From holger at gebhardweb.de Sun Jul 1 00:16:56 2007 
From: holger at gebhardweb.de (Holger Gebhard)
Date: Sun Jul 1 00:17:06 2007
Subject: AW: Fake User-Agent on PDF -- WARNING!
In-Reply-To: <4686C87A.1060800@ecs.soton.ac.uk>
References: <46868B9E.2050409@ecs.soton.ac.uk> <46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk> <4686C87A.1060800@ecs.soton.ac.uk>
Message-ID: <007901c7bb6c$c0dcdaf0$429690d0$@de>

I wrote a very simple regex to catch the pdf-spams until other rules are
available (more than 15.000 pdf-spams today) ;-)

The regex is not very fast but still works:

full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
describe PDF_ONLY_SPAM PDF only Message, no text in message body
score PDF_ONLY_SPAM 1.0

This rule matches only messages with specific encodings, pdf attachments and
no text in message body. Works fine with no false positives until today.

Regards
Holger

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Julian Field
Sent: Saturday, 30 June 2007 23:18
To: MailScanner discussion
Subject: Re: Fake User-Agent on PDF -- WARNING!

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Turns out this is not an illegal version number at all, it's perfectly valid.
So I strongly advise against using any rule based on this version number :-(

bother :(

Jules.

Julian Field wrote:
> * PGP Signed: 06/30/07 at 21:10:58
>
>
>
> Alex Broens wrote:
>> On 6/30/2007 6:58 PM, Julian Field wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>>
>>>
>>> Hugo van der Kooij wrote:
>>>> Hi,
>>>>
>>>> So far all SPAM PDF files that did not get killed on other issues
>>>> seem to use a fake User-Agent header: User-Agent: Thunderbird
>>>> 1.5.0.12 (Windows/20070509)
>>>>
>>>> According to
>>>> http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.12.html the
>>>> release date is impossible however.
>>>>
>>>> I have not written a SA rule (yet). I wrote a detectline in my
>>>> header checks of postfix:
>>>> /^User-Agent: Thunderbird 1.5.0.12 \(Windows/20070509\)/
>>>> REJECT This is a fake version of Thunderbird
>>> Here's a SA rule that will do the same thing:
>>> header JKF_FAKE_TBIRD User-Agent =~ /Thunderbird 1.5.0.12 \(Windows\/20070509\)/
>>> describe JKF_FAKE_TBIRD Fake version of Thunderbird
>>> score JKF_FAKE_TBIRD 1.5
>>>
>>
>> Jules,
>>
>> /Thunderbird 1\.5\.0\.12\(Windows\/20070509\)/
>>
>> forgot to escape periods?
> Yes, agreed. But it's not very important. A version of the rule that
> accepts 1-5-0-12 is fine too, that's certainly a fake Thunderbird
> version number! :-)
>
> Jules
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGhsh7EfZZRxQVtlQRApDXAKCBXXaMud5aMvC5l6iiT6bj5JZc8ACgks5S
rMGjfeZFOyLwjmauVhOpqYc=
=kdEn
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From hvdkooij at vanderkooij.org Sun Jul 1 04:08:16 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Jul 1 04:09:20 2007
Subject: Fake User-Agent on PDF -- WARNING!
In-Reply-To: <223f97700706301547x4466d99diad9fc8d648d8811@mail.gmail.com>
References: <46868B9E.2050409@ecs.soton.ac.uk> <46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk> <4686C87A.1060800@ecs.soton.ac.uk> <223f97700706301547x4466d99diad9fc8d648d8811@mail.gmail.com>
Message-ID:

On Sun, 1 Jul 2007, Glenn Steen wrote:

> On 01/07/07, Hugo van der Kooij wrote:
>> On Sat, 30 Jun 2007, Julian Field wrote:
>>
>> > Turns out this is not an illegal version number at all, it's perfectly
>> > valid.
>> > So I strongly advise against using any rule based on this version number
>> > :-(
>> >
>> > bother :(
>>
>> It just is an odd combination of a version with a timestamp 20070509 and a
>> release date online of 2007-05-30. It is a sure thing to put someone off
>> like that.
>>
>> Common guys. No messing with my birthday.
> You're quite an advanced admin/user for a newborn....:-D.
>
> Have you done any form of count on the occurrence of this suspect
> combo? You mentioned not having counted/checked them all IIRC.

The odd thing was that relatively few of the SPAM messages are left between
spam and high spam. Those get side tracked. These were all messages
containing PDF files and originating from all over the world. Including a
correctly signed gmail one but they all contained the same User-Agent.

I then checked the release notes for TB 1.5.0.12 and noticed it was only
released a month ago. But the date stamp in the header seems to indicate the
version is weeks older. Which to me sounded very much like foul play.

There is still foul play at hand or I would not get these SPAM messages to
non existing users. (that is I did add adam@, anna@, .... to a trapdoor
account as it is abused a lot while there were never such accounts here.)

But it is more likely that some backdoor is using TB to do the dirty work.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From glenn.steen at gmail.com Sun Jul 1 04:30:23 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Jul 1 04:30:25 2007
Subject: Doubts about PF, what are the pros/cons about other MTAs?
In-Reply-To: <4686DCC5.9050208@syska.dk>
References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk>
Message-ID: <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com>

On 01/07/07, Mikael Syska wrote:
> Hey,
>
> Julian Field wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> >
> > Mikael Syska wrote:
> >
> >> [snip]
> >> I think I'm convinced now ... I'm going to use postfix, since no real
> >> arguments against it have been made.
> >>
> >> Thanks for the time guys.
> >>
> > I'm going to release a new stable version tomorrow which includes the
> > recent Postfix bugfix to do with its milter support.
> > If you can't wait till tomorrow, then it's already on the website,
> > you'll just have to guess the URL for 4.61.7-1 :-)
> >
> I can wait ... I won't begin on the server until tuesday ... So no
> problems there.
>
> Can't wait to get my hands dirty converting the old amavisd-new setup
> ... some other dude had setup it up, and it's a real pain to figure out ...
>
> Btw, read on a page on the internet where a person said that MS did not
> use the resources very good cause it's spawning a new process for every
> mail and afterwards closing it. amavisd-new also did that in the start
> but changed over to daemon style ... so it's not spawning a new process
> every time ...
> Is there something about this, or did the guy just not like MS ?
> and if there are something about it ... will MS be changed to spawn
> daemons ?
> what are the pros/cons against it ?
>
Don't believe everything said on the net....:)
MS runs a master and several worker children, which all (incidentally)
work in a daemon-like fashion, and these children will take turns
popping messages from the queue ... They will take as many messages as
necessary to form a batch (1 -> ...many messages) and work on these in
a "group" way... So no "single process for every message" there:-).
The worker children might in turn spawn children to run specific
functions, like AV etc, but they will still work on the whole batch as
such.

Very efficient, very slick.

Of course, as with most things in MS, you can configure the amount of
workers to prespawn, as well as most any aspect of the process...
You'll see, once you start using it;)

What motive the person stating the "one process/mail" thing has, I
surely can't speculate about... But it isn't correct. That much is for
certain.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From hvdkooij at vanderkooij.org Sun Jul 1 04:55:39 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Jul 1 04:56:40 2007
Subject: Doubts about PF, what are the pros/cons about other MTAs?
In-Reply-To: <4686DCC5.9050208@syska.dk>
References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk>
Message-ID:

On Sun, 1 Jul 2007, Mikael Syska wrote:

> Can't wait to get my hands dirty converting the old amavisd-new setup ...
> some other dude had setup it up, and it's a real pain to figure out ...

I find amavisd rather counter intuitive. Even with a reasonable knowledge of
perl at hand.

> Btw, read on a page on the internet where a person said that MS did not use
> the resources very good cause it's spawning a new process for every mail and
> afterwards closing it. amavisd-new also did that in the start but changed
> over to daemon style ... so it's not spawning a new process every time ...
> Is there something about this, or did the guy just not like MS ?
> and if there are something about it ... will MS be changed to spawn daemons ?
> what are the pros/cons against it

Amavis has even more issues with the spawning of tasks as each message is
handled separately and for each it will fire up the scanner manually.

Just for fun fire 5 messages with a 10 MB ZIP file and each ZIP file
containing like 10k files each on a Barracuda. Then do the same on a
MailScanner system. (Barracuda uses amavisd among other things.) See which
one lives happily ever after.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From MailScanner at ecs.soton.ac.uk Sun Jul 1 11:42:49 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 1 11:44:31 2007
Subject: MailScanner ANNOUNCE: stable 4.61 released
Message-ID: <46878529.5070707@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have just released a new version of MailScanner, stable version 4.61.7.

The main new things this month are:
- - Direct support for clamd, for extra speed.
- - Bug fixes in the attachments auto-zip feature introduced last month.
- - Bug fixes in the support for Postfix milters.

Download as usual from www.mailscanner.info.

The full change log is:

* New Features and Improvements *
1 Direct support for the "clamd" virus scanner -- now talks directly to the
  clamd daemon without any overhead of calling clamd-wrapper or clamdscan.
  As a result, this should be faster than the previous clamd support. It
  also has a much smaller memory footprint than the "clamavmodule" scanner.
  This is all thanks to Rick Cooper who wrote the original code.
  New configuration options are
  - Clamd Port = 3310
  - Clamd Socket = /tmp/clamd
  - Clamd Lock File = /var/lock/subsys/clamd
  - Clamd Use Threads = no
  The use of these settings is explained in the MailScanner.conf file.
2 Changed session handling in direct clamd virus scanner support.
3 'MailScanner --lint' now finds clamd virus scanner.
3 Made clamd subsys lock file blank by default, so it works on non-Linux
  systems.
3 Added another example to the Allowed Sophos Error Messages setting for
  password-protected files.
4 Renamed "sa-update" command and cron job to "update_spamassassin".
4 Added ability to easily disable update_virus_scanners script.
4 Added conditional call to sa-compile to update_spamassassin cron job.
4 Added to $PATH in update_phishing_sites for Solaris 10 locations.
5 Watermarking functionality has had to be withdrawn due to patent issues.
  Sorry about this, but it would cause huge problems in the USA where
  software patents are legally enforceable and it would cause problems with
  including patented code in GPL software too.
6 Added facility to change SpamAssassin's temporary working files directory,
  using the new option 'SpamAssassin Temporary Dir'. By default this is put
  under the Incoming Work Dir location, as that is (hopefully) mounted using
  tmpfs. If an attempt to use this directory fails, it reverts to /tmp.
7 Fixed bug in finding PERL5LIB in installers. Thanks to Sean Coleman.

* Fixes *
2 Fixed bug in auto-zip feature with a message containing 2 attachments with
  the same filename.
2 Fixed bug in auto-zip feature that would allow zipping of an attachment
  which had been cleaned out of the message.
3 Fixed "identified/found" bug in AVG parser.
3 Fixed bugs in Panda and AVG parsers courtesy of Rick Cooper.
3 Fixed bug in Postfix handler which caused a problem with empty messages.
4 Fixed bug in SuSE init.d script stopping MailScanner reload working
  properly.
4 Changed method for getting MCP to decode binary attachments (the
  interesting ones have "application" in their MIME type). New patch for
  SpamAssassin 3.2.1 Util.pm required now. No other SpamAssassin patches
  required at all.
4 Added definition of "noticesizeinfected" to languages.conf.
4 Added speedup (courtesy of Glenn Steen) to the new Postfix milter support.
4 Fixed rare bug in Postfix milter header support (from Glenn Steen).
5 Fixed problems with /usr/sbin/update_spamassassin not calling sa-update.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGh4UzEfZZRxQVtlQRAhseAKDZb7K3zuDXjs8Cj51hUxnkFgFKigCeN7rI
iDHrxy7/khtdYYhuYd2LiOc=
=3VyR
-----END PGP SIGNATURE-----

From mikael at syska.dk Sun Jul 1 12:04:33 2007
From: mikael at syska.dk (Mikael Syska)
Date: Sun Jul 1 12:04:29 2007
Subject: Doubts about PF, what are the pros/cons about other MTAs?
In-Reply-To: <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com>
References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk> <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com>
Message-ID: <46878A41.9070100@syska.dk>

Glenn Steen wrote:
> On 01/07/07, Mikael Syska wrote:
>> Hey,
>>
>> Julian Field wrote:
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA1
>> >
>> >
>> >
>> > Mikael Syska wrote:
>> >
>> >> [snip]
>> >> I think I'm convinced now ... I'm going to use postfix, since no real
>> >> arguments against it have been made.
>> >>
>> >> Thanks for the time guys.
>> >>
>> > I'm going to release a new stable version tomorrow which includes the
>> > recent Postfix bugfix to do with its milter support.
>> > If you can't wait till tomorrow, then it's already on the website,
>> > you'll just have to guess the URL for 4.61.7-1 :-)
>> >
>> I can wait ... I won't begin on the server until tuesday ... So no
>> problems there.
>>
>> Can't wait to get my hands dirty converting the old amavisd-new setup
>> ... some other dude had setup it up, and it's a real pain to figure
>> out ...
>>
>> Btw, read on a page on the internet where a person said that MS did not
>> use the resources very good cause it's spawning a new process for every
>> mail and afterwards closing it. amavisd-new also did that in the start
>> but changed over to daemon style ... so it's not spawning a new process
>> every time ...
>> Is there something about this, or did the guy just not like MS ?
>> and if there are something about it ... will MS be changed to spawn
>> daemons ?
>> what are the pros/cons against it ?
>>
> Don't believe everything said on the net....:)
> MS runs a master and several worker children, which all (incidentally)
> work in a daemon-like fashion, and these children will take turns
> popping messages from the queue ... They will take as many messages as
> necessary to form a batch (1 -> ...many messages) and work on these in
> a "group" way... So no "single process for every message" there:-).
> The worker children might in turn spawn children to run specific
> functions, like AV etc, but they will still work on the whole batch as
> such.
So whenever MS checks the mailqueue it takes all the mails in the queue,
and runs a batch against them ? and then again in x seconds with a new
batch, taking mail that haven't been handled?
> Very efficient, very slick.
If the above is right, this seems like it's using the resources better
than amavisd-new maybe, but these days Ram and harddrives are very
cheap, so if it just runs fast, i'm happy.
> Of course, as with most things in MS, you can configure the amount of
> workers to prespawn, as well as most any aspect of the process...
> You'll see, once you start using it;)
Think this cleared any doubts i had.
>
> What motive the person stating the "one process/mail" thing has, I
> surely can't speculate about... But it isn't correct. That much is for
> certain.
Can't say, lost the url... but if one process can handle multiple mails
in the same run, it sounds great.
>
> Cheers

// Mikael Syska

From glenn.steen at gmail.com Sun Jul 1 13:17:05 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Jul 1 13:17:08 2007
Subject: Doubts about PF, what are the pros/cons about other MTAs?
In-Reply-To: <46878A41.9070100@syska.dk>
References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk> <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com> <46878A41.9070100@syska.dk>
Message-ID: <223f97700707010517lf2aeac4tb81e2a7f282512a3@mail.gmail.com>

On 01/07/07, Mikael Syska wrote:
> Glenn Steen wrote:
> > On 01/07/07, Mikael Syska wrote:
> >> Hey,
> >>
> >> Julian Field wrote:
> >> > -----BEGIN PGP SIGNED MESSAGE-----
> >> > Hash: SHA1
> >> >
> >> >
> >> >
> >> > Mikael Syska wrote:
> >> >
> >> >> [snip]
> >> >> I think I'm convinced now ... I'm going to use postfix, since no real
> >> >> arguments against it have been made.
> >> >>
> >> >> Thanks for the time guys.
> >> >>
> >> > I'm going to release a new stable version tomorrow which includes the
> >> > recent Postfix bugfix to do with its milter support.
> >> > If you can't wait till tomorrow, then it's already on the website,
> >> > you'll just have to guess the URL for 4.61.7-1 :-)
> >> >
> >> I can wait ... I won't begin on the server until tuesday ... So no
> >> problems there.
> >>
> >> Can't wait to get my hands dirty converting the old amavisd-new setup
> >> ... some other dude had setup it up, and it's a real pain to figure
> >> out ...
> >>
> >> Btw, read on a page on the internet where a person said that MS did not
> >> use the resources very good cause it's spawning a new process for every
> >> mail and afterwards closing it. amavisd-new also did that in the start
> >> but changed over to daemon style ... so it's not spawning a new process
> >> every time ...
> >> Is there something about this, or did the guy just not like MS ?
> >> and if there are something about it ... will MS be changed to spawn
> >> daemons ?
> >> what are the pros/cons against it ?
> >>
> > Don't believe everything said on the net....:)
> > MS runs a master and several worker children, which all (incidentally)
> > work in a daemon-like fashion, and these children will take turns
> > popping messages from the queue ... They will take as many messages as
> > necessary to form a batch (1 -> ...many messages) and work on these in
> > a "group" way... So no "single process for every message" there:-).
> > The worker children might in turn spawn children to run specific
> > functions, like AV etc, but they will still work on the whole batch as
> > such.
> So whenever MS checks the mailqueue it takes all the mails in the queue,
> and runs a batch against them ? and then again in x seconds with a new
> batch, taking mail that haven't been handled?
It's clever enough to keep track of which items is handled by some
other worker, so ... Yes, it will only handle new items... It might
look a bit strange when you have "New batch: Found 28 messages in
queue" and then followed by running a batch with only one or two
messages, but this is because other workers are handling the other
queued messages.
The decoupling of the scanning process from the SMTP transaction(s) and
the batch strategy are some of the design decisions Jules made that
really make things fly with MS.

> > Very efficient, very slick.
> If the above is right, this seems like it's using the resources better
> than amavisd-new maybe, but these days Ram and harddrives are very
> cheap, so if it just runs fast, i'm happy.
Resource efficiency is one of the high points of MS... The activity of
spam/av-scanning is resource hungry, by definition, so ... be happy
that MailScanner is so cleverly come together;-).

> > Of course, as with most things in MS, you can configure the amount of
> > workers to prespawn, as well as most any aspect of the process...
> > You'll see, once you start using it;)
> Think this cleared any doubts i had.
Good.
When you set this up, there is a lot of good stuff in the MailScanner
wiki... Specifics for MS+PF... and very much generally good advice in
the MAQ (although since the faq-o-matic (old MAQ) has died again, some
of the links in the new MAQ is plain dead). So have a long hard look
at http://wiki.mailscanner.info, especially the
documentation:configuration:mta:postfix subpages (look at the index to
find them).

> >
> > What motive the person stating the "one process/mail" thing has, I
> > surely can't speculate about... But it isn't correct. That much is for
> > certain.
> Can't say, lost the url... but if one process can handle multiple mails
> in the same run, it sounds great.
Yep. It *is* great;-)
With MS, you can build the best darned email scanning system you can
imagine, and in some cases.... you couldn't even imagine how good
it'd be:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Sun Jul 1 13:17:44 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 1 13:20:44 2007
Subject: Doubts about PF, what are the pros/cons about other MTAs?
In-Reply-To: <46878A41.9070100@syska.dk>
References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk> <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com> <46878A41.9070100@syska.dk>
Message-ID: <46879B68.2000108@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mikael Syska wrote:
> Glenn Steen wrote:
>> On 01/07/07, Mikael Syska wrote:
>>> Hey,
>>>
>>> Julian Field wrote:
>>> > -----BEGIN PGP SIGNED MESSAGE-----
>>> > Hash: SHA1
>>> >
>>> >
>>> >
>>> > Mikael Syska wrote:
>>> >
>>> >> [snip]
>>> >> I think I'm convinced now ... I'm going to use postfix, since no
>>> real
>>> >> arguments against it have been made.
>>> >>
>>> >> Thanks for the time guys.
>>> >>
>>> > I'm going to release a new stable version tomorrow which includes the
>>> > recent Postfix bugfix to do with its milter support.
>>> > If you can't wait till tomorrow, then it's already on the website,
>>> > you'll just have to guess the URL for 4.61.7-1 :-)
>>> >
>>> I can wait ... I won't begin on the server until tuesday ... So no
>>> problems there.
>>>
>>> Can't wait to get my hands dirty converting the old amavisd-new setup
>>> ... some other dude had setup it up, and it's a real pain to figure
>>> out ...
>>>
>>> Btw, read on a page on the internet where a person said that MS did not
>>> use the resources very good cause it's spawning a new process for every
>>> mail and afterwards closing it. amavisd-new also did that in the start
>>> but changed over to daemon style ... so it's not spawning a new process
>>> every time ...
>>> Is there something about this, or did the guy just not like MS ?
>>> and if there are something about it ... will MS be changed to spawn
>>> daemons ?
>>> what are the pros/cons against it ?
>>>
>> Don't believe everything said on the net....:)
>> MS runs a master and several worker children, which all (incidentally)
>> work in a daemon-like fashion, and these children will take turns
>> popping messages from the queue ... They will take as many messages as
>> necessary to form a batch (1 -> ...many messages) and work on these in
>> a "group" way... So no "single process for every message" there:-).
>> The worker children might in turn spawn children to run specific
>> functions, like AV etc, but they will still work on the whole batch as
>> such.
> So whenever MS checks the mailqueue it takes all the mails in the
> queue, and runs a batch against them ? and then again in x seconds with
> a new batch, taking mail that haven't been handled?
It only waits at all if there were no messages available. So any mail in
the queue is processed immediately. But otherwise you've just about got
it, yes. On a busy system, it will just go round without waiting at all
as there will (pretty much) always be mail in the queue. And there are
multiple processes doing the same thing. They are started with a delay
between each one in the hope that there will always be 1 process very
close to checking for new messages, despite what the others are doing.

The net result is that the processes are always at different stages of
handling a batch, so that all the resources available are being used all
the time. Some bits are very processor-intensive, some network-intensive
and some memory-intensive. Everything gets used all the time as
different processes are at different stages of processing each batch.

This can result in high "load average" figures on a busy server, and
this is perfectly normal and to be expected. A high "load average"
doesn't mean it's being over-worked. Load averages of 10 to 15 are just
fine. If you don't agree with that statement, read up on what the load
average figure actually means, it's not just CPU.
>
>> Very efficient, very slick.
> If the above is right, this seems like it's using the resources better
> than amavisd-new maybe, but these days Ram and harddrives are very
> cheap, so if it just runs fast, i'm happy.
I would recommend normally 1GB ram per CPU.
>> Of course, as with most things in MS, you can configure the amount of
>> workers to prespawn, as well as most any aspect of the process...
>> You'll see, once you start using it;)
> Think this cleared any doubts i had.
Good.
>>
>> What motive the person stating the "one process/mail" thing has, I
>> surely can't speculate about... But it isn't correct. That much is for
>> certain.
> Can't say, lost the url... but if one process can handle multiple
> mails in the same run, it sounds great.
The idea of the batches is that there is a certain cost overhead in
handling each batch, regardless of the number of messages in the batch.
Starting up the virus scanner is a very good example, as it takes time
to load the signatures, which makes scanning 2 files take only slightly
longer than scanning 1 file.

The net result is that MailScanner's efficiency _improves_ as the load
increases, as that makes the batches bigger.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGh5tvEfZZRxQVtlQRAj8+AJ9jR1t4Dub/RpDEUdk09JNYTqBDLgCgztiT
AYm/7h9oD/lbiGYCObgQl4M=
=kCJU
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Sun Jul 1 13:48:23 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jul 1 13:51:00 2007 Subject: Doubts about PF, what are the pros/cons about other MTAs? In-Reply-To: <223f97700707010517lf2aeac4tb81e2a7f282512a3@mail.gmail.com> References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk> <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com> <46878A41.9070100@syska.dk> <223f97700707010517lf2aeac4tb81e2a7f282512a3@mail.gmail.com> Message-ID: <4687A297.1090509@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn, you make me blush :-) Glenn Steen wrote: > On 01/07/07, Mikael Syska wrote: >> Glenn Steen wrote: >> > On 01/07/07, Mikael Syska wrote: >> >> Hey, >> >> >> >> Julian Field wrote: >> >> > -----BEGIN PGP SIGNED MESSAGE----- >> >> > Hash: SHA1 >> >> > >> >> > >> >> > >> >> > Mikael Syska wrote: >> >> > >> >> >> [snip] >> >> >> I think I'm convinced now ... I'm going to use postfix, since >> no real >> >> >> arguments againts it have been made. >> >> >> >> >> >> Thanks for the time guys. >> >> >> >> >> > I'm going to release a new stable version tomorrow which >> includes the >> >> > recent Postfix bugfix to do with its milter support. >> >> > If you can't wait till tomorrow, then it's already on the website, >> >> > you'll just have to guess the URL for 4.61.7-1 :-) >> >> > >> >> I can wait ... I wont begin on the server until tuesday ... So no >> >> problems there. >> >> >> >> Can't wait to get my hands dirty converting the old amavisd-new setup >> >> ... some other dude had setup it up, and its a real pain to figure >> >> out ... >> >> >> >> Btw, read on a page on the internet where a person said that MS >> did not >> >> use the resources very good cause its spawning a new process for >> every >> >> mail and afterwards closing it. amavisd-new also did that in the >> start >> >> but changed over to daemon style ... 
so its not spawning a new proces >> >> every time ... >> >> Is there something about this, or did the guy just not like MS ? >> >> and if there are something about it ... will MS be changed to spawn >> >> daemons ? >> >> what are the pros/cons agints it ? >> >> >> > Don't belieeve everything said on the net....:) >> > MS runs a master and several worker children, which all (incidentally) >> > work in a daemon-like fashion, and these children will take turns >> > popping messages from the queue ... They will take as many messages as >> > necessary to form a batch (1 -> ...many messages) and work on these in >> > a "group" way... So no "single process for every message" there:-). >> > The worker children might in turn spawn children to run specific >> > functions, like AV etc, but they will still work on the whole batch as >> > such. >> So whenever MS checks the mailqueue it takes all the mails in the queue, >> and runs a batch agains them ? and then again in x seconds with a new >> batch, taking mail that havent been handled? > It's clever enough to keep track of which items is handled by some > other worker, so ... Yes, it will only handle new items... It might > look a bit strange when you have "New batch: Found 28 messages in > queue" and then followed by running a batch with only one or two > messages, but this is because other workers are handling the other > queued messages. > The decoupling of the scanning process fromthe SMTP transaction(s) and > the batch strategy are some of the design decisions Jules made that > really make things fly with MS. > >> > Very efficient, very slick. >> If the above is right, this seems like its using the resources better >> than amavisd-new maybe, but theese days Ram and harddrives are very >> cheap, so if it just runs fast, i'm happy. > Resource efficiency is one of the high points of MS... The activity of > spam/av-scanning is resource hungry, by definition, so ... be happy > that MailScanner is so cleverly come together;-). 
>
>> > Of course, as with most things in MS, you can configure the amount of
>> > workers to prespawn, as well as most any aspect of the process...
>> > You'll see, once you start using it;)
>> Think this cleared any doubts I had.
> Good.
> When you set this up, there is a lot of good stuff in the MailScanner
> wiki... Specifics for MS+PF... and very much generally good advice in
> the MAQ (although since the faq-o-matic (old MAQ) has died again, some
> of the links in the new MAQ are plain dead). So have a long hard look
> at http://wiki.mailscanner.info, especially the
> documentation:configuration:mta:postfix subpages (look at the index to
> find them).
>
>> >
>> > What motive the person stating the "one process/mail" thing has, I
>> > surely can't speculate about... But it isn't correct. That much is for
>> > certain.
>> Can't say, lost the url... but if one process can handle multiple mails
>> in the same run, it sounds great.
> Yep. It *is* great;-)
> With MS, you can build the best darned email scanning system you can
> imagine, and in some cases.... you couldn't even imagine how good
> it'd be:-)
>
> Cheers

Jules

From darren at serversphere.com Sun Jul 1 18:12:55 2007
From: darren at serversphere.com (Darren Benfer)
Date: Sun Jul 1 18:13:00 2007
Subject: Long Child Startup Times
In-Reply-To: <33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net>
References: <1182844619.26893.2.camel@gblades-suse.linguaphone-intranet.co.uk> <4681C794.7000207@rheelweb.co.nz> <33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net>
Message-ID: <4687E097.7070506@serversphere.com>

Lately it seems like it takes MS children take forever to start up for
some reason, and my server load climbs to 4-5 while they are doing so.
Anyone else experiencing (or experienced) this? Anything I should check
into for a fix? Worked well for about year, but latest update for MS
started this trend.

TIA!
Darren @ Serversphere.com

From nerijusb at dtiltas.lt Sun Jul 1 18:58:55 2007
From: nerijusb at dtiltas.lt (Nerijus Baliunas)
Date: Sun Jul 1 19:00:07 2007
Subject: Long Child Startup Times
In-Reply-To: <4687E097.7070506@serversphere.com>
References: <1182844619.26893.2.camel@gblades-suse.linguaphone-intranet.co.uk> <4681C794.7000207@rheelweb.co.nz><33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net> <4687E097.7070506@serversphere.com>
Message-ID: <20070701180003.2F871FF06@mx-a.vdnet.lt>

On Sun, 01 Jul 2007 13:12:55 -0400 Darren Benfer wrote:

> Lately it seems like it takes MS children take forever to start up for
> some reason, and my server load climbs to 4-5 while they are doing so.
> Anyone else experiencing (or experienced) this? Anything I should check
> into for a fix? Worked well for about year, but latest update for MS
> started this trend.

Please provide more info - MailScanner versions before and now, what virus
scanners are used, MTA (sendmail? postfix?) etc.

Regards,
Nerijus

From MailScanner at ecs.soton.ac.uk Sun Jul 1 19:11:54 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 1 19:14:54 2007
Subject: Long Child Startup Times
In-Reply-To: <4687E097.7070506@serversphere.com>
References: <1182844619.26893.2.camel@gblades-suse.linguaphone-intranet.co.uk> <4681C794.7000207@rheelweb.co.nz> <33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net> <4687E097.7070506@serversphere.com>
Message-ID: <4687EE6A.5050603@ecs.soton.ac.uk>

I'll put a tenner on the fact that you are running the latest version of
ClamAV and are using the clamavmodule scanner. It's ClamAV's fault in
that case. The current version takes *forever* to load the signatures.
Fortunately it only has to do this once in each child.

You can fix it by either
1) Download and run the latest release candidate of ClamAV which
   apparently has fixed it. This is the most common solution I have seen.
2) Wait for the new version of ClamAV and not worry about it for now. It
   only affects the startup time of each child, not the actual processing
   speed of ClamAV. This is what I have done.
3) Switch to clamd but make sure you are running something to keep an eye
   on the clamd daemon in case it crashes (I cannot guarantee clamd's
   stability).

Jules.

Darren Benfer wrote:
> Lately it seems like it takes MS children take forever to start up for
> some reason, and my server load climbs to 4-5 while they are doing so.
> Anyone else experiencing (or experienced) this? Anything I should
> check into for a fix? Worked well for about year, but latest update
> for MS started this trend.
>
> TIA!
> Darren @ Serversphere.com

Jules

From hvdkooij at vanderkooij.org Sun Jul 1 19:14:25 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Jul 1 19:15:26 2007
Subject: Long Child Startup Times
In-Reply-To: <20070701180003.2F871FF06@mx-a.vdnet.lt>
References: <1182844619.26893.2.camel@gblades-suse.linguaphone-intranet.co.uk> <4681C794.7000207@rheelweb.co.nz><33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net> <4687E097.7070506@serversphere.com> <20070701180003.2F871FF06@mx-a.vdnet.lt>
Message-ID:

On Sun, 1 Jul 2007, Nerijus Baliunas wrote:

> On Sun, 01 Jul 2007 13:12:55 -0400 Darren Benfer wrote:
>
>> Lately it seems like it takes MS children take forever to start up for
>> some reason, and my server load climbs to 4-5 while they are doing so.
>> Anyone else experiencing (or experienced) this? Anything I should check
>> into for a fix? Worked well for about year, but latest update for MS
>> started this trend.
>
> Please provide more info - MailScanner versions before and now, what virus
> scanners are used, MTA (sendmail? postfix?) etc.

Also run something like top to see which process is in fact consuming
resources.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From mkercher at nfsmith.com Sun Jul 1 20:36:54 2007
From: mkercher at nfsmith.com (Mike Kercher)
Date: Sun Jul 1 20:37:03 2007
Subject: MailScanner ANNOUNCE: stable 4.61 released
In-Reply-To: <46878529.5070707@ecs.soton.ac.uk>
References: <46878529.5070707@ecs.soton.ac.uk>
Message-ID: <441247027D4F274EB760A5F6E1ED9C7E7DA3@houpex02.nfsmith.info>

Is clamd supposed to be faster than the clamavmodule?

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Sunday, July 01, 2007 5:43 AM
To: MailScanner discussion; MailScanner-Announce mailing list list
Subject: MailScanner ANNOUNCE: stable 4.61 released

I have just released a new version of MailScanner, stable version 4.61.7.

The main new things this month are:
- Direct support for clamd, for extra speed.
- Bug fixes in the attachments auto-zip feature introduced last month.
- Bug fixes in the support for Postfix milters.

Download as usual from www.mailscanner.info.

The full change log is:

* New Features and Improvements *
1 Direct support for the "clamd" virus scanner -- now talks directly to the
  clamd daemon without any overhead of calling clamd-wrapper or clamdscan.
  As a result, this should be faster than the previous clamd support.
  It also has a much smaller memory footprint than the "clamavmodule" scanner.
  This is all thanks to Rick Cooper who wrote the original code.
  New configuration options are
  - Clamd Port = 3310
  - Clamd Socket = /tmp/clamd
  - Clamd Lock File = /var/lock/subsys/clamd
  - Clamd Use Threads = no
  The use of these settings is explained in the MailScanner.conf file.
2 Changed session handling in direct clamd virus scanner support.
3 'MailScanner --lint' now finds clamd virus scanner.
3 Made clamd subsys lock file blank by default, so it works on non-Linux
  systems.
3 Added another example to the Allowed Sophos Error Messages setting for
  password-protected files.
4 Renamed "sa-update" command and cron job to "update_spamassassin".
4 Added ability to easily disable update_virus_scanners script.
4 Added conditional call to sa-compile to update_spamassassin cron job.
4 Added to $PATH in update_phishing_sites for Solaris 10 locations.
5 Watermarking functionality has had to be withdrawn due to patent issues.
  Sorry about this, but it would cause huge problems in the USA where
  software patents are legally enforceable and it would cause problems with
  including patented code in GPL software too.
6 Added facility to change SpamAssassin's temporary working files directory,
  using the new option 'SpamAssassin Temporary Dir'. By default this is put
  under the Incoming Work Dir location, as that is (hopefully) mounted using
  tmpfs. If an attempt to use this directory fails, it reverts to /tmp.
7 Fixed bug in finding PERL5LIB in installers. Thanks to Sean Coleman.

* Fixes *
2 Fixed bug in auto-zip feature with a message containing 2 attachments with
  the same filename.
2 Fixed bug in auto-zip feature that would allow zipping of an attachment
  which had been cleaned out of the message.
3 Fixed "identified/found" bug in AVG parser.
3 Fixed bugs in Panda and AVG parsers courtesy of Rick Cooper.
3 Fixed bug in Postfix handler which caused a problem with empty messages.
4 Fixed bug in SuSE init.d script stopping MailScanner reload working
  properly.
4 Changed method for getting MCP to decode binary attachments (the interesting
  ones have "application" in their MIME type). New patch for SpamAssassin 3.2.1
  Util.pm required now. No other SpamAssassin patches required at all.
4 Added definition of "noticesizeinfected" to languages.conf.
4 Added speedup (courtesy of Glenn Steen) to the new Postfix milter support.
4 Fixed rare bug in Postfix milter header support (from Glenn Steen).
5 Fixed problems with /usr/sbin/update_spamassassin not calling sa-update.

Jules

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From MailScanner at ecs.soton.ac.uk Sun Jul 1 21:08:46 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 1 21:11:26 2007
Subject: MailScanner ANNOUNCE: stable 4.61 released
In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E7DA3@houpex02.nfsmith.info>
References: <46878529.5070707@ecs.soton.ac.uk> <441247027D4F274EB760A5F6E1ED9C7E7DA3@houpex02.nfsmith.info>
Message-ID: <468809CE.20808@ecs.soton.ac.uk>

It shouldn't be any different in speed. Not appreciably different, anyhow.
It's there as some people don't like having to depend on a 3rd party
module, Mail::ClamAV, as that had to be modified recently for the new
version of ClamAV.

Personally, I'm going to stick with clamavmodule as then I don't have to
depend upon a daemon not crashing.

Mike Kercher wrote:
> Is clamd supposed to be faster than the clamavmodule?
>
> Mike
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
> Sent: Sunday, July 01, 2007 5:43 AM
> To: MailScanner discussion; MailScanner-Announce mailing list list
> Subject: MailScanner ANNOUNCE: stable 4.61 released
>
> I have just released a new version of MailScanner, stable version 4.61.7.
>
> The main new things this month are:
> - Direct support for clamd, for extra speed.
> - Bug fixes in the attachments auto-zip feature introduced last month.
> - Bug fixes in the support for Postfix milters.
>
> Download as usual from www.mailscanner.info.
>
> The full change log is:
>
> * New Features and Improvements *
> 1 Direct support for the "clamd" virus scanner -- now talks directly to the
>   clamd daemon without any overhead of calling clamd-wrapper or clamdscan.
>   As a result, this should be faster than the previous clamd support.
>   It also has a much smaller memory footprint than the "clamavmodule" scanner.
>   This is all thanks to Rick Cooper who wrote the original code.
>   New configuration options are
>   - Clamd Port = 3310
>   - Clamd Socket = /tmp/clamd
>   - Clamd Lock File = /var/lock/subsys/clamd
>   - Clamd Use Threads = no
>   The use of these settings is explained in the MailScanner.conf file.
> 2 Changed session handling in direct clamd virus scanner support.
> 3 'MailScanner --lint' now finds clamd virus scanner.
> 3 Made clamd subsys lock file blank by default, so it works on non-Linux
>   systems.
> 3 Added another example to the Allowed Sophos Error Messages setting for
>   password-protected files.
> 4 Renamed "sa-update" command and cron job to "update_spamassassin".
> 4 Added ability to easily disable update_virus_scanners script.
> 4 Added conditional call to sa-compile to update_spamassassin cron job.
> 4 Added to $PATH in update_phishing_sites for Solaris 10 locations.
> 5 Watermarking functionality has had to be withdrawn due to patent issues.
>   Sorry about this, but it would cause huge problems in the USA where
>   software patents are legally enforceable and it would cause problems with
>   including patented code in GPL software too.
> 6 Added facility to change SpamAssassin's temporary working files directory,
>   using the new option 'SpamAssassin Temporary Dir'. By default this is put
>   under the Incoming Work Dir location, as that is (hopefully) mounted using
>   tmpfs. If an attempt to use this directory fails, it reverts to /tmp.
> 7 Fixed bug in finding PERL5LIB in installers. Thanks to Sean Coleman.
>
> * Fixes *
> 2 Fixed bug in auto-zip feature with a message containing 2 attachments with
>   the same filename.
> 2 Fixed bug in auto-zip feature that would allow zipping of an attachment
>   which had been cleaned out of the message.
> 3 Fixed "identified/found" bug in AVG parser.
> 3 Fixed bugs in Panda and AVG parsers courtesy of Rick Cooper.
> 3 Fixed bug in Postfix handler which caused a problem with empty messages.
> 4 Fixed bug in SuSE init.d script stopping MailScanner reload working
>   properly.
> 4 Changed method for getting MCP to decode binary attachments (the interesting
>   ones have "application" in their MIME type). New patch for SpamAssassin 3.2.1
>   Util.pm required now. No other SpamAssassin patches required at all.
> 4 Added definition of "noticesizeinfected" to languages.conf.
> 4 Added speedup (courtesy of Glenn Steen) to the new Postfix milter support.
> 4 Fixed rare bug in Postfix milter header support (from Glenn Steen).
> 5 Fixed problems with /usr/sbin/update_spamassassin not calling sa-update.
>
> Jules

Jules

From jan-peter at koopmann.eu Sun Jul 1 21:58:45 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Sun Jul 1 21:58:12 2007
Subject: Freebsd 6 and mailscanner port
In-Reply-To:
References: <20070629195448.GA52188@micron.lacnic.net.uy> <7A5B4051-E836-487A-8E5A-F42DD77820F9@csolve.net> <20070629235020.GA69756@micron.lacnic.net.uy><46864AB5.80005@syska.dk>
Message-ID:

> 1. The port patched some files to get freebsd-specific paths.

Correct. Mainly in -wrapper scripts and the demo/default-configs

> 2. I think "make initial-config" overwrote some of those files
> with unpatched files from the distribution.

All initial-config does is copying the .sample so you get a running
config. The patched files should be left alone.

> Or maybe I was just tired.

I think/hope so. :-)

From glenn.steen at gmail.com Sun Jul 1 22:01:31 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Jul 1 22:01:32 2007
Subject: Long Child Startup Times
In-Reply-To:
References: <1182844619.26893.2.camel@gblades-suse.linguaphone-intranet.co.uk> <4681C794.7000207@rheelweb.co.nz> <33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net> <4687E097.7070506@serversphere.com> <20070701180003.2F871FF06@mx-a.vdnet.lt>
Message-ID: <223f97700707011401xa552eb0ge2bf0caba6aa763f@mail.gmail.com>

On 01/07/07, Hugo van der Kooij wrote:
> On Sun, 1 Jul 2007, Nerijus Baliunas wrote:
>
> > On Sun, 01 Jul 2007 13:12:55 -0400 Darren Benfer wrote:
> >
> >> Lately it seems like it takes MS children take forever to start up for
> >> some reason, and my server load climbs to 4-5 while they are doing so.
> >> Anyone else experiencing (or experienced) this? Anything I should check
> >> into for a fix? Worked well for about year, but latest update for MS
> >> started this trend.
> >
> > Please provide more info - MailScanner versions before and now, what virus
> > scanners are used, MTA (sendmail? postfix?) etc.
>
> Also run something like top to see which process is in fact consuming
> resources.
>
> Hugo.

I'm with Jules on this one, clamav 0.90.something and clamavmodule
will have exactly this effect.
Then again, asking for more info to be able to give better help is
never wrong either....:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sun Jul 1 22:05:00 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Jul 1 22:05:02 2007
Subject: Doubts about PF, what are the pros/cons about other MTAs?
In-Reply-To: <4687A297.1090509@ecs.soton.ac.uk>
References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk> <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com> <46878A41.9070100@syska.dk> <223f97700707010517lf2aeac4tb81e2a7f282512a3@mail.gmail.com> <4687A297.1090509@ecs.soton.ac.uk>
Message-ID: <223f97700707011405md1ac4dg373b969756f926d6@mail.gmail.com>

On 01/07/07, Julian Field wrote:
> Glenn, you make me blush :-)
>

Why? I'm just stating the obvious... That this piece of software is
ingeniously come together, and that I'm a happy customer... Praise
where praise is due, is all.;-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From seamus at rheelweb.co.nz Sun Jul 1 22:29:15 2007
From: seamus at rheelweb.co.nz (Seamus Allan)
Date: Sun Jul 1 22:29:23 2007
Subject: Postfix Address Verification
In-Reply-To: <39526.194.70.180.170.1183109209.squirrel@www.technologytiger.net>
References: <1182844619.26893.2.camel@gblades-suse.linguaphone-intranet.co.uk> <4681C794.7000207@rheelweb.co.nz> <33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net> <4682E8CF.7010602@rheelweb.co.nz> <59838.194.70.180.170.1183020415.squirrel@www.technologytiger.net> <4684832B.90709@rheelweb.co.nz> <39526.194.70.180.170.1183109209.squirrel@www.technologytiger.net>
Message-ID: <46881CAB.2090504@rheelweb.co.nz>

Drew Marshall wrote:
> This looks like a DNS problem. Are you running a caching DNS server on
> this box? Postfix is rejecting with a temporary failure (450) as it is
> having what it thinks could be a short term problem. I assume you have set
> the next hop in the transport map file, have you done this using a name
> record or IP address? i.e. in the file does it say:
>
> validdomain relay:internal.host
>
> or
>
> validdomain relay:[192.168.1.225]
>
> Just to make sure this isn't Postfix logging a slight red herring, can you
> also let me know what you have under:
>
> smtpd_client_restrictions
> smtpd_sender_restrictions
>
> in main.cf
>
> The other thing to check is the logs of the internal machine (Exchange?),
> just in case there is anything obvious there.
>
> Drew
>
>
>

Hi,

I am not running a caching DNS server on this box, all DNS queries are
passed to our internal DNS server, however this shouldn't be an issue,
as you noted because the next hop is dictated by an entry in the
transport map, using IP based hosts. This is what I find so confusing,
surely Postfix uses this transport map or even the relay_domain map to
decide whether a domain is valid or not?

I did spend the other day looking at the internal mail hub, and there is
nothing out of the ordinary in there which would indicate a problem
(such as SMTP restrictions because of connection rate or something).

In my main.cf, I don't have entries for smtpd_client_restrictions or
smtpd_sender_restrictions (whether this is bad or not?), and my
smtp_receipient_restrictions is as follows:

smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unverified_recipient

It all seems rather tricky, as there is nothing obvious as to why this
is happening.

Cheers for the help

Seamus

*Seamus Allan*
Network Engineer
Rheel Electronics Ltd

From res at ausics.net Sun Jul 1 23:41:24 2007
From: res at ausics.net (Res)
Date: Sun Jul 1 23:41:38 2007
Subject: Doubts about PF, what are the pros/cons about other MTAs?
In-Reply-To: <46878A41.9070100@syska.dk>
References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk> <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com> <46878A41.9070100@syska.dk>
Message-ID:

On Sun, 1 Jul 2007, Mikael Syska wrote:

> If the above is right, this seems like it's using the resources better than
> amavisd-new maybe, but these days Ram and harddrives are very cheap, so if
> it just runs fast, I'm happy.

I've used many methods, amavisd(-new), sophos, mimedefang, qmailscanner
and commercial apps, nothing comes close to MailScanner's reliability and
performance (although I've only used sendmail and qmail, any postmix
server I take over gets quickly replaced by either sendmail or qmail so
I've never seen the MS/PF issues)

--
Cheers
Res

From carock at epconline.com Mon Jul 2 03:20:32 2007
From: carock at epconline.com (Chuck Rock)
Date: Mon Jul 2 03:20:44 2007
Subject: Wierd question
In-Reply-To: <468809CE.20808@ecs.soton.ac.uk>
Message-ID: <0d1601c7bc4f$91584d30$8c007f0a@epctech.com>

I have a weird question, but if it's something that can be answered with MS,
then I'd be very grateful.

I have FreeBSD, MailScanner, ClamAV and Sendmail scanning incoming mail.

I need to take messages to a specific domain and only allow them from a
certain IP, another mail server. If they come from any other IP then they
get rejected or deleted.

Is this possible with a MailScanner ruleset?

Thanks,
Chuck

From matt at coders.co.uk Mon Jul 2 07:16:28 2007
From: matt at coders.co.uk (Matt Hampton)
Date: Mon Jul 2 07:12:25 2007
Subject: Wierd question
In-Reply-To: <53hHLrICIeIQYLbrfC2Bow!1183343240.55954@0d1601c7bc4f$91584d30$8c007f0a@epctech.com>
References: <53hHLrICIeIQYLbrfC2Bow!1183343240.55954@0d1601c7bc4f$91584d30$8c007f0a@epctech.com>
Message-ID: <4688983C.2050507@coders.co.uk>

Chuck Rock wrote:
> I have a weird question, but if it's something that can be answered with MS,
> then I'd be very grateful.
>
> I have FreeBSD, MailScanner, ClamAV and Sendmail scanning incoming mail.
>
> I need to take messages to a specific domain and only allow them from a
> certain IP, another mail server. If they come from any other IP then they
> get rejected or deleted.

Why not do it in sendmail

http://thread.gmane.org/gmane.linux.centos.general/27221/focus=27323

From ram at netcore.co.in Mon Jul 2 07:46:05 2007
From: ram at netcore.co.in (ram)
Date: Mon Jul 2 07:46:22 2007
Subject: MailScanner with postfix SPF checks problem
Message-ID: <1183358765.6034.18.camel@localhost.localdomain>

I am using postfix 2.3 with MailScanner 4.59 and spamassassin 3.1.5
In postfix I have added X-envelope-sender to the headers

The mail when scanned thru MailScanner does not seem to get the header.
But When I see the mail in the quarantine the header is very much there
When I take the same mail from quarantine and run spamassassin -D < $file
I can see the SPF checks happening fine.

Unfortunately this doesn't seem to happen every time. A lot of time SPF
checks do go on fine.

Have I misconfigured something ?

The relevant lines are here ( from MailScanner in debug mode )
------------------

23773] dbg: dns: checking RBL zen.spamhaus.org., set zen
[23773] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted
[23773] dbg: check: running tests for priority: 0
[23773] dbg: rules: running header regexp tests; score so far=0
[23773] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<"
[23773] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1183358182.09113@spamassassin_spamd_init>
[23773] dbg: rules: "
[23773] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@spamassassin_spamd_init>"
[23773] dbg: rules: ran header rule NO_REAL_NAME ======> got hit: "ignore@compiling.spamassassin.taint.org
[23773] dbg: rules: "
[23773] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1183358182"
[23773] dbg: spf: no suitable relay for spf use found, skipping SPF-helo check
[23773] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org
[23773] dbg: eval: all '*To' addrs:
[23773] dbg: spf: no suitable relay for spf use found, skipping SPF check
[23773] dbg: rules: ran eval rule NO_RELAYS ======> got hit
[23773] dbg: spf: cannot get Envelope-From, cannot use SPF
[23773] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
[23773] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit
[23773] dbg: spf: spf_whitelist_from: could not find useable envelope sender
[23773] dbg: rules: running body-text per-line regexp tests; score so far=0.96
[23773] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I"
[23773] dbg: uri: running uri tests; score so far=0.96
[23773] dbg: rules: running raw-body-text per-line regexp tests; score so far=0.96
[23773] dbg: rules: running full-text regexp tests; score so far=0.96
[23773] dbg: info: entering helper-app run mode
Jul 02 12:06:25.298183 check[23773]: [ 2] [bootup] Logging initiated LogDebugLevel=3 to stdout
Jul 02 12:06:26.372740 check[23773]: [ 3] mail 1 is not known spam.
[23773] dbg: info: leaving helper-app run mode
[23773] dbg: razor2: part=0 engine=4 contested=0 confidence=0
[23773] dbg: razor2: results: spam? 0
[23773] dbg: razor2: results: engine 8, highest cf score: 0
[23773] dbg: razor2: results: engine 4, highest cf score: 0
[23773] dbg: pyzor: use_pyzor option not enabled, disabling Pyzor

From glenn.steen at gmail.com Mon Jul 2 07:55:21 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Jul 2 07:55:22 2007
Subject: Wierd question
In-Reply-To: <4688983C.2050507@coders.co.uk>
References: <4688983C.2050507@coders.co.uk>
Message-ID: <223f97700707012355n650bc7dbx22e5cabec83dcaca@mail.gmail.com>

True Matt, best done as early as possible. . . But it is possible to
do with a rule set or so, and some imagination, in MS too:)

On 02/07/07, Matt Hampton wrote:
> Chuck Rock wrote:
> > I have a weird question, but if it's something that can be answered with MS,
> > then I'd be very grateful.
> >
> > I have FreeBSD, MailScanner, ClamAV and Sendmail scanning incoming mail.
> >
> > I need to take messages to a specific domain and only allow them from a
> > certain IP, another mail server. If they come from any other IP then they
> > get rejected or deleted.
>
> Why not do it in sendmail
>
> http://thread.gmane.org/gmane.linux.centos.general/27221/focus=27323

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Mon Jul 2 08:05:27 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Jul 2 08:05:28 2007
Subject: MailScanner with postfix SPF checks problem
In-Reply-To: <1183358765.6034.18.camel@localhost.localdomain>
References: <1183358765.6034.18.camel@localhost.localdomain>
Message-ID: <223f97700707020005x6aa096en51f72f3e2d024a80@mail.gmail.com>

First error is about a problem with received lines. . . You don't do
anything bad to them in a header check, do you? (Sorry for top post,
am using my mobile phone to tap this in:)

On 02/07/07, ram wrote:
> I am using postfix 2.3 with MailScanner 4.59 and spamassassin 3.1.5
> In postfix I have added X-envelope-sender to the headers
>
> The mail when scanned thru MailScanner does not seem to get the header.
> But When I see the mail in the quarantine the header is very much there
> When I take the same mail from quarantine and run spamassassin -D < $file
> I can see the SPF checks happening fine.
>
> Unfortunately this doesn't seem to happen every time. A lot of time SPF
> checks do go on fine.
>
>
> Have I misconfigured something ?
> > > > The relevant line are here ( from MailScanner in debug mode ) > ------------------ > > 23773] dbg: dns: checking RBL zen.spamhaus.org., set zen > [23773] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted > [23773] dbg: check: running tests for priority: 0 > [23773] dbg: rules: running header regexp tests; score so far=0 > [23773] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" > [23773] dbg: rules: ran header rule __SANE_MSGID ======> got hit: > "<1183358182.09113@spamassassin_spamd_init> > [23773] dbg: rules: " > [23773] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: > "@spamassassin_spamd_init>" > [23773] dbg: rules: ran header rule NO_REAL_NAME ======> got hit: > "ignore@compiling.spamassassin.taint.org > [23773] dbg: rules: " > [23773] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: > "1183358182" > [23773] dbg: spf: no suitable relay for spf use found, skipping SPF-helo > check > [23773] dbg: eval: all '*From' addrs: > ignore@compiling.spamassassin.taint.org > [23773] dbg: eval: all '*To' addrs: > [23773] dbg: spf: no suitable relay for spf use found, skipping SPF > check > [23773] dbg: rules: ran eval rule NO_RELAYS ======> got hit > [23773] dbg: spf: cannot get Envelope-From, cannot use SPF > [23773] dbg: spf: def_spf_whitelist_from: could not find useable > envelope sender > [23773] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit > [23773] dbg: spf: spf_whitelist_from: could not find useable envelope > sender > [23773] dbg: rules: running body-text per-line regexp tests; score so > far=0.96 > [23773] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" > [23773] dbg: uri: running uri tests; score so far=0.96 > [23773] dbg: rules: running raw-body-text per-line regexp tests; score > so far=0.96 > [23773] dbg: rules: running full-text regexp tests; score so far=0.96 > [23773] dbg: info: entering helper-app run mode > Jul 02 12:06:25.298183 check[23773]: [ 2] [bootup] Logging 
initiated > LogDebugLevel=3 to stdout > Jul 02 12:06:26.372740 check[23773]: [ 3] mail 1 is not known spam. > [23773] dbg: info: leaving helper-app run mode > [23773] dbg: razor2: part=0 engine=4 contested=0 confidence=0 > [23773] dbg: razor2: results: spam? 0 > [23773] dbg: razor2: results: engine 8, highest cf score: 0 > [23773] dbg: razor2: results: engine 4, highest cf score: 0 > [23773] dbg: pyzor: use_pyzor option not enabled, disabling Pyzor > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ram at netcore.co.in Mon Jul 2 08:40:41 2007 From: ram at netcore.co.in (ram) Date: Mon Jul 2 08:40:55 2007 Subject: MailScanner with postfix SPF checks problem In-Reply-To: <223f97700707020005x6aa096en51f72f3e2d024a80@mail.gmail.com> References: <1183358765.6034.18.camel@localhost.localdomain> <223f97700707020005x6aa096en51f72f3e2d024a80@mail.gmail.com> Message-ID: <1183362041.6034.32.camel@localhost.localdomain> On Mon, 2007-07-02 at 07:05 +0000, Glenn Steen wrote: > First error is about a problem with received lines. . . You don't do > anything bad to them in a header check, do you? (Sorry for top post, > am using my mobile phone to tap this in:) I am not doing anything more than in postfix smtpd_data_restrictions: check_sender_access regexp:/etc/postfix/add_x_envelope_from ------/etc/postfix/add_x_envelope_from ---------- /^<>$/ PREPEND X-Envelope-From: <> /^(.*)$/ PREPEND X-Envelope-From: <$1> ---------------------- Thanks Ram From ram at netcore.co.in Mon Jul 2 09:17:18 2007 
From: ram at netcore.co.in (ram)
Date: Mon Jul 2 09:17:25 2007
Subject: MailScanner ANNOUNCE: stable 4.61 released
In-Reply-To: <46878529.5070707@ecs.soton.ac.uk>
References: <46878529.5070707@ecs.soton.ac.uk>
Message-ID: <1183364239.6034.45.camel@localhost.localdomain>

On Sun, 2007-07-01 at 11:42 +0100, Julian Field wrote:
> I have just released a new version of MailScanner, stable version 4.61.7.
>
> The main new things this month are:
> - Direct support for clamd, for extra speed.
> - Bug fixes in the attachments auto-zip feature introduced last month.
> - Bug fixes in the support for Postfix milters.
>
> Download as usual from www.mailscanner.info.

This was from a thread some time ago:
http://lists.mailscanner.info/pipermail/mailscanner/2007-February/070414.html

Can I use whitelist from IPs to look at IPs beyond a relay address?

If the MX is pointed to a relay server, and the relay server forwards the mail to the MailScanner server, then MailScanner always sees the same IP in the from. But if I want to whitelist an IP address that relayed to the MX server, can I do this?

Thanks
Ram

From Q.G.Campbell at newcastle.ac.uk Mon Jul 2 09:43:38 2007
From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell)
Date: Mon Jul 2 09:44:05 2007
Subject: 4.61.7 'make' failures
Message-ID: <4165CF7A7F12DE4B96622CCBB90586470AA7F72E@largo.campus.ncl.ac.uk>

I have 4 'make' failures caused by RPM build errors when doing an 'install.sh' on a RH/AS4 system.

The four RPMs are:

Test-Simple-0.70-1
Math-BigRat-0.19-1
bignum-0.21-1
Math-BigInt-1.86-1

It appears that the last three failures are a consequence of the inability to install the Test-Simple-0.70-1 RPM. Whether I do it via MailScanner or CPAN I get the same errors:

Failed Test  Stat Wstat Total Fail  Failed  List of Failed
-------------------------------------------------------------------------------
t/sort_bug.t    0    11     2    4 200.00%  1-2
3 tests and 10 subtests skipped.
Failed 1/66 test scripts, 98.48% okay. 2/492 subtests failed, 99.59% okay.
make: *** [test_dynamic] Error 255
  /usr/bin/make test -- NOT OK
Running make install
  make test had returned bad status, won't install without force

I can force the install but want to understand the significance of the 'test_dynamic' Error 255 failure before deciding whether to do that. A Google search shows this error in other applications but does not provide any hints about why this problem occurs or how to fix it.

Has anyone else experienced this problem?

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           Newcastle University,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------

From m.anderlini at database.it Mon Jul 2 10:51:38 2007
From: m.anderlini at database.it (Marcello Anderlini)
Date: Mon Jul 2 10:51:50 2007
Subject: R: Fake User-Agent on PDF
In-Reply-To: <4686B8D1.7090005@ecs.soton.ac.uk>
References: <46868B9E.2050409@ecs.soton.ac.uk><46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk>
Message-ID: <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it>

Sorry guys, but because of my poor English I'm not sure I've understood whether there is a good rule to block pdf spam.
If there is, could someone publish a working one?

Thanks to all for your kind help.

bye

From MailScanner at ecs.soton.ac.uk Mon Jul 2 10:59:31 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 2 11:02:47 2007
Subject: R: Fake User-Agent on PDF
In-Reply-To: <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it>
References: <46868B9E.2050409@ecs.soton.ac.uk><46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk> <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it>
Message-ID: <4688CC83.4060403@ecs.soton.ac.uk>

This one was published yesterday, which the author claims to work okay:

full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
describe PDF_ONLY_SPAM PDF only Message, no text in message body
score PDF_ONLY_SPAM 2.0

Marcello Anderlini wrote:
> Sorry guys, but cause my poor English I'm not sure I've understood if there
> is a good rules to block pdf spam.
> If there is, could someone publish one working ?
>
> Thanks to all for you kindly help.
>
> bye

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From hvdkooij at vanderkooij.org Mon Jul 2 11:40:15 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Jul 2 11:41:35 2007
Subject: MailScanner ANNOUNCE: stable 4.61 released
In-Reply-To: <1183364239.6034.45.camel@localhost.localdomain>
References: <46878529.5070707@ecs.soton.ac.uk> <1183364239.6034.45.camel@localhost.localdomain>
Message-ID:

On Mon, 2 Jul 2007, ram wrote:
> On Sun, 2007-07-01 at 11:42 +0100, Julian Field wrote:
>> I have just released a new version of MailScanner, stable version 4.61.7.
>>
>> The main new things this month are:
>> - Direct support for clamd, for extra speed.
>> - Bug fixes in the attachments auto-zip feature introduced last month.
>> - Bug fixes in the support for Postfix milters.
>>
>> Download as usual from www.mailscanner.info.
>
> This was from a thread sometime ago
> http://lists.mailscanner.info/pipermail/mailscanner/2007-February/070414.html
>
> Can I use whitelist from IP's to look at ips beyond a relay address.

You are hijacking an announcement to start a new thread. If you start a new thread then do so with a fresh message.

But MS checks all Received: headers. That is why some readers here used to barf on my local network address (192.0.2.0/24) in the top Received: header. They will not do so anymore, as my local postfix server now eats Received: headers from local clients so they will not leak out any more.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From jan-peter at koopmann.eu Mon Jul 2 11:45:25 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Mon Jul 2 11:44:49 2007
Subject: MailScanner ANNOUNCE: stable 4.61 released
In-Reply-To:
References:
Message-ID:

Hi Jules,

> 4 Renamed "sa-update" command and cron job to "update_spamassassin".

I am probably missing something, but in bin/cron you distribute update_spamassassin.cron which introduces an updatedelay. It then calls /opt/MailScanner/bin/update_spamassassin which in itself also contains an UPDATEDELAY. So the cron-delay-mechanism is called twice? Why?

Regards,
JP

From MailScanner at ecs.soton.ac.uk Mon Jul 2 12:13:33 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 2 12:16:44 2007
Subject: MailScanner ANNOUNCE: stable 4.61 released
In-Reply-To:
References:
Message-ID: <4688DDDD.3060809@ecs.soton.ac.uk>

Koopmann, Jan-Peter wrote:
> Hi Jules,
>
>> 4 Renamed "sa-update" command and cron job to "update_spamassassin".
>
> I am probably missing something, but in bin/cron you distribute
> update_spamassassin.cron which introduces an updatedelay. It then calls
> /opt/MailScanner/bin/update_spamassassin which in itself also contains
> an UPDATEDELAY. So the cron-delay-mechanism is called twice? Why?

Sorry, there shouldn't be 2 delays. I have now removed the delay from /usr/sbin/update_spamassassin and have released a 4.61.7-2 with it removed.

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From Q.G.Campbell at newcastle.ac.uk Mon Jul 2 12:17:37 2007
From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell)
Date: Mon Jul 2 12:18:40 2007
Subject: 4.61.7 'make' failures -
In-Reply-To: <4165CF7A7F12DE4B96622CCBB90586470AA7F72E@largo.campus.ncl.ac.uk>
References: <4165CF7A7F12DE4B96622CCBB90586470AA7F72E@largo.campus.ncl.ac.uk>
Message-ID: <4165CF7A7F12DE4B96622CCBB90586470AA7F7B4@largo.campus.ncl.ac.uk>

>-----Original Message-----
>From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Quentin Campbell
>Sent: 02 July 2007 09:44
>To: MailScanner discussion
>Subject: 4.61.7 'make' failures
>
>I have 4 'make' failures caused by RPM build errors when doing an
>'install.sh' on a RH/AS4 system.
>
>The four RPMs are:
>
>Test-Simple-0.70-1
>Math-BigRat-0.19-1
>bignum-0.21-1
>Math-BigInt-1.86-1
>
>It appears that the last three failures are a consequence of the
>inability to install the Test-Simple-0.70-1 RPM. Whether I do it via
>MailScanner or CPAN I get the same errors:
>
>Failed Test  Stat Wstat Total Fail  Failed  List of Failed
>-------------------------------------------------------------------------------
>t/sort_bug.t    0    11     2    4 200.00%  1-2
>3 tests and 10 subtests skipped.
>Failed 1/66 test scripts, 98.48% okay. 2/492 subtests failed, 99.59% okay.
>make: *** [test_dynamic] Error 255
>  /usr/bin/make test -- NOT OK
>Running make install
>  make test had returned bad status, won't install without force
>
>I can force the install but want to understand the significance of the
>'test_dynamic' Error 255 failure before deciding whether to do that. A
>Google search shows this error in other applications but does not
>provide any hints about why this problem occurs or how to fix it.
>
>Has anyone else experienced this problem?
>[snip]

After some more research it appears that I can safely 'force' the installation of Test-Simple-0.70-1.

The failing test in sort_bug.t is for whether 'eq_set' works correctly or not. It appears that the use of 'eq_set' is in any case deprecated so this failure can be safely ignored.

The relevant URLs can be found by doing a Google search on 'eq_set perl'.

Quentin

From jgg at giversen.net Mon Jul 2 12:19:49 2007
From: jgg at giversen.net (sysadm)
Date: Mon Jul 2 12:19:50 2007
Subject: OT: problems installing perl-Test-Simple modul
Message-ID: <4688DF55.4090804@giversen.net>

Dear all

When I try to rebuild the perl-Test-Simple rpm module I get the following errors. It seems that it's the sort_bug test that is the problem. What am I missing here?

OS: CentOS 4.5

t/skipall.................ok
t/sort_bug................dubious
        Test returned status 0 (wstat 11, 0xb)
DIED. FAILED tests 1-2
        Failed 2/2 tests, 0.00% okay
t/tbt_01basic.............ok
t/tbt_02fhrestore.........ok
t/tbt_03die...............ok
t/tbt_04line_num..........ok
t/tbt_05faildiag..........ok
t/tbt_06errormess.........ok
t/tbt_07args..............ok
t/thread_taint............ok
t/threads.................ok
t/todo....................ok
t/undef...................ok
t/use_ok..................ok
t/useing..................ok
Failed Test  Stat Wstat Total Fail  List of Failed
-------------------------------------------------------------------------------
t/sort_bug.t    0    11     2    4  1-2
2 tests and 10 subtests skipped.
Failed 1/66 test scripts. 2/504 subtests failed.
Files=66, Tests=504, 5 wallclock secs ( 4.50 cusr + 0.64 csys = 5.14 CPU)
Failed 1/66 test programs. 2/504 subtests failed.
make: *** [test_dynamic] Error 255
fejl: Fejl-afslutningsstatus fra /var/tmp/rpm-tmp.17688 (%build)

Regards
Jørgen Giversen

From cobalt-users1 at fishnet.co.uk Mon Jul 2 12:24:14 2007
From: cobalt-users1 at fishnet.co.uk (Ian)
Date: Mon Jul 2 12:24:37 2007
Subject: R: Fake User-Agent on PDF
In-Reply-To: <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it>
References: , <4686B8D1.7090005@ecs.soton.ac.uk>, <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it>
Message-ID: <4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk>

On 2 Jul 2007 at 11:51, Marcello Anderlini wrote:
> Sorry guys, but cause my poor English I'm not sure I've understood if there
> is a good rules to block pdf spam.
> If there is, could someone publish one working ?

Hi,

One of the SARE ninjas has created a plugin called PDFInfo. This was posted on the spamassassin list last week:

Until it's publicly released, you can request it with a simple email to us, see http://www.rulesemporium.com/plugins.htm#pdfinfo

Works well here.

Regards
Ian
--

From m.anderlini at database.it Mon Jul 2 13:11:28 2007
From: m.anderlini at database.it (Marcello Anderlini)
Date: Mon Jul 2 13:11:39 2007
Subject: R: R: Fake User-Agent on PDF
In-Reply-To: <4688CC83.4060403@ecs.soton.ac.uk>
References: <46868B9E.2050409@ecs.soton.ac.uk><46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk><002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> <4688CC83.4060403@ecs.soton.ac.uk>
Message-ID: <002b01c7bca2$1e87f960$3f01a8c0@dbdomain.database.it>

Thanks for your answer.
I put these lines in spam.assassin.prefs.conf but I get this error.
Where's my error?

PS (mailscanner.cf is a link to /etc/MailScanner/spam.assassin.prefs.conf)

=================================
[28788] warn: config: SpamAssassin failed to parse line, no value provided for "full", skipping: full PDF_ONLY_SPAM
[28788] warn: config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}nam e\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/ is
[28788] warn: config: warning: description exists for non-existent rule PDF_ONLY_SPAM
[28788] warn: config: warning: score set for non-existent rule PDF_ONLY_SPAM
[28788] warn: lint: 4 issues detected, please rerun with debug enabled for more information
=================================

From mwilson at cobasys.com Mon Jul 2 13:22:25 2007
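Added example, not part of the thread and not SpamAssassin or MailScanner code: a small Python stand-in for the checks behind the `spamassassin --lint` warnings in Marcello Anderlini's message above, run over the PDF_ONLY_SPAM rule (1) as posted on one line, (2) with the rule name and the pattern on separate lines, which reproduces the four reported issues, and (3) as a constructed case with one mail-wrap space left inside the pattern (`nam e\=`), which parses cleanly but never fires. The simplified rule grammar, the `lint`, `compile_perl` and `sample` helpers and both sample messages are assumptions made for illustration.

```python
import re

# The rule as posted intact in the thread: one directive per line.
RULE_OK = r"""full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
describe PDF_ONLY_SPAM PDF only Message, no text in message body
score PDF_ONLY_SPAM 2.0
"""
# Rule name and pattern on separate lines, as the lint warnings suggest.
RULE_SPLIT = RULE_OK.replace("full PDF_ONLY_SPAM /", "full PDF_ONLY_SPAM\n/", 1)
# Constructed: pattern back on one line, but one wrap space left inside it.
RULE_SPACES = RULE_OK.replace(r"}name\=", r"}nam e\=", 1)

RULE_LINE = re.compile(r"^(full|body|rawbody)\s+(\S+)(?:\s+(.*))?$")
PATTERN = re.compile(r"^/(.*)/([a-z]*)$")
PERL_FLAGS = {"i": re.I, "s": re.S, "m": re.M, "x": re.X}


def compile_perl(body, flags):
    """Compile a Perl-style /body/flags pattern with Python's re module."""
    bits = 0
    for letter in flags:
        bits |= PERL_FLAGS[letter]
    return re.compile(body, bits)


def lint(config):
    """Simplified lint: return ({rule name: compiled regex}, [problems])."""
    rules, problems, meta = {}, [], []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        rule = RULE_LINE.match(line)
        if rule:
            kind, name, value = rule.groups()
            pattern = PATTERN.match(value) if value else None
            if not value:
                problems.append(f'no value provided for "{kind}": {line}')
            elif not pattern:
                problems.append(f"pattern for {name} is not /regex/flags")
            else:
                rules[name] = compile_perl(pattern.group(1), pattern.group(2))
        elif words[0] in ("describe", "score") and len(words) > 1:
            meta.append((words[0], words[1]))
        else:
            problems.append(f"failed to parse line: {line[:40]}")
    for directive, name in meta:
        if name not in rules:
            problems.append(f"{directive} set for non-existent rule {name}")
    return rules, problems


def sample(body_text):
    """Constructed two-part MIME message; body_text is the text/plain part."""
    b = "------------010203040506070809000102"
    return (
        "From: sender@example.com\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed;\n boundary="{b}"\n'
        "\n"
        "This is a multi-part message in MIME format.\n"
        f"--{b}\n"
        "Content-Type: text/plain; charset=ISO-8859-1; format=flowed\n"
        "Content-Transfer-Encoding: 7bit\n"
        "\n"
        f"{body_text}\n"
        f"--{b}\n"
        'Content-Type: application/pdf;\n name="report.pdf"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: inline;\n filename="report.pdf"\n'
        "\n"
        "JVBERi0xLjQK\n"
        f"--{b}--\n"
    )


if __name__ == "__main__":
    cases = (("one line", RULE_OK), ("split", RULE_SPLIT), ("wrap space", RULE_SPACES))
    for label, config in cases:
        rules, problems = lint(config)
        hit = [n for n, rx in rules.items() if rx.search(sample(""))]
        print(f"{label}: {len(problems)} problem(s), hits on empty-body PDF mail: {hit}")
        for problem in problems:
            print("   ", problem)
```

A rule that lints cleanly can still be dead: check it against a known sample of the spam as well as against the parser.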
From: mwilson at cobasys.com (Mike Wilson)
Date: Mon Jul 2 13:22:35 2007
Subject: Creating a blacklist word list?
In-Reply-To: <002b01c7bca2$1e87f960$3f01a8c0@dbdomain.database.it>
Message-ID: <2C7100720056A2408E0DC6795A5CDF0A033417D3@COBS-EXCH-01.texaco.ovonic>

Is there a way to create a wordlist so that if an email contains a word on this list it would be blacklisted?
This would help knock out about 50% of the spam that still seem to get through the system.

Mike Wilson

From m.anderlini at database.it Mon Jul 2 13:33:38 2007
From: m.anderlini at database.it (Marcello Anderlini)
Date: Mon Jul 2 13:33:49 2007
Subject: R: R: Fake User-Agent on PDF
In-Reply-To: <002b01c7bca2$1e87f960$3f01a8c0@dbdomain.database.it>
References: <46868B9E.2050409@ecs.soton.ac.uk><46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk><002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it><4688CC83.4060403@ecs.soton.ac.uk> <002b01c7bca2$1e87f960$3f01a8c0@dbdomain.database.it>
Message-ID: <000001c7bca5$3727cf10$3f01a8c0@dbdomain.database.it>

OK, I found my error, but it seems it is not running, and on my test system this kind of spam still passes.

Someone else suggested using another plugin, http://www.rulesemporium.com/plugins.htm#pdfinfo, but I see it is still in beta.

Does anyone have any other suggestions or rules to stop this spam?

Really, thanks for your help.

Best regards

From seanos at seanos.net Mon Jul 2 13:38:17 2007
From: seanos at seanos.net (Seán O Sullivan)
Date: Mon Jul 2 13:38:42 2007
Subject: Creating a blacklist word list?
In-Reply-To: <2C7100720056A2408E0DC6795A5CDF0A033417D3@COBS-EXCH-01.texaco.ovonic>
References: <2C7100720056A2408E0DC6795A5CDF0A033417D3@COBS-EXCH-01.texaco.ovonic>
Message-ID: <45958.160.6.1.47.1183379897.squirrel@webmail.seanos.net>

> Is there a way to create a wordlist so that if an email contains a word
> on this list it would be blacklisted?
> This would help knock out about 50% of the spam that still seem to get
> through the system.
>

http://www.mailscanner.info/mcp.html

Seán

From ram at netcore.co.in Mon Jul 2 13:41:04 2007
From: ram at netcore.co.in (ram)
Date: Mon Jul 2 13:41:11 2007
Subject: Creating a blacklist word list?
In-Reply-To: <2C7100720056A2408E0DC6795A5CDF0A033417D3@COBS-EXCH-01.texaco.ovonic>
References: <2C7100720056A2408E0DC6795A5CDF0A033417D3@COBS-EXCH-01.texaco.ovonic>
Message-ID: <1183380064.9897.3.camel@localhost.localdomain>

On Mon, 2007-07-02 at 08:22 -0400, Mike Wilson wrote:
> Is there a way to create a wordlist so that if an email contains a word
> on this list it would be blacklisted?
> This would help knock out about 50% of the spam that still seem to get
> through the system.
>

BTW, if all you want to do is word checks, you can also try some checks at the MTA; that way you stop the mail before it reaches MailScanner. For example, postfix supports header_checks.

Alternatively, you could use spamassassin and add a rule in spamassassin. But adding single-word rules is always dangerous and can cause FPs. Be careful with what you are doing.

> Mike Wilson
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner Relay-B, and is
> believed to be clean.
>

From mwilson at cobasys.com Mon Jul 2 13:53:48 2007
From: mwilson at cobasys.com (Mike Wilson)
Date: Mon Jul 2 13:53:53 2007
Subject: Creating a blacklist word list?
In-Reply-To: <45958.160.6.1.47.1183379897.squirrel@webmail.seanos.net>
Message-ID: <2C7100720056A2408E0DC6795A5CDF0A0339D3D1@COBS-EXCH-01.texaco.ovonic>

Great info, so next question would be, is there a way to have the MCPblacklisted/MCPwhitelisted options look at a MySQL database table for the wordlists?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Seán O Sullivan
Sent: Monday, July 02, 2007 8:38 AM
To: MailScanner discussion
Subject: Re: Creating a blacklist word list?

> Is there a way to create a wordlist so that if an email contains a
> word on this list it would be blacklisted?
> This would help knock out about 50% of the spam that still seem to get
> through the system.
>

http://www.mailscanner.info/mcp.html

Seán

From darren at serversphere.com Mon Jul 2 14:17:18 2007
From: darren at serversphere.com (Darren Benfer) Date: Mon Jul 2 14:17:14 2007 Subject: Long Child Startup Times In-Reply-To: <4687EE6A.5050603@ecs.soton.ac.uk> References: <1182844619.26893.2.camel@gblades-suse.linguaphone-intranet.co.uk> <4681C794.7000207@rheelweb.co.nz> <33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net> <4687E097.7070506@serversphere.com> <4687EE6A.5050603@ecs.soton.ac.uk> Message-ID: <4688FADE.8080207@serversphere.com> Jules, Thank you, yes! This is exactly the case - we use clamAV/clamavmodule. Sorry I did not provide this info in my original post. Switching clam off makes things as speedy as ever, so I will just endure it across all machines until the current RC moves into release. Thanks, Darren Julian Field wrote: > I'll put a tenner on the fact that you are running the latest version of > ClamAV and are using the clamavmodule scanner. > It's ClamAV's fault in that case. The current version takes *forever* to > load the signatures. Fortunately it only has to do this once in each child. > You can fix it by either > 1) Download and run the latest release candidate of ClamAV which > apparently has fixed it. This is the most common solution I have seen. > 2) Wait for the new version of ClamAV and not worry about it for now. It > only affects the startup time of each child, not the actual processing > speed of ClamAV. This is what I have done. > 3) Switch to clamd but make sure you are running something to keep an > eye on the clamd daemon in case it crashes (I cannot guarantee clamd's > stability). > > Jules. > > Darren Benfer wrote: >> Lately it seems like it takes MS children take forever to start up for >> some reason, and my server load climbs to 4-5 while they are doing so. >> Anyone else experiencing (or experienced) this? Anything I should >> check into for a fix? Worked well for about year, but latest update >> for MS started this trend. >> >> TIA! 
>> Darren @ Serversphere.com
>
> Jules
>

From pablo at lacnic.net Mon Jul 2 15:24:40 2007
From: pablo at lacnic.net (Pablo Allietti)
Date: Mon Jul 2 15:11:26 2007
Subject: Postfix MTA
Message-ID: <20070702142440.GA57767@micron.lacnic.net.uy>

Hi all. i have a dude. when i use postfix which is the sentence in
Sendmail = ????

# Set whether to use postfix, sendmail, exim or zmailer.
# If you are using postfix, then see the "SpamAssassin User State Dir"
# setting near the end of this file
MTA = postfix

# Set how to invoke MTA when sending messages MailScanner has created
# (e.g. to sender/recipient saying "found a virus in your message")
# This can also be the filename of a ruleset.
Sendmail = /usr/lib/sendmail

--
.-
Pablo Allietti
E-mail: pablo@lacnic.net | LACNIC
Phone : +598 2 6042222 | http://LACNIC.NET

From pablo at lacnic.net Mon Jul 2 15:26:45 2007
From: pablo at lacnic.net (Pablo Allietti)
Date: Mon Jul 2 15:13:28 2007
Subject: rc.mailscanner
Message-ID: <20070702142645.GB57767@micron.lacnic.net.uy>

i download the rc.mailscanner to start and stop in freebsd the mailscanner but is only for sendmail....

anybody have this file for postfix??

thanks-

--

From t.d.lee at durham.ac.uk Mon Jul 2 15:13:44 2007
From: t.d.lee at durham.ac.uk (David Lee) Date: Mon Jul 2 15:13:58 2007 Subject: Clam/SA package: possible inconsistency? Message-ID: Jules, Historically, I have maintained the Clam+SA aspects of our MailScanner installations (mostly Fedora-based OSes) using RPM for ClamAV and CPAN for SA. I would like to switch to using your package. This, in theory, ought to give better support, better consistency, and easier installation. But I've stumbled across an apparent inconsistency in the ClamAV section. Your software (MS, SA) generally installs directly into system locations. Examples: /usr/sbin/MailScanner (binary) /etc/MailScanner/ (directory) /usr/bin/sa-learn (binary) In that sense, they are RPM-like. (That's fine with me!) But (uniquely, I think), your build of clamav wants to install into "/usr/local". This seems inconsistent with your builds of MS and SA. Is this difference a deliberate decision? Could you consider making your version of clamav install into the natural system locations (just like your other software), rather than this unique "/usr/local" location? -- : David Lee I.T. Service : : Senior Systems Programmer Computer Centre : : UNIX Team Leader Durham University : : South Road : : http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE : : Phone: +44 191 334 2752 U.K. : From jan-peter at koopmann.eu Mon Jul 2 15:20:42 2007 
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Mon Jul 2 15:20:12 2007 Subject: rc.mailscanner In-Reply-To: References: Message-ID: > i download the rc.mailscanner to start and stop in freebsd the > mailscanner but is only for sendmail.... > > anybody have this file for postfix?? I suppose you are not using the MailScanner port? If not give it a try. We provide two scripts (mailscanner and mta) in order to start/stop MailScanner or the MTA you are using. Not sure if/how postfix works but please try it out and if necessary provide instructions on how to change the mta-script. Regards, JP From uxbod at splatnix.net Mon Jul 2 15:35:15 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Mon Jul 2 15:36:00 2007 Subject: Postfix MTA In-Reply-To: <20070702142440.GA57767@micron.lacnic.net.uy> References: <20070702142440.GA57767@micron.lacnic.net.uy> Message-ID: <72dfa9a655839ddb58a761d69fc3241b@62.49.223.244> Just set MTA = postfix and where your queue directory is. On Mon, 2 Jul 2007 11:24:40 -0300, Pablo Allietti wrote: > Hi all. i have a dude. when i use postfix which is the sentence in > Sendmail = ???? > > > > # Set whether to use postfix, sendmail, exim or zmailer. > # If you are using postfix, then see the "SpamAssassin User State Dir" > # setting near the end of this file > MTA = postfix > > # Set how to invoke MTA when sending messages MailScanner has created > # (e.g. to sender/recipient saying "found a virus in your message") > # This can also be the filename of a ruleset. > Sendmail = /usr/lib/sendmail > > -- > > > .- > Pablo Allietti > E-mail: pablo@lacnic.net | LACNIC > Phone : +598 2 6042222 | http://LACNIC.NET > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. -- --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Mon Jul 2 15:36:58 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 2 15:40:40 2007 Subject: Clam/SA package: possible inconsistency? In-Reply-To: References: Message-ID: <46890D8A.9080807@ecs.soton.ac.uk> David Lee wrote: > Jules, > > Historically, I have maintained the Clam+SA aspects of our MailScanner > installations (mostly Fedora-based OSes) using RPM for ClamAV and CPAN > for SA. > > I would like to switch to using your package. This, in theory, ought to > give better support, better consistency, and easier installation. But > I've stumbled across an apparent inconsistency in the ClamAV section. > > Your software (MS, SA) generally installs directly into system locations. > Examples: > /usr/sbin/MailScanner (binary) > /etc/MailScanner/ (directory) > /usr/bin/sa-learn (binary) > > In that sense, they are RPM-like. (That's fine with me!) > > But (uniquely, I think), your build of clamav wants to install into > "/usr/local". This seems inconsistent with your builds of MS and SA. > > Is this difference a deliberate decision? > > Could you consider making your version of clamav install into the natural > system locations (just like your other software), rather than this unique > "/usr/local" location? > I just let it install ClamAV where the source wants to let me install it. If you want a /usr installation of ClamAV, I would strongly recommend Dag's RPM builds of it. All available at http://dag.wieers.com/. The installer for my ClamAV+SA package now asks you whether you want it to install ClamAV for you, in case you prefer to use Dag's RPM build of it. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From holger at gebhardweb.de Mon Jul 2 15:42:54 2007
From: holger at gebhardweb.de (Holger Gebhard)
Date: Mon Jul 2 15:41:58 2007
Subject: R: Fake User-Agent on PDF
References: <46868B9E.2050409@ecs.soton.ac.uk><46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk><002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it><4688CC83.4060403@ecs.soton.ac.uk><002b01c7bca2$1e87f960$3f01a8c0@dbdomain.database.it> <000001c7bca5$3727cf10$3f01a8c0@dbdomain.database.it>
Message-ID: <036701c7bcb7$4667e700$0164320a@conware.int>

Try this rule...

It is a very simple regex to catch the pdf-spams until other rules are available. The regex is not very fast but still works:

full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
describe PDF_ONLY_SPAM PDF only Message, no text in message body
score PDF_ONLY_SPAM 1.0
"or whatever you want..."

This rule matches only messages with specific encodings, pdf attachments and no text in message body. Works fine with no false positives until today.

Regards
Holger

----- Original Message -----
From: "Marcello Anderlini"
To: "'MailScanner discussion'"
Sent: Monday, July 02, 2007 2:33 PM
Subject: R: R: Fake User-Agent on PDF

Ok, I found my error, but it seems it is not running, and on my test system this kind of spam still passes.
Someone else suggested using another plugin http://www.rulesemporium.com/plugins.htm#pdfinfo but I see it is still in beta.
Does anyone have some other suggestion or rules to stop this spam?
Really, thanks for your help.
Best regards

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Marcello Anderlini
Sent: Monday, 2 July 2007 14.11
To: 'MailScanner discussion'
Subject: R: R: Fake User-Agent on PDF

Thanks for your answer.
I put these lines in spam.assassin.prefs.conf but I get this error. Where's my error?
PS (mailscanner.cf is a link to /etc/MailScanner/spam.assassin.prefs.conf)

=================================
[28788] warn: config: SpamAssassin failed to parse line, no value provided for "full", skipping: full PDF_ONLY_SPAM
[28788] warn: config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}nam e\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/ is
[28788] warn: config: warning: description exists for non-existent rule PDF_ONLY_SPAM
[28788] warn: config: warning: score set for non-existent rule PDF_ONLY_SPAM
[28788] warn: lint: 4 issues detected, please rerun with debug enabled for more information
=================================

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Julian Field
Sent: Monday, 2 July 2007 12.00
To: MailScanner discussion
Subject: Re: R: Fake User-Agent on PDF

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This one was published yesterday, which the author claims to work okay:

full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}nam e\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/ is
describe PDF_ONLY_SPAM PDF only Message, no text in message body
score PDF_ONLY_SPAM 2.0

Marcello Anderlini wrote:
> Sorry guys, but cause my poor English I'm not sure I've understood if there
> is a good rules to block pdf spam.
> If there is, could someone publish one working ?
>
> Thanks to all for your kind help.
>
> bye
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of
> Julian Field
> Sent: Saturday, 30 June 2007 22.11
> To: MailScanner discussion
> Subject: Re: Fake User-Agent on PDF
>
>
> * PGP Bad Signature, Signed by an unverified key: 06/30/07 at 21:10:58
>
>
>
> Alex Broens wrote:
>
>> On 6/30/2007 6:58 PM, Julian Field wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>>
>>>
>>> Hugo van der Kooij wrote:
>>>
>>>> Hi,
>>>>
>>>> So far all SPAM PDF files that did not get killed on other issues
>>>> seem to use a fake User-Agent header: User-Agent: Thunderbird
>>>> 1.5.0.12 (Windows/20070509)
>>>>
>>>> According to
>>>> http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.12.html the
>>>> release date is impossible however.
>>>>
>>>> I have not written a SA rule (yet). I wrote a detectline in my
>>>> header checks of postfix:
>>>> /^User-Agent: Thunderbird 1.5.0.12 \(Windows/20070509\)/
>>>> REJECT This is a fake version of Thunderbird
>>>>
>>> Here's a SA rule that will do the same thing:
>>> header JKF_FAKE_TBIRD User-Agent =~ /Thunderbird 1.5.0.12 \(Windows\/20070509\)/
>>> describe JKF_FAKE_TBIRD Fake version of Thunderbird
>>> score JKF_FAKE_TBIRD 1.5
>>>
>>>
>> Jules,
>>
>> /Thunderbird 1\.5\.0\.12\(Windows\/20070509\)/
>>
>> forgot to escape periods?
>>
> Yes, agreed. But it's not very important. A version of the rule that
> accepts 1-5-0-12 is fine too, that's certainly a fake Thunderbird
> version number! :-)
>
> Jules
>
>
Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From MailScanner at ecs.soton.ac.uk Mon Jul 2 15:39:41 2007
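The lint warnings quoted in the message above follow from SpamAssassin's configuration being line-oriented: once a mail client wraps a pasted rule, `full PDF_ONLY_SPAM` has no value, the regex pieces are unparseable lines, and `describe`/`score` point at a rule that was never defined. As an added example (not code from the thread or from SpamAssassin), this Python check reports those conditions for a pasted rule block and also warns about the unescaped periods raised earlier in the thread; the function name, the set of directives handled and the wrap positions in the sample are assumptions made for illustration.

```python
import re

# Constructed input: the PDF_ONLY_SPAM rule after a mail client wrapped it.
# The exact wrap positions are an assumption made for this example.
WRAPPED = r"""full PDF_ONLY_SPAM
/encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}nam
e\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/
is
describe PDF_ONLY_SPAM PDF only Message, no text in message body
score PDF_ONLY_SPAM 1.0
"""

# The same rule with one directive per line, as re-posted in the thread.
INTACT = r"""full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
describe PDF_ONLY_SPAM PDF only Message, no text in message body
score PDF_ONLY_SPAM 1.0
"""

# The header rule from the thread, periods unescaped as first posted.
HEADER_RULE = r"""header JKF_FAKE_TBIRD User-Agent =~ /Thunderbird 1.5.0.12 \(Windows\/20070509\)/
describe JKF_FAKE_TBIRD Fake version of Thunderbird
score JKF_FAKE_TBIRD 1.5
"""

# One complete /regex/flags token: any escaped character or non-slash character.
REGEX = r"/(?:[^/\\]|\\.)*/[a-z]*"
# Expected shape of the value for each rule type this example handles.
PATTERN_SHAPE = {
    "header": re.compile(r"\S+\s+[=!]~\s+" + REGEX),
    "full": re.compile(REGEX),
    "body": re.compile(REGEX),
    "rawbody": re.compile(REGEX),
}
# A digit, a bare '.', a digit: the '.' matches any character, e.g. "1-5".
UNESCAPED_DOT = re.compile(r"\d\.\d")


def check_rules(text):
    """Return (line_number, severity, message) tuples for a pasted rule block."""
    problems, defined, meta = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # directive, rule name, rest of line
        directive = parts[0]
        if directive in PATTERN_SHAPE:
            if len(parts) < 3:
                problems.append((lineno, "error",
                                 f'no value provided for "{directive}"'))
            elif not PATTERN_SHAPE[directive].fullmatch(parts[2]):
                problems.append((lineno, "error",
                                 f"{parts[1]}: not one complete /regex/flags"))
            else:
                defined.add(parts[1])
                if UNESCAPED_DOT.search(parts[2]):
                    problems.append((lineno, "warning",
                                     f"{parts[1]}: unescaped '.' between digits"))
        elif directive in ("describe", "score"):
            if len(parts) < 3:
                problems.append((lineno, "error",
                                 f'no value provided for "{directive}"'))
            else:
                meta.append((lineno, directive, parts[1]))
        else:
            problems.append((lineno, "error",
                             "not a directive; likely a wrapped continuation"))
    # describe/score are only valid for rules that parsed successfully.
    for lineno, directive, name in meta:
        if name not in defined:
            problems.append((lineno, "error",
                             f"{directive} set for non-existent rule {name}"))
    return problems


if __name__ == "__main__":
    for label, sample in (("wrapped", WRAPPED), ("intact", INTACT),
                          ("header", HEADER_RULE)):
        print(label)
        for problem in check_rules(sample):
            print("  line %d: %s: %s" % problem)
```

A clean result here only says the block is structurally one directive per line; `spamassassin --lint` remains the authoritative check.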
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 2 15:42:56 2007
Subject: Postfix MTA
In-Reply-To: <20070702142440.GA57767@micron.lacnic.net.uy>
References: <20070702142440.GA57767@micron.lacnic.net.uy>
Message-ID: <46890E2D.4060005@ecs.soton.ac.uk>

You should just be able to use
Sendmail = /usr/sbin/sendmail

Though check, if you are using RedHat (or CentOS probably), that you have set the MTA correctly using the program 'system-switch-mail'.

Pablo Allietti wrote:
> Hi all. i have a dude. when i use postfix which is the sentence in
> Sendmail = ????
>
>
>
> # Set whether to use postfix, sendmail, exim or zmailer.
> # If you are using postfix, then see the "SpamAssassin User State Dir"
> # setting near the end of this file
> MTA = postfix
>
> # Set how to invoke MTA when sending messages MailScanner has created
> # (e.g. to sender/recipient saying "found a virus in your message")
> # This can also be the filename of a ruleset.
> Sendmail = /usr/lib/sendmail
>
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From pablo at lacnic.net Mon Jul 2 16:01:34 2007
From: pablo at lacnic.net (Pablo Allietti) Date: Mon Jul 2 15:48:16 2007 Subject: rc.mailscanner In-Reply-To: References: Message-ID: <20070702150134.GC57767@micron.lacnic.net.uy> On Mon, Jul 02, 2007 at 04:20:42PM +0200, Koopmann, Jan-Peter wrote: > > i download the rc.mailscanner to start and stop in freebsd the > > mailscanner but is only for sendmail.... > > > > anybody have this file for postfix?? > > I suppose you are not using the MailScanner port? If not give it a try. > We provide two scripts (mailscanner and mta) in order to start/stop > MailScanner or the MTA you are using. Not sure if/how postfix works but > please try it out and if necessary provide instructions on how to change > the mta-script. nop, this script is only for sendmail and exim, the pid in postfix is a group of pids in folder /var/spool/postfix/pid :( and i dont know how to add this to the script.. > > > Regards, > JP > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ---end quoted text--- -- .- Pablo Allietti E-mail: pablo@lacnic.net | LACNIC Phone : +598 2 6042222 | http://LACNIC.NET From hvdkooij at vanderkooij.org Mon Jul 2 15:50:32 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Jul 2 15:51:37 2007 Subject: Postfix MTA In-Reply-To: <20070702142440.GA57767@micron.lacnic.net.uy> References: <20070702142440.GA57767@micron.lacnic.net.uy> Message-ID: On Mon, 2 Jul 2007, Pablo Allietti wrote: > Hi all. i have a dude. when i use postfix which is the sentence in > Sendmail = ???? The line is just fine. Any linux distro should have this by now because it is for years now defined in the LSB definition. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From jan-peter at koopmann.eu Mon Jul 2 16:31:58 2007 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Mon Jul 2 16:31:25 2007 Subject: rc.mailscanner In-Reply-To: References: Message-ID: > nop, this script is only for sendmail and exim, the pid in postfix is a > group of pids in folder /var/spool/postfix/pid :( and i dont know how > to > add this to the script.. What about the postfix port in FreeBSD? It surely has a MTA start/stop mechanism at hand. Why not use that and the mailscanner start/stop script of my port? From stinkybob at gmail.com Mon Jul 2 16:45:45 2007 
From: stinkybob at gmail.com (Eugene MacDougal) Date: Mon Jul 2 16:45:48 2007 Subject: Solaris upgrade problems Message-ID: <2579c6b20707020845m3b79b3s252c21ea817649da@mail.gmail.com> Here are some of the "problems" I experience whenever I upgrade MailScanner. And for background, my system is a Sun V40Z (dual opteron, 8gb ram, solaris 10) running MS 4.61.7, SA 3.2.1, Clam 0.93. I installed all of these using the tar based installers from Julian's site. 1. Neither the "udp" nor the "unix" options for Sys::Syslog's setlogsock command work on my system. Every time a new release comes out, I have to grep for setlogsock in every file and change it from unix or udp to "native". Is this something that we could move to the MailScanner.conffile? Make an option for syslog type and then have the various programs that use that option poll MailScanner.conf for the appropriate variable? This would make my life so much easier. 2. The whole "/opt/MailScanner" symlink thing seems a bit counter-intuitive. I appreciate the ease that it brings for rolling back to an older version in case the new one fails, but I need to manually check all of the config files (filename rules, filetype rules, etc) and see if there are any problems with dropping my existing ones back into place. It seems like the upgrade_MailScanner_conf and upgrade_languages_conf scripts could be updated to check every config file in the release instead of just their respective targets. 3. The "update_virus_scanners" script needs an update for the SunOS grep test. Not all systems come with /usr/xpg4/bin/grep installed. A full build will, but not a network minimal. Solaris does come with a compatible grep that will use the -e option "/usr/bin/egrep". If that setting could be upgraded to use egrep that would be great. Thanks, Eugene -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070702/fdde908d/attachment.html From sandrews at andrewscompanies.com Mon Jul 2 16:48:55 2007 From: sandrews at andrewscompanies.com (Steven Andrews) Date: Mon Jul 2 16:48:59 2007 Subject: SA 3.1.9 upgrade to 3.2.1 problem In-Reply-To: References: Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0DDD@winchester.andrewscompanies.com> I did a yum and it appears that my 3.2.0 as installed by Julian's script was downgraded to 3.1.9 and trying to reinstall via Jules' clam/sa 3.2.1 package leaves me at 3.1.9. Thoughts on what I'm doing wrong? Steve From ram at netcore.co.in Mon Jul 2 16:49:54 2007 From: ram at netcore.co.in (ram) Date: Mon Jul 2 16:50:06 2007 Subject: MailScanner with postfix SPF checks problem In-Reply-To: <223f97700707020005x6aa096en51f72f3e2d024a80@mail.gmail.com> References: <1183358765.6034.18.camel@localhost.localdomain> <223f97700707020005x6aa096en51f72f3e2d024a80@mail.gmail.com> Message-ID: <1183391394.9897.23.camel@localhost.localdomain> On Mon, 2007-07-02 at 07:05 +0000, Glenn Steen wrote: > First error is about a problem with received lines. . . You don't do > anything bad to them in a header check, do you? (Sorry for top post, > am using my mobile phone to tap this in:) Sorry, Apparently these messages were are getting hit by spamassassin-cache. SO when I tested with the same content again again I was getting results from cache and not thru a real check Thanks Ram From pablo at lacnic.net Mon Jul 2 17:11:35 2007 
From: pablo at lacnic.net (Pablo Allietti) Date: Mon Jul 2 16:58:14 2007 Subject: rc.mailscanner In-Reply-To: References: Message-ID: <20070702161135.GD57767@micron.lacnic.net.uy> On Mon, Jul 02, 2007 at 05:31:58PM +0200, Koopmann, Jan-Peter wrote: > > nop, this script is only for sendmail and exim, the pid in postfix is > a > > group of pids in folder /var/spool/postfix/pid :( and i dont know how > > to > > add this to the script.. > > What about the postfix port in FreeBSD? It surely has a MTA start/stop > mechanism at hand. Why not use that and the mailscanner start/stop > script of my port? because the port give me an error like said in other mail before that... i installed from source and work, i only need this script to start stop with postfix. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ---end quoted text--- -- .- Pablo Allietti E-mail: pablo@lacnic.net | LACNIC Phone : +598 2 6042222 | http://LACNIC.NET From sandrews at andrewscompanies.com Mon Jul 2 17:10:24 2007 
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Mon Jul 2 17:10:28 2007
Subject: SA 3.1.9 upgrade to 3.2.1 problem [Solved]
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0DDD@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB04B0DDD@winchester.andrewscompanies.com>
Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0DDE@winchester.andrewscompanies.com>

I'm going to answer my question, just in case anyone else has this.

Remove old spamassassin
rpm -e spamassassin

Download latest 3.2.1 from spamassassin.apache.org
rpmbuild -tb Mail-SpamAssassin-3.2.1.tar.gz

Install 3.2.1 packages
cd /usr/src/redhat/RPMS/i386
rpm -ivh perl-Mail-SpamAssassin-3.2.1-1.i386.rpm
rpm -ivh spamassassin-3.2.1.i386.rpm

Yum after that didn't take me back to 3.1.9

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steven Andrews
Sent: Monday, July 02, 2007 11:49 AM
To: MailScanner discussion
Subject: SA 3.1.9 upgrade to 3.2.1 problem

I did a yum and it appears that my 3.2.0 as installed by Julian's script was downgraded to 3.1.9 and trying to reinstall via Jules' clam/sa 3.2.1 package leaves me at 3.1.9. Thoughts on what I'm doing wrong?

Steve

From ssilva at sgvwater.com Mon Jul 2 18:02:10 2007
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jul 2 18:02:23 2007 Subject: Doubts about PF, what are the pros/cons about other MTAs? In-Reply-To: References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk> <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com> <46878A41.9070100@syska.dk> Message-ID: Res spake the following on 7/1/2007 3:41 PM: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > NotDashEscaped: You need GnuPG to verify this message > > On Sun, 1 Jul 2007, Mikael Syska wrote: > >> If the above is right, this seems like its using the resources better >> than amavisd-new maybe, but theese days Ram and harddrives are very >> cheap, so if it just runs fast, i'm happy. > > I've used many methods, amavisd(-new), sophos, mimedefang, qmailscanner > and commercial apps, nothing comes close to MailScanners reliability and > performance (although I've only used sendmail and qmail, any postmix > server I take over gets quickly replaced by either sendmail or qmail so > I've never seen the MS/PF issues) > > No fair bashing Postfix while Glenn is on vacation!! ;-P -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From jan-peter at koopmann.eu Mon Jul 2 18:06:53 2007 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Mon Jul 2 18:06:17 2007 Subject: rc.mailscanner In-Reply-To: References: Message-ID: > because the port give me an error like said in other mail before > that... Most probably your system is screwed up somehow otherwise the port would work (unless all other installations are screwed up and yours is the only correct one of course *g*). And I strongly suggest to find and fix the problem first before going to production. Once that is fixed, you can move on with the provided scripts. From ssilva at sgvwater.com Mon Jul 2 18:13:14 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jul 2 18:13:24 2007 Subject: Wierd question In-Reply-To: <0d1601c7bc4f$91584d30$8c007f0a@epctech.com> References: <468809CE.20808@ecs.soton.ac.uk> <0d1601c7bc4f$91584d30$8c007f0a@epctech.com> Message-ID: Chuck Rock spake the following on 7/1/2007 7:20 PM: > I have a weird question, but if it's something that can be answered with MS, > then I'd be very grateful. > > I have FreeBSD, MailScanner, ClamAV and Sendmail scanning incoming mail. > > I need to take messages to a specific domain and only allow them from a > certain IP, another mail server. If they come from any other IP then they > get rejected or deleted. > > Is this possible with a MailScanner ruleset? > > Thanks, > Chuck > > I think it could be done with MailScanner, but you would only want to delete there. If you want to reject, you would need to do it at the MTA level to prevent spam backscatter. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From carock at epconline.com Mon Jul 2 18:41:41 2007 From: carock at epconline.com (Chuck Rock) Date: Mon Jul 2 18:41:44 2007 Subject: Wierd question In-Reply-To: Message-ID: <0e8e01c7bcd0$4040b370$8c007f0a@epctech.com> Yeah, delete is fine. Since the MX record will reflect the proper MX, only spammers will try to send to the old MX server. Any ideas on how to implement? Chuck -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Monday, July 02, 2007 12:13 PM
To: mailscanner@lists.mailscanner.info
Subject: Re: Wierd question

Chuck Rock spake the following on 7/1/2007 7:20 PM:
> I have a weird question, but if it's something that can be answered with MS,
> then I'd be very grateful.
>
> I have FreeBSD, MailScanner, ClamAV and Sendmail scanning incoming mail.
>
> I need to take messages to a specific domain and only allow them from a
> certain IP, another mail server. If they come from any other IP then they
> get rejected or deleted.
>
> Is this possible with a MailScanner ruleset?
>
> Thanks,
> Chuck
>
>
I think it could be done with MailScanner, but you would only want to delete
there. If you want to reject, you would need to do it at the MTA level to
prevent spam backscatter.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From mkettler at evi-inc.com Mon Jul 2 18:55:46 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Mon Jul 2 18:56:39 2007
Subject: Wierd question
In-Reply-To: <0e8e01c7bcd0$4040b370$8c007f0a@epctech.com>
References: <0e8e01c7bcd0$4040b370$8c007f0a@epctech.com>
Message-ID: <46893C22.80200@evi-inc.com>

Chuck Rock wrote:
> Yeah, delete is fine. Since the MX record will reflect the proper MX, only
> spammers will try to send to the old MX server.
>
> Any ideas on how to implement?

At that point, why not just shut down the old MX server completely?

Or, in alternative, have the SMTP server on the old MX 550 everything?

It seems silly to bother accepting the mail, then forward it to a primary MX,
accept it there, and then have MailScanner delete it.

From MailScanner at ecs.soton.ac.uk Mon Jul 2 18:58:37 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 2 19:02:08 2007
Subject: Wierd question
In-Reply-To: <0d1601c7bc4f$91584d30$8c007f0a@epctech.com>
References: <0d1601c7bc4f$91584d30$8c007f0a@epctech.com>
Message-ID: <46893CCD.4070900@ecs.soton.ac.uk>

You can do this very simply with a ruleset on the "Reject Messages"
configuration option.

To: domain.com and From: 10.1.1.1 no
To: domain.com yes
FromOrTo: default no

That should do the trick I think.

Chuck Rock wrote:
> I have a weird question, but if it's something that can be answered with MS,
> then I'd be very grateful.
>
> I have FreeBSD, MailScanner, ClamAV and Sendmail scanning incoming mail.
>
> I need to take messages to a specific domain and only allow them from a
> certain IP, another mail server. If they come from any other IP then they
> get rejected or deleted.
>
> Is this possible with a MailScanner ruleset?
>
> Thanks,
> Chuck
>
>
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From mikej at rogers.com Mon Jul 2 19:04:32 2007
From: mikej at rogers.com (Mike Jakubik)
Date: Mon Jul 2 19:04:35 2007
Subject: rc.mailscanner
In-Reply-To: <20070702161135.GD57767@micron.lacnic.net.uy>
References: <20070702161135.GD57767@micron.lacnic.net.uy>
Message-ID: <46893E30.3010702@rogers.com>

Pablo Allietti wrote:
> On Mon, Jul 02, 2007 at 05:31:58PM +0200, Koopmann, Jan-Peter wrote:
>
>>> nop, this script is only for sendmail and exim, the pid in postfix is a
>>> group of pids in folder /var/spool/postfix/pid :( and i dont know how to
>>> add this to the script..
>>>
>> What about the postfix port in FreeBSD? It surely has a MTA start/stop
>> mechanism at hand. Why not use that and the mailscanner start/stop
>> script of my port?
>>
>
> because the port give me an error like said in other mail before that...
>
> i installed from source and work, i only need this script to start stop
> with postfix.
>

That's usually not a good solution on FreeBSD if a port exists. Indeed there is
a port for MailScanner and postfix, they both come with startup scripts and
work just fine (on my systems). I would recommend you troubleshoot your port
install process, you may want to deinstall all, update the tree and try again.

From mailscanner at yeticomputers.com Mon Jul 2 19:09:40 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Mon Jul 2 19:09:54 2007
Subject: rc.mailscanner
In-Reply-To: <46893E30.3010702@rogers.com>
References: <20070702161135.GD57767@micron.lacnic.net.uy> <46893E30.3010702@rogers.com>
Message-ID: <46893F64.1040101@yeticomputers.com>

Mike Jakubik wrote:
> Pablo Allietti wrote:
>> because the port give me an error like said in other mail before that...
>> i installed from source and work, i only need this script to start stop
>> with postfix.
>
> That's usually not a good solution on FreeBSD if a port exists. Indeed
> there is a port for MailScanner and postfix, they both come with
> startup scripts and work just fine (on my systems). I would recommend
> you troubleshoot your port install process, you may want to deinstall
> all, update the tree and try again.

I'm with Mike here. I also use the standard ports and use the startup scripts
that came with postfix and mailscanner (and not the mta script), and all is
working fine. I would probably deinstall everything, update the tree and start
over with just the ports.

Rick

From nerijusb at dtiltas.lt Mon Jul 2 19:22:17 2007
From: nerijusb at dtiltas.lt (Nerijus Baliunas)
Date: Mon Jul 2 19:30:13 2007
Subject: SA 3.1.9 upgrade to 3.2.1 problem
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0DDD@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB04B0DDD@winchester.andrewscompanies.com>
Message-ID: <20070702182853.C291C1224AC@mx-b.vdnet.lt>

On Mon, 2 Jul 2007 11:48:55 -0400 Steven Andrews wrote:

> I did a yum and it appears that my 3.2.0 as installed by Julian's script
> was downgraded to 3.1.9 and trying to reinstall via Jules' clam/sa 3.2.1
> package leaves me at 3.1.9.
>
> Thoughts on what I'm doing wrong?

Although you already answered yourself, but what you did wrong is you mixed
system SA package and Julian's script. You should use either a package or
install by using Julian's script.

Regards,
Nerijus

From cparker at swatgear.com Mon Jul 2 20:30:20 2007
From: cparker at swatgear.com (Chris W. Parker)
Date: Mon Jul 2 20:30:24 2007
Subject: SpamAssassin is constantly timing out
Message-ID: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local>

Hello,

I recently upgraded to the latest (as of two weeks ago) MailScanner and
now SpamAssassin is consistently timing out.

I believe the original timeout period was 60 seconds but I've since
increased it to 300 seconds and it still seems to be consistently timing
out every five minutes. My old setting was 300 seconds and I didn't have
this problem.

The server load is pretty good (I think):

[root@filter /var/log]# uptime
 12:19:06 up 112 days, 1:40, 1 user, load average: 1.47, 1.77, 1.87

If it's still timing out at five minutes and the server load is not
high, might it not be a processing power issue?

Where else should I look?

Thanks!
Chris.

From alex at nkpanama.com Mon Jul 2 20:35:09 2007
From: alex at nkpanama.com (Alex Neuman)
Date: Mon Jul 2 20:35:48 2007
Subject: SpamAssassin is constantly timing out
In-Reply-To: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local>
References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local>
Message-ID: <4689536D.6040503@nkpanama.com>

DNS?

Chris W. Parker wrote:
> Hello,
>
> I recently upgraded to the latest (as of two weeks ago) MailScanner and
> now SpamAssassin is consistently timing out.
>
> I believe the original timeout period was 60 seconds but I've since
> increased it to 300 seconds and it still seems to be consistently timing
> out every five minutes. My old setting was 300 seconds and I didn't have
> this problem.
>
> The server load is pretty good (I think):
>
> [root@filter /var/log]# uptime
> 12:19:06 up 112 days, 1:40, 1 user, load average: 1.47, 1.77, 1.87
>
>
> If it's still timing out at five minutes and the server load is not
> high, might it not be a processing power issue?
>
> Where else should I look?
>
>
>
> Thanks!
> Chris.
>

From MailScanner at ecs.soton.ac.uk Mon Jul 2 20:46:00 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 2 20:48:34 2007
Subject: SpamAssassin is constantly timing out
In-Reply-To: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local>
References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local>
Message-ID: <468955F8.1090701@ecs.soton.ac.uk>

Start MailScanner with

    MailScanner -debug -debug-sa

and thump Ctrl-S when it pauses. This should tell you what is causing the
timeouts. (Ctrl-Q continues the output that Ctrl-S pauses)

Chris W. Parker wrote:
> Hello,
>
> I recently upgraded to the latest (as of two weeks ago) MailScanner and
> now SpamAssassin is consistently timing out.
>
> I believe the original timeout period was 60 seconds but I've since
> increased it to 300 seconds and it still seems to be consistently timing
> out every five minutes. My old setting was 300 seconds and I didn't have
> this problem.
>
> The server load is pretty good (I think):
>
> [root@filter /var/log]# uptime
> 12:19:06 up 112 days, 1:40, 1 user, load average: 1.47, 1.77, 1.87
>
>
> If it's still timing out at five minutes and the server load is not
> high, might it not be a processing power issue?
>
> Where else should I look?
>
>
>
> Thanks!
> Chris.
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From mkettler at evi-inc.com Mon Jul 2 21:04:02 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Mon Jul 2 21:08:05 2007
Subject: SpamAssassin is constantly timing out
In-Reply-To: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local>
References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local>
Message-ID: <46895A32.4070008@evi-inc.com>

Chris W. Parker wrote:
> Hello,
>
> I recently upgraded to the latest (as of two weeks ago) MailScanner and
> now SpamAssassin is consistently timing out.
>
> I believe the original timeout period was 60 seconds but I've since
> increased it to 300 seconds and it still seems to be consistently timing
> out every five minutes. My old setting was 300 seconds and I didn't have
> this problem.
>
> The server load is pretty good (I think):
>
> [root@filter /var/log]# uptime
> 12:19:06 up 112 days, 1:40, 1 user, load average: 1.47, 1.77, 1.87
>
>
> If it's still timing out at five minutes and the server load is not
> high, might it not be a processing power issue?
>
> Where else should I look?

Julian's debug options are an excellent suggestion.

If you're using ordinary file based (instead of SQL based) bayes, I'd also
check in the bayes directory. If there are several ".expire" files lying
around, MailScanner is killing SA while it is attempting to perform expiry on
the bayes DB.

If that's the case, a short-term fix would be to run sa-learn --force-expire
on the command line. That will run the expiry process on the command line, and
you should get a bit of a reprieve before expiry tries to run again during
normal scans.

Longer term solutions (if this is the problem) can be a mixture of:

1) Extend your timeout to be long enough for the bayes DB to expire.

2) Disable SA's bayes auto expire feature, and create a cronjob to run
sa-learn --force-expire

3) Switch off to SQL based bayes, which runs expire *SIGNIFICANTLY* faster
than DB_File does.
(see http://wiki.apache.org/spamassassin/BayesBenchmarkResults, where 3 is a
force-expire operation)

From carock at epconline.com Mon Jul 2 21:14:29 2007
From: carock at epconline.com (Chuck Rock)
Date: Mon Jul 2 21:14:33 2007
Subject: Wierd question
In-Reply-To: <46893CCD.4070900@ecs.soton.ac.uk>
Message-ID: <005a01c7bce5$986cac60$8c007f0a@epctech.com>

Excellent, I will test.

Basically for the other guy, I had a mail server running MS and clamAV and
SpamAssassin. All free stuff, works nice mostly.

I purchased a Barracuda to "add" domains to with an extra fee for the
expensive commercial spam filter.

The final destination server is still the same. I just changed MX so only
the Barracuda was listed.

What I've found through experience though, servers will continue to send
mail to the old MX record even though it doesn't exist. I still have servers
receiving messages for domains we haven't hosted for years.

To keep the spammers from bypassing the new Barracuda filter inserted in the
mail flow, I must make the final destination server ignore messages from all
other IP's for incoming mail destined for specific domains and only allow
them from the new spam filter device IP.

If any of you have a filter like this, and you haven't limited the old MX
server from receiving mail from just any IP for the domain, spam is probably
getting past your new filter.

Thanks,
Chuck

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Monday, July 02, 2007 12:59 PM
To: MailScanner discussion
Subject: Re: Wierd question

You can do this very simply with a ruleset on the "Reject Messages"
configuration option.

To: domain.com and From: 10.1.1.1 no
To: domain.com yes
FromOrTo: default no

That should do the trick I think.

Chuck Rock wrote:
> I have a weird question, but if it's something that can be answered with MS,
> then I'd be very grateful.
>
> I have FreeBSD, MailScanner, ClamAV and Sendmail scanning incoming mail.
>
> I need to take messages to a specific domain and only allow them from a
> certain IP, another mail server. If they come from any other IP then they
> get rejected or deleted.
>
> Is this possible with a MailScanner ruleset?
>
> Thanks,
> Chuck
>
>
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From carock at epconline.com Mon Jul 2 21:24:35 2007
From: carock at epconline.com (Chuck Rock)
Date: Mon Jul 2 21:24:41 2007
Subject: Wierd question
In-Reply-To: <46893CCD.4070900@ecs.soton.ac.uk>
Message-ID: <006a01c7bce7$01ed3aa0$8c007f0a@epctech.com>

This worked great. I wish I had thought of it myself ;-)

I added it to the
Is Definitely Spam = %rules-dir%/spam.blacklist.rules

So it would silently delete.

Thank you!
Chuck

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Monday, July 02, 2007 12:59 PM
To: MailScanner discussion
Subject: Re: Wierd question

You can do this very simply with a ruleset on the "Reject Messages"
configuration option.

To: domain.com and From: 10.1.1.1 no
To: domain.com yes
FromOrTo: default no

That should do the trick I think.

Chuck Rock wrote:
> I have a weird question, but if it's something that can be answered with MS,
> then I'd be very grateful.
>
> I have FreeBSD, MailScanner, ClamAV and Sendmail scanning incoming mail.
>
> I need to take messages to a specific domain and only allow them from a
> certain IP, another mail server. If they come from any other IP then they
> get rejected or deleted.
>
> Is this possible with a MailScanner ruleset?
>
> Thanks,
> Chuck
>
>
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From KGoods at AIAInsurance.com Mon Jul 2 21:40:12 2007
From: KGoods at AIAInsurance.com (Ken Goods)
Date: Mon Jul 2 21:42:15 2007
Subject: Wierd question
Message-ID: <13C0059880FDD3118DC600508B6D4A6D01C2947A@aiainsurance.com>

Chuck Rock wrote:
> Excellent, I will test.
>
> Basically for the other guy, I had a mail server running MS and
> clamAV and SpamAssassin. All free stuff, works nice mostly.
>
> I purchased a Barracuda to "add" domains to with an extra fee for the
> expensive commercial spam filter.
>
> The final destination server is still the same. I just changed MX so
> only the Barracuda was listed.
>
> What I've found through experience though, servers will continue to
> send mail to the old MX record even though it doesn't exist. I still
> have servers receiving messages for domains we haven't hosted for
> years.
>
> To keep the spammers from bypassing the new Barracuda filter inserted
> in the mail flow, I must make the final destination server ignore
> messages from all other IP's for incoming mail destined for specific
> domains and only allow them from the new spam filter device IP.
>
> If any of you have a filter like this, and you haven't limited the
> old MX server from receiving mail from just any IP for the domain,
> spam is probably getting past your new filter.
>
> Thanks,
> Chuck

Hi Chuck,

I had a similar problem come up recently. We were using a MS/SA/Clam box in
front of our Exchange box. I had closed port 25 to the Exchange box from the
big "I" so only mail coming from the filter box would make it to the Exchange
server although both had MX DNS records with the Exchange box being the
primary. We had people outside connecting to the Exchange box with Outlook
(in corporate mode) through OpenVPN. Then it seems that the powers that be
wanted people to be able to connect directly to the Exchange box using
standard email clients (POP/SMTP) and obviously that couldn't be done with
port 25 blocked. What I did was this....
I made the filter box the primary, removed the DNS entries for the Exchange
box and opened port 25 to the Exchange box. I still get a few spams a day
(very few) that are connecting via IP address but other than that it works a
charm.

If you don't need anyone connecting to your final destination server from the
outside, simply block port 25 incoming to it. If both servers are within your
DMZ this should work perfectly and you won't have to mess with rules or other
configurations. Outgoing mail will still flow from the final destination
server since you're not blocking 25 outgoing. I ran my mailserver like that
for almost 2 years without problems.

Just another option, as always YMMV...

Kind regards,
Ken

Ken Goods
Network Administrator
CropUSA Insurance, Inc.

From carock at epconline.com Mon Jul 2 21:54:58 2007
From: carock at epconline.com (Chuck Rock)
Date: Mon Jul 2 21:55:10 2007
Subject: Wierd question
In-Reply-To: <13C0059880FDD3118DC600508B6D4A6D01C2947A@aiainsurance.com>
Message-ID: <007601c7bceb$4095bd00$8c007f0a@epctech.com>

Yeah, that was a dedicated server though.

This is a shared hosting server, so only the people paying extra for the
filter will get it. So the box will still need to receive port 25 traffic
from the outside world for most of the domains it hosts.

Chuck

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken Goods
Sent: Monday, July 02, 2007 3:40 PM
To: 'MailScanner discussion'
Subject: RE: Wierd question

Chuck Rock wrote:
> Excellent, I will test.
>
> Basically for the other guy, I had a mail server running MS and
> clamAV and SpamAssassin. All free stuff, works nice mostly.
>
> I purchased a Barracuda to "add" domains to with an extra fee for the
> expensive commercial spam filter.
>
> The final destination server is still the same. I just changed MX so
> only the Barracuda was listed.
>
> What I've found through experience though, servers will continue to
> send mail to the old MX record even though it doesn't exist. I still
> have servers receiving messages for domains we haven't hosted for
> years.
>
> To keep the spammers from bypassing the new Barracuda filter inserted
> in the mail flow, I must make the final destination server ignore
> messages from all other IP's for incoming mail destined for specific
> domains and only allow them from the new spam filter device IP.
>
> If any of you have a filter like this, and you haven't limited the
> old MX server from receiving mail from just any IP for the domain,
> spam is probably getting past your new filter.
>
> Thanks,
> Chuck

Hi Chuck,

I had a similar problem come up recently. We were using a MS/SA/Clam box in
front of our Exchange box. I had closed port 25 to the Exchange box from the
big "I" so only mail coming from the filter box would make it to the Exchange
server although both had MX DNS records with the Exchange box being the
primary. We had people outside connecting to the Exchange box with Outlook
(in corporate mode) through OpenVPN. Then it seems that the powers that be
wanted people to be able to connect directly to the Exchange box using
standard email clients (POP/SMTP) and obviously that couldn't be done with
port 25 blocked. What I did was this....
I made the filter box the primary, removed the DNS entries for the Exchange
box and opened port 25 to the Exchange box. I still get a few spams a day
(very few) that are connecting via IP address but other than that it works a
charm.

If you don't need anyone connecting to your final destination server from the
outside, simply block port 25 incoming to it. If both servers are within your
DMZ this should work perfectly and you won't have to mess with rules or other
configurations. Outgoing mail will still flow from the final destination
server since you're not blocking 25 outgoing. I ran my mailserver like that
for almost 2 years without problems.

Just another option, as always YMMV...

Kind regards,
Ken

Ken Goods
Network Administrator
CropUSA Insurance, Inc.

From res at ausics.net Mon Jul 2 23:25:29 2007
From: res at ausics.net (Res)
Date: Mon Jul 2 23:25:41 2007
Subject: Doubts about PF, what are the pros/cons about other MTAs?
In-Reply-To:
References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk> <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com> <46878A41.9070100@syska.dk>
Message-ID:

On Mon, 2 Jul 2007, Scott Silva wrote:

>> performance (although I've only used sendmail and qmail, any postmix
>> server I take over gets quickly replaced by either sendmail or qmail so
>> I've never seen the MS/PF issues)
>>
>>
> No fair bashing Postfix while Glenn is on vacation!! ;-P

awwww, he can see it when he gets back :)

--
Cheers
Res

From ssilva at sgvwater.com Tue Jul 3 00:44:53 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Jul 3 00:45:00 2007
Subject: Wierd question
In-Reply-To: <005a01c7bce5$986cac60$8c007f0a@epctech.com>
References: <46893CCD.4070900@ecs.soton.ac.uk> <005a01c7bce5$986cac60$8c007f0a@epctech.com>
Message-ID:

Chuck Rock spake the following on 7/2/2007 1:14 PM:
> Excellent, I will test.
>
> Basically for the other guy, I had a mail server running MS and clamAV and
> SpamAssassin. All free stuff, works nice mostly.
>
> I purchased a Barracuda to "add" domains to with an extra fee for the
> expensive commercial spam filter.
>
> The final destination server is still the same. I just changed MX so only
> the Barracuda was listed.
>
> What I've found through experience though, servers will continue to send
> mail to the old MX record even though it doesn't exist. I still have servers
> receiving messages for domains we haven't hosted for years.
>
> To keep the spammers from bypassing the new Barracuda filter inserted in the
> mail flow, I must make the final destination server ignore messages from all
> other IP's for incoming mail destined for specific domains and only allow
> them from the new spam filter device IP.
>
> If any of you have a filter like this, and you haven't limited the old MX
> server from receiving mail from just any IP for the domain, spam is probably
> getting past your new filter.
>
None of my MX's will relay anything that they are not supposed to relay.
If an MX doesn't need to relay a domain anymore, it should reject it. You want
to reject at the first point of connection, or you have to bounce an NDR and
take a chance of being a joe-job relay.
In sendmail, you remove that domain from the relay_domains, I'm sure every
other MTA has the same feature. An MX should not blindly relay anything. If it
relays for one or a hundred domains, that is all it should be configured for.
Sure it is a little more work, but it doesn't get changed much.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From lists at gmnet.net Tue Jul 3 01:19:03 2007
From: lists at gmnet.net (mail)
Date: Tue Jul 3 01:19:09 2007
Subject: Any advice for a new server?
Message-ID: <1183421943.8123.116.camel@thor.greenbuzz.net>

Hi,

I have been running a mail server with sendmail/ MailScanner/ ClamAV/
Mailman/ Squirrelmail/ combo for the past 7 years. It is now time to
migrate my accounts to a brand new server. I was using Redhat9, but now
I'm 99% sure that I will go with Gentoo. I am also 90% sure that I will
stay with sendmail/ ClamAV/ Squirrelmail and 100% sure to stay with
MailScanner/ Mailman. I don't have a whole lot of accounts so I do have
some room to make changes and play around. Also, I just bought a new
copy of Julian's book, so I have a lot of reading to do! What I really
need is the ability to set up pop and web mail services for my clients,
also I need Mailman lists, and really good spam/ AV filters! Does
anybody have any advice for somebody starting with a fresh server?

Thanks!

rick

From res at ausics.net Tue Jul 3 02:02:22 2007
From: res at ausics.net (Res)
Date: Tue Jul 3 02:02:31 2007
Subject: Any advice for a new server?
In-Reply-To: <1183421943.8123.116.camel@thor.greenbuzz.net>
References: <1183421943.8123.116.camel@thor.greenbuzz.net>
Message-ID:

On Tue, 3 Jul 2007, mail wrote:

> Hi,
>
> I have been running a mail server with sendmail/ MailScanner/ ClamAV/
> Mailman/ Squirrelmail/ combo for the past 7 years. It is now time to
> migrate my accounts to a brand new server. I was using Redhat9, but now
> I'm 99% sure that I will go with Gentoo. I am also 90% sure that I will

You want to make sure you have several years of support, for this reason I
last used a RH OS on servers at RH9, I had one RH9 box for up to 2 years
after RH stopped supporting it, because it was unbreakable. I have since moved
it to the same as other servers, being Slackware, as close to true sources as
you'll get (hence why there is no 20+ updates released every week like
RH/Fedora/Debian etc), version support is at least 5 years or more. Also
extremely reliable and stable, a good time to try it as Slackware 12.0 was
released overnight.

> stay with sendmail/ ClamAV/ Squirrelmail and 100% sure to stay with
> MailScanner/ Mailman. I don't have a whole lot of accounts so I do have

Yep, stay with them all, but make sure you use the latest versions of them.

--
Cheers
Res

From itdept at fractalweb.com Tue Jul 3 05:20:02 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Tue Jul 3 05:20:13 2007
Subject: Any advice for a new server?
In-Reply-To: <1183421943.8123.116.camel@thor.greenbuzz.net>
References: <1183421943.8123.116.camel@thor.greenbuzz.net>
Message-ID: <4689CE72.2040202@fractalweb.com>

mail wrote:
> Hi,
>
> I have been running a mail server with sendmail/ MailScanner/ ClamAV/
> Mailman/ Squirrelmail/ combo for the past 7 years. It is now time to
> migrate my accounts to a brand new server. I was using Redhat9, but now
> I'm 99% sure that I will go with Gentoo. I am also 90% sure that I will
> stay with sendmail/ ClamAV/ Squirrelmail and 100% sure to stay with
> MailScanner/ Mailman. I don't have a whole lot of accounts so I do have
> some room to make changes and play around. Also, I just bought a new
> copy of Julian's book, so I have a lot of reading to do! What I really
> need is the ability to set up pop and web mail services for my clients,
> also I need Mailman lists, and really good spam/ AV filters! Does
> anybody have any advice for somebody starting with a fresh server?
>
Rick,

I'm not a Slackware user like Res is, but I'm overall happy with Centos.
I've been the Gentoo route, and while compiling small things from source is
fine, having to compile for 12+ hours straight on a production server is NOT
cool, and imho offers little benefit over installing pre-compiled binaries
for your hardware.

By all means, investigate Slackware. Play with Centos. Try another
server-class distro or two. And stick with
MailScanner/ClamAV/Sendmail/MailMan/Squirrelmail. Add in some MailWatch. And
please let us know what you discover.

Cheers,
Chris

From r.berber at computer.org Tue Jul 3 07:09:57 2007
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Tue Jul 3 07:10:19 2007
Subject: Any advice for a new server?
In-Reply-To: <4689CE72.2040202@fractalweb.com>
References: <1183421943.8123.116.camel@thor.greenbuzz.net> <4689CE72.2040202@fractalweb.com>
Message-ID:

Chris Yuzik wrote:

> I'm not a Slackware user like Res is, but I'm overall happy with Centos.
> I've been the Gentoo route, and while compiling small things from source
> is fine, having to compile for 12+ hours straight on a production server
> is NOT cool, and imho offers little benefit over installing pre-compiled
> binaries for your hardware.
[snip]

Gentoo also offers pre-compiled packages, installed with the same tool (emerge)...

--
René Berber

From Q.G.Campbell at newcastle.ac.uk Tue Jul 3 08:12:33 2007
From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell)
Date: Tue Jul 3 08:13:18 2007
Subject: Test::Harness, Test::Simple & bug in install.sh (4.6*.*)
Message-ID: <4165CF7A7F12DE4B96622CCBB90586470AC91F9C@largo.campus.ncl.ac.uk>

Julian

Since you added Test::Harness, Test::Simple, etc to the collection of source RPMs in 'install.sh', a number of us have been experiencing MailScanner build problems.

At the heart of this is the 'sort_bug.t' test failure in Test::Simple (Test-Simple-0.70-1). I accept that this flags a genuine problem but as the use of 'eq_set' is now deprecated the 'sort_bug.t' test can be safely ignored.

I did this by using CPAN and forcing the installation of Test-Simple-0.70-1 and Test-Harness-2.64-1 on my RedHat AS4 system. However when you re-run install.sh (from 4.61.7-*) it ignores these already installed versions and tries to reinstall them itself.

The reinstallation problem is linked to line 290 in install.sh where you do:

  PERL5LIB=`perl -V | grep site_perl | grep -v config_args | tr -d ' ' | tr '\n' ':'`

If you _do_not_ set PERL5LIB as above then "./CheckModuleVersion Test::Simple 0.70" works as expected and returns '0'. With PERL5LIB set as above then the above invocation of CheckModuleVersion returns '1' and causes the install.sh script to try to reinstall Test::Simple (which fails because of the sort_bug.t test failure).

I note that CheckModuleVersion also fails to find the already installed version of Test::Harness but it does correctly find most of the other modules you check for.

There appears to be a further problem in install.sh at lines 329 to 334:

  322 FILEPREFIX=perl-${MODFILE}-${VERS}-${BUILD}
  ...
  329 if [ "x${MODFILE}" = "xCompress-Zlib" -o "x${MODFILE}" = "xTest-Harness" ]; then
  330 echo Detected Compress-Zlib, building appropriately...
  331 PERL5LIB= $RPMBUILD --rebuild ${FILEPREFIX}.src.rpm
  332 else
  333 $RPMBUILD --rebuild ${FILEPREFIX}.src.rpm
  334 fi

What is the purpose of line 331?

PS After PERL5LIB is set at line 290 it contains (as an unbroken string):

/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi:/usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi:/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi:/usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi:/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi:/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi:/usr/lib/perl5/site_perl/5.8.5:/usr/lib/perl5/site_perl/5.8.4:/usr/lib/perl5/site_perl/5.8.3:/usr/lib/perl5/site_perl/5.8.2:/usr/lib/perl5/site_perl/5.8.1:/usr/lib/perl5/site_perl/5.8.0:/usr/lib/perl5/site_perl:

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           Newcastle University,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------

From Q.G.Campbell at newcastle.ac.uk Tue Jul 3 08:20:09 2007
From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell) Date: Tue Jul 3 08:20:20 2007 Subject: Test::Harness, Test::Simple & bug in install.sh (4.6*.*) - MORE Message-ID: <4165CF7A7F12DE4B96622CCBB90586470AC91F9E@largo.campus.ncl.ac.uk> Julian I forgot to add to my previous message re. the above the results of the 'perl -V' command: [root@cheviot9 MailScanner-4.61.7-2]# perl -V Summary of my perl5 (revision 5 version 8 subversion 5) configuration: Platform: osname=linux, osvers=2.6.9-22.18.bz155725.elsmp, archname=i386-linux-thread-multi uname='linux hs20-bc1-4.build.redhat.com 2.6.9-22.18.bz155725.elsmp #1 smp thu nov 17 15:34:08 est 2005 i686 i686 i386 gnulinux ' config_args='-des -Doptimize=-O2 -g -pipe -m32 -march=i386 -mtune=pentium4 -Dversion=5.8.5 -Dmyhostname=localhost -Dperladmin=root@localhost -Dcc=gcc -Dcf_by=Red Hat, Inc. -Dinstallprefix=/usr -Dprefix=/usr -Darchname=i386-linux -Dvendorprefix=/usr -Dsiteprefix=/usr -Duseshrplib -Dusethreads -Duseithreads -Duselargefiles -Dd_dosuid -Dd_semctl_semun -Di_db -Ui_ndbm -Di_gdbm -Di_shadow -Di_syslog -Dman3ext=3pm -Duseperlio -Dinstallusrbinperl -Ubincompat5005 -Uversiononly -Dpager=/usr/bin/less -isr -Dinc_version_list=5.8.4 5.8.3 5.8.2 5.8.1 5.8.0' hint=recommended, useposix=true, d_sigaction=define usethreads=define use5005threads=undef useithreads=define usemultiplicity=define useperlio=define d_sfio=undef uselargefiles=define usesocks=undef use64bitint=undef use64bitall=undef uselongdouble=undef usemymalloc=n, bincompat5005=undef Compiler: cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBUGGING -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm', optimize='-O2 -g -pipe -m32 -march=i386 -mtune=pentium4', cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBUGGING -fno-strict-aliasing -pipe -I/usr/local/include -I/usr/include/gdbm' ccversion='', gccversion='3.4.6 20060404 (Red Hat 3.4.6-2)', gccosandvers='' intsize=4, longsize=4, ptrsize=4, doublesize=8, 
byteorder=1234 d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12 ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8 alignbytes=4, prototype=define Linker and Libraries: ld='gcc', ldflags =' -L/usr/local/lib' libpth=/usr/local/lib /lib /usr/lib libs=-lresolv -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc perllibs=-lresolv -lnsl -ldl -lm -lcrypt -lutil -lpthread -lc libc=/lib/libc-2.3.4.so, so=so, useshrplib=true, libperl=libperl.so gnulibc_version='2.3.4' Dynamic Linking: dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/usr/lib/perl5/5.8.5/i386-linux-thread-multi/CORE' cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib' Characteristics of this binary (from libperl): Compile-time options: DEBUGGING MULTIPLICITY USE_ITHREADS USE_LARGE_FILES PERL_IMPLICIT_CONTEXT Built under linux Compiled at Jul 24 2006 18:28:10 @INC: /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 
    /usr/lib/perl5/vendor_perl/5.8.1
    /usr/lib/perl5/vendor_perl/5.8.0
    /usr/lib/perl5/vendor_perl
    .

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           Newcastle University,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------

From pablo at lacnic.net Tue Jul 3 14:00:58 2007
From: pablo at lacnic.net (Pablo Allietti)
Date: Tue Jul 3 13:47:15 2007
Subject: log and hold
Message-ID: <20070703130058.GD43573@micron.lacnic.net.uy>

finally i can install the port in freebsd :)

i change the config for my system and have 2 problems.

1. in the maillog appears every minute and second the next messages
check the seconds and minute please

Jul 3 09:40:35 micron2 MailScanner[50947]: Using SpamAssassin results cache
Jul 3 09:40:35 micron2 MailScanner[50947]: Connected to SpamAssassin cache database
Jul 3 09:40:35 micron2 MailScanner[50947]: Enabling SpamAssassin auto-whitelist functionality...
Jul 3 09:40:37 micron2 MailScanner[50947]: I have found clamavmodule scanners installed, and will use them all by default.
Jul 3 09:40:39 micron2 MailScanner[50910]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
Jul 3 09:40:40 micron2 MailScanner[50984]: MailScanner E-Mail Virus Scanner version 4.60.8 starting...
Jul 3 09:40:40 micron2 MailScanner[50984]: Read 775 hostnames from the phishing whitelist
Jul 3 09:40:40 micron2 MailScanner[50984]: Using SpamAssassin results cache
Jul 3 09:40:40 micron2 MailScanner[50984]: Connected to SpamAssassin cache database
Jul 3 09:40:40 micron2 MailScanner[50984]: Enabling SpamAssassin auto-whitelist functionality...
Jul 3 09:40:42 micron2 MailScanner[50984]: I have found clamavmodule scanners installed, and will use them all by default.
Jul 3 09:40:44 micron2 MailScanner[50947]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
Jul 3 09:40:45 micron2 MailScanner[51021]: MailScanner E-Mail Virus Scanner version 4.60.8 starting...
Jul 3 09:40:45 micron2 MailScanner[51021]: Read 775 hostnames from the phishing whitelist
Jul 3 09:40:45 micron2 MailScanner[51021]: Using SpamAssassin results cache

#############################################

2. Follow the tutorial in Julian page
http://www.mailscanner.info/install/postfix.shtml

i put my postfix in hold..
and every message that i send to the server stay in queue :( i need something in postfix to send this messages or i have an error in mailscanner??

micron2# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
87676308432!    1671 Mon Jul 2 17:09:48  pablo@lacnic.net
                                         pablo@micron2.lacnic.net.uy

From hvdkooij at vanderkooij.org Tue Jul 3 13:54:11 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Jul 3 13:55:20 2007
Subject: log and hold
In-Reply-To: <20070703130058.GD43573@micron.lacnic.net.uy>
References: <20070703130058.GD43573@micron.lacnic.net.uy>
Message-ID:

On Tue, 3 Jul 2007, Pablo Allietti wrote:

> 1. in the maillog appears every minute and second the next messages
> check the seconds and minute please

...

> Jul 3 09:40:37 micron2 MailScanner[50947]: I have found clamavmodule
> scanners installed, and will use them all by default.
> Jul 3 09:40:39 micron2 MailScanner[50910]: None of the files matched by
> the "Monitors For ClamAV Updates" patterns exist!

You need to fix this.

> 2. Follow the tutorial in Julian page
> http://www.mailscanner.info/install/postfix.shtml
>
> i put my postfix in hold.. and every message that i send to the server
> stay in queue :( i need something in postfix to send this messages or i
> have an error in mailscanner??

You need to fix issue 1. Then issue 2 should be gone as well.

Your system is missing a working MS so no one will read the queue.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From pablo at lacnic.net Tue Jul 3 15:14:02 2007
From: pablo at lacnic.net (Pablo Allietti) Date: Tue Jul 3 15:00:21 2007 Subject: log and hold In-Reply-To: References: <20070703130058.GD43573@micron.lacnic.net.uy> Message-ID: <20070703141402.GF43573@micron.lacnic.net.uy> On Tue, Jul 03, 2007 at 02:54:11PM +0200, Hugo van der Kooij wrote: > On Tue, 3 Jul 2007, Pablo Allietti wrote: > > >1. in the maillog appears avery minute and second the nexts messages > >check the seconds and minute please > > ... > >Jul 3 09:40:37 micron2 MailScanner[50947]: I have found clamavmodule > >scanners installed, and will use them all by default. > >Jul 3 09:40:39 micron2 MailScanner[50910]: None of the files matched by > >the "Monitors For ClamAV Updates" patterns exist! > > You need to fix this. > > >2. Follow the tutorial in Julian page > >http://www.mailscanner.info/install/postfix.shtml > > > >i put my postfix in hold.. and every message that i send to the server > >stay in queue :( i need somthing in postfix to send this messages or i > >have an error in mailscanner?? > > You need to fix issue 1. Then issue 2 should be gone as well. > > Your system is missing a working MS so no one will read the queue. done! thanks ... i change auto for clamav and work perfectly now. :) > > Hugo. > > -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > This message is using 100% recycled electrons. > > Some men see computers as they are and say "Windows" > I use computers with Linux and say "Why Windows?" > (Thanks JFK, for the insight.) > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ---end quoted text--- -- .- Pablo Allietti E-mail: pablo@lacnic.net | LACNIC Phone : +598 2 6042222 | http://LACNIC.NET From rob at dido.ca Tue Jul 3 15:40:30 2007 
From: rob at dido.ca (Rob Morin)
Date: Tue Jul 3 15:40:31 2007
Subject: A simple test custome rule?
Message-ID: <468A5FDE.9020300@dido.ca>

Hello all... i wanted to make a test custom rule as a test to start to write my own rules as i have not done this before....

so in local.cf i wrote

header   DIDO_ATTACHMENT_SUBJECT_RULE Subject =~ /testing 123/i
score    DIDO_ATTACHMENT_SUBJECT_RULE 2.50
describe DIDO_ATTACHMENT_SUBJECT_RULE Test Headers

However after a reload of MS and SA this rule is never seen/used??

What would i be doing wrong, i read the custom rule wiki at apache

Any help appreciated...

using SA version 3.17 and pretty much latest MS

thanks

--
Rob Morin
Dido InterNet Inc.
Montreal, Canada
Http://www.dido.ca
514-990-4444

From cschnee at box.telemedia.ch Tue Jul 3 15:56:44 2007
From: cschnee at box.telemedia.ch (Christoph Schneeberger)
Date: Tue Jul 3 15:57:05 2007
Subject: Problem with MS on OpenBSD 4.1
Message-ID: <468A63AC.5040808@box.telemedia.ch>

Hello,

I am using Mailscanner since quite a time and I am currently building up a new site with the latest components and a recent OS.

I am using MailScanner 4.61.7 on OpenBSD 4.1_stable (as of 29th of June).

I have my MailScanner running as it seems, but however and whatever I configure I never get detailed Spamassassin results in the header. Just the Spamscore character or the numeric Score (depending on how i configure it). But the spam recognition seems to work so far.

I have all options in MailScanner.conf that seem to refer to that set to yes:

Spam Score = yes
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = yes

When I run MS and SA in debug mode I get an error at line 832 in Mailscanner which is the following line:

$batch->Explode();

The error I get is

[24820] dbg: locker: safe_unlock: unlocked /root/.spamassassin/bayes.mutex
[24820] dbg: learn: initializing learner
Ignore errors about failing to find EOCD signature
format error: can't find EOCD signature
 at /opt/MailScanner/bin/MailScanner line 832
Stopping now as you are debugging me.
Done.

I currently have no Antivirus configured since in the beginning I got issues with MailScanner telling that it can't change group to "clamav" (its named _clamav in OpenBSD), so I fixed this and the error went away, but to make sure I set the Antivirus to none.

I haven't included my complete config, Mailscanner -v output and/or the complete debug output since its quite large and I was unsure if this would be considered rude on this list.
So if I need to post them I'll happily provide them here.

If anybody has any hints for me where to look further or what to do I would highly appreciate it, I am working on this since almost 2 days and I am really running out of ideas on where to look.
Many thanks in advance and cheers from rainy switzerland, Christoph From MailScanner at ecs.soton.ac.uk Tue Jul 3 15:55:10 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jul 3 16:00:27 2007 Subject: A simple test custome rule? In-Reply-To: <468A5FDE.9020300@dido.ca> References: <468A5FDE.9020300@dido.ca> Message-ID: <468A634E.2080002@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Where did you put local.cf? Rob Morin wrote: > Hello all... i wanted to make a test custom rule as a test to start to > write my own rules as i have not done this before.... > > so in local.cf i wrote > > header DIDO_ATTACHMENT_SUBJECT_RULE Subject =~ /testing > 123/i score DIDO_ATTACHMENT_SUBJECT_RULE 2.50 > describe DIDO_ATTACHMENT_SUBJECT_RULE Test Headers > > However after a reload of MS and SA this rule is never seen/used?? > > What would i be doing wrong, i read the custom rule wiki at apache > > Any help appreciated... > > using SA version 3.17 and pretty much latest MS > > thanks > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFGimNdEfZZRxQVtlQRArzhAKDAetPqAfjxQCIeRlZIg8KgWPj3xwCdGJO4 NOiDhL46APDoFmVHeNcBnNE= =eksY -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From minduni at ti-edu.ch Tue Jul 3 16:08:19 2007 
From: minduni at ti-edu.ch (Marco Induni)
Date: Tue Jul 3 16:08:22 2007
Subject: Filename rule question
Message-ID: <468A6663.8010907@ti-edu.ch>

Hi All,
I try to deny some email attachments based just on the filename.
So I setup the following test rule to deny all attachment for email sent to me@pluto.com (obviously just a real address)

- in /etc/MailScanner/Mailscanner.conf
-- Filename Rules = %rules-dir%/filename-rules.rules

- in /etc/MailScanner/rules/filename-rules.rules
-- To: me@pluto.com /etc/MailScanner/filename-alldeny.conf
-- FromOrTo: default /etc/MailScanner/filename-nocheck.rules.conf

- in /etc/MailScanner/filename-alldeny.conf
-- deny .* - -

- in /etc/MailScanner/filename-nocheck.rules.conf
-- allow .* - -

So I expect that any attachment will be denied, but is not true.
It seems that everything is passing through, and the rule is not matching anything.
I've done MailScanner --lint and no syntax error appear.
I've also tried the standard rules enclosed (deny .exe .reg,...), but didn't work.

Question, for the filename rule to work, should I always setup also the filetype rule ?
Any other ideas ?
Where I'm wrong ?

Thank you and best regards
Marco Induni

From MailScanner at ecs.soton.ac.uk Tue Jul 3 16:04:58 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jul 3 16:08:48 2007 Subject: Problem with MS on OpenBSD 4.1 In-Reply-To: <468A63AC.5040808@box.telemedia.ch> References: <468A63AC.5040808@box.telemedia.ch> Message-ID: <468A659A.3090602@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Christoph Schneeberger wrote: > Hello, > > I am using Mailscanner since quite a time and I am currently building up > a new site with the latest components and a recent OS. > > I am using MailScanner 4.61.7 on OpenBSD 4.1_stable (as of 29th of June). > > I have my MailScanner running as it seems, but however and whatever I > configure I never get detailed Spamassassin results in the header. Just > the Spamscore character or the numeric Score (depening on how i > configure it). But the spam recognition seems to work so far. > > I have all options in MailScanner.conf that seem to refer to that set to > yes: > > Spam Score = yes > Detailed Spam Report = yes > Include Scores In SpamAssassin Report = yes > Always Include SpamAssassin Report = yes > > > When I run MS and SA in debug mode I get an error at line 832 in > Mailscanner which is the following line: > > $batch->Explode(); > > The error I get is > > > [24820] dbg: locker: safe_unlock: unlocked /root/.spamassassin/bayes.mutex > [24820] dbg: learn: initializing learner > Ignore errors about failing to find EOCD signature > That line gives a hint. > format error: can't find EOCD signature > at /opt/MailScanner/bin/MailScanner line 832 > So you can ignore that. > Stopping now as you are debugging me. > Done. > It has run to completion normally. It hasn't bombed out on an error at all. It has done exactly what it is supposed to do in Debug mode: process 1 batch of messages and then exit. 
> I currently have no Antivirus configured since in the beginning I got > issues with MailScanner telling that it can't change group to "clamav" > (its named _clamav in OpenBSD), so I fixed this and the error went away, > but to make sure I set the Antivirus to none. > > I haven't included my complete config, Mailscanner -v output and/or the > complete debug output since its quite large and I was unsure if this > would be considered rude on this list. > So if I need to post them I'll happily provide them here. > > If anybody has any hints for me where to look further or what to do I > would highly appreciate it, I am working on this since almost 2 days and > I am really running out of ideas on where to look. > > Many thanks in advance and cheers from rainy switzerland, > Christoph > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFGimWbEfZZRxQVtlQRAsQrAKC/xXzMz8c68WAcUvCaEPRAMYaJQQCgk3J3 Q4Z7w28mw1Hg2tBN2dFM+8M= =401R -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From rob at dido.ca Tue Jul 3 16:10:08 2007 
From: rob at dido.ca (Rob Morin) Date: Tue Jul 3 16:10:07 2007 Subject: {Spam?} Re: A simple test custome rule? In-Reply-To: <468A634E.2080002@ecs.soton.ac.uk> References: <468A5FDE.9020300@dido.ca> <468A634E.2080002@ecs.soton.ac.uk> Message-ID: <468A66D0.4040706@dido.ca> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070703/ec0fdfc3/attachment.html From cschnee at box.telemedia.ch Tue Jul 3 16:19:57 2007 
From: cschnee at box.telemedia.ch (Christoph Schneeberger) Date: Tue Jul 3 16:23:40 2007 Subject: Problem with MS on OpenBSD 4.1 In-Reply-To: <468A659A.3090602@ecs.soton.ac.uk> References: <468A63AC.5040808@box.telemedia.ch> <468A659A.3090602@ecs.soton.ac.uk> Message-ID: <468A691D.7020605@box.telemedia.ch> Hi Julian, Thanks for your reply. Julian Field wrote: .. > >When I run MS and SA in debug mode I get an error at line 832 in > >Mailscanner which is the following line: > > >$batch->Explode(); > > >The error I get is > > > > >[24820] dbg: locker: safe_unlock: unlocked > /root/.spamassassin/bayes.mutex > >[24820] dbg: learn: initializing learner > >Ignore errors about failing to find EOCD signature > > > That line gives a hint. > > >format error: can't find EOCD signature > > at /opt/MailScanner/bin/MailScanner line 832 > > > So you can ignore that. > > >Stopping now as you are debugging me. > > Done. > > > It has run to completion normally. It hasn't bombed out on an error at > all. It has done exactly what it is supposed to do in Debug mode: > process 1 batch of messages and then exit. Ok thanks, i was thinking that too, but somebody on irc told me i need to get rid of this line832 error and that would solve my problem of not having any detailed Spamassassin result headers at all. So could you give me any direction or hints where I could further search to get that problem of not having detailed results in the header solved, since thats the only problem I really have. Or asked else: Is anybody on this list running a current MailScanner on OpenBSD 4.1 successfully and do you have any hints for me where too look ? Thanks a lot and best regards, Christoph From cparker at swatgear.com Tue Jul 3 16:41:24 2007 
From: cparker at swatgear.com (Chris W. Parker)
Date: Tue Jul 3 16:41:27 2007
Subject: SpamAssassin is constantly timing out
References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local> <468955F8.1090701@ecs.soton.ac.uk>
Message-ID: <97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local>

On Monday, July 02, 2007 12:46 PM Julian Field said:

> Start MailScanner with
> MailScanner -debug -debug-sa
> and thump Ctrl-S when it pauses. This should tell you what is causing
> the timeouts. (Ctrl-Q continues the output that Ctrl-S pauses)

Thanks Julian.

I had no idea what I was looking for as the information came up but on one of the times when I paused the output I noticed it said that ClamAV was out of date or not compatible or something. I put my thinking cap on and remembered that I never ran the ClamAV+SA module that I downloaded from the MailScanner site. So I ran that and restarted MailScanner and checked the maillog this morning and it looks like the timeouts have stopped.

But during the install process of the ClamAV+SA module I got this message:

About to build the ClamAV virus scanner
./install.sh: ./configure: /bin/sh: bad interpreter: Permission denied
make: *** No targets specified and no makefile found. Stop.
make: *** No rule to make target `install'. Stop.

That doesn't make me feel warm and fuzzy inside, but still it seems that ClamAV is working because of the following messages in maillog:

Jul 3 05:12:03 filter MailScanner[26690]: I have found bitdefender clamavmodule scanners installed, and will use them all by default.
Jul 3 06:08:51 filter update.virus.scanners: Found clamav installed
Jul 3 06:08:51 filter update.virus.scanners: Running autoupdate for clamav
Jul 3 06:08:52 filter ClamAV-autoupdate[29788]: ClamAV did not need updating

Does all this sound copasetic?

Thanks!
Chris.

From itdept at fractalweb.com Tue Jul 3 18:41:33 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Tue Jul 3 18:41:47 2007
Subject: Any advice for a new server?
In-Reply-To:
References: <1183421943.8123.116.camel@thor.greenbuzz.net> <4689CE72.2040202@fractalweb.com>
Message-ID: <468A8A4D.1030604@fractalweb.com>

René Berber wrote:
> Chris Yuzik wrote:
>
>
>> I'm not a Slackware user like Res is, but I'm overall happy with Centos.
>> I've been the Gentoo route, and while compiling small things from source
>> is fine, having to compile for 12+ hours straight on a production server
>> is NOT cool, and imho offers little benefit over installing pre-compiled
>> binaries for your hardware.
>>
> [snip]
>
> Gentoo also offers pre-compiled packages, installed with the same tool (emerge)...
>

René,

Thanks. I did not know that. I should have pointed out that it's been years (about 3 and a half) since I last played with Gentoo. I still remember spending 2+ days compiling openoffice.org. :-)

Chris

From glenn.steen at gmail.com Tue Jul 3 18:51:06 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jul 3 18:51:09 2007 Subject: Filename rule question In-Reply-To: <468A6663.8010907@ti-edu.ch> References: <468A6663.8010907@ti-edu.ch> Message-ID: <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> On 03/07/07, Marco Induni wrote: > Hi All, > I try to deny some email attachments based just on the filename. > So I setup the following test rule to deny all attachment for email > sended to me@pluto.com (obviously just a real address) > > - in /etc/MailScanner/Mailscanner.conf > -- Filename Rules = %rules-dir%/filename-rules.rules > > - in /etc/MailScanner/rules/filename-rules.rules > -- To: me@pluto.com /etc/MailScanner/filename-alldeny.conf > -- FromOrTo: default > /etc/MailScanner/filename-nocheck.rules.conf > > - in /etc/MailScanner/filename-alldeny.conf > -- deny .* - - > > - in /etc/MailScanner/filename-nocheck.rules.conf > -- allow .* - - > > > So I expect that any attachment will be denied, but is not true. > It seems that everything is passing through, and the rule is not > matching anything. > I've done MailScanner --lint and no syntax error appear. > I've also tried the standard rules enclosed (deny .exe .reg,...), but > didn't work. When troubleshooting things like these, always doublecheck your assumptions with MailScanner itself... Try "MailScanner --help" to see the possible things you can do ... apart from the well-known --debug and --lint (start by doing a lint... it'll show you any bad syntax errors), you can also try any setting with any sender/receiver .... In your case you'd test MailScanner --value=filenamerules --from=anyone@example.net --to=me@pluto.com and perhaps some variations ... Replace with addresses valid to your situation. > Question, for the filename rule to work, should I always setup also the > filetype rule ? Almost always a good thing to do, yes. Check those with the same strategy/commands. > Any other ideas ? > Where I'm wrong ? Probably a typo. 
Might be related to those files needing to be separated... Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From rob at dido.ca Tue Jul 3 19:04:34 2007 From: rob at dido.ca (Rob Morin) Date: Tue Jul 3 19:04:33 2007 Subject: {Spam?} Re: A simple test custome rule? In-Reply-To: <468A634E.2080002@ecs.soton.ac.uk> References: <468A5FDE.9020300@dido.ca> <468A634E.2080002@ecs.soton.ac.uk> Message-ID: <468A8FB2.20908@dido.ca> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070703/85578fda/attachment.html From glenn.steen at gmail.com Tue Jul 3 19:15:43 2007 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 3 19:15:45 2007
Subject: Problem with MS on OpenBSD 4.1
In-Reply-To: <468A691D.7020605@box.telemedia.ch>
References: <468A63AC.5040808@box.telemedia.ch> <468A659A.3090602@ecs.soton.ac.uk> <468A691D.7020605@box.telemedia.ch>
Message-ID: <223f97700707031115m7f156454wac3f7b80febe5434@mail.gmail.com>

On 03/07/07, Christoph Schneeberger wrote:
> Hi Julian,
>
> Thanks for your reply.
>
> Julian Field wrote:
> ..
>
> > >When I run MS and SA in debug mode I get an error at line 832 in
> > >Mailscanner which is the following line:
> >
> > >$batch->Explode();
> >
> > >The error I get is
> >
> > >
> > >[24820] dbg: locker: safe_unlock: unlocked
> > /root/.spamassassin/bayes.mutex
> > >[24820] dbg: learn: initializing learner
> > >Ignore errors about failing to find EOCD signature
> >
> >
> > That line gives a hint.
> >
> > >format error: can't find EOCD signature
> > > at /opt/MailScanner/bin/MailScanner line 832
> >
> >
> > So you can ignore that.
> >
> > >Stopping now as you are debugging me.
> > > Done.
> >
> >
> > It has run to completion normally. It hasn't bombed out on an error at
> > all. It has done exactly what it is supposed to do in Debug mode:
> > process 1 batch of messages and then exit.
>
>
> Ok thanks, i was thinking that too, but somebody on irc told me i need
> to get rid of this line832 error and that would solve my problem of not
> having any detailed Spamassassin result headers at all.
>
> So could you give me any direction or hints where I could further search
> to get that problem of not having detailed results in the header solved,
> since thats the only problem I really have.
>
> Or asked else: Is anybody on this list running a current MailScanner on
> OpenBSD 4.1 successfully and do you have any hints for me where too look ?
>
> Thanks a lot and best regards,
> Christoph
>

OpenBSD isn't exactly unheard of, but it certainly isn't one of the more used OSes....
But this might not be anything specific to your OS... Call me dull, but
did you run a
MailScanner --debug --debug-sa
... with something obvious, like a GTUBE, on queue?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From rlane at i-centrix.com Tue Jul 3 19:19:31 2007
From: rlane at i-centrix.com (Ryan Lane)
Date: Tue Jul 3 19:18:47 2007
Subject: New support for clamd
Message-ID: <468A9333.1040702@i-centrix.com>

The new support for clamd is most excellent! I run a fairly busy server,
and the processing times are significantly better. I just implemented
the change this morning, and I immediately saw the benefit. The load on
the server is considerably better too. Down from an almost constant
1.00+ load average to 0.20

Thanks for the great work, and continual improvements.

-Ryan

From ms-list at alexb.ch Tue Jul 3 19:21:38 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Jul 3 19:21:45 2007
Subject: {Spam?} Re: A simple test custome rule?
In-Reply-To: <468A8FB2.20908@dido.ca>
References: <468A5FDE.9020300@dido.ca> <468A634E.2080002@ecs.soton.ac.uk> <468A8FB2.20908@dido.ca>
Message-ID: <468A93B2.3030201@alexb.ch>

On 7/3/2007 8:04 PM, Rob Morin wrote:
> Ok so i see my rule now in the headers for the email, so i guess its working...
> however it seems that it would not work alone??
>
> IE, if i send a regular email with the text in the subject that i am looking
> for, the email comes through with no score at all, even though i associated my
> rule with a score of 2.75
>
> Strange, i guess there is something i am missing....
>
> Yes, score=20.952 tag=-9999 tag2=4.5 kill=7.5 tests=[BAYES_99=3.5,
> DIDO_PDF_ATTACHMENT_SUBJECT_RULE=2.75, HELO_DYNAMIC_IPADDR=4.2,
> RCVD_IN_BL_SPAMCOP_NET=1.558, RCVD_IN_NJABL_DUL=2, RCVD_IN_PBL=0.001,
> RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=4.897]
>
> My rule is DIDO_PDF_ATTACHMENT_SUBJECT_RULE=2.75
>
> but if i send an email with .pdf in the subject it does not get caught.... weird...
>
> ### To catch that pdf attach email crap in the subject line
> header DIDO_PDF_ATTACHMENT_SUBJECT_RULE Subject =~ /.pdf/i
> score DIDO_PDF_ATTACHMENT_SUBJECT_RULE 2.75
> describe DIDO_PDF_ATTACHMENT_SUBJECT_RULE PDF Crap

try escaping the period

Subject =~ /\.pdf/i

Alex

From MailScanner at ecs.soton.ac.uk Tue Jul 3 19:21:47 2007
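[Added example, not part of any list message.] Alex's point about the unescaped period in Rob's rule, checked against sample subjects. Python's re module stands in for SpamAssassin's Perl regex engine (the two agree for these patterns), the subjects are constructed, and compile_header_rule, suspicious_dots and audit are hypothetical helper names.

```python
import re

# Matches only the simple rule form used in this thread:
#   header NAME Header =~ /regex/flags
RULE_RE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/([a-z]*)\s*$")

# Constructed sample Subject values (not taken from real mail).
SAMPLE_SUBJECTS = [
    "invoice.pdf",
    "Please send me the PDF",
    "Minutes of the meeting",
]

LOOSE = r"header DIDO_PDF_ATTACHMENT_SUBJECT_RULE Subject =~ /.pdf/i"
STRICT = r"header DIDO_PDF_ATTACHMENT_SUBJECT_RULE Subject =~ /\.pdf/i"


def compile_header_rule(line):
    """Return (name, header, compiled regex) for a simple header rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a simple header rule: %r" % line)
    name, header, pattern, flags = m.groups()
    return name, header, re.compile(pattern, re.IGNORECASE if "i" in flags else 0)


def suspicious_dots(pattern):
    """Offsets of an unescaped '.' directly followed by a letter or digit.

    That shape ('.pdf', '1.5.0.12') usually means a literal period was
    intended. A wildcard such as '.{1,40}' or '.*' is not flagged.
    """
    hits, i, in_class = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2  # skip the escaped character
            continue
        if c == "[":
            in_class = True
        elif c == "]":
            in_class = False
        elif (c == "." and not in_class
              and i + 1 < len(pattern) and pattern[i + 1].isalnum()):
            hits.append(i)
        i += 1
    return hits


def audit(line, subjects=SAMPLE_SUBJECTS):
    """Show which sample subjects a rule hits and where its dots look wrong."""
    name, header, rx = compile_header_rule(line)
    return {
        "rule": name,
        "header": header,
        "suspicious_dots": suspicious_dots(rx.pattern),
        "matched": [s for s in subjects if rx.search(s)],
    }


if __name__ == "__main__":
    for rule in (LOOSE, STRICT):
        print(audit(rule))
```

The unescaped form also hits "Please send me the PDF", because the dot matches the space before "PDF"; the escaped form only hits a literal ".pdf".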
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 3 19:27:39 2007
Subject: SpamAssassin is constantly timing out
In-Reply-To: <97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local>
References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local> <468955F8.1090701@ecs.soton.ac.uk> <97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local>
Message-ID: <468A93BB.40603@ecs.soton.ac.uk>

Chris W. Parker wrote:
> On Monday, July 02, 2007 12:46 PM Julian Field said:
>
>
>> Start MailScanner with
>> MailScanner -debug -debug-sa
>> and thump Ctrl-S when it pauses. This should tell you what is causing
>> the timeouts. (Ctrl-Q continues the output that Ctrl-S pauses)
>>
>
> Thanks Julian.
>
> I had no idea what I was looking for as the information came up but on
> one of the times when I paused the output I noticed it said that ClamAV
> was out of date or not compatible or something. I put my thinking cap on
> and remembered that I never ran the ClamAV+SA module that I downloaded
> from the MailScanner site. So I ran that and restarted MailScanner and
> checked the maillog this morning and it looks like the timeouts have
> stopped.
>
> But during the install process of the ClamAV+SA module I got this
> message:
>
> About to build the ClamAV virus scanner
> ./install.sh: ./configure: /bin/sh: bad interpreter: Permission denied
>
That's really weird, never seen that before. I assume you have a /bin/sh!
> make: *** No targets specified and no makefile found. Stop.
> make: *** No rule to make target `install'. Stop.
>
> That doesn't make me feel warm and fuzzy inside, but still it seems that
> ClamAV is working because of the following messages in maillog:
>
> Jul 3 05:12:03 filter MailScanner[26690]: I have found bitdefender
> clamavmodule scanners installed, and will use them all by default.
> Jul 3 06:08:51 filter update.virus.scanners: Found clamav installed
> Jul 3 06:08:51 filter update.virus.scanners: Running autoupdate for
> clamav
> Jul 3 06:08:52 filter ClamAV-autoupdate[29788]: ClamAV did not need
> updating
>
> Does all this sound copasetic?
>
Sounds like you have a version of ClamAV already installed. If it's an
RPM of ClamAV then look for updates at dag.wieers.com.
>
> Thanks!
> Chris.
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From MailScanner at ecs.soton.ac.uk Tue Jul 3 19:23:33 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 3 19:33:12 2007
Subject: Filename rule question
In-Reply-To: <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com>
References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com>
Message-ID: <468A9425.3050007@ecs.soton.ac.uk>

Glenn Steen wrote:
> On 03/07/07, Marco Induni wrote:
>> Hi All,
>> I try to deny some email attachments based just on the filename.
>> So I setup the following test rule to deny all attachment for email
>> sent to me@pluto.com (obviously just a real address)
>>
>> - in /etc/MailScanner/Mailscanner.conf
>> -- Filename Rules = %rules-dir%/filename-rules.rules
>>
>> - in /etc/MailScanner/rules/filename-rules.rules
>> -- To: me@pluto.com /etc/MailScanner/filename-alldeny.conf
>> -- FromOrTo: default
>> /etc/MailScanner/filename-nocheck.rules.conf
>>
>> - in /etc/MailScanner/filename-alldeny.conf
>> -- deny .* - -
>>
>> - in /etc/MailScanner/filename-nocheck.rules.conf
>> -- allow .* - -
>>
>>
>> So I expect that any attachment will be denied, but is not true.
>> It seems that everything is passing through, and the rule is not
>> matching anything.
>> I've done MailScanner --lint and no syntax error appear.
>> I've also tried the standard rules enclosed (deny .exe .reg,...), but
>> didn't work.
>
> When troubleshooting things like these, always doublecheck your
> assumptions with MailScanner itself... Try "MailScanner --help" to see
> the possible things you can do ... apart from the well-known --debug
> and --lint (start by doing a lint... it'll show you any bad syntax
> errors), you can also try any setting with any sender/receiver .... In
> your case you'd test
> MailScanner --value=filenamerules --from=anyone@example.net
> --to=me@pluto.com
> and perhaps some variations ... Replace with addresses valid to your
> situation.
>
>> Question, for the filename rule to work, should I always setup also the
>> filetype rule ?
>
> Almost always a good thing to do, yes. Check those with the same
> strategy/commands.
>
>
>> Any other ideas ?
>> Where I'm wrong ?
>
> Probably a typo. Might be related to those files needing to be
> separated...
That catches out a lot of people. filename.rules.conf and its brethren
have to be tab-separated as otherwise the filename and filetype regular
expressions cannot include spaces.
>
> Cheers

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From Denis.Beauchemin at USherbrooke.ca Tue Jul 3 19:36:24 2007
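[Added example, not part of any list message.] A small checker for the tab-separation requirement Julian describes for filename.rules.conf. It assumes each rule has four fields (action, regex, log text, user report), as in Marco's "deny .* - -" lines, that a run of tabs counts as one separator, and that the action is one of allow, deny or deny+delete; the sample file is constructed and parse_filename_rules is a hypothetical helper name.

```python
import re

# Assumption: the first field is one of these actions.
ACTIONS = {"allow", "deny", "deny+delete"}

# Constructed sample. Line 2 is typed with spaces, as in Marco's post;
# lines 3 and 4 use real tab characters. Line 4 shows why tabs matter:
# its regex contains a space.
SAMPLE = (
    "# action<TAB>regex<TAB>log text<TAB>user report\n"
    "deny .* - -\n"
    "deny\t.*\t-\t-\n"
    "deny\tannual report\\.exe$\tExecutable posing as a report"
    "\tExecutables are blocked\n"
)


def parse_filename_rules(text):
    """Return (rules, problems) for the text of a filename rules file.

    rules    -- list of (action, regex, log_text, user_text) tuples
    problems -- list of (line_number, message) tuples
    """
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if "\t" not in line:
            problems.append(
                (lineno, "no tab characters: fields are separated by spaces"))
            continue
        # Assumption: a run of tabs is a single separator.
        fields = re.split(r"\t+", line)
        if len(fields) != 4:
            problems.append(
                (lineno,
                 "expected 4 tab-separated fields, found %d" % len(fields)))
            continue
        action, pattern, log_text, user_text = fields
        if action not in ACTIONS:
            problems.append((lineno, "unknown action %r" % action))
            continue
        rules.append((action, pattern, log_text, user_text))
    return rules, problems


if __name__ == "__main__":
    parsed, found = parse_filename_rules(SAMPLE)
    for lineno, message in found:
        print("line %d: %s" % (lineno, message))
    for rule in parsed:
        print("ok:", rule)
```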
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Tue Jul 3 19:36:54 2007
Subject: {Spam?} Re: A simple test custome rule?
In-Reply-To: <468A8FB2.20908@dido.ca>
References: <468A5FDE.9020300@dido.ca> <468A634E.2080002@ecs.soton.ac.uk> <468A8FB2.20908@dido.ca>
Message-ID: <468A9728.1000701@USherbrooke.ca>

Rob Morin wrote:
> Ok so i see my rule now in the headers for the email, so i guess its
> working... however it seems that it would not work alone??

Do you have the following in MailScanner.conf:
Always Include SpamAssassin Report = yes

If not then you will not see your rule hit unless the email is
considered spam...

Denis
--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From shuttlebox at gmail.com Tue Jul 3 19:54:35 2007
From: shuttlebox at gmail.com (shuttlebox)
Date: Tue Jul 3 19:54:39 2007
Subject: SpamAssassin is constantly timing out
In-Reply-To: <97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local>
References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local> <468955F8.1090701@ecs.soton.ac.uk> <97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local>
Message-ID: <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com>

On 7/3/07, Chris W. Parker wrote:
> ./install.sh: ./configure: /bin/sh: bad interpreter: Permission denied

Where was install.sh located? Maybe in /tmp mounted with noexec?

--
/peter

From cparker at swatgear.com Tue Jul 3 20:18:55 2007
From: cparker at swatgear.com (Chris W. Parker)
Date: Tue Jul 3 20:18:57 2007
Subject: SpamAssassin is constantly timing out
References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local><468955F8.1090701@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com>
Message-ID: <97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local>

On Tuesday, July 03, 2007 11:55 AM shuttlebox said:

> On 7/3/07, Chris W. Parker wrote:
>> ./install.sh: ./configure: /bin/sh: bad interpreter: Permission
>> denied
>
> Where was install.sh located? Maybe in /tmp mounted with noexec?

It's here:

[root@filter ~/downloads/install-Clam-0.90.3-SA-3.2.1]#

But yes, /tmp is mounted with noexec.


Chris.

From dboltz at gmail.com Tue Jul 3 20:24:47 2007
From: dboltz at gmail.com (Dave Boltz)
Date: Tue Jul 3 20:24:55 2007
Subject: MailScanner not delivering mail anymore
Message-ID: <3c1d4f520707031224i18258d45pd90079220d8eac93@mail.gmail.com>

I've been going through stuff all day and I'm really stuck here. I hope
someone can help me. I use MailScanner with sendmail. This setup has
been in place for years and worked without problems. All of a sudden
this weekend it stopped delivering its mail from the incoming queue but
instead just piles up there. If I modify my MailScanner.conf file to run
in debug mode it will process a bunch of email and send it off but it's
always finishing with the messages below. I notice from MailWatch that
if I run this without debug mode it will start marking all email as a
virus after some time. The number of EOCD messages seems to vary with
the number of email processed in that run.

Does anyone have any clues as to how I can solve this issue?

Starting MailScanner daemons:
incoming sendmail: SPF milter already running
[ OK ]
outgoing sendmail: [ OK ]
MailScanner: In Debugging mode, not forking...
Ignore errors about failing to find EOCD signature
format error: can't find EOCD signature
at /usr/sbin/MailScanner line 820
format error: can't find EOCD signature
at /usr/sbin/MailScanner line 820
commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 707.
Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 707.
Stopping now as you are debugging me.
[ OK ]

From jkf at ecs.soton.ac.uk Tue Jul 3 20:23:35 2007
From: jkf at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 3 20:27:20 2007
Subject: SpamAssassin is constantly timing out
In-Reply-To: <97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local>
References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local><468955F8.1090701@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com> <97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local>
Message-ID: <468AA237.3070404@ecs.soton.ac.uk>

Chris W. Parker wrote:
> On Tuesday, July 03, 2007 11:55 AM shuttlebox said:
>
>
>> On 7/3/07, Chris W. Parker wrote:
>>
>>> ./install.sh: ./configure: /bin/sh: bad interpreter: Permission
>>> denied
>>>
>> Where was install.sh located? Maybe in /tmp mounted with noexec?
>>
>
> It's here:
>
> [root@filter ~/downloads/install-Clam-0.90.3-SA-3.2.1]#
>
> But yes, /tmp is mounted with noexec.
>
That's the problem then. Type this and then rerun the ./install.sh script.
mount -o remount,exec /tmp
>
>
> Chris.
>

Jules

--
Julian Field MBCS CITP
jkf@ecs.soton.ac.uk
Teaching Systems Manager
Electronics & Computer Science
University of Southampton
SO17 1BJ, UK

From MailScanner at ecs.soton.ac.uk Tue Jul 3 20:48:08 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 3 20:51:06 2007
Subject: MailScanner not delivering mail anymore
In-Reply-To: <3c1d4f520707031224i18258d45pd90079220d8eac93@mail.gmail.com>
References: <3c1d4f520707031224i18258d45pd90079220d8eac93@mail.gmail.com>
Message-ID: <468AA7F8.3080108@ecs.soton.ac.uk>

Dave Boltz wrote:
>
> I've been going through stuff all day and I'm really stuck here. I
> hope someone can help me. I use MailScanner with sendmail. This
> setup has been in place for years and worked without problems. All of
> a sudden this weekend it stopped delivering its mail from the incoming
> queue but instead just piles up there. If I modify my
> MailScanner.conf file to run in debug mode it will process a bunch of
> email and send it off but it's always finishing with the messages
> below. I notice from MailWatch that if I run this without debug mode
> it will start marking all email as a virus after some time. The
> number of EOCD messages seems to vary with the number of email
> processed in that run.
>
And it specifically told you in the output to ignore EOCD errors. So
please ignore them :-)
>
> Does anyone have any clues as to how I can solve this issue?
>
>
> Starting MailScanner daemons:
>
> incoming sendmail: SPF milter already running
>
> [ OK ]
>
> outgoing sendmail: [ OK ]
>
> MailScanner: In Debugging mode, not forking...
>
> Ignore errors about failing to find EOCD signature
>
> format error: can't find EOCD signature
>
> at /usr/sbin/MailScanner line 820
>
> format error: can't find EOCD signature
>
> at /usr/sbin/MailScanner line 820
>
> commit ineffective with AutoCommit enabled at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 707.
>
> Commmit ineffective while AutoCommit is on at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 707.
>
> Stopping now as you are debugging me.
>
All of those are totally harmless.
What virus scanners are you using?
What does MailScanner --lint say?
When it starts marking them as viruses, what is it logging?

You haven't given us any useful info to go on :-(

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From carock at epconline.com Tue Jul 3 20:56:41 2007
From: carock at epconline.com (Chuck Rock)
Date: Tue Jul 3 20:56:58 2007
Subject: Wierd question
In-Reply-To:
Message-ID: <003801c7bdac$46ae4880$8c007f0a@epctech.com>

The server I need to stop receiving mail is not a relay, but the final
destination POP3 account server. It used to be the MX handler for the
domain, but now the new filter server is.

I needed the final destination POP3 mailbox server to reject mail to a
specific domain from every other IP except the new filter server.

Since the POP3 server was a listed MX handler for the domain, it's in
caches and spammer relay lists for the domain. Once the DNS changes have
propagated and most caches have timed out and refreshed, the only mail
for that specific domain still being sent to the old MX ip is junk.

Since the server is still the final destination POP3 mailbox server, it
MUST receive mail for that domain. I just needed to make sure it was
only from the filter and not just any IP. Since the server hosts
hundreds of other domains, I could not just filter port 25 traffic, it
had to be domain specific.

If you use a prefilter setup like a piece of hardware for spam/av filter
for E-mail, you will get spam and other junk bypassing your filter if
the old MX record for the domain will still accept mail from any address
for the filtered domain.

Chuck

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Monday, July 02, 2007 6:45 PM
To: mailscanner@lists.mailscanner.info
Subject: Re: Wierd question

Chuck Rock spake the following on 7/2/2007 1:14 PM:
> Excellent, I will test.
>
> Basically for the other guy, I had a mail server running MS and clamAV and
> SpamAssassin. All free stuff, works nice mostly.
>
> I purchased a Barracuda to "add" domains to with an extra fee for the
> expensive commercial spam filter.
>
> The final destination server is still the same. I just changed MX so only
> the Barracuda was listed.
>
> What I've found through experience though, servers will continue to send
> mail to the old MX record even though it doesn't exist. I still have servers
> receiving messages for domains we haven't hosted for years.
>
> To keep the spammers from bypassing the new Barracuda filter inserted in the
> mail flow, I must make the final destination server ignore messages from all
> other IP's for incoming mail destined for specific domains and only allow
> them from the new spam filter device IP.
>
> If any of you have a filter like this, and you haven't limited the old MX
> server from receiving mail from just any IP for the domain, spam is probably
> getting past your new filter.
>
None of my MX's will relay anything that they are not supposed to relay.
If an MX doesn't need to relay a domain anymore, it should reject it.
You want to reject at the first point of connection, or you have to
bounce an NDR and take a chance of being a joe-job relay. In sendmail,
you remove that domain from the relay_domains, I'm sure every other MTA
has the same feature.
An MX should not blindly relay anything. If it relays for one or a
hundred domains, that is all it should be configured for. Sure it is a
little more work, but it doesn't get changed much.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From itdept at fractalweb.com Tue Jul 3 21:02:35 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Tue Jul 3 21:02:51 2007
Subject: clamd configuration?
Message-ID: <468AAB5B.7010101@fractalweb.com>

I'm testing clamd instead of clamavmodule, but am still having a
problem. I'm on Centos 4.4 with everything kept up to date.

I'm running MailScanner 4.61.7, and I've got clamd running, and have
specified that MailScanner should use "clamd" as the antivirus scanner.
I've tried sending the eicar test file through and it walks through
everything. I must have missed something.

# MailScanner --lint
Read 777 hostnames from the phishing whitelist
Config: calling custom init function SQLBlacklist
Config: calling custom init function MailWatchLogging
Config: calling custom init function SQLWhitelist
Checking version numbers...
Version number in MailScanner.conf (4.61.7) is correct.

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = posix
Creating hardcoded struct_flock subroutine for linux (Linux-type)
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamavmodule, clamd

# grep -i clamd /etc/MailScanner/MailScanner.conf | grep -v '^#'
Virus Scanners = clamd
Clamd Port = 3310
Clamd Socket = /tmp/clamd
Clamd Lock File = /var/lock/subsys/clamd
Clamd Use Threads = yes

Freshclam indicates that clamav is up to date.

Thanks,
Chris

From uxbod at splatnix.net Tue Jul 3 21:04:55 2007
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Jul 3 21:04:57 2007
Subject: Any advice for a new server?
In-Reply-To: <468A8A4D.1030604@fractalweb.com>
References: <468A8A4D.1030604@fractalweb.com>
Message-ID:

Yes, but OpenOffice would not be required on the server ;) To put Gentoo
in context I recently re-built my dual Opteron 2GB server in two hours.
All up to date and optimised. I just love the control and flexibility
that Gentoo offers. Though do agree with some comments that it is not
the easiest distro to get running. The LiveCD has helped to address the
balance though now.

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From uxbod at splatnix.net Tue Jul 3 21:06:18 2007
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Jul 3 21:06:24 2007
Subject: clamd configuration?
In-Reply-To: <468AAB5B.7010101@fractalweb.com>
References: <468AAB5B.7010101@fractalweb.com>
Message-ID: <332b3e3ad3564836ac864a0bda4708b6@62.49.223.244>

ps -ef | grep clamd

what does that show ?

Anything in /var/log/messages ? Have you ran MailScanner in debug mode ?

On Tue, 03 Jul 2007 13:02:35 -0700, Chris Yuzik wrote:
> I'm testing clamd instead of clamavmodule, but am still having a
> problem. I'm on Centos 4.4 with everything kept up to date.
>
> I'm running MailScanner 4.61.7, and I've got clamd running, and have
> specified that MailScanner should use "clamd" as the antivirus scanner.
> I've tried sending the eicar test file through and it walks through
> everything. I must have missed something.
>
> # MailScanner --lint
> Read 777 hostnames from the phishing whitelist
> Config: calling custom init function SQLBlacklist
> Config: calling custom init function MailWatchLogging
> Config: calling custom init function SQLWhitelist
> Checking version numbers...
> Version number in MailScanner.conf (4.61.7) is correct.
>
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temporary working directory is
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> Using locktype = posix
> Creating hardcoded struct_flock subroutine for linux (Linux-type)
> MailScanner.conf says "Virus Scanners = clamd"
> Found these virus scanners installed: clamavmodule, clamd
>
> # grep -i clamd /etc/MailScanner/MailScanner.conf | grep -v '^#'
> Virus Scanners = clamd
> Clamd Port = 3310
> Clamd Socket = /tmp/clamd
> Clamd Lock File = /var/lock/subsys/clamd
> Clamd Use Threads = yes
>
> Freshclam indicates that clamav is up to date.
>
> Thanks,
> Chris

--
--[ UxBoD ]--

From rlane at i-centrix.com Tue Jul 3 21:14:05 2007
From: rlane at i-centrix.com (Ryan Lane)
Date: Tue Jul 3 21:13:21 2007
Subject: clamd configuration?
In-Reply-To: <468AAB5B.7010101@fractalweb.com>
References: <468AAB5B.7010101@fractalweb.com>
Message-ID: <468AAE0D.3020103@i-centrix.com>

Chris Yuzik wrote:
> # grep -i clamd /etc/MailScanner/MailScanner.conf | grep -v '^#'
> Virus Scanners = clamd
> Clamd Port = 3310
> Clamd Socket = /tmp/clamd
> Clamd Lock File = /var/lock/subsys/clamd
> Clamd Use Threads = yes

I just set this up today, and have it working (with eicar test files,
and clamav test files). My config lines are:

Clamd Port = 3310
Clamd Socket = /var/run/clamav/clamd.sock
#Clamd Socket = /tmp/clamd
Clamd Lock File = # /var/lock/subsys/clamd
Clamd Use Threads = yes

I'm running this on centos 4.5 with clamav/clamd from dag's repo.

-Ryan

From r.berber at computer.org Tue Jul 3 22:59:12 2007
From: r.berber at computer.org (René Berber)
Date: Tue Jul 3 22:59:37 2007
Subject: Any advice for a new server?
In-Reply-To: <468A8A4D.1030604@fractalweb.com>
References: <1183421943.8123.116.camel@thor.greenbuzz.net> <4689CE72.2040202@fractalweb.com> <468A8A4D.1030604@fractalweb.com>
Message-ID:

Chris Yuzik wrote:

> René Berber wrote:
>> Chris Yuzik wrote:
>>
>>
>>> I'm not a Slackware user like Res is, but I'm overall happy with Centos.
>>> I've been the Gentoo route, and while compiling small things from source
>>> is fine, having to compile for 12+ hours straight on a production server
>>> is NOT cool, and imho offers little benefit over installing pre-compiled
>>> binaries for your hardware.
>>>
>> [snip]
>>
>> Gentoo also offers pre-compiled packages, installed with the same tool
>> (emerge)...
>>
> René,
>
> Thanks. I did not know that. I should have pointed out that it's been
> years (about 3 and a half) since I last played with Gentoo. I still
> remember spending 2+ days compiling openoffice.org. :-)

Yep, that's the beast that really makes you wonder, why compile
everything? ;-)
--
René Berber

From itdept at fractalweb.com Tue Jul 3 23:24:22 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Tue Jul 3 23:24:37 2007
Subject: clamd configuration?
In-Reply-To: <332b3e3ad3564836ac864a0bda4708b6@62.49.223.244>
References: <468AAB5B.7010101@fractalweb.com> <332b3e3ad3564836ac864a0bda4708b6@62.49.223.244>
Message-ID: <468ACC96.2010305@fractalweb.com>

--[ UxBoD ]-- wrote:
> ps -ef | grep clamd
>
> what does that show ?
>
> Anything in /var/log/messages ? Have you ran MailScanner in debug mode ?
>
# ps -ef | grep clamd
root 26478 14850 0 13:07 pts/1 00:00:00 grep clamd
clamav 32619 1 2 12:08 ? 00:01:38 clamd

If I tail the maillog while grepping for anything about clam, and send
the eicar file through, I get absolutely nothing. Also /var/log/messages
shows that freshclam has updated but nothing else; no mention of the
virus test file.

I've tried MailScanner in debug mode and there weren't any errors.

Chris

From itdept at fractalweb.com Wed Jul 4 00:06:19 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Wed Jul 4 00:06:35 2007
Subject: clamd configuration?
In-Reply-To: <468ACC96.2010305@fractalweb.com>
References: <468AAB5B.7010101@fractalweb.com> <332b3e3ad3564836ac864a0bda4708b6@62.49.223.244> <468ACC96.2010305@fractalweb.com>
Message-ID: <468AD66B.2000704@fractalweb.com>

I have done some further testing, and still cannot get MailScanner to
talk to clamd. Argh!

While tailing /var/log/maillog and /var/log/clamav/clamav.log, with:
tail -f /var/log/maillog | grep -i clam
and
tail -f /var/log/clamav/clamd.log

I've done '# clamdscan' in a dir that has the eicar test file in it, and
I immediately see in clamd.log 'Tue Jul 3 15:44:30 2007 ->
/etc/MailScanner/clamtest/eicar_com.zip: Eicar-Test-Signature FOUND'.

If I email the same file to myself, it goes right through the server and
there are no log entries in either log. So it appears that Clamd is
doing its thing, but MailScanner is not talking to it.

I'd ask the clam people, but at this point this problem is looking like
a MailScanner problem.

Chris

From itdept at fractalweb.com Wed Jul 4 00:22:41 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Wed Jul 4 00:23:00 2007
Subject: clamd configuration?
In-Reply-To: <468AAE0D.3020103@i-centrix.com>
References: <468AAB5B.7010101@fractalweb.com> <468AAE0D.3020103@i-centrix.com>
Message-ID: <468ADA41.4010307@fractalweb.com>

Ryan Lane wrote:
> Chris Yuzik wrote:
>> # grep -i clamd /etc/MailScanner/MailScanner.conf | grep -v '^#'
>> Virus Scanners = clamd
>> Clamd Port = 3310
>> Clamd Socket = /tmp/clamd
>> Clamd Lock File = /var/lock/subsys/clamd
>> Clamd Use Threads = yes
>
> I just set this up today, and have it working (with eicar test files,
> and clamav test files). My config lines are:
>
> Clamd Port = 3310
> Clamd Socket = /var/run/clamav/clamd.sock
> #Clamd Socket = /tmp/clamd
> Clamd Lock File = # /var/lock/subsys/clamd
> Clamd Use Threads = yes
>
> I'm running this on centos 4.5 with clamav/clamd from dag's repo.
I went through the config file for clamd and found that the TCP port
wasn't enabled for the daemon, so I uncommented out the line, and
restarted clamd. Still not working.

Oy.

Not sure what to do next.

From rcooper at dwford.com Wed Jul 4 00:42:00 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Wed Jul 4 00:42:10 2007
Subject: clamd configuration?
In-Reply-To: <468ADA41.4010307@fractalweb.com>
References: <468AAB5B.7010101@fractalweb.com> <468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com>
Message-ID: <06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Chris Yuzik
> Sent: Tuesday, July 03, 2007 7:23 PM
> To: MailScanner discussion
> Subject: Re: clamd configuration?
>
> Ryan Lane wrote:
> > Chris Yuzik wrote:
> >> # grep -i clamd /etc/MailScanner/MailScanner.conf | grep -v '^#'
> >> Virus Scanners = clamd
> >> Clamd Port = 3310
> >> Clamd Socket = /tmp/clamd
> >> Clamd Lock File = /var/lock/subsys/clamd
> >> Clamd Use Threads = yes
> > [...]
> >
> > I'm running this on centos 4.5 with clamav/clamd from dag's repo.
> I went through the config file for clamd and found that the TCP port
> wasn't enabled for the daemon, so I uncommented out the line, and
> restarted clamd. Still not working.
>
> Oy.
>
> Not sure what to do next.
>

Please run MailScanner in debug mode, show what is output from the clamd section, and if possible the clamd.conf, remember that is where the clam daemon is getting its parameter. If MailScanner cannot reach clamd there will be alerts even if you are not in debug mode. Also note if you supply a path to the socket the port is not used. If you are not using unix sockets (/tmp/clamd or /tmp/clamd.sock, etc) then you should have an IP address (probably 127.0.0.1) for the socket address.

Rick

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From res at ausics.net Wed Jul 4 00:43:01 2007
From: res at ausics.net (Res)
Date: Wed Jul 4 00:43:12 2007
Subject: clamd configuration?
In-Reply-To: <468AAB5B.7010101@fractalweb.com>
References: <468AAB5B.7010101@fractalweb.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

Hi Chris,

On Tue, 3 Jul 2007, Chris Yuzik wrote:

> Clamd Port = 3310
> Clamd Socket = /tmp/clamd

You're saying Port number but supplying no IP, change the socket to:

Clamd Port = 3310
Clamd Socket = 127.0.0.1 #/tmp/clamd

--
Cheers
Res

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD4DBQFGit8FsWhAmSIQh7MRAsETAJiv+LavPZq4GH4Hh2IJJUgtTcaUAJ98KWuY
Cx/CNeB/SdrQy4GKC5/frQ==
=aQv1
-----END PGP SIGNATURE-----

From seamus at rheelweb.co.nz Wed Jul 4 01:05:22 2007
From: seamus at rheelweb.co.nz (Seamus Allan) Date: Wed Jul 4 01:05:27 2007 Subject: Postfix Address Verification In-Reply-To: <46881CAB.2090504@rheelweb.co.nz> References: <1182844619.26893.2.camel@gblades-suse.linguaphone-intranet.co.uk> <4681C794.7000207@rheelweb.co.nz> <33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net> <4682E8CF.7010602@rheelweb.co.nz> <59838.194.70.180.170.1183020415.squirrel@www.technologytiger.net> <4684832B.90709@rheelweb.co.nz> <39526.194.70.180.170.1183109209.squirrel@www.technologytiger.net> <46881CAB.2090504@rheelweb.co.nz> Message-ID: <468AE442.6000501@rheelweb.co.nz> Drew Marshall wrote: >> This looks like a DNS problem. Are you running a cacheing DNS server on >> this box? Postfix is rejecting with a temporary failure (450) as it is >> having what it thinks could be a short term problem. I assume you >> have set >> the next hop in the transport map file, have you done this using a name >> record or IP address? i.e. in the file does it say: >> >> validdomain relay:internal.host >> >> or >> >> validdomain relay:[192.168.1.225] >> >> Just to make sure this isn't Postfix logging a slight red herring, >> can you >> also let me know what you have under: >> >> smtpd_client_restrictions >> smtpd_sender_restrictions >> >> in main.cf >> >> The other thing to check is the logs of the internal machine >> (Exchange?), >> just in case there is anything obvious there. >> >> Drew >> >> >> > Hi, > > I am not running a caching DNS server on this box, all DNS queries are > passed to our internal DNS server, however this shouldn't be an issue, > as you noted because the next hop is dictated by an entry in the > transport map, using IP based hosts. This is what I find so confusing, > surely Postfix uses this transport map or even the relay_domain map to > decide whether a domain is valid or not? 
> I did spend the other day looking at the internal mail hub, and there > is nothing out of the ordinary in there which would indicate a problem > (such as SMTP restrictions because of connection rate or something). > In my main.cf, I don't have entries for smtpd_client_restrictions or > smtpd_sender_restrictions (whether this is bad or not?), and my > smtpd_recipient_restrictions is as follows: > smtpd_recipient_restrictions = permit_mynetworks, > permit_sasl_authenticated, reject_unauth_destination, > reject_non_fqdn_recipient, reject_unknown_recipient_domain, > reject_unverified_recipient > > It all seems rather tricky, as there is nothing obvious as to why this > is happening. > > Cheers for the help > > > Seamus > > *Seamus Allan* > Network Engineer > Rheel Electronics Ltd > Anybody got ideas? Cheers Seamus -- *Seamus Allan* Network Engineer Rheel Electronics Ltd From res at ausics.net Wed Jul 4 01:05:56 2007 From: res at ausics.net (Res) Date: Wed Jul 4 01:06:11 2007 Subject: qmail/mailscanner support site planned outage Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message Hi Folks, qms.ausics.net (the mailscanner and qmail support site) will be down Saturday July 7 from 1400-1600 UTC (Midnight local) for server upgrade... -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGiuRksWhAmSIQh7MRAjlhAJ43bqkmhlg6aFNWAUHnC0UgIyupBQCcCb6Y Y/CL+/8TM1gvrg3E/+Xh3wE= =qD4O -----END PGP SIGNATURE----- From itdept at fractalweb.com Wed Jul 4 03:51:26 2007 
From: itdept at fractalweb.com (Chris Yuzik) Date: Wed Jul 4 03:52:21 2007 Subject: clamd configuration? In-Reply-To: <06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> References: <468AAB5B.7010101@fractalweb.com> <468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com> <06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> Message-ID: <468B0B2E.8080201@fractalweb.com> Rick Cooper wrote: > Please run MailScanner in debug mode, show what is output from the clamd > section, and if possible the clamd.conf, remember that is where the clam > daemon is getting it's parameter. If MailScanner cannot reach clamd there > will be alerts even if you are not in debug mode. Also note if you supply a > path to the socket the port is not used. If you are not using unix sockets > (/tmp/clamd or /tmp/clamd.sock, etc) then you should have an IP address > (probably 127.0.0.1) for the socket address. Rick, Ok, here you go. I put MailScanner into debug mode, did a lint, plopped a message with the eicar test file into the inqueue, etc. Looks like clamd is called and the messages handed off, but it doesn't find the virus. Chris # MailScanner --lint Read 777 hostnames from the phishing whitelist Config: calling custom init function SQLBlacklist Config: calling custom init function MailWatchLogging Config: calling custom init function SQLWhitelist Checking version numbers... Version number in MailScanner.conf (4.61.7) is correct. Checking for SpamAssassin errors (if you use it)... SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. 
lock.pl sees Config LockType = posix lock.pl sees have_module = 0 Using locktype = posix Creating hardcoded struct_flock subroutine for linux (Linux-type) MailScanner.conf says "Virus Scanners = clamd" Debug Mode Is On Use Threads : YES IP : 127.0.0.1 Port : 3310 Lock File : NOT USED Time Out : 300 Scan Dir : /var/spool/MailScanner/incoming/29637/ISITINSTALLED Clamd : Sending PING Clamd : GOT 'PONG' ClamD is running Found these virus scanners installed: clamavmodule, clamd # service MailScanner start Starting MailScanner daemons: incoming sendmail: [ OK ] outgoing sendmail: [ OK ] MailScanner: In Debugging mode, not forking... SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Ignore errors about failing to find EOCD signature Stopping now as you are debugging me. [ OK ] [root@devel MailScanner]# commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 138. Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 138. and Jul 3 19:46:49 devel MailScanner[29319]: MailScanner E-Mail Virus Scanner version 4.61.7 starting... 
Jul 3 19:46:49 devel MailScanner[29319]: Read 777 hostnames from the phishing whitelist Jul 3 19:46:49 devel MailScanner[29319]: Config: calling custom init function SQLBlacklist Jul 3 19:46:49 devel MailScanner[29319]: Starting up SQL Blacklist Jul 3 19:46:49 devel MailScanner[29319]: Read 28 blacklist entries Jul 3 19:46:49 devel MailScanner[29319]: Config: calling custom init function MailWatchLogging Jul 3 19:46:49 devel MailScanner[29319]: Started SQL Logging child Jul 3 19:46:49 devel MailScanner[29319]: Config: calling custom init function SQLWhitelist Jul 3 19:46:49 devel MailScanner[29319]: Starting up SQL Whitelist Jul 3 19:46:49 devel MailScanner[29319]: Read 18 whitelist entries Jul 3 19:46:49 devel MailScanner[29319]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp Jul 3 19:46:50 devel MailScanner[29319]: Using SpamAssassin results cache Jul 3 19:46:50 devel MailScanner[29319]: Connected to SpamAssassin cache database Jul 3 19:46:50 devel MailScanner[29319]: Expired 2 records from the SpamAssassin cache Jul 3 19:46:50 devel MailScanner[29319]: Enabling SpamAssassin auto-whitelist functionality... 
Jul 3 19:46:52 devel MailScanner[29319]: lock.pl sees Config LockType = posix Jul 3 19:46:52 devel MailScanner[29319]: lock.pl sees have_module = 0 Jul 3 19:46:52 devel MailScanner[29319]: Using locktype = posix Jul 3 19:46:52 devel MailScanner[29319]: Creating hardcoded struct_flock subroutine for linux (Linux-type) Jul 3 19:46:52 devel MailScanner[29319]: New Batch: Scanning 3 messages, 55415 bytes Jul 3 19:46:52 devel MailScanner[29319]: Created attachment dirs for 3 messages Jul 3 19:46:52 devel MailScanner[29319]: Spam Checks: Starting Jul 3 19:46:55 devel MailScanner[29319]: SpamAssassin returned 0 Jul 3 19:46:56 devel MailScanner[29319]: SpamAssassin returned 0 Jul 3 19:46:59 devel MailScanner[29319]: SpamAssassin returned 0 Jul 3 19:46:59 devel MailScanner[29319]: Spam Checks completed at 8412 bytes per second Jul 3 19:46:59 devel MailScanner[29319]: Virus and Content Scanning: Starting Jul 3 19:46:59 devel MailScanner[29319]: Commencing scanning by clamd... Jul 3 19:46:59 devel MailScanner[29365]: Debug Mode Is On Jul 3 19:46:59 devel MailScanner[29365]: Use Threads : YES Jul 3 19:46:59 devel MailScanner[29365]: IP : 127.0.0.1 Jul 3 19:46:59 devel MailScanner[29365]: Port : 3310 Jul 3 19:46:59 devel MailScanner[29365]: Lock File : NOT USED Jul 3 19:46:59 devel MailScanner[29365]: Time Out : 300 Jul 3 19:46:59 devel MailScanner[29365]: Scan Dir : /var/spool/MailScanner/incoming/29319 Jul 3 19:46:59 devel MailScanner[29365]: Clamd : Sending PING Jul 3 19:46:59 devel MailScanner[29365]: Clamd : GOT 'PONG' Jul 3 19:46:59 devel MailScanner[29365]: ClamD is running Jul 3 19:46:59 devel MailScanner[29365]: SENT : MULTISCAN /var/spool/MailScanner/incoming/29319 Jul 3 19:46:59 devel MailScanner[29319]: Completed scanning by clamd Jul 3 19:46:59 devel MailScanner[29319]: Completed checking by /usr/local/bin/file Jul 3 19:46:59 devel MailScanner[29319]: Virus Scanning completed at 367181 bytes per second Jul 3 19:46:59 devel MailScanner[29319]: About to deliver 3 
messages Jul 3 19:46:59 devel MailScanner[29319]: Uninfected: Delivered 3 messages Jul 3 19:46:59 devel MailScanner[29319]: Batch completed at 8175 bytes per second (55415 / 6) Jul 3 19:46:59 devel MailScanner[29319]: Batch (3 messages) processed in 6.78 seconds Jul 3 19:46:59 devel MailScanner[29319]: Logging message l642kYcl029232 to SQL Jul 3 19:46:59 devel MailScanner[29319]: Logging message l642kPu9029221 to SQL Jul 3 19:46:59 devel MailScanner[29319]: Logging message l642juvd029134 to SQL Jul 3 19:46:59 devel MailScanner[29319]: "Always Looked Up Last" took 0.01 seconds Jul 3 19:46:59 devel MailScanner[29319]: Config: calling custom end function SQLBlacklist Jul 3 19:46:59 devel MailScanner[29319]: Closing down by-domain spam blacklist Jul 3 19:46:59 devel MailScanner[29319]: Config: calling custom end function MailWatchLogging Jul 3 19:46:59 devel MailScanner[29319]: Config: calling custom end function SQLWhitelist Jul 3 19:46:59 devel MailScanner[29319]: Closing down by-domain spam whitelist Jul 3 19:46:59 devel MailScanner[29319]: MailScanner child dying of old age Jul 3 19:46:59 devel MailScanner[29327]: l642kYcl029232: Logged to MailWatch SQL Jul 3 19:46:59 devel MailScanner[29327]: l642kPu9029221: Logged to MailWatch SQL Jul 3 19:46:59 devel MailScanner[29327]: l642juvd029134: Logged to MailWatch SQL Jul 3 19:49:08 devel MailScanner[29637]: MailScanner E-Mail Virus Scanner version 4.61.7 starting... From res at ausics.net Wed Jul 4 04:11:43 2007 
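The socket-versus-port rule Rick describes and the PING / MULTISCAN exchange visible in the debug log above can be reproduced by hand with the following added example (not code from the thread or from MailScanner). It assumes clamd's newline-terminated plain-text commands and its "path: name FOUND", "path: OK" and "path: message ERROR" reply lines; the function names and the reply lines marked as constructed are illustrative.

```python
import socket
import sys

# Reply lines for offline testing. The first is the clamd.log entry quoted
# earlier in this thread; the other two are constructed for illustration.
SAMPLE_REPLIES = [
    "/etc/MailScanner/clamtest/eicar_com.zip: Eicar-Test-Signature FOUND",
    "/var/spool/MailScanner/incoming/29319: OK",
    "/var/spool/MailScanner/incoming/29319: lstat() failed: Permission denied. ERROR",
]


def resolve_endpoint(clamd_socket, clamd_port=3310):
    """Apply the rule from the thread to the 'Clamd Socket' value.

    A filesystem path selects a Unix socket and the port is not used;
    anything else is treated as an IP address and paired with 'Clamd Port'.
    """
    value = clamd_socket.strip()
    if value.startswith("/"):
        return ("unix", value)
    return ("tcp", (value, int(clamd_port)))


def connect(endpoint, timeout=10.0):
    """Open a stream socket to the resolved endpoint."""
    kind, address = endpoint
    family = socket.AF_UNIX if kind == "unix" else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    sock.connect(address)
    return sock


def exchange(sock, command):
    """Send one newline-terminated command and read until clamd closes."""
    sock.sendall(command.encode() + b"\n")
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            break
        chunks.append(data)
    return b"".join(chunks).decode(errors="replace").splitlines()


def classify(line):
    """Split one reply line into (status, path, detail)."""
    line = line.strip()
    if line.endswith(" FOUND"):
        path, _, name = line[: -len(" FOUND")].rpartition(": ")
        return ("FOUND", path, name)
    if line.endswith(" ERROR"):
        # The error text may itself contain ': ', so split at the first one.
        path, _, message = line[: -len(" ERROR")].partition(": ")
        return ("ERROR", path, message)
    if line.endswith(": OK"):
        return ("OK", line[: -len(": OK")], "")
    return ("UNKNOWN", "", line)


def summarize(lines):
    """Group reply lines by status so ERROR replies are not mistaken for clean."""
    result = {"FOUND": [], "ERROR": [], "OK": [], "UNKNOWN": []}
    for line in lines:
        if line.strip():
            status, path, detail = classify(line)
            result[status].append((path, detail))
    return result


def probe(clamd_socket, clamd_port, scan_dir):
    """PING clamd, then ask it to MULTISCAN scan_dir, as the debug log shows.

    clamd opens scan_dir itself, under its own account, so the result
    reflects what the daemon can read, not what the caller can read.
    """
    endpoint = resolve_endpoint(clamd_socket, clamd_port)
    with connect(endpoint) as sock:
        alive = exchange(sock, "PING") == ["PONG"]
    with connect(endpoint) as sock:
        report = summarize(exchange(sock, "MULTISCAN " + scan_dir))
    return alive, report


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: clamd_probe.py <Clamd Socket value> <Clamd Port> <directory>")
    alive, report = probe(sys.argv[1], sys.argv[2], sys.argv[3])
    print("PONG received:", alive)
    for status, entries in report.items():
        for path, detail in entries:
            print(status, path, detail)
```

Run against a directory holding the eicar test file, a FOUND line confirms the daemon can see and scan it; only OK or ERROR lines point at what clamd itself can reach.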
From: res at ausics.net (Res) Date: Wed Jul 4 04:11:53 2007 Subject: clamd configuration? In-Reply-To: <468B0B2E.8080201@fractalweb.com> References: <468AAB5B.7010101@fractalweb.com> <468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com> <06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> <468B0B2E.8080201@fractalweb.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message On Tue, 3 Jul 2007, Chris Yuzik wrote: > Jul 3 19:46:59 devel MailScanner[29319]: Batch (3 messages) processed in > 6.78 seconds holy crap thats slow... Jul 4 13:10:55 mx-2-in MailScanner[5635]: Batch (30 messages) processed in 38.76 seconds Jul 4 13:11:05 mx-2-in MailScanner[5632]: Batch (7 messages) processed in 1.92 seconds -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGiw/vsWhAmSIQh7MRAojRAKCDJB/WyuZB7DLlBgINuIMSghfTegCfSuzQ 9JKelFtvJ+suNbl4n+aI/PU= =tcX7 -----END PGP SIGNATURE----- From itdept at fractalweb.com Wed Jul 4 05:12:34 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Wed Jul 4 05:12:51 2007 Subject: clamd configuration? In-Reply-To: References: <468AAB5B.7010101@fractalweb.com> <468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com> <06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> <468B0B2E.8080201@fractalweb.com> Message-ID: <468B1E32.8040606@fractalweb.com> Res wrote: > holy crap thats slow... > > > Jul 4 13:10:55 mx-2-in MailScanner[5635]: Batch (30 messages) processed > in 38.76 seconds Res, Ha ha. Well, sorry, was a bit distracted. Since it was running in debug mode, the delay was because someone was talking to me and it took me a few seconds before I typed "service MailScanner start". Normally, the "be-atches" (ha ha) seem to average ~7 to ~12 seconds. Chris From res at ausics.net Wed Jul 4 06:17:19 2007 
From: res at ausics.net (Res) Date: Wed Jul 4 06:17:29 2007 Subject: clamd configuration? In-Reply-To: <468B1E32.8040606@fractalweb.com> References: <468AAB5B.7010101@fractalweb.com> <468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com> <06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> <468B0B2E.8080201@fractalweb.com> <468B1E32.8040606@fractalweb.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message LOL :P On Tue, 3 Jul 2007, Chris Yuzik wrote: > Res wrote: > >> holy crap thats slow... >> >> >> Jul 4 13:10:55 mx-2-in MailScanner[5635]: Batch (30 messages) processed in >> 38.76 seconds > > Res, > > Ha ha. Well, sorry, was a bit distracted. Since it was running in debug mode, > the delay was because someone was talking to me and it took me a few seconds > before I typed "service MailScanner start". Normally, the "be-atches" (ha ha) > seem to average ~7 to ~12 seconds. > > Chris > > -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGiy1fsWhAmSIQh7MRAjTuAKCPYyA0NPbzV4UOso3Oki6h8rci0ACeJ46Z fRdOVDeLNlSEuH8LcWfUVVE= =8Ubr -----END PGP SIGNATURE----- From leiw324 at yahoo.com.hk Wed Jul 4 06:41:31 2007 
From: leiw324 at yahoo.com.hk (Wilson Kwok) Date: Wed Jul 4 06:41:34 2007 Subject: Some maillog question Message-ID: <927842.49000.qm@web54404.mail.yahoo.com> Hello, Can anyone help to explain the following MailScanner log ? is the mailScanner got hacking or something like that ? Jul 4 12:42:24 mailgateway MailScanner[22295]: Commercial scanner clamav timed out! Jul 4 12:42:24 mailgateway MailScanner[22295]: clamav: Failed to complete, timed out Jul 4 12:42:24 mailgateway MailScanner[22295]: Virus Scanning: Denial Of Service attack detected! Thanks From minduni at ti-edu.ch Wed Jul 4 08:31:34 2007 
From: minduni at ti-edu.ch (Marco Induni) Date: Wed Jul 4 08:31:35 2007 Subject: Filename rule question In-Reply-To: <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> Message-ID: <468B4CD6.5050001@ti-edu.ch> Glenn Steen wrote: > On 03/07/07, Marco Induni wrote: >> Hi All, >> I try to deny some email attachments based just on the filename. >> So I setup the following test rule to deny all attachment for email >> sended to me@pluto.com (obviously just a real address) >> >> - in /etc/MailScanner/Mailscanner.conf >> -- Filename Rules = %rules-dir%/filename-rules.rules >> >> - in /etc/MailScanner/rules/filename-rules.rules >> -- To: me@pluto.com /etc/MailScanner/filename-alldeny.conf >> -- FromOrTo: default >> /etc/MailScanner/filename-nocheck.rules.conf >> >> - in /etc/MailScanner/filename-alldeny.conf >> -- deny .* - - >> >> - in /etc/MailScanner/filename-nocheck.rules.conf >> -- allow .* - - >> >> >> So I expect that any attachment will be denied, but is not true. >> It seems that everything is passing through, and the rule is not >> matching anything. >> I've done MailScanner --lint and no syntax error appear. >> I've also tried the standard rules enclosed (deny .exe .reg,...), but >> didn't work. > > When troubleshooting things like these, always doublecheck your > assumptions with MailScanner itself... Try "MailScanner --help" to see > the possible things you can do ... apart from the well-known --debug > and --lint (start by doing a lint... it'll show you any bad syntax > errors), you can also try any setting with any sender/receiver .... In > your case you'd test > MailScanner --value=filenamerules --from=anyone@example.net > --to=me@pluto.com > and perhaps some variations ... Replace with addresses valid to your > situation. > Glenn, thanks for the suggestions. 
I've verified with MailScanner --value=filenamerules and the various addresses to be sure that the result points to the rule that denies the attachment (see below) Looked up internal option name "filenamerules" With sender = root@xxx recipient = xxx@xx Client IP = Virus = Result is "/etc/MailScanner/filename-alldeny.conf" But unfortunately the attachments are still allowed. I've double checked to see if I've placed a space instead of a TAB in the rule, but all seems ok. Also MailScanner --lint doesn't give any syntax error. Actually I've tested on MailScanner 4.58.9 and 4.61.7 with the same result. In /etc/MailScanner/filename-alldeny.conf there is just deny .* - - and in MailScanner.conf Allow Filenames = Deny Filenames = Filename Rules = %rules-dir%/filename-rules.rules No idea :-( Thanks marco >> Question, for the filename rule to work, should I always setup also the >> filetype rule ? > > Almost always a good thing to do, yes. Check those with the same > strategy/commands. > > >> Any other ideas ? >> Where I'm wrong ? > > Probably a typo. Might be related to those files needing to be > separated... > > Cheers -- Marco Induni Universita` della Svizzera italiana Servizi informatici / TI-EDU Galleria 2 CH-6928 Manno (Switzerland) E-mail: minduni@ti-edu.ch Tel: +41 58 666 6656 Fax: +41 58 666 6650 From minduni at ti-edu.ch Wed Jul 4 08:34:33 2007 
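The tab-separation requirement discussed in this thread is hard to verify by eye, so here is an added example (not part of MailScanner or of any poster's message) that checks a filename rules file mechanically. It assumes the four-field layout of the rules shown above (action, pattern, and the two trailing "-" fields), fields separated by runs of tabs, and "#" comment lines; the sample rules and the problem codes are constructed.

```python
import re
import sys

# Constructed sample: the second rule is the thread's "deny .* - -" typed
# with spaces, the kind of line that looks identical on screen.
SAMPLE_RULES = (
    "# constructed sample rules file\n"
    "deny\t.*\t-\t-\n"
    "deny .* - -\n"
    "deny\tpretty park\\.exe$\t-\t-\n"
    "allow\t.*\t-\n"
    "deny\t \\.exe$\t-\t-\n"
)

MESSAGES = {
    "spaces-not-tabs": "fields are separated by spaces; use tabs",
    "field-count": "expected 4 tab-separated fields",
    "padded-field": "action or pattern has leading/trailing spaces, "
                    "which become part of the field",
}


def split_rule(line):
    """Split one rule line on runs of tabs, keeping spaces inside fields."""
    return re.split(r"\t+", line.rstrip("\r\n"))


def check_rules(text):
    """Return a list of (line number, problem code) for suspicious rules."""
    problems = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = split_rule(line)
        if len(fields) != 4:
            if "\t" not in line and len(line.split()) >= 4:
                problems.append((number, "spaces-not-tabs"))
            else:
                problems.append((number, "field-count"))
            continue
        # Spaces are significant inside a field, so padding changes the regex.
        if any(field != field.strip() for field in fields[:2]):
            problems.append((number, "padded-field"))
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_filename_rules.py <rules file>")
    with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
        for number, code in check_rules(handle.read()):
            print("line %d: %s" % (number, MESSAGES[code]))
```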
From: minduni at ti-edu.ch (Marco Induni) Date: Wed Jul 4 08:34:35 2007 Subject: Filename rule question In-Reply-To: <468A9425.3050007@ecs.soton.ac.uk> References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468A9425.3050007@ecs.soton.ac.uk> Message-ID: <468B4D89.3050208@ti-edu.ch> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Glenn Steen wrote: >> On 03/07/07, Marco Induni wrote: >>> Hi All, >>> I try to deny some email attachments based just on the filename. >>> So I setup the following test rule to deny all attachment for email >>> sended to me@pluto.com (obviously just a real address) >>> >>> - in /etc/MailScanner/Mailscanner.conf >>> -- Filename Rules = %rules-dir%/filename-rules.rules >>> >>> - in /etc/MailScanner/rules/filename-rules.rules >>> -- To: me@pluto.com /etc/MailScanner/filename-alldeny.conf >>> -- FromOrTo: default >>> /etc/MailScanner/filename-nocheck.rules.conf >>> >>> - in /etc/MailScanner/filename-alldeny.conf >>> -- deny .* - - >>> >>> - in /etc/MailScanner/filename-nocheck.rules.conf >>> -- allow .* - - >>> >>> >>> So I expect that any attachment will be denied, but is not true. >>> It seems that everything is passing through, and the rule is not >>> matching anything. >>> I've done MailScanner --lint and no syntax error appear. >>> I've also tried the standard rules enclosed (deny .exe .reg,...), but >>> didn't work. >> When troubleshooting things like these, always doublecheck your >> assumptions with MailScanner itself... Try "MailScanner --help" to see >> the possible things you can do ... apart from the well-known --debug >> and --lint (start by doing a lint... it'll show you any bad syntax >> errors), you can also try any setting with any sender/receiver .... In >> your case you'd test >> MailScanner --value=filenamerules --from=anyone@example.net >> --to=me@pluto.com >> and perhaps some variations ... Replace with addresses valid to your >> situation. 
>> >>> Question, for the filename rule to work, should I always setup also the >>> filetype rule ? >> Almost always a good thing to do, yes. Check those with the same >> strategy/commands. >> >> >>> Any other ideas ? >>> Where I'm wrong ? Julian, thanks for your answer. I've double checked and the rule is separated with TAB. Should be something else... Marco >> Probably a typo. Might be related to those files needing to be >> separated... > That catches out a lot of people. filename.rules.conf and its brethren > have to be tab-separated as otherwise the filename and filetype regular > expressions cannot include spaces. > >> Cheers > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > Charset: ISO-8859-1 > > wj8DBQFGipQmEfZZRxQVtlQRArW3AKCz+ALm1GvtddoQRXs+K/A6RZ8qmQCeMDH8 > d9kZ/HGBrzpKDSCi4+DL/Ds= > =J68O > -----END PGP SIGNATURE----- > -- Marco Induni Universita` della Svizzera italiana Servizi informatici / TI-EDU Galleria 2 CH-6928 Manno (Switzerland) E-mail: minduni@ti-edu.ch Tel: +41 58 666 6656 Fax: +41 58 666 6650 From martinh at solidstatelogic.com Wed Jul 4 09:06:53 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Jul 4 09:07:06 2007 Subject: Some maillog question In-Reply-To: <927842.49000.qm@web54404.mail.yahoo.com> Message-ID: Wilson Nope - look in the clamd.conf file. There's a setting you may need to increase.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Wilson Kwok > Sent: 04 July 2007 06:42 > To: mailscanner@lists.mailscanner.info > Subject: Some maillog question > > Hello, > > Can anyone help to explain the following MailScanner log ? is the > mailScanner got hacking or something like that ? > > Jul 4 12:42:24 mailgateway MailScanner[22295]: Commercial scanner clamav > timed out! > Jul 4 12:42:24 mailgateway MailScanner[22295]: clamav: Failed to > complete, timed out > Jul 4 12:42:24 mailgateway MailScanner[22295]: Virus Scanning: Denial Of > Service attack detected! > > > Thanks ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From cschnee at box.telemedia.ch Wed Jul 4 09:08:23 2007 
From: cschnee at box.telemedia.ch (Christoph Schneeberger) Date: Wed Jul 4 09:13:35 2007 Subject: Problem with MS on OpenBSD 4.1 In-Reply-To: <223f97700707031115m7f156454wac3f7b80febe5434@mail.gmail.com> References: <468A63AC.5040808@box.telemedia.ch> <468A659A.3090602@ecs.soton.ac.uk> <468A691D.7020605@box.telemedia.ch> <223f97700707031115m7f156454wac3f7b80febe5434@mail.gmail.com> Message-ID: <468B5577.2070402@box.telemedia.ch> Glenn Steen wrote: > On 03/07/07, Christoph Schneeberger wrote: >> Hi Julian, >> >> Thanks for your reply. >> >> Julian Field wrote: >> .. >> >> > >When I run MS and SA in debug mode I get an error at line 832 in >> > >Mailscanner which is the following line: >> > >> > >$batch->Explode(); >> > >> > >The error I get is >> > >> > > >> > >[24820] dbg: locker: safe_unlock: unlocked >> > /root/.spamassassin/bayes.mutex >> > >[24820] dbg: learn: initializing learner >> > >Ignore errors about failing to find EOCD signature >> > >> > >> > That line gives a hint. >> > >> > >format error: can't find EOCD signature >> > > at /opt/MailScanner/bin/MailScanner line 832 >> > >> > >> > So you can ignore that. >> > >> > >Stopping now as you are debugging me. >> > > Done. >> > >> > >> > It has run to completion normally. It hasn't bombed out on an error at >> > all. It has done exactly what it is supposed to do in Debug mode: >> > process 1 batch of messages and then exit. >> >> >> Ok thanks, i was thinking that too, but somebody on irc told me i need >> to get rid of this line832 error and that would solve my problem of not >> having any detailed Spamassassin result headers at all. >> >> So could you give me any direction or hints where I could further search >> to get that problem of not having detailed results in the header solved, >> since thats the only problem I really have. >> >> Or asked else: Is anybody on this list running a current MailScanner on >> OpenBSD 4.1 successfully and do you have any hints for me where too >> look ? 
>> >> Thanks a lot and best regards, >> Christoph >> > OpenBSD isn't exactly unheard of, but it certainly isn't one of the > more used OSes.... But this might not be anything specific to your > OS... Call me dull, but did you run a > MailScanner --debug --debug-sa > ... with something obvious, like a GTUBE, on queue? > > Cheers Thanks for your reply, I had to google GTUBE before I knew what you meant ;-) I have run with debug and debug-sa (from MailScanner.conf but I guess that is the same result) and people on irc told me the output I pasted looks good, but I'll happily provide it at the end of this mail. I have sent a mail (only body with copy-paste) from my inbox that is spam through the MS in question and it scored it with 18 and flagged the Subject properly with {Spam?}, BUT only the Spamscore and the Subject Flag are here, no details on which tests how many score was given, just a result. The reason I want OpenBSD is the spamd/pf combo which is quite unique for greylisting and since 4.1 even more use- and powerful. Also I have used OpenBSD since 2.5 and I am quite satisfied with its robustness and safety. Another reason is that I am a sendmail veteran because there was nothing else really serious at the time I needed my first mailhub, so I read different sendmails books and am quite comfortable with it. I've never found my way into other MTAs and since most Linux are now shipping Postfix, Exim or whatever I am sticking with OpenBSD for Mailhubs, Mailgates etc. So here is the output of ./bin/MailScanner --debug --debug-sa 2>&1 | tee /tmp/log --- Currently you are using no virus scanners. This is probably not what you want. In your /opt/MailScanner/etc/MailScanner.conf file, set Virus Scanners = clamav Then download http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/install-Clam-SA.tar.gz Unpack it, "cd" into the directory and run ./install.sh In Debugging mode, not forking... 
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
[14467] dbg: logger: adding facilities: all
[14467] dbg: logger: logging level is DBG
[14467] dbg: generic: SpamAssassin version 3.1.8
[14467] dbg: config: score set 0 chosen.
[14467] dbg: util: running in taint mode? no
[14467] dbg: message: ---- MIME PARSER START ----
[14467] dbg: message: main message type: text/plain
[14467] dbg: message: parsing normal part
[14467] dbg: message: added part, type: text/plain
[14467] dbg: message: ---- MIME PARSER END ----
[14467] dbg: dns: is Net::DNS::Resolver available? yes
[14467] dbg: dns: Net::DNS version: 0.59
[14467] dbg: ignore: test message to precompile patterns and load modules
[14467] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
[14467] dbg: config: read file /etc/mail/spamassassin/init.pre
[14467] dbg: config: read file /etc/mail/spamassassin/v310.pre
[14467] dbg: config: read file /etc/mail/spamassassin/v312.pre
[14467] dbg: config: using "/usr/local/share/spamassassin" for sys rules pre files
[14467] dbg: config: using "/usr/local/share/spamassassin" for default rules dir
[14467] dbg: config: read file /usr/local/share/spamassassin/10_misc.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_advance_fee.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_anti_ratware.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_body_tests.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_compensate.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_dnsbl_tests.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_drugs.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_fake_helo_tests.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_head_tests.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_html_tests.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_meta_tests.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_net_tests.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_phrases.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_porn.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_ratware.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_uri_tests.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/23_bayes.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_accessdb.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_antivirus.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_body_tests_es.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_body_tests_pl.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_dcc.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_dkim.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_domainkeys.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_hashcash.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_pyzor.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_razor2.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_replace.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_spf.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_textcat.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_uribl.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/30_text_de.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/30_text_fr.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/30_text_it.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/30_text_nl.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/30_text_pl.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/30_text_pt_br.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/50_scores.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/60_awl.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/60_whitelist.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_dk.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_dkim.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_spf.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_subject.cf
[14467] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[14467] dbg: config: read file /etc/mail/spamassassin/local.cf
[14467] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x4a1cbc80)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x4390e3a0)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x4c4dc6a0)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
[14467] dbg: pyzor: network tests on, attempting Pyzor
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0x4b99feb0)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[14467] dbg: razor2: razor2 is available, version 2.82
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0x46e71a90)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
[14467] dbg: reporter: network tests on, attempting SpamCop
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0x4ac42bb0)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::AWL=HASH(0x441d61c0)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0x47fce710)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0x500524c0)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0x4caf65a0)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x487f0b70)
[14467] dbg: config: adding redirector regex: /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i
[14467] dbg: config: adding redirector regex: /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i
[14467] dbg: config: adding redirector regex: /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i
[14467] dbg: config: adding redirector regex: /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i
[14467] dbg: config: adding redirector regex: /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i
[14467] dbg: config: adding redirector regex: m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&#])'i
[14467] dbg: config: adding redirector regex: m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i
[14467] dbg: config: adding redirector regex: m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&#])'i
[14467] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&#])'i
[14467] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])site:(.*?)(?:$|%20|[\s+&#])'i
[14467] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&#])'i
[14467] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&#])'i
[14467] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x487f0b70) implements 'finish_parsing_end'
[14467] dbg: replacetags: replacing tags
[14467] dbg: replacetags: done replacing tags
[14467] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks
[14467] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_seen
[14467] dbg: bayes: found bayes db version 3
[14467] dbg: bayes: DB journal sync: last sync: 0
[14467] dbg: bayes: not available for scanning, only 0 spam(s) in bayes DB < 200
[14467] dbg: bayes: untie-ing
[14467] dbg: bayes: untie-ing db_toks
[14467] dbg: bayes: untie-ing db_seen
[14467] dbg: config: score set 1 chosen.
[14467] dbg: message: ---- MIME PARSER START ----
[14467] dbg: message: main message type: text/plain
[14467] dbg: message: parsing normal part
[14467] dbg: message: added part, type: text/plain
[14467] dbg: message: ---- MIME PARSER END ----
[14467] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks
[14467] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_seen
[14467] dbg: bayes: found bayes db version 3
[14467] dbg: bayes: DB journal sync: last sync: 0
[14467] dbg: bayes: not available for scanning, only 0 spam(s) in bayes DB < 200
[14467] dbg: bayes: untie-ing
[14467] dbg: bayes: untie-ing db_toks
[14467] dbg: bayes: untie-ing db_seen
[14467] dbg: dns: dns_available set to yes in config file, skipping test
[14467] dbg: metadata: X-Spam-Relays-Trusted:
[14467] dbg: metadata: X-Spam-Relays-Untrusted:
[14467] dbg: metadata: X-Spam-Relays-Internal:
[14467] dbg: metadata: X-Spam-Relays-External:
[14467] dbg: message: no encoding detected
[14467] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x4a1cbc80) implements 'parsed_metadata'
[14467] dbg: uridnsbl: domains to query:
[14467] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl-lastexternal
[14467] dbg: dns: checking RBL sa-accredit.habeas.com., set habeas-firsttrusted
[14467] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl
[14467] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted
[14467] dbg: dns: checking RBL combined.njabl.org., set njabl-lastexternal
[14467] dbg: dns: checking RBL combined.njabl.org., set njabl
[14467] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois
[14467] dbg: dns: checking RBL list.dsbl.org., set dsbl-lastexternal
[14467] dbg: dns: checking RBL bl.spamcop.net., set spamcop
[14467] dbg: dns: checking RBL sa-trusted.bondedsender.org., set bsp-firsttrusted
[14467] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois-lastexternal
[14467] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-lastexternal
[14467] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs
[14467] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted
[14467] dbg: check: running tests for priority: 0
[14467] dbg: rules: running header regexp tests; score so far=0
[14467] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<"
[14467] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1183536114"
[14467] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1183536114.8107@spamassassin_spamd_init>
[14467] dbg: rules: "
[14467] dbg: rules: ran header rule NO_REAL_NAME ======> got hit: "ignore@compiling.spamassassin.taint.org
[14467] dbg: rules: "
[14467] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@spamassassin_spamd_init>"
[14467] dbg: spf: no suitable relay for spf use found, skipping SPF-helo check
[14467] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org
[14467] dbg: eval: all '*To' addrs:
[14467] dbg: spf: no suitable relay for spf use found, skipping SPF check
[14467] dbg: rules: ran eval rule NO_RELAYS ======> got hit
[14467] dbg: spf: cannot get Envelope-From, cannot use SPF
[14467] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
[14467] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit
[14467] dbg: rules: ran eval rule MISSING_HEADERS ======> got hit
[14467] dbg: spf: spf_whitelist_from: could not find useable envelope sender
[14467] dbg: rules: running body-text per-line regexp tests; score so far=0.738
[14467] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I"
[14467] dbg: uri: running uri tests; score so far=0.738
[14467] dbg: rules: running raw-body-text per-line regexp tests; score so far=0.738
[14467] dbg: rules: running full-text regexp tests; score so far=0.738
[14467] dbg: info: entering helper-app run mode
[14467] dbg: info: leaving helper-app run mode
[14467] dbg: razor2: part=0 engine=4 contested=0 confidence=0
[14467] dbg: razor2: results: spam? 0
[14467] dbg: razor2: results: engine 8, highest cf score: 0
[14467] dbg: razor2: results: engine 4, highest cf score: 0
[14467] dbg: util: current PATH is: /sbin:/bin:/usr/sbin:/usr/bin
[14467] dbg: pyzor: pyzor is not available: no pyzor executable found
[14467] dbg: pyzor: no pyzor found, disabling Pyzor
[14467] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x4a1cbc80) implements 'check_tick'
[14467] dbg: check: running tests for priority: 500
[14467] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x4a1cbc80) implements 'check_post_dnsbl'
[14467] dbg: rules: running meta tests; score so far=0.738
[14467] info: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
[14467] dbg: rules: running header regexp tests; score so far=2.216
[14467] dbg: rules: running body-text per-line regexp tests; score so far=2.216
[14467] dbg: uri: running uri tests; score so far=2.216
[14467] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.216
[14467] dbg: rules: running full-text regexp tests; score so far=2.216
[14467] dbg: check: running tests for priority: 1000
[14467] dbg: rules: running meta tests; score so far=2.216
[14467] dbg: rules: running header regexp tests; score so far=2.216
[14467] dbg: rules: running body-text per-line regexp tests; score so far=2.216
[14467] dbg: uri: running uri tests; score so far=2.216
[14467] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.216
[14467] dbg: rules: running full-text regexp tests; score so far=2.216
[14467] dbg: check: is spam? score=2.216 required=5
[14467] dbg: check: tests=MISSING_HEADERS,MISSING_SUBJECT,NO_REAL_NAME,NO_RECEIVED,NO_RELAYS,TO_CC_NONE
[14467] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID
Ignore errors about failing to find EOCD signature
format error: can't find EOCD signature
 at ./bin/MailScanner line 832
Stopping now as you are debugging me.
---

Please note I have disabled clamav for the moment to debug this without having to care about possible problems with the Antivirus, however the result was the same (no spamassassin details) when having the antivirus set to 'clamav' or 'clamd'.

Also I have installed clamav and SA from local ports in OpenBSD 4.1, but maybe I should use the provided package from the MS site? Would that be worth a try?

Thanks for any hints or tips in advance.

Cheers,
Christoph

--
---------------------------------------------------+
/ Christoph Schneeberger / SCS TeleMedia AG |
/ GIAC GSEC / Liestalerstrasse 47 |
/ cschnee@telemedia.ch / info@telemedia.ch |
/ 4419 Lupsingen / http://www.telemedia.ch |
/ tel +41 61 915 9155 / fax +41 61 911 0714 |
--------------------------------------------------------+

This e-mail is confidential and may be privileged. It may be read, copied and used only by the addressee. If you have received it in error, please contact us immediately.

"Quis custodiet ipsos custodes?"

From martinh at solidstatelogic.com Wed Jul 4 09:19:50 2007
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Jul 4 09:19:55 2007 Subject: Problem with MS on OpenBSD 4.1 In-Reply-To: <468B5577.2070402@box.telemedia.ch> Message-ID: <84ac9bebdba50c4db2e3a7321854dbf0@solidstatelogic.com> Chris Spamd/spamc isn't used for MailScanner, MS calls it direct. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Christoph Schneeberger > Sent: 04 July 2007 09:08 > To: MailScanner discussion > Subject: Re: Problem with MS on OpenBSD 4.1 > > Glenn Steen wrote: > > On 03/07/07, Christoph Schneeberger wrote: > >> Hi Julian, > >> > >> Thanks for your reply. > >> > >> Julian Field wrote: > >> .. > >> > >> > >When I run MS and SA in debug mode I get an error at line 832 in > >> > >Mailscanner which is the following line: > >> > > >> > >$batch->Explode(); > >> > > >> > >The error I get is > >> > > >> > > > >> > >[24820] dbg: locker: safe_unlock: unlocked > >> > /root/.spamassassin/bayes.mutex > >> > >[24820] dbg: learn: initializing learner > >> > >Ignore errors about failing to find EOCD signature > >> > > >> > > >> > That line gives a hint. > >> > > >> > >format error: can't find EOCD signature > >> > > at /opt/MailScanner/bin/MailScanner line 832 > >> > > >> > > >> > So you can ignore that. > >> > > >> > >Stopping now as you are debugging me. > >> > > Done. > >> > > >> > > >> > It has run to completion normally. It hasn't bombed out on an error > at > >> > all. It has done exactly what it is supposed to do in Debug mode: > >> > process 1 batch of messages and then exit. > >> > >> > >> Ok thanks, i was thinking that too, but somebody on irc told me i need > >> to get rid of this line832 error and that would solve my problem of not > >> having any detailed Spamassassin result headers at all. > >> > >> So could you give me any direction or hints where I could further > search > >> to get that problem of not having detailed results in the header > solved, > >> since thats the only problem I really have. > >> > >> Or asked else: Is anybody on this list running a current MailScanner on > >> OpenBSD 4.1 successfully and do you have any hints for me where too > >> look ? 
> >> > >> Thanks a lot and best regards, > >> Christoph > >> > > OpenBSD isn]t exactly unheard of, but it certainly isn\t one of the > > more used OSes.... But this might not be anything specific to your > > OS... Call me dull, but did you run a > > MailScanner --debug --debug-sa > > ... with something obvious, like a GTUBE, on queue? > > > > Cheers > > Thanks for your reply, I had to google GTUBE before I knew what you > meant ;-) > > I have run with debug and debug-sa (from MailScanner.conf but I guess > that is the same result) and people on irc told me the output i pasted > looks good, but I'll happily provide it at the end of this mail. > > I have sent a mail (only body with copy-paste) from my inbox that is > spam through the MS in question and it scored it with 18 and flagged the > Subject properly with {Spam?}, BUT only the Spamscore and the Subject > Flag are here, no details on which tests how many score was given, just > a result. > > The reason I want OpenBSD is the spamd/pf combo which is quite unique > for greylisting and since 4.1 even more use- and powerful. Also I have > used OpenBSD since 2.5 and I am quite satisfied with its robustness and > safety. Another reason is that I am a sendmail veteran because there was > nothing else really serious at the time i needed my first mailhub, so I > read different sendmails books and am quite comfortable with it. I've > never found my way into other MTAs and since most Linux are now shipping > Postfix, Exim or whatever I am sticking with OpenBSD for Mailhubs, > Mailgates etc. > > So here is the output of > ./bin/MailScanner --debug --debug-sa 2>&1 | tee /tmp/log > --- > > Currently you are using no virus scanners. > This is probably not what you want. 
> > In your /opt/MailScanner/etc/MailScanner.conf file, set > Virus Scanners = clamav > Then download > > http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/install-Clam-SA.tar.g z > Unpack it, "cd" into the directory and run ./install.sh > > In Debugging mode, not forking... > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp > [14467] dbg: logger: adding facilities: all > [14467] dbg: logger: logging level is DBG > [14467] dbg: generic: SpamAssassin version 3.1.8 > [14467] dbg: config: score set 0 chosen. > [14467] dbg: util: running in taint mode? no > [14467] dbg: message: ---- MIME PARSER START ---- > [14467] dbg: message: main message type: text/plain > [14467] dbg: message: parsing normal part > [14467] dbg: message: added part, type: text/plain > [14467] dbg: message: ---- MIME PARSER END ---- > [14467] dbg: dns: is Net::DNS::Resolver available? yes > [14467] dbg: dns: Net::DNS version: 0.59 > [14467] dbg: ignore: test message to precompile patterns and load modules > [14467] dbg: config: using "/etc/mail/spamassassin" for site rules pre > files > [14467] dbg: config: read file /etc/mail/spamassassin/init.pre > [14467] dbg: config: read file /etc/mail/spamassassin/v310.pre > [14467] dbg: config: read file /etc/mail/spamassassin/v312.pre > [14467] dbg: config: using "/usr/local/share/spamassassin" for sys rules > pre files > [14467] dbg: config: using "/usr/local/share/spamassassin" for default > rules dir > [14467] dbg: config: read file /usr/local/share/spamassassin/10_misc.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/20_advance_fee.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/20_anti_ratware.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/20_body_tests.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/20_compensate.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/20_dnsbl_tests.cf > [14467] dbg: config: read file 
/usr/local/share/spamassassin/20_drugs.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/20_fake_helo_tests.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/20_head_tests.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/20_html_tests.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/20_meta_tests.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/20_net_tests.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/20_phrases.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/20_porn.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/20_ratware.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/20_uri_tests.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/23_bayes.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/25_accessdb.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/25_antivirus.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/25_body_tests_es.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/25_body_tests_pl.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/25_dcc.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/25_dkim.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/25_domainkeys.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/25_hashcash.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/25_pyzor.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/25_razor2.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/25_replace.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/25_spf.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/25_textcat.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/25_uribl.cf > [14467] dbg: config: read file 
/usr/local/share/spamassassin/30_text_de.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/30_text_fr.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/30_text_it.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/30_text_nl.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/30_text_pl.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/30_text_pt_br.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/50_scores.cf > [14467] dbg: config: read file /usr/local/share/spamassassin/60_awl.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/60_whitelist.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/60_whitelist_dk.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/60_whitelist_dkim.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/60_whitelist_spf.cf > [14467] dbg: config: read file > /usr/local/share/spamassassin/60_whitelist_subject.cf > [14467] dbg: config: using "/etc/mail/spamassassin" for site rules dir > [14467] dbg: config: read file /etc/mail/spamassassin/local.cf > [14467] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf > [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from > @INC > [14467] dbg: plugin: registered > Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x4a1cbc80) > [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from > @INC > [14467] dbg: plugin: registered > Mail::SpamAssassin::Plugin::Hashcash=HASH(0x4390e3a0) > [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC > [14467] dbg: plugin: registered > Mail::SpamAssassin::Plugin::SPF=HASH(0x4c4dc6a0) > [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC > [14467] dbg: pyzor: network tests on, attempting Pyzor > [14467] dbg: plugin: registered > Mail::SpamAssassin::Plugin::Pyzor=HASH(0x4b99feb0) > [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 
from @INC > [14467] dbg: razor2: razor2 is available, version 2.82 > [14467] dbg: plugin: registered > Mail::SpamAssassin::Plugin::Razor2=HASH(0x46e71a90) > [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC > [14467] dbg: reporter: network tests on, attempting SpamCop > [14467] dbg: plugin: registered > Mail::SpamAssassin::Plugin::SpamCop=HASH(0x4ac42bb0) > [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC > [14467] dbg: plugin: registered > Mail::SpamAssassin::Plugin::AWL=HASH(0x441d61c0) > [14467] dbg: plugin: loading > Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC > [14467] dbg: plugin: registered > Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0x47fce710) > [14467] dbg: plugin: loading > Mail::SpamAssassin::Plugin::WhiteListSubject from @INC > [14467] dbg: plugin: registered > Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0x500524c0) > [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from > @INC > [14467] dbg: plugin: registered > Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0x4caf65a0) > [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags > from @INC > [14467] dbg: plugin: registered > Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x487f0b70) > [14467] dbg: config: adding redirector regex: > /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i > [14467] dbg: config: adding redirector regex: > /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i > [14467] dbg: config: adding redirector regex: > /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i > [14467] dbg: config: adding redirector regex: > /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i > [14467] dbg: config: adding redirector regex: > /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i > [14467] dbg: config: adding redirector regex: > m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&#])'i > [14467] dbg: config: adding redirector regex: > 
m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i > [14467] dbg: config: adding redirector regex: > m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&#])'i > [14467] dbg: config: adding redirector regex: > m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?: $| > [&#])'i > [14467] dbg: config: adding redirector regex: > m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]* ?( > ?<=%20|..[=+\s])site:(.*?)(?:$|%20|[\s+&#])'i > [14467] dbg: config: adding redirector regex: > m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]* ?( > ?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&#])'i > [14467] dbg: config: adding redirector regex: > m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(. *? > )(?:$|[&#])'i > [14467] dbg: plugin: > Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x487f0b70) implements > 'finish_parsing_end' > [14467] dbg: replacetags: replacing tags > [14467] dbg: replacetags: done replacing tags > [14467] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks > [14467] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_seen > [14467] dbg: bayes: found bayes db version 3 > [14467] dbg: bayes: DB journal sync: last sync: 0 > [14467] dbg: bayes: not available for scanning, only 0 spam(s) in bayes > DB < 200 > [14467] dbg: bayes: untie-ing > [14467] dbg: bayes: untie-ing db_toks > [14467] dbg: bayes: untie-ing db_seen > [14467] dbg: config: score set 1 chosen. 
> [14467] dbg: message: ---- MIME PARSER START ---- > [14467] dbg: message: main message type: text/plain > [14467] dbg: message: parsing normal part > [14467] dbg: message: added part, type: text/plain > [14467] dbg: message: ---- MIME PARSER END ---- > [14467] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks > [14467] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_seen > [14467] dbg: bayes: found bayes db version 3 > [14467] dbg: bayes: DB journal sync: last sync: 0 > [14467] dbg: bayes: not available for scanning, only 0 spam(s) in bayes > DB < 200 > [14467] dbg: bayes: untie-ing > [14467] dbg: bayes: untie-ing db_toks > [14467] dbg: bayes: untie-ing db_seen > [14467] dbg: dns: dns_available set to yes in config file, skipping test > [14467] dbg: metadata: X-Spam-Relays-Trusted: > [14467] dbg: metadata: X-Spam-Relays-Untrusted: > [14467] dbg: metadata: X-Spam-Relays-Internal: > [14467] dbg: metadata: X-Spam-Relays-External: > [14467] dbg: message: no encoding detected > [14467] dbg: plugin: > Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x4a1cbc80) implements > 'parsed_metadata' > [14467] dbg: uridnsbl: domains to query: > [14467] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set > sblxbl-lastexternal > [14467] dbg: dns: checking RBL sa-accredit.habeas.com., set > habeas-firsttrusted > [14467] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl > [14467] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp- > untrusted > [14467] dbg: dns: checking RBL combined.njabl.org., set njabl-lastexternal > [14467] dbg: dns: checking RBL combined.njabl.org., set njabl > [14467] dbg: dns: checking RBL > combined-HIB.dnsiplists.completewhois.com., set whois > [14467] dbg: dns: checking RBL list.dsbl.org., set dsbl-lastexternal > [14467] dbg: dns: checking RBL bl.spamcop.net., set spamcop > [14467] dbg: dns: checking RBL sa-trusted.bondedsender.org., set > bsp-firsttrusted > [14467] dbg: dns: checking RBL > 
combined-HIB.dnsiplists.completewhois.com., set whois-lastexternal > [14467] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-lastexternal > [14467] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs > [14467] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted > [14467] dbg: check: running tests for priority: 0 > [14467] dbg: rules: running header regexp tests; score so far=0 > [14467] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" > [14467] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: > "1183536114" > [14467] dbg: rules: ran header rule __SANE_MSGID ======> got hit: > "<1183536114.8107@spamassassin_spamd_init> > [14467] dbg: rules: " > [14467] dbg: rules: ran header rule NO_REAL_NAME ======> got hit: > "ignore@compiling.spamassassin.taint.org > [14467] dbg: rules: " > [14467] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: > "@spamassassin_spamd_init>" > [14467] dbg: spf: no suitable relay for spf use found, skipping SPF-helo > check > [14467] dbg: eval: all '*From' addrs: > ignore@compiling.spamassassin.taint.org > [14467] dbg: eval: all '*To' addrs: > [14467] dbg: spf: no suitable relay for spf use found, skipping SPF check > [14467] dbg: rules: ran eval rule NO_RELAYS ======> got hit > [14467] dbg: spf: cannot get Envelope-From, cannot use SPF > [14467] dbg: spf: def_spf_whitelist_from: could not find useable > envelope sender > [14467] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit > [14467] dbg: rules: ran eval rule MISSING_HEADERS ======> got hit > [14467] dbg: spf: spf_whitelist_from: could not find useable envelope > sender > [14467] dbg: rules: running body-text per-line regexp tests; score so > far=0.738 > [14467] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" > [14467] dbg: uri: running uri tests; score so far=0.738 > [14467] dbg: rules: running raw-body-text per-line regexp tests; score > so far=0.738 > [14467] dbg: rules: running full-text regexp tests; score so 
far=0.738 > [14467] dbg: info: entering helper-app run mode > [14467] dbg: info: leaving helper-app run mode > [14467] dbg: razor2: part=0 engine=4 contested=0 confidence=0 > [14467] dbg: razor2: results: spam? 0 > [14467] dbg: razor2: results: engine 8, highest cf score: 0 > [14467] dbg: razor2: results: engine 4, highest cf score: 0 > [14467] dbg: util: current PATH is: /sbin:/bin:/usr/sbin:/usr/bin > [14467] dbg: pyzor: pyzor is not available: no pyzor executable found > [14467] dbg: pyzor: no pyzor found, disabling Pyzor > [14467] dbg: plugin: > Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x4a1cbc80) implements > 'check_tick' > [14467] dbg: check: running tests for priority: 500 > [14467] dbg: plugin: > Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x4a1cbc80) implements > 'check_post_dnsbl' > [14467] dbg: rules: running meta tests; score so far=0.738 > [14467] info: rules: meta test DIGEST_MULTIPLE has undefined dependency > 'DCC_CHECK' > [14467] dbg: rules: running header regexp tests; score so far=2.216 > [14467] dbg: rules: running body-text per-line regexp tests; score so > far=2.216 > [14467] dbg: uri: running uri tests; score so far=2.216 > [14467] dbg: rules: running raw-body-text per-line regexp tests; score > so far=2.216 > [14467] dbg: rules: running full-text regexp tests; score so far=2.216 > [14467] dbg: check: running tests for priority: 1000 > [14467] dbg: rules: running meta tests; score so far=2.216 > [14467] dbg: rules: running header regexp tests; score so far=2.216 > [14467] dbg: rules: running body-text per-line regexp tests; score so > far=2.216 > [14467] dbg: uri: running uri tests; score so far=2.216 > [14467] dbg: rules: running raw-body-text per-line regexp tests; score > so far=2.216 > [14467] dbg: rules: running full-text regexp tests; score so far=2.216 > [14467] dbg: check: is spam? 
score=2.216 required=5 > [14467] dbg: check: > tests=MISSING_HEADERS,MISSING_SUBJECT,NO_REAL_NAME,NO_RECEIVED,NO_RELAYS,TO_CC_NONE > [14467] dbg: check: > subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID > Ignore errors about failing to find EOCD signature > format error: can't find EOCD signature > at ./bin/MailScanner line 832 > Stopping now as you are debugging me. > --- > > Please note I have disabled clamav for the moment to debug this without > having to care about possible problems with the Antivirus, however the > result was the same (no spamassassin details) when having the antivirus > set to 'clamav' or 'clamd'. > > Also I have installed clamav and SA from local ports in OpenBSD 4.1, but > maybe I should use the provided package from the MS site ? Would that be > worth a try ? > > Thanks for any hints or tips in advance. > > > Cheers, > Christoph > > -- > ---------------------------------------------------+ > / Christoph Schneeberger / SCS TeleMedia AG | > / GIAC GSEC / Liestalerstrasse 47 | > / cschnee@telemedia.ch / info@telemedia.ch | > / 4419 Lupsingen / http://www.telemedia.ch | > / tel +41 61 915 9155 / fax +41 61 911 0714 | > --------------------------------------------------------+ > > This e-mail is confidential and may be privileged. It may > be read, copied and used only by the addressee. If you > have received it in error, please contact us immediately. > > > "Quis custodiet ipsos custodes?" > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. 
If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From cschnee at box.telemedia.ch Wed Jul 4 09:24:53 2007 
From: cschnee at box.telemedia.ch (Christoph Schneeberger) Date: Wed Jul 4 09:29:49 2007 Subject: Problem with MS on OpenBSD 4.1 In-Reply-To: <84ac9bebdba50c4db2e3a7321854dbf0@solidstatelogic.com> References: <84ac9bebdba50c4db2e3a7321854dbf0@solidstatelogic.com> Message-ID: <468B5955.3080106@box.telemedia.ch> Sorry for the confusion, I am talking about OpenBSD's spamd which is accidentally called the same as SA's spamd, see http://www.openbsd.org/cgi-bin/man.cgi?query=spamd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html I am aware that MS calls SA Modules and does not use the daemon, thanks anyway for the tip. Worth a try if you don't know it. Thanks & Cheers, Christoph Martin.Hepworth wrote: > Chris > > Spamd/spamc isn't used for MailScanner, MS calls it direct. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Christoph Schneeberger >> Sent: 04 July 2007 09:08 >> To: MailScanner discussion >> Subject: Re: Problem with MS on OpenBSD 4.1 >> >> Glenn Steen wrote: >> >>> On 03/07/07, Christoph Schneeberger >>> > wrote: > >>>> Hi Julian, >>>> >>>> Thanks for your reply. >>>> >>>> Julian Field wrote: >>>> .. >>>> >>>> >>>>>> When I run MS and SA in debug mode I get an error at line 832 in >>>>>> Mailscanner which is the following line: >>>>>> >>>>>> $batch->Explode(); >>>>>> >>>>>> The error I get is >>>>>> >>>>>> >>>>>> [24820] dbg: locker: safe_unlock: unlocked >>>>>> >>>>> /root/.spamassassin/bayes.mutex >>>>> >>>>>> [24820] dbg: learn: initializing learner >>>>>> Ignore errors about failing to find EOCD signature >>>>>> >>>>> That line gives a hint. >>>>> >>>>> >>>>>> format error: can't find EOCD signature >>>>>> at /opt/MailScanner/bin/MailScanner line 832 >>>>>> >>>>> So you can ignore that. >>>>> >>>>> >>>>>> Stopping now as you are debugging me. >>>>>> Done. >>>>>> >>>>> It has run to completion normally. It hasn't bombed out on an >>>>> > error > >> at >> >>>>> all. It has done exactly what it is supposed to do in Debug mode: >>>>> process 1 batch of messages and then exit. >>>>> >>>> Ok thanks, i was thinking that too, but somebody on irc told me i >>>> > need > >>>> to get rid of this line832 error and that would solve my problem of >>>> > not > >>>> having any detailed Spamassassin result headers at all. >>>> >>>> So could you give me any direction or hints where I could further >>>> >> search >> >>>> to get that problem of not having detailed results in the header >>>> >> solved, >> >>>> since thats the only problem I really have. >>>> >>>> Or asked else: Is anybody on this list running a current >>>> > MailScanner on > >>>> OpenBSD 4.1 successfully and do you have any hints for me where too >>>> look ? 
>>>> >>>> Thanks a lot and best regards, >>>> Christoph >>>> >>>> >>> OpenBSD isn]t exactly unheard of, but it certainly isn\t one of the >>> more used OSes.... But this might not be anything specific to your >>> OS... Call me dull, but did you run a >>> MailScanner --debug --debug-sa >>> ... with something obvious, like a GTUBE, on queue? >>> >>> Cheers >>> >> Thanks for your reply, I had to google GTUBE before I knew what you >> meant ;-) >> >> I have run with debug and debug-sa (from MailScanner.conf but I guess >> that is the same result) and people on irc told me the output i pasted >> looks good, but I'll happily provide it at the end of this mail. >> >> I have sent a mail (only body with copy-paste) from my inbox that is >> spam through the MS in question and it scored it with 18 and flagged >> > the > >> Subject properly with {Spam?}, BUT only the Spamscore and the Subject >> Flag are here, no details on which tests how many score was given, >> > just > >> a result. >> >> The reason I want OpenBSD is the spamd/pf combo which is quite unique >> for greylisting and since 4.1 even more use- and powerful. Also I have >> used OpenBSD since 2.5 and I am quite satisfied with its robustness >> > and > >> safety. Another reason is that I am a sendmail veteran because there >> > was > >> nothing else really serious at the time i needed my first mailhub, so >> > I > >> read different sendmails books and am quite comfortable with it. I've >> never found my way into other MTAs and since most Linux are now >> > shipping > >> Postfix, Exim or whatever I am sticking with OpenBSD for Mailhubs, >> Mailgates etc. >> >> So here is the output of >> ./bin/MailScanner --debug --debug-sa 2>&1 | tee /tmp/log >> --- 
>> --- >> >> Please not I have disabled clamav for the moment to debug this without >> having to care about possible problems with the Antivirus, however the >> result was the same (no spamassassin details) when having the >> > antivirus > >> set to 'clamav' or 'clamd'. >> >> Also I have installed clamav and SA from local ports in OpenBSD 4.1, >> > but > >> maybe I should use the provided package from the MS site ? Would that >> > be > >> worth a try ? >> >> Thanks for any hints or tips in advance. >> >> >> Cheers, >> Christoph >> 
-- ---------------------------------------------------+ / Christoph Schneeberger / SCS TeleMedia AG | / GIAC GSEC / Liestalerstrasse 47 | / cschnee@telemedia.ch / info@telemedia.ch | / 4419 Lupsingen / http://www.telemedia.ch | / tel +41 61 915 9155 / fax +41 61 911 0714 | --------------------------------------------------------+ This e-mail is confidential and may be privileged. It may be read, copied and used only by the addressee. If you have received it in error, please contact us immediately. "Quis custodiet ipsos custodes?" 
From glenn.steen at gmail.com Wed Jul 4 10:59:30 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jul 4 10:59:32 2007 Subject: Filename rule question In-Reply-To: <468B4CD6.5050001@ti-edu.ch> References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468B4CD6.5050001@ti-edu.ch> Message-ID: <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> On 04/07/07, Marco Induni wrote: > Glenn Steen wrote: > > On 03/07/07, Marco Induni wrote: > >> Hi All, > >> I try to deny some email attachments based just on the filename. > >> So I setup the following test rule to deny all attachment for email > >> sent to me@pluto.com (obviously just a real address) > >> > >> - in /etc/MailScanner/Mailscanner.conf > >> -- Filename Rules = %rules-dir%/filename-rules.rules > >> > >> - in /etc/MailScanner/rules/filename-rules.rules > >> -- To: me@pluto.com /etc/MailScanner/filename-alldeny.conf > >> -- FromOrTo: default > >> /etc/MailScanner/filename-nocheck.rules.conf > >> > >> - in /etc/MailScanner/filename-alldeny.conf > >> -- deny .* - - > >> > >> - in /etc/MailScanner/filename-nocheck.rules.conf > >> -- allow .* - - > >> > >> > >> So I expect that any attachment will be denied, but is not true. > >> It seems that everything is passing through, and the rule is not > >> matching anything. > >> I've done MailScanner --lint and no syntax error appear. > >> I've also tried the standard rules enclosed (deny .exe .reg,...), but > >> didn't work. > > > > When troubleshooting things like these, always doublecheck your > > assumptions with MailScanner itself... Try "MailScanner --help" to see > > the possible things you can do ... apart from the well-known --debug > > and --lint (start by doing a lint... it'll show you any bad syntax > > errors), you can also try any setting with any sender/receiver .... In > > your case you'd test > > MailScanner --value=filenamerules --from=anyone@example.net > > --to=me@pluto.com > > and perhaps some variations ... 
Replace with addresses valid to your > > situation. > > > Glenn, > thanks for the suggestions. I've verified with Mailscanner > --value=filenamerules and the various address to be sure that the result > point to the rule that deny the attachment(see below) > > Looked up internal option name "filenamerules" > With sender = root@xxx > recipient = xxx@xx > Client IP = > Virus = > Result is "/etc/MailScanner/filename-alldeny.conf" > > > But unfortunately the attachment are still allowed > I've double checked to see if I've placed space instead of TAB on the > rule, but all seems ok. > > Also the MailScanner --lint don't get any syntax error. > > Actually I've tested on MailScanner 4.58.9 and 4.61.7 with the same result. > > On the /etc/MailScanner/filename-alldeny.conf there is just > deny .* - - > > and in MailScanner.conf > > Allow Filenames = > Deny Filenames = > Filename Rules = %rules-dir%/filename-rules.rules > > > No idea :-( > Just a thought, but your quotes of the files in your first message.... Do they begin with "--" or "allow/deny"? That is: are there 4 fields in the file, separated by , or five (I think the lint would catch this, so ... probably nothing...:-). Also, you should pay extra attention to whether it is filename or filetype rules kicking in (in the logs... Perhaps you have MailWatch? Makes things ... easier to see:-). I always try to make filenames and filetypes functionally equivalent:). Paying attention to one's logs is never wrong anyway, so ... you wouldn't have any log snippets to look at, for a relevant test run? When you send these messages, or indeed any messages sent to you, if the mail has more recipients than one... then the rules applicable to the first recipient will "win" for all of them... So you might need split messages/recipient (look in the wiki how to do this... At least Postfix and Sendmail can do this for you), to be sure what rules will trigger for a specific message/recipient combination. 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Jul 4 11:25:44 2007 
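The two checks raised in the "Filename rule question" message above (spaces where tabs are expected, and a multi-recipient message being judged by its first recipient's rules), as an added example that is not code from MailScanner or from any poster. It is a simplified Python model: the file contents are constructed copies of the files quoted in the thread, `other@example.net` is a made-up address, and first-match ordering, the fallback handling of `default` and the use of Python's `re` in place of Perl regexes are assumptions.

```python
import re
from fnmatch import fnmatch

# Constructed copies of the three files quoted in the thread (tabs written as \t).
RULESET = (
    "To:\tme@pluto.com\t/etc/MailScanner/filename-alldeny.conf\n"
    "FromOrTo:\tdefault\t/etc/MailScanner/filename-nocheck.rules.conf\n"
)
RULE_FILES = {
    "/etc/MailScanner/filename-alldeny.conf": "deny\t.*\t-\t-\n",
    "/etc/MailScanner/filename-nocheck.rules.conf": "allow\t.*\t-\t-\n",
}
ACTIONS = {"allow", "deny"}  # only the two actions that appear in the thread


def parse_ruleset(text):
    """Return (direction, address pattern, value) for each ruleset line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, pattern, value = line.split(None, 2)
        rules.append((direction.rstrip(":").lower(), pattern.lower(), value))
    return rules


def resolve(ruleset_text, sender, recipients):
    """Pick the rules file for a message. Models the thread's statement that
    only the first recipient is consulted; 'default' is the fallback."""
    first_rcpt = recipients[0].lower()
    sender = sender.lower()
    default = None
    for direction, pattern, value in parse_ruleset(ruleset_text):
        if pattern == "default":
            default = value
            continue
        candidates = {"to": [first_rcpt], "from": [sender],
                      "fromorto": [sender, first_rcpt]}.get(direction, [])
        if any(fnmatch(addr, pattern) for addr in candidates):
            return value
    return default


def lint_filename_rules(text):
    """Return [(line number, problem)] for lines that do not parse as four
    tab-separated fields: action, regex, log text, user report text."""
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            if len(fields) < 4 and len(line.split()) >= 4:
                problems.append((number, "fields separated by spaces, not tabs"))
            else:
                problems.append(
                    (number, f"expected 4 tab-separated fields, found {len(fields)}"))
            continue
        if fields[0] not in ACTIONS:
            problems.append((number, f"unknown action {fields[0]!r}"))
        try:
            re.compile(fields[1])
        except re.error as exc:
            problems.append((number, f"bad regex: {exc}"))
    return problems


def verdict(rules_text, filename):
    """The first well-formed rule whose regex matches the filename decides.
    Malformed lines (for example space-separated ones) never match."""
    for line in rules_text.splitlines():
        fields = line.split("\t")
        if len(fields) == 4 and fields[0] in ACTIONS and re.search(fields[1], filename):
            return fields[0]
    return None


def message_verdict(sender, recipients, filename):
    """Rules file chosen for the message and the resulting allow/deny."""
    path = resolve(RULESET, sender, recipients)
    return path, verdict(RULE_FILES[path], filename)


if __name__ == "__main__":
    print(message_verdict("anyone@example.net", ["me@pluto.com"], "report.pdf"))
    print(message_verdict("anyone@example.net",
                          ["other@example.net", "me@pluto.com"], "report.pdf"))
    print(lint_filename_rules("deny    .*    -    -\n"))
```

In this model a test message addressed only to `me@pluto.com` is denied, while the same attachment sent with another recipient listed first falls through to the allow-all file, which is the case that splitting messages per recipient addresses.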
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jul 4 11:25:47 2007 Subject: Problem with MS on OpenBSD 4.1 In-Reply-To: <468B5577.2070402@box.telemedia.ch> References: <468A63AC.5040808@box.telemedia.ch> <468A659A.3090602@ecs.soton.ac.uk> <468A691D.7020605@box.telemedia.ch> <223f97700707031115m7f156454wac3f7b80febe5434@mail.gmail.com> <468B5577.2070402@box.telemedia.ch> Message-ID: <223f97700707040325v773416f4wcc68d98af2307a01@mail.gmail.com> On 04/07/07, Christoph Schneeberger wrote: > Glenn Steen wrote: > > On 03/07/07, Christoph Schneeberger wrote: > >> Hi Julian, > >> > >> Thanks for your reply. > >> > >> Julian Field wrote: > >> .. > >> > >> > >When I run MS and SA in debug mode I get an error at line 832 in > >> > >Mailscanner which is the following line: > >> > > >> > >$batch->Explode(); > >> > > >> > >The error I get is > >> > > >> > > > >> > >[24820] dbg: locker: safe_unlock: unlocked > >> > /root/.spamassassin/bayes.mutex > >> > >[24820] dbg: learn: initializing learner > >> > >Ignore errors about failing to find EOCD signature > >> > > >> > > >> > That line gives a hint. > >> > > >> > >format error: can't find EOCD signature > >> > > at /opt/MailScanner/bin/MailScanner line 832 > >> > > >> > > >> > So you can ignore that. > >> > > >> > >Stopping now as you are debugging me. > >> > > Done. > >> > > >> > > >> > It has run to completion normally. It hasn't bombed out on an error at > >> > all. It has done exactly what it is supposed to do in Debug mode: > >> > process 1 batch of messages and then exit. > >> > >> > >> Ok thanks, i was thinking that too, but somebody on irc told me i need > >> to get rid of this line832 error and that would solve my problem of not > >> having any detailed Spamassassin result headers at all. > >> > >> So could you give me any direction or hints where I could further search > >> to get that problem of not having detailed results in the header solved, > >> since that's the only problem I really have. 
> >>
> >> Or asked else: Is anybody on this list running a current MailScanner on
> >> OpenBSD 4.1 successfully and do you have any hints for me where too
> >> look ?
> >>
> >> Thanks a lot and best regards,
> >> Christoph
> >>
> > OpenBSD isn't exactly unheard of, but it certainly isn't one of the
> > more used OSes.... But this might not be anything specific to your
> > OS... Call me dull, but did you run a
> > MailScanner --debug --debug-sa
> > ... with something obvious, like a GTUBE, on queue?
> >
> > Cheers
>
> Thanks for your reply, I had to google GTUBE before I knew what you
> meant ;-)
>
> I have run with debug and debug-sa (from MailScanner.conf but I guess
> that is the same result) and people on irc told me the output i pasted
> looks good, but I'll happily provide it at the end of this mail.

Yep, they are equivalent... Just easier to use the command line:-).

> I have sent a mail (only body with copy-paste) from my inbox that is
> spam through the MS in question and it scored it with 18 and flagged the
> Subject properly with {Spam?}, BUT only the Spamscore and the Subject
> Flag are here, no details on which tests how many score was given, just
> a result.

This is indeed strange... IIRC there was someone else posting about
specifics for OpenBSD a while back... You have looked in the maillist
archives (gmane is good for this), I presume?

> The reason I want OpenBSD is the spamd/pf combo which is quite unique
> for greylisting and since 4.1 even more use- and powerful. Also I have
> used OpenBSD since 2.5 and I am quite satisfied with its robustness and
> safety. Another reason is that I am a sendmail veteran because there was
> nothing else really serious at the time i needed my first mailhub, so I
> read different sendmails books and am quite comfortable with it. I've
> never found my way into other MTAs and since most Linux are now shipping
> Postfix, Exim or whatever I am sticking with OpenBSD for Mailhubs,
> Mailgates etc.
Oh, no quarrel from me, you should stick with what you're comfy with.
Personally I switched to PF quite a few years ago, but that was ... in
the bad old days, when sendmail was a sieve and PF looked ... shiny:-).
Today, all the major MTAs (no, not exchange:-):-) are quite secure. TW,
most any linux distro can be configured with most any MTA... Some even
have a nice tool for switching between them (like CentOS/RHEL does).
Not that I'm telling you to switch:-).

> So here is the output of
> ./bin/MailScanner --debug --debug-sa 2>&1 | tee /tmp/log
> ---
> (snip)
> tests=MISSING_HEADERS,MISSING_SUBJECT,NO_REAL_NAME,NO_RECEIVED,NO_RELAYS,TO_CC_NONE
> [14467] dbg: check:
> subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID
> Ignore errors about failing to find EOCD signature
> format error: can't find EOCD signature
> at ./bin/MailScanner line 832
> Stopping now as you are debugging me.
> ---

Ok, so the tests are there, and should be reported back to MS... Hm.

> Please not I have disabled clamav for the moment to debug this without
> having to care about possible problems with the Antivirus, however the
> result was the same (no spamassassin details) when having the antivirus
> set to 'clamav' or 'clamd'.

Yeah, that shouldn't matter.

> Also I have installed clamav and SA from local ports in OpenBSD 4.1, but
> maybe I should use the provided package from the MS site ? Would that be
> worth a try ?

I've stopped using prepackaged things for those, since there
occasionally are strange problems due to ... quirky packaging (not
often, IIRC mostly concerning RPM-based linux distros, but ... still
...)... So uninstalling the SA you have (which is slightly dated anyway,
and don't seem to be using sa-update...), and perhaps your clamav too,
and reinstalling them using Jules package... Might be very worth your
while.

> Thanks for any hints or tips in advance.
>
>
> Cheers,
> Christoph
>
> --
> ---------------------------------------------------+
> / Christoph Schneeberger / SCS TeleMedia AG |
> / GIAC GSEC / Liestalerstrasse 47 |
> / cschnee@telemedia.ch / info@telemedia.ch |
> / 4419 Lupsingen / http://www.telemedia.ch |
> / tel +41 61 915 9155 / fax +41 61 911 0714 |
> --------------------------------------------------------+
>
> This e-mail is confidential and may be privileged. It may
> be read, copied and used only by the addressee. If you
> have received it in error, please contact us immediately.
>
>
> "Quis custodiet ipsos custodes?"

Indeed...:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From gerard at seibercom.net Wed Jul 4 12:08:56 2007
From: gerard at seibercom.net (Gerard)
Date: Wed Jul 4 12:08:49 2007
Subject: Postfix Address Verification
In-Reply-To: <468AE442.6000501@rheelweb.co.nz>
References: <46881CAB.2090504@rheelweb.co.nz> <468AE442.6000501@rheelweb.co.nz>
Message-ID: <20070704070636.7FFD.GERARD@seibercom.net>

On July 03, 2007 at 08:05PM Seamus Allan wrote:

[snip]

> Anybody got ideas?

Have you tried posting this question on the Postfix forum? You will
obviously need to include a the results of a 'postconf -n' output as
well as the relevant sections of the maillog.

Off hand, I cannot see anything wrong though.

--
Gerard

"Everybody has a right to be stupid, but some people abuse the privilege."

Joseph Stalin

From martinh at solidstatelogic.com Wed Jul 4 12:15:43 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Jul 4 12:15:47 2007
Subject: Postfix Address Verification
In-Reply-To: <20070704070636.7FFD.GERARD@seibercom.net>
Message-ID: <6a5b3338ddca144790b0da740700adfc@solidstatelogic.com>

Seamus

I'd start here..

http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gerard
> Sent: 04 July 2007 12:09
> To: mailscanner@lists.mailscanner.info
> Subject: Re[2]: Postfix Address Verification
>
> On July 03, 2007 at 08:05PM Seamus Allan wrote:
>
> [snip]
>
> > Anybody got ideas?
>
> Have you tried posting this question on the Postfix forum? You will
> obviously need to include a the results of a 'postconf -n' output as
> well as the relevant sections of the maillog.
>
> Off hand, I cannot see anything wrong though.
>
> --
> Gerard
>
> "Everybody has a right to be stupid, but some people abuse the privilege."
>
> Joseph Stalin
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From lists at gmnet.net Wed Jul 4 12:56:03 2007
From: lists at gmnet.net (mail)
Date: Wed Jul 4 12:56:18 2007
Subject: Any advice for a new server?
In-Reply-To:
References: <1183421943.8123.116.camel@thor.greenbuzz.net>
Message-ID: <1183550163.31212.45.camel@thor.greenbuzz.net>

On Tue, 2007-07-03 at 11:02 +1000, Res wrote:
> On Tue, 3 Jul 2007, mail wrote:
>
> > Hi,
> >
> > I have been running a mail server with sendmail/ MailScanner/ ClamAV/
> > Mailman/ Squirrelmail/ combo for the past 7 years. It is now time to
> > migrate my accounts to a brand new server. I was using Redhat9, but now
> > I'm 99% sure that I will go with Gentoo. I am also 90% sure that I will
>
> You want to make sure you have several years of support, for this reason
> I last used a RH OS on servers at RH9, I had one RH9 box for for up to 2
> years after RH stopped supporting it, because it was unbreakable.
> I have since moved it to the same as other servers, being Slackware, as
> close to true sources as you'll get (hence why there is no 20+ updates
> relased every week like RH/Fedora/Debian etc), version support is at
> least 5 years or more. Also extremely reliable and stable, a good time to
> try it as Slackware 12.0 was released overnight.
>
>
> > stay with sendmail/ ClamAV/ Squirrelmail and 100% sure to stay with
> > MailScanner/ Mailman. I don't have a whole lot of accounts so I do have
>
> Yep, stay with them all, but make sure you use the latest versions of
> them.
>
>
> --
> Cheers
> Res

Thanks to everyone so far for the insight!

I think I will use Gentoo. I got somewhat burned by using RH9 the last
time. Almost as soon as I installed it and got it up and running, they
stopped supporting it.

I am really happy with portage as my update path. I don't mind
compiling stuff from source because I will be doing that anyway for many
things. Also I will not be installing any windowing or desktop
applications at all.

I can't wait to get the Mailscanner book and dive in!

rick

From cschnee at box.telemedia.ch Wed Jul 4 15:54:20 2007
From: cschnee at box.telemedia.ch (Christoph Schneeberger)
Date: Wed Jul 4 15:55:23 2007
Subject: SOLVED: Re: Problem with MS on OpenBSD 4.1
In-Reply-To: <223f97700707040325v773416f4wcc68d98af2307a01@mail.gmail.com>
References: <468A63AC.5040808@box.telemedia.ch> <468A659A.3090602@ecs.soton.ac.uk> <468A691D.7020605@box.telemedia.ch> <223f97700707031115m7f156454wac3f7b80febe5434@mail.gmail.com> <468B5577.2070402@box.telemedia.ch> <223f97700707040325v773416f4wcc68d98af2307a01@mail.gmail.com>
Message-ID: <468BB49C.2090004@box.telemedia.ch>

After my fourth day on this issue, I tried to reactivate my previous
install under an i386 machine with 4.59.4. I haven't got that far there
so I had still the default setup and no migration of configuration and
just tested it to see if I get detailed headers which I surprisingly got.

To minimize my own errors I did migrate the config line by line and
after every line changed I ran a test to see if my detailed report
headers disappear or not.

Suddenly when adding my Mail Header= rule file to the config I started
to lack the detailed reports...after looking at this rule file I used
there I felt incredibly stupid (or as maxsec said: The problem has been
between the chair and the keyboard).

I used config variables like %mail_header% in my rule file, but those
vars were not defined in the main MailScanner.conf like:

%mail_header% = X-%org-name%-MailScanner:

Okay, I added those missing vars - et viola (courtesy to Kelly Bundy) I
got my detailed reports in header...

Maybe the MS debug output could have mentioned something regarding this,
but that's not an excuse for a completely stupid migration mistake from
me.

Anyway, I want to say thanks, first for all that offered help and
assistance and second for MailScanner, which is really an exciting tool
for me.

Cheers and thx a lot again,
Christoph

From Denis.Beauchemin at USherbrooke.ca Wed Jul 4 16:06:04 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Jul 4 16:06:35 2007
Subject: Vulnerability in Net::DNS
Message-ID: <468BB75C.9000506@USherbrooke.ca>

Hello all,

I just read this:

07.27.36 CVE: CVE-2007-3377, CVE-2007-3409
Platform: Cross Platform
Title: Perl Net::DNS Remote Multiple Vulnerabilities
Description: The Perl Net::DNS module allows scripts written in Perl
to perform DNS queries. The application is exposed to multiple issues.
Perl Net::DNS module versions prior to 0.60. are affected.
Ref: http://www.securityfocus.com/bid/24669


I just upgraded to 0.60, reloaded MS and everything is working fine.

Denis

--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From rcooper at dwford.com Wed Jul 4 16:23:11 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Wed Jul 4 16:23:20 2007
Subject: clamd configuration?
In-Reply-To: <468B0B2E.8080201@fractalweb.com>
References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> <468B0B2E.8080201@fractalweb.com>
Message-ID: <006301c7be4f$3c350530$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Chris Yuzik
> Sent: Tuesday, July 03, 2007 10:51 PM
> To: MailScanner discussion
> Subject: Re: clamd configuration?
>
[...]
> Rick,
>
> Ok, here you go. I put MailScanner into debug mode, did a
> lint, plopped
> a message with the eicar test file into the inqueue, etc. Looks like
> clamd is called and the messages handed off, but it doesn't
> find the virus.
>
> Chris
>

Ok, sorry so spotty on returns, My mother-in-law passed away Fri and the
weekend through last night was spent with all the duties entailed with
such an event (and of course my Wife and Kids).

My guess is permissions are insufficient, check the user that clamd is
running under. If it's not root then make sure you have added the
correct MailScanner config params at the working dir setup or add the MS
user to clam's group and turn on supplementary groups in the clamd.conf.

I am testing with a situation where I am running the daemon with
insufficient perms now and I get: "Access denied. ERROR" from the daemon
however the line:

    elsif ($rest =~ /^.+\sERROR$/) {

Is not catching the above (because $rest is empty) thus it's falling
through to

    } else {
      print "CLEAN:: :: $dirname/$childname/$filename\n";

Which it should never do, IMHO. I clipped this from the clamavmodule
code so perhaps clamavmodule does return other items.

Julian, I really haven't the time to D/L and patch the release code,
perhaps you can add the following:

    # If we get an access denied error then print the properly
    # formatted error and leave
    # (${ScanDir} is braced so that "$ScanDir::" is not read as a package variable)
    print "ERROR::Permissions Problem Clamd was denied access to " .
          "${ScanDir}::$ScanDir\n"
      if $results =~ /\.\/Access denied. ERROR/;
    last if $results =~ /\.\/Access denied. ERROR/;

Above :

    next if $results =~ /^\.\/OK/;

(about line 3316 or so in SweepViruses.pm) as this will catch the access
denied line.
Since I took the logic from clamavmodule I never thought about
permission problems which clamavmodule couldn't have (I would think).

This will cause the parser to see the error, but bear in mind any error
in the parser results in MailScanner flagging the message as having a
virus in the log, but it passes the attachment by because there is no
filename to flag. It does generate an obvious error that any semi-alert
admin will catch however :

    ERROR::Permissions Problem Clamd was denied access to /dev/shm/15408

Julian : I think the section that results in:

    print "CLEAN:: :: $dirname/$childname/$filename\n";

should be changed to

    print "ERROR::UNKNOWN RETURN FROM CLAMD $result :: $ScanDir\n";

As we catch OK/ERROR/INFECTED above it and anything else has to be a
problem. Sorry for not having caught that possibility sooner. Also sorry
if this post is less than coherent.

If Julian hasn't the time to post a patch then I should be able to get
to it by the weekend as some rather large projects are piling up on me
due to death and holiday (which I really shouldn't work this time).

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From jgouveia at gmail.com Wed Jul 4 16:32:49 2007
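The fall-through described in the message above, where a clamd reply that is neither OK, FOUND nor a recognised ERROR ends up reported as CLEAN, goes away when every unrecognised or empty reply is treated as an error. The Perl below is an added example, not MailScanner's SweepViruses.pm code and not part of the original post; the function names, the "path: status" reply forms it assumes and the sample replies are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code: parse clamd replies so that anything
# unexpected is reported as an error instead of falling through to CLEAN.
use strict;
use warnings;

# Classify one reply line (hypothetical helper). Assumed reply forms, based
# on clamd's usual "path: status" replies:
#   <path>: OK
#   <path>: <signature> FOUND
#   <path>: <message> ERROR      (for example "Access denied. ERROR")
# Returns a hash ref: verdict (CLEAN, INFECTED or ERROR), path, detail.
sub classify_reply {
    my ($line) = @_;
    $line = '' unless defined $line;
    $line =~ s/[\r\n\0]+\z//;    # replies end with a newline or NUL

    if ($line =~ /^(.+): (\S+) FOUND\z/) {
        return { verdict => 'INFECTED', path => $1, detail => $2 };
    }
    if ($line =~ /^(.+): OK\z/) {
        return { verdict => 'CLEAN', path => $1, detail => '' };
    }
    # ERROR replies, with or without a leading path.
    if ($line =~ /^(?:(.+): )?(.*\S)\s+ERROR\z/) {
        return { verdict => 'ERROR', path => defined $1 ? $1 : '', detail => $2 };
    }
    # Fail closed: an empty or unrecognised reply is never a clean result.
    return { verdict => 'ERROR', path => '',
             detail => "unrecognised clamd reply '$line'" };
}

# Combine every reply for one scan into a single decision.
# Precedence: INFECTED, then ERROR, then CLEAN. No reply at all is an ERROR.
sub batch_verdict {
    my @results = map { classify_reply($_) } @_;
    push @results, classify_reply('') unless @results;

    my %seen;
    $seen{ $_->{verdict} } = 1 for @results;

    my $overall = $seen{INFECTED} ? 'INFECTED'
                : $seen{ERROR}    ? 'ERROR'
                :                   'CLEAN';
    return ($overall, \@results);
}

# Constructed sample replies; the paths are illustrative, not from a real run.
my @batches = (
    [ 'all clean',         '/dev/shm/15408/msg1/notes.txt: OK' ],
    [ 'test file',         '/dev/shm/15408/msg2/notes.txt: OK',
                           '/dev/shm/15408/msg2/eicar.com: Eicar-Test-Signature FOUND' ],
    [ 'permission denied', '/dev/shm/15408: Access denied. ERROR' ],
    [ 'error, no path',    'Access denied. ERROR' ],
    [ 'unexpected text',   'something the parser has never seen' ],
    [ 'no reply at all' ],
);

for my $batch (@batches) {
    my ($label, @lines) = @$batch;
    my ($overall, $results) = batch_verdict(@lines);
    printf "%-18s => %s\n", $label, $overall;
    for my $r (@$results) {
        printf "    %-8s path='%s' detail='%s'\n",
            $r->{verdict}, $r->{path}, $r->{detail};
    }
}
```

Run it with `perl` and compare the last four batches: each yields ERROR, where a parser whose final branch prints CLEAN would have let the message through.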
From: jgouveia at gmail.com (João Gouveia)
Date: Wed Jul 4 16:32:51 2007
Subject: Vulnerability in Net::DNS
In-Reply-To: <468BB75C.9000506@USherbrooke.ca>
References: <468BB75C.9000506@USherbrooke.ca>
Message-ID: <39ee73db0707040832x41b2fb71j256bc7dfe4db2cf2@mail.gmail.com>

At a first glance, this seems to be related to the server component of
Net::DNS, so that shouldn't have any impact on client side apps such as
MS/spamassassin.

On 7/4/07, Denis Beauchemin wrote:
> Hello all,
>
> I just read this:
>
> 07.27.36 CVE: CVE-2007-3377, CVE-2007-3409
> Platform: Cross Platform
> Title: Perl Net::DNS Remote Multiple Vulnerabilities
> Description: The Perl Net::DNS module allows scripts written in Perl
> to perform DNS queries. The application is exposed to multiple issues.
> Perl Net::DNS module versions prior to 0.60. are affected.
> Ref: http://www.securityfocus.com/bid/24669
>
>
> I just upgraded to 0.60, reloaded MS and everything is working fine.
>
> Denis
>
> --
>    _
>   °v°   Denis Beauchemin, analyste
>  /(_)\  Université de Sherbrooke, S.T.I.
>   ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From minduni at ti-edu.ch Wed Jul 4 16:45:29 2007
From: minduni at ti-edu.ch (Marco Induni)
Date: Wed Jul 4 16:45:31 2007
Subject: Filename rule question
In-Reply-To: <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com>
References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com>
Message-ID: <468BC099.7060508@ti-edu.ch>

Glenn Steen wrote:
> On 04/07/07, Marco Induni wrote:
>> Glenn Steen wrote:
>> > On 03/07/07, Marco Induni wrote:
>> >> Hi All,
>> >> I try to deny some email attachments based just on the filename.
>> >> So I setup the following test rule to deny all attachment for email
>> >> sended to me@pluto.com (obviously just a real address)
>> >>
>> >> - in /etc/MailScanner/Mailscanner.conf
>> >> -- Filename Rules = %rules-dir%/filename-rules.rules
>> >>
>> >> - in /etc/MailScanner/rules/filename-rules.rules
>> >> -- To: me@pluto.com /etc/MailScanner/filename-alldeny.conf
>> >> -- FromOrTo: default
>> >> /etc/MailScanner/filename-nocheck.rules.conf
>> >>
>> >> - in /etc/MailScanner/filename-alldeny.conf
>> >> -- deny .* - -
>> >>
>> >> - in /etc/MailScanner/filename-nocheck.rules.conf
>> >> -- allow .* - -
>> >>
>> >>
>> >> So I expect that any attachment will be denied, but is not true.
>> >> It seems that everything is passing through, and the rule is not
>> >> matching anything.
>> >> I've done MailScanner --lint and no syntax error appear.
>> >> I've also tried the standard rules enclosed (deny .exe .reg,...), but
>> >> didn't work.
>> >
>> > When troubleshooting things like these, always doublecheck your
>> > assumptions with MailScanner itself... Try "MailScanner --help" to see
>> > the possible things you can do ... apart from the well-known --debug
>> > and --lint (start by doing a lint... it'll show you any bad syntax
>> > errors), you can also try any setting with any sender/receiver .... In
>> > your case you'd test
>> > MailScanner --value=filenamerules --from=anyone@example.net
>> > --to=me@pluto.com
>> > and perhaps some variations ... Replace with addresses valid to your
>> > situation.
>> >
>> Glenn,
>> thanks for the suggestions. I've verified with Mailscanner
>> --value=filenamerules and the various address to be sure that the result
>> point to the rule that deny the attachment(see below)
>>
>> Looked up internal option name "filenamerules"
>> With sender = root@xxx
>> recipient = xxx@xx
>> Client IP =
>> Virus =
>> Result is "/etc/MailScanner/filename-alldeny.conf"
>>
>>
>> But unfortunately the attachment are still allowed
>> I've double checked to see if I've placed space instead of TAB on the
>> rule, but all seems ok.
>>
>> Also the MailScanner --lint don't get any syntax error.
>>
>> Actually I've tested on MailScanner 4.58.9 and 4.61.7 with the same
>> result.
>>
>> On the /etc/MailScanner/filename-alldeny.conf there is just
>> deny .* - -
>>
>> and in MailScanner.conf
>>
>> Allow Filenames =
>> Deny Filenames =
>> Filename Rules = %rules-dir%/filename-rules.rules
>>
>>
>> No idea :-(
>>
> Just a thought, but your quotes of the files in your first message....
> Do the begin with "--" or "allow/deny"? That is: are there 4 fields in
> the file, separated by , or five (I think the lint would caatch
> this, so ... probably nothing...:-).
>
Hi Gleen,
unfortunately, the file is correct, I added the -- for ident on the mail
only, but it look like a field.
Also as you said this error (and even the lost TAB) are catched by the
--lint option.

> Also, you should pay extra attention to whether it is finame or
> filetype rules kicking in (in the logs... Perhaps you have MailWatch?
> Makes things ... easier to see:-).

Uhm, I don't have Mailwatch installed, but in the log i can't see the
rules involved. I had to activate some flag, or there are special logs ?
The rules appear to be correct when i tested via the "MailScanner
--value=filenamerules ...."

> I always try to make filenames and filetypes functionally equivalent:).
> Paying attention to ones logs is never wrong anyway, so ... you
> wouldn't have any log snippets to look at, for a relevant test run?
>
> When you send these messages, or indeed any messages sent to you, if
> the mail has more recipients than one... then the rules applicable to
> the first recipient will "win" for all of them... So you might need
> split messages/recipient (look in the wiki how to do this... At least
> Postfix and Sendmail can do this for you), to be sure what rules will
> trigger for a specific message/recipient combination.

Good point, but in my test I'm the only recipient

>
> Cheers

Grazie (Thank you)

--
Marco Induni
Universita` della Svizzera italiana
Servizi informatici / TI-EDU
Galleria 2
CH-6928 Manno (Switzerland)

E-mail: minduni@ti-edu.ch
Tel: +41 58 666 6656
Fax: +41 58 666 6650

From hvdkooij at vanderkooij.org Wed Jul 4 16:46:08 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Jul 4 16:47:14 2007
Subject: Some maillog question
In-Reply-To:
References:
Message-ID:

On Wed, 4 Jul 2007, Martin.Hepworth wrote:

> Nope - look in the clamd.conf file. There's a setting you may need to
> increase..

If the scan can not be completed in the default 300 seconds you may
have a DoS sample at hand. Or a system that is underpowered for the
task at hand. Or you need to tell your users not to send DVD images by
email.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Please, don't top post:
A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From MailScanner at ecs.soton.ac.uk Wed Jul 4 16:52:55 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 4 16:58:42 2007
Subject: MailScanner ANNOUNCE: Re: Vulnerability in Net::DNS
In-Reply-To: <468BB75C.9000506@USherbrooke.ca>
References: <468BB75C.9000506@USherbrooke.ca>
Message-ID: <468BC257.5000201@ecs.soton.ac.uk>

I have just updated my ClamAV+SpamAssassin package on
www.mailscanner.info to solve this vulnerability. I would advise
everyone to download and install the new version of this package.

Denis Beauchemin wrote:
> Hello all,
>
> I just read this:
>
> 07.27.36 CVE: CVE-2007-3377, CVE-2007-3409
> Platform: Cross Platform
> Title: Perl Net::DNS Remote Multiple Vulnerabilities
> Description: The Perl Net::DNS module allows scripts written in Perl
> to perform DNS queries. The application is exposed to multiple issues.
> Perl Net::DNS module versions prior to 0.60. are affected.
> Ref: http://www.securityfocus.com/bid/24669
>
>
> I just upgraded to 0.60, reloaded MS and everything is working fine.
>
> Denis
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From MailScanner at ecs.soton.ac.uk Wed Jul 4 16:59:38 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 4 17:04:10 2007
Subject: Some maillog question
In-Reply-To:
References:
Message-ID: <468BC3EA.6010401@ecs.soton.ac.uk>

Hugo van der Kooij wrote:
> On Wed, 4 Jul 2007, Martin.Hepworth wrote:
>
>> Nope - look in the clamd.conf file. There's a setting you may need to
>> increase..
>
> If the scan can not be completed in the default 300 seconds you may
> have a DoS sample at hand. Or a system that is underpowered for the
> task at hand. Or you need to tell your users not to send DVD images by
> email.
>
If you are running ClamAV 0.90 (Virus Scanners = clamav) then try
running the 0.91 release candidate as this loads the virus signatures a
*lot* faster. Or else try clamavmodule or clamd.

Jules

From mailscanner at ecs.soton.ac.uk Wed Jul 4 20:13:01 2007
From: mailscanner at ecs.soton.ac.uk (Jules)
Date: Wed Jul 4 20:14:50 2007
Subject: Ping
Message-ID: <200707041913.l64JD1D1013544@safir.blacknight.ie>

Not at all sure the list is working, so I'm doing this one by hand.
--
JulesFM

From uxbod at splatnix.net Wed Jul 4 20:17:06 2007
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Wed Jul 4 20:17:10 2007
Subject: Ping
In-Reply-To: <200707041913.l64JD1D1013544@safir.blacknight.ie>
References: <200707041913.l64JD1D1013544@safir.blacknight.ie>
Message-ID: <2797931a085805f37b5eed3cbbb96ec2@62.49.223.244>

Pong!

On Wed, 4 Jul 2007 20:13:01 +0100, Jules wrote:
> Not at all sure the list is working, so I'm doing this one by hand.
> --
> JulesFM

--
--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From clacroix at cegep-ste-foy.qc.ca Wed Jul 4 20:17:58 2007
From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix)
Date: Wed Jul 4 20:18:02 2007
Subject: Ping
In-Reply-To: <200707041913.l64JD1D1013544@safir.blacknight.ie>
References: <200707041913.l64JD1D1013544@safir.blacknight.ie>
Message-ID: <200707041517.58832.clacroix@cegep-ste-foy.qc.ca>

What have you done to the list!! :)

On Wednesday 04 July 2007 15:13, Jules wrote:
> Not at all sure the list is working, so I'm doing this one by hand.
> --
> JulesFM

--
Charles Lacroix, Administrateur UNIX.
Service des télécommunications et des technologies
Cégep de Sainte-Foy (418) 659-6600 # 4266

From mailscanner at slackadelic.com Wed Jul 4 20:19:15 2007
From: mailscanner at slackadelic.com (Matt Hayes)
Date: Wed Jul 4 20:19:24 2007
Subject: Ping
In-Reply-To: <200707041913.l64JD1D1013544@safir.blacknight.ie>
References: <200707041913.l64JD1D1013544@safir.blacknight.ie>
Message-ID: <468BF2B3.9000603@slackadelic.com>

Jules wrote:
> Not at all sure the list is working, so I'm doing this one by hand.

It's working Jules.

-Matt

From MailScanner at ecs.soton.ac.uk Wed Jul 4 20:25:52 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 4 20:28:36 2007
Subject: Ping
In-Reply-To: <468BF2B3.9000603@slackadelic.com>
References: <200707041913.l64JD1D1013544@safir.blacknight.ie> <468BF2B3.9000603@slackadelic.com>
Message-ID: <468BF440.9000009@ecs.soton.ac.uk>

Matt Hayes wrote:
> Jules wrote:
>> Not at all sure the list is working, so I'm doing this one by hand.
>
> It's working Jules.
Phew. We went over 3 hours without a single posting, that's almost
unheard of :-)
>
> -Matt
>
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From uxbod at splatnix.net Wed Jul 4 20:33:06 2007
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Jul 4 20:33:10 2007 Subject: Ping In-Reply-To: <468BF440.9000009@ecs.soton.ac.uk> References: <468BF440.9000009@ecs.soton.ac.uk> Message-ID: <38e6466229b168459a56f45fc2db9af0@62.49.223.244> typeset -i count let count=0 while (( ${count} -lt 1000 )) do echo "Does it still work" | mailx -s "Ping ${count}" mailscanner@lists.mailscanner.info sleep 60 let ${count}+=1 done :) On Wed, 04 Jul 2007 20:25:52 +0100, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Matt Hayes wrote: >> Jules wrote: >>> Not at all sure the list is working, so I'm doing this one by hand. >> >> It's working Jules. > Phew. We went over 3 hours without a single posting, that's almost > unheard of :-) >> >> -Matt >> >> > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > Charset: ISO-8859-1 > > wj8DBQFGi/RBEfZZRxQVtlQRAmn1AKCZT2KBayjga9J0I9hdz9zBR3uk2ACg8Xvt > V+51K2FW10H0uJLM/5hYLBQ= > =iziZ > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
--
--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From seamus at rheelweb.co.nz Wed Jul 4 22:42:43 2007
From: seamus at rheelweb.co.nz (Seamus Allan)
Date: Wed Jul 4 22:42:52 2007
Subject: Postfix Address Verification
In-Reply-To: <6a5b3338ddca144790b0da740700adfc@solidstatelogic.com>
References: <6a5b3338ddca144790b0da740700adfc@solidstatelogic.com>
Message-ID: <468C1453.8050102@rheelweb.co.nz>

That's where I originally started ;)
Cheers though

Martin.Hepworth wrote:
> Seamus
> I'd start here..
>
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:reject_non_existent_users
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>

From glenn.steen at gmail.com Wed Jul 4 23:20:22 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jul 4 23:20:24 2007 Subject: Filename rule question In-Reply-To: <468BC099.7060508@ti-edu.ch> References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> <468BC099.7060508@ti-edu.ch> Message-ID: <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> On 04/07/07, Marco Induni wrote: > Glenn Steen wrote: (snip) > >> No idea :-( > >> > > Just a thought, but your quotes of the files in your first message.... > > Do the begin with "--" or "allow/deny"? That is: are there 4 fields in > > the file, separated by , or five (I think the lint would caatch > > this, so ... probably nothing...:-). > > > Hi Gleen, Go easy on the "e"s;-) > unfortunately, the file is correct, I added the -- for ident on the mail > only, but it look like a field. > Also as you said this error (and even the lost TAB) are catched by the > --lint option. Yeah, wouldn't it be nice if it was some easy typo... To much to hope for, I guess:-). > > Also, you should pay extra attention to whether it is finame or > > filetype rules kicking in (in the logs... Perhaps you have MailWatch? > > Makes things ... easier to see:-). > > Uhm, I don't have Mailwatch installed, but in the log i can't see the > rules involved. I had to activate some flag, or there are special logs ? > The rules appear to be correct when i tested via the "MailScanner > --value=filenamerules ...." No, nothing special, MailWatch just highlight things and make them obvious (like when you thing you have one envelope sender, and in reality you don't... you have some other...)... In that vein, did you do the tests by telnet (so that you have complete control of the SMTP conversation) or ... some other thing? Perhaps there is some other rule,like a whitelist for the local host or domain, kicking in _before_ the rule you try out? If you supply a --ip=... 
you can test that too...
Would be great if this was something easily explicable... I'm running
out of ideas:-).

> > I always try to make filenames and filetypes functionally equivalent:).
> > Paying attention to one's logs is never wrong anyway, so ... you
> > wouldn't have any log snippets to look at, for a relevant test run?
> >
> > When you send these messages, or indeed any messages sent to you, if
> > the mail has more recipients than one... then the rules applicable to
> > the first recipient will "win" for all of them... So you might need
> > split messages/recipient (look in the wiki how to do this... At least
> > Postfix and Sendmail can do this for you), to be sure what rules will
> > trigger for a specific message/recipient combination.
>
> Good point, but in my test I'm the only recipient

Hm, another good pint down the drain:-).

> > Cheers
>
> Grazie (Thank you)
>

Thank me when we get to the bottom of this...:-).
I wonder if the file isn't a bit suspect anyway... If you change it to
deny/\..*$/--
... does that make a difference? If you make some specific deny rules?
And perhaps some "specific but the other way around" in the default
file?
We're missing something here....:)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Jul 4 23:25:03 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jul 4 23:25:04 2007 Subject: Ping In-Reply-To: <468BF440.9000009@ecs.soton.ac.uk> References: <200707041913.l64JD1D1013544@safir.blacknight.ie> <468BF2B3.9000603@slackadelic.com> <468BF440.9000009@ecs.soton.ac.uk> Message-ID: <223f97700707041525t21a3ef46h19854aab47bb06b9@mail.gmail.com> On 04/07/07, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Matt Hayes wrote: > > Jules wrote: > >> Not at all sure the list is working, so I'm doing this one by hand. > > > > It's working Jules. > Phew. We went over 3 hours without a single posting, that's almost > unheard of :-) I'm doing something Hugo wouldn't approve of (but you would, I know, since it's a nice red:-)... And I'm on vacation, al right... :-D In just 2 and 1/2 weeks all will be back to the normal noise level....:-):-) Seriously though.... If it's quiet... either more people than me are vacationing, or there are very few problems right now;). > > > > -Matt > > > > > > Jules > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Jul 4 23:33:47 2007 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jul 4 23:33:50 2007
Subject: Postfix Address Verification
In-Reply-To: <468C1453.8050102@rheelweb.co.nz>
References: <6a5b3338ddca144790b0da740700adfc@solidstatelogic.com> <468C1453.8050102@rheelweb.co.nz>
Message-ID: <223f97700707041533v35800e35of42185fbf62573af@mail.gmail.com>

On 04/07/07, Seamus Allan wrote:
> That's where I originally started ;)
> Cheers though
>

Thing is, I'm still not too clear on which postfix is telling you
this.... "external" or "internal"... Am slightly "muddled" ATM, but
... do both recognize that they are to handle that particular
domain? And its users? How did you set the verification up on both of
them?
I might be completely "muddled", so please set me straight:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From root at doctor.nl2k.ab.ca Thu Jul 5 01:45:27 2007
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Thu Jul 5 01:46:37 2007 Subject: MailScanner ANNOUNCE: Re: Vulnerability in Net::DNS In-Reply-To: <468BC257.5000201@ecs.soton.ac.uk> References: <468BB75C.9000506@USherbrooke.ca> <468BC257.5000201@ecs.soton.ac.uk> Message-ID: <20070705004527.GA1587@doctor.nl2k.ab.ca> On Wed, Jul 04, 2007 at 04:52:55PM +0100, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I have just updated my ClamAV+SpamAssassin package on > www.mailscanner.info to solve this vulnerability. > I would advise everyone to download and install the new version of this > package. > > Denis Beauchemin wrote: > > Hello all, > > > > I just read this: > > > > 07.27.36 CVE: CVE-2007-3377, CVE-2007-3409 > > Platform: Cross Platform > > Title: Perl Net::DNS Remote Multiple Vulnerabilities > > Description: The Perl Net::DNS module allows scripts written in Perl > > to perform DNS queries. The application is exposed to multiple issues. > > Perl Net::DNS module versions prior to 0.60. are affected. > > Ref: http://www.securityfocus.com/bid/24669 > > > > > > I just upgraded to 0.60, reloaded MS and everything is working fine. > > > > Denis > > > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! 
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > Comment: (pgp-secured) > Charset: UTF-8 > > wj8DBQFGi8JXEfZZRxQVtlQRAs/VAKCPeEtCTHQsW1+9VnHM5MRhQxA90gCeK/Id > zgKXq0MJu2yIDQ3Wn5Gy7mc= > =0BSq > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Thank goodness for cpan as well. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at vivekmittal.org Thu Jul 5 03:08:06 2007 
From: mailscanner at vivekmittal.org (Vivek Mittal) Date: Thu Jul 5 03:08:08 2007 Subject: Whitelist issue In-Reply-To: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> Message-ID: <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> Sorry, if some people receive this twice. I sent this yesterday and have not seen it show up in the list yet. ------------Previous message----------------- Hi, We have been using MailScanner for about 6 months now and it is working really well. We have seen that 70% of our incoming mail is spam and of that, 80% is classed as High Spam, so it is helping us filtering a large part of our mail. In the last six months, we have noticed that even the mail classed as Low Spam is 99.99% spam. The 0.01% that is not spam is due to documents scanned and emailed from our printer. We have tried to whitelist the address, but it does not work. I hope someone can help in determining the cause. My spam.whitelist.rules file contains the following entries From: *@*.abc.com yes 
From: *@*.xyz.com.au yes where xyz.com.au is our firm. Now, emails from abc.com are whitelisted, but emails from our printer (printer@xyz.com.au) are not. Below is a sample header as stored in the Mailscanner archives (with some stuff modified) V8 T1170549349 K0 N0 P170442 Fbs $_mx05.syd.isp.net.au [210.41.30.235] $rESMTP $smx05.syd.isp.net.au ${daemon_flags} ${if_addr}10.1.10.10 S<> rRFC822; vivek@xyz.com.au RPFD: H?P?Return-Path: <~Ag> H??Received: from mx05.syd.isp.net.au (mx05.syd.isp.net.au [210.41.30.235]) by ap.xyz.com.au (8.13.4/8.13.4) with ESMTP id l140Znb5009886 for ; Sun, 4 Feb 2007 11:35:49 +1100 H?D?Date: Sun, 4 Feb 2007 11:35:49 +1100 H??Received: from 114.090.dsl.mel.isp.net.au ([211.26.244.114]) by mx05.syd.isp.net.au with SMTP; 04 Feb 2007 11:34:12 +1100 H??X-IronPort-AV: i="4.13,277,1167570000"; d="pdf'?scan'208"; a="29083045:sNHT433197450" H??From: "XYZ PTY LTD" H??To: H??Subject: 2feb H??Message-ID: <24331418> H??MIME-Version: 1.0 H??Content-Type: multipart/mixed; boundary="__59453boundry__" When looking at the source of the delivered message, you can see X_XYZ_MAILSCANNER_INFORMATION='Please contact the ISP for more information',X_XYZ_MAILSCANNER='Found to be clean',X_XYZ_MAILSCANNER_SPAMCHECK='spam, SpamAssassin (not cached,\tscore=7.37, required 6, AWL -0.09, HELO_DYNAMIC_HCC 3.28,\tINVALID_MSGID 1.71, MSGID_SHORT 2.46), X_XYZ_MAILSCANNER_SPAMSCORE='7',X_XYZ_MAILSCANNER_FROM='',X_SPAM_STATUS='Yes' When comparing the header with email froms abc.com, they just say X_XYZ_MAILSCANNER_SPAMCHECK='not spam (whitelisted),\tSpamAssassin (not cached, score=-2.454, required 6,\tautolearn=not spam, ADVANCE_FEE_1 0.00, ALL_TRUSTED -1.44, AWL -1.15,\tHTML_MESSAGE 0.00, MPART_ALT_DIFF 0.14) So there must either be something wrong with my whitelists file or something that is completely non-obvious to me. I searched for others with similar problems and the only one that I found was to change From: *@xyz.com.au yes to 
From: *@*.xyz.com.au yes but that has not worked either. I hope someone can help. Regards, Vivek From seamus at rheelweb.co.nz Thu Jul 5 04:17:05 2007 
From: seamus at rheelweb.co.nz (Seamus Allan) Date: Thu Jul 5 04:17:11 2007 Subject: Postfix Address Verification In-Reply-To: <223f97700707041533v35800e35of42185fbf62573af@mail.gmail.com> References: <6a5b3338ddca144790b0da740700adfc@solidstatelogic.com> <468C1453.8050102@rheelweb.co.nz> <223f97700707041533v35800e35of42185fbf62573af@mail.gmail.com> Message-ID: <468C62B1.3090606@rheelweb.co.nz> Mail from the internet hits the "Gateway" machine with MailScanner and postfix. The clean mail is then forwarded to the "Hub" machine, running windows and Mail Enable Enterprise. What was happening is that bulk mailers were targeting abcd@domain.com, and a bunch of this was getting through the Gateway as all it knew about was the domains that it was allowed to forward, and where to send them (transport map pointing to the Hub machine). The Hub machine was replying 550 mailbox does not exist, and so the Gateway was trying to send bounce messages back to a non existent mailbox where the spam originated from. So, as per documentation (on the MailScanner docs, Postfix website), I set up verification on the Gatekeeper machine, such that when a mail comes in, postfix looks in the transport map, then queries the Hub machine as to whether the mailbox exists or now. Then the Gateway machine can reject the mail "at the door" (solving bandwidth, load and bounce issues). This worked pretty much OK, until I realised that mail was not being delivered for some (a lot as it turned out) of domains. A look in the maillog was showing that mail to these domains was being rejected by the Gatekeeper (presumably the verification mechanism) with a 400 error of Domain Not Found (as in previous log entries that have been posted). I suspected at first that the Hub machine was blocking access, but nothing in the logs indicate this (on either machines). So I'm a bit lost Hope this helps someone help me, Cheers Seamus >> > Thing is, I'm still not too clear on which postfix is telling you > this.... 
"external" or "internal"... Am slightly "muddled" ATM, but > ... does both recognize that they are to handle that particular > domain? And it's users? How did you set the verification up on both of > them? > I might be completely "muddled", so please set me straight:-) > > Cheers From ram at netcore.co.in Thu Jul 5 06:47:58 2007 From: ram at netcore.co.in (ram) Date: Thu Jul 5 06:48:13 2007 Subject: Whitelist issue In-Reply-To: <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> Message-ID: <1183614478.7215.32.camel@localhost.localdomain> On Thu, 2007-07-05 at 12:08 +1000, Vivek Mittal wrote: > Sorry, if some people receive this twice. I sent this yesterday and > have not seen it show up in the list yet. > > ------------Previous message----------------- > > Hi, > > We have been using MailScanner for about 6 months now and it is > working really well. We have seen that 70% of our incoming mail is > spam and of that, 80% is classed as High Spam, so it is helping us > filtering a large part of our mail. > > In the last six months, we have noticed that even the mail classed as > Low Spam is 99.99% spam. The 0.01% that is not spam is due to > documents scanned and emailed from our printer. We have tried to > whitelist the address, but it does not work. I hope someone can help > in determining the cause. > > My spam.whitelist.rules file contains the following entries > > From: *@*.abc.com yes 
> From: *@*.xyz.com.au yes
>
> where xyz.com.au is our firm. Now, emails from abc.com are
> whitelisted, but emails from our printer (printer@xyz.com.au) are not.
> Below is a sample header as stored in the Mailscanner archives (with
> some stuff modified)
>

As a general practice you should not whitelist your own domain. Unless
you have ways of preventing people forging your domain at the MTA ( like
SPF )

Do you have in MailScanner.conf
---
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
---
Is whitelisting intermittently failing or failing every time?

Thanks
Ram

From R.Sterenborg at netsourcing.nl Thu Jul 5 07:34:24 2007
From: R.Sterenborg at netsourcing.nl (Rob Sterenborg)
Date: Thu Jul 5 07:35:10 2007
Subject: Postfix Address Verification
In-Reply-To: <468C62B1.3090606@rheelweb.co.nz>
References: <6a5b3338ddca144790b0da740700adfc@solidstatelogic.com> <468C1453.8050102@rheelweb.co.nz><223f97700707041533v35800e35of42185fbf62573af@mail.gmail.com> <468C62B1.3090606@rheelweb.co.nz>
Message-ID: <74ACEB3E6A055643A89B8CEC74C7BF2488E0BE@WISENT.dcyb.net>

> Mail from the internet hits the "Gateway" machine with
> MailScanner and postfix. The clean mail is then forwarded to the
> "Hub" machine, running windows and Mail Enable Enterprise.

[...]

> So, as per documentation (on the MailScanner docs, Postfix
> website), I set up verification on the Gatekeeper machine, such
> that when a mail comes in, postfix looks in the transport map,

I didn't see this in the doc, so I'm not sure if you did this..

If your Postfix is a relay for your Windows mailserver, Postfix *must*
know which domains to relay for. Typically, you configure Postfix for
this using the relay_domains parameter which holds either all relay
domains or points to a file/db that holds the relay domains.
relay_domains should *only* contain relay domains, and mydestination
should -of course- *not* contain any relay domains.
See: man 5 postconf.

> then queries the Hub machine as to whether the mailbox exists or
> not. Then the Gateway machine can reject the mail "at the door"
> (solving bandwidth, load and bounce issues).

Personally, I think you shouldn't bother your Windows mailserver with
address verification.
I know nothing of Mail Enable Enterprise, but perhaps you can, like with
Exchange, export a list of all known email addresses using some script
(perhaps LDAP?), reformat this list into something postmap can use to
create the hash file or put it in a database, and configure Postfix to
query that list/db using relay_recipient_maps.

That way you may not have all email addresses at any given time but if
generating the email address list isn't generating too much load you can
schedule the script to run more frequently so you won't run far behind.
This all depends on your needs however.
The positive side on this is that when you get flooded with email, at
least the Windows servers don't get DOS-ed with verification requests so
your corporate/internal email doesn't suffer from it.

Grts,
Rob

From minduni at ti-edu.ch Thu Jul 5 09:33:51 2007
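Rob Sterenborg's suggestion in the message above (export the known addresses, reformat them for postmap, point relay_recipient_maps at the result), worked through as an added example that is not code from the thread. It assumes an LDIF export with `mail:` and `proxyAddresses: smtp:` attributes; the file paths, the example.com/example.org domains and the 50% shrink guard are also assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): turn a directory export into the
# lookup table behind Postfix's relay_recipient_maps.
# Assumed: LDIF input, the paths below, example.com/example.org, the 50% guard.
#
# Gateway main.cf (parameter names as used in the thread):
#   relay_domains        = example.com, example.org
#   relay_recipient_maps = hash:/etc/postfix/relay_recipients

# Constructed sample export, used only to demonstrate the parser.
sample_ldif() {
    cat <<'EOF'
dn: cn=Alice,ou=Staff,dc=example,dc=com
mail: Alice@Example.com
proxyAddresses: SMTP:alice@example.com
proxyAddresses: smtp:sales@example.com
proxyAddresses: X400:c=US;a= ;p=Example

dn: cn=Bob,ou=Staff,dc=example,dc=com
mail: bob@example.org

dn: cn=Carol,ou=Contacts,dc=example,dc=com
mail: carol@partner.invalid
mail: broken address@example.com
EOF
}

# build_relay_recipients DOMAIN... < export.ldif
# Prints "address OK" lines (postmap source format): lowercased, de-duplicated
# and restricted to the relay domains given as arguments, so the gateway never
# accepts a recipient in a domain it does not relay for.
build_relay_recipients() {
    domains=" $(printf '%s ' "$@" | tr 'A-Z' 'a-z')"
    awk -v domains="$domains" '
        BEGIN { n = split(domains, d, " "); for (i = 1; i <= n; i++) ok[d[i]] = 1 }
        {
            sub(/\r$/, "")                      # tolerate CRLF exports
            line = tolower($0)
            if (sub(/^mail:[ \t]*/, "", line) ||
                sub(/^proxyaddresses:[ \t]*smtp:/, "", line))
                addr = line
            else
                next
            sub(/[ \t]+$/, "", addr)
            # exactly one "@", no embedded whitespace
            if (addr !~ /^[^@ \t]+@[^@ \t]+$/) next
            dom = addr
            sub(/^.*@/, "", dom)
            if (dom in ok) print addr " OK"
        }' | sort -u
}

# safe_to_install OLD NEW
# Succeeds only if NEW is non-empty and has not shrunk below half of OLD.
# A failed or truncated export would otherwise make the gateway reject mail
# for every valid mailbox missing from the new table.
safe_to_install() {
    [ -f "$2" ] || return 1
    old=0
    [ -f "$1" ] && old=$(grep -c . "$1" || true)
    new=$(grep -c . "$2" || true)
    [ "$new" -gt 0 ] || return 1
    [ $((new * 2)) -ge "$old" ]
}

# refresh_relay_recipients LDIF MAPFILE DOMAIN...
# Rebuilds MAPFILE from LDIF and runs postmap only when the guard passes.
# Typical scheduled call (paths are assumptions):
#   refresh_relay_recipients /var/tmp/export.ldif \
#       /etc/postfix/relay_recipients example.com example.org
refresh_relay_recipients() {
    ldif=$1; map=$2; shift 2
    tmp=$(mktemp) || return 1
    build_relay_recipients "$@" < "$ldif" > "$tmp"
    if safe_to_install "$map" "$tmp"; then
        cat "$tmp" > "$map" && rm -f "$tmp" && postmap "hash:$map"
    else
        echo "refusing to install suspicious recipient list, kept at $tmp" >&2
        return 1
    fi
}
```
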
From: minduni at ti-edu.ch (Marco Induni) Date: Thu Jul 5 09:33:53 2007 Subject: Filename rule question In-Reply-To: <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> Message-ID: <468CACEF.30202@ti-edu.ch> Glenn Steen wrote: > On 04/07/07, Marco Induni wrote: > (snip) >> Hi Gleen, Sorry, for the mistake :-( > Go easy on the "e"s;-) >> unfortunately, the file is correct, I added the -- for ident on the mail >> only, but it look like a field. >> Also as you said this error (and even the lost TAB) are catched by the >> --lint option. > > Yeah, wouldn't it be nice if it was some easy typo... To much to hope > for, I guess:-). > >> > Also, you should pay extra attention to whether it is finame or >> > filetype rules kicking in (in the logs... Perhaps you have MailWatch? >> > Makes things ... easier to see:-). >> >> Uhm, I don't have Mailwatch installed, but in the log i can't see the >> rules involved. I had to activate some flag, or there are special logs ? >> The rules appear to be correct when i tested via the "MailScanner >> --value=filenamerules ...." > > No, nothing special, MailWatch just highlight things and make them > obvious (like when you thing you have one envelope sender, and in > reality you don't... you have some other...)... In that vein, did you > do the tests by telnet (so that you have complete control of the SMTP > conversation) or ... some other thing? > Perhaps there is some other rule,like a whitelist for the local host > or domain, kicking in _before_ the rule you try out? If you supply a > --ip=... you can test that too... > Would be great if this was something eaily explicable... I'm running > out of ideas:-). 
Also tried with ip, and from different "external" account as gmail,... Nope > >> >> > I always try to make filenames and filetypes functionally equivalent:). >> > Paying attention to ones logs is never wrong anyway, so ... you >> > wouldn't have any log snippets to look at, for a relevant test run? >> > >> > When you send these messages, or indeed any messages sent to you, if >> > the mail has more recipients than one... then the rules applicable to >> > the first recipient will "win" for all of them... So you might need >> > split messages/recipient (look in the wiki how to do this... At least >> > Postfix and Sendmail can do this for you), to be sure what rules will >> > trigger for a specific message/recipient combination. >> >> Good point, but in my test I'm the only recipient > Hm, another good pint down the drain:-). > >> > >> > Cheers >> >> Grazie (Thank you) >> > Thank me when we get to the bottom of this...:-). > I wonder if the file isn't a bit suspect anyway... If you change it to > deny/\..*$/-- > ... does that make a difference? If you make some specific deny rules? > And perhaps some "specific but the other way around" in the default > file? > We're missing something here....:) > > Cheers Also tried to use the sample rule filename.rules.conf directly setting the "Filename Rules = %etc-dir%/filename.rules.conf, but nothing. At the end I made one of the two mailgateway reacheble just for me, and set the Mailscanner in debug mode. This the output when a send an email: >>>>> Ignore errors about failing to find EOCD signature format error: file is too short at /usr/sbin/MailScanner line 832 Stopping now as you are debugging me. >>>>> At the line 832 seems to be the attachment extraction 831 $0 = 'MailScanner: extracting attachments'; 832 $batch->Explode(); Could be that for some reason this step fail, and then all the rules tied to the file attachemnet are skipped ? 
In case i'm using - Mailscanner 4.61.7 - Red Hat Enterprise Linux AS release 3 (Taroon Update 9) - Linux 2.4.21-50.EL - Perl 5.8.0 - Spamassassin 3.1.9 Hope this could be an hint Cheers marco -- Marco Induni Universita` della Svizzera italiana Servizi informatici / TI-EDU Galleria 2 CH-6928 Manno (Switzerland) E-mail: minduni@ti-edu.ch Tel: +41 58 666 6656 Fax: +41 58 666 6650 From glenn.steen at gmail.com Thu Jul 5 10:55:03 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jul 5 10:55:05 2007 Subject: Whitelist issue In-Reply-To: <1183614478.7215.32.camel@localhost.localdomain> References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain> Message-ID: <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> Cc ram, whitelisting ones own should be done by way of IP address. Be specific for the printer, or your network. On 05/07/07, ram wrote: > On Thu, 2007-07-05 at 12:08 +1000, Vivek Mittal wrote: > > Sorry, if some people receive this twice. I sent this yesterday and > > have not seen it show up in the list yet. > > > > ------------Previous message----------------- > > > > Hi, > > > > We have been using MailScanner for about 6 months now and it is > > working really well. We have seen that 70% of our incoming mail is > > spam and of that, 80% is classed as High Spam, so it is helping us > > filtering a large part of our mail. > > > > In the last six months, we have noticed that even the mail classed as > > Low Spam is 99.99% spam. The 0.01% that is not spam is due to > > documents scanned and emailed from our printer. We have tried to > > whitelist the address, but it does not work. I hope someone can help > > in determining the cause. > > > > My spam.whitelist.rules file contains the following entries > > > > From: *@*.abc.com yes 
> > From: *@*.xyz.com.au yes > > > > where xyz.com.au is our firm. Now, emails from abc.com are > > whitelisted, but emails from our printer (printer@xyz.com.au) are not. > > Below is a sample header as stored in the Mailscanner archives (with > > some stuff modified) > > > > As a gerenral practice you should not whitelist your own domain. Unless > you have ways of preventing people forging your domain at the MTA ( like > SPF ) > > Do you have in MailScanner.conf > --- > Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules > --- > Is whitelisting intermittently failing or failing every time? > > Thanks > Ram > > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From res at ausics.net Thu Jul 5 11:15:17 2007 
From: res at ausics.net (Res) Date: Thu Jul 5 11:15:27 2007 Subject: Whitelist issue In-Reply-To: <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain> <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message On Thu, 5 Jul 2007, Glenn Steen wrote: > Cc ram, whitelisting ones own should be done by way of IP address. Be > specific for the printer, or your network. Furthermore, to be a good netizen, the whitelist should be from your IP range TO your domain, and scan from your users to everyone else. Everybody who blanket whitelists their own users only passes the problem on to the recipient networks and contribute to the world wide spam problem rather than be part of its elimination. -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGjMS1sWhAmSIQh7MRArAZAKCPjgaoN50BMXkRa1QlpZONW6/sdACdGmnM noZbwxaMQfr6Zh+Sh+vIMEk= =1dlR -----END PGP SIGNATURE----- From glenn.steen at gmail.com Thu Jul 5 11:44:24 2007 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Jul 5 11:44:26 2007
Subject: Whitelist issue
In-Reply-To:
References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain> <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com>
Message-ID: <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com>

On 05/07/07, Res wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> NotDashEscaped: You need GnuPG to verify this message
>
> On Thu, 5 Jul 2007, Glenn Steen wrote:
>
> > Cc ram, whitelisting ones own should be done by way of IP address. Be
> > specific for the printer, or your network.
>
> Furthermore, to be a good netizen, the whitelist should be from your IP
> range TO your domain, and scan from your users to everyone else.
>
> Everybody who blanket whitelists their own users only passes the problem
> on to the recipient networks and contribute to the world wide spam problem
> rather than be part of its elimination.
>
>

Oh yes, Noel, quite correct (as mostly.... still saving up for those
postmix "doubts", you rendmauling evil bunny;-)...
One can always justify this by the benefit to one's own domain(s)... It
only takes one rogue that you W/L to get you (rightly) listed...:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Jul 5 11:49:37 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jul 5 11:49:40 2007 Subject: Filename rule question In-Reply-To: <468CACEF.30202@ti-edu.ch> References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> <468CACEF.30202@ti-edu.ch> Message-ID: <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> On 05/07/07, Marco Induni wrote: (snip) > Also tried to use the sample rule filename.rules.conf directly setting > the "Filename Rules = %etc-dir%/filename.rules.conf, but nothing. > > At the end I made one of the two mailgateway reacheble just for me, and > set the Mailscanner in debug mode. > This the output when a send an email: > > >>>>> > Ignore errors about failing to find EOCD signature > format error: file is too short > at /usr/sbin/MailScanner line 832 > Stopping now as you are debugging me. > >>>>> > > At the line 832 seems to be the attachment extraction > > 831 $0 = 'MailScanner: extracting attachments'; > 832 $batch->Explode(); Normally you'd see the EOCD error from that line, which is safe to ignore.... This though, I've mostly seen when the attachments really have been damaged (bad MIME)... You don't have any "pre-filters" that could confuse things, do you? > Could be that for some reason this step fail, and then all the rules > tied to the file attachemnet are skipped ? > > In case i'm using > > - Mailscanner 4.61.7 > - Red Hat Enterprise Linux AS release 3 (Taroon Update 9) > - Linux 2.4.21-50.EL > - Perl 5.8.0 > - Spamassassin 3.1.9 Could you give a "MailScanner -V" too? Just in case you have a bum perl module or so:-). 
> > Hope this could be an hint > > Cheers > marco > > > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Jul 5 11:51:39 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jul 5 11:51:42 2007 Subject: Postfix Address Verification In-Reply-To: <74ACEB3E6A055643A89B8CEC74C7BF2488E0BE@WISENT.dcyb.net> References: <6a5b3338ddca144790b0da740700adfc@solidstatelogic.com> <468C1453.8050102@rheelweb.co.nz> <223f97700707041533v35800e35of42185fbf62573af@mail.gmail.com> <468C62B1.3090606@rheelweb.co.nz> <74ACEB3E6A055643A89B8CEC74C7BF2488E0BE@WISENT.dcyb.net> Message-ID: <223f97700707050351t47635e2bx92642bc19f4e1d0f@mail.gmail.com> On 05/07/07, Rob Sterenborg wrote: > > Mail from the internet hits the "Gateway" machine with > > MailScanner and postfix. The clean mail is then forwarded to the > > "Hub" machine, running windows and Mail Enable Enterprise. > > [...] > > > So, as per documentation (on the MailScanner docs, Postfix > > website), I set up verification on the Gatekeeper machine, such > > that when a mail comes in, postfix looks in the transport map, > > I didn't see this in the doc, so I'm not sure if you did this.. > > If your Postfix is a relay for your Windows mailserver, Postfix *must* > know which domains to relay for. Typically, you configure Postfix for > this using the relay_domains parameter which holds either all relay > domains or points to a file/db that holds the relay domains. > relay_domains should *only* contain relay domains, and mydestination > should -of course- *not* contain any relay domains. > See: man 5 postconf. > > > then queries the Hub machine as to whether the mailbox exists or > > now. Then the Gateway machine can reject the mail "at the door" > > (solving bandwidth, load and bounce issues). > > Personally, I think you shouldn't bother your Windows mailserver with > address verification. 
> I know nothing of Mail Enable Enterprise, but perhaps you can, like with > Exchange, export a list of all know email addresses using some script > (perhaps LDAP?), reformat this list into something postmap can use to > create the hash file or put it in a database, and configure Postfix to > query that list/db using relay_recipient_maps. > > That way you may not have all email addresses at any given time but if > generating the email address list isn't generating too much load you can > schedule the script to run more frequently so you won't run far behind. > This all depends on your needs however. > The positive side on this is that when you get flooded with email, at > least the Windows servers don't get DOS-ed with verification requests so > your corporate/internal email doesn't suffer from it. > > > Grts, > Rob Thanks Rob for chipping in.... this was exactly what I was leaning towards, both the doubt about the relay_domains and the suggestion to offload the work to PF itself. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From uxbod at splatnix.net Thu Jul 5 11:55:27 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Thu Jul 5 11:55:52 2007 Subject: Postfix Address Verification In-Reply-To: <223f97700707050351t47635e2bx92642bc19f4e1d0f@mail.gmail.com> References: <223f97700707050351t47635e2bx92642bc19f4e1d0f@mail.gmail.com> Message-ID: <39cfb74fe9648f00fc2e7054d4fbe547@62.49.223.244> I do the same for a client who runs Lotus Notes. Hourly dump from LDAP of all users email addresses and then postmap it. We have cut down email to the internal Notes servers from ?150k per day to 5k, through a combination of PF and MailScanner. On Thu, 5 Jul 2007 12:51:39 +0200, "Glenn Steen" wrote: > On 05/07/07, Rob Sterenborg wrote: >> > Mail from the internet hits the "Gateway" machine with >> > MailScanner and postfix. The clean mail is then forwarded to the >> > "Hub" machine, running windows and Mail Enable Enterprise. >> >> [...] >> >> > So, as per documentation (on the MailScanner docs, Postfix >> > website), I set up verification on the Gatekeeper machine, such >> > that when a mail comes in, postfix looks in the transport map, >> >> I didn't see this in the doc, so I'm not sure if you did this.. >> >> If your Postfix is a relay for your Windows mailserver, Postfix *must* >> know which domains to relay for. Typically, you configure Postfix for >> this using the relay_domains parameter which holds either all relay >> domains or points to a file/db that holds the relay domains. >> relay_domains should *only* contain relay domains, and mydestination >> should -of course- *not* contain any relay domains. >> See: man 5 postconf. >> >> > then queries the Hub machine as to whether the mailbox exists or >> > now. Then the Gateway machine can reject the mail "at the door" >> > (solving bandwidth, load and bounce issues). >> >> Personally, I think you shouldn't bother your Windows mailserver with >> address verification. 
>> I know nothing of Mail Enable Enterprise, but perhaps you can, like with >> Exchange, export a list of all know email addresses using some script >> (perhaps LDAP?), reformat this list into something postmap can use to >> create the hash file or put it in a database, and configure Postfix to >> query that list/db using relay_recipient_maps. >> >> That way you may not have all email addresses at any given time but if >> generating the email address list isn't generating too much load you can >> schedule the script to run more frequently so you won't run far behind. >> This all depends on your needs however. >> The positive side on this is that when you get flooded with email, at >> least the Windows servers don't get DOS-ed with verification requests so >> your corporate/internal email doesn't suffer from it. >> >> >> Grts, >> Rob > > Thanks Rob for chipping in.... this was exactly what I was leaning > towards, both the doubt about the relay_domains and the suggestion to > offload the work to PF itself. > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. -- --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Thu Jul 5 12:06:36 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jul 5 12:06:38 2007 Subject: Postfix Address Verification In-Reply-To: <39cfb74fe9648f00fc2e7054d4fbe547@62.49.223.244> References: <223f97700707050351t47635e2bx92642bc19f4e1d0f@mail.gmail.com> <39cfb74fe9648f00fc2e7054d4fbe547@62.49.223.244> Message-ID: <223f97700707050406q1b118b42o1d96f6cb3024ac57@mail.gmail.com> On 05/07/07, --[ UxBoD ]-- wrote: > I do the same for a client who runs Lotus Notes. Hourly dump from LDAP of > all users email addresses and then postmap it. We have cut down email to > the internal Notes servers from ?150k per day to 5k, through a combination > of PF and MailScanner. > Yeah Phil, I do that myself too, although I dump (a not that big) AD every 15 minutes, so that I don't have to rely on the M-Sexchange admin to do the right thing... Saves me job as well as him:-). In my case I only reduce total volume (by that particular measure) by about 25% though... Total rejected fluctuating between 35 - 50%... Call me lucky:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mailscanner at vivekmittal.org Thu Jul 5 12:08:40 2007 
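The export-and-postmap routine described in this thread, as an added sketch that is not code from any of the posters: it turns an LDAP dump (LDIF) into a table for `relay_recipient_maps`, keeps only addresses in the relayed domains, and refuses to publish a table that is empty or has shrunk sharply, since a truncated dump would make the gateway reject valid recipients. The attribute names (`mail`, `proxyAddresses`), the file path, the sample domain and the 50% threshold are assumptions.

```python
import base64
import re

# Constructed LDAP export (LDIF); the names and domains are not from the thread.
SAMPLE_LDIF = """\
dn: cn=Alice,ou=Staff,dc=example,dc=com
mail: Alice@Example.com
proxyAddresses: SMTP:alice@example.com
proxyAddresses: smtp:a.liddell@example.com
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Liddell

dn: cn=Bob,ou=Staff,dc=example,dc=com
mail:: Ym9iQGV4YW1wbGUuY29t

dn: cn=Partner,ou=Contacts,dc=example,dc=com
mail: partner@elsewhere.example
"""

ADDRESS_RE = re.compile(r"^[^@\s]+@[a-z0-9.-]+$")


def unfold(ldif_text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def extract_addresses(ldif_text, relay_domains):
    """Return the sorted, de-duplicated SMTP addresses in the relayed domains."""
    domains = {d.lower() for d in relay_domains}
    found = set()
    for line in unfold(ldif_text):
        attr, sep, value = line.partition(":")
        attr = attr.lower()
        if not sep or attr not in ("mail", "proxyaddresses"):
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        value = value.strip()
        if attr == "proxyaddresses":
            scheme, _, rest = value.partition(":")
            if scheme.lower() != "smtp":  # skip X400 and other address types
                continue
            value = rest
        value = value.lower()  # lookup keys are written in lower case
        if ADDRESS_RE.match(value) and value.rsplit("@", 1)[1] in domains:
            found.add(value)
    return sorted(found)


def render_table(addresses):
    """postmap input: one 'address<TAB>OK' line per valid recipient."""
    return "".join(f"{addr}\tOK\n" for addr in addresses)


def safe_to_publish(new_addresses, previous_count, max_shrink=0.5):
    """Reject an empty table, or one that lost more than half its entries."""
    if not new_addresses:
        return False
    if previous_count and len(new_addresses) < previous_count * max_shrink:
        return False
    return True


# Assumed deployment, outside this script:
#   main.cf:  relay_recipient_maps = hash:/etc/postfix/relay_recipients
#   after writing the file:  postmap /etc/postfix/relay_recipients
if __name__ == "__main__":
    addrs = extract_addresses(SAMPLE_LDIF, ["example.com"])
    if safe_to_publish(addrs, previous_count=3):
        print(render_table(addrs), end="")
    else:
        print("export looks truncated; keeping the previous table")
```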
From: mailscanner at vivekmittal.org (Vivek Mittal) Date: Thu Jul 5 12:08:42 2007 Subject: Whitelist issue In-Reply-To: <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com> References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain> <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com> Message-ID: <733d6ede0707050408p3daaa5abyef8d008250cba45@mail.gmail.com> This is going a bit off-topic from getting whitelisting to work in the first place. However, I am interested in know more about how whitelisting your own domain can get you listed. The way we are using MailScanner is to scan all incoming email. I have set up our mail server to accept emails to our domain only and not to relay anything else. I'm pretty sure that our server is not an open relay. So how does whitelisting the domain affect this? On 7/5/07, Glenn Steen wrote: > On 05/07/07, Res wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > NotDashEscaped: You need GnuPG to verify this message > > > > On Thu, 5 Jul 2007, Glenn Steen wrote: > > > > > Cc ram, whitelisting ones own should be done by way of IP address. Be > > > specific for the printer, or your network. > > > > Furthermore, to be a good netizen, the whitelist should be from your IP > > range TO your domain, and scan from your users to everyone else. > > > > Everybody who blanket whitelists their own users only passes the problem > > on to the recipient networks and contribute to the world wide spam problem > > rather than be part of its elimination. > > > > > Oh yes, Noel, quite correct (as mostly.... still saving up for those > postmix "doubts", you rendmauling evil bunny;-)... One can always > justify this by the benefit to ones own domain(s)... 
It only takes one
> rogue that you W/L to get you (rightly) listed...:-)
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
>
From jayesha_shinde at yahoo.com Thu Jul 5 12:41:36 2007
From: jayesha_shinde at yahoo.com (jayesh shinde)
Date: Thu Jul 5 12:41:38 2007
Subject: filename extension problem
Message-ID: <644743.83240.qm@web54403.mail.yahoo.com>

Dear All,

I have one query. I am using MailScanner version 4.34.8 on FC2 with sendmail. Some of my users are sending their email with attachments that have double or multiple extensions (e.g. my.com.location.doc).
When it goes through MailScanner for attachment scanning, it gives me the following error:

#####
At Fri Jun 29 18:00:56 2007 the virus scanner said:
MailScanner: Attempt to hide real filename extension (my.com.location.doc)
######

My queries are:
1) Is there any way to bypass such multiple-extension mail through MailScanner? If yes, then where should I define this ruleset, and how do I write this rule for a single user?
2) If I bypass such multiple-extension attachments, will it affect the blocked extension list (defined under /etc/MailScanner/filename.rules.conf)?

Thanks & Regards
Jayesh Shinde
From minduni at ti-edu.ch Thu Jul 5 12:55:15 2007
From: minduni at ti-edu.ch (Marco Induni) Date: Thu Jul 5 12:55:18 2007 Subject: Filename rule question In-Reply-To: <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> <468CACEF.30202@ti-edu.ch> <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> Message-ID: <468CDC23.7000500@ti-edu.ch> Glenn Steen wrote: > On 05/07/07, Marco Induni wrote: > (snip) >> Also tried to use the sample rule filename.rules.conf directly setting >> the "Filename Rules = %etc-dir%/filename.rules.conf, but nothing. >> >> At the end I made one of the two mailgateway reacheble just for me, and >> set the Mailscanner in debug mode. >> This the output when a send an email: >> >> >>>>> >> Ignore errors about failing to find EOCD signature >> format error: file is too short >> at /usr/sbin/MailScanner line 832 >> Stopping now as you are debugging me. >> >>>>> >> >> At the line 832 seems to be the attachment extraction >> >> 831 $0 = 'MailScanner: extracting attachments'; >> 832 $batch->Explode(); > Normally you'd see the EOCD error from that line, which is safe to > ignore.... This though, I've mostly seen when the attachments really > have been damaged (bad MIME)... You don't have any "pre-filters" that > could confuse things, do you? Glenn, I'm not sure of the meaning of "pre-filters", but we do just Antivirus and + Spamassasin. > >> Could be that for some reason this step fail, and then all the rules >> tied to the file attachemnet are skipped ? >> >> In case i'm using >> >> - Mailscanner 4.61.7 >> - Red Hat Enterprise Linux AS release 3 (Taroon Update 9) >> - Linux 2.4.21-50.EL >> - Perl 5.8.0 >> - Spamassassin 3.1.9 > > Could you give a "MailScanner -V" too? 
Just in case you have a bum > perl module or so:-). > Here the output of MailScanner -V Running on Linux mg1.ti-edu.ch 2.4.21-47.0.1.ELsmp #1 SMP Fri Oct 13 17:56:20 EDT 2006 i686 i686 i386 GNU/Linux This is Red Hat Enterprise Linux AS release 3 (Taroon Update 9) This is Perl version 5.008000 (5.8.0) This is MailScanner version 4.61.7 Module versions are: 1.00 AnyDBM_File 1.16 Archive::Zip 1.01 Carp 1.119 Convert::BinHex 1.00 DirHandle 1.04 Fcntl 2.71 File::Basename 2.05 File::Copy 2.01 FileHandle 1.05 File::Path 0.13 File::Temp 0.90 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.23 IO 1.14 IO::File 1.13 IO::Pipe 1.77 Mail::Header 1.86 Math::BigInt 3.05 MIME::Base64 5.420 MIME::Decoder 5.420 MIME::Decoder::UU 5.420 MIME::Head 5.420 MIME::Parser 3.03 MIME::QuotedPrint 5.420 MIME::Tools 0.11 Net::CIDR 1.05 POSIX 1.09 Scalar::Util 1.75 Socket 1.4 Sys::Hostname::Long 0.18 Sys::Syslog 1.9707 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.29 Archive::Tar 0.21 bignum missing Business::ISBN missing Business::ISBN::Data 0.17 Convert::TNEF missing Data::Dump 1.815 DB_File 1.13 DBD::SQLite 1.56 DBI 1.15 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.11 Digest::SHA1 missing Encode::Detect missing Error missing ExtUtils::CBuilder missing ExtUtils::ParseXS missing Inline 1.08 IO::String 1.04 IO::Zlib 2.23 IP::Country missing Mail::ClamAV 3.001009 Mail::SpamAssassin missing Mail::SPF 1.999001 Mail::SPF::Query 0.19 Math::BigRat missing Module::Build 0.20 Net::CIDR::Lite 0.60 Net::DNS missing Net::DNS::Resolver::Programmable missing Net::LDAP missing NetAddr::IP missing Parse::RecDescent missing SAVI 2.26 Test::Harness missing Test::Manifest 1.89 Text::Balanced 1.35 URI missing version missing YAML Cheers >> >> Hope this could be an hint >> >> Cheers >> marco >> >> >> > > Cheers -- Marco Induni Universita` della Svizzera italiana Servizi informatici / TI-EDU Galleria 2 CH-6928 Manno (Switzerland) E-mail: minduni@ti-edu.ch Tel: +41 58 666 
6656 Fax: +41 58 666 6650
From list-mailscanner at linguaphone.com Thu Jul 5 13:04:34 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Thu Jul 5 13:04:46 2007
Subject: filename extension problem
In-Reply-To: <644743.83240.qm@web54403.mail.yahoo.com>
References: <644743.83240.qm@web54403.mail.yahoo.com>
Message-ID: <1183637074.17314.15.camel@gblades-suse.linguaphone-intranet.co.uk>

On Thu, 2007-07-05 at 12:41, jayesh shinde wrote:
> Dear All,
> I have one query , I am using MailScanner version
> 4.34.8 on FC2 with sendmail. Some of my users are sending their email
> with an attachments with double or multiple extension ( Ex:--
> my.com.location.doc)
> When it goes through MailScanner for scanning
> attachment , it give me the following error as :--
>
> #####
> At Fri Jun 29 18:00:56 2007 the virus scanner said:
> MailScanner: Attempt to hide real filename extension
> (my.com.location.doc)
> ######

filename.rules.conf contains this line:

# Deny all other double file extensions. This catches any hidden filenames.
deny	\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$	Found possible filename hiding	Attempt to hide real filename extension

This blocks any filename ending with a two or 3 character extension followed by a 3 character extension.
I can't see how this would block the specific example you gave though. I am not running the very latest version of MailScanner though, so perhaps yours has been updated.

> My queries are :--
> 1) Is there any way to by pass above such multiple extension mail
> through MailScanner. If yes then where should i define this ruleset &
> how to write this rule for
> single user.

Just remove the section in the file mentioned above.

> 2) If i bypass the above such multiple extension attachment , will it
> affect the block extension list ( define under
> /etc/MailScanner/filename.rules.conf )
From hvdkooij at vanderkooij.org Thu Jul 5 13:06:06 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Jul 5 13:07:12 2007 Subject: Whitelist issue In-Reply-To: <733d6ede0707050408p3daaa5abyef8d008250cba45@mail.gmail.com> References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain> <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com> <733d6ede0707050408p3daaa5abyef8d008250cba45@mail.gmail.com> Message-ID: On Thu, 5 Jul 2007, Vivek Mittal wrote: > This is going a bit off-topic from getting whitelisting to work in the > first place. However, I am interested in know more about how > whitelisting your own domain can get you listed. The way we are using > MailScanner is to scan all incoming email. I have set up our mail > server to accept emails to our domain only and not to relay anything > else. I'm pretty sure that our server is not an open relay. So how > does whitelisting the domain affect this? If you are a corporate network and have reasonable security in place I guess not. But if you are an evil bunny working for an ISP with thousands of DSL subscribers you are in quite a different situation. And part of my job is cleaning out corporate networks after the got hosed by malware. So even corporate networks can get themselves blacklisted. Hugo. PS: A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From hvdkooij at vanderkooij.org Thu Jul 5 13:19:29 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Jul 5 13:20:30 2007
Subject: filename extension problem
In-Reply-To: <644743.83240.qm@web54403.mail.yahoo.com>
References: <644743.83240.qm@web54403.mail.yahoo.com>
Message-ID:

On Thu, 5 Jul 2007, jayesh shinde wrote:

> 1) Is there any way to by pass above such multiple extension mail through MailScanner. If yes then where should i define this ruleset & how to write this rule for
> single user.

Use another filename.rules.conf file and disable (comment) the line. Then use a rule file to determine who uses which filename.rules.conf file.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)
From MailScanner at ecs.soton.ac.uk Thu Jul 5 10:35:40 2007
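The double-extension rule quoted in this thread and the suggestion to comment it out, as an added sketch that is not MailScanner's own code: a first-match evaluator over a small constructed rules file, run with and without that rule, which also bears on whether the remaining block list keeps working. Only the double-extension pattern and its two report strings come from the thread; the other rules, the tab-separated four-field layout, first-match-wins and case-insensitive matching are assumptions about how the file is read.

```python
import re

# Pattern of the double-extension rule quoted in the thread.
DOUBLE_EXT = r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"

# Constructed rules file; fields are: action, regex, log text, user report.
RULES = (
    "# Constructed example rules\n"
    "deny\t\\.pif$\tFound .pif file\tProgram information files are blocked\n"
    "deny\t\\.exe$\tFound .exe file\tExecutables are blocked\n"
    "# Deny all other double file extensions.\n"
    "deny\t" + DOUBLE_EXT + "\tFound possible filename hiding"
    "\tAttempt to hide real filename extension\n"
)


def parse_rules(text):
    """Return [(action, compiled_regex, user_report)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line)
        if len(fields) < 2 or fields[0].lower() not in ("allow", "deny"):
            continue
        report = fields[3] if len(fields) > 3 else ""
        rules.append((fields[0].lower(), re.compile(fields[1], re.IGNORECASE), report))
    return rules


def check(filename, rules):
    """First matching rule decides; a name matching no rule is allowed."""
    for action, pattern, report in rules:
        if pattern.search(filename):
            return action, report
    return "allow", ""


def without_rule(text, pattern):
    """Copy of the rules text with the line carrying `pattern` commented out."""
    out = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) > 1 and fields[1] == pattern:
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n"


def survey(names):
    """Map each name to (decision with the rule, decision without it)."""
    strict = parse_rules(RULES)
    relaxed = parse_rules(without_rule(RULES, DOUBLE_EXT))
    return {n: (check(n, strict)[0], check(n, relaxed)[0]) for n in names}


if __name__ == "__main__":
    # Constructed filenames, plus the one reported in the thread.
    samples = [
        "my.com.location.doc",  # 'location' is 8 characters: pattern does not match
        "holiday.jpg.scr",      # 3-character extension followed by 3: matches
        "notes.html.doc",       # 4-character extension followed by 3: matches
        "a.to.doc",             # 2-character first extension: does not match
        "report.2007.doc",      # first extension must start with a letter
        "invoice.pdf.exe",      # caught earlier by the .exe rule either way
    ]
    for name, (strict, relaxed) in survey(samples).items():
        print(f"{name:22} with rule: {strict:5}  without rule: {relaxed}")
```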
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 5 13:43:07 2007 Subject: Whitelist issue In-Reply-To: <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> Message-ID: <468CBB6C.3080608@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vivek Mittal wrote: > Sorry, if some people receive this twice. I sent this yesterday and > have not seen it show up in the list yet. > > ------------Previous message----------------- > > Hi, > > We have been using MailScanner for about 6 months now and it is > working really well. We have seen that 70% of our incoming mail is > spam and of that, 80% is classed as High Spam, so it is helping us > filtering a large part of our mail. > > In the last six months, we have noticed that even the mail classed as > Low Spam is 99.99% spam. The 0.01% that is not spam is due to > documents scanned and emailed from our printer. We have tried to > whitelist the address, but it does not work. I hope someone can help > in determining the cause. > > My spam.whitelist.rules file contains the following entries > > From: *@*.abc.com yes 
> From: *@*.xyz.com.au yes > > where xyz.com.au is our firm. Now, emails from abc.com are > whitelisted, but emails from our printer (printer@xyz.com.au) are not. > Below is a sample header as stored in the Mailscanner archives (with > some stuff modified) You need to whitelist *@xyz.com.au and not *@*.xyz.com.au as that won't match your printer's email address. > > V8 > T1170549349 > K0 > N0 > P170442 > Fbs > $_mx05.syd.isp.net.au [210.41.30.235] > $rESMTP > $smx05.syd.isp.net.au > ${daemon_flags} > ${if_addr}10.1.10.10 > S<> > rRFC822; vivek@xyz.com.au > RPFD: > H?P?Return-Path: <~Ag> > H??Received: from mx05.syd.isp.net.au (mx05.syd.isp.net.au > [210.41.30.235]) > by ap.xyz.com.au (8.13.4/8.13.4) with ESMTP id l140Znb5009886 > for ; Sun, 4 Feb 2007 11:35:49 +1100 > H?D?Date: Sun, 4 Feb 2007 11:35:49 +1100 > H??Received: from 114.090.dsl.mel.isp.net.au ([211.26.244.114]) > by mx05.syd.isp.net.au with SMTP; 04 Feb 2007 11:34:12 +1100 > H??X-IronPort-AV: i="4.13,277,1167570000"; > d="pdf'?scan'208"; a="29083045:sNHT433197450" > H??From: "XYZ PTY LTD" > H??To: > H??Subject: 2feb > H??Message-ID: <24331418> > H??MIME-Version: 1.0 > H??Content-Type: multipart/mixed; > boundary="__59453boundry__" > > When looking at the source of the delivered message, you can see > > X_XYZ_MAILSCANNER_INFORMATION='Please contact the ISP for more > information',X_XYZ_MAILSCANNER='Found to be > clean',X_XYZ_MAILSCANNER_SPAMCHECK='spam, SpamAssassin (not > cached,\tscore=7.37, required 6, AWL -0.09, HELO_DYNAMIC_HCC > 3.28,\tINVALID_MSGID 1.71, MSGID_SHORT 2.46), > X_XYZ_MAILSCANNER_SPAMSCORE='7',X_XYZ_MAILSCANNER_FROM='',X_SPAM_STATUS='Yes' > > > When comparing the header with email froms abc.com, they just say > X_XYZ_MAILSCANNER_SPAMCHECK='not spam (whitelisted),\tSpamAssassin > (not cached, score=-2.454, required 6,\tautolearn=not spam, > ADVANCE_FEE_1 0.00, ALL_TRUSTED -1.44, AWL -1.15,\tHTML_MESSAGE 0.00, > MPART_ALT_DIFF 0.14) > > So there must either be something wrong with my 
whitelists file or > something that is completely non-obvious to me. > > I searched for others with similar problems and the only one that I > found was to change > From: *@xyz.com.au yes > > to > > From: *@*.xyz.com.au yes > > but that has not worked either. > > I hope someone can help. > > Regards, > Vivek Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGjLttEfZZRxQVtlQRAqntAJ9Tu4EUfamTLv+R5g6d8vszU74HhwCgxmC0 dn0MmHAKypMHILHsQxklPos= =S1OE -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From glenn.steen at gmail.com Thu Jul 5 14:42:40 2007 
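Why `*@*.xyz.com.au` misses `printer@xyz.com.au`, and how an address rule differs from the IP-based whitelisting suggested elsewhere in this thread, as an added sketch rather than MailScanner's own matching code. It models `*` as "any run of characters", supports only address globs and CIDR networks, and treats the sender as the envelope sender; those modelling choices and all client IP addresses are assumptions.

```python
import ipaddress
import re


def glob_to_regex(pattern):
    """Translate an address glob: '*' matches any run of characters."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def parse_ruleset(text):
    """Parse 'From: <pattern> yes|no' lines into (direction, matcher, value)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split(None, 2)
        if "@" in pattern:
            matcher = ("address", glob_to_regex(pattern))
        else:
            matcher = ("network", ipaddress.ip_network(pattern, strict=False))
        rules.append((direction.rstrip(":").lower(), matcher,
                      value.strip().lower() == "yes"))
    return rules


def is_whitelisted(rules, sender, client_ip, default=False):
    """First matching From: rule decides; otherwise the default applies."""
    ip = ipaddress.ip_address(client_ip)
    for direction, (kind, matcher), value in rules:
        if direction != "from":
            continue
        if kind == "address" and matcher.match(sender):
            return value
        if kind == "network" and ip in matcher:
            return value
    return default


# The two address rules as posted, the corrected form, and an IP-based rule.
AS_POSTED = parse_ruleset("From: *@*.abc.com yes\nFrom: *@*.xyz.com.au yes\n")
CORRECTED = parse_ruleset("From: *@*.abc.com yes\nFrom: *@xyz.com.au yes\n")
BY_IP = parse_ruleset("From: 192.0.2.0/24 yes   # constructed internal network\n")

INSIDE = "192.0.2.25"    # constructed: the printer's own address
OUTSIDE = "203.0.113.9"  # constructed: an unrelated host on the Internet


def results():
    return {
        # '*.xyz.com.au' needs a literal dot before 'xyz', so no match.
        "posted rule, printer": is_whitelisted(AS_POSTED, "printer@xyz.com.au", INSIDE),
        # ...but a host under the domain would match it.
        "posted rule, subdomain": is_whitelisted(AS_POSTED, "printer@mail.xyz.com.au", INSIDE),
        "corrected rule, printer": is_whitelisted(CORRECTED, "printer@xyz.com.au", INSIDE),
        # An address rule looks only at the claimed sender, wherever it came from.
        "corrected rule, outside host": is_whitelisted(CORRECTED, "printer@xyz.com.au", OUTSIDE),
        # An empty envelope sender, like the 'S<>' line in the quoted queue
        # file, matches no address glob in this model.
        "corrected rule, empty sender": is_whitelisted(CORRECTED, "", INSIDE),
        "ip rule, printer": is_whitelisted(BY_IP, "", INSIDE),
        "ip rule, outside host": is_whitelisted(BY_IP, "printer@xyz.com.au", OUTSIDE),
    }


if __name__ == "__main__":
    for case, outcome in results().items():
        print(f"{case:32} whitelisted={outcome}")
```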
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jul 5 14:42:42 2007 Subject: Whitelist issue In-Reply-To: References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain> <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com> <733d6ede0707050408p3daaa5abyef8d008250cba45@mail.gmail.com> Message-ID: <223f97700707050642q609c34d6k2136baac48a90a3e@mail.gmail.com> On 05/07/07, Hugo van der Kooij wrote: > On Thu, 5 Jul 2007, Vivek Mittal wrote: > > > This is going a bit off-topic from getting whitelisting to work in the > > first place. However, I am interested in know more about how > > whitelisting your own domain can get you listed. The way we are using > > MailScanner is to scan all incoming email. I have set up our mail > > server to accept emails to our domain only and not to relay anything > > else. I'm pretty sure that our server is not an open relay. So how > > does whitelisting the domain affect this? > > If you are a corporate network and have reasonable security in place I > guess not. > > But if you are an evil bunny working for an ISP with thousands of DSL > subscribers you are in quite a different situation. > > And part of my job is cleaning out corporate networks after the got hosed > by malware. So even corporate networks can get themselves blacklisted. Definitely. Even if you are a strict corporate shop, there is little to no benefit avoiding outbound scanning. Thing is to be in charge;). . . Else someone else will be. Now, as to the problem. . . Whitelisting by IP neatly solve the initial problem without exposing one to easily spoof-able things:). > Hugo. > > PS: > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? 
> > -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > This message is using 100% recycled electrons. > > Some men see computers as they are and say "Windows" > I use computers with Linux and say "Why Windows?" > (Thanks JFK, for the insight.) > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mrm at quantumcc.com Thu Jul 5 17:44:25 2007 From: mrm at quantumcc.com (Mike Masse) Date: Thu Jul 5 17:44:36 2007 Subject: New support for clamd In-Reply-To: <468A9333.1040702@i-centrix.com> References: <468A9333.1040702@i-centrix.com> Message-ID: I recently updated our servers to clamd as well and have noticed a huge drop in cpu utilization. Thanks!! Mike Ryan Lane wrote: > The new support for clamd is most excellent! I run a fairly busy > server, and the processing times are significantly better. I just > implemented the change this morning, and I immediately saw the benefit. > The load on the server is considerably better too. Down from an almost > constant 1.00+ load average to 0.20 Thanks for the great work, and > continual improvements. > > -Ryan From cparker at swatgear.com Thu Jul 5 18:13:19 2007 
From: cparker at swatgear.com (Chris W. Parker) Date: Thu Jul 5 18:13:22 2007 Subject: SpamAssassin is constantly timing out References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local><468955F8.1090701@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com><97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local> <468AA237.3070404@ecs.soton.ac.uk> Message-ID: <97FD54B5E57A1842AA1A4B232E4761178EEA55@ati-ex-02.ati.local> On Tuesday, July 03, 2007 12:24 PM Julian Field said: > That's the problem then. Type this and then rerun the ./install.sh > script. mount -o remount,exec /tmp Thanks Julian. How about "File checker /usr/bin/file timed out!" ? This doesn't happen often (three times yesterday [the 4th]). Is it normal? Chris. From MailScanner at ecs.soton.ac.uk Thu Jul 5 18:11:28 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 5 18:14:54 2007 Subject: New support for clamd In-Reply-To: References: <468A9333.1040702@i-centrix.com> Message-ID: <468D2640.5090304@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 What were you using before? Mike Masse wrote: > I recently updated our servers to clamd as well and have noticed a > huge drop in cpu utilization. Thanks!! > > Mike > > > > Ryan Lane wrote: >> The new support for clamd is most excellent! I run a fairly busy >> server, and the processing times are significantly better. I just >> implemented the change this morning, and I immediately saw the >> benefit. The load on the server is considerably better too. Down >> from an almost constant 1.00+ load average to 0.20 Thanks for the >> great work, and continual improvements. >> >> -Ryan > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGjSZBEfZZRxQVtlQRAhDCAJ9GVl60daJzY57NuvRCez1eoJqkNwCgps36 BPxiv8tOKUK4/DCFW20gR4U= =Q7oD -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Thu Jul 5 18:30:06 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 5 18:33:19 2007 Subject: SpamAssassin is constantly timing out In-Reply-To: <97FD54B5E57A1842AA1A4B232E4761178EEA55@ati-ex-02.ati.local> References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local><468955F8.1090701@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com><97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local> <468AA237.3070404@ecs.soton.ac.uk> <97FD54B5E57A1842AA1A4B232E4761178EEA55@ati-ex-02.ati.local> Message-ID: <468D2A9E.30801@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chris W. Parker wrote: > On Tuesday, July 03, 2007 12:24 PM Julian Field said: > > >> That's the problem then. Type this and then rerun the ./install.sh >> script. mount -o remount,exec /tmp >> > > Thanks Julian. > > How about "File checker /usr/bin/file timed out!" ? This doesn't happen > often (three times yesterday [the 4th]). Is it normal? > I've never known "file" time out before. It really shouldn't happen. Is your server particularly over-loaded or anything like that which would make it run extremely slowly? Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGjSqkEfZZRxQVtlQRArGGAJ0ZYaBVOBxGufh2OeQpC9FUHXsfiACgibuG VJApYcIu+AWqu3OskFdKfDE= =EC3D -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From jan-peter at koopmann.eu Thu Jul 5 18:43:46 2007 
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Thu Jul 5 18:43:11 2007 Subject: SpamAssassin is constantly timing out In-Reply-To: References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local><468955F8.1090701@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com><97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local> <468AA237.3070404@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E4761178EEA55@ati-ex-02.ati.local> Message-ID: Hi Jules, funny thing is that at one site I have a similar problem. We see SA timeouts, sometimes 3 times a day, sometimes 10 times a day. I even see things like Jul 3 12:39:56 proxy MailScanner[99745]: SpamAssassin timed out and was killed, failure 0 of 20 Failure 0 of 20??? :-) The server is not overloaded, DNS is usually working quite fine. Timeout is set to 200 seconds. I have no clue what this could be and how I could debug this. I could use SA Logs for an entire day to see what happens. Any ideas how to debug this? Regards, JP From MailScanner at ecs.soton.ac.uk Thu Jul 5 18:53:34 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 5 18:56:19 2007 Subject: SpamAssassin is constantly timing out In-Reply-To: References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local><468955F8.1090701@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com><97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local> <468AA237.3070404@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E4761178EEA55@ati-ex-02.ati.local> Message-ID: <468D301E.7070908@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Koopmann, Jan-Peter wrote: > Jul 3 12:39:56 proxy MailScanner[99745]: SpamAssassin timed out and was > killed, failure 0 of 20 > > Failure 0 of 20??? :-) > That bit of code clearly leaves a bit to be desired. I'll take a look this weekend and try to find the problem. Clearly something is off by 1. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGjTAfEfZZRxQVtlQRAppuAJ9TziE7hDkEpezXNBYqngMHW1aQywCgwVJP 2JQ2EiH16hm+VjBOqxspLPM= =UHKF -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From raymond at prolocation.net Thu Jul 5 19:07:01 2007 
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Thu Jul 5 19:06:59 2007 Subject: SpamAssassin is constantly timing out In-Reply-To: <468D301E.7070908@ecs.soton.ac.uk> References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local><468955F8.1090701@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com><97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local> <468AA237.3070404@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E4761178EEA55@ati-ex-02.ati.local> <468D301E.7070908@ecs.soton.ac.uk> Message-ID: Hi! >> Failure 0 of 20??? :-) > That bit of code clearly leaves a bit to be desired. I'll take a look > this weekend and try to find the problem. Clearly something is off by 1. If it helps I also get them ;) Bye, Raymond. From stork at openenterprise.ca Thu Jul 5 19:42:02 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Thu Jul 5 19:42:13 2007 Subject: Mailscanner and Virtualmin Message-ID: <468D3B7A.70503@openenterprise.ca> I thought I would try out virtualmin to manage a few locally hosted sites but have noticed that within the VirtualMin interface in Webmin, on my gateway mail server running MailScanner, the "Start Mailserver" and "Start Dovecot" buttons are crossed out indicating that VM does not appear to "see" mailscanner? Does anyone have any experience setting up VM on a machine running Mailscanner? From ssilva at sgvwater.com Thu Jul 5 20:05:11 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Jul 5 20:05:23 2007 Subject: Ping In-Reply-To: <223f97700707041525t21a3ef46h19854aab47bb06b9@mail.gmail.com> References: <200707041913.l64JD1D1013544@safir.blacknight.ie> <468BF2B3.9000603@slackadelic.com> <468BF440.9000009@ecs.soton.ac.uk> <223f97700707041525t21a3ef46h19854aab47bb06b9@mail.gmail.com> Message-ID: Glenn Steen spake the following on 7/4/2007 3:25 PM: > On 04/07/07, Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> Matt Hayes wrote: >> > Jules wrote: >> >> Not at all sure the list is working, so I'm doing this one by hand. >> > >> > It's working Jules. >> Phew. We went over 3 hours without a single posting, that's almost >> unheard of :-) > > I'm doing something Hugo wouldn't approve of (but you would, I know, > since it's a nice red:-)... And I'm on vacation, al right... :-D > In just 2 and 1/2 weeks all will be back to the normal noise > level....:-):-) > Seriously though.... If it's quiet... either more people than me are > vacationing, or there are very few problems right now;). > >> > >> > -Matt >> > >> > >> >> Jules >> > Cheers Also a holiday in the US. So if the quietness covered that point in time when this hemisphere is "reveling" and the other hemisphere is trying to get a little sleep, then ..... -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From itdept at fractalweb.com Thu Jul 5 21:14:07 2007 
From: itdept at fractalweb.com (Chris Yuzik) Date: Thu Jul 5 21:14:31 2007 Subject: Mailscanner and Virtualmin In-Reply-To: <468D3B7A.70503@openenterprise.ca> References: <468D3B7A.70503@openenterprise.ca> Message-ID: <468D510F.6090106@fractalweb.com> Johnny Stork wrote: > I thought I would try out virtualmin to manage a few locally hosted > sites but have noticed that within the VirtualMin interface in Webmin, > on my gateway mail server running MailScanner, the "Start Mailserver" > and "Start Dovecot" buttons are crossed out indicating that VM does not > appear to "see" mailscanner? Does anyone have any experience setting up > VM on a machine running Mailscanner? > We've played around with Virtualmin, and it's fine with MailScanner, although it doesn't seem to "see" MailScanner and does think that the mail server is down. Aside from that, everything is okay. From glenn.steen at gmail.com Thu Jul 5 21:16:18 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jul 5 21:16:20 2007 Subject: Filename rule question In-Reply-To: <468CDC23.7000500@ti-edu.ch> References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> <468CACEF.30202@ti-edu.ch> <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> <468CDC23.7000500@ti-edu.ch> Message-ID: <223f97700707051316y462cffd5ka6ce8064d614350f@mail.gmail.com> On 05/07/07, Marco Induni wrote: > Glenn Steen wrote: > > On 05/07/07, Marco Induni wrote: > > (snip) > >> Also tried to use the sample rule filename.rules.conf directly setting > >> the "Filename Rules = %etc-dir%/filename.rules.conf, but nothing. > >> > >> At the end I made one of the two mailgateway reachable just for me, and > >> set the Mailscanner in debug mode. > >> This is the output when I send an email: > >> > >> >>>>> > >> Ignore errors about failing to find EOCD signature > >> format error: file is too short > >> at /usr/sbin/MailScanner line 832 > >> Stopping now as you are debugging me. > >> >>>>> > >> > >> At the line 832 seems to be the attachment extraction > >> > >> 831 $0 = 'MailScanner: extracting attachments'; > >> 832 $batch->Explode(); > > Normally you'd see the EOCD error from that line, which is safe to > > ignore.... This though, I've mostly seen when the attachments really > > have been damaged (bad MIME)... You don't have any "pre-filters" that > > could confuse things, do you? > > Glenn, > I'm not sure of the meaning of "pre-filters", but we do just Antivirus > and + SpamAssassin. Just fishing for any other software to blame:-)... Like a milter... That would happen before MailScanner can get a hold of it... > >> Could be that for some reason this step fails, and then all the rules > >> tied to the file attachment are skipped ? 
> >> > >> In case i'm using > >> > >> - Mailscanner 4.61.7 > >> - Red Hat Enterprise Linux AS release 3 (Taroon Update 9) > >> - Linux 2.4.21-50.EL > >> - Perl 5.8.0 > >> - Spamassassin 3.1.9 > > > > Could you give a "MailScanner -V" too? Just in case you have a bum > > perl module or so:-). > > > Here the output of MailScanner -V > > Running on > Linux mg1.ti-edu.ch 2.4.21-47.0.1.ELsmp #1 SMP Fri Oct 13 17:56:20 EDT > 2006 i686 > i686 i386 GNU/Linux > This is Red Hat Enterprise Linux AS release 3 (Taroon Update 9) > This is Perl version 5.008000 (5.8.0) > > This is MailScanner version 4.61.7 > Module versions are: > 1.00 AnyDBM_File > 1.16 Archive::Zip > 1.01 Carp > 1.119 Convert::BinHex > 1.00 DirHandle > 1.04 Fcntl > 2.71 File::Basename > 2.05 File::Copy > 2.01 FileHandle > 1.05 File::Path > 0.13 File::Temp > 0.90 Filesys::Df > 1.35 HTML::Entities > 3.56 HTML::Parser > 2.37 HTML::TokeParser > 1.23 IO > 1.14 IO::File > 1.13 IO::Pipe > 1.77 Mail::Header > 1.86 Math::BigInt > 3.05 MIME::Base64 > 5.420 MIME::Decoder > 5.420 MIME::Decoder::UU > 5.420 MIME::Head > 5.420 MIME::Parser > 3.03 MIME::QuotedPrint > 5.420 MIME::Tools > 0.11 Net::CIDR > 1.05 POSIX > 1.09 Scalar::Util > 1.75 Socket > 1.4 Sys::Hostname::Long > 0.18 Sys::Syslog > 1.9707 Time::HiRes > 1.02 Time::localtime > > Optional module versions are: > 1.29 Archive::Tar > 0.21 bignum > missing Business::ISBN > missing Business::ISBN::Data > 0.17 Convert::TNEF > missing Data::Dump > 1.815 DB_File > 1.13 DBD::SQLite > 1.56 DBI > 1.15 Digest > 1.01 Digest::HMAC > 2.36 Digest::MD5 > 2.11 Digest::SHA1 > missing Encode::Detect > missing Error > missing ExtUtils::CBuilder > missing ExtUtils::ParseXS > missing Inline > 1.08 IO::String > 1.04 IO::Zlib > 2.23 IP::Country > missing Mail::ClamAV > 3.001009 Mail::SpamAssassin > missing Mail::SPF > 1.999001 Mail::SPF::Query > 0.19 Math::BigRat > missing Module::Build > 0.20 Net::CIDR::Lite > 0.60 Net::DNS > missing Net::DNS::Resolver::Programmable > missing Net::LDAP > 
missing NetAddr::IP > missing Parse::RecDescent > missing SAVI > 2.26 Test::Harness > missing Test::Manifest > 1.89 Text::Balanced > 1.35 URI > missing version > missing YAML > > To my tired eyes that doesn't look that bad... More's the pity... Seems you don't install SA and Clamav by way of Jules easy package (or else a lot more of the optional modules would be there)... Hm... One could start installing those, of course, but I don't see them having an effect. You did say that restoring the default filename/filetype rules files and reloading/restarting MailScanner didn't have any effect either? Most strange. How did you install the MIME::* packages? Via jules installer or via distro or CPAN? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From res at ausics.net Thu Jul 5 21:40:06 2007 
From: res at ausics.net (Res) Date: Thu Jul 5 21:40:18 2007 Subject: Whitelist issue In-Reply-To: <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com> References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain> <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com> Message-ID: On Thu, 5 Jul 2007, Glenn Steen wrote: > Oh yes, Noel, quite correct (as mostly.... still saving up for those > postmix "doubts", you rendmauling evil bunny;-)... One can always > justify this by the benefit to ones own domain(s)... It only take one > rouge that you W/L to get you (rightly) listed...:-) Indeed, nasty for private enterprise, more so for telcos -- Cheers Res From seamus at rheelweb.co.nz Thu Jul 5 21:51:20 2007 
From: seamus at rheelweb.co.nz (Seamus Allan) Date: Thu Jul 5 21:51:32 2007 Subject: Postfix Address Verification In-Reply-To: <223f97700707050406q1b118b42o1d96f6cb3024ac57@mail.gmail.com> References: <223f97700707050351t47635e2bx92642bc19f4e1d0f@mail.gmail.com> <39cfb74fe9648f00fc2e7054d4fbe547@62.49.223.244> <223f97700707050406q1b118b42o1d96f6cb3024ac57@mail.gmail.com> Message-ID: <468D59C8.3010500@rheelweb.co.nz> Hi Guys, of course I have relay_domains setup, or my mail wouldn't be transferring in the first place! I was hoping not to have to pull the email list from the Hub machine, but it seems that my problem is pretty weird. Thanks though. Seamus >> > Yeah Phil, I do that myself too, although I dump (a not that big) AD > every 15 minutes, so that I don't have to rely on the M-Sexchange > admin to do the right thing... Saves me job as well as him:-). In my > case I only reduce total volume (by that particular measure) by about > 25% though... Total rejected fluctuating between 35 - 50%... Call me > lucky:-). > > Cheers From itdept at fractalweb.com Thu Jul 5 23:11:50 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Thu Jul 5 23:12:13 2007 Subject: clamd configuration? In-Reply-To: <006301c7be4f$3c350530$0301a8c0@SAHOMELT> References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> <468B0B2E.8080201@fractalweb.com> <006301c7be4f$3c350530$0301a8c0@SAHOMELT> Message-ID: <468D6CA6.7010702@fractalweb.com> Rick, Sorry to hear of your family's loss. FWIW, after reading your message and finally tracking down the permissions Clamd was running under and specifying the same user/group info in MailScanner.conf, all is well. Haven't noticed a significant decrease in system load though. Thank you for all your help. Cheers, Chris From seamus at rheelweb.co.nz Thu Jul 5 23:58:58 2007 
From: seamus at rheelweb.co.nz (Seamus Allan) Date: Thu Jul 5 23:59:17 2007 Subject: Postfix Address Verification In-Reply-To: <468D59C8.3010500@rheelweb.co.nz> References: <223f97700707050351t47635e2bx92642bc19f4e1d0f@mail.gmail.com> <39cfb74fe9648f00fc2e7054d4fbe547@62.49.223.244> <223f97700707050406q1b118b42o1d96f6cb3024ac57@mail.gmail.com> <468D59C8.3010500@rheelweb.co.nz> Message-ID: <468D77B2.8020109@rheelweb.co.nz> Seamus Allan wrote: > Hi Guys, > > of course I have relay_domains setup, or my mail wouldn't be > transferring in the first place! I was hoping not to have to pull the > email list from the Hub machine, but it seems that my problem is > pretty weird. > > Thanks though. > > Seamus >>> >> Yeah Phil, I do that myself too, although I dump (a not that big) AD >> every 15 minutes, so that I don't have to rely on the M-Sexchange >> admin to do the right thing... Saves me job as well as him:-). In my >> case I only reduce total volume (by that particular measure) by about >> 25% though... Total rejected fluctuating between 35 - 50%... Call me >> lucky:-). >> >> Cheers Actually it occurred to me that this wouldn't work in full, because the mail for some of the domains that pass through the Gateway machine is destined for other mailservers in the world that I cannot pull the mailboxes from. So I do need to get the verification working correctly. I might have to try the Postfix forum or something. Cheers Seamus From cparker at swatgear.com Fri Jul 6 00:03:09 2007 
From: cparker at swatgear.com (Chris W. Parker) Date: Fri Jul 6 00:03:12 2007 Subject: SpamAssassin is constantly timing out References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local><468955F8.1090701@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com><97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local> <468AA237.3070404@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E4761178EEA55@ati-ex-02.ati.local> <468D2A9E.30801@ecs.soton.ac.uk> Message-ID: <97FD54B5E57A1842AA1A4B232E47611773EBD5@ati-ex-02.ati.local> On Thursday, July 05, 2007 10:30 AM Julian Field said: > I've never known "file" time out before. It really shouldn't happen. > Is your server particularly over-loaded or anything like that which > would make it run extremely slowly? It doesn't have a high load on average but it's possible that there are surges at different times during the day. The first column is usually between .5 and 1.5. Chris. From rcooper at dwford.com Fri Jul 6 04:00:36 2007 From: rcooper at dwford.com (Rick Cooper) Date: Fri Jul 6 04:00:40 2007 Subject: clamd configuration? In-Reply-To: <468D6CA6.7010702@fractalweb.com> References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> <468B0B2E.8080201@fractalweb.com><006301c7be4f$3c350530$0301a8c0@SAHOMELT> <468D6CA6.7010702@fractalweb.com> Message-ID: <02a601c7bf79$d3e77d60$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Chris Yuzik > Sent: Thursday, July 05, 2007 6:12 PM > To: MailScanner discussion > Subject: Re: clamd configuration? > > Rick, > > Sorry to hear of your family's loss. Thank you very much. > > FWIW, after reading your message and finally tracking down the > permissions Clamd was running under and specifying the same > user/group > info in MailScanner.conf, all is well. Haven't noticed a significant > decrease in system load though. Thank you for all your help. > I will have a patch out by next week to handle warning of permission errors. If you were using clamavmodule then I would think there wouldn't be much difference (except possibly larger batches where the threading and handling entire directories at once would help), the biggest difference (from clamavmodule) would be the memory consumption (significant). Now the load difference between clamscan and clamd is pretty large. Rick From rcooper at dwford.com Fri Jul 6 04:05:24 2007 
From: rcooper at dwford.com (Rick Cooper) Date: Fri Jul 6 04:05:32 2007 Subject: New config parameters Message-ID: <02aa01c7bf7a$7fc794d0$0301a8c0@SAHOMELT> I downloaded the latest stable today and noticed some changes in reference to changing the incoming work dir. The following seems like it should be a bit more detailed: # NOTE: If you change this, you should change these too: # NOTE: SpamAssassin Temporary Dir # NOTE: SpamAssassin Cache Database File If I place the SA temp dir and MailScanner incoming Work Dir on a tmpfs file system I wouldn't think I would want the SpamAssassin Cache DataBase placed there as well as it would be lost between system reboots would it not? Rick From res at ausics.net Fri Jul 6 05:44:15 2007 From: res at ausics.net (Res) Date: Fri Jul 6 05:44:27 2007 Subject: New config parameters In-Reply-To: <02aa01c7bf7a$7fc794d0$0301a8c0@SAHOMELT> References: <02aa01c7bf7a$7fc794d0$0301a8c0@SAHOMELT> Message-ID: On Thu, 5 Jul 2007, Rick Cooper wrote: > If I place the SA temp dir and MailScanner incoming Work Dir on a tmpfs file > system I wouldn't think I would want the SpamAssassin Cache DataBase placed > there as well as it would be lost between system reboots would it not? Yes, but I've heard from the S.A folks that's not such a bad thing, unless you reboot every day that is. I've been using it on tmpfs for a long time. -- Cheers Res From R.Sterenborg at netsourcing.nl Fri Jul 6 06:55:05 2007 
From: R.Sterenborg at netsourcing.nl (Rob Sterenborg) Date: Fri Jul 6 07:04:31 2007 Subject: Postfix Address Verification In-Reply-To: <468D77B2.8020109@rheelweb.co.nz> References: <223f97700707050351t47635e2bx92642bc19f4e1d0f@mail.gmail.com> <39cfb74fe9648f00fc2e7054d4fbe547@62.49.223.244> <223f97700707050406q1b118b42o1d96f6cb3024ac57@mail.gmail.com><468D59C8.3010500@rheelweb.co.nz> <468D77B2.8020109@rheelweb.co.nz> Message-ID: <74ACEB3E6A055643A89B8CEC74C7BF2488E0C3@WISENT.dcyb.net> Seamus Allan wrote: > Seamus Allan wrote: >> Hi Guys, >> >> of course I have relay_domains setup, or my mail wouldn't be >> transferring in the first place! I was hoping not to have to pull the >> email list from the Hub machine, but it seems that my problem is >> pretty weird. Some email *would* be transferred and some *wouldn't* if your relay_domains table is setup but isn't complete. Since you're saying that email is not accepted for *some* domains (posting on june 28: "However, the next morning I came in to discover that some of the domains we host were not getting any email."), I'd say it was a valid thought. > Actually it occurred to me that this wouldn't work in full, because > the mail for some of the domains that pass through the Gateway machine > is destined for other mailservers in the world that I cannot pull the > mailboxes from. So I do need to get the verification working > correctly. I might have to try the Postfix forum or something. I think that's a more appropriate place for this challenge, indeed. ;-) Just a thought before going there: I didn't see much of your PF config on this list apart from some snippets (that doesn't automagically mean that I would be able to help you if you did post more of it). I can understand that and it is your good right not to show it but it's hard to support a config you don't fully know. 
When going to the Postfix list, be prepared to explain what you've already done and to post the (sanitized) output of postconf -n, maybe other (sanitized) information. The problem may be completely something else that we haven't thought of because the rest of the PF config is unknown to us. Some PF guru on that list will most likely want to see it to support you. Grts, Rob From mailscanner at vivekmittal.org Fri Jul 6 07:34:48 2007 From: mailscanner at vivekmittal.org (Vivek Mittal) Date: Fri Jul 6 07:34:50 2007 Subject: Whitelist issue In-Reply-To: References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain> <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com> Message-ID: <733d6ede0707052334r5aa6224x215bf6d88632b88@mail.gmail.com> I've tried setting it to @eblueprint.com.au as well as printer@eblueprint.com.au with no luck. I did have a breakthrough today. I installed MailWatch with the hope of using its whitelisting feature to help with this. I sent a trial message from the printer and noticed that the from column is blank. The message headers are below. I can see a From: field there but it is not being picked up?! This looks more like a printer problem than a mailscanner one, but I need some sort of a solution to stop mailscanner marking these emails as spam. Return-Path: < g> Received: from mx06.syd.isp.net.au (mx06.syd.isp.net.au [210.50.76.235]) by app.xyz.com.au (8.13.4/8.13.4) with ESMTP id l666dcRf010593 for ; Fri, 6 Jul 2007 16:39:39 +1000 Date: Fri, 6 Jul 2007 16:39:38 +1000 X-IronPort-AV: E=Sophos;i="4.16,506,1175436000"; d="pdf'?scan'208";a="54928259" Received: from 114.090.dsl.mel.isp.net.au ([211.26.244.114]) by smtp06.syd.isp.net.au with SMTP; 06 Jul 2007 16:24:07 +1000 
From: "XYZ PTY LTD" To: Subject: Fax sent by : XYZ PTY LTD<> Message-ID: <1104100900> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="__59453boundry__" On 7/6/07, Res wrote: > On Thu, 5 Jul 2007, Glenn Steen wrote: > > > Oh yes, Noel, quite correct (as mostly.... still saving up for those > > postmix "doubts", you rendmauling evil bunny;-)... One can always > > justify this by the benefit to ones own domain(s)... It only take one > > rouge that you W/L to get you (rightly) listed...:-) > > Indeed, nasty for private enterprise, more so for telcos > > > -- > Cheers > Res From leiw324 at yahoo.com.hk Fri Jul 6 07:48:07 2007 
From: leiw324 at yahoo.com.hk (Wilson Kwok) Date: Fri Jul 6 07:48:09 2007 Subject: Commercial scanner clamav timed out! Message-ID: <290316.6797.qm@web54401.mail.yahoo.com> Hello, Environment: postfix-2.2.10-1.1.el4 + MailScanner-perl-MIME-Base64-3.05-5 + clamav-0.90.3-1.el4.rf + spamassassin-3.2.1-1.el4.rf MailScanner always sent logs, can anyone help me ? Log here: Jul 6 11:36:39 mailgateway MailScanner[20662]: Commercial scanner clamav timed out! Jul 6 11:36:39 mailgateway MailScanner[20662]: clamav: Failed to complete, timed out Jul 6 11:36:39 mailgateway MailScanner[20662]: Virus Scanning: Denial Of Service attack detected! Jul 6 11:37:30 mailgateway MailScanner[20659]: Commercial scanner clamav timed out! Jul 6 11:37:30 mailgateway MailScanner[20659]: clamav: Failed to complete, timed out Jul 6 11:37:30 mailgateway MailScanner[20659]: Virus Scanning: Denial Of Service attack detected! Jul 6 11:38:34 mailgateway MailScanner[20121]: Commercial scanner clamav timed out! Jul 6 11:38:34 mailgateway MailScanner[20121]: clamav: Failed to complete, timed out Jul 6 11:38:34 mailgateway MailScanner[20121]: Virus Scanning: Denial Of Service attack is in message 80B8741821F.81DD6 Jul 6 11:38:34 mailgateway MailScanner[20121]: Infected message 80B8741821F.81DD6 came from 200.86.17.36 Jul 6 11:39:44 mailgateway MailScanner[20428]: Commercial scanner clamav timed out! Jul 6 11:39:44 mailgateway MailScanner[20428]: clamav: Failed to complete, timed out From martinh at solidstatelogic.com Fri Jul 6 09:18:16 2007 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Fri Jul 6 09:18:26 2007 Subject: Commercial scanner clamav timed out! In-Reply-To: <290316.6797.qm@web54401.mail.yahoo.com> Message-ID: <39539ed9b640e64582f34f5e5ee68224@solidstatelogic.com> Wilson Have a look at the clamd.conf for timeout settings! -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Wilson Kwok > Sent: 06 July 2007 07:48 > To: mailscanner@lists.mailscanner.info > Subject: Commercial scanner clamav timed out! > > Hello, > > Environment: postfix-2.2.10-1.1.el4 + MailScanner-perl-MIME-Base64-3.05-5 > + clamav-0.90.3-1.el4.rf + spamassassin-3.2.1-1.el4.rf > > MailScanner always sent logs, can anyone help me ? > > > Log here: > > Jul 6 11:36:39 mailgateway MailScanner[20662]: Commercial scanner clamav > timed out! > Jul 6 11:36:39 mailgateway MailScanner[20662]: clamav: Failed to > complete, timed out > Jul 6 11:36:39 mailgateway MailScanner[20662]: Virus Scanning: Denial Of > Service attack detected! > Jul 6 11:37:30 mailgateway MailScanner[20659]: Commercial scanner clamav > timed out! > Jul 6 11:37:30 mailgateway MailScanner[20659]: clamav: Failed to > complete, timed out > Jul 6 11:37:30 mailgateway MailScanner[20659]: Virus Scanning: Denial Of > Service attack detected! > Jul 6 11:38:34 mailgateway MailScanner[20121]: Commercial scanner clamav > timed out! > Jul 6 11:38:34 mailgateway MailScanner[20121]: clamav: Failed to > complete, timed out > Jul 6 11:38:34 mailgateway MailScanner[20121]: Virus Scanning: Denial Of > Service attack is in message 80B8741821F.81DD6 > Jul 6 11:38:34 mailgateway MailScanner[20121]: Infected message > 80B8741821F.81DD6 came from 200.86.17.36 > Jul 6 11:39:44 mailgateway MailScanner[20428]: Commercial scanner clamav > timed out! 
> Jul 6 11:39:44 mailgateway MailScanner[20428]: clamav: Failed to > complete, timed out ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From raymond at prolocation.net Fri Jul 6 09:48:51 2007 
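A small triage script for the MailScanner syslog lines quoted in this thread, added here as an example (it is not MailScanner code and not from any poster). It counts virus-scanner timeouts per host and per worker PID, extracts the message ID and relay IP that MailScanner blamed, and flags SpamAssassin failure counters outside 1..limit, such as the "failure 0 of 20" line. The regular expressions are assumptions derived only from the log lines shown on this page.

```python
import re
from collections import Counter

# Log lines copied from the excerpts quoted in the messages above.
SAMPLE_LOG = """\
Jul 3 12:39:56 proxy MailScanner[99745]: SpamAssassin timed out and was killed, failure 0 of 20
Jul 6 11:36:39 mailgateway MailScanner[20662]: Commercial scanner clamav timed out!
Jul 6 11:36:39 mailgateway MailScanner[20662]: clamav: Failed to complete, timed out
Jul 6 11:36:39 mailgateway MailScanner[20662]: Virus Scanning: Denial Of Service attack detected!
Jul 6 11:37:30 mailgateway MailScanner[20659]: Commercial scanner clamav timed out!
Jul 6 11:37:30 mailgateway MailScanner[20659]: clamav: Failed to complete, timed out
Jul 6 11:37:30 mailgateway MailScanner[20659]: Virus Scanning: Denial Of Service attack detected!
Jul 6 11:38:34 mailgateway MailScanner[20121]: Commercial scanner clamav timed out!
Jul 6 11:38:34 mailgateway MailScanner[20121]: clamav: Failed to complete, timed out
Jul 6 11:38:34 mailgateway MailScanner[20121]: Virus Scanning: Denial Of Service attack is in message 80B8741821F.81DD6
Jul 6 11:38:34 mailgateway MailScanner[20121]: Infected message 80B8741821F.81DD6 came from 200.86.17.36
Jul 6 11:39:44 mailgateway MailScanner[20428]: Commercial scanner clamav timed out!
Jul 6 11:39:44 mailgateway MailScanner[20428]: clamav: Failed to complete, timed out
"""

# Assumed line layout, derived only from the lines shown on this page:
#   <Mon> <day> <hh:mm:ss> <host> MailScanner[<pid>]: <message>
SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?P<host>\S+)\s+"
    r"MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
SCANNER_TIMEOUT_RE = re.compile(r"Commercial scanner (\S+) timed out!")
SA_TIMEOUT_RE = re.compile(
    r"SpamAssassin timed out and was killed, failure (\d+) of (\d+)"
)
DOS_IN_MSG_RE = re.compile(
    r"Virus Scanning: Denial Of Service attack is in message (\S+)"
)
ORIGIN_RE = re.compile(r"Infected message (\S+) came from (\S+)")


def triage(log_text):
    """Summarise scanner and SpamAssassin timeouts in MailScanner syslog text."""
    scanner_timeouts = Counter()  # (host, scanner) -> number of timeouts
    by_pid = Counter()            # MailScanner worker PID -> scanner timeouts
    sa_timeouts = []              # (host, failure_number, limit)
    dos_ids = []                  # message ids blamed for a scanner timeout
    origins = {}                  # message id -> relay IP from "came from"
    unparsed = 0

    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = SYSLOG_RE.match(line)
        if m is None:
            unparsed += 1  # not a MailScanner syslog line in the assumed layout
            continue
        host, pid, msg = m.group("host"), int(m.group("pid")), m.group("msg")

        hit = SCANNER_TIMEOUT_RE.match(msg)
        if hit:
            scanner_timeouts[(host, hit.group(1))] += 1
            by_pid[pid] += 1
            continue
        hit = SA_TIMEOUT_RE.match(msg)
        if hit:
            sa_timeouts.append((host, int(hit.group(1)), int(hit.group(2))))
            continue
        hit = DOS_IN_MSG_RE.match(msg)
        if hit:
            dos_ids.append(hit.group(1))
            continue
        hit = ORIGIN_RE.match(msg)
        if hit:
            origins[hit.group(1)] = hit.group(2)

    # Join after the loop so the order of the two log lines does not matter;
    # "came from" lines for messages not blamed for a timeout are ignored.
    suspects = {mid: origins.get(mid) for mid in dos_ids}
    # A failure counter should run from 1 to the limit; "0 of 20" does not.
    anomalies = [t for t in sa_timeouts if not 1 <= t[1] <= t[2]]

    return {
        "scanner_timeouts": dict(scanner_timeouts),
        "scanner_timeouts_by_pid": dict(by_pid),
        "sa_timeouts": sa_timeouts,
        "sa_counter_anomalies": anomalies,
        "suspect_messages": suspects,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Timeouts spread over several worker PIDs with only one blamed message, as in this sample, are a reason to check the scanner configuration and host load before treating the "Denial Of Service" wording as evidence of hostile mail.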
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Fri Jul 6 09:48:51 2007 Subject: New config parameters In-Reply-To: References: <02aa01c7bf7a$7fc794d0$0301a8c0@SAHOMELT> Message-ID: Hi! >> If I place the SA temp dir and MailScanner incoming Work Dir on a tmpfs >> file >> system I wouldn't think I would want the SpamAssassin Cache DataBase placed >> there as well as it would be lost between system reboots would it not? > Yes, but I've heard from the S.A folks that's not such a bad thing, unless > you reboot every day that is. I've been using it on tmpfs for a long time. The cache database is something Julian made, not the SA people. It's not your Bayes DBs, it's the caching system... Bye, Raymond. From minduni at ti-edu.ch Fri Jul 6 10:21:58 2007 
From: minduni at ti-edu.ch (Marco Induni) Date: Fri Jul 6 10:22:00 2007 Subject: Filename rule question In-Reply-To: <223f97700707051316y462cffd5ka6ce8064d614350f@mail.gmail.com> References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> <468CACEF.30202@ti-edu.ch> <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> <468CDC23.7000500@ti-edu.ch> <223f97700707051316y462cffd5ka6ce8064d614350f@mail.gmail.com> Message-ID: <468E09B6.10605@ti-edu.ch> Glenn Steen wrote: > On 05/07/07, Marco Induni wrote: >> Glenn Steen wrote: >> > On 05/07/07, Marco Induni wrote: >> > (snip) >> >> Also tried to use the sample rule filename.rules.conf directly setting >> >> the "Filename Rules = %etc-dir%/filename.rules.conf, but nothing. >> >> >> >> At the end I made one of the two mailgateway reachable just for me, >> and >> >> set the Mailscanner in debug mode. >> >> This is the output when I send an email: >> >> >> >> >>>>> >> >> Ignore errors about failing to find EOCD signature >> >> format error: file is too short >> >> at /usr/sbin/MailScanner line 832 >> >> Stopping now as you are debugging me. >> >> >>>>> >> >> >> >> At the line 832 seems to be the attachment extraction >> >> >> >> 831 $0 = 'MailScanner: extracting attachments'; >> >> 832 $batch->Explode(); >> > Normally you'd see the EOCD error from that line, which is safe to >> > ignore.... This though, I've mostly seen when the attachments really >> > have been damaged (bad MIME)... You don't have any "pre-filters" that >> > could confuse things, do you? >> >> Glenn, >> I'm not sure of the meaning of "pre-filters", but we do just Antivirus >> and + SpamAssassin. > > Just fishing for any other software to blame:-)... Like a milter... > That would happen before MailScanner can get a hold of it... 
> Ah, I see. No any pre-filter so.
>> >> Could be that for some reason this step fail, and then all the rules
>> >> tied to the file attachment are skipped ?
>> >>
>> >> In case i'm using
>> >>
>> >> - Mailscanner 4.61.7
>> >> - Red Hat Enterprise Linux AS release 3 (Taroon Update 9)
>> >> - Linux 2.4.21-50.EL
>> >> - Perl 5.8.0
>> >> - Spamassassin 3.1.9
>> >
>> > Could you give a "MailScanner -V" too? Just in case you have a bum
>> > perl module or so:-).
>> >
>> Here the output of MailScanner -V
>>
>> Running on
>> Linux mg1.ti-edu.ch 2.4.21-47.0.1.ELsmp #1 SMP Fri Oct 13 17:56:20 EDT
>> 2006 i686
>> i686 i386 GNU/Linux
>> This is Red Hat Enterprise Linux AS release 3 (Taroon Update 9)
>> This is Perl version 5.008000 (5.8.0)
>>
>> This is MailScanner version 4.61.7
>> Module versions are:
>> 1.00 AnyDBM_File
>> 1.16 Archive::Zip
>> 1.01 Carp
>> 1.119 Convert::BinHex
>> 1.00 DirHandle
>> 1.04 Fcntl
>> 2.71 File::Basename
>> 2.05 File::Copy
>> 2.01 FileHandle
>> 1.05 File::Path
>> 0.13 File::Temp
>> 0.90 Filesys::Df
>> 1.35 HTML::Entities
>> 3.56 HTML::Parser
>> 2.37 HTML::TokeParser
>> 1.23 IO
>> 1.14 IO::File
>> 1.13 IO::Pipe
>> 1.77 Mail::Header
>> 1.86 Math::BigInt
>> 3.05 MIME::Base64
>> 5.420 MIME::Decoder
>> 5.420 MIME::Decoder::UU
>> 5.420 MIME::Head
>> 5.420 MIME::Parser
>> 3.03 MIME::QuotedPrint
>> 5.420 MIME::Tools
>> 0.11 Net::CIDR
>> 1.05 POSIX
>> 1.09 Scalar::Util
>> 1.75 Socket
>> 1.4 Sys::Hostname::Long
>> 0.18 Sys::Syslog
>> 1.9707 Time::HiRes
>> 1.02 Time::localtime
>>
>> Optional module versions are:
>> 1.29 Archive::Tar
>> 0.21 bignum
>> missing Business::ISBN
>> missing Business::ISBN::Data
>> 0.17 Convert::TNEF
>> missing Data::Dump
>> 1.815 DB_File
>> 1.13 DBD::SQLite
>> 1.56 DBI
>> 1.15 Digest
>> 1.01 Digest::HMAC
>> 2.36 Digest::MD5
>> 2.11 Digest::SHA1
>> missing Encode::Detect
>> missing Error
>> missing ExtUtils::CBuilder
>> missing ExtUtils::ParseXS
>> missing Inline
>> 1.08 IO::String
>> 1.04 IO::Zlib
>> 2.23 IP::Country
>> missing Mail::ClamAV
>> 3.001009 Mail::SpamAssassin
>> missing Mail::SPF
>> 1.999001 Mail::SPF::Query
>> 0.19 Math::BigRat
>> missing Module::Build
>> 0.20 Net::CIDR::Lite
>> 0.60 Net::DNS
>> missing Net::DNS::Resolver::Programmable
>> missing Net::LDAP
>> missing NetAddr::IP
>> missing Parse::RecDescent
>> missing SAVI
>> 2.26 Test::Harness
>> missing Test::Manifest
>> 1.89 Text::Balanced
>> 1.35 URI
>> missing version
>> missing YAML
>>
>>
> To my tired eyes that doesn't look that bad... More's the pity...

Hope now your eyes are better

> Seems you don't install SA and Clamav by way of Jules easy package (or
> else a lot more of the optional modules would be there)... Hm... One
> could start installing those, of course, but I don't see them having
> an effect.

In fact, we use uvscan(mcafee) and sometime clamav AV, but they are
installed apart (SA via CPAN / clamav make /make install)

> You did say that restoring the default filename/filetype
> rules files and reloading/restarting MailScanner didn't have any
> effect either? Most strange.

Yes, it is so.

> How did you install the MIME::* packages? Via jules installer or via
> distro or CPAN?

Via jules. I've installed the new version a couple of days ago.

Cheers
>
>
Cheers
--
Marco Induni
Universita` della Svizzera italiana
Servizi informatici / TI-EDU
Galleria 2
CH-6928 Manno (Switzerland)
E-mail: minduni@ti-edu.ch
Tel: +41 58 666 6656
Fax: +41 58 666 6650

From j.ede at birchenallhowden.co.uk Fri Jul 6 10:41:37 2007
From: j.ede at birchenallhowden.co.uk (Jason Ede)
Date: Fri Jul 6 10:42:01 2007
Subject: clamd configuration?
In-Reply-To: <468B0B2E.8080201@fractalweb.com>
References: <468AAB5B.7010101@fractalweb.com> <468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com> <06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> <468B0B2E.8080201@fractalweb.com>
Message-ID:

I had the same problem with clamd missing the attached virus although all
looks fine through the debug apart from the test viruses not being detected.

I've checked user and permission levels and all looks good as far as I can
see...

I've gone back to using clamavmodule for now...

Oh, MailScanner is 4.61.7 and clamav is the 0.91rc2

Jason

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Chris Yuzik
Sent: 04 July 2007 03:51
To: MailScanner discussion
Subject: Re: clamd configuration?

Rick Cooper wrote:
> Please run MailScanner in debug mode, show what is output from the clamd
> section, and if possible the clamd.conf, remember that is where the clam
> daemon is getting its parameter. If MailScanner cannot reach clamd there
> will be alerts even if you are not in debug mode. Also note if you supply a
> path to the socket the port is not used. If you are not using unix sockets
> (/tmp/clamd or /tmp/clamd.sock, etc) then you should have an IP address
> (probably 127.0.0.1) for the socket address.

Rick,

Ok, here you go. I put MailScanner into debug mode, did a lint, plopped a
message with the eicar test file into the inqueue, etc. Looks like clamd is
called and the messages handed off, but it doesn't find the virus.

Chris

# MailScanner --lint
Read 777 hostnames from the phishing whitelist
Config: calling custom init function SQLBlacklist
Config: calling custom init function MailWatchLogging
Config: calling custom init function SQLWhitelist
Checking version numbers...
Version number in MailScanner.conf (4.61.7) is correct.
Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
lock.pl sees Config LockType = posix
lock.pl sees have_module = 0
Using locktype = posix
Creating hardcoded struct_flock subroutine for linux (Linux-type)
MailScanner.conf says "Virus Scanners = clamd"
Debug Mode Is On
Use Threads : YES
IP : 127.0.0.1
Port : 3310
Lock File : NOT USED
Time Out : 300
Scan Dir : /var/spool/MailScanner/incoming/29637/ISITINSTALLED
Clamd : Sending PING
Clamd : GOT 'PONG'
ClamD is running
Found these virus scanners installed: clamavmodule, clamd

# service MailScanner start
Starting MailScanner daemons:
incoming sendmail: [ OK ]
outgoing sendmail: [ OK ]
MailScanner: In Debugging mode, not forking...
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Ignore errors about failing to find EOCD signature
Stopping now as you are debugging me.
[ OK ]
[root@devel MailScanner]# commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 138.
Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 138.

and

Jul 3 19:46:49 devel MailScanner[29319]: MailScanner E-Mail Virus Scanner version 4.61.7 starting...
Jul 3 19:46:49 devel MailScanner[29319]: Read 777 hostnames from the phishing whitelist
Jul 3 19:46:49 devel MailScanner[29319]: Config: calling custom init function SQLBlacklist
Jul 3 19:46:49 devel MailScanner[29319]: Starting up SQL Blacklist
Jul 3 19:46:49 devel MailScanner[29319]: Read 28 blacklist entries
Jul 3 19:46:49 devel MailScanner[29319]: Config: calling custom init function MailWatchLogging
Jul 3 19:46:49 devel MailScanner[29319]: Started SQL Logging child
Jul 3 19:46:49 devel MailScanner[29319]: Config: calling custom init function SQLWhitelist
Jul 3 19:46:49 devel MailScanner[29319]: Starting up SQL Whitelist
Jul 3 19:46:49 devel MailScanner[29319]: Read 18 whitelist entries
Jul 3 19:46:49 devel MailScanner[29319]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
Jul 3 19:46:50 devel MailScanner[29319]: Using SpamAssassin results cache
Jul 3 19:46:50 devel MailScanner[29319]: Connected to SpamAssassin cache database
Jul 3 19:46:50 devel MailScanner[29319]: Expired 2 records from the SpamAssassin cache
Jul 3 19:46:50 devel MailScanner[29319]: Enabling SpamAssassin auto-whitelist functionality...
Jul 3 19:46:52 devel MailScanner[29319]: lock.pl sees Config LockType = posix
Jul 3 19:46:52 devel MailScanner[29319]: lock.pl sees have_module = 0
Jul 3 19:46:52 devel MailScanner[29319]: Using locktype = posix
Jul 3 19:46:52 devel MailScanner[29319]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Jul 3 19:46:52 devel MailScanner[29319]: New Batch: Scanning 3 messages, 55415 bytes
Jul 3 19:46:52 devel MailScanner[29319]: Created attachment dirs for 3 messages
Jul 3 19:46:52 devel MailScanner[29319]: Spam Checks: Starting
Jul 3 19:46:55 devel MailScanner[29319]: SpamAssassin returned 0
Jul 3 19:46:56 devel MailScanner[29319]: SpamAssassin returned 0
Jul 3 19:46:59 devel MailScanner[29319]: SpamAssassin returned 0
Jul 3 19:46:59 devel MailScanner[29319]: Spam Checks completed at 8412 bytes per second
Jul 3 19:46:59 devel MailScanner[29319]: Virus and Content Scanning: Starting
Jul 3 19:46:59 devel MailScanner[29319]: Commencing scanning by clamd...
Jul 3 19:46:59 devel MailScanner[29365]: Debug Mode Is On
Jul 3 19:46:59 devel MailScanner[29365]: Use Threads : YES
Jul 3 19:46:59 devel MailScanner[29365]: IP : 127.0.0.1
Jul 3 19:46:59 devel MailScanner[29365]: Port : 3310
Jul 3 19:46:59 devel MailScanner[29365]: Lock File : NOT USED
Jul 3 19:46:59 devel MailScanner[29365]: Time Out : 300
Jul 3 19:46:59 devel MailScanner[29365]: Scan Dir : /var/spool/MailScanner/incoming/29319
Jul 3 19:46:59 devel MailScanner[29365]: Clamd : Sending PING
Jul 3 19:46:59 devel MailScanner[29365]: Clamd : GOT 'PONG'
Jul 3 19:46:59 devel MailScanner[29365]: ClamD is running
Jul 3 19:46:59 devel MailScanner[29365]: SENT : MULTISCAN /var/spool/MailScanner/incoming/29319
Jul 3 19:46:59 devel MailScanner[29319]: Completed scanning by clamd
Jul 3 19:46:59 devel MailScanner[29319]: Completed checking by /usr/local/bin/file
Jul 3 19:46:59 devel MailScanner[29319]: Virus Scanning completed at 367181 bytes per second
Jul 3 19:46:59 devel MailScanner[29319]: About to deliver 3 messages
Jul 3 19:46:59 devel MailScanner[29319]: Uninfected: Delivered 3 messages
Jul 3 19:46:59 devel MailScanner[29319]: Batch completed at 8175 bytes per second (55415 / 6)
Jul 3 19:46:59 devel MailScanner[29319]: Batch (3 messages) processed in 6.78 seconds
Jul 3 19:46:59 devel MailScanner[29319]: Logging message l642kYcl029232 to SQL
Jul 3 19:46:59 devel MailScanner[29319]: Logging message l642kPu9029221 to SQL
Jul 3 19:46:59 devel MailScanner[29319]: Logging message l642juvd029134 to SQL
Jul 3 19:46:59 devel MailScanner[29319]: "Always Looked Up Last" took 0.01 seconds
Jul 3 19:46:59 devel MailScanner[29319]: Config: calling custom end function SQLBlacklist
Jul 3 19:46:59 devel MailScanner[29319]: Closing down by-domain spam blacklist
Jul 3 19:46:59 devel MailScanner[29319]: Config: calling custom end function MailWatchLogging
Jul 3 19:46:59 devel MailScanner[29319]: Config: calling custom end function SQLWhitelist
Jul 3 19:46:59 devel MailScanner[29319]: Closing down by-domain spam whitelist
Jul 3 19:46:59 devel MailScanner[29319]: MailScanner child dying of old age
Jul 3 19:46:59 devel MailScanner[29327]: l642kYcl029232: Logged to MailWatch SQL
Jul 3 19:46:59 devel MailScanner[29327]: l642kPu9029221: Logged to MailWatch SQL
Jul 3 19:46:59 devel MailScanner[29327]: l642juvd029134: Logged to MailWatch SQL
Jul 3 19:49:08 devel MailScanner[29637]: MailScanner E-Mail Virus Scanner version 4.61.7 starting...

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From R.Sterenborg at netsourcing.nl Fri Jul 6 10:45:46 2007
From: R.Sterenborg at netsourcing.nl (Rob Sterenborg)
Date: Fri Jul 6 10:47:33 2007
Subject: Commercial scanner clamav timed out!
In-Reply-To: <39539ed9b640e64582f34f5e5ee68224@solidstatelogic.com>
References: <290316.6797.qm@web54401.mail.yahoo.com> <39539ed9b640e64582f34f5e5ee68224@solidstatelogic.com>
Message-ID: <74ACEB3E6A055643A89B8CEC74C7BF2488E0C4@WISENT.dcyb.net>

> Wilson
>
> Have a look at the clamd.conf for timeout settings!

Maybe I'm overlooking something, but I don't see clamd mentioned
anywhere so I'm guessing clamscan is used, of which I've recently seen
some post saying it's timing out.

OP: Switch to either clamdscan or clamavmodule if you're using clamscan.

Grts,
Rob

>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
>> bounces@lists.mailscanner.info] On Behalf Of Wilson Kwok
>> Sent: 06 July 2007 07:48
>> To: mailscanner@lists.mailscanner.info
>> Subject: Commercial scanner clamav timed out!
>>
>> Hello,
>>
>> Environment: postfix-2.2.10-1.1.el4 +
> MailScanner-perl-MIME-Base64-3.05-5
>> + clamav-0.90.3-1.el4.rf + spamassassin-3.2.1-1.el4.rf
>>
>> MailScanner always sent logs, can anyone help me ?
>>
>>
>> Log here:
>> Jul 6 11:36:39 mailgateway MailScanner[20662]: Commercial scanner
>> clamav timed out!
>> Jul 6 11:36:39 mailgateway MailScanner[20662]: clamav: Failed to
>> complete, timed out
>> Jul 6 11:36:39 mailgateway MailScanner[20662]: Virus Scanning:
>> Denial Of Service attack detected!
>> Jul 6 11:37:30 mailgateway MailScanner[20659]: Commercial scanner
>> clamav timed out!
>> Jul 6 11:37:30 mailgateway MailScanner[20659]: clamav: Failed to
>> complete, timed out
>> Jul 6 11:37:30 mailgateway MailScanner[20659]: Virus Scanning:
>> Denial Of Service attack detected!
>> Jul 6 11:38:34 mailgateway MailScanner[20121]: Commercial scanner
>> clamav timed out!
>> Jul 6 11:38:34 mailgateway MailScanner[20121]: clamav: Failed to
>> complete, timed out
>> Jul 6 11:38:34 mailgateway MailScanner[20121]: Virus Scanning:
>> Denial Of Service attack is in message 80B8741821F.81DD6
>> Jul 6 11:38:34 mailgateway MailScanner[20121]: Infected message
>> 80B8741821F.81DD6 came from 200.86.17.36
>> Jul 6 11:39:44 mailgateway MailScanner[20428]: Commercial scanner
>> clamav timed out!
>> Jul 6 11:39:44 mailgateway MailScanner[20428]: clamav: Failed to
>> complete, timed out

From MailScanner at ecs.soton.ac.uk Fri Jul 6 10:48:51 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 6 10:51:19 2007
Subject: New config parameters
In-Reply-To: <02aa01c7bf7a$7fc794d0$0301a8c0@SAHOMELT>
References: <02aa01c7bf7a$7fc794d0$0301a8c0@SAHOMELT>
Message-ID: <468E1003.8090809@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes it would be lost. But it rebuilds so fast it's not worth worrying
about. The gain in speed more than outweighs this.

Rick Cooper wrote:
> I downloaded the latest stable today and noticed some changes in reference
> to changing the incoming work dir. The following seems like it should be a
> bit more detailed:
>
> # NOTE: If you change this, you should change these too:
> # NOTE: SpamAssassin Temporary Dir
> # NOTE: SpamAssassin Cache Database File
>
> If I place the SA temp dir and MailScanner incoming Work Dir on a tmpfs file
> system I wouldn't think I would want the SpamAssassin Cache DataBase placed
> there as well as it would be lost between system reboots would it not?
>
>
> Rick
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGjhAEEfZZRxQVtlQRAvU8AKD8vcegUbULZk13T/0/C6N2TBmMhACbB54p
aWxp3O4GHXVOtwTD2fOwR+Y=
=syaQ
-----END PGP SIGNATURE-----

From martinh at solidstatelogic.com Fri Jul 6 11:02:31 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Jul 6 11:02:34 2007
Subject: Commercial scanner clamav timed out!
In-Reply-To: <74ACEB3E6A055643A89B8CEC74C7BF2488E0C4@WISENT.dcyb.net>
Message-ID:

Ah sorry yeah switch to clamd. Clamscan takes a huge amount of time to load
up...fixed in 0.91.rc releases..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Rob Sterenborg
> Sent: 06 July 2007 10:46
> To: MailScanner discussion
> Subject: RE: Commercial scanner clamav timed out!
>
> > Wilson
> >
> > Have a look at the clamd.conf for timeout settings!
>
> Maybe I'm overlooking something, but I don't see clamd mentioned
> anywhere so I'm guessing clamscan is used, of which I've recently seen
> some post saying it's timing out.
>
> OP: Switch to either clamdscan or clamavmodule if you're using clamscan.
>
>
> Grts,
> Rob
>
>
> >> -----Original Message-----
> >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> >> bounces@lists.mailscanner.info] On Behalf Of Wilson Kwok
> >> Sent: 06 July 2007 07:48
> >> To: mailscanner@lists.mailscanner.info
> >> Subject: Commercial scanner clamav timed out!
> >>
> >> Hello,
> >>
> >> Environment: postfix-2.2.10-1.1.el4 +
> > MailScanner-perl-MIME-Base64-3.05-5
> >> + clamav-0.90.3-1.el4.rf + spamassassin-3.2.1-1.el4.rf
> >>
> >> MailScanner always sent logs, can anyone help me ?
> >>
> >>
> >> Log here:
>
> >> Jul 6 11:36:39 mailgateway MailScanner[20662]: Commercial scanner
> >> clamav timed out!
> >> Jul 6 11:36:39 mailgateway MailScanner[20662]: clamav: Failed to
> >> complete, timed out
> >> Jul 6 11:36:39 mailgateway MailScanner[20662]: Virus Scanning:
> >> Denial Of Service attack detected!
>
> >> Jul 6 11:37:30 mailgateway MailScanner[20659]: Commercial scanner
> >> clamav timed out!
> >> Jul 6 11:37:30 mailgateway MailScanner[20659]: clamav: Failed to
> >> complete, timed out
> >> Jul 6 11:37:30 mailgateway MailScanner[20659]: Virus Scanning:
> >> Denial Of Service attack detected!
>
> >> Jul 6 11:38:34 mailgateway MailScanner[20121]: Commercial scanner
> >> clamav timed out!
> >> Jul 6 11:38:34 mailgateway MailScanner[20121]: clamav: Failed to
> >> complete, timed out
> >> Jul 6 11:38:34 mailgateway MailScanner[20121]: Virus Scanning:
> >> Denial Of Service attack is in message 80B8741821F.81DD6
> >> Jul 6 11:38:34 mailgateway MailScanner[20121]: Infected message
> >> 80B8741821F.81DD6 came from 200.86.17.36
>
> >> Jul 6 11:39:44 mailgateway MailScanner[20428]: Commercial scanner
> >> clamav timed out!
> >> Jul 6 11:39:44 mailgateway MailScanner[20428]: clamav: Failed to
> >> complete, timed out

From gerard at seibercom.net Fri Jul 6 11:22:16 2007
From: gerard at seibercom.net (Gerard)
Date: Fri Jul 6 11:22:05 2007
Subject: Postfix Address Verification
In-Reply-To: <74ACEB3E6A055643A89B8CEC74C7BF2488E0C3@WISENT.dcyb.net>
References: <468D77B2.8020109@rheelweb.co.nz> <74ACEB3E6A055643A89B8CEC74C7BF2488E0C3@WISENT.dcyb.net>
Message-ID: <20070706061414.C5CF.GERARD@seibercom.net>

On July 06, 2007 at 01:55AM Rob Sterenborg wrote:

> Just a thought before going there: I didn't see much of your PF config
> on this list apart from some snippets (that doesn't automagically mean
> that I would be able to help you if you did post more of it). I can
> understand that and it is your good right not to show it but it's hard
> to support a config you don't fully know.
> When going to the Postfix list, be prepared to explain what you've
> already done and to post the (sanitized) output of postconf -n, maybe
> other (sanitized) information. The problem may be completely something
> else that we haven't thought of because the rest of the PF config is
> unknown to us. Some PF guru on that list will most likely want to see it
> to support you.

From personal experience, if you post the 'sanitized' version of
"postconf -n" rather than the full output of that command, you leave
yourself open to abuse.

If you do decide to obscure domain names, be sure to do it
consistently throughout the file. DO NOT obscure IP addresses.

It would behoove you to post the complete output of:

1) postconf -n
2) Complete list of modifications to master.cf
3) Relevant mail log entries.

You may need to run Postfix in debug mode. Someone will inevitably
inform you of that detail if it needs to be done.

As a long time user of Postfix, I can attest to the assistance I have
received on their forum, provided I played by their rules.

Good luck!

--
Gerard

From R.Sterenborg at netsourcing.nl Fri Jul 6 11:50:10 2007
From: R.Sterenborg at netsourcing.nl (Rob Sterenborg)
Date: Fri Jul 6 11:52:17 2007
Subject: Postfix Address Verification
In-Reply-To: <20070706061414.C5CF.GERARD@seibercom.net>
References: <468D77B2.8020109@rheelweb.co.nz><74ACEB3E6A055643A89B8CEC74C7BF2488E0C3@WISENT.dcyb.net> <20070706061414.C5CF.GERARD@seibercom.net>
Message-ID: <74ACEB3E6A055643A89B8CEC74C7BF2488E0C7@WISENT.dcyb.net>

>> Just a thought before going there: I didn't see much of your PF
>> config on this list apart from some snippets (that doesn't
>> automagically mean that I would be able to help you if you did post
>> more of it). I can understand that and it is your good right not to
>> show it but it's hard to support a config you don't fully know.
>> When going to the Postfix list, be prepared to explain what you've
>> already done and to post the (sanitized) output of postconf -n, maybe
>> other (sanitized) information. The problem may be completely
>> something else that we haven't thought of because the rest of the PF
>> config is unknown to us. Some PF guru on that list will most likely
>> want to see it to support you.
>
>
> From personal experience, if you post the 'sanitized' version of
> "postconf -n" rather than the full output of that command, you leave
> yourself open to abuse.

I'm sorry if I wasn't clear on that; I'm not native English: I guess
"sanitize" was not the correct word.. I meant to say what you are saying
below but your comment is more in depth.

What I don't understand however, is how I would be open to abuse by
sending a sanitized version of postconf -n instead of the original
output. The full original output certainly can contain information you
don't want to spread on the list. With sanitized I meant that the output
of postconf -n would have that information obfuscated.

> If you do decide to obscure domain names, be sure to do it
> consistently throughout the file. DO NOT obscure IP addresses.
>
> It would behoove you to post the complete output of:
>
> 1) postconf -n
> 2) Complete list of modifications to master.cf
> 3) Relevant mail log entries.
>
> You may need to run Postfix in debug mode. Someone will inevitably
> inform you of that detail if it needs to be done.
>
> As a long time user of Postfix, I can attest to the assistance I have
> received on their forum, provided I played by their rules.

Grts,
Rob

From gerard at seibercom.net Fri Jul 6 12:19:11 2007
From: gerard at seibercom.net (Gerard)
Date: Fri Jul 6 12:18:58 2007
Subject: Postfix Address Verification
In-Reply-To: <74ACEB3E6A055643A89B8CEC74C7BF2488E0C7@WISENT.dcyb.net>
References: <20070706061414.C5CF.GERARD@seibercom.net> <74ACEB3E6A055643A89B8CEC74C7BF2488E0C7@WISENT.dcyb.net>
Message-ID: <20070706071038.1D6C.GERARD@seibercom.net>

On July 06, 2007 at 06:50AM Rob Sterenborg wrote:

[snip]

> I'm sorry if I wasn't clear on that; I'm not native English: I guess
> "sanitize" was not the correct word.. I meant to say what you are saying
> below but your comment is more in depth.
>
> What I don't understand however, is how I would be open to abuse by
> sending a sanitized version of postconf -n instead of the original
> output. The full original output certainly can contain information you
> don't want to spread on the list. With sanitized I meant that the output
> of postconf -n would have that information obfuscated.

We are probably talking about the same thing. I was under the impression
that you meant for the OP to send only selected portions of the output
of 'postconf -n' rather than the entire output.

The problem is that so many users, especially those using 'virtual'
addressing, or anything to do with 'virtual', redact the file so badly
that nobody is able to easily spot where the problem is. To obscure a
domain name, when the poster is in fact using that same name in his/her
email address is ridiculous.

In any case, the more complete the information that is supplied is, the
better chance of getting a satisfactory response.

--
Gerard

From rcooper at dwford.com Fri Jul 6 12:19:00 2007
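Added example (not part of the original thread): one way to follow the advice above when redacting `postconf -n` output, replacing each domain with the same placeholder everywhere while leaving IP addresses and file paths untouched. The sample configuration, the `sanitize` helper and the `domainN.example` placeholders are constructed for this example.

```python
import re

# Hostname-like token whose last label is alphabetic, so IPv4 addresses and
# CIDR ranges never match. The lookbehind skips file names inside paths
# (/etc/postfix/main.cf) and the tail of a longer name.
NAME_RE = re.compile(
    r"(?<![\w./-])((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,})(?![\w-])",
    re.IGNORECASE,
)

# Constructed `postconf -n` excerpt; every name and address is made up,
# except the public DNSBL zone that is deliberately left readable.
SAMPLE = """\
always_bcc = archive@corp-mail.test
mydomain = corp-mail.test
myhostname = mx1.corp-mail.test
mydestination = $myhostname, localhost.$mydomain, corp-mail.test
mynetworks = 127.0.0.0/8, 192.0.2.0/24
relayhost = [smtp.upstream-isp.test]:587
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_rbl_client zen.spamhaus.org
virtual_alias_maps = hash:/etc/postfix/virtual
"""


def sanitize(text, keep=frozenset()):
    """Return (redacted_text, mapping) with consistent domain placeholders.

    `keep` lists public zones (for example DNSBLs) that stay readable,
    including their subdomains. Host labels in front of a redacted domain
    and mailbox local parts are left as they are.
    """
    def is_kept(name):
        return any(name == k or name.endswith("." + k) for k in keep)

    names = {m.group(1).lower() for m in NAME_RE.finditer(text)}
    names = {n for n in names if not is_kept(n)}

    def base_of(name):
        # The shortest dot-suffix that also appears on its own is the unit
        # that gets a placeholder, so mx1.X and X stay visibly related.
        labels = name.split(".")
        for i in range(len(labels) - 1, -1, -1):
            candidate = ".".join(labels[i:])
            if candidate in names:
                return candidate
        return name

    mapping = {}

    def replace(match):
        name = match.group(1).lower()
        if is_kept(name):
            return match.group(1)
        base = base_of(name)
        if base not in mapping:
            mapping[base] = f"domain{len(mapping) + 1}.example"
        prefix = name[: len(name) - len(base)]  # "mx1." or ""
        return prefix + mapping[base]

    return NAME_RE.sub(replace, text), mapping


if __name__ == "__main__":
    redacted, table = sanitize(SAMPLE, keep={"spamhaus.org"})
    print(redacted)
    print(table)
```

Keep the returned mapping private: it is what lets the poster translate answers from the list back to the real names.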
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Jul 6 12:19:06 2007
Subject: clamd configuration?
In-Reply-To:
References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com>
Message-ID: <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Jason Ede
> Sent: Friday, July 06, 2007 5:42 AM
> To: MailScanner discussion
> Subject: RE: clamd configuration?
>
> I had the same problem with clamd missing the attached virus
> although all looks fine through the debug apart from the
> test viruses not being detected.
>
> I've checked user and permission levels and all looks good
> as far as I can see...
>
> I've gone back to using clamavmodule for now...
>
> Oh, MailScanner is 4.61.7 and clamav is the 0.91rc2
>
> Jason
>

[...]

Apply the attached patch to SweepViruses.pm and retry clamd. You should see
an error line this time. Best guess is a minor permissions problem, could be
something else and it should still show up as an error line in the log.

Julian, this patch should be applied to SweepViruses.pm Version 4.61.7

Rick

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SweepViruses.pm.diff
Type: application/octet-stream
Size: 1100 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070706/9d17e69e/SweepViruses.pm.obj

From glenn.steen at gmail.com Fri Jul 6 13:27:54 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 6 13:27:57 2007
Subject: Whitelist issue
In-Reply-To: <733d6ede0707052334r5aa6224x215bf6d88632b88@mail.gmail.com>
References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain> <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com> <733d6ede0707052334r5aa6224x215bf6d88632b88@mail.gmail.com>
Message-ID: <223f97700707060527u1b75866fn8b2a15705b14cbc7@mail.gmail.com>

On 06/07/07, Vivek Mittal wrote:
> I've tried setting it to @eblueprint.com.au as well as
> printer@eblueprint.com.au with no luck.
>
> I did have a breakthrough today. I installed MailWatch with the hope
> of using its whitelisting feature to help with this. I sent a trial
> message from the printer and noticed that the from column is blank.
> The message headers are below. I can see a From: field there but it
> is not being picked up?!
>
> This looks more like a printer problem than a mailscanner one, but I
> need some sort of a solution to stop mailscanner marking these emails
> as spam.
>
> Return-Path: < g>
> Received: from mx06.syd.isp.net.au (mx06.syd.isp.net.au [210.50.76.235])
> by app.xyz.com.au (8.13.4/8.13.4) with ESMTP id l666dcRf010593
> for ; Fri, 6 Jul 2007 16:39:39 +1000
> Date: Fri, 6 Jul 2007 16:39:38 +1000
> X-IronPort-AV: E=Sophos;i="4.16,506,1175436000";
> d="pdf'?scan'208";a="54928259"
> Received: from 114.090.dsl.mel.isp.net.au ([211.26.244.114])
> by smtp06.syd.isp.net.au with SMTP; 06 Jul 2007 16:24:07 +1000
> From: "XYZ PTY LTD"
> To:
> Subject: Fax sent by : XYZ PTY LTD<>
> Message-ID: <1104100900>
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="__59453boundry__"
>

Right. So you don't have the envelopesender that you thought. Explains
everything perfectly.

Now, can you please consider using the IP address of the printer for
the W/L instead? This will solve your problem.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Jul 6 13:40:21 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 6 13:40:23 2007
Subject: Filename rule question
In-Reply-To: <468E09B6.10605@ti-edu.ch>
References: <468A6663.8010907@ti-edu.ch> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> <468CACEF.30202@ti-edu.ch> <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> <468CDC23.7000500@ti-edu.ch> <223f97700707051316y462cffd5ka6ce8064d614350f@mail.gmail.com> <468E09B6.10605@ti-edu.ch>
Message-ID: <223f97700707060540n7c7b022eye5700536d480541c@mail.gmail.com>

On 06/07/07, Marco Induni wrote:
> Glenn Steen wrote:
(snip)
> >>
> >>
> > To my tired eyes that doesn't look that bad... More's the pity...
> Hope now your eyes are better
:-)

> > Seems you don't install SA and Clamav by way of Jules easy package (or
> > else a lot more of the optional modules would be there)... Hm... One
> > could start installing those, of course, but I don't see them having
> > an effect.
> In fact, we use uvscan(mcafee) and sometime clamav AV, but they are
> installed apart (SA via CPAN / clamav make /make install)

Ok. I don't think you need to remove/reinstall with Jules package... It
does more or less those, and then adds a lot of perl modules to make
Mail::ClamAV happy. Would be passing strange if that had any impact on
this problem.

> > You did say that restoring the default filename/filetype
> > rules files and reloading/restarting MailScanner didn't have any
> > effect either? Most strange.
> Yes, it is so.

This makes me think there is something seriously wrong here... And
perhaps not _directly_ related to the rule file used... Unless of
course the files aren't readable or something strange like that...
Nah, probably not.

> > How did you install the MIME::* packages? Via jules installer or via
> > distro or CPAN?
> Via jules. I've installed the new version a couple of days ago.
>

You could try reinstalling them (force them from CPAN or something), just
to see that they build/install OK...

Apart from this, you don't see any strange log entries in the normal syslog?
We really need to get a handle on what is going bonkers here.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Fri Jul 6 14:26:53 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 6 14:31:25 2007 Subject: Commercial scanner clamav timed out! In-Reply-To: <290316.6797.qm@web54401.mail.yahoo.com> References: <290316.6797.qm@web54401.mail.yahoo.com> Message-ID: <468E431D.6020206@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The current version of the clamscan binary (as used by the "clamav" scanner setting) takes a very long time to load the virus signatures. Either a) Increase the timeout (not good) b) Install the 0.91rc2 version of ClamAV as this loads and starts much faster c) Use the "clamavmodule" scanner setting together with the ClamAV+SA package available from www.mailscanner.info d) Use the "clamd" scanner setting together with the clamd RPM available from dag.wieers.com. This is probably the best answer. Go for (d) first. Wilson Kwok wrote: > Hello, > Environment: postfix-2.2.10-1.1.el4 + MailScanner-perl-MIME-Base64-3.05-5 > + clamav-0.90.3-1.el4.rf + spamassassin-3.2.1-1.el4.rf > MailScanner always sent logs, can anyone help me ? > Log here: > Jul 6 11:36:39 mailgateway MailScanner[20662]: Commercial scanner > clamav timed out! > Jul 6 11:36:39 mailgateway MailScanner[20662]: clamav: Failed to > complete, timed out > Jul 6 11:36:39 mailgateway MailScanner[20662]: Virus Scanning: Denial > Of Service attack detected! > Jul 6 11:37:30 mailgateway MailScanner[20659]: Commercial scanner > clamav timed out! > Jul 6 11:37:30 mailgateway MailScanner[20659]: clamav: Failed to > complete, timed out > Jul 6 11:37:30 mailgateway MailScanner[20659]: Virus Scanning: Denial > Of Service attack detected! > Jul 6 11:38:34 mailgateway MailScanner[20121]: Commercial scanner > clamav timed out! 
> Jul 6 11:38:34 mailgateway MailScanner[20121]: clamav: Failed to
> complete, timed out
> Jul 6 11:38:34 mailgateway MailScanner[20121]: Virus Scanning: Denial
> Of Service attack is in message 80B8741821F.81DD6
> Jul 6 11:38:34 mailgateway MailScanner[20121]: Infected message
> 80B8741821F.81DD6 came from 200.86.17.36
> Jul 6 11:39:44 mailgateway MailScanner[20428]: Commercial scanner
> clamav timed out!
> Jul 6 11:39:44 mailgateway MailScanner[20428]: clamav: Failed to
> complete, timed out
>

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Comment: (pgp-secured)
Charset: Big5

wj8DBQFGjkMeEfZZRxQVtlQRAtkZAJwIJBRTTIwnUdm50QbTmUuSLZYbDgCg2ZCM
r8wijAqQKh5Ju2VcowsLD7o=
=A6/H
-----END PGP SIGNATURE-----

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Fri Jul 6 14:28:07 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 6 14:32:40 2007
Subject: Commercial scanner clamav timed out!
In-Reply-To: <74ACEB3E6A055643A89B8CEC74C7BF2488E0C4@WISENT.dcyb.net>
References: <290316.6797.qm@web54401.mail.yahoo.com> <39539ed9b640e64582f34f5e5ee68224@solidstatelogic.com> <74ACEB3E6A055643A89B8CEC74C7BF2488E0C4@WISENT.dcyb.net>
Message-ID: <468E4367.7060805@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rob Sterenborg wrote:
>> Wilson
>>
>> Have a look at the clamd.conf for timeout settings!
>>
>
> Maybe I'm overlooking something, but I don't see clamd mentioned
> anywhere so I'm guessing clamscan is used, of which I've recently seen
> some post saying it's timing out.
>
> OP: Switch to either clamdscan or clamavmodule if you're using clamscan.
>
>
I do not support use of clamdscan. If you want to use clamd then upgrade to version 4.61 and use the direct clamd support. Editing *-wrapper scripts is not recommended.

> Grts,
> Rob
>
>
>
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>> bounces@lists.mailscanner.info] On Behalf Of Wilson Kwok >>> Sent: 06 July 2007 07:48 >>> To: mailscanner@lists.mailscanner.info >>> Subject: Commercial scanner clamav timed out! >>> >>> Hello, >>> >>> Environment: postfix-2.2.10-1.1.el4 + >>> >> MailScanner-perl-MIME-Base64-3.05-5 >> >>> + clamav-0.90.3-1.el4.rf + spamassassin-3.2.1-1.el4.rf >>> >>> MailScanner always sent logs, can anyone help me ? >>> >>> >>> Log here: >>> > > >>> Jul 6 11:36:39 mailgateway MailScanner[20662]: Commercial scanner >>> clamav timed out! >>> Jul 6 11:36:39 mailgateway MailScanner[20662]: clamav: Failed to >>> complete, timed out >>> Jul 6 11:36:39 mailgateway MailScanner[20662]: Virus Scanning: >>> Denial Of Service attack detected! >>> > > >>> Jul 6 11:37:30 mailgateway MailScanner[20659]: Commercial scanner >>> clamav timed out! >>> Jul 6 11:37:30 mailgateway MailScanner[20659]: clamav: Failed to >>> complete, timed out >>> Jul 6 11:37:30 mailgateway MailScanner[20659]: Virus Scanning: >>> Denial Of Service attack detected! >>> > > >>> Jul 6 11:38:34 mailgateway MailScanner[20121]: Commercial scanner >>> clamav timed out! >>> Jul 6 11:38:34 mailgateway MailScanner[20121]: clamav: Failed to >>> complete, timed out >>> Jul 6 11:38:34 mailgateway MailScanner[20121]: Virus Scanning: >>> Denial Of Service attack is in message 80B8741821F.81DD6 >>> Jul 6 11:38:34 mailgateway MailScanner[20121]: Infected message >>> 80B8741821F.81DD6 came from 200.86.17.36 >>> > > >>> Jul 6 11:39:44 mailgateway MailScanner[20428]: Commercial scanner >>> clamav timed out! >>> Jul 6 11:39:44 mailgateway MailScanner[20428]: clamav: Failed to >>> complete, timed out >>> Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFGjkNnEfZZRxQVtlQRAj/xAJ0dWXhb+eG+bjAxsxE5jKgbUY4ZaACfU8ac
/I7s2YixwXEmn5woML2Xecc=
=hlL3
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Fri Jul 6 14:30:58 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 6 14:35:33 2007
Subject: clamd configuration?
In-Reply-To: <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT>
References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com> <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT>
Message-ID: <468E4412.4080609@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rick,

Minor points:
1) I use 2-character indentation, and no tab characters
2) Please do "print STDERR" and not just "print". It will just make my life easier, many thanks!

Cheers for the patch, it will be in the next release.

Jules.

Rick Cooper wrote:
> > > > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > Behalf Of Jason Ede > > Sent: Friday, July 06, 2007 5:42 AM > > To: MailScanner discussion > > Subject: RE: clamd configuration? > > > > I had the same problem with clamd missing the attached virus > > although all looks fine through the debug apart from the > > test viruses not being detected. > > > > I've checked user and permission levels and all looks good > > as far as I can see... > > > > I've gone back to using clamavmodule for now... > > > > Oh, MailScanner is 4.61.7 and clamav is the 0.91rc2 > > > > Jason > > > [...] > > Apply the attached patch to SweepViruses.pm and retry clamd. You should see > an error line this time. Best guess is a minor permissions problem, could be > something else and it should still show up as an error line in the log. > > Julian, > this patch should be applied to SweepViruses.pm Version 4.61.7 > > Rick > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFGjkQTEfZZRxQVtlQRAnqdAJ4wr9DGAmlR3NLsr5jZF7qG+gcfgACgtGES MSfc8rkNX8UENGhVTsvciEI= =+73O -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Fri Jul 6 14:33:57 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 6 14:37:09 2007 Subject: clamd configuration? In-Reply-To: <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com> <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> Message-ID: <468E44C5.2010006@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Oops, apology owed. Didn't read the patch carefully enough before replying. Please take back all my comments in the previous email (except the one about the patch being in the next release!). Sorry! :-( Jules. Rick Cooper wrote: > > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > Behalf Of Jason Ede > > Sent: Friday, July 06, 2007 5:42 AM > > To: MailScanner discussion > > Subject: RE: clamd configuration? > > > > I had the same problem with clamd missing the attached virus > > although all looks fine through the debug apart from the > > test viruses not being detected. > > > > I've checked user and permission levels and all looks good > > as far as I can see... > > > > I've gone back to using clamavmodule for now... > > > > Oh, MailScanner is 4.61.7 and clamav is the 0.91rc2 > > > > Jason > > > [...] > > Apply the attached patch to SweepViruses.pm and retry clamd. You should see > an error line this time. Best guess is a minor permissions problem, could be > something else and it should still show up as an error line in the log. > > Julian, > this patch should be applied to SweepViruses.pm Version 4.61.7 > > Rick > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFGjkTGEfZZRxQVtlQRAo9lAKCS6+8ktQTrhOcJ1LOb/8fVWA2nvwCePrBQ +71Me/Hm11WpAllyiql+8ys= =SHub -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From j.ede at birchenallhowden.co.uk Fri Jul 6 14:38:08 2007 
From: j.ede at birchenallhowden.co.uk (Jason Ede) Date: Fri Jul 6 14:38:23 2007 Subject: clamd configuration? In-Reply-To: <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com> <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> Message-ID: Ok... I'm getting an unknown error returned now... Jason Jul 6 14:36:28 gateway MailScanner[19018]: Commencing scanning by clamd... Jul 6 14:36:28 gateway MailScanner[19070]: Debug Mode Is On Jul 6 14:36:28 gateway MailScanner[19070]: Use Threads : NO Jul 6 14:36:28 gateway MailScanner[19070]: Socket : /tmp/clamd Jul 6 14:36:28 gateway MailScanner[19070]: IP : Using Sockets Jul 6 14:36:28 gateway MailScanner[19070]: Lock File : NOT USED Jul 6 14:36:28 gateway MailScanner[19070]: Time Out : 300 Jul 6 14:36:28 gateway MailScanner[19070]: Scan Dir : /var/spool/MailScanner/incoming/19018 Jul 6 14:36:28 gateway MailScanner[19070]: Clamd : Sending PING Jul 6 14:36:28 gateway MailScanner[19070]: Clamd : GOT 'PONG' Jul 6 14:36:28 gateway MailScanner[19070]: ClamD is running Jul 6 14:36:28 gateway MailScanner[19070]: SENT : CONTSCAN /var/spool/MailScanner/incoming/19018 Jul 6 14:36:28 gateway MailScanner[19018]: ERROR::UNKOWN CLAMD RETURN ./lstat() failed. 
ERROR :: /var/spool/MailScanner/incoming/19018 Jul 6 14:36:29 gateway MailScanner[19018]: Completed scanning by clamd Jul 6 14:36:29 gateway MailScanner[19018]: Virus Scanning: Clamd found 1 infections Jul 6 14:36:29 gateway MailScanner[19018]: Virus Scanning: Found 1 viruses Jul 6 14:36:29 gateway MailScanner[19018]: Filename Checks: Windows/DOS Executable (76144968599.30A99 eicar.com) Jul 6 14:36:29 gateway MailScanner[19018]: Filename Checks: Windows/DOS Executable (3D8D3968598.E288F eicar.com) Jul 6 14:36:29 gateway MailScanner[19018]: Filename Checks: Windows/DOS Executable (946219685A0.5F3A4 eicar.com) Jul 6 14:36:29 gateway MailScanner[19018]: Completed checking by /usr/bin/file Jul 6 14:36:29 gateway MailScanner[19018]: Other Checks: Found 3 problems -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick Cooper Sent: 06 July 2007 12:19 To: 'MailScanner discussion' Subject: RE: clamd configuration? > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Jason Ede > Sent: Friday, July 06, 2007 5:42 AM > To: MailScanner discussion > Subject: RE: clamd configuration? > > I had the same problem with clamd missing the attached virus > although all looks fine through the debug apart from the > test viruses not being detected. > > I've checked user and permission levels and all looks good > as far as I can see... > > I've gone back to using clamavmodule for now... > > Oh, MailScanner is 4.61.7 and clamav is the 0.91rc2 > > Jason > [...] Apply the attached patch to SweepViruses.pm and retry clamd. You should see an error line this time. Best guess is a minor permissions problem, could be something else and it should still show up as an error line in the log. Julian, this patch should be applied to SweepViruses.pm Version 4.61.7 Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From rcooper at dwford.com Fri Jul 6 14:52:49 2007 From: rcooper at dwford.com (Rick Cooper) Date: Fri Jul 6 14:52:54 2007 Subject: clamd configuration? In-Reply-To: <468E44C5.2010006@ecs.soton.ac.uk> References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com> <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> <468E44C5.2010006@ecs.soton.ac.uk> Message-ID: <00da01c7bfd4$f150e110$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Julian Field > Sent: Friday, July 06, 2007 9:34 AM > To: MailScanner discussion > Subject: Re: clamd configuration? > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Oops, apology owed. > Didn't read the patch carefully enough before replying. > Please take back all my comments in the previous email > (except the one > about the patch being in the next release!). > > Sorry! :-( > Jules. Whew! I thought I had used the proper indent and made sure there were no tabs this time! I guessed that you were mistaken about the print STDERR (since the parser wouldn't see that n'est-ce pas?) No problem, thanks Rick > > Rick Cooper wrote: > > > > > > > -----Original Message----- 
> > > From: mailscanner-bounces@lists.mailscanner.info > > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > > Behalf Of Jason Ede > > > Sent: Friday, July 06, 2007 5:42 AM > > > To: MailScanner discussion > > > Subject: RE: clamd configuration? > > > > > > I had the same problem with clamd missing the attached virus > > > although all looks fine through the debug apart from the > > > test viruses not being detected. > > > > > > I've checked user and permission levels and all looks good > > > as far as I can see... > > > > > > I've gone back to using clamavmodule for now... > > > > > > Oh, MailScanner is 4.61.7 and clamav is the 0.91rc2 > > > > > > Jason > > > > > [...] > > > > Apply the attached patch to SweepViruses.pm and retry > clamd. You should see > > an error line this time. Best guess is a minor permissions > problem, could be > > something else and it should still show up as an error > line in the log. > > > > Julian, > > this patch should be applied to SweepViruses.pm Version 4.61.7 > > > > Rick > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > > > > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from > your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > Comment: (pgp-secured) > Charset: ISO-8859-1 > > wj8DBQFGjkTGEfZZRxQVtlQRAo9lAKCS6+8ktQTrhOcJ1LOb/8fVWA2nvwCePrBQ > +71Me/Hm11WpAllyiql+8ys= > =SHub > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From rcooper at dwford.com Fri Jul 6 15:16:32 2007 From: rcooper at dwford.com (Rick Cooper) Date: Fri Jul 6 15:16:38 2007 Subject: clamd configuration? In-Reply-To: References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com><468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com><00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> Message-ID: <00e101c7bfd8$417646a0$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Jason Ede
> Sent: Friday, July 06, 2007 9:38 AM
> To: MailScanner discussion
> Subject: RE: clamd configuration?
>
> Ok... I'm getting an unknown error returned now...
>
> Jason
>
[...]
> Jul 6 14:36:28 gateway MailScanner[19018]: ERROR::UNKOWN
> CLAMD RETURN ./lstat() failed. ERROR ::
[...]

This is (almost) certainly a permissions problem. It could, of course, be the working dir/files are gone but that is pretty close to impossible since the mail processing continues.

What user/group is clamd running as?
What User/Group owns the incoming work dir? (MS Config incoming Work User = incoming Work Group =)

My guess is they are different.

Solutions:

1. Run clamd as root
2. Set the Incoming Work Group to the clamd user group and set Incoming Work Permissions = 0640 (or 0660)
3. Add clamd user to the MailScanner user group and set AllowSupplementaryGroups to yes (must be started by root)

I would opt for options 1 or 2 (Don't forget the Incoming Work Permissions = 0640 part!)

I haven't been able to find what exactly triggers "lstat() failed" versus "permission denied" in ClamAV, but both are generally permissions related, although the lstat problem can happen if a temporary file is removed before clamd gets to it... This should/could never happen with MailScanner.

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From donald.dawson at bakerbotts.com Fri Jul 6 15:38:56 2007
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com) Date: Fri Jul 6 15:39:06 2007 Subject: FW: gofer (stock spam) Message-ID: This may have already been addressed, but is there a released rule set or add-on that would help in identifying these type of stock spam emails? We use MailScanner 4.59.4 (MailScanner-v: 3.002000 Mail::SpamAssassin), SpamAssassin 3.2 (SpamAssassin -V), Perl 5.8.5, DCC, Pyzor. We run sa-update and RulesDuJour for automatic updates. We turned off Razor since it was causing delays in processing mail. In MailScanner, we turned off SpamHaus since we process too much email - it appears it was just raising the score of high spam: 'Spam List = SBL+XBL' We also use milter-greylist during the hours of 10 PM and 5 AM. We use milter-null (snert) to reduce bounce backs. We receive about 300k emails a day with about 70% identified as spam. We deliver about 5% of the suspected spam (score below 5). I am considering adding the botnet plugin from: http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar and have added a fake MX entry. We use BAYES, but we don't feed spam or ham so it may have little help. 
Here are the cf files we use in /etc/mail/spamassassin:

00_FVGT_File001.cf 70_sare_header_eng.cf 70_sare_specific.cf 70_sare_whitelist_rcvd.cf bakerbotts.cf popcorn_new.cf
70_sare_adult.cf 70_sare_highrisk.cf 70_sare_spoof.cf 70_sare_whitelist_spf.cf bogus-virus-warnings.cf random.cf
70_sare_bayes_poison_nxm.cf 70_sare_html0.cf 70_sare_stocks.cf 70_zmi_german.cf chickenpox.cf tripwire.cf
70_sare_evilnum0.cf 70_sare_html_eng.cf 70_sare_unsub.cf 72_sare_bml_post25x.cf local.cf weeds.cf
70_sare_genlsubj0.cf 70_sare_obfu0.cf 70_sare_uri0.cf 72_sare_redirect_post3.0.0.cf mailscanner.cf
70_sare_genlsubj_eng.cf 70_sare_oem.cf 70_sare_uri_eng.cf 88_FVGT_headers.cf mangled.cf
70_sare_header0.cf 70_sare_random.cf 70_sare_whitelist.cf 99_sare_fraud_post25x.cf pdfinfo.cf

plugins from init.pre:

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
loadplugin Mail::SpamAssassin::Plugin::Hashcash
loadplugin Mail::SpamAssassin::Plugin::SPF
loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
loadplugin Mail::SpamAssassin::Plugin::AWL
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
loadplugin Mail::SpamAssassin::Plugin::TextCat
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags
loadplugin Mail::SpamAssassin::Plugin::PDFInfo

I don't understand why the SA files are loaded into /var/lib/spamassassin/3.002000... instead of /usr/share/spamassassin:

/usr/bin/spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint:

[17634] dbg: config: fixed relative path: /var/lib/spamassassin/3.002000/updates_spamassassin_org/10_default_prefs.cf
[17634] dbg: config: using "/var/lib/spamassassin/3.002000/updates_spamassassin_org/10_default_prefs.cf" for included file

Any input on our configuration would be appreciated - I enjoy this and the spamassassin forums.
Donald Donald Dawson Security Administrator Baker Botts L.L.P. 713-229-2183 ------------------------------------------------------------------------ -------------------------- -------------------------- HEADERS: -------------------------- Microsoft Mail Internet Headers Version 2.0 Received: from houfe01node01.bakerbotts.net ([10.20.254.151]) by HOUEVS02.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211); Thu, 5 Jul 2007 09:42:54 -0500 Received: from housweep03.bakerbotts.net ([10.20.254.246]) by houfe01node01.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211); Thu, 5 Jul 2007 09:42:54 -0500 Received: from housweep01.bakerbotts.net (housweep01.bakerbotts.net [10.20.254.236]) by housweep03.bakerbotts.net (Content Technologies SMTPRS 4.3.20) with ESMTP id for ; Thu, 5 Jul 2007 09:42:53 -0500 Received: from houmx05.bakerbotts.com (houmx05-inside.bakerbotts.net) by housweep01.bakerbotts.net (Content Technologies SMTPRS 4.3.20) with ESMTP id for ; Thu, 5 Jul 2007 09:42:53 -0500 X-Envelope-From: cgl@vsnl.net Received: from hdxkxu ([211.201.113.55]) by houmx05.bakerbotts.com (8.13.8/8.13.5) with SMTP id l65EgeXO005996 for ; Thu, 5 Jul 2007 09:42:49 -0500 Received: from [203.176.133.112] (helo=lqiv) by hdxkxu with smtp (Exim 4.62 (FreeBSD)) id 1I6Tgu-0004b8-KB; Thu, 5 Jul 2007 23:45:06 +0900 Message-ID: <468D035C.7050006@vsnl.net> Date: Thu, 5 Jul 2007 23:42:36 +0900 
From: "Nell B. Velasquez" User-Agent: Thunderbird 1.5.0.12 (Windows/20070509) MIME-Version: 1.0 To: donald.dawson@bakerbotts.com Subject: gofer Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Null-Tag: 28934f0720308f41d1b0b26ca91189b7 X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-3.0rc3 (houmx05.bakerbotts.com [204.194.98.17]); Thu, 05 Jul 2007 09:42:51 -0500 (CDT) X-BakerBotts-MailScanner-Information: Please contact the ISP for more information X-BakerBotts-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin (not cached, score=4.388, required 5, FH_RELAY_NODNS 1.45, RCVD_IN_BL_SPAMCOP_NET 1.96, RCVD_IN_SORBS_DUL 0.88, RDNS_NONE 0.10) X-BakerBotts-MailScanner-SpamScore: ssss X-BakerBotts-MailScanner-From: cgl@vsnl.net X-Spam-Status: Yes Return-Path: cgl@vsnl.net X-OriginalArrivalTime: 05 Jul 2007 14:42:54.0023 (UTC) FILETIME=[C5162D70:01C7BF12] -----Original Message----- 
From: Nell B. Velasquez [mailto:cgl@vsnl.net] Sent: Thursday, July 05, 2007 9:43 AM To: Dawson, Donald Subject: gofer ERMX Continues To Expand As Stock Climbs Up 16.6%! EntreMetrix Inc. (ERMX) $0.21 UP 16.6% ERMX announced further expansion with K-9 Genetics. Healthy and Premium dog foods grossed $3.6 Billion in 2006, up from $1.9 billion in previous years. Read up on ERMX over the holiday, we think you will see even more fireworks on Thursday morning! It's the kind of summer movie that's drawing families and we're very excited for its progress going into the rest of the weekend. The trend of cinematic schlock turned into musical theater is now upon us. Rio's concert, the only free one for Live Earth, would include performances by Lenny Kravitz, Macy Gray and Pharrell Williams. "My mind is in great shape. See the Magic of Disney Parks. It will be hosted by Ann Curry and Carson Daly and feature some of the day's highlights from around the world as well as live performances by the Police and others. "It's because they are people I love as women," the French-born designer told The Associated Press. Golijov went to Botswana last month at the behest of the Met and discussed the opera with Minghella on the production site of the director's latest movie project, based on "The No. The death was not considered suspicious, he said. Germany backs Cruise's anti-Hitler film - Yahoo! "Yes, it's been approved," said Christine Berg, DFFF project head at the FFA. "I'd love to work with new music because I think that's also the only way forward," he said then. broadcast and cable partner, using all of the company's assets at its disposal. " "My joke is I got to have a lot of Blue Cross," Rickles says. A brisk Fourth of July week would help Hollywood recover from a monthlong downturn that followed a huge start to summer in May. "The great fear when you work for an elephant like the Met, being there for the first time of course, is whether you can create poetry and emotion. 
com AP Photo: Director Anthony Minghella poses for photographers during arrivals to the New York premiere of 'Breaking. We could be very pleasantly surprised or it might perform as television is going to perform on that weekend," Harrison said. " When he's not working, he doesn't go to comedy clubs. "It's come around to the idea that maybe we should take this seriously. Beane notes that producers Joel Silver, Lawrence Gordon and a young development executive named Brian Grazer all helped make the original "Xanadu. MSNBC will have live reports from New York and London throughout the day. com Nome Search Powered by :: Free RSS news Add RSS news to your web site engineering news vertical portal can now be syndicated quickly and easily using our new Really Simple Syndication feeds. "Yes, it's been approved," said Christine Berg, DFFF project head at the FFA. "There will be an appropriate delay so there is no issue with standards," Harrison said. " "He has enormous qualities as a human being and an absolutely extraordinary talent for designing," Almodovar told the AP. NBC will have three hours of primetime coverage, live and taped, from Giants Stadium in East Rutherford, N. "I didn't think about making it. "I took my best shots. What happens if we change our minds? com Now Everyone Can Fly Business Class Flat Bed and British Serive. From j.ede at birchenallhowden.co.uk Fri Jul 6 15:41:43 2007 
From: j.ede at birchenallhowden.co.uk (Jason Ede) Date: Fri Jul 6 15:42:03 2007 Subject: clamd configuration? In-Reply-To: <00e101c7bfd8$417646a0$0301a8c0@SAHOMELT> References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com><468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com><00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> <00e101c7bfd8$417646a0$0301a8c0@SAHOMELT> Message-ID: ClamAV was running as user clamav and group clamav The incoming work group parameter in mailscanner.conf is set to clamav the incoming dir is owned by user postfix group clamav If I set the clamd to being run as user root then it all seems to work quite happily and detects the test viruses as below... I'll use this setup for now I think. Jason Jul 6 15:38:07 gateway MailScanner[21753]: Files hidden in very deeply nested archive in 0EC8D9685C2.D171D Jul 6 15:38:08 gateway MailScanner[21753]: Password-protected archive (eicarpasswdocr.zip) in 44B169685CE.1FA20 Jul 6 15:38:08 gateway postfix/smtpd[21683]: connect from unknown[58.186.231.112] Jul 6 15:38:08 gateway MailScanner[21753]: Password-protected archive (eicarpasswd.zip) in 2706D9685CD.A5BA0 Jul 6 15:38:08 gateway MailScanner[21753]: Virus and Content Scanning: Starting Jul 6 15:38:08 gateway MailScanner[21753]: Commencing scanning by clamd... 
Jul 6 15:38:08 gateway MailScanner[21827]: Debug Mode Is On Jul 6 15:38:08 gateway MailScanner[21827]: Use Threads : NO Jul 6 15:38:08 gateway MailScanner[21827]: Socket : /tmp/clamd Jul 6 15:38:08 gateway MailScanner[21827]: IP : Using Sockets Jul 6 15:38:08 gateway MailScanner[21827]: Lock File : NOT USED Jul 6 15:38:08 gateway MailScanner[21827]: Time Out : 300 Jul 6 15:38:08 gateway MailScanner[21827]: Scan Dir : /var/spool/MailScanner/incoming/21753 Jul 6 15:38:08 gateway MailScanner[21827]: Clamd : Sending PING Jul 6 15:38:08 gateway MailScanner[21827]: Clamd : GOT 'PONG' Jul 6 15:38:08 gateway MailScanner[21827]: ClamD is running Jul 6 15:38:08 gateway MailScanner[21827]: SENT : CONTSCAN /var/spool/MailScanner/incoming/21753 Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./DBBC19685C1.AC916/eicar.com.txt Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./BE4FC968592.3B329/eicar.com Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./232F89685CC.CA233/eicar_com.zip Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./232F89685CC.CA233/eicar.com Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./0EC8D9685C2.D171D/eicar_com.zip Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./0EC8D9685C2.D171D/eicarcom2.zip Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./0EC8D9685C2.D171D/eicar.com Jul 6 15:38:08 gateway MailScanner[21753]: Completed scanning by clamd Jul 6 15:38:09 gateway MailScanner[21753]: Virus Scanning: Clamd found 7 infections -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick Cooper Sent: 06 July 2007 15:17 To: 'MailScanner discussion' Subject: RE: clamd configuration? > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Jason Ede
> Sent: Friday, July 06, 2007 9:38 AM
> To: MailScanner discussion
> Subject: RE: clamd configuration?
>
> Ok... I'm getting an unknown error returned now...
>
> Jason
>
[...]
> Jul 6 14:36:28 gateway MailScanner[19018]: ERROR::UNKOWN
> CLAMD RETURN ./lstat() failed. ERROR ::
[...]

This is (almost) certainly a permissions problem. It could, of course, be the working dir/files are gone but that is pretty close to impossible since the mail processing continues.

What user/group is clamd running as?
What are the
What User/Group owns the incoming work dir? (MS Config incoming Work User = incoming Work Group =)

My guess is they are different. Solutions:

1. Run clamd as root
2. set the Incoming Work Group to the clamd user group and set Incoming Work Permissions = 0640 (or 0660)
3. Add clamd user to the MailScanner user group and set AllowSupplementaryGroups to yes (must be started by root)

I would opt for options 1 or 2 (Don't forget the Incoming Work Permissions = 0640 part!)

I haven't been able to find what exactly "triggers lstat() failed" versus "permission denied" in ClamAV, but both are generally permissions related, although the lstat problem can happen if a temporary file is removed before clamd gets to it... This should/could never happen with MailScanner.

Rick

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From Denis.Beauchemin at USherbrooke.ca Fri Jul 6 15:50:46 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Jul 6 15:51:10 2007
Subject: FW: gofer (stock spam)
In-Reply-To:
References:
Message-ID: <468E56C6.2080508@USherbrooke.ca>

donald.dawson@bakerbotts.com wrote:
> This may have already been addressed, but is there a released rule set
> or add-on that would help in identifying these type of stock spam
> emails?
>
> ...
> -----Original Message-----
> From: Nell B. Velasquez [mailto:cgl@vsnl.net]
> Sent: Thursday, July 05, 2007 9:43 AM
> To: Dawson, Donald
> Subject: gofer
>
>
> ERMX Continues To Expand As Stock Climbs Up 16.6%!
>
> EntreMetrix Inc. (ERMX)
> $0.21 UP 16.6%
>
> ERMX announced further expansion with K-9 Genetics. Healthy and Premium
> dog foods grossed $3.6 Billion in 2006, up from $1.9 billion in previous
> years. Read up on ERMX over the holiday, we think you will see even more
> fireworks on Thursday morning!
>

Donald,

I catch these with KAM:
http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf

It is updated quite often (daily?).

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From rcooper at dwford.com Fri Jul 6 15:52:20 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Jul 6 15:52:28 2007
Subject: clamd configuration?
In-Reply-To:
References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com><468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com><00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT><00e101c7bfd8$417646a0$0301a8c0@SAHOMELT>
Message-ID: <00ea01c7bfdd$4160f7a0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Jason Ede
> Sent: Friday, July 06, 2007 10:42 AM
> To: MailScanner discussion
> Subject: RE: clamd configuration?
>
>
> ClamAV was running as user clamav and group clamav
>
> The incoming work group parameter in mailscanner.conf is set
> to clamav
>
> the incoming dir is owned by user postfix group clamav
>
> If I set the clamd to being run as user root then it all
> seems to work quite happily and detects the test viruses as
> below... I'll use this setup for now I think.
>
> Jason

Remember to check the incoming work dir permissions, the default is (IIRC) 0600 so the clamav group would not be able to access it. (if, of course, you want to go back to using the clamav user/group)

Rick

>
> Jul 6 15:38:07 gateway MailScanner[21753]: Files hidden in
> very deeply nested archive in 0EC8D9685C2.D171D
> Jul 6 15:38:08 gateway MailScanner[21753]:
> Password-protected archive (eicarpasswdocr.zip) in 44B169685CE.1FA20
> Jul 6 15:38:08 gateway postfix/smtpd[21683]: connect from
> unknown[58.186.231.112]
> Jul 6 15:38:08 gateway MailScanner[21753]:
> Password-protected archive (eicarpasswd.zip) in 2706D9685CD.A5BA0
> Jul 6 15:38:08 gateway MailScanner[21753]: Virus and
> Content Scanning: Starting
> Jul 6 15:38:08 gateway MailScanner[21753]: Commencing
> scanning by clamd...
From j.ede at birchenallhowden.co.uk Fri Jul 6 16:09:22 2007 From: j.ede at birchenallhowden.co.uk (Jason Ede) Date: Fri Jul 6 16:09:43 2007 Subject: clamd configuration? In-Reply-To: <00ea01c7bfdd$4160f7a0$0301a8c0@SAHOMELT> References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com><468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com><00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT><00e101c7bfd8$417646a0$0301a8c0@SAHOMELT> <00ea01c7bfdd$4160f7a0$0301a8c0@SAHOMELT> Message-ID: The permissions were set to 640 IIRC... Jason -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick Cooper Sent: 06 July 2007 15:52 To: 'MailScanner discussion' Subject: RE: clamd configuration? > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Jason Ede
> Sent: Friday, July 06, 2007 10:42 AM
> To: MailScanner discussion
> Subject: RE: clamd configuration?
>
>
> ClamAV was running as user clamav and group clamav
>
> The incoming work group parameter in mailscanner.conf is set
> to clamav
>
> the incoming dir is owned by user postfix group clamav
>
> If I set the clamd to being run as user root then it all
> seems to work quite happily and detects the test viruses as
> below... I'll use this setup for now I think.
>
> Jason

Remember to check the incoming work dir permissions, the default is (IIRC) 0600 so the clamav group would not be able to access it. (if, of course, you want to go back to using the clamav user/group)

Rick

>
> Jul 6 15:38:07 gateway MailScanner[21753]: Files hidden in
> very deeply nested archive in 0EC8D9685C2.D171D
> Jul 6 15:38:08 gateway MailScanner[21753]:
> Password-protected archive (eicarpasswdocr.zip) in 44B169685CE.1FA20
> Jul 6 15:38:08 gateway postfix/smtpd[21683]: connect from
> unknown[58.186.231.112]
> Jul 6 15:38:08 gateway MailScanner[21753]:
> Password-protected archive (eicarpasswd.zip) in 2706D9685CD.A5BA0
> Jul 6 15:38:08 gateway MailScanner[21753]: Virus and
> Content Scanning: Starting
> Jul 6 15:38:08 gateway MailScanner[21753]: Commencing
> scanning by clamd...
From donald.dawson at bakerbotts.com Fri Jul 6 16:30:43 2007
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Fri Jul 6 16:30:50 2007
Subject: FW: gofer (stock spam)
In-Reply-To: <468E56C6.2080508@USherbrooke.ca>
Message-ID:

thanks - I'll try it out. I'll reduce some of the scores (4 and over) so we don't affect our ham by accident.

Thanks,
Donald

Donald Dawson
Security Administrator
Baker Botts L.L.P.
713-229-2183

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Denis Beauchemin
Sent: Friday, July 06, 2007 9:51 AM
To: MailScanner discussion
Subject: Re: FW: gofer (stock spam)

donald.dawson@bakerbotts.com wrote:
> This may have already been addressed, but is there a released rule set
> or add-on that would help in identifying these type of stock spam
> emails?
>
> ...
> -----Original Message-----
> From: Nell B. Velasquez [mailto:cgl@vsnl.net]
> Sent: Thursday, July 05, 2007 9:43 AM
> To: Dawson, Donald
> Subject: gofer
>
>
> ERMX Continues To Expand As Stock Climbs Up 16.6%!
>
> EntreMetrix Inc. (ERMX)
> $0.21 UP 16.6%
>
> ERMX announced further expansion with K-9 Genetics. Healthy and Premium
> dog foods grossed $3.6 Billion in 2006, up from $1.9 billion in previous
> years. Read up on ERMX over the holiday, we think you will see even more
> fireworks on Thursday morning!
>

Donald,

I catch these with KAM:
http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf

It is updated quite often (daily?).

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From itdept at fractalweb.com Fri Jul 6 16:56:07 2007
From: itdept at fractalweb.com (Chris Yuzik) Date: Fri Jul 6 16:56:32 2007 Subject: clamd configuration? In-Reply-To: References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com><468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com><00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> <00e101c7bfd8$417646a0$0301a8c0@SAHOMELT> Message-ID: <468E6617.5080609@fractalweb.com> Jason Ede wrote: > ClamAV was running as user clamav and group clamav > > The incoming work group parameter in mailscanner.conf is set to clamav > > the incoming dir is owned by user postfix group clamav > > If I set the clamd to being run as user root then it all seems to work quite happily and detects the test viruses as below... I'll use this setup for now I think. > Jason, In MailScanner.conf, did you also set this? Incoming Work User = clamav Incoming Work Group = clamav This was what my system was missing. I had set the group and the permissions, but it was only when I set "Incoming Work User" to "clamav" that it started working as expected. Hope this helps. Chris From KGoods at AIAInsurance.com Fri Jul 6 17:03:53 2007 
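The three options Rick lists in the clamd thread above, and the default-permissions pitfall he warns about, can be checked against the POSIX owner/group/other rules. The model below is an added example, not code from MailScanner or ClamAV; every uid, gid and mode in it is constructed, and gid 200 stands for a hypothetical `mailscanner` group.

```python
from dataclasses import dataclass

R, X = 4, 1  # permission bits: read, execute (search, for a directory)

# Constructed ids for illustration; MS_GROUP is a hypothetical "mailscanner" group.
POSTFIX, CLAMAV, MS_GROUP = 89, 100, 200


@dataclass(frozen=True)
class Creds:
    """Identity the scanning daemon runs with."""
    uid: int
    gid: int
    groups: frozenset = frozenset()  # supplementary groups the process actually loaded


@dataclass(frozen=True)
class Node:
    """Owner, group and mode of a directory or file."""
    uid: int
    gid: int
    mode: int


def allowed(creds: Creds, node: Node, want: int) -> bool:
    """POSIX class selection: owner, else group, else other. Exactly one class applies."""
    if creds.uid == 0:
        return True  # root passes the read and directory-search checks modelled here
    if creds.uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif node.gid == creds.gid or node.gid in creds.groups:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want


def scan(creds: Creds, workdir: Node, msgfile: Node) -> str:
    """Steps a scanner needs: search the work dir, list it, then read the file."""
    if not allowed(creds, workdir, X):
        return "stat-fails"   # without search permission, lstat() on entries fails
    if not allowed(creds, workdir, R):
        return "list-fails"
    if not allowed(creds, msgfile, R):
        return "read-fails"
    return "ok"


def scenarios() -> dict:
    clamav = Creds(CLAMAV, CLAMAV)
    clamav_supp = Creds(CLAMAV, CLAMAV, frozenset({MS_GROUP}))
    root = Creds(0, 0)
    private = (Node(POSTFIX, POSTFIX, 0o700), Node(POSTFIX, POSTFIX, 0o600))
    ms_owned = (Node(POSTFIX, MS_GROUP, 0o750), Node(POSTFIX, MS_GROUP, 0o640))
    return {
        "default": scan(clamav, *private),            # owner-only dir, clamd as clamav
        "opt1": scan(root, *private),                 # option 1: clamd as root
        "opt2": scan(clamav, Node(POSTFIX, CLAMAV, 0o750), Node(POSTFIX, CLAMAV, 0o640)),
        "opt2-0600": scan(clamav, Node(POSTFIX, CLAMAV, 0o750), Node(POSTFIX, CLAMAV, 0o600)),
        "opt3-nosupp": scan(clamav, *ms_owned),       # group membership not loaded
        "opt3-supp": scan(clamav_supp, *ms_owned),    # supplementary groups loaded
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:12} {result}")
```

Option 1 passes only because root bypasses the check entirely; option 2 reaches the same result while clamd keeps running as an unprivileged user.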
From: KGoods at AIAInsurance.com (Ken Goods)
Date: Fri Jul 6 17:05:56 2007
Subject: Upgrade question
Message-ID: <13C0059880FDD3118DC600508B6D4A6D01C29487@aiainsurance.com>

I am upgrading from MS 4.51.6 to 4.61.7. At the same time I'd like to upgrade SA and ClamAV using Julian's script.

So far I've run the MS install script and it seemed to exit without error. I did not stop MailScanner prior to running the script so I assume 4.51.6 is still processing mail and appears to be doing so. Next I was going to run the SA-ClamAV install script but was wondering whether I should stop MailScanner first and also if I should remove the old versions of SA and Clam somehow. This is a production box and I really can't afford for it to be down too long. (I did make backups as instructed in the MAQ but they only apply to MS and not SA/Clam)

I've put off upgrading due to the horror stories I've been hearing on this and clam's list about Clam taking so much time to scan. I understand that this has been resolved for the most part by using the clammodule or clamd. Having never run it that way (I've always gone with the defaults) I'm not exactly sure how much work is involved. If I leave the Virus Scanners = auto setting alone will it automatically use the clammodule? Or do I need to tell it what to use? I also use Bit Defender, will the "auto" setting pick that up as well?

Is this documented somewhere? I've looked but I can't seem to find it. If it is, kindly point me in the right direction, I'm not afraid of reading.
:) Running Sendmail on Centos 4.3 Here's the output of MailScanner -V as it sits today (MailScanner has not been restarted since I ran the install script so 4.51.6 is still running) [root@gw-mail install-Clam-0.90.3-SA-3.2.1]# MailScanner -V Running on Linux gw-mail 2.6.9-34.EL #1 Wed Mar 8 00:07:35 CST 2006 i686 i686 i386 GNU/Linux This is CentOS release 4.3 (Final) This is Perl version 5.008005 (5.8.5) This is MailScanner version 4.61.7 Module versions are: 1.00 AnyDBM_File 1.16 Archive::Zip 1.03 Carp 1.119 Convert::BinHex 1.00 DirHandle 1.05 Fcntl 2.73 File::Basename 2.08 File::Copy 2.01 FileHandle 1.06 File::Path 0.14 File::Temp 0.90 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.21 IO 1.10 IO::File 1.123 IO::Pipe 1.71 Mail::Header 1.86 Math::BigInt 3.05 MIME::Base64 5.420 MIME::Decoder 5.420 MIME::Decoder::UU 5.420 MIME::Head 5.420 MIME::Parser 3.03 MIME::QuotedPrint 5.420 MIME::Tools 0.11 Net::CIDR 1.08 POSIX 1.14 Scalar::Util 1.77 Socket 1.4 Sys::Hostname::Long 0.18 Sys::Syslog 1.9707 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.26 Archive::Tar 0.21 bignum 1.74 Business::ISBN missing Business::ISBN::Data 0.17 Convert::TNEF missing Data::Dump 1.810 DB_File 1.13 DBD::SQLite 1.50 DBI 1.08 Digest 1.01 Digest::HMAC 2.33 Digest::MD5 2.10 Digest::SHA1 missing Encode::Detect missing Error missing ExtUtils::CBuilder missing ExtUtils::ParseXS 0.44 Inline 1.06 IO::String 1.04 IO::Zlib 2.20 IP::Country 0.17 Mail::ClamAV 3.001001 Mail::SpamAssassin missing Mail::SPF 1.997 Mail::SPF::Query 0.19 Math::BigRat missing Module::Build 0.15 Net::CIDR::Lite 0.48 Net::DNS missing Net::DNS::Resolver::Programmable missing Net::LDAP missing NetAddr::IP 1.94 Parse::RecDescent missing SAVI 2.42 Test::Harness 0.95 Test::Manifest 1.95 Text::Balanced 1.35 URI missing version missing YAML [root@gw-mail install-Clam-0.90.3-SA-3.2.1]# TIA! Kind regards, Ken Ken Goods Network Administrator CropUSA Insurance, Inc. 
From KGoods at AIAInsurance.com Fri Jul 6 17:09:00 2007
From: KGoods at AIAInsurance.com (Ken Goods)
Date: Fri Jul 6 17:11:04 2007
Subject: Upgrade question, I should add....
Message-ID: <13C0059880FDD3118DC600508B6D4A6D01C29488@aiainsurance.com>

I have also edited MailScanner.conf.rpmnew after running upgrade_MailScanner_conf but haven't renamed them yet. It seems like it didn't pick up a bunch of my settings like it used to.... mostly where I used rules files instead of yes/no, is this typical?

Thanks again,
Ken

Ken Goods
Network Administrator
CropUSA Insurance, Inc.

From mrm at quantumcc.com Fri Jul 6 17:35:21 2007
From: mrm at quantumcc.com (Mike Masse)
Date: Fri Jul 6 17:35:49 2007
Subject: New support for clamd
In-Reply-To: <468D2640.5090304@ecs.soton.ac.uk>
References: <468A9333.1040702@i-centrix.com> <468D2640.5090304@ecs.soton.ac.uk>
Message-ID:

The default that was installed with the all in one installer: clamscan

The system has basically gone from averaging around 90% utilization since some of the last ClamAV upgrades to less than 2%. Approx 30k messages per server per day.

Mike

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> What were you using before?
>
> Mike Masse wrote:
>> I recently updated our servers to clamd as well and have noticed a
>> huge drop in cpu utilization. Thanks!!
>>
>> Mike

From mrm at quantumcc.com Fri Jul 6 17:39:08 2007
From: mrm at quantumcc.com (Mike Masse)
Date: Fri Jul 6 17:40:06 2007
Subject: multiple mailscanners with milter-null
Message-ID:

I've seen Julian's suggestion to use Milter-null to combat backscatter and like the idea, but am curious if anyone knows if it's possible to work with different outgoing and incoming servers? I have 3 MailScanner servers in front of my message store servers. One of the MS machines is for outgoing, and the other two handle incoming with MX based load balancing. If the outgoing puts a hash in the header of the outgoing messages, will the incoming servers recognize the outgoing server's hashes?

Mike

From itdept at fractalweb.com Fri Jul 6 19:13:19 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Fri Jul 6 19:13:41 2007
Subject: multiple mailscanners with milter-null
In-Reply-To:
References:
Message-ID: <468E863F.5080209@fractalweb.com>

Mike Masse wrote:
> I've seen Julian's suggestion to use Milter-null to combat backscatter
> and like the idea, but am curious if anyone knows if it's possible to work
> with different outgoing and incoming servers? I have 3 MailScanner
> servers in front of my message store servers. One of the MS machines
> is for outgoing, and the other two handle incoming with MX based load
> balancing. If the outgoing puts a hash in the header of the outgoing
> messages, will the incoming servers recognize the outgoing server's
> hashes?

Mike,

My understanding is that as long as all of your servers have the same secret phrase listed for milter-null, then you should be okay.

Chris

From MailScanner at ecs.soton.ac.uk Fri Jul 6 19:50:38 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 6 19:53:19 2007
Subject: Upgrade question
In-Reply-To: <13C0059880FDD3118DC600508B6D4A6D01C29487@aiainsurance.com>
References: <13C0059880FDD3118DC600508B6D4A6D01C29487@aiainsurance.com>
Message-ID: <468E8EFE.2070907@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ken Goods wrote:
> I am upgrading from MS 4.51.6 to 4.61.7. At the same time I'd like to
> upgrade SA and ClamAV using Julian's script.
>
> So far I've run the MS install script and it seemed to exit without
> error. I did not stop MailScanner prior to running the script so I
> assume 4.51.6 is still processing mail and appears to be doing so.
> Next I was going to run the SA-ClamAV install script but was wondering
> whether I should stop MailScanner first and also if I should remove
> the old versions of SA and Clam somehow. This is a production box and
> I really can't afford for it to be down too long. (I did make backups
> as instructed in the MAQ but they only apply to MS and not SA/Clam)

You don't need to remove the old SA and Clam, so long as your previous versions were installed by my script as well. The new versions will be installed over the top of your previous ones.

It's not essential to stop MailScanner first, if you use some other virus scanner as well. Otherwise there may be a short period in which ClamAV is not completely up to date. You could just shut down MailScanner and leave the sendmail processes running. Try doing this
    service MailScanner stopms
and if that does not work then
    service MailScanner stop
    service MailScanner startin
    service MailScanner startout
and mail will just build up in the mqueue.in (the inbound queue).

> I've put off upgrading due to the horror stories I've been hearing on
> this and clam's list about Clam taking so much time to scan.

The new version of ClamAV takes a very long time to start up, while it loads its virus signatures.
So I would advise you to use clamavmodule or clamd (clamavmodule is easier to set up as you don't have to worry about permissions at all). Using clamavmodule means it will take an age to do the "starting child process" stage, but will then work nice and fast. Using clamd means you will need an init.d script for it and so on, so if you want to do this then I would recommend you install ClamAV from the RPMs at dag.wieers.com. The latest versions of my ClamAV+SA package ask if you want it to install ClamAV (which you obviously don't want to do if you installed it from RPM from Dag's archive). Then the long startup delay will be when clamd starts up, not MailScanner.

> I understand that this has been resolved for the most part by using
> the clammodule or clamd. Having never run it that way (I've always
> gone with the defaults) I'm not exactly sure how much work is
> involved. If I leave the Virus Scanners = auto setting alone will it
> automatically use the clammodule?

If it's installed, then yes. But if it finds clamd running then "auto" will try to use that instead.

> Or do I need to tell it what to use? I also use Bit Defender, will the
> "auto" setting pick that up as well?

Yes. The command
    MailScanner --lint
will tell you what virus scanners it has found, and hence what it will use if you use "auto". Personally I would advise you specify exactly which scanners to use, so there's no chance of confusion.

> Is this documented somewhere? I've looked but I can't seem to find it.
> If it is, kindly point me in the right direction, I'm not afraid of
> reading. :)

The problems with Clam are temporary and will go away in the next version.
You need to update to the new version of SpamAssassin as well, best done using my ClamAV+SA package (in which ClamAV is an optional install choice when you run it). Hope that's enough answers to get you started. If you are feeling rich and want me to do it for you, then get in touch off list. Or even if you just want me to do a quick sanity check of your setup for you, which shouldn't take more than half an hour or so. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGjo7/EfZZRxQVtlQRAqeoAKDi8yq9RnAE5Mqauf60KY1DWjR/4QCgidz7 x8fuzrstZTCmySSjdF02yvY= =VMPW -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Fri Jul 6 19:53:37 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 6 19:56:07 2007
Subject: Upgrade question, I should add....
In-Reply-To: <13C0059880FDD3118DC600508B6D4A6D01C29488@aiainsurance.com>
References: <13C0059880FDD3118DC600508B6D4A6D01C29488@aiainsurance.com>
Message-ID: <468E8FB1.9080508@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ken Goods wrote:
> I have also edited MailScanner.conf.rpmnew after running
> upgrade_MailScanner_conf but haven't renamed them yet. It seems like it
> didn't pick up a bunch of my settings like it used to.... mostly where I
> used rules files instead of yes/no, is this typical?
>
upgrade_MailScanner_conf *reads* the ".rpmnew" file but doesn't write to
it. If you follow the instructions you get when you run the command, it
will generate a "MailScanner.new" file. This will copy over all your
ruleset settings as well, for definite. You don't want to edit the
.rpmnew file directly yourself, it's used as the template for the new
MailScanner.new file which you then rename to MailScanner.conf as guided
by the upgrade_MailScanner_conf script.

And don't forget its brother upgrade_languages_conf as well, there might
be more added in there too!

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGjo+xEfZZRxQVtlQRAsgJAKDKWxDS2SfYDiI7Slm6OZpqYs2YQgCeKQfo
UC+xk/EAUnHAkxMYNTsi3YU=
=oLve
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Fri Jul 6 19:58:23 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 6 20:02:20 2007
Subject: multiple mailscanners with milter-null
In-Reply-To:
References:
Message-ID: <468E90CF.7040109@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike Masse wrote:
> I've seen Julian's suggestion to use Milter-null to combat backscatter
> and like the idea,
We are looking at a second revision (patent-safe this time) of
incorporating this into MailScanner itself, so you don't need
milter-null or equivalent.
> but am curious anyone knows if it's possible to work with different
> outgoing and incoming servers?
Dead easy. Just run it on both servers and make sure the secret is the
same. I use the same milter-null.cf on each server.
> I have 3 MailScanner servers in front of my message store
> servers. One of the MS machines is for outgoing, and the other two
> handle incoming with MX based load balancing. If the outgoing puts a
> hash in the header of the outgoing messages, will the incoming
> server's recognize the outgoing server's hashes?
Yes, just use the same secret on them all.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGjpDQEfZZRxQVtlQRAg0LAKDmqeR23gVxkuqLljWG9iLhS/KrigCeO2J2
Spab9Lkt0Kic6fj5eR1N/Rc=
=UgS0
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From KGoods at AIAInsurance.com Fri Jul 6 20:27:24 2007
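The shared-secret point in the milter-null reply above, as an added illustration that is not part of the thread and is not milter-null's code or header format: a keyed hash placed on outgoing mail can be checked by any incoming relay that holds the same secret, and by no other. The header name, the HMAC-SHA256 construction, the one-week lifetime and all sample values are assumptions made for this sketch.

```python
import hashlib
import hmac
import re

TAG_HEADER = "X-Example-Origin-Tag"   # hypothetical header name
MAX_AGE = 7 * 24 * 3600               # assumed lifetime of a tag, in seconds


def make_tag(secret: bytes, message_id: str, issued: int) -> str:
    """Keyed hash over the issue time and the Message-ID."""
    mac = hmac.new(secret, f"{issued}|{message_id}".encode(), hashlib.sha256)
    return f"{issued}.{mac.hexdigest()}"


def tag_outgoing(secret: bytes, headers: str, now: int) -> str:
    """Outgoing relay: append the tag header to a message's header block."""
    mid = re.search(r"^Message-ID:\s*(\S+)", headers, re.M | re.I).group(1)
    return headers.rstrip("\n") + f"\n{TAG_HEADER}: {make_tag(secret, mid, now)}\n"


def bounce_is_ours(secret: bytes, bounce_body: str, now: int) -> bool:
    """Incoming relay: accept a bounce only if the returned headers carry a
    tag that verifies under this relay's secret and has not expired."""
    mid = re.search(r"^Message-ID:\s*(\S+)", bounce_body, re.M | re.I)
    tag = re.search(rf"^{TAG_HEADER}:\s*(\d+)\.([0-9a-fA-F]{{64}})\s*$",
                    bounce_body, re.M | re.I)
    if not mid or not tag:
        return False                  # no tag: not mail we sent
    issued = int(tag.group(1))
    if not 0 <= now - issued <= MAX_AGE:
        return False                  # too old, or dated in the future
    expected = make_tag(secret, mid.group(1), issued)
    presented = f"{issued}.{tag.group(2).lower()}"
    return hmac.compare_digest(expected, presented)


# Constructed sample data: one outgoing relay, several incoming relays.
SHARED_SECRET = b"constructed-shared-secret"
OTHER_SECRET = b"constructed-different-secret"
ORIGINAL_HEADERS = (
    "From: user@example.org\n"
    "To: someone@example.net\n"
    "Message-ID: <1234@out1.example.org>\n"
    "Subject: hello\n"
)


def demo() -> dict:
    sent_at = 1_183_750_000           # constructed timestamp
    sent = tag_outgoing(SHARED_SECRET, ORIGINAL_HEADERS, sent_at)
    genuine = "Delivery failed.\n\n--- returned headers ---\n" + sent
    forged = "Delivery failed.\n\n--- returned headers ---\n" + ORIGINAL_HEADERS
    later = sent_at + 3600
    return {
        "same_secret": bounce_is_ours(SHARED_SECRET, genuine, later),
        "other_secret": bounce_is_ours(OTHER_SECRET, genuine, later),
        "forged_no_tag": bounce_is_ours(SHARED_SECRET, forged, later),
        "expired": bounce_is_ours(SHARED_SECRET, genuine, sent_at + MAX_AGE + 1),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:14} accepted={accepted}")
```
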
From: KGoods at AIAInsurance.com (Ken Goods) Date: Fri Jul 6 20:29:30 2007 Subject: Upgrade question Message-ID: <13C0059880FDD3118DC600508B6D4A6D01C29489@aiainsurance.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Ken Goods wrote: >> I am upgrading from MS 4.51.6 to 4.61.7. At the same time I'd like to >> upgrade SA and ClamAV using Julian's script. >> >> So far I've ran the MS install script and it seemed to exit without >> error. I did not stop MailScanner prior to running the script so I >> assume 4.51.6 is still processing mail and appears to be doing so. >> Next I was going to run the SA-ClamAV install script but was >> wondering whether I should stop MailScanner first and also if I >> should remove the old versions of SA and Clam somehow. This is a >> production box and I really can't afford for it to be down too long. >> (I did make backups as instructed in the MAQ but they only apply to >> MS and not SA/Clam) > You don't need to remove the old SA and Clam, so long as your previous > versions were installed by my script as well. The new versions will be > installed over the top of your previous ones. > > It's not essential to stop MailScanner first, if you use some other > virus scanner as well. Otherwise there may be a short period in which > ClamAV is not completely up to date. You could just shutdown > MailScanner and leave the sendmail processes running. Try doing this > service MailScanner stopms > and if that does not work then > service MailScanner stop > service MailScanner startin > service MailScanner startout > and mail will just build up in the mqueue.in (the inbound queue). > >> I've put off upgrading due to the horror stories I've been hearing on >> the this and clam's list about Clam taking so much time to scan. > The new version of ClamAV takes a very long time to start up, while it > loads it virus signatures. 
So I would advise you to use clamavmodule > or clamd (clamavmodule is easier to set up as you don't have to worry > about permissions at all). Using clamavmodule means it will take an > age to do the "starting child process" stage, but will then work nice > and fast. Using clamd means you will need an init.d script for it and > so on, so if you want to do this then I would recommend you install > ClamAV from the RPMs at dag.wieers.com. The latest versions of my > ClamAV+SA package ask if you want it to install ClamAV (which you > obviously don't want to do > if you installed it from RPM from Dag's archive). Then the long > startup delay will be when clamd starts up, not MailScanner. > >> I understand that this has been resolved for the most part by using >> the clammodule or clamd. Having never ran it that way (I've always >> gone with the defaults) I'm not exactly sure how much work is >> involved. If I leave the Virus Scanners = auto setting alone will it >> automatically use the clammodule? > If it's installed, then yes. But if it finds clamd running then "auto" > will try to use that instead. >> Or do I need to tell it what to use? I also use Bit Defender, will >> the "auto" setting pick that up as well? > Yes. The command > MailScanner --lint > will tell you what virus scanners it has found, and hence what it will > use if you use "auto". Personally I would advise you specify exactly > which scanners to use, so there's no chance of confusion. > >> Is this documented somewhere? I've looked but I can't seem to find >> it. If it is, kindly point me in the right direction, I'm not afraid >> of reading. :) > The problems with Clam are temporary and will go away in the next > version. 
>> >> Running Sendmail on Centos 4.3 >> Here's the output of MailScanner -V as it sits today (MailScanner has >> not been restarted since I ran the install script so 4.51.6 is still >> running) >> >> [root@gw-mail install-Clam-0.90.3-SA-3.2.1]# MailScanner -V >> Running on >> Linux gw-mail 2.6.9-34.EL #1 Wed Mar 8 00:07:35 CST 2006 i686 i686 >> i386 GNU/Linux This is CentOS release 4.3 (Final) >> This is Perl version 5.008005 (5.8.5) >> >> This is MailScanner version 4.61.7 >> Module versions are: >> 1.00 AnyDBM_File >> 1.16 Archive::Zip >> 1.03 Carp >> 1.119 Convert::BinHex >> 1.00 DirHandle >> 1.05 Fcntl >> 2.73 File::Basename >> 2.08 File::Copy >> 2.01 FileHandle >> 1.06 File::Path >> 0.14 File::Temp >> 0.90 Filesys::Df >> 1.35 HTML::Entities >> 3.56 HTML::Parser >> 2.37 HTML::TokeParser >> 1.21 IO >> 1.10 IO::File >> 1.123 IO::Pipe >> 1.71 Mail::Header >> 1.86 Math::BigInt >> 3.05 MIME::Base64 >> 5.420 MIME::Decoder >> 5.420 MIME::Decoder::UU >> 5.420 MIME::Head >> 5.420 MIME::Parser >> 3.03 MIME::QuotedPrint >> 5.420 MIME::Tools >> 0.11 Net::CIDR >> 1.08 POSIX >> 1.14 Scalar::Util >> 1.77 Socket >> 1.4 Sys::Hostname::Long >> 0.18 Sys::Syslog >> 1.9707 Time::HiRes >> 1.02 Time::localtime >> >> Optional module versions are: >> 1.26 Archive::Tar >> 0.21 bignum >> 1.74 Business::ISBN >> missing Business::ISBN::Data >> 0.17 Convert::TNEF >> missing Data::Dump >> 1.810 DB_File >> 1.13 DBD::SQLite >> 1.50 DBI >> 1.08 Digest >> 1.01 Digest::HMAC >> 2.33 Digest::MD5 >> 2.10 Digest::SHA1 >> missing Encode::Detect >> missing Error >> missing ExtUtils::CBuilder >> missing ExtUtils::ParseXS >> 0.44 Inline >> 1.06 IO::String >> 1.04 IO::Zlib >> 2.20 IP::Country >> 0.17 Mail::ClamAV >> 3.001001 Mail::SpamAssassin >> missing Mail::SPF >> 1.997 Mail::SPF::Query >> 0.19 Math::BigRat >> missing Module::Build >> 0.15 Net::CIDR::Lite >> 0.48 Net::DNS >> missing Net::DNS::Resolver::Programmable >> missing Net::LDAP >> missing NetAddr::IP >> 1.94 Parse::RecDescent >> missing SAVI >> 
2.42 Test::Harness
>> 0.95 Test::Manifest
>> 1.95 Text::Balanced
>> 1.35 URI
>> missing version
>> missing YAML
>> [root@gw-mail install-Clam-0.90.3-SA-3.2.1]#
> You need to update to the new version of SpamAssassin as well, best
> done using my ClamAV+SA package (in which ClamAV is an optional
> install choice when you run it).
>
> Hope that's enough answers to get you started. If you are feeling rich
> and want me to do it for you, then get in touch off list. Or even if
> you just want me to do a quick sanity check of your setup for you,
> which shouldn't take more than half an hour or so.
>
> Jules
>

Jules,
Thanks so much for this clear explanation of the upgrade process. I
really wish I could talk the powers that be into sending some money your
way but things are a little tight... I do it personally but due to
things being tight here I don't have any extra to spend either
(excrement does run downhill after all huh? :))

I will talk them into sending a donation soon though. I let them know
all the time how much we've saved by using your excellent software. They
are aware and I keep dropping hints. Pretty soon this squeaky wheel is
going to get greased! :)

Back to the subject... I started installing SA and ClamAV by hand but
once I discovered your install package I've been using it ever since. It
just plain works and works well! I don't foresee any problems with what
you have outlined above. Thanks again for your time to explain this.
It's been so long that I had forgotten how easy it was. ;)

Take care and I hope you're feeling better and better.

Kind regards,
Ken

Ken Goods
Network Administrator
CropUSA Insurance, Inc.

From KGoods at AIAInsurance.com Fri Jul 6 20:30:17 2007
From: KGoods at AIAInsurance.com (Ken Goods)
Date: Fri Jul 6 20:32:20 2007
Subject: Upgrade question, I should add....
Message-ID: <13C0059880FDD3118DC600508B6D4A6D01C2948A@aiainsurance.com>

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Ken Goods wrote:
>> I have also edited MailScanner.conf.rpmnew after running
>> upgrade_MailScanner_conf but haven't renamed them yet. It seems like
>> it didn't pick up a bunch of my settings like it used to.... mostly
>> where I used rules files instead of yes/no, is this typical?
>>
> upgrade_MailScanner_conf *reads* the ".rpmnew" file but doesn't write
> to it. If you follow the instructions you get when you run the
> command, it will generate a "MailScanner.new" file. This will copy
> over all your ruleset settings as well, for definite. You don't want
> to edit the .rpmnew file directly yourself, it's used as the template
> for the new MailScanner.new file which you then rename to
> MailScanner.conf as guided by the upgrade_MailScanner_conf script.
>
> And don't forget its brother upgrade_languages_conf as well, there
> might be more added in there too!
>
> Jules

Duh... knock to the head. Like I said before, it's been so long since
I've upgraded that I forgot how easy all this is thanks to you!

Thanks again Jules.. you're the best!

Ken Goods
Network Administrator
CropUSA Insurance, Inc.

From raymond at prolocation.net Fri Jul 6 21:09:52 2007
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Fri Jul 6 21:09:50 2007
Subject: clamd configuration?
In-Reply-To: <468E6617.5080609@fractalweb.com>
References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com><468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com><00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> <00e101c7bfd8$417646a0$0301a8c0@SAHOMELT> <468E6617.5080609@fractalweb.com>
Message-ID:

Hi!

> In MailScanner.conf, did you also set this?
>
> Incoming Work User = clamav
> Incoming Work Group = clamav
>
> This was what my system was missing. I had set the group and the permissions,
> but it was only when I set "Incoming Work User" to "clamav" that it started
> working as expected.

I fixed it the other way around, just let clamd run as user (in our
scenario) exim. Was more or less easier to do. Just my 2 cents.

Bye,
Raymond.

From glenn.steen at gmail.com Fri Jul 6 21:29:30 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 6 21:29:31 2007
Subject: clamd configuration?
In-Reply-To:
References: <468AAB5B.7010101@fractalweb.com> <06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> <468B0B2E.8080201@fractalweb.com> <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> <00e101c7bfd8$417646a0$0301a8c0@SAHOMELT> <468E6617.5080609@fractalweb.com>
Message-ID: <223f97700707061329l32750005u61ad3fce946d5477@mail.gmail.com>

On 06/07/07, Raymond Dijkxhoorn wrote:
> Hi!
>
> > In MailScanner.conf, did you also set this?
> >
> > Incoming Work User = clamav
> > Incoming Work Group = clamav
> >
> > This was what my system was missing. I had set the group and the permissions,
> > but it was only when I set "Incoming Work User" to "clamav" that it started
> > working as expected.
>
> I fixed it the other way around, just let clamd run as user (in our
> scenario) exim. Was more or less easier to do. Just my 2 cents.
>
> Bye,
> Raymond.

Yep, it'd likely be easiest to run clamd as user/group postfix (with
appropriate settings in MailScanner.conf, of course). I'd opt for
that... As is, I'll live with clamavmodule until after the vacation:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Fri Jul 6 21:39:33 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 6 21:43:04 2007
Subject: I was bored this afternoon...
Message-ID: <468EA885.8030301@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Download

http://www.mailscanner.info/files/4/tar/MailScanner-install-4.62.1-2.tar.gz
and take a look at the Perl source code in lib/MailScanner/*.pm

It should work just fine.

Hey, I was bored... :-)

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGjqiGEfZZRxQVtlQRAor9AJ9R+DIecOqjfjEqpCPL5UUbYDVivwCgpn4L
Hfc/u+vuxgMqcKSh4RtCLxM=
=MGW6
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Fri Jul 6 22:11:38 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 6 22:15:00 2007
Subject: Upgrade question
In-Reply-To: <13C0059880FDD3118DC600508B6D4A6D01C29489@aiainsurance.com>
References: <13C0059880FDD3118DC600508B6D4A6D01C29489@aiainsurance.com>
Message-ID: <468EB00A.8010606@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ken Goods wrote:
> Jules,
> Thanks so much for this clear explanation of the upgrade process. I really
> wish I could talk the powers that be into sending some money your way but
> things are a little tight...
If it would help if I did a bit of work for you, then I can easily
arrange that.
> I will talk them into sending a donation soon though. I let them know all
> the time how much we've saved by using your excellent software. They are
> aware and I keep dropping hints. Pretty soon this squeaky wheel is going to
> get greased! :)
>
Cheers.
> Take care and I hope you're feeling better and better.
>
Well, I have survived my first week back at work pretty well. I don't
feel completely exhausted either, which is good. I've been taking it
easy, slowly finding things to do, letting everyone else continue doing
all the jobs they took over while I was away. Most of it seemed to be
ordering myself some new toys and a sofa for my office :-)

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGjrALEfZZRxQVtlQRAhigAJ9WjK+C6bjNIPeErEfGtDs4YuKKtACfUIsS
p0GDvUzLt4AD1d3c8OwWqVc=
=gzU4
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From mkettler at evi-inc.com Fri Jul 6 23:52:20 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Jul 6 23:53:28 2007
Subject: I was bored this afternoon...
In-Reply-To: <468EA885.8030301@ecs.soton.ac.uk>
References: <468EA885.8030301@ecs.soton.ac.uk>
Message-ID: <468EC7A4.5050105@evi-inc.com>

Julian Field wrote:
> Download
>
> http://www.mailscanner.info/files/4/tar/MailScanner-install-4.62.1-2.tar.gz
> and take a look at the Perl source code in lib/MailScanner/*.pm
>
> It should work just fine.
>
> Hey, I was bored... :-)

Hey, if you're so bored.. update your Amazon wishlist, it's down to 4
items!

From jayesha_shinde at yahoo.com Sat Jul 7 09:58:21 2007
From: jayesha_shinde at yahoo.com (jayesh shinde)
Date: Sat Jul 7 09:58:24 2007
Subject: filename extension problem
Message-ID: <89658.92325.qm@web54403.mail.yahoo.com>

Hi Hugo van der Kooij,

My problem is solved. I did exactly as you specified in your mail. And
the ruleset is also working.

Many Thanks & Regards
Jayesh Shinde

On Thu, 2007-07-05 at 12:41, jayesh shinde wrote:
> Dear All,
> I have one query, I am using MailScanner version
> 4.34.8 on FC2 with sendmail. Some of my users are sending their email
> with an attachments with double or multiple extension ( Ex:--
> my.com.location.doc)
> When it goes through MailScanner for scanning
> attachment, it give me the following error as :--
>
> #####
> At Fri Jun 29 18:00:56 2007 the virus scanner said:
> MailScanner: Attempt to hide real filename extension
> (my.com.location.doc)
> ######
>>filename.rules.conf contains this line :-
>># Deny all other double file extensions. This catches any hidden
>>filenames.
>>deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
>>This blocks any filename ending with a two or 3 character extension
>>followed by a 3 character extension. I can't see how this would block
>>the specific example you gave though.
>>I am not running the very latest version of mailscanner though so
>>perhaps yours has been updated.
> My queries are :--
> 1) Is there any way to bypass above such multiple extension mail
> through MailScanner. If yes then where should i define this ruleset &
> how to write this rule for
> single user.
Just remove the section in the file mentioned above.
> 2) If i bypass the above such multiple extension attachment, will it
> affect the block extension list ( define under
> /etc/MailScanner/filename.rules.conf )

---------------------------------
TV dinner still cooling?
Check out "Tonight's Picks" on Yahoo! TV.
-------------- next part --------------
An HTML attachment was scrubbed...
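The deny pattern quoted in the message above can be checked against sample names directly. This is an added example, not part of the thread and not MailScanner's own code; it assumes rules are tried top to bottom, that the first match decides, and that matching ignores case. The allow rule and every filename except `my.com.location.doc` are constructed for the illustration.

```python
import re

# Pattern copied verbatim from the deny rule quoted in the thread.
DOUBLE_EXT = r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"

# Constructed rule list: (action, regex). Assumptions of this sketch: rules are
# tried in order, the first match decides, and matching is case-insensitive.
# The allow rule is hypothetical; it shows how an earlier rule can let one
# known-good pattern through while the deny rule stays in place.
ALLOW_REV_DOC = r"\.rev\.doc$"
RULES = [
    ("allow", ALLOW_REV_DOC),
    ("deny", DOUBLE_EXT),
]


def evaluate(filename, rules=RULES):
    """Return (action, regex) for the first matching rule.

    When no rule matches, the attachment passes and the regex is None.
    """
    for action, pattern in rules:
        if re.search(pattern, filename, re.IGNORECASE):
            return action, pattern
    return "allow", None


# Constructed sample attachment names, plus the one reported in the thread.
SAMPLES = [
    "my.com.location.doc",   # from the thread: ".location" is 8 characters
    "invoice.pdf.exe",       # 3-character extension followed by 3 characters
    "photo.jpg   .scr",      # whitespace padding between the extensions
    "archive.tar.gz",        # final extension has only 2 characters
    "notes.v2.txt",          # ".v2" is shorter than the 3 to 4 required
    "summary.rev.doc",       # double extension, let through by the allow rule
    "SUMMARY.PDF.EXE",       # upper case, caught by case-insensitive matching
]


def report(samples=SAMPLES, rules=RULES):
    """Evaluate every sample name and return {name: (action, regex)}."""
    return {name: evaluate(name, rules) for name in samples}


if __name__ == "__main__":
    for name, (action, pattern) in report().items():
        print(f"{action:5}  {name!r:24} matched: {pattern}")
```

With only the quoted deny rule in play, `my.com.location.doc` does not match, because the pattern needs a dot followed by three or four characters immediately before the final three-character extension.
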
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070707/20caaef4/attachment.html

From shuttlebox at gmail.com Sat Jul 7 11:45:34 2007
From: shuttlebox at gmail.com (shuttlebox)
Date: Sat Jul 7 11:45:38 2007
Subject: I was bored this afternoon...
In-Reply-To: <468EA885.8030301@ecs.soton.ac.uk>
References: <468EA885.8030301@ecs.soton.ac.uk>
Message-ID: <625385e30707070345x648e9706nab9bed0e9d756b5d@mail.gmail.com>

On 7/6/07, Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Download
>
> http://www.mailscanner.info/files/4/tar/MailScanner-install-4.62.1-2.tar.gz
> and take a look at the Perl source code in lib/MailScanner/*.pm
>
> It should work just fine.
>
> Hey, I was bored... :-)
>
> Jules

I'm at home and can't try the new beta but read the change log that
said the installers are improved. How so?

--
/peter

From glenn.steen at gmail.com Sat Jul 7 13:33:59 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Jul 7 13:34:01 2007
Subject: I was bored this afternoon...
In-Reply-To: <625385e30707070345x648e9706nab9bed0e9d756b5d@mail.gmail.com>
References: <468EA885.8030301@ecs.soton.ac.uk> <625385e30707070345x648e9706nab9bed0e9d756b5d@mail.gmail.com>
Message-ID: <223f97700707070533r49699f46q607f8b9fc0d4204@mail.gmail.com>

On 07/07/07, shuttlebox wrote:
> On 7/6/07, Julian Field wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Download
> >
> > http://www.mailscanner.info/files/4/tar/MailScanner-install-4.62.1-2.tar.gz
> > and take a look at the Perl source code in lib/MailScanner/*.pm
> >
> > It should work just fine.
> >
> > Hey, I was bored... :-)
> >
> > Jules
>
> I'm at home and can't try the new beta but read the change log that
> said the installers are improved. How so?
>
We really shouldn't do this Peter.... If it's vacation, it's
vacation... Even if it's raining:-)

Tjena
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Sat Jul 7 13:37:04 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Jul 7 13:41:32 2007
Subject: I was bored this afternoon...
In-Reply-To: <625385e30707070345x648e9706nab9bed0e9d756b5d@mail.gmail.com>
References: <468EA885.8030301@ecs.soton.ac.uk> <625385e30707070345x648e9706nab9bed0e9d756b5d@mail.gmail.com>
Message-ID: <468F88F0.9010709@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

shuttlebox wrote:
> On 7/6/07, Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Download
>>
>> http://www.mailscanner.info/files/4/tar/MailScanner-install-4.62.1-2.tar.gz
>>
>> and take a look at the Perl source code in lib/MailScanner/*.pm
>>
>> It should work just fine.
>>
>> Hey, I was bored... :-)
>>
>> Jules
>
> I'm at home and can't try the new beta but read the change log that
> said the installers are improved. How so?
They should detect some of the modules better if they are already
installed. Should make upgrades a bit quicker.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGj4jxEfZZRxQVtlQRAhDQAKDsjoMtXYjdTddpLR41JN1Cqy3trACgo2TC
+rlBCCkUE9J+iLHUvmqHEOM=
=rfO4
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From shuttlebox at gmail.com Sat Jul 7 13:45:28 2007
From: shuttlebox at gmail.com (shuttlebox)
Date: Sat Jul 7 13:45:30 2007
Subject: I was bored this afternoon...
In-Reply-To: <223f97700707070533r49699f46q607f8b9fc0d4204@mail.gmail.com>
References: <468EA885.8030301@ecs.soton.ac.uk> <625385e30707070345x648e9706nab9bed0e9d756b5d@mail.gmail.com> <223f97700707070533r49699f46q607f8b9fc0d4204@mail.gmail.com>
Message-ID: <625385e30707070545j53aa78dbx88f468c5c4d9259f@mail.gmail.com>

On 7/7/07, Glenn Steen wrote:
> We really shouldn't do this Peter.... If it's vacation, it's
> vacation... Even if it's raining:-)

I'm not on vacation yet. Broke four bones riding my racing motorcycle
four weeks ago so I'm getting cab rides to work so not to spend
vacation days in a cast. :-)

--
/peter

From gordon at itnt.co.za Sat Jul 7 19:24:04 2007
From: gordon at itnt.co.za (Gordon Colyn)
Date: Sat Jul 7 19:24:21 2007
Subject: Feature request
Message-ID: <004301c7c0c4$00676e90$6403a8c0@gordon>

-] ITNT [-Any way you can create a process to deliver very large mails
for specific domains at a different time or place in a different
sendmail queue that can be triggered to allow for delivery after hours?

Thanks

Gordon Colyn
083 296 7534
011 792 5990
InTheNet Technologies
www.itnt.co.za
MSN: gordoncolyn@hotmail.com
SKYPE: gordoncolyn

From MailScanner at ecs.soton.ac.uk Sat Jul 7 19:42:20 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Jul 7 19:44:51 2007
Subject: Feature request
In-Reply-To: <004301c7c0c4$00676e90$6403a8c0@gordon>
References: <004301c7c0c4$00676e90$6403a8c0@gordon>
Message-ID: <468FDE8C.2070108@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, you can do this. You just need to create a ruleset (or Custom
Function) to produce a different "Outgoing Queue Dir" for different
messages. Then you can use the "Delivery Method = batch" for messages
you want delivering immediately, and "Delivery Method = queue" for
messages you want to deliver under the control of a different program.
Again, you do this by applying a ruleset or Custom Function to the conf
setting "Delivery Method".

If you use "Delivery Method = queue" for a message, MailScanner will
just put the message in the outgoing queue ready to be delivered, but
won't actually tell sendmail to do anything with it.
"Delivery Method = batch" does the same, but also tells sendmail to
immediately attempt to deliver the message.

Rulesets and Custom Functions are all explained in the book. There are
many examples of Rulesets in the book and the wiki (and in the mailing
list archives) and there are examples of Custom Functions in the book
and in the directory /usr/lib/MailScanner/MailScanner/CustomFunctions
on your MailScanner server.

Hope that helps get you started,
Jules.

P.S. For a fee, I will write the code for you if you know what you want
to do. Or I can write enough of it to get you going if you aren't quite
sure yet what you want to do. Unfortunately I can't afford to give away
my programming effort for free (other than in MailScanner itself, of
course! :-)

Gordon Colyn wrote:
> -] ITNT [-Any way you can create a process to deliver very large mails for
> specific domains at a different time or place in a different sendmail queue
> that can be triggered to allow for delivery after hours?
>
>
>
> Thanks
>
> Gordon Colyn
> 083 296 7534
> 011 792 5990
> InTheNet Technologies
> www.itnt.co.za
> MSN: gordoncolyn@hotmail.com
> SKYPE: gordoncolyn
>
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGj96NEfZZRxQVtlQRAq5MAJ9YEIhQLGtH9JvOs/zkHHwt0/kZhgCfdTxo
rYjmRI5HrzvhNOlB2MPa2nw=
=kgxq
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From micoots at yahoo.com Sun Jul 8 04:44:15 2007
From: micoots at yahoo.com (Michael Mansour)
Date: Sun Jul 8 04:44:18 2007
Subject: Mailscanner and Virtualmin
In-Reply-To: <468D510F.6090106@fractalweb.com>
Message-ID: <174201.58260.qm@web33312.mail.mud.yahoo.com>

Hi guys,

Chris Yuzik wrote:
Johnny Stork wrote:
> I thought I would try out virtualmin to manage a few locally hosted
> sites but have noticed that within the VirtualMin interface in Webmin,
> on my gateway mail server running MailScanner, the "Start Mailserver"
> and "Start Dovecot" buttons are crossed out indicating that VM does not
> appear to "see" mailscanner? Does anyone have any experience setting up
> VM on a machine running Mailscanner?

We've played around with Virtualmin, and it's fine with MailScanner,
although it doesn't seem to "see" MailScanner and does think that the
mail server is down. Aside from that, everything is okay.

I use Virtualmin GPL and Virtualmin Pro with MailScanner and have been
for years.

There's no such thing as "MailScanner support in Virtualmin", since
Virtualmin only checks whether sendmail is running or not.

But it doesn't matter, MailScanner works, Virtualmin works, Virtualmin
does not need to interact with MailScanner since they both do different
things.

Regards,

Michael.

---------------------------------
Yahoo!7 Mail has just got even bigger and better with unlimited storage on all webmail accounts. Find out more.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070708/d40e00fa/attachment.html

From j.ede at birchenallhowden.co.uk Sun Jul 8 08:04:45 2007
From: j.ede at birchenallhowden.co.uk (Jason Ede)
Date: Sun Jul 8 08:05:06 2007
Subject: Off-topic RDJ not working properly since DOS a few weeks back
Message-ID:

Ok, I know this is slightly off-topic, but has anyone else had problems
with Rules_du_jour since the DDOS against sare and spamhaus a few weeks
back?

It runs fine when run manually, but when it runs overnight
automatically it fails to download at least one of the rulesets and
then gets stuck as below...

***WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is:
mv -f /etc/mail/spamassassin/70_sare_evilnum0.cf /etc/mail/spamassassin/RulesDuJour/70_sare_evilnum0.cf.2;
mv -f /etc/mail/spamassassin/RulesDuJour/70_sare_evilnum0.cf.20070708-0456 /etc/mail/spamassassin/70_sare_evilnum0.cf;

Lint output:
[12337] warn: config: failed to parse line, skipping:
[12337] warn: config: failed to parse line, skipping:
[12337] warn: config: failed to parse line, skipping:
[12337] warn: config: failed to parse line, skipping:
[12337] warn: lint: 4 issues detected, please rerun with debug enabled for more information

The really odd thing is that it always seems to get stuck on the first
of the rule sets (was tripwire, now evilnumbers!)

Jason
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070708/46696a8e/attachment.html

From csaba at linuxforum.hu Sun Jul 8 08:10:47 2007
From: csaba at linuxforum.hu (Kovács Csaba)
Date: Sun Jul 8 08:16:11 2007
Subject: Off-topic RDJ not working properly since DOS a few weeks back
In-Reply-To:
References:
Message-ID: <46908DF7.1070509@linuxforum.hu>

Jason Ede wrote:
>
> Ok, I know this is slightly off-topic, but has anyone else had problems
> with Rules_du_jour since the DDOS against sare and spamhaus a few
> weeks back?
>
>
>
> It runs fine when run manually, but when it runs overnight
> automatically it fails to download at least one of the rulesets and
> then gets stuck as below...
>
>
>
> ***WARNING***: spamassassin --lint failed.
> Rolling configuration files back, not restarting SpamAssassin.
> Rollback command is: mv -f /etc/mail/spamassassin/70_sare_evilnum0.cf
> /etc/mail/spamassassin/RulesDuJour/70_sare_evilnum0.cf.2; mv -f
> /etc/mail/spamassassin/RulesDuJour/70_sare_evilnum0.cf.20070708-0456
> /etc/mail/spamassassin/70_sare_evilnum0.cf;
>
>
>
>
I have the same problem:

***WARNING***: /usr/bin/spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is:
mv -f /etc/mail/spamassassin/70_sare_evilnum2.cf /etc/mail/spamassassin/RulesDuJour/70_sare_evilnum2.cf.2;
mv -f /etc/mail/spamassassin/RulesDuJour/70_sare_evilnum2.cf.20070708-0411 /etc/mail/spamassassin/70_sare_evilnum2.cf;
mv -f /etc/mail/spamassassin/70_sare_whitelist_spf.cf /etc/mail/spamassassin/RulesDuJour/70_sare_whitelist_spf.cf.2;
mv -f /etc/mail/spamassassin/RulesDuJour/70_sare_whitelist_spf.cf.20070708-0411 /etc/mail/spamassassin/70_sare_whitelist_spf.cf;

Csaba

From j.ede at birchenallhowden.co.uk Sun Jul 8 08:15:17 2007
From: j.ede at birchenallhowden.co.uk (Jason Ede)
Date: Sun Jul 8 08:16:14 2007
Subject: Off-topic RDJ not working properly since DOS a few weeks back
In-Reply-To:
References:
Message-ID:

Forgot to add that I keep clearing out the RulesDuJour directory in /etc/mail/spamassassin...

From j.ede at birchenallhowden.co.uk Sun Jul 8 08:38:50 2007
From: j.ede at birchenallhowden.co.uk (Jason Ede)
Date: Sun Jul 8 08:39:53 2007
Subject: Off-topic RDJ not working properly since DOS a few weeks back
In-Reply-To:
References: ,
Message-ID:

I think I've found a workaround in http://saupdates.openprotect.com/ although its a different way of doing it... Now just need to work out how to just select the rules I want in that list...

From ajcartmell at fonant.com Sun Jul 8 09:47:02 2007
From: ajcartmell at fonant.com (Anthony Cartmell) Date: Sun Jul 8 09:46:39 2007 Subject: Off-topic RDJ not working properly since DOS a few weeks back In-Reply-To: References: Message-ID: > Ok, I know this is sligtly off-topic, but has anyone else had problems > with Rules_du_jour since the DDOS against sare and spamhaus a few weeks > back? Yes, and I've even added in a five-second pause between checking each rule. Hasn't helped :( Might investigate doing the updates at a different time of day. Anthony -- www.fonant.com - Quality web sites From j.ede at birchenallhowden.co.uk Sun Jul 8 09:55:50 2007 From: j.ede at birchenallhowden.co.uk (Jason Ede) Date: Sun Jul 8 09:56:52 2007 Subject: Off-topic RDJ not working properly since DOS a few weeks back In-Reply-To: References: , Message-ID: Just found this... http://www.nabble.com/Patch-for-rules_du_jour-t3996266.html which has an update for RDJ script.... --- /root/rules_du_jour.orig 2007-06-17 21:01:24.000000000 -0500 +++ /var/lib/spamassassin/rules_du_jour 2007-06-28 14:07:37.000000000 -0500 
@@ -780,7 +780,30 @@ [ "${DEBUG}" ] && echo "Retrieving file from ${CF_URL}..."; # send wget output to a temp file for grepping - HttpGet ${CF_URL} ${TMPDIR}/${CF_BASENAME}; + # + # This while loop is a fix for Rules Emporium honey-pot DDoS + # shield as of 6/28/07. Send comments and bugs to Lindsay Haisley, + # fmouse@.... + GET_COUNT=1; + MAX_GET_COUNT=4; + while [ ${GET_COUNT} -lt ${MAX_GET_COUNT} ]; do + HttpGet ${CF_URL} ${TMPDIR}/${CF_BASENAME}; + if ${GREP} -iq 'META HTTP-EQUIV' ${TMPDIR}/${CF_BASENAME} ; then + rm -f ${TMPDIR}/${CF_BASENAME}; + sleep 1; + [ "${DEBUG}" ] && echo "Got refresh URL, pass ${GET_COUNT}..."; + GET_COUNT=`expr ${GET_COUNT} + 1`; + else + [ "${DEBUG}" ] && echo "Rules file OK, pass ${GET_COUNT}..."; + GET_COUNT=`expr ${MAX_GET_COUNT} + 1`; + fi + done + if ${GREP} -iq 'META HTTP-EQUIV' ${TMPDIR}/${CF_BASENAME} ; then + rm -f ${TMPDIR}/${CF_BASENAME}; + GET_COUNT=`expr ${GET_COUNT} - 1`; + [ "${DEBUG}" ] && echo "Download of ${CF_BASENAME} FAILED after ${GET_COUNT} tries. Skipping ..."; + fi + # Append these errors to a variable to be mailed to the admin (later in script) [ "${FAILED}" ] && RULES_THAT_404ED="${RULES_THAT_404ED}\n${CF_NAME} had an unknown error:\n${HTTP_ERROR}"; ________________________________________ 
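Review bot: the check after `done` can never report a failure, because every pass that finds 'META HTTP-EQUIV' already runs `rm -f ${TMPDIR}/${CF_BASENAME}` inside the loop, so the second `${GREP}` runs against a file that no longer exists and the "FAILED after ... tries" branch is dead code (grep only emits a missing-file error). Record the outcome in a flag set inside the loop and test that flag after `done`; the same place should set `FAILED`, which the context line after the added block tests, so a ruleset that was never fetched is reported and skipped rather than carried forward with no file. Two smaller points: with GET_COUNT=1 and `-lt ${MAX_GET_COUNT}` the loop makes at most 3 requests although MAX_GET_COUNT is 4, and `${CF_URL}` and `${TMPDIR}/${CF_BASENAME}` should be double-quoted wherever they are passed to `HttpGet`, `${GREP}` and `rm`.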
From rcooper at dwford.com Sun Jul 8 16:57:42 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Sun Jul 8 16:57:51 2007
Subject: Off-topic RDJ not working properly since DOS a few weeks back
In-Reply-To:
References:
Message-ID: <01c801c7c178$b7d58ad0$0301a8c0@SAHOMELT>

_____
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Ede
Sent: Sunday, July 08, 2007 3:05 AM
To: mailscanner@lists.mailscanner.info
Subject: Off-topic RDJ not working properly since DOS a few weeks back

Ok, I know this is slightly off-topic, but has anyone else had problems with Rules_du_jour since the DDOS against sare and spamhaus a few weeks back?

It runs fine when run manually, but when it runs overnight automatically it fails to download at least one of the rulesets and then gets stuck as below...

[Rick Cooper]
The preferred method (since before the DDOS) is to use sa-update. Look here for information as to how to add SARE channels to sa-update
http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt

I never had a problem when the DDOS attacks began

Rick

From MailScanner at ecs.soton.ac.uk Sun Jul 8 20:12:46 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 8 20:20:18 2007
Subject: HOWTO: Adding extra rulesets to SpamAssassin
Message-ID: <4691372E.4060709@ecs.soton.ac.uk>

Skipped content of type multipart/mixed

From MailScanner at ecs.soton.ac.uk Sun Jul 8 20:23:50 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 8 20:26:37 2007
Subject: Beta release: 4.62.2
Message-ID: <469139C6.1080002@ecs.soton.ac.uk>

I have just released a new beta to support the SAUPDATEARGS setting in /etc/MailScanner/sysconfig for easy implementation of the HOWTO I just published on adding extra rulesets to SpamAssassin without having to use RulesDuJour.

The full Change Log is this:

* New Features and Improvements *
1 Improved non-Linux installer.
1 Improved Linux installer.
1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this.
1 Upgraded MIME::Base64 to 3.07.
1 Improved error reporting for clamd permissions problems. Thanks Rick.
2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and /usr/sbin/update_spamassassin.
  For a good use of this, see http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt and search for "HOWTO" in the Subject: line of the MailScanner-discussion list archive. This process replaces RulesDuJour entirely.
  Another good ruleset to add to your setup is http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
  To download this automatically every night, fetch http://www.mailscanner.info/files/4/KAM.cf.sh and put it in /etc/cron.daily and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh").

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Sun Jul 8 20:35:02 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 8 20:37:56 2007
Subject: HOWTO: Adding extra rulesets to SpamAssassin
In-Reply-To: <4691372E.4060709@ecs.soton.ac.uk>
References: <4691372E.4060709@ecs.soton.ac.uk>
Message-ID: <46913C66.1040509@ecs.soton.ac.uk>

One thing I forgot to mention: the KAM.cf.sh script uses wget, so make sure you have that installed.

> However, there is one extra ruleset which you might like to try. I've
> got it going and it appears to work pretty well. Attached to this
> message is a file KAM.cf.sh which you should put into
> /etc/cron.daily/KAM.cf.sh and make it executable:
> chmod +x /etc/cron.daily/KAM.cf.sh
> Run it once to get the initial copy of the ruleset file. It will keep
> a backup copy of the KAM.cf ruleset in KAM.cf.backup, which it will
> use if it can't download KAM.cf correctly later.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

For all your IT requirements visit www.transtec.co.uk

From seamus at rheelweb.co.nz Mon Jul 9 03:40:41 2007
From: seamus at rheelweb.co.nz (Seamus Allan)
Date: Mon Jul 9 03:41:02 2007
Subject: Postfix Address Verification
In-Reply-To: <20070706071038.1D6C.GERARD@seibercom.net>
References: <20070706061414.C5CF.GERARD@seibercom.net> <74ACEB3E6A055643A89B8CEC74C7BF2488E0C7@WISENT.dcyb.net> <20070706071038.1D6C.GERARD@seibercom.net>
Message-ID: <4691A029.8060908@rheelweb.co.nz>

I suspect I have solved the problem.

After trying to set up sender domain verification (to prevent stuff from abcd@fghi.com) I discovered that people who had their domains with us could not send email, giving a 430 Domain not found error. (Needless to say the phones started ringing immediately!).

I then realised that Postfix wasn't using the relay map to determine whether a domain existed or not, it just did a dns lookup, in our case to our internal dns server. The internal DNS is used essentially only for the intranet and a few hostnames of servers, so most domains that it is 'authoritative' for only have A records for www.domain.com. So when postfix was querying to see whether domain.com existed, the DNS was giving no results and thusly, the 430 error popped up.

After fixing the DNS up, the sender domain verification worked, and I have just turned on the recipient verification back on to see whether that is fixed too.

Cheers all

Seamus

--
*Seamus Allan*
Network Engineer
Rheel Electronics Ltd
Phone +64-3-386 3070
Fax +64-3-386-3071
Mobile +64-21-178-2980
seamus@rheelweb.co.nz
www.rheel.co.nz

This e-mail together with any attachments is confidential, may be subject to legal privilege and may contain proprietary information, including information protected by copyright. If you are not the intended recipient, please do not copy, use or disclose this e-mail; please notify us immediately by return e-mail and then delete this e-mail.

From tipusadat at yahoo.com Mon Jul 9 07:33:10 2007
From: tipusadat at yahoo.com (msht)
Date: Mon Jul 9 07:35:11 2007
Subject: Commercial scanner clamav timed out!
References: <290316.6797.qm@web54401.mail.yahoo.com>
Message-ID:

Dear Wilson

Did you find any solution for this problem? I'm also having the same sort of problem and have yet to find any solution.

Rgds.

From minduni at ti-edu.ch Mon Jul 9 09:04:26 2007
From: minduni at ti-edu.ch (Marco Induni)
Date: Mon Jul 9 09:04:28 2007
Subject: Filename rule question
In-Reply-To: <223f97700707060540n7c7b022eye5700536d480541c@mail.gmail.com>
References: <468A6663.8010907@ti-edu.ch> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> <468CACEF.30202@ti-edu.ch> <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> <468CDC23.7000500@ti-edu.ch> <223f97700707051316y462cffd5ka6ce8064d614350f@mail.gmail.com> <468E09B6.10605@ti-edu.ch> <223f97700707060540n7c7b022eye5700536d480541c@mail.gmail.com>
Message-ID: <4691EC0A.3040209@ti-edu.ch>

Glenn Steen wrote:
> On 06/07/07, Marco Induni wrote:
>> Glenn Steen wrote:
> (snip)
>>
>> > To my tired eyes that doesn't look that bad... More's the pity...
>> Hope now your eyes are better
> :-)
>
>> > Seems you don't install SA and Clamav by way of Jules easy package (or
>> > else a lot more of the optional modules would be there)... Hm... One
>> > could start installing those, of course, but I don't see them having
>> > an effect.
>> In fact, we use uvscan(mcafee) and sometime clamav AV, but they are
>> installed apart (SA via CPAN / clamav make /make install)
> Ok. I don't think you need remove/reinstall with Jules package... It
> does more or less those, and then adds a lot of perl modules to make
> Mail::ClamAV happy. Would be passing strange if that had any impact on
> this problem.
>
>> > You did say that restoring the default filename/filetype
>> > rules files and reloading/restarting MailScanner didn't have any
>> > effect either? Most strange.
>> Yes, it is so.
>
> This makes me think there is something seriously wrong here... And
> perhaps not _directly_ related to the rule file used... Unless of
> course the files aren't readable or something strange like that...
> Nah, probably not.
>
>> > How did you install the MIME::* packages? Via jules installer or via
>> > distro or CPAN?
>> Via jules. I've installed the new version a couple of days ago.
>>
> You could try reinstall them (force them from CPAN or something), just
> to see that they build/install OK...
> Apart from this, you don't see any strange log entries in the normal
> syslog? We really need to get a handle on what is going bonkers here.
> Cheers

Glenn,
I'm on vacation. I will do all the tests starting from the 24th of July.
So I will not bother you for 2 weeks ;-)

Cheers
Marco

From daniel at danielf.ch Mon Jul 9 10:57:41 2007
From: daniel at danielf.ch (Daniel Fuhrer)
Date: Mon Jul 9 10:57:49 2007
Subject: MCP rule
Message-ID: <96EF3FB3C374A64187CCB0D0DA716F2446F8@idefix.danielf.local>

Hi all

I have a question about MCP rules. In general the rules are working.

Here are my rules:

header __BOUNCE_RULE1 Subject =~ /warning: could not send message for past 4 hours/i
header __BOUNCE_RULE2 Subject =~ /returned mail:/i
header __BOUNCE_RULE3 Subject =~ /delivery status notification/i
header __BOUNCE_RULE4 Subject =~ /delivery notification:/i
header __BOUNCE_RULE5 Subject =~ /mail system error/i
header __BOUNCE_RULE6 Subject =~ /undelivered mail/i
header __BOUNCE_RULE7 Subject =~ /failure delivery/i
header __BOUNCE_RULE8 Subject =~ /failure notice/i
header __BOUNCE_RULE9 Subject =~ /mail delivery problem/i
header __BOUNCE_RULE10 Subject =~ /delivery failure/i
header __BOUNCE_RULE11 Subject =~ /undeliverable mail/i
header __BOUNCE_RULE12 Subject =~ /mail delivery failed/i
header __BOUNCE_RULE20 Content-Type =~ /delivery-status/i
header __BOUNCE_RULE30 Auto-Submitted =~ /auto-generated/i
header __BOUNCE_RULE40 From =~ /mail delivery subsystem/i
header __BOUNCE_RULE41 From =~ /postmaster/i
header __BOUNCE_RULE42 From =~ /mailer-deamon/i
header __BOUNCE_RULE50 To =~ /newsletter/i

meta BOUNCE_RULE1 ((__BOUNCE_RULE1 || __BOUNCE_RULE2) && __BOUNCE_RULE20 && __BOUNCE_RULE30 && __BOUNCE_RULE40 && __BOUNCE_RULE50)
describe BOUNCE_RULE1 Indicates a bounce from the mailgateway
score BOUNCE_RULE1 12

meta BOUNCE_RULE2 ((__BOUNCE_RULE3 || __BOUNCE_RULE4 || __BOUNCE_RULE5 || __BOUNCE_RULE6 || __BOUNCE_RULE7 || __BOUNCE_RULE8 || __BOUNCE__RULE9 || __BOUNCE_RULE10 || __BOUNCE_RULE11 || __BOUNCE_RULE12) && (__BOUNCE_RULE40 || __BOUNCE_RULE41 || __BOUNCE_RULE42) && __BOUNCE_RULE50)
describe BOUNCE_RULE2 Indicates a bounce from a remote mailserver
score BOUNCE_RULE2 12

header T_BOUNCE_RULE1 Subject =~ /warning: could not send message for past 4 hours/i
describe T_BOUNCE_RULE1 BOUNCE_RULE Subject Warning: could not send message for past 4 hours
header T_BOUNCE_RULE2 Subject =~ /returned mail:/i
describe T_BOUNCE_RULE2 BOUNCE_RULE Subject Returned mail:
header T_BOUNCE_RULE3 Subject =~ /delivery status notification/i
describe T_BOUNCE_RULE3 BOUNCE_RULE Subject Delivery Status Notification
header T_BOUNCE_RULE4 Subject =~ /delivery notification:/i
describe T_BOUNCE_RULE4 BOUNCE_RULE Subject Delivery Notification
header T_BOUNCE_RULE5 Subject =~ /mail system error/i
describe T_BOUNCE_RULE5 BOUNCE_RULE Subject Mail System Error
header T_BOUNCE_RULE6 Subject =~ /undelivered mail/i
describe T_BOUNCE_RULE6 BOUNCE_RULE Subject Undelivered Mail
header T_BOUNCE_RULE7 Subject =~ /failure delivery/i
describe T_BOUNCE_RULE7 BOUNCE_RULE Subject Failure Delivery
header T_BOUNCE_RULE8 Subject =~ /failure notice/i
describe T_BOUNCE_RULE8 BOUNCE_RULE Subject failure notice
header T_BOUNCE_RULE9 Subject =~ /mail delivery problem/i
describe T_BOUNCE_RULE9 BOUNCE_RULE Subject Mail Delivery Problem
header T_BOUNCE_RULE10 Subject =~ /delivery failure/i
describe T_BOUNCE_RULE10 BOUNCE_RULE Subject Mail DELIVERY FAILURE
header T_BOUNCE_RULE11 Subject =~ /undeliverable mail/i
describe T_BOUNCE_RULE11 BOUNCE_RULE Subject Undeliverable Mail
header T_BOUNCE_RULE12 Subject =~ /mail delivery failed/i
describe T_BOUNCE_RULE12 BOUNCE_RULE Subject Mail delivery failed
header T_BOUNCE_RULE20 Content-Type =~ /delivery-status/i
describe T_BOUNCE_RULE20 BOUNCE_RULE Content-Type
header T_BOUNCE_RULE30 Auto-Submitted =~ /auto-generated/i
describe T_BOUNCE_RULE30 BOUNCE_RULE Auto-Submitted
header T_BOUNCE_RULE40 From =~ /Mail Delivery Subsystem/i
describe T_BOUNCE_RULE40 BOUNCE_RULE From
header T_BOUNCE_RULE41 From =~ /postmaster/i
describe T_BOUNCE_RULE41 BOUNCE_RULE From postmaster
header T_BOUNCE_RULE42 From =~ /MAILER-DAEMON/i
describe T_BOUNCE_RULE42 BOUNCE_RULE From MAILER-DAEMON
header T_BOUNCE_RULE50 To =~ /newsletter/i
describe T_BOUNCE_RULE50 BOUNCE_RULE To

The following mail is not marked as MCP Highscore and I don't understand why. Here is the MCP Report (from Mailwatch):

T_BOUNCE_RULE11 BOUNCE_RULE Subject Undeliverable Mail
T_BOUNCE_RULE20 BOUNCE_RULE Content-Type
T_BOUNCE_RULE42 BOUNCE_RULE From MAILER-DAEMON
T_BOUNCE_RULE50 BOUNCE_RULE To

Thanks for your help.

Cheers
Daniel

From jonas at vrt.dk Mon Jul 9 11:04:18 2007
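An added example, not part of the thread and not MailScanner or SpamAssassin code: a small Python checker for header/meta rule text such as the set Daniel Fuhrer posted above. It reports meta rules that reference a name no rule defines, and T_ test rules that hit while their double-underscore counterpart does not; the sample headers are constructed to give the same four hits as the MCP report, and counting an undefined name as "not hit" is an assumption of this example.

```python
import re

# Copied from the post: the __ sub-rules, both metas and the four T_ rules
# named in the MCP report. Spelling is kept exactly as posted.
RULES = r"""
header __BOUNCE_RULE1 Subject =~ /warning: could not send message for past 4 hours/i
header __BOUNCE_RULE2 Subject =~ /returned mail:/i
header __BOUNCE_RULE3 Subject =~ /delivery status notification/i
header __BOUNCE_RULE4 Subject =~ /delivery notification:/i
header __BOUNCE_RULE5 Subject =~ /mail system error/i
header __BOUNCE_RULE6 Subject =~ /undelivered mail/i
header __BOUNCE_RULE7 Subject =~ /failure delivery/i
header __BOUNCE_RULE8 Subject =~ /failure notice/i
header __BOUNCE_RULE9 Subject =~ /mail delivery problem/i
header __BOUNCE_RULE10 Subject =~ /delivery failure/i
header __BOUNCE_RULE11 Subject =~ /undeliverable mail/i
header __BOUNCE_RULE12 Subject =~ /mail delivery failed/i
header __BOUNCE_RULE20 Content-Type =~ /delivery-status/i
header __BOUNCE_RULE30 Auto-Submitted =~ /auto-generated/i
header __BOUNCE_RULE40 From =~ /mail delivery subsystem/i
header __BOUNCE_RULE41 From =~ /postmaster/i
header __BOUNCE_RULE42 From =~ /mailer-deamon/i
header __BOUNCE_RULE50 To =~ /newsletter/i
meta BOUNCE_RULE1 ((__BOUNCE_RULE1 || __BOUNCE_RULE2) && __BOUNCE_RULE20 && __BOUNCE_RULE30 && __BOUNCE_RULE40 && __BOUNCE_RULE50)
meta BOUNCE_RULE2 ((__BOUNCE_RULE3 || __BOUNCE_RULE4 || __BOUNCE_RULE5 || __BOUNCE_RULE6 || __BOUNCE_RULE7 || __BOUNCE_RULE8 || __BOUNCE__RULE9 || __BOUNCE_RULE10 || __BOUNCE_RULE11 || __BOUNCE_RULE12) && (__BOUNCE_RULE40 || __BOUNCE_RULE41 || __BOUNCE_RULE42) && __BOUNCE_RULE50)
header T_BOUNCE_RULE11 Subject =~ /undeliverable mail/i
header T_BOUNCE_RULE20 Content-Type =~ /delivery-status/i
header T_BOUNCE_RULE42 From =~ /MAILER-DAEMON/i
header T_BOUNCE_RULE50 To =~ /newsletter/i
"""

# Constructed headers (not from the thread), chosen to produce the same four
# T_ hits as the MCP report quoted in the post.
SAMPLE = {
    "subject": "Undeliverable Mail",
    "content-type": "multipart/report; report-type=delivery-status",
    "from": "MAILER-DAEMON@mx.example.net",
    "to": "newsletter@example.com",
}

HEADER_RE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/(i?)\s*$")
META_RE = re.compile(r"^meta\s+(\S+)\s+(.+)$")
NAME_RE = re.compile(r"[A-Za-z_]\w*")
TOKEN_RE = re.compile(r"\s*(&&|\|\||!|\(|\)|[A-Za-z_]\w*)")
OPS = {"&&": "and", "||": "or", "!": "not", "(": "(", ")": ")"}

def parse(text):
    """Return ({rule: (header, regex)}, {meta: expression})."""
    headers, metas = {}, {}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            name, hdr, pat, flag = m.groups()
            headers[name] = (hdr.lower(), re.compile(pat, re.I if flag else 0))
        m = META_RE.match(line.strip())
        if m:
            metas[m.group(1)] = m.group(2)
    return headers, metas

def undefined_refs(headers, metas):
    """Meta rules that reference a name no header or meta rule defines."""
    known = set(headers) | set(metas)
    found = {n: sorted(set(NAME_RE.findall(e)) - known) for n, e in metas.items()}
    return {n: missing for n, missing in found.items() if missing}

def eval_meta(expr, hits):
    """Evaluate a boolean-only meta; unknown names count as not hit (assumption)."""
    expr, pos, out = expr.strip(), 0, []
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError("unsupported token at %r" % expr[pos:pos + 10])
        tok = m.group(1)
        out.append(OPS[tok] if tok in OPS else str(tok in hits))
        pos = m.end()
    # Only and/or/not, parentheses and True/False can reach eval here.
    return eval(" ".join(out), {"__builtins__": {}})

def analyse(rule_text, msg):
    headers, metas = parse(rule_text)
    hits = {n for n, (hdr, rx) in headers.items() if rx.search(msg.get(hdr, ""))}
    twin = lambda n: "__" + n[2:]
    drift = sorted(twin(n) for n in hits
                   if n.startswith("T_") and twin(n) in headers and twin(n) not in hits)
    return {
        "undefined": undefined_refs(headers, metas),
        "hits": hits,
        "drift": drift,  # T_ rule hit, scoring twin did not: patterns differ
        "fired": sorted(n for n, e in metas.items() if eval_meta(e, hits)),
    }

if __name__ == "__main__":
    print(analyse(RULES, SAMPLE))
```

On the posted rules it reports `__BOUNCE__RULE9` as undefined in BOUNCE_RULE2 and shows T_BOUNCE_RULE42 hitting while `__BOUNCE_RULE42` does not, which leaves the From group of BOUNCE_RULE2 false for the constructed message.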
From: jonas at vrt.dk (Jonas A. Larsen)
Date: Mon Jul 9 11:04:41 2007
Subject: How to monitor the health of the MailScanner architecture
Message-ID: <000901c7c210$8d1f4310$a75dc930$@dk>

Hello all

I have a problem, and discussing it on the irc channel didn't turn up any obvious solution.

Say you have more than 1 MS box scanning mails for a specific domain. They are load balanced in some way, so the load is split over the servers.

Now let's say one of the servers has a problem. Not a fatal problem, so the server is still running (responds to pings etc), port 25 is still open, and exim (the mta in my case) still accepts mails.

But for some reason (crash, corrupt config, full root fs etc.) the process of moving mails from the incoming queue to the outgoing queue is not working.

What I am interested in is a system to alert me of such a problem automatically.

Currently the only thing, besides clients noticing mail being delayed, is for me to look at my mailscanner-mrtg graphs for the incoming queue and notice that it's growing.

One method of doing all this automatically that we came up with would be some complex system that would work as follows:

You create a domain for each MailScanner, that only that MailScanner scans for.

You then create an imap account on another system for each of the domains.

You then create a script that sends a mail to each of the accounts and after X amount of minutes checks to see if the mail has arrived on the imap account. If yes, delete the mail and do the same thing again after Y amount of minutes (a cron job); if it doesn't exist, something must be wrong with the mailflow, either it's interrupted or is experiencing delays.

Does anybody have a better idea or know of something that can do this already?

My root file system ran full last week, and it caused mails to still be accepted (incoming is on /var on another disk) but MS was frozen because it couldn't extract attachments to /tmp, which was full because it was on the same disk as the root fs.

I hope I have made the above somewhat clear, if not please ask me to clarify.

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 33369974
Fax: 7020 0978
Mobile: 51201096
Web: www.techbiz.dk

From paul.hutchings at mira.co.uk Mon Jul 9 11:23:56 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Mon Jul 9 11:24:14 2007
Subject: Phishing Whitelist
Message-ID:

phishing.safe.sites.conf says to email updates to phishing@mailscanner.info - this address bounces though as user unknown.

Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378
Fax: 44 (0)24 7635 8378
mailto:paul.hutchings@mira.co.uk

--
MIRA Ltd. Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England No. 402570 VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

From Alistair.Carmichael at ntltravel.com Mon Jul 9 11:31:25 2007
From: Alistair.Carmichael at ntltravel.com (Alistair Carmichael)
Date: Mon Jul 9 11:31:29 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <000901c7c210$8d1f4310$a75dc930$@dk>
References: <000901c7c210$8d1f4310$a75dc930$@dk>
Message-ID: <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local>

Hi,

The monitoring software I use - nagios is capable of this, without going into too much detail it's basically a monitoring tool that can run on a webserver and then check the status of software such as your mta remotely as well as executing local scripts on each mailscanner server to check queue sizes and report back to the nagios monitoring server via the nagios nrpe plugin, which can be configured to alert via email or even sms once certain thresholds (e.g. queue size) are met.

In our setup I wrote my own queue size monitor script but there are nrpe scripts already created for various MTA's out there.

Al

________________________________
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.

From list-mailscanner at linguaphone.com Mon Jul 9 11:36:02 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Mon Jul 9 11:36:10 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <000901c7c210$8d1f4310$a75dc930$@dk>
References: <000901c7c210$8d1f4310$a75dc930$@dk>
Message-ID: <1183977362.27061.9.camel@gblades-suse.linguaphone-intranet.co.uk>

Have a look at Nagios. It will ssh into the box and perform various monitoring tasks. It can check disk space and monitor if particular processes are running as standard. You could easily write a custom check script to monitor the mail queue and alert if it grows too big.

From jonas at vrt.dk Mon Jul 9 12:06:57 2007
From: jonas at vrt.dk (Jonas A. Larsen)
Date: Mon Jul 9 12:07:19 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local>
References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local>
Message-ID: <002001c7c219$4d475580$e7d60080$@dk>

Hi Alistair and Gareth too.

I have used nagios for many years. However if you read my mail again, I specifically don't need to know the queue size or the status of the MTA, none of those can give you a definitive answer about whether or not mail flow is working, I need something that can check if mail is flowing and if it's delayed.

/Jonas

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alistair Carmichael
Sent: 9. juli 2007 12:31
To: MailScanner discussion
Subject: RE: How to monitor the health of the MailScanner architecture

Hi,

The monitoring software I use - nagios is capable of this, without going into too much detail it's basically a monitoring tool that can run on a webserver and then check the status of software such as your mta remotely as well as executing local scripts on each mailscanner server to check queue sizes and report back to the nagios monitoring server via the nagios nrpe plugin, which can be configured to alert via email or even sms once certain thresholds (e.g. queue size) are met.

In our setup I wrote my own queue size monitor script but there are nrpe scripts already created for various MTA's out there.

Al

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jonas A. Larsen
Sent: 09 July 2007 11:04
To: mailscanner@lists.mailscanner.info
Subject: How to monitor the health of the MailScanner architecture

Hello all

I have a problem, and discussing it on the irc channel didn't turn up any obvious solution.

Say you have more than 1 MS box scanning mails for a specific domain. They are load balanced in some way, so the load is split over the servers.

Now lets say one of the servers have a problem. Not a fatal problem, so the server is still running (responds to pings etc) port 25 is still open, and exim (the mta in my case) still accepts mails.

But for some reason, crash, corrupt config, full root fs etc. the process of moving mails from the incoming queue to the outgoing queue is not working.

What I am interested in, is a system to alert me of such a problem automatically.

Currently the only thing, besides clients noticing mail being delayed, is for me to look at my mailscaner-mrtg graphs for the incoming queue and notice that its growing.

One method of doing all this automatically that we came up with, would be some complex system that would work as follows:

You create a domain for each MailScanner, that only that MailScanner scans for.

You then create an imap account on another system for each of the domains.

You then create a script that sends a mail to each of the accounts and after X amount of minutes check to see if the mail has arrived on the imap account. If yes, delete the mail and do the same thing again after Y amount of minutes (a cron job), if it doesn't exist something must be wrong with the mailflow, either its interrupted or is experiencing delays.

Do anybody have a better idea or know of something that can do this already?

My root file system ran full last week, and it caused mails to still be accepted (incoming is on /var on another disk) but MS was frozen because it couldn't extract attachments to /tmp which was full because it was on the same disk as the root fs.

I hope I have made the above somewhat clear, if not please ask me to clarify.

Med venlig hilsen / Best regards

Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 33369974
Fax: 7020 0978
Mobile: 51201096
Web: www.techbiz.dk

From list-mailscanner at linguaphone.com Mon Jul 9 12:20:38 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Mon Jul 9 12:20:45 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <002001c7c219$4d475580$e7d60080$@dk>
References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local> <002001c7c219$4d475580$e7d60080$@dk>
Message-ID: <1183980038.27054.15.camel@gblades-suse.linguaphone-intranet.co.uk>

You can still use Nagios. You just need to decide exactly what you want to monitor.

For example look at the incoming mail queue and the date of the oldest file. If it is <5 minutes or so then you can assume it is working. If it is over 5 minutes then there could be a problem so check the sql database (assuming you are using mailwatch) to see if there have been any mails processed in last few minutes. If so then we just have a backlog otherwise something isn't working so alert.

On Mon, 2007-07-09 at 12:06, Jonas A. Larsen wrote:
> Hi Alistair and Gareth too.
>
> I have used nagios for many years. However if you read my mail again,
> I specifically don't need to know the queue size or the status of the
> MTA, none of those can give you a definitive answer about whether or
> not mail flow is working, I need something that can check if mail is
> flowing and if it's delayed.
>
> /Jonas
>
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> Alistair Carmichael
> Sent: 9. juli 2007 12:31
> To: MailScanner discussion
> Subject: RE: How to monitor the health of the MailScanner architecture
>
> Hi,
>
> The monitoring software I use - nagios is capable of this, without
> going into too much detail it's basically a monitoring tool that can
> run on a webserver and then check the status of software such as your
> mta remotely as well as executing local scripts on each mailscanner
> server to check queue sizes and report back to the nagios monitoring
> server via the nagios nrpe plugin, which can be configured to alert
> via email or even sms once certain thresholds (e.g. queue size) are
> met.
>
> In our setup I wrote my own queue size monitor script but there are
> nrpe scripts already created for various MTA's out there.
>
> Al
>
> ______________________________________________________________________
>
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jonas
> A. Larsen
> Sent: 09 July 2007 11:04
> To: mailscanner@lists.mailscanner.info
> Subject: How to monitor the health of the MailScanner architecture
>
> Hello all
>
> I have a problem, and discussing it on the irc channel didn't turn up
> any obvious solution.
>
> Say you have more than 1 MS box scanning mails for a specific domain.
> They are load balanced in some way, so the load is split over the
> servers.
>
> Now lets say one of the servers have a problem. Not a fatal problem,
> so the server is still running (responds to pings etc) port 25 is
> still open, and exim (the mta in my case) still accepts mails.
>
> But for some reason, crash, corrupt config, full root fs etc. the
> process of moving mails from the incoming queue to the outgoing queue
> is not working.
>
> What I am interested in, is a system to alert me of such a problem
> automatically.
>
> Currently the only thing, besides clients noticing mail being delayed,
> is for me to look at my mailscaner-mrtg graphs for the incoming queue
> and notice that its growing.
>
> One method of doing all this automatically that we came up with, would
> be some complex system that would work as follows:
>
> You create a domain for each MailScanner, that only that MailScanner
> scans for.
>
> You then create an imap account on another system for each of the
> domains.
>
> You then create a script that sends a mail to each of the accounts and
> after X amount of minutes check to see if the mail has arrived on the
> imap account. If yes, delete the mail and do the same thing again
> after Y amount of minutes (a cron job), if it doesn't exist something
> must be wrong with the mailflow, either its interrupted or is
> experiencing delays.
>
> Do anybody have a better idea or know of something that can do this
> already?
>
> My root file system ran full last week, and it caused mails to still
> be accepted (incoming is on /var on another disk) but MS was frozen
> because it couldn't extract attachments to /tmp which was full because
> it was on the same disk as the root fs.
>
> I hope I have made the above somewhat clear, if not please ask me to
> clarify.
>
> Med venlig hilsen / Best regards
>
> Jonas Akrouh Larsen
>
> TechBiz ApS
> Laplandsgade 4, 2. sal
> 2300 København S
>
> Office: 7020 0979
> Direct: 33369974
> Fax: 7020 0978
> Mobile: 51201096
> Web:www.techbiz.dk

From MailScanner at ecs.soton.ac.uk Mon Jul 9 12:29:13 2007
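Added example (not code posted to the list): the two-step test Gareth describes in the message above, written as a Nagios-style plugin. The 5-minute thresholds follow his message; the queue directory argument and the `last_processed` value, which the caller would read from MailWatch or the mail log, are assumptions.

```python
#!/usr/bin/env python3
"""Nagios-style plugin: is MailScanner still draining its incoming queue?

Added example. Thresholds and the source of last_processed are assumptions.
"""
import os
import sys
import time

# Standard Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def oldest_age(queue_dir, now=None):
    """Age in seconds of the oldest file under queue_dir, or None if it is empty."""
    now = time.time() if now is None else now
    oldest = None
    for root, _dirs, files in os.walk(queue_dir):
        for name in files:
            try:
                mtime = os.stat(os.path.join(root, name)).st_mtime
            except FileNotFoundError:
                continue  # picked up by the scanner between listing and stat
            if oldest is None or mtime < oldest:
                oldest = mtime
    return None if oldest is None else max(0.0, now - oldest)


def check_flow(queue_dir, last_processed, max_age=300, recent=300, now=None):
    """Return (nagios_status, message) for the incoming queue.

    last_processed is the epoch time of the newest message the scanner
    finished, or None if that is unknown (treated as "nothing processed").
    """
    now = time.time() if now is None else now
    if not os.path.isdir(queue_dir) or not os.access(queue_dir, os.R_OK | os.X_OK):
        return UNKNOWN, f"UNKNOWN - cannot read queue directory {queue_dir}"

    age = oldest_age(queue_dir, now)
    if age is None:
        return OK, "OK - incoming queue is empty"
    if age <= max_age:
        return OK, f"OK - oldest queued file is {age:.0f}s old"

    # Old mail is waiting: tell a backlog apart from a stalled scanner.
    if last_processed is not None and now - last_processed <= recent:
        return WARNING, (f"WARNING - backlog: oldest file {age:.0f}s old, "
                         f"last message processed {now - last_processed:.0f}s ago")
    return CRITICAL, (f"CRITICAL - oldest file {age:.0f}s old "
                      "and nothing processed recently")


def main(argv):
    if len(argv) not in (2, 3):
        print(f"UNKNOWN - usage: {argv[0]} QUEUE_DIR [LAST_PROCESSED_EPOCH]")
        return UNKNOWN
    try:
        last = float(argv[2]) if len(argv) == 3 else None
    except ValueError:
        print("UNKNOWN - LAST_PROCESSED_EPOCH must be a number")
        return UNKNOWN
    status, message = check_flow(argv[1], last)
    print(message)
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The full-root-filesystem case from the original post shows up here as CRITICAL: the MTA keeps writing into the incoming queue, the oldest file keeps ageing, and nothing is recorded as processed.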
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 9 12:33:26 2007
Subject: Phishing Whitelist
In-Reply-To:
References:
Message-ID: <46921C09.6040005@ecs.soton.ac.uk>

Many thanks for reporting that. Fixed now.

Paul Hutchings wrote:
> phishing.safe.sites.conf says to email updates to
> phishing@mailscanner.info - this address bounces though as user unknown.
>
> Paul Hutchings
> Network Administrator, MIRA Ltd.
> Tel: 44 (0)24 7635 5378
> Fax: 44 (0)24 7635 8378
> mailto:paul.hutchings@mira.co.uk

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

For all your IT requirements visit www.transtec.co.uk

From nick at inticon.net Mon Jul 9 13:20:42 2007
From: nick at inticon.net (Nick Brown)
Date: Mon Jul 9 13:21:21 2007
Subject: SpamAssassin Timeouts
Message-ID:

Evening All,

Apologies in advance if this has been previously covered however the search function for this list seems to be down currently.

We have been running a Postfix + MailScanner (SpamAssassin / CLAMAV) server for a couple months with no issues to report. Works extremely well and the customers are only saying good things.

Over the last couple of days we have been configuring a second server which today we went live with and configured secondary MX records for all customers' domains.

Everything looks fine, configuration was pretty much identical to the first server.

Since the volume of mail has increased however on the new server we are seeing every second or third email giving us the following in the headers

X-MailScanner-SpamCheck: not spam,
        SpamAssassin (Disabled due to 20 consecutive timeouts)

A quick search through MailScanner.conf reveals the following are set with a value of 20;

File Timeout = 20
Ignore Spam Whitelist if Rec. Exceed = 20

Custom Spam Scanner Timeout=20
MCP Max SpamAssassin Timeouts = 20

Note that both the customer scanner and MCP checks are disabled so I don't believe these should come into play.

Nor do I believe the first two should be having an impact on standard emails that are clearly spam, and have no attachments.

Any suggestions you have are much appreciated :-)

Cheers
Nick Brown.

Sent using the Microsoft Entourage 2004 for Mac Test Drive.

From MailScanner at ecs.soton.ac.uk Mon Jul 9 13:55:08 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 9 13:58:40 2007
Subject: SpamAssassin Timeouts
In-Reply-To:
References:
Message-ID: <4692302C.20200@ecs.soton.ac.uk>

Check how fast your SpamAssassin is running. Run

MailScanner -debug -debug-sa

and thump Ctrl-S to freeze the output whenever it pauses. Thump Ctrl-Q to resume normal output again. That should give you an indication of anything that is running slowly. It may be dcc or razor or dns lookups taking a long time. They are the most likely candidates.

Jules.

Nick Brown wrote:
> Evening All,
>
> Apologies in advance if this has been previously covered however the search
> function for this list seems to be down currently.
>
> We have been running a Postfix + MailScanner (SpamAssassin / CLAMAV) server
> for a couple months with no issues to report. Works extremely well and the
> customers are only saying good things.
>
> Over the last couple of days we have been configuring a second server which
> today we went live with and configured secondary MX records for all
> customers' domains.
>
> Everything looks fine, configuration was pretty much identical to the first
> server.
>
> Since the volume of mail has increased however on the new server we are
> seeing every second or third email giving us the following in the headers
>
> X-MailScanner-SpamCheck: not spam,
> SpamAssassin (Disabled due to 20 consecutive timeouts)
>
> A quick search through MailScanner.conf reveals the following are set with a
> value of 20;
>
> File Timeout = 20
> Ignore Spam Whitelist if Rec. Exceed = 20
>
> Custom Spam Scanner Timeout=20
> MCP Max SpamAssassin Timeouts = 20
>
> Note that both the customer scanner and MCP checks are disabled so I don't
> believe these should come into play.
>
> Nor do I believe the first two should be having an impact on standard emails
> that are clearly spam, and have no attachments.
>
> Any suggestions you have are much appreciated :-)
>
> Cheers
> Nick Brown.
>
> Sent using the Microsoft Entourage 2004 for Mac Test Drive.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From dave.list at pixelhammer.com Mon Jul 9 14:02:47 2007
From: dave.list at pixelhammer.com (DAve)
Date: Mon Jul 9 14:03:59 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <002001c7c219$4d475580$e7d60080$@dk>
References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local> <002001c7c219$4d475580$e7d60080$@dk>
Message-ID: <469231F7.7030302@pixelhammer.com>

Jonas A. Larsen wrote:
> Hi Alistair and Gareth too.
>
> I have used nagios for many years. However if you read my mail again, I
> specifically don't need to know the queue size or the status of the MTA,
> none of those can give you a definitive answer about whether or not mail
> flow is working, I need something that can check if mail is flowing and
> if it's delayed.

I simply check for the existence of my normal daily report emails. I have backups running in the evening, audit reports in the early morning, ClamAV update results, server health emails, etc. If they stop, I have a problem. Something is reported nearly every hour of the day.

So simply checking whatever mailbox your reporting arrives in is an excellent indicator. No reporting shows up, MS has an issue or your entire network is hosed. In which case your pager has already alerted you to the problem ;^)

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From campbell at cnpapers.com Mon Jul 9 14:56:59 2007
From: campbell at cnpapers.com (Steve Campbell)
Date: Mon Jul 9 14:57:08 2007
Subject: Commercial scanner clamav timed out!
In-Reply-To:
References: <290316.6797.qm@web54401.mail.yahoo.com>
Message-ID: <46923EAB.2000603@cnpapers.com>

msht wrote:
> Dear Wilson
> did u find any solusion for this problem? i'm also having the same sort
> of problem and yet to find any solusion.
>
> Rgds.

Last week, I was getting tons of DDOS messages and also receiving this message in my logs. I am using an older version of everything as I haven't updated recently. I had just switched to clamavmodule on this machine.

Anyway, I'm not totally sure which resolved the problem, but I switched back to clamav and started mass blocking (in my access file and firewall) the IP ranges that were causing the problem messages. It was all related to timeouts, though, and I have a feeling the suggestions given in prior posts would solve the problem if you can get the timeout long enough to otherwise not cause problems with the delay.

I haven't seen the log messages since.

Steve Campbell

From ugob at lubik.ca Mon Jul 9 16:50:01 2007
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Jul 9 16:50:26 2007
Subject: switching from clamavmodule -> clamd... source?
Message-ID:

Hi,

I'd like to switch from clamavmodule to clamd. I used to use a source-install of clamav. I've read that the easiest way to get clamd running is using dag's RPM. However, a dependency for clamd is clamav and clamav-db. How will that play with my current source install of clamav? Should I move to using exclusively rpm clamav?

Regards,

Ugo

From martinh at solidstatelogic.com Mon Jul 9 16:57:01 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Jul 9 16:57:07 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To:
Message-ID: <61c1e3b889db9c49b35cbd16af95ae22@solidstatelogic.com>

Ugo

I just created a new init file for clamd, started that then switched over to clamd in the virus scanners, restarted MS and it was done..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Ugo Bellavance
> Sent: 09 July 2007 16:50
> To: mailscanner@lists.mailscanner.info
> Subject: switching from clamavmodule -> clamd... source?
>
> Hi,
>
> I'd like to switch from clamavmodule to clamd. I used to use a
> source-install of clamav. I've read that the easiest way to get clamd
> running is using dag's RPM. However, a dependency for clamd is clamav
> and clamav-db. How will that play with my current source install of
> clamav? Should I move to using exclusively rpm clamav?
>
> Regards,
>
> Ugo

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.

Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.

Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From ugob at lubik.ca Mon Jul 9 16:59:50 2007
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Jul 9 17:00:15 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To: <61c1e3b889db9c49b35cbd16af95ae22@solidstatelogic.com>
References: <61c1e3b889db9c49b35cbd16af95ae22@solidstatelogic.com>
Message-ID:

Martin.Hepworth wrote:
> Ugo

Hi Martin

> I just created a new init file for clamd, started that then switched
> over to clamd in the virus scanners, restarted MS and it was done..

Can you publish your script somewhere? I'm running Centos-4.

Thanks,

Ugo

From martinh at solidstatelogic.com Mon Jul 9 17:05:57 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Jul 9 17:06:02 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To:
Message-ID: <7916e7314ffecf4b930abfba47620357@solidstatelogic.com>

Mine is for FreeBSD so will be slightly different as it's using FreeBSD's macros'..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Ugo Bellavance
> Sent: 09 July 2007 17:00
> To: mailscanner@lists.mailscanner.info
> Subject: Re: switching from clamavmodule -> clamd... source?
>
> Martin.Hepworth wrote:
> > Ugo
>
> Hi Martin
>
> > I just created a new init file for clamd, started that then switched
> > over to clamd in the virus scanners, restarted MS and it was done..
>
> Can you publish your script somewhere? I'm running Centos-4.
>
> Thanks,
>
> Ugo

From ugob at lubik.ca Mon Jul 9 17:17:55 2007
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Jul 9 17:18:10 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To: <7916e7314ffecf4b930abfba47620357@solidstatelogic.com>
References: <7916e7314ffecf4b930abfba47620357@solidstatelogic.com>
Message-ID:

Martin.Hepworth wrote:
> Mine is for FreeBSD so will be slightly different as it's using
> FreeBSD's macros'..

Ok, I didn't think quickly enough... here is the one used by dag's clamd rpm package:

---------------------------
#!/bin/sh
#
# Startup script for the Clam AntiVirus Daemon
#
# chkconfig: 2345 61 39
# description: Clam AntiVirus Daemon is a TCP/IP or socket protocol \
#              server.
# processname: clamd
# pidfile: /var/run/clamav/clamd.pid
# config: /etc/clamav.conf

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

[ -x /usr/sbin/clamd ] || exit 0

# See how we were called.
case "$1" in
  start)
        echo -n "Starting Clam AntiVirus Daemon: "
        daemon clamd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/clamd
        ;;
  stop)
        echo -n "Stopping Clam AntiVirus Daemon: "
        killproc clamd
        rm -f /var/clamav/clamd.socket
        rm -f /var/run/clamav/clamav.pid
        RETVAL=$?
        echo
### heres the fix... we gotta remove the stale files on restart
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/clamd
        ;;
  status)
        status clamd
        RETVAL=$?
        ;;
  restart|reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
  condrestart)
        [ -e /var/lock/subsys/clamd ] && restart
        RETVAL=$?
        ;;
  *)
        echo "Usage: clamd {start|stop|status|restart|reload|condrestart}"
        exit 1
esac

exit $RETVAL

From ugob at lubik.ca Mon Jul 9 17:22:48 2007
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Jul 9 17:25:08 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To:
References:
Message-ID:

Ugo Bellavance wrote:
> Hi,
>
> I'd like to switch from clamavmodule to clamd. I used to use a
> source-install of clamav. I've read that the easiest way to get clamd
> running is using dag's RPM. However, a dependency for clamd is clamav
> and clamav-db. How will that play with my current source install of
> clamav? Should I move to using exclusively rpm clamav?

It looks like the source install is overwritten by the RPM. This answers my question...

Ugo

From MailScanner at ecs.soton.ac.uk Mon Jul 9 17:48:20 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 9 17:52:56 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To:
References:
Message-ID: <469266D4.7060405@ecs.soton.ac.uk>

Ugo Bellavance wrote:
> Ugo Bellavance wrote:
>> Hi,
>>
>> I'd like to switch from clamavmodule to clamd. I used to use a
>> source-install of clamav. I've read that the easiest way to get
>> clamd running is using dag's RPM. However, a dependency for clamd is
>> clamav and clamav-db. How will that play with my current source
>> install of clamav? Should I move to using exclusively rpm clamav?
>
> It looks like the source install is overwritten by the RPM. This
> answers my question...

The source install by default goes in /usr/local, while the RPMs most often go into /usr/bin, /etc and so on.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

For all your IT requirements visit www.transtec.co.uk

From jan-peter at koopmann.eu Mon Jul 9 18:20:54 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Mon Jul 9 18:20:17 2007 Subject: Phishing fraud bug? Message-ID: Hi, I think there is a strange bug in the phishing detection. Look at this E-Mail Body snipplet (taken from Exim queue file): 1I7otX-000FTi-7d-D This is a multi-part message in MIME format. ------_=_NextPart_001_01C7C205.D495F46E Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Hallo Herr Koopmann, -- Test AG http://www.test.de Vorstand: Alexander Test Aufsichtsratvorsitzender: Claudius Test This is what I get after MailScanner has finished: MailScanner has detected a possible fraud attempt from "www.test.devorstand" claiming to be http://www.test.de Somehow MailScanner does not see that the URL is "http://www.test.de" only. I can provide the complete Exim-Queue files for download in case you need them Jules. Kind regards, JP From mc.mailscanner at clayreed.com Mon Jul 9 18:42:49 2007 From: mc.mailscanner at clayreed.com (Martin Clayton) Date: Mon Jul 9 18:42:57 2007 Subject: Phishing rules - url syntax Message-ID: Hi, I'm trying to help someone out here: http://forum.mailtraq.com/viewtopic.php?f=7&t=832 Replies to some of his messages are showing: | MailScanner has detected a possible fraud attempt from | "www.mailtraqdirect.co.uk" claiming to be (the rest of | the message is missing in the reply e-mail) He's using a free version of the Mailtraq MTA http://www.mailtraq.com/ which appends the following text to all email messages: | ______________________________________________________________ | Email via Mailtraq4Free from Enstar (www.mailtraqdirect.co.uk) ... or as text/html: | Test

| Email via Mailtraq4Free from Enstar (www.mailtraqdirect.co.uk) Is it possible that the url syntax is triggering the alert, or is the decision based on other factors (message headers, dns lookups...)? Any pointers, much appreciated. Cheers, Martin From MailScanner at ecs.soton.ac.uk Mon Jul 9 18:40:39 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 9 18:43:34 2007 Subject: Phishing fraud bug? In-Reply-To: References: Message-ID: <46927317.1010807@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I remove all whitespace in the link text fairly early on in the process. I do this as it could be quite possible to make a link look like something else by putting it at the end of a long line and inserting a line-break in the middle of it, appearing just like word-wrapping. So it sees http://www.test.devorstand: which is valid except there isn't a number after the ":". I might be able to do something about this, but certainly no promises. It's difficult to put the whitespace back in after you've taken it out :-( Koopmann, Jan-Peter wrote: > Hi, > > I think there is a strange bug in the phishing detection. Look at this > E-Mail Body snipplet (taken from Exim queue file): > > 1I7otX-000FTi-7d-D > This is a multi-part message in MIME format. > > ------_=_NextPart_001_01C7C205.D495F46E > Content-Type: text/plain; > charset="iso-8859-1" > Content-Transfer-Encoding: quoted-printable > > Hallo Herr Koopmann, > > > -- > Test AG > http://www.test.de > > Vorstand: Alexander Test > Aufsichtsratvorsitzender: Claudius Test > > > This is what I get after MailScanner has finished: > > MailScanner has detected a possible fraud attempt from > "www.test.devorstand" claiming to be http://www.test.de > > > > Somehow MailScanner does not see that the URL is "http://www.test.de" > only. I can provide the complete Exim-Queue files for download in case > you need them Jules. 
> > > Kind regards, > JP > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGknMYEfZZRxQVtlQRAvzxAKDRxVgqaaFFsNh987ezE9ZxbNSlEQCg1NxA vY3q2bvsX+h+K2UiE6DAzjI= =rcW/ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From johnnyb at marlboro.edu Mon Jul 9 18:56:21 2007 From: johnnyb at marlboro.edu (John Baker) Date: Mon Jul 9 18:56:22 2007 Subject: a clarification for Ignore Spam Whitelist rule Message-ID: <469276C5.1040303@marlboro.edu> Hello An organization who rents space from us over the summer had somebody unwittingly send out a mass mail with, I'm told, some 1000 recipients under To: rather than Bcc: This got tagged by our mailscanner. I need to be sure that none of our own bulk mail out ever gets ignored by the whitelist. I saw this in the log: ignored whitelist, had 50 recipients (>20) In my MailScanner.conf this is set to the default: Ignore Spam Whitelist If Recipients Exceed = 20 So I'm looking for two points of clarification here if anyone can help. 1: Does this rule only trigger if the recipients are in the To: field and ignore recipients in the Cc: or Bcc: fields? 2: where does the 50 come from here? Is it just how many postfix or mailscanner would consider at a time? 
Thanks -- John Baker Network Systems Administrator Marlboro College Phone: 451-7551 off campus; 551 on campus From holger at noefer.org Mon Jul 9 19:33:15 2007 From: holger at noefer.org (Holger Nöfer) Date: Mon Jul 9 19:33:22 2007 Subject: How to monitor the health of the MailScanner architecture In-Reply-To: <000901c7c210$8d1f4310$a75dc930$@dk> References: <000901c7c210$8d1f4310$a75dc930$@dk> Message-ID: <46927F6B.4020502@noefer.org> Hi, for the monitoring of my server I use hobbit. It has very nice plugins. If you use hobbit you have a hobbit-server (Monitoring server) and a hobbit-client (e.g. Mailserver). The Server does some checks from the server side and the client reports some values, like cpu load, disk usage, inodes, mailq items, mailq size and so on. On both sides, server and client, you can create your own scripts which can monitor your system. At the server side you can connect a gsm modem to the server to notify an admin if the server has some problems or you can use emails to notify them. It is very nice ;-) Best regards, Holger Jonas A. Larsen wrote: > Hello all > > > > I have a problem, and discussing it on the irc channel didn't turn up > any obvious solution. > > > > Say you have more than 1 MS box scanning mails for a specific domain. > They are load balanced in some way, so the load is split over the servers. > > > > Now let's say one of the servers has a problem. Not a fatal problem, so > the server is still running (responds to pings etc) port 25 is still > open, and exim (the mta in my case) still accepts mails. > > > > But for some reason, crash, corrupt config, full root fs etc. the > process of moving mails from the incoming queue to the outgoing queue is > not working. > > > > What I am interested in, is a system to alert me of such a problem > automatically. 
> > > > Currently the only thing, besides clients noticing mail being delayed, > is for me to look at my mailscanner-mrtg graphs for the incoming queue > and notice that it's growing. > > > > One method of doing all this automatically that we came up with, would > be some complex system that would work as follows: > > > > You create a domain for each MailScanner, that only that MailScanner > scans for. > > > > You then create an imap account on another system for each of the domains. > > > > You then create a script that sends a mail to each of the accounts and > after X amount of minutes check to see if the mail has arrived on the > imap account. If yes, delete the mail and do the same thing again after > Y amount of minutes (a cron job), if it doesn't exist something must be > wrong with the mailflow, either it's interrupted or is experiencing delays. > > > > Does anybody have a better idea or know of something that can do this already? > > > > My root file system ran full last week, and it caused mails to still be > accepted (incoming is on /var on another disk) but MS was frozen because > it couldn't extract attachments to /tmp which was full because it was on > the same disk as the root fs. > > > > I hope I have made the above somewhat clear, if not please ask me to > clarify. > > > > > > *Med venlig hilsen / Best regards* > > > > *Jonas Akrouh Larsen* > > * * > > TechBiz ApS > > Laplandsgade 4, 2. 
sal > > 2300 København S > > > > Office: 7020 0979 > > Direct: 33369974 > > Fax: 7020 0978 > > Mobile: 51201096 > > Web: www.techbiz.dk > > > From glenn.steen at gmail.com Mon Jul 9 20:32:37 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jul 9 20:32:40 2007 Subject: Filename rule question In-Reply-To: <4691EC0A.3040209@ti-edu.ch> References: <468A6663.8010907@ti-edu.ch> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> <468CACEF.30202@ti-edu.ch> <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> <468CDC23.7000500@ti-edu.ch> <223f97700707051316y462cffd5ka6ce8064d614350f@mail.gmail.com> <468E09B6.10605@ti-edu.ch> <223f97700707060540n7c7b022eye5700536d480541c@mail.gmail.com> <4691EC0A.3040209@ti-edu.ch> Message-ID: <223f97700707091232q691a2277i75715cfe09c3be94@mail.gmail.com> Good. . . I'm on vacation too;). On 09/07/07, Marco Induni wrote: > Glenn Steen wrote: > > On 06/07/07, Marco Induni wrote: > >> Glenn Steen wrote: > > (snip) > >> >> > >> >> > >> > To my tired eyes that doesn't look that bad... More's the pity... > >> Hope now your eyes are better > > :-) > > > >> > Seems you don't install SA and Clamav by way of Jules easy package (or > >> > else a lot more of the optional modules would be there)... Hm... One > >> > could start installing those, of course, but I don't see them having > >> > an effect. > >> In fact, we use uvscan(mcafee) and sometime clamav AV, but they are > >> installed apart (SA via CPAN / clamav make /make install) > > Ok. I don't think you need remove/reinstall with Jules package... It > > does more or less those, and then adds a lot of perl modules to make > > Mail::ClamAV happy. Would be passing strange if that had any impact on > > this problem. > > > >> > You did say that restoring the default filename/filetype > >> > rules files and reloading/restarting MailScanner didn't have any > >> > effect either? Most strange. > >> Yes, it is so. 
> > > > This make me think there is something seriously wrong here... And > > perhaps not _directly_ related to the rule file used... Unless of > > course the files aren't readable or something strange like that... > > Nah, probably not. > > > >> > How did you install the MIME::* packages? Via jules installer or via > >> > distro or CPAN? > >> Via jules. I've installed the new version a couple of days ago. > >> > > You could try reinstall them (force them from CPAN or something), just > > to see that they build/install OK... > > Apart from this, you don't see any strange log entries in the normal > > syslog? We really need to get a handle on what is going bonkers here. > > Cheers > Glenn, > I'm on vacation. I will do it all the test starting from 24 of july. > So I will not bother you for 2 weeks ;-) > > Cheers > Marco > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From jan-peter at koopmann.eu Mon Jul 9 20:38:39 2007 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Mon Jul 9 20:38:01 2007 Subject: Phishing fraud bug? In-Reply-To: References: Message-ID: Hi Jules, > I remove all whitespace in the link text fairly early on in the > process. > I do this as it could be quite possible to make a link look like > something else by putting it at the end of a long line and inserting a > line-break in the middle of it, appearing just like word-wrapping. But a newline character or similar would not be interpreted as part of the link by the MUA, would it? So clicking such a construct would not do any harm. Of course the user could always mark the entire seemingly link and copy&paste it in the browser. Hard to cover that. 
> So it sees > http://www.test.devorstand: > which is valid except there isn't a number after the ":". I might be > able to do something about this, but certainly no promises. It's > difficult to put the whitespace back in after you've taken it out :-( Hm. This will result in quite some false positives and already has. Due to a "new" german law all B2B e-mails in Germany need a legitimate disclaimer stating all sorts of information. While the home-page URL is voluntary, most of the companies will state it in the footer followed by additional information just as I quoted. All of them will be scrambled by MailScanner. Not sure how to solve this problem. Any ideas? Regards, JP From MailScanner at ecs.soton.ac.uk Mon Jul 9 21:04:33 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 9 21:07:32 2007 Subject: a clarification for Ignore Spam Whitelist rule In-Reply-To: <469276C5.1040303@marlboro.edu> References: <469276C5.1040303@marlboro.edu> Message-ID: <469294D1.6090409@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 John Baker wrote: > Hello > > An organization who rents space from us over the summer had somebody > unwittingly send out a mass mail with ,I'm told, some 1000 recipients > under To: rather than Bcc: This got tagged by our mailscanner. I need > to be sure that none of our own bulk mail out ever gets ignored by the > whitelist. > > I saw this in the log: > > ignored whitelist, had 50 recipients (>20) > > In my MailScanner.conf this is set to the default: > > Ignore Spam Whitelist If Recipients Exceed = 20 > > So I'm looking for two points of clarification here if anyone can help. > > 1: Does this rule only trigger if the recipients are in the To: field > and ignore recipients in the Ccc: or Bcc fields? It counts recipients, it doesn't look in the headers. So no, it does not specifically ignore recipients in the Cc: or Bcc: fields. > > 2: where does the 50 come from here? 
Is is just how many postfix or > mailscanner would consider at a time? Yes. > > Thanks Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGkpTSEfZZRxQVtlQRAqaAAKDqSgBX0YU+wbkUVoBTOqKOZLPVCACgsqgF IYfXginW2HuPFYdHSL7rkoQ= =/oLw -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Mon Jul 9 21:08:50 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 9 21:11:47 2007 Subject: Phishing fraud bug? In-Reply-To: References: Message-ID: <469295D2.1070904@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Koopmann, Jan-Peter wrote: > Hi Jules, > > >> I remove all whitespace in the link text fairly early on in the >> process. >> I do this as it could be quite possible to make a link look like >> something else by putting it at the end of a long line and inserting a >> line-break in the middle of it, appearing just like word-wrapping. >> > > But a newline character or similar would not be interpreted as part of > the link by the MUA, would it? So clicking such a construct would not do > any harm. Of course the user could always mark the entire seemingly link > and copy&paste it in the browser. Hard to cover that. > What about this simple HTML? http://www.nice.co .uk/ That would look like a word-wrapped link to www.nice.co.uk but would actually be a link to www.nasty.co.uk. I believe that's what I'm trying to cover. 
> > >> So it sees >> http://www.test.devorstand: >> which is valid except there isn't a number after the ":". I might be >> able to do something about this, but certainly no promises. It's >> difficult to put the whitespace back in after you've taken it out :-( >> > > Hm. This will result in quite some false positives and already has. Due > to a "new" german law all B2B e-mails in Germany need a legitimate > disclaimer stating all sorts of information. While the home-page URL is > voluntary, most of the companies will state it in the footer followed by > additional information just as I quoted. All of them will be scrambled > by MailScanner. > > Not sure how to solve this problem. Any ideas? > Not immediately, no. It's impossible to make the phishing net perfect. It's a very heuristic piece of code. Though if you fancy looking at the code and suggesting improvements, they are very welcome. It is documented fairly well at www.phishingnet.info. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGkpXTEfZZRxQVtlQRAh8vAKCFQa7sAxTpjrk6bsNt9ZNHJBwFqACgka/d TQW4OlpF5RNsbt2SAQn1BFU= =nktS -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
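How removing whitespace from link text plays out on the two cases raised in this thread, as an added Python example (not MailScanner's own code, which is Perl; the class and function names and all three HTML samples are constructed here). It assumes, following Julian's description, that all whitespace is stripped from the link text before the host it names is compared with the host in the href, and that the footer link's text ran on into the next footer line.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed samples modelled on the messages above.
WRAPPED_LINK = '<a href="http://www.nasty.co.uk/">http://www.nice.co<br>\n.uk/</a>'
FOOTER_LINK = ('<a href="http://www.test.de">http://www.test.de<br><br>\n'
               'Vorstand:</a> Alexander Test')
PLAIN_LINK = '<a href="http://www.test.de">http://www.test.de</a>'

# A host name at the start of the link text: optional scheme, dotted labels.
HOST_RE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z0-9-]+)")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
        elif tag == "br" and self._href is not None:
            self._text.append("\n")  # a <br> is shown as a line break

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def claimed_host(link_text):
    """Host the link text appears to name, after removing ALL whitespace."""
    squeezed = re.sub(r"\s+", "", link_text).lower()
    match = HOST_RE.match(squeezed)
    return match.group(1) if match else None


def check_links(html):
    """Return (href_host, text_host) for each link whose text names a
    different host from the one its href points to."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        href_host = urlsplit(href).hostname
        text_host = claimed_host(text)
        if href_host and text_host and href_host != text_host:
            findings.append((href_host, text_host))
    return findings


if __name__ == "__main__":
    for name, sample in (("wrapped", WRAPPED_LINK),
                         ("footer", FOOTER_LINK),
                         ("plain", PLAIN_LINK)):
        print(name, check_links(sample))
```

The wrapped link is caught because the two halves of its text are joined back into www.nice.co.uk; the footer link is flagged for the same reason, because "Vorstand:" is joined onto the host name.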
From gordon at itnt.co.za Mon Jul 9 21:11:57 2007 From: gordon at itnt.co.za (Gordon Colyn) Date: Mon Jul 9 21:12:21 2007 Subject: How to monitor the health of the MailScanner architecture References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local> Message-ID: <01d201c7c265$67a4af80$6503a8c0@gordon> Skipped content of type multipart/alternative
-------------- next part --------------
#!/usr/bin/php -q
<?php
// The start of this attachment (its settings and the first status check) is
// not preserved in the archive. The code below expects $mySERVER, $myUSER,
// $myPASS, $myDB, $inlimit, $outlimit and $mailto to be set here; setting
// $silent suppresses the status output.
// Uses the legacy mysql_* extension (removed in PHP 7).
if(isset($silent)){
    //Do not say anything, keep headers clean
}else{
    echo "<br>Verifying Stateful Database Connection...";
}
$link = mysql_connect($mySERVER, $myUSER, $myPASS) or die("Database Connection Check FAILED: " . mysql_error());
if(isset($silent)){
    //Do not say anything, keep headers clean
}else{
    echo "OK";
    echo "<br>Verifying Database Integrity...";
}
mysql_select_db($myDB) or die("Database Integrity Check FAILED: " . mysql_error());
if(isset($silent)){
    //Do not say anything, keep headers clean
}else{
    echo "OK";
}
//DATABASE CONNECTION BUILT

// Current number of messages in the inbound and outbound queue tables
$inq = mysql_result(mysql_query("SELECT COUNT(*) FROM inq"),0);
$outq = mysql_result(mysql_query("SELECT COUNT(*) FROM outq"),0);
#$outq2 = mysql_result(mysql_query("SELECT COUNT(*) FROM outq2"),0);
#$outq3 = mysql_result(mysql_query("SELECT COUNT(*) FROM outq3"),0);
#$outq4 = mysql_result(mysql_query("SELECT COUNT(*) FROM outq4"),0);
#$outq5 = mysql_result(mysql_query("SELECT COUNT(*) FROM outq5"),0);
//echo "<br>Incoming: " . $inq . "<br>";
//echo "Outgoing: " . $outq . "<br>";

$mailme = 0;
$mailsubject = "Relay MailQ Alert: ";
if($inq > $inlimit){
    $mailme = 1;
    $mailsubject = $mailsubject . "Inbound Queue";
}
$outerror=0;
if($outq > $outlimit){
    $outerror=1;
}
// Checks for the extra outbound queues; enable together with the queries above.
#if($outq2 > $outlimit2){ $outerror=1; }
#if($outq3 > $outlimit3){ $outerror=1; }
#if($outq4 > $outlimit4){ $outerror=1; }
#if($outq5 > $outlimit5){ $outerror=1; }
if($outerror==1){
    if($mailme == 1){
        $mailsubject = $mailsubject . " & ";
    }
    $mailme = 1;
    $mailsubject = $mailsubject . "OutBound Queue";
}
if($mailme == 1){
    //send report
    //echo "<br>Report<br>";
    $mailsubject = $mailsubject . " Limits Exceeded";
    $mailbody = "Status \r\nInbound: " . $inq . "\r\nOutbound: " . $outq . /*"\r\nOutbound 2: " . $outq2 . " \r\nOutbound 3: " . $outq3 . " \r\nOutbound 4: " . $outq4 . "\r\nOutbound 5: " . $outq5 . */"\r\n\r\n This report was generated by an automated script, please do not reply to this address \r\n";
    //echo "<br>Subject: " . $mailsubject . "<br>";
    //echo "<br>Body: " . $mailbody . "<br>";
    mail($mailto,$mailsubject,$mailbody);
}else{
    //no report
    //echo "<br>no report<br>";
}
?>
From philippe at beau.nom.fr Mon Jul 9 21:52:49 2007 From: philippe at beau.nom.fr (Philippe BEAU) Date: Mon Jul 9 21:53:03 2007 Subject: Tag some mails and send to quarantine others .. Message-ID: <000601c7c26b$1cb176b0$64fefe0a@beauhqlo3ihx4g> Hello all, I've a Mailscanner gateway which is working very well. I would like to make some tweaks. Also, for the moment, the mails are tagged with a subject like "SPAM?". I would like for some domains only to delete the spam directly. Can anyone tell me if I can do this with a ruleset? Best regards and thanks Philippe, From jase at sensis.com Mon Jul 9 21:57:54 2007 From: jase at sensis.com (Desai, Jason) Date: Mon Jul 9 21:58:28 2007 Subject: HOWTO: Adding extra rulesets to SpamAssassin In-Reply-To: <4691372E.4060709@ecs.soton.ac.uk> Message-ID: <1951DC816E1A9F469307B05FA183F4389DC758@corpatsmail1.corp.sensis.com> You may also wish to rm -f /etc/mail/spamassassin/tripwire.cf Jase > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: Sunday, July 08, 2007 3:13 PM > To: MailScanner discussion > Subject: HOWTO: Adding extra rulesets to SpamAssassin > > I thought I would write this up as a little HOWTO on using the > SpamAssassin-recommended approach without having to use > RulesDuJour at all. > > Firstly disable RulesDuJour > chmod -x /etc/cron/daily/rules_du_jour_wrapper > Now it won't run every night. > > Next, delete all the rulesets downloaded by RulesDuJour, as > we're going > to use sa-update to get them instead. We don't want 2 copies of the > rulesets. > rm -f /etc/mail/spamassassin/*sare*cf > rm -rf /etc/mail/spamassassin/RulesDuJour > > Create a file for your list of SpamAssassin 'channels' including the > default set. Attached is a file to drop into > /etc/mail/spamassassin/jkf-channel-list.txt. Note that this is my > *personal* set of SARE rules that I use on my servers. 
I > strongly advise > you go to www.rulesemporium.com and read the descriptions of all the > rulesets and adapt the file to your own personal requirements. > > Next we need to add a PGP key to SpamAssassin's update > method. This is a > condensed version of > http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt. > wget http://daryl.dostech.ca/sa-update/sare/GPG.KEY > sa-update --import GPG.KEY > > Next we need to add some command-line arguments to the call > to sa-update. > > If you are using MailScanner 4.62.2 or later (which I'm just about to > publish) then edit /etc/sysconfig/MailScanner and edit the > definition of > SAUPDATEARGS to say > SAUPDATEARGS="-D --channelfile > /etc/mail/spamassassin/jkf-channel-list.txt --gpgkey 856AA88A" > (That should all be on one line of course) > Once you are happy everything is working, remove the "-D" and it will > run a lot more quietly. > > If you are using MailScanner 4.62.1 or earlier, then edit > /etc/cron.daily/sa-update and/or /etc/cron.daily/update_spamassassin > and/or /usr/sbin/update_spamassassin to make sure the call to > $SAUPDATE > says this: > $SAUPDATE -D --channelfile > /etc/mail/spamassassin/jkf-channel-list.txt > --gpgkey 856AA88A > (That should all be on one line of course) > Once you are happy everything is working, remove the "-D" and it will > run a lot more quietly. > > That concludes the main bit of this. > > However, there is one extra ruleset which you might like to try. I've > got it going and it appears to work pretty well. Attached to this > message is a file KAM.cf.sh which you should put into > /etc/cron.daily/KAM.cf.sh and make it executable: > chmod +x /etc/cron.daily/KAM.cf.sh > Run it once to get the initial copy of the ruleset file. It > will keep a > backup copy of the KAM.cf ruleset in KAM.cf.backup, which it > will use if > it can't download KAM.cf correctly later. > > That's about it. > I hope this improves the effectiveness of your spam checking. 
> > Jules > > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > From smlists at shaw.ca Mon Jul 9 22:03:35 2007 From: smlists at shaw.ca (Steve Mason) Date: Mon Jul 9 22:04:39 2007 Subject: Does Install-Clam upgrade Spamassassin? In-Reply-To: <469276C5.1040303@marlboro.edu> References: <469276C5.1040303@marlboro.edu> Message-ID: <000601c7c26c$a1296690$1424010a@mcscore> Hi all. Whilst changing over to sa-update from rules_du_jour, I seem to have hosed my spamassassin. Should install-Clam-0.90.3-SA-3.2.1 upgrade my spamassassin from 3.1.9 to 3.2.1? I ran it, and now I have a /var/lib/spamassassin/3.002.001 but spamassassin --version returns 3.1.9 and --lint coughs up a lot of errors now. Steve From lists at jfworks.net Mon Jul 9 22:07:24 2007 From: lists at jfworks.net (James) Date: Mon Jul 9 22:07:36 2007 Subject: Beta release: 4.62.2 In-Reply-To: <469139C6.1080002@ecs.soton.ac.uk> References: <469139C6.1080002@ecs.soton.ac.uk> Message-ID: <4692A38C.7090101@jfworks.net> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I have just released a new beta to support the SAUPDATEARGS setting in > /etc/MailScanner/sysconfig for easy implementation of the HOWTO I just > published on adding extra rulesets to SpamAssassin without having to use > RulesDuJour. > > The full Change Log is this: > > * New Features and Improvements * > 1 Improved non-Linux installer. > 1 Improved Linux installer. > 1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this. > 1 Upgraded MIME::Base64 to 3.07. > 1 Improved error reporting for clamd permissions problems. Thanks Rick. > 2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and > /usr/sbin/update_spamassassin. 
For a good use of this, see > http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt and search > for "HOWTO" in the Subject: line of the MailScanner-discussion list > archive. > This process replaces RulesDuJour entirely. > Another good ruleset to add to your setup is > http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf > To download this automatically every night, fetch > http://www.mailscanner.info/files/4/KAM.cf.sh and put it in > /etc/cron.daily > and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh"). > > Jules > Installed and working fine :) The directions you had posted regarding sa-update were helpful, thanks. My question is this: In the /etc/cron.daily/update_spamassassin script there is a comment about the default behavior and that it can cause problems if implemented. Is there any reason that I should not enable this script as I do want the daily updates via sa-update? Should I make my own cron for this then? Thanks, James From MailScanner at ecs.soton.ac.uk Mon Jul 9 22:05:14 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 9 22:07:46 2007 Subject: Tag some mails and send to quarantine others .. In-Reply-To: <000601c7c26b$1cb176b0$64fefe0a@beauhqlo3ihx4g> References: <000601c7c26b$1cb176b0$64fefe0a@beauhqlo3ihx4g> Message-ID: <4692A30A.8080706@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yes, you can do this with a ruleset. Ruleset example number 32767.... :-) In MailScanner.conf, put something like
Spam Actions = %rules-dir%/spam.actions.rules
High Scoring Spam Actions = %rules-dir%/spam.actions.rules
(You can of course make these point to different ruleset files if you want different actions for normal spam and high-scoring spam) In /etc/MailScanner/rules/spam.actions.rules put lines like
To: domain1.com store
To: domain2.com deliver
To: domain3.com deliver attachment store
which will do different things for mail to the 3 example domains. 
Then just service MailScanner reload and it will reload the new configuration and take actions based on it. Philippe BEAU wrote: > Hello all, > > I've a Mailscanner gateway which is working very well. I would like to make > some tweaks. Also, for the moment, the mails are tagged with a subject like > "SPAM?". I would like for somes domains only to delete directly the spam. > > Is anyone can say me if i can do this with a ruleset ? > > Best regards and thanks > > Philippe, > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGkqMLEfZZRxQVtlQRAhLwAJ9/Nxwhr0qvWhMZ+ZgAYyR/KCNYTgCfd1X6 oqV2hRm5jBkh0MOyIFellRY= =4W0O -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Mon Jul 9 22:18:22 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 9 22:21:18 2007 Subject: Does Install-Clam upgrade Spamassassin? In-Reply-To: <000601c7c26c$a1296690$1424010a@mcscore> References: <469276C5.1040303@marlboro.edu> <000601c7c26c$a1296690$1424010a@mcscore> Message-ID: <4692A61E.2070908@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Steve Mason wrote: > Hi all. Whilst changing over to sa-update from rules_du_jour, I seem to > have hosed my spamassassin. > > Should install-Clam-0.90.3-SA-3.2.1 upgrade my spamassassin from 3.1.9 to > 3.2.1? > Yes. But not if your SpamAssassin was installed via RPM. 
> I ran it, and now I have a /var/lib/spamassassin/3.002.001 but spamassassin > --version returns 3.1.9 and --lint coughs up a lot of errors now. > You probably have an RPM version of spamassassin installed as well. rpm -e spamassassin and then reinstall the latest spamassassin from my package. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGkqYfEfZZRxQVtlQRAp0FAJ9L7A+WDVl/0QLz6qvxuwrq9rjiAQCgvix1 Jk9X8ffFf6AVksSHiHY3OPU= =iuYa -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Mon Jul 9 22:20:34 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 9 22:24:33 2007 Subject: Beta release: 4.62.2 In-Reply-To: <4692A38C.7090101@jfworks.net> References: <469139C6.1080002@ecs.soton.ac.uk> <4692A38C.7090101@jfworks.net> Message-ID: <4692A6A2.7020605@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 James wrote: > Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> I have just released a new beta to support the SAUPDATEARGS setting >> in /etc/MailScanner/sysconfig for easy implementation of the HOWTO I >> just published on adding extra rulesets to SpamAssassin without >> having to use RulesDuJour. >> >> The full Change Log is this: >> >> * New Features and Improvements * >> 1 Improved non-Linux installer. >> 1 Improved Linux installer. >> 1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this. >> 1 Upgraded MIME::Base64 to 3.07. 
>> 1 Improved error reporting for clamd permissions problems. Thanks Rick. >> 2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and >> /usr/sbin/update_spamassassin. For a good use of this, see >> http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt and >> search >> for "HOWTO" in the Subject: line of the MailScanner-discussion list >> archive. >> This process replaces RulesDuJour entirely. >> Another good ruleset to add to your setup is >> http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf >> To download this automatically every night, fetch >> http://www.mailscanner.info/files/4/KAM.cf.sh and put it in >> /etc/cron.daily >> and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh"). >> >> Jules >> > Installed and working fine :) The directions you had posted regarding > sa-update were helpfull, thanks. > My question is this: In the /etc/cron.daily/update_spamassassin script > there is comment about the default > behavior and that it can cause problems if implimented. Is there any > reason that I should not enable this script as I do want the > daily updates vi sa-update ? Should I make my own cron for this then? Sorry, that comment is rather out of date now. I'll remove it. It's quite safe these days, the problems were from the first release of SpamAssassin's sa-update program. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGkqajEfZZRxQVtlQRApfqAKDU2LE51ge88UTOTVExqB2+PrXGBwCfTKS5 4JJofHCn5Zu3i6qevyNoUl4= =ifQJ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 

From smlists at shaw.ca Mon Jul 9 22:33:28 2007
From: smlists at shaw.ca (Steve Mason)
Date: Mon Jul 9 22:34:25 2007
Subject: Does Install-Clam upgrade Spamassassin?
In-Reply-To: <4692A61E.2070908@ecs.soton.ac.uk>
References: <469276C5.1040303@marlboro.edu> <000601c7c26c$a1296690$1424010a@mcscore> <4692A61E.2070908@ecs.soton.ac.uk>
Message-ID: <000701c7c270$c9db8100$1424010a@mcscore>

>
>Yes. But not if your SpamAssassin was installed via RPM.
>You probably have an RPM version of spamassassin installed as well.
> rpm -e spamassassin
>and then reinstall the latest spamassassin from my package.

D'oh!! Of course. Thanks!

From glenn.steen at gmail.com Mon Jul 9 22:52:39 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Jul 9 22:52:41 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <002001c7c219$4d475580$e7d60080$@dk>
References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local> <002001c7c219$4d475580$e7d60080$@dk>
Message-ID: <223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com>

On 09/07/07, Jonas A. Larsen wrote:
>
> Hi Alistair and Gareth too.
>
> I have used nagios for many years. However if you read my mail again, I
> specifically don't need to know the queue size or the status of the MTA,
> none of those can give you a definitive answer about whether or not mail
> flow is working, I need something that can check if mail is flowing and if
> it's delayed.
>
Um, just script up a snippet that sends a mail through to a service account (use telnet with expect, or perl or whatever... Make that sending snippet a function/sub/procedure and let it take an argument servername, then loop through the list of servers.... You know what to do:-), then use an automated MUA in the same script (whatever you need) to check that it is received within a reasonable time...
Nail within an expect script would be nice for that last bit ... How hard can it be:-):-).
You'd have to keep an eye on reasonable timing, and think through how to report errors...
Could probably be incorporated as a testscript into any monitoring app... Or run from cron with some reasonable regularity.
Should be fairly easy to write up ... But I'm on vacation, so you do it yourself;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jan-peter at koopmann.eu Tue Jul 10 09:19:10 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Tue Jul 10 09:18:31 2007
Subject: Phishing fraud bug?
In-Reply-To:
References:
Message-ID:

Forget it. Looks like the link provided in the footer was wrong in the first place. Plain-Text is working like a charm. False alarm. Terribly sorry.

Regards,
JP

From jonas at vrt.dk Tue Jul 10 11:35:26 2007
From: jonas at vrt.dk (Jonas A. Larsen)
Date: Tue Jul 10 11:35:31 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com>
References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local> <002001c7c219$4d475580$e7d60080$@dk> <223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com>
Message-ID: <001e01c7c2de$074aa850$15dff8f0$@dk>

Hi Glenn

>
> Um, just script up a snippet that sends a mail through to a service
> account (use telnet with expect, or perl or whatever... Make that
> sending snippet a function/sub/procedure and let it take an argument
> servername, then loop through the list of servers.... You know what to
> do:-), then use an automated MUA in the same script (whatever you
> need) to check that it is received within a reasonable time... Nail
> within an expect script would be nice for that last bit ... How hard
> can it be:-):-).
> You'd have to keep an eye on reasonable timing, and think through how
> to report errors...
> Could probably be incorporated as a testscript into any monitoring
> app... Or run from cron with some reasonable regularity.
> Should be fairly easy to write up ... But I'm on vacation, so you do
> it yourself;-).
>

This is precisely what is needed :) regarding the "fairly easy to write up" I guess that depends on how elite coding scripting skills you have and how much time you got :)

We currently got it running using a freeware windows monitoring tool, that had this precise check.

I was just looking for something that already existed and general comments. (because I'm a lazy boy)

People seem to have misunderstood it a bit since they are recommending generic monitoring solutions. Neither nagios, bigbrother or others have the above solution. I actually think munin had something but it would have to be re-scripted to be useable (assuming I don't want to run munin)

I do find it odd though, that more or less nobody appears to be monitoring their mail systems in this way. I still say it's the only way to be 100% if your system is functioning or not.

Checking the mta daemon, mailscanner daemon, queue sizes etc. are all not a perfect way to check if the mailscanning process is functioning.

Cheers

Med venlig hilsen / Best regards
Jonas Akrouh Larsen
TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S
Office: 7020 0979
Direct: 33369974
Fax: 7020 0978
Mobile: 51201096
Web: www.techbiz.dk.
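
The round-trip check discussed in this thread (send a tagged message through each relay to a service account, then confirm it arrives within a deadline), as an added Python example that is not code from any list member or from MailScanner. All hostnames, addresses, credentials and thresholds are assumptions; the network calls are injectable so the timing logic can be exercised offline.

```python
#!/usr/bin/env python3
"""Round-trip mail-flow probe: send a tagged message through each relay and
confirm it reaches a service mailbox in time (illustrative example)."""
import imaplib
import smtplib
import sys
import time
import uuid
from email.message import EmailMessage

# Every host, address and threshold below is an assumption for this example.
SERVERS = ["mx1.example.org", "mx2.example.org"]
PROBE_FROM = "probe@example.org"
PROBE_TO = "mailflow-check@example.org"          # the service account
IMAP_HOST, IMAP_USER, IMAP_PASS = "imap.example.org", "mailflow-check", "CHANGE-ME"
WARN_AFTER, FAIL_AFTER, POLL = 60, 300, 10       # seconds
# Exit codes follow the 0/1/2/3 convention of Nagios-style check plugins.
EXIT_CODE = {"OK": 0, "DELAYED": 1, "MISSING": 2, "SEND_FAILED": 2, "UNKNOWN": 3}


def build_probe(server, token):
    """Build one probe; the random token ties an arrival to this run."""
    msg = EmailMessage()
    msg["From"], msg["To"] = PROBE_FROM, PROBE_TO
    msg["Subject"] = f"mailflow-probe {server} {token}"
    msg.set_content("Automated delivery check, safe to delete.\n")
    return msg


def smtp_send(server, msg):
    """Hand the probe to the relay under test on port 25."""
    with smtplib.SMTP(server, 25, timeout=30) as smtp:
        smtp.send_message(msg)


def imap_subjects():
    """Return the Subject headers of probe mails in the service mailbox."""
    subjects = []
    with imaplib.IMAP4_SSL(IMAP_HOST) as imap:
        imap.login(IMAP_USER, IMAP_PASS)
        imap.select("INBOX")
        _, data = imap.search(None, "SUBJECT", '"mailflow-probe"')
        for num in data[0].split():
            _, parts = imap.fetch(num, "(BODY.PEEK[HEADER.FIELDS (SUBJECT)])")
            subjects.append(parts[0][1].decode("ascii", "replace"))
            imap.store(num, "+FLAGS", "\\Deleted")   # keep the mailbox small
        imap.expunge()
    return subjects


def result(server, status, delay=None, detail=""):
    return {"server": server, "status": status, "delay": delay, "detail": detail}


def check_server(server, send=smtp_send, subjects=imap_subjects,
                 clock=time.monotonic, sleep=time.sleep):
    """Send one probe through `server`, then poll until it arrives or expires."""
    token = uuid.uuid4().hex
    started = clock()
    try:
        send(server, build_probe(server, token))
    except OSError as exc:                 # smtplib errors derive from OSError
        return result(server, "SEND_FAILED", detail=str(exc))
    while True:
        try:
            arrived = any(token in s for s in subjects())
        except (OSError, imaplib.IMAP4.error) as exc:
            # The checker itself is broken; say so instead of blaming the relay.
            return result(server, "UNKNOWN", detail=f"mailbox check failed: {exc}")
        delay = clock() - started
        if arrived:
            return result(server, "OK" if delay <= WARN_AFTER else "DELAYED", delay)
        if delay >= FAIL_AFTER:
            return result(server, "MISSING", delay, f"not received after {FAIL_AFTER}s")
        sleep(POLL)


def overall_exit(results):
    """Worst state wins; a real delivery failure outranks UNKNOWN."""
    codes = [EXIT_CODE[r["status"]] for r in results]
    return 2 if 2 in codes else max(codes, default=3)


def main():
    results = [check_server(server) for server in SERVERS]
    for r in results:
        delay = "-" if r["delay"] is None else f"{r['delay']:.0f}s"
        print(f"{r['status']:<11} {r['server']} delay={delay} {r['detail']}".rstrip())
    return overall_exit(results)


if __name__ == "__main__":
    sys.exit(main())
```

Run from cron or as a plugin of a monitoring tool; the token is matched anywhere in the Subject, so a tag prepended by the scanner does not break the check.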

From theodrake at comcast.net Tue Jul 10 14:25:54 2007
From: theodrake at comcast.net (Ed Bruce)
Date: Tue Jul 10 14:26:02 2007
Subject: Beta release: 4.62.2
In-Reply-To: <4692A6A2.7020605@ecs.soton.ac.uk>
References: <469139C6.1080002@ecs.soton.ac.uk> <4692A38C.7090101@jfworks.net> <4692A6A2.7020605@ecs.soton.ac.uk>
Message-ID: <469388E2.6060402@comcast.net>

Julian Field wrote:
>
>
> James wrote:
> > Julian Field wrote:
> >> I have just released a new beta to support the SAUPDATEARGS setting
> >> in /etc/MailScanner/sysconfig for easy implementation of the HOWTO I
> >> just published on adding extra rulesets to SpamAssassin without
> >> having to use RulesDuJour.
> >>
> >> The full Change Log is this:
> >>
> >> * New Features and Improvements *
> >> 1 Improved non-Linux installer.
> >> 1 Improved Linux installer.
> >> 1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this.
> >> 1 Upgraded MIME::Base64 to 3.07.
> >> 1 Improved error reporting for clamd permissions problems. Thanks Rick.
> >> 2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and
> >> /usr/sbin/update_spamassassin. For a good use of this, see
> >> http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt and search
> >> for "HOWTO" in the Subject: line of the MailScanner-discussion list
> >> archive.
> >> This process replaces RulesDuJour entirely.
> >> Another good ruleset to add to your setup is
> >> http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
> >> To download this automatically every night, fetch
> >> http://www.mailscanner.info/files/4/KAM.cf.sh and put it in
> >> /etc/cron.daily
> >> and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh").
> >>
> >> Jules
> >>
> > Installed and working fine :) The directions you had posted regarding
> > sa-update were helpful, thanks.
> > My question is this: In the /etc/cron.daily/update_spamassassin script
> > there is a comment about the default
> > behavior and that it can cause problems if implemented. Is there any
> > reason that I should not enable this script as I do want the
> > daily updates via sa-update? Should I make my own cron for this then?
> Sorry, that comment is rather out of date now. I'll remove it. It's
> quite safe these days, the problems were from the first release of
> SpamAssassin's sa-update program.
>
> Jules
>
That had me worried too. I am running the beta on my secondary MTA and all appears to be working. Just got my first email notification that KAM.cf.sh ran successfully. Also got a debug output from update_spamassassin and all looks good there also.

From dstraka at caspercollege.edu Tue Jul 10 15:06:34 2007
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Tue Jul 10 15:06:55 2007
Subject: Can't get to SARE, where to add rule?
In-Reply-To: <4688CC83.4060403@ecs.soton.ac.uk>
References: <46868B9E.2050409@ecs.soton.ac.uk><46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk> <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it><002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> <4688CC83.4060403@ecs.soton.ac.uk>
Message-ID: <46933E0A.61A4.0000.0@caspercollege.edu>

I get a timeout when trying to connect to the SARE site. I'm trying to get the PDF spam rules from there but..,
I've got this from a list posting last week, where would I put this to make it work? I have no experience with SA rules so be kind.

------------------------------------

This one was published yesterday, which the author claims to work okay:

full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
describe PDF_ONLY_SPAM PDF only Message, no text in message body
score PDF_ONLY_SPAM 2.0

-------------------------------------

Thanks,
--
Dan Straka
Systems Coordinator
Casper College
307.268.2399

From themba at dcdata.co.za Tue Jul 10 15:15:37 2007
From: themba at dcdata.co.za (Themba Ntleki)
Date: Tue Jul 10 15:12:49 2007
Subject: MailScanner not Logging!!
Message-ID: <46939489.2000306@dcdata.co.za>

Hi All,

I have a huge problem with MailScanner not logging messages,

With my working installs, When I:
tail -f /var/log/mail
I can see:
Logging message MSG#ID to SQL
then see:
Logged message MSG#ID to SQL.

With my problematic install, I cannot see the message: 'Logged message MSG#ID to SQL.' in the mail logs.

I'm running Suse Linux.

I have tried upgrading to the latest version of MailScanner, but nothing helps so far,

Please Help....

Kind Regards,
Themba Ntleki

--
This email and all contents are subject to the following disclaimer:
http://www.dcdata.co.za/emaildisclaimer.html

From MailScanner at ecs.soton.ac.uk Tue Jul 10 15:14:05 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 10 15:17:35 2007
Subject: Can't get to SARE, where to add rule?
In-Reply-To: <46933E0A.61A4.0000.0@caspercollege.edu>
References: <46868B9E.2050409@ecs.soton.ac.uk><46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk> <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it><002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> <4688CC83.4060403@ecs.soton.ac.uk> <46933E0A.61A4.0000.0@caspercollege.edu>
Message-ID: <4693942D.9030006@ecs.soton.ac.uk>

You could put it in /etc/MailScanner/spam.assassin.prefs.conf and then
service MailScanner reload

Daniel Straka wrote:
> I get a timeout when trying to connect to the SARE site. I'm trying to get the PDF spam rules from there but..,
> I've got this from a list posting last week, where would I put this to make it work? I have no experience with SA rules so be kind.
>
> ------------------------------------
>
> This one was published yesterday, which the author claims to work okay:
>
> full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
> describe PDF_ONLY_SPAM PDF only Message, no text in message body
> score PDF_ONLY_SPAM 2.0
>
> -------------------------------------
>
> Thanks,
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From list-mailscanner at linguaphone.com Tue Jul 10 15:20:10 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Tue Jul 10 15:20:17 2007
Subject: Can't get to SARE, where to add rule?
In-Reply-To: <4693942D.9030006@ecs.soton.ac.uk>
References: <46868B9E.2050409@ecs.soton.ac.uk><46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk> <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> <4688CC83.4060403@ecs.soton.ac.uk> <46933E0A.61A4.0000.0@caspercollege.edu> <4693942D.9030006@ecs.soton.ac.uk>
Message-ID: <1184077210.30189.31.camel@gblades-suse.linguaphone-intranet.co.uk>

Or you could email webmaster@rulesemporium.com and ask to use the PDFinfo plugin. This comes with some rules as standard but you can write your own using it (it includes lots of examples).

On Tue, 2007-07-10 at 15:14, Julian Field wrote:
> You could put it in /etc/MailScanner/spam.assassin.prefs.conf and then
> service MailScanner reload
>
>
> Daniel Straka wrote:
> > I get a timeout when trying to connect to the SARE site. I'm trying to get the PDF spam rules from there but..,
> > I've got this from a list posting last week, where would I put this to make it work? I have no experience with SA rules so be kind.
> >
> > ------------------------------------
> >
> > This one was published yesterday, which the author claims to work okay:
> >
> > full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
> > describe PDF_ONLY_SPAM PDF only Message, no text in message body
> > score PDF_ONLY_SPAM 2.0
> >
> > -------------------------------------
> >
> > Thanks,
> >
>
> Jules
>
> --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From Alistair.Carmichael at ntltravel.com Tue Jul 10 15:24:51 2007
From: Alistair.Carmichael at ntltravel.com (Alistair Carmichael)
Date: Tue Jul 10 15:25:00 2007
Subject: MailScanner not Logging!!
In-Reply-To: <46939489.2000306@dcdata.co.za>
References: <46939489.2000306@dcdata.co.za>
Message-ID: <6EEC6D949794754FB8D83A4D87DF7168BE6618@gh-redd-exch-01.redditch.ntltravel.local>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Themba Ntleki
Sent: 10 July 2007 15:16
To: mailscanner@lists.mailscanner.info
Subject: MailScanner not Logging!!

Hi All,

I have a huge problem with MailScanner not logging messages,

With my working installs, When I:
tail -f /var/log/mail
I can see:
Logging message MSG#ID to SQL
then see:
Logged message MSG#ID to SQL.

With my problematic install, I cannot see the message: 'Logged message MSG#ID to SQL.' in the mail logs.

I'm running Suse Linux.

I have tried upgrading to the latest version of MailScanner, but nothing helps so far,

Please Help....

Kind Regards,
Themba Ntleki

Hi,

Check your MailWatch.pm file that you have the correct database name, user, password and host configured here, if these are correct make sure you can connect with:

mysql -u(username) -p(password) -h(host) (dbname)

At command line, you should get to a prompt like mysql> if you get an error this is likely to be the same cause of why you don't see the logged message x to sql, if this all succeeds I would restart mailscanner in debug mode paying attention to your maillog file and your messages file.

--
This email and all contents are subject to the following disclaimer:
http://www.dcdata.co.za/emaildisclaimer.html

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.

From ljosnet at gmail.com Tue Jul 10 16:05:38 2007
From: ljosnet at gmail.com (emm1)
Date: Tue Jul 10 16:05:41 2007
Subject: Strange CLAMD errors
Message-ID: <910ee2ac0707100805ne111c5fp32cba3558ad2a58c@mail.gmail.com>

Hello, after I upgraded to 4.61.7 on my FreeBSD 6.2 box I am seeing those errors.
I have checked to see if clamd is running and it is. Any ideas?

Jul 10 15:00:31 mainframe MailScanner[12276]: New Batch: Scanning 1 messages, 3973 bytes
Jul 10 15:00:31 mainframe MailScanner[12276]: Expired 1 records from the SpamAssassin cache
Jul 10 15:00:34 mainframe MailScanner[12276]: Virus and Content Scanning: Starting
Jul 10 15:00:34 mainframe MailScanner[13026]: ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON
Jul 10 15:00:34 mainframe MailScanner[12276]: ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Clamd found 1 infections
Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Found 1 viruses
Jul 10 15:00:34 mainframe MailScanner[12276]: Uninfected: Delivered 1 messages

From martinh at solidstatelogic.com Tue Jul 10 16:10:52 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Jul 10 16:10:55 2007
Subject: Strange CLAMD errors
In-Reply-To: <910ee2ac0707100805ne111c5fp32cba3558ad2a58c@mail.gmail.com>
Message-ID: <2c6de78b8ffff344b3dfb9e659555624@solidstatelogic.com>

Have you got clamd listening on a port (defined in MailScanner.conf and clamd.conf)?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of emm1
> Sent: 10 July 2007 16:06
> To: MailScanner discussion
> Subject: Strange CLAMD errors
>
> Hello, after I upgraded to 4.61.7 on my FreeBSD 6.2 box I am seeing
> those errors.
> I have checked to see if clamd is running and it is. Any ideas?
>
> Jul 10 15:00:31 mainframe MailScanner[12276]: New Batch: Scanning 1 messages, 3973 bytes
> Jul 10 15:00:31 mainframe MailScanner[12276]: Expired 1 records from the SpamAssassin cache
> Jul 10 15:00:34 mainframe MailScanner[12276]: Virus and Content Scanning: Starting
> Jul 10 15:00:34 mainframe MailScanner[13026]: ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON
> Jul 10 15:00:34 mainframe MailScanner[12276]: ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
> Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Clamd found 1 infections
> Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Found 1 viruses
> Jul 10 15:00:34 mainframe MailScanner[12276]: Uninfected: Delivered 1 messages

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From ljosnet at gmail.com Tue Jul 10 16:19:46 2007
From: ljosnet at gmail.com (emm1)
Date: Tue Jul 10 16:19:49 2007
Subject: Strange CLAMD errors
In-Reply-To: <2c6de78b8ffff344b3dfb9e659555624@solidstatelogic.com>
References: <910ee2ac0707100805ne111c5fp32cba3558ad2a58c@mail.gmail.com> <2c6de78b8ffff344b3dfb9e659555624@solidstatelogic.com>
Message-ID: <910ee2ac0707100819yf246c14y6ba7a6ad7e49d3b5@mail.gmail.com>

No idea, this was working fine before I updated. :)

On 7/10/07, Martin.Hepworth wrote:
>
> Have you got clamd listening on a port (defined in MailScanner.conf and
> clamd.conf)?
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> > bounces@lists.mailscanner.info] On Behalf Of emm1
> > Sent: 10 July 2007 16:06
> > To: MailScanner discussion
> > Subject: Strange CLAMD errors
> >
> > Hello, after I upgraded to 4.61.7 on my FreeBSD 6.2 box I am seeing
> > those errors.
> > I have checked to see if clamd is running and it is. Any ideas?
> >
> > Jul 10 15:00:31 mainframe MailScanner[12276]: New Batch: Scanning 1 messages, 3973 bytes
> > Jul 10 15:00:31 mainframe MailScanner[12276]: Expired 1 records from the SpamAssassin cache
> > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus and Content Scanning: Starting
> > Jul 10 15:00:34 mainframe MailScanner[13026]: ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON
> > Jul 10 15:00:34 mainframe MailScanner[12276]: ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
> > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Clamd found 1 infections
> > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Found 1 viruses
> > Jul 10 15:00:34 mainframe MailScanner[12276]: Uninfected: Delivered 1 messages

From martinh at solidstatelogic.com Tue Jul 10 16:24:19 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Jul 10 16:24:58 2007
Subject: Strange CLAMD errors
In-Reply-To: <910ee2ac0707100819yf246c14y6ba7a6ad7e49d3b5@mail.gmail.com>
Message-ID: <0d875ca8fbed024cb2be24cadcd1b440@solidstatelogic.com>

Upgraded from what - you sure the MailScanner.conf is set to

Virus scanners = clamd

And not clamdscan ????

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of emm1
> Sent: 10 July 2007 16:20
> To: MailScanner discussion
> Subject: Re: Strange CLAMD errors
>
> No idea, this was working fine before I updated. :)
>
> On 7/10/07, Martin.Hepworth wrote:
> >
> > Have you got clamd listening on a port (defined in MailScanner.conf and
> > clamd.conf)?
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> > > -----Original Message-----
> > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> > > bounces@lists.mailscanner.info] On Behalf Of emm1
> > > Sent: 10 July 2007 16:06
> > > To: MailScanner discussion
> > > Subject: Strange CLAMD errors
> > >
> > > Hello, after I upgraded to 4.61.7 on my FreeBSD 6.2 box I am seeing
> > > those errors.
> > > I have checked to see if clamd is running and it is. Any ideas?
> > >
> > > Jul 10 15:00:31 mainframe MailScanner[12276]: New Batch: Scanning 1 messages, 3973 bytes
> > > Jul 10 15:00:31 mainframe MailScanner[12276]: Expired 1 records from the SpamAssassin cache
> > > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus and Content Scanning: Starting
> > > Jul 10 15:00:34 mainframe MailScanner[13026]: ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON
> > > Jul 10 15:00:34 mainframe MailScanner[12276]: ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
> > > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Clamd found 1 infections
> > > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Found 1 viruses
> > > Jul 10 15:00:34 mainframe MailScanner[12276]: Uninfected: Delivered 1 messages

From ljosnet at gmail.com Tue Jul 10 16:27:41 2007
From: ljosnet at gmail.com (emm1)
Date: Tue Jul 10 16:27:43 2007
Subject: Strange CLAMD errors
In-Reply-To: <0d875ca8fbed024cb2be24cadcd1b440@solidstatelogic.com>
References: <910ee2ac0707100819yf246c14y6ba7a6ad7e49d3b5@mail.gmail.com> <0d875ca8fbed024cb2be24cadcd1b440@solidstatelogic.com>
Message-ID: <910ee2ac0707100827g5b453141hdd3524d02f90f56d@mail.gmail.com>

Yes, it's using clamd. I changed no config files before or after the upgrade from ports. This just started to appear in the maillog. It's detecting every single mail that is legit as virus and then delivers it.

On 7/10/07, Martin.Hepworth wrote:
>
> Upgraded from what - you sure the MailScanner.conf is set to
>
> Virus scanners = clamd
>
> And not clamdscan ????
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> > bounces@lists.mailscanner.info] On Behalf Of emm1
> > Sent: 10 July 2007 16:20
> > To: MailScanner discussion
> > Subject: Re: Strange CLAMD errors
> >
> > No idea, this was working fine before I updated. :)
> >
> > On 7/10/07, Martin.Hepworth wrote:
> > >
> > > Have you got clamd listening on a port (defined in MailScanner.conf and
> > > clamd.conf)?
> > > > > > > > > > > > -- > > > Martin Hepworth > > > Snr Systems Administrator > > > Solid State Logic > > > Tel: +44 (0)1865 842300 > > > > > > > -----Original Message----- > > > > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner- > > > > bounces@lists.mailscanner.info] On Behalf Of emm1 > > > > Sent: 10 July 2007 16:06 > > > > To: MailScanner discussion > > > > Subject: Strange CLAMD errors > > > > > > > > Hello, after I upgraded to 4.61.7 on my FreeBSD 6.2 box I am > seeing > > > > those errors. > > > > I have checked to see if clamd is running and it is. Any ideas? > > > > > > > > Jul 10 15:00:31 mainframe MailScanner[12276]: New Batch: Scanning > 1 > > > > messages, 3973 bytes > > > > Jul 10 15:00:31 mainframe MailScanner[12276]: Expired 1 records > from > > > > the SpamAssassin cache > > > > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus and Content > > > > Scanning: Starting > > > > Jul 10 15:00:34 mainframe MailScanner[13026]: ERROR:: COULD NOT > > > > CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON > > > > Jul 10 15:00:34 mainframe MailScanner[12276]: ERROR:: COULD NOT > > > > CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: . > > > > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: > Clamd > > > > found 1 infections > > > > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: > Found 1 > > > > viruses > > > > Jul 10 15:00:34 mainframe MailScanner[12276]: Uninfected: > Delivered 1 > > > > messages > > > > -- > > > > MailScanner mailing list > > > > mailscanner@lists.mailscanner.info > > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > > > > > Support MailScanner development - buy the book off the website! 

From listacct at tulsaconnect.com Tue Jul 10 16:32:48 2007
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Tue Jul 10 16:32:30 2007
Subject: zen.spamhaus.org timeouts?
Message-ID: <4693A6A0.3030305@tulsaconnect.com>

All of a sudden today we are getting DNS lookup timeouts when querying
zen.spamhaus.org across all of our MailScanner boxes. Is anyone else
having trouble doing RBL lookups against zen.spamhaus.org?

--
-----------------------------------------
Mike Bacher / listacct@tulsaconnect.com
TCIS - TulsaConnect Internet Services
http://www.tulsaconnect.com
-----------------------------------------

From mailscanner at slackadelic.com Tue Jul 10 16:34:53 2007
From: mailscanner at slackadelic.com (Matt Hayes)
Date: Tue Jul 10 16:35:00 2007
Subject: zen.spamhaus.org timeouts?
In-Reply-To: <4693A6A0.3030305@tulsaconnect.com>
References: <4693A6A0.3030305@tulsaconnect.com>
Message-ID: <4693A71D.4020901@slackadelic.com>

TCIS List Acct wrote:
> All of a sudden today we are getting DNS lookup timeouts when querying
> zen.spamhaus.org across all of our MailScanner boxes. Is anyone else
> having trouble doing RBL lookups against zen.spamhaus.org?
>

I've not noticed any issues.

-Matt

From j.ede at birchenallhowden.co.uk Tue Jul 10 16:35:41 2007
From: j.ede at birchenallhowden.co.uk (Jason Ede)
Date: Tue Jul 10 16:36:28 2007
Subject: zen.spamhaus.org timeouts?
In-Reply-To: <4693A6A0.3030305@tulsaconnect.com>
References: <4693A6A0.3030305@tulsaconnect.com>
Message-ID:

also rulesemporium is slow... I'm guessing it's another DDOS in progress...

Jason
________________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of TCIS List Acct [listacct@tulsaconnect.com]
Sent: 10 July 2007 16:32
To: MailScanner discussion
Subject: zen.spamhaus.org timeouts?

All of a sudden today we are getting DNS lookup timeouts when querying
zen.spamhaus.org across all of our MailScanner boxes. Is anyone else
having trouble doing RBL lookups against zen.spamhaus.org?

--
-----------------------------------------
Mike Bacher / listacct@tulsaconnect.com
TCIS - TulsaConnect Internet Services
http://www.tulsaconnect.com
-----------------------------------------

From ssilva at sgvwater.com Tue Jul 10 16:49:01 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Jul 10 16:49:16 2007
Subject: zen.spamhaus.org timeouts?
In-Reply-To: <4693A6A0.3030305@tulsaconnect.com>
References: <4693A6A0.3030305@tulsaconnect.com>
Message-ID:

TCIS List Acct spake the following on 7/10/2007 8:32 AM:
> All of a sudden today we are getting DNS lookup timeouts when querying
> zen.spamhaus.org across all of our MailScanner boxes. Is anyone else
> having trouble doing RBL lookups against zen.spamhaus.org?
>

Everything is fine here.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From glenn.steen at gmail.com Tue Jul 10 16:49:36 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 10 16:49:39 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <001e01c7c2de$074aa850$15dff8f0$@dk>
References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local> <002001c7c219$4d475580$e7d60080$@dk> <223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com> <001e01c7c2de$074aa850$15dff8f0$@dk>
Message-ID: <223f97700707100849l378fce92xf1386f7b5e779193@mail.gmail.com>

On 10/07/07, Jonas A. Larsen wrote:
> Hi Glenn
>
> >
> > Um, just script up a snippet that send a mail through to a service
> > account (use telnet with expect, or perl or whatever... Make that
> > sending snippet a function/sub/procedure and let it take an argument
> > servername, then loop through the list of servers.... You know what to
> > do:-), then use an automated MUA in the same script (whatever you
> > need) to check that it is received within a reasonable time... Nail
> > within an expect script would be nice for that last bit ... How hard
> > can it be:-):-).
> > You'd have to keep an eye on reasonable timing, and think through how
> > to report errors...
> > Could probably be incorporated as a testscript into any monitoring
> > app... Or run from cron with some reasonable regularity.
> > Should be fairly easy to write up ... But I'm on vacation, so you do
> > it yourself;-).
>
> This is precisely what is needed :) regarding the "fairly easy to write
> up" I guess that depends on how elite coding scripting skills you have and
> how much time you got :)

True:-)

> We currently got it running using a freeware windows monitoring tool, that
> had this precise check.

(Yuk! Well, whatever works, I guess...:-)

> I was just looking for something that already existed and general comments.
> (because I'm a lazy boy)

That's generally the big motivator to do something like that... The
effort to make it is less than doing it by hand (if even
possible:-):-).

> People seem to have misunderstood it a bit since they are recommending
> generic monitoring solutions. Neither nagios, bigbrother or others have the
> above solution. I actually think munin had something but it would have to be
> re-scripted to be useable (assuming I don't want to run munin)

True. This would probably slot into something more generic, to handle
the alerting etc... Laziness again, why reinvent that part of it:-).

> I do find it odd though, that more or less nobody appears to be monitoring
> their mail systems in this way. I still say it's the only way to be 100% if
> your system is functioning or not. Checking the mta daemon, mailscanner
> daemon, queue sizes etc. are all not a perfect way to check if the
> mailscanning process is functioning.

I suspect that people fall into a lot of different categories here...
Some have small installations that don't really need that kind of
alerting.... The users and perhaps something like
MailWatch/Vispan/MailScanner-MRTG/whatever is enough of an alerting
system:-). For larger systems something homegrown in [favourite
monitoring app] is likely enough.

Another "problem" is that anything like this will become somewhat
specific to how your "mailflow topology" looks... So the bigger players
probably do have something like this in place already, but deem it way
too specific to their setup to be meaningful to share.

If I find the time and energy when I'm back from vacation (not that
likely, but ... if:), I might make something simple to work from...
Yes, that is half a promise of half a solution:-).

>
> Cheers

Likewise!

>
> Med venlig hilsen / Best regards
>
> Jonas Akrouh Larsen
>
> TechBiz ApS
> Laplandsgade 4, 2. sal
> 2300 København S
>
> Office: 7020 0979
> Direct: 33369974
> Fax: 7020 0978
> Mobile: 51201096
> Web: www.techbiz.dk.
>
>

--
-- Glenn (off in the west-swedish wilderness around Arvika... No, I'm going
to give the festival a miss this year too:-)
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mailscanner at cfwebdesigns.com Tue Jul 10 16:59:20 2007
From: mailscanner at cfwebdesigns.com (Custom Framer Web Designs)
Date: Tue Jul 10 16:59:28 2007
Subject: Server whitelist being ignored
Message-ID: <006f01c7c30b$479a7570$0402a8c0@VAIODESKTOP1>

I have a problem with messages that come from addresses, and domains
that are on the server-wide whitelist are being scanned and scored as
spam. It is my understanding that by being on the whitelist, messages
from these addresses would not be scanned. Am I wrong in this thinking?
If not, have you a suggestion as to what may be wrong.

Merrill

From rcooper at dwford.com Tue Jul 10 17:00:22 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Tue Jul 10 17:00:28 2007
Subject: Strange CLAMD errors
In-Reply-To: <910ee2ac0707100805ne111c5fp32cba3558ad2a58c@mail.gmail.com>
References: <910ee2ac0707100805ne111c5fp32cba3558ad2a58c@mail.gmail.com>
Message-ID: <020b01c7c30b$6c5a9200$c8b0b9cf@SAHOMELT>

If you were using the old clamd (clamdscan) support, you need to configure
the new clamd parameters in MailScanner.conf to match your clamd.conf. The
latest MailScanner calls clamd directly not via clamdscan. Look at the
change log

Rick

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of emm1
> Sent: Tuesday, July 10, 2007 11:06 AM
> To: MailScanner discussion
> Subject: Strange CLAMD errors
>
> Hello, after I upgraded to 4.61.7 on my FreeBSD 6.2 box I am seeing
> those errors.
> I have checked to see if clamd is running and it is. Any ideas?
>
> Jul 10 15:00:31 mainframe MailScanner[12276]: New Batch: Scanning 1
> messages, 3973 bytes
> Jul 10 15:00:31 mainframe MailScanner[12276]: Expired 1 records from
> the SpamAssassin cache
> Jul 10 15:00:34 mainframe MailScanner[12276]: Virus and Content
> Scanning: Starting
> Jul 10 15:00:34 mainframe MailScanner[13026]: ERROR:: COULD NOT
> CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON
> Jul 10 15:00:34 mainframe MailScanner[12276]: ERROR:: COULD NOT
> CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
> Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Clamd
> found 1 infections
> Jul 10 15:00:34 mainframe MailScanner[12276]: Virus
> Scanning: Found 1 viruses
> Jul 10 15:00:34 mainframe MailScanner[12276]: Uninfected:
> Delivered 1 messages

From Alistair.Carmichael at ntltravel.com Tue Jul 10 17:04:04 2007
From: Alistair.Carmichael at ntltravel.com (Alistair Carmichael)
Date: Tue Jul 10 17:04:07 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <223f97700707100849l378fce92xf1386f7b5e779193@mail.gmail.com>
References: <000901c7c210$8d1f4310$a75dc930$@dk><6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local><002001c7c219$4d475580$e7d60080$@dk><223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com><001e01c7c2de$074aa850$15dff8f0$@dk> <223f97700707100849l378fce92xf1386f7b5e779193@mail.gmail.com>
Message-ID: <6EEC6D949794754FB8D83A4D87DF7168BE662D@gh-redd-exch-01.redditch.ntltravel.local>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: 10 July 2007 16:50
To: MailScanner discussion
Subject: Re: How to monitor the health of the MailScanner architecture

On 10/07/07, Jonas A. Larsen wrote:
> Hi Glenn
>
> >
> > Um, just script up a snippet that send a mail through to a service
> > account (use telnet with expect, or perl or whatever... Make that
> > sending snippet a function/sub/procedure and let it take an argument
> > servername, then loop through the list of servers.... You know what to
> > do:-), then use an automated MUA in the same script (whatever you
> > need) to check that it is received within a reasonable time... Nail
> > within an expect script would be nice for that last bit ... How hard
> > can it be:-):-).
> > You'd have to keep an eye on reasonable timing, and think through how
> > to report errors...
> > Could probably be incorporated as a testscript into any monitoring
> > app... Or run from cron with some reasonable regularity.
> > Should be fairly easy to write up ... But I'm on vacation, so you do
> > it yourself;-).
>
> This is precisely what is needed :) regarding the "fairly easy to write
> up" I guess that depends on how elite coding scripting skills you have and
> how much time you got :)

True:-)

> We currently got it running using a freeware windows monitoring tool, that
> had this precise check.

(Yuk! Well, whatever works, I guess...:-)

> I was just looking for something that already existed and general comments.
> (because I'm a lazy boy)

That's generally the big motivator to do something like that... The
effort to make it is less than doing it by hand (if even
possible:-):-).

> People seem to have misunderstood it a bit since they are recommending
> generic monitoring solutions. Neither nagios, bigbrother or others have the
> above solution. I actually think munin had something but it would have to be
> re-scripted to be useable (assuming I don't want to run munin)

True. This would probably slot into something more generic, to handle
the alerting etc... Laziness again, why reinvent that part of it:-).

> I do find it odd though, that more or less nobody appears to be monitoring
> their mail systems in this way. I still say it's the only way to be 100% if
> your system is functioning or not. Checking the mta daemon, mailscanner
> daemon, queue sizes etc. are all not a perfect way to check if the
> mailscanning process is functioning.

I suspect that people fall into a lot of different categories here...
Some have small installations that don't really need that kind of
alerting.... The users and perhaps something like
MailWatch/Vispan/MailScanner-MRTG/whatever is enough of an alerting
system:-). For larger systems something homegrown in [favourite
monitoring app] is likely enough.

Another "problem" is that anything like this will become somewhat
specific to how your "mailflow topology" looks... So the bigger players
probably do have something like this in place already, but deem it way
too specific to their setup to be meaningful to share.

If I find the time and energy when I'm back from vacation (not that
likely, but ... if:), I might make something simple to work from...
Yes, that is half a promise of half a solution:-).

>
> Cheers

Likewise!

One method I thought of by using a shell script in conjunction with
mailwatch is to run a shell script to generate a message every minute to
output "$$`date +%s`" to a temp file, then run the mail command using
the output (cat) of this file as the subject and send the message to a
generic postmaster address. Then sleep for half a min or so and then run
a mysql query on your mailwatch database's maillog table like "select
Count(*) from maillog where subject = 'cat /tmp/myfile'"
If the result of count(*) is 1 then the message has been collected and
scanned by mailscanner, if the answer is zero then it has not.
It probably wouldn't take too long to throw together into a shell
script.
The only downside I think would be if you have one mailwatch database
used by 3 mailscanners like we do this query can take a while to execute
due to the sheer size of the database but might work ok for a single
server setup.
My 2 more cents ;)

>
> Med venlig hilsen / Best regards
>
> Jonas Akrouh Larsen
>
> TechBiz ApS
> Laplandsgade 4, 2. sal
> 2300 København S
>
> Office: 7020 0979
> Direct: 33369974
> Fax: 7020 0978
> Mobile: 51201096
> Web: www.techbiz.dk.
>
>

--
-- Glenn (off in the west-swedish wilderness around Arvika... No, I'm going
to give the festival a miss this year too:-)
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
system manager. This message contains confidential information and is
intended only for the individual named. If you are not the named
addressee you should not disseminate, distribute or copy this e-mail.

From ljosnet at gmail.com Tue Jul 10 17:09:39 2007
From: ljosnet at gmail.com (emm1)
Date: Tue Jul 10 17:09:42 2007
Subject: Strange CLAMD errors
In-Reply-To: <020b01c7c30b$6c5a9200$c8b0b9cf@SAHOMELT>
References: <910ee2ac0707100805ne111c5fp32cba3558ad2a58c@mail.gmail.com> <020b01c7c30b$6c5a9200$c8b0b9cf@SAHOMELT>
Message-ID: <910ee2ac0707100909y7e7796e9yce6b21f032962800@mail.gmail.com>

Yeah I see it now, thanks.

On 7/10/07, Rick Cooper wrote:
> If you were using the old clamd (clamdscan) support, you need to configure
> the new clamd parameters in MailScanner.conf to match your clamd.conf. The
> latest MailScanner calls clamd directly not via clamdscan. Look at the
> change log
>
> Rick
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of emm1
> > Sent: Tuesday, July 10, 2007 11:06 AM
> > To: MailScanner discussion
> > Subject: Strange CLAMD errors
> >
> > Hello, after I upgraded to 4.61.7 on my FreeBSD 6.2 box I am seeing
> > those errors.
> > I have checked to see if clamd is running and it is. Any ideas?
> >
> > Jul 10 15:00:31 mainframe MailScanner[12276]: New Batch: Scanning 1
> > messages, 3973 bytes
> > Jul 10 15:00:31 mainframe MailScanner[12276]: Expired 1 records from
> > the SpamAssassin cache
> > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus and Content
> > Scanning: Starting
> > Jul 10 15:00:34 mainframe MailScanner[13026]: ERROR:: COULD NOT
> > CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON
> > Jul 10 15:00:34 mainframe MailScanner[12276]: ERROR:: COULD NOT
> > CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
> > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Clamd
> > found 1 infections
> > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus
> > Scanning: Found 1 viruses
> > Jul 10 15:00:34 mainframe MailScanner[12276]: Uninfected:
> > Delivered 1 messages
>

From ka at pacific.net Tue Jul 10 17:16:13 2007
From: ka at pacific.net (Ken A)
Date: Tue Jul 10 17:16:18 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <001e01c7c2de$074aa850$15dff8f0$@dk>
References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local> <002001c7c219$4d475580$e7d60080$@dk> <223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com> <001e01c7c2de$074aa850$15dff8f0$@dk>
Message-ID: <4693B0CD.8090806@pacific.net>

Jonas A. Larsen wrote:
> Hi Glenn
>> Um, just script up a snippet that send a mail through to a service
>> account (use telnet with expect, or perl or whatever... Make that
>> sending snippet a function/sub/procedure and let it take an argument
>> servername, then loop through the list of servers.... You know what to
>> do:-), then use an automated MUA in the same script (whatever you
>> need) to check that it is received within a reasonable time... Nail
>> within an expect script would be nice for that last bit ... How hard
>> can it be:-):-).
>> You'd have to keep an eye on reasonable timing, and think through how
>> to report errors...
>> Could probably be incorporated as a testscript into any monitoring
>> app... Or run from cron with some reasonable regularity.
>> Should be fairly easy to write up ... But I'm on vacation, so you do
>> it yourself;-).
>> This is precisely what is needed :) regarding the "fairly easy to write
> up" I guess that depends on how elite coding scripting skills you have and
> how much time you got :)
>
> We currently got it running using a freeware windows monitoring tool, that
> had this precise check.
>
> I was just looking for something that already existed and general comments.
> (because I'm a lazy boy)
>
> People seem to have misunderstood it a bit since they are recommending
> generic monitoring solutions. Neither nagios, bigbrother or others have the
> above solution. I actually think munin had something but it would have to be
> re-scripted to be useable (assuming I don't want to run munin)
>
> I do find it odd though, that more or less nobody appears to be monitoring
> their mail systems in this way. I still say it's the only way to be 100% if
> your system is functioning or not. Checking the mta daemon, mailscanner
> daemon, queue sizes etc. are all not a perfect way to check if the
> mailscanning process is functioning.

There are many parts to the mail flow process. You can't check them all
by passing a message through, though that certainly will tell you that
messages can flow through your mail system! If I get a page at 3am that
says "mail stopped flowing", I'd be pretty disappointed in my monitoring
software. I want to know a lot more than that before my feet hit the
floor. If your monitoring software is set up correctly (nagios here), you
can quite correctly infer that all processing is working normally if all
tests are passed. You just have to design or tweak the tests (these are
usually simple shell or perl scripts that nagios uses) to fit your
architecture. It's not hard, but it's implementation specific, mostly.

Ken

>
> Cheers
>
> Med venlig hilsen / Best regards
>
> Jonas Akrouh Larsen
>
>

--
Ken Anderson
Pacific.Net

From glenn.steen at gmail.com Tue Jul 10 17:17:44 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 10 17:17:49 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <6EEC6D949794754FB8D83A4D87DF7168BE662D@gh-redd-exch-01.redditch.ntltravel.local>
References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local> <002001c7c219$4d475580$e7d60080$@dk> <223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com> <001e01c7c2de$074aa850$15dff8f0$@dk> <223f97700707100849l378fce92xf1386f7b5e779193@mail.gmail.com> <6EEC6D949794754FB8D83A4D87DF7168BE662D@gh-redd-exch-01.redditch.ntltravel.local>
Message-ID: <223f97700707100917o2cadec8bg9445f22b360b9499@mail.gmail.com>

On 10/07/07, Alistair Carmichael wrote:
(snip)
>
> One method I thought of by using a shell script in conjunction with mailwatch is to run a shell script to generate a message every minute to output "$$`date +%s`" to a temp file, then run the mail command using the output (cat) of this file as the subject and send the message to a generic postmaster address. Then sleep for half a min or so and then run a mysql query on your mailwatch database's maillog table like "select Count(*) from maillog where subject = 'cat /tmp/myfile'"
> If the result of count(*) is 1 then the message has been collected and scanned by mailscanner, if the answer is zero then it has not.
> It probably wouldn't take too long to throw together into a shell script.
> The only downside I think would be if you have one mailwatch database used by 3 mailscanners like we do this query can take a while to execute due to the sheer size of the database but might work ok for a single server setup.
> My 2 more cents ;)
>

Certainly worth exploring since that would reduce the
dependencies/ickiness of the checking part (expecting ones way through
even the simplest textbased MUA can be ... frustrating:-). And as you
say, it would be easy to script and would probably scale rather OK
(scriptwise... One message per MS server... Not the query bit:) with
several MS servers...

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ms-list at alexb.ch Tue Jul 10 17:26:40 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Jul 10 17:26:47 2007
Subject: zen.spamhaus.org timeouts?
In-Reply-To: <4693A6A0.3030305@tulsaconnect.com>
References: <4693A6A0.3030305@tulsaconnect.com>
Message-ID: <4693B340.7000606@alexb.ch>

On 7/10/2007 5:32 PM, TCIS List Acct wrote:
> All of a sudden today we are getting DNS lookup timeouts when querying
> zen.spamhaus.org across all of our MailScanner boxes. Is anyone else
> having trouble doing RBL lookups against zen.spamhaus.org?
>

try a traceroute
if you're on LEVEL3 they're having problems

Alex

From ugob at lubik.ca Tue Jul 10 17:31:27 2007
From: ugob at lubik.ca (Ugo Bellavance)
Date: Tue Jul 10 17:31:50 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To: <469266D4.7060405@ecs.soton.ac.uk>
References: <469266D4.7060405@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Ugo Bellavance wrote:
>> Ugo Bellavance wrote:
>>> Hi,
>>>
>>> I'd like to switch from clamavmodule to clamd. I used to use a
>>> source-install of clamav. I've read that the easiest way to get
>>> clamd running is using dag's RPM. However, a dependency for clamd is
>>> clamav and clamav-db. How will that play with my current source
>>> install of clamav? Should I move to using exclusively rpm clamav?
>>
>>
>> It looks like the source install is overwritten by the RPM. This
>> answers my question...
> The source install by default goes in /usr/local, while the RPMs most > often go into /usr/bin, /etc and so on. You're right. And if we remove /usr/local/freshclam, MailScanner can't update clamav. Anyone really documented all the process of switching from clamav or clamavmodule to clamd? I could do it, if I can gather all the information. Regards, Ugo From MailScanner at ecs.soton.ac.uk Tue Jul 10 19:00:28 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jul 10 19:05:27 2007 Subject: switching from clamavmodule -> clamd... source? In-Reply-To: References: <469266D4.7060405@ecs.soton.ac.uk> Message-ID: <4693C93C.3020508@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ugo Bellavance wrote: > Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> Ugo Bellavance wrote: >>> Ugo Bellavance wrote: >>>> Hi, >>>> >>>> I'd like to switch from clamavmodule to clamd. I used to use a >>>> source-install of clamav. I've read that the easiest way to get >>>> clamd running is using dag's RPM. However, a dependency for clamd >>>> is clamav and clamav-db. How will that play with my current source >>>> install of clamav? Should I move to using exclusively rpm clamav? >>> >>> >>> It looks like the source install is overwritten by the RPM. This >>> answers my question... >> The source install by default goes in /usr/local, while the RPMs most >> often go into /usr/bin, /etc and so on. > > You're right. And if we remove /usr/local/freshclam, MailScanner > can't update clamav. Make sure that /etc/MailScanner/virus.scanners.conf points to the right installation (i.e. /usr or /usr/local). Then it will call /usr/bin/freshclam for you. > Anyone really documented all the process of switching from clamav or > clamavmodule to clamd? I could do it, if I can gather all the > information. I would proceed like this: 1. Make sure you have a sufficiently recent MailScanner installed so that you have direct support of clamd. 
Version 4.61.7-2 at least. I don't believe in running betas once there is a stable release of the same version.
2. Install ClamAV from the RPMs at dag.wieers.com. You need the correct builds of clamav, clamav-db and clamd. This way you get the init.d script for free.
3. Install my ClamAV+SpamAssassin package, telling it not to install ClamAV. Tell it your ClamAV installation lives at /usr/bin (or /usr, or /usr/bin/clamscan, it will work out what you meant).
4. Check your clam* entries in /etc/MailScanner/virus.scanners.conf all point to /usr.
5. Set your "Virus Scanners =" entry in /etc/MailScanner/MailScanner.conf to include "clamd".
6. Set up the Clamd-specific entries in /etc/MailScanner/MailScanner.conf to the same values as you use in /etc/clamd.conf. By default I *think* you can just leave them alone. But if you are running a system with more than 1 CPU (or more than 1 CPU core), then switch on "Clamd Use Threads = yes" in MailScanner.conf.
7. chkconfig clamd on
8. service clamd start
9. service MailScanner restart

I'm sure others will correct any mistakes in the above guide. I have just updated my ClamAV+SA package so that it prints more instructions to inform your choice of whether you want it to install ClamAV or not, and tells you where to get the RPMs if you decide to take that route. Please can someone add this, and my previous recent HOWTO, to the Wiki for me? Thanks guys! Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGk8k+EfZZRxQVtlQRAtdOAJ0eMyGc2DaUO9kWXfG9ITRjI1G40gCgxuwt Mz5idcUe5IzReEJBQf1nTHQ= =EanK -----END PGP SIGNATURE----- From brandonc at webpipe.net Tue Jul 10 19:19:28 2007 From: brandonc at webpipe.net (Brandon Checketts) Date: Tue Jul 10 19:18:59 2007 Subject: How to monitor the health of the MailScanner architecture In-Reply-To: <002001c7c219$4d475580$e7d60080$@dk> References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local> <002001c7c219$4d475580$e7d60080$@dk> Message-ID: <4693CDB0.1050307@webpipe.net> Nagios actually can do this. Check out the section on 'passive checks' at http://nagios.sourceforge.net/docs/3_0/passivechecks.html. You'd have to create something to send automated emails every so often, then have it delivered to a script that parses out the timestamp and writes to the nagios external command file in the specified format. Thanks, Brandon Checketts Jonas A. Larsen wrote: > Hi Alistair and Gareth too. > > > > I have used nagios for many years. However if you read my mail again, I > specifically don't need to know the queue size or the status of the MTA, > none of those can give you a definitive answer about whether or not mail > flow is working, I need something that can check if mail is flowing and > if it's delayed. > > > > > /Jonas > > > > *From:* mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of > *Alistair Carmichael > *Sent:* 9.
juli 2007 12:31 > *To:* MailScanner discussion > *Subject:* RE: How to monitor the health of the MailScanner architecture > > > > Hi, > > The monitoring software I use - nagios is capable of this, without going > into too much detail it's basically a monitoring tool that can run on a > webserver and then check the status of software such as your mta > remotely as well as executing local scripts on each mailscanner server to > check queue sizes and report back to the nagios monitoring server via > the nagios nrpe plugin, which can be configured to alert via email or > even sms once certain thresholds (e.g queue size) are met. > > In our setup I wrote my own queue size monitor script but there are nrpe > scripts already created for various MTA's out there. > > > > Al > > > > ------------------------------------------------------------------------ > > *From:* mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Jonas > A. Larsen > *Sent:* 09 July 2007 11:04 > *To:* mailscanner@lists.mailscanner.info > *Subject:* How to monitor the health of the MailScanner architecture > > > > Hello all > > > > I have a problem, and discussing it on the irc channel didn't turn up > any obvious solution. > > > > Say you have more than 1 MS box scanning mails for a specific domain. > They are load balanced in some way, so the load is split over the servers. > > > > Now let's say one of the servers have a problem. Not a fatal problem, so > the server is still running (responds to pings etc) port 25 is still > open, and exim (the mta in my case) still accepts mails. > > > > But for some reason, crash, corrupt config, full root fs etc. the > process of moving mails from the incoming queue to the outgoing queue is > not working. > > > > What I am interested in, is a system to alert me of such a problem > automatically.
> > > > Currently the only thing, besides clients noticing mail being delayed, > is for me to look at my mailscanner-mrtg graphs for the incoming queue > and notice that it's growing. > > > > One method of doing all this automatically that we came up with, would > be some complex system that would work as follows: > > > > You create a domain for each MailScanner, that only that MailScanner > scans for. > > > > You then create an imap account on another system for each of the domains. > > > > You then create a script that sends a mail to each of the accounts and > after X amount of minutes check to see if the mail has arrived on the > imap account. If yes, delete the mail and do the same thing again after > Y amount of minutes (a cron job), if it doesn't exist something must be > wrong with the mailflow, either it's interrupted or is experiencing delays. > > > > Do anybody have a better idea or know of something that can do this already? > > > > My root file system ran full last week, and it caused mails to still be > accepted (incoming is on /var on another disk) but MS was frozen because > it couldn't extract attachments to /tmp which was full because it was on > the same disk as the root fs. > > > > I hope I have made the above somewhat clear, if not please ask me to > clarify. > > > > > > *Med venlig hilsen / Best regards* > > > > *Jonas Akrouh Larsen* > > * * > > TechBiz ApS > > Laplandsgade 4, 2. sal > > 2300 København S > > > > Office: 7020 0979 > > Direct: 33369974 > > Fax: 7020 0978 > > Mobile: 51201096 > > Web: www.techbiz.dk > > > > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they are > addressed. If you have received this email in error please notify the > system manager. This message contains confidential information and is > intended only for the individual named. If you are not the named > addressee you should not disseminate, distribute or copy this e-mail.
From ugob at lubik.ca Tue Jul 10 19:21:33 2007 From: ugob at lubik.ca (Ugo Bellavance) Date: Tue Jul 10 19:21:48 2007 Subject: switching from clamavmodule -> clamd... source? In-Reply-To: <4693C93C.3020508@ecs.soton.ac.uk> References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> Message-ID: Julian Field wrote: >>>>> I'd like to switch from clamavmodule to clamd. I used to use a >>>>> source-install of clamav. I've read that the easiest way to get >>>>> clamd running is using dag's RPM. However, a dependency for clamd >>>>> is clamav and clamav-db. How will that play with my current source >>>>> install of clamav? Should I move to using exclusively rpm clamav? >>>> >>>> >>>> It looks like the source install is overwritten by the RPM. This >>>> answers my question... >>> The source install by default goes in /usr/local, while the RPMs most >>> often go into /usr/bin, /etc and so on. >> You're right. And if we remove /usr/local/freshclam, MailScanner >> can't update clamav. > Make sure that /etc/MailScanner/virus.scanners.conf points to the right > installation (i.e. /usr or /usr/local). Then it will call > /usr/bin/freshclam for you. Ok. >> Anyone really documented all the process of switching from clamav or >> clamavmodule to clamd? I could do it, if I can gather all the >> information. > I would proceed like this: > > 1. Make sure you have a sufficiently recent MailScanner installed so > that you have direct support of clamd. Version 4.61.7-2 at least.
I > don't believe in running betas once there is a stable release of the > same version. Ok > 2. Install ClamAV from the RPMs at dag.wieers.com. You need the correct > builds of clamav, clamav-db and clamd. This way you get the init.d > script for free. Ok > 3. Install my ClamAV+SpamAssassin package, telling it not to install > ClamAV. Tell it you ClamAV installation lives at /usr/bin (or /usr, or > /usr/bin/clamscan, it will work out what you meant). Why is that necessary if SA 3.2.1 is already installed on the system? > 4. Check your clam* entries in /etc/MailScanner/virus.scanners.conf all > point to /usr. Ok. I guess this means that MailScanner assumes a source install by default. This probably means that any user that wants to switch from source to dag's rpm would have to do this right? > 5. Set your "Virus Scanners =" entry in > /etc/MailScanner/MailScanner.conf to include "clamd". Ok 5.5. Set the Incoming Work Group and Incoming Work Permission settings accordingly: Incoming Work Group = clamav Incoming Work Permissions = 0640 > 6. Set up the Clamd-specific entries in > /etc/MailScanner/MailScanner.conf to the same values as you use in > /etc/clamd.conf. By default I *think* you can just leave them alone. But > if you are running a system with more than 1 CPU (or more than 1 CPU > core), then switch on "Clamd Use Threads = yes" in MailScanner.conf. Ok > 7. chkconfig clamd on I think the RPM does it by default. > 8. service clamd start > 9. service MailScanner restart > > I'm sure others will correct any mistakes in the above guide. > > I have just updated my ClamAV+SA package so that it prints more > instructions to inform your choice of whether you want it to install > ClamAV or not, and tells you where to get the RPMs if you decide to take > that route. > > Please can someone add this, and my previous recent HOWTO, to the Wiki > for me? Will do as soon as I have all the info. 
Ugo From MailScanner at ecs.soton.ac.uk Tue Jul 10 19:48:53 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jul 10 19:55:58 2007 Subject: switching from clamavmodule -> clamd... source? In-Reply-To: References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> Message-ID: <4693D495.5030409@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ugo Bellavance wrote: > Julian Field wrote: >>>>>> I'd like to switch from clamavmodule to clamd. I used to use >>>>>> a source-install of clamav. I've read that the easiest way to >>>>>> get clamd running is using dag's RPM. However, a dependency for >>>>>> clamd is clamav and clamav-db. How will that play with my >>>>>> current source install of clamav? Should I move to using >>>>>> exclusively rpm clamav? >>>>> >>>>> >>>>> It looks like the source install is overwritten by the RPM. This >>>>> answers my question... >>>> The source install by default goes in /usr/local, while the RPMs >>>> most often go into /usr/bin, /etc and so on. >>> You're right. And if we remove /usr/local/freshclam, MailScanner >>> can't update clamav. >> Make sure that /etc/MailScanner/virus.scanners.conf points to the >> right installation (i.e. /usr or /usr/local). Then it will call >> /usr/bin/freshclam for you. > > Ok. > >>> Anyone really documented all the process of switching from clamav or >>> clamavmodule to clamd? I could do it, if I can gather all the >>> information. >> I would proceed like this: >> >> 1. Make sure you have a sufficiently recent MailScanner installed so >> that you have direct support of clamd. Version 4.61.7-2 at least. I >> don't believe in running betas once there is a stable release of the >> same version. > > Ok > >> 2. Install ClamAV from the RPMs at dag.wieers.com. You need the >> correct builds of clamav, clamav-db and clamd. This way you get the >> init.d script for free. > > Ok > >> 3. Install my ClamAV+SpamAssassin package, telling it not to install >> ClamAV. 
Tell it you ClamAV installation lives at /usr/bin (or /usr, >> or /usr/bin/clamscan, it will work out what you meant). > > Why is that necessary if SA 3.2.1 is already installed on the system? It's not in that case, no. > >> 4. Check your clam* entries in /etc/MailScanner/virus.scanners.conf >> all point to /usr. > > Ok. I guess this means that MailScanner assumes a source install by > default. This probably means that any user that wants to switch from > source to dag's rpm would have to do this right? Correct. > >> 5. Set your "Virus Scanners =" entry in >> /etc/MailScanner/MailScanner.conf to include "clamd". > > Ok > > 5.5. Set the Incoming Work Group and Incoming Work Permission settings > accordingly: > > Incoming Work Group = clamav > Incoming Work Permissions = 0640 Good point, forgot that one. Well spotted! > >> 6. Set up the Clamd-specific entries in >> /etc/MailScanner/MailScanner.conf to the same values as you use in >> /etc/clamd.conf. By default I *think* you can just leave them alone. >> But if you are running a system with more than 1 CPU (or more than 1 >> CPU core), then switch on "Clamd Use Threads = yes" in MailScanner.conf. > > Ok > >> 7. chkconfig clamd on > > I think the RPM does it by default. > >> 8. service clamd start >> 9. service MailScanner restart >> >> I'm sure others will correct any mistakes in the above guide. >> >> I have just updated my ClamAV+SA package so that it prints more >> instructions to inform your choice of whether you want it to install >> ClamAV or not, and tells you where to get the RPMs if you decide to >> take that route. >> >> Please can someone add this, and my previous recent HOWTO, to the >> Wiki for me? > > Will do as soon as I have all the info. Thanks a lot for doing that. > > Ugo > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGk9SWEfZZRxQVtlQRAsGbAJ98ItHhiH/NIqD2DqHdTY6HDDskXgCfa65b hXggRJYdMpd6bqhcPbO2B9s= =JO+8 -----END PGP SIGNATURE----- From listacct at tulsaconnect.com Tue Jul 10 21:20:33 2007 From: listacct at tulsaconnect.com (TCIS List Acct) Date: Tue Jul 10 21:20:10 2007 Subject: zen.spamhaus.org timeouts? In-Reply-To: References: <4693A6A0.3030305@tulsaconnect.com> Message-ID: <4693EA11.9060702@tulsaconnect.com> Scott Silva wrote: > Everything is fine here. > My guess is our volume exceeded what they are going to allow on the freebie servers, so we've ponied up some cash and subscribed to the data feed via rsync and now all is well again (and speedier to boot) :)) -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From ugob at lubik.ca Tue Jul 10 21:23:16 2007 From: ugob at lubik.ca (Ugo Bellavance) Date: Tue Jul 10 21:23:41 2007 Subject: switching from clamavmodule -> clamd... source? In-Reply-To: <4693D495.5030409@ecs.soton.ac.uk> References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> Message-ID: Julian Field wrote: >>> Please can someone add this, and my previous recent HOWTO, to the >>> Wiki for me? >> Will do as soon as I have all the info. > Thanks a lot for doing that. >> Ugo http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd Please, everyone, review and comment. Especially the "FIXME" items.
-- Ugo Bellavance FSL Technical Support Team From MailScanner at ecs.soton.ac.uk Tue Jul 10 22:02:56 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jul 10 22:10:16 2007 Subject: switching from clamavmodule -> clamd... source? In-Reply-To: References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> Message-ID: <4693F400.5030309@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ugo Bellavance wrote: > Julian Field wrote: > >>>> Please can someone add this, and my previous recent HOWTO, to the >>>> Wiki for me? >>> Will do as soon as I have all the info. >> Thanks a lot for doing that. >>> Ugo > > http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd > > > Please, everyone, review and comment. Especially the "FIXME" items. > Fix Me 1: That example is fine. Fix Me 2: My package does not install any RPM's anyway, so there's nothing you can easily remove. You can do this if you want:
cd /usr/lib/perl5
find . -name 'SpamAssassin.pm' -print | xargs rm
to remove any old installations of SpamAssassin. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGk/QBEfZZRxQVtlQRAsPvAKDZoML9uL3YgkcBlwKpM748J2pbfwCfbgvn JHSbqcpyak8XklvkJut0D7w= =kF7V -----END PGP SIGNATURE-----
From ugob at lubik.ca Tue Jul 10 22:44:03 2007 From: ugob at lubik.ca (Ugo Bellavance) Date: Tue Jul 10 22:44:19 2007 Subject: switching from clamavmodule -> clamd... source? In-Reply-To: <4693F400.5030309@ecs.soton.ac.uk> References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Ugo Bellavance wrote: >> Julian Field wrote: >> >>>>> Please can someone add this, and my previous recent HOWTO, to the >>>>> Wiki for me? >>>> Will do as soon as I have all the info. >>> Thanks a lot for doing that. >>>> Ugo >> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd >> >> >> Please, everyone, review and comment. Especially the "FIXME" items. >> > Fix Me 1: That example is fine. Ok, but should all the clam* entries be like that, or only clamav? > Fix Me 2: My package does not install any RPM's anyway, so there's > nothing you can easily remove. You can do this if you want: > cd /usr/lib/perl5 > find . -name 'SpamAssassin.pm' -print | xargs rm > to remove any old installations of SpamAssassin. I don't mind SA, as long as we can remove clamav. The article is only about clam. Thanks, -- Ugo Bellavance FSL Technical Support Team From richard.siddall at elirion.net Tue Jul 10 22:52:28 2007 From: richard.siddall at elirion.net (Richard Siddall) Date: Tue Jul 10 22:54:14 2007 Subject: switching from clamavmodule -> clamd... source? In-Reply-To: References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> Message-ID: <4693FF9C.7090405@elirion.net> Ugo Bellavance wrote: > http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd > > > Please, everyone, review and comment. Especially the "FIXME" items.
> Step 9 seems to be unnecessary in MailWatch 1.0.4. It's already there. Regards, Richard. From ugob at lubik.ca Tue Jul 10 23:23:47 2007 From: ugob at lubik.ca (Ugo Bellavance) Date: Tue Jul 10 23:24:04 2007 Subject: switching from clamavmodule -> clamd... source? In-Reply-To: <4693FF9C.7090405@elirion.net> References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693FF9C.7090405@elirion.net> Message-ID: Richard Siddall wrote: > Ugo Bellavance wrote: >> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd >> >> >> Please, everyone, review and comment. Especially the "FIXME" items. >> > > Step 9 seems to be unnecessary in MailWatch 1.0.4. It's already there. Thanks for letting me know. Better to leave it there, a lot of people don't upgrade MailWatch once it is in... -- Ugo Bellavance FSL Technical Support Team From Phil.Udel at SalemCorp.com Tue Jul 10 23:35:33 2007 From: Phil.Udel at SalemCorp.com (Phil Udel) Date: Tue Jul 10 23:35:39 2007 Subject: Help with ClamAVMod Message-ID: <064f01c7c342$a0f4e3d0$6102a8c0@salemcorp.com> I just upgraded to MS 4.61.7.2 today on a Centos 4.x system I am having problems with CLamAVmod working. Whenever I add clamavmodule to the Virus Scanners List MS stops processing Email and finally Fails after three min or so. I check and Mail::ClamAV is up to date (0.20). I installed install-Clam-0.90.3-SA-3.2.1.tar.gz. There looks like there is a Patch, But I can't Find It. Can someone Please Help :) -------------- next part -------------- An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070710/2249741a/attachment.html From kate at rheel.co.nz Wed Jul 11 00:37:10 2007 From: kate at rheel.co.nz (Kathryn Allan) Date: Wed Jul 11 00:37:18 2007 Subject: Issues trying to get freshclam working Message-ID: <46941826.6000807@rheel.co.nz> Hi all, I have just done a make install of clamav using ./configuration --prefix= so that it puts config file in /etc/clamd.conf for example. That all went smoothly but when I try and run freshclam I get the following error -bash: /usr/local/bin/freshclam: No such file or directory Where do I change where it looks for freshclam? Thanks Kate From r.berber at computer.org Wed Jul 11 01:45:10 2007 From: r.berber at computer.org (René Berber) Date: Wed Jul 11 01:45:27 2007 Subject: Issues trying to get freshclam working In-Reply-To: <46941826.6000807@rheel.co.nz> References: <46941826.6000807@rheel.co.nz> Message-ID: Kathryn Allan wrote: > I have just done a make install of clamav using ./configuration --prefix= > so that it puts config file in /etc/clamd.conf for example. Wrong procedure. If you want clamd.conf in /etc use --sysconfdir=/etc . > That all went smoothly but when I try and run freshclam i get the > following error > -bash: /usr/local/bin/freshclam: No such file or directory > > Where do I change where it looks for freshclam? Have you tried `which freshclam`? If you want to change the location used by MailScanner, then you'll have to change lib/clamav-autoupdate, but that's not the recommended procedure, better uninstall your clamav and re-install with the --sysconfdir option (no --prefix). It's probably under /bin (thanks to your wrong use of the --prefix parameter), even if /bin did not exist before. -- René
Berber From ugob at lubik.ca Wed Jul 11 03:53:18 2007 From: ugob at lubik.ca (Ugo Bellavance) Date: Wed Jul 11 03:53:33 2007 Subject: Help with ClamAVMod In-Reply-To: <064f01c7c342$a0f4e3d0$6102a8c0@salemcorp.com> References: <064f01c7c342$a0f4e3d0$6102a8c0@salemcorp.com> Message-ID: Phil Udel wrote: > I just upgraded to MS 4.61.7.2 today on a Centos 4.x system > I am having problems with CLamAVmod working. > When ever I add clamavmodule to the Virus Scanners List MS stops > possessing Email and finally Fails after three min or so. > Please let us see some log entries. Regards. Ugo From ugob at lubik.ca Wed Jul 11 03:57:56 2007 From: ugob at lubik.ca (Ugo Bellavance) Date: Wed Jul 11 04:00:04 2007 Subject: Issues trying to get freshclam working In-Reply-To: <46941826.6000807@rheel.co.nz> References: <46941826.6000807@rheel.co.nz> Message-ID: Kathryn Allan wrote: > Hi all, > > I have just done a make install of clamav using ./configuration --prefix= > so that it puts config file in /etc/clamd.conf for example. > > That all went smoothly but when I try and run freshclam i get the > following error > -bash: /usr/local/bin/freshclam: No such file or directory > > Where do I change where it looks for freshclam? What OS? Which version of clamAV? From kate at rheel.co.nz Wed Jul 11 04:23:54 2007 From: kate at rheel.co.nz (Kathryn Allan) Date: Wed Jul 11 04:24:02 2007 Subject: Issues trying to get freshclam working In-Reply-To: References: <46941826.6000807@rheel.co.nz> Message-ID: <46944D4A.1090209@rheel.co.nz> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070711/b523f8e2/attachment.html From kate at rheel.co.nz Wed Jul 11 04:24:58 2007 From: kate at rheel.co.nz (Kathryn Allan) Date: Wed Jul 11 04:25:02 2007 Subject: Issues trying to get freshclam working In-Reply-To: References: <46941826.6000807@rheel.co.nz> Message-ID: <46944D8A.7010709@rheel.co.nz> Just installed CentOS 5 and latest version of ClamAV. 
René's answer fixed my issue. Thanks Ugo Bellavance wrote: > Kathryn Allan wrote: >> Hi all, >> >> I have just done a make install of clamav using ./configuration >> --prefix= >> so that it puts config file in /etc/clamd.conf for example. >> >> That all went smoothly but when I try and run freshclam i get the >> following error >> -bash: /usr/local/bin/freshclam: No such file or directory >> >> Where do I change where it looks for freshclam? > > What OS? Which version of clamAV? > From hden at kcbbs.gen.nz Wed Jul 11 05:43:20 2007 From: hden at kcbbs.gen.nz (Hendrik den Hartog) Date: Wed Jul 11 05:24:39 2007 Subject: Language File In-Reply-To: <4693F400.5030309@ecs.soton.ac.uk> References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> Message-ID: <20070711044320.GA25959@mew.kcbbs.gen.nz> Gidday We've recently upgraded MailScanner after several months, and am getting logged errors about missing strings.. 'Looked up unknown string notcached in language translation file' ..etc We did copy the(a) new language,conf.rpmnew to language.conf, but this didn't sort the issue. Is there anywhere we can download a current english (en) language file from to sort this? Cheers! Pasadena School (Dave) From lists at jfworks.net Wed Jul 11 07:21:47 2007 From: lists at jfworks.net (James) Date: Wed Jul 11 07:21:54 2007 Subject: Language File In-Reply-To: <20070711044320.GA25959@mew.kcbbs.gen.nz> References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> <20070711044320.GA25959@mew.kcbbs.gen.nz> Message-ID: <469476FB.3030901@jfworks.net> Hendrik den Hartog wrote: > Gidday > > We've recently upgraded MailScanner after several months, and am getting logged errors about missing strings..
> > 'Looked up unknown string notcached in language translation file' > > ..etc > > We did copy the(a) new language,conf.rpmnew to language.conf, but this didn't > sort the issue. > > Is there anywhere we can download a current english (en) language file from to sort this? > > Cheers! > Pasadena School (Dave) > Have you run "upgrade_languages_conf " ? It will give the directions for upgrading the file. James From paul.hutchings at mira.co.uk Wed Jul 11 08:33:17 2007 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Wed Jul 11 08:33:26 2007 Subject: Local phishing whitelist? Message-ID: Is there a way of having a local phishing whitelist as well as the default/auto-updated one that comes with Mailscanner? I don't see a way of specifying more than one file? TIA, Paul Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378 Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -- MIRA Ltd. Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. From martinh at solidstatelogic.com Wed Jul 11 09:00:32 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Jul 11 09:00:45 2007 Subject: Local phishing whitelist? In-Reply-To: Message-ID: <5943e9739270674299fab02af44ce34a@solidstatelogic.com> Paul Put your changes to that single file and the autoupdate will merge the two sets together - clever huh? 
-- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Paul Hutchings > Sent: 11 July 2007 08:33 > To: MailScanner discussion > Subject: Local phishing whitelist? > > Is there a way of having a local phishing whitelist as well as the > default/auto-updated one that comes with Mailscanner? > > I don't see a way of specifying more than one file? > > TIA, > Paul > > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378 > Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > > > -- > MIRA Ltd. > > Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. > > Registered in England No. 402570 > VAT Registration GB 114 5409 96 > > The contents of this e-mail are confidential and are solely for the use of > the intended recipient. > If you receive this e-mail in error, please delete it and notify us either > by e-mail, telephone or fax. > You should not copy, forward or otherwise disclose the content of the e- > mail as this is prohibited. > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. 
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From jan-peter at koopmann.eu Wed Jul 11 09:20:53 2007 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Wed Jul 11 09:20:17 2007 Subject: switching from clamavmodule -> clamd... source? In-Reply-To: References: <469266D4.7060405@ecs.soton.ac.uk> Message-ID: > Make sure that /etc/MailScanner/virus.scanners.conf points to the right > installation (i.e. /usr or /usr/local). Then it will call > /usr/bin/freshclam for you. So if freshclam is located in /usr/local/bin/freshclam I need to put /usr/local in virus.scanners.conf? What is the advantage over using the freshclam daemon? From ram at netcore.co.in Wed Jul 11 10:05:13 2007 From: ram at netcore.co.in (ram) Date: Wed Jul 11 10:06:19 2007 Subject: Server whitelist being ignored In-Reply-To: <006f01c7c30b$479a7570$0402a8c0@VAIODESKTOP1> References: <006f01c7c30b$479a7570$0402a8c0@VAIODESKTOP1> Message-ID: <1184144713.29744.6.camel@localhost.localdomain> On Tue, 2007-07-10 at 11:59 -0400, Custom Framer Web Designs wrote: > I have a problem with messages that come from addresses, and domains that > are on the server-wide whitelist are being scanned and scored as spam. 
> > It is my understanding that by being on the whitelist, messages from these > addresses would not be scanned. > > Am I wrong in this thinking? Is this happenning every time for those ids , or only some times Thanks Ram From henker at evendi.de Wed Jul 11 10:14:46 2007 From: henker at evendi.de (Henke) Date: Wed Jul 11 10:14:52 2007 Subject: Lost the X-Spam-Score-Header along the way Message-ID: I *somehow* lost the X-Spam-Score-Header on one of my mail servers. Starting with 4.61.7, I noticed that neither the detailed SpamAssassin report nor the Spam-Score header was added. So I upgraded to 4.62.2 and the detailed report is added again, however still no X-Spam-Score-Header. Is there any way to find out why it's not added ? The MailScanner.conf contains SpamScore Number Instead Of Stars = no Spam Score Character = s Spam Score = yes Spam Score Number Format = %d and it's still working on another box with 4.61.7 with an *almost* identical config. Regards, Steffan From kennyfelden at hotmail.com Wed Jul 11 10:46:50 2007 From: kennyfelden at hotmail.com (Kenny Of The Fells) Date: Wed Jul 11 10:46:58 2007 Subject: Problem with mail that is non-spam and also mcp Message-ID: I have a rule such that non-spam to a set of users is quarantined: To: pupil*@ store This works as expected. However, if mail is also mcp, it is quarantined twice. Given that if I change the above rule to: To: pupil1*@ deliver mcp mail *doesn't* get delivered (it does get quarantined as mcp), why is it stored in the first case above rather than being ignored? How do I prevent non-spam mcp mail being stored twice? My MailScanner.conf is set to do mcp checks first. Thanks Peter From sa at streaming-networks.com Wed Jul 11 11:00:57 2007 From: sa at streaming-networks.com (sa@streaming-networks.com) Date: Wed Jul 11 11:02:03 2007 Subject: ruleset=check_mail ... 
Not Allowed Message-ID: <127101c7c3a2$60a91340$5505a8c0@stream.net> Hi, I am not getting emails delivered from anyone@sympatico.ca Following are my maillogs: Jul 11 05:07:02 mymailserver sendmail[17276]: l6B06xLD017276: ruleset=check_mail, arg1=, relay=xyz.domain.com [IP Address], reject=550 5.0.0 ... Not Allowed Jul 11 05:07:03 mymailserver sendmail[17276]: l6B06xLD017276: from=, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=xyz.domain.com [IP Address] No entries for sympatico.ca in my Mailscanner (and its relevant) config files. Any clue? Regards, Umar Murtaza -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070711/1c88bf0a/attachment-0001.html From Chris.Russell at knowledgeit.co.uk Wed Jul 11 11:10:45 2007 From: Chris.Russell at knowledgeit.co.uk (Chris Russell) Date: Wed Jul 11 11:10:48 2007 Subject: Quarantine from Custom Spam Scanner Message-ID: <1638CDD827D51E4D8E9B2741290E1C9101001143@wkits02.knowledgeit.co.uk> Julian, et al Is there any easy way to force (via a customer spam scanner) a message to be quarantined ? We have a few instances were we require the message to be quarantined regardless of the status, and whilst I can think of a few ways to do this, most mean modifying the mailscanner code. Is there any way to do this without the above being necessary (ie: maybe a force quarantine flag ?) Thanks Chris The contents of this e-mail may be privileged and are confidential. It may not be disclosed to or used by anyone other than the addressee(s), nor copied in any way. Any views or opinions presented are solely those of the author and do not necessarily represent those of Knowledge Limited. If received in error, please advise the sender, then delete it from your system. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070711/211dc5c5/attachment.html

From res at ausics.net Wed Jul 11 11:47:10 2007
From: res at ausics.net (Res)
Date: Wed Jul 11 11:47:27 2007
Subject: ruleset=check_mail ... Not Allowed
In-Reply-To: <127101c7c3a2$60a91340$5505a8c0@stream.net>
References: <127101c7c3a2$60a91340$5505a8c0@stream.net>
Message-ID:

Yeah, it's sendmail reject list. nothing to do with mailscanner

check your /etc/mail/access

On Wed, 11 Jul 2007, sa@streaming-networks.com wrote:

>
> Hi,
>
> I am not getting emails delivered from anyone@sympatico.ca
>
>
> Following are my maillogs:
>
> Jul 11 05:07:02 mymailserver sendmail[17276]: l6B06xLD017276: ruleset=check_mail, arg1=, relay=xyz.domain.com [IP Address], reject=550 5.0.0 ... Not Allowed
> Jul 11 05:07:03 mymailserver sendmail[17276]: l6B06xLD017276: from=, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=xyz.domain.com [IP Address]
>
>
> No entries for sympatico.ca in my Mailscanner (and its relevant) config files.
>
>
> Any clue?
>
>
> Regards,
>
>
> Umar Murtaza

--
Cheers
Res

From MailScanner at ecs.soton.ac.uk Wed Jul 11 12:10:48 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 11 12:15:02 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To:
References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk>
Message-ID: <4694BAB8.8000509@ecs.soton.ac.uk>

Ugo Bellavance wrote:
> Julian Field wrote:
>> Ugo Bellavance wrote:
>>> Julian Field wrote:
>>>
>>>>>> Please can someone add this, and my previous recent HOWTO, to the
>>>>>> Wiki for me?
>>>>> Will do as soon as I have all the info.
>>>> Thanks a lot for doing that.
>>>>> Ugo
>>> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd
>>>
>>>
>>> Please, everyone, review and comment. Especially the "FIXME" items.
>>>
>> Fix Me 1: That example is fine.
>
> Ok, but should all the clam* entries like that, or only clamav?

Yes, the last "word" on each line should be the same for all 3 entries.

>
>> Fix Me 2: My package does not install any RPM's anyway, so there's
>> nothing you can easily remove. You can do this if you want:
>> cd /usr/lib/perl5
>> find . -name 'SpamAssassin.pm' -print | xargs rm
>> to remove any old installations of SpamAssassin.
>
> I don't mind SA, as long as we can remove clamav. The article is only
> about clam.

In which case just remove /usr/local/bin/*clam*

Cheers,
Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From prandal at herefordshire.gov.uk Wed Jul 11 12:54:04 2007
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Jul 11 12:54:48 2007
Subject: ClamAV 0.91 is out
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk>

Project: Clam AntiVirus (clamav)
Package: clamav
Date : 2007-07-11 12:59

Project "Clam AntiVirus" ('clamav') has released the new version of package
'clamav'. You can download it from SourceForge.net by following this link:
or browse Release Notes and ChangeLog by visiting this link:

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From support-lists at petdoctors.co.uk Wed Jul 11 12:56:05 2007
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Wed Jul 11 12:57:22 2007
Subject: 4.61.7-2 - Attachments get zipped = message body disappears
Message-ID: <00f001c7c3b2$762db350$3c65a8c0@support01>

Hi,

It's been pointed out to me by an employee that if mail attachments get
munged into 'attachments.zip' the message body text disappears.

I have tried this and it's happened to me too. I have just reinstalled
4.61.7-2 and there's no change so I have had to turn off the feature.

I have looked back a week or so before I installed the latest MailScanner
and things were working fine then.

MS 4.61.7-2
Postfix 2:2.2.10-1.1.el4

What else do the wise ones need to know!?
Thanks From martinh at solidstatelogic.com Wed Jul 11 13:00:39 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Jul 11 13:00:47 2007 Subject: 4.61.7-2 - Attachments get zipped = message body disappears In-Reply-To: <00f001c7c3b2$762db350$3c65a8c0@support01> Message-ID: <05989f4a7929a3409c60502a246b5e75@solidstatelogic.com> This is a side effect for users where the email message is actually an attachment and not in the normal message body....I've had fun with this as well.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Nigel Kendrick > Sent: 11 July 2007 12:56 > To: MailScanner discussion > Subject: 4.61.7-2 - Attachments get zipped = message body disappears > > Hi, > > It's been pointed out to me by an employee that if mail attachments get > munged into 'attachments.zip' the message body text disappears. > > I have tried this and it's happened to me too. I have just reinstalled > 4.61.7-2 and there's no change so I have had to turn off the feature. > > I have looked back a week or so before I installed the latest MailScanner > and things were working fine then. > > MS 4.61.7-2 > Postfix 2:2.2.10-1.1.el4 > > What else do the wise ones need to know!? > > Thanks > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. 
Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From list-mailscanner at linguaphone.com Wed Jul 11 13:04:55 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Wed Jul 11 13:05:04 2007 Subject: ClamAV 0.91 is out In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk> References: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk> Message-ID: <1184155495.743.10.camel@gblades-suse.linguaphone-intranet.co.uk> On Wed, 2007-07-11 at 12:54, Randal, Phil wrote: > Project: Clam AntiVirus (clamav) > Package: clamav > Date : 2007-07-11 12:59 > > Project "Clam AntiVirus" ('clamav') has released the new version of > package > 'clamav'. You can download it from SourceForge.net by following this > link: > =522414> > or browse Release Notes and ChangeLog by visiting this link: > > > Cheers, > > Phil Do you know if an update to clamavmodule is required? From sa at streaming-networks.com Wed Jul 11 13:04:15 2007 From: sa at streaming-networks.com (sa@streaming-networks.com) Date: Wed Jul 11 13:05:18 2007 Subject: ruleset=check_mail ... 
Not Allowed
References: <127101c7c3a2$60a91340$5505a8c0@stream.net>
Message-ID: <133d01c7c3b3$99df77b0$5505a8c0@stream.net>

Thanks, got it.

Is /etc/mail/access maintained by some group or it's managed by the individual SAs themselves?

Regards,

Umar

----- Original Message -----
From: "Res"
To: "MailScanner discussion"
Sent: Wednesday, July 11, 2007 3:47 PM
Subject: Re: ruleset=check_mail ... Not Allowed

> Yeah, it's sendmail reject list. nothing to do with mailscanner
>
> check your /etc/mail/access
>
> On Wed, 11 Jul 2007, sa@streaming-networks.com wrote:
>
> >
> > Hi,
> >
> > I am not getting emails delivered from anyone@sympatico.ca
> >
> >
> > Following are my maillogs:
> >
> > Jul 11 05:07:02 mymailserver sendmail[17276]: l6B06xLD017276: ruleset=check_mail, arg1=, relay=xyz.domain.com [IP Address], reject=550 5.0.0 ... Not Allowed
> > Jul 11 05:07:03 mymailserver sendmail[17276]: l6B06xLD017276: from=, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=xyz.domain.com [IP Address]
> >
> >
> > No entries for sympatico.ca in my Mailscanner (and its relevant) config files.
> >
> >
> > Any clue?
> >
> >
> > Regards,
> >
> >
> > Umar Murtaza
>
> --
> Cheers
> Res
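The diagnosis in the exchange above (a `ruleset=check_mail` rejection is logged by sendmail itself, so the place to look is /etc/mail/access rather than MailScanner) can be checked mechanically. This is an added example, not part of any list member's post: the log lines and access entries are constructed, the function names are hypothetical, and the access matching is a simplified heuristic, not sendmail's exact lookup order.

```python
import re

# Constructed sample data, shaped like the log excerpt quoted in the thread.
# Host names, addresses and IPs are placeholders, not values from the list.
SAMPLE_LOG = """\
Jul 11 05:07:02 mymailserver sendmail[17276]: l6B06xLD017276: ruleset=check_mail, arg1=<alice@example.ca>, relay=mx1.example.net [192.0.2.10], reject=550 5.0.0 <alice@example.ca>... Not Allowed
Jul 11 05:07:03 mymailserver sendmail[17276]: l6B06xLD017276: from=<alice@example.ca>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mx1.example.net [192.0.2.10]
Jul 11 05:09:41 mymailserver sendmail[17301]: l6B09aXk017301: ruleset=check_rcpt, arg1=<bob@example.org>, relay=host.example.com [198.51.100.7], reject=550 5.7.1 <bob@example.org>... Relaying denied
Jul 11 05:12:10 mymailserver sendmail[17340]: l6B0C9pQ017340: from=<carol@example.com>, size=2143, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.com [203.0.113.5]
Jul 11 05:12:44 mymailserver sendmail[17355]: l6B0Chs1017355: ruleset=check_mail, arg1=<dave@mail.example.ca>, relay=mx2.example.net [192.0.2.11], reject=550 5.0.0 <dave@mail.example.ca>... Not Allowed
"""

# Constructed access map entries (the text form that makemap reads).
SAMPLE_ACCESS = """\
# constructed entries
Connect:127.0.0.1      RELAY
From:example.ca        550 Not Allowed
bob@example.org        REJECT
example.com            OK
"""

# A rejection line names the ruleset that fired. arg1 may be empty when an
# archive has stripped the <address>, as in the excerpt quoted in the thread.
REJECT_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): ruleset=(?P<ruleset>\w+), "
    r"arg1=<?(?P<arg1>[^>,]*)>?, relay=(?P<relay>.*?), "
    r"reject=(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) (?P<text>.*)$"
)


def parse_rejects(log_text):
    """Return one dict per ruleset rejection logged by sendmail."""
    rejects = []
    for line in log_text.splitlines():
        match = REJECT_RE.search(line)
        if match:
            rejects.append(match.groupdict())
    return rejects


def access_candidates(sender, access_text):
    """Heuristic: access entries whose key names the sender or its domain."""
    sender = sender.strip("<>").lower()
    if not sender:
        return []
    local, _, domain = sender.rpartition("@")
    hits = []
    for raw in access_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue
        key, action = fields[0], fields[1].strip()
        bare = key.lower()
        if bare.startswith("from:"):
            bare = bare[len("from:"):]
        elif ":" in bare:
            continue  # Connect:, To: and other tags do not describe the sender
        if bare in (sender, local + "@") or domain == bare or domain.endswith("." + bare):
            hits.append((key, action))
    return hits


def explain(log_text, access_text):
    """Pair each rejection with the access entries that could have caused it."""
    report = []
    for rej in parse_rejects(log_text):
        # Only check_mail carries the envelope sender in arg1; for check_rcpt
        # arg1 is the recipient, so no sender lookup is attempted there.
        hits = access_candidates(rej["arg1"], access_text) if rej["ruleset"] == "check_mail" else []
        report.append((rej["qid"], rej["ruleset"], rej["arg1"], hits))
    return report


if __name__ == "__main__":
    for qid, ruleset, arg1, hits in explain(SAMPLE_LOG, SAMPLE_ACCESS):
        print(qid, ruleset, arg1 or "(address missing)", hits or "no sender entry found")
```

A message rejected this way never reaches the MailScanner queue, which is why nothing about it appears in the MailScanner configuration or logs.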
From support-lists at petdoctors.co.uk Wed Jul 11 13:08:38 2007
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Wed Jul 11 13:09:55 2007
Subject: 4.61.7-2 - Attachments get zipped = message body disappears
In-Reply-To: <05989f4a7929a3409c60502a246b5e75@solidstatelogic.com>
Message-ID: <011f01c7c3b4$3709fec0$3c65a8c0@support01>

>
>Subject: RE: 4.61.7-2 - Attachments get zipped = message body disappears
>
>
>This is a side effect for users where the email message is actually an
>attachment and not in the normal message body....I've had fun with this
>as well..

I upgraded 3 mail servers at the same time last week and I have just sent
another test message with attachment to my Googlemail account via a
different server and this message has made it in one piece.

What's the best way to approach this!?

Ta

From shuttlebox at gmail.com Wed Jul 11 13:29:09 2007
From: shuttlebox at gmail.com (shuttlebox)
Date: Wed Jul 11 13:29:13 2007
Subject: Quarantine from Custom Spam Scanner
In-Reply-To: <1638CDD827D51E4D8E9B2741290E1C9101001143@wkits02.knowledgeit.co.uk>
References: <1638CDD827D51E4D8E9B2741290E1C9101001143@wkits02.knowledgeit.co.uk>
Message-ID: <625385e30707110529w5026db3do3a870add38126123@mail.gmail.com>

On 7/11/07, Chris Russell wrote:
> Julian, et al
>
> Is there any easy way to force (via a customer spam scanner) a message to be quarantined?
>
> We have a few instances where we require the message to be quarantined regardless of the status, and whilst I can think of a few ways to do this, most mean modifying the mailscanner code.
>
> Is there any way to do this without the above being necessary (ie: maybe a force quarantine flag?)

Can't you use a ruleset for Non Spam, Spam and High Scoring Spam
Actions? Mail to/from certain addresses gets a store.
-- /peter From prandal at herefordshire.gov.uk Wed Jul 11 13:22:33 2007 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Jul 11 13:32:15 2007 Subject: ClamAV 0.91 is out In-Reply-To: <1184155495.743.10.camel@gblades-suse.linguaphone-intranet.co.uk> References: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk> <1184155495.743.10.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0118F5E8@HC-MBX02.herefordshire.gov.uk> It works here fine with ClamAVModule 0.20. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Gareth > Sent: 11 July 2007 13:05 > To: MailScanner discussion > Subject: Re: ClamAV 0.91 is out > > On Wed, 2007-07-11 at 12:54, Randal, Phil wrote: > > Project: Clam AntiVirus (clamav) > > Package: clamav > > Date : 2007-07-11 12:59 > > > > Project "Clam AntiVirus" ('clamav') has released the new version of > > package > > 'clamav'. You can download it from SourceForge.net by following this > > link: > > > release_id > > =522414> > > or browse Release Notes and ChangeLog by visiting this link: > > > > > > Cheers, > > > > Phil > > Do you know if an update to clamavmodule is required? > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From Phil.Udel at SalemCorp.com Wed Jul 11 13:41:44 2007 From: Phil.Udel at SalemCorp.com (Phil Udel) Date: Wed Jul 11 13:41:52 2007 Subject: Help with ClamAVMod In-Reply-To: References: <064f01c7c342$a0f4e3d0$6102a8c0@salemcorp.com> Message-ID: <070601c7c3b8$d6781060$6102a8c0@salemcorp.com> That has been the problem. 
Nothing in the Mailscanner log and freshclam log is empty. I do get this message: Jul 11 12:24:29 pinkie MailScanner[10879]: Message Content Protection SpamAssass in timed out and was killed, consecutive failure 1 of 20 I don't get them if I take clamavmodule out of the MS Config and just use mcafee -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ugo Bellavance Sent: Tuesday, July 10, 2007 10:53 PM To: mailscanner@lists.mailscanner.info Subject: Re: Help with ClamAVMod Phil Udel wrote: > I just upgraded to MS 4.61.7.2 today on a Centos 4.x system I am > having problems with CLamAVmod working. > When ever I add clamavmodule to the Virus Scanners List MS stops > possessing Email and finally Fails after three min or so. > Please let us see some log entries. Regards. Ugo -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From rcooper at dwford.com Wed Jul 11 13:55:08 2007 From: rcooper at dwford.com (Rick Cooper) Date: Wed Jul 11 13:55:13 2007 Subject: ClamAV 0.91 is out In-Reply-To: <1184155495.743.10.camel@gblades-suse.linguaphone-intranet.co.uk> References: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk> <1184155495.743.10.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <019901c7c3ba$b6212f70$0301a8c0@SAHOMELT> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Gareth > Sent: Wednesday, July 11, 2007 10:05 PM > To: MailScanner discussion > Subject: Re: ClamAV 0.91 is out > > On Wed, 2007-07-11 at 12:54, Randal, Phil wrote: > > Project: Clam AntiVirus (clamav) > > Package: clamav > > Date : 2007-07-11 12:59 > > > > Project "Clam AntiVirus" ('clamav') has released the new version of > > package > > 'clamav'. You can download it from SourceForge.net by > following this > > link: [...] > Do you know if an update to clamavmodule is required? > I didn't see any changes to the libclamv API so there shouldn't be any. The only time clamavmodule get's hosed is when they change the library API Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ka at pacific.net Wed Jul 11 14:21:40 2007 From: ka at pacific.net (Ken A) Date: Wed Jul 11 14:21:43 2007 Subject: 4.61.7-2 - Attachments get zipped = message body disappears In-Reply-To: <011f01c7c3b4$3709fec0$3c65a8c0@support01> References: <011f01c7c3b4$3709fec0$3c65a8c0@support01> Message-ID: <4694D964.2000408@pacific.net> Nigel Kendrick wrote: >> Subject: RE: 4.61.7-2 - Attachments get zipped = message body disappears >> >> >> This is a side effect for users where the email message is actually an >> attachment and not in the normal message body....I've had fun with this >> as well.. 
> > > I upgraded 3 mail servers at the same time last week and I have just sent > another test message with attachment to my Googlemail account via a > different server and this message has made it in one piece. > > What's the best way to approach this!? > > Ta > Seems like it would be nice to be able to specify which type of attachments to zip.. (doc|xls|pdf|tiff).. etc. Ken -- Ken Anderson Pacific.Net From martinh at solidstatelogic.com Wed Jul 11 14:36:41 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Jul 11 14:36:51 2007 Subject: 4.61.7-2 - Attachments get zipped = message body disappears In-Reply-To: <4694D964.2000408@pacific.net> Message-ID: <3f87b39933559b4ea540bd6e84ecf2c2@solidstatelogic.com> Ken Trouble is some MUA's put html based messages as attachments....or can do if they are configured that way.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Ken A > Sent: 11 July 2007 14:22 > To: MailScanner discussion > Subject: Re: 4.61.7-2 - Attachments get zipped = message body disappears > > Nigel Kendrick wrote: > >> Subject: RE: 4.61.7-2 - Attachments get zipped = message body > disappears > >> > >> > >> This is a side effect for users where the email message is actually an > >> attachment and not in the normal message body....I've had fun with this > >> as well.. > > > > > > I upgraded 3 mail servers at the same time last week and I have just > sent > > another test message with attachment to my Googlemail account via a > > different server and this message has made it in one piece. > > > > What's the best way to approach this!? > > > > Ta > > > Seems like it would be nice to be able to specify which type of > attachments to zip.. (doc|xls|pdf|tiff).. etc. 
> Ken > > -- > Ken Anderson > Pacific.Net > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From Chris.Russell at knowledgeit.co.uk Wed Jul 11 14:37:29 2007
From: Chris.Russell at knowledgeit.co.uk (Chris Russell)
Date: Wed Jul 11 14:37:36 2007
Subject: Quarantine from Custom Spam Scanner
In-Reply-To: <625385e30707110529w5026db3do3a870add38126123@mail.gmail.com>
References: <1638CDD827D51E4D8E9B2741290E1C9101001143@wkits02.knowledgeit.co.uk> <625385e30707110529w5026db3do3a870add38126123@mail.gmail.com>
Message-ID: <1638CDD827D51E4D8E9B2741290E1C910100119D@wkits02.knowledgeit.co.uk>

> Is there any way to do this without the above being necessary (ie:
> maybe a force quarantine flag ?)

> Can't you use a ruleset for Non Spam, Spam and High Scoring Spam
Actions? Mail to/from certain addresses gets a store.

Hi Peter,

Not really, as quarantine needs to be on anything from subject lines to file types.

Thanks

Chris

From Denis.Beauchemin at USherbrooke.ca Wed Jul 11 14:41:47 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Jul 11 14:42:14 2007
Subject: Lost the X-Spam-Score-Header along the way
In-Reply-To:
References:
Message-ID: <4694DE1B.1050301@USherbrooke.ca>

Henke wrote:
>
> I *somehow* lost the X-Spam-Score-Header on one of my mail servers.
> Starting with 4.61.7, I noticed that neither the detailed SpamAssassin
> report nor the Spam-Score header was added.
> So I upgraded to 4.62.2 and the detailed report is added again,
> however still no X-Spam-Score-Header.
> Is there any way to find out why it's not added?
>
> The MailScanner.conf contains
>
> SpamScore Number Instead Of Stars = no
> Spam Score Character = s
> Spam Score = yes
> Spam Score Number Format = %d
>
> and it's still working on another box with 4.61.7 with an *almost*
> identical config.
>
> Regards,
>
> Steffan
>

Steffan,

You're also supposed to have:

# Add this extra header if "Spam Score" = yes. The header will
# contain 1 character for every point of the SpamAssassin score.
Spam Score Header = X-%org-name%-MailScanner-SpamScore:

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070711/cf1abfb5/smime.bin

From MailScanner at ecs.soton.ac.uk Wed Jul 11 14:48:41 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 11 14:54:52 2007
Subject: Issues trying to get freshclam working
In-Reply-To:
References: <46941826.6000807@rheel.co.nz>
Message-ID: <4694DFB9.2000504@ecs.soton.ac.uk>

René Berber wrote:
> Kathryn Allan wrote:
>
>
>> I have just done a make install of clamav using ./configuration --prefix=
>> so that it puts config file in /etc/clamd.conf for example.
>>
>
> Wrong procedure.
>
> If you want clamd.conf in /etc use --sysconfdir=/etc .
>
>
>> That all went smoothly but when I try and run freshclam i get the
>> following error
>> -bash: /usr/local/bin/freshclam: No such file or directory
>>
>> Where do I change where it looks for freshclam?
>>
>
> Have you tried `which freshclam`?
If you want to change the location used by > MailScanner, then you'll have to change lib/clamav-autoupdate, but that's not > the recommended procedure, better uninstall your clamav and re-install with the > --sysconfigdir option (no --prefix). > You shouldn't need to edit any autoupdate or wrapper script. They get their information from /etc/MailScanner/virus.scanners.conf file, that's the one you should edit. Any edits to autoupdate or wrapper scripts will get overwritten by your next MailScanner upgrade. Changes to virus.scanners.conf will be preserved. > It's probably under /bin (thanks to your wrong use of the --prefix parameter), > even if /bin did not exist before. > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Wed Jul 11 14:50:46 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jul 11 14:56:18 2007 Subject: switching from clamavmodule -> clamd... source? In-Reply-To: References: <469266D4.7060405@ecs.soton.ac.uk> Message-ID: <4694E036.7020907@ecs.soton.ac.uk> Koopmann, Jan-Peter wrote: >> Make sure that /etc/MailScanner/virus.scanners.conf points to the >> > right > >> installation (i.e. /usr or /usr/local). Then it will call >> /usr/bin/freshclam for you. >> > > So if freshclam is located in /usr/local/bin/freshclam I need to put > /usr/local in virus.scanners.conf? > Correct. > What is the advantage over using the freshclam daemon? > There isn't a freshclam daemon. 
My clamav-autoupdate scripts call the freshclam program to do the actual work anyway. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Wed Jul 11 14:53:49 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jul 11 14:57:55 2007 Subject: Quarantine from Custom Spam Scanner In-Reply-To: <1638CDD827D51E4D8E9B2741290E1C9101001143@wkits02.knowledgeit.co.uk> References: <1638CDD827D51E4D8E9B2741290E1C9101001143@wkits02.knowledgeit.co.uk> Message-ID: <4694E0ED.2000102@ecs.soton.ac.uk> I would advise you use a ruleset or a Custom Function on the "Archive Mail =" setting in MailScanner.conf. Chris Russell wrote: > Julian, et al > > Is there any easy way to force (via a customer spam scanner) a > message to be quarantined ? > > We have a few instances were we require the message to be quarantined > regardless of the status, and whilst I can think of a few ways to do > this, most mean modifying the mailscanner code. > > Is there any way to do this without the above being necessary (ie: > maybe a force quarantine flag ?) > > Thanks > > Chris > > > > The contents of this e-mail may be privileged and are confidential. > It may not be disclosed to or used by anyone other than the > addressee(s), nor copied in any way. Any views or opinions presented > are solely those of the author and do not necessarily represent those > of Knowledge Limited. > > If received in error, please advise the sender, then delete it from > your system. 
> Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From ka at pacific.net Wed Jul 11 14:59:55 2007 From: ka at pacific.net (Ken A) Date: Wed Jul 11 14:59:59 2007 Subject: 4.61.7-2 - Attachments get zipped = message body disappears In-Reply-To: <3f87b39933559b4ea540bd6e84ecf2c2@solidstatelogic.com> References: <3f87b39933559b4ea540bd6e84ecf2c2@solidstatelogic.com> Message-ID: <4694E25B.4030408@pacific.net> Martin.Hepworth wrote: > Ken > > Trouble is some MUA's put html based messages as attachments....or can > do if they are configured that way.. I might be missing something, but if MailScanner only zips where filename or filetype matches a list, then this wouldn't be a problem. It could also ! match .htm? or winmail.dat or whatever that evil attachment name is. Ken > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Ken A >> Sent: 11 July 2007 14:22 >> To: MailScanner discussion >> Subject: Re: 4.61.7-2 - Attachments get zipped = message body > disappears >> Nigel Kendrick wrote: >>>> Subject: RE: 4.61.7-2 - Attachments get zipped = message body >> disappears >>>> >>>> This is a side effect for users where the email message is actually > an >>>> attachment and not in the normal message body....I've had fun with > this >>>> as well.. 
>>> >>> I upgraded 3 mail servers at the same time last week and I have just >> sent >>> another test message with attachment to my Googlemail account via a >>> different server and this message has made it in one piece. >>> >>> What's the best way to approach this!? >>> >>> Ta >>> >> Seems like it would be nice to be able to specify which type of >> attachments to zip.. (doc|xls|pdf|tiff).. etc. >> Ken >> >> -- >> Ken Anderson >> Pacific.Net >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show them > to anyone. Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We advise > that you consider this fact when e-mailing us. > Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. 
> > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales > (Company No:5362730) > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > United Kingdom > ********************************************************************** > -- Ken Anderson Pacific.Net From Chris.Russell at knowledgeit.co.uk Wed Jul 11 15:01:25 2007 From: Chris.Russell at knowledgeit.co.uk (Chris Russell) Date: Wed Jul 11 15:01:33 2007 Subject: Quarantine from Custom Spam Scanner In-Reply-To: <4694E0ED.2000102@ecs.soton.ac.uk> References: <1638CDD827D51E4D8E9B2741290E1C9101001143@wkits02.knowledgeit.co.uk> <4694E0ED.2000102@ecs.soton.ac.uk> Message-ID: <1638CDD827D51E4D8E9B2741290E1C91010011AD@wkits02.knowledgeit.co.uk> > I would advise you use a ruleset or a Custom Function on the "Archive Mail =" setting in MailScanner.conf. Mwahaha, I knew you would have something ... Thanks Jules.. :) The contents of this e-mail may be privileged and are confidential. It may not be disclosed to or used by anyone other than the addressee(s), nor copied in any way. Any views or opinions presented are solely those of the author and do not necessarily represent those of Knowledge Limited. If received in error, please advise the sender, then delete it from your system. From MailScanner at ecs.soton.ac.uk Wed Jul 11 15:03:18 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jul 11 15:08:11 2007 Subject: ClamAV 0.91 is out In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk> References: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk> Message-ID: <4694E326.5070908@ecs.soton.ac.uk> I have just released an updated version of my ClamAV+SpamAssassin package including this new release. Randal, Phil wrote: > Project: Clam AntiVirus (clamav) > Package: clamav > Date : 2007-07-11 12:59 > > Project "Clam AntiVirus" ('clamav') has released the new version of > package > 'clamav'. 
You can download it from SourceForge.net by following this > link: > =522414> > or browse Release Notes and ChangeLog by visiting this link: > > > Cheers, > > Phil > > -- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Wed Jul 11 15:07:12 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jul 11 15:10:59 2007 Subject: 4.61.7-2 - Attachments get zipped = message body disappears In-Reply-To: <4694E25B.4030408@pacific.net> References: <3f87b39933559b4ea540bd6e84ecf2c2@solidstatelogic.com> <4694E25B.4030408@pacific.net> Message-ID: <4694E410.90406@ecs.soton.ac.uk> Ken A wrote: > Martin.Hepworth wrote: >> Ken >> >> Trouble is some MUA's put html based messages as attachments....or can >> do if they are configured that way.. > > I might be missing something, but if MailScanner only zips where > filename or filetype matches a list, then this wouldn't be a problem. > It could also ! match .htm? or winmail.dat or whatever that evil > attachment name is. > Ken Can someone send me a message including this problem please! Easiest way to get it to me might be to make the message sendmail queue files into a zip and put that on a website somewhere, and email me the URL. Then I can take a look at trying to come up with a workaround. Many thanks, Jules. 
> > >> >> -- >> Martin Hepworth >> Snr Systems Administrator >> Solid State Logic >> Tel: +44 (0)1865 842300 >> >>> -----Original Message----- >>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>> bounces@lists.mailscanner.info] On Behalf Of Ken A >>> Sent: 11 July 2007 14:22 >>> To: MailScanner discussion >>> Subject: Re: 4.61.7-2 - Attachments get zipped = message body >> disappears >>> Nigel Kendrick wrote: >>>>> Subject: RE: 4.61.7-2 - Attachments get zipped = message body >>> disappears >>>>> >>>>> This is a side effect for users where the email message is actually >> an >>>>> attachment and not in the normal message body....I've had fun with >> this >>>>> as well.. >>>> >>>> I upgraded 3 mail servers at the same time last week and I have just >>> sent >>>> another test message with attachment to my Googlemail account via a >>>> different server and this message has made it in one piece. >>>> >>>> What's the best way to approach this!? >>>> >>>> Ta >>>> >>> Seems like it would be nice to be able to specify which type of >>> attachments to zip.. (doc|xls|pdf|tiff).. etc. >>> Ken >>> >>> -- >>> Ken Anderson >>> Pacific.Net >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >> >> >> >> >> ********************************************************************** >> Confidentiality : This e-mail and any attachments are intended for >> the addressee only and may be confidential. If they come to you in >> error you must take no action based on them, nor must you copy or >> show them to anyone. Please advise the sender by replying to this >> e-mail immediately and then delete the original from your computer. 
>> Opinion : Any opinions expressed in this e-mail are entirely those of >> the author and unless specifically stated to the contrary, are not >> necessarily those of the author's employer. >> Security Warning : Internet e-mail is not necessarily a secure >> communications medium and can be subject to data corruption. We >> advise that you consider this fact when e-mailing us. Viruses : We >> have taken steps to ensure that this e-mail and any attachments are >> free from known viruses but in keeping with good computing practice, >> you should ensure that they are virus free. >> >> Red Lion 49 Ltd T/A Solid State Logic >> Registered as a limited company in England and Wales (Company >> No:5362730) >> Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, >> United Kingdom >> ********************************************************************** >> > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From root at doctor.nl2k.ab.ca Wed Jul 11 15:11:53 2007 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Wed Jul 11 15:13:01 2007 Subject: Spam getting through [dr.defrimkerqagu@yahoo.com: {Spam?} SOS Kosovo] Message-ID: <20070711141152.GA29353@doctor.nl2k.ab.ca> Please note the below is an example of a spam that an outgoing mailserver should have caught. 
----- Forwarded message from "Dr.Defrim Kerqagu" ----- Return-Path: doctor@doctor.nl2k.ab.ca Received: from doctor.nl2k.ab.ca by doctor.nl2k.ab.ca (8.14.1/8.14.1) with ESMTP id l6BE8ROs029083 for ; Wed, 11 Jul 2007 08:08:32 -0600 (MDT) Received: (from doctor@localhost) by doctor.nl2k.ab.ca (8.14.1/8.14.1/Submit) id l6BE8RNM029081 for root@doctor.nl2k.ab.ca; Wed, 11 Jul 2007 08:08:27 -0600 (MDT) Resent-From: doctor@doctor.nl2k.ab.ca Resent-Date: Wed, 11 Jul 2007 08:08:26 -0600 Resent-Message-ID: <20070711140826.GA28749@doctor.nl2k.ab.ca> Resent-To: "Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem" Received: from hc-a02.pointdnshere.com by doctor.nl2k.ab.ca (8.14.1/8.14.1) with ESMTP id l6BDYPWq016086 for ; Wed, 11 Jul 2007 07:34:40 -0600 (MDT) X-Spam-Filter: check_local@doctor.nl2k.ab.ca by digitalanswers.org Received: from apache by hc-a02.pointdnshere.com with local (Exim 4.60) (envelope-from ) id 1I8cKW-0007YM-Ju for doctor@doctor.nl2k.ab.ca; Wed, 11 Jul 2007 21:34:08 +0800 To: doctor@doctor.nl2k.ab.ca Subject: {Spam?} SOS Kosovo From: "Dr.Defrim Kerqagu" Reply-To: dr.defrimkerqagu@yahoo.com MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 8bit Message-Id: Date: Wed, 11 Jul 2007 21:34:08 +0800 X-pointdnshere_com-MailScanner-Information: Please contact the ISP for more information X-pointdnshere_com-MailScanner: Found to be clean X-pointdnshere_com-MailScanner-SpamCheck: not spam, SpamAssassin (cached, score=-0.751, required 6, ADVANCE_FEE_1 0.00, BAYES_00 -2.60, FORGED_YAHOO_RCVD 1.85, NO_RELAYS -0.00) X-pointdnshere_com-MailScanner-From: sosir@sosir.ws X-Spam-Status: No, Yes, No X-Null-Tag: 78f059339423ddb8617c6e2b1edbc36f X-Null-Tag: cadd312ec8139d5a47a58596df0834de X-NetKnow-InComing-4.61.7-1-MailScanner: Found to be clean, Found to be clean X-NetKnow-InComing-4.61.7-1-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=45.076, required 1, FORGED_YAHOO_RCVD 45.00, NO_RELAYS -0.00, TW_QA 0.08) 
X-NetKnow-InComing-4.61.7-1-MailScanner-SpamScore: sssssssssssssssssssssssssssssssssssssssssssss X-NetKnow-InComing-4.61.7-1-MailScanner-Information: Please contact the ISP for more information X-NetKnow-InComing-4.61.7-1-MailScanner-From: doctor@doctor.nl2k.ab.ca Dear Lady/Sir, My name is Dr. Defrim Kerqagu and I am from Rahovec/Kosovo. I am writing this E-mail to you for your possible assistance in helping two young children from my town (my patients) that suffer from Congenital Heart Disease. Your assistance is required and appreciated to take them for surgery abroad as such a possibility does not exist in Kosovo. Your assistance can be from 1 Euro to as much as your heart can give for a heart. PS: Please disseminate this e-mail to as many friends as you have so that they could help too, these children are in need of your help. Dr. Defrim Kerqagu Rahovec Kosovo Tel: +377 (0) 44 363 220 dr.defrimkerqagu@yahoo.com Bank Account details: Pro Credit Bank Kosovo Account number: 1140127589000186 Swift Code: MBKORS22 Rahovec Kosovo -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ----- End forwarded message ----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From henker at evendi.de Wed Jul 11 15:15:41 2007 From: henker at evendi.de (Henke) Date: Wed Jul 11 15:15:44 2007 Subject: Lost the X-Spam-Score-Header along the way In-Reply-To: <4694DE1B.1050301@USherbrooke.ca> References: <4694DE1B.1050301@USherbrooke.ca> Message-ID: On Wed, 11 Jul 2007, Denis Beauchemin wrote: > You're also supposed to have: > # Add this extra header if "Spam Score" = yes. The header will > # contain 1 character for every point of the SpamAssassin score. > Spam Score Header = X-%org-name%-MailScanner-SpamScore: Denis, thank you for your reply - but I still have Spam Score Header = X-MailScanner-SpamScore: in my MailScanner.conf, sorry I didn't post that. 
It *used* to work that way for ages, so I'm not sure what caused it to stop... Regards, Steffan From jan-peter at koopmann.eu Wed Jul 11 15:32:53 2007 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Wed Jul 11 15:32:13 2007 Subject: switching from clamavmodule -> clamd... source? In-Reply-To: References: <469266D4.7060405@ecs.soton.ac.uk> Message-ID: > There isn't a freshclam daemon. My clamav-autoupdate scripts call the > freshclam program to do the actual work anyway. At least on FreeBSD you can run freshclam in daemon mode: -d, --daemon Run in a daemon mode. This option requires --checks. -p FILE, --pid=FILE Write daemon's pid to FILE. From FStein at thehill.org Wed Jul 11 15:45:28 2007 From: FStein at thehill.org (Stein, Mr. Fred) Date: Wed Jul 11 15:48:13 2007 Subject: ClamAV 0.91 is out In-Reply-To: <4694E326.5070908@ecs.soton.ac.uk> References: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk> <4694E326.5070908@ecs.soton.ac.uk> Message-ID: -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Wednesday, July 11, 2007 10:03 AM To: MailScanner discussion Subject: Re: ClamAV 0.91 is out I have just released an updated version of my ClamAV+SpamAssassin package including this new release. Randal, Phil wrote: > Project: Clam AntiVirus (clamav) > Package: clamav > Date : 2007-07-11 12:59 > > Project "Clam AntiVirus" ('clamav') has released the new version of > package > 'clamav'. You can download it from SourceForge.net by following this > link: > =522414> > or browse Release Notes and ChangeLog by visiting this link: > > > Cheers, > > Phil > > -- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! Jules The link appears not to work. Fred Fred Stein Network Administrator The Hill School 717 E. High Street Pottstown, PA 19464 fstein@thehill.org www.thehill.org From ssilva at sgvwater.com Wed Jul 11 15:59:48 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Jul 11 16:00:03 2007 Subject: Help with ClamAVMod In-Reply-To: <070601c7c3b8$d6781060$6102a8c0@salemcorp.com> References: <064f01c7c342$a0f4e3d0$6102a8c0@salemcorp.com> <070601c7c3b8$d6781060$6102a8c0@salemcorp.com> Message-ID: Phil Udel spake the following on 7/11/2007 5:41 AM: > That has been the problem. Nothing in the Mailscanner log and freshclam log > is empty. > > I do get this message: > Jul 11 12:24:29 pinkie MailScanner[10879]: Message Content Protection > SpamAssass in timed out and was killed, consecutive failure 1 of 20 > > I don't get them if I take clamavmodule out of the MS Config and just use > mcafee > I had this recently when clam 0.90 came out. I had to stop everything and re-install clam and clamavmodule before it started working. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From mikael at syska.dk Wed Jul 11 16:00:25 2007 From: mikael at syska.dk (Mikael Syska) Date: Wed Jul 11 16:00:33 2007 Subject: ClamAV 0.91 is out In-Reply-To: References: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk> <4694E326.5070908@ecs.soton.ac.uk> Message-ID: <4694F089.2040103@syska.dk> Hi, Stein, Mr. Fred wrote: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: Wednesday, July 11, 2007 10:03 AM > To: MailScanner discussion > Subject: Re: ClamAV 0.91 is out > > I have just released an updated version of my ClamAV+SpamAssassin > package including this new release. > > Randal, Phil wrote: > >> Project: Clam AntiVirus (clamav) >> Package: clamav >> Date : 2007-07-11 12:59 >> >> Project "Clam AntiVirus" ('clamav') has released the new version of >> package >> 'clamav'. You can download it from SourceForge.net by following this >> link: >> >> > >> =522414> >> or browse Release Notes and ChangeLog by visiting this link: >> >> >> Cheers, >> >> Phil >> >> -- >> Phil Randal >> Network Engineer >> Herefordshire Council >> Hereford, UK >> >> > > Jules Think you forgot the text to the message or ? I can't see anything other than jules previously message ... nothing changed. // ouT From support-lists at petdoctors.co.uk Wed Jul 11 16:16:04 2007 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Wed Jul 11 16:17:21 2007 Subject: Ouch! Message-ID: <014d01c7c3ce$65ce0bb0$3c65a8c0@support01> Don't think I'll risk it... " By ordering Penis Enlarge Patch, maximize your gains with our most Explosive Package! " Ouch! From neilw at dcdata.co.za Wed Jul 11 16:21:49 2007 From: neilw at dcdata.co.za (Neil Wilson) Date: Wed Jul 11 16:22:07 2007 Subject: Ouch! In-Reply-To: <014d01c7c3ce$65ce0bb0$3c65a8c0@support01> References: <014d01c7c3ce$65ce0bb0$3c65a8c0@support01> Message-ID: <4694F58D.3010203@dcdata.co.za> Hahaah!! 
Nigel Kendrick wrote: > Don't think I'll risk it... > > " > > By ordering Penis Enlarge Patch, maximize your gains with our most Explosive > Package! > > " > > Ouch! > > -- This email and all contents are subject to the following disclaimer: http://www.dcdata.co.za/emaildisclaimer.html From jase at sensis.com Wed Jul 11 16:22:06 2007 From: jase at sensis.com (Desai, Jason) Date: Wed Jul 11 16:23:04 2007 Subject: ClamAV 0.91 is out In-Reply-To: <4694E326.5070908@ecs.soton.ac.uk> Message-ID: <1951DC816E1A9F469307B05FA183F4389DC79A@corpatsmail1.corp.sensis.com> I'm getting a 404 error trying to download it. Is everything ok on the web site? Not Found The requested URL /files/4/install-Clam-0.91-SA-3.2.1.tar.gz was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request. Jase > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: Wednesday, July 11, 2007 10:03 AM > To: MailScanner discussion > Subject: Re: ClamAV 0.91 is out > > I have just released an updated version of my ClamAV+SpamAssassin > package including this new release. > > Randal, Phil wrote: > > Project: Clam AntiVirus (clamav) > > Package: clamav > > Date : 2007-07-11 12:59 > > > > Project "Clam AntiVirus" ('clamav') has released the new version of > > package > > 'clamav'. You can download it from SourceForge.net by following this > > link: > > > release_id > > =522414> > > or browse Release Notes and ChangeLog by visiting this link: > > > > > > Cheers, > > > > Phil > > > > -- > > Phil Randal > > Network Engineer > > Herefordshire Council > > Hereford, UK > > > > Jules > > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! 
> Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From rcooper at dwford.com Wed Jul 11 16:43:50 2007 From: rcooper at dwford.com (Rick Cooper) Date: Wed Jul 11 16:43:54 2007 Subject: 4.61.7-2 - Attachments get zipped = message body disappears In-Reply-To: <4694D964.2000408@pacific.net> References: <011f01c7c3b4$3709fec0$3c65a8c0@support01> <4694D964.2000408@pacific.net> Message-ID: <01c201c7c3d2$47417890$0301a8c0@SAHOMELT> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Ken A > Sent: Wednesday, July 11, 2007 11:22 PM > To: MailScanner discussion > Subject: Re: 4.61.7-2 - Attachments get zipped = message > body disappears > > Nigel Kendrick wrote: > >> Subject: RE: 4.61.7-2 - Attachments get zipped = message > body disappears > >> > >> > >> This is a side effect for users where the email message > is actually an > >> attachment and not in the normal message body....I've had > fun with this > >> as well.. > > > > > > I upgraded 3 mail servers at the same time last week and I > have just sent > > another test message with attachment to my Googlemail account via a > > different server and this message has made it in one piece. > > > > What's the best way to approach this!? > > > > Ta > > > Seems like it would be nice to be able to specify which type of > attachments to zip.. (doc|xls|pdf|tiff).. etc. 
> Ken > You can specify what kinds of files are *not* zipped in MailScanner.conf. Mine says Attachment Extensions Not To Zip = .zip .rar .gz .tgz .mpg .mpeg .mp3 .rpm .pdf .xls .htm .html .eml Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Phil.Udel at SalemCorp.com Wed Jul 11 17:03:42 2007 From: Phil.Udel at SalemCorp.com (Phil Udel) Date: Wed Jul 11 17:04:05 2007 Subject: Help with ClamAVMod In-Reply-To: <070601c7c3b8$d6781060$6102a8c0@salemcorp.com> References: <064f01c7c342$a0f4e3d0$6102a8c0@salemcorp.com> <070601c7c3b8$d6781060$6102a8c0@salemcorp.com> Message-ID: <073e01c7c3d5$0d7dff40$6102a8c0@salemcorp.com> Looks Like 0.9.1 Fixed my problem. Just install new release and all is working fine. Made only one change to the clamfresh to point to /usr/local/bin not /usr/bin -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Phil Udel Sent: Wednesday, July 11, 2007 8:42 AM To: 'MailScanner discussion' Subject: RE: Help with ClamAVMod That has been the problem. Nothing in the Mailscanner log and freshclam log is empty. I do get this message: Jul 11 12:24:29 pinkie MailScanner[10879]: Message Content Protection SpamAssass in timed out and was killed, consecutive failure 1 of 20 I don't get them if I take clamavmodule out of the MS Config and just use mcafee -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ugo Bellavance Sent: Tuesday, July 10, 2007 10:53 PM To: mailscanner@lists.mailscanner.info Subject: Re: Help with ClamAVMod Phil Udel wrote: > I just upgraded to MS 4.61.7.2 today on a Centos 4.x system I am > having problems with CLamAVmod working. > Whenever I add clamavmodule to the Virus Scanners List MS stops > processing Email and finally Fails after three min or so. > Please let us see some log entries.
Regards. Ugo From matt at coders.co.uk Wed Jul 11 17:23:26 2007 From: matt at coders.co.uk (Matt Hampton) Date: Wed Jul 11 17:21:44 2007 Subject: Changing scores/rules on the fly when calling SpamAssassin from MailScanner Message-ID: <469503FE.6000100@coders.co.uk> Hi I am looking at writing an extension to MailScanner so that we can allow different settings to be applied. My primary objective is to allow a different username to be used for bayes. If I am able to achieve scores and rules as well this would be a bonus. I have mocked something up which uses the $t->copy_config() and $t->read_scoreonly_config(). I am saving the config (using freeze/thaws) to disk so that the other MailScanner processes can share them (using tie with a Tie::DB_Lock). I cause the tied hashfile to be recreated when MailScanner restarts causing a reload of the primary files. This is working but I was wondering if there was a better way to do it. It looks like http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3852 would help here but it doesn't look like any progress has been made :-) If I just want to change the bayes username I can (I assume) just do this: $f->signal_user_changed(username=>"newuser"); But how do I revert back to the default?
cheers Matt From theodrake at comcast.net Wed Jul 11 17:36:15 2007 From: theodrake at comcast.net (Ed Bruce) Date: Wed Jul 11 17:36:30 2007 Subject: ClamAV 0.91 is out In-Reply-To: <1951DC816E1A9F469307B05FA183F4389DC79A@corpatsmail1.corp.sensis.com> References: <1951DC816E1A9F469307B05FA183F4389DC79A@corpatsmail1.corp.sensis.com> Message-ID: <469506FF.10000@comcast.net> Desai, Jason wrote: > I'm getting a 404 error trying to download it. Is everything ok on the > web site? > > Not Found > The requested URL /files/4/install-Clam-0.91-SA-3.2.1.tar.gz was not > found on this server. > > Additionally, a 404 Not Found error was encountered while trying to use > an ErrorDocument to handle the request.
> I got the same error when attempting to download this file. I tried others and they worked. So I'm guessing it's only a problem with this one file and not the web site. From j.ede at birchenallhowden.co.uk Wed Jul 11 17:50:28 2007 From: j.ede at birchenallhowden.co.uk (Jason Ede) Date: Wed Jul 11 17:50:44 2007 Subject: Notify recipient of blocked password protected zips? Message-ID: I see recipients of blocked double extension files get notified, but not if the blocked file is a password protected zip. Is there a way to enable it for these files without being flooded with other reports? Jason From dnsadmin at 1bigthink.com Wed Jul 11 17:52:32 2007 From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com) Date: Wed Jul 11 17:52:47 2007 Subject: ATTN: Julian -- WAS Re: ClamAV 0.91 is out In-Reply-To: <469506FF.10000@comcast.net> References: <1951DC816E1A9F469307B05FA183F4389DC79A@corpatsmail1.corp.sensis.com> <469506FF.10000@comcast.net> Message-ID: <200707111652.l6BGqkUP001641@mxt.1bigthink.com> Hello Julian, The package isn't where we are expecting it or URL is typo'd. Thanks, Glenn At 12:36 PM 7/11/2007, you wrote: >Desai, Jason wrote: > > I'm getting a 404 error trying to download it. Is everything ok on the > > web site? > > > > Not Found > > The requested URL /files/4/install-Clam-0.91-SA-3.2.1.tar.gz was not > > found on this server. > > > > Additionally, a 404 Not Found error was encountered while trying to use > > an ErrorDocument to handle the request.
> > > >I got the same error when attempting to download this file. I tried >others and they worked. So I'm guessing its only a problem with this one >file and not the web site. > > > >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Wed Jul 11 18:12:11 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jul 11 18:15:25 2007 Subject: ClamAV 0.91 is out In-Reply-To: <469506FF.10000@comcast.net> References: <1951DC816E1A9F469307B05FA183F4389DC79A@corpatsmail1.corp.sensis.com> <469506FF.10000@comcast.net> Message-ID: <46950F6B.7040306@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ed Bruce wrote: > Desai, Jason wrote: > >> I'm getting a 404 error trying to download it. Is everything ok on the >> web site? >> >> Not Found >> The requested URL /files/4/install-Clam-0.91-SA-3.2.1.tar.gz was not >> found on this server. >> >> Additionally, a 404 Not Found error was encountered while trying to use >> an ErrorDocument to handle the request. >> >> > > I got the same error when attempting to download this file. I tried > others and they worked. So I'm guessing its only a problem with this one > file and not the web site. > I copied the file to the wrong web server. Doh! Fixed now. Sorry about that. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGlQ9rEfZZRxQVtlQRAkofAKDVRs/a+lXnwk+WX9qNofMLB8eYOACgw6jX aNx/9freYblTCBEQJ1nQJfM= =Md9c -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Wed Jul 11 18:17:01 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jul 11 18:21:41 2007 Subject: ATTN: Julian -- WAS Re: ClamAV 0.91 is out In-Reply-To: <200707111652.l6BGqkUP001641@mxt.1bigthink.com> References: <1951DC816E1A9F469307B05FA183F4389DC79A@corpatsmail1.corp.sensis.com> <469506FF.10000@comcast.net> <200707111652.l6BGqkUP001641@mxt.1bigthink.com> Message-ID: <4695108D.5070305@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 It's okay now. P.S. If you want to send a message just to me, then email directly, please do not use the mailing list for this. dnsadmin 1bigthink.com wrote: > Hello Julian, > > The package isn't where we are expecting it or URL is typo'd. > > Thanks, > Glenn > > At 12:36 PM 7/11/2007, you wrote: > >> Desai, Jason wrote: >> > I'm getting a 404 error trying to download it. Is everything ok on >> the >> > web site? >> > >> > Not Found >> > The requested URL /files/4/install-Clam-0.91-SA-3.2.1.tar.gz was not >> > found on this server. >> > >> > Additionally, a 404 Not Found error was encountered while trying to >> use >> > an ErrorDocument to handle the request. >> > >> >> I got the same error when attempting to download this file. I tried >> others and they worked. So I'm guessing its only a problem with this one >> file and not the web site. 
>>
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGlRCOEfZZRxQVtlQRAoegAKD5iV8fdW7YFjW9DwRWX9KbxYKVEwCfTeYL
DcEFpWwyJAxQ9TfGUDyffQg=
=0QDW
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From steve.freegard at fsl.com Wed Jul 11 19:08:09 2007
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Jul 11 19:08:14 2007
Subject: Changing scores/rules on the fly when calling SpamAssassin from MailScanner
In-Reply-To: <469503FE.6000100__33106.1303768822$1184171115$gmane$org@coders.co.uk>
References: <469503FE.6000100__33106.1303768822$1184171115$gmane$org@coders.co.uk>
Message-ID: <46951C89.7000401@fsl.com>

Hey Matt,

Matt Hampton wrote:
> If I just want to change the bayes username I can (I assume) just do this:
>
> $f->signal_user_changed(username=>"newuser");
>
> But how do I revert back to the default?
>

Just a thought - but wouldn't the default be the user that is running
MailScanner e.g. the Run As User, so to revert back you'd run:

$f->signal_user_changed(
    username      => MailScanner::Config::Value('runasuser'),
    user_dir      => undef,
    userstate_dir => MailScanner::Config::Value('spamassassinuserstatedir'));

Hope this helps.

Cheers,
Steve.
From support-lists at petdoctors.co.uk Wed Jul 11 19:52:43 2007 From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Wed Jul 11 19:54:04 2007 Subject: MailScanner.conf and MailScanner.conf.local Message-ID: <002601c7c3ec$a9de3a00$3c65a8c0@support01> Julian et al. It occurs to me that over my not-very-massive pile of 4 mail servers, many of the settings are common to the lot and if I tweak a 'generic' setting on one I generally tweak it on all of them. To this end, is it possible (or would it be possible) to have the site-specific settings in one config file and generic ones in another (MailScanner.conf.local and MailScanner.conf?) so I could arrange for a replication script to keep the generics in sync? Following on from that, is there (or could there) be a mechanism to remotely restart MailScanner - say, for example, by MailScanner noticing the creation of /etc/MailScanner/restart.flg that could be put in place during a sync operation as mentioned above? Just wonderin' Thanks Nigel Kendrick From wendiw at itasoftware.com Wed Jul 11 20:00:11 2007 From: wendiw at itasoftware.com (Wendi Whitsett) Date: Wed Jul 11 20:00:16 2007 Subject: R: Fake User-Agent on PDF In-Reply-To: <4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk> References: , <4686B8D1.7090005@ecs.soton.ac.uk>, <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> <4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk> Message-ID: <469528BB.20300@itasoftware.com> Thanks Ian! Wendi Ian wrote: > On 2 Jul 2007 at 11:51, Marcello Anderlini wrote: > > >> Sorry guys, but cause my poor English I'm not sure I've understood if there >> is a good rules to block pdf spam. >> If there is, could someone publish one working ? >> > > Hi, > > One of the SARE ninjas has created a plugin called PDFInfo. This was posted on the > spamassassin list last week: > > > > Until its publicly released, you can request it with a simple email to > us, see http://www.rulesemporium.com/plugins.htm#pdfinfo > > > > Works well here. 
> > Regards > > Ian > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3257 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070711/52f2d928/smime.bin From hden at kcbbs.gen.nz Wed Jul 11 20:37:49 2007 From: hden at kcbbs.gen.nz (Hendrik den Hartog) Date: Wed Jul 11 20:19:05 2007 Subject: Language File In-Reply-To: <469476FB.3030901@jfworks.net> References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> <20070711044320.GA25959@mew.kcbbs.gen.nz> <469476FB.3030901@jfworks.net> Message-ID: <20070711193749.GA26398@mew.kcbbs.gen.nz> Yes, we ran the upgrade command as per the instructions, we also quickly set up Mailscanner on a spare machine, then copied the language.conf.rpmnew across, but the log still shows some strings missing? Where are the language conf files? in the mailscanner.rpm part of the un-tared files? i.e. can we just load this via an rpm command to extract the language files [as oppossed to re-running the whole install script?) Cheers! Dave On Tue, Jul 10, 2007 at 11:21:47PM -0700, James wrote: > Hendrik den Hartog wrote: > >Gidday > > > >We've recently upgraded MailScanner after several months, and am getting > >logged errors about missing strings.. > > > >'Looked up unknown string notcached in language translation file' > > > >..etc > > > >We did copy the(a) new language,conf.rpmnew to language.conf, but this > >didn't > >sort the issue. > > > >Is there anywhere we can download a current english (en) language file > >from to sort this? > > > >Cheers! > >Pasadena School (Dave) > > > Have you run "upgrade_languages_conf " ? It will give the directions for > upgrading the file. 
> > James > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Wed Jul 11 20:28:09 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Jul 11 20:28:20 2007 Subject: Language File In-Reply-To: <20070711193749.GA26398@mew.kcbbs.gen.nz> References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> <20070711044320.GA25959@mew.kcbbs.gen.nz> <469476FB.3030901@jfworks.net> <20070711193749.GA26398@mew.kcbbs.gen.nz> Message-ID: Hendrik den Hartog spake the following on 7/11/2007 12:37 PM: > Yes, we ran the upgrade command as per the instructions, we also quickly > set up Mailscanner on a spare machine, then copied the language.conf.rpmnew > across, but the log still shows some strings missing? > > Where are the language conf files? in the mailscanner.rpm part of the > un-tared files? i.e. can we just load this via an rpm command to extract > the language files [as oppossed to re-running the whole install script?) > > Cheers! > Dave Which version are you running? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From hden at kcbbs.gen.nz Wed Jul 11 20:54:03 2007 From: hden at kcbbs.gen.nz (Hendrik den Hartog) Date: Wed Jul 11 20:35:22 2007 Subject: Language File In-Reply-To: <20070711193749.GA26398@mew.kcbbs.gen.nz> References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> <20070711044320.GA25959@mew.kcbbs.gen.nz> <469476FB.3030901@jfworks.net> <20070711193749.GA26398@mew.kcbbs.gen.nz> Message-ID: <20070711195403.GA26414@mew.kcbbs.gen.nz> Sorry for the self reply, but an admendment to my previous.. 
Seems only a couple of strings are "missing", mostly.. unknown string notcached and occassional unknown string skippedastoobig Thought this xtra info may help pinpoint this?? Cheers! Dave On Thu, Jul 12, 2007 at 07:37:49AM +1200, Hendrik den Hartog wrote: > > Yes, we ran the upgrade command as per the instructions, we also quickly > set up Mailscanner on a spare machine, then copied the language.conf.rpmnew > across, but the log still shows some strings missing? > > Where are the language conf files? in the mailscanner.rpm part of the > un-tared files? i.e. can we just load this via an rpm command to extract > the language files [as oppossed to re-running the whole install script?) > > Cheers! > Dave > > > > On Tue, Jul 10, 2007 at 11:21:47PM -0700, James wrote: > > Hendrik den Hartog wrote: > > >Gidday > > > > > >We've recently upgraded MailScanner after several months, and am getting > > >logged errors about missing strings.. > > > > > >'Looked up unknown string notcached in language translation file' > > > > > >..etc > > > > > >We did copy the(a) new language,conf.rpmnew to language.conf, but this > > >didn't > > >sort the issue. > > > > > >Is there anywhere we can download a current english (en) language file > > >from to sort this? > > > > > >Cheers! > > >Pasadena School (Dave) > > > > > Have you run "upgrade_languages_conf " ? It will give the directions for > > upgrading the file. > > > > James > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
From prandal at herefordshire.gov.uk Wed Jul 11 20:45:14 2007
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Jul 11 20:45:23 2007
Subject: FW: [Full-disclosure] Advisory - Clam AntiVirus RAR File HandlingDenial Of Service Vulnerability.
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA03CEE8@HC-MBX02.herefordshire.gov.uk>

Right folks,

Here's why we should all upgrade to ClamAV 0.91 right now.

Thanks Jules for so speedily releasing your updated installers.

Phil

-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Metaeye SG
Sent: 11 July 2007 16:13
To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk; news@securiteam.com
Subject: [Full-disclosure] Advisory - Clam AntiVirus RAR File HandlingDenial Of Service Vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vendor
- ------
Clam Antivirus (http://www.clamav.net)

Product
- -------
Clamav (libclamav)

Versions Affected
- -----------------
All before 0.91

Severity
- --------
Moderate

Issue
- -----
Clamav crashes due to processing of standard filters in RAR VM, while
processing a corrupted RAR file. Processing the corrupted file results
in a null pointer deference.

Impact
- ------
Processing the corrupted file will result in crashing of clamscan
application and clamd daemon.

Fix
- ---
Upgrade to version 0.91.

PoC
- ---
http://www.metaeye.org/codes/corrupted.rar

Vendor Status
- -------------
Reported: 25/06/2007
Fixed: 11/07/2007

References
- ----------
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=555
http://www.metaeye.org/advisories/54

Metaeye SG // http://www.metaeye.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGlPN/gHlN5ncUR6wRAo1AAJ9dNI51Y4t5BRG3aqIUHPih8cJQ7ACfVrW1
21o5Oadk6A7OVGhdzJph2gk=
=YuBi
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ From wintermutecx at gmail.com Wed Jul 11 20:45:45 2007 From: wintermutecx at gmail.com (Dave) Date: Wed Jul 11 20:45:48 2007 Subject: deny webbug Message-ID: We have an outside contractor who sends email to users here locally, he uses msgtag.com to tag all his messages. It appears mailscanner is not disarming those. Is there a ruleset were I can specify which tags always get disarmed? I see there is one for white listing. My current setting is disarm. From hden at kcbbs.gen.nz Wed Jul 11 21:16:01 2007 From: hden at kcbbs.gen.nz (Hendrik den Hartog) Date: Wed Jul 11 20:57:17 2007 Subject: Language File In-Reply-To: References: <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> <20070711044320.GA25959@mew.kcbbs.gen.nz> <469476FB.3030901@jfworks.net> <20070711193749.GA26398@mew.kcbbs.gen.nz> Message-ID: <20070711201601.GA26433@mew.kcbbs.gen.nz> Version 4.61.7-2 Cheers Dave On Wed, Jul 11, 2007 at 12:28:09PM -0700, Scott Silva wrote: > Hendrik den Hartog spake the following on 7/11/2007 12:37 PM: > > Yes, we ran the upgrade command as per the instructions, we also quickly > > set up Mailscanner on a spare machine, then copied the language.conf.rpmnew > > across, but the log still shows some strings missing? > > > > Where are the language conf files? in the mailscanner.rpm part of the > > un-tared files? i.e. can we just load this via an rpm command to extract > > the language files [as oppossed to re-running the whole install script?) > > > > Cheers! > > Dave > Which version are you running? > > > -- > > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! 
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From hvdkooij at vanderkooij.org Wed Jul 11 21:03:45 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Jul 11 21:04:52 2007
Subject: Language File
In-Reply-To: <20070711193749.GA26398@mew.kcbbs.gen.nz>
References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> <20070711044320.GA25959@mew.kcbbs.gen.nz> <469476FB.3030901@jfworks.net> <20070711193749.GA26398@mew.kcbbs.gen.nz>
Message-ID:

On Thu, 12 Jul 2007, Hendrik den Hartog wrote:

> Yes, we ran the upgrade command as per the instructions, we also quickly
> set up Mailscanner on a spare machine, then copied the language.conf.rpmnew
> across, but the log still shows some strings missing?

RPM will attempt to keep existing configuration files (if a package tags a
file as config file!) by adding the new as .rpmnew

So it serves no point to move them around.

As a rule of thumb I try to backup config files before I start to edit
them by moving them out of the way and copy the file back. So for example
the shipped mailscanner.conf:

    mv mailscanner.conf mailscanner.conf.SHIPPED
    cp mailscanner.conf.SHIPPED mailscanner.conf

I can then edit mailscanner.conf as much as I like. If I run a diff on
them I can tell exactly what I changed:

    diff -u mailscanner.conf.SHIPPED mailscanner.conf > mailscanner.conf.CHANGES

Telling what has changed from old package to new package requires a diff
on the rpmnew file.

    diff mailscanner.conf.SHIPPED mailscanner.conf.rpmnew

I find it works great to know which config options were added and then I
can decide how to go about with fixing my config file to adjust for the
new options.

I also have the silly habit of copying config lines before I make
changes. So the shipped line was:

    %org-name% = yoursite

I then make it:

    #H#%org-name% = yoursite
    %org-name% = vanderkooij.org

So even without a clean config file I can tell my changes apart from the
default ones.

I hope this helps you to make config changes less difficult.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From MailScanner at ecs.soton.ac.uk Wed Jul 11 21:03:00 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 11 21:07:47 2007
Subject: MailScanner.conf and MailScanner.conf.local
In-Reply-To: <002601c7c3ec$a9de3a00$3c65a8c0@support01>
References: <002601c7c3ec$a9de3a00$3c65a8c0@support01>
Message-ID: <46953774.3050205@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nigel Kendrick wrote:
> Julian et al.
>
> It occurs to me that over my not-very-massive pile of 4 mail servers, many
> of the settings are common to the lot and if I tweak a 'generic' setting on
> one I generally tweak it on all of them. To this end, is it possible (or
> would it be possible) to have the site-specific settings in one config file
> and generic ones in another (MailScanner.conf.local and MailScanner.conf?)
> so I could arrange for a replication script to keep the generics in sync?
>
I guess an "include" command could be possible. It would ruin the
upgrade_MailScanner_conf though which would be a great shame.
> Following on from that, is there (or could there) be a mechanism to remotely
> restart MailScanner - say, for example, by MailScanner noticing the creation
> of /etc/MailScanner/restart.flg that could be put in place during a sync
> operation as mentioned above?
>
Things like rsync allow a command to be executed upon completion of the
sync process.
Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGlTd1EfZZRxQVtlQRAlF/AJ4+4yvRQdobY1JBZgPm0gLh/h7FDQCfdhtA byuuzEBZeJfMNrXyj1Y2+jc= =+NpR -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Wed Jul 11 21:07:49 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jul 11 21:11:59 2007 Subject: Language File In-Reply-To: <20070711195403.GA26414@mew.kcbbs.gen.nz> References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> <20070711044320.GA25959@mew.kcbbs.gen.nz> <469476FB.3030901@jfworks.net> <20070711193749.GA26398@mew.kcbbs.gen.nz> <20070711195403.GA26414@mew.kcbbs.gen.nz> Message-ID: <46953895.6020708@ecs.soton.ac.uk> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070711/08d225ce/PGP-0001.bin From MailScanner at ecs.soton.ac.uk Wed Jul 11 21:09:27 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jul 11 21:14:10 2007 Subject: deny webbug In-Reply-To: References: Message-ID: <469538F7.7070503@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Can you send me the HTML of the web-bug they use please? It works by finding 1x1,1x2,2x1 and 2x2 pixel images in the HTML. 
Dave wrote: > We have an outside contractor who sends email to users here locally, > he uses msgtag.com to tag all his messages. It appears mailscanner is > not disarming those. Is there a ruleset were I can specify which tags > always get disarmed? I see there is one for white listing. My current > setting is disarm. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGlTj4EfZZRxQVtlQRAi2hAJsHVYtEE8QgdRFkFJj7PbA8RUq+sgCg2UpQ aU5qH4EvU6bpZjOXVhAoZEE= =jCs6 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From rout at tj.rs.gov.br Wed Jul 11 21:34:58 2007 From: rout at tj.rs.gov.br (Felipe Rout) Date: Wed Jul 11 21:35:04 2007 Subject: Ldap query in ruleset file Message-ID: <1184186098.3534.8.camel@urede05.tjrs.gov.br> Hello, I would like to know if is possible to create rulesets files using ldap queries. I needo to know if a user takes part in certain Active Directory groups. Thi way I can manage permissions only adding or removing users from/to this groups. Thanks for any help. From ssilva at sgvwater.com Wed Jul 11 22:01:38 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Jul 11 22:01:59 2007 Subject: MailScanner.conf and MailScanner.conf.local In-Reply-To: <46953774.3050205@ecs.soton.ac.uk> References: <002601c7c3ec$a9de3a00$3c65a8c0@support01> <46953774.3050205@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 7/11/2007 1:03 PM: > > > Nigel Kendrick wrote: >> Julian et al. 
> >> It occurs to me that over my not-very-massive pile of 4 mail servers, many >> of the settings are common to the lot and if I tweak a 'generic' setting on >> one I generally tweak it on all of them. To this end, is it possible (or >> would it be possible) to have the site-specific settings in one config file >> and generic ones in another (MailScanner.conf.local and MailScanner.conf?) >> so I could arrange for a replication script to keep the generics in sync? > > I guess an "include" command could be possible. It would ruin the > upgrade_MailScanner_conf though which would be a great shame. >> Following on from that, is there (or could there) be a mechanism to remotely >> restart MailScanner - say, for example, by MailScanner noticing the creation >> of /etc/MailScanner/restart.flg that could be put in place during a sync >> operation as mentioned above? > > Things like rsync allow a command to be executed upon completion of the > sync process. > > Jules > Or you could run mon or monit or something like that, and tell it to restart MailScanner if the conf file changes. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From rcooper at dwford.com Wed Jul 11 22:51:05 2007 From: rcooper at dwford.com (Rick Cooper) Date: Wed Jul 11 22:51:09 2007 Subject: MailScanner.conf and MailScanner.conf.local In-Reply-To: <002601c7c3ec$a9de3a00$3c65a8c0@support01> References: <002601c7c3ec$a9de3a00$3c65a8c0@support01> Message-ID: <000f01c7c405$952ad000$0301a8c0@SAHOMELT> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Nigel Kendrick > Sent: Thursday, July 12, 2007 4:53 AM > To: 'MailScanner discussion' > Subject: MailScanner.conf and MailScanner.conf.local > > Julian et al. 
>
> It occurs to me that over my not-very-massive pile of 4 mail
> servers, many
> of the settings are common to the lot and if I tweak a
> 'generic' setting on
> one I generally tweak it on all of them. To this end, is it
> possible (or
> would it be possible) to have the site-specific settings in
> one config file
> and generic ones in another (MailScanner.conf.local and
> MailScanner.conf?)
> so I could arrange for a replication script to keep the
> generics in sync?
>

I don't know what your "generic" settings are but I have about a dozen
things that change depending on which server mailscanner is installed in.
Most of them have to do with site names and such. I use
lib/MailScanner/CustomConfig.pm to set environment variables for the items
I need changed for example:

Each server has a file (example) /SomeDir/ThisSig that contains an (Unique)
entry like:

ABC

my %Sigs = (
    'ABC' => "company1.com:My First Company:www.company1.com/mailrejected.php",
    'EFG' => "company1.com:My First Company:www.company1.com/mailrejected.php",
    'HIJ' => "company1.com:My First Company:www.company1.com/mailrejected.php"
);

my $CoSig;
$CoSig = `/bin/cat /SomeDir/ThisSig`;
chomp($CoSig);
my $SigStr = $Sigs{$CoSig};
my ($OrgName,$OrgNameLong,$WebSite) = split(/:/,$SigStr);
$ENV{ORGNAME} = $OrgName;
$ENV{ORGNAMELONG} = $OrgNameLong;
$ENV{MSWEB} = $WebSite;
$ENV{COSIG} = $CoSig;

Now in MailScanner.Conf I use settings like

%org-name% = ${ORGNAME}
%org-long-name% = ${ORGNAMELONG}
%web-site% = ${MSWEB}
Spam Header = X-${COSIG}-MailScanner-SpamCheck

If you didn't want to maintain the %Sigs part (not a problem for me because
I don't add or subtract servers very often) You could just eliminate that
part and set the entries in /SomeDir/ThisSig like

ABC::ParamOne::ParamTwo::ParamThree::ParamFour

And then

$CoSig = `/bin/cat /SomeDir/ThisSig`;
chomp($CoSig);
my ($OrgKey,$ParamOne,$ParamTwo,$ParamThree,$ParamFour) = split(/::/,$CoSig);
$ENV{P1} = $OrgKey;
$ENV{P2} = $ParamOne;
$ENV{P3} = $ParamTwo;
$ENV{P4} = $ParamThree;
$ENV{P5} = $ParamFour;

And then in MailScanner.conf :

Some Setting = ${P4}/other/stuff

Now I can (and do) push out one MailScanner.conf that will handle all the
servers based on their specific information contained in /SomeDir/ThisSig.
I don't think there is a setting in MailScanner that could pertain to site
specific information that will not allow the ${ENV_VAR} format.

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From rcooper at dwford.com Wed Jul 11 23:16:10 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Wed Jul 11 23:16:19 2007
Subject: MailScanner.conf and MailScanner.conf.local
In-Reply-To:
References: <002601c7c3ec$a9de3a00$3c65a8c0@support01><46953774.3050205@ecs.soton.ac.uk>
Message-ID: <001001c7c409$1632db90$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Scott Silva
> Sent: Thursday, July 12, 2007 7:02 AM
> To: mailscanner@lists.mailscanner.info
> Subject: Re: MailScanner.conf and MailScanner.conf.local
>
> Julian Field spake the following on 7/11/2007 1:03 PM:
> >
> >
> > Nigel Kendrick wrote:
> >> Julian et al.
> >
> >> It occurs to me that over my not-very-massive pile of 4
> mail servers, many
> >> of the settings are common to the lot and if I tweak a
> 'generic' setting on
> >> one I generally tweak it on all of them. To this end, is
> it possible (or
> >> would it be possible) to have the site-specific settings
> in one config file
> >> and generic ones in another (MailScanner.conf.local and
> MailScanner.conf?)
> >> so I could arrange for a replication script to keep the
> generics in sync?
> >
> > I guess an "include" command could be possible. It would ruin the
> > upgrade_MailScanner_conf though which would be a great shame.
> >> Following on from that, is there (or could there) be a
> mechanism to remotely
> >> restart MailScanner - say, for example, by MailScanner
> noticing the creation
> >> of /etc/MailScanner/restart.flg that could be put in
> place during a sync
> >> operation as mentioned above?
> >
> > Things like rsync allow a command to be executed upon
> completion of the
> > sync process.
> >
> > Jules
> >
> Or you could run mon or monit or something like that, and
> tell it to restart
> MailScanner if the conf file changes.
> --
>

Something I had asked before would be Behavior similar to exim where it
notices when an external file changes and reloads any data it uses rather
than using the cached information. If I change something in a lookup file
(in exim) I don't have to worry about restarting the daemon. So with MS if
I change something in a rule file it would be nice not to have to restart
MS to gain access to the changed information. Before it processes a
rulefile check to see if it has changed and reload if it has. Same with the
config file, check every XYZ min and reload if the file has changed. I would
think some kind of crc or simple stat would work. Of course that might be
difficult with the internal structure of MS I have never really looked at
the flow that closely

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
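
The "check to see if it has changed and reload if it has" idea from the message above, as an added example that is not MailScanner code and not part of the original post. The sub names and the one-rule-per-line file format are assumptions; a cheap stat() decides whether to look at the file at all, a digest decides whether to re-parse, and a file that is missing mid-sync leaves the last good rules in place.

```perl
#!/usr/bin/perl
# Added example, not MailScanner code. Assumed file format: one rule per
# line, '#' starts a comment. All sub names here are hypothetical.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use File::Temp qw(tempdir);

my %cache;    # path => { sig, digest, rules, loads }

# Cheap change signature from a single stat(): device, inode, size, mtime.
# Returns undef if the file cannot be stat'ed. An in-place edit that keeps
# the size and lands in the same mtime second is invisible to this check.
sub stat_sig {
    my ($path) = @_;
    my @st = stat($path);
    return unless @st;
    return join ':', @st[0, 1, 7, 9];
}

sub parse_rules {
    my ($text) = @_;
    my @rules;
    for my $line (split /\n/, $text) {
        $line =~ s/#.*//;            # drop comments
        $line =~ s/^\s+|\s+$//g;     # trim whitespace
        push @rules, $line if length $line;
    }
    return \@rules;
}

# Return the rules for $path, re-reading the file only when it changed.
sub current_rules {
    my ($path) = @_;
    my $c = $cache{$path} ||= { sig => '', digest => '', rules => [], loads => 0 };

    my $sig = stat_sig($path);
    # File missing (for example mid-replacement by a sync job): keep the
    # last good rules rather than carrying on with an empty rule set.
    return $c->{rules} unless defined $sig;
    return $c->{rules} if $sig eq $c->{sig};    # unchanged: one stat, no read

    open(my $fh, '<', $path) or return $c->{rules};
    my $text = do { local $/; <$fh> };
    close $fh;
    $text = '' unless defined $text;

    # stat says "maybe changed"; the digest decides whether to re-parse,
    # so a touch or an identical re-sync does not count as a reload.
    my $digest = sha256_hex($text);
    $c->{sig} = $sig;
    if ($digest ne $c->{digest}) {
        $c->{digest} = $digest;
        $c->{rules}  = parse_rules($text);
        $c->{loads}++;
    }
    return $c->{rules};
}

sub write_file {
    my ($path, $text) = @_;
    open(my $fh, '>', $path) or die "cannot write $path: $!";
    print {$fh} $text;
    close $fh or die "cannot close $path: $!";
}

sub report {
    my ($label, $path) = @_;
    my $rules = current_rules($path);
    printf "%-13s: %d rule(s), loads=%d\n",
        $label, scalar @$rules, $cache{$path}{loads};
}

# --- demonstration on a constructed rules file ---
my $dir  = tempdir(CLEANUP => 1);
my $path = "$dir/sample.rules";

write_file($path, "# constructed sample\nFrom: *\@example.com yes\n");
report('initial load', $path);
report('no change', $path);

write_file($path, "From: *\@example.com yes\nFromOrTo: default no\n");
report('after edit', $path);

my $later = time + 60;
utime($later, $later, $path) or die "utime failed: $!";
report('after touch', $path);

unlink $path or die "unlink failed: $!";
report('file removed', $path);
```

The same check can be called on a timer for the main configuration file; the digest step is only change detection, not an integrity control on who wrote the file.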
From hden at kcbbs.gen.nz Thu Jul 12 00:21:25 2007
From: hden at kcbbs.gen.nz (Hendrik den Hartog)
Date: Thu Jul 12 00:02:43 2007
Subject: Language File
In-Reply-To: <46953895.6020708@ecs.soton.ac.uk>
References: <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> <20070711044320.GA25959@mew.kcbbs.gen.nz> <469476FB.3030901@jfworks.net> <20070711193749.GA26398@mew.kcbbs.gen.nz> <20070711195403.GA26414@mew.kcbbs.gen.nz> <46953895.6020708@ecs.soton.ac.uk>
Message-ID: <20070711232125.GA26467@mew.kcbbs.gen.nz>

Julian

Thanks for bailing us out. I admit the problem was caused by myself, mainly some bad housekeeping, (just like real life [sigh]). Had a mess of previous files cluttering the folder which obviously confused me [which isn't hard]

Once again, thanks!

Cheers!
Dave

On Wed, Jul 11, 2007 at 09:07:49PM +0100, Julian Field wrote:
> Here's a copy of the latest English languages.conf. It goes into
> /etc/MailScanner/reports/en.
> But if you have changed your file (which it would seem you have or else
> there wouldn't be a .rpmnew file) then use upgrade_languages_conf and
> use this as the .rpmnew file.
>
> Hendrik den Hartog wrote:
> >Sorry for the self reply, but an amendment to my previous..
> >
> >Seems only a couple of strings are "missing", mostly..
> >
> >unknown string notcached
> >
> >and occasional
> >
> >unknown string skippedastoobig
> >
> >Thought this xtra info may help pinpoint this??
> >
> >Cheers!
> >Dave
> >
> >On Thu, Jul 12, 2007 at 07:37:49AM +1200, Hendrik den Hartog wrote:
> >
> >>Yes, we ran the upgrade command as per the instructions, we also quickly
> >>set up Mailscanner on a spare machine, then copied the
> >>language.conf.rpmnew
> >>across, but the log still shows some strings missing?
> >>
> >>Where are the language conf files? in the mailscanner.rpm part of the
> >>un-tared files? i.e.
can we just load this via an rpm command to extract
> >>the language files [as opposed to re-running the whole install script?)
> >>
> >>Cheers!
> >>Dave
> >>
> >>On Tue, Jul 10, 2007 at 11:21:47PM -0700, James wrote:
> >>
> >>>Hendrik den Hartog wrote:
> >>>
> >>>>Gidday
> >>>>
> >>>>We've recently upgraded MailScanner after several months, and am
> >>>>getting logged errors about missing strings..
> >>>>
> >>>>'Looked up unknown string notcached in language translation file'
> >>>>
> >>>>..etc
> >>>>
> >>>>We did copy the(a) new language,conf.rpmnew to language.conf, but this
> >>>>didn't
> >>>>sort the issue.
> >>>>
> >>>>Is there anywhere we can download a current english (en) language file
> >>>>from to sort this?
> >>>>
> >>>>Cheers!
> >>>>Pasadena School (Dave)
> >>>>
> >>>Have you run "upgrade_languages_conf " ? It will give the directions for
> >>>upgrading the file.
> >>>
> >>>James
> >>
>
> Jules
>
> --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk

From chandler.lists at chapman.edu Thu Jul 12 04:14:46 2007
From: chandler.lists at chapman.edu (Jay Chandler)
Date: Thu Jul 12 04:14:54 2007
Subject: Mail System Redesign
Message-ID: <46959CA6.5010008@chapman.edu>

Howdy.

I'm at a bit of a crossroads at this point in time-- I've crossposted this message to a few places where those far more knowledgeable than I are wont to hide.

I've been tasked with rearchitecting the mailsystem for our university. I did this once before; probably 9 months ago, since what passed before was truly no longer working.

What we have right now is FreeBSD MX boxes running Postfix for an MTA that are screening email for RFC compliance, and against several DNSBLs (as well as "does this user exist in our LDAP directory?") -- anything that fails is rejected, anything that passes continues on. After that, we're running MailScanner on the messages, and tagging according to SpamAssassin (configured with sitewide rules because that's how MailScanner does things). From there, we deliver to the user's mbox (mounted over NFS, but I've managed to work out the locking issues). Dovecot serves the mbox to our Squirrelmail server, as well as to POP or IMAP users directly at their client of choice.

I have a few problems with this setup. The first is user dissatisfaction. They want the ability to white and black list individual senders (and possibly domains), preferably as close to the beginning of the process as possible. Obviously I don't want one user's whitelisting of spammers.com to affect anyone but that particular user.
As of now we have no individual white or black listing.

The second is management-- I'm looking to convert to MailDir (to obliterate the last vestiges of the locking issues) and institute quotas.

The third is upper management suggesting that we might look to move to an Exchange server for handling user accounts at some point in the future, and as much of the white and blacklisting functionality should continue to exist if users edit their .forward files to show a completely different system (such as Exchange. Ugh).

Does anyone have any wisdom on this situation that they'd care to express?

--
Jay Chandler / KB1JWQ
Network Administrator / Systems Exorcist
Chapman University, Orange CA

From hvdkooij at vanderkooij.org Thu Jul 12 06:39:11 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Jul 12 06:39:20 2007
Subject: Mail System Redesign
In-Reply-To: <46959CA6.5010008@chapman.edu>
References: <46959CA6.5010008@chapman.edu>
Message-ID:

On Wed, 11 Jul 2007, Jay Chandler wrote:

> I have a few problems with this setup. The first is user dissatisfaction.
> They want the ability to white and black list individual senders (and
> possibly domains), preferably as close to the beginning of the process as
> possible. Obviously I don't want one user's whitelisting of spammers.com to
> affect anyone but that particular user. As of now we have no individual
> white or black listing.

MailWatch can do this for your users. You should be able to add this to your setup in a jiffy.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)
From res at ausics.net Thu Jul 12 07:15:52 2007
From: res at ausics.net (Res)
Date: Thu Jul 12 07:16:03 2007
Subject: Mail System Redesign
In-Reply-To:
References: <46959CA6.5010008@chapman.edu>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

On Thu, 12 Jul 2007, Hugo van der Kooij wrote:

> On Wed, 11 Jul 2007, Jay Chandler wrote:
>
>> I have a few problems with this setup. The first is user dissatisfaction.
>> They want the ability to white and black list individual senders (and
>> possibly domains), preferably as close to the beginning of the process as
>> possible. Obviously I don't want one user's whitelisting of spammers.com
>> to affect anyone but that particular user. As of now we have no individual
>> white or black listing.
>
> MailWatch can do this for your users. You should be able to add this to your
> setup in a jiffy.

MailWatch requires database, so you should also include the implications of this in any suggestions, ie: additional hardware, severe performance impact etc, a Uni I'd imagine would be like many medium to even large I/OSPs and that becomes a very serious issue.

--
Cheers
Res

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGlccYsWhAmSIQh7MRAhxlAKCf5nVYvbfvyejFzfKtS/pKH7tSnwCgkfaN
/1UQg1Tabxp7iqU/hnxLEfc=
=/bem
-----END PGP SIGNATURE-----

From jan-peter at koopmann.eu Thu Jul 12 08:23:34 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Thu Jul 12 08:22:54 2007
Subject: Mail System Redesign
In-Reply-To:
References:
Message-ID:

Hi,

> What we have right now is FreeBSD MX boxes running Postfix for an MTA
> that are screening email for RFC compliance, and against several DNSBLs

Good choice. If you want to make your life a bit simpler regarding RFC compliance and tons of other very interesting tests google for BarricadeMX from Fort Systems since this will really help you.
Your Postfix configuration will be a lot simpler and more spam will be rejected at MTA level.

> (as well as "does this user exist in our LDAP directory?") -- anything
> that fails is rejected, anything that passes continues on. After that,
> we're running MailScanner on the messages, and tagging according to
> SpamAssassin (configured with sitewide rules because that's how
> MailScanner does things).

You can tweak some things like individual spamscores, white/black lists with MailWatch. Only to a certain extent but it might help you.

> I have a few problems with this setup. The first is user
> dissatisfaction. They want the ability to white and black list
> individual senders (and possibly domains), preferably as close to the
> beginning of the process as possible.

As said before MailWatch can help you with this a bit. However the black/whitelists will be handled during MailScanner phase and not at MTA phase which might not satisfy you. Of course the MailWatch database structure is not too complicated and you could use the corresponding MySQL table with Postfix (with Exim at least it is possible so Postfix should be able to do this as well). If speed is an issue you could periodically create a black/whitelist lookup table in a more suitable format and use that. I would have to take a look at Barricade MX again but possibly you could use BMX as well for this.

> The third is upper management suggesting that we might look to move to
> an Exchange server for handling user accounts at some point in the
> future, and as much of the white and blacklisting functionality should
> continue to exist if users edit their .forward files to show a
> completely different system (such as Exchange. Ugh).

Starting with Exchange 2003 it is a much better system than most imagine. It greatly depends on what you want to achieve. Exchange works great together with Outlook, gives you a great Web access and you could easily offer services like POP, IMAP, RPC over HTTPS, HTTPS access.
Outlook users will love the functionality and your users could share data. Moreover campus-wide public folders could be a nice gimmick as well. If redundancy is an issue setting up an Exchange Cluster will give you all the redundancy you need. If however 99% of your users are not using Outlook but things like Thunderbird and IMAP/POP, Exchange will not really give you any benefit.

That being said, Exchange works with MailWatch, SpamAssassin etc. Have a look at SMTPTracker so that the SpamAssassin scores will be translated to Exchange Spam Confidence level. Low Scoring spam that is being delivered to Exchange will automatically be delivered to the user's Junk E-Mail folder then. The user can then use Outlook's own Junk E-Mail functionality and override the action permanently by whitelisting/blacklisting the sender. Advantage: The user does not have to leave Outlook/Outlook Web Access and login to a secondary system like MailWatch. Pretty simple to use and very easy to maintain.

> Does anyone have any wisdom on this situation that they'd care to
> express?

My recommendation:

- Barricade MX as first line of defense on at least two MX servers
- Postfix/Exim/Sendmail as MTA. Not really worth discussing which one to use as it really does not matter if you use Barricade MX.
- MailScanner/SpamAssassin as second line of defense
- Exchange (possibly cluster) with SMTPTracker on it (is only about 40$)
- Outlook, Outlook Web Access as preferred user agents (or Entourage for Mac OS X), IMAPS/POPS as secondary offering

Kind regards,
JP

From martinh at solidstatelogic.com Thu Jul 12 09:10:18 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Jul 12 09:10:34 2007
Subject: Mail System Redesign
In-Reply-To: <46959CA6.5010008@chapman.edu>
Message-ID: <0f711fe9c927514f8ae25eceaec397f5@solidstatelogic.com>

Jay

For backend email have a look at how the boys at Cambridge UK have done theirs.
It's called hermes (based around exim of course) and the main person behind it is Tony Finch. Google will help to show architecture etc etc....

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************

Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.

Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.

Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.
Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom

**********************************************************************

From paul.hutchings at mira.co.uk Thu Jul 12 09:41:44 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Thu Jul 12 09:41:59 2007
Subject: Local phishing whitelist?
References: <5943e9739270674299fab02af44ce34a@solidstatelogic.com>
Message-ID:

So it does! Thanks very much for the pointer.

Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378
Fax: 44 (0)24 7635 8378
mailto:paul.hutchings@mira.co.uk

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin.Hepworth
Sent: 11 July 2007 09:01
To: MailScanner discussion
Subject: RE: Local phishing whitelist?

Paul

Put your changes to that single file and the autoupdate will merge the two sets together - clever huh?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul Hutchings
> Sent: 11 July 2007 08:33
> To: MailScanner discussion
> Subject: Local phishing whitelist?
>
> Is there a way of having a local phishing whitelist as well as the
> default/auto-updated one that comes with Mailscanner?
>
> I don't see a way of specifying more than one file?
>
> TIA,
> Paul
>
> Paul Hutchings
> Network Administrator, MIRA Ltd.
> Tel: 44 (0)24 7635 5378
> Fax: 44 (0)24 7635 8378
> mailto:paul.hutchings@mira.co.uk
>
> --
> MIRA Ltd.
>
> Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
>
> Registered in England No. 402570
> VAT Registration GB 114 5409 96
>
> The contents of this e-mail are confidential and are solely for the use of
> the intended recipient.
> If you receive this e-mail in error, please delete it and notify us either
> by e-mail, telephone or fax.
> You should not copy, forward or otherwise disclose the content of the
> e-mail as this is prohibited.

From MailScanner at ecs.soton.ac.uk Thu Jul 12 10:55:17 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 12 10:55:45 2007
Subject: MailScanner.conf and MailScanner.conf.local
In-Reply-To: <001001c7c409$1632db90$0301a8c0@SAHOMELT>
References: <002601c7c3ec$a9de3a00$3c65a8c0@support01><46953774.3050205@ecs.soton.ac.uk> <001001c7c409$1632db90$0301a8c0@SAHOMELT>
Message-ID: <4695FA85.90807@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rick Cooper wrote:
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
> > Sent: Thursday, July 12, 2007 7:02 AM
> > To: mailscanner@lists.mailscanner.info
> > Subject: Re: MailScanner.conf and MailScanner.conf.local
> >
> > Julian Field spake the following on 7/11/2007 1:03 PM:
> > >
> > > Nigel Kendrick wrote:
> > >> Julian et al.
> > >>
> > >> It occurs to me that over my not-very-massive pile of 4 mail servers, many
> > >> of the settings are common to the lot and if I tweak a 'generic' setting on
> > >> one I generally tweak it on all of them. To this end, is it possible (or
> > >> would it be possible) to have the site-specific settings in one config file
> > >> and generic ones in another (MailScanner.conf.local and MailScanner.conf?)
> > >> so I could arrange for a replication script to keep the generics in sync?
> > >
> > > I guess an "include" command could be possible.
It would ruin the
> > > upgrade_MailScanner_conf though which would be a great shame.
> > >> Following on from that, is there (or could there) be a mechanism to remotely
> > >> restart MailScanner - say, for example, by MailScanner noticing the creation
> > >> of /etc/MailScanner/restart.flg that could be put in place during a sync
> > >> operation as mentioned above?
> > >
> > > Things like rsync allow a command to be executed upon completion of the
> > > sync process.
> > >
> > > Jules
> > >
> > Or you could run mon or monit or something like that, and tell it to restart
> > MailScanner if the conf file changes.
> > --
> >
>
> Something I had asked before would be behavior similar to exim where it
> notices when an external file changes and reloads any data it uses rather
> than using the cached information. If I change something in a lookup file
> (in exim) I don't have to worry about restarting the daemon. So with MS if I
> change something in a rule file it would be nice not to have to restart MS
> to gain access to the changed information. Before it processes a rulefile
> check to see if it has changed and reload if it has. Same with the config
> file, check every XYZ min and reload if the file has changed. I would think
> some kind of crc or simple stat would work. Of course that might be
> difficult with the internal structure of MS I have never really looked at
> the flow that closely
>

I haven't done that specifically. I don't like systems that instantly notice config changes, as I like to put the change in place and then double-check it before it takes effect.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGlfqGEfZZRxQVtlQRAqf5AKCZWFwos3cIo4CNzdiq/GDFDMGUHwCfX+Si
dP2u7RQHW+8JS3Oj9kITSRo=
=k9D8
-----END PGP SIGNATURE-----

From Alistair.Carmichael at ntltravel.com Thu Jul 12 12:13:17 2007
From: Alistair.Carmichael at ntltravel.com (Alistair Carmichael)
Date: Thu Jul 12 12:14:28 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <223f97700707100917o2cadec8bg9445f22b360b9499@mail.gmail.com>
References: <000901c7c210$8d1f4310$a75dc930$@dk><6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local><002001c7c219$4d475580$e7d60080$@dk><223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com><001e01c7c2de$074aa850$15dff8f0$@dk><223f97700707100849l378fce92xf1386f7b5e779193@mail.gmail.com><6EEC6D949794754FB8D83A4D87DF7168BE662D@gh-redd-exch-01.redditch.ntltravel.local> <223f97700707100917o2cadec8bg9445f22b360b9499@mail.gmail.com>
Message-ID: <6EEC6D949794754FB8D83A4D87DF7168BE66F2@gh-redd-exch-01.redditch.ntltravel.local>

Certainly worth exploring since that would reduce the dependencies/ickiness of the checking part (expecting ones way through even the simplest textbased MUA can be ... frustrating:-). And as you say, it would be easy to script and would probably scale rather OK (scriptwise... One message per MS server... Not the query bit:) with several MS servers...
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

Here's one I knocked together in a few mins, this is NOT for people to download and run but feel free to download, edit for your setup and play with. It is gzipped and you download / run at your own risk I accept no responsibility for what anyone does with this script on their system, any tips or revisions feel free to mail me off list. It uses very basic *nix commands and was created on a centos box, no reason why it shouldn't run without altering the paths on other linux / unix o/s. If I get some more time I'll put some proper comments and error checking in.

www.n00k.co.uk/mailtest.sh.gz

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
From sandrews at andrewscompanies.com Thu Jul 12 13:54:19 2007
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Thu Jul 12 13:54:25 2007
Subject: Sign clean messages rule
In-Reply-To: <6EEC6D949794754FB8D83A4D87DF7168BE66F2@gh-redd-exch-01.redditch.ntltravel.local>
References: <000901c7c210$8d1f4310$a75dc930$@dk><6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local><002001c7c219$4d475580$e7d60080$@dk><223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com><001e01c7c2de$074aa850$15dff8f0$@dk><223f97700707100849l378fce92xf1386f7b5e779193@mail.gmail.com><6EEC6D949794754FB8D83A4D87DF7168BE662D@gh-redd-exch-01.redditch.ntltravel.local><223f97700707100917o2cadec8bg9445f22b360b9499@mail.gmail.com> <6EEC6D949794754FB8D83A4D87DF7168BE66F2@gh-redd-exch-01.redditch.ntltravel.local>
Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0E8D@winchester.andrewscompanies.com>

I'm using the Sign Clean Messages as a bit of a hack to add a standard legal disclaimer to all messages leaving the system.

Well, wouldn't you know it, they've decided to throw another domain at this box and now I've got to give it a different disclaimer for that domain.

I think I'm on the right path that I need to make a rule here....

Inline HTML Signature = %report-dir%/inline.sig.html
Inline Text Signature = %report-dir%/inline.sig.txt

How do I write that rule so that domain1.com gets inline.sig1.html and domain2.com gets inline.sig2.html?

Thanks!

Steve

From martinh at solidstatelogic.com Thu Jul 12 14:04:58 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Jul 12 14:05:01 2007
Subject: Sign clean messages rule
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0E8D@winchester.andrewscompanies.com>
Message-ID: <9df79bb52a19d34badf7069cdb56d61d@solidstatelogic.com>

Steve

From the EXAMPLES file in the etc/rules dir..

4. Use different signatures for different domains
Set "Inline Text Signature = /opt/MailScanner/etc/rules/sig.text.rules" & set "Inline HTML Signature = /opt/MailScanner/etc/rules/sig.html.rules". Use rules for each file that look like this:

From: *@domain1.com /opt/MailScanner/etc/reports/domain1.sig.txt
From: *@domain2.com /opt/MailScanner/etc/reports/domain2.sig.txt

with equivalent rules in the "sig.html.rules" file.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From sandrews at andrewscompanies.com Thu Jul 12 14:07:44 2007
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Thu Jul 12 14:07:47 2007
Subject: Sign clean messages rule
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0E8D@winchester.andrewscompanies.com>
References: <000901c7c210$8d1f4310$a75dc930$@dk><6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local><002001c7c219$4d475580$e7d60080$@dk><223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com><001e01c7c2de$074aa850$15dff8f0$@dk><223f97700707100849l378fce92xf1386f7b5e779193@mail.gmail.com><6EEC6D949794754FB8D83A4D87DF7168BE662D@gh-redd-exch-01.redditch.ntltravel.local><223f97700707100917o2cadec8bg9445f22b360b9499@mail.gmail.com><6EEC6D949794754FB8D83A4D87DF7168BE66F2@gh-redd-exch-01.redditch.ntltravel.local> <1964AAFBC212F742958F9275BF63DBB04B0E8D@winchester.andrewscompanies.com>
Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0E8F@winchester.andrewscompanies.com>

Don't flame me. I just found the answer in the example file.
I'll have my self flogged by the end of the day. Steve -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steven Andrews Sent: Thursday, July 12, 2007 8:54 AM To: MailScanner discussion Subject: Sign clean messages rule I'm using the Sign Clean Messages as a bit of a hack to add a standard legal disclaimer to all messages leaving the system. Well, wouldn't you know it, they've decided to throw another domain at this box and now I've got to give it a different disclaimer for that domain. I think I'm on the right path that I need to make a rule here.... Inline HTML Signature = %report-dir%/inline.sig.html Inline Text Signature = %report-dir%/inline.sig.txt How do I write that rule so that domain1.com gets inline.sig1.html and domain2.com gets inline.sig2.html? Thanks! Steve -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From martinh at solidstatelogic.com Thu Jul 12 14:13:20 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Jul 12 14:13:26 2007 Subject: Sign clean messages rule In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0E8F@winchester.andrewscompanies.com> Message-ID: <402a1a7ac393274cb199131589d7d30a@solidstatelogic.com> Steve Consider yourself chastised - report immediately to stores and book out a large birch twig....:-) -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Steven Andrews > Sent: 12 July 2007 14:08 > To: MailScanner discussion > Subject: RE: Sign clean messages rule > > Don't flame me. I just found the answer in the example file. 
I'll have > my self flogged by the end of the day. > > Steve > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steven > Andrews > Sent: Thursday, July 12, 2007 8:54 AM > To: MailScanner discussion > Subject: Sign clean messages rule > > I'm using the Sign Clean Messages as a bit of a hack to add a standard > legal disclaimer to all messages leaving the system. > > Well, wouldn't you know it, they've decided to throw another domain at > this box and now I've got to give it a different disclaimer for that > domain. > > I think I'm on the right path that I need to make a rule here.... > Inline HTML Signature = %report-dir%/inline.sig.html Inline Text > Signature = %report-dir%/inline.sig.txt > > How do I write that rule so that domain1.com gets inline.sig1.html and > domain2.com gets inline.sig2.html? > > Thanks! > > Steve > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. 
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From theodrake at comcast.net Thu Jul 12 15:05:56 2007 From: theodrake at comcast.net (Ed Bruce) Date: Thu Jul 12 15:06:05 2007 Subject: MailScanner.conf and MailScanner.conf.local In-Reply-To: <4695FA85.90807@ecs.soton.ac.uk> References: <002601c7c3ec$a9de3a00$3c65a8c0@support01><46953774.3050205@ecs.soton.ac.uk> <001001c7c409$1632db90$0301a8c0@SAHOMELT> <4695FA85.90807@ecs.soton.ac.uk> Message-ID: <46963544.7090600@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: > I haven't done that specifically. I don't like systems that instantly > notice config changes, as I like to put the change in place and then > double-check it before it takes effect. > > Jules > I have to agree wholeheartedly. I'm notorious for fat fingering things and really like to have a bit of an oops factor when I make changes. It has saved me many times when I've double checked something only to see some really glaring errors. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Cygwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGljVCpdNaP9x3McgRAglKAJ96zDa8CIrtGEAknnfsum5M5sMm9gCgkYmC qyUOt4h+c4lyMwcxtZLLT1w= =io5T -----END PGP SIGNATURE----- From shuttlebox at gmail.com Thu Jul 12 15:31:17 2007 From: shuttlebox at gmail.com (shuttlebox) Date: Thu Jul 12 15:31:20 2007 Subject: MailScanner.conf and MailScanner.conf.local In-Reply-To: <46963544.7090600@comcast.net> References: <002601c7c3ec$a9de3a00$3c65a8c0@support01> <46953774.3050205@ecs.soton.ac.uk> <001001c7c409$1632db90$0301a8c0@SAHOMELT> <4695FA85.90807@ecs.soton.ac.uk> <46963544.7090600@comcast.net> Message-ID: <625385e30707120731m3e6cac7k3e1bb3f850a50121@mail.gmail.com> On 7/12/07, Ed Bruce wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Julian Field wrote: > > > I haven't done that specifically. I don't like systems that instantly > > notice config changes, as I like to put the change in place and then > > double-check it before it takes effect. > > > > Jules > > > > I have to agree wholeheartedly. I'm notorious for fat fingering things > and really like to have a bit of an oops factor when I make changes. It > has saved me many times when I've double checked something only to see > some really glaring errors. 
+1 -- /peter From rcooper at dwford.com Thu Jul 12 16:08:03 2007 From: rcooper at dwford.com (Rick Cooper) Date: Thu Jul 12 16:08:07 2007 Subject: MailScanner.conf and MailScanner.conf.local In-Reply-To: <46963544.7090600@comcast.net> References: <002601c7c3ec$a9de3a00$3c65a8c0@support01><46953774.3050205@ecs.soton.ac.uk> <001001c7c409$1632db90$0301a8c0@SAHOMELT><4695FA85.90807@ecs.soton.ac.uk> <46963544.7090600@comcast.net> Message-ID: <01df01c7c496$71cc6e70$0301a8c0@SAHOMELT> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Ed Bruce > Sent: Friday, July 13, 2007 12:06 AM > To: MailScanner discussion > Subject: Re: MailScanner.conf and MailScanner.conf.local > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Julian Field wrote: > > > I haven't done that specifically. I don't like systems > that instantly > > notice config changes, as I like to put the change in > place and then > > double-check it before it takes effect. > > > > Jules > > > > I have to agree wholeheartedly. I'm notorious for fat > fingering things > and really like to have a bit of an oops factor when I make > changes. It > has saved me many times when I've double checked something > only to see > some really glaring errors. Me too, but I guess I am weird as I don't move something in place until I have checked as many times as I am going to. If course I still find the occasional error only after implementation ;-) Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From ssilva at sgvwater.com Thu Jul 12 16:34:25 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Jul 12 16:34:39 2007 Subject: Sign clean messages rule In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0E8F@winchester.andrewscompanies.com> References: <000901c7c210$8d1f4310$a75dc930$@dk><6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local><002001c7c219$4d475580$e7d60080$@dk><223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com><001e01c7c2de$074aa850$15dff8f0$@dk><223f97700707100849l378fce92xf1386f7b5e779193@mail.gmail.com><6EEC6D949794754FB8D83A4D87DF7168BE662D@gh-redd-exch-01.redditch.ntltravel.local><223f97700707100917o2cadec8bg9445f22b360b9499@mail.gmail.com><6EEC6D949794754FB8D83A4D87DF7168BE66F2@gh-redd-exch-01.redditch.ntltravel.local> <1964AAFBC212F742958F9275BF63DBB04B0E8D@winchester.andrewscompanies.com> <1964AAFBC212F742958F9275BF63DBB04B0E8F@winchester.andrewscompanies.com> Message-ID: Steven Andrews spake the following on 7/12/2007 6:07 AM: > Don't flame me. I just found the answer in the example file. I'll have > my self flogged by the end of the day. > " The floggings will continue until morale improves!" -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From Q.G.Campbell at newcastle.ac.uk Thu Jul 12 16:37:08 2007 From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell) Date: Thu Jul 12 16:39:14 2007 Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine Message-ID: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> I have a very slow mail gateway among the 4 that I have just upgraded. They all run MS 4.62.2-3, SA 3.2.1 and ClamAV 0.91 and should have identical configurations for MS and SA. MCP processing is done and it is the same on all 4. There were 211 batches of 30 messages each processed on the slow machine. Overall the average time to process each message is 15 seconds! 
The last two of these batches were processed by running MailScanner in debug mode. The average processing time for each message then dropped to between 2 and 3 seconds!

I am trying to get a handle on why this machine is so slow. Any suggestions to help further my investigation are welcome.

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           Newcastle University,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------

From Q.G.Campbell at newcastle.ac.uk Thu Jul 12 16:43:54 2007
From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell)
Date: Thu Jul 12 16:45:28 2007
Subject: Strange interaction between MS 4.62.2-3 & ClamAV 0.91
Message-ID: <4165CF7A7F12DE4B96622CCBB90586470AC92C1C@largo.campus.ncl.ac.uk>

When running MS in debug mode on a machine running MS 4.62.2-3 & ClamAV 0.91 it says:

[root@cheviot1 tmp]# service MailScanner start
Starting MailScanner daemons:
incoming sendmail: [ OK ]
outgoing sendmail: [ OK ]
MailScanner: In Debugging mode, not forking...
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1087.
Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1089.
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days. ***
LibClamAV Warning: *** Please update it IMMEDIATELY! ***
LibClamAV Warning: **************************************************
Ignore errors about failing to find EOCD signature
Stopping now as you are debugging me.
[ OK ]
[root@cheviot1 tmp]#

The ClamAV database is up to date. The same behaviour is seen on two similarly built machines.
This does not happen on a third machine running MS 4.61.3-1 & ClamAV 0.90.3.

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           Newcastle University,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------

From MailScanner at ecs.soton.ac.uk Thu Jul 12 16:53:31 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 12 16:54:55 2007
Subject: Strange interaction between MS 4.62.2-3 & ClamAV 0.91
In-Reply-To: <4165CF7A7F12DE4B96622CCBB90586470AC92C1C@largo.campus.ncl.ac.uk>
References: <4165CF7A7F12DE4B96622CCBB90586470AC92C1C@largo.campus.ncl.ac.uk>
Message-ID: <46964E7B.9010006@ecs.soton.ac.uk>

Check virus.scanners.conf and your $PATH to see what and where your version(s) of ClamAV are installed.

Quentin Campbell wrote:
> When running MS in debug mode on a machine running MS 4.62.2-3 & ClamAV 0.91 it says:
>
> [root@cheviot1 tmp]# service MailScanner start
> Starting MailScanner daemons:
> incoming sendmail: [ OK ]
> outgoing sendmail: [ OK ]
> MailScanner: In Debugging mode, not forking...
> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1087.
> Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1089.
> LibClamAV Warning: **************************************************
> LibClamAV Warning: *** The virus database is older than 7 days. ***
> LibClamAV Warning: *** Please update it IMMEDIATELY! ***
> LibClamAV Warning: **************************************************
> Ignore errors about failing to find EOCD signature
> Stopping now as you are debugging me.
> [ OK ]
> [root@cheviot1 tmp]#
>
> The ClamAV database is up to date.
The same behaviour is seen on two similarly built machines.
>
> This does not happen on a third machine running MS 4.61.3-1 & ClamAV 0.90.3.
>
>
> Quentin
> ---
> PHONE: +44 191 222 8209    Information Systems and Services (ISS),
>                            Newcastle University,
>                            Newcastle upon Tyne,
> FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
> ------------------------------------------------------------------------
>
>
>
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From leiw324 at yahoo.com.hk Thu Jul 12 17:01:52 2007
From: leiw324 at yahoo.com.hk (Wilson Kwok)
Date: Thu Jul 12 17:01:55 2007
Subject: Can't receive and send email
Message-ID: <79877.19695.qm@web54401.mail.yahoo.com>

Hello,

Please see the log in the following URL about receiving email:

http://wilson-kwok.com/log/maillog.txt

Why does it always show SpamAssassin cache hit for message 3AE25700AD.EC9F5 etc etc ?

Thanks

---------------------------------
Yahoo! Mail makes a small donation for every email you send, to share a little kindness. Start your act of kindness now.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070713/91a66ab8/attachment.html

From mailscanner at slackadelic.com Thu Jul 12 17:43:47 2007
From: mailscanner at slackadelic.com (Matt Hayes)
Date: Thu Jul 12 17:43:56 2007
Subject: Can't receive and send email
In-Reply-To: <79877.19695.qm@web54401.mail.yahoo.com>
References: <79877.19695.qm@web54401.mail.yahoo.com>
Message-ID: <46965A43.8070709@slackadelic.com>

Wilson Kwok wrote:
> Hello,
>
> Please see the log in the following URL about receiving email:
>
> http://wilson-kwok.com/log/maillog.txt
>
> Why does it always show SpamAssassin cache hit for message 3AE25700AD.EC9F5 etc
> etc ?
>
> Thanks
>
>
>
> ------------------------------------------------------------------------
> Yahoo! Mail makes a small donation for every email you send, to share a little kindness.
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner*, and is
> believed to be clean.
>

That's normal. You can safely ignore that.

-Matt

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From dgottsc at emory.edu Thu Jul 12 17:47:56 2007
From: dgottsc at emory.edu (Gottschalk, David)
Date: Thu Jul 12 17:48:07 2007
Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine
In-Reply-To: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk>
References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk>
Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu>

I have five mail gateways. Here are a few things I've done that helped a lot.

The item that made the biggest difference was changing 'Max Unscanned Messages Per Scan = 30' to 10, and changing 'Max Unsafe Messages Per Scan = 30' to 10 as well.

I also increased my "Max Children" to 10, but I'm still working on tweaking that (only been running MailScanner in production for a week now).

I had one machine that could not keep up with the volume of mail.
I couldn't figure out why one machine was having trouble when the rest were doing fine. Soon I discovered that SpamAssassin was causing a huge slowdown on that one box. It was hanging forever on checking if DNS was available or not. I set 'dns_available no' in the spam.assassin.prefs.conf file and things sped waaayyy up. I changed it on my other relays and it made a significant difference on them as well, but not as much as the one relay that couldn't keep up with mail originally. I still haven't figured out why it so greatly effected that one machine.

Hope that helps.

Good luck.

David Gottschalk
Emory University Infrastructure Technology Services
david.gottschalk@emory.edu

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Quentin Campbell
Sent: Thursday, July 12, 2007 11:37 AM
To: MailScanner discussion
Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine

I have a very slow mail gateway among the 4 that I have just upgraded.

They all run MS 4.62.2-3, SA 3.2.1 and ClamAV 0.91 and should have identical configurations for MS and SA. MCP processing is done and it is the same on all 4.

There were 211 batches of 30 messages each processed on the slow machine. Overall the average time to process each message is 15 seconds!

The last two of these batches were processed by running MailScanner in debug mode. The average processing time for each message then dropped to between 2 and 3 seconds!

I am trying to get a handle on why this machine is so slow. Any suggestions to help further my investigation are welcome.

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           Newcastle University,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------ -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From alex at nkpanama.com Thu Jul 12 18:22:03 2007 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Jul 12 18:23:02 2007 Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> Message-ID: <4696633B.8000006@nkpanama.com> Gottschalk, David wrote: > I have five mail gateways. Here are a few things I've done that helped a lot. > > The item that made the biggest difference was changing 'Max Unscanned Messages Per Scan = 30' to 10, and changing 'Max Unsafe Messages Per Scan = 30' to 10 as well. > > I also increased my "Max Children" to 10, but I'm still working on tweaking that (only been running MailScanner in production for a week now). > > I had one machine that could not keep up with the volume of mail. I couldn't figure out why one machine was having trouble when the rest were doing fine. Soon I discovered that Spamassassin was causing a huge slow down on that one box. It was hanging for ever on checking if dns was avaiable or not. I set 'dns_available no' in the spam.assassin.prefs.conf file and things sped waaayyy up. I changed it on my other relays and it made a significant different on them as well, but not as much as the one relay that couldn't keep up with mail orginially. I still haven't figured out why it so greatly effected that one machine. > > I believe dns_available no might *affect* :-) machines that don't have local caching DNS enabled much more than those that don't. 
It's always been recommended to do this in order to minimize DNS lookup times for spamassassin. > Hope that helps. > > Good luck. > > David Gottschalk > Emory University Infrastructure Technology Services > david.gottschalk@emory.edu > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Quentin Campbell > Sent: Thursday, July 12, 2007 11:37 AM > To: MailScanner discussion > Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine > > I have a very slow mail gateway among the 4 that I have just upgraded. > > They all run MS 4.62.2-3, SA 3.2.1 and ClamAV 0.91 and should have identical configurations for MS and SA. MCP processing is done and it is the same on all 4. > > There were 211 batches of 30 messages each processed on the slow machine. Overall the average time to process each message is 15 seconds! > > The last two of these batches were processed by running MailScanner in debug mode. The average processing time for each message then dropped to between 2 and 3 seconds! > > I am trying to get a handle on why this machine is so slow. Any suggestions to help further my investigation are welcome. > > Quentin > --- > PHONE: +44 191 222 8209 Information Systems and Services (ISS), > Newcastle University, > Newcastle upon Tyne, > FAX: +44 191 222 8765 United Kingdom, NE1 7RU. > ------------------------------------------------------------------------ > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
>

From larskman at gmail.com Thu Jul 12 19:15:31 2007
From: larskman at gmail.com (fname lname)
Date: Thu Jul 12 19:15:35 2007
Subject: MailScanner Spam report
Message-ID:

Is there a way to have mailscanner email all the users that were sent email for that data on the local domain and spam report so the end users will know what emails were blocked by the scanner?

tnx

From mailscanner at slackadelic.com Thu Jul 12 19:23:02 2007
From: mailscanner at slackadelic.com (Matt Hayes)
Date: Thu Jul 12 19:23:12 2007
Subject: MailScanner Spam report
In-Reply-To:
References:
Message-ID: <46967186.1070601@slackadelic.com>

fname lname wrote:
> Is there a way to have mailscanner email all the users that were
> sent email for that data on the local domain and spam report so the
> end users will know what emails were blocked by the scanner?
>
> tnx

If using MailWatch with MailScanner this is definitely possible.

-Matt

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Thu Jul 12 19:31:23 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 12 19:32:48 2007
Subject: Watermarking returns+ graphical signatures
Message-ID: <4696737B.7040805@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have just released a new beta with 2 major features added:

Firstly, the watermarking functionality has returned. But this time it is implemented differently so is safe from all patent problems. It is implemented in pretty much the same way that milter-null does it.

Secondly, ever wanted to be able to put an image in your HTML signature? Well now you can. The image is embedded in the message so it will display even when the recipients' email applications are configured not to fetch remote images.

And there's one more little feature: some companies such as msgtag.com have evaded the web bug detection by not defining the size of the web bug image.
Now you can just black-list images from any servers or domains so all images from msgtag.com can be blocked at once.

Download as usual from www.mailscanner.info.

The full change log is this:

* New Features and Improvements *
1 Improved non-Linux installer.
1 Improved Linux installer.
1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this.
1 Upgraded MIME::Base64 to 3.07.
1 Improved error reporting for clamd permissions problems. Thanks Rick.
2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and
  /usr/sbin/update_spamassassin. For a good use of this, see
  http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
  and search for "HOWTO" in the Subject: line of the
  MailScanner-discussion list archive.
  This process replaces RulesDuJour entirely.
  Another good ruleset to add to your setup is
  http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
  To download this automatically every night, fetch
  http://www.mailscanner.info/files/4/KAM.cf.sh
  and put it in /etc/cron.daily and make it executable
  (type "chmod +x /etc/cron.daily/KAM.cf.sh").
3 Added "Known Web Bug Servers" so you can blacklist images from known
  servers of web bug services.
3 Added functionality of "milter-null" to MailScanner so you no longer
  need to run this separately. It is called "Watermarking" and there is a
  whole section for the settings in MailScanner.conf. They are
    Add Watermark = yes
    Skip Spam Checks If Watermark Valid = yes
    Watermark Header = MailScanner-%org-name%-Watermark:
    Watermark Lifetime = 432000 # in seconds, = 5 days
    Watermark Secret = SET-THIS-TO-A-SECRET!
  Also added Digest::MD5 to the required list of Perl modules, this is
  needed for the watermarking code.
3 Added optional image to the clean message signature. You can also use
  this to add an arbitrary image attachment to any message, if you so wish.
  The main point is to be able to have graphical HTML signatures on messages.
  The settings are
    Attach Image To Signature = no
    Attach Image To HTML Message Only = yes
    Signature Image Filename = %report-dir%/sig.jpg
    Signature Image Filename = signature.jpg

* Fixes *
2-2 Fixed error in RPM installer.
2-3 Fixed error in update_spamassassin.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGlnN8EfZZRxQVtlQRApRlAJ9kkmWhyrhl0b1CdEPw0UcokEl6fwCffc8Y
HQ9+YyK0H19yy2343Aev6LE=
=/thZ
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Thu Jul 12 19:46:13 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 12 19:46:52 2007
Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine
In-Reply-To: <4696633B.8000006@nkpanama.com>
References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> <4696633B.8000006@nkpanama.com>
Message-ID: <469676F5.2030003@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex Neuman van der Hans wrote:
> Gottschalk, David wrote:
>> I have five mail gateways. Here are a few things I've done that
>> helped a lot.
>>
>> The item that made the biggest difference was changing 'Max Unscanned
>> Messages Per Scan = 30' to 10, and changing 'Max Unsafe Messages Per
>> Scan = 30' to 10 as well.
>>
>> I also increased my "Max Children" to 10, but I'm still working on
>> tweaking that (only been running MailScanner in production for a week
>> now).
>> >> I had one machine that could not keep up with the volume of mail. I >> couldn't figure out why one machine was having trouble when the rest >> were doing fine. Soon I discovered that Spamassassin was causing a >> huge slow down on that one box. It was hanging for ever on checking >> if dns was avaiable or not. I set 'dns_available no' in the >> spam.assassin.prefs.conf file and things sped waaayyy up. I changed >> it on my other relays and it made a significant different on them as >> well, but not as much as the one relay that couldn't keep up with >> mail orginially. I still haven't figured out why it so greatly >> effected that one machine. >> >> > I believe dns_available no might *affect* :-) machines that don't have > local caching DNS enabled much more than those that don't. It's always > been recommended to do this in order to minimize DNS lookup times for > spamassassin. But if you switch off DNS lookups for SpamAssassin, you will severely damage its ability to detect spam. Better to diagnose your slow DNS lookups and switch it back on. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGlnb2EfZZRxQVtlQRAsQ4AKCL061Yc7jF+9B1olsB8zmWHY4DJgCg/nwI zg+GSFaYSDl1atRGzdLHA5o= =bVBy -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
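
One way to follow the advice in the message above and diagnose slow DNS lookups instead of switching them off. This is an added example, not code from MailScanner, SpamAssassin or any poster in this thread: it sends one raw A query to each nameserver in resolv.conf, in listed order, and reports which ones answer and how fast. The probe name example.com, the 200 ms threshold, the function names and the sample resolv.conf are assumptions made for the example.

```python
"""Time a raw DNS query against each nameserver listed in resolv.conf.

Added example; probe name, threshold and sample file are assumptions.
"""
import os
import socket
import struct
import sys
import time

# Constructed sample: the first nameserver is an RFC 5737 documentation
# address that never answers, the second is a local caching resolver.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not taken from the thread
search example.com
nameserver 192.0.2.53
nameserver 127.0.0.1
options timeout:3 attempts:2
"""


def parse_resolv_conf(text):
    """Return (nameservers, timeout_seconds, attempts) from resolv.conf text."""
    servers, timeout, attempts = [], 5, 2  # glibc defaults when unset
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) > 1:
            servers.append(fields[1])
        elif fields[0] == "options":
            for opt in fields[1:]:
                key, _, value = opt.partition(":")
                if key == "timeout" and value.isdigit():
                    timeout = int(value)
                elif key == "attempts" and value.isdigit():
                    attempts = int(value)
    return servers, timeout, attempts


def build_query(name, query_id):
    """Build a DNS query packet asking for the A record of `name`."""
    header = struct.pack(">HHHHHH", query_id, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def time_lookup(server, name="example.com", timeout=2.0, port=53):
    """Return the round-trip time in ms for one query, or None if unanswered."""
    query_id = int.from_bytes(os.urandom(2), "big")
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.connect((server, port))
            sock.send(build_query(name, query_id))
            while True:
                reply = sock.recv(512)
                # Accept only a reply that echoes our transaction ID.
                if reply[:2] == query_id.to_bytes(2, "big"):
                    return (time.monotonic() - start) * 1000.0
        except OSError:  # timeout, connection refused, network unreachable
            return None


def diagnose(results, slow_ms=200.0):
    """Classify (server, latency_ms or None) pairs, kept in resolv.conf order."""
    findings = []
    for position, (server, latency) in enumerate(results, start=1):
        if latency is None:
            status = "no answer"
        elif latency > slow_ms:
            status = "slow"
        else:
            status = "ok"
        findings.append((position, server, status))
    return findings


def first_server_is_bottleneck(findings):
    """True when the first listed server is bad but a later one is healthy."""
    return (bool(findings) and findings[0][2] != "ok"
            and any(status == "ok" for _, _, status in findings[1:]))


def main(path="/etc/resolv.conf"):
    with open(path) as handle:
        servers, timeout, attempts = parse_resolv_conf(handle.read())
    results = [(server, time_lookup(server, timeout=timeout)) for server in servers]
    findings = diagnose(results)
    for (position, server, status), (_, latency) in zip(findings, results):
        shown = "-" if latency is None else f"{latency:.1f} ms"
        print(f"{position}. {server:<40} {status:<10} {shown}")
    if first_server_is_bottleneck(findings):
        print("First nameserver is dead or slow, so lookups wait on it before "
              f"trying the next one (timeout {timeout}s, attempts {attempts}).")
    return findings


if __name__ == "__main__":
    main(*sys.argv[1:2])
```

Run it on the slow gateway and on a healthy one and compare the output; a first nameserver that reports "no answer" while a later one is "ok" points at resolver ordering rather than at SpamAssassin itself.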
For all your IT requirements visit www.transtec.co.uk From larskman at gmail.com Thu Jul 12 19:49:51 2007 From: larskman at gmail.com (fname lname) Date: Thu Jul 12 19:49:55 2007 Subject: MailScanner Spam report In-Reply-To: <46967186.1070601@slackadelic.com> References: <46967186.1070601@slackadelic.com> Message-ID: So, i can have this sent to each user. On 7/12/07, Matt Hayes wrote: > fname lname wrote: > > Is there a way to have mailscanner to email all the users that was > > sent email for that data on the local domain and spam report so the > > end users will know what emails where blocked by the scanner? > > > > tnx > > If using MailWatch with MailScanner this is definitely possible. > > -Matt > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From alex at nkpanama.com Thu Jul 12 19:51:18 2007 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Jul 12 19:52:16 2007 Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine In-Reply-To: <469676F5.2030003@ecs.soton.ac.uk> References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> <4696633B.8000006@nkpanama.com> <469676F5.2030003@ecs.soton.ac.uk> Message-ID: <46967826.8030608@nkpanama.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Alex Neuman van der Hans wrote: > >> Gottschalk, David wrote: >> >>> I have five mail gateways. Here are a few things I've done that >>> helped a lot. 
>>> >>> The item that made the biggest difference was changing 'Max Unscanned >>> Messages Per Scan = 30' to 10, and changing 'Max Unsafe Messages Per >>> Scan = 30' to 10 as well. >>> >>> I also increased my "Max Children" to 10, but I'm still working on >>> tweaking that (only been running MailScanner in production for a week >>> now). >>> >>> I had one machine that could not keep up with the volume of mail. I >>> couldn't figure out why one machine was having trouble when the rest >>> were doing fine. Soon I discovered that Spamassassin was causing a >>> huge slow down on that one box. It was hanging for ever on checking >>> if dns was avaiable or not. I set 'dns_available no' in the >>> spam.assassin.prefs.conf file and things sped waaayyy up. I changed >>> it on my other relays and it made a significant different on them as >>> well, but not as much as the one relay that couldn't keep up with >>> mail orginially. I still haven't figured out why it so greatly >>> effected that one machine. >>> >>> >>> >> I believe dns_available no might *affect* :-) machines that don't have >> local caching DNS enabled much more than those that don't. It's always >> been recommended to do this in order to minimize DNS lookup times for >> spamassassin. >> By "do this" I mean use a caching nameserver, not disable DNS lookups... :-) > But if you switch off DNS lookups for SpamAssassin, you will severely > damage its ability to detect spam. Better to diagnose your slow DNS > lookups and switch it back on. > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > Charset: ISO-8859-1 > > wj8DBQFGlnb2EfZZRxQVtlQRAsQ4AKCL061Yc7jF+9B1olsB8zmWHY4DJgCg/nwI > zg+GSFaYSDl1atRGzdLHA5o= > =bVBy > -----END PGP SIGNATURE----- > > From dgottsc at emory.edu Thu Jul 12 19:54:25 2007 From: dgottsc at emory.edu (Gottschalk, David) Date: Thu Jul 12 19:54:37 2007 Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine In-Reply-To: <469676F5.2030003@ecs.soton.ac.uk> References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> <4696633B.8000006@nkpanama.com> <469676F5.2030003@ecs.soton.ac.uk> Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1658@RDPEXCH2.Eu.Emory.Edu> My understanding of the dns_available settings was merely to check if DNS was working properly before it attempted to do DNS checks. Do I not understand that setting correctly? David Gottschalk -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Thursday, July 12, 2007 2:46 PM To: MailScanner discussion Subject: Re: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Neuman van der Hans wrote: > Gottschalk, David wrote: >> I have five mail gateways. Here are a few things I've done that >> helped a lot. >> >> The item that made the biggest difference was changing 'Max Unscanned >> Messages Per Scan = 30' to 10, and changing 'Max Unsafe Messages Per >> Scan = 30' to 10 as well. >> >> I also increased my "Max Children" to 10, but I'm still working on >> tweaking that (only been running MailScanner in production for a week >> now). 
>> >> I had one machine that could not keep up with the volume of mail. I >> couldn't figure out why one machine was having trouble when the rest >> were doing fine. Soon I discovered that Spamassassin was causing a >> huge slow down on that one box. It was hanging for ever on checking >> if dns was avaiable or not. I set 'dns_available no' in the >> spam.assassin.prefs.conf file and things sped waaayyy up. I changed >> it on my other relays and it made a significant different on them as >> well, but not as much as the one relay that couldn't keep up with >> mail orginially. I still haven't figured out why it so greatly >> effected that one machine. >> >> > I believe dns_available no might *affect* :-) machines that don't have > local caching DNS enabled much more than those that don't. It's always > been recommended to do this in order to minimize DNS lookup times for > spamassassin. But if you switch off DNS lookups for SpamAssassin, you will severely damage its ability to detect spam. Better to diagnose your slow DNS lookups and switch it back on. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGlnb2EfZZRxQVtlQRAsQ4AKCL061Yc7jF+9B1olsB8zmWHY4DJgCg/nwI zg+GSFaYSDl1atRGzdLHA5o= =bVBy -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mailscanner at slackadelic.com Thu Jul 12 20:00:55 2007 From: mailscanner at slackadelic.com (Matt Hayes) Date: Thu Jul 12 20:01:02 2007 Subject: MailScanner Spam report In-Reply-To: References: <46967186.1070601@slackadelic.com> Message-ID: <46967A67.30900@slackadelic.com> fname lname wrote: > So, i can have this sent to each user. > Using MailWatch you can have it sent to each user, yes. -Matt P.S. Try not to top post ;) -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From shuttlebox at gmail.com Thu Jul 12 20:04:14 2007 From: shuttlebox at gmail.com (shuttlebox) Date: Thu Jul 12 20:04:18 2007 Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1658@RDPEXCH2.Eu.Emory.Edu> References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> <4696633B.8000006@nkpanama.com> <469676F5.2030003@ecs.soton.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1658@RDPEXCH2.Eu.Emory.Edu> Message-ID: <625385e30707121204r4aac42dbna4941402850843fb@mail.gmail.com> On 7/12/07, Gottschalk, David wrote: > My understanding of the dns_available settings was merely to check if DNS was working properly before it attempted to do DNS checks. > > Do I not understand that setting correctly? >From SA man page: --> dns_available { yes | test[: name1 name2...] | no } (default: test) By default, SpamAssassin will query some default hosts on the internet to attempt to check if DNS is working on not. 
The problem is that it can introduce some delay if your network connection is down, and in some cases it can wrongly guess that DNS is unavailable because the test connections failed. SpamAssassin includes a default set of 13 servers, among which 3 are picked randomly. You can however specify your own list by specifying dns_available test: server1.tld server2.tld server3.tld Please note, the DNS test queries for MX records so if you specify your own list of servers, please make sure to choose the one(s) which has an associated MX record. <-- If you want to save time not doing the test, set it to yes. Do not set it to no unless you really don't have DNS service. -- /peter From bpumphrey at woodmclaw.com Thu Jul 12 20:06:32 2007 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Thu Jul 12 20:06:35 2007 Subject: Feature(s) Message-ID: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> Is it possible to do a major version of MailScanner to pretty much be a MailArchiver? I am not a programmer, but seems like there may or may not have to be big changes to do the following: - Receive the email from Exchange Journal - See if the MailWatch guy can alter the code to reflect the changes. - Be able to export the searched results to a single file or even a PST for moving between systems. I just love everything about MailScanner and would love the layout to accomplish this sort of task. If Julian is willing to accept money for these sort of changes and according to what the price might be, we (really me) (the law firm) would most likely be willing to put some money toward this. I have tried some demos of other software that does mail archiving but they just don't suite me. Any thoughts? 
Billy Pumphrey IT Manager Wooden & McLaughlin From alex at nkpanama.com Thu Jul 12 20:10:58 2007 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Jul 12 20:11:57 2007 Subject: Feature(s) In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> Message-ID: <46967CC2.30900@nkpanama.com> Billy A. Pumphrey wrote: > Is it possible to do a major version of MailScanner to pretty much be a > MailArchiver? I am not a programmer, but seems like there may or may > not have to be big changes to do the following: > > - Receive the email from Exchange Journal > - See if the MailWatch guy can alter the code to reflect the changes. > - Be able to export the searched results to a single file or even a PST > for moving between systems. > > I just love everything about MailScanner and would love the layout to > accomplish this sort of task. If Julian is willing to accept money for > these sort of changes and according to what the price might be, we > (really me) (the law firm) would most likely be willing to put some > money toward this. > > I have tried some demos of other software that does mail archiving but > they just don't suite me. > > Any thoughts? > > This functionality (apart from the PST stuff) is already built into MailScanner, and it's pretty flexible through the use of rulesets. In fact, you can do a poor man's version of "archive only nonspam" by using it in conjunction with another ruleset on "non spam actions =". You can even set it up so that it becomes an IMAP-readable archive of your e-mail if you tweak it right. 
> Billy Pumphrey > IT Manager > Wooden & McLaughlin > > From mailscanner at slackadelic.com Thu Jul 12 20:14:12 2007 From: mailscanner at slackadelic.com (Matt Hayes) Date: Thu Jul 12 20:14:18 2007 Subject: Feature(s) In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> Message-ID: <46967D84.9020503@slackadelic.com> Billy A. Pumphrey wrote: > Is it possible to do a major version of MailScanner to pretty much be a > MailArchiver? I am not a programmer, but seems like there may or may > not have to be big changes to do the following: > > - Receive the email from Exchange Journal > - See if the MailWatch guy can alter the code to reflect the changes. > - Be able to export the searched results to a single file or even a PST > for moving between systems. > > I just love everything about MailScanner and would love the layout to > accomplish this sort of task. If Julian is willing to accept money for > these sort of changes and according to what the price might be, we > (really me) (the law firm) would most likely be willing to put some > money toward this. > > I have tried some demos of other software that does mail archiving but > they just don't suite me. > > Any thoughts? > > Billy Pumphrey > IT Manager > Wooden & McLaughlin > Billy, Knowing it is off topic.. have you tried archivesink? I believe that is what it is called. One of our clients uses Exchange and they are required to archive email for like 7 years so we use that to achieve this. -Matt -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From MailScanner at ecs.soton.ac.uk Thu Jul 12 20:16:42 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 12 20:18:13 2007 Subject: Feature(s) In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> Message-ID: <46967E1A.4010103@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Have you tried the "Archive Mail" setting? Billy A. Pumphrey wrote: > Is it possible to do a major version of MailScanner to pretty much be a > MailArchiver? I am not a programmer, but seems like there may or may > not have to be big changes to do the following: > > - Receive the email from Exchange Journal > - See if the MailWatch guy can alter the code to reflect the changes. > - Be able to export the searched results to a single file or even a PST > for moving between systems. > > I just love everything about MailScanner and would love the layout to > accomplish this sort of task. If Julian is willing to accept money for > these sort of changes and according to what the price might be, we > (really me) (the law firm) would most likely be willing to put some > money toward this. > > I have tried some demos of other software that does mail archiving but > they just don't suite me. > > Any thoughts? > > Billy Pumphrey > IT Manager > Wooden & McLaughlin > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGln4bEfZZRxQVtlQRAjieAJwIegrjgCFbkKnGA/+0c8KyJLjxYACg6RVV VH8+2xvGQAElAvsckLCDmm8= =1K1t -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From dgottsc at emory.edu Thu Jul 12 20:24:53 2007 From: dgottsc at emory.edu (Gottschalk, David) Date: Thu Jul 12 20:25:03 2007 Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine In-Reply-To: <625385e30707121204r4aac42dbna4941402850843fb@mail.gmail.com> References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> <4696633B.8000006@nkpanama.com> <469676F5.2030003@ecs.soton.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1658@RDPEXCH2.Eu.Emory.Edu> <625385e30707121204r4aac42dbna4941402850843fb@mail.gmail.com> Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1696@RDPEXCH2.Eu.Emory.Edu> Oh, ok. I misunderstood that option. Strangely, I turned DNS lookups back on and that box that was slow earlier in the week and it is fast now. It has on average about 15-30 messages waiting in the inbound queue, but process times per message are still very fast (under 5 secs on average). Earlier in the week, the inbound queue was just filling up all the way till the point I had 2,000+ messages waiting to be scanned. 
David Gottschalk -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of shuttlebox Sent: Thursday, July 12, 2007 3:04 PM To: MailScanner discussion Subject: Re: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine On 7/12/07, Gottschalk, David wrote: > My understanding of the dns_available settings was merely to check if DNS was working properly before it attempted to do DNS checks. > > Do I not understand that setting correctly? >From SA man page: --> dns_available { yes | test[: name1 name2...] | no } (default: test) By default, SpamAssassin will query some default hosts on the internet to attempt to check if DNS is working on not. The problem is that it can introduce some delay if your network connection is down, and in some cases it can wrongly guess that DNS is unavailable because the test connections failed. SpamAssassin includes a default set of 13 servers, among which 3 are picked randomly. You can however specify your own list by specifying dns_available test: server1.tld server2.tld server3.tld Please note, the DNS test queries for MX records so if you specify your own list of servers, please make sure to choose the one(s) which has an associated MX record. <-- If you want to save time not doing the test, set it to yes. Do not set it to no unless you really don't have DNS service. -- /peter -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
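An added example, not part of any list post and not SpamAssassin or MailScanner code: a small audit of the `dns_available` line in each gateway's `spam.assassin.prefs.conf`, following the man page text quoted above. The gateway names, the sample file contents, and the rule that the last `dns_available` line in a file wins are assumptions.

```python
import re
from collections import Counter

# Constructed sample contents of spam.assassin.prefs.conf on four gateways
# (hypothetical host names and settings, not taken from the thread).
SAMPLE_PREFS = {
    "gw1": "# local tweaks\nrequired_score 5\ndns_available yes\n",
    "gw2": "dns_available test: example.org example.net\n",
    "gw3": "dns_available yes\n# emergency change during the backlog\ndns_available no\n",
    "gw4": "required_score 5\n",
}

DIRECTIVE = re.compile(r"^\s*dns_available\s+(\S.*?)\s*$", re.IGNORECASE)

# Severity and note per mode, worded after the man page excerpt and the replies.
ADVICE = {
    "yes": ("ok", "startup probe skipped, DNS-based checks stay on"),
    "test": ("info", "startup MX probe runs; it can add delay or wrongly decide DNS is down"),
    "no": ("warn", "DNS lookups are off, so DNS-based spam checks do not run"),
    "invalid": ("warn", "value is not yes, no or test[: names]"),
}


def parse_dns_available(text):
    """Return (mode, test_names) for the effective dns_available setting.

    Syntax per the quoted man page: yes | test[: name1 name2...] | no,
    default test. Assumption: a later line overrides an earlier one.
    """
    mode, names = "test", []
    for raw in text.splitlines():
        match = DIRECTIVE.match(raw.split("#", 1)[0])  # drop trailing comments
        if not match:
            continue
        value = match.group(1)
        lowered = value.lower()
        if lowered in ("yes", "no"):
            mode, names = lowered, []
        elif re.fullmatch(r"test(\s*:.*)?", lowered):
            mode = "test"
            names = value.split(":", 1)[1].split() if ":" in value else []
        else:
            mode, names = "invalid", []
    return mode, names


def audit(prefs_by_host):
    """Map each gateway to its effective mode, severity and a short note."""
    report = {}
    for host, text in prefs_by_host.items():
        mode, names = parse_dns_available(text)
        severity, note = ADVICE[mode]
        if mode == "test" and names:
            # The probe queries MX records, so every custom name needs one.
            note += "; confirm each listed name has an MX record: " + ", ".join(names)
        report[host] = {"mode": mode, "test_names": names,
                        "severity": severity, "note": note}
    return report


def drift(report):
    """Gateways whose mode differs from the most common mode in the fleet."""
    common = Counter(entry["mode"] for entry in report.values()).most_common(1)[0][0]
    return sorted(host for host, entry in report.items() if entry["mode"] != common)


if __name__ == "__main__":
    result = audit(SAMPLE_PREFS)
    for host in sorted(result):
        entry = result[host]
        print(f"{host}: dns_available={entry['mode']} [{entry['severity']}] {entry['note']}")
    print("differs from the fleet majority:", ", ".join(drift(result)) or "none")
```

Run against the real prefs files by replacing `SAMPLE_PREFS` with the text read from each relay; a gateway reported as `no` is the case the replies above advise against.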
From MailScanner at ecs.soton.ac.uk Thu Jul 12 20:27:21 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 12 20:27:51 2007 Subject: Feature(s) In-Reply-To: <46967CC2.30900@nkpanama.com> References: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> <46967CC2.30900@nkpanama.com> Message-ID: <46968099.20403@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 If you decide to do it via MailScanner, please feel free to pay me for writing it anyway :-) If there are any other specific things you would like adding to the Archive Mail functionality, feel free to discuss them with me. Many things are possible. Best regards, Jules. Alex Neuman van der Hans wrote: > Billy A. Pumphrey wrote: >> Is it possible to do a major version of MailScanner to pretty much be a >> MailArchiver? I am not a programmer, but seems like there may or may >> not have to be big changes to do the following: >> >> - Receive the email from Exchange Journal >> - See if the MailWatch guy can alter the code to reflect the >> changes. - Be able to export the searched results to a single file >> or even a PST >> for moving between systems. >> >> I just love everything about MailScanner and would love the layout to >> accomplish this sort of task. If Julian is willing to accept money for >> these sort of changes and according to what the price might be, we >> (really me) (the law firm) would most likely be willing to put some >> money toward this. >> >> I have tried some demos of other software that does mail archiving but >> they just don't suite me. >> >> Any thoughts? >> >> > This functionality (apart from the PST stuff) is already built into > MailScanner, and it's pretty flexible through the use of rulesets. In > fact, you can do a poor man's version of "archive only nonspam" by > using it in conjunction with another ruleset on "non spam actions =". 
> > You can even set it up so that it becomes an IMAP-readable archive of > your e-mail if you tweak it right. >> Billy Pumphrey >> IT Manager >> Wooden & McLaughlin >> >> > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGloCaEfZZRxQVtlQRAm9sAJ44ZBg9UgcxJwAaUhfDZs6NHOKPFgCgryiY YA4EE+LcvRBwS3aaLerBYB0= =OT+o -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From steve.swaney at fsl.com Thu Jul 12 20:37:03 2007 From: steve.swaney at fsl.com (Stephen Swaney) Date: Thu Jul 12 20:39:11 2007 Subject: Feature(s) In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> Message-ID: <01b701c7c4bc$05f11590$11d340b0$@swaney@fsl.com> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Billy A. Pumphrey > Sent: Thursday, July 12, 2007 3:07 PM > To: MailScanner discussion > Subject: Feature(s) > > Is it possible to do a major version of MailScanner to pretty much be a > MailArchiver? I am not a programmer, but seems like there may or may > not have to be big changes to do the following: > > - Receive the email from Exchange Journal > - See if the MailWatch guy can alter the code to reflect the changes. > - Be able to export the searched results to a single file or even a PST > for moving between systems. 
> > I just love everything about MailScanner and would love the layout to > accomplish this sort of task. If Julian is willing to accept money for > these sort of changes and according to what the price might be, we > (really me) (the law firm) would most likely be willing to put some > money toward this. > > I have tried some demos of other software that does mail archiving but > they just don't suite me. > > Any thoughts? > > Billy Pumphrey > IT Manager > Wooden & McLaughlin > A program to do this already exists. I've done some quick testing and it seem to work. MailArchiva - Open Source Email Archiving Software www.mailarchiva.com/ Steve Steve Swaney steve@fsl.com From jan-peter at koopmann.eu Thu Jul 12 20:41:40 2007 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Thu Jul 12 20:40:57 2007 Subject: Feature(s) In-Reply-To: References: Message-ID: > I have tried some demos of other software that does mail archiving but > they just don't suite me. Tried exclaimer mail archiver yet? From jan-peter at koopmann.eu Thu Jul 12 20:50:50 2007 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Thu Jul 12 20:50:09 2007 Subject: Feature(s) In-Reply-To: References: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> Message-ID: > MailArchiva - Open Source Email Archiving Software > www.mailarchiva.com/ Nice one. Have not seen this one yet but it went straight to the bookmark list. Thanks Steve! From matt at coders.co.uk Thu Jul 12 21:34:18 2007 From: matt at coders.co.uk (Matt Hampton) Date: Thu Jul 12 21:31:57 2007 Subject: Watermarking returns+ graphical signatures In-Reply-To: <4696737B.7040805@ecs.soton.ac.uk> References: <4696737B.7040805@ecs.soton.ac.uk> Message-ID: <4696904A.4040204@coders.co.uk> Julian Field wrote: > 3 Added optional image to the clean message signature. You can also use this > to add an arbitrary image attachment to any message, if you so wish. 
The > main point is to be able to have graphical HTML signatures on messages. > The settings are > Attach Image To Signature = no > Attach Image To HTML Message Only = yes > Signature Image Filename = %report-dir%/sig.jpg > Signature Image Filename = signature.jpg What Jules forgot to mention: From MailScanner.conf: # When using an image in the signature, there are 2 filenames which need # to be set. The first is the location in this server's filesystem of # the image file itself. The second is the name of the image as it is # stored in the attachment. The HTML version of the signature will refer # to this second name in the HTML tag. Signature Image Filename = %report-dir%/sig.jpg This file name must end with the same extension as the MIME Type So: .gif for GIF .jpeg for JPEG (not .jpg as in the example) .png for PNG Hope this makes sense. Matt From csweeney at osubucks.org Thu Jul 12 22:21:40 2007 From: csweeney at osubucks.org (Chris Sweeney) Date: Thu Jul 12 22:22:25 2007 Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> Message-ID: <2559.70.60.69.215.1184275300.squirrel@webmail.osubucks.org> I have the same problem, on Sunday I upgraded a MailScanner box running RHEL 4 to the latest Spamassassin/ClamAV using the tar file from the site and I went on that machine, (2GIG RAM, 3GHZ processor) from less than 4 seconds total processing time per message to now over 40 seconds per message. 40 seconds is good right now, it doesn't seem to be anything to do with MailScanner it seems to be hanging at the virus/spamassassin scanning. Chris > I have five mail gateways. Here are a few things I've done that helped a > lot. 
> > The item that made the biggest difference was changing 'Max Unscanned > Messages Per Scan = 30' to 10, and changing 'Max Unsafe Messages Per Scan > = 30' to 10 as well. > > I also increased my "Max Children" to 10, but I'm still working on > tweaking that (only been running MailScanner in production for a week > now). > > I had one machine that could not keep up with the volume of mail. I > couldn't figure out why one machine was having trouble when the rest were > doing fine. Soon I discovered that Spamassassin was causing a huge slow > down on that one box. It was hanging for ever on checking if dns was > avaiable or not. I set 'dns_available no' in the spam.assassin.prefs.conf > file and things sped waaayyy up. I changed it on my other relays and it > made a significant different on them as well, but not as much as the one > relay that couldn't keep up with mail orginially. I still haven't figured > out why it so greatly effected that one machine. > > Hope that helps. > > Good luck. > > David Gottschalk > Emory University Infrastructure Technology Services > david.gottschalk@emory.edu > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Quentin > Campbell > Sent: Thursday, July 12, 2007 11:37 AM > To: MailScanner discussion > Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine > > I have a very slow mail gateway among the 4 that I have just upgraded. > > They all run MS 4.62.2-3, SA 3.2.1 and ClamAV 0.91 and should have > identical configurations for MS and SA. MCP processing is done and it is > the same on all 4. > > There were 211 batches of 30 messages each processed on the slow machine. > Overall the average time to process each message is 15 seconds! > > The last two of these batches were processed by running MailScanner in > debug mode. The average processing time for each message then dropped to > between 2 and 3 seconds! 
> > I am trying to get a handle on why this machine is so slow. Any > suggestions to help further my investigation are welcome. > > Quentin > --- > PHONE: +44 191 222 8209 Information Systems and Services (ISS), > Newcastle University, > Newcastle upon Tyne, > FAX: +44 191 222 8765 United Kingdom, NE1 7RU. > ------------------------------------------------------------------------ > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- Chris Sweeney Cincinnati Phone http://www.cincinnatiphone.com Microsoft's new slogan: "Wait for us! We're the leaders!" -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From csaba at linuxforum.hu Thu Jul 12 22:48:57 2007 From: csaba at linuxforum.hu (Kovács Csaba) Date: Thu Jul 12 22:54:55 2007 Subject: Different signatures per domain In-Reply-To: <4696737B.7040805@ecs.soton.ac.uk> References: <4696737B.7040805@ecs.soton.ac.uk> Message-ID: <4696A1C9.300@linuxforum.hu> Some domains on my server do not need any signatures. Is it possible to attach different signatures for different domains? 
Csaba From itdept at fractalweb.com Thu Jul 12 22:58:00 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Thu Jul 12 22:58:22 2007 Subject: Feature(s) In-Reply-To: <01b701c7c4bc$05f11590$11d340b0$@swaney@fsl.com> References: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> <01b701c7c4bc$05f11590$11d340b0$@swaney@fsl.com> Message-ID: <4696A3E8.7000808@fractalweb.com> Stephen Swaney wrote: > > A program to do this already exists. I've done some quick testing and it > seem to work. > > MailArchiva - Open Source Email Archiving Software > www.mailarchiva.com/ Steve, The more I learn, the more I know I don't know. Got any other gems up your sleeves? Cheers, Chris From MailScanner at ecs.soton.ac.uk Thu Jul 12 23:00:51 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 12 23:01:21 2007 Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine In-Reply-To: <2559.70.60.69.215.1184275300.squirrel@webmail.osubucks.org> References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> <2559.70.60.69.215.1184275300.squirrel@webmail.osubucks.org> Message-ID: <4696A493.3010509@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Have you tried running it in debug mode with SA debug switched on too? MailScanner -debug -debug-sa and press Ctrl-S to pause the output when it appears to stop for a bit. That will tell you why it is taking so long. In case you don't know, Ctrl-Q will resume the normal output again. Chris Sweeney wrote: > I have the same problem, on Sunday I upgraded a MailScanner box running > RHEL 4 to the latest Spamassassin/ClamAV using the tar file from the site > and I went on that machine, (2GIG RAM, 3GHZ processor) from less then 4 > seconds total processing time per message to now over 40 seconds per > message. 
40 seconds is good right now, it doesn't seem to be anything to > do with MailScanner it seems to be hanging at the virus/spamassassin > scanning. > > Chris > > > >> I have five mail gateways. Here are a few things I've done that helped a >> lot. >> >> The item that made the biggest difference was changing 'Max Unscanned >> Messages Per Scan = 30' to 10, and changing 'Max Unsafe Messages Per Scan >> = 30' to 10 as well. >> >> I also increased my "Max Children" to 10, but I'm still working on >> tweaking that (only been running MailScanner in production for a week >> now). >> >> I had one machine that could not keep up with the volume of mail. I >> couldn't figure out why one machine was having trouble when the rest were >> doing fine. Soon I discovered that Spamassassin was causing a huge slow >> down on that one box. It was hanging for ever on checking if dns was >> avaiable or not. I set 'dns_available no' in the spam.assassin.prefs.conf >> file and things sped waaayyy up. I changed it on my other relays and it >> made a significant different on them as well, but not as much as the one >> relay that couldn't keep up with mail orginially. I still haven't figured >> out why it so greatly effected that one machine. >> >> Hope that helps. >> >> Good luck. >> >> David Gottschalk >> Emory University Infrastructure Technology Services >> david.gottschalk@emory.edu >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Quentin >> Campbell >> Sent: Thursday, July 12, 2007 11:37 AM >> To: MailScanner discussion >> Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine >> >> I have a very slow mail gateway among the 4 that I have just upgraded. >> >> They all run MS 4.62.2-3, SA 3.2.1 and ClamAV 0.91 and should have >> identical configurations for MS and SA. MCP processing is done and it is >> the same on all 4. 
>>
>> There were 211 batches of 30 messages each processed on the slow machine.
>> Overall the average time to process each message is 15 seconds!
>>
>> The last two of these batches were processed by running MailScanner in
>> debug mode. The average processing time for each message then dropped to
>> between 2 and 3 seconds!
>>
>> I am trying to get a handle on why this machine is so slow. Any
>> suggestions to help further my investigation are welcome.
>>
>> Quentin
>> ---
>> PHONE: +44 191 222 8209 Information Systems and Services (ISS),
>> Newcastle University,
>> Newcastle upon Tyne,
>> FAX: +44 191 222 8765 United Kingdom, NE1 7RU.
>> ------------------------------------------------------------------------
>>
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGlqSTEfZZRxQVtlQRAkGKAJ9qt7bOdkTqei6fDpzYerNwrb65jACgrjtV
gUx0qSvSvgmPOLgci1M75Z0=
=n8c4
-----END PGP SIGNATURE-----

From csweeney at osubucks.org Thu Jul 12 23:14:30 2007
From: csweeney at osubucks.org (Chris Sweeney)
Date: Thu Jul 12 23:16:35 2007
Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine
In-Reply-To: <4696A493.3010509@ecs.soton.ac.uk>
References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> <2559.70.60.69.215.1184275300.squirrel@webmail.osubucks.org> <4696A493.3010509@ecs.soton.ac.uk>
Message-ID: <2993.70.60.69.215.1184278470.squirrel@webmail.osubucks.org>

This is the last thing I see before it seems to stop running in debug mode:

[31439] dbg: check: subtests=__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__UNUSABLE_MSGID

It runs good to this point then just kind of dies. In debug mode it seems to be hanging there. It won't go beyond that.

Thanks

Chris

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Have you tried running it in debug mode with SA debug switched on too?
> MailScanner -debug -debug-sa
> and press Ctrl-S to pause the output when it appears to stop for a bit.
> That will tell you why it is taking so long. In case you don't know,
> Ctrl-Q will resume the normal output again.
>
> Chris Sweeney wrote:
>> I have the same problem, on Sunday I upgraded a MailScanner box running
>> RHEL 4 to the latest Spamassassin/ClamAV using the tar file from the site
>> and I went on that machine, (2GIG RAM, 3GHZ processor) from less than 4
>> seconds total processing time per message to now over 40 seconds per
>> message. 40 seconds is good right now, it doesn't seem to be anything to
>> do with MailScanner it seems to be hanging at the virus/spamassassin
>> scanning.
>>
>> Chris
>>
>>> I have five mail gateways. Here are a few things I've done that helped a
>>> lot.
>>>
>>> The item that made the biggest difference was changing 'Max Unscanned
>>> Messages Per Scan = 30' to 10, and changing 'Max Unsafe Messages Per Scan
>>> = 30' to 10 as well.
>>>
>>> I also increased my "Max Children" to 10, but I'm still working on
>>> tweaking that (only been running MailScanner in production for a week
>>> now).
>>>
>>> I had one machine that could not keep up with the volume of mail. I
>>> couldn't figure out why one machine was having trouble when the rest were
>>> doing fine. Soon I discovered that Spamassassin was causing a huge slow
>>> down on that one box. It was hanging for ever on checking if dns was
>>> available or not. I set 'dns_available no' in the spam.assassin.prefs.conf
>>> file and things sped waaayyy up. I changed it on my other relays and it
>>> made a significant difference on them as well, but not as much as the one
>>> relay that couldn't keep up with mail originally. I still haven't figured
>>> out why it so greatly affected that one machine.
>>>
>>> Hope that helps.
>>>
>>> Good luck.
>>>
>>> David Gottschalk
>>> Emory University Infrastructure Technology Services
>>> david.gottschalk@emory.edu
>>>
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Quentin Campbell
>>> Sent: Thursday, July 12, 2007 11:37 AM
>>> To: MailScanner discussion
>>> Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine
>>>
>>> I have a very slow mail gateway among the 4 that I have just upgraded.
>>>
>>> They all run MS 4.62.2-3, SA 3.2.1 and ClamAV 0.91 and should have
>>> identical configurations for MS and SA. MCP processing is done and it is
>>> the same on all 4.
>>>
>>> There were 211 batches of 30 messages each processed on the slow machine.
>>> Overall the average time to process each message is 15 seconds!
>>>
>>> The last two of these batches were processed by running MailScanner in
>>> debug mode. The average processing time for each message then dropped to
>>> between 2 and 3 seconds!
>>>
>>> I am trying to get a handle on why this machine is so slow. Any
>>> suggestions to help further my investigation are welcome.
>>>
>>> Quentin
>>> ---
>>> PHONE: +44 191 222 8209 Information Systems and Services (ISS),
>>> Newcastle University,
>>> Newcastle upon Tyne,
>>> FAX: +44 191 222 8765 United Kingdom, NE1 7RU.
>>> ------------------------------------------------------------------------
>>>
>>
>
> Jules
>
> - --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.6.2 (Build 2014)
> Charset: ISO-8859-1
>
> wj8DBQFGlqSTEfZZRxQVtlQRAkGKAJ9qt7bOdkTqei6fDpzYerNwrb65jACgrjtV
> gUx0qSvSvgmPOLgci1M75Z0=
> =n8c4
> -----END PGP SIGNATURE-----
>

--
Chris Sweeney
Cincinnati Phone
http://www.cincinnatiphone.com

Microsoft's new slogan: "Wait for us! We're the leaders!"
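An added example, not part of the original thread: a Python filter for the approach Julian Field suggests above, reporting where the debug output goes silent and for how long. The sample lines are constructed (the `subtests` line is shortened from the one quoted above), and the `2>&1` pipe in the comment assumes the debug output goes to stderr.

```python
import re
import sys
import time

# Debug lines look like "[pid] dbg: channel: message", as in the line quoted in the thread.
DBG = re.compile(r"^\[(\d+)\] dbg: ([\w-]+): ")

# Constructed sample: (arrival time in seconds, line). Only the subtests line
# comes from the thread, shortened; the other two are placeholders.
SAMPLE = [
    (0.0, "[31439] dbg: constructed: scan starts"),
    (0.5, "[31439] dbg: check: subtests=__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS"),
    (40.5, "[31439] dbg: constructed: output resumes"),
]

def stamp(stream, clock=time.monotonic):
    """Yield (arrival_time, line) as each line arrives on the stream."""
    for line in stream:
        yield clock(), line.rstrip("\n")

def find_stalls(stamped, threshold=5.0, end_time=None):
    """Return (gap_seconds, pid, channel, line) for every silence >= threshold,
    longest first. The line is the last one printed before the silence.
    end_time covers a hang where no further line ever arrives."""
    stalls, prev = [], None
    for t, line in stamped:
        if prev and t - prev[0] >= threshold:
            stalls.append((t - prev[0], prev[1]))
        prev = (t, line)
    if prev and end_time is not None and end_time - prev[0] >= threshold:
        stalls.append((end_time - prev[0], prev[1]))
    out = []
    for gap, line in sorted(stalls, key=lambda s: s[0], reverse=True):
        m = DBG.match(line)
        out.append((gap, m.group(1) if m else None, m.group(2) if m else None, line))
    return out

if __name__ == "__main__":
    # Assumed usage: MailScanner -debug -debug-sa 2>&1 | python3 find_stalls.py
    lines = list(stamp(sys.stdin))
    for gap, pid, channel, line in find_stalls(lines, end_time=time.monotonic()):
        print(f"{gap:7.1f}s of silence after [{pid}] {channel}: {line[:90]}")
```

The line reported is the last one printed before the silence, so the slow step is whatever runs after it. Output buffering in the pipe can shift arrival times slightly.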
From ssilva at sgvwater.com Thu Jul 12 23:37:22 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Jul 12 23:37:39 2007
Subject: Different signatures per domain
In-Reply-To: <4696A1C9.300@linuxforum.hu>
References: <4696737B.7040805@ecs.soton.ac.uk> <4696A1C9.300@linuxforum.hu>
Message-ID:

Kovács Csaba spake the following on 7/12/2007 2:48 PM:
> Some domains on my server do not need any signatures.
> Is it possible to attach different signatures for different domains ?
>
> Csaba

If Julian wrote it, I'm sure it probably supports rulesets.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From brent.addis at pronet.co.nz Thu Jul 12 23:33:17 2007
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Thu Jul 12 23:43:13 2007
Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine
References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> <2559.70.60.69.215.1184275300.squirrel@webmail.osubucks.org> <4696A493.3010509@ecs.soton.ac.uk> <2993.70.60.69.215.1184278470.squirrel@webmail.osubucks.org>
Message-ID: <7EF1F27F7292534D82933F70AB6996CC25CDC8@pro-ak-exch01.hosted.pronet.net.nz>

Couple of things to try:

Try removing the last rule and try debug again. There may be something not quite right with it.

It could also be a problem with the rule after the one showing, freezing on it before it loads and not showing you. If this is the case, try removing the whole ruleset (move it out of the directory) and try again.

Or, you could remove all your rules, and put them back in one by one, running debug each time, until it stops working.

Once you know what rule/ruleset is doing it, it should be easier to track down what the actual cause of the problem is.

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Chris Sweeney
Sent: Fri 13/07/2007 10:14 a.m.
To: MailScanner discussion
Subject: Re: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine

This is the last thing I see before it seems to stop running in debug mode:

[31439] dbg: check: subtests=__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__UNUSABLE_MSGID

It runs good to this point then just kind of dies. In debug mode it seems to be hanging there. It won't go beyond that.

Thanks

Chris

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Have you tried running it in debug mode with SA debug