a different version than the 20073001 rpm? -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Horton, Robert Sent: Tuesday, August 21, 2007 2:14 AM To: MailScanner discussion Subject: RE: CRM114 Problem Are you still having problems with the score at -0.00? I finally installed this evening and had the same problem. I think there is a bug in the crm114.pm (Version: 0.6.4), but what perplexes me is why some people claim its working...the lines I changed should affect everyone. Maybe this code was changed recently. I changed the following 2 lines in the sub call_crm dbg("crm114: opening pipe: $crm114_command < $tmpf"); $pid = Mail::SpamAssassin::Util::helper_app_pipe_open( *CRM_OUT, $tmpf, 1, $crm114_command); to dbg("crm114: opening pipe: $crm114_cmdline < $tmpf"); $pid = Mail::SpamAssassin::Util::helper_app_pipe_open( *CRM_OUT, $tmpf, 1, $crm114_cmdline); Within minutes crm114 started learning emails and no longer had the -0.00 score. You only get this score when you have an empty spam.css and nonspam.css and it doesn't know what to do with the email yet. Hope this helps, Robert Horton -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Kercher Sent: Friday, August 10, 2007 11:13 AM To: MailScanner discussion Subject: CRM114 Problem I added CRM114 to a server last week per the docs in the wiki (and like I've done on several other servers), but the score is always -0.00 [root@mail crm114]# cssutil -b -r spam.css Sparse spectra file spam.css statistics: Total available buckets : 1048577 Total buckets in use : 0 Total in-use zero-count buckets : 0 Total buckets with value >= max : 0 Total hashed datums in file : 0 Documents learned : 15495 Features learned : 1 Average datums per bucket : 0.00 Maximum length of overflow chain : 0 Average length of overflow chain : 0.00 Average packing density : 0.00 [root@mail crm114]# cssutil -b -r nonspam.css Sparse spectra file nonspam.css statistics: Total available buckets : 1048577 Total buckets in use : 0 Total in-use zero-count buckets : 0 Total buckets with value >= max : 0 Total hashed datums in file : 0 Documents learned : 15495 Features learned : 1 Average datums per bucket : 0.00 Maximum length of overflow chain : 0 Average length of overflow chain : 0.00 Average packing density : 0.00 The Features learned hasn't changed in many days. Permissions look good, .crm's are +x Any suggestions where to look? Mike -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! CONFIDENTIALITY NOTE: The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it. Thank you. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! CONFIDENTIALITY NOTE: The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it. Thank you. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From Denis.Beauchemin at USherbrooke.ca Wed Aug 22 16:41:00 2007 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Wed Aug 22 16:41:53 2007 Subject: Full message scan oddity Message-ID: <46CC590C.9020403@USherbrooke.ca> Hello, I just upgraded 2 MS servers to the latest stable and enabled the following option: ClamAV Full Message Scan = yes I sent a virus-infected email and noticed the following: Aug 22 11:16:59 smtpe4 MailScanner[21708]: l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO@mm Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/ Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt Aug 22 11:17:00 smtpe4 MailScanner[21708]: /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt contient le virus W32/Bagle.dldr.gen !!! Aug 22 11:17:00 smtpe4 MailScanner[21708]: /l7MFGi0o022717/01_05_2005.txt contient le virus W32/Bagle.dldr.gen !!! On a different server without this new feature, I get: Aug 22 11:34:31 132.210.244.93 MailScanner[4049]: /l7MFXTYu031455/01_05_2005.txt contient le virus W32/Bagle.dldr.gen !!! Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: l7MFXTYu031455/01_05_2005.txt:infected: Win32.Bagle.BO@mm Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: ClamAVModule::INFECTED:: Worm.Bagle.DK:: ./l7MFXTYu031455/01_05_2005.txt I now get 2 hits from McAfee and ClamAV, but only 1 from Bitdefender... is there a way to pass only the full message to the AV scanners? That way we would get only 1 warning and the server would also be working less. Thanks! Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3595 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070822/7baa5548/smime.bin From MailScanner at ecs.soton.ac.uk Wed Aug 22 17:14:45 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 22 17:15:00 2007 Subject: Full message scan oddity In-Reply-To: <46CC590C.9020403@USherbrooke.ca> References: <46CC590C.9020403@USherbrooke.ca> Message-ID: <46CC60F5.9010101@ecs.soton.ac.uk> Denis Beauchemin wrote: > Hello, > > I just upgraded 2 MS servers to the latest stable and enabled the > following option: > ClamAV Full Message Scan = yes > > I sent a virus-infected email and noticed the following: > Aug 22 11:16:59 smtpe4 MailScanner[21708]: > l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO@mm > Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: > Worm.Bagle.DK:: ./l7MFGi0o022717/ > Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: > Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt > Aug 22 11:17:00 smtpe4 MailScanner[21708]: > /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt contient le > virus W32/Bagle.dldr.gen !!! > Aug 22 11:17:00 smtpe4 MailScanner[21708]: > /l7MFGi0o022717/01_05_2005.txt contient le virus > W32/Bagle.dldr.gen !!! > > On a different server without this new feature, I get: > Aug 22 11:34:31 132.210.244.93 MailScanner[4049]: > /l7MFXTYu031455/01_05_2005.txt contient le virus > W32/Bagle.dldr.gen !!! > Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: > l7MFXTYu031455/01_05_2005.txt:infected: Win32.Bagle.BO@mm > Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: > ClamAVModule::INFECTED:: Worm.Bagle.DK:: ./l7MFXTYu031455/01_05_2005.txt > > I now get 2 hits from McAfee and ClamAV, but only 1 from > Bitdefender... is there a way to pass only the full message to the AV > scanners? That way we would get only 1 warning and the server would > also be working less. I could add a feature to do that, but it sounds a very dangerous thing to do. You are relying on your virus scanners' ability to unpack attachments on its own. As a fraction of the whole process for each message, scanning the attachments as well as the full message is only a tiny part of the time involved. I really wouldn't advise setting up MailScanner to _not_ scan the attachments. Only a few virus scanners can do this anyway. I'm really not keen on adding this feature, it's one which hardly anyone would use and it potentially exposes you to viruses with most virus scanners. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From maillists at conactive.com Wed Aug 22 17:31:21 2007 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Aug 22 17:31:26 2007 Subject: Whitelists and Fuzzy In-Reply-To: <1187793500.19246.46.camel@gblades-suse.linguaphone-intranet.co.uk> References: <5CD3BFF77DFFD411BCD100D0B720F945047588D5@probe.britaxpmg.com> <1187793500.19246.46.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: Gareth wrote on Wed, 22 Aug 2007 15:38:20 +0100: > Yes spamassassin is still run against the rules so at least you can see > what the score is. However if it is whitelisted then it is never classed > as spam by mailscanner. On my mailscanner any whitelisted messages just > shows 'whitelisted' where the spamassassin rules are normally listed so > although I can see what the score was I cannot tell which specific rules > were matched. That is not what I see here for whitelisted messages. The spam score shows as 0.0 and no rules are shown. Is that what you describe new to MS or new to MW? Of course, it could be possible that there are really no hits at all, but I doubt that ... Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From list-mailscanner at linguaphone.com Wed Aug 22 17:48:51 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Aug 22 17:48:54 2007 Subject: Whitelists and Fuzzy In-Reply-To: Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Kai > Schaetzl > Sent: 22 August 2007 17:31 > To: mailscanner@lists.mailscanner.info > Subject: Re: Whitelists and Fuzzy > > > Gareth wrote on Wed, 22 Aug 2007 15:38:20 +0100: > > > Yes spamassassin is still run against the rules so at least you can see > > what the score is. However if it is whitelisted then it is never classed > > as spam by mailscanner. On my mailscanner any whitelisted messages just > > shows 'whitelisted' where the spamassassin rules are normally listed so > > although I can see what the score was I cannot tell which specific rules > > were matched. > > That is not what I see here for whitelisted messages. The spam > score shows > as 0.0 and no rules are shown. Is that what you describe new to MS or new > to MW? Of course, it could be possible that there are really no hits at > all, but I doubt that ... > Mine shows 'whitelisted' where the rules are shown and a mostly non zero spam score. From MailScanner at ecs.soton.ac.uk Wed Aug 22 18:01:20 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 22 18:02:02 2007 Subject: Whitelists and Fuzzy In-Reply-To: References: Message-ID: <46CC6BE0.3030208@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This depends on whether you have Always Include SpamAssassin Report or not. Setting that to yes will cause SpamAssassin to be done regardless of anything else, which is a bit of a waste of time and CPU. I always leave it set to no, as I better uses for the horsepower :-) Gareth wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Kai >> Schaetzl >> Sent: 22 August 2007 17:31 >> To: mailscanner@lists.mailscanner.info >> Subject: Re: Whitelists and Fuzzy >> >> >> Gareth wrote on Wed, 22 Aug 2007 15:38:20 +0100: >> >> >>> Yes spamassassin is still run against the rules so at least you can see >>> what the score is. However if it is whitelisted then it is never classed >>> as spam by mailscanner. On my mailscanner any whitelisted messages just >>> shows 'whitelisted' where the spamassassin rules are normally listed so >>> although I can see what the score was I cannot tell which specific rules >>> were matched. >>> >> That is not what I see here for whitelisted messages. The spam >> score shows >> as 0.0 and no rules are shown. Is that what you describe new to MS or new >> to MW? Of course, it could be possible that there are really no hits at >> all, but I doubt that ... >> >> > > Mine shows 'whitelisted' where the rules are shown and a mostly non zero > spam score. > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Charset: ISO-8859-1 wj8DBQFGzGvhEfZZRxQVtlQRAoleAKDY4UrmYrdxD8tGDqspoV790RszPQCfUbff O+knzWXjeGnTpF+zVHwlIK4= =xUdT -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From rcooper at dwford.com Wed Aug 22 18:05:21 2007 From: rcooper at dwford.com (Rick Cooper) Date: Wed Aug 22 18:05:27 2007 Subject: ClamAV & Sanesecurity & Spamassassin In-Reply-To: <1187792171.19250.40.camel@gblades-suse.linguaphone-intranet.co.uk> References: <5CD3BFF77DFFD411BCD100D0B720F945047588D2@probe.britaxpmg.com><000e01c7e4ba$94ad3de0$be07b9a0$@com><1187789796.19248.32.camel@gblades-suse.linguaphone-intranet.co.uk><46CC4122.2000306@ecs.soton.ac.uk> <1187792171.19250.40.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <005501c7e4de$a01a0180$0301a8c0@SAHOMELT> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Gareth > Sent: Wednesday, August 22, 2007 10:16 AM > To: MailScanner discussion > Subject: Re: ClamAV & Sanesecurity & Spamassassin > > No I was thinking you might have to have two copies of > clamav installed > with one of them compiled to store its signatures in a different > location. > You could symlink the main signatures so both installs can > see them and > mailscanners update works correctly. You could have mailscanner use > clamavmodule as it will have most issues with paths etc... > You could have clamd started from the 2nd copy which can also see the > sanesecurity signatures. The spamassassin plugin looks like it uses a > tcpip socket to clamd so it should not be too bad keeping them both > separate. [...] You only need one clamav installation, you need to setup a special clam database (example: /opt/clamdSane) directory with symlinks to the db files you want to use with in the special clam db dir. MSRBL-Images.hdb -> /usr/local/share/clamav/MSRBL-Images.hdb MSRBL-SPAM.ndb -> /usr/local/share/clamav/MSRBL-SPAM.ndb phish.ndb -> /usr/local/share/clamav/phish.ndb scam.ndb -> /usr/local/share/clamav/scam.ndb Next create a new clamd.conf line clamdSane.conf and change the DatabaseDirectory, TCPSocket (say 3311), and PidFile settings to something other than the default like DatabaseDirectory /opt/SaneDataBase TCPSocket 3311 PidFile /var/run/clamdSane.pid Start your second daemon : clamd --config-file=/path/clamdSane.conf And change this line in clamAV.pm (the plugin) my $clamav = new File::Scan::ClamAV(port => 3310); To my $clamav = new File::Scan::ClamAV(port => 3311); Now clamd should only see the SaneSecurity sigs when processed via the SpamAssassin ClamAV plugin Set your rules as desired Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maillists at conactive.com Wed Aug 22 18:31:24 2007 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Aug 22 18:31:27 2007 Subject: ClamAV & Sanesecurity & Spamassassin In-Reply-To: <001401c7e4ca$d970bf00$8c523d00$@com> References: <5CD3BFF77DFFD411BCD100D0B720F945047588D2@probe.britaxpmg.com> <000e01c7e4ba$94ad3de0$be07b9a0$@com> <001401c7e4ca$d970bf00$8c523d00$@com> Message-ID: Ryan Weaver wrote on Wed, 22 Aug 2007 09:43:47 -0500: > Since you've given no reasons I assume this would be because your personal > preference is to view your e-mail in threads It doesn't matter if this is my preference or not. The point is that "reply" adds specific threading information, so you keep going in that thread. Thanks. Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From Denis.Beauchemin at USherbrooke.ca Wed Aug 22 18:35:54 2007 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Wed Aug 22 18:36:41 2007 Subject: Full message scan oddity In-Reply-To: <46CC60F5.9010101@ecs.soton.ac.uk> References: <46CC590C.9020403@USherbrooke.ca> <46CC60F5.9010101@ecs.soton.ac.uk> Message-ID: <46CC73FA.3030905@USherbrooke.ca> Julian Field a ?crit : > > > Denis Beauchemin wrote: >> Hello, >> >> I just upgraded 2 MS servers to the latest stable and enabled the >> following option: >> ClamAV Full Message Scan = yes >> >> I sent a virus-infected email and noticed the following: >> Aug 22 11:16:59 smtpe4 MailScanner[21708]: >> l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO@mm >> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: >> Worm.Bagle.DK:: ./l7MFGi0o022717/ >> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: >> Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt >> Aug 22 11:17:00 smtpe4 MailScanner[21708]: >> /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt contient >> le virus W32/Bagle.dldr.gen !!! >> Aug 22 11:17:00 smtpe4 MailScanner[21708]: >> /l7MFGi0o022717/01_05_2005.txt contient le virus >> W32/Bagle.dldr.gen !!! >> >> On a different server without this new feature, I get: >> Aug 22 11:34:31 132.210.244.93 MailScanner[4049]: >> /l7MFXTYu031455/01_05_2005.txt contient le virus >> W32/Bagle.dldr.gen !!! >> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: >> l7MFXTYu031455/01_05_2005.txt:infected: Win32.Bagle.BO@mm >> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: >> ClamAVModule::INFECTED:: Worm.Bagle.DK:: ./l7MFXTYu031455/01_05_2005.txt >> >> I now get 2 hits from McAfee and ClamAV, but only 1 from >> Bitdefender... is there a way to pass only the full message to the >> AV scanners? That way we would get only 1 warning and the server >> would also be working less. > I could add a feature to do that, but it sounds a very dangerous thing > to do. You are relying on your virus scanners' ability to unpack > attachments on its own. As a fraction of the whole process for each > message, scanning the attachments as well as the full message is only > a tiny part of the time involved. I really wouldn't advise setting up > MailScanner to _not_ scan the attachments. Only a few virus scanners > can do this anyway. > > I'm really not keen on adding this feature, it's one which hardly > anyone would use and it potentially exposes you to viruses with most > virus scanners. > > Jules > Julian, It makes perfect sense. I guess I will have to live with not so accurate virus statistics... Thanks again! Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From list-mailscanner at linguaphone.com Wed Aug 22 18:50:16 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Aug 22 18:50:24 2007 Subject: Full message scan oddity In-Reply-To: <46CC73FA.3030905@USherbrooke.ca> Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Denis > Beauchemin > Sent: 22 August 2007 18:36 > To: MailScanner discussion > Subject: Re: Full message scan oddity > > > Julian Field a ?crit : > > > > > > Denis Beauchemin wrote: > >> Hello, > >> > >> I just upgraded 2 MS servers to the latest stable and enabled the > >> following option: > >> ClamAV Full Message Scan = yes > >> > >> I sent a virus-infected email and noticed the following: > >> Aug 22 11:16:59 smtpe4 MailScanner[21708]: > >> l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO@mm > >> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: > >> Worm.Bagle.DK:: ./l7MFGi0o022717/ > >> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: > >> Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt > >> Aug 22 11:17:00 smtpe4 MailScanner[21708]: > >> /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt contient > >> le virus W32/Bagle.dldr.gen !!! > >> Aug 22 11:17:00 smtpe4 MailScanner[21708]: > >> /l7MFGi0o022717/01_05_2005.txt contient le virus > >> W32/Bagle.dldr.gen !!! > >> > >> On a different server without this new feature, I get: > >> Aug 22 11:34:31 132.210.244.93 MailScanner[4049]: > >> /l7MFXTYu031455/01_05_2005.txt contient le virus > >> W32/Bagle.dldr.gen !!! > >> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: > >> l7MFXTYu031455/01_05_2005.txt:infected: Win32.Bagle.BO@mm > >> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: > >> ClamAVModule::INFECTED:: Worm.Bagle.DK:: > ./l7MFXTYu031455/01_05_2005.txt > >> > >> I now get 2 hits from McAfee and ClamAV, but only 1 from > >> Bitdefender... is there a way to pass only the full message to the > >> AV scanners? That way we would get only 1 warning and the server > >> would also be working less. > > I could add a feature to do that, but it sounds a very dangerous thing > > to do. You are relying on your virus scanners' ability to unpack > > attachments on its own. As a fraction of the whole process for each > > message, scanning the attachments as well as the full message is only > > a tiny part of the time involved. I really wouldn't advise setting up > > MailScanner to _not_ scan the attachments. Only a few virus scanners > > can do this anyway. > > > > I'm really not keen on adding this feature, it's one which hardly > > anyone would use and it potentially exposes you to viruses with most > > virus scanners. > > > > Jules > > > Julian, > > It makes perfect sense. I guess I will have to live with not so > accurate virus statistics... > > Thanks again! > > Denis In my opinion you certenly dont want to stop scanning the attachments. The only thing you could do is not report the fact that the virus scanner found a virus in the email if it found something in the attachment. From Denis.Beauchemin at USherbrooke.ca Wed Aug 22 19:03:05 2007 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Wed Aug 22 19:03:22 2007 Subject: Full message scan oddity In-Reply-To: References: Message-ID: <46CC7A59.1080102@USherbrooke.ca> Gareth a ?crit : >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Denis >> Beauchemin >> Sent: 22 August 2007 18:36 >> To: MailScanner discussion >> Subject: Re: Full message scan oddity >> >> >> Julian Field a ?crit : >> >>> Denis Beauchemin wrote: >>> >>>> Hello, >>>> >>>> I just upgraded 2 MS servers to the latest stable and enabled the >>>> following option: >>>> ClamAV Full Message Scan = yes >>>> >>>> I sent a virus-infected email and noticed the following: >>>> Aug 22 11:16:59 smtpe4 MailScanner[21708]: >>>> l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO@mm >>>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: >>>> Worm.Bagle.DK:: ./l7MFGi0o022717/ >>>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: >>>> Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt >>>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: >>>> /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt contient >>>> le virus W32/Bagle.dldr.gen !!! >>>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: >>>> /l7MFGi0o022717/01_05_2005.txt contient le virus >>>> W32/Bagle.dldr.gen !!! >>>> >>>> On a different server without this new feature, I get: >>>> Aug 22 11:34:31 132.210.244.93 MailScanner[4049]: >>>> /l7MFXTYu031455/01_05_2005.txt contient le virus >>>> W32/Bagle.dldr.gen !!! >>>> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: >>>> l7MFXTYu031455/01_05_2005.txt:infected: Win32.Bagle.BO@mm >>>> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: >>>> ClamAVModule::INFECTED:: Worm.Bagle.DK:: >>>> >> ./l7MFXTYu031455/01_05_2005.txt >> >>>> I now get 2 hits from McAfee and ClamAV, but only 1 from >>>> Bitdefender... is there a way to pass only the full message to the >>>> AV scanners? That way we would get only 1 warning and the server >>>> would also be working less. >>>> >>> I could add a feature to do that, but it sounds a very dangerous thing >>> to do. You are relying on your virus scanners' ability to unpack >>> attachments on its own. As a fraction of the whole process for each >>> message, scanning the attachments as well as the full message is only >>> a tiny part of the time involved. I really wouldn't advise setting up >>> MailScanner to _not_ scan the attachments. Only a few virus scanners >>> can do this anyway. >>> >>> I'm really not keen on adding this feature, it's one which hardly >>> anyone would use and it potentially exposes you to viruses with most >>> virus scanners. >>> >>> Jules >>> >>> >> Julian, >> >> It makes perfect sense. I guess I will have to live with not so >> accurate virus statistics... >> >> Thanks again! >> >> Denis >> > > In my opinion you certenly dont want to stop scanning the attachments. The only thing you could do is not report the fact that the virus scanner found a virus in the email if it found something in the attachment. > > Gareth, No, I don't want to stop scanning some content. That's why I will have to live with inaccurate virus statistics (since some virus will be detected twice by ClamAV and McAfee). Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3595 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070822/8c8ba98e/smime.bin From MailScanner at ecs.soton.ac.uk Wed Aug 22 19:50:03 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 22 19:50:47 2007 Subject: Full message scan oddity In-Reply-To: <46CC7A59.1080102@USherbrooke.ca> References: <46CC7A59.1080102@USherbrooke.ca> Message-ID: <46CC855B.1050702@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Denis Beauchemin wrote: > Gareth a ?crit : >>> -----Original Message----- >>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Denis >>> Beauchemin >>> Sent: 22 August 2007 18:36 >>> To: MailScanner discussion >>> Subject: Re: Full message scan oddity >>> >>> >>> Julian Field a ?crit : >>> >>>> Denis Beauchemin wrote: >>>> >>>>> Hello, >>>>> >>>>> I just upgraded 2 MS servers to the latest stable and enabled the >>>>> following option: >>>>> ClamAV Full Message Scan = yes >>>>> >>>>> I sent a virus-infected email and noticed the following: >>>>> Aug 22 11:16:59 smtpe4 MailScanner[21708]: >>>>> l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO@mm >>>>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV >>>>> Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/ >>>>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV >>>>> Module::INFECTED:: Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt >>>>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: >>>>> /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt >>>>> contient le virus W32/Bagle.dldr.gen !!! >>>>> Aug 22 11:17:00 smtpe4 MailScanner[21708]: >>>>> /l7MFGi0o022717/01_05_2005.txt contient le virus >>>>> W32/Bagle.dldr.gen !!! >>>>> >>>>> On a different server without this new feature, I get: >>>>> Aug 22 11:34:31 132.210.244.93 MailScanner[4049]: >>>>> /l7MFXTYu031455/01_05_2005.txt contient le virus >>>>> W32/Bagle.dldr.gen !!! >>>>> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: >>>>> l7MFXTYu031455/01_05_2005.txt:infected: Win32.Bagle.BO@mm >>>>> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: >>>>> ClamAVModule::INFECTED:: Worm.Bagle.DK:: >>> ./l7MFXTYu031455/01_05_2005.txt >>> >>>>> I now get 2 hits from McAfee and ClamAV, but only 1 from >>>>> Bitdefender... is there a way to pass only the full message to >>>>> the AV scanners? That way we would get only 1 warning and the >>>>> server would also be working less. >>>>> >>>> I could add a feature to do that, but it sounds a very dangerous >>>> thing to do. You are relying on your virus scanners' ability to >>>> unpack attachments on its own. As a fraction of the whole process >>>> for each message, scanning the attachments as well as the full >>>> message is only a tiny part of the time involved. I really wouldn't >>>> advise setting up MailScanner to _not_ scan the attachments. Only a >>>> few virus scanners can do this anyway. >>>> >>>> I'm really not keen on adding this feature, it's one which hardly >>>> anyone would use and it potentially exposes you to viruses with >>>> most virus scanners. >>>> >>>> Jules >>>> >>>> >>> Julian, >>> >>> It makes perfect sense. I guess I will have to live with not so >>> accurate virus statistics... >>> >>> Thanks again! >>> >>> Denis >>> >> >> In my opinion you certenly dont want to stop scanning the >> attachments. The only thing you could do is not report the fact that >> the virus scanner found a virus in the email if it found something in >> the attachment. >> > Gareth, > > No, I don't want to stop scanning some content. That's why I will > have to live with inaccurate virus statistics (since some virus will > be detected twice by ClamAV and McAfee). The other stats problem is that the sanesecurity ClamAV signatures cause a load of your spam to be reported as a virus. That skews the stats quite a lot :-( Not much I can do about it either. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Charset: UTF-8 wj8DBQFGzIVdEfZZRxQVtlQRAi6yAKDglaGNeEh2e+djpfy48WMD4J86bgCgvUb1 YIi+EJUqn5OBBJUazzWQrqA= =VZUV -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From ssilva at sgvwater.com Wed Aug 22 20:01:13 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Aug 22 20:01:34 2007 Subject: ClamAV & Sanesecurity & Spamassassin In-Reply-To: <001401c7e4ca$d970bf00$8c523d00$@com> References: <5CD3BFF77DFFD411BCD100D0B720F945047588D2@probe.britaxpmg.com> <000e01c7e4ba$94ad3de0$be07b9a0$@com> <001401c7e4ca$d970bf00$8c523d00$@com> Message-ID: Ryan Weaver spake the following on 8/22/2007 7:43 AM: > Since you've given no reasons I assume this would be because your personal > preference is to view your e-mail in threads and the 'reply' inserts this > topic as a take-over into your thread based viewing system. > > Sorry, I didn't think about that, my bad... > It is more a matter of politeness than personal preference. Imagine if you are talking to the man next to you about cars, and I walk up and change the subject to something else. The man next to you is still talking about cars. Try to follow both conversations at the same time and you will understand. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Wed Aug 22 20:11:40 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Aug 22 20:12:05 2007 Subject: Full message scan oddity In-Reply-To: <46CC60F5.9010101@ecs.soton.ac.uk> References: <46CC590C.9020403@USherbrooke.ca> <46CC60F5.9010101@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 8/22/2007 9:14 AM: > > > Denis Beauchemin wrote: >> Hello, >> >> I just upgraded 2 MS servers to the latest stable and enabled the >> following option: >> ClamAV Full Message Scan = yes >> >> I sent a virus-infected email and noticed the following: >> Aug 22 11:16:59 smtpe4 MailScanner[21708]: >> l7MFGi0o022717/01_05_2005.txt:infected: Win32.Bagle.BO@mm >> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: >> Worm.Bagle.DK:: ./l7MFGi0o022717/ >> Aug 22 11:17:00 smtpe4 MailScanner[21708]: ClamAV Module::INFECTED:: >> Worm.Bagle.DK:: ./l7MFGi0o022717/01_05_2005.txt >> Aug 22 11:17:00 smtpe4 MailScanner[21708]: >> /l7MFGi0o022717.message/00000350.EML/01_05_2005.txt contient le >> virus W32/Bagle.dldr.gen !!! >> Aug 22 11:17:00 smtpe4 MailScanner[21708]: >> /l7MFGi0o022717/01_05_2005.txt contient le virus >> W32/Bagle.dldr.gen !!! >> >> On a different server without this new feature, I get: >> Aug 22 11:34:31 132.210.244.93 MailScanner[4049]: >> /l7MFXTYu031455/01_05_2005.txt contient le virus >> W32/Bagle.dldr.gen !!! >> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: >> l7MFXTYu031455/01_05_2005.txt:infected: Win32.Bagle.BO@mm >> Aug 22 11:34:41 132.210.244.93 MailScanner[4049]: >> ClamAVModule::INFECTED:: Worm.Bagle.DK:: ./l7MFXTYu031455/01_05_2005.txt >> >> I now get 2 hits from McAfee and ClamAV, but only 1 from >> Bitdefender... is there a way to pass only the full message to the AV >> scanners? That way we would get only 1 warning and the server would >> also be working less. > I could add a feature to do that, but it sounds a very dangerous thing > to do. You are relying on your virus scanners' ability to unpack > attachments on its own. As a fraction of the whole process for each > message, scanning the attachments as well as the full message is only a > tiny part of the time involved. I really wouldn't advise setting up > MailScanner to _not_ scan the attachments. Only a few virus scanners can > do this anyway. > > I'm really not keen on adding this feature, it's one which hardly anyone > would use and it potentially exposes you to viruses with most virus > scanners. > > Jules > What would be nice is the logging module to not report the same infection twice in the same message. IE... If found in unpacked message, suppress output of same virus in raw message. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From Denis.Beauchemin at USherbrooke.ca Wed Aug 22 20:50:26 2007 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Wed Aug 22 20:51:12 2007 Subject: Full message scan oddity In-Reply-To: <46CC855B.1050702@ecs.soton.ac.uk> References: <46CC7A59.1080102@USherbrooke.ca> <46CC855B.1050702@ecs.soton.ac.uk> Message-ID: <46CC9382.2020107@USherbrooke.ca> Julian Field a ?crit : > > The other stats problem is that the sanesecurity ClamAV signatures cause > a load of your spam to be reported as a virus. That skews the stats > quite a lot :-( Not much I can do about it either. > > True, but they are malignant spam, which I could relate to some form of virus ;-) Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3595 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070822/4948d330/smime.bin From r.berber at computer.org Wed Aug 22 21:00:14 2007 From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=) Date: Wed Aug 22 21:00:50 2007 Subject: Whitelists and Fuzzy In-Reply-To: <46CC305B.2060405@USherbrooke.ca> References: <5CD3BFF77DFFD411BCD100D0B720F94503C4E5E6@probe.britaxpmg.com> <46CC305B.2060405@USherbrooke.ca> Message-ID: Denis Beauchemin wrote: > I have the same problem with someone's sig that triggers on "cialis" > even though the pic says "social services". On another occasion I > reported a bug on the wiki and never got any feedback. I am thinking > about dropping this plugin... That's easy to fix, in FuzzyOcr.words change the line to: cialis::0.1 Just to make the answer complete, most people probably already know this, the above tells FuzzyOcr to match with high certainty; the example you name does have 5 of the 6 letters of the word in order, so it is no wonder it matches -- you may even have to lower the 0.1 to 0.01 . In general I use a changed word list with short words and a few other words that are (mis)matched easily using the lower fuzzy factor (higher certainty). A few other words I use with a high fuzzy factor. -- Ren? Berber From jaearick at colby.edu Wed Aug 22 21:13:11 2007 From: jaearick at colby.edu (Jeff A. Earickson) Date: Wed Aug 22 21:13:16 2007 Subject: fell off the wagon, climbing back on Message-ID: Julian et al, I replaced my legacy sendmail box with an fancy new all-in-one email appliance on July 23. Anti-spam, anti-virus, integrated webmail/POP/IMAP/calendaring, shared mail folders, etc, etc. And I bailed off the list, thinking life would be good. Forgive me, Jules, for I have sinned. I've gotten my butt kicked by both the spammers and the user community in the past month. While my new gear is great for integrated webmail etc (and the users like it), its anti-spam setup is clearly inferior to MailScanner. I figured that the [unamed] appliance might be worse than MailScanner in terms of anti-spam, but I was shocked at how much of a difference there is. Due to popular demand/angry mobs, I am putting my legacy system back in front of the appliance to run sendmail/MailScanner in relay mode to get our spam back to where it was. I had left it intact, so this was just a case of updating MailScanner, SA, and clam and redoing my sendmail.cf file. Woe to those who stray from the path of MailScanner. You will be punished. Jeff Earickson Colby College From ryanw at falsehope.com Wed Aug 22 21:29:42 2007 From: ryanw at falsehope.com (Ryan Weaver) Date: Wed Aug 22 21:29:50 2007 Subject: ClamAV & Sanesecurity & Spamassassin In-Reply-To: <005501c7e4de$a01a0180$0301a8c0@SAHOMELT> References: <5CD3BFF77DFFD411BCD100D0B720F945047588D2@probe.britaxpmg.com><000e01c7e4ba$94ad3de0$be07b9a0$@com><1187789796.19248.32.camel@gblades-suse.linguaphone-intranet.co.uk><46CC4122.2000306@ecs.soton.ac.uk> <1187792171.19250.40.camel@gblades-suse.linguaphone-intranet.co.uk> <005501c7e4de$a01a0180$0301a8c0@SAHOMELT> Message-ID: <003601c7e4fb$2ce492d0$86adb870$@com> > -----Original Message----- > From: Rick Cooper > > > -----Original Message----- > > From: Gareth > > Sent: Wednesday, August 22, 2007 10:16 AM > > To: MailScanner discussion > > Subject: Re: ClamAV & Sanesecurity & Spamassassin > > > > No I was thinking you might have to have two copies of > > clamav installed > > with one of them compiled to store its signatures in a different > > location. > > You could symlink the main signatures so both installs can > > see them and > > mailscanners update works correctly. You could have mailscanner use > > clamavmodule as it will have most issues with paths etc... > > You could have clamd started from the 2nd copy which can also see > > the sanesecurity signatures. The spamassassin plugin looks like it > > uses a tcpip socket to clamd so it should not be too bad keeping them > > both separate. > > [...] > > You only need one clamav installation, you need to setup a special clam > database (example: /opt/clamdSane) directory with symlinks to the db > files > you want to use with in the special clam db dir. > > MSRBL-Images.hdb -> /usr/local/share/clamav/MSRBL-Images.hdb > MSRBL-SPAM.ndb -> /usr/local/share/clamav/MSRBL-SPAM.ndb > phish.ndb -> /usr/local/share/clamav/phish.ndb > scam.ndb -> /usr/local/share/clamav/scam.ndb > > Next create a new clamd.conf line clamdSane.conf and change the > DatabaseDirectory, TCPSocket (say 3311), and PidFile settings to > something > other than the default like > > DatabaseDirectory /opt/SaneDataBase > TCPSocket 3311 > PidFile /var/run/clamdSane.pid > > Start your second daemon : clamd --config-file=/path/clamdSane.conf > > And change this line in clamAV.pm (the plugin) > > my $clamav = new File::Scan::ClamAV(port => 3310); > > To > > my $clamav = new File::Scan::ClamAV(port => 3311); > > > Now clamd should only see the SaneSecurity sigs when processed via the > SpamAssassin ClamAV plugin > > Set your rules as desired > > Rick Sounds workable... Kind of convoluted, but workable :) Thanks, Ryan From lists at jfworks.net Wed Aug 22 22:14:23 2007 From: lists at jfworks.net (James) Date: Wed Aug 22 22:14:32 2007 Subject: fell off the wagon, climbing back on In-Reply-To: References: Message-ID: <46CCA72F.2010504@jfworks.net> Jeff A. Earickson wrote: > Julian et al, > > I replaced my legacy sendmail box with an fancy new all-in-one > email appliance on July 23. Anti-spam, anti-virus, integrated > webmail/POP/IMAP/calendaring, shared mail folders, etc, etc. > And I bailed off the list, thinking life would be good. > > Forgive me, Jules, for I have sinned. I've gotten my butt kicked > by both the spammers and the user community in the past month. > While my new gear is great for integrated webmail etc (and the > users like it), its anti-spam setup is clearly inferior to > MailScanner. I figured that the [unamed] appliance might be worse than > MailScanner in > terms of anti-spam, but I was shocked at how much of a difference there > is. > > Due to popular demand/angry mobs, I am putting my legacy system > back in front of the appliance to run sendmail/MailScanner in relay > mode to get our spam back to where it was. I had left it > intact, so this was just a case of updating MailScanner, SA, and clam > and redoing my sendmail.cf file. > > Woe to those who stray from the path of MailScanner. You > will be punished. > > Jeff Earickson > Colby College Tell the name of your sin brother and then you may be absolved. Welcome back ;) From mikes at hartwellcorp.com Wed Aug 22 23:16:09 2007 From: mikes at hartwellcorp.com (Michael St. Laurent) Date: Wed Aug 22 23:17:45 2007 Subject: fell off the wagon, climbing back on Message-ID: <3BF93070B3D1B047BA7ABF612958950D018FBCA4@hcex.hartwellcorp.com> > Tell the name of your sin brother and then you may be > absolved. Welcome > back ;) Hi, my name is Mike and I'm a Sysadmin. Welcome back. ;) From maillists at conactive.com Wed Aug 22 23:31:35 2007 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Aug 22 23:31:38 2007 Subject: Whitelists and Fuzzy In-Reply-To: <46CC6BE0.3030208@ecs.soton.ac.uk> References: <46CC6BE0.3030208@ecs.soton.ac.uk> Message-ID: Julian Field wrote on Wed, 22 Aug 2007 18:01:20 +0100: > This depends on whether you have Always Include SpamAssassin Report or > not. Ah, yes, that's probably off. Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From ssilva at sgvwater.com Thu Aug 23 00:20:26 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 23 00:20:38 2007 Subject: fell off the wagon, climbing back on In-Reply-To: References: Message-ID: Jeff A. Earickson spake the following on 8/22/2007 1:13 PM: > Julian et al, > > I replaced my legacy sendmail box with an fancy new all-in-one > email appliance on July 23. Anti-spam, anti-virus, integrated > webmail/POP/IMAP/calendaring, shared mail folders, etc, etc. > And I bailed off the list, thinking life would be good. > > Forgive me, Jules, for I have sinned. I've gotten my butt kicked > by both the spammers and the user community in the past month. > While my new gear is great for integrated webmail etc (and the > users like it), its anti-spam setup is clearly inferior to MailScanner. > I figured that the [unamed] appliance might be worse than MailScanner in > terms of anti-spam, but I was shocked at how much of a difference there > is. > > Due to popular demand/angry mobs, I am putting my legacy system > back in front of the appliance to run sendmail/MailScanner in relay mode > to get our spam back to where it was. I had left it > intact, so this was just a case of updating MailScanner, SA, and clam > and redoing my sendmail.cf file. > > Woe to those who stray from the path of MailScanner. You > will be punished. > > Jeff Earickson > Colby College It is a good thing to have unburned bridges to retreat back over!! ;-P Say 10 hail Julian's and sin no more... -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From hvdkooij at vanderkooij.org Thu Aug 23 06:51:06 2007 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Aug 23 06:51:16 2007 Subject: fell off the wagon, climbing back on In-Reply-To: <3BF93070B3D1B047BA7ABF612958950D018FBCA4@hcex.hartwellcorp.com> References: <3BF93070B3D1B047BA7ABF612958950D018FBCA4@hcex.hartwellcorp.com> Message-ID: On Wed, 22 Aug 2007, Michael St. Laurent wrote: >> Tell the name of your sin brother and then you may be >> absolved. Welcome >> back ;) > > Hi, my name is Mike and I'm a Sysadmin. There are sins beyond .... The sins of the fathers do not aply so it isn't your name ;-) Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for this quote of George Bernard Shaw.) From martinh at solidstatelogic.com Thu Aug 23 08:56:24 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Aug 23 08:56:39 2007 Subject: fell off the wagon, climbing back on In-Reply-To: Message-ID: <8833d120fb64f24e95ea483a4e6b9f34@solidstatelogic.com> Jeff Welcome back - ah the prodigal son returns. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Jeff A. Earickson > Sent: 22 August 2007 21:13 > To: mailscanner mailing list > Subject: fell off the wagon, climbing back on > > Julian et al, > > I replaced my legacy sendmail box with an fancy new all-in-one > email appliance on July 23. Anti-spam, anti-virus, integrated > webmail/POP/IMAP/calendaring, shared mail folders, etc, etc. > And I bailed off the list, thinking life would be good. > > Forgive me, Jules, for I have sinned. I've gotten my butt kicked > by both the spammers and the user community in the past month. > While my new gear is great for integrated webmail etc (and the > users like it), its anti-spam setup is clearly inferior to MailScanner. > I figured that the [unamed] appliance might be worse than MailScanner in > terms of anti-spam, but I was shocked at how much of a difference there > is. > > Due to popular demand/angry mobs, I am putting my legacy system > back in front of the appliance to run sendmail/MailScanner in > relay mode to get our spam back to where it was. I had left it > intact, so this was just a case of updating MailScanner, SA, and clam > and redoing my sendmail.cf file. > > Woe to those who stray from the path of MailScanner. You > will be punished. > > Jeff Earickson > Colby College > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From glenn.steen at gmail.com Thu Aug 23 10:57:55 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Aug 23 10:57:57 2007 Subject: Whitelists and Fuzzy In-Reply-To: References: <5CD3BFF77DFFD411BCD100D0B720F945047588D5@probe.britaxpmg.com> <1187793500.19246.46.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <223f97700708230257s2e775e08w6bbaf7abf57ad9ff@mail.gmail.com> On 22/08/07, Kai Schaetzl wrote: > Gareth wrote on Wed, 22 Aug 2007 15:38:20 +0100: > > > Yes spamassassin is still run against the rules so at least you can see > > what the score is. However if it is whitelisted then it is never classed > > as spam by mailscanner. On my mailscanner any whitelisted messages just > > shows 'whitelisted' where the spamassassin rules are normally listed so > > although I can see what the score was I cannot tell which specific rules > > were matched. > > That is not what I see here for whitelisted messages. The spam score shows > as 0.0 and no rules are shown. Is that what you describe new to MS or new > to MW? Of course, it could be possible that there are really no hits at > all, but I doubt that ... > > Kai > Quite. The behaviour is dependant on whether you run SA on every message or not (always add sa score, or whatever the setting is named)... As with most things in MailScanner, there is an option to change it;-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Aug 23 11:06:51 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Aug 23 11:06:54 2007 Subject: fell off the wagon, climbing back on In-Reply-To: References: Message-ID: <223f97700708230306v4447e378ob01ffbb7b0f4168e@mail.gmail.com> On 22/08/07, Jeff A. Earickson wrote: > Julian et al, > > I replaced my legacy sendmail box with an fancy new all-in-one > email appliance on July 23. Anti-spam, anti-virus, integrated > webmail/POP/IMAP/calendaring, shared mail folders, etc, etc. > And I bailed off the list, thinking life would be good. Shame Jeff, shame! To walk with the unbelievers... > Forgive me, Jules, for I have sinned. I've gotten my butt kicked > by both the spammers and the user community in the past month. > While my new gear is great for integrated webmail etc (and the > users like it), its anti-spam setup is clearly inferior to MailScanner. > I figured that the [unamed] appliance might be worse than MailScanner in Remember that "uname" is a Simple Command, not a Daemon Process. Apply it liberally as "uname -a" in you penitence.... and salvation might just be yours. > terms of anti-spam, but I was shocked at how much of a difference there > is. > > Due to popular demand/angry mobs, I am putting my legacy system > back in front of the appliance to run sendmail/MailScanner in > relay mode to get our spam back to where it was. I had left it > intact, so this was just a case of updating MailScanner, SA, and clam > and redoing my sendmail.cf file. > > Woe to those who stray from the path of MailScanner. You > will be punished. > > Jeff Earickson > Colby College To aid in your repentance, find Scott Silvas head-banging tool, print it, use it. Glad that you've seen the light, returned to the flock, and will henceforth not stray...;) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Thu Aug 23 11:43:02 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 23 11:44:23 2007 Subject: fell off the wagon, climbing back on In-Reply-To: References: Message-ID: <46CD64B6.9090600@ecs.soton.ac.uk> Jeff A. Earickson wrote: > Julian et al, > > I replaced my legacy sendmail box with an fancy new all-in-one > email appliance on July 23. Anti-spam, anti-virus, integrated > webmail/POP/IMAP/calendaring, shared mail folders, etc, etc. > And I bailed off the list, thinking life would be good. > > Forgive me, Jules, for I have sinned. How long has it been since your last confession? I forgive you your sins, as you have once again joined the way of the light and have repented your heinous sins. Let you walk the one true path into eternity. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From andy.mac at global-domination.org Thu Aug 23 14:03:26 2007 From: andy.mac at global-domination.org (Andrew MacLachlan) Date: Thu Aug 23 14:02:52 2007 Subject: Tiled gif spam Message-ID: I just forwarded this from my Yahoo acct through my MailScanner with FuzzyOcr and it sailed straight through... I'm not sure what my MTA level checks would have made of the original message though. Does anyone have any special tricks or rules to combat these messages? I'm running the latest everything on Centos 4.5 -Andy -- This message was scanned by ESVA and is believed to be clean. -------------- next part -------------- An embedded message was scrubbed... From: "Andrew MacLachlan" Subject: Fw: Funny thing. Date: Thu, 23 Aug 2007 13:39:31 +0100 Size: 12129 Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070823/409d5129/attachment.mht From Denis.Beauchemin at USherbrooke.ca Thu Aug 23 14:17:16 2007 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Aug 23 14:17:47 2007 Subject: Whitelists and Fuzzy In-Reply-To: References: <5CD3BFF77DFFD411BCD100D0B720F94503C4E5E6@probe.britaxpmg.com> <46CC305B.2060405@USherbrooke.ca> Message-ID: <46CD88DC.5010102@USherbrooke.ca> Ren? Berber a ?crit : > Denis Beauchemin wrote: > > >> I have the same problem with someone's sig that triggers on "cialis" >> even though the pic says "social services". On another occasion I >> reported a bug on the wiki and never got any feedback. I am thinking >> about dropping this plugin... >> > > That's easy to fix, in FuzzyOcr.words change the line to: > > cialis::0.1 > > Just to make the answer complete, most people probably already know this, the > above tells FuzzyOcr to match with high certainty; the example you name does > have 5 of the 6 letters of the word in order, so it is no wonder it matches -- > you may even have to lower the 0.1 to 0.01 . > > In general I use a changed word list with short words and a few other words that > are (mis)matched easily using the lower fuzzy factor (higher certainty). A few > other words I use with a high fuzzy factor. > Ren?, Could you tell me where you found this information please? I cannot find it anywhere... Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3595 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070823/80c1a96d/smime.bin From andy.mac at global-domination.org Thu Aug 23 14:21:31 2007 From: andy.mac at global-domination.org (Andrew MacLachlan) Date: Thu Aug 23 14:20:55 2007 Subject: Tiled gif spam Message-ID: Sorry - this is the analysis from Mailwatch: Spam Report: Score Matching Rule score=3.919 4 required 0.00 DKIM_SIGNED -0.00 DKIM_VERIFIED 2.50 HTML_IMAGE_ONLY_16 0.00 HTML_MESSAGE 1.42 SARE_GIF_ATTACH As you can see, it was almost trapped. Of course I could always up the scores for SARE_GIF_ATTACH and HTML_IMAGE_ONLY_16, but I think an additional rule for side-by-side gifs might be a better approach? I'm not sure what the best score might be for such a rule - but something around the 1.0 mark would probably be appropriate. -Andy > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Andrew MacLachlan > Sent: 23 August 2007 14:03 > To: MailScanner discussion > Subject: Tiled gif spam > > I just forwarded this from my Yahoo acct through my MailScanner with > FuzzyOcr and it sailed straight through... I'm not sure what my MTA > level checks would have made of the original message though. > > Does anyone have any special tricks or rules to combat these messages? > > I'm running the latest everything on Centos 4.5 > > -Andy > > > -- > This message was scanned by ESVA and is believed to be clean. > -- This message was scanned by ESVA and is believed to be clean. From list-mailscanner at linguaphone.com Thu Aug 23 14:24:50 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Aug 23 14:25:05 2007 Subject: Tiled gif spam In-Reply-To: References: Message-ID: <1187875490.22243.2.camel@gblades-suse.linguaphone-intranet.co.uk> No Bayes? On Thu, 2007-08-23 at 14:21, Andrew MacLachlan wrote: > Sorry - this is the analysis from Mailwatch: > > Spam Report: > Score Matching Rule > score=3.919 > 4 required > 0.00 DKIM_SIGNED > -0.00 DKIM_VERIFIED > 2.50 HTML_IMAGE_ONLY_16 > 0.00 HTML_MESSAGE > 1.42 SARE_GIF_ATTACH > > As you can see, it was almost trapped. Of course I could always up the > scores for SARE_GIF_ATTACH and HTML_IMAGE_ONLY_16, but I think an > additional rule for side-by-side gifs might be a better approach? I'm > not sure what the best score might be for such a rule - but something > around the 1.0 mark would probably be appropriate. > > -Andy > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Andrew MacLachlan > > Sent: 23 August 2007 14:03 > > To: MailScanner discussion > > Subject: Tiled gif spam > > > > I just forwarded this from my Yahoo acct through my MailScanner with > > FuzzyOcr and it sailed straight through... I'm not sure what my MTA > > level checks would have made of the original message though. > > > > Does anyone have any special tricks or rules to combat these messages? > > > > I'm running the latest everything on Centos 4.5 > > > > -Andy > > > > > > -- > > This message was scanned by ESVA and is believed to be clean. > > > > > > -- > This message was scanned by ESVA and is believed to be clean. From andy.mac at global-domination.org Thu Aug 23 14:43:48 2007 From: andy.mac at global-domination.org (Andrew MacLachlan) Date: Thu Aug 23 14:43:12 2007 Subject: antispam server setup website - comments welcome Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Anthony Cartmell > Sent: 21 August 2007 11:35 > To: MailScanner discussion > Subject: Re: antispam server setup website - comments welcome > > > No it doesn't, the 'discover' one is not being updated and seems broken. > > > > The other 82.250.255.100 actually works.... > > Ah, OK, I'll stick with that one then. Thanks for the info! > > > People have made many attempts to contact the pyzor "maintainer" on this > > to offer servers/bandwidth but he seems to ignore all offers... > > It's sad when good software goes un-maintained. > See the attached install script. If you use this procedure you will use both lists and pyzor will use the highest score returned. - Works well for me. -- This message was scanned by ESVA and is believed to be clean. -------------- next part -------------- cd /tmp wget http://ovh.dl.sourceforge.net/sourceforge/pyzor/pyzor-0.4.0.tar.bz2 tar -xjf pyzor-0.4.0.tar.bz2 cd pyzor-0.4.0 python setup.py build python setup.py install chmod -R a+rX /usr/share/doc/pyzor \ /usr/lib/python2.3/site-packages/pyzor \ /usr/bin/pyzor /usr/bin/pyzord su postfix -s /bin/bash -c 'pyzor discover' echo "82.94.255.100:24441">/var/spool/postfix/.pyzor/servers echo "66.250.40.33:24441">>/var/spool/postfix/.pyzor/servers cd /tmp rm -rf pyzor* From glenn.steen at gmail.com Thu Aug 23 15:02:42 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Aug 23 15:02:44 2007 Subject: Tiled gif spam In-Reply-To: References: Message-ID: <223f97700708230702v3d75a065m97f13b167b5b0b3d@mail.gmail.com> On 23/08/07, Andrew MacLachlan wrote: > Sorry - this is the analysis from Mailwatch: > > Spam Report: > Score Matching Rule > score=3.919 > 4 required > 0.00 DKIM_SIGNED > -0.00 DKIM_VERIFIED > 2.50 HTML_IMAGE_ONLY_16 > 0.00 HTML_MESSAGE > 1.42 SARE_GIF_ATTACH > > As you can see, it was almost trapped. Of course I could always up the > scores for SARE_GIF_ATTACH and HTML_IMAGE_ONLY_16, but I think an > additional rule for side-by-side gifs might be a better approach? I'm > not sure what the best score might be for such a rule - but something > around the 1.0 mark would probably be appropriate. > > -Andy > Why don't you use ImageInfo? Or do you do that and it didn't trigger even one little rule? If so... Strange... Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From andy.mac at global-domination.org Thu Aug 23 15:13:33 2007 From: andy.mac at global-domination.org (Andrew MacLachlan) Date: Thu Aug 23 15:12:53 2007 Subject: Tiled gif spam Message-ID: New install - Bayes DB not yet populated :-( > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Gareth > Sent: 23 August 2007 14:25 > To: MailScanner discussion > Subject: RE: Tiled gif spam > > No Bayes? > > On Thu, 2007-08-23 at 14:21, Andrew MacLachlan wrote: > > Sorry - this is the analysis from Mailwatch: > > > > Spam Report: > > Score Matching Rule > > score=3.919 > > 4 required > > 0.00 DKIM_SIGNED > > -0.00 DKIM_VERIFIED > > 2.50 HTML_IMAGE_ONLY_16 > > 0.00 HTML_MESSAGE > > 1.42 SARE_GIF_ATTACH > > > > As you can see, it was almost trapped. Of course I could always up the > > scores for SARE_GIF_ATTACH and HTML_IMAGE_ONLY_16, but I think an > > additional rule for side-by-side gifs might be a better approach? I'm > > not sure what the best score might be for such a rule - but something > > around the 1.0 mark would probably be appropriate. > > > > -Andy > > > > > -----Original Message----- > > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > > bounces@lists.mailscanner.info] On Behalf Of Andrew MacLachlan > > > Sent: 23 August 2007 14:03 > > > To: MailScanner discussion > > > Subject: Tiled gif spam > > > > > > I just forwarded this from my Yahoo acct through my MailScanner with > > > FuzzyOcr and it sailed straight through... I'm not sure what my MTA > > > level checks would have made of the original message though. > > > > > > Does anyone have any special tricks or rules to combat these messages? > > > > > > I'm running the latest everything on Centos 4.5 > > > > > > -Andy > > > > > > > > > -- > > > This message was scanned by ESVA and is believed to be clean. > > > > > > > > > > > -- > > This message was scanned by ESVA and is believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message was scanned by ESVA and is believed to be clean. > Click here to report this message as spam. > http://mail-gw.global-domination.org/cgi-bin/learn- > msg.cgi?id=188D017002.BFCDE > > -- This message was scanned by ESVA and is believed to be clean. From Denis.Beauchemin at USherbrooke.ca Thu Aug 23 15:51:31 2007 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Aug 23 15:51:59 2007 Subject: Tiled gif spam In-Reply-To: <223f97700708230702v3d75a065m97f13b167b5b0b3d@mail.gmail.com> References: <223f97700708230702v3d75a065m97f13b167b5b0b3d@mail.gmail.com> Message-ID: <46CD9EF3.6060904@USherbrooke.ca> Glenn Steen a ?crit : > On 23/08/07, Andrew MacLachlan wrote: > >> Sorry - this is the analysis from Mailwatch: >> >> Spam Report: >> Score Matching Rule >> score=3.919 >> 4 required >> 0.00 DKIM_SIGNED >> -0.00 DKIM_VERIFIED >> 2.50 HTML_IMAGE_ONLY_16 >> 0.00 HTML_MESSAGE >> 1.42 SARE_GIF_ATTACH >> >> As you can see, it was almost trapped. Of course I could always up the >> scores for SARE_GIF_ATTACH and HTML_IMAGE_ONLY_16, but I think an >> additional rule for side-by-side gifs might be a better approach? I'm >> not sure what the best score might be for such a rule - but something >> around the 1.0 mark would probably be appropriate. >> >> -Andy >> >> > Why don't you use ImageInfo? Or do you do that and it didn't trigger > even one little rule? If so... Strange... > > Cheers > Glenn, Just installed it and fed it the email and... nothing... I ran SA in debug and saw it there, but no scoring... How can I tell it to look for n side-by-side gifs? I didn't see anything about side-by-side images, just the total amount of images, which could trigger on many FP... Thanks! Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3595 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070823/65613fbc/smime.bin From list-mailscanner at linguaphone.com Thu Aug 23 16:25:13 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Aug 23 16:25:20 2007 Subject: Tiled gif spam In-Reply-To: <46CD9EF3.6060904@USherbrooke.ca> References: <223f97700708230702v3d75a065m97f13b167b5b0b3d@mail.gmail.com> <46CD9EF3.6060904@USherbrooke.ca> Message-ID: <1187882713.22245.4.camel@gblades-suse.linguaphone-intranet.co.uk> On Thu, 2007-08-23 at 15:51, Denis Beauchemin wrote: > Glenn Steen a ?crit : > > On 23/08/07, Andrew MacLachlan wrote: > > > >> Sorry - this is the analysis from Mailwatch: > >> > >> Spam Report: > >> Score Matching Rule > >> score=3.919 > >> 4 required > >> 0.00 DKIM_SIGNED > >> -0.00 DKIM_VERIFIED > >> 2.50 HTML_IMAGE_ONLY_16 > >> 0.00 HTML_MESSAGE > >> 1.42 SARE_GIF_ATTACH > >> > >> As you can see, it was almost trapped. Of course I could always up the > >> scores for SARE_GIF_ATTACH and HTML_IMAGE_ONLY_16, but I think an > >> additional rule for side-by-side gifs might be a better approach? I'm > >> not sure what the best score might be for such a rule - but something > >> around the 1.0 mark would probably be appropriate. > >> > >> -Andy > >> > >> > > Why don't you use ImageInfo? Or do you do that and it didn't trigger > > even one little rule? If so... Strange... > > > > Cheers > > > Glenn, > > Just installed it and fed it the email and... nothing... I ran SA in > debug and saw it there, but no scoring... > > How can I tell it to look for n side-by-side gifs? I didn't see > anything about side-by-side images, just the total amount of images, > which could trigger on many FP... > > Thanks! > > Denis Can you post the image up somewhere then we can take a look. From andy.mac at global-domination.org Thu Aug 23 16:28:44 2007 From: andy.mac at global-domination.org (Andrew MacLachlan) Date: Thu Aug 23 16:28:04 2007 Subject: Tiled gif spam Message-ID: > > Why don't you use ImageInfo? Or do you do that and it didn't trigger > > even one little rule? If so... Strange... > > > > Cheers > > > Glenn, > > Just installed it and fed it the email and... nothing... I ran SA in > debug and saw it there, but no scoring... > > How can I tell it to look for n side-by-side gifs? I didn't see > anything about side-by-side images, just the total amount of images, > which could trigger on many FP... > > Thanks! > > Denis Same response here, although DCC got it this time and pushed the score through the spam threshold... I've disabled SqlGrey and the RBLs in PF so MS gets more (some) spam so I can test this new build. Working really well with the new MS/SA/clamd etc. If the RBLs and postgrey were enabled I doubt that the message would have made it through to MS/SA or if it did, it would be delayed so that dcc etc would have time to catch it. -Andy -- This message was scanned by ESVA and is believed to be clean. From Chris at 7of9b.org Thu Aug 23 16:29:10 2007 From: Chris at 7of9b.org (Chris Burton) Date: Thu Aug 23 16:29:58 2007 Subject: Tiled gif spam References: <223f97700708230702v3d75a065m97f13b167b5b0b3d@mail.gmail.com><46CD9EF3.6060904@USherbrooke.ca> <1187882713.22245.4.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <009101c7e59a$5bf81de0$c7fda8c0@murphy3> > Can you post the image up somewhere then we can take a look. I'd guess they've already been posted to the list from the report below... but yes a sample to download would be a lot easier to work with :) Sender: mailscanner-bounces@lists.mailscanner.info Subject: Tiled gif spam Report: ClamAV: ORz5rrgzMj.gif contains MSRBL-Images/0-0-wgr6 Report: ClamAV: BAizt9ewri.gif contains MSRBL-Images/0-0-wgr3 Report: ClamAV: cZpjPKTOG9.gif contains MSRBL-Images/0-0-wgr5 Report: ClamAV: ZGXEPOSRrd.gif contains MSRBL-Images/0-0-wgr4 ChrisB. From martinh at solidstatelogic.com Thu Aug 23 16:31:36 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Aug 23 16:31:41 2007 Subject: Tiled gif spam In-Reply-To: <1187882713.22245.4.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: Better would be to post the entire spam email (headers and all) somewhere then we can run through our systems and see what hits. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Gareth > Sent: 23 August 2007 16:25 > To: MailScanner discussion > Subject: Re: Tiled gif spam > > On Thu, 2007-08-23 at 15:51, Denis Beauchemin wrote: > > Glenn Steen a ?crit : > > > On 23/08/07, Andrew MacLachlan wrote: > > > > > >> Sorry - this is the analysis from Mailwatch: > > >> > > >> Spam Report: > > >> Score Matching Rule > > >> score=3.919 > > >> 4 required > > >> 0.00 DKIM_SIGNED > > >> -0.00 DKIM_VERIFIED > > >> 2.50 HTML_IMAGE_ONLY_16 > > >> 0.00 HTML_MESSAGE > > >> 1.42 SARE_GIF_ATTACH > > >> > > >> As you can see, it was almost trapped. Of course I could always up > the > > >> scores for SARE_GIF_ATTACH and HTML_IMAGE_ONLY_16, but I think an > > >> additional rule for side-by-side gifs might be a better approach? I'm > > >> not sure what the best score might be for such a rule - but something > > >> around the 1.0 mark would probably be appropriate. > > >> > > >> -Andy > > >> > > >> > > > Why don't you use ImageInfo? Or do you do that and it didn't trigger > > > even one little rule? If so... Strange... > > > > > > Cheers > > > > > Glenn, > > > > Just installed it and fed it the email and... nothing... I ran SA in > > debug and saw it there, but no scoring... > > > > How can I tell it to look for n side-by-side gifs? I didn't see > > anything about side-by-side images, just the total amount of images, > > which could trigger on many FP... > > > > Thanks! > > > > Denis > > Can you post the image up somewhere then we can take a look. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From ssilva at sgvwater.com Thu Aug 23 16:40:06 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 23 16:40:31 2007 Subject: Clam and Phishing.Heuristics.Email.SpoofedDomain Message-ID: I am getting hammered by legit newsletters getting hit by this definition. Is there a way to ignore this one rule until the clam maintainers fix it? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From Denis.Beauchemin at USherbrooke.ca Thu Aug 23 16:43:35 2007 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Aug 23 16:44:11 2007 Subject: Tiled gif spam In-Reply-To: <1187882713.22245.4.camel@gblades-suse.linguaphone-intranet.co.uk> References: <223f97700708230702v3d75a065m97f13b167b5b0b3d@mail.gmail.com> <46CD9EF3.6060904@USherbrooke.ca> <1187882713.22245.4.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <46CDAB27.3040904@USherbrooke.ca> Gareth a ?crit : > On Thu, 2007-08-23 at 15:51, Denis Beauchemin wrote: > >> Glenn Steen a ?crit : >> >>> On 23/08/07, Andrew MacLachlan wrote: >>> >>> >>>> Sorry - this is the analysis from Mailwatch: >>>> >>>> Spam Report: >>>> Score Matching Rule >>>> score=3.919 >>>> 4 required >>>> 0.00 DKIM_SIGNED >>>> -0.00 DKIM_VERIFIED >>>> 2.50 HTML_IMAGE_ONLY_16 >>>> 0.00 HTML_MESSAGE >>>> 1.42 SARE_GIF_ATTACH >>>> >>>> As you can see, it was almost trapped. Of course I could always up the >>>> scores for SARE_GIF_ATTACH and HTML_IMAGE_ONLY_16, but I think an >>>> additional rule for side-by-side gifs might be a better approach? I'm >>>> not sure what the best score might be for such a rule - but something >>>> around the 1.0 mark would probably be appropriate. >>>> >>>> -Andy >>>> >>>> >>>> >>> Why don't you use ImageInfo? Or do you do that and it didn't trigger >>> even one little rule? If so... Strange... >>> >>> Cheers >>> >>> >> Glenn, >> >> Just installed it and fed it the email and... nothing... I ran SA in >> debug and saw it there, but no scoring... >> >> How can I tell it to look for n side-by-side gifs? I didn't see >> anything about side-by-side images, just the total amount of images, >> which could trigger on many FP... >> >> Thanks! >> >> Denis >> > > Can you post the image up somewhere then we can take a look. > > I'm not the one who started this thread. I just saved the original email to disk and ran it through my own SA setup. The original email was from andy.mac@global-domination.org (Andrew MacLachlan). Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From support-lists at petdoctors.co.uk Thu Aug 23 17:08:40 2007 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Thu Aug 23 17:09:31 2007 Subject: FP in Phishing Detection Message-ID: <005401c7e59f$df08dfd0$3c65a8c0@support01> Yes, yes, I know it's html in an email, but it's like Canute and the tide trying to convince people that although it's pretty it's also a pain...anyway... Here's a block from an email sent by our Marketing lady - notice that 'www.petdoctors.co.uk' claims to be 'www.petdoctors.co.uk' - what's tripping the phishing alert and is it fixable? (Look away now if easily offended)

Find out more about Pet Doctors at MailScanner has detected a possible fraud attempt from "www.petdoctors.co.uk" claiming to be www.petdoctors.co.uk

Thanks Nigel Kendrick From MailScanner at ecs.soton.ac.uk Thu Aug 23 17:18:48 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 23 17:20:28 2007 Subject: FP in Phishing Detection In-Reply-To: <005401c7e59f$df08dfd0$3c65a8c0@support01> References: <005401c7e59f$df08dfd0$3c65a8c0@support01> Message-ID: <46CDB368.20402@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 What version of MailScanner are you running? I've made a few changes recently. Nigel Kendrick wrote: > Yes, yes, I know it's html in an email, but it's like Canute and the tide > trying to convince people that although it's pretty it's also a > pain...anyway... > > Here's a block from an email sent by our Marketing lady - notice that > 'www.petdoctors.co.uk' claims to be 'www.petdoctors.co.uk' - what's tripping > the phishing alert and is it fixable? > > (Look away now if easily offended) > >

style='font-size: > 10.0pt;font-family:Tahoma'>Find out more about Pet Doctors at href="http://www.petdoctors.co.uk/">MailScanner has > detected a possible fraud attempt from "www.petdoctors.co.uk" claiming to > be www.petdoctors.co.uk pan> size=3 face=Tahoma> style='font-size:12.0pt;mso-bidi-font-size: > 10.0pt;font-family:Tahoma'>

> > Thanks > > Nigel Kendrick > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Charset: ISO-8859-1 wj8DBQFGzbNqEfZZRxQVtlQRAj4vAKC6FICrMNOPMJI5EDPEg0iDZ5uRMgCfY6G7 Sa/XOq83aMw8w5WI8Sej50Q= =qfp9 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From martinh at solidstatelogic.com Thu Aug 23 17:20:53 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Aug 23 17:20:57 2007 Subject: FP in Phishing Detection In-Reply-To: <005401c7e59f$df08dfd0$3c65a8c0@support01> Message-ID: Nigel What vesion of MS (PS you any relation to Graham "shine Jesus Shine" Kendrick?) -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Nigel Kendrick > Sent: 23 August 2007 17:09 > To: MailScanner discussion > Subject: FP in Phishing Detection > > Yes, yes, I know it's html in an email, but it's like Canute and the tide > trying to convince people that although it's pretty it's also a > pain...anyway... > > Here's a block from an email sent by our Marketing lady - notice that > 'www.petdoctors.co.uk' claims to be 'www.petdoctors.co.uk' - what's > tripping > the phishing alert and is it fixable? > > (Look away now if easily offended) > >

style='font-size: > 10.0pt;font-family:Tahoma'>Find out more about Pet Doctors at href="http://www.petdoctors.co.uk/">MailScanner has > detected a possible fraud attempt from "www.petdoctors.co.uk" claiming to > be www.petdoctors.co.uk pan> size=3 face=Tahoma> style='font-size:12.0pt;mso-bidi-font-size: > 10.0pt;font-family:Tahoma'>

> > Thanks > > Nigel Kendrick > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From support-lists at petdoctors.co.uk Thu Aug 23 17:45:16 2007 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Thu Aug 23 17:46:06 2007 Subject: FP in Phishing Detection In-Reply-To: <46CDB368.20402@ecs.soton.ac.uk> Message-ID: <005c01c7e5a4$fbd4e820$3c65a8c0@support01> Hi Jules, Martin, That message would have been through 4.61.7 but I have upgraded to the latest this afternoon. Nigel From steinkel at pa.net Thu Aug 23 18:51:21 2007 From: steinkel at pa.net (Leland J. Steinke) Date: Thu Aug 23 18:51:27 2007 Subject: How can MailScanner "push back"? Message-ID: <46CDC919.3000304@pa.net> Has anybody set up a scheme where MailScanner tells the MTA to stop or slow message acceptance, short of blocking inbound port 25, when message scanning gets too far behind? We use postfix (so I will try not to reply to my own message). I have been playing with the idea of tuning the number of inbound smtpd processes in master.cf to match the capacity of the MailScanner instance running on the underlying hardware. The initial results are not particularly encouraging. Even with in-house RBLs and reduced spam-score thresholds for RBL addition, some of our servers are being overrun with apparent StormWorm emails from IPs all over the map, reducing the RBL's effectiveness. As another way to slow the onslaught in postfix, I added extra client and HELO restrictions, adding reject_unknown_client and reject_unknown_hostname to smtpd_{client,helo}_restrictions, respectively. It looks like the HELO restriction is blocking almost as much legitimate mail as illegitimate. Leland From list-mailscanner at linguaphone.com Thu Aug 23 19:04:02 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Aug 23 19:04:08 2007 Subject: Clam and Phishing.Heuristics.Email.SpoofedDomain In-Reply-To: Message-ID: Are you using clamavmodule by any chance? > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Scott > Silva > Sent: 23 August 2007 16:40 > To: mailscanner@lists.mailscanner.info > Subject: Clam and Phishing.Heuristics.Email.SpoofedDomain > > > I am getting hammered by legit newsletters getting hit by this > definition. Is > there a way to ignore this one rule until the clam maintainers fix it? > > -- > > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > From list-mailscanner at linguaphone.com Thu Aug 23 19:05:36 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Aug 23 19:05:38 2007 Subject: Tiled gif spam In-Reply-To: <46CDAB27.3040904@USherbrooke.ca> Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Denis > Beauchemin > Sent: 23 August 2007 16:44 > To: MailScanner discussion > Subject: Re: Tiled gif spam > > > Gareth a ?crit : > > On Thu, 2007-08-23 at 15:51, Denis Beauchemin wrote: > > > >> Glenn Steen a ?crit : > >> > >>> On 23/08/07, Andrew MacLachlan wrote: > >>> > >>> > >>>> Sorry - this is the analysis from Mailwatch: > >>>> > >>>> Spam Report: > >>>> Score Matching Rule > >>>> score=3.919 > >>>> 4 required > >>>> 0.00 DKIM_SIGNED > >>>> -0.00 DKIM_VERIFIED > >>>> 2.50 HTML_IMAGE_ONLY_16 > >>>> 0.00 HTML_MESSAGE > >>>> 1.42 SARE_GIF_ATTACH > >>>> > >>>> As you can see, it was almost trapped. Of course I could > always up the > >>>> scores for SARE_GIF_ATTACH and HTML_IMAGE_ONLY_16, but I think an > >>>> additional rule for side-by-side gifs might be a better approach? I'm > >>>> not sure what the best score might be for such a rule - but something > >>>> around the 1.0 mark would probably be appropriate. > >>>> > >>>> -Andy > >>>> > >>>> > >>>> > >>> Why don't you use ImageInfo? Or do you do that and it didn't trigger > >>> even one little rule? If so... Strange... > >>> > >>> Cheers > >>> > >>> > >> Glenn, > >> > >> Just installed it and fed it the email and... nothing... I ran SA in > >> debug and saw it there, but no scoring... > >> > >> How can I tell it to look for n side-by-side gifs? I didn't see > >> anything about side-by-side images, just the total amount of images, > >> which could trigger on many FP... > >> > >> Thanks! > >> > >> Denis > >> > > > > Can you post the image up somewhere then we can take a look. > > > > > I'm not the one who started this thread. I just saved the original > email to disk and ran it through my own SA setup. The original email > was from andy.mac@global-domination.org (Andrew MacLachlan). > > Denis I didn't see it. I guess the sanesecurity signatures caught it :) From r.berber at computer.org Thu Aug 23 19:08:57 2007 From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=) Date: Thu Aug 23 19:09:15 2007 Subject: Whitelists and Fuzzy In-Reply-To: <46CD88DC.5010102@USherbrooke.ca> References: <5CD3BFF77DFFD411BCD100D0B720F94503C4E5E6@probe.britaxpmg.com> <46CC305B.2060405@USherbrooke.ca> <46CD88DC.5010102@USherbrooke.ca> Message-ID: Denis Beauchemin wrote: > Ren? Berber a ?crit : >> >> That's easy to fix, in FuzzyOcr.words change the line to: >> >> cialis::0.1 >> >> Just to make the answer complete, most people probably already know >> this, the >> above tells FuzzyOcr to match with high certainty; the example you >> name does >> have 5 of the 6 letters of the word in order, so it is no wonder it >> matches -- >> you may even have to lower the 0.1 to 0.01 . >> >> In general I use a changed word list with short words and a few other >> words that >> are (mis)matched easily using the lower fuzzy factor (higher >> certainty). A few >> other words I use with a high fuzzy factor. >> > Ren?, > > Could you tell me where you found this information please? I cannot > find it anywhere... On the configuration file: # Default detection treshold (see manual) # Default value: 0.25 (Can be changed on a per word basis in the wordlist). There's no manual yet, but for more detail on how this "threshold" is used you can read `perldoc String::Approx`. -- Ren? Berber From hvdkooij at vanderkooij.org Thu Aug 23 19:49:48 2007 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Aug 23 19:50:17 2007 Subject: How can MailScanner "push back"? In-Reply-To: <46CDC919.3000304@pa.net> References: <46CDC919.3000304@pa.net> Message-ID: On Thu, 23 Aug 2007, Leland J. Steinke wrote: > Has anybody set up a scheme where MailScanner tells the MTA to stop or slow > message acceptance, short of blocking inbound port 25, when message scanning > gets too far behind? > > We use postfix (so I will try not to reply to my own message). I have been > playing with the idea of tuning the number of inbound smtpd processes in > master.cf to match the capacity of the MailScanner instance running on the > underlying hardware. The initial results are not particularly encouraging. > Even with in-house RBLs and reduced spam-score thresholds for RBL addition, > some of our servers are being overrun with apparent StormWorm emails from IPs > all over the map, reducing the RBL's effectiveness. Considering blocking DSL, cable and other 'user' IP ranges. There are some RBL's focussing on these ranges. It should give you some air. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for this quote of George Bernard Shaw.) From michael at huntley.net Thu Aug 23 19:53:13 2007 From: michael at huntley.net (Michael Huntley) Date: Thu Aug 23 19:53:48 2007 Subject: How can MailScanner "push back"? In-Reply-To: <46CDC919.3000304@pa.net> References: <46CDC919.3000304@pa.net> Message-ID: <46CDD799.9070609@huntley.net> Greylisting stopped a terrible mail storm on our system. http://postgrey.schweikert.ch/ Cheers! Michael vinum vesco valens viscus Leland J. Steinke wrote: > Has anybody set up a scheme where MailScanner tells the MTA to stop or > slow message acceptance, short of blocking inbound port 25, when > message scanning gets too far behind? > > We use postfix (so I will try not to reply to my own message). I have > been playing with the idea of tuning the number of inbound smtpd > processes in master.cf to match the capacity of the MailScanner > instance running on the underlying hardware. The initial results are > not particularly encouraging. Even with in-house RBLs and reduced > spam-score thresholds for RBL addition, some of our servers are being > overrun with apparent StormWorm emails from IPs all over the map, > reducing the RBL's effectiveness. > > As another way to slow the onslaught in postfix, I added extra client > and HELO restrictions, adding reject_unknown_client and > reject_unknown_hostname to smtpd_{client,helo}_restrictions, > respectively. It looks like the HELO restriction is blocking almost > as much legitimate mail as illegitimate. > > > Leland From steinkel at pa.net Thu Aug 23 20:21:12 2007 From: steinkel at pa.net (Leland J. Steinke) Date: Thu Aug 23 20:21:17 2007 Subject: How can MailScanner "push back"? In-Reply-To: <46CDD799.9070609@huntley.net> References: <46CDC919.3000304@pa.net> <46CDD799.9070609@huntley.net> Message-ID: <46CDDE28.9040306@pa.net> Michael Huntley wrote: > Greylisting stopped a terrible mail storm on our system. We've been using sqlgrey for almost 18 months now. The spammers have adapted. Hugo van der Kooij wrote: > Considering blocking DSL, cable and other 'user' IP ranges. There are > some RBL's focussing on these ranges. It should give you some air. We use PSBL and DSBL, in addition to our own RBL. We are an ISP, so I am loath to use RBLs such as PBL to reject connections, instead using them in SA to jack up spam scores. Maybe I need to write a postfix policy daemon to query the hold queue or otherwise check the box's status and 450-reject the connection if the box is overloaded... Leland From maillists at conactive.com Thu Aug 23 20:31:21 2007 From: maillists at conactive.com (Kai Schaetzl) Date: Thu Aug 23 20:31:24 2007 Subject: How can MailScanner "push back"? In-Reply-To: <46CDC919.3000304@pa.net> References: <46CDC919.3000304@pa.net> Message-ID: Leland J. Steinke wrote on Thu, 23 Aug 2007 13:51:21 -0400: > Has anybody set up a scheme where MailScanner tells the MTA to stop or > slow message acceptance, short of blocking inbound port 25, when message > scanning gets too far behind? I know you have Postfix, but maybe it's got a similar feature. In sendmail you can configure to stop processing and to stop queueing depending on certain system load. Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From MailScanner at ecs.soton.ac.uk Thu Aug 23 20:48:27 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Aug 23 20:49:07 2007 Subject: How can MailScanner "push back"? In-Reply-To: <46CDDE28.9040306@pa.net> References: <46CDC919.3000304@pa.net> <46CDD799.9070609@huntley.net> <46CDDE28.9040306@pa.net> Message-ID: <46CDE48B.10908@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Leland J. Steinke wrote: > > Maybe I need to write a postfix policy daemon to query the hold queue > or otherwise check the box's status and 450-reject the connection if > the box is overloaded... That sounds like the best approach to me. Find the length of the hold queue from either direct measurement or watching the logs, and 450-reject connections if the queue is too large. You could alternatively do it without talking to postfix at all by using iptables to block connectivity to port 25 when the queue gets too large. I don't know how hard it is to write a postfix policy daemon :-) Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Charset: ISO-8859-1 wj8DBQFGzeSMEfZZRxQVtlQRAlVLAJ9FzXVh9eu4SAhN3TYuJO9Db/pAjgCfSabm Z/0eutmbLuDQpy7FQPk1vLU= =vyOy -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From davi at jvsinfo.com.br Thu Aug 23 20:58:55 2007 From: davi at jvsinfo.com.br (Davi Baldin) Date: Thu Aug 23 20:58:05 2007 Subject: =?iso-8859-1?q?ATEN=C7=C3O_-_Davi_estar=E1_ausente?= Message-ID: I will be out of the office starting 23/08/2007 and will not return until 01/09/2007. Estarei ausente at? dia 01/09/2007. Assuntos de suporte, favor encaminhar para suporte@jvsinfo.com.br, grato. From steve.freegard at fsl.com Thu Aug 23 21:12:31 2007 From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Aug 23 21:12:31 2007 Subject: How can MailScanner "push back"? In-Reply-To: <46CDDE28.9040306@pa.net> References: <46CDC919.3000304@pa.net> <46CDD799.9070609@huntley.net> <46CDDE28.9040306@pa.net> Message-ID: <46CDEA2F.9030305@fsl.com> Hi Leland, Leland J. Steinke wrote: > Michael Huntley wrote: >> Greylisting stopped a terrible mail storm on our system. > > We've been using sqlgrey for almost 18 months now. The spammers have > adapted. > We've got a modified greylisting implementation in our BarricadeMX product which is very different to SQLgrey and has so far proven 100% effective against the botnet spam that passes traditional greylistng (no extra drawbacks from normal greylisting except for more bandwidth being used). Ping me off-list if you would like to try a demo of it. > Hugo van der Kooij wrote: > > Considering blocking DSL, cable and other 'user' IP ranges. There are > > some RBL's focussing on these ranges. It should give you some air. > > We use PSBL and DSBL, in addition to our own RBL. We are an ISP, so I > am loath to use RBLs such as PBL to reject connections, instead using > them in SA to jack up spam scores. I like the DSBL a lot - but you should probably consider adding cbl.abuseat.org as it will catch a *lot* of extra stuff missed by your existing two. Instead of using the PBL you could use dynablock.njabl.org and bypass any of your own dial-up/DSL ranges. Also consider adding milter-link into Postfix and rejecting stuff listed on multi.surbl.org and black.uribl.com at the MTA level as this will help a lot (on the non-botnet stuff anyway). > Maybe I need to write a postfix policy daemon to query the hold queue or > otherwise check the box's status and 450-reject the connection if the > box is overloaded... I really don't think that this will solve your problem as you'll end up seriously delaying geniune senders with sane retry intervals whilst the bots will continue to hammer away relentlessly whenever you start allowing connections again. It's a problem that will then get exponentially worse the more you shut of the port. It's better to minimise the amount of junk .vs. good message allowed into MailScanner from the MTA which is what we (FSL) are pretty good at now ;-) Kind regards, Steve. From steinkel at pa.net Thu Aug 23 21:14:26 2007 From: steinkel at pa.net (Leland J. Steinke) Date: Thu Aug 23 21:14:32 2007 Subject: How can MailScanner "push back"? In-Reply-To: <46CDE48B.10908@ecs.soton.ac.uk> References: <46CDC919.3000304@pa.net> <46CDD799.9070609@huntley.net> <46CDDE28.9040306@pa.net> <46CDE48B.10908@ecs.soton.ac.uk> Message-ID: <46CDEAA2.9040300@pa.net> Julian Field wrote: > I don't know how hard it is to write a postfix policy daemon :-) > Actually, "he who shall not be named" provides a sample policy daemon with the postfix source. Leland From Richard.Frovarp at sendit.nodak.edu Thu Aug 23 21:21:51 2007 From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Thu Aug 23 21:21:55 2007 Subject: How can MailScanner "push back"? In-Reply-To: <46CDEA2F.9030305@fsl.com> References: <46CDC919.3000304@pa.net> <46CDD799.9070609@huntley.net> <46CDDE28.9040306@pa.net> <46CDEA2F.9030305@fsl.com> Message-ID: <46CDEC5F.1000103@sendit.nodak.edu> Steve Freegard wrote: > > > Instead of using the PBL you could use dynablock.njabl.org and bypass > any of your own dial-up/DSL ranges. dynablock is a mirror of the PBL and will go away at some point. In fact their site is now saying it will be going away soon, as it is long past time to switch to PBL. http://www.njabl.org/dynablock.html From Richard.Frovarp at sendit.nodak.edu Thu Aug 23 21:25:47 2007 From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Thu Aug 23 21:25:50 2007 Subject: How can MailScanner "push back"? In-Reply-To: <46CDC919.3000304@pa.net> References: <46CDC919.3000304@pa.net> Message-ID: <46CDED4B.3020001@sendit.nodak.edu> Leland J. Steinke wrote: > Has anybody set up a scheme where MailScanner tells the MTA to stop or > slow message acceptance, short of blocking inbound port 25, when > message scanning gets too far behind? > > We use postfix (so I will try not to reply to my own message). I have > been playing with the idea of tuning the number of inbound smtpd > processes in master.cf to match the capacity of the MailScanner > instance running on the underlying hardware. The initial results are > not particularly encouraging. Even with in-house RBLs and reduced > spam-score thresholds for RBL addition, some of our servers are being > overrun with apparent StormWorm emails from IPs all over the map, > reducing the RBL's effectiveness. > > As another way to slow the onslaught in postfix, I added extra client > and HELO restrictions, adding reject_unknown_client and > reject_unknown_hostname to smtpd_{client,helo}_restrictions, > respectively. It looks like the HELO restriction is blocking almost > as much legitimate mail as illegitimate. > > > Leland We usually only have issues of one of our boxes getting hammered. If you run multiple machines, and only one is getting hammered, blocking 25 isn't a bad thing. The load will the hopefully go over to your other boxes. If it's spam and you're really lucky it might even stop (never seen this, hence the lucky part). I've shut off our incoming sendmail process on an overloaded box to let it catch up. It actually requires stopping the service MailScanner stop, service MailScanner startout, and check_mailscanner calls. An automated method of controlling postfix of iptables would probably work just as well, so long as all of your servers don't trip at the same time. From steve.freegard at fsl.com Thu Aug 23 22:05:01 2007 From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Aug 23 22:05:01 2007 Subject: How can MailScanner "push back"? In-Reply-To: <46CDEC5F.1000103@sendit.nodak.edu> References: <46CDC919.3000304@pa.net> <46CDD799.9070609@huntley.net> <46CDDE28.9040306@pa.net> <46CDEA2F.9030305@fsl.com> <46CDEC5F.1000103@sendit.nodak.edu> Message-ID: <46CDF67D.4000208@fsl.com> Richard Frovarp wrote: > Steve Freegard wrote: >> >> >> Instead of using the PBL you could use dynablock.njabl.org and bypass >> any of your own dial-up/DSL ranges. > > dynablock is a mirror of the PBL and will go away at some point. In fact > their site is now saying it will be going away soon, as it is long past > time to switch to PBL. > > http://www.njabl.org/dynablock.html Yes - but my rationale behind that statement remains the same; PBL access for an ISP is potentially going to be very expensive (which is why I guess the OP was not using Spamhaus at all), so an rsync of dynablock before it disappears is probably a good idea. Kind regards, Steve. From ssilva at sgvwater.com Thu Aug 23 22:08:36 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 23 22:08:51 2007 Subject: Clam and Phishing.Heuristics.Email.SpoofedDomain In-Reply-To: References:

Message-ID: Gareth spake the following on 8/23/2007 11:04 AM: > Are you using clamavmodule by any chance? > Yes I am. I thought about using clamd, but don't have enough volume to be worth the extra work. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From andy.mac at global-domination.org Thu Aug 23 22:50:27 2007 From: andy.mac at global-domination.org (Andrew MacLachlan) Date: Thu Aug 23 22:49:58 2007 Subject: How can MailScanner "push back"? Message-ID: > Actually, "he who shall not be named" provides a sample policy daemon > with the postfix source. > There is a much simpler solution (but I could also be confused...): Main.cf ... # INPUT RATE CONTROL # # The in_flow_delay configuration parameter implements mail input # flow control. This feature is turned on by default, although it # still needs further development (it's disabled on SCO UNIX due # to an SCO bug). # # A Postfix process will pause for $in_flow_delay seconds before # accepting a new message, when the message arrival rate exceeds the # message delivery rate. With the default 100 SMTP server process # limit, this limits the mail inflow to 100 messages a second more # than the number of messages delivered per second. # # Specify 0 to disable the feature. Valid delays are 0..10. # #in_flow_delay = 1s ... -HTH, Andy -- This message was scanned by ESVA and is believed to be clean. From andy.mac at global-domination.org Thu Aug 23 22:52:21 2007 From: andy.mac at global-domination.org (Andrew MacLachlan) Date: Thu Aug 23 22:52:03 2007 Subject: Tiled gif spam Message-ID: > > I didn't see it. I guess the sanesecurity signatures caught it :) > :-) -- This message was scanned by ESVA and is believed to be clean. From andy.mac at global-domination.org Thu Aug 23 22:54:51 2007 From: andy.mac at global-domination.org (Andrew MacLachlan) Date: Thu Aug 23 22:54:09 2007 Subject: =?iso-8859-1?q?RE=3A_ATEN=C7=C3O_-_Davi_estar=E1_ausente?= Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Davi Baldin > Sent: 23 August 2007 20:59 > To: mailscanner@lists.mailscanner.info > Subject: ATEN??O - Davi estar? ausente > > > I will be out of the office starting 23/08/2007 and will not return until > 01/09/2007. Does anyone know Davi's address so we can help ourselves to his things now that we know he's gone on holiday for a week? -- This message was scanned by ESVA and is believed to be clean. From jpenix at binarytribe.com Thu Aug 23 23:14:32 2007 From: jpenix at binarytribe.com (Joshua Penix) Date: Thu Aug 23 23:14:43 2007 Subject: Error in Clam/SA install script Message-ID: <9C05A28F-5A35-42D9-8D98-873F709D8110@binarytribe.com> Nothing major but I thought I'd mention it: Line 439 of install.sh in Julian's install-Clam-SA package attempts to back up SpamAssassin's /etc/mail/spamassassin/*.pre files, but it makes a path assumption and thusly fails as follows: Making backup of pre files to /tmp/backup.pre.9510.tar tar: *pre: Cannot stat: No such file or directory tar: Error exit delayed from previous errors And a blank tarball is created, leaving the user without backups of their SA configs. -- Joshua Penix http://www.binarytribe.com Binary Tribe Linux Integration Services & Network Consulting From miguelk at konsultex.com.br Thu Aug 23 23:33:31 2007 From: miguelk at konsultex.com.br (Miguel Koren O'Brien de Lacy) Date: Thu Aug 23 23:33:50 2007 Subject: =?iso-8859-1?q?ATEN=C7=C3O_-_Davi_estar=E1_ausente?= In-Reply-To: References: Message-ID: <46CE0B3B.5040006@konsultex.com.br> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070823/64ea640c/attachment.html From ssilva at sgvwater.com Thu Aug 23 23:38:35 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Aug 23 23:38:48 2007 Subject: How can MailScanner "push back"? In-Reply-To: <46CDEA2F.9030305@fsl.com> References: <46CDC919.3000304@pa.net> <46CDD799.9070609@huntley.net> <46CDDE28.9040306@pa.net> <46CDEA2F.9030305@fsl.com> Message-ID: Steve Freegard spake the following on 8/23/2007 1:12 PM: > Hi Leland, > > Leland J. Steinke wrote: >> Michael Huntley wrote: >>> Greylisting stopped a terrible mail storm on our system. >> >> We've been using sqlgrey for almost 18 months now. The spammers have >> adapted. >> > > We've got a modified greylisting implementation in our BarricadeMX > product which is very different to SQLgrey and has so far proven 100% > effective against the botnet spam that passes traditional greylistng (no > extra drawbacks from normal greylisting except for more bandwidth being > used). Ping me off-list if you would like to try a demo of it. > >> Hugo van der Kooij wrote: >> > Considering blocking DSL, cable and other 'user' IP ranges. There are >> > some RBL's focussing on these ranges. It should give you some air. >> >> We use PSBL and DSBL, in addition to our own RBL. We are an ISP, so I >> am loath to use RBLs such as PBL to reject connections, instead using >> them in SA to jack up spam scores. > > I like the DSBL a lot - but you should probably consider adding > cbl.abuseat.org as it will catch a *lot* of extra stuff missed by your > existing two. > > Instead of using the PBL you could use dynablock.njabl.org and bypass > any of your own dial-up/DSL ranges. > Before you use dynablock.njabl.org you should read this; http://njabl.org/dynablock.html. It's been more than 6 months since NJABL maintenance of dynablock was terminated and dynablock became a copy of the Spamhaus PBL. The dynablock zone will be emptied sometime soon and the dynablock.njabl.org zone will be shut down. If you're still using dynablock.njabl.org, it's long past time to switch to pbl.spamhaus.org. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ram at netcore.co.in Fri Aug 24 06:09:30 2007 From: ram at netcore.co.in (ram) Date: Fri Aug 24 06:09:46 2007 Subject: How can MailScanner "push back"? In-Reply-To: <46CDEAA2.9040300@pa.net> References: <46CDC919.3000304@pa.net> <46CDD799.9070609@huntley.net> <46CDDE28.9040306@pa.net> <46CDE48B.10908@ecs.soton.ac.uk> <46CDEAA2.9040300@pa.net> Message-ID: <1187932170.21146.20.camel@localhost.localdomain> On Thu, 2007-08-23 at 16:14 -0400, Leland J. Steinke wrote: > Julian Field wrote: > > I don't know how hard it is to write a postfix policy daemon :-) > > > Actually, "he who shall not be named" provides a sample policy daemon > with the postfix source. I havent done policy daemons before, but it seems to to be trivial. One could use milters too, postfix 2.3 above support milters without hassles , I use a custom milter myself, but not for slowing down mails Slowing down mails I do by adjusting weights on the load balancer with a simple perl script Thanks Ram From hvdkooij at vanderkooij.org Fri Aug 24 07:02:41 2007 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Aug 24 07:02:54 2007 Subject: =?iso-8859-1?q?RE=3A_ATEN=C7=C3O_-_Davi_estar=E1_ausente?= In-Reply-To: References: Message-ID: On Thu, 23 Aug 2007, Andrew MacLachlan wrote: >> I will be out of the office starting 23/08/2007 and will not return until >> 01/09/2007. > > Does anyone know Davi's address so we can help ourselves to his things now that we know he's gone on holiday for a week? Received: from legolas.jvsinfo.com.br (mail.jvsinfo.com.br [189.16.34.130]) Next stop: lacnic Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for this quote of George Bernard Shaw.) From list-mailscanner at linguaphone.com Fri Aug 24 09:21:23 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Fri Aug 24 09:21:35 2007 Subject: Clam and Phishing.Heuristics.Email.SpoofedDomain In-Reply-To: References:

Message-ID: <1187943682.24997.9.camel@gblades-suse.linguaphone-intranet.co.uk> On Thu, 2007-08-23 at 22:08, Scott Silva wrote: > Gareth spake the following on 8/23/2007 11:04 AM: > > Are you using clamavmodule by any chance? > > > Yes I am. I thought about using clamd, but don't have enough volume to be > worth the extra work. Ok the problem is causes by a new clamav feature and unfortunetly in the clamavlib the option is enabled by default (equivilent to having --no-phishing-restrictedscan option set on clamscan) whereas everywhere else it is disabled. Attached is a new copy of SweepViruses.pm which turns the option off when calling clamavmodule and rectifies the problem. Jules has already fixed the issue in his development copy. -------------- next part -------------- A non-text attachment was scrubbed... Name: SweepViruses.pm.gz Type: application/x-gzip Size: 30651 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070824/18d0d586/SweepViruses.pm-0001.gz From viralert at fadalto.com Fri Aug 24 10:01:54 2007 From: viralert at fadalto.com (Phil) Date: Fri Aug 24 10:02:13 2007 Subject: MCP problem Message-ID: <20070824085224.M12471@yatta-it.com> Hi all, I'm using MailScanner-4.62.9-3. I have enabled MCP check as for previous version, but I'm not receiving mcp mail catched. My configuration file is: Non MCP Actions = deliver MCP Actions = store attachment forward spammy@yatta-it.com High Scoring MCP Actions = store forward spammy@yatta-it.com Bounce MCP As Attachment = no My mail log file says: Aug 24 10:41:50 tommy sendmail[13040]: l7O8fmQ3013040: from=, size=871, class=0, nrcpts=1, msgid=<200708240841.l7O8fW1r032052@dario.yatta-it.com>, proto=ESMTP, daemon=MTA, relay=217-133-242-204.b2b.tiscali.it [217.133.242.204] Aug 24 10:41:53 tommy MailScanner[12961]: New Batch: Scanning 1 messages, 1457 bytes Aug 24 10:41:53 tommy MailScanner[12961]: MCP Checks: Starting Aug 24 10:41:54 tommy MailScanner[12961]: Message l7O8fmQ3013040 from 217.133.242.204 (root@dario.yatta-it.com) to fdini.com is MCP, MCP-Checker (score=4, required 1, RULE1 4.00) Aug 24 10:41:54 tommy MailScanner[12961]: MCP Checks: Found 1 MCP messages Aug 24 10:41:54 tommy MailScanner[12961]: MCP Actions: message l7O8fmQ3013040 actions are spammy@yatta-it.com,store,forward Aug 24 10:41:54 tommy MailScanner[12961]: MCP Checks completed at 2544 bytes per second Aug 24 10:41:54 tommy MailScanner[12961]: Spam Checks: Starting Aug 24 10:42:11 tommy MailScanner[12961]: Spam Checks completed at 87 bytes per second Aug 24 10:42:11 tommy MailScanner[12961]: Virus and Content Scanning: Starting Aug 24 10:42:11 tommy MailScanner[12961]: Virus Scanning completed at 3874 bytes per second Aug 24 10:42:11 tommy MailScanner[12961]: Virus Processing completed at 1457 bytes per second Aug 24 10:42:11 tommy MailScanner[12961]: Disinfection completed at 1457 bytes per second Aug 24 10:42:11 tommy MailScanner[12961]: Batch completed at 82 bytes per second (1457 / 17) Aug 24 10:42:11 tommy MailScanner[12961]: Batch (1 message) processed in 17.64 seconds Aug 24 10:42:11 tommy MailScanner[12961]: Logging message l7O8fmQ3013040 to SQL Aug 24 10:42:11 tommy MailScanner[12961]: "Always Looked Up Last" took 0.00 seconds Aug 24 10:42:11 tommy MailScanner[12967]: l7O8fmQ3013040: Logged to MailWatch SQL For spam the behaviour of the new version of MailScanner is equal to the old one: Aug 24 10:45:03 tommy sendmail[13416]: l7O8j2So013416: from=, size=766, class=0, nrcpts=1, msgid=<000e01c7e62b$0d4dc050$5a615558@ws05>, proto=ESMTP, daemon=MTA, relay=[88.85.97.90] Aug 24 10:45:04 tommy MailScanner[13332]: New Batch: Scanning 1 messages, 1206 bytes Aug 24 10:45:04 tommy MailScanner[13332]: MCP Checks: Starting Aug 24 10:45:05 tommy MailScanner[13332]: MCP Checks completed at 5063 bytes per second Aug 24 10:45:05 tommy MailScanner[13332]: Spam Checks: Starting Aug 24 10:45:15 tommy MailScanner[13332]: RBL checks: l7O8j2So013416 found in SBL+XBL Aug 24 10:45:24 tommy MailScanner[13332]: Message l7O8j2So013416 from 88.85.97.90 (grissomofncv@timweld.com) to omissis.com is spam, SBL+XBL, SpamAssassin (not cached, score=12.044, required 4, BAYES_60 1.00, DK_POLICY_SIGNSOME 0.00, JM_TORA_XM 2.41, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_XBL 3.03, RDNS_NONE 0.10, URIBL_BLACK 3.00) Aug 24 10:45:24 tommy MailScanner[13332]: Spam Checks: Found 1 spam messages Aug 24 10:45:24 tommy MailScanner[13332]: Spam Actions: message l7O8j2So013416 actions are attachment,spammy@yatta-it.com,store,forward Aug 24 10:45:24 tommy MailScanner[13332]: Spam Checks completed at 63 bytes per second Aug 24 10:45:24 tommy MailScanner[13332]: Virus and Content Scanning: Starting Aug 24 10:45:24 tommy MailScanner[13332]: Virus Scanning completed at 3189 bytes per second Aug 24 10:45:24 tommy MailScanner[13332]: Uninfected: Delivered 1 messages Aug 24 10:45:24 tommy MailScanner[13332]: Virus Processing completed at 1206 bytes per second Aug 24 10:45:24 tommy MailScanner[13332]: Batch completed at 62 bytes per second (1206 / 19) Aug 24 10:45:24 tommy MailScanner[13332]: Batch (1 message) processed in 19.44 seconds Aug 24 10:45:24 tommy MailScanner[13332]: Logging message l7O8j2So013416 to SQL Aug 24 10:45:24 tommy MailScanner[13332]: "Always Looked Up Last" took 0.00 seconds Aug 24 10:45:24 tommy MailScanner[13337]: l7O8j2So013416: Logged to MailWatch SQL Aug 24 10:45:24 tommy sendmail[13432]: l7O8j2So013416: to=, delay=00:00:21, xdelay=00:00:00, mailer=local, pri=120766, dsn=2.0.0, stat=Sent Any hint? Thanks to all! Phil From gmane at tippingmar.com Fri Aug 24 18:24:56 2007 From: gmane at tippingmar.com (Mark Nienberg) Date: Fri Aug 24 18:25:08 2007 Subject: Minimum Attachment Size Message-ID: # The minimum size, in bytes, of any attachment in a message. # If this is set less than or equal to zero, then no size checking is done. # It is very useful to set this to 1 as it removes any zero-length # attachments which may be created by broken viruses. # This can also be the filename of a ruleset. Minimum Attachment Size = 1 I tried setting this to 1 recently, (it had been 0) and found that messages with zero-length attachments were not delivered at all. I expected them tho be delivered without the zero-length attachment. Did I misunderstand the comment? Mark From cparker at swatgear.com Fri Aug 24 19:37:51 2007 From: cparker at swatgear.com (Chris W. Parker) Date: Fri Aug 24 19:37:56 2007 Subject: Modify filename rule regex to allow exception Message-ID: <97FD54B5E57A1842AA1A4B232E47611773EC1A@ati-ex-02.ati.local> Hello, I'd like to modify the following rule to allow an exception: \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Is it possible for this rule to be modified to allow .doc.rtf? We get contracts in that format and they get stripped because of the filename hiding. Instead of excepting a user (or sender) from all filename checks with a ruleset or removing this rule entirely, I thought it best to just modify the rule. Or is there a better way to handle this? Thanks, Chris. From Denis.Beauchemin at USherbrooke.ca Fri Aug 24 19:49:42 2007 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Fri Aug 24 19:50:22 2007 Subject: Modify filename rule regex to allow exception In-Reply-To: <97FD54B5E57A1842AA1A4B232E47611773EC1A@ati-ex-02.ati.local> References: <97FD54B5E57A1842AA1A4B232E47611773EC1A@ati-ex-02.ati.local> Message-ID: <46CF2846.50605@USherbrooke.ca> Chris W. Parker a ?crit : > Hello, > > I'd like to modify the following rule to allow an exception: > > \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding > > Is it possible for this rule to be modified to allow .doc.rtf? > > We get contracts in that format and they get stripped because of the > filename hiding. Instead of excepting a user (or sender) from all > filename checks with a ruleset or removing this rule entirely, I thought > it best to just modify the rule. > > > Or is there a better way to handle this? > > > Thanks, > Chris. > Chris, I think the rules are accepted from top to bottom. So you could put the following line BEFORE the oher one in filename.rules.conf : allow \.doc\.rtf$ - - You could also use the following MailScanner.conf option: # Allow any attachment filenames matching any of the patters listed here. # If this setting is empty, it is ignored and no matches are made. # This can also be the filename of a ruleset. Allow Filenames = Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From cparker at swatgear.com Fri Aug 24 20:25:41 2007 From: cparker at swatgear.com (Chris W. Parker) Date: Fri Aug 24 20:25:44 2007 Subject: Modify filename rule regex to allow exception References: <97FD54B5E57A1842AA1A4B232E47611773EC1A@ati-ex-02.ati.local> <46CF2846.50605@USherbrooke.ca> Message-ID: <97FD54B5E57A1842AA1A4B232E4761178EEAD8@ati-ex-02.ati.local> On Friday, August 24, 2007 11:50 AM Denis Beauchemin said: > I think the rules are accepted from top to bottom. So you could put > the following line BEFORE the oher one in filename.rules.conf : > allow \.doc\.rtf$ - - This worked. Thanks Denis! Chris. From MailScanner at ecs.soton.ac.uk Fri Aug 24 20:30:29 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 24 20:30:54 2007 Subject: Minimum Attachment Size In-Reply-To: References: Message-ID: <46CF31D5.2020207@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I will have to check this out. Get back to me if you don't hear anything from me this weekend. Mark Nienberg wrote: > # The minimum size, in bytes, of any attachment in a message. > # If this is set less than or equal to zero, then no size checking is > done. > # It is very useful to set this to 1 as it removes any zero-length > # attachments which may be created by broken viruses. > # This can also be the filename of a ruleset. > Minimum Attachment Size = 1 > > I tried setting this to 1 recently, (it had been 0) and found that > messages with zero-length attachments were not delivered at all. I > expected them tho be delivered without the zero-length attachment. > Did I misunderstand the comment? > > Mark > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Charset: ISO-8859-1 wj4DBQFGzzHWEfZZRxQVtlQRAoKdAJjEUQdE7gQzi0aQap5fonJCtGWXAKDkakiK mUF8j9A3iv0oC8Hp2zStqw== =olqg -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Fri Aug 24 22:03:09 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Aug 24 22:03:25 2007 Subject: Minimum Attachment Size In-Reply-To: <46CF31D5.2020207@ecs.soton.ac.uk> References: <46CF31D5.2020207@ecs.soton.ac.uk> Message-ID: <46CF478D.9050004@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I just checked this on my own setup, and it appears to work fine. I set the min size to 10k and sent through some messages with small attachments. It put the messages in the outgoing queue with the small attachments replaced with reports, as expected. Julian Field wrote: > * PGP Signed: 08/24/07 at 20:30:30 > > I will have to check this out. Get back to me if you don't hear > anything from me this weekend. > > Mark Nienberg wrote: >> # The minimum size, in bytes, of any attachment in a message. >> # If this is set less than or equal to zero, then no size checking is >> done. >> # It is very useful to set this to 1 as it removes any zero-length >> # attachments which may be created by broken viruses. >> # This can also be the filename of a ruleset. >> Minimum Attachment Size = 1 >> >> I tried setting this to 1 recently, (it had been 0) and found that >> messages with zero-length attachments were not delivered at all. I >> expected them tho be delivered without the zero-length attachment. >> Did I misunderstand the comment? >> >> Mark >> > > Jules > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Charset: ISO-8859-1 wj8DBQFGz0ePEfZZRxQVtlQRAhePAJ9Q4IPjtdcnyCP0dZLp8HYxdm0HQACgpxjQ 6vu3YimAjkByENgQF95t/VQ= =S6CZ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From ssilva at sgvwater.com Fri Aug 24 23:05:50 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Aug 24 23:06:03 2007 Subject: Clam and Phishing.Heuristics.Email.SpoofedDomain In-Reply-To: <1187943682.24997.9.camel@gblades-suse.linguaphone-intranet.co.uk> References:

<1187943682.24997.9.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: Gareth spake the following on 8/24/2007 1:21 AM: > On Thu, 2007-08-23 at 22:08, Scott Silva wrote: >> Gareth spake the following on 8/23/2007 11:04 AM: >>> Are you using clamavmodule by any chance? >>> >> Yes I am. I thought about using clamd, but don't have enough volume to be >> worth the extra work. > > Ok the problem is causes by a new clamav feature and unfortunetly in the > clamavlib the option is enabled by default (equivilent to having > --no-phishing-restrictedscan option set on clamscan) whereas everywhere > else it is disabled. Attached is a new copy of SweepViruses.pm which > turns the option off when calling clamavmodule and rectifies the > problem. Jules has already fixed the issue in his development copy. > I'll give it a try... Thanks! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From gmane at tippingmar.com Sat Aug 25 01:47:41 2007 From: gmane at tippingmar.com (Mark Nienberg) Date: Sat Aug 25 01:48:01 2007 Subject: Minimum Attachment Size In-Reply-To: <46CF478D.9050004@ecs.soton.ac.uk> References: <46CF31D5.2020207@ecs.soton.ac.uk> <46CF478D.9050004@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I just checked this on my own setup, and it appears to work fine. > I set the min size to 10k and sent through some messages with small > attachments. It put the messages in the outgoing queue with the small > attachments replaced with reports, as expected. Thanks for checking. I don't know what is happening then, so I'll just set it back to 0 for my system. [root@tesla xinetd.d]# MailScanner -v Running on Linux tesla.tippingmar.com 2.6.20-1.2320.fc5 #1 Tue Jun 12 18:50:38 EDT 2007 i686 athlon i386 GNU/Linux This is Fedora Core release 5 (Bordeaux) This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.62.9 Mark From hvdkooij at vanderkooij.org Sat Aug 25 11:13:23 2007 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Aug 25 11:13:45 2007 Subject: How can MailScanner "push back"? In-Reply-To: <46CDC919.3000304@pa.net> References: <46CDC919.3000304@pa.net> Message-ID: On Thu, 23 Aug 2007, Leland J. Steinke wrote: > Has anybody set up a scheme where MailScanner tells the MTA to stop or slow > message acceptance, short of blocking inbound port 25, when message scanning > gets too far behind? > > We use postfix (so I will try not to reply to my own message). I have been > playing with the idea of tuning the number of inbound smtpd processes in > master.cf to match the capacity of the MailScanner instance running on the > underlying hardware. The initial results are not particularly encouraging. > Even with in-house RBLs and reduced spam-score thresholds for RBL addition, > some of our servers are being overrun with apparent StormWorm emails from IPs > all over the map, reducing the RBL's effectiveness. > > As another way to slow the onslaught in postfix, I added extra client and > HELO restrictions, adding reject_unknown_client and reject_unknown_hostname > to smtpd_{client,helo}_restrictions, respectively. It looks like the HELO > restriction is blocking almost as much legitimate mail as illegitimate. Here is one I find very usefull. It blocks a significant of user connections from networks I have nothing to do with. Adjust to your own needs. /etc/postfix/dynamic_networks: # # Dynamic Networks # /^adsl.*$/ reject_dynamic /^dhcp.*$/ reject_dynamic /^cable.*$/ reject_dynamic /^dialup.*$/ reject_dynamic /^dsl-.*$/ reject_dynamic /^dslnet.*$/ reject_dynamic /^dyn-.*$/ reject_dynamic /^dynamic-.*$/ reject_dynamic /^host.*$/ reject_dynamic /^ip-.*$/ reject_dynamic /^netblock-.*$/ reject_dynamic /^ppp.*$/ reject_dynamic /^static.*$/ reject_dynamic in /etc/postfix/main.cf: smtpd_restriction_classes = reject_RFC, reject_auto, reject_auto_virus, reject_domain, reject_dynamic, reject_infected, reject_spam, reject_user reject_RFC = check_client_access regexp:/etc/postfix/class/reject_RFC reject_auto = check_client_access regexp:/etc/postfix/class/reject_auto reject_auto_virus = check_client_access regexp:/etc/postfix/class/reject_auto_virus reject_domain = check_client_access regexp:/etc/postfix/class/reject_domain reject_dynamic = check_client_access regexp:/etc/postfix/class/reject_dynamic reject_infected = check_client_access regexp:/etc/postfix/class/reject_infected reject_spam = check_client_access regexp:/etc/postfix/class/reject_spam reject_user = check_client_access regexp:/etc/postfix/class/reject_user mtpd_client_restrictions = ...... regexp:/etc/postfix/dynamic_networks, ...... in /etc/postfix/class/reject_dynamic: /./ REJECT Dynamic (Cable, Dialup or DSL) network access denied; Use a smarthost instead (http://en.wikipedia.org/wiki/Smart_host) Combine it with other entries and it got me a significant decrease of messages I actually have to scan. For example any host ending with abo.wanadoo.fr has nothing to do with SMTP here either. While not a perfect solutions tricks like these may reduce the amount of messages you have to scan from unworkable to managable. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for this quote of George Bernard Shaw.) From v at vladville.com Sun Aug 26 03:58:07 2007 From: v at vladville.com (Vlad Mazek) Date: Sun Aug 26 03:58:15 2007 Subject: Redirecting *.spamhaus.org queries to local feed server Message-ID: Ok, so setup a local rbldnsd server for a spamhaus feed. Stupid question: how do I tell MailScanner/spamassassin to redirect *.spamhaus.com queries to my rbldnsd server? -Vlad -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070825/a8f95be7/attachment.html From doc at maddoc.net Sun Aug 26 06:14:38 2007 From: doc at maddoc.net (Doc Schneider) Date: Sun Aug 26 06:14:51 2007 Subject: Redirecting *.spamhaus.org queries to local feed server In-Reply-To: References: Message-ID: <46D10C3E.9080004@maddoc.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vlad Mazek wrote: > Ok, so setup a local rbldnsd server for a spamhaus feed. > > Stupid question: how do I tell MailScanner/spamassassin to redirect > *.spamhaus.com queries to my rbldnsd server? > > -Vlad > For a caching name server zone "zen.spamhaus.org" { type forward; forward only; forwarders { 1.2.3.4; }; }; Of course change to 1.2.3.4 to the IP of your rbldnsd server. - -- - -Doc Lincoln, NE. http://www.genealogyforyou.com/ http://www.cairnproductions.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFG0Qw+qOEeBwEpgcsRAlV1AJ93DMJE+gj2Ll4my38s3q15maYmWACeK2n1 i+3HzfTlJgkgiczcC6CWp5Q= =3qrW -----END PGP SIGNATURE----- From ms-list at alexb.ch Sun Aug 26 08:56:46 2007 From: ms-list at alexb.ch (Alex Broens) Date: Sun Aug 26 08:56:50 2007 Subject: Redirecting *.spamhaus.org queries to local feed server In-Reply-To: <46D10C3E.9080004@maddoc.net> References: <46D10C3E.9080004@maddoc.net> Message-ID: <46D1323E.4050100@alexb.ch> On 8/26/2007 7:14 AM, Doc Schneider wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Vlad Mazek wrote: >> Ok, so setup a local rbldnsd server for a spamhaus feed. >> >> Stupid question: how do I tell MailScanner/spamassassin to redirect >> *.spamhaus.com queries to my rbldnsd server? >> >> -Vlad >> > > For a caching name server > > zone "zen.spamhaus.org" { > type forward; > forward only; > forwarders { 1.2.3.4; }; > }; > > > Of course change to 1.2.3.4 to the IP of your rbldnsd server. that's not enough URIBL_SBL in 25_uribl.cf queries sbl.spamhaus.org so you'll also need zone "sbl.spamhaus.org" IN { type forward; forward first; forwarders { 1.2.3.4; }; }; Alex From v at vladville.com Sun Aug 26 15:48:52 2007 From: v at vladville.com (Vlad Mazek) Date: Sun Aug 26 15:48:57 2007 Subject: Redirecting *.spamhaus.org queries to local feed server In-Reply-To: <46D1323E.4050100@alexb.ch> References: <46D10C3E.9080004@maddoc.net> <46D1323E.4050100@alexb.ch> Message-ID: Should I have equivalent zones for PBL as well or is ZEN enough? -Vlad On 8/26/07, Alex Broens wrote: > > On 8/26/2007 7:14 AM, Doc Schneider wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > Vlad Mazek wrote: > >> Ok, so setup a local rbldnsd server for a spamhaus feed. > >> > >> Stupid question: how do I tell MailScanner/spamassassin to redirect > >> *.spamhaus.com queries to my rbldnsd server? > >> > >> -Vlad > >> > > > > For a caching name server > > > > zone "zen.spamhaus.org" { > > type forward; > > forward only; > > forwarders { 1.2.3.4; }; > > }; > > > > > > Of course change to 1.2.3.4 to the IP of your rbldnsd server. > > that's not enough > > URIBL_SBL in 25_uribl.cf queries sbl.spamhaus.org so you'll also need > > zone "sbl.spamhaus.org" IN { > type forward; > forward first; > forwarders { 1.2.3.4; }; > }; > > Alex > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -Vlad -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070826/2c0f0e29/attachment.html From ms-list at alexb.ch Sun Aug 26 16:54:38 2007 From: ms-list at alexb.ch (Alex Broens) Date: Sun Aug 26 16:54:44 2007 Subject: Redirecting *.spamhaus.org queries to local feed server In-Reply-To: References: <46D10C3E.9080004@maddoc.net> <46D1323E.4050100@alexb.ch> Message-ID: <46D1A23E.8020508@alexb.ch> On 8/26/2007 4:48 PM, Vlad Mazek wrote: > Should I have equivalent zones for PBL as well or is ZEN enough? Nope PBL lookups happen thru Zen See 20_dnsbl_tests.cf Alex > -Vlad > > On 8/26/07, Alex Broens wrote: >> On 8/26/2007 7:14 AM, Doc Schneider wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Vlad Mazek wrote: >>>> Ok, so setup a local rbldnsd server for a spamhaus feed. >>>> >>>> Stupid question: how do I tell MailScanner/spamassassin to redirect >>>> *.spamhaus.com queries to my rbldnsd server? >>>> >>>> -Vlad >>>> >>> For a caching name server >>> >>> zone "zen.spamhaus.org" { >>> type forward; >>> forward only; >>> forwarders { 1.2.3.4; }; >>> }; >>> >>> >>> Of course change to 1.2.3.4 to the IP of your rbldnsd server. >> that's not enough >> >> URIBL_SBL in 25_uribl.cf queries sbl.spamhaus.org so you'll also need >> >> zone "sbl.spamhaus.org" IN { >> type forward; >> forward first; >> forwarders { 1.2.3.4; }; >> }; >> >> Alex >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > > From MailScanner at ecs.soton.ac.uk Sun Aug 26 21:04:43 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Aug 26 21:05:08 2007 Subject: Redirecting *.spamhaus.org queries to local feed server In-Reply-To: <46D1A23E.8020508@alexb.ch> References: <46D10C3E.9080004@maddoc.net> <46D1323E.4050100@alexb.ch> <46D1A23E.8020508@alexb.ch> Message-ID: <46D1DCDB.1040106@ecs.soton.ac.uk> In my setup, which has all the zones, the only ones that get queried are zen (600k queries) and sbl (1.4m queries). Both xbl and pbl have had 0 queries. Alex Broens wrote: > On 8/26/2007 4:48 PM, Vlad Mazek wrote: >> Should I have equivalent zones for PBL as well or is ZEN enough? > > Nope > > PBL lookups happen thru Zen > See 20_dnsbl_tests.cf > > Alex > >> -Vlad >> >> On 8/26/07, Alex Broens wrote: >>> On 8/26/2007 7:14 AM, Doc Schneider wrote: >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> Vlad Mazek wrote: >>>>> Ok, so setup a local rbldnsd server for a spamhaus feed. >>>>> >>>>> Stupid question: how do I tell MailScanner/spamassassin to redirect >>>>> *.spamhaus.com queries to my rbldnsd server? >>>>> >>>>> -Vlad >>>>> >>>> For a caching name server >>>> >>>> zone "zen.spamhaus.org" { >>>> type forward; >>>> forward only; >>>> forwarders { 1.2.3.4; }; >>>> }; >>>> >>>> >>>> Of course change to 1.2.3.4 to the IP of your rbldnsd server. >>> that's not enough >>> >>> URIBL_SBL in 25_uribl.cf queries sbl.spamhaus.org so you'll also need >>> >>> zone "sbl.spamhaus.org" IN { >>> type forward; >>> forward first; >>> forwarders { 1.2.3.4; }; >>> }; >>> >>> Alex >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >> >> >> > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From wizard at jimhermann.com Sun Aug 26 21:20:44 2007 From: wizard at jimhermann.com (Jim Hermann) Date: Sun Aug 26 21:21:32 2007 Subject: Outgoing Queue Dir Ruleset In-Reply-To: <200708261100.l7QB02E8013272@safir.blacknight.ie> References: <200708261100.l7QB02E8013272@safir.blacknight.ie> Message-ID: <000801c7e81e$953686b0$cc01a8c0@Dual> I have trying to create a ruleset for Outgoing Queue Dir and it does not appear to work. In MailScanner.conf, I changed to: Outgoing Queue Dir = /etc/MailScanner/rules/outgoing.rules My /etc/MailScanner/rules/outgoing.rules is: # Set "Outgoing Queue Dir = /etc/MailScanner/rules/outgoing.rules". To: *@aol.com /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.aol To: *@comcast.net /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.comcast FromOrTo: default /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned I created the new directories in /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/: drwxr-xr-x 6 root root 4.0K Aug 26 14:02 . drwxr-xr-x 4 root root 4.0K Sep 15 2006 .. drwxr-xr-x 2 root root 64K Aug 26 15:14 mqueue drwxr-xr-x 2 root root 4.0K Aug 26 14:01 mqueue.aol drwxr-xr-x 2 root root 4.0K Aug 26 14:01 mqueue.comcast drwxr-xr-x 2 root root 32K Aug 26 15:12 mqueue.scanned I restarted MailScanner and all email stopped moving from the Incoming Queue Dir to anywhere. What did I do wrong? Jim From MailScanner at ecs.soton.ac.uk Sun Aug 26 21:29:25 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Aug 26 21:29:43 2007 Subject: Outgoing Queue Dir Ruleset In-Reply-To: <000801c7e81e$953686b0$cc01a8c0@Dual> References: <200708261100.l7QB02E8013272@safir.blacknight.ie> <000801c7e81e$953686b0$cc01a8c0@Dual> Message-ID: <46D1E2A5.4090500@ecs.soton.ac.uk> Start by testing them with MailScanner's command-line options. Do a "MailScanner --help" to start with. Is your "Run As User" set to blank (or root)? The last time I tested this functionality it worked just fine, and I think other people use it. If you really can't get it to work with test messages, then mail me back and I'll test it here for you. Make sure your editor hasn't line wrapped the .rules file, the version you posted to the list has been wrapped. Jim Hermann wrote: > I have trying to create a ruleset for Outgoing Queue Dir and it does not > appear to work. > > In MailScanner.conf, I changed to: > > Outgoing Queue Dir = /etc/MailScanner/rules/outgoing.rules > > My /etc/MailScanner/rules/outgoing.rules is: > > # Set "Outgoing Queue Dir = /etc/MailScanner/rules/outgoing.rules". > > To: *@aol.com > /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.aol > To: *@comcast.net > /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.comcast > > FromOrTo: default > /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned > > I created the new directories in > /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/: > > drwxr-xr-x 6 root root 4.0K Aug 26 14:02 . > drwxr-xr-x 4 root root 4.0K Sep 15 2006 .. > drwxr-xr-x 2 root root 64K Aug 26 15:14 mqueue > drwxr-xr-x 2 root root 4.0K Aug 26 14:01 mqueue.aol > drwxr-xr-x 2 root root 4.0K Aug 26 14:01 mqueue.comcast > drwxr-xr-x 2 root root 32K Aug 26 15:12 mqueue.scanned > > I restarted MailScanner and all email stopped moving from the Incoming Queue > Dir to anywhere. > > What did I do wrong? > > Jim > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Sun Aug 26 21:54:18 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Aug 26 21:55:31 2007 Subject: Outgoing Queue Dir Ruleset In-Reply-To: <46D1E2A5.4090500@ecs.soton.ac.uk> References: <200708261100.l7QB02E8013272@safir.blacknight.ie> <000801c7e81e$953686b0$cc01a8c0@Dual> <46D1E2A5.4090500@ecs.soton.ac.uk> Message-ID: <46D1E87A.9060601@ecs.soton.ac.uk> I have just tested this code, and it works just fine. Are you sure it hadn't put the files in the outgoing queue directories and then delivered them before you had time to look in the directories? Julian Field wrote: > Start by testing them with MailScanner's command-line options. > Do a "MailScanner --help" to start with. > Is your "Run As User" set to blank (or root)? > The last time I tested this functionality it worked just fine, and I > think other people use it. > If you really can't get it to work with test messages, then mail me > back and I'll test it here for you. > > Make sure your editor hasn't line wrapped the .rules file, the version > you posted to the list has been wrapped. > > Jim Hermann wrote: >> I have trying to create a ruleset for Outgoing Queue Dir and it does not >> appear to work. >> >> In MailScanner.conf, I changed to: >> >> Outgoing Queue Dir = /etc/MailScanner/rules/outgoing.rules >> >> My /etc/MailScanner/rules/outgoing.rules is: >> >> # Set "Outgoing Queue Dir = /etc/MailScanner/rules/outgoing.rules". >> >> To: *@aol.com >> /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.aol >> To: *@comcast.net >> /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.comcast >> >> FromOrTo: default >> /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned >> >> I created the new directories in >> /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/: >> >> drwxr-xr-x 6 root root 4.0K Aug 26 14:02 . >> drwxr-xr-x 4 root root 4.0K Sep 15 2006 .. >> drwxr-xr-x 2 root root 64K Aug 26 15:14 mqueue >> drwxr-xr-x 2 root root 4.0K Aug 26 14:01 mqueue.aol >> drwxr-xr-x 2 root root 4.0K Aug 26 14:01 mqueue.comcast >> drwxr-xr-x 2 root root 32K Aug 26 15:12 mqueue.scanned >> >> I restarted MailScanner and all email stopped moving from the >> Incoming Queue >> Dir to anywhere. >> >> What did I do wrong? >> >> Jim >> >> > > Jules > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From eersana at yahoo.com Mon Aug 27 02:53:18 2007 From: eersana at yahoo.com (anas asree) Date: Mon Aug 27 02:53:20 2007 Subject: Block Certain Yahoo Mail List In-Reply-To: Message-ID: <86780.55135.qm@web39802.mail.mud.yahoo.com> I'm using Postfix + Mailscanner Some of my users subscribe to certain yahoo mail list which is not related to their work.. How can I reject/blacklist that particular mail list ? --------------------------------- Got a little couch potato? Check out fun summer activities for kids. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070826/2286c0aa/attachment.html From bahadir.kiziltan at gmail.com Mon Aug 27 06:27:49 2007 From: bahadir.kiziltan at gmail.com (Bahadir Kiziltan) Date: Mon Aug 27 06:27:53 2007 Subject: Block Certain Yahoo Mail List In-Reply-To: <86780.55135.qm@web39802.mail.mud.yahoo.com> References: <86780.55135.qm@web39802.mail.mud.yahoo.com> Message-ID: On 8/27/07, anas asree wrote: > I'm using Postfix + Mailscanner > > Some of my users subscribe to certain yahoo mail list which is not related > to their work.. > > How can I reject/blacklist that particular mail list ? > take a look at the header of a mail coming from the mail list. you should see a line with "List-ID" string. then add the similar entry below to header_cheks file located at /etc/postfix directory by modifying the mail list name accordingly. /^List-Id: $/ REJECT lastly, stop/start postfix daemon. From MailScanner at ecs.soton.ac.uk Mon Aug 27 12:17:24 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 27 12:17:43 2007 Subject: Release 4.63.4 Message-ID: <46D2B2C4.1090504@ecs.soton.ac.uk> Hi folks! I hope all of you in the UK are having a nice day off, it's the last one before Christmas :-( I have just released beta 4.63.4, which will turn into the stable release at the start of September, unless anything important happens before then. The new feature in this release that is not in the previous beta is that in the "SpamAssassin Rule Actions" feature, you can now specify a comma-separated list of actions for each each RULE=>action statement in it, saving you having to specify the RULE once for each action. Please let me know of any bugs in this release, as I want to get them fixed before the stable release on 1st September. Download as usual from www.mailscanner.info. The full Change Log for this release is this: * New Features and Improvements * 1 Improved init.d script, so that 'service MailScanner restart' or '/etc/init.d/MailScanner restart' runs faster. It pauses for just long enough for the old MailScanner to die gracefully, and starts up the new one as soon as the old one has died. Previously, it just waited for a fixed length of time which was much longer than needed for most people. 1 Improved tar installer so the directory created for MailScanner includes the build revision number as well as the main version number. 1 Improved phishing net logging to log entire real URL not just hostname. 1 Improvement to update_spamassassin to stop cron-generated mail. 1 New setting "Phishing Bad Sites File" which is a live continuously-updated list of known bad sites that have been reported to various mechanisms around the world. Please don't ask me for more information as I can't give it to you, but every site on the list has been manually tested and the list can be relied upon. Your installation should update this file every hour. NOTE: Run upgrade_languages_conf after installing this upgrade! 2 Reduce default "Restart Every" time to 2 hours so that updates to the known bad phishing sites list are re-read more frequently. 2 Added *.fdf to the list of dangerous filenames. Opening a .fdf file can cause the loading of any file on the internet into Adobe Acrobat. 2 Added 2 new variables to the sender reports: $size = size of message in bytes and $maxmessagesize = maximum allowed size of this message in bytes. 2 Added new setting "Check Filenames In Password-Protected Archives = yes" so that the filename checks can be suppressed on encrypted archives to allow a few people to get exe's and so on through the mail as part of their business needs. Normally leave this setting at "yes". 2 Added new setting "Include Binary Attachments In SpamAssassin = no" which can be used to tell SpamAssassin to look at all attachments, not just the ones containing text (or HTML, etc) which is its normal behaviour. Changing this setting to "yes" will have no effect without a patch to the SpamAssassin code, which you can fetch from http://www.mailscanner.info/mcp.html#patches It will slightly slow down SpamAssassin some of the time, and is therefore disabled by default. This can be very useful if you want to look for rude or derogatory content in messages, and do not want the huge speed impact of using MCP. It can successfully scan the content of Microsoft Word documents, for example. It won't be effective on PDF files however, as these are compressed internally so there is no readable text anywhere in the file. 3 Added a long $PATH to f-prot-autoupdate so we can find wget on most OS-es including Solaris. 3 Improved Sophos.install to disable the savupdate cron job and switch off the unwanted Sophos services. 3 Added a feature to the "SpamAssassin Rule Actions". You can now specify "SpamScore" and a number comparison, instead of just giving a SpamAssassin rule name. So you can say SpamAssassin Rule Actions = SpamScore>25=>delete and this will cause all messages scoring over 25 to be deleted. You can use this to set different actions at different spam scores, in addition to the normal spam actions and high-scoring spam actions. The numerical tests you can use are ">", ">=", "==", "<=" and "<". 4 The "action" in each "RULE=>action" in "SpamAssassin Rule Actions" can now be a comma-separated list of actions, so you can easily specify multiple actions per rule. * Fixes * 1 Improvement to phishing net to allow HTML tags with contents split over multiple lines. 1 Changed options to ClamAVmodule so it doesn't hit false positives with the phishing and scam email detection signatures. 1-2 Fixed bug where --lint gives "MailScanner.conf file not found" error. 2 Stopped writing a PID file when "MailScanner --lint" is run. 2 update_spamassassin no longer produces any output, so no crond email. 2 Fixed bug where clamavmodule scanner name wouldn't always be logged correctly. 2 Bugfix in ZMDiskStore.pm ZMailer support from Leonardo Helman. 3 Force installation of perl-Getopt-Long to try to solve the problems with command-line options producing 'config file not found' errors. 3 Commented out sample rules in max.message.size.rules file. 3 Fixed MailScanner.conf Sophos-specific settings for Sophos 5. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From jaearick at colby.edu Mon Aug 27 14:56:50 2007 From: jaearick at colby.edu (Jeff A. Earickson) Date: Mon Aug 27 14:57:24 2007 Subject: mailscanner as a front-end, help! Message-ID: Gang, I slid my legacy MailScanner system back in front of my email appliance this morning to block spam. I've got a problem with non-existent/dictionary attack addresses now. They get sent on to the appliance, who doesn't know the address, thence back to the front-end, unroutable -- mail loop, too many hops. I need MailScanner/sendmail to kill non-existent addresses up front. I found milter-ahead (costs euros). Any other ideas? Virtusertables, like http://q.queso.com/archives/002025? My setup: sendmail 8.14.1, MailScanner 4.62.9, SA and the other anti-spam additions. sendmail running as "define(`MAIL_HUB'" setting to pass all (non-spam) email on to the appliance for local delivery. Jeff Earickson Colby College From glenn.steen at gmail.com Mon Aug 27 15:05:25 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Aug 27 15:05:29 2007 Subject: mailscanner as a front-end, help! In-Reply-To: References: Message-ID: <223f97700708270705r71036dcu7a65b3ac5bd9b72b@mail.gmail.com> On 27/08/07, Jeff A. Earickson wrote: > Gang, > > I slid my legacy MailScanner system back in front of my email > appliance this morning to block spam. I've got a problem with > non-existent/dictionary attack addresses now. They get sent > on to the appliance, who doesn't know the address, thence back > to the front-end, unroutable -- mail loop, too many hops. > I need MailScanner/sendmail to kill non-existent addresses up > front. I found milter-ahead (costs euros). Any other ideas? > Virtusertables, like http://q.queso.com/archives/002025? > > My setup: sendmail 8.14.1, MailScanner 4.62.9, SA and the other > anti-spam additions. sendmail running as "define(`MAIL_HUB'" > setting to pass all (non-spam) email on to the appliance for > local delivery. > > Jeff Earickson > Colby College smf-sav can do this, I gather... But depending on how tyhings are set, it might not help (if the appliance doesn't correctly reject the non-existant recipients...). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mailadmin at baladia.gov.kw Mon Aug 27 16:02:15 2007 From: mailadmin at baladia.gov.kw (mailadmin@baladia.gov.kw) Date: Mon Aug 27 16:04:06 2007 Subject: how to install updated SA+clamAV Message-ID: <2407.62.150.152.226.1188226935.squirrel@webmail.baladia.gov.kw> Dear All, I have a recently installed the following on Centos 5 as per the install docs CentOS5 MailScanner-4.62.9-3 Clam-0.91.1-SA-3.2.3 n its been workin perfectly fine the clamAV 0.91.1 is already outdated and since some bugs were reported in the ClamAV 0.91.2 i jus waited. now i see on mailscanner site the updated Clam-0.91.2-SA-3.2.3 jules script 1) now since its on mailscanner site obviously its perfectly OK to upgrade ClamAV to 0.91.2 2) how cd i update my clamav to 0.91.2 as when i installed it before i installed clamav, clamdb & clamd from dagwiers rpm site as i wanted clamd support for mailscanner and only installed SA running the install.sh script from Clam-0.91.1-SA-3.2.3 easy installtion package apprecite your help regards simon -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ka at pacific.net Mon Aug 27 16:07:14 2007 From: ka at pacific.net (Ken A) Date: Mon Aug 27 16:07:15 2007 Subject: mailscanner as a front-end, help! In-Reply-To: <223f97700708270705r71036dcu7a65b3ac5bd9b72b@mail.gmail.com> References: <223f97700708270705r71036dcu7a65b3ac5bd9b72b@mail.gmail.com> Message-ID: <46D2E8A2.6010908@pacific.net> Glenn Steen wrote: > On 27/08/07, Jeff A. Earickson wrote: >> Gang, >> >> I slid my legacy MailScanner system back in front of my email >> appliance this morning to block spam. I've got a problem with >> non-existent/dictionary attack addresses now. They get sent >> on to the appliance, who doesn't know the address, thence back >> to the front-end, unroutable -- mail loop, too many hops. >> I need MailScanner/sendmail to kill non-existent addresses up >> front. I found milter-ahead (costs euros). Any other ideas? >> Virtusertables, like http://q.queso.com/archives/002025? >> >> My setup: sendmail 8.14.1, MailScanner 4.62.9, SA and the other >> anti-spam additions. sendmail running as "define(`MAIL_HUB'" >> setting to pass all (non-spam) email on to the appliance for >> local delivery. >> >> Jeff Earickson >> Colby College > smf-sav can do this, I gather... But depending on how tyhings are set, > it might not help (if the appliance doesn't correctly reject the > non-existant recipients...). > > Cheers In the past, I used a script to generate a sendmail access list to do this, with To:user@domain RELAY and a default TO:domain Err..'no such user' at the bottom. That was replaced a while ago with smf-sav. Both methods work well. -- Ken Anderson Pacific.Net From Richard.Frovarp at sendit.nodak.edu Mon Aug 27 16:09:13 2007 From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Mon Aug 27 16:09:18 2007 Subject: how to install updated SA+clamAV In-Reply-To: <2407.62.150.152.226.1188226935.squirrel@webmail.baladia.gov.kw> References: <2407.62.150.152.226.1188226935.squirrel@webmail.baladia.gov.kw> Message-ID: <46D2E919.40308@sendit.nodak.edu> mailadmin@baladia.gov.kw wrote: > Dear All, > > I have a recently installed the following on Centos 5 as per the install > docs > > CentOS5 > MailScanner-4.62.9-3 > Clam-0.91.1-SA-3.2.3 > > n its been workin perfectly fine > > the clamAV 0.91.1 is already outdated and since some bugs were reported in > the ClamAV 0.91.2 i jus waited. > > now i see on mailscanner site the updated Clam-0.91.2-SA-3.2.3 jules script > > 1) now since its on mailscanner site obviously its perfectly OK to upgrade > ClamAV to 0.91.2 > > 2) how cd i update my clamav to 0.91.2 > as when i installed it before i installed clamav, clamdb & clamd from > dagwiers rpm site as i wanted clamd support for mailscanner and only > installed SA running the install.sh script from Clam-0.91.1-SA-3.2.3 easy > installtion package > > Then get the RPMs from dagwiers site and upgrade that way. From MailScanner at ecs.soton.ac.uk Mon Aug 27 16:25:40 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 27 16:26:01 2007 Subject: how to install updated SA+clamAV In-Reply-To: <2407.62.150.152.226.1188226935.squirrel@webmail.baladia.gov.kw> References: <2407.62.150.152.226.1188226935.squirrel@webmail.baladia.gov.kw> Message-ID: <46D2ECF4.5070305@ecs.soton.ac.uk> mailadmin@baladia.gov.kw wrote: > Dear All, > > I have a recently installed the following on Centos 5 as per the install > docs > > CentOS5 > MailScanner-4.62.9-3 > Clam-0.91.1-SA-3.2.3 > > n its been workin perfectly fine > > the clamAV 0.91.1 is already outdated and since some bugs were reported in > the ClamAV 0.91.2 i jus waited. > > now i see on mailscanner site the updated Clam-0.91.2-SA-3.2.3 jules script > > 1) now since its on mailscanner site obviously its perfectly OK to upgrade > ClamAV to 0.91.2 > I would personally not install 0.91.2. > 2) how cd i update my clamav to 0.91.2 > as when i installed it before i installed clamav, clamdb & clamd from > dagwiers rpm site as i wanted clamd support for mailscanner and only > installed SA running the install.sh script from Clam-0.91.1-SA-3.2.3 easy > installtion package > Don't install 0.91.2, wait for 0.91.3. 0.91.1 will work perfectly well for you. > > apprecite your help > > > regards > > simon > > > > > > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From chen at hhmi.umbc.edu Mon Aug 27 16:38:42 2007 From: chen at hhmi.umbc.edu (Yu Chen) Date: Mon Aug 27 16:38:45 2007 Subject: how to install updated SA+clamAV In-Reply-To: <46D2ECF4.5070305@ecs.soton.ac.uk> References: <2407.62.150.152.226.1188226935.squirrel@webmail.baladia.gov.kw> <46D2ECF4.5070305@ecs.soton.ac.uk> Message-ID: >> installed SA running the install.sh script from Clam-0.91.1-SA-3.2.3 easy >> installtion package >> > Don't install 0.91.2, wait for 0.91.3. > 0.91.1 will work perfectly well for you. Hmmm... I am just about to put MailScanner together with Clam 0.91.2 on the newly installed system, so do you mean I should not install Clam0.91.2 this time? Thanks, CY > >> >> apprecite your help >> >> >> regards >> >> simon >> >> >> >> >> >> >> > > Jules > > =========================================== Yu Chen Howard Hughes Medical Institute Chemistry Building, Rm 182 University of Maryland at Baltimore County 1000 Hilltop Circle Baltimore, MD 21250 phone: (410)455-1728 (primary) (410)455-6347 (secondary) fax: (410)455-1174 email: chen@hhmi.umbc.edu =========================================== From mailadmin at baladia.gov.kw Mon Aug 27 17:24:56 2007 From: mailadmin at baladia.gov.kw (mailadmin@baladia.gov.kw) Date: Mon Aug 27 17:26:37 2007 Subject: how to install updated SA+clamAV Message-ID: <2720.62.150.152.226.1188231896.squirrel@webmail.baladia.gov.kw> Dear All, I have a recently installed the following on Centos 5 as per the install docs CentOS5 MailScanner-4.62.9-3 Clam-0.91.1-SA-3.2.3 n its been workin perfectly fine the clamAV 0.91.1 is already outdated and since some bugs were reported in the ClamAV 0.91.2 i jus waited. now i see on mailscanner site the updated Clam-0.91.2-SA-3.2.3 jules script 1) now since its on mailscanner site obviously its perfectly OK to upgrade ClamAV to 0.91.2 2) how cd i update my clamav to 0.91.2 as when i installed it before i installed clamav, clamdb & clamd from dagwiers rpm site as i wanted clamd support for mailscanner and only installed SA running the install.sh script from Clam-0.91.1-SA-3.2.3 easy installtion package apprecite your help regards simon -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maillists at conactive.com Mon Aug 27 17:31:30 2007 From: maillists at conactive.com (Kai Schaetzl) Date: Mon Aug 27 17:31:40 2007 Subject: how to install updated SA+clamAV In-Reply-To: <2407.62.150.152.226.1188226935.squirrel@webmail.baladia.gov.kw> References: <2407.62.150.152.226.1188226935.squirrel@webmail.baladia.gov.kw> Message-ID: wrote on Mon, 27 Aug 2007 18:02:15 +0300 (AST): > CentOS5 You want to use yum for upgrading installed packages. Subscribe to the centos mailing list and read a bit of documentation about CentOS. Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From tobias.axelsson at vxu.se Mon Aug 27 18:17:33 2007 From: tobias.axelsson at vxu.se (Tobias Axelsson) Date: Mon Aug 27 18:17:41 2007 Subject: SLES 10 experience References: <006801c7e09d$a4f44e30$ad582fc2@taxbrbr> <223f97700708170149s15085a11r2e3c01500528412@mail.gmail.com> Message-ID: <004d01c7e8ce$287cc100$7a01a8c0@taxbrbr> Hi Well, don't got any sun this summer, eccept for my holiday in bulgaria :) Need to go to warm places when you living in this mess of clouds, rain and wind. So who are you, what you working with? Cheers, Tobias ----- Original Message ----- From: "Glenn Steen" To: "MailScanner discussion" Sent: Friday, August 17, 2007 10:49 AM Subject: Re: SLES 10 experience On 17/08/07, Tobias Axelsson wrote: > > > > > Hi > > I have now in 3 years running mailscanner/mailwatch on Suse linux > enterprise > server 9 on three servers almost without problem. > > Now we need more performance and gonna replace them with three new > bladeservers 2x4quadcore/6GB ram and no disk. > > Becourse of the blade-structure, I gonna need to san-boot them, (the > systemdisk is a SAN-disk) and therefor it requires SuSE linux enterprise > 10. > Do someone have good experience with SLES10? A lot is changed... Tjena Tobias, I have no real experience, but there have been several indications on the list that the latest and greatest MailScanner works OK on that plattform. > Thanks, Tobias > Sweden How is V?xj?? I hear from my kids (visiting the in-laws) that the weather finally has turned into something resembling summer...:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From wizard at jimhermann.com Mon Aug 27 18:40:58 2007 From: wizard at jimhermann.com (Jim Hermann) Date: Mon Aug 27 18:47:44 2007 Subject: Outgoing Queue Dir Ruleset In-Reply-To: <46D1E87A.9060601@ecs.soton.ac.uk> References: <200708261100.l7QB02E8013272@safir.blacknight.ie> <000801c7e81e$953686b0$cc01a8c0@Dual><46D1E2A5.4090500@ecs.soton.ac.uk> <46D1E87A.9060601@ecs.soton.ac.uk> Message-ID: <00c301c7e8d1$6dc1e120$cc01a8c0@Dual> It's possible. Does MailScanner automatically add the -OQueueDirectory="Outgoing Queue Dir" argument for Sendmail2? It looks like it does. I was not expecting it. I had: Sendmail2 = /usr/sbin/sendmail -L sm-MailScanner -OProcessTitlePrefix=sm-MailScanner -ODeliveryMode=background -OQueueDirectory=/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.s canned -C /etc/mail/sm-MailScanner.cf So I changed it to: Sendmail2 = /usr/sbin/sendmail -L sm-mailscanner -OProcessTitlePrefix=sm-mailscanner -ODeliveryMode=background -C /etc/mail/sm-MailScanner.cf Jim > -----Original Message----- > From: Julian Field [mailto:MailScanner@ecs.soton.ac.uk] > Sent: Sunday, August 26, 2007 03:54 PM > To: MailScanner discussion > Subject: Re: Outgoing Queue Dir Ruleset > > I have just tested this code, and it works just fine. > Are you sure it hadn't put the files in the outgoing queue > directories > and then delivered them before you had time to look in the > directories? > > Julian Field wrote: > > Start by testing them with MailScanner's command-line options. > > Do a "MailScanner --help" to start with. > > Is your "Run As User" set to blank (or root)? > > The last time I tested this functionality it worked just > fine, and I > > think other people use it. > > If you really can't get it to work with test messages, then mail me > > back and I'll test it here for you. > > > > Make sure your editor hasn't line wrapped the .rules file, > the version > > you posted to the list has been wrapped. > > > > Jim Hermann wrote: > >> I have trying to create a ruleset for Outgoing Queue Dir > and it does not > >> appear to work. > >> > >> In MailScanner.conf, I changed to: > >> > >> Outgoing Queue Dir = /etc/MailScanner/rules/outgoing.rules > >> > >> My /etc/MailScanner/rules/outgoing.rules is: > >> > >> # Set "Outgoing Queue Dir = > /etc/MailScanner/rules/outgoing.rules". > >> > >> To: *@aol.com > >> /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.aol > >> To: *@comcast.net > >> /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.comcast > >> > >> FromOrTo: default > >> /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned > >> > >> I created the new directories in > >> /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/: > >> > >> drwxr-xr-x 6 root root 4.0K Aug 26 14:02 . > >> drwxr-xr-x 4 root root 4.0K Sep 15 2006 .. > >> drwxr-xr-x 2 root root 64K Aug 26 15:14 mqueue > >> drwxr-xr-x 2 root root 4.0K Aug 26 14:01 mqueue.aol > >> drwxr-xr-x 2 root root 4.0K Aug 26 14:01 mqueue.comcast > >> drwxr-xr-x 2 root root 32K Aug 26 15:12 mqueue.scanned > >> > >> I restarted MailScanner and all email stopped moving from the > >> Incoming Queue > >> Dir to anywhere. > >> > >> What did I do wrong? > >> > >> Jim > >> > >> > > > > Jules > > > > Jules > > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > > From jaearick at colby.edu Mon Aug 27 18:52:59 2007 From: jaearick at colby.edu (Jeff A. Earickson) Date: Mon Aug 27 18:54:42 2007 Subject: mailscanner as a front-end, help! In-Reply-To: <46D2E8A2.6010908@pacific.net> References: <223f97700708270705r71036dcu7a65b3ac5bd9b72b@mail.gmail.com> <46D2E8A2.6010908@pacific.net> Message-ID: Thanks to all, smf-sav works great. On Mon, 27 Aug 2007, Ken A wrote: > Date: Mon, 27 Aug 2007 10:07:14 -0500 > From: Ken A > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Re: mailscanner as a front-end, help! > > Glenn Steen wrote: >> On 27/08/07, Jeff A. Earickson wrote: >>> Gang, >>> >>> I slid my legacy MailScanner system back in front of my email >>> appliance this morning to block spam. I've got a problem with >>> non-existent/dictionary attack addresses now. They get sent >>> on to the appliance, who doesn't know the address, thence back >>> to the front-end, unroutable -- mail loop, too many hops. >>> I need MailScanner/sendmail to kill non-existent addresses up >>> front. I found milter-ahead (costs euros). Any other ideas? >>> Virtusertables, like http://q.queso.com/archives/002025? >>> >>> My setup: sendmail 8.14.1, MailScanner 4.62.9, SA and the other >>> anti-spam additions. sendmail running as "define(`MAIL_HUB'" >>> setting to pass all (non-spam) email on to the appliance for >>> local delivery. >>> >>> Jeff Earickson >>> Colby College >> smf-sav can do this, I gather... But depending on how tyhings are set, >> it might not help (if the appliance doesn't correctly reject the >> non-existant recipients...). >> >> Cheers > > In the past, I used a script to generate a sendmail access list to do this, > with To:user@domain RELAY and a default TO:domain Err..'no such user' at the > bottom. That was replaced a while ago with smf-sav. Both methods work well. > > -- > Ken Anderson > Pacific.Net > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Mon Aug 27 19:38:00 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 27 19:38:20 2007 Subject: Outgoing Queue Dir Ruleset In-Reply-To: <00c301c7e8d1$6dc1e120$cc01a8c0@Dual> References: <200708261100.l7QB02E8013272@safir.blacknight.ie> <000801c7e81e$953686b0$cc01a8c0@Dual><46D1E2A5.4090500@ecs.soton.ac.uk> <46D1E87A.9060601@ecs.soton.ac.uk> <00c301c7e8d1$6dc1e120$cc01a8c0@Dual> Message-ID: <46D31A08.9080806@ecs.soton.ac.uk> Jim Hermann wrote: > It's possible. Does MailScanner automatically add the > -OQueueDirectory="Outgoing Queue Dir" argument for Sendmail2? It looks like > it does. I was not expecting it. > Of course it does. Otherwise it wouldn't be able to tell sendmail to deliver the message if it wasn't placed in the default queue. You weren't expecting a bug now were you? :-) > I had: > > Sendmail2 = /usr/sbin/sendmail -L sm-MailScanner > -OProcessTitlePrefix=sm-MailScanner -ODeliveryMode=background > -OQueueDirectory=/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.s > canned -C /etc/mail/sm-MailScanner.cf > > So I changed it to: > > Sendmail2 = /usr/sbin/sendmail -L sm-mailscanner > -OProcessTitlePrefix=sm-mailscanner -ODeliveryMode=background -C > /etc/mail/sm-MailScanner.cf > > Jim > > >> -----Original Message----- >> From: Julian Field [mailto:MailScanner@ecs.soton.ac.uk] >> Sent: Sunday, August 26, 2007 03:54 PM >> To: MailScanner discussion >> Subject: Re: Outgoing Queue Dir Ruleset >> >> I have just tested this code, and it works just fine. >> Are you sure it hadn't put the files in the outgoing queue >> directories >> and then delivered them before you had time to look in the >> directories? >> >> Julian Field wrote: >> >>> Start by testing them with MailScanner's command-line options. >>> Do a "MailScanner --help" to start with. >>> Is your "Run As User" set to blank (or root)? >>> The last time I tested this functionality it worked just >>> >> fine, and I >> >>> think other people use it. >>> If you really can't get it to work with test messages, then mail me >>> back and I'll test it here for you. >>> >>> Make sure your editor hasn't line wrapped the .rules file, >>> >> the version >> >>> you posted to the list has been wrapped. >>> >>> Jim Hermann wrote: >>> >>>> I have trying to create a ruleset for Outgoing Queue Dir >>>> >> and it does not >> >>>> appear to work. >>>> >>>> In MailScanner.conf, I changed to: >>>> >>>> Outgoing Queue Dir = /etc/MailScanner/rules/outgoing.rules >>>> >>>> My /etc/MailScanner/rules/outgoing.rules is: >>>> >>>> # Set "Outgoing Queue Dir = >>>> >> /etc/MailScanner/rules/outgoing.rules". >> >>>> To: *@aol.com >>>> /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.aol >>>> To: *@comcast.net >>>> /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.comcast >>>> >>>> FromOrTo: default >>>> /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned >>>> >>>> I created the new directories in >>>> /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/: >>>> >>>> drwxr-xr-x 6 root root 4.0K Aug 26 14:02 . >>>> drwxr-xr-x 4 root root 4.0K Sep 15 2006 .. >>>> drwxr-xr-x 2 root root 64K Aug 26 15:14 mqueue >>>> drwxr-xr-x 2 root root 4.0K Aug 26 14:01 mqueue.aol >>>> drwxr-xr-x 2 root root 4.0K Aug 26 14:01 mqueue.comcast >>>> drwxr-xr-x 2 root root 32K Aug 26 15:12 mqueue.scanned >>>> >>>> I restarted MailScanner and all email stopped moving from the >>>> Incoming Queue >>>> Dir to anywhere. >>>> >>>> What did I do wrong? >>>> >>>> Jim >>>> >>>> >>>> >>> Jules >>> >>> >> Jules >> >> -- >> Julian Field MEng CITP >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> MailScanner customisation, or any advanced system administration help? >> Contact me at Jules@Jules.FM >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> For all your IT requirements visit www.transtec.co.uk >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> For all your IT requirements visit www.transtec.co.uk >> >> >> >> > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From grupolistas at gmail.com Mon Aug 27 20:03:23 2007 From: grupolistas at gmail.com (infolistas listas) Date: Mon Aug 27 20:03:26 2007 Subject: block attachment per user Message-ID: <44c071aa0708271203lfaeb870p8a3d8aa0c1b3dffd@mail.gmail.com> Hi all is it possible to block some users from attaching files in mailscanner? EX: john, bob and joseph are allow to send attachments but paul, patrick and maria are not allowed. Thanks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070827/2806a31a/attachment.html From MailScanner at ecs.soton.ac.uk Mon Aug 27 20:14:14 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 27 20:14:34 2007 Subject: block attachment per user In-Reply-To: <44c071aa0708271203lfaeb870p8a3d8aa0c1b3dffd@mail.gmail.com> References: <44c071aa0708271203lfaeb870p8a3d8aa0c1b3dffd@mail.gmail.com> Message-ID: <46D32286.40203@ecs.soton.ac.uk> Just use a ruleset with the Maximum Attachment Size setting in MailScanner.conf. Put this in MailScanner.conf: Maximum Attachment Size = %rules-dir%/max.attach.size.rules and in /etc/MailScanner/rules/max.attach.size.rules put this: from: john@yourdomain.com -1 from: bob@yourdomain.com -1 from: joseph@yourdomain.com -1 from: paul@yourdomain.com 0 from: patrick@yourdomain.com 0 from: maria@yourdomain.com 0 fromorto: default -1 Note the last line sets the default to -1 which is "no limit" for this setting. Then "service MailScanner reload" or (if that command doesn't work) "/etc/init.d/MailScanner reload". MailScanner rulesets are documented at length in the wiki and in the Book. infolistas listas wrote: > Hi all is it possible to block some users from attaching files in > mailscanner? > EX: john, bob and joseph are allow to send attachments but paul, > patrick and maria are not allowed. > Thanks Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From am.lists at gmail.com Mon Aug 27 21:03:15 2007 From: am.lists at gmail.com (am.lists) Date: Mon Aug 27 21:03:18 2007 Subject: Ignoring first hop (backup-mx) Message-ID: <25a66d840708271303r7de8550eq63080a2e778a283c@mail.gmail.com> I'm on the verge of moving hosting providers. Unfortunately, I'm moving the place where my two primary proxies live (MailScanner 4.58 at the moment, upgrade comes soon, Postfix 2.2.2, and ClamAV). I have an agreement with a buddy of mine to provide me with backup-mx services for the next couple of days while I do the move. But... I don't know what his filtering has to offer (if any), and I don't want to inadvertently take in a bunch of junk because I have to w/l his box. Once the move is finished and I'm up and running on the other side, how do I whitelist his IP to receive all of that mail in for my users without killing SPF rules and also being able to check that "2nd" hop instead of the first hop (which will be his server) against my SA rule-based RBLs? Sorry if this is an obvious one, but it's not one I've had to deal with yet. Angelo From ssilva at sgvwater.com Mon Aug 27 21:47:03 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Aug 27 21:47:34 2007 Subject: Ignoring first hop (backup-mx) In-Reply-To: <25a66d840708271303r7de8550eq63080a2e778a283c@mail.gmail.com> References: <25a66d840708271303r7de8550eq63080a2e778a283c@mail.gmail.com> Message-ID: am.lists spake the following on 8/27/2007 1:03 PM: > I'm on the verge of moving hosting providers. > > Unfortunately, I'm moving the place where my two primary proxies live > (MailScanner 4.58 at the moment, upgrade comes soon, Postfix 2.2.2, > and ClamAV). > > I have an agreement with a buddy of mine to provide me with backup-mx > services for the next couple of days while I do the move. > > But... I don't know what his filtering has to offer (if any), and I > don't want to inadvertently take in a bunch of junk because I have to > w/l his box. > > Once the move is finished and I'm up and running on the other side, > how do I whitelist his IP to receive all of that mail in for my users > without killing SPF rules and also being able to check that "2nd" hop > instead of the first hop (which will be his server) against my SA > rule-based RBLs? > > Sorry if this is an obvious one, but it's not one I've had to deal with yet. > > Angelo You could put his ip in your trusted networks for spamassasssin. That should put the hop before him as the first untrusted network. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From grupolistas at gmail.com Mon Aug 27 21:51:04 2007 From: grupolistas at gmail.com (infolistas listas) Date: Mon Aug 27 21:51:10 2007 Subject: postfix stopped sending mail Message-ID: <44c071aa0708271351v48377f5dg2cd2d28f3763cb98@mail.gmail.com> After instaling mailscanner I cant get postfix to send mail, it stays on the queue forever. I tried stopping mailscanner and still so it didnt work, any ideias? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070827/577feb1c/attachment.html From MailScanner at ecs.soton.ac.uk Mon Aug 27 22:00:24 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Aug 27 22:00:40 2007 Subject: postfix stopped sending mail In-Reply-To: <44c071aa0708271351v48377f5dg2cd2d28f3763cb98@mail.gmail.com> References: <44c071aa0708271351v48377f5dg2cd2d28f3763cb98@mail.gmail.com> Message-ID: <46D33B68.5080206@ecs.soton.ac.uk> Start by double checking that you have done *all* the steps listed at http://www.mailscanner.info/postfix.html What directory is the mail sticking in? hold or incoming? infolistas listas wrote: > After instaling mailscanner I cant get postfix to send mail, it stays > on the queue forever. > I tried stopping mailscanner and still so it didnt work, any ideias? Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From hvdkooij at vanderkooij.org Mon Aug 27 22:34:26 2007 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Aug 27 22:34:44 2007 Subject: [SPAM] Re: postfix stopped sending mail In-Reply-To: <46D33B68.5080206@ecs.soton.ac.uk> References: <44c071aa0708271351v48377f5dg2cd2d28f3763cb98@mail.gmail.com> <46D33B68.5080206@ecs.soton.ac.uk> Message-ID: On Mon, 27 Aug 2007, Julian Field wrote: > Start by double checking that you have done *all* the steps listed at > http://www.mailscanner.info/postfix.html > > What directory is the mail sticking in? hold or incoming? And it will not hurt if you can look into the log and pick the section that seems to indicate trouble or a lack of action if checking the steps did not resolve the issue. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for this quote of George Bernard Shaw.) From ssilva at sgvwater.com Mon Aug 27 23:18:38 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Aug 27 23:19:07 2007 Subject: postfix stopped sending mail In-Reply-To: <44c071aa0708271351v48377f5dg2cd2d28f3763cb98@mail.gmail.com> References: <44c071aa0708271351v48377f5dg2cd2d28f3763cb98@mail.gmail.com> Message-ID: infolistas listas spake the following on 8/27/2007 1:51 PM: > After instaling mailscanner I cant get postfix to send mail, it stays on > the queue forever. > I tried stopping mailscanner and still so it didnt work, any ideias? > Did you install MailScanner properly? Follow this howto; http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:installation -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From am.lists at gmail.com Mon Aug 27 23:39:41 2007 From: am.lists at gmail.com (am.lists) Date: Mon Aug 27 23:39:46 2007 Subject: Ignoring first hop (backup-mx) In-Reply-To: References: <25a66d840708271303r7de8550eq63080a2e778a283c@mail.gmail.com> Message-ID: <25a66d840708271539p79d64461od51f86c5fef75aea@mail.gmail.com> On 8/27/07, Scott Silva wrote: > am.lists spake the following on 8/27/2007 1:03 PM: > > I'm on the verge of moving hosting providers. > > > > Unfortunately, I'm moving the place where my two primary proxies live > > (MailScanner 4.58 at the moment, upgrade comes soon, Postfix 2.2.2, > > and ClamAV). > > > > I have an agreement with a buddy of mine to provide me with backup-mx > > services for the next couple of days while I do the move. > > > > But... I don't know what his filtering has to offer (if any), and I > > don't want to inadvertently take in a bunch of junk because I have to > > w/l his box. > > > > Once the move is finished and I'm up and running on the other side, > > how do I whitelist his IP to receive all of that mail in for my users > > without killing SPF rules and also being able to check that "2nd" hop > > instead of the first hop (which will be his server) against my SA > > rule-based RBLs? > > > > Sorry if this is an obvious one, but it's not one I've had to deal with yet. > > > > Angelo > You could put his ip in your trusted networks for spamassasssin. That should > put the hop before him as the first untrusted network. > Ding ding ding! That's it! I knew it was in there, I just couldn't remember what it was. Thanks Scott. Angelo From drolland at kdinet.com Tue Aug 28 01:58:04 2007 From: drolland at kdinet.com (Diane Rolland) Date: Tue Aug 28 01:58:11 2007 Subject: SARE rules question Message-ID: <000001c7e90e$7e87c730$9700a8c0@kdinet.local> I have tried to install/configure SARE Rules and RulesDeJour from http://www.rulesemporium.com/rules.htm and when I run the below command I get the following failures. /usr/bin/spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf --lint Failed to parse line in SpamAssassin configuration, skipping: lock_method flock Failed to parse line in SpamAssassin configuration, skipping: use_auto_whitelist 0 Failed to parse line in SpamAssassin configuration, skipping: envelope_sender_header X-MailScanner-From By commenting them out of the spam.assassin.prefs.conf file for the above items I get the --lint to run without error, but I'm not sure what that means to my configuration. I have SA 2.55, MailScanner-4.50.15-1 (I know, out of date) Is there any hope for me using the SARE Rules from http://www.rulesemporium.com/rules.htm? Thanks in Advance, Diane -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070827/5cb531d1/attachment.html From am.lists at gmail.com Tue Aug 28 03:30:37 2007 From: am.lists at gmail.com (am.lists) Date: Tue Aug 28 03:30:43 2007 Subject: Simple show of hands... regarding bonded sender, dkim, habeas, etc. Message-ID: <25a66d840708271930h5785beccu7cb7fbab9f62ff17@mail.gmail.com> I think this, although related to mail scanning practices more so than the software, may be a smidge OT, but it's absolutely the correct forum for the question... Does anyone else give "credit" either by way of SA negative scoring, whitelist status, or any other reward (pick a style) for senders coming in as a "bonded sender" or "habeas accredited" or any other pay-to-play sending service? I currently do not, but I was interviewing someone and their answer was "well if they go to the trouble to set that up, then I leave that up to the people at bonded sender, etc. to filter out the applicants for me." Personally, I don't care what accreditation a sender has or spoofs, if it has spammy intention (URI, phraseology, etc.) I'm gonna filter it. Does the community agree? I'd love some other viewpoints on this. Thanks all, Angelo From p.katzmann at thiesen.com Tue Aug 28 07:20:55 2007 From: p.katzmann at thiesen.com (Peter Katzmann) Date: Tue Aug 28 07:21:17 2007 Subject: SARE rules question In-Reply-To: <000001c7e90e$7e87c730$9700a8c0@kdinet.local> References: <000001c7e90e$7e87c730$9700a8c0@kdinet.local> Message-ID: <46D3BEC7.7030209@thiesen.com> Hello Diana, these errors are problems in the spamassasin config anyway. peter Diane Rolland wrote: > I have tried to install/configure SARE Rules and RulesDeJour from > http://www.rulesemporium.com/rules.htm and when I run the below command I > get the following failures. > > /usr/bin/spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf --lint > > Failed to parse line in SpamAssassin configuration, skipping: lock_method > flock > Failed to parse line in SpamAssassin configuration, skipping: > use_auto_whitelist 0 > Failed to parse line in SpamAssassin configuration, skipping: > envelope_sender_header X-MailScanner-From > > By commenting them out of the spam.assassin.prefs.conf file for the above > items I get the --lint to run without error, but I'm not sure what that > means to my configuration. > > I have SA 2.55, MailScanner-4.50.15-1 (I know, out of date) > > Is there any hope for me using the SARE Rules from > http://www.rulesemporium.com/rules.htm? > > Thanks in Advance, > Diane > > > > _______________________________________________________ Registergericht / Court of jurisdiction: Amtsgericht Gie?en HRB 5708 Gesch?ftsf?hrer / Managing Director: Edith Thiesen, J?rgen Thiesen USt.-Id: DE 175 623 789 Ust.-Nr: 018 246 00743 FA Fulda Hauptsitz / Headquarters: Thiesen GmbH / Im Tiegel 9 / 36367 Wartenberg / Germany From mailadmin at baladia.gov.kw Tue Aug 28 07:22:23 2007 From: mailadmin at baladia.gov.kw (mailadmin@baladia.gov.kw) Date: Tue Aug 28 07:24:17 2007 Subject: how to install updated SA+clamAV In-Reply-To: <46D2ECF4.5070305@ecs.soton.ac.uk> References: <2407.62.150.152.226.1188226935.squirrel@webmail.baladia.gov.kw> <46D2ECF4.5070305@ecs.soton.ac.uk> Message-ID: <3504.62.150.152.42.1188282143.squirrel@webmail.baladia.gov.kw> > > > mailadmin@baladia.gov.kw wrote: >> Dear All, >> >> I have a recently installed the following on Centos 5 as per the >> install >> docs >> >> CentOS5 >> MailScanner-4.62.9-3 >> Clam-0.91.1-SA-3.2.3 >> >> n its been workin perfectly fine >> >> the clamAV 0.91.1 is already outdated and since some bugs were reported >> in >> the ClamAV 0.91.2 i jus waited. >> >> now i see on mailscanner site the updated Clam-0.91.2-SA-3.2.3 jules >> script >> >> 1) now since its on mailscanner site obviously its perfectly OK to >> upgrade >> ClamAV to 0.91.2 >> > I would personally not install 0.91.2. >> 2) how cd i update my clamav to 0.91.2 >> as when i installed it before i installed clamav, clamdb & clamd from >> dagwiers rpm site as i wanted clamd support for mailscanner and only >> installed SA running the install.sh script from Clam-0.91.1-SA-3.2.3 >> easy >> installtion package >> > Don't install 0.91.2, wait for 0.91.3. > 0.91.1 will work perfectly well for you. > >> Thanks Julian really apprecite your quick reply regards Benedict >> apprecite your help >> >> >> regards >> >> simon >> >> >> >> >> >> >> > > Jules > > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From list-mailscanner at linguaphone.com Tue Aug 28 08:29:57 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Aug 28 08:30:02 2007 Subject: Simple show of hands... regarding bonded sender, dkim, habeas, etc. In-Reply-To: <25a66d840708271930h5785beccu7cb7fbab9f62ff17@mail.gmail.com> Message-ID: If they get a negative score in the default spamassassin configuration then I leave it in. I have only ever had one spam come through one of these programs (IADB) and I forwarded the mail to their helpdesk and they agreed it was spam and said they would take it up with the sender. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of am.lists > Sent: 28 August 2007 03:31 > To: MailScanner discussion > Subject: Simple show of hands... regarding bonded sender, dkim, habeas, > etc. > > > I think this, although related to mail scanning practices more so than > the software, may be a smidge OT, but it's absolutely the correct > forum for the question... > > Does anyone else give "credit" either by way of SA negative scoring, > whitelist status, or any other reward (pick a style) for senders > coming in as a "bonded sender" or "habeas accredited" or any other > pay-to-play sending service? > > I currently do not, but I was interviewing someone and their answer > was "well if they go to the trouble to set that up, then I leave that > up to the people at bonded sender, etc. to filter out the applicants > for me." > > Personally, I don't care what accreditation a sender has or spoofs, if > it has spammy intention (URI, phraseology, etc.) I'm gonna filter it. > > Does the community agree? > > I'd love some other viewpoints on this. > > Thanks all, > > Angelo > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > From viralert at fadalto.com Tue Aug 28 08:47:12 2007 From: viralert at fadalto.com (Phil) Date: Tue Aug 28 08:47:29 2007 Subject: MCP problem In-Reply-To: <20070824085224.M12471@yatta-it.com> References: <20070824085224.M12471@yatta-it.com> Message-ID: <20070828074412.M42671@yatta-it.com> Hi all, I hope you could give me magic hints.. I've a trouble that reduce me to tears :) First of all, on a Fedora Core 6 machine, I'm using MailScanner-4.62.9-3. I have enabled MCP check as for previous version, but I'm not receiving the mcp mail that has been catched. My configuration file is: Non MCP Actions = deliver MCP Actions = store attachment forward spammy@yatta-it.com High Scoring MCP Actions = store forward spammy@yatta-it.com Bounce MCP As Attachment = no My mail log file says: Aug 24 10:41:50 tommy sendmail[13040]: l7O8fmQ3013040: from=, size=871, class=0, nrcpts=1, msgid=<200708240841.l7O8fW1r032052@dario.yatta-it.com>, proto=ESMTP, daemon=MTA, relay=217-133-242-204.b2b.tiscali.it [217.133.242.204] Aug 24 10:41:53 tommy MailScanner[12961]: New Batch: Scanning 1 messages, 1457 bytes Aug 24 10:41:53 tommy MailScanner[12961]: MCP Checks: Starting Aug 24 10:41:54 tommy MailScanner[12961]: Message l7O8fmQ3013040 from 217.133.242.204 (root@dario.yatta-it.com) to fdini.com is MCP, MCP-Checker (score=4, required 1, RULE1 4.00) Aug 24 10:41:54 tommy MailScanner[12961]: MCP Checks: Found 1 MCP messages Aug 24 10:41:54 tommy MailScanner[12961]: MCP Actions: message l7O8fmQ3013040 actions are spammy@yatta-it.com,store,forward Aug 24 10:41:54 tommy MailScanner[12961]: MCP Checks completed at 2544 bytes per second Aug 24 10:41:54 tommy MailScanner[12961]: Spam Checks: Starting Aug 24 10:42:11 tommy MailScanner[12961]: Spam Checks completed at 87 bytes per second Aug 24 10:42:11 tommy MailScanner[12961]: Virus and Content Scanning: Starting Aug 24 10:42:11 tommy MailScanner[12961]: Virus Scanning completed at 3874 bytes per second Aug 24 10:42:11 tommy MailScanner[12961]: Virus Processing completed at 1457 bytes per second Aug 24 10:42:11 tommy MailScanner[12961]: Disinfection completed at 1457 bytes per second Aug 24 10:42:11 tommy MailScanner[12961]: Batch completed at 82 bytes per second (1457 / 17) Aug 24 10:42:11 tommy MailScanner[12961]: Batch (1 message) processed in 17.64 seconds Aug 24 10:42:11 tommy MailScanner[12961]: Logging message l7O8fmQ3013040 to SQL Aug 24 10:42:11 tommy MailScanner[12961]: "Always Looked Up Last" took 0.00 seconds Aug 24 10:42:11 tommy MailScanner[12967]: l7O8fmQ3013040: Logged to MailWatch SQL For spam the behaviour of the new version of MailScanner is equal to the old one: Aug 24 10:45:03 tommy sendmail[13416]: l7O8j2So013416: from=, size=766, class=0, nrcpts=1, msgid=<000e01c7e62b$0d4dc050$5a615558@ws05>, proto=ESMTP, daemon=MTA, relay=[88.85.97.90] Aug 24 10:45:04 tommy MailScanner[13332]: New Batch: Scanning 1 messages, 1206 bytes Aug 24 10:45:04 tommy MailScanner[13332]: MCP Checks: Starting Aug 24 10:45:05 tommy MailScanner[13332]: MCP Checks completed at 5063 bytes per second Aug 24 10:45:05 tommy MailScanner[13332]: Spam Checks: Starting Aug 24 10:45:15 tommy MailScanner[13332]: RBL checks: l7O8j2So013416 found in SBL+XBL Aug 24 10:45:24 tommy MailScanner[13332]: Message l7O8j2So013416 from 88.85.97.90 (grissomofncv@timweld.com) to omissis.com is spam, SBL+XBL, SpamAssassin (not cached, score=12.044, required 4, BAYES_60 1.00, DK_POLICY_SIGNSOME 0.00, JM_TORA_XM 2.41, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RCVD_IN_XBL 3.03, RDNS_NONE 0.10, URIBL_BLACK 3.00) Aug 24 10:45:24 tommy MailScanner[13332]: Spam Checks: Found 1 spam messages Aug 24 10:45:24 tommy MailScanner[13332]: Spam Actions: message l7O8j2So013416 actions are attachment,spammy@yatta-it.com,store,forward Aug 24 10:45:24 tommy MailScanner[13332]: Spam Checks completed at 63 bytes per second Aug 24 10:45:24 tommy MailScanner[13332]: Virus and Content Scanning: Starting Aug 24 10:45:24 tommy MailScanner[13332]: Virus Scanning completed at 3189 bytes per second Aug 24 10:45:24 tommy MailScanner[13332]: Uninfected: Delivered 1 messages Aug 24 10:45:24 tommy MailScanner[13332]: Virus Processing completed at 1206 bytes per second Aug 24 10:45:24 tommy MailScanner[13332]: Batch completed at 62 bytes per second (1206 / 19) Aug 24 10:45:24 tommy MailScanner[13332]: Batch (1 message) processed in 19.44 seconds Aug 24 10:45:24 tommy MailScanner[13332]: Logging message l7O8j2So013416 to SQL Aug 24 10:45:24 tommy MailScanner[13332]: "Always Looked Up Last" took 0.00 seconds Aug 24 10:45:24 tommy MailScanner[13337]: l7O8j2So013416: Logged to MailWatch SQL Aug 24 10:45:24 tommy sendmail[13432]: l7O8j2So013416: to=, delay=00:00:21, xdelay=00:00:00, mailer=local, pri=120766, dsn=2.0.0, stat=Sent As you can see the first log misses the line Aug 24 10:45:24 tommy sendmail[13432]: l7O8j2So013416: to=, delay=00:00:21, xdelay=00:00:00, mailer=local, pri=120766, dsn=2.0.0, stat=Sent I cannot find the message in the queue folder... it disappears :( Any hint? Thanks to all! Phil From pmb1 at york.ac.uk Tue Aug 28 10:33:57 2007 From: pmb1 at york.ac.uk (Mike Brudenell) Date: Tue Aug 28 10:34:12 2007 Subject: Latest Sophos: possible problem with missing symbol in library Message-ID: <015A2A9D-C1F5-4F84-AFF4-E2C02D58A4A8@york.ac.uk> Greetings - A colleague just sent me a security advisory about Sophos Anti-Virus and how until the very latest release a few days ago it had an issue that could allow a remote DoS attack on your server: http://www.sophos.com/support/knowledgebase/article/28407.html So I decided to use MajorSophos to upgrade our Sophos installation for MailScanner on our Solaris 10 boxes a bit earlier than usual. This seemed to go OK and left us with: Current Sophos version information follows: Product version : 4.21.0 Released : 03 September 2007 However MailScanner is refusing to start its children up. Running in debug mode shows these errors: In Debugging mode, not forking... Can't load '/opt/york/lib/perl5/site_perl/5.8.0/sun4-solaris/auto/ SAVI/SAVI.so' for module SAVI: ld.so.1: /opt/york/bin/perl: fatal: relocation error: file /opt/york/lib/perl5/site_perl/5.8.0/sun4- solaris/auto/SAVI/SAVI.so: symbol SOPHOS_CLSID_SAVI2: referenced symbol not found at /opt/york/lib/perl5/5.8.0/sun4-solaris/ DynaLoader.pm line 229. at /opt/york/MailScanner/lib/MailScanner/SweepViruses.pm line 431 Compilation failed in require at /opt/york/MailScanner/lib/ MailScanner/SweepViruses.pm line 431. I tried upgrading the SAVI.pm Perl module but that wouldn't install either, failing its test suite for the same problem. Googling has revealed that the SOPHOS_CLSID_SAVI2 symbol has gone AWOL from the Sophos libraries before, back in 2002-ish: http://www.vanja.com/listarc/vtools/2002-November/000909.html One of the articles in the above conversation suggested using nm to check the libsavi.so file for the symbol. On a server still running the un-upgraded Sophos I see: % nm -D libsavi.so | fgrep -i CLSID [37] | 2256560| 16|OBJT |GLOB |0 |14 | SOPHOS_CLSID_SAVI2 % but on the system with the upgraded Sophos I instead get: % nm -D /opt/york/Sophos/lib/libsavi.so | fgrep CLSID % So it looks like it may indeed be missing: a problem that may cause the very latest Sophos not to work with the SAVI.pm module. Is anyone else seeing this? (And if you haven't upgraded Sophos yet, be careful if you try it!) Cheers, Mike B-} -- The Computing Service, University of York, Heslington, York Yo10 5DD, UK Tel:+44-1904-433811 FAX:+44-1904-433740 * Unsolicited commercial e-mail is NOT welcome at this e-mail address. * From adrik at salesmanager.nl Tue Aug 28 11:51:23 2007 From: adrik at salesmanager.nl (Adri Koppes) Date: Tue Aug 28 11:51:25 2007 Subject: Mailscanner Clamd scanner module does not detect virus with / Message-ID: I recently switched from ClamAVModule to using Clamd with MailScanner 4.61.7. I also use the extra clamav database MSRBL-Images and MSRBL-SPAM from www.msrbl.com. Some definitions in MSRBL-Images contain virus names with '/' characters. When clamd detects such an images it gives a message like: /usr/local/etc/MailScanner/incoming/69469/l7S87Zuk071123/1.gif: MSRBL-Images/0-0 -wgrZ FOUND However MailScanner does NOT detect the message as being infected. Using the ClamAVModule scanner, the message is correctly identified as being infected. Probably this is due to some special path handling in SweepViruses.pm for the ClamD module. Best regards, A. Koppes SalesManager Software B.V. From MailScanner at ecs.soton.ac.uk Tue Aug 28 12:17:54 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 28 12:18:18 2007 Subject: Mailscanner Clamd scanner module does not detect virus with / In-Reply-To: References: Message-ID: <46D40462.8040008@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Can you send me a sample message so that I can have something to work with please? I obviously need to fix this, preferably before the next stable release later this week. Adri Koppes wrote: > I recently switched from ClamAVModule to using Clamd with MailScanner > 4.61.7. > I also use the extra clamav database MSRBL-Images and MSRBL-SPAM from > www.msrbl.com. > Some definitions in MSRBL-Images contain virus names with '/' > characters. > When clamd detects such an images it gives a message like: > > /usr/local/etc/MailScanner/incoming/69469/l7S87Zuk071123/1.gif: > MSRBL-Images/0-0 > -wgrZ FOUND > > However MailScanner does NOT detect the message as being infected. > Using the ClamAVModule scanner, the message is correctly identified as > being infected. > Probably this is due to some special path handling in SweepViruses.pm > for the ClamD module. > > Best regards, > > A. Koppes > SalesManager Software B.V. > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFG1ARiEfZZRxQVtlQRAm1SAKCc1w7LLzI2M9lJ44BbpwcYnSfVIACgkdaO Q/T//7IlxLFae7UiV9t9ZCw= =Y1cF -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From paul.hutchings at mira.co.uk Tue Aug 28 13:02:43 2007 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Tue Aug 28 13:02:50 2007 Subject: MailScanner via Yum (CentOS) Message-ID: I'm playing with CentOS 5 as a new distribution. It seems I can get most things via the CentOS distribution or by adding rpmforge to the yum repository list. Does anyone know if it is possible to get mailscanner in this manner rather than having to download and build from the RPMs on the site? TIA, Paul Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378 Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -- MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. From MailScanner at ecs.soton.ac.uk Tue Aug 28 13:35:01 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 28 13:35:18 2007 Subject: MailScanner via Yum (CentOS) In-Reply-To: References: Message-ID: <46D41675.3000302@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I don't believe you can, no. Sorry. It only takes a few minutes to install with my installation script. Paul Hutchings wrote: > I'm playing with CentOS 5 as a new distribution. > > It seems I can get most things via the CentOS distribution or by adding > rpmforge to the yum repository list. > > Does anyone know if it is possible to get mailscanner in this manner > rather than having to download and build from the RPMs on the site? > > TIA, > Paul > > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378 > Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFG1BZ1EfZZRxQVtlQRAoahAJ0Z9qtpC9JrK0ywRm5sEt3q8/GLLQCdFXk9 P8NuVjnpGFmgvKO0sqpDryU= =UUvb -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From wizard at jimhermann.com Tue Aug 28 13:59:57 2007 From: wizard at jimhermann.com (Jim Hermann) Date: Tue Aug 28 13:59:53 2007 Subject: Outgoing Queue Dir Ruleset In-Reply-To: <46D31A08.9080806@ecs.soton.ac.uk> References: <200708261100.l7QB02E8013272@safir.blacknight.ie> <000801c7e81e$953686b0$cc01a8c0@Dual><46D1E2A5.4090500@ecs.soton.ac.uk> <46D1E87A.9060601@ecs.soton.ac.uk><00c301c7e8d1$6dc1e120$cc01a8c0@Dual> <46D31A08.9080806@ecs.soton.ac.uk> Message-ID: <009401c7e973$564e4770$cc01a8c0@Dual> > Jim Hermann wrote: > > It's possible. Does MailScanner automatically add the > > -OQueueDirectory="Outgoing Queue Dir" argument for > Sendmail2? It looks like > > it does. I was not expecting it. > > > Of course it does. Otherwise it wouldn't be able to tell sendmail to > deliver the message if it wasn't placed in the default queue. You > weren't expecting a bug now were you? :-) > > Jules No. I was hoping to use a Ruleset for the Outgoing Queue Dir and use separate instances of sendmail to handle each outgoing queue directory. Is there a way to have MS tell sendmail to use different configuration files for each outgoing queue directory? I want to use these statements: /usr/sbin/sendmail -L sm-mailscanner -OProcessTitlePrefix=sm-mailscanner --DeliveryMode=background -OQueueDirectory=/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.s canned -C /etc/mail/sm-MailScanner.cf /usr/sbin/sendmail -L sm-aolscanner -OProcessTitlePrefix=sm-aolcanner --DeliveryMode=background -OQueueDirectory=/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.a ol -C /etc/mail/sm-aolscanner.cf /usr/sbin/sendmail -L sm-comcastcanner -OProcessTitlePrefix=sm-comcastcanner --DeliveryMode=background -OQueueDirectory=/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.c omcast -C /etc/mail/sm-comcastscanner.cf Jim From MailScanner at ecs.soton.ac.uk Tue Aug 28 14:20:25 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 28 14:21:07 2007 Subject: Outgoing Queue Dir Ruleset In-Reply-To: <009401c7e973$564e4770$cc01a8c0@Dual> References: <200708261100.l7QB02E8013272@safir.blacknight.ie> <000801c7e81e$953686b0$cc01a8c0@Dual><46D1E2A5.4090500@ecs.soton.ac.uk> <46D1E87A.9060601@ecs.soton.ac.uk><00c301c7e8d1$6dc1e120$cc01a8c0@Dual> <46D31A08.9080806@ecs.soton.ac.uk> <009401c7e973$564e4770$cc01a8c0@Dual> Message-ID: <46D42119.1010209@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jim Hermann wrote: >> Jim Hermann wrote: >> >>> It's possible. Does MailScanner automatically add the >>> -OQueueDirectory="Outgoing Queue Dir" argument for >>> >> Sendmail2? It looks like >> >>> it does. I was not expecting it. >>> >>> >> Of course it does. Otherwise it wouldn't be able to tell sendmail to >> deliver the message if it wasn't placed in the default queue. You >> weren't expecting a bug now were you? :-) >> >> Jules >> > > No. I was hoping to use a Ruleset for the Outgoing Queue Dir and use > separate instances of sendmail to handle each outgoing queue directory. Is > there a way to have MS tell sendmail to use different configuration files > for each outgoing queue directory? > Only by hacking the code, sorry. It's not built-in functionality, sorry. > I want to use these statements: > > /usr/sbin/sendmail -L sm-mailscanner -OProcessTitlePrefix=sm-mailscanner > --DeliveryMode=background > -OQueueDirectory=/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.s > canned -C /etc/mail/sm-MailScanner.cf > > /usr/sbin/sendmail -L sm-aolscanner -OProcessTitlePrefix=sm-aolcanner > --DeliveryMode=background > -OQueueDirectory=/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.a > ol -C /etc/mail/sm-aolscanner.cf > > /usr/sbin/sendmail -L sm-comcastcanner -OProcessTitlePrefix=sm-comcastcanner > --DeliveryMode=background > -OQueueDirectory=/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.c > omcast -C /etc/mail/sm-comcastscanner.cf > > Jim > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFG1CEaEfZZRxQVtlQRAvvgAJ0eTBycVuZOPCFKvQ4tsWrs+XN7RwCePmOa hF5bS7CQ/4uD7E2YfpS19lk= =PtYA -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Tue Aug 28 14:26:38 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 28 14:27:16 2007 Subject: Outgoing Queue Dir Ruleset In-Reply-To: <46D42119.1010209@ecs.soton.ac.uk> References: <200708261100.l7QB02E8013272@safir.blacknight.ie> <000801c7e81e$953686b0$cc01a8c0@Dual><46D1E2A5.4090500@ecs.soton.ac.uk> <46D1E87A.9060601@ecs.soton.ac.uk><00c301c7e8d1$6dc1e120$cc01a8c0@Dual> <46D31A08.9080806@ecs.soton.ac.uk> <009401c7e973$564e4770$cc01a8c0@Dual> <46D42119.1010209@ecs.soton.ac.uk> Message-ID: <46D4228E.1010802@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 2nd thoughts: can you put a ruleset on sendmail2? The conf file will tell you if you can or not, I can't remember. Julian Field wrote: > * PGP Signed: 08/28/07 at 14:20:26 > > > > Jim Hermann wrote: >>> Jim Hermann wrote: >>> >>>> It's possible. Does MailScanner automatically add the >>>> -OQueueDirectory="Outgoing Queue Dir" argument for >>> Sendmail2? It looks like >>> >>>> it does. I was not expecting it. >>>> >>> Of course it does. Otherwise it wouldn't be able to tell sendmail to >>> deliver the message if it wasn't placed in the default queue. You >>> weren't expecting a bug now were you? :-) >>> >>> Jules >>> >> >> No. I was hoping to use a Ruleset for the Outgoing Queue Dir and use >> separate instances of sendmail to handle each outgoing queue >> directory. Is >> there a way to have MS tell sendmail to use different configuration >> files >> for each outgoing queue directory? >> > Only by hacking the code, sorry. It's not built-in functionality, sorry. >> I want to use these statements: >> >> /usr/sbin/sendmail -L sm-mailscanner -OProcessTitlePrefix=sm-mailscanner >> --DeliveryMode=background >> -OQueueDirectory=/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.s >> >> canned -C /etc/mail/sm-MailScanner.cf >> >> /usr/sbin/sendmail -L sm-aolscanner -OProcessTitlePrefix=sm-aolcanner >> --DeliveryMode=background >> -OQueueDirectory=/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.a >> >> ol -C /etc/mail/sm-aolscanner.cf >> >> /usr/sbin/sendmail -L sm-comcastcanner >> -OProcessTitlePrefix=sm-comcastcanner >> --DeliveryMode=background >> -OQueueDirectory=/home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.c >> >> omcast -C /etc/mail/sm-comcastscanner.cf >> >> Jim >> >> > > Jules > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFG1CKPEfZZRxQVtlQRArJPAKDq7aT/TBUvKefOtyLb4aOLM52W0gCfZFtp 3dMfY8tr25EN8jhrgbtbNfA= =FPKH -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From P.G.M.Peters at utwente.nl Tue Aug 28 16:01:48 2007 From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Tue Aug 28 16:01:55 2007 Subject: MailScanner is far easier to get running on a mail server than Anomy Sanitizer Message-ID: <46D438DC.7050702@utwente.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "If Linux is hardly affected by viruses, why do system administrators use anti-virus software on their Linux email servers? Because an anti-virus scanner on a mail server can serve as another level of defense for Microsoft Windows desktop users." Read more on http://www.linux.com/feature/118618 - -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFG1DjbelLo80lrIdIRAr4SAKCjF9tFskApg9ox30RlTTkkifUMqwCeIc+o JLNH8H17qHvpR4wQxlOyrBw= =Q9t4 -----END PGP SIGNATURE----- From lundin at fini.net Tue Aug 28 16:09:32 2007 From: lundin at fini.net (John Lundin) Date: Tue Aug 28 16:10:01 2007 Subject: MailScanner via Yum (CentOS) In-Reply-To: References: Message-ID: <20070828150932.GD21971@fini.net> On Tue, Aug 28, 2007 at 01:02:43PM +0100, Paul Hutchings wrote: > It seems I can get most things via the CentOS distribution or by adding > rpmforge to the yum repository list. > > Does anyone know if it is possible to get mailscanner in this manner > rather than having to download and build from the RPMs on the site? Mostly. I do run MS on a Centos box without installed compile tools. You need to create a MailScanner-perl-MIME-Base64 rpm on another similar system first, copy it over and install it. Install the rpmforge perl packages corresponding to the perl-* srpms in the distribution (the ones that aren't available are in core perl.) I used the tnef from rpmforge. Then install the unpacked mailscanner rpm and configure. Worked for me. In theory (untried) you should just be able to install the MailScanner-perl-MIME-Base64 rpm and then: yum localinstall mailscanner-x.yy.z-k.noarch.rpm Of course, either of these may void your warranty. ;-) To be safe, keep your puppies and kittens away from the installed system. -- lundin@fini.net "I looked at GNU diffutils, and I had to rinse out my eyes with soap and water." -- Linus Torvalds 20050923git From MailScanner at ecs.soton.ac.uk Tue Aug 28 16:22:31 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 28 16:22:51 2007 Subject: MailScanner is far easier to get running on a mail server than Anomy Sanitizer In-Reply-To: <46D438DC.7050702@utwente.nl> References: <46D438DC.7050702@utwente.nl> Message-ID: <46D43DB7.1060705@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thanks for that. My Google "MailScanner" news-watcher told me about it this morning. I added a comment to it about MailWatch as a GUI for MailScanner. Nice review otherwise. Peter Peters wrote: > * PGP Signed by an unverified key: 08/28/07 at 16:01:47 > > "If Linux is hardly affected by viruses, why do system administrators > use anti-virus software on their Linux email servers? Because an > anti-virus scanner on a mail server can serve as another level of > defense for Microsoft Windows desktop users." > > Read more on http://www.linux.com/feature/118618 > > -- > Peter Peters, senior beheerder (Security) > Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) > Universiteit Twente, Postbus 217, 7500 AE Enschede > telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe > > * Peter Peters > * 0x496B21D2 - Unverified(L) > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFG1D24EfZZRxQVtlQRAoo6AKDUxPz4N7jrcEgMFAUfrjAdfN5UzwCgw2G6 V/utTh9VDtQJPn3CXnB6EqQ= =AdGw -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From grupolistas at gmail.com Tue Aug 28 17:55:26 2007 From: grupolistas at gmail.com (infolistas listas) Date: Tue Aug 28 17:55:31 2007 Subject: postfix stopped sending mail In-Reply-To: References: <44c071aa0708271351v48377f5dg2cd2d28f3763cb98@mail.gmail.com> Message-ID: <44c071aa0708280955s333789a4g56629649c07a315@mail.gmail.com> Thanks guys I solved the problem this night, as commented by hugo the problem was with the "hold and incoming" permissions were set unproperly. Thanks again, 2007/8/27, Scott Silva : > > infolistas listas spake the following on 8/27/2007 1:51 PM: > > After instaling mailscanner I cant get postfix to send mail, it stays on > > the queue forever. > > I tried stopping mailscanner and still so it didnt work, any ideias? > > > Did you install MailScanner properly? > > Follow this howto; > > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:installation > > > -- > > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070828/08754387/attachment.html From ssilva at sgvwater.com Tue Aug 28 18:09:33 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Aug 28 18:09:52 2007 Subject: Ping Message-ID: Quiet list? Or comm problems? I will soon see.... -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From MailScanner at ecs.soton.ac.uk Tue Aug 28 18:18:20 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 28 18:18:36 2007 Subject: Ping In-Reply-To: References: Message-ID: <46D458DC.8070805@ecs.soton.ac.uk> There's been a dozen or two postings today. Scott Silva wrote: > Quiet list? Or comm problems? > > I will soon see.... Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From waytotheweb at googlemail.com Tue Aug 28 17:12:04 2007 From: waytotheweb at googlemail.com (Sarah Trayser) Date: Tue Aug 28 18:18:45 2007 Subject: DCC not scoring from within MailScanner Message-ID: Hi all, We're using the DCC plugin on all our servers and it used to work, but in the last few weeks it does not seem to be hitting at all. However, when I manually run an email through SpamAssassin (spamassassin -tD < mail.txt), it DOES get a DCC score. For example, I have just tested a spam message that just came into one of the servers, did not get a DCC score through MailScanner/SpamAssassin, but when I did a manual spamassassin test on the same mail just a couple of minutes later it does get a hit on DCC_CHECK. No problems in MailScanner or SpamAssasin lint tests. Running MailScanner v4.62.9, perl 5.8.8, SpamAssassin 3.2.3, DCC 1.3.59, on CentOS 4.5. Any ideas? -- Regards, Sarah Trayser Way to the Web Ltd Server Management Services: http://www.configserver.com Web Hosting: http://www.waytotheweb.com From mkettler at evi-inc.com Tue Aug 28 18:26:26 2007 From: mkettler at evi-inc.com (Matt Kettler) Date: Tue Aug 28 18:29:11 2007 Subject: SARE rules question In-Reply-To: <000001c7e90e$7e87c730$9700a8c0@kdinet.local> References: <000001c7e90e$7e87c730$9700a8c0@kdinet.local> Message-ID: <46D45AC2.60501@evi-inc.com> Diane Rolland wrote: > I have tried to install/configure SARE Rules and RulesDeJour from > http://www.rulesemporium.com/rules.htm and when I run the below command > I get the following failures. > > /usr/bin/spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf --lint > > Failed to parse line in SpamAssassin configuration, skipping: > lock_method flock > Failed to parse line in SpamAssassin configuration, skipping: > use_auto_whitelist 0 > Failed to parse line in SpamAssassin configuration, skipping: > envelope_sender_header X-MailScanner-From > > By commenting them out of the spam.assassin.prefs.conf file for the > above items I get the --lint to run without error, but I'm not sure what > that means to my configuration. > > I have SA 2.55, MailScanner-4.50.15-1 (I know, out of date) not just out of date.. ancient. SA 2.55 is from may of 2003. 2.55 is also subject to a remotely exploitable DoS attack by sending it a malformed email. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0796 Before messing with SARE and RDJ, I'd seriously look at upgrading. In any event your version is way too old to support those options. The flock is really just a performance tweak, you won't miss it. This allows SA to use a faster lock method for your bayes database, at the expense of not being NFS compatible. The envelope_sender_header, well, there's no equivalent functionality in your version, but this allows SA to look at nonstandard headers when trying to detect the envelope sender. This really would only affect your whitelist_from* and blacklist_from* efforts. use_auto_whitelist allows you to disable the AWL, but in your version, it defaults to off anyway unless you pass a command-line parameter. (in 2.60 they changed it to default-on and added a config option. In 3.1.0 it became a plugin, so nowdays you can just disable it by not loading it.) From paul.hutchings at mira.co.uk Tue Aug 28 18:30:35 2007 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Tue Aug 28 18:30:42 2007 Subject: MailScanner via Yum (CentOS) References: <46D41675.3000302@ecs.soton.ac.uk> Message-ID: Hi Julian, Thanks for the reply. That's how I've been installing it on Suse, just thought I'd ask in case there was a neater/simpler way on CentOS/RHEL. Is there a list somewhere of what the MailScanner script checks for before (if needed) installing itself? It would be nice (I presume, certainly not an expert on this!) to have as much as possible pre-installed? Cheers, Paul Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378 Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: 28 August 2007 13:35 To: MailScanner discussion Subject: Re: MailScanner via Yum (CentOS) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I don't believe you can, no. Sorry. It only takes a few minutes to install with my installation script. Paul Hutchings wrote: > I'm playing with CentOS 5 as a new distribution. > > It seems I can get most things via the CentOS distribution or by adding > rpmforge to the yum repository list. > > Does anyone know if it is possible to get mailscanner in this manner > rather than having to download and build from the RPMs on the site? > > TIA, > Paul > > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378 > Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFG1BZ1EfZZRxQVtlQRAoahAJ0Z9qtpC9JrK0ywRm5sEt3q8/GLLQCdFXk9 P8NuVjnpGFmgvKO0sqpDryU= =UUvb -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. From grupolistas at gmail.com Tue Aug 28 18:40:07 2007 From: grupolistas at gmail.com (infolistas listas) Date: Tue Aug 28 18:40:10 2007 Subject: block attachment per user In-Reply-To: <46D32286.40203@ecs.soton.ac.uk> References: <44c071aa0708271203lfaeb870p8a3d8aa0c1b3dffd@mail.gmail.com> <46D32286.40203@ecs.soton.ac.uk> Message-ID: <44c071aa0708281040x27c36f76g17a26ea14cc9aa97@mail.gmail.com> Thanks julian worked perfectly, just following this rules managements is there a way to block these attachments for these specific users from sending mail to another domain that isnt mine, and allow them to attach when sending mail to own domain? EX: john may send mail to mydomain but he may not send to yahoo maria may send mail to mydomain and to yahoo Is it possible? 2007/8/27, Julian Field : > > Just use a ruleset with the Maximum Attachment Size setting in > MailScanner.conf. > > Put this in MailScanner.conf: > Maximum Attachment Size = %rules-dir%/max.attach.size.rules > > and in /etc/MailScanner/rules/max.attach.size.rules put this: > from: john@yourdomain.com -1 > from: bob@yourdomain.com -1 > from: joseph@yourdomain.com -1 > from: paul@yourdomain.com 0 > from: patrick@yourdomain.com 0 > from: maria@yourdomain.com 0 > fromorto: default -1 > > Note the last line sets the default to -1 which is "no limit" for this > setting. > > Then "service MailScanner reload" or (if that command doesn't work) > "/etc/init.d/MailScanner reload". > > MailScanner rulesets are documented at length in the wiki and in the Book. > > > infolistas listas wrote: > > Hi all is it possible to block some users from attaching files in > > mailscanner? > > EX: john, bob and joseph are allow to send attachments but paul, > > patrick and maria are not allowed. > > Thanks > > Jules > > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070828/c4b727d9/attachment.html From MailScanner at ecs.soton.ac.uk Tue Aug 28 18:43:01 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 28 18:43:21 2007 Subject: DCC not scoring from within MailScanner In-Reply-To: References: Message-ID: <46D45EA5.3030306@ecs.soton.ac.uk> Do you have an outgoing firewall? My DCC is running pretty much all the same versions as you, and is working fine. We allow outbound by default except for SMTP. Sarah Trayser wrote: > Hi all, > > We're using the DCC plugin on all our servers and it used to work, but > in the last few weeks it does not seem to be hitting at all. However, > when I manually run an email through SpamAssassin (spamassassin -tD < > mail.txt), it DOES get a DCC score. > > For example, I have just tested a spam message that just came into one > of the servers, did not get a DCC score through > MailScanner/SpamAssassin, but when I did a manual spamassassin test on > the same mail just a couple of minutes later it does get a hit on > DCC_CHECK. > > No problems in MailScanner or SpamAssasin lint tests. > > Running MailScanner v4.62.9, perl 5.8.8, SpamAssassin 3.2.3, DCC > 1.3.59, on CentOS 4.5. > > Any ideas? > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Tue Aug 28 18:50:03 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 28 18:50:22 2007 Subject: MailScanner via Yum (CentOS) In-Reply-To: References: <46D41675.3000302@ecs.soton.ac.uk> Message-ID: <46D4604B.7050007@ecs.soton.ac.uk> Paul Hutchings wrote: > Hi Julian, > > Thanks for the reply. That's how I've been installing it on Suse, just > thought I'd ask in case there was a neater/simpler way on CentOS/RHEL. > > Is there a list somewhere of what the MailScanner script checks for > before (if needed) installing itself? > Read the install.sh script :-) It installs all its required Perl modules as RPMs first. It rebuilds the RPMs from SRPMs to guarantee they are built for the right paths for your system. > It would be nice (I presume, certainly not an expert on this!) to have > as much as possible pre-installed? > It will install everything it needs, or tell you if it's not there. Just make sure you have gcc and make before you start :-) > Cheers, > Paul > > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378 > Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: 28 August 2007 13:35 > To: MailScanner discussion > Subject: Re: MailScanner via Yum (CentOS) > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I don't believe you can, no. Sorry. It only takes a few minutes to > install with my installation script. > > Paul Hutchings wrote: > >> I'm playing with CentOS 5 as a new distribution. >> >> It seems I can get most things via the CentOS distribution or by >> > adding > >> rpmforge to the yum repository list. >> >> Does anyone know if it is possible to get mailscanner in this manner >> rather than having to download and build from the RPMs on the site? >> >> TIA, >> Paul >> >> Paul Hutchings >> Network Administrator, MIRA Ltd. >> Tel: 44 (0)24 7635 5378 >> Fax: 44 (0)24 7635 8378 >> mailto:paul.hutchings@mira.co.uk >> >> >> >> > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.3 (Build 3017) > Comment: (pgp-secured) > Charset: ISO-8859-1 > > wj8DBQFG1BZ1EfZZRxQVtlQRAoahAJ0Z9qtpC9JrK0ywRm5sEt3q8/GLLQCdFXk9 > P8NuVjnpGFmgvKO0sqpDryU= > =UUvb > -----END PGP SIGNATURE----- > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Tue Aug 28 19:12:57 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 28 19:13:14 2007 Subject: block attachment per user In-Reply-To: <44c071aa0708281040x27c36f76g17a26ea14cc9aa97@mail.gmail.com> References: <44c071aa0708271203lfaeb870p8a3d8aa0c1b3dffd@mail.gmail.com> <46D32286.40203@ecs.soton.ac.uk> <44c071aa0708281040x27c36f76g17a26ea14cc9aa97@mail.gmail.com> Message-ID: <46D465A9.4040105@ecs.soton.ac.uk> infolistas listas wrote: > Thanks julian worked perfectly, just following this rules managements > is there a way to block these attachments for these specific users > from sending mail to another domain that isnt mine, and allow them to > attach when sending mail to own domain? > EX: > > john may send mail to mydomain but he may not send to yahoo From: john@mydomain.com And To: mydomain.com -1 From: john@mydomain.com 0 > > maria may send mail to mydomain and to yahoo > > Is it possible? > > > 2007/8/27, Julian Field < MailScanner@ecs.soton.ac.uk > >: > > Just use a ruleset with the Maximum Attachment Size setting in > MailScanner.conf. > > Put this in MailScanner.conf: > Maximum Attachment Size = %rules-dir%/max.attach.size.rules > > and in /etc/MailScanner/rules/max.attach.size.rules put this: > from: john@yourdomain.com -1 > from: bob@yourdomain.com -1 > from: joseph@yourdomain.com -1 > from: paul@yourdomain.com 0 > from: patrick@yourdomain.com 0 > from: maria@yourdomain.com 0 > fromorto: default -1 > > Note the last line sets the default to -1 which is "no limit" for this > setting. > > Then "service MailScanner reload" or (if that command doesn't work) > "/etc/init.d/MailScanner reload". > > MailScanner rulesets are documented at length in the wiki and in > the Book. > > > infolistas listas wrote: > > Hi all is it possible to block some users from attaching files in > > mailscanner? > > EX: john, bob and joseph are allow to send attachments but paul, > > patrick and maria are not allowed. > > Thanks > > Jules > > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > > Support MailScanner development - buy the book off the website! > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From grupolistas at gmail.com Tue Aug 28 19:13:25 2007 From: grupolistas at gmail.com (infolistas listas) Date: Tue Aug 28 19:13:28 2007 Subject: block attachment per user In-Reply-To: <44c071aa0708281040x27c36f76g17a26ea14cc9aa97@mail.gmail.com> References: <44c071aa0708271203lfaeb870p8a3d8aa0c1b3dffd@mail.gmail.com> <46D32286.40203@ecs.soton.ac.uk> <44c071aa0708281040x27c36f76g17a26ea14cc9aa97@mail.gmail.com> Message-ID: <44c071aa0708281113k70b7d9fg2ded0238543375e7@mail.gmail.com> Ok I lookedup some examples from others rules and found it from: john@domain -1 from: maria@domain -1 to: *gmail.com -1 #allows attach to be send to everything on gmail to: *@domain -1 #allows attach to be send to my domain fromorto: default 0 Thanks. 2007/8/28, infolistas listas : > > Thanks julian worked perfectly, just following this rules managements is > there a way to block these attachments for these specific users from sending > mail to another domain that isnt mine, and allow them to attach when sending > mail to own domain? > EX: > > john may send mail to mydomain but he may not send to yahoo > maria may send mail to mydomain and to yahoo > > Is it possible? > > > 2007/8/27, Julian Field < MailScanner@ecs.soton.ac.uk>: > > > > Just use a ruleset with the Maximum Attachment Size setting in > > MailScanner.conf. > > > > Put this in MailScanner.conf: > > Maximum Attachment Size = %rules-dir%/max.attach.size.rules > > > > and in /etc/MailScanner/rules/max.attach.size.rules put this: > > from: john@yourdomain.com -1 > > from: bob@yourdomain.com -1 > > from: joseph@yourdomain.com -1 > > from: paul@yourdomain.com 0 > > from: patrick@yourdomain.com 0 > > from: maria@yourdomain.com 0 > > fromorto: default -1 > > > > Note the last line sets the default to -1 which is "no limit" for this > > setting. > > > > Then "service MailScanner reload" or (if that command doesn't work) > > "/etc/init.d/MailScanner reload". > > > > MailScanner rulesets are documented at length in the wiki and in the > > Book. > > > > > > infolistas listas wrote: > > > Hi all is it possible to block some users from attaching files in > > > mailscanner? > > > EX: john, bob and joseph are allow to send attachments but paul, > > > patrick and maria are not allowed. > > > Thanks > > > > Jules > > > > -- > > Julian Field MEng CITP > > www.MailScanner.info > > Buy the MailScanner book at www.MailScanner.info/store > > > > MailScanner customisation, or any advanced system administration help? > > Contact me at Jules@Jules.FM > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > For all your IT requirements visit www.transtec.co.uk > > > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > For all your IT requirements visit www.transtec.co.uk > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070828/2293208b/attachment.html From steve.swaney at fsl.com Tue Aug 28 19:19:39 2007 From: steve.swaney at fsl.com (Stephen Swaney) Date: Tue Aug 28 19:18:56 2007 Subject: MailScanner via Yum (CentOS) In-Reply-To: <46D4604B.7050007@ecs.soton.ac.uk> References: <46D41675.3000302@ecs.soton.ac.uk> <46D4604B.7050007@ecs.soton.ac.uk> Message-ID: <014c01c7e99f$ff4ee1a0$fdeca4e0$@swaney@fsl.com> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: Tuesday, August 28, 2007 1:50 PM > To: MailScanner discussion > Subject: Re: MailScanner via Yum (CentOS) > > > > Paul Hutchings wrote: > > Hi Julian, > > > > Thanks for the reply. That's how I've been installing it on Suse, > just > > thought I'd ask in case there was a neater/simpler way on > CentOS/RHEL. > > > > Is there a list somewhere of what the MailScanner script checks for > > before (if needed) installing itself? > > > Read the install.sh script :-) > It installs all its required Perl modules as RPMs first. It rebuilds > the > RPMs from SRPMs to guarantee they are built for the right paths for > your > system. > > > It would be nice (I presume, certainly not an expert on this!) to > have > > as much as possible pre-installed? > > > It will install everything it needs, or tell you if it's not there. > Just > make sure you have gcc and make before you start :-) and rpm-build :) Steve Steve Swaney steve@fsl.com www.fsl.com > > Cheers, > > Paul > > > > Paul Hutchings > > Network Administrator, MIRA Ltd. > > Tel: 44 (0)24 7635 5378 > > Fax: 44 (0)24 7635 8378 > > mailto:paul.hutchings@mira.co.uk > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Julian > > Field > > Sent: 28 August 2007 13:35 > > To: MailScanner discussion > > Subject: Re: MailScanner via Yum (CentOS) > > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > I don't believe you can, no. Sorry. It only takes a few minutes to > > install with my installation script. > > > > Paul Hutchings wrote: > > > >> I'm playing with CentOS 5 as a new distribution. > >> > >> It seems I can get most things via the CentOS distribution or by > >> > > adding > > > >> rpmforge to the yum repository list. > >> > >> Does anyone know if it is possible to get mailscanner in this manner > >> rather than having to download and build from the RPMs on the site? > >> > >> TIA, > >> Paul > >> > >> Paul Hutchings > >> Network Administrator, MIRA Ltd. > >> Tel: 44 (0)24 7635 5378 > >> Fax: 44 (0)24 7635 8378 > >> mailto:paul.hutchings@mira.co.uk > >> > >> > >> > >> > > > > Jules > > > > - -- > > Julian Field MEng CITP > > www.MailScanner.info > > Buy the MailScanner book at www.MailScanner.info/store > > > > Need help customising MailScanner? > > Contact me! > > Need help fixing or optimising your systems? > > Contact me! > > Need help getting you started solving new requirements from your > boss? > > Contact me! > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > -----BEGIN PGP SIGNATURE----- > > Version: PGP Desktop 9.6.3 (Build 3017) > > Comment: (pgp-secured) > > Charset: ISO-8859-1 > > > > wj8DBQFG1BZ1EfZZRxQVtlQRAoahAJ0Z9qtpC9JrK0ywRm5sEt3q8/GLLQCdFXk9 > > P8NuVjnpGFmgvKO0sqpDryU= > > =UUvb > > -----END PGP SIGNATURE----- > > > > > > Jules > > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From mkettler at evi-inc.com Tue Aug 28 19:31:26 2007 From: mkettler at evi-inc.com (Matt Kettler) Date: Tue Aug 28 19:34:04 2007 Subject: DCC not scoring from within MailScanner In-Reply-To: <46D45EA5.3030306@ecs.soton.ac.uk> References: <46D45EA5.3030306@ecs.soton.ac.uk> Message-ID: <46D469FE.5030207@evi-inc.com> Julian Field wrote: > Do you have an outgoing firewall? Well, that would affect the command-line version too. > My DCC is running pretty much all the > same versions as you, and is working fine. We allow outbound by default > except for SMTP. Mine's working fine on older versions. It seems rather odd that it works on the command-line, but not under MailScanner. Any chance you're using dccifd and the socket is in a place where mailscanner doesn't have access rights? From MailScanner at ecs.soton.ac.uk Tue Aug 28 19:43:59 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 28 19:45:02 2007 Subject: MailScanner via Yum (CentOS) In-Reply-To: <014c01c7e99f$ff4ee1a0$fdeca4e0$@swaney@fsl.com> References: <46D41675.3000302@ecs.soton.ac.uk> <46D4604B.7050007@ecs.soton.ac.uk> <014c01c7e99f$ff4ee1a0$fdeca4e0$@swaney@fsl.com> Message-ID: <46D46CEF.50504@ecs.soton.ac.uk> Stephen Swaney wrote: > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Julian Field >> Sent: Tuesday, August 28, 2007 1:50 PM >> To: MailScanner discussion >> Subject: Re: MailScanner via Yum (CentOS) >> >> >> >> Paul Hutchings wrote: >> >>> Hi Julian, >>> >>> Thanks for the reply. That's how I've been installing it on Suse, >>> >> just >> >>> thought I'd ask in case there was a neater/simpler way on >>> >> CentOS/RHEL. >> >>> Is there a list somewhere of what the MailScanner script checks for >>> before (if needed) installing itself? >>> >>> >> Read the install.sh script :-) >> It installs all its required Perl modules as RPMs first. It rebuilds >> the >> RPMs from SRPMs to guarantee they are built for the right paths for >> your >> system. >> >> >>> It would be nice (I presume, certainly not an expert on this!) to >>> >> have >> >>> as much as possible pre-installed? >>> >>> >> It will install everything it needs, or tell you if it's not there. >> Just >> make sure you have gcc and make before you start :-) >> > > and rpm-build :) > Good point, that's the most common culprit! Thanks Steve :-) > >>> Cheers, >>> Paul >>> >>> Paul Hutchings >>> Network Administrator, MIRA Ltd. >>> Tel: 44 (0)24 7635 5378 >>> Fax: 44 (0)24 7635 8378 >>> mailto:paul.hutchings@mira.co.uk >>> >>> -----Original Message----- >>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >>> >> Julian >> >>> Field >>> Sent: 28 August 2007 13:35 >>> To: MailScanner discussion >>> Subject: Re: MailScanner via Yum (CentOS) >>> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> I don't believe you can, no. Sorry. It only takes a few minutes to >>> install with my installation script. >>> >>> Paul Hutchings wrote: >>> >>> >>>> I'm playing with CentOS 5 as a new distribution. >>>> >>>> It seems I can get most things via the CentOS distribution or by >>>> >>>> >>> adding >>> >>> >>>> rpmforge to the yum repository list. >>>> >>>> Does anyone know if it is possible to get mailscanner in this manner >>>> rather than having to download and build from the RPMs on the site? >>>> >>>> TIA, >>>> Paul >>>> >>>> Paul Hutchings >>>> Network Administrator, MIRA Ltd. >>>> Tel: 44 (0)24 7635 5378 >>>> Fax: 44 (0)24 7635 8378 >>>> mailto:paul.hutchings@mira.co.uk >>>> >>>> >>>> >>>> >>>> >>> Jules >>> >>> - -- >>> Julian Field MEng CITP >>> www.MailScanner.info >>> Buy the MailScanner book at www.MailScanner.info/store >>> >>> Need help customising MailScanner? >>> Contact me! >>> Need help fixing or optimising your systems? >>> Contact me! >>> Need help getting you started solving new requirements from your >>> >> boss? >> >>> Contact me! >>> >>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> >>> >>> -----BEGIN PGP SIGNATURE----- >>> Version: PGP Desktop 9.6.3 (Build 3017) >>> Comment: (pgp-secured) >>> Charset: ISO-8859-1 >>> >>> wj8DBQFG1BZ1EfZZRxQVtlQRAoahAJ0Z9qtpC9JrK0ywRm5sEt3q8/GLLQCdFXk9 >>> P8NuVjnpGFmgvKO0sqpDryU= >>> =UUvb >>> -----END PGP SIGNATURE----- >>> >>> >>> >> Jules >> >> -- >> Julian Field MEng CITP >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> MailScanner customisation, or any advanced system administration help? >> Contact me at Jules@Jules.FM >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> For all your IT requirements visit www.transtec.co.uk >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> For all your IT requirements visit www.transtec.co.uk >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From paul.hutchings at mira.co.uk Tue Aug 28 20:06:18 2007 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Tue Aug 28 20:06:20 2007 Subject: MailScanner via Yum (CentOS) References: <46D41675.3000302@ecs.soton.ac.uk> <46D4604B.7050007@ecs.soton.ac.uk> Message-ID: > Read the install.sh script :-) Rather embarrassingly I did once I'd sent the reply to the list :-) I'd appreciate any feedback on how other people handle this - I can see the benefits of using the rpm's supplied with MailScanner as I would assume it sorts out things like minimum versions req'd, but at the same time I'm thinking is there a benefit to using as much as possible of what comes with the OS? -- MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. From mstandish at gmail.com Tue Aug 28 20:07:55 2007 From: mstandish at gmail.com (Matt Standish) Date: Tue Aug 28 20:07:58 2007 Subject: SLES 10 experience In-Reply-To: <006801c7e09d$a4f44e30$ad582fc2@taxbrbr> References: <006801c7e09d$a4f44e30$ad582fc2@taxbrbr> Message-ID: <39e688060708281207h2d4e1dc4x8f24ad357f1221e5@mail.gmail.com> I have been running Mailscanner on SLES 10 for some time. I did build a custom RPM for postfix for some of the database related stuff.. I haven't had any OS related problems. On 8/17/07, Tobias Axelsson wrote: > > > > > Hi > > I have now in 3 years running mailscanner/mailwatch on Suse linux enterprise > server 9 on three servers almost without problem. > > Now we need more performance and gonna replace them with three new > bladeservers 2x4quadcore/6GB ram and no disk. > > Becourse of the blade-structure, I gonna need to san-boot them, (the > systemdisk is a SAN-disk) and therefor it requires SuSE linux enterprise 10. > Do someone have good experience with SLES10? A lot is changed... > > Thanks, Tobias > Sweden > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- Matt Standish MSN Messenger: mps_@hotmail.com Yahoo Messenger: mattstandish@yahoo.com Google Talk: mstandish From MailScanner at ecs.soton.ac.uk Tue Aug 28 20:28:43 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Aug 28 20:29:09 2007 Subject: MailScanner via Yum (CentOS) In-Reply-To: References: <46D41675.3000302@ecs.soton.ac.uk> <46D4604B.7050007@ecs.soton.ac.uk> Message-ID: <46D4776B.20902@ecs.soton.ac.uk> Paul Hutchings wrote: >> Read the install.sh script :-) >> > > Rather embarrassingly I did once I'd sent the reply to the list :-) > > I'd appreciate any feedback on how other people handle this - I can see > the benefits of using the rpm's supplied with MailScanner as I would > assume it sorts out things like minimum versions req'd, but at the same > time I'm thinking is there a benefit to using as much as possible of > what comes with the OS? > It doesn't install a new module unless it needs to for some reason. If your current version is okay, then it will leave it as it is and not upgrade it. But many of the requirements are not shipped with the OS. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From dnsadmin at 1bigthink.com Tue Aug 28 20:42:43 2007 From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com) Date: Tue Aug 28 20:42:59 2007 Subject: MailScanner via Yum (CentOS) In-Reply-To: References: <46D41675.3000302@ecs.soton.ac.uk> <46D4604B.7050007@ecs.soton.ac.uk> Message-ID: <200708281943.l7SJh2e1008726@mxt.1bigthink.com> At 03:06 PM 8/28/2007, you wrote: > > Read the install.sh script :-) > >Rather embarrassingly I did once I'd sent the reply to the list :-) > >I'd appreciate any feedback on how other people handle this - I can see >the benefits of using the rpm's supplied with MailScanner as I would >assume it sorts out things like minimum versions req'd, but at the same >time I'm thinking is there a benefit to using as much as possible of >what comes with the OS? No. MailScanner and the SpamAssassin/ClamAV installers are updated far more regularly than the similar components of the OS. All the important parts of the OS will still be handled well by RedHat/CentOS. Well, CentOS, anyway. I've been on CentOS since RedHat went the route of support licences. I understand your squeamishness; when I tried SuSe I found some odd things that a lot of familiar programs broke and/or broke familiar programs (only due to my lack of experience with the OS, I'm sure). MailScanner goes very well with RedHat/CentOS. Cheers, Glenn From list-mailscanner at linguaphone.com Tue Aug 28 21:31:34 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Aug 28 21:31:37 2007 Subject: DCC not scoring from within MailScanner In-Reply-To: <46D469FE.5030207@evi-inc.com> Message-ID: The top 3 problems with getting DCC to work are :- 1) Firewall but this wont allow it to work from the command prompt for any user. 2) Permissions. Test it under the same user which mailscanner runs as. 3) Path issues. Make sure you correctly have the dcc path set in the spamassassin configuration. This is the error I made which resulted in the same issue you are experiencing. > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Matt > Kettler > Sent: 28 August 2007 19:31 > To: MailScanner discussion > Subject: Re: DCC not scoring from within MailScanner > > > Julian Field wrote: > > Do you have an outgoing firewall? > > Well, that would affect the command-line version too. > > > My DCC is running pretty much all the > > same versions as you, and is working fine. We allow outbound by default > > except for SMTP. > > Mine's working fine on older versions. > > It seems rather odd that it works on the command-line, but not > under MailScanner. > > Any chance you're using dccifd and the socket is in a place where > mailscanner > doesn't have access rights? > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > From waytotheweb at googlemail.com Tue Aug 28 22:15:15 2007 From: waytotheweb at googlemail.com (Sarah Trayser) Date: Tue Aug 28 22:15:19 2007 Subject: DCC not scoring from within MailScanner In-Reply-To: References: <46D469FE.5030207@evi-inc.com> Message-ID: Thanks for all the replies. We're using dccproc, not dccifd. On 28/08/07, Gareth wrote: > The top 3 problems with getting DCC to work are :- > > 1) Firewall but this wont allow it to work from the command prompt for any > user. Although we do run a firewall, that can't be the issue since it's working from the command line. > > 2) Permissions. Test it under the same user which mailscanner runs as. In my testing I did this. DCC works when I run a spamassassin test as the mailscanner user, just not when MailScanner calls it, apparently. > 3) Path issues. Make sure you correctly have the dcc path set in the > spamassassin configuration. This is the error I made which resulted in the > same issue you are experiencing. Wouldn't this affect the command line test as well? Where would this be set - mailscanner.cf > spam.assassin.prefs.conf? This is what I see in that file: ifplugin Mail::SpamAssassin::Plugin::DCC #dcc_path /usr/local/bin/dccproc endif As far as I know we have not changed that so I assume it has always been commented out. -- Regards, Sarah Trayser Way to the Web Ltd Server Management Services: http://www.configserver.com Web Hosting: http://www.waytotheweb.com From naolson at gmail.com Tue Aug 28 22:52:28 2007 From: naolson at gmail.com (Nathan Olson) Date: Tue Aug 28 22:52:32 2007 Subject: MailScanner via Yum (CentOS) In-Reply-To: References: <46D41675.3000302@ecs.soton.ac.uk> <46D4604B.7050007@ecs.soton.ac.uk> Message-ID: <8f54b4330708281452g10b0440ej22bfd4e1f4dc721b@mail.gmail.com> We run RHEL5 (64-bit, Server + Virt) and install home-grown RPMs using the latest sources from CPAN for all the components not included or available via RedHat's yum channels. Take Base64.pm, for example. Included in the perl RPM on RHEL5. We just use that. Same with HTML-Tagset and many others. It works fine, but it takes work. Nate From steve.swaney at fsl.com Wed Aug 29 00:46:00 2007 From: steve.swaney at fsl.com (Stephen Swaney) Date: Wed Aug 29 00:45:18 2007 Subject: MailScanner via Yum (CentOS) In-Reply-To: <8f54b4330708281452g10b0440ej22bfd4e1f4dc721b@mail.gmail.com> References: <46D41675.3000302@ecs.soton.ac.uk> <46D4604B.7050007@ecs.soton.ac.uk> <8f54b4330708281452g10b0440ej22bfd4e1f4dc721b@mail.gmail.com> Message-ID: <030a01c7e9cd$968a4500$c39ecf00$@swaney@fsl.com> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Nathan Olson > Sent: Tuesday, August 28, 2007 5:52 PM > To: MailScanner discussion > Subject: Re: MailScanner via Yum (CentOS) > > We run RHEL5 (64-bit, Server + Virt) and install home-grown RPMs using > the > latest sources from CPAN for all the components not included or > available via RedHat's yum channels. > > Take Base64.pm, for example. Included in the perl RPM on RHEL5. We > just use that. > Same with HTML-Tagset and many others. > > It works fine, but it takes work. > > Nate > -- It looks like the sites that know enough to intelligently use the various methods to install rpms can pretty much dissect Julian's install.sh script to use yum (or up2date RH 5.0) to keep their systems updated the way they want to. But it's not simple! After following this thread, I can tell you that based on our experience to update our own applications using yum - and for Julian to try to handle all the Operating Systems he supports - and to continue with incredibly fast implementation of feature requests - and get a little rest now and then - and have some dinners out with his mates - etc - etc -this is not trivial! And this should not be his job! He already makes it so simple for newbes and experienced admins to simply keep their MailScanner apps up to date he shouldn't be asked to do more. What I would suggest is that if you really want to do this is to help Julian. Setup a yum repository that handles all of the dependencies that that MailScanner requires (hint enablerepo=) and if you're really ambitious, add SpamAssassin, Razor, DCC - you get the idea. We're starting doing this for our MailScanner maintenance clients since it will save us time and them costs and we may make this accessible the MailScanner list as we have the time and resources but it won't be soon. We're really too busy with BarricadeMX installs. Who wants' to volunteer :>). We'll be happy to share what we've done so far with you but you'll need a bit of bandwith! Steve Steve Swaney steve@fsl.com www.fsl.com From naolson at gmail.com Wed Aug 29 02:16:47 2007 From: naolson at gmail.com (Nathan Olson) Date: Wed Aug 29 02:16:50 2007 Subject: MailScanner via Yum (CentOS) In-Reply-To: <-5452022688349182458@unknownmsgid> References: <46D41675.3000302@ecs.soton.ac.uk> <46D4604B.7050007@ecs.soton.ac.uk> <8f54b4330708281452g10b0440ej22bfd4e1f4dc721b@mail.gmail.com> <-5452022688349182458@unknownmsgid> Message-ID: <8f54b4330708281816y7572cac2r6ef68f7a94fedce6@mail.gmail.com> Actually, we have SpamAssassin + all requirements (for 64-bit RHEL5 - spec files should work for 32-bit as well) and Razor as RPMs. Is someone actually interested in these? Nate From wizard at jimhermann.com Wed Aug 29 05:25:24 2007 From: wizard at jimhermann.com (Jim Hermann) Date: Wed Aug 29 05:25:12 2007 Subject: Outgoing Queue Dir Ruleset In-Reply-To: <46D42119.1010209@ecs.soton.ac.uk> References: <200708261100.l7QB02E8013272@safir.blacknight.ie> <000801c7e81e$953686b0$cc01a8c0@Dual><46D1E2A5.4090500@ecs.soton.ac.uk> <46D1E87A.9060601@ecs.soton.ac.uk><00c301c7e8d1$6dc1e120$cc01a8c0@Dual> <46D31A08.9080806@ecs.soton.ac.uk><009401c7e973$564e4770$cc01a8c0@Dual> <46D42119.1010209@ecs.soton.ac.uk> Message-ID: <011a01c7e9f4$9ee70220$cc01a8c0@Dual> > Jim Hermann wrote: > > No. I was hoping to use a Ruleset for the Outgoing Queue Dir and use > > separate instances of sendmail to handle each outgoing > queue directory. Is > > there a way to have MS tell sendmail to use different > configuration files > > for each outgoing queue directory? > > > Only by hacking the code, sorry. It's not built-in > functionality, sorry. > >2nd thoughts: can you put a ruleset on sendmail2? The conf file will >tell you if you can or not, I can't remember. I don't feel bad for not noticing. ;) Now my MailScanner.conf contains: Outgoing Queue Dir = /etc/MailScanner/rules/outgoing.rules Sendmail2 = /etc/MailScanner/rules/sendmail2.rules Use Default Rules With Multiple Recipients = yes Delivery Method = batch /etc/MailScanner/rules/outgoing.rules contains: To: *@aol.com /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned1 To: *@cs.com /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned1 To: *@comcast.net /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned2 To: *@yahoo.com /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned2 FromOrTo: default /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned /etc/MailScanner/rules/sendmail2.rules contains: To: *@aol.com /usr/sbin/sendmail -L sm-mailscanner1 -OProcessTitlePrefix=sm-mailscanner1 -ODeliveryMode=background -C /etc/mail/sm-mailscanner1.cf To: *@cs.com /usr/sbin/sendmail -L sm-mailscanner1 -OProcessTitlePrefix=sm-mailscanner1 -ODeliveryMode=background -C /etc/mail/sm-mailscanner1.cf To: *@comcast.net /usr/sbin/sendmail -L sm-mailscanner2 -OProcessTitlePrefix=sm-mailscanner2 -ODeliveryMode=background -C /etc/mail/sm-mailscanner2.cf To: *@yahoo.com /usr/sbin/sendmail -L sm-mailscanner2 -OProcessTitlePrefix=sm-mailscanner2 -ODeliveryMode=background -C /etc/mail/sm-mailscanner2.cf FromOrTo: default /usr/sbin/sendmail -L sm-mailscanner -OProcessTitlePrefix=sm-mailscanner -ODeliveryMode=background -C /etc/mail/sm-mailscanner.cf MailScanner stores the email in the correct directory but does not use the correct version of sendmail2. It does use the default value of sendmail2. The "sm-mailscanner" shows up in the log. How do I get the Ruleset to match the other values for Sendmail2? Thanks. Jim From tgc at statsbiblioteket.dk Wed Aug 29 07:48:32 2007 From: tgc at statsbiblioteket.dk (Tom G. Christensen) Date: Wed Aug 29 07:48:34 2007 Subject: MailScanner via Yum (CentOS) In-Reply-To: References: Message-ID: <46D516C0.4030704@statsbiblioteket.dk> Paul Hutchings wrote: > I'm playing with CentOS 5 as a new distribution. > > It seems I can get most things via the CentOS distribution or by adding > rpmforge to the yum repository list. > > Does anyone know if it is possible to get mailscanner in this manner > rather than having to download and build from the RPMs on the site? > I just did such an install on CentOS 5, but it's not as easy as it should be. The main gotcha is that 3 of the perl modules that MailScanner wants to install conflicts with the main perl package since it already provides the modules. The modules are File-Temp, Getopt-Long and Test-Harness. For my own use I've created a perl package which has these modules as replaceable subpackages. The alternative is to force the install of the offending RPMS. With rpmforge enabled and standing in the MailScanner dir I did: # yum install `ls perl-* | sed -e 's/$perl-[a-zA-Z-]*$-[0-9]*.*/\1/'` # yum install tnef perl-HTML-Parser is only 3.55 in CentOS 5 while MailScanner ships 3.56, I built my own version of the RPMforge package with 3.56 instead. mailscanner itself ofcourse it not available via yum but with all the above in place you can just install the rpm package in the MailScanner tarball without running install.sh (yay!). After that it's easy, RPMforge has clamav, SA and Razor ready to install. If you want DCC you can get it from ATrpms.net. -tgc From paul.hutchings at mira.co.uk Wed Aug 29 09:01:11 2007 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Wed Aug 29 09:01:19 2007 Subject: MailScanner via Yum (CentOS) References: <46D41675.3000302@ecs.soton.ac.uk> <46D4604B.7050007@ecs.soton.ac.uk> <46D4776B.20902@ecs.soton.ac.uk> Message-ID: Ok what I did was to simply do what I've been doing on Suse i.e. download the rpm installer and run install.sh Afterwards I ran "yum update". Bearing in mind I have rpmforge installed this was the output: ======================================================================== ===== Package Arch Version Repository Size ======================================================================== ===== Updating: perl-Archive-Zip noarch 1.20-1.el5.rf rpmforge 100 k perl-Convert-BinHex noarch 1.119-2.2.el5.rf rpmforge 34 k perl-Convert-TNEF noarch 0.17-3.2.el5.rf rpmforge 18 k perl-DBD-SQLite x86_64 1.13-1.el5.rf rpmforge 52 k perl-Filesys-Df x86_64 0.92-1.el5.rf rpmforge 36 k perl-IO-stringy noarch 2.110-1.2.el5.rf rpmforge 70 k perl-MIME-tools noarch 5.420-1.el5.rf rpmforge 276 k perl-MailTools noarch 1.77-1.el5.rf rpmforge 85 k perl-Net-CIDR noarch 0.11-1.2.el5.rf rpmforge 15 k perl-Sys-Hostname-Long noarch 1.4-1.2.el5.rf rpmforge 12 k tnef x86_64 1.4.3-1.el5.rf rpmforge 46 k Transaction Summary ======================================================================== ===== Install 0 Package(s) Update 11 Package(s) Remove 0 Package(s) So it would appear I'm good to go with the install script and the things yum will update by itself? Cheers, Paul Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378 Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: 28 August 2007 20:29 To: MailScanner discussion Subject: Re: MailScanner via Yum (CentOS) Paul Hutchings wrote: >> Read the install.sh script :-) >> > > Rather embarrassingly I did once I'd sent the reply to the list :-) > > I'd appreciate any feedback on how other people handle this - I can see > the benefits of using the rpm's supplied with MailScanner as I would > assume it sorts out things like minimum versions req'd, but at the same > time I'm thinking is there a benefit to using as much as possible of > what comes with the OS? > It doesn't install a new module unless it needs to for some reason. If your current version is okay, then it will leave it as it is and not upgrade it. But many of the requirements are not shipped with the OS. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. From MailScanner at ecs.soton.ac.uk Wed Aug 29 10:49:39 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 29 10:49:57 2007 Subject: Outgoing Queue Dir Ruleset In-Reply-To: <011a01c7e9f4$9ee70220$cc01a8c0@Dual> References: <200708261100.l7QB02E8013272@safir.blacknight.ie> <000801c7e81e$953686b0$cc01a8c0@Dual><46D1E2A5.4090500@ecs.soton.ac.uk> <46D1E87A.9060601@ecs.soton.ac.uk><00c301c7e8d1$6dc1e120$cc01a8c0@Dual> <46D31A08.9080806@ecs.soton.ac.uk><009401c7e973$564e4770$cc01a8c0@Dual> <46D42119.1010209@ecs.soton.ac.uk> <011a01c7e9f4$9ee70220$cc01a8c0@Dual> Message-ID: <46D54133.8080201@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jim Hermann wrote: >> Jim Hermann wrote: >> >>> No. I was hoping to use a Ruleset for the Outgoing Queue Dir and use >>> separate instances of sendmail to handle each outgoing >>> >> queue directory. Is >> >>> there a way to have MS tell sendmail to use different >>> >> configuration files >> >>> for each outgoing queue directory? >>> >>> >> Only by hacking the code, sorry. It's not built-in >> functionality, sorry. >> >> 2nd thoughts: can you put a ruleset on sendmail2? The conf file will >> tell you if you can or not, I can't remember. >> > > I don't feel bad for not noticing. ;) > > Now my MailScanner.conf contains: > > Outgoing Queue Dir = /etc/MailScanner/rules/outgoing.rules > Sendmail2 = /etc/MailScanner/rules/sendmail2.rules > Use Default Rules With Multiple Recipients = yes > Delivery Method = batch > > /etc/MailScanner/rules/outgoing.rules contains: > > To: *@aol.com > /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned1 > To: *@cs.com > /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned1 > To: *@comcast.net > /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned2 > To: *@yahoo.com > /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned2 > > FromOrTo: default > /home/virtual/FILESYSTEMTEMPLATE/services/sendmail/mqueue.scanned > > /etc/MailScanner/rules/sendmail2.rules contains: > > To: *@aol.com /usr/sbin/sendmail -L sm-mailscanner1 > -OProcessTitlePrefix=sm-mailscanner1 -ODeliveryMode=background -C > /etc/mail/sm-mailscanner1.cf > To: *@cs.com /usr/sbin/sendmail -L sm-mailscanner1 > -OProcessTitlePrefix=sm-mailscanner1 -ODeliveryMode=background -C > /etc/mail/sm-mailscanner1.cf > To: *@comcast.net /usr/sbin/sendmail -L sm-mailscanner2 > -OProcessTitlePrefix=sm-mailscanner2 -ODeliveryMode=background -C > /etc/mail/sm-mailscanner2.cf > To: *@yahoo.com /usr/sbin/sendmail -L sm-mailscanner2 > -OProcessTitlePrefix=sm-mailscanner2 -ODeliveryMode=background -C > /etc/mail/sm-mailscanner2.cf > > FromOrTo: default /usr/sbin/sendmail -L sm-mailscanner > -OProcessTitlePrefix=sm-mailscanner -ODeliveryMode=background -C > /etc/mail/sm-mailscanner.cf > > MailScanner stores the email in the correct directory but does not use the > correct version of sendmail2. It does use the default value of sendmail2. > The "sm-mailscanner" shows up in the log. How do I get the Ruleset to match > the other values for Sendmail2? > You upgrade to my next release :-) I have just found the bug and fixed it. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFG1UEzEfZZRxQVtlQRAkM0AKCxOtAKfzdRMH4FKPtMi2XEvC5XHACeKP8R 3ObgpFL/qDs1cb37n4Z0mJQ= =umQw -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From christiannygaard at gmail.com Wed Aug 29 12:22:53 2007 From: christiannygaard at gmail.com (Christian Nygaard) Date: Wed Aug 29 12:22:57 2007 Subject: Spam Filter Fusion with MailScanner? Message-ID: <4d4321660708290422j19c1a5fei64802005fa6b4b1e@mail.gmail.com> Hi! Today we are using MailScanner with SpamAssassin but it seems that more Spam is leaking through the last couple of months. I was wondering if anyone have started to use Spam filter fusion, fusing in more filters than SpamAssassin? If you did, how did you do it? On-line Spam Filter Fusion http://plg.uwaterloo.ca/~gvcormac/sigir.pdf http://plg.uwaterloo.ca/~gvcormac/dmcspam.pdf Kind regards, Christian -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070829/553f7341/attachment.html From list-mailscanner at linguaphone.com Wed Aug 29 12:43:46 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Aug 29 12:43:56 2007 Subject: list of variables which can be used in reports Message-ID: <1188387826.3776.3.camel@gblades-suse.linguaphone-intranet.co.uk> Is there a list of variables that can be used in reports anywhere? I have a look in the book and on wiki but could not find anything. In particular I would like to change the inline spam report so that it also reports the total spamassassin score. Thanks Gareth From list-mailscanner at linguaphone.com Wed Aug 29 12:45:41 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Aug 29 12:45:49 2007 Subject: Spam Filter Fusion with MailScanner? In-Reply-To: <4d4321660708290422j19c1a5fei64802005fa6b4b1e@mail.gmail.com> References: <4d4321660708290422j19c1a5fei64802005fa6b4b1e@mail.gmail.com> Message-ID: <1188387941.3781.6.camel@gblades-suse.linguaphone-intranet.co.uk> No I haven't because I find that we catch practically all the spam. Perhaps there are some additional rules or plugins you could be using. Is your mailscanner and spamassassin fully up to date? What plugins, antivirus and additional rules do you use? On Wed, 2007-08-29 at 12:22, Christian Nygaard wrote: > Hi! > > Today we are using MailScanner with SpamAssassin but it seems that > more > Spam is leaking through the last couple of months. > > I was wondering if anyone have started to use Spam filter fusion, > fusing in more > filters than SpamAssassin? If you did, how did you do it? > > On-line Spam Filter Fusion > http://plg.uwaterloo.ca/~gvcormac/sigir.pdf > http://plg.uwaterloo.ca/~gvcormac/dmcspam.pdf > > Kind regards, > Christian > > > > ______________________________________________________________________ > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From wizard at jimhermann.com Wed Aug 29 13:23:04 2007 From: wizard at jimhermann.com (Jim Hermann) Date: Wed Aug 29 13:22:57 2007 Subject: Outgoing Queue Dir Ruleset In-Reply-To: <46D54133.8080201@ecs.soton.ac.uk> References: <200708261100.l7QB02E8013272@safir.blacknight.ie> <000801c7e81e$953686b0$cc01a8c0@Dual><46D1E2A5.4090500@ecs.soton.ac.uk> <46D1E87A.9060601@ecs.soton.ac.uk><00c301c7e8d1$6dc1e120$cc01a8c0@Dual> <46D31A08.9080806@ecs.soton.ac.uk><009401c7e973$564e4770$cc01a8c0@Dual> <46D42119.1010209@ecs.soton.ac.uk><011a01c7e9f4$9ee70220$cc01a8c0@Dual> <46D54133.8080201@ecs.soton.ac.uk> Message-ID: <013c01c7ea37$5aea64c0$cc01a8c0@Dual> > > MailScanner stores the email in the correct directory but > does not use the > > correct version of sendmail2. It does use the default > value of sendmail2. > > The "sm-mailscanner" shows up in the log. How do I get the > Ruleset to match > > the other values for Sendmail2? > > > You upgrade to my next release :-) > I have just found the bug and fixed it. > > Jules Thanks. Can I download the latest beta and get the fix? Jim From MailScanner at ecs.soton.ac.uk Wed Aug 29 13:42:49 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 29 13:43:07 2007 Subject: list of variables which can be used in reports In-Reply-To: <1188387826.3776.3.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1188387826.3776.3.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <46D569C9.7060206@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Each of the sample reports I provide use all the variables available in that report. If you need any adding, just tell me what you want and where you want to use it. Gareth wrote: > Is there a list of variables that can be used in reports anywhere? > I have a look in the book and on wiki but could not find anything. > > In particular I would like to change the inline spam report so that it > also reports the total spamassassin score. > > Thanks > Gareth > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFG1WnKEfZZRxQVtlQRAjOMAKDv3xvdvg4NnszZQfONbjkx7a/KxACgiMtf ZAqlgmHz/zYbZd8uuP4VlHI= =s2b8 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Wed Aug 29 13:48:14 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 29 13:49:16 2007 Subject: Outgoing Queue Dir Ruleset In-Reply-To: <013c01c7ea37$5aea64c0$cc01a8c0@Dual> References: <200708261100.l7QB02E8013272@safir.blacknight.ie> <000801c7e81e$953686b0$cc01a8c0@Dual><46D1E2A5.4090500@ecs.soton.ac.uk> <46D1E87A.9060601@ecs.soton.ac.uk><00c301c7e8d1$6dc1e120$cc01a8c0@Dual> <46D31A08.9080806@ecs.soton.ac.uk><009401c7e973$564e4770$cc01a8c0@Dual> <46D42119.1010209@ecs.soton.ac.uk><011a01c7e9f4$9ee70220$cc01a8c0@Dual> <46D54133.8080201@ecs.soton.ac.uk> <013c01c7ea37$5aea64c0$cc01a8c0@Dual> Message-ID: <46D56B0E.30507@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Jim Hermann wrote: >>> MailScanner stores the email in the correct directory but >>> >> does not use the >> >>> correct version of sendmail2. It does use the default >>> >> value of sendmail2. >> >>> The "sm-mailscanner" shows up in the log. How do I get the >>> >> Ruleset to match >> >>> the other values for Sendmail2? >>> >>> >> You upgrade to my next release :-) >> I have just found the bug and fixed it. >> >> Jules >> > > Thanks. > > Can I download the latest beta and get the fix? > I have just created 4.63.5 for you. Please test it as soon as you can and let me know how you get on. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFG1WsOEfZZRxQVtlQRAuO5AJ9eCUCAYr+Bmtrp3ghKH8ozhWJXVQCbBgUF FSQ0YakMCpE6xeDQ1YEVWlc= =p+Qi -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From list-mailscanner at linguaphone.com Wed Aug 29 13:49:46 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Aug 29 13:49:52 2007 Subject: list of variables which can be used in reports In-Reply-To: <46D569C9.7060206@ecs.soton.ac.uk> References: <1188387826.3776.3.camel@gblades-suse.linguaphone-intranet.co.uk> <46D569C9.7060206@ecs.soton.ac.uk> Message-ID: <1188391785.3773.12.camel@gblades-suse.linguaphone-intranet.co.uk> It would be useful to have the total spam score as a variable. The reason being that I get users to drop copies of all false positives into a shared folder and it would save me having to manually add up all the scores to find what the total was. Depending on how much over the threshold it was I decide to do various things such as whitelist them, tell them to fix their mail system or do nothing :) Thanks On Wed, 2007-08-29 at 13:42, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Each of the sample reports I provide use all the variables available in > that report. > If you need any adding, just tell me what you want and where you want to > use it. > > Gareth wrote: > > Is there a list of variables that can be used in reports anywhere? > > I have a look in the book and on wiki but could not find anything. > > > > In particular I would like to change the inline spam report so that it > > also reports the total spamassassin score. > > > > Thanks > > Gareth > > > > > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.3 (Build 3017) > Comment: (pgp-secured) > Charset: ISO-8859-1 > > wj8DBQFG1WnKEfZZRxQVtlQRAjOMAKDv3xvdvg4NnszZQfONbjkx7a/KxACgiMtf > ZAqlgmHz/zYbZd8uuP4VlHI= > =s2b8 > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Wed Aug 29 13:54:07 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 29 13:54:25 2007 Subject: Spam Filter Fusion with MailScanner? In-Reply-To: <1188387941.3781.6.camel@gblades-suse.linguaphone-intranet.co.uk> References: <4d4321660708290422j19c1a5fei64802005fa6b4b1e@mail.gmail.com> <1188387941.3781.6.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <46D56C6F.9080304@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 metoo. I find that I can catch just about every spam that comes in here. I probably miss 2 or 3 per day into my own account, and mailscanner@ecs.soton.ac.uk is in an awful lot of address lists! Over the past couple of months, if anything, I have been more successful than usual. If you want me to give your server a thorough health-check and improve your anti-spam setup, I will happily do so, but I do charge for the service. Contact me off-list if you are interested. Best regards, Jules. Gareth wrote: > No I haven't because I find that we catch practically all the spam. > Perhaps there are some additional rules or plugins you could be using. > Is your mailscanner and spamassassin fully up to date? > What plugins, antivirus and additional rules do you use? > > On Wed, 2007-08-29 at 12:22, Christian Nygaard wrote: > >> Hi! >> >> Today we are using MailScanner with SpamAssassin but it seems that >> more >> Spam is leaking through the last couple of months. >> >> I was wondering if anyone have started to use Spam filter fusion, >> fusing in more >> filters than SpamAssassin? If you did, how did you do it? >> >> On-line Spam Filter Fusion >> http://plg.uwaterloo.ca/~gvcormac/sigir.pdf >> http://plg.uwaterloo.ca/~gvcormac/dmcspam.pdf >> >> Kind regards, >> Christian >> >> >> >> ______________________________________________________________________ >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFG1WxwEfZZRxQVtlQRAmoAAKDjXnoOxtJBgltNWmhVxn08k23WswCg1FvQ YGOa3VcRm3bJHCNdnNTKhHQ= =fnk4 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Wed Aug 29 13:55:31 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 29 13:55:58 2007 Subject: list of variables which can be used in reports In-Reply-To: <1188391785.3773.12.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1188387826.3776.3.camel@gblades-suse.linguaphone-intranet.co.uk> <46D569C9.7060206@ecs.soton.ac.uk> <1188391785.3773.12.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <46D56CC3.7020200@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 But in which report(s) specifically? And don't say "all of them" :-) Gareth wrote: > It would be useful to have the total spam score as a variable. > > The reason being that I get users to drop copies of all false positives > into a shared folder and it would save me having to manually add up all > the scores to find what the total was. Depending on how much over the > threshold it was I decide to do various things such as whitelist them, > tell them to fix their mail system or do nothing :) > > Thanks > > On Wed, 2007-08-29 at 13:42, Julian Field wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Each of the sample reports I provide use all the variables available in >> that report. >> If you need any adding, just tell me what you want and where you want to >> use it. >> >> Gareth wrote: >> >>> Is there a list of variables that can be used in reports anywhere? >>> I have a look in the book and on wiki but could not find anything. >>> >>> In particular I would like to change the inline spam report so that it >>> also reports the total spamassassin score. >>> >>> Thanks >>> Gareth >>> >>> >>> >> Jules >> >> - -- >> Julian Field MEng CITP >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> Need help customising MailScanner? >> Contact me! >> Need help fixing or optimising your systems? >> Contact me! >> Need help getting you started solving new requirements from your boss? >> Contact me! >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> >> -----BEGIN PGP SIGNATURE----- >> Version: PGP Desktop 9.6.3 (Build 3017) >> Comment: (pgp-secured) >> Charset: ISO-8859-1 >> >> wj8DBQFG1WnKEfZZRxQVtlQRAjOMAKDv3xvdvg4NnszZQfONbjkx7a/KxACgiMtf >> ZAqlgmHz/zYbZd8uuP4VlHI= >> =s2b8 >> -----END PGP SIGNATURE----- >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> For all your IT requirements visit www.transtec.co.uk >> > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFG1WzEEfZZRxQVtlQRAlCnAKCnSNqx5goX+IwKXK8F+IgWfGc3jwCg+7Gt zJ/GCo6o8GBmLmMx8nzltqk= =bDpY -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From list-mailscanner at linguaphone.com Wed Aug 29 13:59:56 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Aug 29 14:00:09 2007 Subject: list of variables which can be used in reports In-Reply-To: <46D56CC3.7020200@ecs.soton.ac.uk> References: <1188387826.3776.3.camel@gblades-suse.linguaphone-intranet.co.uk> <46D569C9.7060206@ecs.soton.ac.uk> <1188391785.3773.12.camel@gblades-suse.linguaphone-intranet.co.uk> <46D56CC3.7020200@ecs.soton.ac.uk> Message-ID: <1188392396.3779.14.camel@gblades-suse.linguaphone-intranet.co.uk> en/inline.spam.warning.txt please. On Wed, 2007-08-29 at 13:55, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > But in which report(s) specifically? And don't say "all of them" :-) > > Gareth wrote: > > It would be useful to have the total spam score as a variable. > > > > The reason being that I get users to drop copies of all false positives > > into a shared folder and it would save me having to manually add up all > > the scores to find what the total was. Depending on how much over the > > threshold it was I decide to do various things such as whitelist them, > > tell them to fix their mail system or do nothing :) > > > > Thanks > > > > On Wed, 2007-08-29 at 13:42, Julian Field wrote: > > > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> Each of the sample reports I provide use all the variables available in > >> that report. > >> If you need any adding, just tell me what you want and where you want to > >> use it. > >> > >> Gareth wrote: > >> > >>> Is there a list of variables that can be used in reports anywhere? > >>> I have a look in the book and on wiki but could not find anything. > >>> > >>> In particular I would like to change the inline spam report so that it > >>> also reports the total spamassassin score. > >>> > >>> Thanks > >>> Gareth > >>> > >>> > >>> > >> Jules > >> > >> - -- > >> Julian Field MEng CITP > >> www.MailScanner.info > >> Buy the MailScanner book at www.MailScanner.info/store > >> > >> Need help customising MailScanner? > >> Contact me! > >> Need help fixing or optimising your systems? > >> Contact me! > >> Need help getting you started solving new requirements from your boss? > >> Contact me! > >> > >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >> > >> > >> -----BEGIN PGP SIGNATURE----- > >> Version: PGP Desktop 9.6.3 (Build 3017) > >> Comment: (pgp-secured) > >> Charset: ISO-8859-1 > >> > >> wj8DBQFG1WnKEfZZRxQVtlQRAjOMAKDv3xvdvg4NnszZQfONbjkx7a/KxACgiMtf > >> ZAqlgmHz/zYbZd8uuP4VlHI= > >> =s2b8 > >> -----END PGP SIGNATURE----- > >> > >> -- > >> This message has been scanned for viruses and > >> dangerous content by MailScanner, and is > >> believed to be clean. > >> For all your IT requirements visit www.transtec.co.uk > >> > > > > > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.3 (Build 3017) > Comment: (pgp-secured) > Charset: ISO-8859-1 > > wj8DBQFG1WzEEfZZRxQVtlQRAlCnAKCnSNqx5goX+IwKXK8F+IgWfGc3jwCg+7Gt > zJ/GCo6o8GBmLmMx8nzltqk= > =bDpY > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk From Denis.Beauchemin at USherbrooke.ca Wed Aug 29 14:42:27 2007 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Wed Aug 29 14:46:26 2007 Subject: list of variables which can be used in reports In-Reply-To: <1188387826.3776.3.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1188387826.3776.3.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <46D577C3.10705@USherbrooke.ca> Gareth a ?crit : > Is there a list of variables that can be used in reports anywhere? > I have a look in the book and on wiki but could not find anything. > > In particular I would like to change the inline spam report so that it > also reports the total spamassassin score. > > Thanks > Gareth > > Gareth, No need to modify MS if you use "$longspamreport" in your report. I added the following to spam.assassin.prefs.conf and it becomes the new "$longspamreport": clear-report-template report D?tails de l'analyse du message: (_HITS_ points, _REQD_ requis) report pts nom de la r?gle description report ---- ---------------------- -------------------------------------------------- report _SUMMARY_ The _HITS_ prints the total SA score, while _REQD_ prints the required score. Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From MailScanner at ecs.soton.ac.uk Wed Aug 29 14:53:28 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 29 14:53:49 2007 Subject: list of variables which can be used in reports In-Reply-To: <1188392396.3779.14.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1188387826.3776.3.camel@gblades-suse.linguaphone-intranet.co.uk> <46D569C9.7060206@ecs.soton.ac.uk> <1188391785.3773.12.camel@gblades-suse.linguaphone-intranet.co.uk> <46D56CC3.7020200@ecs.soton.ac.uk> <1188392396.3779.14.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <46D57A58.50406@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You should already be able to use "$sascore" in this report. Sorry it's not in the example report, I must have overlooked that. Any others you need? Gareth wrote: > en/inline.spam.warning.txt please. > > On Wed, 2007-08-29 at 13:55, Julian Field wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> But in which report(s) specifically? And don't say "all of them" :-) >> >> Gareth wrote: >> >>> It would be useful to have the total spam score as a variable. >>> >>> The reason being that I get users to drop copies of all false positives >>> into a shared folder and it would save me having to manually add up all >>> the scores to find what the total was. Depending on how much over the >>> threshold it was I decide to do various things such as whitelist them, >>> tell them to fix their mail system or do nothing :) >>> >>> Thanks >>> >>> On Wed, 2007-08-29 at 13:42, Julian Field wrote: >>> >>> >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> Each of the sample reports I provide use all the variables available in >>>> that report. >>>> If you need any adding, just tell me what you want and where you want to >>>> use it. >>>> >>>> Gareth wrote: >>>> >>>> >>>>> Is there a list of variables that can be used in reports anywhere? >>>>> I have a look in the book and on wiki but could not find anything. >>>>> >>>>> In particular I would like to change the inline spam report so that it >>>>> also reports the total spamassassin score. >>>>> >>>>> Thanks >>>>> Gareth >>>>> >>>>> >>>>> >>>>> >>>> Jules >>>> >>>> - -- >>>> Julian Field MEng CITP >>>> www.MailScanner.info >>>> Buy the MailScanner book at www.MailScanner.info/store >>>> >>>> Need help customising MailScanner? >>>> Contact me! >>>> Need help fixing or optimising your systems? >>>> Contact me! >>>> Need help getting you started solving new requirements from your boss? >>>> Contact me! >>>> >>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>> >>>> >>>> -----BEGIN PGP SIGNATURE----- >>>> Version: PGP Desktop 9.6.3 (Build 3017) >>>> Comment: (pgp-secured) >>>> Charset: ISO-8859-1 >>>> >>>> wj8DBQFG1WnKEfZZRxQVtlQRAjOMAKDv3xvdvg4NnszZQfONbjkx7a/KxACgiMtf >>>> ZAqlgmHz/zYbZd8uuP4VlHI= >>>> =s2b8 >>>> -----END PGP SIGNATURE----- >>>> >>>> -- >>>> This message has been scanned for viruses and >>>> dangerous content by MailScanner, and is >>>> believed to be clean. >>>> For all your IT requirements visit www.transtec.co.uk >>>> >>>> >>> >>> >> Jules >> >> - -- >> Julian Field MEng CITP >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> Need help customising MailScanner? >> Contact me! >> Need help fixing or optimising your systems? >> Contact me! >> Need help getting you started solving new requirements from your boss? >> Contact me! >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> >> -----BEGIN PGP SIGNATURE----- >> Version: PGP Desktop 9.6.3 (Build 3017) >> Comment: (pgp-secured) >> Charset: ISO-8859-1 >> >> wj8DBQFG1WzEEfZZRxQVtlQRAlCnAKCnSNqx5goX+IwKXK8F+IgWfGc3jwCg+7Gt >> zJ/GCo6o8GBmLmMx8nzltqk= >> =bDpY >> -----END PGP SIGNATURE----- >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> For all your IT requirements visit www.transtec.co.uk >> > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.3 (Build 3017) Comment: (pgp-secured) Charset: ISO-8859-15 wj8DBQFG1XpZEfZZRxQVtlQRAiFpAJ9k5bJIxeq83zR8a4VwiIJHjTMfXACeJC3z G9o7Ewzmqn+55QDHvlYA2Ew= =GBej -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From list-mailscanner at linguaphone.com Wed Aug 29 15:08:45 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Aug 29 15:08:55 2007 Subject: list of variables which can be used in reports In-Reply-To: <46D57A58.50406@ecs.soton.ac.uk> References: <1188387826.3776.3.camel@gblades-suse.linguaphone-intranet.co.uk> <46D569C9.7060206@ecs.soton.ac.uk> <1188391785.3773.12.camel@gblades-suse.linguaphone-intranet.co.uk> <46D56CC3.7020200@ecs.soton.ac.uk> <1188392396.3779.14.camel@gblades-suse.linguaphone-intranet.co.uk> <46D57A58.50406@ecs.soton.ac.uk> Message-ID: <1188396525.3773.16.camel@gblades-suse.linguaphone-intranet.co.uk> Just modified the report and it is working fine. Thanks On Wed, 2007-08-29 at 14:53, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > You should already be able to use "$sascore" in this report. Sorry it's > not in the example report, I must have overlooked that. Any others you need? > > Gareth wrote: > > en/inline.spam.warning.txt please. > > > > On Wed, 2007-08-29 at 13:55, Julian Field wrote: > > > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> But in which report(s) specifically? And don't say "all of them" :-) > >> > >> Gareth wrote: > >> > >>> It would be useful to have the total spam score as a variable. > >>> > >>> The reason being that I get users to drop copies of all false positives > >>> into a shared folder and it would save me having to manually add up all > >>> the scores to find what the total was. Depending on how much over the > >>> threshold it was I decide to do various things such as whitelist them, > >>> tell them to fix their mail system or do nothing :) > >>> > >>> Thanks > >>> > >>> On Wed, 2007-08-29 at 13:42, Julian Field wrote: > >>> > >>> > >>>> -----BEGIN PGP SIGNED MESSAGE----- > >>>> Hash: SHA1 > >>>> > >>>> Each of the sample reports I provide use all the variables available in > >>>> that report. > >>>> If you need any adding, just tell me what you want and where you want to > >>>> use it. > >>>> > >>>> Gareth wrote: > >>>> > >>>> > >>>>> Is there a list of variables that can be used in reports anywhere? > >>>>> I have a look in the book and on wiki but could not find anything. > >>>>> > >>>>> In particular I would like to change the inline spam report so that it > >>>>> also reports the total spamassassin score. > >>>>> > >>>>> Thanks > >>>>> Gareth > >>>>> > >>>>> > >>>>> > >>>>> > >>>> Jules > >>>> > >>>> - -- > >>>> Julian Field MEng CITP > >>>> www.MailScanner.info > >>>> Buy the MailScanner book at www.MailScanner.info/store > >>>> > >>>> Need help customising MailScanner? > >>>> Contact me! > >>>> Need help fixing or optimising your systems? > >>>> Contact me! > >>>> Need help getting you started solving new requirements from your boss? > >>>> Contact me! > >>>> > >>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >>>> > >>>> > >>>> -----BEGIN PGP SIGNATURE----- > >>>> Version: PGP Desktop 9.6.3 (Build 3017) > >>>> Comment: (pgp-secured) > >>>> Charset: ISO-8859-1 > >>>> > >>>> wj8DBQFG1WnKEfZZRxQVtlQRAjOMAKDv3xvdvg4NnszZQfONbjkx7a/KxACgiMtf > >>>> ZAqlgmHz/zYbZd8uuP4VlHI= > >>>> =s2b8 > >>>> -----END PGP SIGNATURE----- > >>>> > >>>> -- > >>>> This message has been scanned for viruses and > >>>> dangerous content by MailScanner, and is > >>>> believed to be clean. > >>>> For all your IT requirements visit www.transtec.co.uk > >>>> > >>>> > >>> > >>> > >> Jules > >> > >> - -- > >> Julian Field MEng CITP > >> www.MailScanner.info > >> Buy the MailScanner book at www.MailScanner.info/store > >> > >> Need help customising MailScanner? > >> Contact me! > >> Need help fixing or optimising your systems? > >> Contact me! > >> Need help getting you started solving new requirements from your boss? > >> Contact me! > >> > >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > >> > >> > >> -----BEGIN PGP SIGNATURE----- > >> Version: PGP Desktop 9.6.3 (Build 3017) > >> Comment: (pgp-secured) > >> Charset: ISO-8859-1 > >> > >> wj8DBQFG1WzEEfZZRxQVtlQRAlCnAKCnSNqx5goX+IwKXK8F+IgWfGc3jwCg+7Gt > >> zJ/GCo6o8GBmLmMx8nzltqk= > >> =bDpY > >> -----END PGP SIGNATURE----- > >> > >> -- > >> This message has been scanned for viruses and > >> dangerous content by MailScanner, and is > >> believed to be clean. > >> For all your IT requirements visit www.transtec.co.uk > >> > > > > > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.3 (Build 3017) > Comment: (pgp-secured) > Charset: ISO-8859-15 > > wj8DBQFG1XpZEfZZRxQVtlQRAiFpAJ9k5bJIxeq83zR8a4VwiIJHjTMfXACeJC3z > G9o7Ewzmqn+55QDHvlYA2Ew= > =GBej > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk From paul.hutchings at mira.co.uk Wed Aug 29 16:23:34 2007 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Wed Aug 29 16:23:37 2007 Subject: missing /usr/lib/MailScanner/clamd-wrapper?! Message-ID: When running update_virus_scanners I get "/usr/lib/MailScanner/clamd-wrapper: No such file or directory" Which is understandable as it isn't there. I'm not sure why I'm seeing it though? Scanning is done through clamd and seems to work fine, though of course this makes me wonder how it can be working when it is also specified for clamd in virus.scanners.conf?! Hope that makes sense! Paul Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378 Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -- MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. From ssilva at sgvwater.com Wed Aug 29 16:39:52 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Aug 29 16:40:04 2007 Subject: list of variables which can be used in reports In-Reply-To: <46D577C3.10705@USherbrooke.ca> References: <1188387826.3776.3.camel@gblades-suse.linguaphone-intranet.co.uk> <46D577C3.10705@USherbrooke.ca> Message-ID: Denis Beauchemin spake the following on 8/29/2007 6:42 AM: > Gareth a ?crit : >> Is there a list of variables that can be used in reports anywhere? >> I have a look in the book and on wiki but could not find anything. >> >> In particular I would like to change the inline spam report so that it >> also reports the total spamassassin score. >> >> Thanks >> Gareth >> >> > Gareth, > > No need to modify MS if you use "$longspamreport" in your report. I > added the following to spam.assassin.prefs.conf and it becomes the new > "$longspamreport": > clear-report-template > report D?tails de l'analyse du message: (_HITS_ points, _REQD_ requis) > report pts nom de la r?gle description > report ---- ---------------------- > -------------------------------------------------- > report _SUMMARY_ > > The _HITS_ prints the total SA score, while _REQD_ prints the required > score. > --OT-- French is such a beautiful looking language! I wish I would have studied better in class. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From cparker at swatgear.com Wed Aug 29 17:24:39 2007 From: cparker at swatgear.com (Chris W. Parker) Date: Wed Aug 29 17:24:42 2007 Subject: Releaseing mail from quarantine (wiki instructions didn't work) Message-ID: <97FD54B5E57A1842AA1A4B232E4761178EEAF4@ati-ex-02.ati.local> Hello, First issue is that I've got an email that is being quarantined because it is claimed to be "nested too deeply". To release it from the quarantine I referred to http://wiki.mailscanner.info/doku.php?id=maq:index#quarantine_management . It says to simply copy the qf/df file pair of the offending email into the outgoing queue. But when I do that nothing happens. The email just sits there in the queue whilst other emails (that are received and found to be clean) come and go through the queue. I finally restarted MailScanner and that seemed to get the message on its way. Which brings me to the second issue... After MailScanner restarted it was quarantined again for the same problem. Back to square one. I'd like to suggest that the wiki be updated with more complete instructions since, unless my system is out of the norm, those instructions very lacking. It doesn't mention the need to restart MailScanner and simply copying the qf/df files to the outgoing queue merely results in the email(s) being quarantined again. So now I'm looking for the rule that caused this email to be quarantined in the first place and the best I could find is: ClamAVmodule Maximum Recursion Level = 8 I raised the max up to 25 and redid the release+restart and the user was able to receive the email. When I checked the .zip it only had one folder with two files. So... file.zip: folder fileA.xls fileB.xls This is hardly 25 levels of nesting. What could cause this to be flagged? Another part in this puzzle is that the message was larger than the "Max Spam Check Size = 150000" limit. Could this be related? Thanks, Chris. From Richard.Frovarp at sendit.nodak.edu Wed Aug 29 17:36:16 2007 From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Wed Aug 29 17:36:19 2007 Subject: Releaseing mail from quarantine (wiki instructions didn't work) In-Reply-To: <97FD54B5E57A1842AA1A4B232E4761178EEAF4@ati-ex-02.ati.local> References: <97FD54B5E57A1842AA1A4B232E4761178EEAF4@ati-ex-02.ati.local> Message-ID: <46D5A080.1030908@sendit.nodak.edu> Chris W. Parker wrote: > Hello, > > First issue is that I've got an email that is being quarantined because > it is claimed to be "nested too deeply". > > To release it from the quarantine I referred to > http://wiki.mailscanner.info/doku.php?id=maq:index#quarantine_management > . It says to simply copy the qf/df file pair of the offending email into > the outgoing queue. But when I do that nothing happens. The email just > sits there in the queue whilst other emails (that are received and found > to be clean) come and go through the queue. I finally restarted > MailScanner and that seemed to get the message on its way. Which brings > me to the second issue... After MailScanner restarted it was quarantined > again for the same problem. Back to square one. > > I'd like to suggest that the wiki be updated with more complete > instructions since, unless my system is out of the norm, those > instructions very lacking. It doesn't mention the need to restart > MailScanner and simply copying the qf/df files to the outgoing queue > merely results in the email(s) being quarantined again. > > Are you sure you copied it to the outgoing queue? MailScanner won't read files out of there. It should only be checking the incoming queue. > > Another part in this puzzle is that the message was larger than the "Max > Spam Check Size = 150000" limit. Could this be related? > That should cause the message to be skipped from being checked for spam by SA. Sounds like it probably was as ClamAV is what was triggering on this message. From MailScanner at ecs.soton.ac.uk Wed Aug 29 17:36:55 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 29 17:37:15 2007 Subject: missing /usr/lib/MailScanner/clamd-wrapper?! In-Reply-To: References: Message-ID: <46D5A0A7.40107@ecs.soton.ac.uk> You have an out-of-date virus.scanners.conf file. clamd-wrapper doesn't exist any more. Paul Hutchings wrote: > When running update_virus_scanners I get > "/usr/lib/MailScanner/clamd-wrapper: No such file or directory" > > Which is understandable as it isn't there. I'm not sure why I'm seeing > it though? > > Scanning is done through clamd and seems to work fine, though of course > this makes me wonder how it can be working when it is also specified for > clamd in virus.scanners.conf?! > > Hope that makes sense! > > Paul > > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378 > Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Wed Aug 29 17:44:41 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 29 17:45:01 2007 Subject: Releaseing mail from quarantine (wiki instructions didn't work) In-Reply-To: <97FD54B5E57A1842AA1A4B232E4761178EEAF4@ati-ex-02.ati.local> References: <97FD54B5E57A1842AA1A4B232E4761178EEAF4@ati-ex-02.ati.local> Message-ID: <46D5A279.8000906@ecs.soton.ac.uk> Once you've copied the message into the *outgoing* queue, it won't get re-read by MailScanner, but you need to tell sendmail to make a delivery attempt on the message, or else it will just get processed the next time the queue runner passes it in the queue. Read the docs for "sendmail -q". If you don't like the instructions on the wiki, please expand them! But you do *not* need to restart MailScanner to flush the outgoing queue, what you are seeing is a side-effect. If you want to try to flush every message in the queue, do "sendmail -q". If you know that the message you are trying to flush contains "01234" in its filename, you can do "sendmail -qI01234" and it will just flush that message. Chris W. Parker wrote: > Hello, > > First issue is that I've got an email that is being quarantined because > it is claimed to be "nested too deeply". > > To release it from the quarantine I referred to > http://wiki.mailscanner.info/doku.php?id=maq:index#quarantine_management > . It says to simply copy the qf/df file pair of the offending email into > the outgoing queue. But when I do that nothing happens. The email just > sits there in the queue whilst other emails (that are received and found > to be clean) come and go through the queue. I finally restarted > MailScanner and that seemed to get the message on its way. Which brings > me to the second issue... After MailScanner restarted it was quarantined > again for the same problem. Back to square one. > > I'd like to suggest that the wiki be updated with more complete > instructions since, unless my system is out of the norm, those > instructions very lacking. It doesn't mention the need to restart > MailScanner and simply copying the qf/df files to the outgoing queue > merely results in the email(s) being quarantined again. > > > So now I'm looking for the rule that caused this email to be quarantined > in the first place and the best I could find is: > > ClamAVmodule Maximum Recursion Level = 8 > > I raised the max up to 25 and redid the release+restart and the user was > able to receive the email. When I checked the .zip it only had one > folder with two files. > > So... > > file.zip: > folder > fileA.xls > fileB.xls > > This is hardly 25 levels of nesting. What could cause this to be > flagged? > > Another part in this puzzle is that the message was larger than the "Max > Spam Check Size = 150000" limit. Could this be related? > > > > Thanks, > Chris. > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From cparker at swatgear.com Wed Aug 29 18:44:32 2007 From: cparker at swatgear.com (Chris W. Parker) Date: Wed Aug 29 18:44:34 2007 Subject: Releaseing mail from quarantine (wiki instructions didn't work) References: <97FD54B5E57A1842AA1A4B232E4761178EEAF4@ati-ex-02.ati.local> <46D5A279.8000906@ecs.soton.ac.uk> Message-ID: <97FD54B5E57A1842AA1A4B232E4761178EEAF6@ati-ex-02.ati.local> On Wednesday, August 29, 2007 9:45 AM Julian Field said: > Once you've copied the message into the *outgoing* queue, it won't get > re-read by MailScanner, but you need to tell sendmail to make a > delivery attempt on the message, or else it will just get processed > the next time the queue runner passes it in the queue. Read the docs > for "sendmail -q". > > If you don't like the instructions on the wiki, please expand them! > But you do *not* need to restart MailScanner to flush the outgoing > queue, what you are seeing is a side-effect. If you want to try to > flush every message in the queue, do "sendmail -q". If you know that > the message you are trying to flush contains "01234" in its filename, > you can do "sendmail -qI01234" and it will just flush that message. Thanks Julian. I didn't realize the wiki was open to everyone so I will note all these things there. Chris. From cparker at swatgear.com Wed Aug 29 18:45:52 2007 From: cparker at swatgear.com (Chris W. Parker) Date: Wed Aug 29 18:45:56 2007 Subject: Releaseing mail from quarantine (wiki instructions didn't work) References: <97FD54B5E57A1842AA1A4B232E4761178EEAF4@ati-ex-02.ati.local> <46D5A279.8000906@ecs.soton.ac.uk> Message-ID: <97FD54B5E57A1842AA1A4B232E4761178EEAF7@ati-ex-02.ati.local> Julian, What about this part? >> ClamAVmodule Maximum Recursion Level = 8 >> >> I raised the max up to 25 and redid the release+restart and the user >> was able to receive the email. When I checked the .zip it only had >> one folder with two files. >> >> So... >> >> file.zip: >> folder >> fileA.xls >> fileB.xls >> >> This is hardly 8 levels of nesting. What could cause this to be >> flagged? Are there any insights you can add to this? Thanks, Chris. From MailScanner at ecs.soton.ac.uk Wed Aug 29 19:14:38 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Aug 29 19:15:02 2007 Subject: Releaseing mail from quarantine (wiki instructions didn't work) In-Reply-To: <97FD54B5E57A1842AA1A4B232E4761178EEAF7@ati-ex-02.ati.local> References: <97FD54B5E57A1842AA1A4B232E4761178EEAF4@ati-ex-02.ati.local> <46D5A279.8000906@ecs.soton.ac.uk> <97FD54B5E57A1842AA1A4B232E4761178EEAF7@ati-ex-02.ati.local> Message-ID: <46D5B78E.8000208@ecs.soton.ac.uk> Chris W. Parker wrote: > Julian, > > What about this part? > > >>> ClamAVmodule Maximum Recursion Level = 8 >>> >>> I raised the max up to 25 and redid the release+restart and the user >>> was able to receive the email. When I checked the .zip it only had >>> one folder with two files. >>> >>> So... >>> >>> file.zip: >>> folder >>> fileA.xls >>> fileB.xls >>> >>> This is hardly 8 levels of nesting. What could cause this to be >>> flagged? >>> > > Are there any insights you can add to this? > If it's a ClamAVmodule setting, it's just something I pass into the scanner. If there's a bug in ClamAVmodule causing this to be incorrectly interpreted, that ain't my problem :-) Maximum Archive Depth is my problem, so if that is working wrong then do tell me. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From maillists at conactive.com Wed Aug 29 21:31:35 2007 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Aug 29 21:31:38 2007 Subject: MailScanner via Yum (CentOS) In-Reply-To: References: Message-ID: short version: yum install clamav clamav-db --enablerepo=rpmforge for SA: yum install perl-Digest-SHA1 perl-Net-DNS perl-Archive-Tar perl-IO-Zlib yum install --enablerepo=rpmforge perl-Encode-Detect perl-Mail-SPF perl-IP-Country perl-Mail-DKIM perl-Net-Ident for MailScanner: yum install --enablerepo=rpmforge perl-Archive-Zip perl-Convert-BinHex perl-Convert-TNEF perl-DBD-SQLite perl-Filesys-Df perl-IO-stringy perl-MIME-tools perl-Net-CIDR perl-Sys-Hostname-Long install SA (from their latest tarball) unpack the rpm-install tarball for Mailscanner, cd to it and rpm -ivh tnef-*.i386.rpm rpm -ivh mailscanner-*.noarch.rpm configure to your needs Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Wed Aug 29 22:31:28 2007 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Aug 29 22:31:31 2007 Subject: MailScanner via Yum (CentOS) In-Reply-To: <20070828150932.GD21971@fini.net> References:

Finally the real thing- no more ripoffs!

Enhancement Patches are hot right now, VERY hot! Unfortunately, most are cheap imitiations and do very little to increase your size and stamina. Well this is the real thing, not an imitation! One of the very originals, the absolutely strongest Patch available, anywhere!

Check out the site for more info TODAY, you'll be glad you did ;)

Finally the real thing- no more ripoffs!

Enhancement Patches are hot right now, VERY hot! Unfortunately, most are cheap imitiations and do very little to increase your size and stamina. Well this is the real thing, not an imitation! One of the very originals, the absolutely strongest Patch available, anywhere!

Check out the site for more info TODAY, you'll be glad you did ;)

Find out more about Pet Doctors at MailScanner has detected a possible fraud attempt from "www.petdoctors.co.uk" claiming to be www.petdoctors.co.uk

Enhancement Patches are hot right now, VERY hot!

Unfortunately, most are cheap imitiations and do very little to increase your size and stamina.

Well this is the real thing, not an imitation!

One of the very originals, the absolutely strongest Patch available, anywhere!

Enhancement Patches are hot right now, VERY hot!

Unfortunately, most are cheap imitiations and do very little to increase your size and stamina.

Well this is the real thing, not an imitation!

One of the very originals, the absolutely strongest Patch available, anywhere!