From holger at gebhardweb.de Sun Jul 1 00:16:56 2007
From: holger at gebhardweb.de (Holger Gebhard)
Date: Sun Jul 1 00:17:06 2007
Subject: AW: Fake User-Agent on PDF -- WARNING!
In-Reply-To: <4686C87A.1060800@ecs.soton.ac.uk>
References: <46868B9E.2050409@ecs.soton.ac.uk> <46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk> <4686C87A.1060800@ecs.soton.ac.uk>
Message-ID: <007901c7bb6c$c0dcdaf0$429690d0$@de>

I wrote a very simple regex to catch the pdf-spams until other rules are
available (more than 15.000 pdf-spams today) ;-)

The regex is not very fast but still works:

full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
describe PDF_ONLY_SPAM PDF only Message, no text in message body
score PDF_ONLY_SPAM 1.0

This rule matches only messages with specific encodings, pdf attachments and
no text in message body. Works fine with no false positives until today.

Regards
Holger

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Saturday, 30 June 2007 23:18
To: MailScanner discussion
Subject: Re: Fake User-Agent on PDF -- WARNING!

Turns out this is not an illegal version number at all, it's perfectly valid.
So I strongly advise against using any rule based on this version number :-(

bother :(

Jules.

Julian Field wrote:
> * PGP Signed: 06/30/07 at 21:10:58
>
>
>
> Alex Broens wrote:
>> On 6/30/2007 6:58 PM, Julian Field wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>>
>>>
>>> Hugo van der Kooij wrote:
>>>> Hi,
>>>>
>>>> So far all SPAM PDF files that did not get killed on other issues
>>>> seem to use a fake User-Agent header: User-Agent: Thunderbird
>>>> 1.5.0.12 (Windows/20070509)
>>>>
>>>> According to
>>>> http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.12.html the
>>>> release date is impossible however.
>>>>
>>>> I have not written a SA rule (yet). I wrote a detectline in my
>>>> header checks of postfix:
>>>> /^User-Agent: Thunderbird 1.5.0.12 \(Windows/20070509\)/
>>>> REJECT This is a fake version of Thunderbird
>>> Here's a SA rule that will do the same thing:
>>> header JKF_FAKE_TBIRD User-Agent =~ /Thunderbird 1.5.0.12 \(Windows\/20070509\)/
>>> describe JKF_FAKE_TBIRD Fake version of Thunderbird
>>> score JKF_FAKE_TBIRD 1.5
>>>
>>
>> Jules,
>>
>> /Thunderbird 1\.5\.0\.12\(Windows\/20070509\)/
>>
>> forgot to escape periods?
> Yes, agreed. But it's not very important. A version of the rule that
> accepts 1-5-0-12 is fine too, that's certainly a fake Thunderbird
> version number! :-)
>
> Jules
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
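
An added example, not code from any poster in this thread: a small Python harness that runs the rules posted above over constructed sample messages before they are scored live, which makes Julian's warning concrete (a genuine Thunderbird 1.5.0.12 user trips the User-Agent rule) and shows what escaping the periods changes. The message builder, sample names and the FAKE_TBIRD_ESCAPED variant are assumptions for illustration; Perl's /is flags are written as re.I | re.S.

```python
import email
import re

BOUNDARY = "------------040506070809"  # constructed MIME boundary

# Rules from the thread. Perl's /is flags are written as re.I | re.S.
RULES = {
    # Julian's header rule exactly as posted (periods unescaped).
    "JKF_FAKE_TBIRD": ("header", re.compile(
        r"Thunderbird 1.5.0.12 \(Windows\/20070509\)")),
    # Hypothetical variant for comparison: same rule, periods escaped.
    "FAKE_TBIRD_ESCAPED": ("header", re.compile(
        r"Thunderbird 1\.5\.0\.12 \(Windows\/20070509\)")),
    # Holger's full-message rule as posted.
    "PDF_ONLY_SPAM": ("full", re.compile(
        r"encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;"
        r".{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;"
        r".{1,40}filename\=.{1,40}\.pdf", re.I | re.S)),
}


def build_message(user_agent, body_text, pdf_name=None):
    """Build a constructed multipart message with an optional inline PDF."""
    lines = [
        "User-Agent: " + user_agent,
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="%s"' % BOUNDARY,
        "",
        "This is a multi-part message in MIME format.",
        "--" + BOUNDARY,
        "Content-Type: text/plain; charset=ISO-8859-1; format=flowed",
        "Content-Transfer-Encoding: 7bit",
        "",
        body_text,
    ]
    if pdf_name:
        lines += [
            "--" + BOUNDARY,
            "Content-Type: application/pdf;",
            ' name="%s"' % pdf_name,
            "Content-Transfer-Encoding: base64",
            "Content-Disposition: inline;",
            ' filename="%s"' % pdf_name,
            "",
            "JVBERi0xLjQK",  # placeholder payload, not a real PDF
        ]
    lines.append("--" + BOUNDARY + "--")
    return "\n".join(lines) + "\n"


def rule_hits(raw):
    """Return the set of rule names that fire on one raw message."""
    # "header" rules see only the User-Agent value; "full" rules see it all.
    user_agent = email.message_from_string(raw).get("User-Agent", "")
    hits = set()
    for name, (kind, pattern) in RULES.items():
        target = user_agent if kind == "header" else raw
        if pattern.search(target):
            hits.add(name)
    return hits


TBIRD = "Thunderbird 1.5.0.12 (Windows/20070509)"

# Constructed samples: name -> (is_spam, raw message).
SAMPLES = {
    "spam_pdf_only": (True, build_message(TBIRD, "", "invoice.pdf")),
    "spam_dashed_version": (True, build_message(
        "Thunderbird 1-5-0-12 (Windows/20070509)", "", "offer.pdf")),
    # Julian's point: the version string is valid, so real users send it.
    "ham_real_thunderbird": (False, build_message(
        TBIRD, "Hi, the signed contract is attached.", "contract.pdf")),
    "ham_other_client": (False, build_message(
        "Mutt/1.5.13 (2006-08-11)", "See you on Monday.")),
}


def false_positives():
    """List (sample, rule) pairs where a rule fired on a ham sample."""
    return sorted((name, rule)
                  for name, (is_spam, raw) in SAMPLES.items() if not is_spam
                  for rule in rule_hits(raw))


def score_rules():
    """Return {rule: (spam_hits, ham_hits)} over the constructed samples."""
    totals = {name: [0, 0] for name in RULES}
    for is_spam, raw in SAMPLES.values():
        for rule in rule_hits(raw):
            totals[rule][0 if is_spam else 1] += 1
    return {rule: tuple(counts) for rule, counts in totals.items()}


if __name__ == "__main__":
    for rule, (spam_hits, ham_hits) in sorted(score_rules().items()):
        print("%-20s spam=%d ham=%d" % (rule, spam_hits, ham_hits))
    print("false positives:", false_positives())
```
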
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From hvdkooij at vanderkooij.org Sun Jul 1 04:08:16 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Jul 1 04:09:20 2007
Subject: Fake User-Agent on PDF -- WARNING!
In-Reply-To: <223f97700706301547x4466d99diad9fc8d648d8811@mail.gmail.com>
References: <46868B9E.2050409@ecs.soton.ac.uk> <46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk> <4686C87A.1060800@ecs.soton.ac.uk> <223f97700706301547x4466d99diad9fc8d648d8811@mail.gmail.com>
Message-ID:

On Sun, 1 Jul 2007, Glenn Steen wrote:

> On 01/07/07, Hugo van der Kooij wrote:
>> On Sat, 30 Jun 2007, Julian Field wrote:
>>
>> > Turns out this is not an illegal version number at all, it's perfectly
>> > valid.
>> > So I strongly advise against using any rule based on this version number
>> > :-(
>> >
>> > bother :(
>>
>> It just is an odd combination of a version with a timestamp 20070509 and a
>> release date online of 2007-05-30. It is a sure thing to put someone off
>> like that.
>>
>> Common guys. No messing with my birthday.
> You're quite an advanced admin/user for a newborn....:-D.
>
> Have you done any form of count on the occurrence of this suspect
> combo? You mentioned not having counted/checked them all IIRC.

The odd thing was that relatively few of the SPAM messages are left between
spam and high spam. Those get side tracked. These were all messages
containing PDF files and originating from all over the world. Including a
correctly signed gmail one but they all contained the same User-Agent.

I then checked the release notes for TB 1.5.0.12 and noticed it was only
released a month ago. But the date stamp in the header seems to indicate
the version is weeks older. Which to me sounded very much like foul play.

There is still foul play at hand or I would not get these SPAM messages to
non existing users. (That is, I did add adam@, anna@, .... to a trapdoor
account as it is abused a lot while there were never such accounts here.)

But it is more likely that some backdoor is using TB to do the dirty work.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From glenn.steen at gmail.com Sun Jul 1 04:30:23 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Jul 1 04:30:25 2007
Subject: Doubts about PF, what are the pros/cons about other MTAs?
In-Reply-To: <4686DCC5.9050208@syska.dk>
References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk>
Message-ID: <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com>

On 01/07/07, Mikael Syska wrote:
> Hey,
>
> Julian Field wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> >
> > Mikael Syska wrote:
> >
> >> [snip]
> >> I think I'm convinced now ... I'm going to use postfix, since no real
> >> arguments against it have been made.
> >>
> >> Thanks for the time guys.
> >>
> > I'm going to release a new stable version tomorrow which includes the
> > recent Postfix bugfix to do with its milter support.
> > If you can't wait till tomorrow, then it's already on the website,
> > you'll just have to guess the URL for 4.61.7-1 :-)
> >
> I can wait ... I wont begin on the server until tuesday ... So no
> problems there.
>
> Can't wait to get my hands dirty converting the old amavisd-new setup
> ... some other dude had setup it up, and its a real pain to figure out ...
>
> Btw, read on a page on the internet where a person said that MS did not
> use the resources very good cause its spawning a new process for every
> mail and afterwards closing it. amavisd-new also did that in the start
> but changed over to daemon style ... so its not spawning a new process
> every time ...
> Is there something about this, or did the guy just not like MS ?
> and if there are something about it ... will MS be changed to spawn
> daemons ?
> what are the pros/cons against it ?
>
Don't believe everything said on the net....:)
MS runs a master and several worker children, which all (incidentally)
work in a daemon-like fashion, and these children will take turns
popping messages from the queue ... They will take as many messages as
necessary to form a batch (1 -> ...many messages) and work on these in
a "group" way... So no "single process for every message" there:-).
The worker children might in turn spawn children to run specific
functions, like AV etc, but they will still work on the whole batch as
such.
Very efficient, very slick.
Of course, as with most things in MS, you can configure the amount of
workers to prespawn, as well as most any aspect of the process...
You'll see, once you start using it;)

What motive the person stating the "one process/mail" thing has, I
surely can't speculate about... But it isn't correct. That much is for
certain.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From hvdkooij at vanderkooij.org Sun Jul 1 04:55:39 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Jul 1 04:56:40 2007
Subject: Doubts about PF, what are the pros/cons about other MTAs?
In-Reply-To: <4686DCC5.9050208@syska.dk>
References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk>
Message-ID:

On Sun, 1 Jul 2007, Mikael Syska wrote:

> Can't wait to get my hands dirty converting the old amavisd-new setup ...
> some other dude had setup it up, and its a real pain to figure out ...

I find amavisd rather counter intuitive. Even with a reasonable knowledge
of perl at hand.

> Btw, read on a page on the internet where a person said that MS did not use
> the resources very good cause its spawning a new process for every mail and
> afterwards closing it. amavisd-new also did that in the start but changed
> over to daemon style ... so its not spawning a new process every time ...
> Is there something about this, or did the guy just not like MS ?
> and if there are something about it ... will MS be changed to spawn daemons ?
> what are the pros/cons against it

Amavis has even more issues with the spawning of tasks as each message is
handled separately and for each it will fire up the scanner manually.

Just for fun fire 5 messages with a 10 MB ZIP file and each ZIP file
containing like 10k files each on a Barracuda. Then do the same on a
MailScanner system. (Barracuda uses amavisd among other things.)

See which one lives happily ever after.

Hugo.

From MailScanner at ecs.soton.ac.uk Sun Jul 1 11:42:49 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 1 11:44:31 2007
Subject: MailScanner ANNOUNCE: stable 4.61 released
Message-ID: <46878529.5070707@ecs.soton.ac.uk>

I have just released a new version of MailScanner, stable version 4.61.7.

The main new things this month are:
- Direct support for clamd, for extra speed.
- Bug fixes in the attachments auto-zip feature introduced last month.
- Bug fixes in the support for Postfix milters.

Download as usual from www.mailscanner.info.

The full change log is:

* New Features and Improvements *
1 Direct support for the "clamd" virus scanner -- now talks directly to the
  clamd daemon without any overhead of calling clamd-wrapper or clamdscan.
  As a result, this should be faster than the previous clamd support. It
  also has a much smaller memory footprint than the "clamavmodule" scanner.
  This is all thanks to Rick Cooper who wrote the original code.
  New configuration options are
  - Clamd Port = 3310
  - Clamd Socket = /tmp/clamd
  - Clamd Lock File = /var/lock/subsys/clamd
  - Clamd Use Threads = no
  The use of these settings is explained in the MailScanner.conf file.
2 Changed session handling in direct clamd virus scanner support.
3 'MailScanner --lint' now finds clamd virus scanner.
3 Made clamd subsys lock file blank by default, so it works on non-Linux
  systems.
3 Added another example to the Allowed Sophos Error Messages setting for
  password-protected files.
4 Renamed "sa-update" command and cron job to "update_spamassassin".
4 Added ability to easily disable update_virus_scanners script.
4 Added conditional call to sa-compile to update_spamassassin cron job.
4 Added to $PATH in update_phishing_sites for Solaris 10 locations.
5 Watermarking functionality has had to be withdrawn due to patent issues.
  Sorry about this, but it would cause huge problems in the USA where
  software patents are legally enforceable and it would cause problems with
  including patented code in GPL software too.
6 Added facility to change SpamAssassin's temporary working files directory,
  using the new option 'SpamAssassin Temporary Dir'. By default this is put
  under the Incoming Work Dir location, as that is (hopefully) mounted using
  tmpfs. If an attempt to use this directory fails, it reverts to /tmp.
7 Fixed bug in finding PERL5LIB in installers. Thanks to Sean Coleman.

* Fixes *
2 Fixed bug in auto-zip feature with a message containing 2 attachments with
  the same filename.
2 Fixed bug in auto-zip feature that would allow zipping of an attachment
  which had been cleaned out of the message.
3 Fixed "identified/found" bug in AVG parser.
3 Fixed bugs in Panda and AVG parsers courtesy of Rick Cooper.
3 Fixed bug in Postfix handler which caused a problem with empty messages.
4 Fixed bug in SuSE init.d script stopping MailScanner reload working
  properly.
4 Changed method for getting MCP to decode binary attachments (the
  interesting ones have "application" in their MIME type). New patch for
  SpamAssassin 3.2.1 Util.pm required now. No other SpamAssassin patches
  required at all.
4 Added definition of "noticesizeinfected" to languages.conf.
4 Added speedup (courtesy of Glenn Steen) to the new Postfix milter support.
4 Fixed rare bug in Postfix milter header support (from Glenn Steen).
5 Fixed problems with /usr/sbin/update_spamassassin not calling sa-update.

Jules

From mikael at syska.dk Sun Jul 1 12:04:33 2007
From: mikael at syska.dk (Mikael Syska)
Date: Sun Jul 1 12:04:29 2007
Subject: Doubts about PF, what are the pros/cons about other MTAs?
In-Reply-To: <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com>
References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk> <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com>
Message-ID: <46878A41.9070100@syska.dk>

Glenn Steen wrote:
> On 01/07/07, Mikael Syska wrote:
>> Hey,
>>
>> Julian Field wrote:
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA1
>> >
>> >
>> >
>> > Mikael Syska wrote:
>> >
>> >> [snip]
>> >> I think I'm convinced now ... I'm going to use postfix, since no real
>> >> arguments against it have been made.
>> >>
>> >> Thanks for the time guys.
>> >>
>> > I'm going to release a new stable version tomorrow which includes the
>> > recent Postfix bugfix to do with its milter support.
>> > If you can't wait till tomorrow, then it's already on the website,
>> > you'll just have to guess the URL for 4.61.7-1 :-)
>> >
>> I can wait ... I wont begin on the server until tuesday ... So no
>> problems there.
>>
>> Can't wait to get my hands dirty converting the old amavisd-new setup
>> ... some other dude had setup it up, and its a real pain to figure
>> out ...
>>
>> Btw, read on a page on the internet where a person said that MS did not
>> use the resources very good cause its spawning a new process for every
>> mail and afterwards closing it. amavisd-new also did that in the start
>> but changed over to daemon style ... so its not spawning a new process
>> every time ...
>> Is there something about this, or did the guy just not like MS ?
>> and if there are something about it ... will MS be changed to spawn
>> daemons ?
>> what are the pros/cons against it ?
>>
> Don't believe everything said on the net....:)
> MS runs a master and several worker children, which all (incidentally)
> work in a daemon-like fashion, and these children will take turns
> popping messages from the queue ... They will take as many messages as
> necessary to form a batch (1 -> ...many messages) and work on these in
> a "group" way... So no "single process for every message" there:-).
> The worker children might in turn spawn children to run specific
> functions, like AV etc, but they will still work on the whole batch as
> such.
So whenever MS checks the mailqueue it takes all the mails in the queue,
and runs a batch against them ? and then again in x seconds with a new
batch, taking mail that havent been handled?
> Very efficient, very slick.
If the above is right, this seems like its using the resources better
than amavisd-new maybe, but these days Ram and harddrives are very
cheap, so if it just runs fast, i'm happy.
> Of course, as with most things in MS, you can configure the amount of
> workers to prespawn, as well as most any aspect of the process...
> You'll see, once you start using it;)
Think this cleared any doubts i had.
>
> What motive the person stating the "one process/mail" thing has, I
> surely can't speculate about... But it isn't correct. That much is for
> certain.
Can't say, lost the url... but if one process can handle multiple mails
in the same run, it sounds great.
>
> Cheers
// Mikael Syska

From glenn.steen at gmail.com Sun Jul 1 13:17:05 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Jul 1 13:17:08 2007
Subject: Doubts about PF, what are the pros/cons about other MTAs?
In-Reply-To: <46878A41.9070100@syska.dk>
References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk> <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com> <46878A41.9070100@syska.dk>
Message-ID: <223f97700707010517lf2aeac4tb81e2a7f282512a3@mail.gmail.com>

On 01/07/07, Mikael Syska wrote:
> Glenn Steen wrote:
> > On 01/07/07, Mikael Syska wrote:
> >> Hey,
> >>
> >> Julian Field wrote:
> >> > -----BEGIN PGP SIGNED MESSAGE-----
> >> > Hash: SHA1
> >> >
> >> >
> >> >
> >> > Mikael Syska wrote:
> >> >
> >> >> [snip]
> >> >> I think I'm convinced now ... I'm going to use postfix, since no real
> >> >> arguments against it have been made.
> >> >>
> >> >> Thanks for the time guys.
> >> >>
> >> > I'm going to release a new stable version tomorrow which includes the
> >> > recent Postfix bugfix to do with its milter support.
> >> > If you can't wait till tomorrow, then it's already on the website,
> >> > you'll just have to guess the URL for 4.61.7-1 :-)
> >> >
> >> I can wait ... I wont begin on the server until tuesday ... So no
> >> problems there.
> >>
> >> Can't wait to get my hands dirty converting the old amavisd-new setup
> >> ... some other dude had setup it up, and its a real pain to figure
> >> out ...
> >>
> >> Btw, read on a page on the internet where a person said that MS did not
> >> use the resources very good cause its spawning a new process for every
> >> mail and afterwards closing it. amavisd-new also did that in the start
> >> but changed over to daemon style ... so its not spawning a new process
> >> every time ...
> >> Is there something about this, or did the guy just not like MS ?
> >> and if there are something about it ... will MS be changed to spawn
> >> daemons ?
> >> what are the pros/cons against it ?
> >>
> > Don't believe everything said on the net....:)
> > MS runs a master and several worker children, which all (incidentally)
> > work in a daemon-like fashion, and these children will take turns
> > popping messages from the queue ... They will take as many messages as
> > necessary to form a batch (1 -> ...many messages) and work on these in
> > a "group" way... So no "single process for every message" there:-).
> > The worker children might in turn spawn children to run specific
> > functions, like AV etc, but they will still work on the whole batch as
> > such.
> So whenever MS checks the mailqueue it takes all the mails in the queue,
> and runs a batch against them ? and then again in x seconds with a new
> batch, taking mail that havent been handled?
It's clever enough to keep track of which items is handled by some
other worker, so ... Yes, it will only handle new items... It might
look a bit strange when you have "New batch: Found 28 messages in
queue" and then followed by running a batch with only one or two
messages, but this is because other workers are handling the other
queued messages.
The decoupling of the scanning process from the SMTP transaction(s) and
the batch strategy are some of the design decisions Jules made that
really make things fly with MS.

> > Very efficient, very slick.
> If the above is right, this seems like its using the resources better
> than amavisd-new maybe, but these days Ram and harddrives are very
> cheap, so if it just runs fast, i'm happy.
Resource efficiency is one of the high points of MS... The activity of
spam/av-scanning is resource hungry, by definition, so ... be happy
that MailScanner is so cleverly come together;-).

> > Of course, as with most things in MS, you can configure the amount of
> > workers to prespawn, as well as most any aspect of the process...
> > You'll see, once you start using it;)
> Think this cleared any doubts i had.
Good.
When you set this up, there is a lot of good stuff in the MailScanner
wiki... Specifics for MS+PF... and very much generally good advice in
the MAQ (although since the faq-o-matic (old MAQ) has died again, some
of the links in the new MAQ is plain dead). So have a long hard look
at http://wiki.mailscanner.info, especially the
documentation:configuration:mta:postfix subpages (look at the index to
find them).

> >
> > What motive the person stating the "one process/mail" thing has, I
> > surely can't speculate about... But it isn't correct. That much is for
> > certain.
> Can't say, lost the url... but if one process can handle multiple mails
> in the same run, it sounds great.
Yep. It *is* great;-)
With MS, you can build the best darned email scanning system you can
imagine, and in some cases.... you couldn't even imagine how good
it'd be:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Sun Jul 1 13:17:44 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 1 13:20:44 2007
Subject: Doubts about PF, what are the pros/cons about other MTAs?
In-Reply-To: <46878A41.9070100@syska.dk>
References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk> <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com> <46878A41.9070100@syska.dk>
Message-ID: <46879B68.2000108@ecs.soton.ac.uk>

Mikael Syska wrote:
> Glenn Steen wrote:
>> On 01/07/07, Mikael Syska wrote:
>>> Hey,
>>>
>>> Julian Field wrote:
>>> > -----BEGIN PGP SIGNED MESSAGE-----
>>> > Hash: SHA1
>>> >
>>> >
>>> >
>>> > Mikael Syska wrote:
>>> >
>>> >> [snip]
>>> >> I think I'm convinced now ... I'm going to use postfix, since no
>>> real
>>> >> arguments against it have been made.
>>> >>
>>> >> Thanks for the time guys.
>>> >>
>>> > I'm going to release a new stable version tomorrow which includes the
>>> > recent Postfix bugfix to do with its milter support.
>>> > If you can't wait till tomorrow, then it's already on the website,
>>> > you'll just have to guess the URL for 4.61.7-1 :-)
>>> >
>>> I can wait ... I wont begin on the server until tuesday ... So no
>>> problems there.
>>>
>>> Can't wait to get my hands dirty converting the old amavisd-new setup
>>> ... some other dude had setup it up, and its a real pain to figure
>>> out ...
>>>
>>> Btw, read on a page on the internet where a person said that MS did not
>>> use the resources very good cause its spawning a new process for every
>>> mail and afterwards closing it. amavisd-new also did that in the start
>>> but changed over to daemon style ... so its not spawning a new process
>>> every time ...
>>> Is there something about this, or did the guy just not like MS ?
>>> and if there are something about it ... will MS be changed to spawn
>>> daemons ?
>>> what are the pros/cons against it ?
>>>
>> Don't believe everything said on the net....:)
>> MS runs a master and several worker children, which all (incidentally)
>> work in a daemon-like fashion, and these children will take turns
>> popping messages from the queue ... They will take as many messages as
>> necessary to form a batch (1 -> ...many messages) and work on these in
>> a "group" way... So no "single process for every message" there:-).
>> The worker children might in turn spawn children to run specific
>> functions, like AV etc, but they will still work on the whole batch as
>> such.
> So whenever MS checks the mailqueue it takes all the mails in the
> queue, and runs a batch against them ? and then again in x seconds with
> a new batch, taking mail that havent been handled?
It only waits at all if there were no messages available. So any mail in
the queue is processed immediately. But otherwise you've just about got
it, yes. On a busy system, it will just go round without waiting at all
as there will (pretty much) always be mail in the queue.

And there are multiple processes doing the same thing. They are started
with a delay between each one in the hope that there will always be 1
process very close to checking for new messages, despite what the others
are doing.

The net result is that the processes are always at different stages of
handling a batch, so that all the resources available are being used all
the time. Some bits are very processor-intensive, some network-intensive
and some memory-intensive. Everything gets used all the time as different
processes are at different stages of processing each batch.

This can result in high "load average" figures on a busy server, and this
is perfectly normal and to be expected. A high "load average" doesn't
mean it's being over-worked. Load averages of 10 to 15 are just fine. If
you don't agree with that statement, read up on what the load average
figure actually means, it's not just CPU.
>
>> Very efficient, very slick.
> If the above is right, this seems like its using the resources better
> than amavisd-new maybe, but these days Ram and harddrives are very
> cheap, so if it just runs fast, i'm happy.
I would recommend normally 1GB ram per CPU.
>> Of course, as with most things in MS, you can configure the amount of
>> workers to prespawn, as well as most any aspect of the process...
>> You'll see, once you start using it;)
> Think this cleared any doubts i had.
Good.
>>
>> What motive the person stating the "one process/mail" thing has, I
>> surely can't speculate about... But it isn't correct. That much is for
>> certain.
> Can't say, lost the url... but if one process can handle multiple
> mails in the same run, it sounds great.
The idea of the batches is that there is a certain cost overhead in
handling each batch, regardless of the number of messages in the batch.
Starting up the virus scanner is a very good example, as it takes time to
load the signatures, which makes scanning 2 files take only slightly
longer than scanning 1 file.

The net result is that MailScanner's efficiency _improves_ as the load
increases, as that makes the batches bigger.

Jules

From MailScanner at ecs.soton.ac.uk Sun Jul 1 13:48:23 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jul 1 13:51:00 2007 Subject: Doubts about PF, what are the pros/cons about other MTAs? In-Reply-To: <223f97700707010517lf2aeac4tb81e2a7f282512a3@mail.gmail.com> References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk> <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com> <46878A41.9070100@syska.dk> <223f97700707010517lf2aeac4tb81e2a7f282512a3@mail.gmail.com> Message-ID: <4687A297.1090509@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn, you make me blush :-) Glenn Steen wrote: > On 01/07/07, Mikael Syska wrote: >> Glenn Steen wrote: >> > On 01/07/07, Mikael Syska wrote: >> >> Hey, >> >> >> >> Julian Field wrote: >> >> > -----BEGIN PGP SIGNED MESSAGE----- >> >> > Hash: SHA1 >> >> > >> >> > >> >> > >> >> > Mikael Syska wrote: >> >> > >> >> >> [snip] >> >> >> I think I'm convinced now ... I'm going to use postfix, since >> no real >> >> >> arguments againts it have been made. >> >> >> >> >> >> Thanks for the time guys. >> >> >> >> >> > I'm going to release a new stable version tomorrow which >> includes the >> >> > recent Postfix bugfix to do with its milter support. >> >> > If you can't wait till tomorrow, then it's already on the website, >> >> > you'll just have to guess the URL for 4.61.7-1 :-) >> >> > >> >> I can wait ... I wont begin on the server until tuesday ... So no >> >> problems there. >> >> >> >> Can't wait to get my hands dirty converting the old amavisd-new setup >> >> ... some other dude had setup it up, and its a real pain to figure >> >> out ... >> >> >> >> Btw, read on a page on the internet where a person said that MS >> did not >> >> use the resources very good cause its spawning a new process for >> every >> >> mail and afterwards closing it. amavisd-new also did that in the >> start >> >> but changed over to daemon style ... 
so its not spawning a new proces >> >> every time ... >> >> Is there something about this, or did the guy just not like MS ? >> >> and if there are something about it ... will MS be changed to spawn >> >> daemons ? >> >> what are the pros/cons agints it ? >> >> >> > Don't belieeve everything said on the net....:) >> > MS runs a master and several worker children, which all (incidentally) >> > work in a daemon-like fashion, and these children will take turns >> > popping messages from the queue ... They will take as many messages as >> > necessary to form a batch (1 -> ...many messages) and work on these in >> > a "group" way... So no "single process for every message" there:-). >> > The worker children might in turn spawn children to run specific >> > functions, like AV etc, but they will still work on the whole batch as >> > such. >> So whenever MS checks the mailqueue it takes all the mails in the queue, >> and runs a batch agains them ? and then again in x seconds with a new >> batch, taking mail that havent been handled? > It's clever enough to keep track of which items is handled by some > other worker, so ... Yes, it will only handle new items... It might > look a bit strange when you have "New batch: Found 28 messages in > queue" and then followed by running a batch with only one or two > messages, but this is because other workers are handling the other > queued messages. > The decoupling of the scanning process fromthe SMTP transaction(s) and > the batch strategy are some of the design decisions Jules made that > really make things fly with MS. > >> > Very efficient, very slick. >> If the above is right, this seems like its using the resources better >> than amavisd-new maybe, but theese days Ram and harddrives are very >> cheap, so if it just runs fast, i'm happy. > Resource efficiency is one of the high points of MS... The activity of > spam/av-scanning is resource hungry, by definition, so ... be happy > that MailScanner is so cleverly come together;-). 
>
>> > Of course, as with most things in MS, you can configure the amount of
>> > workers to prespawn, as well as most any aspect of the process...
>> > You'll see, once you start using it;)
>> Think this cleared any doubts I had.
> Good.
> When you set this up, there is a lot of good stuff in the MailScanner
> wiki... Specifics for MS+PF... and very much generally good advice in
> the MAQ (although since the faq-o-matic (old MAQ) has died again, some
> of the links in the new MAQ are plain dead). So have a long hard look
> at http://wiki.mailscanner.info, especially the
> documentation:configuration:mta:postfix subpages (look at the index to
> find them).
>
>> >
>> > What motive the person stating the "one process/mail" thing has, I
>> > surely can't speculate about... But it isn't correct. That much is for
>> > certain.
>> Can't say, lost the url... but if one process can handle multiple mails
>> in the same run, it sounds great.
> Yep. It *is* great;-)
> With MS, you can build the best darned email scanning system you can
> imagine, and in some cases.... you couldn't even imagine how good
> it'd be:-)
>
> Cheers

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGh6KYEfZZRxQVtlQRAssnAKC6QRE1GO1R5CRQpGvd8974pYJnOwCfRjgo
TcjdMjoYE4ifIwNog13xHwE=
=+cbW
-----END PGP SIGNATURE-----

From darren at serversphere.com Sun Jul 1 18:12:55 2007
From: darren at serversphere.com (Darren Benfer)
Date: Sun Jul 1 18:13:00 2007
Subject: Long Child Startup Times
In-Reply-To: <33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net>
References: <1182844619.26893.2.camel@gblades-suse.linguaphone-intranet.co.uk> <4681C794.7000207@rheelweb.co.nz> <33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net>
Message-ID: <4687E097.7070506@serversphere.com>

Lately it seems like MS children take forever to start up for some reason, and my server load climbs to 4-5 while they are doing so. Anyone else experiencing (or experienced) this? Anything I should check into for a fix? Worked well for about a year, but latest update for MS started this trend.

TIA!
Darren @ Serversphere.com

From nerijusb at dtiltas.lt Sun Jul 1 18:58:55 2007
From: nerijusb at dtiltas.lt (Nerijus Baliunas)
Date: Sun Jul 1 19:00:07 2007
Subject: Long Child Startup Times
In-Reply-To: <4687E097.7070506@serversphere.com>
References: <1182844619.26893.2.camel@gblades-suse.linguaphone-intranet.co.uk> <4681C794.7000207@rheelweb.co.nz><33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net> <4687E097.7070506@serversphere.com>
Message-ID: <20070701180003.2F871FF06@mx-a.vdnet.lt>

On Sun, 01 Jul 2007 13:12:55 -0400 Darren Benfer wrote:
> Lately it seems like MS children take forever to start up for
> some reason, and my server load climbs to 4-5 while they are doing so.
> Anyone else experiencing (or experienced) this? Anything I should check
> into for a fix? Worked well for about a year, but latest update for MS
> started this trend.

Please provide more info - MailScanner versions before and now, what virus scanners are used, MTA (sendmail? postfix?) etc.

Regards,
Nerijus

From MailScanner at ecs.soton.ac.uk Sun Jul 1 19:11:54 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 1 19:14:54 2007
Subject: Long Child Startup Times
In-Reply-To: <4687E097.7070506@serversphere.com>
References: <1182844619.26893.2.camel@gblades-suse.linguaphone-intranet.co.uk> <4681C794.7000207@rheelweb.co.nz> <33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net> <4687E097.7070506@serversphere.com>
Message-ID: <4687EE6A.5050603@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'll put a tenner on the fact that you are running the latest version of ClamAV and are using the clamavmodule scanner. It's ClamAV's fault in that case. The current version takes *forever* to load the signatures. Fortunately it only has to do this once in each child.

You can fix it by either
1) Download and run the latest release candidate of ClamAV which apparently has fixed it. This is the most common solution I have seen.
2) Wait for the new version of ClamAV and not worry about it for now. It only affects the startup time of each child, not the actual processing speed of ClamAV. This is what I have done.
3) Switch to clamd but make sure you are running something to keep an eye on the clamd daemon in case it crashes (I cannot guarantee clamd's stability).

Jules.

Darren Benfer wrote:
> Lately it seems like MS children take forever to start up for
> some reason, and my server load climbs to 4-5 while they are doing so.
> Anyone else experiencing (or experienced) this? Anything I should
> check into for a fix? Worked well for about a year, but latest update
> for MS started this trend.
>
> TIA!
> Darren @ Serversphere.com

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGh+5rEfZZRxQVtlQRAtZpAJ99I6EWKthmGH6yqNFd5J2AVPoubQCglcKA
YaHuW+6cN/wa9DLZH6A1Ty8=
=Jovf
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Sun Jul 1 19:14:25 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Jul 1 19:15:26 2007
Subject: Long Child Startup Times
In-Reply-To: <20070701180003.2F871FF06@mx-a.vdnet.lt>
References: <1182844619.26893.2.camel@gblades-suse.linguaphone-intranet.co.uk> <4681C794.7000207@rheelweb.co.nz><33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net> <4687E097.7070506@serversphere.com> <20070701180003.2F871FF06@mx-a.vdnet.lt>
Message-ID:

On Sun, 1 Jul 2007, Nerijus Baliunas wrote:
> On Sun, 01 Jul 2007 13:12:55 -0400 Darren Benfer wrote:
>
>> Lately it seems like MS children take forever to start up for
>> some reason, and my server load climbs to 4-5 while they are doing so.
>> Anyone else experiencing (or experienced) this? Anything I should check
>> into for a fix? Worked well for about a year, but latest update for MS
>> started this trend.
>
> Please provide more info - MailScanner versions before and now, what virus
> scanners are used, MTA (sendmail? postfix?) etc.

Also run something like top to see which process is in fact consuming resources.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From mkercher at nfsmith.com Sun Jul 1 20:36:54 2007
From: mkercher at nfsmith.com (Mike Kercher) Date: Sun Jul 1 20:37:03 2007 Subject: MailScanner ANNOUNCE: stable 4.61 released In-Reply-To: <46878529.5070707@ecs.soton.ac.uk> References: <46878529.5070707@ecs.soton.ac.uk> Message-ID: <441247027D4F274EB760A5F6E1ED9C7E7DA3@houpex02.nfsmith.info> Is clamd supposed to be faster than the clamavmodule? Mike -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Sunday, July 01, 2007 5:43 AM To: MailScanner discussion; MailScanner-Announce mailing list list Subject: MailScanner ANNOUNCE: stable 4.61 released -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have just released a new version of MailScanner, stable version 4.61.7. The main new things this month are: - - Direct support for clamd, for extra speed. - - Bug fixes in the attachments auto-zip feature introduced last month. - - Bug fixes in the support for Postfix milters. Download as usual from www.mailscanner.info. The full change log is: * New Features and Improvements * 1 Direct support for the "clamd" virus scanner -- now talks directly to the clamd daemon without any overhead of calling clamd-wrapper or clamdscan. As a result, this should be faster than the previous clamd support. It also has a much smaller memory footprint than the "clamavmodule" scanner. This is all thanks to Rick Cooper who wrote the original code. New configuration options are - Clamd Port = 3310 - Clamd Socket = /tmp/clamd - Clamd Lock File = /var/lock/subsys/clamd - Clamd Use Threads = no The use of these settings is explained in the MailScanner.conf file. 2 Changed session handling in direct clamd virus scanner support. 3 'MailScanner --lint' now finds clamd virus scanner. 3 Made clamd subsys lock file blank by default, so it works on non-Linux systems. 3 Added another example to the Allowed Sophos Error Messages setting for password-protected files. 4 Renamed "sa-update" command and cron job to "update_spamassassin". 4 Added ability to easily disable update_virus_scanners script. 4 Added conditional call to sa-compile to update_spamassassin cron job. 4 Added to $PATH in update_phishing_sites for Solaris 10 locations. 5 Watermarking functionality has had to be withdrawn due to patent issues. 
Sorry about this, but it would cause huge problems in the USA where software patents are legally enforceable and it would cause problems with including patented code in GPL software too. 6 Added facility to change SpamAssassin's temporary working files directory, using the new option 'SpamAssassin Temporary Dir'. By default this is put under the Incoming Work Dir location, as that is (hopefully) mounted using tmpfs. If an attempt to use this directory fails, it reverts to /tmp. 7 Fixed bug in finding PERL5LIB in installers. Thanks to Sean Coleman. * Fixes * 2 Fixed bug in auto-zip feature with a message containing 2 attachments with the same filename. 2 Fixed bug in auto-zip feature that would allow zipping of an attachment which had been cleaned out of the message. 3 Fixed "identified/found" bug in AVG parser. 3 Fixed bugs in Panda and AVG parsers courtesy of Rick Cooper. 3 Fixed bug in Postfix handler which caused a problem with empty messages. 4 Fixed bug in SuSE init.d script stopping MailScanner reload working properly. 4 Changed method for getting MCP to decode binary attachments (the interesting ones have "application" in their MIME type). New patch for SpamAssassin 3.2.1 Util.pm required now. No other SpamAssassin patches required at all. 4 Added definition of "noticesizeinfected" to languages.conf. 4 Added speedup (courtesy of Glenn Steen) to the new Postfix milter support. 4 Fixed rare bug in Postfix milter header support (from Glenn Steen). 5 Fixed problems with /usr/sbin/update_spamassassin not calling sa-update. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGh4UzEfZZRxQVtlQRAhseAKDZb7K3zuDXjs8Cj51hUxnkFgFKigCeN7rI iDHrxy7/khtdYYhuYd2LiOc= =3VyR -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Sun Jul 1 21:08:46 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jul 1 21:11:26 2007 Subject: MailScanner ANNOUNCE: stable 4.61 released In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E7DA3@houpex02.nfsmith.info> References: <46878529.5070707@ecs.soton.ac.uk> <441247027D4F274EB760A5F6E1ED9C7E7DA3@houpex02.nfsmith.info> Message-ID: <468809CE.20808@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 It shouldn't be any different in speed. Not appreciably different, anyhow. It's there as some people don't like having to depend on a 3rd party module, Mail::ClamAV, as that had to be modified recently for the new version of ClamAV. Personally, I'm going to stick with clamavmodule as then I don't have to depend upon a daemon not crashing. Mike Kercher wrote: > Is clamd supposed to be faster than the clamavmodule? > > Mike > > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: Sunday, July 01, 2007 5:43 AM > To: MailScanner discussion; MailScanner-Announce mailing list list > Subject: MailScanner ANNOUNCE: stable 4.61 released > > > * PGP Bad Signature, Signed by an unverified key: 07/01/07 at 11:42:59 > > I have just released a new version of MailScanner, stable version > 4.61.7. > > The main new things this month are: > - Direct support for clamd, for extra speed. > - Bug fixes in the attachments auto-zip feature introduced last month. > - Bug fixes in the support for Postfix milters. > > Download as usual from www.mailscanner.info. > > The full change log is: > > * New Features and Improvements * > 1 Direct support for the "clamd" virus scanner -- now talks directly to > the > clamd daemon without any overhead of calling clamd-wrapper or > clamdscan. > As a result, this should be faster than the previous clamd support. > It also has a much smaller memory footprint than the "clamavmodule" > scanner. > This is all thanks to Rick Cooper who wrote the original code. > New configuration options are > - Clamd Port = 3310 > - Clamd Socket = /tmp/clamd > - Clamd Lock File = /var/lock/subsys/clamd > - Clamd Use Threads = no > The use of these settings is explained in the MailScanner.conf file. > 2 Changed session handling in direct clamd virus scanner support. > 3 'MailScanner --lint' now finds clamd virus scanner. > 3 Made clamd subsys lock file blank by default, so it works on non-Linux > systems. > 3 Added another example to the Allowed Sophos Error Messages setting for > password-protected files. > 4 Renamed "sa-update" command and cron job to "update_spamassassin". > 4 Added ability to easily disable update_virus_scanners script. > 4 Added conditional call to sa-compile to update_spamassassin cron job. > 4 Added to $PATH in update_phishing_sites for Solaris 10 locations. 
> 5 Watermarking functionality has had to be withdrawn due to patent > issues. > Sorry about this, but it would cause huge problems in the USA where > software patents are legally enforceable and it would cause problems > with > including patented code in GPL software too. > 6 Added facility to change SpamAssassin's temporary working files > directory, > using the new option 'SpamAssassin Temporary Dir'. By default this is > put > under the Incoming Work Dir location, as that is (hopefully) mounted > using > tmpfs. If an attempt to use this directory fails, it reverts to /tmp. > 7 Fixed bug in finding PERL5LIB in installers. Thanks to Sean Coleman. > > * Fixes * > 2 Fixed bug in auto-zip feature with a message containing 2 attachments > with > the same filename. > 2 Fixed bug in auto-zip feature that would allow zipping of an > attachment > which had been cleaned out of the message. > 3 Fixed "identified/found" bug in AVG parser. > 3 Fixed bugs in Panda and AVG parsers courtesy of Rick Cooper. > 3 Fixed bug in Postfix handler which caused a problem with empty > messages. > 4 Fixed bug in SuSE init.d script stopping MailScanner reload working > properly. > 4 Changed method for getting MCP to decode binary attachments (the > interesting > ones have "application" in their MIME type). New patch for > SpamAssassin 3.2.1 > Util.pm required now. No other SpamAssassin patches required at all. > 4 Added definition of "noticesizeinfected" to languages.conf. > 4 Added speedup (courtesy of Glenn Steen) to the new Postfix milter > support. > 4 Fixed rare bug in Postfix milter header support (from Glenn Steen). > 5 Fixed problems with /usr/sbin/update_spamassassin not calling > sa-update. > > Jules > > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all > your IT requirements visit www.transtec.co.uk > > > * Julian Field > * 0x1415B654 - Unverified(L) > > > -- > This message has been scanned for viruses and dangerous content by > MailScanner, and is believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGiAnPEfZZRxQVtlQRAo1NAKCGvcFWgpmORURzz+mBSfivqkV8IwCgrJQd D5qIkWXPWLwkLKjntF2t/XA= =9HA9 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From jan-peter at koopmann.eu Sun Jul 1 21:58:45 2007 
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Sun Jul 1 21:58:12 2007 Subject: Freebsd 6 and mailscanner port In-Reply-To: References: <20070629195448.GA52188@micron.lacnic.net.uy> <7A5B4051-E836-487A-8E5A-F42DD77820F9@csolve.net> <20070629235020.GA69756@micron.lacnic.net.uy><46864AB5.80005@syska.dk> Message-ID: > 1. The port patched some files to get freebsd-specific paths. Correct. Mainly in -wrapper scripts and the demo/default-configs > 2. I think "make initial-config" overwrote some of those files > with unpatched files from the distribution. All initial-config does is copying the .sample so you get a running config. The patched files should be left alone. > Or maybe I was just tired. I think/hope so. :-) From glenn.steen at gmail.com Sun Jul 1 22:01:31 2007 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Jul 1 22:01:32 2007
Subject: Long Child Startup Times
In-Reply-To:
References: <1182844619.26893.2.camel@gblades-suse.linguaphone-intranet.co.uk> <4681C794.7000207@rheelweb.co.nz> <33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net> <4687E097.7070506@serversphere.com> <20070701180003.2F871FF06@mx-a.vdnet.lt>
Message-ID: <223f97700707011401xa552eb0ge2bf0caba6aa763f@mail.gmail.com>

On 01/07/07, Hugo van der Kooij wrote:
> On Sun, 1 Jul 2007, Nerijus Baliunas wrote:
>
> > On Sun, 01 Jul 2007 13:12:55 -0400 Darren Benfer wrote:
> >
> >> Lately it seems like MS children take forever to start up for
> >> some reason, and my server load climbs to 4-5 while they are doing so.
> >> Anyone else experiencing (or experienced) this? Anything I should check
> >> into for a fix? Worked well for about a year, but latest update for MS
> >> started this trend.
> >
> > Please provide more info - MailScanner versions before and now, what virus
> > scanners are used, MTA (sendmail? postfix?) etc.
>
> Also run something like top to see which process is in fact consuming
> resources.
>
> Hugo.

I'm with Jules on this one, clamav 0.90.something and clamavmodule will have exactly this effect. Then again, asking for more info to be able to give better help is never wrong either....:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sun Jul 1 22:05:00 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Jul 1 22:05:02 2007 Subject: Doubts about PF, what are the pros/cons about other MTAs? In-Reply-To: <4687A297.1090509@ecs.soton.ac.uk> References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk> <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com> <46878A41.9070100@syska.dk> <223f97700707010517lf2aeac4tb81e2a7f282512a3@mail.gmail.com> <4687A297.1090509@ecs.soton.ac.uk> Message-ID: <223f97700707011405md1ac4dg373b969756f926d6@mail.gmail.com> On 01/07/07, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Glenn, you make me blush :-) > Why? I'm just stating the obvious... That this piece of software is ingeniously come together, and that I'm a happy customer... Praise where praise is due, is all.;-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From seamus at rheelweb.co.nz Sun Jul 1 22:29:15 2007 
From: seamus at rheelweb.co.nz (Seamus Allan)
Date: Sun Jul 1 22:29:23 2007
Subject: Postfix Address Verification
In-Reply-To: <39526.194.70.180.170.1183109209.squirrel@www.technologytiger.net>
References: <1182844619.26893.2.camel@gblades-suse.linguaphone-intranet.co.uk> <4681C794.7000207@rheelweb.co.nz> <33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net> <4682E8CF.7010602@rheelweb.co.nz> <59838.194.70.180.170.1183020415.squirrel@www.technologytiger.net> <4684832B.90709@rheelweb.co.nz> <39526.194.70.180.170.1183109209.squirrel@www.technologytiger.net>
Message-ID: <46881CAB.2090504@rheelweb.co.nz>

Drew Marshall wrote:
> This looks like a DNS problem. Are you running a caching DNS server on
> this box? Postfix is rejecting with a temporary failure (450) as it is
> having what it thinks could be a short term problem. I assume you have set
> the next hop in the transport map file, have you done this using a name
> record or IP address? i.e. in the file does it say:
>
> validdomain relay:internal.host
>
> or
>
> validdomain relay:[192.168.1.225]
>
> Just to make sure this isn't Postfix logging a slight red herring, can you
> also let me know what you have under:
>
> smtpd_client_restrictions
> smtpd_sender_restrictions
>
> in main.cf
>
> The other thing to check is the logs of the internal machine (Exchange?),
> just in case there is anything obvious there.
>
> Drew
>
>
>

Hi,

I am not running a caching DNS server on this box, all DNS queries are passed to our internal DNS server, however this shouldn't be an issue, as you noted because the next hop is dictated by an entry in the transport map, using IP based hosts. This is what I find so confusing, surely Postfix uses this transport map or even the relay_domain map to decide whether a domain is valid or not?
I did spend the other day looking at the internal mail hub, and there is nothing out of the ordinary in there which would indicate a problem (such as SMTP restrictions because of connection rate or something).

In my main.cf, I don't have entries for smtpd_client_restrictions or smtpd_sender_restrictions (whether this is bad or not?), and my smtpd_recipient_restrictions is as follows:

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unverified_recipient

It all seems rather tricky, as there is nothing obvious as to why this is happening.

Cheers for the help
Seamus

*Seamus Allan*
Network Engineer
Rheel Electronics Ltd

From res at ausics.net Sun Jul 1 23:41:24 2007
From: res at ausics.net (Res) Date: Sun Jul 1 23:41:38 2007 Subject: Doubts about PF, what are the pros/cons about other MTAs? In-Reply-To: <46878A41.9070100@syska.dk> References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk> <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com> <46878A41.9070100@syska.dk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message On Sun, 1 Jul 2007, Mikael Syska wrote: > If the above is right, this seems like its using the resources better than > amavisd-new maybe, but theese days Ram and harddrives are very cheap, so if > it just runs fast, i'm happy. I've used many methods, amavisd(-new), sophos, mimedefang, qmailscanner and commercial apps, nothing comes close to MailScanners reliability and performance (although I've only used sendmail and qmail, any postmix server I take over gets quickly replaced by either sendmail or qmail so I've never seen the MS/PF issues) -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGiC2UsWhAmSIQh7MRApzoAJ47tJ3PhV1/DwS8YBLqqzrdKKkjMgCePAba VaLA7cu7ytdenFSx6tfAdvs= =Vn8A -----END PGP SIGNATURE----- From carock at epconline.com Mon Jul 2 03:20:32 2007 From: carock at epconline.com (Chuck Rock) Date: Mon Jul 2 03:20:44 2007 Subject: Wierd question In-Reply-To: <468809CE.20808@ecs.soton.ac.uk> Message-ID: <0d1601c7bc4f$91584d30$8c007f0a@epctech.com> I have a weird question, but if it's something that can be answered with MS, then I'd be very grateful. I have FreeBSD, MailScanner, ClamAV and Sendmail scanning incoming mail. I need to take messages to a specific domain and only allow them from a certain IP, another mail server. If they come from any other IP then they get rejected or deleted. Is this possible with a MailScanner ruleset? Thanks, Chuck From matt at coders.co.uk Mon Jul 2 07:16:28 2007 
From: matt at coders.co.uk (Matt Hampton) Date: Mon Jul 2 07:12:25 2007 Subject: Wierd question In-Reply-To: <53hHLrICIeIQYLbrfC2Bow!1183343240.55954@0d1601c7bc4f$91584d30$8c007f0a@epctech.com> References: <53hHLrICIeIQYLbrfC2Bow!1183343240.55954@0d1601c7bc4f$91584d30$8c007f0a@epctech.com> Message-ID: <4688983C.2050507@coders.co.uk> Chuck Rock wrote: > I have a weird question, but if it's something that can be answered with MS, > then I'd be very grateful. > > I have FreeBSD, MailScanner, ClamAV and Sendmail scanning incoming mail. > > I need to take messages to a specific domain and only allow them from a > certain IP, another mail server. If they come from any other IP then they > get rejected or deleted. Why not do it in sendmail http://thread.gmane.org/gmane.linux.centos.general/27221/focus=27323 From ram at netcore.co.in Mon Jul 2 07:46:05 2007 
From: ram at netcore.co.in (ram)
Date: Mon Jul 2 07:46:22 2007
Subject: MailScanner with postfix SPF checks problem
Message-ID: <1183358765.6034.18.camel@localhost.localdomain>

I am using postfix 2.3 with MailScanner 4.59 and spamassassin 3.1.5
In postfix I have added X-envelope-sender to the headers

The mail when scanned thru MailScanner does not seem to get the header.
But when I see the mail in the quarantine the header is very much there
When I take the same mail from quarantine and run spamassassin -D < $file I can see the SPF checks happening fine.

Unfortunately this doesn't seem to happen every time. A lot of the time SPF checks do go on fine.

Have I misconfigured something ?

The relevant lines are here ( from MailScanner in debug mode )
------------------

23773] dbg: dns: checking RBL zen.spamhaus.org., set zen
[23773] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted
[23773] dbg: check: running tests for priority: 0
[23773] dbg: rules: running header regexp tests; score so far=0
[23773] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<"
[23773] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1183358182.09113@spamassassin_spamd_init>
[23773] dbg: rules: "
[23773] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@spamassassin_spamd_init>"
[23773] dbg: rules: ran header rule NO_REAL_NAME ======> got hit: "ignore@compiling.spamassassin.taint.org
[23773] dbg: rules: "
[23773] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1183358182"
[23773] dbg: spf: no suitable relay for spf use found, skipping SPF-helo check
[23773] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org
[23773] dbg: eval: all '*To' addrs:
[23773] dbg: spf: no suitable relay for spf use found, skipping SPF check
[23773] dbg: rules: ran eval rule NO_RELAYS ======> got hit
[23773] dbg: spf: cannot get Envelope-From, cannot use SPF
[23773] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
[23773] dbg:
rules: ran eval rule __UNUSABLE_MSGID ======> got hit
[23773] dbg: spf: spf_whitelist_from: could not find useable envelope sender
[23773] dbg: rules: running body-text per-line regexp tests; score so far=0.96
[23773] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I"
[23773] dbg: uri: running uri tests; score so far=0.96
[23773] dbg: rules: running raw-body-text per-line regexp tests; score so far=0.96
[23773] dbg: rules: running full-text regexp tests; score so far=0.96
[23773] dbg: info: entering helper-app run mode
Jul 02 12:06:25.298183 check[23773]: [ 2] [bootup] Logging initiated LogDebugLevel=3 to stdout
Jul 02 12:06:26.372740 check[23773]: [ 3] mail 1 is not known spam.
[23773] dbg: info: leaving helper-app run mode
[23773] dbg: razor2: part=0 engine=4 contested=0 confidence=0
[23773] dbg: razor2: results: spam? 0
[23773] dbg: razor2: results: engine 8, highest cf score: 0
[23773] dbg: razor2: results: engine 4, highest cf score: 0
[23773] dbg: pyzor: use_pyzor option not enabled, disabling Pyzor

From glenn.steen at gmail.com Mon Jul 2 07:55:21 2007
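An added example (not part of ram's post, nor MailScanner or SpamAssassin code): a small Python triage of `spamassassin -D` output that groups the `spf` lines by PID, names why SPF was skipped, and flags traces that belong to SpamAssassin's start-up dummy message. The From address and Message-ID in the trace above (ignore@compiling.spamassassin.taint.org, @spamassassin_spamd_init) are the ones SpamAssassin puts on the message it scans when compiling its rules, so those SPF lines say nothing about real mail. The function names, cause labels and the PID 24001 trace are constructed for illustration.

```python
import re

# Debug lines taken from the post above (wrapped lines re-joined), followed by
# a constructed trace for PID 24001 standing in for a real message.
SAMPLE_DEBUG = r"""
[23773] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1183358182.09113@spamassassin_spamd_init>
[23773] dbg: rules: "
[23773] dbg: spf: no suitable relay for spf use found, skipping SPF-helo check
[23773] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org
[23773] dbg: eval: all '*To' addrs:
[23773] dbg: spf: no suitable relay for spf use found, skipping SPF check
[23773] dbg: rules: ran eval rule NO_RELAYS ======> got hit
[23773] dbg: spf: cannot get Envelope-From, cannot use SPF
[23773] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
[23773] dbg: spf: spf_whitelist_from: could not find useable envelope sender
[24001] dbg: eval: all '*From' addrs: alice@example.org
[24001] dbg: spf: cannot get Envelope-From, cannot use SPF
"""

# "[pid] dbg: channel: message"; the leading "[" is optional because the first
# line pasted in the post lost it.
LINE_RE = re.compile(r"^\[?(\d+)\] dbg: ([\w-]+): ?(.*)$")

# Strings that identify the dummy message SpamAssassin scans at start-up.
DUMMY_MARKERS = (
    "ignore@compiling.spamassassin.taint.org",
    "@spamassassin_spamd_init",
)

# Substring of an spf debug line -> label for the cause (labels are made up here).
SPF_SKIP_CAUSES = (
    # no relay found in the Received headers that SPF could be tested against
    ("no suitable relay for spf use found", "no_relay"),
    # no envelope sender header visible to SpamAssassin
    ("cannot get Envelope-From", "no_envelope_from"),
    ("could not find useable envelope sender", "no_envelope_from"),
)


def parse_debug(text):
    """Yield (pid, channel, message) for every debug line that parses."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.group(1), match.group(2), match.group(3)


def triage(text):
    """Return {pid: {"from": [...], "spf_skips": [...], "startup_dummy": bool}}."""
    report = {}
    for pid, channel, message in parse_debug(text):
        entry = report.setdefault(
            pid, {"from": [], "spf_skips": [], "startup_dummy": False}
        )
        if any(marker in message for marker in DUMMY_MARKERS):
            entry["startup_dummy"] = True
        if channel == "eval" and message.startswith("all '*From' addrs:"):
            entry["from"].extend(message.split(":", 1)[1].split())
        elif channel == "spf":
            for needle, cause in SPF_SKIP_CAUSES:
                if needle in message and cause not in entry["spf_skips"]:
                    entry["spf_skips"].append(cause)
    return report


def verdict(entry):
    """One-line conclusion for a single PID's trace."""
    if entry["startup_dummy"]:
        return "ignore: SpamAssassin start-up dummy message, not real mail"
    if entry["spf_skips"]:
        return "investigate: SPF skipped (" + ", ".join(entry["spf_skips"]) + ")"
    return "ok: no SPF skip logged"


if __name__ == "__main__":
    for pid, entry in sorted(triage(SAMPLE_DEBUG).items()):
        print(pid, entry["from"], verdict(entry))
```
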
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jul 2 07:55:22 2007 Subject: Wierd question In-Reply-To: <4688983C.2050507@coders.co.uk> References: <4688983C.2050507@coders.co.uk> Message-ID: <223f97700707012355n650bc7dbx22e5cabec83dcaca@mail.gmail.com> True Matt, best done as early as possible. . . But it is possible to do with a rule set or so, and some imagination, in MS too:) On 02/07/07, Matt Hampton wrote: > Chuck Rock wrote: > > I have a weird question, but if it's something that can be answered with > MS, > > then I'd be very grateful. > > > > I have FreeBSD, MailScanner, ClamAV and Sendmail scanning incoming mail. > > > > I need to take messages to a specific domain and only allow them from a > > certain IP, another mail server. If they come from any other IP then they > > get rejected or deleted. > > Why not do it in sendmail > > http://thread.gmane.org/gmane.linux.centos.general/27221/focus=27323 > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Mon Jul 2 08:05:27 2007 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Jul 2 08:05:28 2007
Subject: MailScanner with postfix SPF checks problem
In-Reply-To: <1183358765.6034.18.camel@localhost.localdomain>
References: <1183358765.6034.18.camel@localhost.localdomain>
Message-ID: <223f97700707020005x6aa096en51f72f3e2d024a80@mail.gmail.com>

First error is about a problem with received lines. . . You don't do anything bad to them in a header check, do you? (Sorry for top post, am using my mobile phone to tap this in:)

On 02/07/07, ram wrote:
> I am using postfix 2.3 with MailScanner 4.59 and spamassassin 3.1.5
> In postfix I have added X-envelope-sender to the headers
>
> The mail when scanned thru MailScanner does not seem to get the header.
> But when I see the mail in the quarantine the header is very much there
> When I take the same mail from quarantine and run spamassassin -D <
> $file I can see the SPF checks happening fine.
>
> Unfortunately this doesn't seem to happen every time. A lot of the time SPF
> checks do go on fine.
>
>
> Have I misconfigured something ?
> > > > The relevant line are here ( from MailScanner in debug mode ) > ------------------ > > 23773] dbg: dns: checking RBL zen.spamhaus.org., set zen > [23773] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted > [23773] dbg: check: running tests for priority: 0 > [23773] dbg: rules: running header regexp tests; score so far=0 > [23773] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" > [23773] dbg: rules: ran header rule __SANE_MSGID ======> got hit: > "<1183358182.09113@spamassassin_spamd_init> > [23773] dbg: rules: " > [23773] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: > "@spamassassin_spamd_init>" > [23773] dbg: rules: ran header rule NO_REAL_NAME ======> got hit: > "ignore@compiling.spamassassin.taint.org > [23773] dbg: rules: " > [23773] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: > "1183358182" > [23773] dbg: spf: no suitable relay for spf use found, skipping SPF-helo > check > [23773] dbg: eval: all '*From' addrs: > ignore@compiling.spamassassin.taint.org > [23773] dbg: eval: all '*To' addrs: > [23773] dbg: spf: no suitable relay for spf use found, skipping SPF > check > [23773] dbg: rules: ran eval rule NO_RELAYS ======> got hit > [23773] dbg: spf: cannot get Envelope-From, cannot use SPF > [23773] dbg: spf: def_spf_whitelist_from: could not find useable > envelope sender > [23773] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit > [23773] dbg: spf: spf_whitelist_from: could not find useable envelope > sender > [23773] dbg: rules: running body-text per-line regexp tests; score so > far=0.96 > [23773] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" > [23773] dbg: uri: running uri tests; score so far=0.96 > [23773] dbg: rules: running raw-body-text per-line regexp tests; score > so far=0.96 > [23773] dbg: rules: running full-text regexp tests; score so far=0.96 > [23773] dbg: info: entering helper-app run mode > Jul 02 12:06:25.298183 check[23773]: [ 2] [bootup] Logging 
initiated > LogDebugLevel=3 to stdout > Jul 02 12:06:26.372740 check[23773]: [ 3] mail 1 is not known spam. > [23773] dbg: info: leaving helper-app run mode > [23773] dbg: razor2: part=0 engine=4 contested=0 confidence=0 > [23773] dbg: razor2: results: spam? 0 > [23773] dbg: razor2: results: engine 8, highest cf score: 0 > [23773] dbg: razor2: results: engine 4, highest cf score: 0 > [23773] dbg: pyzor: use_pyzor option not enabled, disabling Pyzor > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ram at netcore.co.in Mon Jul 2 08:40:41 2007 From: ram at netcore.co.in (ram) Date: Mon Jul 2 08:40:55 2007 Subject: MailScanner with postfix SPF checks problem In-Reply-To: <223f97700707020005x6aa096en51f72f3e2d024a80@mail.gmail.com> References: <1183358765.6034.18.camel@localhost.localdomain> <223f97700707020005x6aa096en51f72f3e2d024a80@mail.gmail.com> Message-ID: <1183362041.6034.32.camel@localhost.localdomain> On Mon, 2007-07-02 at 07:05 +0000, Glenn Steen wrote: > First error is about a problem with received lines. . . You don't do > anything bad to them in a header check, do you? (Sorry for top post, > am using my mobile phone to tap this in:) I am not doing anything more than in postfix smtpd_data_restrictions: check_sender_access regexp:/etc/postfix/add_x_envelope_from ------/etc/postfix/add_x_envelope_from ---------- /^<>$/ PREPEND X-Envelope-From: <> /^(.*)$/ PREPEND X-Envelope-From: <$1> ---------------------- Thanks Ram From ram at netcore.co.in Mon Jul 2 09:17:18 2007 
From: ram at netcore.co.in (ram) Date: Mon Jul 2 09:17:25 2007 Subject: MailScanner ANNOUNCE: stable 4.61 released In-Reply-To: <46878529.5070707@ecs.soton.ac.uk> References: <46878529.5070707@ecs.soton.ac.uk> Message-ID: <1183364239.6034.45.camel@localhost.localdomain> On Sun, 2007-07-01 at 11:42 +0100, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I have just released a new version of MailScanner, stable version 4.61.7. > > The main new things this month are: > - - Direct support for clamd, for extra speed. > - - Bug fixes in the attachments auto-zip feature introduced last month. > - - Bug fixes in the support for Postfix milters. > > Download as usual from www.mailscanner.info. This was from a thread sometime ago http://lists.mailscanner.info/pipermail/mailscanner/2007-February/070414.html Can I use whitelist from IP's to look at ips beyond a relay address. If the MX is pointed to a relay server, and the relay server forwards the mail to the MailScanner server , then MailScanner always sees the same IP in the from. But If I want to whitelist an IP address that relayed to the MX server , Can I do this ? Thanks Ram From Q.G.Campbell at newcastle.ac.uk Mon Jul 2 09:43:38 2007 
From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell)
Date: Mon Jul 2 09:44:05 2007
Subject: 4.61.7 'make' failures
Message-ID: <4165CF7A7F12DE4B96622CCBB90586470AA7F72E@largo.campus.ncl.ac.uk>

I have 4 'make' failures caused by RPM build errors when doing an 'install.sh' on a RH/AS4 system.

The four RPMs are:

Test-Simple-0.70-1
Math-BigRat-0.19-1
bignum-0.21-1
Math-BigInt-1.86-1

It appears that the last three failures are a consequence of the inability to install the Test-Simple-0.70-1 RPM. Whether I do it via MailScanner or CPAN I get the same errors:

Failed Test  Stat Wstat Total Fail  Failed  List of Failed
-------------------------------------------------------------------------------
t/sort_bug.t    0    11     2    4 200.00%  1-2
3 tests and 10 subtests skipped.
Failed 1/66 test scripts, 98.48% okay. 2/492 subtests failed, 99.59% okay.
make: *** [test_dynamic] Error 255
/usr/bin/make test -- NOT OK
Running make install
make test had returned bad status, won't install without force

I can force the install but want to understand the significance of the 'test_dynamic' Error 255 failure before deciding whether to do that. A Google search shows this error in other applications but does not provide any hints about why this problem occurs or how to fix it.

Has anyone else experienced this problem?

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           Newcastle University,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------
From m.anderlini at database.it Mon Jul 2 10:51:38 2007
From: m.anderlini at database.it (Marcello Anderlini) Date: Mon Jul 2 10:51:50 2007 Subject: R: Fake User-Agent on PDF In-Reply-To: <4686B8D1.7090005@ecs.soton.ac.uk> References: <46868B9E.2050409@ecs.soton.ac.uk><46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk> Message-ID: <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> Sorry guys, but cause my poor English I'm not sure I've understood if there is a good rules to block pdf spam. If there is, could someone publish one working ? Thanks to all for you kindly help. bye -----Messaggio originale----- Da: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] Per conto di Julian Field Inviato: sabato 30 giugno 2007 22.11 A: MailScanner discussion Oggetto: Re: Fake User-Agent on PDF -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Broens wrote: > On 6/30/2007 6:58 PM, Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> Hugo van der Kooij wrote: >>> Hi, >>> >>> So far all SPAM PDF files that did not get killed on other issues >>> seem to use a fake User-Agent header: User-Agent: Thunderbird >>> 1.5.0.12 (Windows/20070509) >>> >>> According to >>> http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.12.html the >>> release date is impossible however. >>> >>> I have not written a SA rule (yet). I wrote a detectline in my >>> header checks of postfix: >>> /^User-Agent: Thunderbird 1.5.0.12 \(Windows/20070509\)/ >>> REJECT This is a fake version of Thunderbird >> Here's a SA rule that will do the same thing: >> header JKF_FAKE_TBIRD User-Agent =~ /Thunderbird 1.5.0.12 >> \(Windows\/20070509\)/ describe JKF_FAKE_TBIRD Fake version of >> Thunderbird score JKF_FAKE_TBIRD 1.5 >> > > Jules, > > /Thunderbird 1\.5\.0\.12\(Windows\/20070509\)/ > > forgot to escape periods? Yes, agreed. But it's not very important. A version of the rule that accepts 1-5-0-12 is fine too, that's certainly a fake Thunderbird version number! 
:-) Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGhrjSEfZZRxQVtlQRAu2EAJ4igl0/TOETgNqILIWWqerSAay5SACfZR/P EWRfPaZ8ae4+/Ev/3Iyy6Qs= =ckQ6 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- Messaggio verificato dal servizio antivirus di Database Informatica -- Messaggio verificato dal servizio antivirus di Database Informatica From MailScanner at ecs.soton.ac.uk Mon Jul 2 10:59:31 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 2 11:02:47 2007 Subject: R: Fake User-Agent on PDF In-Reply-To: <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> References: <46868B9E.2050409@ecs.soton.ac.uk><46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk> <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> Message-ID: <4688CC83.4060403@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This one was published yesterday, which the author claims to work okay: full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is describe PDF_ONLY_SPAM PDF only Message, no text in message body score PDF_ONLY_SPAM 2.0 Marcello Anderlini wrote: > Sorry guys, but cause my poor English I'm not sure I've understood if there > is a good rules to block pdf spam. > If there is, could someone publish one working ? > > Thanks to all for you kindly help. > > bye > > -----Messaggio originale----- > Da: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] Per conto di Julian > Field > Inviato: sabato 30 giugno 2007 22.11 > A: MailScanner discussion > Oggetto: Re: Fake User-Agent on PDF > > > * PGP Bad Signature, Signed by an unverified key: 06/30/07 at 21:10:58 > > > > Alex Broens wrote: > >> On 6/30/2007 6:58 PM, Julian Field wrote: >> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> >>> >>> Hugo van der Kooij wrote: >>> >>>> Hi, >>>> >>>> So far all SPAM PDF files that did not get killed on other issues >>>> seem to use a fake User-Agent header: User-Agent: Thunderbird >>>> 1.5.0.12 (Windows/20070509) >>>> >>>> According to >>>> http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.12.html the >>>> release date is impossible however. >>>> >>>> I have not written a SA rule (yet). 
I wrote a detectline in my >>>> header checks of postfix: >>>> /^User-Agent: Thunderbird 1.5.0.12 \(Windows/20070509\)/ >>>> REJECT This is a fake version of Thunderbird >>>> >>> Here's a SA rule that will do the same thing: >>> header JKF_FAKE_TBIRD User-Agent =~ /Thunderbird 1.5.0.12 >>> \(Windows\/20070509\)/ describe JKF_FAKE_TBIRD Fake version of >>> Thunderbird score JKF_FAKE_TBIRD 1.5 >>> >>> >> Jules, >> >> /Thunderbird 1\.5\.0\.12\(Windows\/20070509\)/ >> >> forgot to escape periods? >> > Yes, agreed. But it's not very important. A version of the rule that > accepts 1-5-0-12 is fine too, that's certainly a fake Thunderbird > version number! :-) > > Jules > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGiMyEEfZZRxQVtlQRAhIBAKC5wMPePUUKn6a84bFqfkfCflthvwCeORVq nX4ZfLalyxh7/YoIwS0eLKM= =YumB -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From hvdkooij at vanderkooij.org Mon Jul 2 11:40:15 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Jul 2 11:41:35 2007
Subject: MailScanner ANNOUNCE: stable 4.61 released
In-Reply-To: <1183364239.6034.45.camel@localhost.localdomain>
References: <46878529.5070707@ecs.soton.ac.uk> <1183364239.6034.45.camel@localhost.localdomain>
Message-ID:

On Mon, 2 Jul 2007, ram wrote:

> On Sun, 2007-07-01 at 11:42 +0100, Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I have just released a new version of MailScanner, stable version 4.61.7.
>>
>> The main new things this month are:
>> - - Direct support for clamd, for extra speed.
>> - - Bug fixes in the attachments auto-zip feature introduced last month.
>> - - Bug fixes in the support for Postfix milters.
>>
>> Download as usual from www.mailscanner.info.
>
> This was from a thread sometime ago
> http://lists.mailscanner.info/pipermail/mailscanner/2007-February/070414.html
>
> Can I use whitelist from IP's to look at ips beyond a relay address.

You are hijacking an announcement to start a new thread. If you start a new thread then do so with a fresh message.

But MS checks all Received: headers. That is why some readers here used to barf on my local network address (192.0.2.0/24) in the top Received: header. They will not do so anymore as my local postfix server now eats Received: headers from local clients so they will not leak out any more.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)
From jan-peter at koopmann.eu Mon Jul 2 11:45:25 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Mon Jul 2 11:44:49 2007 Subject: MailScanner ANNOUNCE: stable 4.61 released In-Reply-To: References: Message-ID: Hi Jules, > 4 Renamed "sa-update" command and cron job to "update_spamassassin". I am probably missing something, but in bin/cron you distribute update_spamassassin.cron which introduces an updatedelay. It then calls /opt/MailScanner/bin/update_spamassassin which in itself also contains an UPDATEDELAY. So the cron-delay-mechanism is called twice? Why? Regards, JP From MailScanner at ecs.soton.ac.uk Mon Jul 2 12:13:33 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 2 12:16:44 2007 Subject: MailScanner ANNOUNCE: stable 4.61 released In-Reply-To: References: Message-ID: <4688DDDD.3060809@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Koopmann, Jan-Peter wrote: > Hi Jules, > > >> 4 Renamed "sa-update" command and cron job to "update_spamassassin". >> > > I am probably missing something, but in bin/cron you distribute > update_spamassassin.cron which introduces an updatedelay. It then calls > /opt/MailScanner/bin/update_spamassassin which in itself also contains > an UPDATEDELAY. So the cron-delay-mechanism is called twice? Why? > Sorry, there shouldn't be 2 delays. I have now removed the delay from /usr/sbin/update_spamassassin and have released a 4.61.7-2 with it removed. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGiN3eEfZZRxQVtlQRAn8+AKD5LUHmQJ5g2N1dN81fTCvJhsG8zQCgpBBT pM0yaLdhhdlQioJYPOog85E= =Y2V0 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From Q.G.Campbell at newcastle.ac.uk Mon Jul 2 12:17:37 2007 From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell) Date: Mon Jul 2 12:18:40 2007 Subject: 4.61.7 'make' failures - In-Reply-To: <4165CF7A7F12DE4B96622CCBB90586470AA7F72E@largo.campus.ncl.ac.uk> References: <4165CF7A7F12DE4B96622CCBB90586470AA7F72E@largo.campus.ncl.ac.uk> Message-ID: <4165CF7A7F12DE4B96622CCBB90586470AA7F7B4@largo.campus.ncl.ac.uk> >-----Original Message----- 
>From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >bounces@lists.mailscanner.info] On Behalf Of Quentin Campbell >Sent: 02 July 2007 09:44 >To: MailScanner discussion >Subject: 4.61.7 'make' failures > >I have 4 'make' failures caused by RPM build errors when doing an >'install.sh' on a RH/AS4 system. > >The four RPMs are: > >Test-Simple-0.70-1 >Math-BigRat-0.19-1 >bignum-0.21-1 >Math-BigInt-1.86-1 > >It appears that the last three failures are a consequence of the >inability to install the Test-Simple-0.70-1 RPM. Whether I do it via >MailScanner or CPAN I get the same errors: > >Failed Test Stat Wstat Total Fail Failed List of Failed >----------------------------------------------------------------------- - >------- >t/sort_bug.t 0 11 2 4 200.00% 1-2 >3 tests and 10 subtests skipped. >Failed 1/66 test scripts, 98.48% okay. 2/492 subtests failed, 99.59% >okay. >make: *** [test_dynamic] Error 255 > /usr/bin/make test -- NOT OK >Running make install > make test had returned bad status, won't install without force > >I can force the install but want to understand the significance of the >'test_dynamic' Error 255 failure before deciding whether to do that. A >Google search shows this error in other applications but does not >provide any hints about why this problem occurs or how to fix it. > >Has anyone else experienced this problem? >[snip] After some more research it appears that I can safely 'force' the installation of Test-Simple-0.70-1. The failing test in sort_bug.t is for whether 'eq_set' works correctly or not. It appears that the use of 'eq_set' is in any case deprecated so this failure can be safely ignored. The relevant URLs can be found by doing a Google search on 'eq_set perl' Quentin From jgg at giversen.net Mon Jul 2 12:19:49 2007 
From: jgg at giversen.net (sysadm)
Date: Mon Jul 2 12:19:50 2007
Subject: OT: problems installing perl-Test-Simple modul
Message-ID: <4688DF55.4090804@giversen.net>

Dear all

When I try to rebuild the perl-Test-Simple rpm module I get the following errors. It seems that it's the sort_bug test that is the problem. What am I missing here?

OS: CentOS 4.5

t/skipall.................ok
t/sort_bug................dubious
Test returned status 0 (wstat 11, 0xb)
DIED. FAILED tests 1-2
Failed 2/2 tests, 0.00% okay
t/tbt_01basic.............ok
t/tbt_02fhrestore.........ok
t/tbt_03die...............ok
t/tbt_04line_num..........ok
t/tbt_05faildiag..........ok
t/tbt_06errormess.........ok
t/tbt_07args..............ok
t/thread_taint............ok
t/threads.................ok
t/todo....................ok
t/undef...................ok
t/use_ok..................ok
t/useing..................ok
Failed Test  Stat Wstat Total Fail  List of Failed
-------------------------------------------------------------------------------
t/sort_bug.t    0    11     2    4  1-2
2 tests and 10 subtests skipped.
Failed 1/66 test scripts. 2/504 subtests failed.
Files=66, Tests=504, 5 wallclock secs ( 4.50 cusr + 0.64 csys = 5.14 CPU)
Failed 1/66 test programs. 2/504 subtests failed.
make: *** [test_dynamic] Error 255
fejl: Fejl-afslutningsstatus fra /var/tmp/rpm-tmp.17688 (%build)

Regards
Jørgen Giversen
From cobalt-users1 at fishnet.co.uk Mon Jul 2 12:24:14 2007
From: cobalt-users1 at fishnet.co.uk (Ian)
Date: Mon Jul 2 12:24:37 2007
Subject: R: Fake User-Agent on PDF
In-Reply-To: <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it>
References: , <4686B8D1.7090005@ecs.soton.ac.uk>, <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it>
Message-ID: <4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk>

On 2 Jul 2007 at 11:51, Marcello Anderlini wrote:

> Sorry guys, but cause my poor English I'm not sure I've understood if there
> is a good rules to block pdf spam.
> If there is, could someone publish one working ?

Hi,

One of the SARE ninjas has created a plugin called PDFInfo. This was posted on the spamassassin list last week:

Until it's publicly released, you can request it with a simple email to us, see http://www.rulesemporium.com/plugins.htm#pdfinfo

Works well here.

Regards

Ian
--
From m.anderlini at database.it Mon Jul 2 13:11:28 2007
From: m.anderlini at database.it (Marcello Anderlini)
Date: Mon Jul 2 13:11:39 2007
Subject: R: R: Fake User-Agent on PDF
In-Reply-To: <4688CC83.4060403@ecs.soton.ac.uk>
References: <46868B9E.2050409@ecs.soton.ac.uk><46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk><002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> <4688CC83.4060403@ecs.soton.ac.uk>
Message-ID: <002b01c7bca2$1e87f960$3f01a8c0@dbdomain.database.it>

Thanks for your answer. I put these lines in spam.assassin.prefs.conf but I get this error. Where's my error?

PS (mailscanner.cf is a link to /etc/MailScanner/spam.assassin.prefs.conf)

=================================
[28788] warn: config: SpamAssassin failed to parse line, no value provided for "full", skipping: full PDF_ONLY_SPAM
[28788] warn: config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}nam e\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/ is
[28788] warn: config: warning: description exists for non-existent rule PDF_ONLY_SPAM
[28788] warn: config: warning: score set for non-existent rule PDF_ONLY_SPAM
[28788] warn: lint: 4 issues detected, please rerun with debug enabled for more information
=================================

-----Messaggio originale-----
Da: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] Per conto di Julian Field
Inviato: lunedì
2 luglio 2007 12.00 A: MailScanner discussion Oggetto: Re: R: Fake User-Agent on PDF -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This one was published yesterday, which the author claims to work okay: full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}nam e\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/ is describe PDF_ONLY_SPAM PDF only Message, no text in message body score PDF_ONLY_SPAM 2.0 Marcello Anderlini wrote: > Sorry guys, but cause my poor English I'm not sure I've understood if there > is a good rules to block pdf spam. > If there is, could someone publish one working ? > > Thanks to all for you kindly help. > > bye > > -----Messaggio originale----- > Da: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] Per conto di Julian > Field > Inviato: sabato 30 giugno 2007 22.11 > A: MailScanner discussion > Oggetto: Re: Fake User-Agent on PDF > > > * PGP Bad Signature, Signed by an unverified key: 06/30/07 at 21:10:58 > > > > Alex Broens wrote: > >> On 6/30/2007 6:58 PM, Julian Field wrote: >> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> >>> >>> Hugo van der Kooij wrote: >>> >>>> Hi, >>>> >>>> So far all SPAM PDF files that did not get killed on other issues >>>> seem to use a fake User-Agent header: User-Agent: Thunderbird >>>> 1.5.0.12 (Windows/20070509) >>>> >>>> According to >>>> http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.12.html the >>>> release date is impossible however. >>>> >>>> I have not written a SA rule (yet). 
I wrote a detectline in my >>>> header checks of postfix: >>>> /^User-Agent: Thunderbird 1.5.0.12 \(Windows/20070509\)/ >>>> REJECT This is a fake version of Thunderbird >>>> >>> Here's a SA rule that will do the same thing: >>> header JKF_FAKE_TBIRD User-Agent =~ /Thunderbird 1.5.0.12 >>> \(Windows\/20070509\)/ describe JKF_FAKE_TBIRD Fake version of >>> Thunderbird score JKF_FAKE_TBIRD 1.5 >>> >>> >> Jules, >> >> /Thunderbird 1\.5\.0\.12\(Windows\/20070509\)/ >> >> forgot to escape periods? >> > Yes, agreed. But it's not very important. A version of the rule that > accepts 1-5-0-12 is fine too, that's certainly a fake Thunderbird > version number! :-) > > Jules > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGiMyEEfZZRxQVtlQRAhIBAKC5wMPePUUKn6a84bFqfkfCflthvwCeORVq nX4ZfLalyxh7/YoIwS0eLKM= =YumB -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- Messaggio verificato dal servizio antivirus di Database Informatica -- Messaggio verificato dal servizio antivirus di Database Informatica From mwilson at cobasys.com Mon Jul 2 13:22:25 2007 
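
Added example, not part of any list message and not SpamAssassin's own code: the lint warnings quoted above show `full PDF_ONLY_SPAM` being read as a line of its own, which is what a line-oriented rule file yields once a mail client has hard-wrapped the regex. The sketch uses a simplified checker and Python's `re` as a stand-in for Perl (both assumptions; the function names and the two sample messages are constructed) to show the wrapped rule failing, the re-joined rule parsing, and what the rule does and does not match.

```python
import re

# The rule as a mail client delivered it: one logical rule spread over four
# physical lines (break points taken from the quoted copies in the thread:
# after the rule name, inside "name", and before the "is" flags).
WRAPPED = r"""full PDF_ONLY_SPAM
/encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}nam
e\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/
is
describe PDF_ONLY_SPAM PDF only Message, no text in message body
score PDF_ONLY_SPAM 2.0
""".splitlines()

KEYWORDS = ("full", "describe", "score")
RULE_RE = re.compile(r"^full\s+(\w+)\s+/(.+)/([a-z]*)$")
META_RE = re.compile(r"^(describe|score)\s+(\w+)\s+\S.*$")

def lint(lines):
    """Simplified line-oriented check: return (line_number, problem) pairs."""
    problems, defined, referenced = [], set(), []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule, meta = RULE_RE.match(line), META_RE.match(line)
        if rule:
            defined.add(rule.group(1))
        elif meta:
            referenced.append((n, meta.group(1), meta.group(2)))
        else:
            problems.append((n, "failed to parse line"))
    for n, kind, name in referenced:
        if name not in defined:
            problems.append((n, f"{kind} set for non-existent rule {name}"))
    return problems

def unwrap(lines):
    """Re-join physical lines that do not start with a known keyword."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if out and line.split()[0] not in KEYWORDS:
            # A break before the regex lost a space; a hard wrap inside the
            # regex must be joined with nothing added.
            sep = "" if "/" in out[-1] else " "
            out[-1] += sep + line
        else:
            out.append(line)
    return out

def compile_rule(line):
    """Compile a one-line 'full' rule with Python's re (stand-in for Perl)."""
    name, pattern, flags = RULE_RE.match(line).groups()
    bits = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
    return name, re.compile(pattern, bits)

# Constructed sample messages (not taken from the thread). A 'full' rule is
# matched against headers and body together, so both are included.
B = "------------010203040506070809000102"
PDF_ONLY = (
    "From: sender@example.test\n"
    "Subject: report\n"
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/mixed;\n"
    f' boundary="{B}"\n'
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
    f"--{B}\n"
    "Content-Type: application/pdf;\n"
    ' name="report.pdf"\n'
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: inline;\n"
    ' filename="report.pdf"\n'
    "\n"
    "JVBERi0xLjQK\n"
    f"--{B}--\n"
)
# Same attachment, but preceded by a text part with actual content.
WITH_TEXT = PDF_ONLY.replace(
    "Content-Transfer-Encoding: 7bit\n\n",
    f"\n--{B}\n"
    "Content-Type: text/plain\n"
    "Content-Transfer-Encoding: 7bit\n\n"
    "Please find the report attached.\n",
)

if __name__ == "__main__":
    print("wrapped :", lint(WRAPPED))
    fixed = unwrap(WRAPPED)
    print("unwrapped:", lint(fixed))
    name, rx = compile_rule(fixed[0])
    print(name, "PDF only:", bool(rx.search(PDF_ONLY)),
          "with text:", bool(rx.search(WITH_TEXT)))
```

The negative case shows why the rule's description says "no text in message body": the pattern only matches when the MIME boundary follows the `7bit` header directly, so any body text in between defeats it.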
From: mwilson at cobasys.com (Mike Wilson) Date: Mon Jul 2 13:22:35 2007 Subject: Creating a blacklist word list? In-Reply-To: <002b01c7bca2$1e87f960$3f01a8c0@dbdomain.database.it> Message-ID: <2C7100720056A2408E0DC6795A5CDF0A033417D3@COBS-EXCH-01.texaco.ovonic> Is there a way to create a wordlist so that if an email contains a word on this list it would be blacklisted? This would help knock out about 50% of the spam that still seem to get through the system. Mike Wilson -- This message has been scanned for viruses and dangerous content by MailScanner Relay-B, and is believed to be clean. From m.anderlini at database.it Mon Jul 2 13:33:38 2007 
From: m.anderlini at database.it (Marcello Anderlini) Date: Mon Jul 2 13:33:49 2007 Subject: R: R: Fake User-Agent on PDF In-Reply-To: <002b01c7bca2$1e87f960$3f01a8c0@dbdomain.database.it> References: <46868B9E.2050409@ecs.soton.ac.uk><46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk><002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it><4688CC83.4060403@ecs.soton.ac.uk> <002b01c7bca2$1e87f960$3f01a8c0@dbdomain.database.it> Message-ID: <000001c7bca5$3727cf10$3f01a8c0@dbdomain.database.it> Ok, I found my error, but it seems is not running and on my test system this kind of spam still pass. Someone else suggest to use an other plugin http://www.rulesemporium.com/plugins.htm#pdfinfo but I see is still in beta. Does anyone has some other suggestion or rules to stop this spam ? Realy thanks for your help Best regards -----Messaggio originale----- Da: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] Per conto di Marcello Anderlini Inviato: luned? 2 luglio 2007 14.11 A: 'MailScanner discussion' Oggetto: R: R: Fake User-Agent on PDF Thanks for your answer. I put these lines in spam.assassin.prefs.conf but I get this error. Where's my error ? 
Ps (mailscanner.cf is link to /etc/MailScanner/spam.assassin.prefs.conf ================================= [28788] warn: config: SpamAssassin failed to parse line, no value provided for "full", skipping: full PDF_ONLY_SPAM [28788] warn: config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}nam e\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/ is [28788] warn: config: warning: description exists for non-existent rule PDF_ONLY_SPAM [28788] warn: config: warning: score set for non-existent rule PDF_ONLY_SPAM [28788] warn: lint: 4 issues detected, please rerun with debug enabled for more information ================================= -----Messaggio originale----- Da: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] Per conto di Julian Field Inviato: luned? 2 luglio 2007 12.00 A: MailScanner discussion Oggetto: Re: R: Fake User-Agent on PDF -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This one was published yesterday, which the author claims to work okay: full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}nam e\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/ is describe PDF_ONLY_SPAM PDF only Message, no text in message body score PDF_ONLY_SPAM 2.0 Marcello Anderlini wrote: > Sorry guys, but cause my poor English I'm not sure I've understood if there > is a good rules to block pdf spam. > If there is, could someone publish one working ? > > Thanks to all for you kindly help. 
> > bye > > -----Messaggio originale----- > Da: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] Per conto di > Julian Field > Inviato: sabato 30 giugno 2007 22.11 > A: MailScanner discussion > Oggetto: Re: Fake User-Agent on PDF > > > * PGP Bad Signature, Signed by an unverified key: 06/30/07 at 21:10:58 > > > > Alex Broens wrote: > >> On 6/30/2007 6:58 PM, Julian Field wrote: >> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> >>> >>> Hugo van der Kooij wrote: >>> >>>> Hi, >>>> >>>> So far all SPAM PDF files that did not get killed on other issues >>>> seem to use a fake User-Agent header: User-Agent: Thunderbird >>>> 1.5.0.12 (Windows/20070509) >>>> >>>> According to >>>> http://www.mozilla.com/en-US/thunderbird/releases/1.5.0.12.html the >>>> release date is impossible however. >>>> >>>> I have not written a SA rule (yet). I wrote a detectline in my >>>> header checks of postfix: >>>> /^User-Agent: Thunderbird 1.5.0.12 \(Windows/20070509\)/ >>>> REJECT This is a fake version of Thunderbird >>>> >>> Here's a SA rule that will do the same thing: >>> header JKF_FAKE_TBIRD User-Agent =~ /Thunderbird 1.5.0.12 >>> \(Windows\/20070509\)/ describe JKF_FAKE_TBIRD Fake version of >>> Thunderbird score JKF_FAKE_TBIRD 1.5 >>> >>> >> Jules, >> >> /Thunderbird 1\.5\.0\.12\(Windows\/20070509\)/ >> >> forgot to escape periods? >> > Yes, agreed. But it's not very important. A version of the rule that > accepts 1-5-0-12 is fine too, that's certainly a fake Thunderbird > version number! :-) > > Jules > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGiMyEEfZZRxQVtlQRAhIBAKC5wMPePUUKn6a84bFqfkfCflthvwCeORVq nX4ZfLalyxh7/YoIwS0eLKM= =YumB -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- Messaggio verificato dal servizio antivirus di Database Informatica -- Messaggio verificato dal servizio antivirus di Database Informatica -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- Messaggio verificato dal servizio antivirus di Database Informatica From seanos at seanos.net Mon Jul 2 13:38:17 2007 From: seanos at seanos.net (=?utf-8?B?U2XDoW4gTyBTdWxsaXZhbg==?=) Date: Mon Jul 2 13:38:42 2007 Subject: Creating a blacklist word list? In-Reply-To: <2C7100720056A2408E0DC6795A5CDF0A033417D3@COBS-EXCH-01.texaco.ovonic> References: <2C7100720056A2408E0DC6795A5CDF0A033417D3@COBS-EXCH-01.texaco.ovonic> Message-ID: <45958.160.6.1.47.1183379897.squirrel@webmail.seanos.net> > Is there a way to create a wordlist so that if an email contains a word > on this list it would be blacklisted? > This would help knock out about 50% of the spam that still seem to get > through the system. > http://www.mailscanner.info/mcp.html Se?n From ram at netcore.co.in Mon Jul 2 13:41:04 2007 
From: ram at netcore.co.in (ram)
Date: Mon Jul 2 13:41:11 2007
Subject: Creating a blacklist word list?
In-Reply-To: <2C7100720056A2408E0DC6795A5CDF0A033417D3@COBS-EXCH-01.texaco.ovonic>
References: <2C7100720056A2408E0DC6795A5CDF0A033417D3@COBS-EXCH-01.texaco.ovonic>
Message-ID: <1183380064.9897.3.camel@localhost.localdomain>

On Mon, 2007-07-02 at 08:22 -0400, Mike Wilson wrote:
> Is there a way to create a wordlist so that if an email contains a word
> on this list it would be blacklisted?
> This would help knock out about 50% of the spam that still seem to get
> through the system.
>

BTW, if all you want to do is word checks, you can also try some checks at the MTA; that way you stop the mail before it reaches MailScanner. For e.g. postfix supports header_checks.

Alternatively you could use spamassassin and add a rule in spamassassin. But adding single-word rules is always dangerous and can cause FPs. Be careful with what you are doing.

> Mike Wilson

From mwilson at cobasys.com Mon Jul 2 13:53:48 2007
From: mwilson at cobasys.com (Mike Wilson)
Date: Mon Jul 2 13:53:53 2007
Subject: Creating a blacklist word list?
In-Reply-To: <45958.160.6.1.47.1183379897.squirrel@webmail.seanos.net>
Message-ID: <2C7100720056A2408E0DC6795A5CDF0A0339D3D1@COBS-EXCH-01.texaco.ovonic>

Great info, so next question would be, is there a way to have the MCPblacklisted/MCPwhitelisted options look at a MySQL database table for the wordlists?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Seán O Sullivan
Sent: Monday, July 02, 2007 8:38 AM
To: MailScanner discussion
Subject: Re: Creating a blacklist word list?

> Is there a way to create a wordlist so that if an email contains a
> word on this list it would be blacklisted?
> This would help knock out about 50% of the spam that still seem to get
> through the system.
>

http://www.mailscanner.info/mcp.html

Seán

From darren at serversphere.com Mon Jul 2 14:17:18 2007
From: darren at serversphere.com (Darren Benfer)
Date: Mon Jul 2 14:17:14 2007
Subject: Long Child Startup Times
In-Reply-To: <4687EE6A.5050603@ecs.soton.ac.uk>
References: <1182844619.26893.2.camel@gblades-suse.linguaphone-intranet.co.uk> <4681C794.7000207@rheelweb.co.nz> <33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net> <4687E097.7070506@serversphere.com> <4687EE6A.5050603@ecs.soton.ac.uk>
Message-ID: <4688FADE.8080207@serversphere.com>

Jules,

Thank you, yes! This is exactly the case - we use clamAV/clamavmodule. Sorry I did not provide this info in my original post. Switching clam off makes things as speedy as ever, so I will just endure it across all machines until the current RC moves into release.

Thanks,
Darren

Julian Field wrote:
> I'll put a tenner on the fact that you are running the latest version of
> ClamAV and are using the clamavmodule scanner.
> It's ClamAV's fault in that case. The current version takes *forever* to
> load the signatures. Fortunately it only has to do this once in each child.
> You can fix it by either
> 1) Download and run the latest release candidate of ClamAV which
> apparently has fixed it. This is the most common solution I have seen.
> 2) Wait for the new version of ClamAV and not worry about it for now. It
> only affects the startup time of each child, not the actual processing
> speed of ClamAV. This is what I have done.
> 3) Switch to clamd but make sure you are running something to keep an
> eye on the clamd daemon in case it crashes (I cannot guarantee clamd's
> stability).
>
> Jules.
>
> Darren Benfer wrote:
>> Lately it seems like it takes MS children take forever to start up for
>> some reason, and my server load climbs to 4-5 while they are doing so.
>> Anyone else experiencing (or experienced) this? Anything I should
>> check into for a fix? Worked well for about year, but latest update
>> for MS started this trend.
>>
>> TIA!
>> Darren @ Serversphere.com
>
> Jules
>

From pablo at lacnic.net Mon Jul 2 15:24:40 2007
From: pablo at lacnic.net (Pablo Allietti)
Date: Mon Jul 2 15:11:26 2007
Subject: Postfix MTA
Message-ID: <20070702142440.GA57767@micron.lacnic.net.uy>

Hi all. i have a dude. when i use postfix which is the sentence in
Sendmail = ????

# Set whether to use postfix, sendmail, exim or zmailer.
# If you are using postfix, then see the "SpamAssassin User State Dir"
# setting near the end of this file
MTA = postfix

# Set how to invoke MTA when sending messages MailScanner has created
# (e.g. to sender/recipient saying "found a virus in your message")
# This can also be the filename of a ruleset.
Sendmail = /usr/lib/sendmail

--
.-
Pablo Allietti
E-mail: pablo@lacnic.net | LACNIC
Phone : +598 2 6042222 | http://LACNIC.NET

From pablo at lacnic.net Mon Jul 2 15:26:45 2007
From: pablo at lacnic.net (Pablo Allietti)
Date: Mon Jul 2 15:13:28 2007
Subject: rc.mailscanner
Message-ID: <20070702142645.GB57767@micron.lacnic.net.uy>

i download the rc.mailscanner to start and stop in freebsd the mailscanner but is only for sendmail....

anybody have this file for postfix??

thanks-

--

From t.d.lee at durham.ac.uk Mon Jul 2 15:13:44 2007
From: t.d.lee at durham.ac.uk (David Lee)
Date: Mon Jul 2 15:13:58 2007
Subject: Clam/SA package: possible inconsistency?
Message-ID:

Jules,

Historically, I have maintained the Clam+SA aspects of our MailScanner installations (mostly Fedora-based OSes) using RPM for ClamAV and CPAN for SA.

I would like to switch to using your package. This, in theory, ought to give better support, better consistency, and easier installation. But I've stumbled across an apparent inconsistency in the ClamAV section.

Your software (MS, SA) generally installs directly into system locations. Examples:
   /usr/sbin/MailScanner (binary)
   /etc/MailScanner/ (directory)
   /usr/bin/sa-learn (binary)

In that sense, they are RPM-like. (That's fine with me!)

But (uniquely, I think), your build of clamav wants to install into "/usr/local". This seems inconsistent with your builds of MS and SA.

Is this difference a deliberate decision?

Could you consider making your version of clamav install into the natural system locations (just like your other software), rather than this unique "/usr/local" location?

--
: David Lee I.T. Service :
: Senior Systems Programmer Computer Centre :
: UNIX Team Leader Durham University :
: South Road :
: http://www.dur.ac.uk/t.d.lee/ Durham DH1 3LE :
: Phone: +44 191 334 2752 U.K. :

From jan-peter at koopmann.eu Mon Jul 2 15:20:42 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Mon Jul 2 15:20:12 2007
Subject: rc.mailscanner
In-Reply-To:
References:
Message-ID:

> i download the rc.mailscanner to start and stop in freebsd the
> mailscanner but is only for sendmail....
>
> anybody have this file for postfix??

I suppose you are not using the MailScanner port? If not give it a try. We provide two scripts (mailscanner and mta) in order to start/stop MailScanner or the MTA you are using. Not sure if/how postfix works but please try it out and if necessary provide instructions on how to change the mta-script.

Regards,
JP

From uxbod at splatnix.net Mon Jul 2 15:35:15 2007
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Mon Jul 2 15:36:00 2007
Subject: Postfix MTA
In-Reply-To: <20070702142440.GA57767@micron.lacnic.net.uy>
References: <20070702142440.GA57767@micron.lacnic.net.uy>
Message-ID: <72dfa9a655839ddb58a761d69fc3241b@62.49.223.244>

Just set MTA = postfix and where your queue directory is.

On Mon, 2 Jul 2007 11:24:40 -0300, Pablo Allietti wrote:
> Hi all. i have a dude. when i use postfix which is the sentence in
> Sendmail = ????
>
>
>
> # Set whether to use postfix, sendmail, exim or zmailer.
> # If you are using postfix, then see the "SpamAssassin User State Dir"
> # setting near the end of this file
> MTA = postfix
>
> # Set how to invoke MTA when sending messages MailScanner has created
> # (e.g. to sender/recipient saying "found a virus in your message")
> # This can also be the filename of a ruleset.
> Sendmail = /usr/lib/sendmail
>
> --
>
>
> .-
> Pablo Allietti
> E-mail: pablo@lacnic.net | LACNIC
> Phone : +598 2 6042222 | http://LACNIC.NET

--
--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From MailScanner at ecs.soton.ac.uk Mon Jul 2 15:36:58 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 2 15:40:40 2007
Subject: Clam/SA package: possible inconsistency?
In-Reply-To:
References:
Message-ID: <46890D8A.9080807@ecs.soton.ac.uk>

David Lee wrote:
> Jules,
>
> Historically, I have maintained the Clam+SA aspects of our MailScanner
> installations (mostly Fedora-based OSes) using RPM for ClamAV and CPAN
> for SA.
>
> I would like to switch to using your package. This, in theory, ought to
> give better support, better consistency, and easier installation. But
> I've stumbled across an apparent inconsistency in the ClamAV section.
>
> Your software (MS, SA) generally installs directly into system locations.
> Examples:
> /usr/sbin/MailScanner (binary)
> /etc/MailScanner/ (directory)
> /usr/bin/sa-learn (binary)
>
> In that sense, they are RPM-like. (That's fine with me!)
>
> But (uniquely, I think), your build of clamav wants to install into
> "/usr/local". This seems inconsistent with your builds of MS and SA.
>
> Is this difference a deliberate decision?
>
> Could you consider making your version of clamav install into the natural
> system locations (just like your other software), rather than this unique
> "/usr/local" location?
>

I just let it install ClamAV where the source wants to let me install it.

If you want a /usr installation of ClamAV, I would strongly recommend Dag's RPM builds of it. All available at http://dag.wieers.com/.

The installer for my ClamAV+SA package now asks you whether you want it to install ClamAV for you, in case you prefer to use Dag's RPM build of it.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From holger at gebhardweb.de Mon Jul 2 15:42:54 2007
From: holger at gebhardweb.de (Holger Gebhard)
Date: Mon Jul 2 15:41:58 2007
Subject: R: Fake User-Agent on PDF
References: <46868B9E.2050409@ecs.soton.ac.uk><46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk><002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it><4688CC83.4060403@ecs.soton.ac.uk><002b01c7bca2$1e87f960$3f01a8c0@dbdomain.database.it> <000001c7bca5$3727cf10$3f01a8c0@dbdomain.database.it>
Message-ID: <036701c7bcb7$4667e700$0164320a@conware.int>

Try this rule...

It is a very simple regex to catch the pdf-spams until other rules are available. The regex is not very fast but still works:

full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
describe PDF_ONLY_SPAM PDF only Message, no text in message body
score PDF_ONLY_SPAM 1.0

"or whatever you want..."

This rule matches only messages with specific encodings, pdf attachments and no text in message body. Works fine with no false positives until today.

Regards
Holger

----- Original Message -----
From: "Marcello Anderlini"
To: "'MailScanner discussion'"
Sent: Monday, July 02, 2007 2:33 PM
Subject: R: R: Fake User-Agent on PDF

Ok, I found my error, but it seems it is not running, and on my test system this kind of spam still passes. Someone else suggested using another plugin http://www.rulesemporium.com/plugins.htm#pdfinfo but I see it is still in beta.

Does anyone have some other suggestion or rules to stop this spam?

Really, thanks for your help

Best regards

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Marcello Anderlini
Sent: Monday 2 July 2007 14.11
To: 'MailScanner discussion'
Subject: R: R: Fake User-Agent on PDF

Thanks for your answer. I put these lines in spam.assassin.prefs.conf but I get this error. Where's my error?

PS (mailscanner.cf is a link to /etc/MailScanner/spam.assassin.prefs.conf)

=================================
[28788] warn: config: SpamAssassin failed to parse line, no value provided for "full", skipping: full PDF_ONLY_SPAM
[28788] warn: config: failed to parse line, skipping, in "/etc/mail/spamassassin/mailscanner.cf": /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}nam
e\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/
is
[28788] warn: config: warning: description exists for non-existent rule PDF_ONLY_SPAM
[28788] warn: config: warning: score set for non-existent rule PDF_ONLY_SPAM
[28788] warn: lint: 4 issues detected, please rerun with debug enabled for more information
=================================

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Julian Field
Sent: Monday 2 July 2007 12.00
To: MailScanner discussion
Subject: Re: R: Fake User-Agent on PDF

This one was published yesterday, which the author claims to work okay:

full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
describe PDF_ONLY_SPAM PDF only Message, no text in message body
score PDF_ONLY_SPAM 2.0

Marcello Anderlini wrote:
> Sorry guys, but cause my poor English I'm not sure I've understood if there
> is a good rules to block pdf spam.
> If there is, could someone publish one working ?
>
> Thanks to all for you kindly help.
>
> bye

From MailScanner at ecs.soton.ac.uk Mon Jul 2 15:39:41 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 2 15:42:56 2007
Subject: Postfix MTA
In-Reply-To: <20070702142440.GA57767@micron.lacnic.net.uy>
References: <20070702142440.GA57767@micron.lacnic.net.uy>
Message-ID: <46890E2D.4060005@ecs.soton.ac.uk>

You should just be able to use
Sendmail = /usr/sbin/sendmail

Though check, if you are using RedHat (or CentOS probably), that you have set the MTA correctly using the program 'system-switch-mail'.

Pablo Allietti wrote:
> Hi all. i have a dude. when i use postfix which is the sentence in
> Sendmail = ????
>
>
>
> # Set whether to use postfix, sendmail, exim or zmailer.
> # If you are using postfix, then see the "SpamAssassin User State Dir"
> # setting near the end of this file
> MTA = postfix
>
> # Set how to invoke MTA when sending messages MailScanner has created
> # (e.g. to sender/recipient saying "found a virus in your message")
> # This can also be the filename of a ruleset.
> Sendmail = /usr/lib/sendmail
>
>

Jules

From pablo at lacnic.net Mon Jul 2 16:01:34 2007
From: pablo at lacnic.net (Pablo Allietti)
Date: Mon Jul 2 15:48:16 2007
Subject: rc.mailscanner
In-Reply-To:
References:
Message-ID: <20070702150134.GC57767@micron.lacnic.net.uy>

On Mon, Jul 02, 2007 at 04:20:42PM +0200, Koopmann, Jan-Peter wrote:
> > i download the rc.mailscanner to start and stop in freebsd the
> > mailscanner but is only for sendmail....
> >
> > anybody have this file for postfix??
>
> I suppose you are not using the MailScanner port? If not give it a try.
> We provide two scripts (mailscanner and mta) in order to start/stop
> MailScanner or the MTA you are using. Not sure if/how postfix works but
> please try it out and if necessary provide instructions on how to change
> the mta-script.

nop, this script is only for sendmail and exim, the pid in postfix is a group of pids in folder /var/spool/postfix/pid :( and i dont know how to add this to the script..

>
>
> Regards,
> JP

---end quoted text---

--
.-
Pablo Allietti
E-mail: pablo@lacnic.net | LACNIC
Phone : +598 2 6042222 | http://LACNIC.NET

From hvdkooij at vanderkooij.org Mon Jul 2 15:50:32 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Jul 2 15:51:37 2007
Subject: Postfix MTA
In-Reply-To: <20070702142440.GA57767@micron.lacnic.net.uy>
References: <20070702142440.GA57767@micron.lacnic.net.uy>
Message-ID:

On Mon, 2 Jul 2007, Pablo Allietti wrote:

> Hi all. i have a dude. when i use postfix which is the sentence in
> Sendmail = ????

The line is just fine. Any linux distro should have this by now because it is for years now defined in the LSB definition.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From jan-peter at koopmann.eu Mon Jul 2 16:31:58 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Mon Jul 2 16:31:25 2007
Subject: rc.mailscanner
In-Reply-To:
References:
Message-ID:

> nop, this script is only for sendmail and exim, the pid in postfix is a
> group of pids in folder /var/spool/postfix/pid :( and i dont know how
> to
> add this to the script..

What about the postfix port in FreeBSD? It surely has a MTA start/stop mechanism at hand. Why not use that and the mailscanner start/stop script of my port?

From stinkybob at gmail.com Mon Jul 2 16:45:45 2007
From: stinkybob at gmail.com (Eugene MacDougal)
Date: Mon Jul 2 16:45:48 2007
Subject: Solaris upgrade problems
Message-ID: <2579c6b20707020845m3b79b3s252c21ea817649da@mail.gmail.com>

Here are some of the "problems" I experience whenever I upgrade MailScanner. And for background, my system is a Sun V40Z (dual opteron, 8gb ram, solaris 10) running MS 4.61.7, SA 3.2.1, Clam 0.93. I installed all of these using the tar based installers from Julian's site.

1. Neither the "udp" nor the "unix" options for Sys::Syslog's setlogsock command work on my system. Every time a new release comes out, I have to grep for setlogsock in every file and change it from unix or udp to "native". Is this something that we could move to the MailScanner.conf file? Make an option for syslog type and then have the various programs that use that option poll MailScanner.conf for the appropriate variable? This would make my life so much easier.

2. The whole "/opt/MailScanner" symlink thing seems a bit counter-intuitive. I appreciate the ease that it brings for rolling back to an older version in case the new one fails, but I need to manually check all of the config files (filename rules, filetype rules, etc) and see if there are any problems with dropping my existing ones back into place. It seems like the upgrade_MailScanner_conf and upgrade_languages_conf scripts could be updated to check every config file in the release instead of just their respective targets.

3. The "update_virus_scanners" script needs an update for the SunOS grep test. Not all systems come with /usr/xpg4/bin/grep installed. A full build will, but not a network minimal. Solaris does come with a compatible grep that will use the -e option "/usr/bin/egrep". If that setting could be upgraded to use egrep that would be great.

Thanks,
Eugene

From sandrews at andrewscompanies.com Mon Jul 2 16:48:55 2007
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Mon Jul 2 16:48:59 2007
Subject: SA 3.1.9 upgrade to 3.2.1 problem
In-Reply-To:
References:
Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0DDD@winchester.andrewscompanies.com>

I did a yum and it appears that my 3.2.0 as installed by Julian's script was downgraded to 3.1.9 and trying to reinstall via Jules' clam/sa 3.2.1 package leaves me at 3.1.9.

Thoughts on what I'm doing wrong?

Steve

From ram at netcore.co.in Mon Jul 2 16:49:54 2007
From: ram at netcore.co.in (ram)
Date: Mon Jul 2 16:50:06 2007
Subject: MailScanner with postfix SPF checks problem
In-Reply-To: <223f97700707020005x6aa096en51f72f3e2d024a80@mail.gmail.com>
References: <1183358765.6034.18.camel@localhost.localdomain> <223f97700707020005x6aa096en51f72f3e2d024a80@mail.gmail.com>
Message-ID: <1183391394.9897.23.camel@localhost.localdomain>

On Mon, 2007-07-02 at 07:05 +0000, Glenn Steen wrote:
> First error is about a problem with received lines. . . You don't do
> anything bad to them in a header check, do you? (Sorry for top post,
> am using my mobile phone to tap this in:)

Sorry, apparently these messages were getting hit by spamassassin-cache. So when I tested with the same content again and again I was getting results from cache and not thru a real check.

Thanks
Ram

From pablo at lacnic.net Mon Jul 2 17:11:35 2007
From: pablo at lacnic.net (Pablo Allietti)
Date: Mon Jul 2 16:58:14 2007
Subject: rc.mailscanner
In-Reply-To:
References:
Message-ID: <20070702161135.GD57767@micron.lacnic.net.uy>

On Mon, Jul 02, 2007 at 05:31:58PM +0200, Koopmann, Jan-Peter wrote:
> > nop, this script is only for sendmail and exim, the pid in postfix is
> a
> > group of pids in folder /var/spool/postfix/pid :( and i dont know how
> > to
> > add this to the script..
>
> What about the postfix port in FreeBSD? It surely has a MTA start/stop
> mechanism at hand. Why not use that and the mailscanner start/stop
> script of my port?

because the port give me an error like said in other mail before that... i installed from source and work, i only need this script to start stop with postfix.

---end quoted text---

--
.-
Pablo Allietti
E-mail: pablo@lacnic.net | LACNIC
Phone : +598 2 6042222 | http://LACNIC.NET

From sandrews at andrewscompanies.com Mon Jul 2 17:10:24 2007
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Mon Jul 2 17:10:28 2007
Subject: SA 3.1.9 upgrade to 3.2.1 problem [Solved[
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0DDD@winchester.andrewscompanies.com>
References: <1964AAFBC212F742958F9275BF63DBB04B0DDD@winchester.andrewscompanies.com>
Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0DDE@winchester.andrewscompanies.com>

I'm going to answer my question, just in case anyone else has this.

Remove old spamassassin
   rpm -e spamassassin

Download latest 3.2.1 from spamassassin.apache.org
   rpmbuild -tb Mail-SpamAssassin-3.2.1.tar.gz

Install 3.2.1 packages
   cd /usr/src/redhat/RPMS/i386
   rpm -ivh perl-Mail-SpamAssassin-3.2.1-1.i386.rpm
   rpm -ivh spamassassin-3.2.1.i386.rpm

Yum after that didn't take me back to 3.1.9

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steven Andrews
Sent: Monday, July 02, 2007 11:49 AM
To: MailScanner discussion
Subject: SA 3.1.9 upgrade to 3.2.1 problem

I did a yum and it appears that my 3.2.0 as installed by Julian's script was downgraded to 3.1.9 and trying to reinstall via Jules' clam/sa 3.2.1 package leaves me at 3.1.9.

Thoughts on what I'm doing wrong?

Steve

From ssilva at sgvwater.com Mon Jul 2 18:02:10 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Jul 2 18:02:23 2007
Subject: Doubts about PF, what are the pros/cons about other MTAs?
In-Reply-To:
References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk> <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com> <46878A41.9070100@syska.dk>
Message-ID:

Res spake the following on 7/1/2007 3:41 PM:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> NotDashEscaped: You need GnuPG to verify this message
>
> On Sun, 1 Jul 2007, Mikael Syska wrote:
>
>> If the above is right, this seems like its using the resources better
>> than amavisd-new maybe, but these days Ram and harddrives are very
>> cheap, so if it just runs fast, i'm happy.
>
> I've used many methods, amavisd(-new), sophos, mimedefang, qmailscanner
> and commercial apps, nothing comes close to MailScanners reliability and
> performance (although I've only used sendmail and qmail, any postmix
> server I take over gets quickly replaced by either sendmail or qmail so
> I've never seen the MS/PF issues)
>
>

No fair bashing Postfix while Glenn is on vacation!! ;-P

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From jan-peter at koopmann.eu Mon Jul 2 18:06:53 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Mon Jul 2 18:06:17 2007
Subject: rc.mailscanner
In-Reply-To:
References:
Message-ID:

> because the port give me an error like said in other mail before
> that...

Most probably your system is screwed up somehow otherwise the port would work (unless all other installations are screwed up and yours is the only correct one of course *g*). And I strongly suggest to find and fix the problem first before going to production. Once that is fixed, you can move on with the provided scripts.

From ssilva at sgvwater.com Mon Jul 2 18:13:14 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Jul 2 18:13:24 2007
Subject: Wierd question
In-Reply-To: <0d1601c7bc4f$91584d30$8c007f0a@epctech.com>
References: <468809CE.20808@ecs.soton.ac.uk> <0d1601c7bc4f$91584d30$8c007f0a@epctech.com>
Message-ID:

Chuck Rock spake the following on 7/1/2007 7:20 PM:
> I have a weird question, but if it's something that can be answered with MS,
> then I'd be very grateful.
>
> I have FreeBSD, MailScanner, ClamAV and Sendmail scanning incoming mail.
>
> I need to take messages to a specific domain and only allow them from a
> certain IP, another mail server. If they come from any other IP then they
> get rejected or deleted.
>
> Is this possible with a MailScanner ruleset?
>
> Thanks,
> Chuck
>
>

I think it could be done with MailScanner, but you would only want to delete there. If you want to reject, you would need to do it at the MTA level to prevent spam backscatter.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From carock at epconline.com Mon Jul 2 18:41:41 2007
From: carock at epconline.com (Chuck Rock)
Date: Mon Jul 2 18:41:44 2007
Subject: Wierd question
In-Reply-To:
Message-ID: <0e8e01c7bcd0$4040b370$8c007f0a@epctech.com>

Yeah, delete is fine. Since the MX record will reflect the proper MX, only spammers will try to send to the old MX server.

Any ideas on how to implement?

Chuck

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva Sent: Monday, July 02, 2007 12:13 PM To: mailscanner@lists.mailscanner.info Subject: Re: Wierd question Chuck Rock spake the following on 7/1/2007 7:20 PM: > I have a weird question, but if it's something that can be answered with MS, > then I'd be very grateful. > > I have FreeBSD, MailScanner, ClamAV and Sendmail scanning incoming mail. > > I need to take messages to a specific domain and only allow them from a > certain IP, another mail server. If they come from any other IP then they > get rejected or deleted. > > Is this possible with a MailScanner ruleset? > > Thanks, > Chuck > > I think it could be done with MailScanner, but you would only want to delete there. If you want to reject, you would need to do it at the MTA level to prevent spam backscatter. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From mkettler at evi-inc.com Mon Jul 2 18:55:46 2007 
From: mkettler at evi-inc.com (Matt Kettler)
Date: Mon Jul 2 18:56:39 2007
Subject: Wierd question
In-Reply-To: <0e8e01c7bcd0$4040b370$8c007f0a@epctech.com>
References: <0e8e01c7bcd0$4040b370$8c007f0a@epctech.com>
Message-ID: <46893C22.80200@evi-inc.com>

Chuck Rock wrote:
> Yeah, delete is fine. Since the MX record will reflect the proper MX, only
> spammers will try to send to the old MX server.
>
> Any ideas on how to implement?

At that point, why not just shut down the old MX server completely? Or, in
alternative, have the SMTP server on the old MX 550 everything? It seems
silly to bother accepting the mail, then forward it to a primary MX, accept
it there, and then have MailScanner delete it.

From MailScanner at ecs.soton.ac.uk Mon Jul 2 18:58:37 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 2 19:02:08 2007
Subject: Wierd question
In-Reply-To: <0d1601c7bc4f$91584d30$8c007f0a@epctech.com>
References: <0d1601c7bc4f$91584d30$8c007f0a@epctech.com>
Message-ID: <46893CCD.4070900@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You can do this very simply with a ruleset on the "Reject Messages"
configuration option.

To: domain.com and From: 10.1.1.1    no
To: domain.com                       yes
FromOrTo: default                    no

That should do the trick I think.

Chuck Rock wrote:
> I have a weird question, but if it's something that can be answered with MS,
> then I'd be very grateful.
>
> I have FreeBSD, MailScanner, ClamAV and Sendmail scanning incoming mail.
>
> I need to take messages to a specific domain and only allow them from a
> certain IP, another mail server. If they come from any other IP then they
> get rejected or deleted.
>
> Is this possible with a MailScanner ruleset?
>
> Thanks,
> Chuck
>
>
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGiTzOEfZZRxQVtlQRAnRAAJ9x2RBbdNkQqbGb5MoPrSRoGq4mTwCeN1bS
i+fxDsM1z6TJ65lg3zDsON0=
=gRQr
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From mikej at rogers.com Mon Jul 2 19:04:32 2007
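
The three-rule ruleset in the message above depends on rules being tried top to bottom, with the first match deciding. The Python sketch below is an added example, not MailScanner's code and not something posted in this thread; it models only the rule forms used here (From:, To:, FromOrTo:, "and", default). The Message class, the function names and the sample messages are constructed for illustration.

```python
"""Simplified model of first-match ruleset evaluation (added example)."""
import ipaddress
from dataclasses import dataclass, field

# The ruleset from the thread, one rule per line.
RULESET = """\
To: domain.com and From: 10.1.1.1    no
To: domain.com                       yes
FromOrTo: default                    no
"""


@dataclass
class Message:
    client_ip: str      # IP address of the connecting SMTP client
    sender: str         # envelope sender
    recipients: list = field(default_factory=list)


def pattern_matches(pattern, addresses, client_ip=None):
    """True if the pattern matches an address, or the client IP when given."""
    if pattern.lower() == "default":
        return True
    try:
        network = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        network = None
    if network is not None:
        # IP patterns are compared with the connecting client only, never
        # with anything the sender typed into an address.
        return client_ip is not None and ipaddress.ip_address(client_ip) in network
    pat = pattern.lower()
    if pat.startswith("*@"):
        pat = pat[2:]
    if "@" in pat:
        return any(a.lower() == pat for a in addresses)
    return any(a.lower().rpartition("@")[2] == pat for a in addresses)


def condition_matches(direction, pattern, msg):
    """Evaluate one 'Direction: pattern' condition against a message."""
    d = direction.lower().rstrip(":")
    from_hit = pattern_matches(pattern, [msg.sender], msg.client_ip)
    # Assumption of this model: a To: condition matches if any recipient does.
    to_hit = pattern_matches(pattern, msg.recipients)
    if d == "from":
        return from_hit
    if d == "to":
        return to_hit
    if d == "fromorto":
        return from_hit or to_hit
    if d == "fromandto":
        return from_hit and to_hit
    raise ValueError("unknown direction: " + direction)


def parse_ruleset(text):
    """Return a list of (conditions, value); conditions are joined by 'and'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        *tokens, value = line.split()
        tokens = [t for t in tokens if t.lower() != "and"]
        if not tokens or len(tokens) % 2:
            raise ValueError("malformed rule: " + raw)
        rules.append((list(zip(tokens[0::2], tokens[1::2])), value))
    return rules


def evaluate(rules, msg):
    """Return (value, rule_number) of the first rule whose conditions all match."""
    for number, (conditions, value) in enumerate(rules, start=1):
        if all(condition_matches(d, p, msg) for d, p in conditions):
            return value, number
    return None, None


if __name__ == "__main__":
    rules = parse_ruleset(RULESET)
    samples = {  # constructed messages; 203.0.113.7 is a documentation address
        "via the filter": Message("10.1.1.1", "a@sender.example", ["user@domain.com"]),
        "direct to old MX": Message("203.0.113.7", "a@sender.example", ["user@domain.com"]),
        "forged local sender": Message("203.0.113.7", "boss@domain.com", ["user@domain.com"]),
        "unfiltered domain": Message("203.0.113.7", "a@sender.example", ["user@other.example"]),
    }
    for label, msg in samples.items():
        print(label, "->", evaluate(rules, msg))
    # Rule order matters: with rules 1 and 2 swapped, mail relayed by the
    # filter itself hits the "yes" rule first.
    print("swapped order ->", evaluate([rules[1], rules[0], rules[2]], samples["via the filter"]))
```

A "yes" result means the option the ruleset is attached to applies to that message; every other message falls through to the default "no".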
From: mikej at rogers.com (Mike Jakubik) Date: Mon Jul 2 19:04:35 2007 Subject: rc.mailscanner In-Reply-To: <20070702161135.GD57767@micron.lacnic.net.uy> References: <20070702161135.GD57767@micron.lacnic.net.uy> Message-ID: <46893E30.3010702@rogers.com> Pablo Allietti wrote: > On Mon, Jul 02, 2007 at 05:31:58PM +0200, Koopmann, Jan-Peter wrote: > >>> nop, this script is only for sendmail and exim, the pid in postfix is >>> >> a >> >>> group of pids in folder /var/spool/postfix/pid :( and i dont know how >>> to >>> add this to the script.. >>> >> What about the postfix port in FreeBSD? It surely has a MTA start/stop >> mechanism at hand. Why not use that and the mailscanner start/stop >> script of my port? >> > > > because the port give me an error like said in other mail before that... > > i installed from source and work, i only need this script to start stop > with postfix. > Thats usually not a good solution on FreeBSD is a port exists. Indeed there is a port for MailScanner and postfix, they both come with startup scripts and work just fine (on my systems). I would recommend you troubleshoot your port install process, you may want to deinstall all, update the tree and try again. From mailscanner at yeticomputers.com Mon Jul 2 19:09:40 2007 
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Mon Jul 2 19:09:54 2007 Subject: rc.mailscanner In-Reply-To: <46893E30.3010702@rogers.com> References: <20070702161135.GD57767@micron.lacnic.net.uy> <46893E30.3010702@rogers.com> Message-ID: <46893F64.1040101@yeticomputers.com> Mike Jakubik wrote: > Pablo Allietti wrote: >> because the port give me an error like said in other mail before that... >> i installed from source and work, i only need this script to start stop >> with postfix. > > Thats usually not a good solution on FreeBSD is a port exists. Indeed > there is a port for MailScanner and postfix, they both come with > startup scripts and work just fine (on my systems). I would recommend > you troubleshoot your port install process, you may want to deinstall > all, update the tree and try again. I'm with Mike here. I also use the standard ports and use the startup scripts that came with postfix and mailscanner (and not the mta script), and all is working fine. I would probably deinstall everything, update the tree and start over with just the ports. Rick From nerijusb at dtiltas.lt Mon Jul 2 19:22:17 2007 
From: nerijusb at dtiltas.lt (Nerijus Baliunas) Date: Mon Jul 2 19:30:13 2007 Subject: SA 3.1.9 upgrade to 3.2.1 problem In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0DDD@winchester.andrewscompanies.com> References: <1964AAFBC212F742958F9275BF63DBB04B0DDD@winchester.andrewscompanies.com> Message-ID: <20070702182853.C291C1224AC@mx-b.vdnet.lt> On Mon, 2 Jul 2007 11:48:55 -0400 Steven Andrews wrote: > I did a yum and it appears that my 3.2.0 as installed by Julian's script > was downgraded to 3.1.9 and trying to reinstall via Jules' clam/sa 3.2.1 > package leaves me at 3.1.9. > > Thoughts on what I'm doing wrong? Although you already answered yourself, but what you did wrong is you mixed system SA package and Julian's script. You should use either a package or install by using Julian's script. Regards, Nerijus From cparker at swatgear.com Mon Jul 2 20:30:20 2007 From: cparker at swatgear.com (Chris W. Parker) Date: Mon Jul 2 20:30:24 2007 Subject: SpamAssassin is constantly timing out Message-ID: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local> Hello, I recently upgraded to the latest (as of two weeks ago) MailScanner and now SpamAssassin is consistently timing out. I believe the original timeout period was 60 seconds but I've since increased it to 300 seconds and it still seems to be consistently timing out every five minutes. My old setting was 300 seconds and I didn't have this problem. The server load is pretty good (I think): [root@filter /var/log]# uptime 12:19:06 up 112 days, 1:40, 1 user, load average: 1.47, 1.77, 1.87 If it's still timing out at five minutes and the server load is not high, might it not be a processing power issue? Where else should I look? Thanks! Chris. From alex at nkpanama.com Mon Jul 2 20:35:09 2007 
From: alex at nkpanama.com (Alex Neuman) Date: Mon Jul 2 20:35:48 2007 Subject: SpamAssassin is constantly timing out In-Reply-To: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local> References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local> Message-ID: <4689536D.6040503@nkpanama.com> DNS? Chris W. Parker wrote: > Hello, > > I recently upgraded to the latest (as of two weeks ago) MailScanner and > now SpamAssassin is consistently timing out. > > I believe the original timeout period was 60 seconds but I've since > increased it to 300 seconds and it still seems to be consistently timing > out every five minutes. My old setting was 300 seconds and I didn't have > this problem. > > The server load is pretty good (I think): > > [root@filter /var/log]# uptime > 12:19:06 up 112 days, 1:40, 1 user, load average: 1.47, 1.77, 1.87 > > > If it's still timing out at five minutes and the server load is not > high, might it not be a processing power issue? > > Where else should I look? > > > > Thanks! > Chris. > From MailScanner at ecs.soton.ac.uk Mon Jul 2 20:46:00 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 2 20:48:34 2007
Subject: SpamAssassin is constantly timing out
In-Reply-To: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local>
References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local>
Message-ID: <468955F8.1090701@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Start MailScanner with

    MailScanner -debug -debug-sa

and thump Ctrl-S when it pauses. This should tell you what is causing
the timeouts. (Ctrl-Q continues the output that Ctrl-S pauses)

Chris W. Parker wrote:
> Hello,
>
> I recently upgraded to the latest (as of two weeks ago) MailScanner and
> now SpamAssassin is consistently timing out.
>
> I believe the original timeout period was 60 seconds but I've since
> increased it to 300 seconds and it still seems to be consistently timing
> out every five minutes. My old setting was 300 seconds and I didn't have
> this problem.
>
> The server load is pretty good (I think):
>
> [root@filter /var/log]# uptime
> 12:19:06 up 112 days, 1:40, 1 user, load average: 1.47, 1.77, 1.87
>
>
> If it's still timing out at five minutes and the server load is not
> high, might it not be a processing power issue?
>
> Where else should I look?
>
>
>
> Thanks!
> Chris.
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGiVX4EfZZRxQVtlQRAuHAAJ95OE61SFVZdNCsCk0DNLDmSQgaIACfaQ4L
mp5drNsEUh0JR/GCnz787y8=
=Nefd
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From mkettler at evi-inc.com Mon Jul 2 21:04:02 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Mon Jul 2 21:08:05 2007
Subject: SpamAssassin is constantly timing out
In-Reply-To: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local>
References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local>
Message-ID: <46895A32.4070008@evi-inc.com>

Chris W. Parker wrote:
> Hello,
>
> I recently upgraded to the latest (as of two weeks ago) MailScanner and
> now SpamAssassin is consistently timing out.
>
> I believe the original timeout period was 60 seconds but I've since
> increased it to 300 seconds and it still seems to be consistently timing
> out every five minutes. My old setting was 300 seconds and I didn't have
> this problem.
>
> The server load is pretty good (I think):
>
> [root@filter /var/log]# uptime
> 12:19:06 up 112 days, 1:40, 1 user, load average: 1.47, 1.77, 1.87
>
>
> If it's still timing out at five minutes and the server load is not
> high, might it not be a processing power issue?
>
> Where else should I look?

Julian's debug options are an excellent suggestion.

If you're using ordinary file based (instead of SQL based) bayes, I'd also
check in the bayes directory. If there are several ".expire" files lying
around, MailScanner is killing SA while it is attempting to perform expiry
on the bayes DB.

If that's the case, a short-term fix would be to run

    sa-learn --force-expire

on the command line. That will run the expiry process on the command line,
and you should get a bit of a reprieve before expiry tries to run again
during normal scans.

Longer term solutions (if this is the problem) can be a mixture of:

1) Extend your timeout to be long enough for the bayes DB to expire.
2) Disable SA's bayes auto expire feature, and create a cronjob to run
   sa-learn --force-expire
3) Switch off to SQL based bayes, which runs expire *SIGNIFICANTLY* faster
   than DB_File does.
(see http://wiki.apache.org/spamassassin/BayesBenchmarkResults, where 3 is a force-expire operation) From carock at epconline.com Mon Jul 2 21:14:29 2007 From: carock at epconline.com (Chuck Rock) Date: Mon Jul 2 21:14:33 2007 Subject: Wierd question In-Reply-To: <46893CCD.4070900@ecs.soton.ac.uk> Message-ID: <005a01c7bce5$986cac60$8c007f0a@epctech.com> Excellent, I will test. Basically for the other guy, I had a mail server running MS and clamAV and SpamAssassin. All free stuff, works nice mostly. I purchased a Barracuda to "add" domains to with an extra fee for the expensive commercial spam filter. The final destination server is still the same. I just changed MX so only the Barracuda was listed. What I've found through experience though, servers will continue to send mail to the old MX record even though it doesn't exist. I still have servers receiving messages for domains we haven't hosted for years. To keep the spammers from bypassing the new Barracuda filter inserted in the mail flow, I must make the final destination server ignore messages from all other IP's for incoming mail destined for specific domains and only allow them from the new spam filter device IP. If any of you have a filter like this, and you haven't limited the old MX server from receiving mail from just any IP for the domain, spam is probably getting past your new filter. Thanks, Chuck -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Monday, July 02, 2007 12:59 PM To: MailScanner discussion Subject: Re: Wierd question -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You can do this very simply with a ruleset on the "Reject Messages" configuration option. To: domain.com and 
From: 10.1.1.1 no To: domain.com yes FromOrTo: default no That should do the trick I think. Chuck Rock wrote: > I have a weird question, but if it's something that can be answered with MS, > then I'd be very grateful. > > I have FreeBSD, MailScanner, ClamAV and Sendmail scanning incoming mail. > > I need to take messages to a specific domain and only allow them from a > certain IP, another mail server. If they come from any other IP then they > get rejected or deleted. > > Is this possible with a MailScanner ruleset? > > Thanks, > Chuck > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGiTzOEfZZRxQVtlQRAnRAAJ9x2RBbdNkQqbGb5MoPrSRoGq4mTwCeN1bS i+fxDsM1z6TJ65lg3zDsON0= =gRQr -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From carock at epconline.com Mon Jul 2 21:24:35 2007 From: carock at epconline.com (Chuck Rock) Date: Mon Jul 2 21:24:41 2007 Subject: Wierd question In-Reply-To: <46893CCD.4070900@ecs.soton.ac.uk> Message-ID: <006a01c7bce7$01ed3aa0$8c007f0a@epctech.com> This worked great. I wish I had thought of it myself ;-) I added it to the Is Definitely Spam = %rules-dir%/spam.blacklist.rules So it would silently delete. Thank you! Chuck -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Monday, July 02, 2007 12:59 PM To: MailScanner discussion Subject: Re: Wierd question -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You can do this very simply with a ruleset on the "Reject Messages" configuration option. To: domain.com and From: 10.1.1.1 no To: domain.com yes FromOrTo: default no That should do the trick I think. Chuck Rock wrote: > I have a weird question, but if it's something that can be answered with MS, > then I'd be very grateful. > > I have FreeBSD, MailScanner, ClamAV and Sendmail scanning incoming mail. > > I need to take messages to a specific domain and only allow them from a > certain IP, another mail server. If they come from any other IP then they > get rejected or deleted. > > Is this possible with a MailScanner ruleset? > > Thanks, > Chuck > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGiTzOEfZZRxQVtlQRAnRAAJ9x2RBbdNkQqbGb5MoPrSRoGq4mTwCeN1bS i+fxDsM1z6TJ65lg3zDsON0= =gRQr -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From KGoods at AIAInsurance.com Mon Jul 2 21:40:12 2007 
From: KGoods at AIAInsurance.com (Ken Goods) Date: Mon Jul 2 21:42:15 2007 Subject: Wierd question Message-ID: <13C0059880FDD3118DC600508B6D4A6D01C2947A@aiainsurance.com> Chuck Rock wrote: > Excellent, I will test. > > Basically for the other guy, I had a mail server running MS and > clamAV and SpamAssassin. All free stuff, works nice mostly. > > I purchased a Barracuda to "add" domains to with an extra fee for the > expensive commercial spam filter. > > The final destination server is still the same. I just changed MX so > only the Barracuda was listed. > > What I've found through experience though, servers will continue to > send mail to the old MX record even though it doesn't exist. I still > have servers receiving messages for domains we haven't hosted for > years. > > To keep the spammers from bypassing the new Barracuda filter inserted > in the mail flow, I must make the final destination server ignore > messages from all other IP's for incoming mail destined for specific > domains and only allow them from the new spam filter device IP. > > If any of you have a filter like this, and you haven't limited the > old MX server from receiving mail from just any IP for the domain, > spam is probably getting past your new filter. > > Thanks, > Chuck Hi Chuck, I had a similar problem come up recently. We were using a MS/SA/Clam box in front of our Exchange box. I had closed port 25 to the Exchange box from the big "I" so only mail coming from the filter box would make it to the Exchange server although both had MX DNS records with the Exchange box being the primary. We had people outside connecting to the Exchange box with Outlook (in corporate mode) through OpenVPN. Then it seems that the powers that be wanted people to be able to connect directly to the Exchange box using standard email clients (POP/SMTP) and obviously that couldn't be done with port 25 blocked. What I did was this.... 
I made the filter box the primary, removed the DNS entries for the Exchange box and opened port 25 to the Exchange box. I still get a few spams a day (very few) that are connecting via IP address but other than that it works a charm. If you don't need anyone connecting to your final destination server from the outside, simply block port 25 incoming to it. If both servers are within your DMZ this should work perfectly and you won't have to mess with rules or other configurations. Outgoing mail will still flow from the final destination server since you're not blocking 25 outgoing. I ran my mailserver like that for almost 2 years without problems. Just another option, as always YMMV... Kind regards, Ken Ken Goods Network Administrator CropUSA Insurance, Inc. From carock at epconline.com Mon Jul 2 21:54:58 2007 From: carock at epconline.com (Chuck Rock) Date: Mon Jul 2 21:55:10 2007 Subject: Wierd question In-Reply-To: <13C0059880FDD3118DC600508B6D4A6D01C2947A@aiainsurance.com> Message-ID: <007601c7bceb$4095bd00$8c007f0a@epctech.com> Yeah, that was a dedicated server though. This is a shared hosting server, so only the people paying extra for the filter will get it. So the box will still need to receive port 25 traffic from the outside world for most of the domains it hosts. Chuck -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken Goods Sent: Monday, July 02, 2007 3:40 PM To: 'MailScanner discussion' Subject: RE: Wierd question Chuck Rock wrote: > Excellent, I will test. > > Basically for the other guy, I had a mail server running MS and > clamAV and SpamAssassin. All free stuff, works nice mostly. > > I purchased a Barracuda to "add" domains to with an extra fee for the > expensive commercial spam filter. > > The final destination server is still the same. I just changed MX so > only the Barracuda was listed. > > What I've found through experience though, servers will continue to > send mail to the old MX record even though it doesn't exist. I still > have servers receiving messages for domains we haven't hosted for > years. > > To keep the spammers from bypassing the new Barracuda filter inserted > in the mail flow, I must make the final destination server ignore > messages from all other IP's for incoming mail destined for specific > domains and only allow them from the new spam filter device IP. > > If any of you have a filter like this, and you haven't limited the > old MX server from receiving mail from just any IP for the domain, > spam is probably getting past your new filter. > > Thanks, > Chuck Hi Chuck, I had a similar problem come up recently. We were using a MS/SA/Clam box in front of our Exchange box. I had closed port 25 to the Exchange box from the big "I" so only mail coming from the filter box would make it to the Exchange server although both had MX DNS records with the Exchange box being the primary. We had people outside connecting to the Exchange box with Outlook (in corporate mode) through OpenVPN. Then it seems that the powers that be wanted people to be able to connect directly to the Exchange box using standard email clients (POP/SMTP) and obviously that couldn't be done with port 25 blocked. What I did was this.... 
I made the filter box the primary, removed the DNS entries for the Exchange box and opened port 25 to the Exchange box. I still get a few spams a day (very few) that are connecting via IP address but other than that it works a charm. If you don't need anyone connecting to your final destination server from the outside, simply block port 25 incoming to it. If both servers are within your DMZ this should work perfectly and you won't have to mess with rules or other configurations. Outgoing mail will still flow from the final destination server since you're not blocking 25 outgoing. I ran my mailserver like that for almost 2 years without problems. Just another option, as always YMMV... Kind regards, Ken Ken Goods Network Administrator CropUSA Insurance, Inc. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From res at ausics.net Mon Jul 2 23:25:29 2007 
From: res at ausics.net (Res) Date: Mon Jul 2 23:25:41 2007 Subject: Doubts about PF, what are the pros/cons about other MTAs? In-Reply-To: References: <467E9AD4.5080200@syska.dk> <4686A7AA.4060008@rogers.com> <4686C568.9070307@syska.dk> <4686C841.7030109@ecs.soton.ac.uk> <4686DCC5.9050208@syska.dk> <223f97700706302030v6c8af1edp2477f88a8f34cd63@mail.gmail.com> <46878A41.9070100@syska.dk> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message On Mon, 2 Jul 2007, Scott Silva wrote: >> performance (although I've only used sendmail and qmail, any postmix >> server I take over gets quickly replaced by either sendmail or qmail so >> I've never seen the MS/PF issues) >> >> > No fair bashing Postfix while Glenn is on vacation!! ;-P awwww, he can see it when he gets back :) -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGiXtZsWhAmSIQh7MRAmqSAJ0cZRnpuxcGKB1ed1ZeGnYS7WfAjACeNOZB W2NWK0iVFo9GcHdZLe92Np0= =mGe3 -----END PGP SIGNATURE----- From ssilva at sgvwater.com Tue Jul 3 00:44:53 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Jul 3 00:45:00 2007 Subject: Wierd question In-Reply-To: <005a01c7bce5$986cac60$8c007f0a@epctech.com> References: <46893CCD.4070900@ecs.soton.ac.uk> <005a01c7bce5$986cac60$8c007f0a@epctech.com> Message-ID: Chuck Rock spake the following on 7/2/2007 1:14 PM: > Excellent, I will test. > > Basically for the other guy, I had a mail server running MS and clamAV and > SpamAssassin. All free stuff, works nice mostly. > > I purchased a Barracuda to "add" domains to with an extra fee for the > expensive commercial spam filter. > > The final destination server is still the same. I just changed MX so only > the Barracuda was listed. > > What I've found through experience though, servers will continue to send > mail to the old MX record even though it doesn't exist. I still have servers > receiving messages for domains we haven't hosted for years. > > To keep the spammers from bypassing the new Barracuda filter inserted in the > mail flow, I must make the final destination server ignore messages from all > other IP's for incoming mail destined for specific domains and only allow > them from the new spam filter device IP. > > If any of you have a filter like this, and you haven't limited the old MX > server from receiving mail from just any IP for the domain, spam is probably > getting past your new filter. > None of my MX's will relay anything that they are not supposed to relay. If an MX doesn't need to relay a domain anymore, it should reject it. You want to reject at the first point of connection, or you have to bounce an NDR and take a chance of being a joe-job relay. In sendmail, you remove that domain from the relay_domains, I'm sure every other MTA has the same feature. An MX should not blindly relay anything. If it relays for one or a hundred domains, that is all it should be configured for. Sure it is a little more work, but it doesn't get changed much. -- MailScanner is like deodorant... 
You hope everybody uses it, and you notice quickly if they don't!!!!

From lists at gmnet.net Tue Jul 3 01:19:03 2007
From: lists at gmnet.net (mail)
Date: Tue Jul 3 01:19:09 2007
Subject: Any advice for a new server?
Message-ID: <1183421943.8123.116.camel@thor.greenbuzz.net>

Hi,

I have been running a mail server with sendmail/ MailScanner/ ClamAV/
Mailman/ Squirrelmail/ combo for the past 7 years. It is now time to
migrate my accounts to a brand new server. I was using Redhat9, but now
I'm 99% sure that I will go with Gentoo. I am also 90% sure that I will
stay with sendmail/ ClamAV/ Squirrelmail and 100% sure to stay with
MailScanner/ Mailman. I don't have a whole lot of accounts so I do have
some room to make changes and play around. Also, I just bought a new
copy of Julian's book, so I have a lot of reading to do! What I really
need is the ability to set up pop and web mail services for my clients,
also I need Mailman lists, and really good spam/ AV filters! Does
anybody have any advice for somebody starting with a fresh server?

Thanks!
rick

From res at ausics.net Tue Jul 3 02:02:22 2007
From: res at ausics.net (Res)
Date: Tue Jul 3 02:02:31 2007
Subject: Any advice for a new server?
In-Reply-To: <1183421943.8123.116.camel@thor.greenbuzz.net>
References: <1183421943.8123.116.camel@thor.greenbuzz.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

On Tue, 3 Jul 2007, mail wrote:

> Hi,
>
> I have been running a mail server with sendmail/ MailScanner/ ClamAV/
> Mailman/ Squirrelmail/ combo for the past 7 years. It is now time to
> migrate my accounts to a brand new server. I was using Redhat9, but now
> I'm 99% sure that I will go with Gentoo. I am also 90% sure that I will

You want to make sure you have several years of support, for this reason
I last used a RH OS on servers at RH9, I had one RH9 box for up to 2
years after RH stopped supporting it, because it was unbreakable. I have
since moved it to the same as other servers, being Slackware, as close to
true sources as you'll get (hence why there is no 20+ updates released
every week like RH/Fedora/Debian etc), version support is at least 5 years
or more. Also extremely reliable and stable, a good time to try it as
Slackware 12.0 was released overnight.

> stay with sendmail/ ClamAV/ Squirrelmail and 100% sure to stay with
> MailScanner/ Mailman. I don't have a whole lot of accounts so I do have

Yep, stay with them all, but make sure you use the latest versions of them.

--
Cheers
Res

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGiaAesWhAmSIQh7MRAuR6AKCckPnA6p4SFKMLUyXMrt9Z6qSNdACeOlM8
XzplccsAL+NIxGJVBw1CLNg=
=d01E
-----END PGP SIGNATURE-----

From itdept at fractalweb.com Tue Jul 3 05:20:02 2007
From: itdept at fractalweb.com (Chris Yuzik) Date: Tue Jul 3 05:20:13 2007 Subject: Any advice for a new server? In-Reply-To: <1183421943.8123.116.camel@thor.greenbuzz.net> References: <1183421943.8123.116.camel@thor.greenbuzz.net> Message-ID: <4689CE72.2040202@fractalweb.com> mail wrote: > Hi, > > I have been running a mail server with sendmail/ MailScanner/ ClamAV/ > Mailman/ Squirrelmail/ combo for the past 7 years. It is now time to > migrate my accounts to a brand new server. I was using Redhat9, but now > I'm 99% sure that I will go with Gentoo. I am also 90% sure that I will > stay with sendmail/ ClamAV/ Squirrelmail and 100% sure to stay with > MailScanner/ Mailman. I don't have a whole lot of accounts so I do have > some room to make changes and play around. Also, I just bought a new > copy of Julian's book, so I have allot of reading to to! What I really > need is the ability to set up pop and web mail services for my clients, > also I need Mailman lists, and really good spam/ AV filters! Does > anybody have any advice for somebody starting with a fresh server? > Rick, I'm not a Slackware user like Res is, but I'm overall happy with Centos. I've been the Gentoo route, and while compiling small things from source is fine, having to compile for 12+ hours straight on a production server is NOT cool, and imho offers little benefit over installing pre-compiled binaries for your hardware. By all means, investigate Slackware. Play with Centos. Try another server-class distro or two. And stick with MailScanner/ClamAV/Sendmail/MailMan/Squirrelmail. Add in some MailWatch. And please let us know what you discover. Cheers, Chris From r.berber at computer.org Tue Jul 3 07:09:57 2007 
From: r.berber at computer.org (René Berber)
Date: Tue Jul 3 07:10:19 2007
Subject: Any advice for a new server?
In-Reply-To: <4689CE72.2040202@fractalweb.com>
References: <1183421943.8123.116.camel@thor.greenbuzz.net> <4689CE72.2040202@fractalweb.com>
Message-ID:

Chris Yuzik wrote:

> I'm not a Slackware user like Res is, but I'm overall happy with Centos.
> I've been the Gentoo route, and while compiling small things from source
> is fine, having to compile for 12+ hours straight on a production server
> is NOT cool, and imho offers little benefit over installing pre-compiled
> binaries for your hardware.
[snip]

Gentoo also offers pre-compiled packages, installed with the same tool (emerge)...

--
René Berber

From Q.G.Campbell at newcastle.ac.uk Tue Jul 3 08:12:33 2007
From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell)
Date: Tue Jul 3 08:13:18 2007
Subject: Test::Harness, Test::Simple & bug in install.sh (4.6*.*)
Message-ID: <4165CF7A7F12DE4B96622CCBB90586470AC91F9C@largo.campus.ncl.ac.uk>

Julian

Since you added Test::Harness, Test::Simple, etc to the collection of source RPMs in 'install.sh', a number of us have been experiencing MailScanner build problems.

At the heart of this is the 'sort_bug.t' test failure in Test::Simple (Test-Simple-0.70-1). I accept that this flags a genuine problem but as the use of 'eq_set' is now deprecated the 'sort_bug.t' test can be safely ignored. I did this by using CPAN and forcing the installation of Test-Simple-0.70-1 and Test-Harness-2.64-1 on my RedHat AS4 system.

However when you re-run install.sh (from 4.61.7-*) it ignores these already installed versions and tries to reinstall them itself.

The reinstallation problem is linked to line 290 in install.sh where you do:

    PERL5LIB=`perl -V | grep site_perl | grep -v config_args | tr -d ' ' | tr '\n' ':'`

If you _do_not_ set PERL5LIB as above then "./CheckModuleVersion Test::Simple 0.70" works as expected and returns '0'.

With PERL5LIB set as above then the above invocation of CheckModuleVersion returns '1' and causes the install.sh script to try to reinstall Test::Simple (which fails because of the sort_bug.t test failure).

I note that CheckModuleVersion also fails to find the already installed version of Test::Harness but it does correctly find most of the other modules you check for.

There appears to be a further problem in install.sh at lines 329 to 334:

    322 FILEPREFIX=perl-${MODFILE}-${VERS}-${BUILD}
    ...
    329 if [ "x${MODFILE}" = "xCompress-Zlib" -o "x${MODFILE}" = "xTest-Harness" ]; then
    330 echo Detected Compress-Zlib, building appropriately...
    331 PERL5LIB= $RPMBUILD --rebuild ${FILEPREFIX}.src.rpm
    332 else
    333 $RPMBUILD --rebuild ${FILEPREFIX}.src.rpm
    334 fi

What is the purpose of line 331?

PS After PERL5LIB is set at line 290 it contains (as an unbroken string):

/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi:/usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi:/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi:/usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi:/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi:/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi:/usr/lib/perl5/site_perl/5.8.5:/usr/lib/perl5/site_perl/5.8.4:/usr/lib/perl5/site_perl/5.8.3:/usr/lib/perl5/site_perl/5.8.2:/usr/lib/perl5/site_perl/5.8.1:/usr/lib/perl5/site_perl/5.8.0:/usr/lib/perl5/site_perl:

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           Newcastle University,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------

From Q.G.Campbell at newcastle.ac.uk Tue Jul 3 08:20:09 2007
From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell) Date: Tue Jul 3 08:20:20 2007 Subject: Test::Harness, Test::Simple & bug in install.sh (4.6*.*) - MORE Message-ID: <4165CF7A7F12DE4B96622CCBB90586470AC91F9E@largo.campus.ncl.ac.uk> Julian I forgot to add to my previous message re. the above the results of the 'perl -V' command: [root@cheviot9 MailScanner-4.61.7-2]# perl -V Summary of my perl5 (revision 5 version 8 subversion 5) configuration: Platform: osname=linux, osvers=2.6.9-22.18.bz155725.elsmp, archname=i386-linux-thread-multi uname='linux hs20-bc1-4.build.redhat.com 2.6.9-22.18.bz155725.elsmp #1 smp thu nov 17 15:34:08 est 2005 i686 i686 i386 gnulinux ' config_args='-des -Doptimize=-O2 -g -pipe -m32 -march=i386 -mtune=pentium4 -Dversion=5.8.5 -Dmyhostname=localhost -Dperladmin=root@localhost -Dcc=gcc -Dcf_by=Red Hat, Inc. -Dinstallprefix=/usr -Dprefix=/usr -Darchname=i386-linux -Dvendorprefix=/usr -Dsiteprefix=/usr -Duseshrplib -Dusethreads -Duseithreads -Duselargefiles -Dd_dosuid -Dd_semctl_semun -Di_db -Ui_ndbm -Di_gdbm -Di_shadow -Di_syslog -Dman3ext=3pm -Duseperlio -Dinstallusrbinperl -Ubincompat5005 -Uversiononly -Dpager=/usr/bin/less -isr -Dinc_version_list=5.8.4 5.8.3 5.8.2 5.8.1 5.8.0' hint=recommended, useposix=true, d_sigaction=define usethreads=define use5005threads=undef useithreads=define usemultiplicity=define useperlio=define d_sfio=undef uselargefiles=define usesocks=undef use64bitint=undef use64bitall=undef uselongdouble=undef usemymalloc=n, bincompat5005=undef Compiler: cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBUGGING -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm', optimize='-O2 -g -pipe -m32 -march=i386 -mtune=pentium4', cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBUGGING -fno-strict-aliasing -pipe -I/usr/local/include -I/usr/include/gdbm' ccversion='', gccversion='3.4.6 20060404 (Red Hat 3.4.6-2)', gccosandvers='' intsize=4, longsize=4, ptrsize=4, doublesize=8, 
byteorder=1234 d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12 ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8 alignbytes=4, prototype=define Linker and Libraries: ld='gcc', ldflags =' -L/usr/local/lib' libpth=/usr/local/lib /lib /usr/lib libs=-lresolv -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc perllibs=-lresolv -lnsl -ldl -lm -lcrypt -lutil -lpthread -lc libc=/lib/libc-2.3.4.so, so=so, useshrplib=true, libperl=libperl.so gnulibc_version='2.3.4' Dynamic Linking: dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/usr/lib/perl5/5.8.5/i386-linux-thread-multi/CORE' cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib' Characteristics of this binary (from libperl): Compile-time options: DEBUGGING MULTIPLICITY USE_ITHREADS USE_LARGE_FILES PERL_IMPLICIT_CONTEXT Built under linux Compiled at Jul 24 2006 18:28:10 @INC: /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 
/usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           Newcastle University,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------

From pablo at lacnic.net Tue Jul 3 14:00:58 2007
From: pablo at lacnic.net (Pablo Allietti)
Date: Tue Jul 3 13:47:15 2007
Subject: log and hold
Message-ID: <20070703130058.GD43573@micron.lacnic.net.uy>

finally i can install the port in freebsd :) i change the config for my system and have 2 problems.

1. in the maillog appears every minute and second the next messages
check the seconds and minute please

Jul 3 09:40:35 micron2 MailScanner[50947]: Using SpamAssassin results cache
Jul 3 09:40:35 micron2 MailScanner[50947]: Connected to SpamAssassin cache database
Jul 3 09:40:35 micron2 MailScanner[50947]: Enabling SpamAssassin auto-whitelist functionality...
Jul 3 09:40:37 micron2 MailScanner[50947]: I have found clamavmodule scanners installed, and will use them all by default.
Jul 3 09:40:39 micron2 MailScanner[50910]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
Jul 3 09:40:40 micron2 MailScanner[50984]: MailScanner E-Mail Virus Scanner version 4.60.8 starting...
Jul 3 09:40:40 micron2 MailScanner[50984]: Read 775 hostnames from the phishing whitelist
Jul 3 09:40:40 micron2 MailScanner[50984]: Using SpamAssassin results cache
Jul 3 09:40:40 micron2 MailScanner[50984]: Connected to SpamAssassin cache database
Jul 3 09:40:40 micron2 MailScanner[50984]: Enabling SpamAssassin auto-whitelist functionality...
Jul 3 09:40:42 micron2 MailScanner[50984]: I have found clamavmodule scanners installed, and will use them all by default.
Jul 3 09:40:44 micron2 MailScanner[50947]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
Jul 3 09:40:45 micron2 MailScanner[51021]: MailScanner E-Mail Virus Scanner version 4.60.8 starting...
Jul 3 09:40:45 micron2 MailScanner[51021]: Read 775 hostnames from the phishing whitelist
Jul 3 09:40:45 micron2 MailScanner[51021]: Using SpamAssassin results cache

#############################################

2. Follow the tutorial in Julian page http://www.mailscanner.info/install/postfix.shtml

i put my postfix in hold.. and every message that i send to the server stay in queue :( i need something in postfix to send this messages or i have an error in mailscanner??

micron2# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
87676308432! 1671 Mon Jul 2 17:09:48 pablo@lacnic.net
                                     pablo@micron2.lacnic.net.uy

From hvdkooij at vanderkooij.org Tue Jul 3 13:54:11 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Jul 3 13:55:20 2007
Subject: log and hold
In-Reply-To: <20070703130058.GD43573@micron.lacnic.net.uy>
References: <20070703130058.GD43573@micron.lacnic.net.uy>
Message-ID:

On Tue, 3 Jul 2007, Pablo Allietti wrote:

> 1. in the maillog appears every minute and second the next messages
> check the seconds and minute please

...

> Jul 3 09:40:37 micron2 MailScanner[50947]: I have found clamavmodule
> scanners installed, and will use them all by default.
> Jul 3 09:40:39 micron2 MailScanner[50910]: None of the files matched by
> the "Monitors For ClamAV Updates" patterns exist!

You need to fix this.

> 2. Follow the tutorial in Julian page
> http://www.mailscanner.info/install/postfix.shtml
>
> i put my postfix in hold.. and every message that i send to the server
> stay in queue :( i need something in postfix to send this messages or i
> have an error in mailscanner??

You need to fix issue 1. Then issue 2 should be gone as well.

Your system is missing a working MS so no one will read the queue.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From pablo at lacnic.net Tue Jul 3 15:14:02 2007
From: pablo at lacnic.net (Pablo Allietti) Date: Tue Jul 3 15:00:21 2007 Subject: log and hold In-Reply-To: References: <20070703130058.GD43573@micron.lacnic.net.uy> Message-ID: <20070703141402.GF43573@micron.lacnic.net.uy> On Tue, Jul 03, 2007 at 02:54:11PM +0200, Hugo van der Kooij wrote: > On Tue, 3 Jul 2007, Pablo Allietti wrote: > > >1. in the maillog appears avery minute and second the nexts messages > >check the seconds and minute please > > ... > >Jul 3 09:40:37 micron2 MailScanner[50947]: I have found clamavmodule > >scanners installed, and will use them all by default. > >Jul 3 09:40:39 micron2 MailScanner[50910]: None of the files matched by > >the "Monitors For ClamAV Updates" patterns exist! > > You need to fix this. > > >2. Follow the tutorial in Julian page > >http://www.mailscanner.info/install/postfix.shtml > > > >i put my postfix in hold.. and every message that i send to the server > >stay in queue :( i need somthing in postfix to send this messages or i > >have an error in mailscanner?? > > You need to fix issue 1. Then issue 2 should be gone as well. > > Your system is missing a working MS so no one will read the queue. done! thanks ... i change auto for clamav and work perfectly now. :) > > Hugo. > > -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > This message is using 100% recycled electrons. > > Some men see computers as they are and say "Windows" > I use computers with Linux and say "Why Windows?" > (Thanks JFK, for the insight.) > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ---end quoted text--- -- .- Pablo Allietti E-mail: pablo@lacnic.net | LACNIC Phone : +598 2 6042222 | http://LACNIC.NET From rob at dido.ca Tue Jul 3 15:40:30 2007 
From: rob at dido.ca (Rob Morin)
Date: Tue Jul 3 15:40:31 2007
Subject: A simple test custome rule?
Message-ID: <468A5FDE.9020300@dido.ca>

Hello all... i wanted to make a test custom rule as a test to start to write my own rules as i have not done this before....

so in local.cf i wrote

header DIDO_ATTACHMENT_SUBJECT_RULE Subject =~ /testing 123/i
score DIDO_ATTACHMENT_SUBJECT_RULE 2.50
describe DIDO_ATTACHMENT_SUBJECT_RULE Test Headers

However after a reload of MS and SA this rule is never seen/used??

What would i be doing wrong, i read the custom rule wiki at apache

Any help appreciated...

using SA version 3.17 and pretty much latest MS

thanks

--
Rob Morin
Dido InterNet Inc.
Montreal, Canada
Http://www.dido.ca
514-990-4444

From cschnee at box.telemedia.ch Tue Jul 3 15:56:44 2007
From: cschnee at box.telemedia.ch (Christoph Schneeberger) Date: Tue Jul 3 15:57:05 2007 Subject: Problem with MS on OpenBSD 4.1 Message-ID: <468A63AC.5040808@box.telemedia.ch> Hello, I am using Mailscanner since quite a time and I am currently building up a new site with the latest components and a recent OS. I am using MailScanner 4.61.7 on OpenBSD 4.1_stable (as of 29th of June). I have my MailScanner running as it seems, but however and whatever I configure I never get detailed Spamassassin results in the header. Just the Spamscore character or the numeric Score (depening on how i configure it). But the spam recognition seems to work so far. I have all options in MailScanner.conf that seem to refer to that set to yes: Spam Score = yes Detailed Spam Report = yes Include Scores In SpamAssassin Report = yes Always Include SpamAssassin Report = yes When I run MS and SA in debug mode I get an error at line 832 in Mailscanner which is the following line: $batch->Explode(); The error I get is [24820] dbg: locker: safe_unlock: unlocked /root/.spamassassin/bayes.mutex [24820] dbg: learn: initializing learner Ignore errors about failing to find EOCD signature format error: can't find EOCD signature at /opt/MailScanner/bin/MailScanner line 832 Stopping now as you are debugging me. Done. I currently have no Antivirus configured since in the beginning I got issues with MailScanner telling that it can't change group to "clamav" (its named _clamav in OpenBSD), so I fixed this and the error went away, but to make sure I set the Antivirus to none. I haven't included my complete config, Mailscanner -v output and/or the complete debug output since its quite large and I was unsure if this would be considered rude on this list. So if I need to post them I'll happily provide them here. If anybody has any hints for me where to look further or what to do I would highly appreciate it, I am working on this since almost 2 days and I am really running out of ideas on where to look. 
Many thanks in advance and cheers from rainy switzerland, Christoph From MailScanner at ecs.soton.ac.uk Tue Jul 3 15:55:10 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jul 3 16:00:27 2007 Subject: A simple test custome rule? In-Reply-To: <468A5FDE.9020300@dido.ca> References: <468A5FDE.9020300@dido.ca> Message-ID: <468A634E.2080002@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Where did you put local.cf? Rob Morin wrote: > Hello all... i wanted to make a test custom rule as a test to start to > write my own rules as i have not done this before.... > > so in local.cf i wrote > > header DIDO_ATTACHMENT_SUBJECT_RULE Subject =~ /testing > 123/i score DIDO_ATTACHMENT_SUBJECT_RULE 2.50 > describe DIDO_ATTACHMENT_SUBJECT_RULE Test Headers > > However after a reload of MS and SA this rule is never seen/used?? > > What would i be doing wrong, i read the custom rule wiki at apache > > Any help appreciated... > > using SA version 3.17 and pretty much latest MS > > thanks > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFGimNdEfZZRxQVtlQRArzhAKDAetPqAfjxQCIeRlZIg8KgWPj3xwCdGJO4 NOiDhL46APDoFmVHeNcBnNE= =eksY -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From minduni at ti-edu.ch Tue Jul 3 16:08:19 2007 
From: minduni at ti-edu.ch (Marco Induni)
Date: Tue Jul 3 16:08:22 2007
Subject: Filename rule question
Message-ID: <468A6663.8010907@ti-edu.ch>

Hi All,
I try to deny some email attachments based just on the filename.
So I setup the following test rule to deny all attachment for email sent to me@pluto.com (obviously just a real address)

- in /etc/MailScanner/Mailscanner.conf
-- Filename Rules = %rules-dir%/filename-rules.rules

- in /etc/MailScanner/rules/filename-rules.rules
-- To: me@pluto.com /etc/MailScanner/filename-alldeny.conf
-- FromOrTo: default /etc/MailScanner/filename-nocheck.rules.conf

- in /etc/MailScanner/filename-alldeny.conf
-- deny .* - -

- in /etc/MailScanner/filename-nocheck.rules.conf
-- allow .* - -

So I expect that any attachment will be denied, but is not true.
It seems that everything is passing through, and the rule is not matching anything.
I've done MailScanner --lint and no syntax error appear.
I've also tried the standard rules enclosed (deny .exe .reg,...), but didn't work.

Question, for the filename rule to work, should I always setup also the filetype rule ?

Any other ideas ?
Where I'm wrong ?

Thank you and best regards
Marco Induni

From MailScanner at ecs.soton.ac.uk Tue Jul 3 16:04:58 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jul 3 16:08:48 2007 Subject: Problem with MS on OpenBSD 4.1 In-Reply-To: <468A63AC.5040808@box.telemedia.ch> References: <468A63AC.5040808@box.telemedia.ch> Message-ID: <468A659A.3090602@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Christoph Schneeberger wrote: > Hello, > > I am using Mailscanner since quite a time and I am currently building up > a new site with the latest components and a recent OS. > > I am using MailScanner 4.61.7 on OpenBSD 4.1_stable (as of 29th of June). > > I have my MailScanner running as it seems, but however and whatever I > configure I never get detailed Spamassassin results in the header. Just > the Spamscore character or the numeric Score (depening on how i > configure it). But the spam recognition seems to work so far. > > I have all options in MailScanner.conf that seem to refer to that set to > yes: > > Spam Score = yes > Detailed Spam Report = yes > Include Scores In SpamAssassin Report = yes > Always Include SpamAssassin Report = yes > > > When I run MS and SA in debug mode I get an error at line 832 in > Mailscanner which is the following line: > > $batch->Explode(); > > The error I get is > > > [24820] dbg: locker: safe_unlock: unlocked /root/.spamassassin/bayes.mutex > [24820] dbg: learn: initializing learner > Ignore errors about failing to find EOCD signature > That line gives a hint. > format error: can't find EOCD signature > at /opt/MailScanner/bin/MailScanner line 832 > So you can ignore that. > Stopping now as you are debugging me. > Done. > It has run to completion normally. It hasn't bombed out on an error at all. It has done exactly what it is supposed to do in Debug mode: process 1 batch of messages and then exit. 
> I currently have no Antivirus configured since in the beginning I got > issues with MailScanner telling that it can't change group to "clamav" > (its named _clamav in OpenBSD), so I fixed this and the error went away, > but to make sure I set the Antivirus to none. > > I haven't included my complete config, Mailscanner -v output and/or the > complete debug output since its quite large and I was unsure if this > would be considered rude on this list. > So if I need to post them I'll happily provide them here. > > If anybody has any hints for me where to look further or what to do I > would highly appreciate it, I am working on this since almost 2 days and > I am really running out of ideas on where to look. > > Many thanks in advance and cheers from rainy switzerland, > Christoph > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFGimWbEfZZRxQVtlQRAsQrAKC/xXzMz8c68WAcUvCaEPRAMYaJQQCgk3J3 Q4Z7w28mw1Hg2tBN2dFM+8M= =401R -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From rob at dido.ca Tue Jul 3 16:10:08 2007 
From: rob at dido.ca (Rob Morin) Date: Tue Jul 3 16:10:07 2007 Subject: {Spam?} Re: A simple test custome rule? In-Reply-To: <468A634E.2080002@ecs.soton.ac.uk> References: <468A5FDE.9020300@dido.ca> <468A634E.2080002@ecs.soton.ac.uk> Message-ID: <468A66D0.4040706@dido.ca> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070703/ec0fdfc3/attachment.html From cschnee at box.telemedia.ch Tue Jul 3 16:19:57 2007 
From: cschnee at box.telemedia.ch (Christoph Schneeberger) Date: Tue Jul 3 16:23:40 2007 Subject: Problem with MS on OpenBSD 4.1 In-Reply-To: <468A659A.3090602@ecs.soton.ac.uk> References: <468A63AC.5040808@box.telemedia.ch> <468A659A.3090602@ecs.soton.ac.uk> Message-ID: <468A691D.7020605@box.telemedia.ch> Hi Julian, Thanks for your reply. Julian Field wrote: .. > >When I run MS and SA in debug mode I get an error at line 832 in > >Mailscanner which is the following line: > > >$batch->Explode(); > > >The error I get is > > > > >[24820] dbg: locker: safe_unlock: unlocked > /root/.spamassassin/bayes.mutex > >[24820] dbg: learn: initializing learner > >Ignore errors about failing to find EOCD signature > > > That line gives a hint. > > >format error: can't find EOCD signature > > at /opt/MailScanner/bin/MailScanner line 832 > > > So you can ignore that. > > >Stopping now as you are debugging me. > > Done. > > > It has run to completion normally. It hasn't bombed out on an error at > all. It has done exactly what it is supposed to do in Debug mode: > process 1 batch of messages and then exit. Ok thanks, i was thinking that too, but somebody on irc told me i need to get rid of this line832 error and that would solve my problem of not having any detailed Spamassassin result headers at all. So could you give me any direction or hints where I could further search to get that problem of not having detailed results in the header solved, since thats the only problem I really have. Or asked else: Is anybody on this list running a current MailScanner on OpenBSD 4.1 successfully and do you have any hints for me where too look ? Thanks a lot and best regards, Christoph From cparker at swatgear.com Tue Jul 3 16:41:24 2007 
From: cparker at swatgear.com (Chris W. Parker) Date: Tue Jul 3 16:41:27 2007 Subject: SpamAssassin is constantly timing out References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local> <468955F8.1090701@ecs.soton.ac.uk> Message-ID: <97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> On Monday, July 02, 2007 12:46 PM Julian Field said: > Start MailScanner with > MailScanner -debug -debug-sa > and thump Ctrl-S when it pauses. This should tell you what is causing > the timeouts. (Ctrl-Q continues the output that Ctrl-S pauses) Thanks Julian. I had no idea what I was looking for as the information came up but on one of the times when I paused the output I noticed it said that ClamAV was out of date or not compatible or something. I put my thinking cap on and remembered that I never ran the ClamAV+SA module that I downloaded from the MailScanner site. So I ran that and restarted MailScanner and checked the maillog this morning and it looks like the timeouts have stopped. But during the install process of the ClamAV+SA module I got this message: About to build the ClamAV virus scanner ./install.sh: ./configure: /bin/sh: bad interpreter: Permission denied make: *** No targets specified and no makefile found. Stop. make: *** No rule to make target `install'. Stop. That doesn't make me feel warm and fuzzy inside, but still it seems that ClamAV is working because of the following messages in maillog: Jul 3 05:12:03 filter MailScanner[26690]: I have found bitdefender clamavmodule scanners installed, and will use them all by default. Jul 3 06:08:51 filter update.virus.scanners: Found clamav installed Jul 3 06:08:51 filter update.virus.scanners: Running autoupdate for clamav Jul 3 06:08:52 filter ClamAV-autoupdate[29788]: ClamAV did not need updating Does all this sound copasetic? Thanks! Chris. From itdept at fractalweb.com Tue Jul 3 18:41:33 2007 
From: itdept at fractalweb.com (Chris Yuzik)
Date: Tue Jul 3 18:41:47 2007
Subject: Any advice for a new server?
In-Reply-To:
References: <1183421943.8123.116.camel@thor.greenbuzz.net> <4689CE72.2040202@fractalweb.com>
Message-ID: <468A8A4D.1030604@fractalweb.com>

René Berber wrote:
> Chris Yuzik wrote:
>
>
>> I'm not a Slackware user like Res is, but I'm overall happy with Centos.
>> I've been the Gentoo route, and while compiling small things from source
>> is fine, having to compile for 12+ hours straight on a production server
>> is NOT cool, and imho offers little benefit over installing pre-compiled
>> binaries for your hardware.
>>
> [snip]
>
> Gentoo also offers pre-compiled packages, installed with the same tool (emerge)...
>

René,

Thanks. I did not know that. I should have pointed out that it's been years (about 3 and a half) since I last played with Gentoo. I still remember spending 2+ days compiling openoffice.org. :-)

Chris

From glenn.steen at gmail.com Tue Jul 3 18:51:06 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jul 3 18:51:09 2007 Subject: Filename rule question In-Reply-To: <468A6663.8010907@ti-edu.ch> References: <468A6663.8010907@ti-edu.ch> Message-ID: <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> On 03/07/07, Marco Induni wrote: > Hi All, > I try to deny some email attachments based just on the filename. > So I setup the following test rule to deny all attachment for email > sended to me@pluto.com (obviously just a real address) > > - in /etc/MailScanner/Mailscanner.conf > -- Filename Rules = %rules-dir%/filename-rules.rules > > - in /etc/MailScanner/rules/filename-rules.rules > -- To: me@pluto.com /etc/MailScanner/filename-alldeny.conf > -- FromOrTo: default > /etc/MailScanner/filename-nocheck.rules.conf > > - in /etc/MailScanner/filename-alldeny.conf > -- deny .* - - > > - in /etc/MailScanner/filename-nocheck.rules.conf > -- allow .* - - > > > So I expect that any attachment will be denied, but is not true. > It seems that everything is passing through, and the rule is not > matching anything. > I've done MailScanner --lint and no syntax error appear. > I've also tried the standard rules enclosed (deny .exe .reg,...), but > didn't work. When troubleshooting things like these, always doublecheck your assumptions with MailScanner itself... Try "MailScanner --help" to see the possible things you can do ... apart from the well-known --debug and --lint (start by doing a lint... it'll show you any bad syntax errors), you can also try any setting with any sender/receiver .... In your case you'd test MailScanner --value=filenamerules --from=anyone@example.net --to=me@pluto.com and perhaps some variations ... Replace with addresses valid to your situation. > Question, for the filename rule to work, should I always setup also the > filetype rule ? Almost always a good thing to do, yes. Check those with the same strategy/commands. > Any other ideas ? > Where I'm wrong ? Probably a typo. 
Might be related to those files needing to be separated... Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From rob at dido.ca Tue Jul 3 19:04:34 2007 From: rob at dido.ca (Rob Morin) Date: Tue Jul 3 19:04:33 2007 Subject: {Spam?} Re: A simple test custome rule? In-Reply-To: <468A634E.2080002@ecs.soton.ac.uk> References: <468A5FDE.9020300@dido.ca> <468A634E.2080002@ecs.soton.ac.uk> Message-ID: <468A8FB2.20908@dido.ca> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070703/85578fda/attachment.html From glenn.steen at gmail.com Tue Jul 3 19:15:43 2007 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 3 19:15:45 2007
Subject: Problem with MS on OpenBSD 4.1
In-Reply-To: <468A691D.7020605@box.telemedia.ch>
References: <468A63AC.5040808@box.telemedia.ch> <468A659A.3090602@ecs.soton.ac.uk> <468A691D.7020605@box.telemedia.ch>
Message-ID: <223f97700707031115m7f156454wac3f7b80febe5434@mail.gmail.com>

On 03/07/07, Christoph Schneeberger wrote:
> Hi Julian,
>
> Thanks for your reply.
>
> Julian Field wrote:
> ..
> > >When I run MS and SA in debug mode I get an error at line 832 in
> > >Mailscanner which is the following line:
> >
> > >$batch->Explode();
> >
> > >The error I get is
> > >
> >
> > >[24820] dbg: locker: safe_unlock: unlocked
> > /root/.spamassassin/bayes.mutex
> > >[24820] dbg: learn: initializing learner
> > >Ignore errors about failing to find EOCD signature
> > >
> > That line gives a hint.
> >
> > >format error: can't find EOCD signature
> > > at /opt/MailScanner/bin/MailScanner line 832
> > >
> > So you can ignore that.
> >
> > >Stopping now as you are debugging me.
> > > Done.
> > >
> > It has run to completion normally. It hasn't bombed out on an error at
> > all. It has done exactly what it is supposed to do in Debug mode:
> > process 1 batch of messages and then exit.
>
>
> Ok thanks, i was thinking that too, but somebody on irc told me i need
> to get rid of this line832 error and that would solve my problem of not
> having any detailed Spamassassin result headers at all.
>
> So could you give me any direction or hints where I could further search
> to get that problem of not having detailed results in the header solved,
> since thats the only problem I really have.
>
> Or asked else: Is anybody on this list running a current MailScanner on
> OpenBSD 4.1 successfully and do you have any hints for me where too look ?
>
> Thanks a lot and best regards,
> Christoph
>

OpenBSD isn't exactly unheard of, but it certainly isn't one of the more used OSes....
But this might not be anything specific to your OS... Call me dull, but did you run a MailScanner --debug --debug-sa ... with something obvious, like a GTUBE, on queue? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From rlane at i-centrix.com Tue Jul 3 19:19:31 2007 From: rlane at i-centrix.com (Ryan Lane) Date: Tue Jul 3 19:18:47 2007 Subject: New support for clamd Message-ID: <468A9333.1040702@i-centrix.com> The new support for clamd is most excellent! I run a fairly busy server, and the processing times are significantly better. I just implemented the change this morning, and I immediately saw the benefit. The load on the server is considerably better too. Down from an almost constant 1.00+ load average to 0.20 Thanks for the great work, and continual improvements. -Ryan From ms-list at alexb.ch Tue Jul 3 19:21:38 2007 
From: ms-list at alexb.ch (Alex Broens) Date: Tue Jul 3 19:21:45 2007 Subject: {Spam?} Re: A simple test custome rule? In-Reply-To: <468A8FB2.20908@dido.ca> References: <468A5FDE.9020300@dido.ca> <468A634E.2080002@ecs.soton.ac.uk> <468A8FB2.20908@dido.ca> Message-ID: <468A93B2.3030201@alexb.ch> On 7/3/2007 8:04 PM, Rob Morin wrote: > Ok so i see my rule now in the headers for the email, so i guess its working... > however it seems that it would not work alone?? > > IE, if i send a regular email with the text in the subject that i am looking > for, the email comes through with no score at all, even though i associated my > rule with a score of 2.75 > > Strange, i guess there is something i am missing.... > > Yes, score=20.952 tag=-9999 tag2=4.5 kill=7.5 tests=[BAYES_99=3.5, > DIDO_PDF_ATTACHMENT_SUBJECT_RULE=2.75, HELO_DYNAMIC_IPADDR=4.2, > RCVD_IN_BL_SPAMCOP_NET=1.558, RCVD_IN_NJABL_DUL=2, RCVD_IN_PBL=0.001, > RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=4.897] > > My rule is DIDO_PDF_ATTACHMENT_SUBJECT_RULE=2.75 > > but if i send an email with .pdf in the subject it does not get caught.... weird... > > ### To catch that pdf attach email crap in the subject line > header DIDO_PDF_ATTACHMENT_SUBJECT_RULE Subject =~ /.pdf/i > score DIDO_PDF_ATTACHMENT_SUBJECT_RULE 2.75 > describe DIDO_PDF_ATTACHMENT_SUBJECT_RULE PDF Crap try escaping the period Subject =~ /\.pdf/i Alex From MailScanner at ecs.soton.ac.uk Tue Jul 3 19:21:47 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jul 3 19:27:39 2007 Subject: SpamAssassin is constantly timing out In-Reply-To: <97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local> <468955F8.1090701@ecs.soton.ac.uk> <97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> Message-ID: <468A93BB.40603@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chris W. Parker wrote: > On Monday, July 02, 2007 12:46 PM Julian Field said: > > >> Start MailScanner with >> MailScanner -debug -debug-sa >> and thump Ctrl-S when it pauses. This should tell you what is causing >> the timeouts. (Ctrl-Q continues the output that Ctrl-S pauses) >> > > Thanks Julian. > > I had no idea what I was looking for as the information came up but on > one of the times when I paused the output I noticed it said that ClamAV > was out of date or not compatible or something. I put my thinking cap on > and remembered that I never ran the ClamAV+SA module that I downloaded > from the MailScanner site. So I ran that and restarted MailScanner and > checked the maillog this morning and it looks like the timeouts have > stopped. > > But during the install process of the ClamAV+SA module I got this > message: > > About to build the ClamAV virus scanner > ./install.sh: ./configure: /bin/sh: bad interpreter: Permission denied > That's really weird, never seen that before. I assume you have a /bin/sh! > make: *** No targets specified and no makefile found. Stop. > make: *** No rule to make target `install'. Stop. > > That doesn't make me feel warm and fuzzy inside, but still it seems that > ClamAV is working because of the following messages in maillog: > > Jul 3 05:12:03 filter MailScanner[26690]: I have found bitdefender > clamavmodule scanners installed, and will use them all by default. 
> Jul 3 06:08:51 filter update.virus.scanners: Found clamav installed > Jul 3 06:08:51 filter update.virus.scanners: Running autoupdate for > clamav > Jul 3 06:08:52 filter ClamAV-autoupdate[29788]: ClamAV did not need > updating > > Does all this sound copasetic? > Sounds like you have a version of ClamAV already installed. If it's an RPM of ClamAV then look for updates at dag.wieers.com. > > Thanks! > Chris. > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGipO8EfZZRxQVtlQRApGkAJ4zTfcRY+bBgGEonpw29nmph1BXYwCgv4iC MOWoUQx327O7ly7sTrpFbH0= =glHD -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Tue Jul 3 19:23:33 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jul 3 19:33:12 2007 Subject: Filename rule question In-Reply-To: <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> Message-ID: <468A9425.3050007@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > On 03/07/07, Marco Induni wrote: >> Hi All, >> I try to deny some email attachments based just on the filename. >> So I setup the following test rule to deny all attachment for email >> sended to me@pluto.com (obviously just a real address) >> >> - in /etc/MailScanner/Mailscanner.conf >> -- Filename Rules = %rules-dir%/filename-rules.rules >> >> - in /etc/MailScanner/rules/filename-rules.rules >> -- To: me@pluto.com /etc/MailScanner/filename-alldeny.conf >> -- FromOrTo: default >> /etc/MailScanner/filename-nocheck.rules.conf >> >> - in /etc/MailScanner/filename-alldeny.conf >> -- deny .* - - >> >> - in /etc/MailScanner/filename-nocheck.rules.conf >> -- allow .* - - >> >> >> So I expect that any attachment will be denied, but is not true. >> It seems that everything is passing through, and the rule is not >> matching anything. >> I've done MailScanner --lint and no syntax error appear. >> I've also tried the standard rules enclosed (deny .exe .reg,...), but >> didn't work. > > When troubleshooting things like these, always doublecheck your > assumptions with MailScanner itself... Try "MailScanner --help" to see > the possible things you can do ... apart from the well-known --debug > and --lint (start by doing a lint... it'll show you any bad syntax > errors), you can also try any setting with any sender/receiver .... In > your case you'd test > MailScanner --value=filenamerules --from=anyone@example.net > --to=me@pluto.com > and perhaps some variations ... Replace with addresses valid to your > situation. 
> >> Question, for the filename rule to work, should I always setup also the >> filetype rule ? > > Almost always a good thing to do, yes. Check those with the same > strategy/commands. > > >> Any other ideas ? >> Where I'm wrong ? > > Probably a typo. Might be related to those files needing to be > separated... That catches out a lot of people. filename.rules.conf and its brethren have to be tab-separated as otherwise the filename and filetype regular expressions cannot include spaces. > > Cheers Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGipQmEfZZRxQVtlQRArW3AKCz+ALm1GvtddoQRXs+K/A6RZ8qmQCeMDH8 d9kZ/HGBrzpKDSCi4+DL/Ds= =J68O -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From Denis.Beauchemin at USherbrooke.ca Tue Jul 3 19:36:24 2007 
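Julian's point above, that filename.rules.conf and its relatives must be tab-separated, is easy to check mechanically. The following is an added example, not part of the original thread or of MailScanner itself: a small Python linter for such a file. The four-field layout (action, regular expression, log text, user text) is assumed from the `deny .* - -` line quoted in the thread, splitting on runs of tabs is an assumption, and `lint_rules` and `SAMPLE` are hypothetical names.

```python
import re

# Field layout assumed from the "deny .* - -" line quoted in the thread.
FIELDS = ("action", "regex", "log text", "user text")

# Constructed sample. Line 2 was typed with spaces (as it appears in the
# thread), line 3 is correctly tab-separated, line 4 is missing a field.
SAMPLE = (
    "# action<TAB>regex<TAB>log text<TAB>user text\n"
    "deny .* - -\n"
    "deny\tpretty\\s+park\\.exe$\tW32/Prettypark\tNo pretty park files\n"
    "allow\t.*\t-\n"
)


def lint_rules(text):
    """Check a filename/filetype rules file for tab separation.

    Returns a list of (line_number, kind, suggested_line) tuples.
    kind is "spaces-not-tabs" when the line holds enough whitespace-separated
    tokens but no tabs, or "field-count:N" when the tab split yields N fields
    instead of four. suggested_line is only given for the first kind.
    """
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        fields = re.split(r"\t+", stripped)  # assumption: runs of tabs separate fields
        if len(fields) == len(FIELDS):
            continue  # well-formed
        tokens = stripped.split()
        if len(fields) == 1 and len(tokens) >= len(FIELDS):
            # No tab at all: the author most likely used spaces. The repair
            # below is only a guess; it is wrong if the regex itself was
            # meant to contain a space, so a human has to confirm it.
            fixed = "\t".join(tokens[:3] + [" ".join(tokens[3:])])
            findings.append((number, "spaces-not-tabs", fixed))
        else:
            findings.append((number, "field-count:%d" % len(fields), None))
    return findings


if __name__ == "__main__":
    for number, kind, fixed in lint_rules(SAMPLE):
        hint = "" if fixed is None else "  suggested: %r" % fixed
        print("line %d: %s%s" % (number, kind, hint))
```

A line reported as spaces-not-tabs is read as one long field, which is consistent with the rule in the thread matching nothing.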
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Tue Jul 3 19:36:54 2007 Subject: {Spam?} Re: A simple test custome rule? In-Reply-To: <468A8FB2.20908@dido.ca> References: <468A5FDE.9020300@dido.ca> <468A634E.2080002@ecs.soton.ac.uk> <468A8FB2.20908@dido.ca> Message-ID: <468A9728.1000701@USherbrooke.ca> Rob Morin wrote: > Ok so i see my rule now in the headers for the email, so i guess its > working... however it seems that it would not work alone?? Do you have the following in MailScanner.conf: Always Include SpamAssassin Report = yes If not then you will not see your rule hit unless the email is considered spam... Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3595 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070703/c36b4d57/smime.bin From shuttlebox at gmail.com Tue Jul 3 19:54:35 2007 From: shuttlebox at gmail.com (shuttlebox) Date: Tue Jul 3 19:54:39 2007 Subject: SpamAssassin is constantly timing out In-Reply-To: <97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local> <468955F8.1090701@ecs.soton.ac.uk> <97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> Message-ID: <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com> On 7/3/07, Chris W. Parker wrote: > ./install.sh: ./configure: /bin/sh: bad interpreter: Permission denied Where was install.sh located? Maybe in /tmp mounted with noexec? -- /peter From cparker at swatgear.com Tue Jul 3 20:18:55 2007 
From: cparker at swatgear.com (Chris W. Parker) Date: Tue Jul 3 20:18:57 2007 Subject: SpamAssassin is constantly timing out References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local><468955F8.1090701@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com> Message-ID: <97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local> On Tuesday, July 03, 2007 11:55 AM shuttlebox said: > On 7/3/07, Chris W. Parker wrote: >> ./install.sh: ./configure: /bin/sh: bad interpreter: Permission >> denied > > Where was install.sh located? Maybe in /tmp mounted with noexec? It's here: [root@filter ~/downloads/install-Clam-0.90.3-SA-3.2.1]# But yes, /tmp is mounted with noexec. Chris. From dboltz at gmail.com Tue Jul 3 20:24:47 2007 
From: dboltz at gmail.com (Dave Boltz) Date: Tue Jul 3 20:24:55 2007 Subject: MailScanner not delivering mail anymore Message-ID: <3c1d4f520707031224i18258d45pd90079220d8eac93@mail.gmail.com> I've been going through stuff all day and I'm really stuck here. I hope someone can help me. I use MailScanner with sendmail. This setup has been in place for years and worked without problems. All of a sudden this weekend it stopped delivering its mail from the incoming queue but instead just piles up there. If I modify my MailScanner.conf file to run in debug mode it will process a bunch of email and send it off but it's always finishing with the messages below. I notice from MailWatch that if I run this without debug mode it will start marking all email as a virus after some time. The number of EOCD messages seems to vary with the number of email processed in that run. Does anyone have any clues as to how I can solve this issue? Starting MailScanner daemons: incoming sendmail: SPF milter already running [ OK ] outgoing sendmail: [ OK ] MailScanner: In Debugging mode, not forking... Ignore errors about failing to find EOCD signature format error: can't find EOCD signature at /usr/sbin/MailScanner line 820 format error: can't find EOCD signature at /usr/sbin/MailScanner line 820 commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 707. Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 707. Stopping now as you are debugging me. [ OK ] -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070703/45d7d3c8/attachment.html From jkf at ecs.soton.ac.uk Tue Jul 3 20:23:35 2007 
From: jkf at ecs.soton.ac.uk (Julian Field) Date: Tue Jul 3 20:27:20 2007 Subject: SpamAssassin is constantly timing out In-Reply-To: <97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local> References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local><468955F8.1090701@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com> <97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local> Message-ID: <468AA237.3070404@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chris W. Parker wrote: > On Tuesday, July 03, 2007 11:55 AM shuttlebox said: > > >> On 7/3/07, Chris W. Parker wrote: >> >>> ./install.sh: ./configure: /bin/sh: bad interpreter: Permission >>> denied >>> >> Where was install.sh located? Maybe in /tmp mounted with noexec? >> > > It's here: > > [root@filter ~/downloads/install-Clam-0.90.3-SA-3.2.1]# > > But yes, /tmp is mounted with noexec. > That's the problem then. Type this and then rerun the ./install.sh script. mount -o remount,exec /tmp > > > Chris. > Jules - -- Julian Field MBCS CITP jkf@ecs.soton.ac.uk Teaching Systems Manager Electronics & Computer Science University of Southampton SO17 1BJ, UK -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGiqJ0EfZZRxQVtlQRAgxEAKDKTLJDHDJsCcUabbXslOMm7+gB7wCfbXxu geNKnsiPii1aW1sdJ+KHnoY= =oTKQ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Tue Jul 3 20:48:08 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jul 3 20:51:06 2007 Subject: MailScanner not delivering mail anymore In-Reply-To: <3c1d4f520707031224i18258d45pd90079220d8eac93@mail.gmail.com> References: <3c1d4f520707031224i18258d45pd90079220d8eac93@mail.gmail.com> Message-ID: <468AA7F8.3080108@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dave Boltz wrote: > > I've been going through stuff all day and I'm really stuck here. I > hope someone can help me. I use MailScanner with sendmail. This > setup has been in place for years and worked without problems. All of > a sudden this weekend it stopped delivering its mail from the incoming > queue but instead just piles up there. If I modify my > MailScanner.conf file to run in debug mode it will process a bunch of > email and send it of but it's always finishing with the messages > below. I notice from MailWatch that if I run this without debug mode > it will start marking all email as a virus after some time. The > number of EOCD messages seems to very with the number of email > processed in that run. > And it specifically told you in the output to ignore EOCD errors. So please ignore them :-) > > Does anyone have any clues as to how I can solve this issue? > > > Starting MailScanner daemons: > > incoming sendmail: SPF milter already running > > [ OK ] > > outgoing sendmail: [ OK ] > > MailScanner: In Debugging mode, not forking... > > Ignore errors about failing to find EOCD signature > > format error: can't find EOCD signature > > at /usr/sbin/MailScanner line 820 > > format error: can't find EOCD signature > > at /usr/sbin/MailScanner line 820 > > commit ineffective with AutoCommit enabled at > /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, > line 707. > > Commmit ineffective while AutoCommit is on at > /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, > line 707. > > Stopping now as you are debugging me. > All of those are totally harmless. 
What virus scanners are you using? What does MailScanner --lint say? When it starts marking them as viruses, what is it logging? You haven't given us any useful info to go on :-( Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGiqf4EfZZRxQVtlQRAj3dAJ4gkdl+kGGR0m2r42I9NX82xkuUvACfeLk9 FZQ9Lu0mtHY9A8XVY4trM/4= =X4g1 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From carock at epconline.com Tue Jul 3 20:56:41 2007 
From: carock at epconline.com (Chuck Rock) Date: Tue Jul 3 20:56:58 2007 Subject: Wierd question In-Reply-To: Message-ID: <003801c7bdac$46ae4880$8c007f0a@epctech.com> The server I need to stop receiving mail is not a relay, but the final destination POP3 account server. It used to be the MX handler for the domain, but now the new filter server is. I needed the final destination POP3 mailbox server to reject mail to a specific domain from every other IP except the new filter server. Since the POP3 server was a listed MX handler for the domain, it's in caches and spammer relay lists for the domain. Once the DNS changes have propagated and most caches have timed out and refreshed, the only mail for that specific domain still being sent to the old MX ip is junk. Since the server is still the final destination POP3 mailbox server, it MUST receive mail for that domain. I just needed to make sure it was only from the filter and not just any IP. Since the server hosts hundreds of other domains, I could not just filter port 25 traffic, it had to be domain specific. If you use a prefilter setup like a piece of hardware for spam/av filter for E-mail, you will get spam and other junk bypassing your filter if the old MX record for the domain will still accept mail from any address for the filtered domain. Chuck -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva Sent: Monday, July 02, 2007 6:45 PM To: mailscanner@lists.mailscanner.info Subject: Re: Wierd question Chuck Rock spake the following on 7/2/2007 1:14 PM: > Excellent, I will test. > > Basically for the other guy, I had a mail server running MS and clamAV and > SpamAssassin. All free stuff, works nice mostly. > > I purchased a Barracuda to "add" domains to with an extra fee for the > expensive commercial spam filter. > > The final destination server is still the same. I just changed MX so only > the Barracuda was listed. > > What I've found through experience though, servers will continue to send > mail to the old MX record even though it doesn't exist. I still have servers > receiving messages for domains we haven't hosted for years. > > To keep the spammers from bypassing the new Barracuda filter inserted in the > mail flow, I must make the final destination server ignore messages from all > other IP's for incoming mail destined for specific domains and only allow > them from the new spam filter device IP. > > If any of you have a filter like this, and you haven't limited the old MX > server from receiving mail from just any IP for the domain, spam is probably > getting past your new filter. > None of my MX's will relay anything that they are not supposed to relay. If an MX doesn't need to relay a domain anymore, it should reject it. You want to reject at the first point of connection, or you have to bounce an NDR and take a chance of being a joe-job relay. In sendmail, you remove that domain from the relay_domains, I'm sure every other MTA has the same feature. An MX should not blindly relay anything. If it relays for one or a hundred domains, that is all it should be configured for. Sure it is a little more work, but it doesn't get changed much. -- MailScanner is like deodorant... 
You hope everybody uses it, and you notice quickly if they don't!!!! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From itdept at fractalweb.com Tue Jul 3 21:02:35 2007 
From: itdept at fractalweb.com (Chris Yuzik) Date: Tue Jul 3 21:02:51 2007 Subject: clamd configuration? Message-ID: <468AAB5B.7010101@fractalweb.com> I'm testing clamd instead of clamavmodule, but am still having a problem. I'm on Centos 4.4 with everything kept up to date. I'm running MailScanner 4.61.7, and I've got clamd running, and have specified that MailScanner should use "clamd" as the antivirus scanner. I've tried sending the eicar test file through and it walks through everything. I must have missed something. # MailScanner --lint Read 777 hostnames from the phishing whitelist Config: calling custom init function SQLBlacklist Config: calling custom init function MailWatchLogging Config: calling custom init function SQLWhitelist Checking version numbers... Version number in MailScanner.conf (4.61.7) is correct. Checking for SpamAssassin errors (if you use it)... SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. Using locktype = posix Creating hardcoded struct_flock subroutine for linux (Linux-type) MailScanner.conf says "Virus Scanners = clamd" Found these virus scanners installed: clamavmodule, clamd # grep -i clamd /etc/MailScanner/MailScanner.conf | grep -v '^#' Virus Scanners = clamd Clamd Port = 3310 Clamd Socket = /tmp/clamd Clamd Lock File = /var/lock/subsys/clamd Clamd Use Threads = yes Freshclam indicates that clamav is up to date. Thanks, Chris From uxbod at splatnix.net Tue Jul 3 21:04:55 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Tue Jul 3 21:04:57 2007 Subject: Any advice for a new server? In-Reply-To: <468A8A4D.1030604@fractalweb.com> References: <468A8A4D.1030604@fractalweb.com> Message-ID: Yes, but OpenOffice would not be required on the server ;) To put Gentoo in context I recently re-built my dual Opteron 2GB server in two hours. All up to date and optimised. I just love the control and flexibility that Gentoo offers. Though do agree with some comments that it is not the easiest distro to get running. The LiveCD has helped to address the balance though now. --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From uxbod at splatnix.net Tue Jul 3 21:06:18 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Tue Jul 3 21:06:24 2007 Subject: clamd configuration? In-Reply-To: <468AAB5B.7010101@fractalweb.com> References: <468AAB5B.7010101@fractalweb.com> Message-ID: <332b3e3ad3564836ac864a0bda4708b6@62.49.223.244> ps -ef | grep clamd what does that show ? Anything in /var/log/messages ? Have you ran MailScanner in debug mode ? On Tue, 03 Jul 2007 13:02:35 -0700, Chris Yuzik wrote: > I'm testing clamd instead of clamavmodule, but am still having a > problem. I'm on Centos 4.4 with everything kept up to date. > > I'm running MailScanner 4.61.7, and I've got clamd running, and have > specified that MailScanner should use "clamd" as the antivirus scanner. > I've tried sending the eicar test file through and it walks through > everything. I must have missed something. > > # MailScanner --lint > Read 777 hostnames from the phishing whitelist > Config: calling custom init function SQLBlacklist > Config: calling custom init function MailWatchLogging > Config: calling custom init function SQLWhitelist > Checking version numbers... > Version number in MailScanner.conf (4.61.7) is correct. > > Checking for SpamAssassin errors (if you use it)... > SpamAssassin temporary working directory is > /var/spool/MailScanner/incoming/SpamAssassin-Temp > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp > Using SpamAssassin results cache > Connected to SpamAssassin cache database > SpamAssassin reported no errors. > Using locktype = posix > Creating hardcoded struct_flock subroutine for linux (Linux-type) > MailScanner.conf says "Virus Scanners = clamd" > Found these virus scanners installed: clamavmodule, clamd > > # grep -i clamd /etc/MailScanner/MailScanner.conf | grep -v '^#' > Virus Scanners = clamd > Clamd Port = 3310 > Clamd Socket = /tmp/clamd > Clamd Lock File = /var/lock/subsys/clamd > Clamd Use Threads = yes > > Freshclam indicates that clamav is up to date. 
> > Thanks, > Chris > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. -- --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From rlane at i-centrix.com Tue Jul 3 21:14:05 2007 From: rlane at i-centrix.com (Ryan Lane) Date: Tue Jul 3 21:13:21 2007 Subject: clamd configuration? In-Reply-To: <468AAB5B.7010101@fractalweb.com> References: <468AAB5B.7010101@fractalweb.com> Message-ID: <468AAE0D.3020103@i-centrix.com> Chris Yuzik wrote: > # grep -i clamd /etc/MailScanner/MailScanner.conf | grep -v '^#' > Virus Scanners = clamd > Clamd Port = 3310 > Clamd Socket = /tmp/clamd > Clamd Lock File = /var/lock/subsys/clamd > Clamd Use Threads = yes I just set this up today, and have it working (with eicar test files, and clamav test files). My config lines are: Clamd Port = 3310 Clamd Socket = /var/run/clamav/clamd.sock #Clamd Socket = /tmp/clamd Clamd Lock File = # /var/lock/subsys/clamd Clamd Use Threads = yes I'm running this on centos 4.5 with clamav/clamd from dag's repo. -Ryan From r.berber at computer.org Tue Jul 3 22:59:12 2007 
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=) Date: Tue Jul 3 22:59:37 2007 Subject: Any advice for a new server? In-Reply-To: <468A8A4D.1030604@fractalweb.com> References: <1183421943.8123.116.camel@thor.greenbuzz.net> <4689CE72.2040202@fractalweb.com> <468A8A4D.1030604@fractalweb.com> Message-ID: Chris Yuzik wrote: > René Berber wrote: >> Chris Yuzik wrote: >> >> >>> I'm not a Slackware user like Res is, but I'm overall happy with Centos. >>> I've been the Gentoo route, and while compiling small things from source >>> is fine, having to compile for 12+ hours straight on a production server >>> is NOT cool, and imho offers little benefit over installing pre-compiled >>> binaries for your hardware. >>> >> [snip] >> >> Gentoo also offers pre-compiled packages, installed with the same tool >> (emerge)... >> > René, > > Thanks. I did not know that. I should have pointed out that it's been > years (about 3 and a half) since I last played with Gentoo. I still > remember spending 2+ days compiling openoffice.org. :-) Yep, that's the beast that really makes you wonder, why compile everything? ;-) -- René Berber From itdept at fractalweb.com Tue Jul 3 23:24:22 2007 
From: itdept at fractalweb.com (Chris Yuzik) Date: Tue Jul 3 23:24:37 2007 Subject: clamd configuration? In-Reply-To: <332b3e3ad3564836ac864a0bda4708b6@62.49.223.244> References: <468AAB5B.7010101@fractalweb.com> <332b3e3ad3564836ac864a0bda4708b6@62.49.223.244> Message-ID: <468ACC96.2010305@fractalweb.com> --[ UxBoD ]-- wrote: > ps -ef | grep clamd > > what does that show ? > > Anything in /var/log/messages ? Have you ran MailScanner in debug mode ? > # ps -ef | grep clamd root 26478 14850 0 13:07 pts/1 00:00:00 grep clamd clamav 32619 1 2 12:08 ? 00:01:38 clamd If I tail the maillog while grepping for anything about clam, and send the eicar file through, I get absolutely nothing. Also /var/log/messages shows that freshclam has updated but nothing else; no mention of the virus test file. I've tried MailScanner in debug mode and there weren't any errors. Chris From itdept at fractalweb.com Wed Jul 4 00:06:19 2007 
From: itdept at fractalweb.com (Chris Yuzik) Date: Wed Jul 4 00:06:35 2007 Subject: clamd configuration? In-Reply-To: <468ACC96.2010305@fractalweb.com> References: <468AAB5B.7010101@fractalweb.com> <332b3e3ad3564836ac864a0bda4708b6@62.49.223.244> <468ACC96.2010305@fractalweb.com> Message-ID: <468AD66B.2000704@fractalweb.com> I have done some further testing, and still cannot get MailScanner to talk to clamd. Argh! While tailing /var/log/maillog and /var/log/clamav/clamav.log, with: tail -f /var/log/maillog | grep -i clam and tail -f /var/log/clamav/clamd.log I've done '# clamdscan' in a dir that has the eicar test file in it, and I immediately see in clamd.log 'Tue Jul 3 15:44:30 2007 -> /etc/MailScanner/clamtest/eicar_com.zip: Eicar-Test-Signature FOUND'. If I email the same file to myself, it goes right through the server and there are no log entries in either log. So it appears that Clamd is doing its thing, but MailScanner is not talking to it. I'd ask the clam people, but at this point this problem is looking like a MailScanner problem. Chris From itdept at fractalweb.com Wed Jul 4 00:22:41 2007 
From: itdept at fractalweb.com (Chris Yuzik) Date: Wed Jul 4 00:23:00 2007 Subject: clamd configuration? In-Reply-To: <468AAE0D.3020103@i-centrix.com> References: <468AAB5B.7010101@fractalweb.com> <468AAE0D.3020103@i-centrix.com> Message-ID: <468ADA41.4010307@fractalweb.com> Ryan Lane wrote: > Chris Yuzik wrote: >> # grep -i clamd /etc/MailScanner/MailScanner.conf | grep -v '^#' >> Virus Scanners = clamd >> Clamd Port = 3310 >> Clamd Socket = /tmp/clamd >> Clamd Lock File = /var/lock/subsys/clamd >> Clamd Use Threads = yes > > I just set this up today, and have it working (with eicar test files, > and clamav test files). My config lines are: > > Clamd Port = 3310 > Clamd Socket = /var/run/clamav/clamd.sock > #Clamd Socket = /tmp/clamd > Clamd Lock File = # /var/lock/subsys/clamd > Clamd Use Threads = yes > > I'm running this on centos 4.5 with clamav/clamd from dag's repo. I went through the config file for clamd and found that the TCP port wasn't enabled for the daemon, so I uncommented out the line, and restarted clamd. Still not working. Oy. Not sure what to do next. From rcooper at dwford.com Wed Jul 4 00:42:00 2007 From: rcooper at dwford.com (Rick Cooper) Date: Wed Jul 4 00:42:10 2007 Subject: clamd configuration? In-Reply-To: <468ADA41.4010307@fractalweb.com> References: <468AAB5B.7010101@fractalweb.com> <468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com> Message-ID: <06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Chris Yuzik
> Sent: Tuesday, July 03, 2007 7:23 PM
> To: MailScanner discussion
> Subject: Re: clamd configuration?
>
> Ryan Lane wrote:
> > Chris Yuzik wrote:
> >> # grep -i clamd /etc/MailScanner/MailScanner.conf | grep -v '^#'
> >> Virus Scanners = clamd
> >> Clamd Port = 3310
> >> Clamd Socket = /tmp/clamd
> >> Clamd Lock File = /var/lock/subsys/clamd
> >> Clamd Use Threads = yes
> >
[...]
> >
> > I'm running this on centos 4.5 with clamav/clamd from dag's repo.
> I went through the config file for clamd and found that the TCP port
> wasn't enabled for the daemon, so I uncommented out the line, and
> restarted clamd. Still not working.
>
> Oy.
>
> Not sure what to do next.
>

Please run MailScanner in debug mode, show what is output from the clamd section, and if possible the clamd.conf, remember that is where the clam daemon is getting its parameter. If MailScanner cannot reach clamd there will be alerts even if you are not in debug mode. Also note if you supply a path to the socket the port is not used. If you are not using unix sockets (/tmp/clamd or /tmp/clamd.sock, etc) then you should have an IP address (probably 127.0.0.1) for the socket address.

Rick

From res at ausics.net Wed Jul 4 00:43:01 2007
From: res at ausics.net (Res)
Date: Wed Jul 4 00:43:12 2007
Subject: clamd configuration?
In-Reply-To: <468AAB5B.7010101@fractalweb.com>
References: <468AAB5B.7010101@fractalweb.com>
Message-ID:

Hi Chris,

On Tue, 3 Jul 2007, Chris Yuzik wrote:

> Clamd Port = 3310
> Clamd Socket = /tmp/clamd

You're saying Port number but supplying no IP; change the socket to:

Clamd Port = 3310
Clamd Socket = 127.0.0.1 #/tmp/clamd

--
Cheers
Res

From seamus at rheelweb.co.nz Wed Jul 4 01:05:22 2007
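The rule Rick and Res describe in the messages above (a socket path means a Unix socket and the port is ignored; otherwise the socket value must be an IP address used with the port), as an added example that is not part of the original thread and not MailScanner's own code. It also compares the result with what clamd.conf says the daemon listens on; the sample configuration text is constructed, the clamd.conf directives LocalSocket, TCPSocket and TCPAddr are assumed to be the ones in use, and the fallback port 3310 is an assumption.

```python
import ipaddress

# Constructed sample inputs (not taken from any host in the thread).
MAILSCANNER_CONF = """\
Virus Scanners = clamd
Clamd Port = 3310
Clamd Socket = /tmp/clamd
"""

CLAMD_CONF = """\
# constructed clamd.conf fragment
LocalSocket /var/run/clamav/clamd.sock
#TCPSocket 3310
#TCPAddr 127.0.0.1
"""


def parse_mailscanner(text):
    """Parse 'Key = Value' lines; anything after '#' is treated as a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip()
    return opts


def parse_clamd(text):
    """Parse active 'Directive value' lines from clamd.conf text."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def mailscanner_endpoint(ms):
    """A path selects a Unix socket (port unused); otherwise the value
    must be an IP address, which is combined with 'Clamd Port'."""
    sock = ms.get("clamd socket", "")
    if sock.startswith("/"):
        return ("unix", sock)
    try:
        ipaddress.ip_address(sock)
    except ValueError:
        return ("invalid", sock)
    return ("tcp", sock, int(ms.get("clamd port", "3310")))  # assumed default


def clamd_endpoints(cd):
    """List every endpoint the daemon is configured to listen on."""
    found = []
    if "LocalSocket" in cd:
        found.append(("unix", cd["LocalSocket"]))
    if "TCPSocket" in cd:
        # Assumption: without TCPAddr the daemon binds all addresses.
        found.append(("tcp", cd.get("TCPAddr", "0.0.0.0"), int(cd["TCPSocket"])))
    return found


def check(ms_text, clamd_text):
    """Return (ok, message): do MailScanner and clamd agree on the endpoint?"""
    want = mailscanner_endpoint(parse_mailscanner(ms_text))
    have = clamd_endpoints(parse_clamd(clamd_text))
    if want[0] == "invalid":
        return False, f"Clamd Socket {want[1]!r} is neither a path nor an IP address"
    for ep in have:
        if ep[0] != want[0]:
            continue
        if want[0] == "unix" and ep[1] == want[1]:
            return True, f"both sides use Unix socket {want[1]}"
        if want[0] == "tcp" and ep[2] == want[2] and ep[1] in (want[1], "0.0.0.0"):
            return True, f"both sides use TCP {want[1]}:{want[2]}"
    return False, f"MailScanner expects {want}, clamd listens on {have or 'nothing'}"


if __name__ == "__main__":
    print(check(MAILSCANNER_CONF, CLAMD_CONF))
```
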
From: seamus at rheelweb.co.nz (Seamus Allan)
Date: Wed Jul 4 01:05:27 2007
Subject: Postfix Address Verification
In-Reply-To: <46881CAB.2090504@rheelweb.co.nz>
References: <1182844619.26893.2.camel@gblades-suse.linguaphone-intranet.co.uk> <4681C794.7000207@rheelweb.co.nz> <33B7C3D4-C7BB-4FE8-AD69-4802CA37F31B@technologytiger.net> <4682E8CF.7010602@rheelweb.co.nz> <59838.194.70.180.170.1183020415.squirrel@www.technologytiger.net> <4684832B.90709@rheelweb.co.nz> <39526.194.70.180.170.1183109209.squirrel@www.technologytiger.net> <46881CAB.2090504@rheelweb.co.nz>
Message-ID: <468AE442.6000501@rheelweb.co.nz>

Drew Marshall wrote:
>> This looks like a DNS problem. Are you running a cacheing DNS server on
>> this box? Postfix is rejecting with a temporary failure (450) as it is
>> having what it thinks could be a short term problem. I assume you have set
>> the next hop in the transport map file, have you done this using a name
>> record or IP address? i.e. in the file does it say:
>>
>> validdomain relay:internal.host
>>
>> or
>>
>> validdomain relay:[192.168.1.225]
>>
>> Just to make sure this isn't Postfix logging a slight red herring, can you
>> also let me know what you have under:
>>
>> smtpd_client_restrictions
>> smtpd_sender_restrictions
>>
>> in main.cf
>>
>> The other thing to check is the logs of the internal machine (Exchange?),
>> just in case there is anything obvious there.
>>
>> Drew
>>
> Hi,
>
> I am not running a caching DNS server on this box, all DNS queries are
> passed to our internal DNS server, however this shouldn't be an issue,
> as you noted because the next hop is dictated by an entry in the
> transport map, using IP based hosts. This is what I find so confusing,
> surely Postfix uses this transport map or even the relay_domain map to
> decide whether a domain is valid or not?
> I did spend the other day looking at the internal mail hub, and there
> is nothing out of the ordinary in there which would indicate a problem
> (such as SMTP restrictions because of connection rate or something).
> In my main.cf, I don't have entries for smtpd_client_restrictions or
> smtpd_sender_restrictions (whether this is bad or not?), and my
> smtp_receipient_restrictions is as follows:
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination,
> reject_non_fqdn_recipient, reject_unknown_recipient_domain,
> reject_unverified_recipient
>
> It all seems rather tricky, as there is nothing obvious as to why this
> is happening.
>
> Cheers for the help
>
>
> Seamus
>
> *Seamus Allan*
> Network Engineer
> Rheel Electronics Ltd
>

Anybody got ideas?

Cheers

Seamus

--
*Seamus Allan*
Network Engineer
Rheel Electronics Ltd

From res at ausics.net Wed Jul 4 01:05:56 2007
From: res at ausics.net (Res)
Date: Wed Jul 4 01:06:11 2007
Subject: qmail/mailscanner support site planned outage
Message-ID:

Hi Folks,

qms.ausics.net (the mailscanner and qmail support site) will be down Saturday July 7 from 1400-1600 UTC (Midnight local) for server upgrade...

--
Cheers
Res

From itdept at fractalweb.com Wed Jul 4 03:51:26 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Wed Jul 4 03:52:21 2007
Subject: clamd configuration?
In-Reply-To: <06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT>
References: <468AAB5B.7010101@fractalweb.com> <468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com> <06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT>
Message-ID: <468B0B2E.8080201@fractalweb.com>

Rick Cooper wrote:
> Please run MailScanner in debug mode, show what is output from the clamd
> section, and if possible the clamd.conf, remember that is where the clam
> daemon is getting its parameter. If MailScanner cannot reach clamd there
> will be alerts even if you are not in debug mode. Also note if you supply a
> path to the socket the port is not used. If you are not using unix sockets
> (/tmp/clamd or /tmp/clamd.sock, etc) then you should have an IP address
> (probably 127.0.0.1) for the socket address.

Rick,

Ok, here you go. I put MailScanner into debug mode, did a lint, plopped a message with the eicar test file into the inqueue, etc. Looks like clamd is called and the messages handed off, but it doesn't find the virus.

Chris

# MailScanner --lint
Read 777 hostnames from the phishing whitelist
Config: calling custom init function SQLBlacklist
Config: calling custom init function MailWatchLogging
Config: calling custom init function SQLWhitelist
Checking version numbers...
Version number in MailScanner.conf (4.61.7) is correct.
Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
lock.pl sees Config LockType = posix
lock.pl sees have_module = 0
Using locktype = posix
Creating hardcoded struct_flock subroutine for linux (Linux-type)
MailScanner.conf says "Virus Scanners = clamd"
Debug Mode Is On
Use Threads : YES
IP : 127.0.0.1
Port : 3310
Lock File : NOT USED
Time Out : 300
Scan Dir : /var/spool/MailScanner/incoming/29637/ISITINSTALLED
Clamd : Sending PING
Clamd : GOT 'PONG'
ClamD is running
Found these virus scanners installed: clamavmodule, clamd

# service MailScanner start
Starting MailScanner daemons:
incoming sendmail: [ OK ]
outgoing sendmail: [ OK ]
MailScanner: In Debugging mode, not forking...
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Ignore errors about failing to find EOCD signature
Stopping now as you are debugging me.
[ OK ]
[root@devel MailScanner]# commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 138.
Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 138.

and

Jul 3 19:46:49 devel MailScanner[29319]: MailScanner E-Mail Virus Scanner version 4.61.7 starting...
Jul 3 19:46:49 devel MailScanner[29319]: Read 777 hostnames from the phishing whitelist
Jul 3 19:46:49 devel MailScanner[29319]: Config: calling custom init function SQLBlacklist
Jul 3 19:46:49 devel MailScanner[29319]: Starting up SQL Blacklist
Jul 3 19:46:49 devel MailScanner[29319]: Read 28 blacklist entries
Jul 3 19:46:49 devel MailScanner[29319]: Config: calling custom init function MailWatchLogging
Jul 3 19:46:49 devel MailScanner[29319]: Started SQL Logging child
Jul 3 19:46:49 devel MailScanner[29319]: Config: calling custom init function SQLWhitelist
Jul 3 19:46:49 devel MailScanner[29319]: Starting up SQL Whitelist
Jul 3 19:46:49 devel MailScanner[29319]: Read 18 whitelist entries
Jul 3 19:46:49 devel MailScanner[29319]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
Jul 3 19:46:50 devel MailScanner[29319]: Using SpamAssassin results cache
Jul 3 19:46:50 devel MailScanner[29319]: Connected to SpamAssassin cache database
Jul 3 19:46:50 devel MailScanner[29319]: Expired 2 records from the SpamAssassin cache
Jul 3 19:46:50 devel MailScanner[29319]: Enabling SpamAssassin auto-whitelist functionality...
Jul 3 19:46:52 devel MailScanner[29319]: lock.pl sees Config LockType = posix
Jul 3 19:46:52 devel MailScanner[29319]: lock.pl sees have_module = 0
Jul 3 19:46:52 devel MailScanner[29319]: Using locktype = posix
Jul 3 19:46:52 devel MailScanner[29319]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Jul 3 19:46:52 devel MailScanner[29319]: New Batch: Scanning 3 messages, 55415 bytes
Jul 3 19:46:52 devel MailScanner[29319]: Created attachment dirs for 3 messages
Jul 3 19:46:52 devel MailScanner[29319]: Spam Checks: Starting
Jul 3 19:46:55 devel MailScanner[29319]: SpamAssassin returned 0
Jul 3 19:46:56 devel MailScanner[29319]: SpamAssassin returned 0
Jul 3 19:46:59 devel MailScanner[29319]: SpamAssassin returned 0
Jul 3 19:46:59 devel MailScanner[29319]: Spam Checks completed at 8412 bytes per second
Jul 3 19:46:59 devel MailScanner[29319]: Virus and Content Scanning: Starting
Jul 3 19:46:59 devel MailScanner[29319]: Commencing scanning by clamd...
Jul 3 19:46:59 devel MailScanner[29365]: Debug Mode Is On
Jul 3 19:46:59 devel MailScanner[29365]: Use Threads : YES
Jul 3 19:46:59 devel MailScanner[29365]: IP : 127.0.0.1
Jul 3 19:46:59 devel MailScanner[29365]: Port : 3310
Jul 3 19:46:59 devel MailScanner[29365]: Lock File : NOT USED
Jul 3 19:46:59 devel MailScanner[29365]: Time Out : 300
Jul 3 19:46:59 devel MailScanner[29365]: Scan Dir : /var/spool/MailScanner/incoming/29319
Jul 3 19:46:59 devel MailScanner[29365]: Clamd : Sending PING
Jul 3 19:46:59 devel MailScanner[29365]: Clamd : GOT 'PONG'
Jul 3 19:46:59 devel MailScanner[29365]: ClamD is running
Jul 3 19:46:59 devel MailScanner[29365]: SENT : MULTISCAN /var/spool/MailScanner/incoming/29319
Jul 3 19:46:59 devel MailScanner[29319]: Completed scanning by clamd
Jul 3 19:46:59 devel MailScanner[29319]: Completed checking by /usr/local/bin/file
Jul 3 19:46:59 devel MailScanner[29319]: Virus Scanning completed at 367181 bytes per second
Jul 3 19:46:59 devel MailScanner[29319]: About to deliver 3
messages
Jul 3 19:46:59 devel MailScanner[29319]: Uninfected: Delivered 3 messages
Jul 3 19:46:59 devel MailScanner[29319]: Batch completed at 8175 bytes per second (55415 / 6)
Jul 3 19:46:59 devel MailScanner[29319]: Batch (3 messages) processed in 6.78 seconds
Jul 3 19:46:59 devel MailScanner[29319]: Logging message l642kYcl029232 to SQL
Jul 3 19:46:59 devel MailScanner[29319]: Logging message l642kPu9029221 to SQL
Jul 3 19:46:59 devel MailScanner[29319]: Logging message l642juvd029134 to SQL
Jul 3 19:46:59 devel MailScanner[29319]: "Always Looked Up Last" took 0.01 seconds
Jul 3 19:46:59 devel MailScanner[29319]: Config: calling custom end function SQLBlacklist
Jul 3 19:46:59 devel MailScanner[29319]: Closing down by-domain spam blacklist
Jul 3 19:46:59 devel MailScanner[29319]: Config: calling custom end function MailWatchLogging
Jul 3 19:46:59 devel MailScanner[29319]: Config: calling custom end function SQLWhitelist
Jul 3 19:46:59 devel MailScanner[29319]: Closing down by-domain spam whitelist
Jul 3 19:46:59 devel MailScanner[29319]: MailScanner child dying of old age
Jul 3 19:46:59 devel MailScanner[29327]: l642kYcl029232: Logged to MailWatch SQL
Jul 3 19:46:59 devel MailScanner[29327]: l642kPu9029221: Logged to MailWatch SQL
Jul 3 19:46:59 devel MailScanner[29327]: l642juvd029134: Logged to MailWatch SQL
Jul 3 19:49:08 devel MailScanner[29637]: MailScanner E-Mail Virus Scanner version 4.61.7 starting...

From res at ausics.net Wed Jul 4 04:11:43 2007
From: res at ausics.net (Res)
Date: Wed Jul 4 04:11:53 2007
Subject: clamd configuration?
In-Reply-To: <468B0B2E.8080201@fractalweb.com>
References: <468AAB5B.7010101@fractalweb.com> <468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com> <06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> <468B0B2E.8080201@fractalweb.com>
Message-ID:

On Tue, 3 Jul 2007, Chris Yuzik wrote:

> Jul 3 19:46:59 devel MailScanner[29319]: Batch (3 messages) processed in
> 6.78 seconds

holy crap that's slow...

Jul 4 13:10:55 mx-2-in MailScanner[5635]: Batch (30 messages) processed in 38.76 seconds
Jul 4 13:11:05 mx-2-in MailScanner[5632]: Batch (7 messages) processed in 1.92 seconds

--
Cheers
Res

From itdept at fractalweb.com Wed Jul 4 05:12:34 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Wed Jul 4 05:12:51 2007
Subject: clamd configuration?
In-Reply-To:
References: <468AAB5B.7010101@fractalweb.com> <468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com> <06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> <468B0B2E.8080201@fractalweb.com>
Message-ID: <468B1E32.8040606@fractalweb.com>

Res wrote:
> holy crap that's slow...
>
>
> Jul 4 13:10:55 mx-2-in MailScanner[5635]: Batch (30 messages) processed
> in 38.76 seconds

Res,

Ha ha. Well, sorry, was a bit distracted. Since it was running in debug mode, the delay was because someone was talking to me and it took me a few seconds before I typed "service MailScanner start". Normally, the "be-atches" (ha ha) seem to average ~7 to ~12 seconds.

Chris

From res at ausics.net Wed Jul 4 06:17:19 2007
From: res at ausics.net (Res)
Date: Wed Jul 4 06:17:29 2007
Subject: clamd configuration?
In-Reply-To: <468B1E32.8040606@fractalweb.com>
References: <468AAB5B.7010101@fractalweb.com> <468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com> <06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> <468B0B2E.8080201@fractalweb.com> <468B1E32.8040606@fractalweb.com>
Message-ID:

LOL :P

On Tue, 3 Jul 2007, Chris Yuzik wrote:

> Res wrote:
>
>> holy crap that's slow...
>>
>>
>> Jul 4 13:10:55 mx-2-in MailScanner[5635]: Batch (30 messages) processed in
>> 38.76 seconds
>
> Res,
>
> Ha ha. Well, sorry, was a bit distracted. Since it was running in debug mode,
> the delay was because someone was talking to me and it took me a few seconds
> before I typed "service MailScanner start". Normally, the "be-atches" (ha ha)
> seem to average ~7 to ~12 seconds.
>
> Chris
>
>

--
Cheers
Res

From leiw324 at yahoo.com.hk Wed Jul 4 06:41:31 2007
From: leiw324 at yahoo.com.hk (Wilson Kwok)
Date: Wed Jul 4 06:41:34 2007
Subject: Some maillog question
Message-ID: <927842.49000.qm@web54404.mail.yahoo.com>

Hello,

Can anyone help to explain the following MailScanner log? Has MailScanner been hacked or something like that?

Jul 4 12:42:24 mailgateway MailScanner[22295]: Commercial scanner clamav timed out!
Jul 4 12:42:24 mailgateway MailScanner[22295]: clamav: Failed to complete, timed out
Jul 4 12:42:24 mailgateway MailScanner[22295]: Virus Scanning: Denial Of Service attack detected!

Thanks

From minduni at ti-edu.ch Wed Jul 4 08:31:34 2007
From: minduni at ti-edu.ch (Marco Induni)
Date: Wed Jul 4 08:31:35 2007
Subject: Filename rule question
In-Reply-To: <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com>
References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com>
Message-ID: <468B4CD6.5050001@ti-edu.ch>

Glenn Steen wrote:
> On 03/07/07, Marco Induni wrote:
>> Hi All,
>> I try to deny some email attachments based just on the filename.
>> So I setup the following test rule to deny all attachment for email
>> sent to me@pluto.com (obviously just a real address)
>>
>> - in /etc/MailScanner/Mailscanner.conf
>> -- Filename Rules = %rules-dir%/filename-rules.rules
>>
>> - in /etc/MailScanner/rules/filename-rules.rules
>> -- To: me@pluto.com /etc/MailScanner/filename-alldeny.conf
>> -- FromOrTo: default
>> /etc/MailScanner/filename-nocheck.rules.conf
>>
>> - in /etc/MailScanner/filename-alldeny.conf
>> -- deny .* - -
>>
>> - in /etc/MailScanner/filename-nocheck.rules.conf
>> -- allow .* - -
>>
>>
>> So I expect that any attachment will be denied, but is not true.
>> It seems that everything is passing through, and the rule is not
>> matching anything.
>> I've done MailScanner --lint and no syntax error appear.
>> I've also tried the standard rules enclosed (deny .exe .reg,...), but
>> didn't work.
>
> When troubleshooting things like these, always doublecheck your
> assumptions with MailScanner itself... Try "MailScanner --help" to see
> the possible things you can do ... apart from the well-known --debug
> and --lint (start by doing a lint... it'll show you any bad syntax
> errors), you can also try any setting with any sender/receiver .... In
> your case you'd test
> MailScanner --value=filenamerules --from=anyone@example.net
> --to=me@pluto.com
> and perhaps some variations ... Replace with addresses valid to your
> situation.
>

Glenn, thanks for the suggestions.
I've verified with Mailscanner --value=filenamerules and the various addresses to be sure that the result points to the rule that denies the attachment (see below)

Looked up internal option name "filenamerules"
With sender = root@xxx
recipient = xxx@xx
Client IP =
Virus =
Result is "/etc/MailScanner/filename-alldeny.conf"

But unfortunately the attachments are still allowed.

I've double checked to see if I've placed space instead of TAB on the rule, but all seems ok.
Also the MailScanner --lint doesn't get any syntax error.
Actually I've tested on MailScanner 4.58.9 and 4.61.7 with the same result.

On the /etc/MailScanner/filename-alldeny.conf there is just

deny .* - -

and in MailScanner.conf

Allow Filenames =
Deny Filenames =
Filename Rules = %rules-dir%/filename-rules.rules

No idea :-(

Thanks
marco

>> Question, for the filename rule to work, should I always setup also the
>> filetype rule ?
>
> Almost always a good thing to do, yes. Check those with the same
> strategy/commands.
>
>
>> Any other ideas ?
>> Where I'm wrong ?
>
> Probably a typo. Might be related to those files needing to be
> separated...
>
> Cheers

--
Marco Induni
Universita` della Svizzera italiana
Servizi informatici / TI-EDU
Galleria 2
CH-6928 Manno (Switzerland)
E-mail: minduni@ti-edu.ch
Tel: +41 58 666 6656
Fax: +41 58 666 6650

From minduni at ti-edu.ch Wed Jul 4 08:34:33 2007
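A check for the space-versus-TAB question raised about the filename rule files in this thread, as an added example that is not part of the original messages and not MailScanner code. The four-field layout (action, pattern, log text, report text), splitting on runs of tabs, and the sample rules are assumptions of this example; Python's regex engine stands in for Perl's when compiling each pattern.

```python
import re

# Constructed sample rules file; line 3 uses spaces between the fields.
SAMPLE_RULES = (
    "# filename rules, one per line\n"
    "deny\t.*\t-\t-\n"
    "deny    \\.exe$    Windows executable    Executables are not allowed\n"
    "allow\tpretty safe\\.txt$\t-\t-\n"
    "deny\t(unclosed\t-\t-\n"
)

EXPECTED_FIELDS = 4  # assumed layout: action, pattern, log text, report text


def lint_filename_rules(text):
    """Return a list of (line_number, problem) for a filename rules file."""
    problems = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r")
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no rule

        if "\t" not in line:
            # The whole line would be read as one field, so nothing matches.
            problems.append((number, "no tab characters: fields look space-separated"))
            continue

        # Runs of tabs are treated as one separator, so aligned columns pass.
        fields = re.split(r"\t+", line)
        if len(fields) != EXPECTED_FIELDS:
            problems.append(
                (number, f"expected {EXPECTED_FIELDS} tab-separated fields, found {len(fields)}")
            )
            continue

        action, pattern = fields[0], fields[1]
        if action != action.strip():
            # A space before the tab ends up inside the action keyword.
            problems.append((number, f"stray space around action {action!r}"))

        # Spaces inside the pattern are legal: that is why tabs are required.
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append((number, f"pattern {pattern!r} does not compile: {exc}"))
    return problems


if __name__ == "__main__":
    for number, problem in lint_filename_rules(SAMPLE_RULES):
        print(f"line {number}: {problem}")
```
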
From: minduni at ti-edu.ch (Marco Induni)
Date: Wed Jul 4 08:34:35 2007
Subject: Filename rule question
In-Reply-To: <468A9425.3050007@ecs.soton.ac.uk>
References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468A9425.3050007@ecs.soton.ac.uk>
Message-ID: <468B4D89.3050208@ti-edu.ch>

Julian Field wrote:
>
> Glenn Steen wrote:
>> On 03/07/07, Marco Induni wrote:
>>> Hi All,
>>> I try to deny some email attachments based just on the filename.
>>> So I setup the following test rule to deny all attachment for email
>>> sent to me@pluto.com (obviously just a real address)
>>>
>>> - in /etc/MailScanner/Mailscanner.conf
>>> -- Filename Rules = %rules-dir%/filename-rules.rules
>>>
>>> - in /etc/MailScanner/rules/filename-rules.rules
>>> -- To: me@pluto.com /etc/MailScanner/filename-alldeny.conf
>>> -- FromOrTo: default
>>> /etc/MailScanner/filename-nocheck.rules.conf
>>>
>>> - in /etc/MailScanner/filename-alldeny.conf
>>> -- deny .* - -
>>>
>>> - in /etc/MailScanner/filename-nocheck.rules.conf
>>> -- allow .* - -
>>>
>>>
>>> So I expect that any attachment will be denied, but is not true.
>>> It seems that everything is passing through, and the rule is not
>>> matching anything.
>>> I've done MailScanner --lint and no syntax error appear.
>>> I've also tried the standard rules enclosed (deny .exe .reg,...), but
>>> didn't work.
>> When troubleshooting things like these, always doublecheck your
>> assumptions with MailScanner itself... Try "MailScanner --help" to see
>> the possible things you can do ... apart from the well-known --debug
>> and --lint (start by doing a lint... it'll show you any bad syntax
>> errors), you can also try any setting with any sender/receiver .... In
>> your case you'd test
>> MailScanner --value=filenamerules --from=anyone@example.net
>> --to=me@pluto.com
>> and perhaps some variations ... Replace with addresses valid to your
>> situation.
>>
>>> Question, for the filename rule to work, should I always setup also the
>>> filetype rule ?
>> Almost always a good thing to do, yes. Check those with the same
>> strategy/commands.
>>
>>
>>> Any other ideas ?
>>> Where I'm wrong ?

Julian, thanks for your answer.
I've double checked and the rule is separated with TAB. Should be something else...

Marco

>> Probably a typo. Might be related to those files needing to be
>> separated...
> That catches out a lot of people. filename.rules.conf and its brethren
> have to be tab-separated as otherwise the filename and filetype regular
> expressions cannot include spaces.
>
>> Cheers
>
> Jules
>
> - --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>

--
Marco Induni
Universita` della Svizzera italiana
Servizi informatici / TI-EDU
Galleria 2
CH-6928 Manno (Switzerland)
E-mail: minduni@ti-edu.ch
Tel: +41 58 666 6656
Fax: +41 58 666 6650

From martinh at solidstatelogic.com Wed Jul 4 09:06:53 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Jul 4 09:07:06 2007
Subject: Some maillog question
In-Reply-To: <927842.49000.qm@web54404.mail.yahoo.com>
Message-ID:

Wilson

Nope - look in the clamd.conf file. There's a setting you may need to increase..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Wilson Kwok
> Sent: 04 July 2007 06:42
> To: mailscanner@lists.mailscanner.info
> Subject: Some maillog question
>
> Hello,
>
> Can anyone help to explain the following MailScanner log ? is the
> mailScanner got hacking or something like that ?
>
> Jul 4 12:42:24 mailgateway MailScanner[22295]: Commercial scanner clamav
> timed out!
> Jul 4 12:42:24 mailgateway MailScanner[22295]: clamav: Failed to
> complete, timed out
> Jul 4 12:42:24 mailgateway MailScanner[22295]: Virus Scanning: Denial Of
> Service attack detected!
>
>
> Thanks
>
From cschnee at box.telemedia.ch Wed Jul 4 09:08:23 2007
From: cschnee at box.telemedia.ch (Christoph Schneeberger)
Date: Wed Jul 4 09:13:35 2007
Subject: Problem with MS on OpenBSD 4.1
In-Reply-To: <223f97700707031115m7f156454wac3f7b80febe5434@mail.gmail.com>
References: <468A63AC.5040808@box.telemedia.ch> <468A659A.3090602@ecs.soton.ac.uk> <468A691D.7020605@box.telemedia.ch> <223f97700707031115m7f156454wac3f7b80febe5434@mail.gmail.com>
Message-ID: <468B5577.2070402@box.telemedia.ch>

Glenn Steen wrote:
> On 03/07/07, Christoph Schneeberger wrote:
>> Hi Julian,
>>
>> Thanks for your reply.
>>
>> Julian Field wrote:
>> ..
>>
>> > >When I run MS and SA in debug mode I get an error at line 832 in
>> > >Mailscanner which is the following line:
>> >
>> > >$batch->Explode();
>> >
>> > >The error I get is
>> >
>> > >
>> > >[24820] dbg: locker: safe_unlock: unlocked
>> > /root/.spamassassin/bayes.mutex
>> > >[24820] dbg: learn: initializing learner
>> > >Ignore errors about failing to find EOCD signature
>> >
>> >
>> > That line gives a hint.
>> >
>> > >format error: can't find EOCD signature
>> > > at /opt/MailScanner/bin/MailScanner line 832
>> >
>> >
>> > So you can ignore that.
>> >
>> > >Stopping now as you are debugging me.
>> > > Done.
>> >
>> >
>> > It has run to completion normally. It hasn't bombed out on an error at
>> > all. It has done exactly what it is supposed to do in Debug mode:
>> > process 1 batch of messages and then exit.
>>
>>
>> Ok thanks, i was thinking that too, but somebody on irc told me i need
>> to get rid of this line832 error and that would solve my problem of not
>> having any detailed Spamassassin result headers at all.
>>
>> So could you give me any direction or hints where I could further search
>> to get that problem of not having detailed results in the header solved,
>> since that's the only problem I really have.
>>
>> Or asked else: Is anybody on this list running a current MailScanner on
>> OpenBSD 4.1 successfully and do you have any hints for me where to
>> look ?
>>
>> Thanks a lot and best regards,
>> Christoph
>>
> OpenBSD isn't exactly unheard of, but it certainly isn't one of the
> more used OSes.... But this might not be anything specific to your
> OS... Call me dull, but did you run a
> MailScanner --debug --debug-sa
> ... with something obvious, like a GTUBE, on queue?
>
> Cheers

Thanks for your reply, I had to google GTUBE before I knew what you meant ;-)

I have run with debug and debug-sa (from MailScanner.conf but I guess that is the same result) and people on irc told me the output i pasted looks good, but I'll happily provide it at the end of this mail.

I have sent a mail (only body with copy-paste) from my inbox that is spam through the MS in question and it scored it with 18 and flagged the Subject properly with {Spam?}, BUT only the Spamscore and the Subject Flag are here, no details on which tests how many score was given, just a result.

The reason I want OpenBSD is the spamd/pf combo which is quite unique for greylisting and since 4.1 even more use- and powerful. Also I have used OpenBSD since 2.5 and I am quite satisfied with its robustness and safety. Another reason is that I am a sendmail veteran because there was nothing else really serious at the time i needed my first mailhub, so I read different sendmail books and am quite comfortable with it. I've never found my way into other MTAs and since most Linux are now shipping Postfix, Exim or whatever I am sticking with OpenBSD for Mailhubs, Mailgates etc.

So here is the output of

./bin/MailScanner --debug --debug-sa 2>&1 | tee /tmp/log

---
Currently you are using no virus scanners.
This is probably not what you want.

In your /opt/MailScanner/etc/MailScanner.conf file, set
Virus Scanners = clamav
Then download
http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/install-Clam-SA.tar.gz
Unpack it, "cd" into the directory and run ./install.sh

In Debugging mode, not forking...
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
[14467] dbg: logger: adding facilities: all
[14467] dbg: logger: logging level is DBG
[14467] dbg: generic: SpamAssassin version 3.1.8
[14467] dbg: config: score set 0 chosen.
[14467] dbg: util: running in taint mode? no
[14467] dbg: message: ---- MIME PARSER START ----
[14467] dbg: message: main message type: text/plain
[14467] dbg: message: parsing normal part
[14467] dbg: message: added part, type: text/plain
[14467] dbg: message: ---- MIME PARSER END ----
[14467] dbg: dns: is Net::DNS::Resolver available? yes
[14467] dbg: dns: Net::DNS version: 0.59
[14467] dbg: ignore: test message to precompile patterns and load modules
[14467] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
[14467] dbg: config: read file /etc/mail/spamassassin/init.pre
[14467] dbg: config: read file /etc/mail/spamassassin/v310.pre
[14467] dbg: config: read file /etc/mail/spamassassin/v312.pre
[14467] dbg: config: using "/usr/local/share/spamassassin" for sys rules pre files
[14467] dbg: config: using "/usr/local/share/spamassassin" for default rules dir
[14467] dbg: config: read file /usr/local/share/spamassassin/10_misc.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_advance_fee.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_anti_ratware.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_body_tests.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_compensate.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_dnsbl_tests.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_drugs.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_fake_helo_tests.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_head_tests.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_html_tests.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_meta_tests.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_net_tests.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_phrases.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_porn.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_ratware.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/20_uri_tests.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/23_bayes.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_accessdb.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_antivirus.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_body_tests_es.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_body_tests_pl.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_dcc.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_dkim.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_domainkeys.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_hashcash.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_pyzor.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_razor2.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_replace.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_spf.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_textcat.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/25_uribl.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/30_text_de.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/30_text_fr.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/30_text_it.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/30_text_nl.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/30_text_pl.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/30_text_pt_br.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/50_scores.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/60_awl.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/60_whitelist.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_dk.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_dkim.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_spf.cf
[14467] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_subject.cf
[14467] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[14467] dbg: config: read file /etc/mail/spamassassin/local.cf
[14467] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x4a1cbc80)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x4390e3a0)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x4c4dc6a0)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
[14467] dbg: pyzor: network tests on, attempting Pyzor
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0x4b99feb0)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[14467] dbg: razor2: razor2 is available, version 2.82
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0x46e71a90)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
[14467] dbg: reporter: network tests on, attempting SpamCop
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0x4ac42bb0)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::AWL=HASH(0x441d61c0)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0x47fce710)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0x500524c0)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0x4caf65a0)
[14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC
[14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x487f0b70)
[14467] dbg: config: adding redirector regex: /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i
[14467] dbg: config: adding redirector regex: /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i
[14467] dbg: config: adding redirector regex: /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i
[14467] dbg: config: adding redirector regex: /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i
[14467] dbg: config: adding redirector regex: /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i
[14467] dbg: config: adding redirector regex: m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&#])'i
[14467] dbg: config: adding redirector regex: m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i
[14467] dbg: config: adding redirector regex: m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&#])'i
[14467] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&#])'i
[14467] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])site:(.*?)(?:$|%20|[\s+&#])'i
[14467] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&#])'i
[14467] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&#])'i
[14467] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x487f0b70) implements 'finish_parsing_end'
[14467] dbg: replacetags: replacing tags
[14467] dbg: replacetags: done replacing tags
[14467] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks
[14467] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_seen
[14467] dbg: bayes: found bayes db version 3
[14467] dbg: bayes: DB journal sync: last sync: 0
[14467] dbg: bayes: not available for scanning, only 0 spam(s) in bayes DB < 200
[14467] dbg: bayes: untie-ing
[14467] dbg: bayes: untie-ing db_toks
[14467] dbg: bayes: untie-ing db_seen
[14467] dbg: config: score set 1 chosen.
[14467] dbg: message: ---- MIME PARSER START ----
[14467] dbg: message: main message type: text/plain
[14467] dbg: message: parsing normal part
[14467] dbg: message: added part, type: text/plain
[14467] dbg: message: ---- MIME PARSER END ----
[14467] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks
[14467] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_seen
[14467] dbg: bayes: found bayes db version 3
[14467] dbg: bayes: DB journal sync: last sync: 0
[14467] dbg: bayes: not available for scanning, only 0 spam(s) in bayes DB < 200
[14467] dbg: bayes: untie-ing
[14467] dbg: bayes: untie-ing db_toks
[14467] dbg: bayes: untie-ing db_seen
[14467] dbg: dns: dns_available set to yes in config file, skipping test
[14467] dbg: metadata: X-Spam-Relays-Trusted:
[14467] dbg: metadata: X-Spam-Relays-Untrusted:
[14467] dbg: metadata: X-Spam-Relays-Internal:
[14467] dbg: metadata: X-Spam-Relays-External:
[14467] dbg: message: no encoding detected
[14467] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x4a1cbc80) implements 'parsed_metadata'
[14467] dbg: uridnsbl: domains to query:
[14467] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl-lastexternal
[14467] dbg: dns: checking RBL sa-accredit.habeas.com., set habeas-firsttrusted
[14467] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl
[14467] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted
[14467] dbg: dns: checking RBL combined.njabl.org., set njabl-lastexternal
[14467] dbg: dns: checking RBL combined.njabl.org., set njabl
[14467] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois
[14467] dbg: dns: checking RBL list.dsbl.org., set dsbl-lastexternal
[14467] dbg: dns: checking RBL bl.spamcop.net., set spamcop
[14467] dbg: dns: checking RBL sa-trusted.bondedsender.org., set bsp-firsttrusted
[14467] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois-lastexternal
[14467] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-lastexternal
[14467] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs
[14467] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted
[14467] dbg: check: running tests for priority: 0
[14467] dbg: rules: running header regexp tests; score so far=0
[14467] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<"
[14467] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1183536114"
[14467] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1183536114.8107@spamassassin_spamd_init>
[14467] dbg: rules: "
[14467] dbg: rules: ran header rule NO_REAL_NAME ======> got hit: "ignore@compiling.spamassassin.taint.org
[14467] dbg: rules: "
[14467] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@spamassassin_spamd_init>"
[14467] dbg: spf: no suitable relay for spf use found, skipping SPF-helo check
[14467] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org
[14467] dbg: eval: all '*To' addrs:
[14467] dbg: spf: no suitable relay for spf use found, skipping SPF check
[14467] dbg: rules: ran eval rule NO_RELAYS ======> got hit
[14467] dbg: spf: cannot get Envelope-From, cannot use SPF
[14467] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
[14467] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit
[14467] dbg: rules: ran eval rule MISSING_HEADERS ======> got hit
[14467] dbg: spf: spf_whitelist_from: could not find useable envelope sender
[14467] dbg: rules: running body-text per-line regexp tests; score so far=0.738
[14467] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I"
[14467] dbg: uri: running uri tests; score so far=0.738
[14467] dbg: rules: running raw-body-text per-line regexp tests; score so far=0.738
[14467] dbg: rules: running full-text regexp tests; score so far=0.738
[14467] dbg: info: entering helper-app run mode
[14467] dbg: info: leaving helper-app run mode
[14467] dbg: razor2: part=0 engine=4 contested=0 confidence=0
[14467] dbg: razor2: results: spam? 0
[14467] dbg: razor2: results: engine 8, highest cf score: 0
[14467] dbg: razor2: results: engine 4, highest cf score: 0
[14467] dbg: util: current PATH is: /sbin:/bin:/usr/sbin:/usr/bin
[14467] dbg: pyzor: pyzor is not available: no pyzor executable found
[14467] dbg: pyzor: no pyzor found, disabling Pyzor
[14467] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x4a1cbc80) implements 'check_tick'
[14467] dbg: check: running tests for priority: 500
[14467] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x4a1cbc80) implements 'check_post_dnsbl'
[14467] dbg: rules: running meta tests; score so far=0.738
[14467] info: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
[14467] dbg: rules: running header regexp tests; score so far=2.216
[14467] dbg: rules: running body-text per-line regexp tests; score so far=2.216
[14467] dbg: uri: running uri tests; score so far=2.216
[14467] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.216
[14467] dbg: rules: running full-text regexp tests; score so far=2.216
[14467] dbg: check: running tests for priority: 1000
[14467] dbg: rules: running meta tests; score so far=2.216
[14467] dbg: rules: running header regexp tests; score so far=2.216
[14467] dbg: rules: running body-text per-line regexp tests; score so far=2.216
[14467] dbg: uri: running uri tests; score so far=2.216
[14467] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.216
[14467] dbg: rules: running full-text regexp tests; score so far=2.216
[14467] dbg: check: is spam? score=2.216 required=5
[14467] dbg: check: tests=MISSING_HEADERS,MISSING_SUBJECT,NO_REAL_NAME,NO_RECEIVED,NO_RELAYS,TO_CC_NONE
[14467] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID
Ignore errors about failing to find EOCD signature
format error: can't find EOCD signature
 at ./bin/MailScanner line 832
Stopping now as you are debugging me.
---

Please note I have disabled clamav for the moment to debug this without
having to care about possible problems with the Antivirus, however the
result was the same (no spamassassin details) when having the antivirus
set to 'clamav' or 'clamd'.

Also I have installed clamav and SA from local ports in OpenBSD 4.1, but
maybe I should use the provided package from the MS site ? Would that be
worth a try ?

Thanks for any hints or tips in advance.


Cheers,
Christoph

--
---------------------------------------------------+
/ Christoph Schneeberger / SCS TeleMedia AG |
/ GIAC GSEC / Liestalerstrasse 47 |
/ cschnee@telemedia.ch / info@telemedia.ch |
/ 4419 Lupsingen / http://www.telemedia.ch |
/ tel +41 61 915 9155 / fax +41 61 911 0714 |
--------------------------------------------------------+

This e-mail is confidential and may be privileged. It may
be read, copied and used only by the addressee. If you
have received it in error, please contact us immediately.


"Quis custodiet ipsos custodes?"

From martinh at solidstatelogic.com Wed Jul 4 09:19:50 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Jul 4 09:19:55 2007
Subject: Problem with MS on OpenBSD 4.1
In-Reply-To: <468B5577.2070402@box.telemedia.ch>
Message-ID: <84ac9bebdba50c4db2e3a7321854dbf0@solidstatelogic.com>

Chris

Spamd/spamc isn't used for MailScanner, MS calls it direct.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Christoph Schneeberger
> Sent: 04 July 2007 09:08
> To: MailScanner discussion
> Subject: Re: Problem with MS on OpenBSD 4.1

**********************************************************************

Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error
you must take no action based on them, nor must you copy or show them
to anyone. Please advise the sender by replying to this e-mail
immediately and then delete the original from your computer.

Opinion : Any opinions expressed in this e-mail are entirely those of
the author and unless specifically stated to the contrary, are not
necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure
communications medium and can be subject to data corruption. We advise
that you consider this fact when e-mailing us.

Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom

**********************************************************************

From cschnee at box.telemedia.ch Wed Jul 4 09:24:53 2007
From: cschnee at box.telemedia.ch (Christoph Schneeberger)
Date: Wed Jul 4 09:29:49 2007
Subject: Problem with MS on OpenBSD 4.1
In-Reply-To: <84ac9bebdba50c4db2e3a7321854dbf0@solidstatelogic.com>
References: <84ac9bebdba50c4db2e3a7321854dbf0@solidstatelogic.com>
Message-ID: <468B5955.3080106@box.telemedia.ch>

Sorry for the confusion, I am talking about OpenBSD's spamd which is
accidentally called the same as SA's spamd, see
http://www.openbsd.org/cgi-bin/man.cgi?query=spamd&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

I am aware that MS calls SA Modules and does not use the daemon, thanks
anyway for the tip. Worth a try if you don't know it.

Thanks & Cheers,
Christoph

Martin.Hepworth wrote:
> Chris
>
> Spamd/spamc isn't used for MailScanner, MS calls it direct.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Christoph Schneeberger
>> Sent: 04 July 2007 09:08
>> To: MailScanner discussion
>> Subject: Re: Problem with MS on OpenBSD 4.1
>>
>> Glenn Steen wrote:
>>
>>> On 03/07/07, Christoph Schneeberger wrote:
>>>> Hi Julian,
>>>>
>>>> Thanks for your reply.
>>>>
>>>> Julian Field wrote:
>>>> ..
>>>>
>>>>>> When I run MS and SA in debug mode I get an error at line 832 in
>>>>>> Mailscanner which is the following line:
>>>>>>
>>>>>> $batch->Explode();
>>>>>>
>>>>>> The error I get is
>>>>>>
>>>>>> [24820] dbg: locker: safe_unlock: unlocked /root/.spamassassin/bayes.mutex
>>>>>> [24820] dbg: learn: initializing learner
>>>>>> Ignore errors about failing to find EOCD signature
>>>>>>
>>>>> That line gives a hint.
>>>>>
>>>>>> format error: can't find EOCD signature
>>>>>> at /opt/MailScanner/bin/MailScanner line 832
>>>>>>
>>>>> So you can ignore that.
>>>>>
>>>>>> Stopping now as you are debugging me.
>>>>>> Done.
>>>>>>
>>>>> It has run to completion normally. It hasn't bombed out on an error at
>>>>> all. It has done exactly what it is supposed to do in Debug mode:
>>>>> process 1 batch of messages and then exit.
>>>>>
>>>> Ok thanks, i was thinking that too, but somebody on irc told me i need
>>>> to get rid of this line832 error and that would solve my problem of not
>>>> having any detailed Spamassassin result headers at all.
>>>>
>>>> So could you give me any direction or hints where I could further search
>>>> to get that problem of not having detailed results in the header solved,
>>>> since that's the only problem I really have.
>>>>
>>>> Or asked else: Is anybody on this list running a current MailScanner on
>>>> OpenBSD 4.1 successfully and do you have any hints for me where to
>>>> look ?
>>>>
>>>> Thanks a lot and best regards,
>>>> Christoph
>>>>
>>> OpenBSD isn't exactly unheard of, but it certainly isn't one of the
>>> more used OSes.... But this might not be anything specific to your
>>> OS... Call me dull, but did you run a
>>> MailScanner --debug --debug-sa
>>> ... with something obvious, like a GTUBE, on queue?
>>>
>>> Cheers
>>>
>> Thanks for your reply, I had to google GTUBE before I knew what you
>> meant ;-)
>>
>> I have run with debug and debug-sa (from MailScanner.conf but I guess
>> that is the same result) and people on irc told me the output i pasted
>> looks good, but I'll happily provide it at the end of this mail.
>>
>> I have sent a mail (only body with copy-paste) from my inbox that is
>> spam through the MS in question and it scored it with 18 and flagged the
>> Subject properly with {Spam?}, BUT only the Spamscore and the Subject
>> Flag are here, no details on which tests how many score was given, just
>> a result.
>>
>> The reason I want OpenBSD is the spamd/pf combo which is quite unique
>> for greylisting and since 4.1 even more use- and powerful. Also I have
>> used OpenBSD since 2.5 and I am quite satisfied with its robustness and
>> safety. Another reason is that I am a sendmail veteran because there was
>> nothing else really serious at the time i needed my first mailhub, so I
>> read different sendmails books and am quite comfortable with it. I've
>> never found my way into other MTAs and since most Linux are now shipping
>> Postfix, Exim or whatever I am sticking with OpenBSD for Mailhubs,
>> Mailgates etc.
>>
>> So here is the output of
>> ./bin/MailScanner --debug --debug-sa 2>&1 | tee /tmp/log
>> ---
>>
>> Currently you are using no virus scanners.
>> This is probably not what you want.
>>
>> In your /opt/MailScanner/etc/MailScanner.conf file, set
>> Virus Scanners = clamav
>> Then download
>> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/install-Clam-SA.tar.gz
>> Unpack it, "cd" into the directory and run ./install.sh
>>
>> In Debugging mode, not forking...
>> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> [14467] dbg: logger: adding facilities: all
>> [14467] dbg: logger: logging level is DBG
>> [14467] dbg: generic: SpamAssassin version 3.1.8
>> [14467] dbg: config: score set 0 chosen.
>> [14467] dbg: util: running in taint mode? no
>> [14467] dbg: message: ---- MIME PARSER START ----
>> [14467] dbg: message: main message type: text/plain
>> [14467] dbg: message: parsing normal part
>> [14467] dbg: message: added part, type: text/plain
>> [14467] dbg: message: ---- MIME PARSER END ----
>> [14467] dbg: dns: is Net::DNS::Resolver available? yes
>> [14467] dbg: dns: Net::DNS version: 0.59
>> [14467] dbg: ignore: test message to precompile patterns and load modules
>> [14467] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
>> [14467] dbg: config: read file /etc/mail/spamassassin/init.pre
>> [14467] dbg: config: read file /etc/mail/spamassassin/v310.pre
>> [14467] dbg: config: read file /etc/mail/spamassassin/v312.pre
>> [14467] dbg: config: using "/usr/local/share/spamassassin" for sys rules pre files
>> [14467] dbg: config: using "/usr/local/share/spamassassin" for default rules dir
>> [14467] dbg: config: read file /usr/local/share/spamassassin/10_misc.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/20_advance_fee.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/20_anti_ratware.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/20_body_tests.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/20_compensate.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/20_dnsbl_tests.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/20_drugs.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/20_fake_helo_tests.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/20_head_tests.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/20_html_tests.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/20_meta_tests.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/20_net_tests.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/20_phrases.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/20_porn.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/20_ratware.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/20_uri_tests.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/23_bayes.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/25_accessdb.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/25_antivirus.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/25_body_tests_es.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/25_body_tests_pl.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/25_dcc.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/25_dkim.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/25_domainkeys.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/25_hashcash.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/25_pyzor.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/25_razor2.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/25_replace.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/25_spf.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/25_textcat.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/25_uribl.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/30_text_de.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/30_text_fr.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/30_text_it.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/30_text_nl.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/30_text_pl.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/30_text_pt_br.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/50_scores.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/60_awl.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/60_whitelist.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_dk.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_dkim.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_spf.cf
>> [14467] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_subject.cf
>> [14467] dbg: config: using "/etc/mail/spamassassin" for site rules dir
>> [14467] dbg: config: read file /etc/mail/spamassassin/local.cf
>> [14467] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
>> [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
>> [14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x4a1cbc80)
>> [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
>> [14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x4390e3a0)
>> [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
>> [14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x4c4dc6a0)
>> [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
>> [14467] dbg: pyzor: network tests on, attempting Pyzor
>> [14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0x4b99feb0)
>> [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
>> [14467] dbg: razor2: razor2 is available, version 2.82
>> [14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0x46e71a90)
>> [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
>> [14467] dbg: reporter: network tests on, attempting SpamCop
>> [14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0x4ac42bb0)
>> [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC
>> [14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::AWL=HASH(0x441d61c0)
>> [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC
>> [14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0x47fce710)
>> [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC
>> [14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0x500524c0)
>> [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC
>> [14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0x4caf65a0)
>> [14467] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC
>> [14467] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x487f0b70)
>> [14467] dbg: config: adding redirector regex: /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i
>> [14467] dbg: config: adding redirector regex: /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i
>> [14467] dbg: config: adding redirector regex: /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i
>> [14467] dbg: config: adding redirector regex: /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i
>> [14467] dbg: config: adding redirector regex: /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i
>> [14467] dbg: config: adding redirector regex: m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&#])'i
>> [14467] dbg: config: adding redirector regex: m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i
>> [14467] dbg: config: adding redirector regex: m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&#])'i
>> [14467] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&#])'i
>> [14467] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])site:(.*?)(?:$|%20|[\s+&#])'i
>> [14467] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&#])'i
>> [14467] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&#])'i
>> [14467] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x487f0b70) implements 'finish_parsing_end'
>> [14467] dbg: replacetags: replacing tags
>> [14467] dbg: replacetags: done replacing tags
>> [14467] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks
>> [14467] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_seen
>> [14467] dbg: bayes: found bayes db version 3
>> [14467] dbg: bayes: DB journal sync: last sync: 0
>> [14467] dbg: bayes: not available for scanning, only 0 spam(s) in bayes DB < 200
>> [14467] dbg: bayes: untie-ing
>> [14467] dbg: bayes: untie-ing db_toks
>> [14467] dbg: bayes: untie-ing db_seen
>> [14467] dbg: config: score set 1 chosen.
>> [14467] dbg: message: ---- MIME PARSER START ----
>> [14467] dbg: message: main message type: text/plain
>> [14467] dbg: message: parsing normal part
>> [14467] dbg: message: added part, type: text/plain
>> [14467] dbg: message: ---- MIME PARSER END ----
>> [14467] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks
>> [14467] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_seen
>> [14467] dbg: bayes: found bayes db version 3
>> [14467] dbg: bayes: DB journal sync: last sync: 0
>> [14467] dbg: bayes: not available for scanning, only 0 spam(s) in bayes DB < 200
>> [14467] dbg: bayes: untie-ing
>> [14467] dbg: bayes: untie-ing db_toks
>> [14467] dbg: bayes: untie-ing db_seen
>> [14467] dbg: dns: dns_available set to yes in config file, skipping test
>> [14467] dbg: metadata: X-Spam-Relays-Trusted:
>> [14467] dbg: metadata: X-Spam-Relays-Untrusted:
>> [14467] dbg: metadata: X-Spam-Relays-Internal:
>> [14467] dbg: metadata: X-Spam-Relays-External:
>> [14467] dbg: message: no encoding detected
>> [14467] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x4a1cbc80) implements 'parsed_metadata'
>> [14467] dbg: uridnsbl: domains to query:
>> [14467] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl-lastexternal
>> [14467] dbg: dns: checking RBL sa-accredit.habeas.com., set habeas-firsttrusted
>> [14467] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl
>> [14467] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted
>> [14467] dbg: dns: checking RBL combined.njabl.org., set njabl-lastexternal
>> [14467] dbg: dns: checking RBL combined.njabl.org., set njabl
>> [14467] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois
>> [14467] dbg: dns: checking RBL list.dsbl.org., set dsbl-lastexternal
>> [14467] dbg: dns: checking RBL bl.spamcop.net., set spamcop
>> [14467] dbg: dns: checking RBL sa-trusted.bondedsender.org., set bsp-firsttrusted
>> [14467] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois-lastexternal
>> [14467] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-lastexternal
>> [14467] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs
>> [14467] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted
>> [14467] dbg: check: running tests for priority: 0
>> [14467] dbg: rules: running header regexp tests; score so far=0
>> [14467] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<"
>> [14467] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1183536114"
>> [14467] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1183536114.8107@spamassassin_spamd_init>
>> [14467] dbg: rules: "
>> [14467] dbg: rules: ran header rule NO_REAL_NAME ======> got hit: "ignore@compiling.spamassassin.taint.org
>> [14467] dbg: rules: "
>> [14467] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: "@spamassassin_spamd_init>"
>> [14467] dbg: spf: no suitable relay for spf use found, skipping SPF-helo check
>> [14467] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org
>> [14467] dbg: eval: all '*To' addrs:
>> [14467] dbg: spf: no suitable relay for spf use found, skipping SPF check
>> [14467] dbg: rules: ran eval rule NO_RELAYS ======> got hit
>> [14467] dbg: spf: cannot get Envelope-From, cannot use SPF
>> [14467] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
>> [14467] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit
>> [14467] dbg: rules: ran eval rule MISSING_HEADERS ======> got hit
>> [14467] dbg: spf: spf_whitelist_from: could not find useable envelope sender
>> [14467] dbg: rules: running body-text per-line regexp tests; score so far=0.738
>> [14467] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I"
>> [14467] dbg: uri: running uri tests; score so far=0.738
>> [14467] dbg: rules: running raw-body-text per-line regexp tests; score so far=0.738
>> [14467] dbg: rules: running full-text regexp tests; score so far=0.738
>> [14467] dbg: info: entering helper-app run mode
>> [14467] dbg: info: leaving helper-app run mode
>> [14467] dbg: razor2: part=0 engine=4 contested=0 confidence=0
>> [14467] dbg: razor2: results: spam? 0
>> [14467] dbg: razor2: results: engine 8, highest cf score: 0
>> [14467] dbg: razor2: results: engine 4, highest cf score: 0
>> [14467] dbg: util: current PATH is: /sbin:/bin:/usr/sbin:/usr/bin
>> [14467] dbg: pyzor: pyzor is not available: no pyzor executable found
>> [14467] dbg: pyzor: no pyzor found, disabling Pyzor
>> [14467] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x4a1cbc80) implements 'check_tick'
>> [14467] dbg: check: running tests for priority: 500
>> [14467] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x4a1cbc80) implements 'check_post_dnsbl'
>> [14467] dbg: rules: running meta tests; score so far=0.738
>> [14467] info: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
>> [14467] dbg: rules: running header regexp tests; score so far=2.216
>> [14467] dbg: rules: running body-text per-line regexp tests; score so far=2.216
>> [14467] dbg: uri: running uri tests; score so far=2.216
>> [14467] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.216
>> [14467] dbg: rules: running full-text regexp tests; score so far=2.216
>> [14467] dbg: check: running tests for priority: 1000
>> [14467] dbg: rules: running meta tests; score so far=2.216
>> [14467] dbg: rules: running header regexp tests; score so far=2.216
>> [14467] dbg: rules: running body-text per-line regexp tests; score so far=2.216
>> [14467] dbg: uri: running uri tests; score so far=2.216
>> [14467] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.216
>> [14467] dbg: rules: running full-text regexp tests; score so far=2.216
>> [14467] dbg: check: is spam? score=2.216 required=5
>> [14467] dbg: check: tests=MISSING_HEADERS,MISSING_SUBJECT,NO_REAL_NAME,NO_RECEIVED,NO_RELAYS,TO_CC_NONE
>> [14467] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID
>> Ignore errors about failing to find EOCD signature
>> format error: can't find EOCD signature
>> at ./bin/MailScanner line 832
>> Stopping now as you are debugging me.
>> ---
>>
>> Please note I have disabled clamav for the moment to debug this without
>> having to care about possible problems with the Antivirus, however the
>> result was the same (no spamassassin details) when having the antivirus
>> set to 'clamav' or 'clamd'.
>>
>> Also I have installed clamav and SA from local ports in OpenBSD 4.1, but
>> maybe I should use the provided package from the MS site ? Would that be
>> worth a try ?
>>
>> Thanks for any hints or tips in advance.
>>
>>
>> Cheers,
>> Christoph
>>
>> --
>> ---------------------------------------------------+
>> / Christoph Schneeberger / SCS TeleMedia AG |
>> / GIAC GSEC / Liestalerstrasse 47 |
>> / cschnee@telemedia.ch / info@telemedia.ch |
>> / 4419 Lupsingen / http://www.telemedia.ch |
>> / tel +41 61 915 9155 / fax +41 61 911 0714 |
>> --------------------------------------------------------+
>>
>> This e-mail is confidential and may be privileged. It may
>> be read, copied and used only by the addressee. If you
>> have received it in error, please contact us immediately.
>>
>>
>> "Quis custodiet ipsos custodes?"
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!

--
---------------------------------------------------+
/ Christoph Schneeberger / SCS TeleMedia AG |
/ GIAC GSEC / Liestalerstrasse 47 |
/ cschnee@telemedia.ch / info@telemedia.ch |
/ 4419 Lupsingen / http://www.telemedia.ch |
/ tel +41 61 915 9155 / fax +41 61 911 0714 |
--------------------------------------------------------+

This e-mail is confidential and may be privileged. It may
be read, copied and used only by the addressee. If you
have received it in error, please contact us immediately.

"Quis custodiet ipsos custodes?"
From glenn.steen at gmail.com Wed Jul 4 10:59:30 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jul 4 10:59:32 2007
Subject: Filename rule question
In-Reply-To: <468B4CD6.5050001@ti-edu.ch>
References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468B4CD6.5050001@ti-edu.ch>
Message-ID: <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com>

On 04/07/07, Marco Induni wrote:
> Glenn Steen wrote:
> > On 03/07/07, Marco Induni wrote:
> >> Hi All,
> >> I try to deny some email attachments based just on the filename.
> >> So I setup the following test rule to deny all attachment for email
> >> sent to me@pluto.com (obviously just a real address)
> >>
> >> - in /etc/MailScanner/Mailscanner.conf
> >> -- Filename Rules = %rules-dir%/filename-rules.rules
> >>
> >> - in /etc/MailScanner/rules/filename-rules.rules
> >> -- To: me@pluto.com /etc/MailScanner/filename-alldeny.conf
> >> -- FromOrTo: default /etc/MailScanner/filename-nocheck.rules.conf
> >>
> >> - in /etc/MailScanner/filename-alldeny.conf
> >> -- deny .* - -
> >>
> >> - in /etc/MailScanner/filename-nocheck.rules.conf
> >> -- allow .* - -
> >>
> >>
> >> So I expect that any attachment will be denied, but is not true.
> >> It seems that everything is passing through, and the rule is not
> >> matching anything.
> >> I've done MailScanner --lint and no syntax error appear.
> >> I've also tried the standard rules enclosed (deny .exe .reg,...), but
> >> didn't work.
> >
> > When troubleshooting things like these, always doublecheck your
> > assumptions with MailScanner itself... Try "MailScanner --help" to see
> > the possible things you can do ... apart from the well-known --debug
> > and --lint (start by doing a lint... it'll show you any bad syntax
> > errors), you can also try any setting with any sender/receiver .... In
> > your case you'd test
> > MailScanner --value=filenamerules --from=anyone@example.net --to=me@pluto.com
> > and perhaps some variations ... Replace with addresses valid to your
> > situation.
> >
> Glenn,
> thanks for the suggestions. I've verified with Mailscanner
> --value=filenamerules and the various address to be sure that the result
> point to the rule that deny the attachment(see below)
>
> Looked up internal option name "filenamerules"
> With sender = root@xxx
> recipient = xxx@xx
> Client IP =
> Virus =
> Result is "/etc/MailScanner/filename-alldeny.conf"
>
>
> But unfortunately the attachment are still allowed
> I've double checked to see if I've placed space instead of TAB on the
> rule, but all seems ok.
>
> Also the MailScanner --lint don't get any syntax error.
>
> Actually I've tested on MailScanner 4.58.9 and 4.61.7 with the same result.
>
> On the /etc/MailScanner/filename-alldeny.conf there is just
> deny .* - -
>
> and in MailScanner.conf
>
> Allow Filenames =
> Deny Filenames =
> Filename Rules = %rules-dir%/filename-rules.rules
>
>
> No idea :-(
>

Just a thought, but your quotes of the files in your first message....
Do they begin with "--" or "allow/deny"? That is: are there 4 fields in
the file, separated by , or five (I think the lint would catch this,
so ... probably nothing...:-).

Also, you should pay extra attention to whether it is filename or
filetype rules kicking in (in the logs... Perhaps you have MailWatch?
Makes things ... easier to see:-). I always try to make filenames and
filetypes functionally equivalent:). Paying attention to ones logs is
never wrong anyway, so ... you wouldn't have any log snippets to look
at, for a relevant test run?

When you send these messages, or indeed any messages sent to you, if
the mail has more recipients than one... then the rules applicable to
the first recipient will "win" for all of them... So you might need
split messages/recipient (look in the wiki how to do this... At least
Postfix and Sendmail can do this for you), to be sure what rules will
trigger for a specific message/recipient combination.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com Wed Jul 4 11:25:44 2007
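An added example, not part of the thread and not MailScanner's own code: a small Python check of a filename rules file for the two points raised in the message above (field count and separators, and which rule decides). It assumes four TAB-separated fields per rule (action, regular expression, log text, report text), that the first matching rule decides, and case-insensitive matching; Python's `re` stands in for Perl regular expressions, and both samples are constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Actions that appear in the thread; anything else is reported, not guessed at.
ACTIONS_IN_THREAD = {"allow", "deny"}

# Constructed sample: a well-formed file (TABs between the four fields).
GOOD_SAMPLE = (
    "# constructed sample\n"
    "allow\t\\.txt$\t-\t-\n"
    "deny\t.*\tNo attachments\tAttachments are not accepted\n"
)

# Constructed sample: the mistakes discussed in the thread, one per line.
BAD_SAMPLE = (
    "deny .* - -\n"            # spaces instead of TABs
    "--\tdeny\t.*\t-\t-\n"     # leading "--" as its own field: five fields
    "-- deny\t.*\t-\t-\n"      # leading "--" glued to the action
    "deny\t(unclosed\t-\t-\n"  # regular expression that does not compile
)


class Rule(NamedTuple):
    lineno: int
    action: str
    pattern: re.Pattern
    log_text: str
    report_text: str


def parse_rules(text: str) -> Tuple[List[Rule], List[str]]:
    """Return (usable rules in file order, human-readable problems)."""
    rules: List[Rule] = []
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        # Assumption: runs of TAB characters separate the fields.
        fields = re.split(r"\t+", line)
        if len(fields) != 4:
            if "\t" not in line and len(line.split()) >= 4:
                problems.append(
                    f"line {lineno}: fields separated by spaces, not TABs")
            else:
                problems.append(
                    f"line {lineno}: expected 4 TAB-separated fields, "
                    f"found {len(fields)}")
            continue
        action, regex, log_text, report_text = fields
        if action.lower() not in ACTIONS_IN_THREAD:
            problems.append(
                f"line {lineno}: unrecognised action {action!r}")
            continue
        try:
            pattern = re.compile(regex, re.IGNORECASE)
        except re.error as exc:
            problems.append(
                f"line {lineno}: regular expression does not compile: {exc}")
            continue
        rules.append(Rule(lineno, action.lower(), pattern, log_text, report_text))
    return rules, problems


def decide(rules: List[Rule], filename: str) -> Optional[Rule]:
    """Return the first rule whose pattern matches, or None if none does."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule
    return None


if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        rules, problems = parse_rules(sample)
        print(f"{name}: {len(rules)} usable rule(s)")
        for problem in problems:
            print("  ", problem)
        for filename in ("notes.TXT", "invoice.pdf"):
            hit = decide(rules, filename)
            verdict = f"{hit.action} (line {hit.lineno})" if hit else "no rule matched"
            print(f"   {filename}: {verdict}")
```

A file in which every line is rejected leaves no usable rules, so no filename matches anything; that is the first thing to rule out when a `deny .*` appears to have no effect.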
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jul 4 11:25:47 2007
Subject: Problem with MS on OpenBSD 4.1
In-Reply-To: <468B5577.2070402@box.telemedia.ch>
References: <468A63AC.5040808@box.telemedia.ch> <468A659A.3090602@ecs.soton.ac.uk> <468A691D.7020605@box.telemedia.ch> <223f97700707031115m7f156454wac3f7b80febe5434@mail.gmail.com> <468B5577.2070402@box.telemedia.ch>
Message-ID: <223f97700707040325v773416f4wcc68d98af2307a01@mail.gmail.com>

On 04/07/07, Christoph Schneeberger wrote:
> Glenn Steen wrote:
> > On 03/07/07, Christoph Schneeberger wrote:
> >> Hi Julian,
> >>
> >> Thanks for your reply.
> >>
> >> Julian Field wrote:
> >> ..
> >> > >When I run MS and SA in debug mode I get an error at line 832 in
> >> > >Mailscanner which is the following line:
> >> > >
> >> > >$batch->Explode();
> >> > >
> >> > >The error I get is
> >> > >
> >> > >[24820] dbg: locker: safe_unlock: unlocked /root/.spamassassin/bayes.mutex
> >> > >[24820] dbg: learn: initializing learner
> >> > >Ignore errors about failing to find EOCD signature
> >> >
> >> > That line gives a hint.
> >> >
> >> > >format error: can't find EOCD signature
> >> > > at /opt/MailScanner/bin/MailScanner line 832
> >> >
> >> > So you can ignore that.
> >> >
> >> > >Stopping now as you are debugging me.
> >> > > Done.
> >> >
> >> > It has run to completion normally. It hasn't bombed out on an error at
> >> > all. It has done exactly what it is supposed to do in Debug mode:
> >> > process 1 batch of messages and then exit.
> >>
> >> Ok thanks, i was thinking that too, but somebody on irc told me i need
> >> to get rid of this line832 error and that would solve my problem of not
> >> having any detailed Spamassassin result headers at all.
> >>
> >> So could you give me any direction or hints where I could further search
> >> to get that problem of not having detailed results in the header solved,
> >> since that's the only problem I really have.
> >>
> >> Or asked else: Is anybody on this list running a current MailScanner on
> >> OpenBSD 4.1 successfully and do you have any hints for me where to
> >> look ?
> >>
> >> Thanks a lot and best regards,
> >> Christoph
> >>
> > OpenBSD isn't exactly unheard of, but it certainly isn't one of the
> > more used OSes.... But this might not be anything specific to your
> > OS... Call me dull, but did you run a
> > MailScanner --debug --debug-sa
> > ... with something obvious, like a GTUBE, on queue?
> >
> > Cheers
>
> Thanks for your reply, I had to google GTUBE before I knew what you
> meant ;-)
>
> I have run with debug and debug-sa (from MailScanner.conf but I guess
> that is the same result) and people on irc told me the output i pasted
> looks good, but I'll happily provide it at the end of this mail.

Yep, they are equivalent... Just easier to use the command line:-).

> I have sent a mail (only body with copy-paste) from my inbox that is
> spam through the MS in question and it scored it with 18 and flagged the
> Subject properly with {Spam?}, BUT only the Spamscore and the Subject
> Flag are here, no details on which tests how many score was given, just
> a result.

This is indeed strange... IIRC there was someone else posting about
specifics for OpenBSD a while back... You have looked in the maillist
archives (gmane is good for this), I presume?

> The reason I want OpenBSD is the spamd/pf combo which is quite unique
> for greylisting and since 4.1 even more use- and powerful. Also I have
> used OpenBSD since 2.5 and I am quite satisfied with its robustness and
> safety. Another reason is that I am a sendmail veteran because there was
> nothing else really serious at the time i needed my first mailhub, so I
> read different sendmails books and am quite comfortable with it. I've
> never found my way into other MTAs and since most Linux are now shipping
> Postfix, Exim or whatever I am sticking with OpenBSD for Mailhubs,
> Mailgates etc.

Oh, no quarrel from me, you should stick with what you're comfy with.
Personally I switched to PF quite a few years ago, but that was ... in
the bad old days, when sendmail was a sieve and PF looked ... shiny:-).
Today, all the major MTAs (no, not exchange:-):-) are quite secure.
TW, most any linux distro can be configured with most any MTA... Some
even have a nice tool for switching between them (like CentOS/RHEL
does). Not that I'm telling you to switch:-).

> So here is the output of
> ./bin/MailScanner --debug --debug-sa 2>&1 | tee /tmp/log
> ---
> (snip)
> tests=MISSING_HEADERS,MISSING_SUBJECT,NO_REAL_NAME,NO_RECEIVED,NO_RELAYS,TO_CC_NONE
> [14467] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID
> Ignore errors about failing to find EOCD signature
> format error: can't find EOCD signature
> at ./bin/MailScanner line 832
> Stopping now as you are debugging me.
> ---

Ok, so the tests are there, and should be reported back to MS... Hm.

> Please note I have disabled clamav for the moment to debug this without
> having to care about possible problems with the Antivirus, however the
> result was the same (no spamassassin details) when having the antivirus
> set to 'clamav' or 'clamd'.

Yeah, that shouldn't matter.

> Also I have installed clamav and SA from local ports in OpenBSD 4.1, but
> maybe I should use the provided package from the MS site ? Would that be
> worth a try ?

I've stopped using prepackaged things for those, since there
occasionally are strange problems due to ... quirky packaging (not
often, IIRC mostly concerning RPM-based linux distros, but ... still
...)... So uninstalling the SA you have (which is slightly dated
anyway, and don't seem to be using sa-update...), and perhaps your
clamav too, and reinstalling them using Jules package... Might be very
worth your while.

> Thanks for any hints or tips in advance.
> > > Cheers, > Christoph > > -- > ---------------------------------------------------+ > / Christoph Schneeberger / SCS TeleMedia AG | > / GIAC GSEC / Liestalerstrasse 47 | > / cschnee@telemedia.ch / info@telemedia.ch | > / 4419 Lupsingen / http://www.telemedia.ch | > / tel +41 61 915 9155 / fax +41 61 911 0714 | > --------------------------------------------------------+ > > This e-mail is confidential and may be privileged. It may > be read, copied and used only by the addressee. If you > have received it in error, please contact us immediately. > > > "Quis custodiet ipsos custodes?" Indeed...:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From gerard at seibercom.net Wed Jul 4 12:08:56 2007 From: gerard at seibercom.net (Gerard) Date: Wed Jul 4 12:08:49 2007 Subject: Postfix Address Verification In-Reply-To: <468AE442.6000501@rheelweb.co.nz> References: <46881CAB.2090504@rheelweb.co.nz> <468AE442.6000501@rheelweb.co.nz> Message-ID: <20070704070636.7FFD.GERARD@seibercom.net> On July 03, 2007 at 08:05PM Seamus Allan wrote: [snip] > Anybody got ideas? Have you tried posting this question on the Postfix forum? You will obviously need to include a the results of a 'postconf -n' output as well as the relevant sections of the maillog. Off hand, I cannot see anything wrong though. -- Gerard "Everybody has a right to be stupid, but some people abuse the privilege." Joseph Stalin From martinh at solidstatelogic.com Wed Jul 4 12:15:43 2007 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Jul 4 12:15:47 2007 Subject: Postfix Address Verification In-Reply-To: <20070704070636.7FFD.GERARD@seibercom.net> Message-ID: <6a5b3338ddca144790b0da740700adfc@solidstatelogic.com> Seamus I'd start here.. http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta :postfix:how_to:reject_non_existent_users -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Gerard > Sent: 04 July 2007 12:09 > To: mailscanner@lists.mailscanner.info > Subject: Re[2]: Postfix Address Verification > > On July 03, 2007 at 08:05PM Seamus Allan wrote: > > [snip] > > > Anybody got ideas? > > Have you tried posting this question on the Postfix forum? You will > obviously need to include a the results of a 'postconf -n' output as > well as the relevant sections of the maillog. > > Off hand, I cannot see anything wrong though. > > -- > Gerard > > "Everybody has a right to be stupid, but some people abuse the privilege." > > Joseph Stalin > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From lists at gmnet.net Wed Jul 4 12:56:03 2007 
From: lists at gmnet.net (mail) Date: Wed Jul 4 12:56:18 2007 Subject: Any advice for a new server? In-Reply-To: References: <1183421943.8123.116.camel@thor.greenbuzz.net> Message-ID: <1183550163.31212.45.camel@thor.greenbuzz.net> On Tue, 2007-07-03 at 11:02 +1000, Res wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > NotDashEscaped: You need GnuPG to verify this message > > On Tue, 3 Jul 2007, mail wrote: > > > Hi, > > > > I have been running a mail server with sendmail/ MailScanner/ ClamAV/ > > Mailman/ Squirrelmail/ combo for the past 7 years. It is now time to > > migrate my accounts to a brand new server. I was using Redhat9, but now > > I'm 99% sure that I will go with Gentoo. I am also 90% sure that I will > > You want to make sure you have several years of support, for this reason > I last used a RH OS on servers at RH9, I had one RH9 box for for up to 2 > years after RH stopped supporting it, because it was unbreakable. > I have since moved it to the same as other servers, being Slackware, as > close to true sources as you'll get (hence why there is no 20+ updates > relased every week like RH/Fedora/Debian etc), version support is at > least 5 years or more. Also extremely reliable and stable, a good time to > try it as Slackware 12.0 was released overnight. > > > > stay with sendmail/ ClamAV/ Squirrelmail and 100% sure to stay with > > MailScanner/ Mailman. I don't have a whole lot of accounts so I do have > > Yep, stay with them all, but make sure you use the latest versions of > them. > > > -- > Cheers > Res > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > > iD8DBQFGiaAesWhAmSIQh7MRAuR6AKCckPnA6p4SFKMLUyXMrt9Z6qSNdACeOlM8 > XzplccsAL+NIxGJVBw1CLNg= > =d01E > -----END PGP SIGNATURE----- Thanks to everyone so far for the insight! I think I will use Gentoo. I got somewhat burned by using RH9 the last time. Almost as soon as I installed it and got it up and running, they stopped supporting it. 
I am really happy with portage as my update path. I don't mind compiling stuff from source because I will be doing that anyway for many things. Also I will not be installing any windowing or desktop applications at all. I can't wait to get the Mailscanner book and dive in! rick From cschnee at box.telemedia.ch Wed Jul 4 15:54:20 2007 
From: cschnee at box.telemedia.ch (Christoph Schneeberger)
Date: Wed Jul 4 15:55:23 2007
Subject: SOLVED: Re: Problem with MS on OpenBSD 4.1
In-Reply-To: <223f97700707040325v773416f4wcc68d98af2307a01@mail.gmail.com>
References: <468A63AC.5040808@box.telemedia.ch> <468A659A.3090602@ecs.soton.ac.uk> <468A691D.7020605@box.telemedia.ch> <223f97700707031115m7f156454wac3f7b80febe5434@mail.gmail.com> <468B5577.2070402@box.telemedia.ch> <223f97700707040325v773416f4wcc68d98af2307a01@mail.gmail.com>
Message-ID: <468BB49C.2090004@box.telemedia.ch>

After my fourth day on this issue, I tried to reactivate my previous
install under an i386 machine with 4.59.4. I haven't got that far there
so I had still the default setup and no migration of configuration and
just tested it to see if I get detailed headers which I surprisingly got.

To minimize my own errors I did migrate the config line by line and
after every line changed I ran a test to see if my detailed report
headers disappear or not.

Suddenly when adding my Mail Header= rule file to the config I started
to lack the detailed reports...after looking at this rule file I used
there I felt incredibly stupid (or as maxsec said: The problem has been
between the chair and the keyboard).

I used config variables like %mail_header% in my rule file, but those
vars were not defined in the main MailScanner.conf like:

%mail_header% = X-%org-name%-MailScanner:

Okay, I added those missing vars - et viola (courtesy to Kelly Bundy) I
got my detailed reports in header...

Maybe the MS debug output could have mentioned something regarding this,
but that's not an excuse for a completely stupid migration mistake from me.

Anyway, I want to say thanks, first for all that offered help and
assistance and second for MailScanner, which is really an exciting tool
for me.

Cheers and thx a lot again,
Christoph

From Denis.Beauchemin at USherbrooke.ca Wed Jul 4 16:06:04 2007
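
The migration mistake described in the message above (a rule file using %mail_header% with no matching definition in MailScanner.conf) can be caught before a restart by checking every %name% reference against the definitions in the main configuration. This is an added example, not code from the post or from MailScanner; it assumes the `%name% = value` definition syntax quoted in the message, ignores definition order, and its sub names, file names and sample contents are constructed.

```perl
#!/usr/bin/perl
# Added example (not MailScanner's own code): report %name% references that
# no "%name% = value" line defines, across a main config and its rule files.
use strict;
use warnings;

# Collect the names defined as "%name% = value" in the main configuration.
sub defined_vars {
    my ($conf_text) = @_;
    my %defined;
    for my $line (split /\n/, $conf_text) {
        next if $line =~ /^\s*#/;                       # comment line
        $defined{$1} = 1 if $line =~ /^\s*%([\w-]+)%\s*=/;
    }
    return \%defined;
}

# Return one finding per %name% reference that has no definition.
sub undefined_refs {
    my ($defined, $file_name, $text) = @_;
    my @findings;
    my $line_no = 0;
    for my $line (split /\n/, $text) {
        $line_no++;
        next if $line =~ /^\s*#/;
        # Drop the left-hand side of a definition so only uses are checked.
        (my $rest = $line) =~ s/^\s*%[\w-]+%\s*=//;
        while ($rest =~ /%([\w-]+)%/g) {
            my $name = $1;
            next if $defined->{$name};
            push @findings,
                sprintf('%s:%d: %%%s%% is not defined', $file_name, $line_no, $name);
        }
    }
    return @findings;
}

# Constructed sample files; the rule file repeats the mistake from the message.
my $conf = <<'END';
# MailScanner.conf (constructed excerpt)
%org-name% = example
%rules-dir% = /etc/MailScanner/rules
Mail Header = %rules-dir%/mail.header.rules
END

my $rules = <<'END';
# mail.header.rules (constructed)
To:        *@example.com   X-%org-name%-Inbound:
FromOrTo:  default         %mail_header%
END

my $defined  = defined_vars($conf);
my @findings = (
    undefined_refs($defined, 'MailScanner.conf',  $conf),
    undefined_refs($defined, 'mail.header.rules', $rules),
);

print "$_\n" for @findings;
print "all %variables% are defined\n" unless @findings;
exit(@findings ? 1 : 0);
```

The non-zero exit status lets the check gate a configuration reload.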
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Jul 4 16:06:35 2007
Subject: Vulnerability in Net::DNS
Message-ID: <468BB75C.9000506@USherbrooke.ca>

Hello all,

I just read this:

07.27.36 CVE: CVE-2007-3377, CVE-2007-3409
Platform: Cross Platform
Title: Perl Net::DNS Remote Multiple Vulnerabilities
Description: The Perl Net::DNS module allows scripts written in Perl
to perform DNS queries. The application is exposed to multiple issues.
Perl Net::DNS module versions prior to 0.60. are affected.
Ref: http://www.securityfocus.com/bid/24669

I just upgraded to 0.60, reloaded MS and everything is working fine.

Denis

--
   _
  ?v?   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3595 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070704/490cfb6d/smime.bin

From rcooper at dwford.com Wed Jul 4 16:23:11 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Wed Jul 4 16:23:20 2007
Subject: clamd configuration?
In-Reply-To: <468B0B2E.8080201@fractalweb.com>
References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> <468B0B2E.8080201@fractalweb.com>
Message-ID: <006301c7be4f$3c350530$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Chris Yuzik
> Sent: Tuesday, July 03, 2007 10:51 PM
> To: MailScanner discussion
> Subject: Re: clamd configuration?
> [...]
> Rick,
>
> Ok, here you go. I put MailScanner into debug mode, did a
> lint, plopped
> a message with the eicar test file into the inqueue, etc. Looks like
> clamd is called and the messages handed off, but it doesn't
> find the virus.
>
> Chris
>

Ok, sorry so spotty on returns, My mother-in-law passed away Fri and the
weekend through last night was spent with all the duties entailed with such
an event (and of course my Wife and Kids).

My guess is permissions are insufficient, check the user that clamd is
running under. If it's not root then make sure you have added the correct
MailScanner config params at the working dir setup or add the MS user to
clam's group and turn on supplementary groups in the clamd.conf.

I am testing with a situation where I am running the daemon with
insufficient perms now and I get: "Access denied. ERROR" from the daemon
however the line:

    elsif ($rest =~ /^.+\sERROR$/) {

Is not catching the above (because $rest is empty) thus it's falling through
to

    } else {
      print "CLEAN:: :: $dirname/$childname/$filename\n";

Which it should never do, IMHO. I clipped this from the clamavmodule code so
perhaps clamavmodule does return other items.

Julian, I really haven't the time to D/L and patch the release code, perhaps
you can add the following:

    # If we get an access denied error then print the properly
    # formatted error and leave
    # (braces keep Perl from reading "$ScanDir::" as a package-qualified name)
    print "ERROR::Permissions Problem Clamd was denied access to " .
          "${ScanDir}::$ScanDir\n"
          if $results =~ /\.\/Access denied. ERROR/;
    last if $results =~ /\.\/Access denied. ERROR/;

Above :

    next if $results =~ /^\.\/OK/;

(about line 3316 or so in SweepViruses.pm) as this will catch the access
denied line.

Since I took the logic from clamavmodule I never thought about permission
problems which clamavmodule couldn't have (I would think). This will cause
the parser to see the error, but bear in mind any error in the parser
results in MailScanner flagging the message as having a virus in the log,
but it passes the attachment by because there is no filename to flag. It
does generate an obvious error that any semi-alert admin will catch however :

ERROR::Permissions Problem Clamd was denied access to /dev/shm/15408

Julian : I think the section that results in:

    print "CLEAN:: :: $dirname/$childname/$filename\n";

should be changed to

    print "ERROR::UNKNOWN RETURN FROM CLAMD $result :: $ScanDir\n";

As we catch OK/ERROR/INFECTED above it and anything else has to be a
problem.

Sorry for not having caught that possibility sooner. Also sorry if this post
is less than coherent. If Julian hasn't the time to post a patch then I
should be able to get to it by the weekend as some rather large projects are
piling up on me due to death and holiday (which I really shouldn't work this
time).

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From jgouveia at gmail.com Wed Jul 4 16:32:49 2007
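
The failure described in the message above is a result parser whose final branch reports CLEAN for any reply it does not recognise. The following is an added example (not MailScanner's SweepViruses.pm and not the poster's patch) of a classifier that fails closed instead; it assumes clamd's `<path>: OK`, `<path>: <name> FOUND` and `<path>: <text> ERROR` reply shapes, and its sub names, paths and sample replies are constructed.

```perl
#!/usr/bin/perl
# Added example: classify clamd reply lines so that only an explicit OK
# counts as clean, and decide a batch verdict that holds mail on any doubt.
use strict;
use warnings;

# Classify one reply line; returns { status, path, detail } where status is
# CLEAN, INFECTED or ERROR. Unknown input is always ERROR, never CLEAN.
sub classify_clamd_line {
    my ($line) = @_;
    $line = '' unless defined $line;
    $line =~ s/[\r\n\0]+\z//;

    return { status => 'CLEAN',    path => $1, detail => '' }
        if $line =~ /\A(.+?): OK\z/;
    return { status => 'INFECTED', path => $1, detail => $2 }
        if $line =~ /\A(.+?): (.+) FOUND\z/;
    return { status => 'ERROR',    path => $1, detail => $2 }
        if $line =~ /\A(.+?): (.+) ERROR\z/;
    # An error reply that carries no "<path>: " prefix at all.
    return { status => 'ERROR',    path => '', detail => $1 }
        if $line =~ /\A(.*\S)\s+ERROR\z/;
    return { status => 'ERROR', path => '',
             detail => "unrecognised reply '$line'" };
}

# Decide what to do with a batch. $expected lists every file handed to the
# scanner; a file with no explicit verdict is treated as an error.
sub batch_verdict {
    my ($expected, $replies) = @_;
    my (%seen, @infected, @errors);

    for my $line (@$replies) {
        my $r = classify_clamd_line($line);
        if ($r->{status} eq 'CLEAN') {
            $seen{ $r->{path} } = 1;
        }
        elsif ($r->{status} eq 'INFECTED') {
            $seen{ $r->{path} } = 1;
            push @infected, "$r->{path} ($r->{detail})";
        }
        else {
            my $has_path = length $r->{path};
            $seen{ $r->{path} } = 1 if $has_path;
            push @errors,
                $has_path ? "$r->{path}: $r->{detail}" : $r->{detail};
        }
    }
    push @errors, "no verdict for $_" for grep { !$seen{$_} } @$expected;

    return ('QUARANTINE', \@infected, \@errors) if @infected;
    return ('HOLD',       [],         \@errors) if @errors;
    return ('DELIVER',    [],         []);
}

# Constructed sample data (not captured from a real daemon).
my @expected = ('/tmp/scan/1/note.txt', '/tmp/scan/1/eicar.com');
my @cases = (
    [ 'all clean',     [ '/tmp/scan/1/note.txt: OK',
                         '/tmp/scan/1/eicar.com: OK' ] ],
    [ 'test file',     [ '/tmp/scan/1/note.txt: OK',
                         '/tmp/scan/1/eicar.com: Eicar-Test-Signature FOUND' ] ],
    [ 'access denied', [ './Access denied. ERROR' ] ],
    [ 'no reply',      [ ] ],
    [ 'garbage',       [ '/tmp/scan/1/note.txt: OK', 'something else' ] ],
);

for my $case (@cases) {
    my ($name, $replies) = @$case;
    my ($verdict, $infected, $errors) = batch_verdict(\@expected, $replies);
    printf "%-14s %-11s %s\n", $name, $verdict,
        join('; ', @$infected, @$errors);
}
```

Only the first case is delivered; the access-denied, empty and unrecognised replies all end in HOLD with the reason attached, which is the behaviour the message asks for in place of the CLEAN fall-through.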
From: jgouveia at gmail.com (João Gouveia)
Date: Wed Jul 4 16:32:51 2007
Subject: Vulnerability in Net::DNS
In-Reply-To: <468BB75C.9000506@USherbrooke.ca>
References: <468BB75C.9000506@USherbrooke.ca>
Message-ID: <39ee73db0707040832x41b2fb71j256bc7dfe4db2cf2@mail.gmail.com>

At a first glance, this seems to be related to the server component of
Net::DNS, so that shouldn't have any impact on client side apps such as
MS/spamassassin.

On 7/4/07, Denis Beauchemin wrote:
> Hello all,
>
> I just read this:
>
> 07.27.36 CVE: CVE-2007-3377, CVE-2007-3409
> Platform: Cross Platform
> Title: Perl Net::DNS Remote Multiple Vulnerabilities
> Description: The Perl Net::DNS module allows scripts written in Perl
> to perform DNS queries. The application is exposed to multiple issues.
> Perl Net::DNS module versions prior to 0.60. are affected.
> Ref: http://www.securityfocus.com/bid/24669
>
>
> I just upgraded to 0.60, reloaded MS and everything is working fine.
>
> Denis
>
> --
>    _
>   ?v?   Denis Beauchemin, analyste
>  /(_)\  Université de Sherbrooke, S.T.I.
>   ^ ^   T: 819.821.8000x62252 F: 819.821.8045
>
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>
>

From minduni at ti-edu.ch Wed Jul 4 16:45:29 2007
From: minduni at ti-edu.ch (Marco Induni) Date: Wed Jul 4 16:45:31 2007 Subject: Filename rule question In-Reply-To: <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> Message-ID: <468BC099.7060508@ti-edu.ch> Glenn Steen wrote: > On 04/07/07, Marco Induni wrote: >> Glenn Steen wrote: >> > On 03/07/07, Marco Induni wrote: >> >> Hi All, >> >> I try to deny some email attachments based just on the filename. >> >> So I setup the following test rule to deny all attachment for email >> >> sended to me@pluto.com (obviously just a real address) >> >> >> >> - in /etc/MailScanner/Mailscanner.conf >> >> -- Filename Rules = %rules-dir%/filename-rules.rules >> >> >> >> - in /etc/MailScanner/rules/filename-rules.rules >> >> -- To: me@pluto.com /etc/MailScanner/filename-alldeny.conf >> >> -- FromOrTo: default >> >> /etc/MailScanner/filename-nocheck.rules.conf >> >> >> >> - in /etc/MailScanner/filename-alldeny.conf >> >> -- deny .* - - >> >> >> >> - in /etc/MailScanner/filename-nocheck.rules.conf >> >> -- allow .* - - >> >> >> >> >> >> So I expect that any attachment will be denied, but is not true. >> >> It seems that everything is passing through, and the rule is not >> >> matching anything. >> >> I've done MailScanner --lint and no syntax error appear. >> >> I've also tried the standard rules enclosed (deny .exe .reg,...), but >> >> didn't work. >> > >> > When troubleshooting things like these, always doublecheck your >> > assumptions with MailScanner itself... Try "MailScanner --help" to see >> > the possible things you can do ... apart from the well-known --debug >> > and --lint (start by doing a lint... it'll show you any bad syntax >> > errors), you can also try any setting with any sender/receiver .... 
In >> > your case you'd test >> > MailScanner --value=filenamerules --from=anyone@example.net >> > --to=me@pluto.com >> > and perhaps some variations ... Replace with addresses valid to your >> > situation. >> > >> Glenn, >> thanks for the suggestions. I've verified with Mailscanner >> --value=filenamerules and the various address to be sure that the result >> point to the rule that deny the attachment(see below) >> >> Looked up internal option name "filenamerules" >> With sender = root@xxx >> recipient = xxx@xx >> Client IP = >> Virus = >> Result is "/etc/MailScanner/filename-alldeny.conf" >> >> >> But unfortunately the attachment are still allowed >> I've double checked to see if I've placed space instead of TAB on the >> rule, but all seems ok. >> >> Also the MailScanner --lint don't get any syntax error. >> >> Actually I've tested on MailScanner 4.58.9 and 4.61.7 with the same >> result. >> >> On the /etc/MailScanner/filename-alldeny.conf there is just >> deny .* - - >> >> and in MailScanner.conf >> >> Allow Filenames = >> Deny Filenames = >> Filename Rules = %rules-dir%/filename-rules.rules >> >> >> No idea :-( >> > Just a thought, but your quotes of the files in your first message.... > Do the begin with "--" or "allow/deny"? That is: are there 4 fields in > the file, separated by , or five (I think the lint would caatch > this, so ... probably nothing...:-). > Hi Gleen, unfortunately, the file is correct, I added the -- for ident on the mail only, but it look like a field. Also as you said this error (and even the lost TAB) are catched by the --lint option. > Also, you should pay extra attention to whether it is finame or > filetype rules kicking in (in the logs... Perhaps you have MailWatch? > Makes things ... easier to see:-). Uhm, I don't have Mailwatch installed, but in the log i can't see the rules involved. I had to activate some flag, or there are special logs ? 
The rules appear to be correct when i tested via the "MailScanner --value=filenamerules ...." > I always try to make filenames and filetypes functionally equivalent:). > Paying attention to ones logs is never wrong anyway, so ... you > wouldn't have any log snippets to look at, for a relevant test run? > > When you send these messages, or indeed any messages sent to you, if > the mail has more recipients than one... then the rules applicable to > the first recipient will "win" for all of them... So you might need > split messages/recipient (look in the wiki how to do this... At least > Postfix and Sendmail can do this for you), to be sure what rules will > trigger for a specific message/recipient combination. Good point, but in my test I'm the only recipient > > Cheers Grazie (Thank you) -- Marco Induni Universita` della Svizzera italiana Servizi informatici / TI-EDU Galleria 2 CH-6928 Manno (Switzerland) E-mail: minduni@ti-edu.ch Tel: +41 58 666 6656 Fax: +41 58 666 6650 From hvdkooij at vanderkooij.org Wed Jul 4 16:46:08 2007 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Jul 4 16:47:14 2007 Subject: Some maillog question In-Reply-To: References: Message-ID: On Wed, 4 Jul 2007, Martin.Hepworth wrote: > Nope - look in the clamd.conf file. There's a setting you may need to > increase.. If the scan can not be completed in the default 300 seconds you may have a DoS sample at hand. Or a system that is underpowered for the task at hand. Or you need to tell your users not to send DVD images by email. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Please, don't top post: A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From MailScanner at ecs.soton.ac.uk Wed Jul 4 16:52:55 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 4 16:58:42 2007
Subject: MailScanner ANNOUNCE: Re: Vulnerability in Net::DNS
In-Reply-To: <468BB75C.9000506@USherbrooke.ca>
References: <468BB75C.9000506@USherbrooke.ca>
Message-ID: <468BC257.5000201@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have just updated my ClamAV+SpamAssassin package on
www.mailscanner.info to solve this vulnerability.

I would advise everyone to download and install the new version of this
package.

Denis Beauchemin wrote:
> Hello all,
>
> I just read this:
>
> 07.27.36 CVE: CVE-2007-3377, CVE-2007-3409
> Platform: Cross Platform
> Title: Perl Net::DNS Remote Multiple Vulnerabilities
> Description: The Perl Net::DNS module allows scripts written in Perl
> to perform DNS queries. The application is exposed to multiple issues.
> Perl Net::DNS module versions prior to 0.60. are affected.
> Ref: http://www.securityfocus.com/bid/24669
>
>
> I just upgraded to 0.60, reloaded MS and everything is working fine.
>
> Denis
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Comment: (pgp-secured)
Charset: UTF-8

wj8DBQFGi8JXEfZZRxQVtlQRAs/VAKCPeEtCTHQsW1+9VnHM5MRhQxA90gCeK/Id
zgKXq0MJu2yIDQ3Wn5Gy7mc=
=0BSq
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Wed Jul 4 16:59:38 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jul 4 17:04:10 2007 Subject: Some maillog question In-Reply-To: References: Message-ID: <468BC3EA.6010401@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hugo van der Kooij wrote: > On Wed, 4 Jul 2007, Martin.Hepworth wrote: > >> Nope - look in the clamd.conf file. There's a setting you may need to >> increase.. > > If the scan can not be completed in the default 300 seconds you may > have a DoS sample at hand. Or a system that is underpowered for the > task at hand. Or you need to tell your users not to send DVD images by > email. > If you are running ClamAV 0.90 (Virus Scanners = clamav) then try running the 0.91 release candidate as this loads the virus signatures a *lot* faster. Or else try clamavmodule or clamd. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFGi8PqEfZZRxQVtlQRAnzpAJ95AgotgJ02XGUrf6GDUWxAw/2VDgCgoZxS 4FjkFfRI7IrGK9t171gKr4Q= =8iH7 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mailscanner at ecs.soton.ac.uk Wed Jul 4 20:13:01 2007 From: mailscanner at ecs.soton.ac.uk (Jules) Date: Wed Jul 4 20:14:50 2007 Subject: Ping Message-ID: <200707041913.l64JD1D1013544@safir.blacknight.ie> Not at all sure the list is working, so I'm doing this one by hand. -- JulesFM From uxbod at splatnix.net Wed Jul 4 20:17:06 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Jul 4 20:17:10 2007 Subject: Ping In-Reply-To: <200707041913.l64JD1D1013544@safir.blacknight.ie> References: <200707041913.l64JD1D1013544@safir.blacknight.ie> Message-ID: <2797931a085805f37b5eed3cbbb96ec2@62.49.223.244> Pong! On Wed, 4 Jul 2007 20:13:01 +0100, Jules wrote: > Not at all sure the list is working, so I'm doing this one by hand. > -- > JulesFM > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. -- --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From clacroix at cegep-ste-foy.qc.ca Wed Jul 4 20:17:58 2007 From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix) Date: Wed Jul 4 20:18:02 2007 Subject: Ping In-Reply-To: <200707041913.l64JD1D1013544@safir.blacknight.ie> References: <200707041913.l64JD1D1013544@safir.blacknight.ie> Message-ID: <200707041517.58832.clacroix@cegep-ste-foy.qc.ca> What have you done to the list!! :) On Wednesday 04 July 2007 15:13, Jules wrote: > Not at all sure the list is working, so I'm doing this one by hand. > -- > JulesFM -- Charles Lacroix, Administrateur UNIX. Service des t?l?communications et des technologies C?gep de Sainte-Foy (418) 659-6600 # 4266 From mailscanner at slackadelic.com Wed Jul 4 20:19:15 2007 
From: mailscanner at slackadelic.com (Matt Hayes) Date: Wed Jul 4 20:19:24 2007 Subject: Ping In-Reply-To: <200707041913.l64JD1D1013544@safir.blacknight.ie> References: <200707041913.l64JD1D1013544@safir.blacknight.ie> Message-ID: <468BF2B3.9000603@slackadelic.com> Jules wrote: > Not at all sure the list is working, so I'm doing this one by hand. It's working Jules. -Matt From MailScanner at ecs.soton.ac.uk Wed Jul 4 20:25:52 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jul 4 20:28:36 2007 Subject: Ping In-Reply-To: <468BF2B3.9000603@slackadelic.com> References: <200707041913.l64JD1D1013544@safir.blacknight.ie> <468BF2B3.9000603@slackadelic.com> Message-ID: <468BF440.9000009@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Matt Hayes wrote: > Jules wrote: >> Not at all sure the list is working, so I'm doing this one by hand. > > It's working Jules. Phew. We went over 3 hours without a single posting, that's almost unheard of :-) > > -Matt > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGi/RBEfZZRxQVtlQRAmn1AKCZT2KBayjga9J0I9hdz9zBR3uk2ACg8Xvt V+51K2FW10H0uJLM/5hYLBQ= =iziZ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From uxbod at splatnix.net Wed Jul 4 20:33:06 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Jul 4 20:33:10 2007 Subject: Ping In-Reply-To: <468BF440.9000009@ecs.soton.ac.uk> References: <468BF440.9000009@ecs.soton.ac.uk> Message-ID: <38e6466229b168459a56f45fc2db9af0@62.49.223.244> typeset -i count let count=0 while (( ${count} -lt 1000 )) do echo "Does it still work" | mailx -s "Ping ${count}" mailscanner@lists.mailscanner.info sleep 60 let ${count}+=1 done :) On Wed, 04 Jul 2007 20:25:52 +0100, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Matt Hayes wrote: >> Jules wrote: >>> Not at all sure the list is working, so I'm doing this one by hand. >> >> It's working Jules. > Phew. We went over 3 hours without a single posting, that's almost > unheard of :-) >> >> -Matt >> >> > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > Charset: ISO-8859-1 > > wj8DBQFGi/RBEfZZRxQVtlQRAmn1AKCZT2KBayjga9J0I9hdz9zBR3uk2ACg8Xvt > V+51K2FW10H0uJLM/5hYLBQ= > =iziZ > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
-- --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From seamus at rheelweb.co.nz Wed Jul 4 22:42:43 2007 From: seamus at rheelweb.co.nz (Seamus Allan) Date: Wed Jul 4 22:42:52 2007 Subject: Postfix Address Verification In-Reply-To: <6a5b3338ddca144790b0da740700adfc@solidstatelogic.com> References: <6a5b3338ddca144790b0da740700adfc@solidstatelogic.com> Message-ID: <468C1453.8050102@rheelweb.co.nz> Thats where I originally started ;) Cheers though Martin.Hepworth wrote: > Seamus > I'd start here.. > > > > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta > :postfix:how_to:reject_non_existent_users > > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > From glenn.steen at gmail.com Wed Jul 4 23:20:22 2007 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jul 4 23:20:24 2007
Subject: Filename rule question
In-Reply-To: <468BC099.7060508@ti-edu.ch>
References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> <468BC099.7060508@ti-edu.ch>
Message-ID: <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com>

On 04/07/07, Marco Induni wrote:
> Glenn Steen wrote:
(snip)
> >> No idea :-(
> >>
> > Just a thought, but your quotes of the files in your first message....
> > Do they begin with "--" or "allow/deny"? That is: are there 4 fields in
> > the file, separated by , or five (I think the lint would catch
> > this, so ... probably nothing...:-).
> >
> Hi Gleen,

Go easy on the "e"s;-)

> unfortunately, the file is correct, I added the -- for indent on the mail
> only, but it looks like a field.
> Also as you said this error (and even the lost TAB) are caught by the
> --lint option.

Yeah, wouldn't it be nice if it was some easy typo... Too much to hope for, I guess:-).

> > Also, you should pay extra attention to whether it is filename or
> > filetype rules kicking in (in the logs... Perhaps you have MailWatch?
> > Makes things ... easier to see:-).
>
> Uhm, I don't have Mailwatch installed, but in the log I can't see the
> rules involved. I had to activate some flag, or there are special logs ?
> The rules appear to be correct when I tested via the "MailScanner
> --value=filenamerules ...."

No, nothing special, MailWatch just highlights things and makes them obvious (like when you think you have one envelope sender, and in reality you don't... you have some other...)... In that vein, did you do the tests by telnet (so that you have complete control of the SMTP conversation) or ... some other thing?
Perhaps there is some other rule, like a whitelist for the local host or domain, kicking in _before_ the rule you try out? If you supply a --ip=... you can test that too...
Would be great if this was something easily explicable... I'm running out of ideas:-).

>
> > I always try to make filenames and filetypes functionally equivalent:).
> > Paying attention to one's logs is never wrong anyway, so ... you
> > wouldn't have any log snippets to look at, for a relevant test run?
> >
> > When you send these messages, or indeed any messages sent to you, if
> > the mail has more recipients than one... then the rules applicable to
> > the first recipient will "win" for all of them... So you might need
> > split messages/recipient (look in the wiki how to do this... At least
> > Postfix and Sendmail can do this for you), to be sure what rules will
> > trigger for a specific message/recipient combination.
>
> Good point, but in my test I'm the only recipient

Hm, another good pint down the drain:-).

> >
> > Cheers
>
> Grazie (Thank you)
>

Thank me when we get to the bottom of this...:-).
I wonder if the file isn't a bit suspect anyway... If you change it to
deny/\..*$/--
... does that make a difference? If you make some specific deny rules? And perhaps some "specific but the other way around" in the default file?
We're missing something here....:)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Jul 4 23:25:03 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jul 4 23:25:04 2007 Subject: Ping In-Reply-To: <468BF440.9000009@ecs.soton.ac.uk> References: <200707041913.l64JD1D1013544@safir.blacknight.ie> <468BF2B3.9000603@slackadelic.com> <468BF440.9000009@ecs.soton.ac.uk> Message-ID: <223f97700707041525t21a3ef46h19854aab47bb06b9@mail.gmail.com> On 04/07/07, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Matt Hayes wrote: > > Jules wrote: > >> Not at all sure the list is working, so I'm doing this one by hand. > > > > It's working Jules. > Phew. We went over 3 hours without a single posting, that's almost > unheard of :-) I'm doing something Hugo wouldn't approve of (but you would, I know, since it's a nice red:-)... And I'm on vacation, al right... :-D In just 2 and 1/2 weeks all will be back to the normal noise level....:-):-) Seriously though.... If it's quiet... either more people than me are vacationing, or there are very few problems right now;). > > > > -Matt > > > > > > Jules > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Jul 4 23:33:47 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jul 4 23:33:50 2007 Subject: Postfix Address Verification In-Reply-To: <468C1453.8050102@rheelweb.co.nz> References: <6a5b3338ddca144790b0da740700adfc@solidstatelogic.com> <468C1453.8050102@rheelweb.co.nz> Message-ID: <223f97700707041533v35800e35of42185fbf62573af@mail.gmail.com> On 04/07/07, Seamus Allan wrote: > Thats where I originally started ;) > Cheers though > Thing is, I'm still not too clear on which postfix is telling you this.... "external" or "internal"... Am slightly "muddled" ATM, but ... does both recognize that they are to handle that particular domain? And it's users? How did you set the verification up on both of them? I might be completely "muddled", so please set me straight:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From root at doctor.nl2k.ab.ca Thu Jul 5 01:45:27 2007 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Thu Jul 5 01:46:37 2007 Subject: MailScanner ANNOUNCE: Re: Vulnerability in Net::DNS In-Reply-To: <468BC257.5000201@ecs.soton.ac.uk> References: <468BB75C.9000506@USherbrooke.ca> <468BC257.5000201@ecs.soton.ac.uk> Message-ID: <20070705004527.GA1587@doctor.nl2k.ab.ca> On Wed, Jul 04, 2007 at 04:52:55PM +0100, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I have just updated my ClamAV+SpamAssassin package on > www.mailscanner.info to solve this vulnerability. > I would advise everyone to download and install the new version of this > package. > > Denis Beauchemin wrote: > > Hello all, > > > > I just read this: > > > > 07.27.36 CVE: CVE-2007-3377, CVE-2007-3409 > > Platform: Cross Platform > > Title: Perl Net::DNS Remote Multiple Vulnerabilities > > Description: The Perl Net::DNS module allows scripts written in Perl > > to perform DNS queries. The application is exposed to multiple issues. > > Perl Net::DNS module versions prior to 0.60. are affected. > > Ref: http://www.securityfocus.com/bid/24669 > > > > > > I just upgraded to 0.60, reloaded MS and everything is working fine. > > > > Denis > > > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! 
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > Comment: (pgp-secured) > Charset: UTF-8 > > wj8DBQFGi8JXEfZZRxQVtlQRAs/VAKCPeEtCTHQsW1+9VnHM5MRhQxA90gCeK/Id > zgKXq0MJu2yIDQ3Wn5Gy7mc= > =0BSq > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > Thank goodness for cpan as well. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at vivekmittal.org Thu Jul 5 03:08:06 2007 
From: mailscanner at vivekmittal.org (Vivek Mittal)
Date: Thu Jul 5 03:08:08 2007
Subject: Whitelist issue
In-Reply-To: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com>
References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com>
Message-ID: <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com>

Sorry, if some people receive this twice. I sent this yesterday and have not seen it show up in the list yet.

------------Previous message-----------------

Hi,

We have been using MailScanner for about 6 months now and it is working really well. We have seen that 70% of our incoming mail is spam and of that, 80% is classed as High Spam, so it is helping us filtering a large part of our mail.

In the last six months, we have noticed that even the mail classed as Low Spam is 99.99% spam. The 0.01% that is not spam is due to documents scanned and emailed from our printer. We have tried to whitelist the address, but it does not work. I hope someone can help in determining the cause.

My spam.whitelist.rules file contains the following entries

From: *@*.abc.com yes
From: *@*.xyz.com.au yes

where xyz.com.au is our firm. Now, emails from abc.com are whitelisted, but emails from our printer (printer@xyz.com.au) are not. Below is a sample header as stored in the Mailscanner archives (with some stuff modified)

V8
T1170549349
K0
N0
P170442
Fbs
$_mx05.syd.isp.net.au [210.41.30.235]
$rESMTP
$smx05.syd.isp.net.au
${daemon_flags}
${if_addr}10.1.10.10
S<>
rRFC822; vivek@xyz.com.au
RPFD:
H?P?Return-Path: <~Ag>
H??Received: from mx05.syd.isp.net.au (mx05.syd.isp.net.au [210.41.30.235])
        by ap.xyz.com.au (8.13.4/8.13.4) with ESMTP id l140Znb5009886
        for ; Sun, 4 Feb 2007 11:35:49 +1100
H?D?Date: Sun, 4 Feb 2007 11:35:49 +1100
H??Received: from 114.090.dsl.mel.isp.net.au ([211.26.244.114])
        by mx05.syd.isp.net.au with SMTP; 04 Feb 2007 11:34:12 +1100
H??X-IronPort-AV: i="4.13,277,1167570000"; d="pdf'?scan'208"; a="29083045:sNHT433197450"
H??From: "XYZ PTY LTD"
H??To:
H??Subject: 2feb
H??Message-ID: <24331418>
H??MIME-Version: 1.0
H??Content-Type: multipart/mixed; boundary="__59453boundry__"

When looking at the source of the delivered message, you can see

X_XYZ_MAILSCANNER_INFORMATION='Please contact the ISP for more information',X_XYZ_MAILSCANNER='Found to be clean',X_XYZ_MAILSCANNER_SPAMCHECK='spam, SpamAssassin (not cached,\tscore=7.37, required 6, AWL -0.09, HELO_DYNAMIC_HCC 3.28,\tINVALID_MSGID 1.71, MSGID_SHORT 2.46), X_XYZ_MAILSCANNER_SPAMSCORE='7',X_XYZ_MAILSCANNER_FROM='',X_SPAM_STATUS='Yes'

When comparing the header with emails from abc.com, they just say

X_XYZ_MAILSCANNER_SPAMCHECK='not spam (whitelisted),\tSpamAssassin (not cached, score=-2.454, required 6,\tautolearn=not spam, ADVANCE_FEE_1 0.00, ALL_TRUSTED -1.44, AWL -1.15,\tHTML_MESSAGE 0.00, MPART_ALT_DIFF 0.14)

So there must either be something wrong with my whitelists file or something that is completely non-obvious to me. I searched for others with similar problems and the only one that I found was to change

From: *@xyz.com.au yes

to

From: *@*.xyz.com.au yes

but that has not worked either. I hope someone can help.

Regards,
Vivek

From seamus at rheelweb.co.nz Thu Jul 5 04:17:05 2007
From: seamus at rheelweb.co.nz (Seamus Allan)
Date: Thu Jul 5 04:17:11 2007
Subject: Postfix Address Verification
In-Reply-To: <223f97700707041533v35800e35of42185fbf62573af@mail.gmail.com>
References: <6a5b3338ddca144790b0da740700adfc@solidstatelogic.com> <468C1453.8050102@rheelweb.co.nz> <223f97700707041533v35800e35of42185fbf62573af@mail.gmail.com>
Message-ID: <468C62B1.3090606@rheelweb.co.nz>

Mail from the internet hits the "Gateway" machine with MailScanner and postfix. The clean mail is then forwarded to the "Hub" machine, running windows and Mail Enable Enterprise.

What was happening is that bulk mailers were targeting abcd@domain.com, and a bunch of this was getting through the Gateway as all it knew about was the domains that it was allowed to forward, and where to send them (transport map pointing to the Hub machine). The Hub machine was replying 550 mailbox does not exist, and so the Gateway was trying to send bounce messages back to a non existent mailbox where the spam originated from.

So, as per documentation (on the MailScanner docs, Postfix website), I set up verification on the Gatekeeper machine, such that when a mail comes in, postfix looks in the transport map, then queries the Hub machine as to whether the mailbox exists or not. Then the Gateway machine can reject the mail "at the door" (solving bandwidth, load and bounce issues).

This worked pretty much OK, until I realised that mail was not being delivered for some (a lot as it turned out) of domains. A look in the maillog was showing that mail to these domains was being rejected by the Gatekeeper (presumably the verification mechanism) with a 400 error of Domain Not Found (as in previous log entries that have been posted). I suspected at first that the Hub machine was blocking access, but nothing in the logs indicate this (on either machine).

So I'm a bit lost

Hope this helps someone help me,

Cheers
Seamus

>>
> Thing is, I'm still not too clear on which postfix is telling you
> this.... "external" or "internal"... Am slightly "muddled" ATM, but
> ... does both recognize that they are to handle that particular
> domain? And it's users? How did you set the verification up on both of
> them?
> I might be completely "muddled", so please set me straight:-)
>
> Cheers

From ram at netcore.co.in Thu Jul 5 06:47:58 2007
From: ram at netcore.co.in (ram)
Date: Thu Jul 5 06:48:13 2007
Subject: Whitelist issue
In-Reply-To: <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com>
References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com>
Message-ID: <1183614478.7215.32.camel@localhost.localdomain>

On Thu, 2007-07-05 at 12:08 +1000, Vivek Mittal wrote:
> Sorry, if some people receive this twice. I sent this yesterday and
> have not seen it show up in the list yet.
>
> ------------Previous message-----------------
>
> Hi,
>
> We have been using MailScanner for about 6 months now and it is
> working really well. We have seen that 70% of our incoming mail is
> spam and of that, 80% is classed as High Spam, so it is helping us
> filtering a large part of our mail.
>
> In the last six months, we have noticed that even the mail classed as
> Low Spam is 99.99% spam. The 0.01% that is not spam is due to
> documents scanned and emailed from our printer. We have tried to
> whitelist the address, but it does not work. I hope someone can help
> in determining the cause.
>
> My spam.whitelist.rules file contains the following entries
>
> From: *@*.abc.com yes
> From: *@*.xyz.com.au yes
>
> where xyz.com.au is our firm. Now, emails from abc.com are
> whitelisted, but emails from our printer (printer@xyz.com.au) are not.
> Below is a sample header as stored in the Mailscanner archives (with
> some stuff modified)
>

As a general practice you should not whitelist your own domain. Unless you have ways of preventing people forging your domain at the MTA ( like SPF )

Do you have in MailScanner.conf
---
Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
---
Is whitelisting intermittently failing or failing every time?

Thanks
Ram

From R.Sterenborg at netsourcing.nl Thu Jul 5 07:34:24 2007
From: R.Sterenborg at netsourcing.nl (Rob Sterenborg)
Date: Thu Jul 5 07:35:10 2007
Subject: Postfix Address Verification
In-Reply-To: <468C62B1.3090606@rheelweb.co.nz>
References: <6a5b3338ddca144790b0da740700adfc@solidstatelogic.com> <468C1453.8050102@rheelweb.co.nz><223f97700707041533v35800e35of42185fbf62573af@mail.gmail.com> <468C62B1.3090606@rheelweb.co.nz>
Message-ID: <74ACEB3E6A055643A89B8CEC74C7BF2488E0BE@WISENT.dcyb.net>

> Mail from the internet hits the "Gateway" machine with
> MailScanner and postfix. The clean mail is then forwarded to the
> "Hub" machine, running windows and Mail Enable Enterprise.

[...]

> So, as per documentation (on the MailScanner docs, Postfix
> website), I set up verification on the Gatekeeper machine, such
> that when a mail comes in, postfix looks in the transport map,

I didn't see this in the doc, so I'm not sure if you did this..

If your Postfix is a relay for your Windows mailserver, Postfix *must* know which domains to relay for. Typically, you configure Postfix for this using the relay_domains parameter which holds either all relay domains or points to a file/db that holds the relay domains.
relay_domains should *only* contain relay domains, and mydestination should -of course- *not* contain any relay domains.
See: man 5 postconf.

> then queries the Hub machine as to whether the mailbox exists or
> not. Then the Gateway machine can reject the mail "at the door"
> (solving bandwidth, load and bounce issues).

Personally, I think you shouldn't bother your Windows mailserver with address verification.
I know nothing of Mail Enable Enterprise, but perhaps you can, like with Exchange, export a list of all known email addresses using some script (perhaps LDAP?), reformat this list into something postmap can use to create the hash file or put it in a database, and configure Postfix to query that list/db using relay_recipient_maps.

That way you may not have all email addresses at any given time but if generating the email address list isn't generating too much load you can schedule the script to run more frequently so you won't run far behind.
This all depends on your needs however.
The positive side on this is that when you get flooded with email, at least the Windows servers don't get DOS-ed with verification requests so your corporate/internal email doesn't suffer from it.

Grts,
Rob

From minduni at ti-edu.ch Thu Jul 5 09:33:51 2007
From: minduni at ti-edu.ch (Marco Induni)
Date: Thu Jul 5 09:33:53 2007
Subject: Filename rule question
In-Reply-To: <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com>
References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com>
Message-ID: <468CACEF.30202@ti-edu.ch>

Glenn Steen wrote:
> On 04/07/07, Marco Induni wrote:
> (snip)
>> Hi Gleen,

Sorry, for the mistake :-(

> Go easy on the "e"s;-)
>> unfortunately, the file is correct, I added the -- for indent on the mail
>> only, but it looks like a field.
>> Also as you said this error (and even the lost TAB) are caught by the
>> --lint option.
>
> Yeah, wouldn't it be nice if it was some easy typo... Too much to hope
> for, I guess:-).
>
>> > Also, you should pay extra attention to whether it is filename or
>> > filetype rules kicking in (in the logs... Perhaps you have MailWatch?
>> > Makes things ... easier to see:-).
>>
>> Uhm, I don't have Mailwatch installed, but in the log I can't see the
>> rules involved. I had to activate some flag, or there are special logs ?
>> The rules appear to be correct when I tested via the "MailScanner
>> --value=filenamerules ...."
>
> No, nothing special, MailWatch just highlights things and makes them
> obvious (like when you think you have one envelope sender, and in
> reality you don't... you have some other...)... In that vein, did you
> do the tests by telnet (so that you have complete control of the SMTP
> conversation) or ... some other thing?
> Perhaps there is some other rule, like a whitelist for the local host
> or domain, kicking in _before_ the rule you try out? If you supply a
> --ip=... you can test that too...
> Would be great if this was something easily explicable... I'm running
> out of ideas:-).

Also tried with ip, and from different "external" account as gmail,... Nope

>
>>
>> > I always try to make filenames and filetypes functionally equivalent:).
>> > Paying attention to one's logs is never wrong anyway, so ... you
>> > wouldn't have any log snippets to look at, for a relevant test run?
>> >
>> > When you send these messages, or indeed any messages sent to you, if
>> > the mail has more recipients than one... then the rules applicable to
>> > the first recipient will "win" for all of them... So you might need
>> > split messages/recipient (look in the wiki how to do this... At least
>> > Postfix and Sendmail can do this for you), to be sure what rules will
>> > trigger for a specific message/recipient combination.
>>
>> Good point, but in my test I'm the only recipient
> Hm, another good pint down the drain:-).
>
>> >
>> > Cheers
>>
>> Grazie (Thank you)
>>
> Thank me when we get to the bottom of this...:-).
> I wonder if the file isn't a bit suspect anyway... If you change it to
> deny/\..*$/--
> ... does that make a difference? If you make some specific deny rules?
> And perhaps some "specific but the other way around" in the default
> file?
> We're missing something here....:)
>
> Cheers

Also tried to use the sample rule filename.rules.conf directly setting the "Filename Rules = %etc-dir%/filename.rules.conf, but nothing.

At the end I made one of the two mailgateway reachable just for me, and set the Mailscanner in debug mode.
This is the output when I send an email:

>>>>>
Ignore errors about failing to find EOCD signature
format error: file is too short
 at /usr/sbin/MailScanner line 832
Stopping now as you are debugging me.
>>>>>

At the line 832 seems to be the attachment extraction

831 $0 = 'MailScanner: extracting attachments';
832 $batch->Explode();

Could be that for some reason this step fails, and then all the rules tied to the file attachment are skipped ?

In case I'm using

- Mailscanner 4.61.7
- Red Hat Enterprise Linux AS release 3 (Taroon Update 9)
- Linux 2.4.21-50.EL
- Perl 5.8.0
- Spamassassin 3.1.9

Hope this could be a hint

Cheers
marco

--
Marco Induni
Universita` della Svizzera italiana
Servizi informatici / TI-EDU
Galleria 2
CH-6928 Manno (Switzerland)
E-mail: minduni@ti-edu.ch
Tel: +41 58 666 6656
Fax: +41 58 666 6650

From glenn.steen at gmail.com Thu Jul 5 10:55:03 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Jul 5 10:55:05 2007
Subject: Whitelist issue
In-Reply-To: <1183614478.7215.32.camel@localhost.localdomain>
References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain>
Message-ID: <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com>

Cc ram, whitelisting one's own should be done by way of IP address. Be specific for the printer, or your network.

On 05/07/07, ram wrote:
> On Thu, 2007-07-05 at 12:08 +1000, Vivek Mittal wrote:
> > Sorry, if some people receive this twice. I sent this yesterday and
> > have not seen it show up in the list yet.
> >
> > ------------Previous message-----------------
> >
> > Hi,
> >
> > We have been using MailScanner for about 6 months now and it is
> > working really well. We have seen that 70% of our incoming mail is
> > spam and of that, 80% is classed as High Spam, so it is helping us
> > filtering a large part of our mail.
> >
> > In the last six months, we have noticed that even the mail classed as
> > Low Spam is 99.99% spam. The 0.01% that is not spam is due to
> > documents scanned and emailed from our printer. We have tried to
> > whitelist the address, but it does not work. I hope someone can help
> > in determining the cause.
> >
> > My spam.whitelist.rules file contains the following entries
> >
> > From: *@*.abc.com yes
> > From: *@*.xyz.com.au yes
> >
> > where xyz.com.au is our firm. Now, emails from abc.com are
> > whitelisted, but emails from our printer (printer@xyz.com.au) are not.
> > Below is a sample header as stored in the Mailscanner archives (with
> > some stuff modified)
> >
>
> As a general practice you should not whitelist your own domain. Unless
> you have ways of preventing people forging your domain at the MTA ( like
> SPF )
>
> Do you have in MailScanner.conf
> ---
> Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
> ---
> Is whitelisting intermittently failing or failing every time?
>
> Thanks
> Ram
>
>
>
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From res at ausics.net Thu Jul 5 11:15:17 2007
From: res at ausics.net (Res) Date: Thu Jul 5 11:15:27 2007 Subject: Whitelist issue In-Reply-To: <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain> <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message On Thu, 5 Jul 2007, Glenn Steen wrote: > Cc ram, whitelisting ones own should be done by way of IP address. Be > specific for the printer, or your network. Furthermore, to be a good netizen, the whitelist should be from your IP range TO your domain, and scan from your users to everyone else. Everybody who blanket whitelists their own users only passes the problem on to the recipient networks and contribute to the world wide spam problem rather than be part of its elimination. -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGjMS1sWhAmSIQh7MRArAZAKCPjgaoN50BMXkRa1QlpZONW6/sdACdGmnM noZbwxaMQfr6Zh+Sh+vIMEk= =1dlR -----END PGP SIGNATURE----- From glenn.steen at gmail.com Thu Jul 5 11:44:24 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jul 5 11:44:26 2007 Subject: Whitelist issue In-Reply-To: References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain> <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> Message-ID: <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com> On 05/07/07, Res wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > NotDashEscaped: You need GnuPG to verify this message > > On Thu, 5 Jul 2007, Glenn Steen wrote: > > > Cc ram, whitelisting ones own should be done by way of IP address. Be > > specific for the printer, or your network. > > Furthermore, to be a good netizen, the whitelist should be from your IP > range TO your domain, and scan from your users to everyone else. > > Everybody who blanket whitelists their own users only passes the problem > on to the recipient networks and contribute to the world wide spam problem > rather than be part of its elimination. > > Oh yes, Noel, quite correct (as mostly.... still saving up for those postmix "doubts", you rendmauling evil bunny;-)... One can always justify this by the benefit to ones own domain(s)... It only take one rouge that you W/L to get you (rightly) listed...:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Jul 5 11:49:37 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jul 5 11:49:40 2007 Subject: Filename rule question In-Reply-To: <468CACEF.30202@ti-edu.ch> References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> <468CACEF.30202@ti-edu.ch> Message-ID: <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> On 05/07/07, Marco Induni wrote: (snip) > Also tried to use the sample rule filename.rules.conf directly setting > the "Filename Rules = %etc-dir%/filename.rules.conf, but nothing. > > At the end I made one of the two mailgateway reacheble just for me, and > set the Mailscanner in debug mode. > This the output when a send an email: > > >>>>> > Ignore errors about failing to find EOCD signature > format error: file is too short > at /usr/sbin/MailScanner line 832 > Stopping now as you are debugging me. > >>>>> > > At the line 832 seems to be the attachment extraction > > 831 $0 = 'MailScanner: extracting attachments'; > 832 $batch->Explode(); Normally you'd see the EOCD error from that line, which is safe to ignore.... This though, I've mostly seen when the attachments really have been damaged (bad MIME)... You don't have any "pre-filters" that could confuse things, do you? > Could be that for some reason this step fail, and then all the rules > tied to the file attachemnet are skipped ? > > In case i'm using > > - Mailscanner 4.61.7 > - Red Hat Enterprise Linux AS release 3 (Taroon Update 9) > - Linux 2.4.21-50.EL > - Perl 5.8.0 > - Spamassassin 3.1.9 Could you give a "MailScanner -V" too? Just in case you have a bum perl module or so:-). 
> > Hope this could be an hint > > Cheers > marco > > > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Jul 5 11:51:39 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jul 5 11:51:42 2007 Subject: Postfix Address Verification In-Reply-To: <74ACEB3E6A055643A89B8CEC74C7BF2488E0BE@WISENT.dcyb.net> References: <6a5b3338ddca144790b0da740700adfc@solidstatelogic.com> <468C1453.8050102@rheelweb.co.nz> <223f97700707041533v35800e35of42185fbf62573af@mail.gmail.com> <468C62B1.3090606@rheelweb.co.nz> <74ACEB3E6A055643A89B8CEC74C7BF2488E0BE@WISENT.dcyb.net> Message-ID: <223f97700707050351t47635e2bx92642bc19f4e1d0f@mail.gmail.com> On 05/07/07, Rob Sterenborg wrote: > > Mail from the internet hits the "Gateway" machine with > > MailScanner and postfix. The clean mail is then forwarded to the > > "Hub" machine, running windows and Mail Enable Enterprise. > > [...] > > > So, as per documentation (on the MailScanner docs, Postfix > > website), I set up verification on the Gatekeeper machine, such > > that when a mail comes in, postfix looks in the transport map, > > I didn't see this in the doc, so I'm not sure if you did this.. > > If your Postfix is a relay for your Windows mailserver, Postfix *must* > know which domains to relay for. Typically, you configure Postfix for > this using the relay_domains parameter which holds either all relay > domains or points to a file/db that holds the relay domains. > relay_domains should *only* contain relay domains, and mydestination > should -of course- *not* contain any relay domains. > See: man 5 postconf. > > > then queries the Hub machine as to whether the mailbox exists or > > now. Then the Gateway machine can reject the mail "at the door" > > (solving bandwidth, load and bounce issues). > > Personally, I think you shouldn't bother your Windows mailserver with > address verification. 
> I know nothing of Mail Enable Enterprise, but perhaps you can, like with > Exchange, export a list of all know email addresses using some script > (perhaps LDAP?), reformat this list into something postmap can use to > create the hash file or put it in a database, and configure Postfix to > query that list/db using relay_recipient_maps. > > That way you may not have all email addresses at any given time but if > generating the email address list isn't generating too much load you can > schedule the script to run more frequently so you won't run far behind. > This all depends on your needs however. > The positive side on this is that when you get flooded with email, at > least the Windows servers don't get DOS-ed with verification requests so > your corporate/internal email doesn't suffer from it. > > > Grts, > Rob Thanks Rob for chipping in.... this was exactly what I was leaning towards, both the doubt about the relay_domains and the suggestion to offload the work to PF itself. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From uxbod at splatnix.net Thu Jul 5 11:55:27 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Thu Jul 5 11:55:52 2007 Subject: Postfix Address Verification In-Reply-To: <223f97700707050351t47635e2bx92642bc19f4e1d0f@mail.gmail.com> References: <223f97700707050351t47635e2bx92642bc19f4e1d0f@mail.gmail.com> Message-ID: <39cfb74fe9648f00fc2e7054d4fbe547@62.49.223.244> I do the same for a client who runs Lotus Notes. Hourly dump from LDAP of all users email addresses and then postmap it. We have cut down email to the internal Notes servers from ?150k per day to 5k, through a combination of PF and MailScanner. On Thu, 5 Jul 2007 12:51:39 +0200, "Glenn Steen" wrote: > On 05/07/07, Rob Sterenborg wrote: >> > Mail from the internet hits the "Gateway" machine with >> > MailScanner and postfix. The clean mail is then forwarded to the >> > "Hub" machine, running windows and Mail Enable Enterprise. >> >> [...] >> >> > So, as per documentation (on the MailScanner docs, Postfix >> > website), I set up verification on the Gatekeeper machine, such >> > that when a mail comes in, postfix looks in the transport map, >> >> I didn't see this in the doc, so I'm not sure if you did this.. >> >> If your Postfix is a relay for your Windows mailserver, Postfix *must* >> know which domains to relay for. Typically, you configure Postfix for >> this using the relay_domains parameter which holds either all relay >> domains or points to a file/db that holds the relay domains. >> relay_domains should *only* contain relay domains, and mydestination >> should -of course- *not* contain any relay domains. >> See: man 5 postconf. >> >> > then queries the Hub machine as to whether the mailbox exists or >> > now. Then the Gateway machine can reject the mail "at the door" >> > (solving bandwidth, load and bounce issues). >> >> Personally, I think you shouldn't bother your Windows mailserver with >> address verification. 
>> I know nothing of Mail Enable Enterprise, but perhaps you can, like with >> Exchange, export a list of all know email addresses using some script >> (perhaps LDAP?), reformat this list into something postmap can use to >> create the hash file or put it in a database, and configure Postfix to >> query that list/db using relay_recipient_maps. >> >> That way you may not have all email addresses at any given time but if >> generating the email address list isn't generating too much load you can >> schedule the script to run more frequently so you won't run far behind. >> This all depends on your needs however. >> The positive side on this is that when you get flooded with email, at >> least the Windows servers don't get DOS-ed with verification requests so >> your corporate/internal email doesn't suffer from it. >> >> >> Grts, >> Rob > > Thanks Rob for chipping in.... this was exactly what I was leaning > towards, both the doubt about the relay_domains and the suggestion to > offload the work to PF itself. > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. -- --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Thu Jul 5 12:06:36 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jul 5 12:06:38 2007 Subject: Postfix Address Verification In-Reply-To: <39cfb74fe9648f00fc2e7054d4fbe547@62.49.223.244> References: <223f97700707050351t47635e2bx92642bc19f4e1d0f@mail.gmail.com> <39cfb74fe9648f00fc2e7054d4fbe547@62.49.223.244> Message-ID: <223f97700707050406q1b118b42o1d96f6cb3024ac57@mail.gmail.com> On 05/07/07, --[ UxBoD ]-- wrote: > I do the same for a client who runs Lotus Notes. Hourly dump from LDAP of > all users email addresses and then postmap it. We have cut down email to > the internal Notes servers from ?150k per day to 5k, through a combination > of PF and MailScanner. > Yeah Phil, I do that myself too, although I dump (a not that big) AD every 15 minutes, so that I don't have to rely on the M-Sexchange admin to do the right thing... Saves me job as well as him:-). In my case I only reduce total volume (by that particular measure) by about 25% though... Total rejected fluctuating between 35 - 50%... Call me lucky:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mailscanner at vivekmittal.org Thu Jul 5 12:08:40 2007 
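The scheduled "dump the directory, then postmap it" approach described in this thread, sketched as an added example; it is not code from any of the posters. The LDIF attribute names (`mail`, `proxyAddresses`), the sample export, the file path and the minimum-entry threshold are assumptions; `relay_domains` and `relay_recipient_maps` are the Postfix parameters named in the thread.

```python
import os
import re
import tempfile

# Constructed LDIF-style export (not from the thread). Attribute names are
# assumptions: "mail" plus AD-style "proxyAddresses: smtp:..." aliases.
SAMPLE_LDIF = """\
dn: cn=Alice,ou=Staff,dc=example,dc=com
mail: Alice@Example.com
proxyAddresses: SMTP:alice@example.com
proxyAddresses: smtp:a.smith@example.com
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Smith;

dn: cn=Printer,ou=Devices,dc=example,dc=com
mail: printer@example.com

dn: cn=Partner,ou=Contacts,dc=example,dc=com
mail: someone@partner.example.net

dn: cn=Broken,ou=Staff,dc=example,dc=com
mail: not an address
"""

ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def extract_recipients(ldif_text, relay_domains):
    """Return sorted, de-duplicated, lower-cased addresses inside relay_domains."""
    found = set()
    for line in ldif_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "proxyaddresses":
            scheme, _, value = value.partition(":")
            if scheme.lower() != "smtp":
                continue              # skip X400 and other non-SMTP aliases
        elif key != "mail":
            continue
        value = value.lower()
        if not ADDR_RE.match(value):
            continue                  # malformed entry, never publish it
        if value.rsplit("@", 1)[1] in relay_domains:
            found.add(value)          # contacts in foreign domains are dropped
    return sorted(found)


def write_map(addresses, path, min_entries):
    """Atomically replace the postmap source file.

    An empty or truncated export would make the gateway reject valid
    recipients, so the old file is kept unless min_entries addresses exist.
    """
    if len(addresses) < min_entries:
        raise ValueError(
            "only %d addresses exported, expected at least %d; keeping old map"
            % (len(addresses), min_entries))
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".relay_recipients.")
    try:
        with os.fdopen(fd, "w") as out:
            for addr in addresses:
                out.write(addr + "\tOK\n")   # lookup key, then any value
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)                # atomic rename on one filesystem
    except BaseException:
        os.unlink(tmp)
        raise
    return len(addresses)


if __name__ == "__main__":
    recipients = extract_recipients(SAMPLE_LDIF, {"example.com"})
    target = os.path.join(tempfile.mkdtemp(), "relay_recipients")
    print(write_map(recipients, target, min_entries=2), "entries ->", target)
    # On the gateway (paths are assumptions), after writing the file:
    #   postmap /etc/postfix/relay_recipients
    # main.cf:
    #   relay_domains = example.com
    #   relay_recipient_maps = hash:/etc/postfix/relay_recipients
```

The minimum-entry check matters for a job run every 15 minutes or every hour: a failed directory query must not replace a good recipient list with an empty one.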
From: mailscanner at vivekmittal.org (Vivek Mittal) Date: Thu Jul 5 12:08:42 2007 Subject: Whitelist issue In-Reply-To: <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com> References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain> <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com> Message-ID: <733d6ede0707050408p3daaa5abyef8d008250cba45@mail.gmail.com> This is going a bit off-topic from getting whitelisting to work in the first place. However, I am interested in know more about how whitelisting your own domain can get you listed. The way we are using MailScanner is to scan all incoming email. I have set up our mail server to accept emails to our domain only and not to relay anything else. I'm pretty sure that our server is not an open relay. So how does whitelisting the domain affect this? On 7/5/07, Glenn Steen wrote: > On 05/07/07, Res wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > NotDashEscaped: You need GnuPG to verify this message > > > > On Thu, 5 Jul 2007, Glenn Steen wrote: > > > > > Cc ram, whitelisting ones own should be done by way of IP address. Be > > > specific for the printer, or your network. > > > > Furthermore, to be a good netizen, the whitelist should be from your IP > > range TO your domain, and scan from your users to everyone else. > > > > Everybody who blanket whitelists their own users only passes the problem > > on to the recipient networks and contribute to the world wide spam problem > > rather than be part of its elimination. > > > > > Oh yes, Noel, quite correct (as mostly.... still saving up for those > postmix "doubts", you rendmauling evil bunny;-)... One can always > justify this by the benefit to ones own domain(s)... 
It only take one > rouge that you W/L to get you (rightly) listed...:-) > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From jayesha_shinde at yahoo.com Thu Jul 5 12:41:36 2007 From: jayesha_shinde at yahoo.com (jayesh shinde) Date: Thu Jul 5 12:41:38 2007 Subject: filename extension problem Message-ID: <644743.83240.qm@web54403.mail.yahoo.com> Dear All, I have one query , I am using MailScanner version 4.34.8 on FC2 with sendmail. Some of my users are sending there email with an attachments with double or multiple extention ( Ex:-- my.com.location.doc) When it goes through MailScanner for scanning attachment , it give me the following error as :-- ##### At Fri Jun 29 18:00:56 2007 the virus scanner said: MailScanner: Attempt to hide real filename extension (my.com.location.doc) ###### My queries are :-- 1) Is there any way to by pass above such multiple extension mail through MailScanner. If yes then where should i define this ruleset & how to write this rule for single user. 2) If i bypass the above such multiple extension attachment , will it affect the block extention list ( define under /etc/MailScanner/filename.rules.conf ) Thanks & Regards Jayesh Shinde --------------------------------- Sick sense of humor? Visit Yahoo! TV's Comedy with an Edge to see what's on, when. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070705/50ba9f54/attachment.html From minduni at ti-edu.ch Thu Jul 5 12:55:15 2007 
From: minduni at ti-edu.ch (Marco Induni) Date: Thu Jul 5 12:55:18 2007 Subject: Filename rule question In-Reply-To: <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> <468CACEF.30202@ti-edu.ch> <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> Message-ID: <468CDC23.7000500@ti-edu.ch> Glenn Steen wrote: > On 05/07/07, Marco Induni wrote: > (snip) >> Also tried to use the sample rule filename.rules.conf directly setting >> the "Filename Rules = %etc-dir%/filename.rules.conf, but nothing. >> >> At the end I made one of the two mailgateway reacheble just for me, and >> set the Mailscanner in debug mode. >> This the output when a send an email: >> >> >>>>> >> Ignore errors about failing to find EOCD signature >> format error: file is too short >> at /usr/sbin/MailScanner line 832 >> Stopping now as you are debugging me. >> >>>>> >> >> At the line 832 seems to be the attachment extraction >> >> 831 $0 = 'MailScanner: extracting attachments'; >> 832 $batch->Explode(); > Normally you'd see the EOCD error from that line, which is safe to > ignore.... This though, I've mostly seen when the attachments really > have been damaged (bad MIME)... You don't have any "pre-filters" that > could confuse things, do you? Glenn, I'm not sure of the meaning of "pre-filters", but we do just Antivirus and + Spamassasin. > >> Could be that for some reason this step fail, and then all the rules >> tied to the file attachemnet are skipped ? >> >> In case i'm using >> >> - Mailscanner 4.61.7 >> - Red Hat Enterprise Linux AS release 3 (Taroon Update 9) >> - Linux 2.4.21-50.EL >> - Perl 5.8.0 >> - Spamassassin 3.1.9 > > Could you give a "MailScanner -V" too? 
Just in case you have a bum > perl module or so:-). > Here the output of MailScanner -V Running on Linux mg1.ti-edu.ch 2.4.21-47.0.1.ELsmp #1 SMP Fri Oct 13 17:56:20 EDT 2006 i686 i686 i386 GNU/Linux This is Red Hat Enterprise Linux AS release 3 (Taroon Update 9) This is Perl version 5.008000 (5.8.0) This is MailScanner version 4.61.7 Module versions are: 1.00 AnyDBM_File 1.16 Archive::Zip 1.01 Carp 1.119 Convert::BinHex 1.00 DirHandle 1.04 Fcntl 2.71 File::Basename 2.05 File::Copy 2.01 FileHandle 1.05 File::Path 0.13 File::Temp 0.90 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.23 IO 1.14 IO::File 1.13 IO::Pipe 1.77 Mail::Header 1.86 Math::BigInt 3.05 MIME::Base64 5.420 MIME::Decoder 5.420 MIME::Decoder::UU 5.420 MIME::Head 5.420 MIME::Parser 3.03 MIME::QuotedPrint 5.420 MIME::Tools 0.11 Net::CIDR 1.05 POSIX 1.09 Scalar::Util 1.75 Socket 1.4 Sys::Hostname::Long 0.18 Sys::Syslog 1.9707 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.29 Archive::Tar 0.21 bignum missing Business::ISBN missing Business::ISBN::Data 0.17 Convert::TNEF missing Data::Dump 1.815 DB_File 1.13 DBD::SQLite 1.56 DBI 1.15 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.11 Digest::SHA1 missing Encode::Detect missing Error missing ExtUtils::CBuilder missing ExtUtils::ParseXS missing Inline 1.08 IO::String 1.04 IO::Zlib 2.23 IP::Country missing Mail::ClamAV 3.001009 Mail::SpamAssassin missing Mail::SPF 1.999001 Mail::SPF::Query 0.19 Math::BigRat missing Module::Build 0.20 Net::CIDR::Lite 0.60 Net::DNS missing Net::DNS::Resolver::Programmable missing Net::LDAP missing NetAddr::IP missing Parse::RecDescent missing SAVI 2.26 Test::Harness missing Test::Manifest 1.89 Text::Balanced 1.35 URI missing version missing YAML Cheers >> >> Hope this could be an hint >> >> Cheers >> marco >> >> >> > > Cheers -- Marco Induni Universita` della Svizzera italiana Servizi informatici / TI-EDU Galleria 2 CH-6928 Manno (Switzerland) E-mail: minduni@ti-edu.ch Tel: +41 58 666 
6656 Fax: +41 58 666 6650

From list-mailscanner at linguaphone.com Thu Jul 5 13:04:34 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Thu Jul 5 13:04:46 2007
Subject: filename extension problem
In-Reply-To: <644743.83240.qm@web54403.mail.yahoo.com>
References: <644743.83240.qm@web54403.mail.yahoo.com>
Message-ID: <1183637074.17314.15.camel@gblades-suse.linguaphone-intranet.co.uk>

On Thu, 2007-07-05 at 12:41, jayesh shinde wrote:
> Dear All,
> I have one query, I am using MailScanner version
> 4.34.8 on FC2 with sendmail. Some of my users are sending their email
> with attachments with double or multiple extension ( Ex:--
> my.com.location.doc)
> When it goes through MailScanner for scanning
> attachment, it gives me the following error as :--
>
> #####
> At Fri Jun 29 18:00:56 2007 the virus scanner said:
> MailScanner: Attempt to hide real filename extension
> (my.com.location.doc)
> ######

filename.rules.conf contains this line :-

# Deny all other double file extensions. This catches any hidden filenames.
deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension

This blocks any filename ending with a two or 3 character extension followed by a 3 character extension. I can't see how this would block the specific example you gave though. I am not running the very latest version of mailscanner though so perhaps yours has been updated.

> My queries are :--
> 1) Is there any way to bypass above such multiple extension mail
> through MailScanner. If yes then where should I define this ruleset &
> how to write this rule for
> single user.

Just remove the section in the file mentioned above.

> 2) If I bypass the above such multiple extension attachment, will it
> affect the block extension list ( defined under
> /etc/MailScanner/filename.rules.conf )

From hvdkooij at vanderkooij.org Thu Jul 5 13:06:06 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Jul 5 13:07:12 2007 Subject: Whitelist issue In-Reply-To: <733d6ede0707050408p3daaa5abyef8d008250cba45@mail.gmail.com> References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain> <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com> <733d6ede0707050408p3daaa5abyef8d008250cba45@mail.gmail.com> Message-ID: On Thu, 5 Jul 2007, Vivek Mittal wrote: > This is going a bit off-topic from getting whitelisting to work in the > first place. However, I am interested in know more about how > whitelisting your own domain can get you listed. The way we are using > MailScanner is to scan all incoming email. I have set up our mail > server to accept emails to our domain only and not to relay anything > else. I'm pretty sure that our server is not an open relay. So how > does whitelisting the domain affect this? If you are a corporate network and have reasonable security in place I guess not. But if you are an evil bunny working for an ISP with thousands of DSL subscribers you are in quite a different situation. And part of my job is cleaning out corporate networks after the got hosed by malware. So even corporate networks can get themselves blacklisted. Hugo. PS: A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From hvdkooij at vanderkooij.org Thu Jul 5 13:19:29 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Jul 5 13:20:30 2007
Subject: filename extension problem
In-Reply-To: <644743.83240.qm@web54403.mail.yahoo.com>
References: <644743.83240.qm@web54403.mail.yahoo.com>
Message-ID:

On Thu, 5 Jul 2007, jayesh shinde wrote:
> 1) Is there any way to bypass above such multiple extension mail through MailScanner. If yes then where should I define this ruleset & how to write this rule for
> single user.

Use another filename.rules.conf file and disable (comment) the line. Then use a rule file to determine who uses which filename.rules.conf file.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From MailScanner at ecs.soton.ac.uk Thu Jul 5 10:35:40 2007
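The double-extension rule quoted in this thread and the per-user rule file suggested above, modelled as an added example; this is not MailScanner's own code. First-match-wins evaluation, case-insensitive matching and allow-by-default are assumptions about how filename.rules.conf is applied, and every rule, address and file name other than the quoted deny pattern is constructed.

```python
import re

# Pattern quoted in the thread (the stock double-extension rule).
DOUBLE_EXT = r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$"

# Constructed rule files in filename.rules.conf layout:
#   action <TAB> regex <TAB> log text <TAB> user report text
STANDARD_RULES = (
    "# constructed example rule\n"
    "deny\t\\.exe$\tExecutable\tExecutables are not allowed\n"
    "deny\t" + DOUBLE_EXT + "\tFound possible filename hiding\t"
    "Attempt to hide real filename extension\n"
)
# Second file with only the double-extension line commented out.
RELAXED_RULES = STANDARD_RULES.replace("deny\t" + DOUBLE_EXT,
                                       "#deny\t" + DOUBLE_EXT)

# Constructed stand-in for a ruleset that picks a rule file per recipient,
# for example (paths and address are hypothetical):
#   To:       jayesh@example.com  /etc/MailScanner/filename.rules.relaxed.conf
#   FromOrTo: default             /etc/MailScanner/filename.rules.conf
RULESET = [("jayesh@example.com", "relaxed"), ("default", "standard")]


def parse_rules(text):
    """Parse tab-separated rule lines, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, pattern, log_text, report = line.split("\t")
        rules.append((action, re.compile(pattern, re.IGNORECASE), log_text, report))
    return rules


FILES = {"standard": parse_rules(STANDARD_RULES),
         "relaxed": parse_rules(RELAXED_RULES)}


def rules_for(recipient):
    """Return the name of the rule file that applies to this recipient."""
    for pattern, name in RULESET:
        if pattern == "default" or pattern == recipient.lower():
            return name
    return "standard"


def check(filename, rules):
    """First matching rule decides; no match means the attachment is allowed."""
    for action, regex, _log_text, report in rules:
        if regex.search(filename):
            return action, report
    return "allow", ""


if __name__ == "__main__":
    names = ["my.com.location.doc",   # name from the thread
             "report.doc.pdf",        # 3-char + 3-char extension
             "photo.JPEG.scr",        # 4-char + 3-char, upper case
             "archive.tar.gz",        # last extension is only 2 chars
             "invoice.pdf.exe"]       # caught by the separate .exe rule
    for rcpt in ("jayesh@example.com", "someone.else@example.com"):
        which = rules_for(rcpt)
        for name in names:
            print(rcpt, which, name, check(name, FILES[which]))
```

Run against the relaxed file, `invoice.pdf.exe` is still denied by the separate `.exe` rule, which is the behaviour the second question in the thread asks about.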
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 5 13:43:07 2007 Subject: Whitelist issue In-Reply-To: <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> Message-ID: <468CBB6C.3080608@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vivek Mittal wrote: > Sorry, if some people receive this twice. I sent this yesterday and > have not seen it show up in the list yet. > > ------------Previous message----------------- > > Hi, > > We have been using MailScanner for about 6 months now and it is > working really well. We have seen that 70% of our incoming mail is > spam and of that, 80% is classed as High Spam, so it is helping us > filtering a large part of our mail. > > In the last six months, we have noticed that even the mail classed as > Low Spam is 99.99% spam. The 0.01% that is not spam is due to > documents scanned and emailed from our printer. We have tried to > whitelist the address, but it does not work. I hope someone can help > in determining the cause. > > My spam.whitelist.rules file contains the following entries > > From: *@*.abc.com yes 
> From: *@*.xyz.com.au yes > > where xyz.com.au is our firm. Now, emails from abc.com are > whitelisted, but emails from our printer (printer@xyz.com.au) are not. > Below is a sample header as stored in the Mailscanner archives (with > some stuff modified) You need to whitelist *@xyz.com.au and not *@*.xyz.com.au as that won't match your printer's email address. > > V8 > T1170549349 > K0 > N0 > P170442 > Fbs > $_mx05.syd.isp.net.au [210.41.30.235] > $rESMTP > $smx05.syd.isp.net.au > ${daemon_flags} > ${if_addr}10.1.10.10 > S<> > rRFC822; vivek@xyz.com.au > RPFD: > H?P?Return-Path: <~Ag> > H??Received: from mx05.syd.isp.net.au (mx05.syd.isp.net.au > [210.41.30.235]) > by ap.xyz.com.au (8.13.4/8.13.4) with ESMTP id l140Znb5009886 > for ; Sun, 4 Feb 2007 11:35:49 +1100 > H?D?Date: Sun, 4 Feb 2007 11:35:49 +1100 > H??Received: from 114.090.dsl.mel.isp.net.au ([211.26.244.114]) > by mx05.syd.isp.net.au with SMTP; 04 Feb 2007 11:34:12 +1100 > H??X-IronPort-AV: i="4.13,277,1167570000"; > d="pdf'?scan'208"; a="29083045:sNHT433197450" > H??From: "XYZ PTY LTD" > H??To: > H??Subject: 2feb > H??Message-ID: <24331418> > H??MIME-Version: 1.0 > H??Content-Type: multipart/mixed; > boundary="__59453boundry__" > > When looking at the source of the delivered message, you can see > > X_XYZ_MAILSCANNER_INFORMATION='Please contact the ISP for more > information',X_XYZ_MAILSCANNER='Found to be > clean',X_XYZ_MAILSCANNER_SPAMCHECK='spam, SpamAssassin (not > cached,\tscore=7.37, required 6, AWL -0.09, HELO_DYNAMIC_HCC > 3.28,\tINVALID_MSGID 1.71, MSGID_SHORT 2.46), > X_XYZ_MAILSCANNER_SPAMSCORE='7',X_XYZ_MAILSCANNER_FROM='',X_SPAM_STATUS='Yes' > > > When comparing the header with email froms abc.com, they just say > X_XYZ_MAILSCANNER_SPAMCHECK='not spam (whitelisted),\tSpamAssassin > (not cached, score=-2.454, required 6,\tautolearn=not spam, > ADVANCE_FEE_1 0.00, ALL_TRUSTED -1.44, AWL -1.15,\tHTML_MESSAGE 0.00, > MPART_ALT_DIFF 0.14) > > So there must either be something wrong with my 
whitelists file or > something that is completely non-obvious to me. > > I searched for others with similar problems and the only one that I > found was to change > From: *@xyz.com.au yes > > to > > From: *@*.xyz.com.au yes > > but that has not worked either. > > I hope someone can help. > > Regards, > Vivek Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGjLttEfZZRxQVtlQRAqntAJ9Tu4EUfamTLv+R5g6d8vszU74HhwCgxmC0 dn0MmHAKypMHILHsQxklPos= =S1OE -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From glenn.steen at gmail.com Thu Jul 5 14:42:40 2007 
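The wildcard behaviour explained in the reply above, together with the whitelist-by-IP advice given earlier in the thread, as an added example; it is a simplified model, not MailScanner's matching code. It assumes `*` matches any run of characters, the whole address must match, and the first matching rule wins; the IP rule, the network and the sample deliveries are constructed.

```python
import ipaddress
import re

# Rule sets in spam.whitelist.rules layout. The first is the one posted in
# the thread; the other two are constructed variants for comparison.
RULES_AS_POSTED = "From: *@*.abc.com yes\nFrom: *@*.xyz.com.au yes\n"
RULES_BARE_DOMAIN = "From: *@xyz.com.au yes\n"
RULES_BY_IP = "From: 10.1.10.0/24 yes\n"      # constructed internal network


def address_pattern_to_regex(pattern):
    """'*' becomes '.*'; everything else, including '.', is literal."""
    escaped = re.escape(pattern).replace(r"\*", ".*")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def parse_rules(text):
    """Parse 'From: <address pattern or network> yes|no' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split()
        if direction.lower() != "from:":
            continue
        if "@" in pattern:
            matcher = ("addr", address_pattern_to_regex(pattern))
        else:
            matcher = ("net", ipaddress.ip_network(pattern, strict=False))
        rules.append(matcher + (value.lower() == "yes",))
    return rules


def is_whitelisted(sender, client_ip, rules):
    """Return the value of the first rule matching the sender or client IP."""
    ip = ipaddress.ip_address(client_ip)
    for kind, matcher, value in rules:
        if kind == "addr" and matcher.match(sender):
            return value
        if kind == "net" and ip in matcher:
            return value
    return False


# Constructed deliveries: (sender address, connecting IP).
PRINTER = ("printer@xyz.com.au", "10.1.10.20")
FORGED = ("printer@xyz.com.au", "203.0.113.7")     # outside host, same sender
SUBDOMAIN = ("scanner@print.xyz.com.au", "10.1.10.21")


def verdicts(rule_text):
    """Whitelist decision for PRINTER, FORGED and SUBDOMAIN, in that order."""
    rules = parse_rules(rule_text)
    return [is_whitelisted(sender, ip, rules)
            for sender, ip in (PRINTER, FORGED, SUBDOMAIN)]


if __name__ == "__main__":
    for label, text in (("as posted", RULES_AS_POSTED),
                        ("bare domain", RULES_BARE_DOMAIN),
                        ("by IP", RULES_BY_IP)):
        print("%-12s printer=%s forged=%s subdomain=%s"
              % ((label,) + tuple(verdicts(text))))
```

`*@*.xyz.com.au` requires a literal dot in front of `xyz`, so it only covers subdomains; the bare-domain rule fixes the printer but also whitelists any message that merely claims that sender, while the IP rule does not.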
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jul 5 14:42:42 2007 Subject: Whitelist issue In-Reply-To: References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain> <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com> <733d6ede0707050408p3daaa5abyef8d008250cba45@mail.gmail.com> Message-ID: <223f97700707050642q609c34d6k2136baac48a90a3e@mail.gmail.com> On 05/07/07, Hugo van der Kooij wrote: > On Thu, 5 Jul 2007, Vivek Mittal wrote: > > > This is going a bit off-topic from getting whitelisting to work in the > > first place. However, I am interested in know more about how > > whitelisting your own domain can get you listed. The way we are using > > MailScanner is to scan all incoming email. I have set up our mail > > server to accept emails to our domain only and not to relay anything > > else. I'm pretty sure that our server is not an open relay. So how > > does whitelisting the domain affect this? > > If you are a corporate network and have reasonable security in place I > guess not. > > But if you are an evil bunny working for an ISP with thousands of DSL > subscribers you are in quite a different situation. > > And part of my job is cleaning out corporate networks after the got hosed > by malware. So even corporate networks can get themselves blacklisted. Definitely. Even if you are a strict corporate shop, there is little to no benefit avoiding outbound scanning. Thing is to be in charge;). . . Else someone else will be. Now, as to the problem. . . Whitelisting by IP neatly solve the initial problem without exposing one to easily spoof-able things:). > Hugo. > > PS: > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? 
> > -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > This message is using 100% recycled electrons. > > Some men see computers as they are and say "Windows" > I use computers with Linux and say "Why Windows?" > (Thanks JFK, for the insight.) > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mrm at quantumcc.com Thu Jul 5 17:44:25 2007 From: mrm at quantumcc.com (Mike Masse) Date: Thu Jul 5 17:44:36 2007 Subject: New support for clamd In-Reply-To: <468A9333.1040702@i-centrix.com> References: <468A9333.1040702@i-centrix.com> Message-ID: I recently updated our servers to clamd as well and have noticed a huge drop in cpu utilization. Thanks!! Mike Ryan Lane wrote: > The new support for clamd is most excellent! I run a fairly busy > server, and the processing times are significantly better. I just > implemented the change this morning, and I immediately saw the benefit. > The load on the server is considerably better too. Down from an almost > constant 1.00+ load average to 0.20 Thanks for the great work, and > continual improvements. > > -Ryan From cparker at swatgear.com Thu Jul 5 18:13:19 2007 
From: cparker at swatgear.com (Chris W. Parker)
Date: Thu Jul 5 18:13:22 2007
Subject: SpamAssassin is constantly timing out
References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local><468955F8.1090701@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com><97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local> <468AA237.3070404@ecs.soton.ac.uk>
Message-ID: <97FD54B5E57A1842AA1A4B232E4761178EEA55@ati-ex-02.ati.local>

On Tuesday, July 03, 2007 12:24 PM Julian Field said:

> That's the problem then. Type this and then rerun the ./install.sh
> script. mount -o remount,exec /tmp

Thanks Julian.

How about "File checker /usr/bin/file timed out!" ? This doesn't happen often (three times yesterday [the 4th]). Is it normal?

Chris.

From MailScanner at ecs.soton.ac.uk Thu Jul 5 18:11:28 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 5 18:14:54 2007 Subject: New support for clamd In-Reply-To: References: <468A9333.1040702@i-centrix.com> Message-ID: <468D2640.5090304@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 What were you using before? Mike Masse wrote: > I recently updated our servers to clamd as well and have noticed a > huge drop in cpu utilization. Thanks!! > > Mike > > > > Ryan Lane wrote: >> The new support for clamd is most excellent! I run a fairly busy >> server, and the processing times are significantly better. I just >> implemented the change this morning, and I immediately saw the >> benefit. The load on the server is considerably better too. Down >> from an almost constant 1.00+ load average to 0.20 Thanks for the >> great work, and continual improvements. >> >> -Ryan > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGjSZBEfZZRxQVtlQRAhDCAJ9GVl60daJzY57NuvRCez1eoJqkNwCgps36 BPxiv8tOKUK4/DCFW20gR4U= =Q7oD -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Thu Jul 5 18:30:06 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 5 18:33:19 2007 Subject: SpamAssassin is constantly timing out In-Reply-To: <97FD54B5E57A1842AA1A4B232E4761178EEA55@ati-ex-02.ati.local> References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local><468955F8.1090701@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com><97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local> <468AA237.3070404@ecs.soton.ac.uk> <97FD54B5E57A1842AA1A4B232E4761178EEA55@ati-ex-02.ati.local> Message-ID: <468D2A9E.30801@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chris W. Parker wrote: > On Tuesday, July 03, 2007 12:24 PM Julian Field said: > > >> That's the problem then. Type this and then rerun the ./install.sh >> script. mount -o remount,exec /tmp >> > > Thanks Julian. > > How about "File checker /usr/bin/file timed out!" ? This doesn't happen > often (three times yesterday [the 4th]). Is it normal? > I've never known "file" time out before. It really shouldn't happen. Is your server particularly over-loaded or anything like that which would make it run extremely slowly? Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGjSqkEfZZRxQVtlQRArGGAJ0ZYaBVOBxGufh2OeQpC9FUHXsfiACgibuG VJApYcIu+AWqu3OskFdKfDE= =EC3D -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From jan-peter at koopmann.eu Thu Jul 5 18:43:46 2007 
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Thu Jul 5 18:43:11 2007
Subject: SpamAssassin is constantly timing out
In-Reply-To:
References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local><468955F8.1090701@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com><97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local> <468AA237.3070404@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E4761178EEA55@ati-ex-02.ati.local>
Message-ID:

Hi Jules,

funny thing is that at one site I have a similar problem. We see SA timeouts, sometimes 3 times a day, sometimes 10 times a day. I even see things like

Jul 3 12:39:56 proxy MailScanner[99745]: SpamAssassin timed out and was killed, failure 0 of 20

Failure 0 of 20??? :-)

The server is not overloaded, DNS is usually working quite fine. Timeout is set to 200 seconds. I have no clue what this could be and how I could debug this. I could use SA Logs for an entire day to see what happens. Any ideas how to debug this?

Regards,
JP

From MailScanner at ecs.soton.ac.uk Thu Jul 5 18:53:34 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 5 18:56:19 2007 Subject: SpamAssassin is constantly timing out In-Reply-To: References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local><468955F8.1090701@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com><97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local> <468AA237.3070404@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E4761178EEA55@ati-ex-02.ati.local> Message-ID: <468D301E.7070908@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Koopmann, Jan-Peter wrote: > Jul 3 12:39:56 proxy MailScanner[99745]: SpamAssassin timed out and was > killed, failure 0 of 20 > > Failure 0 of 20??? :-) > That bit of code clearly leaves a bit to be desired. I'll take a look this weekend and try to find the problem. Clearly something is off by 1. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGjTAfEfZZRxQVtlQRAppuAJ9TziE7hDkEpezXNBYqngMHW1aQywCgwVJP 2JQ2EiH16hm+VjBOqxspLPM= =UHKF -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From raymond at prolocation.net Thu Jul 5 19:07:01 2007 
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Thu Jul 5 19:06:59 2007
Subject: SpamAssassin is constantly timing out
In-Reply-To: <468D301E.7070908@ecs.soton.ac.uk>
References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local><468955F8.1090701@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com><97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local> <468AA237.3070404@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E4761178EEA55@ati-ex-02.ati.local> <468D301E.7070908@ecs.soton.ac.uk>
Message-ID:

Hi!

>> Failure 0 of 20??? :-)
> That bit of code clearly leaves a bit to be desired. I'll take a look
> this weekend and try to find the problem. Clearly something is off by 1.

If it helps I also get them ;)

Bye,
Raymond.

From stork at openenterprise.ca Thu Jul 5 19:42:02 2007
From: stork at openenterprise.ca (Johnny Stork)
Date: Thu Jul 5 19:42:13 2007
Subject: Mailscanner and Virtualmin
Message-ID: <468D3B7A.70503@openenterprise.ca>

I thought I would try out virtualmin to manage a few locally hosted sites but have noticed that within the VirtualMin interface in Webmin, on my gateway mail server running MailScanner, the "Start Mailserver" and "Start Dovecot" buttons are crossed out indicating that VM does not appear to "see" mailscanner? Does anyone have any experience setting up VM on a machine running Mailscanner?

From ssilva at sgvwater.com Thu Jul 5 20:05:11 2007
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Jul 5 20:05:23 2007 Subject: Ping In-Reply-To: <223f97700707041525t21a3ef46h19854aab47bb06b9@mail.gmail.com> References: <200707041913.l64JD1D1013544@safir.blacknight.ie> <468BF2B3.9000603@slackadelic.com> <468BF440.9000009@ecs.soton.ac.uk> <223f97700707041525t21a3ef46h19854aab47bb06b9@mail.gmail.com> Message-ID: Glenn Steen spake the following on 7/4/2007 3:25 PM: > On 04/07/07, Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> Matt Hayes wrote: >> > Jules wrote: >> >> Not at all sure the list is working, so I'm doing this one by hand. >> > >> > It's working Jules. >> Phew. We went over 3 hours without a single posting, that's almost >> unheard of :-) > > I'm doing something Hugo wouldn't approve of (but you would, I know, > since it's a nice red:-)... And I'm on vacation, al right... :-D > In just 2 and 1/2 weeks all will be back to the normal noise > level....:-):-) > Seriously though.... If it's quiet... either more people than me are > vacationing, or there are very few problems right now;). > >> > >> > -Matt >> > >> > >> >> Jules >> > Cheers Also a holiday in the US. So if the quietness covered that point in time when this hemisphere is "reveling" and the other hemisphere is trying to get a little sleep, then ..... -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From itdept at fractalweb.com Thu Jul 5 21:14:07 2007 
From: itdept at fractalweb.com (Chris Yuzik)
Date: Thu Jul 5 21:14:31 2007
Subject: Mailscanner and Virtualmin
In-Reply-To: <468D3B7A.70503@openenterprise.ca>
References: <468D3B7A.70503@openenterprise.ca>
Message-ID: <468D510F.6090106@fractalweb.com>

Johnny Stork wrote:
> I thought I would try out virtualmin to manage a few locally hosted
> sites but have noticed that within the VirtualMin interface in Webmin,
> on my gateway mail server running MailScanner, the "Start Mailserver"
> and "Start Dovecot" buttons are crossed out indicating that VM does not
> appear to "see" mailscanner? Does anyone have any experience setting up
> VM on a machine running Mailscanner?
>
We've played around with Virtualmin, and it's fine with MailScanner, although it doesn't seem to "see" MailScanner and does think that the mail server is down. Aside from that, everything is okay.

From glenn.steen at gmail.com Thu Jul 5 21:16:18 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Jul 5 21:16:20 2007
Subject: Filename rule question
In-Reply-To: <468CDC23.7000500@ti-edu.ch>
References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> <468CACEF.30202@ti-edu.ch> <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> <468CDC23.7000500@ti-edu.ch>
Message-ID: <223f97700707051316y462cffd5ka6ce8064d614350f@mail.gmail.com>

On 05/07/07, Marco Induni wrote:
> Glenn Steen wrote:
> > On 05/07/07, Marco Induni wrote:
> > (snip)
> >> Also tried to use the sample rule filename.rules.conf directly setting
> >> the "Filename Rules = %etc-dir%/filename.rules.conf, but nothing.
> >>
> >> At the end I made one of the two mailgateway reachable just for me, and
> >> set the Mailscanner in debug mode.
> >> This is the output when I send an email:
> >>
> >> >>>>>
> >> Ignore errors about failing to find EOCD signature
> >> format error: file is too short
> >> at /usr/sbin/MailScanner line 832
> >> Stopping now as you are debugging me.
> >> >>>>>
> >>
> >> At the line 832 seems to be the attachment extraction
> >>
> >> 831 $0 = 'MailScanner: extracting attachments';
> >> 832 $batch->Explode();
> > Normally you'd see the EOCD error from that line, which is safe to
> > ignore.... This though, I've mostly seen when the attachments really
> > have been damaged (bad MIME)... You don't have any "pre-filters" that
> > could confuse things, do you?
>
> Glenn,
> I'm not sure of the meaning of "pre-filters", but we do just Antivirus
> and + SpamAssassin.

Just fishing for any other software to blame:-)... Like a milter... That would happen before MailScanner can get a hold of it...

> >> Could be that for some reason this step fails, and then all the rules
> >> tied to the file attachment are skipped ?
> >>
> >> In case I'm using
> >>
> >> - Mailscanner 4.61.7
> >> - Red Hat Enterprise Linux AS release 3 (Taroon Update 9)
> >> - Linux 2.4.21-50.EL
> >> - Perl 5.8.0
> >> - Spamassassin 3.1.9
> >
> > Could you give a "MailScanner -V" too? Just in case you have a bum
> > perl module or so:-).
> >
> Here the output of MailScanner -V
>
> Running on
> Linux mg1.ti-edu.ch 2.4.21-47.0.1.ELsmp #1 SMP Fri Oct 13 17:56:20 EDT
> 2006 i686
> i686 i386 GNU/Linux
> This is Red Hat Enterprise Linux AS release 3 (Taroon Update 9)
> This is Perl version 5.008000 (5.8.0)
>
> This is MailScanner version 4.61.7
> Module versions are:
> 1.00 AnyDBM_File
> 1.16 Archive::Zip
> 1.01 Carp
> 1.119 Convert::BinHex
> 1.00 DirHandle
> 1.04 Fcntl
> 2.71 File::Basename
> 2.05 File::Copy
> 2.01 FileHandle
> 1.05 File::Path
> 0.13 File::Temp
> 0.90 Filesys::Df
> 1.35 HTML::Entities
> 3.56 HTML::Parser
> 2.37 HTML::TokeParser
> 1.23 IO
> 1.14 IO::File
> 1.13 IO::Pipe
> 1.77 Mail::Header
> 1.86 Math::BigInt
> 3.05 MIME::Base64
> 5.420 MIME::Decoder
> 5.420 MIME::Decoder::UU
> 5.420 MIME::Head
> 5.420 MIME::Parser
> 3.03 MIME::QuotedPrint
> 5.420 MIME::Tools
> 0.11 Net::CIDR
> 1.05 POSIX
> 1.09 Scalar::Util
> 1.75 Socket
> 1.4 Sys::Hostname::Long
> 0.18 Sys::Syslog
> 1.9707 Time::HiRes
> 1.02 Time::localtime
>
> Optional module versions are:
> 1.29 Archive::Tar
> 0.21 bignum
> missing Business::ISBN
> missing Business::ISBN::Data
> 0.17 Convert::TNEF
> missing Data::Dump
> 1.815 DB_File
> 1.13 DBD::SQLite
> 1.56 DBI
> 1.15 Digest
> 1.01 Digest::HMAC
> 2.36 Digest::MD5
> 2.11 Digest::SHA1
> missing Encode::Detect
> missing Error
> missing ExtUtils::CBuilder
> missing ExtUtils::ParseXS
> missing Inline
> 1.08 IO::String
> 1.04 IO::Zlib
> 2.23 IP::Country
> missing Mail::ClamAV
> 3.001009 Mail::SpamAssassin
> missing Mail::SPF
> 1.999001 Mail::SPF::Query
> 0.19 Math::BigRat
> missing Module::Build
> 0.20 Net::CIDR::Lite
> 0.60 Net::DNS
> missing Net::DNS::Resolver::Programmable
> missing Net::LDAP
> missing NetAddr::IP
> missing Parse::RecDescent
> missing SAVI
> 2.26 Test::Harness
> missing Test::Manifest
> 1.89 Text::Balanced
> 1.35 URI
> missing version
> missing YAML
>
>
To my tired eyes that doesn't look that bad... More's the pity... Seems you don't install SA and Clamav by way of Jules easy package (or else a lot more of the optional modules would be there)... Hm... One could start installing those, of course, but I don't see them having an effect. You did say that restoring the default filename/filetype rules files and reloading/restarting MailScanner didn't have any effect either? Most strange.

How did you install the MIME::* packages? Via jules installer or via distro or CPAN?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From res at ausics.net Thu Jul 5 21:40:06 2007
From: res at ausics.net (Res)
Date: Thu Jul 5 21:40:18 2007
Subject: Whitelist issue
In-Reply-To: <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com>
References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain> <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com>
Message-ID:

On Thu, 5 Jul 2007, Glenn Steen wrote:

> Oh yes, Noel, quite correct (as mostly.... still saving up for those
> postmix "doubts", you rendmauling evil bunny;-)... One can always
> justify this by the benefit to one's own domain(s)... It only takes one
> rogue that you W/L to get you (rightly) listed...:-)

Indeed, nasty for private enterprise, more so for telcos

--
Cheers
Res

From seamus at rheelweb.co.nz Thu Jul 5 21:51:20 2007
From: seamus at rheelweb.co.nz (Seamus Allan) Date: Thu Jul 5 21:51:32 2007 Subject: Postfix Address Verification In-Reply-To: <223f97700707050406q1b118b42o1d96f6cb3024ac57@mail.gmail.com> References: <223f97700707050351t47635e2bx92642bc19f4e1d0f@mail.gmail.com> <39cfb74fe9648f00fc2e7054d4fbe547@62.49.223.244> <223f97700707050406q1b118b42o1d96f6cb3024ac57@mail.gmail.com> Message-ID: <468D59C8.3010500@rheelweb.co.nz> Hi Guys, of course I have relay_domains setup, or my mail wouldn't be transferring in the first place! I was hoping not to have to pull the email list from the Hub machine, but it seems that my problem is pretty weird. Thanks though. Seamus >> > Yeah Phil, I do that myself too, although I dump (a not that big) AD > every 15 minutes, so that I don't have to rely on the M-Sexchange > admin to do the right thing... Saves me job as well as him:-). In my > case I only reduce total volume (by that particular measure) by about > 25% though... Total rejected fluctuating between 35 - 50%... Call me > lucky:-). > > Cheers From itdept at fractalweb.com Thu Jul 5 23:11:50 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Thu Jul 5 23:12:13 2007 Subject: clamd configuration? In-Reply-To: <006301c7be4f$3c350530$0301a8c0@SAHOMELT> References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> <468B0B2E.8080201@fractalweb.com> <006301c7be4f$3c350530$0301a8c0@SAHOMELT> Message-ID: <468D6CA6.7010702@fractalweb.com> Rick, Sorry to hear of your family's loss. FWIW, after reading your message and finally tracking down the permissions Clamd was running under and specifying the same user/group info in MailScanner.conf, all is well. Haven't noticed a significant decrease in system load though. Thank you for all your help. Cheers, Chris From seamus at rheelweb.co.nz Thu Jul 5 23:58:58 2007 
From: seamus at rheelweb.co.nz (Seamus Allan) Date: Thu Jul 5 23:59:17 2007 Subject: Postfix Address Verification In-Reply-To: <468D59C8.3010500@rheelweb.co.nz> References: <223f97700707050351t47635e2bx92642bc19f4e1d0f@mail.gmail.com> <39cfb74fe9648f00fc2e7054d4fbe547@62.49.223.244> <223f97700707050406q1b118b42o1d96f6cb3024ac57@mail.gmail.com> <468D59C8.3010500@rheelweb.co.nz> Message-ID: <468D77B2.8020109@rheelweb.co.nz> Seamus Allan wrote: > Hi Guys, > > of course I have relay_domains setup, or my mail wouldn't be > transferring in the first place! I was hoping not to have to pull the > email list from the Hub machine, but it seems that my problem is > pretty weird. > > Thanks though. > > Seamus >>> >> Yeah Phil, I do that myself too, although I dump (a not that big) AD >> every 15 minutes, so that I don't have to rely on the M-Sexchange >> admin to do the right thing... Saves me job as well as him:-). In my >> case I only reduce total volume (by that particular measure) by about >> 25% though... Total rejected fluctuating between 35 - 50%... Call me >> lucky:-). >> >> Cheers Actually it occurred to me that this wouldn't work in full, because the mail for some of the domains that pass through the Gateway machine is destined for other mailservers in the world that I cannot pull the mailboxes from. So I do need to get the verification working correctly. I might have to try the Postfix forum or something. Cheers Seamus From cparker at swatgear.com Fri Jul 6 00:03:09 2007 
From: cparker at swatgear.com (Chris W. Parker) Date: Fri Jul 6 00:03:12 2007 Subject: SpamAssassin is constantly timing out References: <97FD54B5E57A1842AA1A4B232E47611773EBD2@ati-ex-02.ati.local><468955F8.1090701@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E47611773EBD4@ati-ex-02.ati.local> <625385e30707031154q6b6dab17ued473acc0afc860a@mail.gmail.com><97FD54B5E57A1842AA1A4B232E4761178EEA53@ati-ex-02.ati.local> <468AA237.3070404@ecs.soton.ac.uk><97FD54B5E57A1842AA1A4B232E4761178EEA55@ati-ex-02.ati.local> <468D2A9E.30801@ecs.soton.ac.uk> Message-ID: <97FD54B5E57A1842AA1A4B232E47611773EBD5@ati-ex-02.ati.local> On Thursday, July 05, 2007 10:30 AM Julian Field said: > I've never known "file" time out before. It really shouldn't happen. > Is your server particularly over-loaded or anything like that which > would make it run extremely slowly? It doesn't have a high load on average but it's possible that there are surges at different times during the day. The first column is usually between .5 and 1.5. Chris. From rcooper at dwford.com Fri Jul 6 04:00:36 2007 From: rcooper at dwford.com (Rick Cooper) Date: Fri Jul 6 04:00:40 2007 Subject: clamd configuration? In-Reply-To: <468D6CA6.7010702@fractalweb.com> References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> <468B0B2E.8080201@fractalweb.com><006301c7be4f$3c350530$0301a8c0@SAHOMELT> <468D6CA6.7010702@fractalweb.com> Message-ID: <02a601c7bf79$d3e77d60$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Chris Yuzik
> Sent: Thursday, July 05, 2007 6:12 PM
> To: MailScanner discussion
> Subject: Re: clamd configuration?
>
> Rick,
>
> Sorry to hear of your family's loss.

Thank you very much.

>
> FWIW, after reading your message and finally tracking down the
> permissions Clamd was running under and specifying the same
> user/group
> info in MailScanner.conf, all is well. Haven't noticed a significant
> decrease in system load though. Thank you for all your help.
>

I will have a patch out by next week to handle warning of permission errors. If you were using clamavmodule then I would think there wouldn't be much difference (except possibly larger batches where the threading and handling entire directories at once would help), the biggest difference (from clamavmodule) would be the memory consumption (significant). Now the load difference between clamscan and clamd is pretty large.

Rick

From rcooper at dwford.com Fri Jul 6 04:05:24 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Jul 6 04:05:32 2007
Subject: New config parameters
Message-ID: <02aa01c7bf7a$7fc794d0$0301a8c0@SAHOMELT>

I downloaded the latest stable today and noticed some changes in reference to changing the incoming work dir. The following seems like it should be a bit more detailed:

# NOTE: If you change this, you should change these too:
# NOTE: SpamAssassin Temporary Dir
# NOTE: SpamAssassin Cache Database File

If I place the SA temp dir and MailScanner incoming Work Dir on a tmpfs file system I wouldn't think I would want the SpamAssassin Cache DataBase placed there as well as it would be lost between system reboots would it not?

Rick

From res at ausics.net Fri Jul 6 05:44:15 2007
From: res at ausics.net (Res)
Date: Fri Jul 6 05:44:27 2007
Subject: New config parameters
In-Reply-To: <02aa01c7bf7a$7fc794d0$0301a8c0@SAHOMELT>
References: <02aa01c7bf7a$7fc794d0$0301a8c0@SAHOMELT>
Message-ID:

On Thu, 5 Jul 2007, Rick Cooper wrote:

> If I place the SA temp dir and MailScanner incoming Work Dir on a tmpfs file
> system I wouldn't think I would want the SpamAssassin Cache DataBase placed
> there as well as it would be lost between system reboots would it not?

Yes, but I've heard from the S.A folks that's not such a bad thing, unless you reboot every day that is. I've been using it on tmpfs for a long time.

--
Cheers
Res

From R.Sterenborg at netsourcing.nl Fri Jul 6 06:55:05 2007
From: R.Sterenborg at netsourcing.nl (Rob Sterenborg) Date: Fri Jul 6 07:04:31 2007 Subject: Postfix Address Verification In-Reply-To: <468D77B2.8020109@rheelweb.co.nz> References: <223f97700707050351t47635e2bx92642bc19f4e1d0f@mail.gmail.com> <39cfb74fe9648f00fc2e7054d4fbe547@62.49.223.244> <223f97700707050406q1b118b42o1d96f6cb3024ac57@mail.gmail.com><468D59C8.3010500@rheelweb.co.nz> <468D77B2.8020109@rheelweb.co.nz> Message-ID: <74ACEB3E6A055643A89B8CEC74C7BF2488E0C3@WISENT.dcyb.net> Seamus Allan wrote: > Seamus Allan wrote: >> Hi Guys, >> >> of course I have relay_domains setup, or my mail wouldn't be >> transferring in the first place! I was hoping not to have to pull the >> email list from the Hub machine, but it seems that my problem is >> pretty weird. Some email *would* be transferred and some *wouldn't* if your relay_domains table is setup but isn't complete. Since you're saying that email is not accepted for *some* domains (posting on june 28: "However, the next morning I came in to discover that some of the domains we host were not getting any email."), I'd say it was a valid thought. > Actually it occurred to me that this wouldn't work in full, because > the mail for some of the domains that pass through the Gateway machine > is destined for other mailservers in the world that I cannot pull the > mailboxes from. So I do need to get the verification working > correctly. I might have to try the Postfix forum or something. I think that's a more appropriate place for this challenge, indeed. ;-) Just a thought before going there: I didn't see much of your PF config on this list apart from some snippets (that doesn't automagically mean that I would be able to help you if you did post more of it). I can understand that and it is your good right not to show it but it's hard to support a config you don't fully know. 
When going to the Postfix list, be prepared to explain what you've already done and to post the (sanitized) output of postconf -n, maybe other (sanitized) information. The problem may be completely something else that we haven't thought of because the rest of the PF config is unknown to us. Some PF guru on that list will most likely want to see it to support you.

Grts,
Rob

From mailscanner at vivekmittal.org Fri Jul 6 07:34:48 2007
From: mailscanner at vivekmittal.org (Vivek Mittal)
Date: Fri Jul 6 07:34:50 2007
Subject: Whitelist issue
In-Reply-To:
References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain> <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com>
Message-ID: <733d6ede0707052334r5aa6224x215bf6d88632b88@mail.gmail.com>

I've tried setting it to @eblueprint.com.au as well as printer@eblueprint.com.au with no luck.

I did have a breakthrough today. I installed MailWatch with the hope of using its whitelisting feature to help with this. I sent a trial message from the printer and noticed that the from column is blank. The message headers are below. I can see a From: field there but it is not being picked up?! This looks more like a printer problem than a mailscanner one, but I need some sort of a solution to stop mailscanner marking these emails as spam.

Return-Path: < g>
Received: from mx06.syd.isp.net.au (mx06.syd.isp.net.au [210.50.76.235]) by app.xyz.com.au (8.13.4/8.13.4) with ESMTP id l666dcRf010593 for ; Fri, 6 Jul 2007 16:39:39 +1000
Date: Fri, 6 Jul 2007 16:39:38 +1000
X-IronPort-AV: E=Sophos;i="4.16,506,1175436000"; d="pdf'?scan'208";a="54928259"
Received: from 114.090.dsl.mel.isp.net.au ([211.26.244.114]) by smtp06.syd.isp.net.au with SMTP; 06 Jul 2007 16:24:07 +1000
From: "XYZ PTY LTD"
To:
Subject: Fax sent by : XYZ PTY LTD<>
Message-ID: <1104100900>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="__59453boundry__"

On 7/6/07, Res wrote:
> On Thu, 5 Jul 2007, Glenn Steen wrote:
>
> > Oh yes, Noel, quite correct (as mostly.... still saving up for those
> > postmix "doubts", you rendmauling evil bunny;-)... One can always
> > justify this by the benefit to one's own domain(s)... It only takes one
> > rogue that you W/L to get you (rightly) listed...:-)
>
> Indeed, nasty for private enterprise, more so for telcos
>
>
> --
> Cheers
> Res
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From leiw324 at yahoo.com.hk Fri Jul 6 07:48:07 2007
From: leiw324 at yahoo.com.hk (Wilson Kwok)
Date: Fri Jul 6 07:48:09 2007
Subject: Commercial scanner clamav timed out!
Message-ID: <290316.6797.qm@web54401.mail.yahoo.com>

Hello,

Environment: postfix-2.2.10-1.1.el4 + MailScanner-perl-MIME-Base64-3.05-5 + clamav-0.90.3-1.el4.rf + spamassassin-3.2.1-1.el4.rf

MailScanner always sent logs, can anyone help me?

Log here:

Jul 6 11:36:39 mailgateway MailScanner[20662]: Commercial scanner clamav timed out!
Jul 6 11:36:39 mailgateway MailScanner[20662]: clamav: Failed to complete, timed out
Jul 6 11:36:39 mailgateway MailScanner[20662]: Virus Scanning: Denial Of Service attack detected!
Jul 6 11:37:30 mailgateway MailScanner[20659]: Commercial scanner clamav timed out!
Jul 6 11:37:30 mailgateway MailScanner[20659]: clamav: Failed to complete, timed out
Jul 6 11:37:30 mailgateway MailScanner[20659]: Virus Scanning: Denial Of Service attack detected!
Jul 6 11:38:34 mailgateway MailScanner[20121]: Commercial scanner clamav timed out!
Jul 6 11:38:34 mailgateway MailScanner[20121]: clamav: Failed to complete, timed out
Jul 6 11:38:34 mailgateway MailScanner[20121]: Virus Scanning: Denial Of Service attack is in message 80B8741821F.81DD6
Jul 6 11:38:34 mailgateway MailScanner[20121]: Infected message 80B8741821F.81DD6 came from 200.86.17.36
Jul 6 11:39:44 mailgateway MailScanner[20428]: Commercial scanner clamav timed out!
Jul 6 11:39:44 mailgateway MailScanner[20428]: clamav: Failed to complete, timed out

From martinh at solidstatelogic.com Fri Jul 6 09:18:16 2007
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Fri Jul 6 09:18:26 2007 Subject: Commercial scanner clamav timed out! In-Reply-To: <290316.6797.qm@web54401.mail.yahoo.com> Message-ID: <39539ed9b640e64582f34f5e5ee68224@solidstatelogic.com> Wilson Have a look at the clamd.conf for timeout settings! -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Wilson Kwok > Sent: 06 July 2007 07:48 > To: mailscanner@lists.mailscanner.info > Subject: Commercial scanner clamav timed out! > > Hello, > > Environment: postfix-2.2.10-1.1.el4 + MailScanner-perl-MIME-Base64-3.05-5 > + clamav-0.90.3-1.el4.rf + spamassassin-3.2.1-1.el4.rf > > MailScanner always sent logs, can anyone help me ? > > > Log here: > > Jul 6 11:36:39 mailgateway MailScanner[20662]: Commercial scanner clamav > timed out! > Jul 6 11:36:39 mailgateway MailScanner[20662]: clamav: Failed to > complete, timed out > Jul 6 11:36:39 mailgateway MailScanner[20662]: Virus Scanning: Denial Of > Service attack detected! > Jul 6 11:37:30 mailgateway MailScanner[20659]: Commercial scanner clamav > timed out! > Jul 6 11:37:30 mailgateway MailScanner[20659]: clamav: Failed to > complete, timed out > Jul 6 11:37:30 mailgateway MailScanner[20659]: Virus Scanning: Denial Of > Service attack detected! > Jul 6 11:38:34 mailgateway MailScanner[20121]: Commercial scanner clamav > timed out! > Jul 6 11:38:34 mailgateway MailScanner[20121]: clamav: Failed to > complete, timed out > Jul 6 11:38:34 mailgateway MailScanner[20121]: Virus Scanning: Denial Of > Service attack is in message 80B8741821F.81DD6 > Jul 6 11:38:34 mailgateway MailScanner[20121]: Infected message > 80B8741821F.81DD6 came from 200.86.17.36 > Jul 6 11:39:44 mailgateway MailScanner[20428]: Commercial scanner clamav > timed out! 
> Jul 6 11:39:44 mailgateway MailScanner[20428]: clamav: Failed to
> complete, timed out

From raymond at prolocation.net Fri Jul 6 09:48:51 2007
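A triage pass over the log excerpt posted in the "Commercial scanner clamav timed out!" thread, as an added example (not code from MailScanner or from anyone on the list): it groups the scanner timeouts by worker PID, measures the spacing between them, and pulls out the message ID and source address that the log itself names. The function names and the year default (2007, taken from the message date, since syslog lines carry no year) are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines quoted from the post in this thread.
SAMPLE_LOG = """\
Jul 6 11:36:39 mailgateway MailScanner[20662]: Commercial scanner clamav timed out!
Jul 6 11:36:39 mailgateway MailScanner[20662]: clamav: Failed to complete, timed out
Jul 6 11:36:39 mailgateway MailScanner[20662]: Virus Scanning: Denial Of Service attack detected!
Jul 6 11:37:30 mailgateway MailScanner[20659]: Commercial scanner clamav timed out!
Jul 6 11:37:30 mailgateway MailScanner[20659]: clamav: Failed to complete, timed out
Jul 6 11:37:30 mailgateway MailScanner[20659]: Virus Scanning: Denial Of Service attack detected!
Jul 6 11:38:34 mailgateway MailScanner[20121]: Commercial scanner clamav timed out!
Jul 6 11:38:34 mailgateway MailScanner[20121]: clamav: Failed to complete, timed out
Jul 6 11:38:34 mailgateway MailScanner[20121]: Virus Scanning: Denial Of Service attack is in message 80B8741821F.81DD6
Jul 6 11:38:34 mailgateway MailScanner[20121]: Infected message 80B8741821F.81DD6 came from 200.86.17.36
Jul 6 11:39:44 mailgateway MailScanner[20428]: Commercial scanner clamav timed out!
Jul 6 11:39:44 mailgateway MailScanner[20428]: clamav: Failed to complete, timed out
"""

# syslog prefix: "Mon D HH:MM:SS host MailScanner[pid]: text"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"MailScanner\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
TIMEOUT_RE = re.compile(r"^Commercial scanner (?P<scanner>\S+) timed out!$")
BLAMED_RE = re.compile(r"Denial Of Service attack is in message (?P<id>\S+)$")
SOURCE_RE = re.compile(r"^Infected message (?P<id>\S+) came from (?P<ip>\S+)$")


def parse_line(line, year=2007):
    """Return (timestamp, pid, text) for a MailScanner syslog line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    stamp = " ".join(m["ts"].split())  # collapse syslog's space-padded day
    when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return when, int(m["pid"]), m["msg"]


def triage(log_text, year=2007):
    """Summarise scanner timeouts and the messages the log blames for them."""
    timeouts = []                 # (timestamp, pid, scanner name)
    blamed = defaultdict(set)     # message id -> worker PIDs that blamed it
    sources = {}                  # message id -> source IP from "came from"
    ignored = 0                   # lines that are not MailScanner entries
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        parsed = parse_line(raw, year)
        if parsed is None:
            ignored += 1
            continue
        when, pid, text = parsed
        hit = TIMEOUT_RE.match(text)
        if hit:
            timeouts.append((when, pid, hit["scanner"]))
            continue
        hit = BLAMED_RE.search(text)
        if hit:
            blamed[hit["id"]].add(pid)
            continue
        hit = SOURCE_RE.match(text)
        if hit:
            sources[hit["id"]] = hit["ip"]
    timeouts.sort()
    per_worker = defaultdict(int)
    for _, pid, _ in timeouts:
        per_worker[pid] += 1
    gaps = [int((b[0] - a[0]).total_seconds())
            for a, b in zip(timeouts, timeouts[1:])]
    return {
        "timeouts": len(timeouts),
        "scanners": sorted({name for _, _, name in timeouts}),
        "per_worker": dict(per_worker),
        "gaps_seconds": gaps,
        # "came from" is also logged for ordinary infections, so a source is
        # only reported for a message that a timeout line actually named.
        "blamed": {mid: {"workers": sorted(pids), "source": sources.get(mid)}
                   for mid, pids in blamed.items()},
        "ignored_lines": ignored,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the posted excerpt this reports four clamav timeouts on four different workers, 51 to 70 seconds apart, with a single message (80B8741821F.81DD6 from 200.86.17.36) named by the log.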
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Fri Jul 6 09:48:51 2007
Subject: New config parameters
In-Reply-To:
References: <02aa01c7bf7a$7fc794d0$0301a8c0@SAHOMELT>
Message-ID:

Hi!

>> If I place the SA temp dir and MailScanner incoming Work Dir on a tmpfs
>> file
>> system I wouldn't think I would want the SpamAssassin Cache DataBase placed
>> there as well as it would be lost between system reboots would it not?

> Yes, but I've heard from the S.A folks that's not such a bad thing, unless
> you reboot every day that is. I've been using it on tmpfs for a long time.

The cache database is something Julian made, not the SA people. It's not your bayes DBs, it's the caching system...

Bye,
Raymond.

From minduni at ti-edu.ch Fri Jul 6 10:21:58 2007
From: minduni at ti-edu.ch (Marco Induni) Date: Fri Jul 6 10:22:00 2007 Subject: Filename rule question In-Reply-To: <223f97700707051316y462cffd5ka6ce8064d614350f@mail.gmail.com> References: <468A6663.8010907@ti-edu.ch> <223f97700707031051y1b3f0fcci36cbea3b9c330d95@mail.gmail.com> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> <468CACEF.30202@ti-edu.ch> <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> <468CDC23.7000500@ti-edu.ch> <223f97700707051316y462cffd5ka6ce8064d614350f@mail.gmail.com> Message-ID: <468E09B6.10605@ti-edu.ch> Glenn Steen wrote: > On 05/07/07, Marco Induni wrote: >> Glenn Steen wrote: >> > On 05/07/07, Marco Induni wrote: >> > (snip) >> >> Also tried to use the sample rule filename.rules.conf directly setting >> >> the "Filename Rules = %etc-dir%/filename.rules.conf, but nothing. >> >> >> >> At the end I made one of the two mailgateway reacheble just for me, >> and >> >> set the Mailscanner in debug mode. >> >> This the output when a send an email: >> >> >> >> >>>>> >> >> Ignore errors about failing to find EOCD signature >> >> format error: file is too short >> >> at /usr/sbin/MailScanner line 832 >> >> Stopping now as you are debugging me. >> >> >>>>> >> >> >> >> At the line 832 seems to be the attachment extraction >> >> >> >> 831 $0 = 'MailScanner: extracting attachments'; >> >> 832 $batch->Explode(); >> > Normally you'd see the EOCD error from that line, which is safe to >> > ignore.... This though, I've mostly seen when the attachments really >> > have been damaged (bad MIME)... You don't have any "pre-filters" that >> > could confuse things, do you? >> >> Glenn, >> I'm not sure of the meaning of "pre-filters", but we do just Antivirus >> and + Spamassasin. > > Just fishing for any other software to blame:-)... Like a milter... > That would happen before MailScanner can get a hold of it... 
> Ah, I see. No any pre-filter so.
>> >> Could be that for some reason this step fail, and then all the rules
>> >> tied to the file attachment are skipped ?
>> >>
>> >> In case i'm using
>> >>
>> >> - Mailscanner 4.61.7
>> >> - Red Hat Enterprise Linux AS release 3 (Taroon Update 9)
>> >> - Linux 2.4.21-50.EL
>> >> - Perl 5.8.0
>> >> - Spamassassin 3.1.9
>> >
>> > Could you give a "MailScanner -V" too? Just in case you have a bum
>> > perl module or so:-).
>> >
>> Here the output of MailScanner -V
>>
>> Running on
>> Linux mg1.ti-edu.ch 2.4.21-47.0.1.ELsmp #1 SMP Fri Oct 13 17:56:20 EDT
>> 2006 i686
>> i686 i386 GNU/Linux
>> This is Red Hat Enterprise Linux AS release 3 (Taroon Update 9)
>> This is Perl version 5.008000 (5.8.0)
>>
>> This is MailScanner version 4.61.7
>> Module versions are:
>> 1.00 AnyDBM_File
>> 1.16 Archive::Zip
>> 1.01 Carp
>> 1.119 Convert::BinHex
>> 1.00 DirHandle
>> 1.04 Fcntl
>> 2.71 File::Basename
>> 2.05 File::Copy
>> 2.01 FileHandle
>> 1.05 File::Path
>> 0.13 File::Temp
>> 0.90 Filesys::Df
>> 1.35 HTML::Entities
>> 3.56 HTML::Parser
>> 2.37 HTML::TokeParser
>> 1.23 IO
>> 1.14 IO::File
>> 1.13 IO::Pipe
>> 1.77 Mail::Header
>> 1.86 Math::BigInt
>> 3.05 MIME::Base64
>> 5.420 MIME::Decoder
>> 5.420 MIME::Decoder::UU
>> 5.420 MIME::Head
>> 5.420 MIME::Parser
>> 3.03 MIME::QuotedPrint
>> 5.420 MIME::Tools
>> 0.11 Net::CIDR
>> 1.05 POSIX
>> 1.09 Scalar::Util
>> 1.75 Socket
>> 1.4 Sys::Hostname::Long
>> 0.18 Sys::Syslog
>> 1.9707 Time::HiRes
>> 1.02 Time::localtime
>>
>> Optional module versions are:
>> 1.29 Archive::Tar
>> 0.21 bignum
>> missing Business::ISBN
>> missing Business::ISBN::Data
>> 0.17 Convert::TNEF
>> missing Data::Dump
>> 1.815 DB_File
>> 1.13 DBD::SQLite
>> 1.56 DBI
>> 1.15 Digest
>> 1.01 Digest::HMAC
>> 2.36 Digest::MD5
>> 2.11 Digest::SHA1
>> missing Encode::Detect
>> missing Error
>> missing ExtUtils::CBuilder
>> missing ExtUtils::ParseXS
>> missing Inline
>> 1.08 IO::String
>> 1.04 IO::Zlib
>> 2.23 IP::Country
>> missing Mail::ClamAV
>> 3.001009 Mail::SpamAssassin
>> missing Mail::SPF
>> 1.999001 Mail::SPF::Query
>> 0.19 Math::BigRat
>> missing Module::Build
>> 0.20 Net::CIDR::Lite
>> 0.60 Net::DNS
>> missing Net::DNS::Resolver::Programmable
>> missing Net::LDAP
>> missing NetAddr::IP
>> missing Parse::RecDescent
>> missing SAVI
>> 2.26 Test::Harness
>> missing Test::Manifest
>> 1.89 Text::Balanced
>> 1.35 URI
>> missing version
>> missing YAML
>>
>>
> To my tired eyes that doesn't look that bad... More's the pity...
Hope now your eyes are better
> Seems you don't install SA and Clamav by way of Jules easy package (or
> else a lot more of the optional modules would be there)... Hm... One
> could start installing those, of course, but I don't see them having
> an effect.
In fact, we use uvscan(mcafee) and sometime clamav AV, but they are
installed apart (SA via CPAN / clamav make /make install)
> You did say that restoring the default filename/filetype
> rules files and reloading/restarting MailScanner didn't have any
> effect either? Most strange.
Yes, it is so.
> How did you install the MIME::* packages? Via jules installer or via
> distro or CPAN?
Via jules. I've installed the new version a couple of days ago.

Cheers
>
> Cheers

--
Marco Induni
Universita` della Svizzera italiana
Servizi informatici / TI-EDU
Galleria 2
CH-6928 Manno (Switzerland)
E-mail: minduni@ti-edu.ch
Tel: +41 58 666 6656
Fax: +41 58 666 6650

From j.ede at birchenallhowden.co.uk Fri Jul 6 10:41:37 2007
From: j.ede at birchenallhowden.co.uk (Jason Ede)
Date: Fri Jul 6 10:42:01 2007
Subject: clamd configuration?
In-Reply-To: <468B0B2E.8080201@fractalweb.com>
References: <468AAB5B.7010101@fractalweb.com> <468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com> <06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> <468B0B2E.8080201@fractalweb.com>
Message-ID:

I had the same problem with clamd missing the attached virus although all looks fine through the debug apart from the test viruses not being detected.

I've checked user and permission levels and all looks good as far as I can see...

I've gone back to using clamavmodule for now...

Oh, MailScanner is 4.61.7 and clamav is the 0.91rc2

Jason

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Chris Yuzik
Sent: 04 July 2007 03:51
To: MailScanner discussion
Subject: Re: clamd configuration?

Rick Cooper wrote:
> Please run MailScanner in debug mode, show what is output from the clamd
> section, and if possible the clamd.conf, remember that is where the clam
> daemon is getting its parameter. If MailScanner cannot reach clamd there
> will be alerts even if you are not in debug mode. Also note if you supply a
> path to the socket the port is not used. If you are not using unix sockets
> (/tmp/clamd or /tmp/clamd.sock, etc) then you should have an IP address
> (probably 127.0.0.1) for the socket address.

Rick,

Ok, here you go. I put MailScanner into debug mode, did a lint, plopped a message with the eicar test file into the inqueue, etc. Looks like clamd is called and the messages handed off, but it doesn't find the virus.

Chris

# MailScanner --lint
Read 777 hostnames from the phishing whitelist
Config: calling custom init function SQLBlacklist
Config: calling custom init function MailWatchLogging
Config: calling custom init function SQLWhitelist
Checking version numbers...
Version number in MailScanner.conf (4.61.7) is correct.

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
lock.pl sees Config LockType = posix
lock.pl sees have_module = 0
Using locktype = posix
Creating hardcoded struct_flock subroutine for linux (Linux-type)

MailScanner.conf says "Virus Scanners = clamd"
Debug Mode Is On
Use Threads : YES
IP : 127.0.0.1
Port : 3310
Lock File : NOT USED
Time Out : 300
Scan Dir : /var/spool/MailScanner/incoming/29637/ISITINSTALLED
Clamd : Sending PING
Clamd : GOT 'PONG'
ClamD is running
Found these virus scanners installed: clamavmodule, clamd

# service MailScanner start
Starting MailScanner daemons:
incoming sendmail: [ OK ]
outgoing sendmail: [ OK ]
MailScanner: In Debugging mode, not forking...
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Ignore errors about failing to find EOCD signature
Stopping now as you are debugging me.
[ OK ]
[root@devel MailScanner]# commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 138.
Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 138.

and

Jul 3 19:46:49 devel MailScanner[29319]: MailScanner E-Mail Virus Scanner version 4.61.7 starting...
Jul 3 19:46:49 devel MailScanner[29319]: Read 777 hostnames from the phishing whitelist
Jul 3 19:46:49 devel MailScanner[29319]: Config: calling custom init function SQLBlacklist
Jul 3 19:46:49 devel MailScanner[29319]: Starting up SQL Blacklist
Jul 3 19:46:49 devel MailScanner[29319]: Read 28 blacklist entries
Jul 3 19:46:49 devel MailScanner[29319]: Config: calling custom init function MailWatchLogging
Jul 3 19:46:49 devel MailScanner[29319]: Started SQL Logging child
Jul 3 19:46:49 devel MailScanner[29319]: Config: calling custom init function SQLWhitelist
Jul 3 19:46:49 devel MailScanner[29319]: Starting up SQL Whitelist
Jul 3 19:46:49 devel MailScanner[29319]: Read 18 whitelist entries
Jul 3 19:46:49 devel MailScanner[29319]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
Jul 3 19:46:50 devel MailScanner[29319]: Using SpamAssassin results cache
Jul 3 19:46:50 devel MailScanner[29319]: Connected to SpamAssassin cache database
Jul 3 19:46:50 devel MailScanner[29319]: Expired 2 records from the SpamAssassin cache
Jul 3 19:46:50 devel MailScanner[29319]: Enabling SpamAssassin auto-whitelist functionality...
Jul 3 19:46:52 devel MailScanner[29319]: lock.pl sees Config LockType = posix
Jul 3 19:46:52 devel MailScanner[29319]: lock.pl sees have_module = 0
Jul 3 19:46:52 devel MailScanner[29319]: Using locktype = posix
Jul 3 19:46:52 devel MailScanner[29319]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Jul 3 19:46:52 devel MailScanner[29319]: New Batch: Scanning 3 messages, 55415 bytes
Jul 3 19:46:52 devel MailScanner[29319]: Created attachment dirs for 3 messages
Jul 3 19:46:52 devel MailScanner[29319]: Spam Checks: Starting
Jul 3 19:46:55 devel MailScanner[29319]: SpamAssassin returned 0
Jul 3 19:46:56 devel MailScanner[29319]: SpamAssassin returned 0
Jul 3 19:46:59 devel MailScanner[29319]: SpamAssassin returned 0
Jul 3 19:46:59 devel MailScanner[29319]: Spam Checks completed at 8412 bytes per second
Jul 3 19:46:59 devel MailScanner[29319]: Virus and Content Scanning: Starting
Jul 3 19:46:59 devel MailScanner[29319]: Commencing scanning by clamd...
Jul 3 19:46:59 devel MailScanner[29365]: Debug Mode Is On
Jul 3 19:46:59 devel MailScanner[29365]: Use Threads : YES
Jul 3 19:46:59 devel MailScanner[29365]: IP : 127.0.0.1
Jul 3 19:46:59 devel MailScanner[29365]: Port : 3310
Jul 3 19:46:59 devel MailScanner[29365]: Lock File : NOT USED
Jul 3 19:46:59 devel MailScanner[29365]: Time Out : 300
Jul 3 19:46:59 devel MailScanner[29365]: Scan Dir : /var/spool/MailScanner/incoming/29319
Jul 3 19:46:59 devel MailScanner[29365]: Clamd : Sending PING
Jul 3 19:46:59 devel MailScanner[29365]: Clamd : GOT 'PONG'
Jul 3 19:46:59 devel MailScanner[29365]: ClamD is running
Jul 3 19:46:59 devel MailScanner[29365]: SENT : MULTISCAN /var/spool/MailScanner/incoming/29319
Jul 3 19:46:59 devel MailScanner[29319]: Completed scanning by clamd
Jul 3 19:46:59 devel MailScanner[29319]: Completed checking by /usr/local/bin/file
Jul 3 19:46:59 devel MailScanner[29319]: Virus Scanning completed at 367181 bytes per second
Jul 3 19:46:59 devel MailScanner[29319]: About to deliver 3 messages
Jul 3 19:46:59 devel MailScanner[29319]: Uninfected: Delivered 3 messages
Jul 3 19:46:59 devel MailScanner[29319]: Batch completed at 8175 bytes per second (55415 / 6)
Jul 3 19:46:59 devel MailScanner[29319]: Batch (3 messages) processed in 6.78 seconds
Jul 3 19:46:59 devel MailScanner[29319]: Logging message l642kYcl029232 to SQL
Jul 3 19:46:59 devel MailScanner[29319]: Logging message l642kPu9029221 to SQL
Jul 3 19:46:59 devel MailScanner[29319]: Logging message l642juvd029134 to SQL
Jul 3 19:46:59 devel MailScanner[29319]: "Always Looked Up Last" took 0.01 seconds
Jul 3 19:46:59 devel MailScanner[29319]: Config: calling custom end function SQLBlacklist
Jul 3 19:46:59 devel MailScanner[29319]: Closing down by-domain spam blacklist
Jul 3 19:46:59 devel MailScanner[29319]: Config: calling custom end function MailWatchLogging
Jul 3 19:46:59 devel MailScanner[29319]: Config: calling custom end function SQLWhitelist
Jul 3 19:46:59 devel MailScanner[29319]: Closing down by-domain spam whitelist
Jul 3 19:46:59 devel MailScanner[29319]: MailScanner child dying of old age
Jul 3 19:46:59 devel MailScanner[29327]: l642kYcl029232: Logged to MailWatch SQL
Jul 3 19:46:59 devel MailScanner[29327]: l642kPu9029221: Logged to MailWatch SQL
Jul 3 19:46:59 devel MailScanner[29327]: l642juvd029134: Logged to MailWatch SQL
Jul 3 19:49:08 devel MailScanner[29637]: MailScanner E-Mail Virus Scanner version 4.61.7 starting...

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From R.Sterenborg at netsourcing.nl Fri Jul 6 10:45:46 2007
From: R.Sterenborg at netsourcing.nl (Rob Sterenborg)
Date: Fri Jul 6 10:47:33 2007
Subject: Commercial scanner clamav timed out!
In-Reply-To: <39539ed9b640e64582f34f5e5ee68224@solidstatelogic.com>
References: <290316.6797.qm@web54401.mail.yahoo.com> <39539ed9b640e64582f34f5e5ee68224@solidstatelogic.com>
Message-ID: <74ACEB3E6A055643A89B8CEC74C7BF2488E0C4@WISENT.dcyb.net>

> Wilson
>
> Have a look at the clamd.conf for timeout settings!

Maybe I'm overlooking something, but I don't see clamd mentioned anywhere so I'm guessing clamscan is used, of which I've recently seen some post saying it's timing out.

OP: Switch to either clamdscan or clamavmodule if you're using clamscan.

Grts,
Rob

>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
>> bounces@lists.mailscanner.info] On Behalf Of Wilson Kwok
>> Sent: 06 July 2007 07:48
>> To: mailscanner@lists.mailscanner.info
>> Subject: Commercial scanner clamav timed out!
>>
>> Hello,
>>
>> Environment: postfix-2.2.10-1.1.el4 +
> MailScanner-perl-MIME-Base64-3.05-5
>> + clamav-0.90.3-1.el4.rf + spamassassin-3.2.1-1.el4.rf
>>
>> MailScanner always sent logs, can anyone help me ?
>>
>>
>> Log here:
>> Jul 6 11:36:39 mailgateway MailScanner[20662]: Commercial scanner
>> clamav timed out!
>> Jul 6 11:36:39 mailgateway MailScanner[20662]: clamav: Failed to
>> complete, timed out
>> Jul 6 11:36:39 mailgateway MailScanner[20662]: Virus Scanning:
>> Denial Of Service attack detected!
>> Jul 6 11:37:30 mailgateway MailScanner[20659]: Commercial scanner
>> clamav timed out!
>> Jul 6 11:37:30 mailgateway MailScanner[20659]: clamav: Failed to
>> complete, timed out
>> Jul 6 11:37:30 mailgateway MailScanner[20659]: Virus Scanning:
>> Denial Of Service attack detected!
>> Jul 6 11:38:34 mailgateway MailScanner[20121]: Commercial scanner
>> clamav timed out!
>> Jul 6 11:38:34 mailgateway MailScanner[20121]: clamav: Failed to
>> complete, timed out
>> Jul 6 11:38:34 mailgateway MailScanner[20121]: Virus Scanning:
>> Denial Of Service attack is in message 80B8741821F.81DD6
>> Jul 6 11:38:34 mailgateway MailScanner[20121]: Infected message
>> 80B8741821F.81DD6 came from 200.86.17.36
>> Jul 6 11:39:44 mailgateway MailScanner[20428]: Commercial scanner
>> clamav timed out!
>> Jul 6 11:39:44 mailgateway MailScanner[20428]: clamav: Failed to
>> complete, timed out

From MailScanner at ecs.soton.ac.uk Fri Jul 6 10:48:51 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 6 10:51:19 2007
Subject: New config parameters
In-Reply-To: <02aa01c7bf7a$7fc794d0$0301a8c0@SAHOMELT>
References: <02aa01c7bf7a$7fc794d0$0301a8c0@SAHOMELT>
Message-ID: <468E1003.8090809@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes it would be lost. But it rebuilds so fast it's not worth worrying about. The gain in speed more than outweighs this.

Rick Cooper wrote:
> I downloaded the latest stable today and noticed some changes in reference
> to changing the incoming work dir. The following seems like it should be a
> bit more detailed:
>
> # NOTE: If you change this, you should change these too:
> # NOTE: SpamAssassin Temporary Dir
> # NOTE: SpamAssassin Cache Database File
>
> If I place the SA temp dir and MailScanner incoming Work Dir on a tmpfs file
> system I wouldn't think I would want the SpamAssassin Cache DataBase placed
> there as well as it would be lost between system reboots would it not?
>
>
> Rick
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGjhAEEfZZRxQVtlQRAvU8AKD8vcegUbULZk13T/0/C6N2TBmMhACbB54p
aWxp3O4GHXVOtwTD2fOwR+Y=
=syaQ
-----END PGP SIGNATURE-----

From martinh at solidstatelogic.com Fri Jul 6 11:02:31 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Jul 6 11:02:34 2007
Subject: Commercial scanner clamav timed out!
In-Reply-To: <74ACEB3E6A055643A89B8CEC74C7BF2488E0C4@WISENT.dcyb.net>
Message-ID:

Ah sorry yeah switch to clamd. Clamscan takes a huge amount of time to load up...fixed in 0.91.rc releases..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Rob Sterenborg
> Sent: 06 July 2007 10:46
> To: MailScanner discussion
> Subject: RE: Commercial scanner clamav timed out!
>
> > Wilson
> >
> > Have a look at the clamd.conf for timeout settings!
>
> Maybe I'm overlooking something, but I don't see clamd mentioned
> anywhere so I'm guessing clamscan is used, of which I've recently seen
> some post saying it's timing out.
>
> OP: Switch to either clamdscan or clamavmodule if you're using clamscan.
>
>
> Grts,
> Rob
>
>
> >> -----Original Message-----
> >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> >> bounces@lists.mailscanner.info] On Behalf Of Wilson Kwok
> >> Sent: 06 July 2007 07:48
> >> To: mailscanner@lists.mailscanner.info
> >> Subject: Commercial scanner clamav timed out!
> >>
> >> Hello,
> >>
> >> Environment: postfix-2.2.10-1.1.el4 +
> > MailScanner-perl-MIME-Base64-3.05-5
> >> + clamav-0.90.3-1.el4.rf + spamassassin-3.2.1-1.el4.rf
> >>
> >> MailScanner always sent logs, can anyone help me ?
> >>
> >>
> >> Log here:
>
> >> Jul 6 11:36:39 mailgateway MailScanner[20662]: Commercial scanner
> >> clamav timed out!
> >> Jul 6 11:36:39 mailgateway MailScanner[20662]: clamav: Failed to
> >> complete, timed out
> >> Jul 6 11:36:39 mailgateway MailScanner[20662]: Virus Scanning:
> >> Denial Of Service attack detected!
>
> >> Jul 6 11:37:30 mailgateway MailScanner[20659]: Commercial scanner
> >> clamav timed out!
> >> Jul 6 11:37:30 mailgateway MailScanner[20659]: clamav: Failed to
> >> complete, timed out
> >> Jul 6 11:37:30 mailgateway MailScanner[20659]: Virus Scanning:
> >> Denial Of Service attack detected!
>
> >> Jul 6 11:38:34 mailgateway MailScanner[20121]: Commercial scanner
> >> clamav timed out!
> >> Jul 6 11:38:34 mailgateway MailScanner[20121]: clamav: Failed to
> >> complete, timed out
> >> Jul 6 11:38:34 mailgateway MailScanner[20121]: Virus Scanning:
> >> Denial Of Service attack is in message 80B8741821F.81DD6
> >> Jul 6 11:38:34 mailgateway MailScanner[20121]: Infected message
> >> 80B8741821F.81DD6 came from 200.86.17.36
>
> >> Jul 6 11:39:44 mailgateway MailScanner[20428]: Commercial scanner
> >> clamav timed out!
> >> Jul 6 11:39:44 mailgateway MailScanner[20428]: clamav: Failed to
> >> complete, timed out
From gerard at seibercom.net Fri Jul 6 11:22:16 2007
From: gerard at seibercom.net (Gerard)
Date: Fri Jul 6 11:22:05 2007
Subject: Postfix Address Verification
In-Reply-To: <74ACEB3E6A055643A89B8CEC74C7BF2488E0C3@WISENT.dcyb.net>
References: <468D77B2.8020109@rheelweb.co.nz> <74ACEB3E6A055643A89B8CEC74C7BF2488E0C3@WISENT.dcyb.net>
Message-ID: <20070706061414.C5CF.GERARD@seibercom.net>

On July 06, 2007 at 01:55AM Rob Sterenborg wrote:

> Just a thought before going there: I didn't see much of your PF config
> on this list apart from some snippets (that doesn't automagically mean
> that I would be able to help you if you did post more of it). I can
> understand that and it is your good right not to show it but it's hard
> to support a config you don't fully know.
> When going to the Postfix list, be prepared to explain what you've
> already done and to post the (sanitized) output of postconf -n, maybe
> other (sanitized) information. The problem may be completely something
> else that we haven't thought of because the rest of the PF config is
> unknown to us. Some PF guru on that list will most likely want to see it
> to support you.

From personal experience, if you post the 'sanitized' version of "postconf -n" rather than the full output of that command, you leave yourself open to abuse.

If you do decide to obscure domain names, be sure to do it consistently throughout the file. DO NOT obscure IP addresses.

It would behoove you to post the complete output of:

1) postconf -n
2) Complete list of modifications to master.cf
3) Relevant mail log entries.

You may need to run Postfix in debug mode. Someone will inevitably inform you of that detail if it needs to be done.

As a long time user of Postfix, I can attest to the assistance I have received on their forum, provided I played by their rules.

Good luck!

--
Gerard

From R.Sterenborg at netsourcing.nl Fri Jul 6 11:50:10 2007
From: R.Sterenborg at netsourcing.nl (Rob Sterenborg)
Date: Fri Jul 6 11:52:17 2007
Subject: Postfix Address Verification
In-Reply-To: <20070706061414.C5CF.GERARD@seibercom.net>
References: <468D77B2.8020109@rheelweb.co.nz><74ACEB3E6A055643A89B8CEC74C7BF2488E0C3@WISENT.dcyb.net> <20070706061414.C5CF.GERARD@seibercom.net>
Message-ID: <74ACEB3E6A055643A89B8CEC74C7BF2488E0C7@WISENT.dcyb.net>

>> Just a thought before going there: I didn't see much of your PF
>> config on this list apart from some snippets (that doesn't
>> automagically mean that I would be able to help you if you did post
>> more of it). I can understand that and it is your good right not to
>> show it but it's hard to support a config you don't fully know.
>> When going to the Postfix list, be prepared to explain what you've
>> already done and to post the (sanitized) output of postconf -n, maybe
>> other (sanitized) information. The problem may be completely
>> something else that we haven't thought of because the rest of the PF
>> config is unknown to us. Some PF guru on that list will most likely
>> want to see it to support you.
>
>
> From personal experience, if you post the 'sanitized' version of
> "postconf -n" rather than the full output of that command, you leave
> yourself open to abuse.

I'm sorry if I wasn't clear on that; I'm not native English: I guess "sanitize" was not the correct word.. I meant to say what you are saying below but your comment is more in depth.

What I don't understand however, is how I would be open to abuse by sending a sanitized version of postconf -n instead of the original output. The full original output certainly can contain information you don't want to spread on the list. With sanitized I meant that the output of postconf -n would have that information obfuscated.

> If you do decide to obscure domain names, be sure to do it
> consistently throughout the file. DO NOT obscure IP addresses.
>
> It would behoove you to post the complete output of:
>
> 1) postconf -n
> 2) Complete list of modifications to master.cf
> 3) Relevant mail log entries.
>
> You may need to run Postfix in debug mode. Someone will inevitably
> inform you of that detail if it needs to be done.
>
> As a long time user of Postfix, I can attest to the assistance I have
> received on their forum, provided I played by their rules.

Grts,
Rob

From gerard at seibercom.net Fri Jul 6 12:19:11 2007
From: gerard at seibercom.net (Gerard)
Date: Fri Jul 6 12:18:58 2007
Subject: Postfix Address Verification
In-Reply-To: <74ACEB3E6A055643A89B8CEC74C7BF2488E0C7@WISENT.dcyb.net>
References: <20070706061414.C5CF.GERARD@seibercom.net> <74ACEB3E6A055643A89B8CEC74C7BF2488E0C7@WISENT.dcyb.net>
Message-ID: <20070706071038.1D6C.GERARD@seibercom.net>

On July 06, 2007 at 06:50AM Rob Sterenborg wrote:

[snip]

> I'm sorry if I wasn't clear on that; I'm not native English: I guess
> "sanitize" was not the correct word.. I meant to say what you are saying
> below but your comment is more in depth.
>
> What I don't understand however, is how I would be open to abuse by
> sending a sanitized version of postconf -n instead of the original
> output. The full original output certainly can contain information you
> don't want to spread on the list. With sanitized I meant that the output
> of postconf -n would have that information obfuscated.

We are probably talking about the same thing. I was under the impression that you meant for the OP to send only selected portions of the output of 'postconf -n' rather than the entire output.

The problem is that so many users, especially those using 'virtual' addressing, or anything to do with 'virtual', redact the file so badly that nobody is able to easily spot where the problem is. To obscure a domain name, when the poster is in fact using that same name in his/her email address is ridiculous.

In any case, the more complete the information that is supplied is, the better chance of getting a satisfactory response.

--
Gerard

From rcooper at dwford.com Fri Jul 6 12:19:00 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Jul 6 12:19:06 2007
Subject: clamd configuration?
In-Reply-To:
References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com>
Message-ID: <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Jason Ede
> Sent: Friday, July 06, 2007 5:42 AM
> To: MailScanner discussion
> Subject: RE: clamd configuration?
>
> I had the same problem with clamd missing the attached virus
> although all looks fine through the debug apart from the
> test viruses not being detected.
>
> I've checked user and permission levels and all looks good
> as far as I can see...
>
> I've gone back to using clamavmodule for now...
>
> Oh, MailScanner is 4.61.7 and clamav is the 0.91rc2
>
> Jason
>
[...]

Apply the attached patch to SweepViruses.pm and retry clamd. You should see an error line this time. Best guess is a minor permissions problem, could be something else and it should still show up as an error line in the log.

Julian, this patch should be applied to SweepViruses.pm Version 4.61.7

Rick

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SweepViruses.pm.diff
Type: application/octet-stream
Size: 1100 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070706/9d17e69e/SweepViruses.pm.obj

From glenn.steen at gmail.com Fri Jul 6 13:27:54 2007
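Rick's diagnosis above turns on clamd reporting an error that never reaches the log, so the batch is delivered as uninfected. As an added example (not MailScanner's SweepViruses.pm and not the scrubbed patch), the Python below reads clamd's per-item reply lines and treats an ERROR, an unparseable line or an empty reply as a failed scan rather than a clean one. The reply strings are constructed samples that reuse the scan directory from Chris's log; `parse_reply` and `batch_verdict` are hypothetical names.

```python
import re

# clamd answers SCAN/MULTISCAN with one line per reported item:
#   <path>: OK
#   <path>: <signature> FOUND
#   <path>: <reason> ERROR
# The status keyword is matched at the end of the line.
REPLY_RE = re.compile(
    r"^(?P<path>.+?): (?:(?P<detail>.+) )?(?P<status>OK|FOUND|ERROR)$"
)

# Constructed sample replies. The directory is the Scan Dir from the log in
# this thread; the file name and the error text are made up for illustration.
SCAN_DIR = "/var/spool/MailScanner/incoming/29319"
SAMPLE_REPLIES = {
    "detected": [SCAN_DIR + "/l642kYcl029232/eicar.com: Eicar-Test-Signature FOUND"],
    "denied": [SCAN_DIR + ": lstat() failed: Permission denied. ERROR"],
    "silent": [],  # connection closed without any reply line
    "clean": [SCAN_DIR + ": OK"],
}


def parse_reply(line):
    """Split one clamd reply line into (path, status, detail), or None."""
    m = REPLY_RE.match(line.rstrip("\r\n\0"))
    if m is None:
        return None
    return m.group("path"), m.group("status"), m.group("detail")


def batch_verdict(reply_lines):
    """Classify a whole batch; anything short of an explicit OK is not clean."""
    found = {}    # path -> signature name
    errors = []   # human-readable reasons the scan cannot be trusted
    seen = 0
    for raw in reply_lines:
        if not raw.strip("\r\n\0 "):
            continue
        seen += 1
        parsed = parse_reply(raw)
        if parsed is None:
            errors.append("unparseable reply: %r" % raw)
            continue
        path, status, detail = parsed
        if status == "FOUND":
            found[path] = detail or "unknown"
        elif status == "ERROR":
            errors.append("%s: %s" % (path, detail or "unspecified error"))
    if seen == 0:
        errors.append("no reply from clamd")
    if found:
        verdict = "infected"
    elif errors:
        verdict = "error"   # fail closed: log it and hold the batch
    else:
        verdict = "clean"
    return {"verdict": verdict, "found": found, "errors": errors}


if __name__ == "__main__":
    for name, lines in SAMPLE_REPLIES.items():
        result = batch_verdict(lines)
        print(name, "->", result["verdict"], result["errors"])
```
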
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 6 13:27:57 2007
Subject: Whitelist issue
In-Reply-To: <733d6ede0707052334r5aa6224x215bf6d88632b88@mail.gmail.com>
References: <733d6ede0707040257v6c1da171k7c43f0dc5e297d1e@mail.gmail.com> <733d6ede0707041908j7cde6da0y8e91a4964be6d850@mail.gmail.com> <1183614478.7215.32.camel@localhost.localdomain> <223f97700707050255p36c7af61t7ca09e3b6e8dd314@mail.gmail.com> <223f97700707050344x65402eb6v424e7e4911eb6d54@mail.gmail.com> <733d6ede0707052334r5aa6224x215bf6d88632b88@mail.gmail.com>
Message-ID: <223f97700707060527u1b75866fn8b2a15705b14cbc7@mail.gmail.com>

On 06/07/07, Vivek Mittal wrote:
> I've tried setting it to @eblueprint.com.au as well as
> printer@eblueprint.com.au with no luck.
>
> I did have a breakthrough today. I installed MailWatch with the hope
> of using its whitelisting feature to help with this. I sent a trial
> message from the printer and noticed that the from column is blank.
> The message headers are below. I can see a From: field there but it
> is not being picked up?!
>
> This looks more like a printer problem than a mailscanner one, but I
> need some sort of a solution to stop mailscanner marking these emails
> as spam.
>
> Return-Path: < g>
> Received: from mx06.syd.isp.net.au (mx06.syd.isp.net.au [210.50.76.235])
> by app.xyz.com.au (8.13.4/8.13.4) with ESMTP id l666dcRf010593
> for ; Fri, 6 Jul 2007 16:39:39 +1000
> Date: Fri, 6 Jul 2007 16:39:38 +1000
> X-IronPort-AV: E=Sophos;i="4.16,506,1175436000";
> d="pdf'?scan'208";a="54928259"
> Received: from 114.090.dsl.mel.isp.net.au ([211.26.244.114])
> by smtp06.syd.isp.net.au with SMTP; 06 Jul 2007 16:24:07 +1000
> From: "XYZ PTY LTD"
> To:
> Subject: Fax sent by : XYZ PTY LTD<>
> Message-ID: <1104100900>
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="__59453boundry__"
>

Right. So you don't have the envelopesender that you thought. Explains everything perfectly.

Now, can you please consider using the IP address of the printer for the W/L instead? This will solve your problem.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Jul 6 13:40:21 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 6 13:40:23 2007
Subject: Filename rule question
In-Reply-To: <468E09B6.10605@ti-edu.ch>
References: <468A6663.8010907@ti-edu.ch> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> <468CACEF.30202@ti-edu.ch> <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> <468CDC23.7000500@ti-edu.ch> <223f97700707051316y462cffd5ka6ce8064d614350f@mail.gmail.com> <468E09B6.10605@ti-edu.ch>
Message-ID: <223f97700707060540n7c7b022eye5700536d480541c@mail.gmail.com>

On 06/07/07, Marco Induni wrote:
> Glenn Steen wrote:
(snip)
> >>
> >>
> > To my tired eyes that doesn't look that bad... More's the pity...
> Hope now your eyes are better :-)
> > Seems you don't install SA and Clamav by way of Jules easy package (or
> > else a lot more of the optional modules would be there)... Hm... One
> > could start installing those, of course, but I don't see them having
> > an effect.
> In fact, we use uvscan(mcafee) and sometime clamav AV, but they are
> installed apart (SA via CPAN / clamav make /make install)

Ok. I don't think you need remove/reinstall with Jules package... It does more or less those, and then adds a lot of perl modules to make Mail::ClamAV happy. Would be passing strange if that had any impact on this problem.

> > You did say that restoring the default filename/filetype
> > rules files and reloading/restarting MailScanner didn't have any
> > effect either? Most strange.
> Yes, it is so.

This makes me think there is something seriously wrong here... And perhaps not _directly_ related to the rule file used... Unless of course the files aren't readable or something strange like that... Nah, probably not.

> > How did you install the MIME::* packages? Via jules installer or via
> > distro or CPAN?
> Via jules. I've installed the new version a couple of days ago.
>

You could try reinstalling them (force them from CPAN or something), just to see that they build/install OK... Apart from this, you don't see any strange log entries in the normal syslog?

We really need to get a handle on what is going bonkers here.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Fri Jul 6 14:26:53 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 6 14:31:25 2007 Subject: Commercial scanner clamav timed out! In-Reply-To: <290316.6797.qm@web54401.mail.yahoo.com> References: <290316.6797.qm@web54401.mail.yahoo.com> Message-ID: <468E431D.6020206@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The current version of the clamscan binary (as used by the "clamav" scanner setting) takes a very long time to load the virus signatures. Either a) Increase the timeout (not good) b) Install the 0.91rc2 version of ClamAV as this loads and starts much faster c) Use the "clamavmodule" scanner setting together with the ClamAV+SA package available from www.mailscanner.info d) Use the "clamd" scanner setting together with the clamd RPM available from dag.wieers.com. This is probably the best answer. Go for (d) first. Wilson Kwok wrote: > Hello, > Environment: postfix-2.2.10-1.1.el4 + MailScanner-perl-MIME-Base64-3.05-5 > + clamav-0.90.3-1.el4.rf + spamassassin-3.2.1-1.el4.rf > MailScanner always sent logs, can anyone help me ? > Log here: > Jul 6 11:36:39 mailgateway MailScanner[20662]: Commercial scanner > clamav timed out! > Jul 6 11:36:39 mailgateway MailScanner[20662]: clamav: Failed to > complete, timed out > Jul 6 11:36:39 mailgateway MailScanner[20662]: Virus Scanning: Denial > Of Service attack detected! > Jul 6 11:37:30 mailgateway MailScanner[20659]: Commercial scanner > clamav timed out! > Jul 6 11:37:30 mailgateway MailScanner[20659]: clamav: Failed to > complete, timed out > Jul 6 11:37:30 mailgateway MailScanner[20659]: Virus Scanning: Denial > Of Service attack detected! > Jul 6 11:38:34 mailgateway MailScanner[20121]: Commercial scanner > clamav timed out! 
> Jul 6 11:38:34 mailgateway MailScanner[20121]: clamav: Failed to complete, timed out
> Jul 6 11:38:34 mailgateway MailScanner[20121]: Virus Scanning: Denial Of Service attack is in message 80B8741821F.81DD6
> Jul 6 11:38:34 mailgateway MailScanner[20121]: Infected message 80B8741821F.81DD6 came from 200.86.17.36
> Jul 6 11:39:44 mailgateway MailScanner[20428]: Commercial scanner clamav timed out!
> Jul 6 11:39:44 mailgateway MailScanner[20428]: clamav: Failed to complete, timed out

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Comment: (pgp-secured)
Charset: Big5

wj8DBQFGjkMeEfZZRxQVtlQRAtkZAJwIJBRTTIwnUdm50QbTmUuSLZYbDgCg2ZCM
r8wijAqQKh5Ju2VcowsLD7o=
=A6/H
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Fri Jul 6 14:28:07 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 6 14:32:40 2007 Subject: Commercial scanner clamav timed out! In-Reply-To: <74ACEB3E6A055643A89B8CEC74C7BF2488E0C4@WISENT.dcyb.net> References: <290316.6797.qm@web54401.mail.yahoo.com> <39539ed9b640e64582f34f5e5ee68224@solidstatelogic.com> <74ACEB3E6A055643A89B8CEC74C7BF2488E0C4@WISENT.dcyb.net> Message-ID: <468E4367.7060805@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Rob Sterenborg wrote: >> Wilson >> >> Have a look at the clamd.conf for timeout settings! >> > > Maybe I'm overlooking something, but I don't see clamd mentioned > anywhere so I'm guessing clamscan is used, of which I've recently seen > some post saying it's timeing out. > > OP: Switch to either clamdscan or clamavmodule if you're using clamscan. > > I do not support use of clamdscan. If you want to use clamd then upgrade to version 4.61 and use the direct clamd support. Editing *-wrapper scripts is not recommended. > Grts, > Rob > > > >>> -----Original Message----- 
>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>> bounces@lists.mailscanner.info] On Behalf Of Wilson Kwok >>> Sent: 06 July 2007 07:48 >>> To: mailscanner@lists.mailscanner.info >>> Subject: Commercial scanner clamav timed out! >>> >>> Hello, >>> >>> Environment: postfix-2.2.10-1.1.el4 + >>> >> MailScanner-perl-MIME-Base64-3.05-5 >> >>> + clamav-0.90.3-1.el4.rf + spamassassin-3.2.1-1.el4.rf >>> >>> MailScanner always sent logs, can anyone help me ? >>> >>> >>> Log here: >>> > > >>> Jul 6 11:36:39 mailgateway MailScanner[20662]: Commercial scanner >>> clamav timed out! >>> Jul 6 11:36:39 mailgateway MailScanner[20662]: clamav: Failed to >>> complete, timed out >>> Jul 6 11:36:39 mailgateway MailScanner[20662]: Virus Scanning: >>> Denial Of Service attack detected! >>> > > >>> Jul 6 11:37:30 mailgateway MailScanner[20659]: Commercial scanner >>> clamav timed out! >>> Jul 6 11:37:30 mailgateway MailScanner[20659]: clamav: Failed to >>> complete, timed out >>> Jul 6 11:37:30 mailgateway MailScanner[20659]: Virus Scanning: >>> Denial Of Service attack detected! >>> > > >>> Jul 6 11:38:34 mailgateway MailScanner[20121]: Commercial scanner >>> clamav timed out! >>> Jul 6 11:38:34 mailgateway MailScanner[20121]: clamav: Failed to >>> complete, timed out >>> Jul 6 11:38:34 mailgateway MailScanner[20121]: Virus Scanning: >>> Denial Of Service attack is in message 80B8741821F.81DD6 >>> Jul 6 11:38:34 mailgateway MailScanner[20121]: Infected message >>> 80B8741821F.81DD6 came from 200.86.17.36 >>> > > >>> Jul 6 11:39:44 mailgateway MailScanner[20428]: Commercial scanner >>> clamav timed out! >>> Jul 6 11:39:44 mailgateway MailScanner[20428]: clamav: Failed to >>> complete, timed out >>> Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFGjkNnEfZZRxQVtlQRAj/xAJ0dWXhb+eG+bjAxsxE5jKgbUY4ZaACfU8ac
/I7s2YixwXEmn5woML2Xecc=
=hlL3
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Fri Jul 6 14:30:58 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 6 14:35:33 2007
Subject: clamd configuration?
In-Reply-To: <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT>
References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com> <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT>
Message-ID: <468E4412.4080609@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rick,

Minor points:
1) I use 2-character indentation, and no tab characters
2) Please do "print STDERR" and not just "print".

It will just make my life easier, many thanks!

Cheers for the patch, it will be in the next release.

Jules.

Rick Cooper wrote:
> > > > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > Behalf Of Jason Ede > > Sent: Friday, July 06, 2007 5:42 AM > > To: MailScanner discussion > > Subject: RE: clamd configuration? > > > > I had the same problem with clamd missing the attached virus > > although all looks fine through the debug apart from the > > test viruses not being detected. > > > > I've checked user and permission levels and all looks good > > as far as I can see... > > > > I've gone back to using clamavmodule for now... > > > > Oh, MailScanner is 4.61.7 and clamav is the 0.91rc2 > > > > Jason > > > [...] > > Apply the attached patch to SweepViruses.pm and retry clamd. You should see > an error line this time. Best guess is a minor permissions problem, could be > something else and it should still show up as an error line in the log. > > Julian, > this patch should be applied to SweepViruses.pm Version 4.61.7 > > Rick > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFGjkQTEfZZRxQVtlQRAnqdAJ4wr9DGAmlR3NLsr5jZF7qG+gcfgACgtGES MSfc8rkNX8UENGhVTsvciEI= =+73O -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Fri Jul 6 14:33:57 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 6 14:37:09 2007 Subject: clamd configuration? In-Reply-To: <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com> <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> Message-ID: <468E44C5.2010006@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Oops, apology owed. Didn't read the patch carefully enough before replying. Please take back all my comments in the previous email (except the one about the patch being in the next release!). Sorry! :-( Jules. Rick Cooper wrote: > > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > Behalf Of Jason Ede > > Sent: Friday, July 06, 2007 5:42 AM > > To: MailScanner discussion > > Subject: RE: clamd configuration? > > > > I had the same problem with clamd missing the attached virus > > although all looks fine through the debug apart from the > > test viruses not being detected. > > > > I've checked user and permission levels and all looks good > > as far as I can see... > > > > I've gone back to using clamavmodule for now... > > > > Oh, MailScanner is 4.61.7 and clamav is the 0.91rc2 > > > > Jason > > > [...] > > Apply the attached patch to SweepViruses.pm and retry clamd. You should see > an error line this time. Best guess is a minor permissions problem, could be > something else and it should still show up as an error line in the log. > > Julian, > this patch should be applied to SweepViruses.pm Version 4.61.7 > > Rick > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFGjkTGEfZZRxQVtlQRAo9lAKCS6+8ktQTrhOcJ1LOb/8fVWA2nvwCePrBQ +71Me/Hm11WpAllyiql+8ys= =SHub -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From j.ede at birchenallhowden.co.uk Fri Jul 6 14:38:08 2007 
From: j.ede at birchenallhowden.co.uk (Jason Ede) Date: Fri Jul 6 14:38:23 2007 Subject: clamd configuration? In-Reply-To: <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com> <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> Message-ID: Ok... I'm getting an unknown error returned now... Jason Jul 6 14:36:28 gateway MailScanner[19018]: Commencing scanning by clamd... Jul 6 14:36:28 gateway MailScanner[19070]: Debug Mode Is On Jul 6 14:36:28 gateway MailScanner[19070]: Use Threads : NO Jul 6 14:36:28 gateway MailScanner[19070]: Socket : /tmp/clamd Jul 6 14:36:28 gateway MailScanner[19070]: IP : Using Sockets Jul 6 14:36:28 gateway MailScanner[19070]: Lock File : NOT USED Jul 6 14:36:28 gateway MailScanner[19070]: Time Out : 300 Jul 6 14:36:28 gateway MailScanner[19070]: Scan Dir : /var/spool/MailScanner/incoming/19018 Jul 6 14:36:28 gateway MailScanner[19070]: Clamd : Sending PING Jul 6 14:36:28 gateway MailScanner[19070]: Clamd : GOT 'PONG' Jul 6 14:36:28 gateway MailScanner[19070]: ClamD is running Jul 6 14:36:28 gateway MailScanner[19070]: SENT : CONTSCAN /var/spool/MailScanner/incoming/19018 Jul 6 14:36:28 gateway MailScanner[19018]: ERROR::UNKOWN CLAMD RETURN ./lstat() failed. 
ERROR :: /var/spool/MailScanner/incoming/19018 Jul 6 14:36:29 gateway MailScanner[19018]: Completed scanning by clamd Jul 6 14:36:29 gateway MailScanner[19018]: Virus Scanning: Clamd found 1 infections Jul 6 14:36:29 gateway MailScanner[19018]: Virus Scanning: Found 1 viruses Jul 6 14:36:29 gateway MailScanner[19018]: Filename Checks: Windows/DOS Executable (76144968599.30A99 eicar.com) Jul 6 14:36:29 gateway MailScanner[19018]: Filename Checks: Windows/DOS Executable (3D8D3968598.E288F eicar.com) Jul 6 14:36:29 gateway MailScanner[19018]: Filename Checks: Windows/DOS Executable (946219685A0.5F3A4 eicar.com) Jul 6 14:36:29 gateway MailScanner[19018]: Completed checking by /usr/bin/file Jul 6 14:36:29 gateway MailScanner[19018]: Other Checks: Found 3 problems -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick Cooper Sent: 06 July 2007 12:19 To: 'MailScanner discussion' Subject: RE: clamd configuration? > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Jason Ede > Sent: Friday, July 06, 2007 5:42 AM > To: MailScanner discussion > Subject: RE: clamd configuration? > > I had the same problem with clamd missing the attached virus > although all looks fine through the debug apart from the > test viruses not being detected. > > I've checked user and permission levels and all looks good > as far as I can see... > > I've gone back to using clamavmodule for now... > > Oh, MailScanner is 4.61.7 and clamav is the 0.91rc2 > > Jason > [...] Apply the attached patch to SweepViruses.pm and retry clamd. You should see an error line this time. Best guess is a minor permissions problem, could be something else and it should still show up as an error line in the log. Julian, this patch should be applied to SweepViruses.pm Version 4.61.7 Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From rcooper at dwford.com Fri Jul 6 14:52:49 2007 From: rcooper at dwford.com (Rick Cooper) Date: Fri Jul 6 14:52:54 2007 Subject: clamd configuration? In-Reply-To: <468E44C5.2010006@ecs.soton.ac.uk> References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com> <468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com> <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> <468E44C5.2010006@ecs.soton.ac.uk> Message-ID: <00da01c7bfd4$f150e110$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Julian Field > Sent: Friday, July 06, 2007 9:34 AM > To: MailScanner discussion > Subject: Re: clamd configuration? > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Oops, apology owed. > Didn't read the patch carefully enough before replying. > Please take back all my comments in the previous email > (except the one > about the patch being in the next release!). > > Sorry! :-( > Jules. Whew! I thought I had used the proper indent and made sure there were no tabs this time! I guessed that you were mistaken about the print STDERR (since the parser wouldn't see that n'est-ce pas?) No problem, thanks Rick > > Rick Cooper wrote: > > > > > > > -----Original Message----- 
> > > From: mailscanner-bounces@lists.mailscanner.info > > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > > Behalf Of Jason Ede > > > Sent: Friday, July 06, 2007 5:42 AM > > > To: MailScanner discussion > > > Subject: RE: clamd configuration? > > > > > > I had the same problem with clamd missing the attached virus > > > although all looks fine through the debug apart from the > > > test viruses not being detected. > > > > > > I've checked user and permission levels and all looks good > > > as far as I can see... > > > > > > I've gone back to using clamavmodule for now... > > > > > > Oh, MailScanner is 4.61.7 and clamav is the 0.91rc2 > > > > > > Jason > > > > > [...] > > > > Apply the attached patch to SweepViruses.pm and retry > clamd. You should see > > an error line this time. Best guess is a minor permissions > problem, could be > > something else and it should still show up as an error > line in the log. > > > > Julian, > > this patch should be applied to SweepViruses.pm Version 4.61.7 > > > > Rick > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > > > > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from > your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > Comment: (pgp-secured) > Charset: ISO-8859-1 > > wj8DBQFGjkTGEfZZRxQVtlQRAo9lAKCS6+8ktQTrhOcJ1LOb/8fVWA2nvwCePrBQ > +71Me/Hm11WpAllyiql+8ys= > =SHub > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From rcooper at dwford.com Fri Jul 6 15:16:32 2007 From: rcooper at dwford.com (Rick Cooper) Date: Fri Jul 6 15:16:38 2007 Subject: clamd configuration? In-Reply-To: References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com><468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com><00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> Message-ID: <00e101c7bfd8$417646a0$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Jason Ede
> Sent: Friday, July 06, 2007 9:38 AM
> To: MailScanner discussion
> Subject: RE: clamd configuration?
>
> Ok... I'm getting an unknown error returned now...
>
> Jason
> [...]
> Jul 6 14:36:28 gateway MailScanner[19018]: ERROR::UNKOWN CLAMD RETURN ./lstat() failed. ERROR ::
[...]

This is (almost) certainly a permissions problem. It could, of course, be the working dir/files are gone, but that is pretty close to impossible since the mail processing continues.

What user/group is clamd running as? What User/Group owns the incoming work dir? (MS Config incoming Work User = incoming Work Group =) My guess is they are different.

Solutions:
1. Run clamd as root
2. Set the Incoming Work Group to the clamd user group and set Incoming Work Permissions = 0640 (or 0660)
3. Add clamd user to the MailScanner user group and set AllowSupplementaryGroups to yes (must be started by root)

I would opt for options 1 or 2 (Don't forget the Incoming Work Permissions = 0640 part!)

I haven't been able to find what exactly triggers "lstat() failed" versus "permission denied" in ClamAV, but both are generally permissions related, although the lstat problem can happen if a temporary file is removed before clamd gets to it... This should/could never happen with MailScanner.

Rick

From donald.dawson at bakerbotts.com Fri Jul 6 15:38:56 2007
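An added example, not part of any poster's message and not MailScanner or ClamAV code: it applies the standard POSIX owner/group/other rule to every directory on the way to the incoming work directory, for the three fixes Rick Cooper lists in his reply in this thread. The UIDs, GIDs and directory modes are constructed sample values, and `granted_bits`, `first_blocker`, `chain_from_fs` and `sample_chain` are hypothetical helper names.

```python
import os
import stat
from typing import Iterable, List, NamedTuple, Optional, Set, Tuple


class Entry(NamedTuple):
    path: str
    mode: int  # full st_mode, file-type bits included
    uid: int
    gid: int


def granted_bits(entry: Entry, uid: int, gids: Set[int]) -> int:
    """Return the rwx bits (0-7) that apply: owner class, else group, else other."""
    if uid == entry.uid:
        return (entry.mode >> 6) & 7
    if entry.gid in gids:
        return (entry.mode >> 3) & 7
    return entry.mode & 7


def first_blocker(chain: Iterable[Entry], uid: int,
                  gids: Set[int]) -> Optional[Tuple[str, str]]:
    """Return (path, reason) for the first component the process cannot use, or None."""
    if uid == 0:  # root bypasses read and search permission checks
        return None
    entries = list(chain)
    for index, entry in enumerate(entries):
        bits = granted_bits(entry, uid, gids)
        is_target = index == len(entries) - 1
        if stat.S_ISDIR(entry.mode):
            if not bits & 1:
                return entry.path, "no search (x) bit: lstat() of anything inside fails"
            if is_target and not bits & 4:
                return entry.path, "no read (r) bit: directory cannot be listed"
        elif not bits & 4:
            return entry.path, "no read (r) bit on file"
    return None


def chain_from_fs(path: str) -> List[Entry]:
    """Collect Entry records from / down to path on a live system (needs rights to lstat them)."""
    path = os.path.abspath(path)
    parts = [path]
    while os.path.dirname(path) != path:
        path = os.path.dirname(path)
        parts.append(path)
    entries = []
    for part in reversed(parts):
        st = os.lstat(part)
        entries.append(Entry(part, st.st_mode, st.st_uid, st.st_gid))
    return entries


# Constructed sample identities (assumptions, not values from the thread).
POSTFIX_UID, POSTFIX_GID = 89, 89
CLAMAV_UID, CLAMAV_GID = 100, 101


def sample_chain(work_gid: int, work_mode: int) -> List[Entry]:
    """Constructed directory chain ending in a MailScanner per-batch work directory."""
    system_dir = stat.S_IFDIR | 0o755
    work_dir = stat.S_IFDIR | work_mode
    base = "/var/spool/MailScanner"
    return [
        Entry("/", system_dir, 0, 0),
        Entry("/var", system_dir, 0, 0),
        Entry("/var/spool", system_dir, 0, 0),
        Entry(base, system_dir, 0, 0),
        Entry(base + "/incoming", work_dir, POSTFIX_UID, work_gid),
        Entry(base + "/incoming/19018", work_dir, POSTFIX_UID, work_gid),
    ]


if __name__ == "__main__":
    cases = [
        ("mismatched group", sample_chain(POSTFIX_GID, 0o750), CLAMAV_UID, {CLAMAV_GID}),
        ("option 1: clamd as root", sample_chain(POSTFIX_GID, 0o750), 0, {0}),
        ("option 2: work group = clamd group", sample_chain(CLAMAV_GID, 0o750),
         CLAMAV_UID, {CLAMAV_GID}),
        ("option 3: supplementary group honoured", sample_chain(POSTFIX_GID, 0o750),
         CLAMAV_UID, {CLAMAV_GID, POSTFIX_GID}),
        ("group matches but mode 0700", sample_chain(CLAMAV_GID, 0o700),
         CLAMAV_UID, {CLAMAV_GID}),
    ]
    for label, chain, uid, gids in cases:
        print(f"{label}: {first_blocker(chain, uid, gids) or 'accessible'}")
```

On a live gateway, `first_blocker(chain_from_fs(work_dir), uid, gids)` can be fed the uid and group set that clamd actually runs with; the `gids` set should hold only the primary group unless clamd is configured to take supplementary groups.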
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com) Date: Fri Jul 6 15:39:06 2007 Subject: FW: gofer (stock spam) Message-ID: This may have already been addressed, but is there a released rule set or add-on that would help in identifying these type of stock spam emails? We use MailScanner 4.59.4 (MailScanner-v: 3.002000 Mail::SpamAssassin), SpamAssassin 3.2 (SpamAssassin -V), Perl 5.8.5, DCC, Pyzor. We run sa-update and RulesDuJour for automatic updates. We turned off Razor since it was causing delays in processing mail. In MailScanner, we turned off SpamHaus since we process too much email - it appears it was just raising the score of high spam: 'Spam List = SBL+XBL' We also use milter-greylist during the hours of 10 PM and 5 AM. We use milter-null (snert) to reduce bounce backs. We receive about 300k emails a day with about 70% identified as spam. We deliver about 5% of the suspected spam (score below 5). I am considering adding the botnet plugin from: http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar and have added a fake MX entry. We use BAYES, but we don't feed spam or ham so it may have little help. 
Here are the cf files we use in /etc/mail/spamassassin:

00_FVGT_File001.cf  70_sare_header_eng.cf  70_sare_specific.cf  70_sare_whitelist_rcvd.cf  bakerbotts.cf  popcorn_new.cf
70_sare_adult.cf  70_sare_highrisk.cf  70_sare_spoof.cf  70_sare_whitelist_spf.cf  bogus-virus-warnings.cf  random.cf
70_sare_bayes_poison_nxm.cf  70_sare_html0.cf  70_sare_stocks.cf  70_zmi_german.cf  chickenpox.cf  tripwire.cf
70_sare_evilnum0.cf  70_sare_html_eng.cf  70_sare_unsub.cf  72_sare_bml_post25x.cf  local.cf  weeds.cf
70_sare_genlsubj0.cf  70_sare_obfu0.cf  70_sare_uri0.cf  72_sare_redirect_post3.0.0.cf  mailscanner.cf
70_sare_genlsubj_eng.cf  70_sare_oem.cf  70_sare_uri_eng.cf  88_FVGT_headers.cf  mangled.cf
70_sare_header0.cf  70_sare_random.cf  70_sare_whitelist.cf  99_sare_fraud_post25x.cf  pdfinfo.cf

plugins from init.pre:

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
loadplugin Mail::SpamAssassin::Plugin::Hashcash
loadplugin Mail::SpamAssassin::Plugin::SPF
loadplugin Mail::SpamAssassin::Plugin::DCC
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
loadplugin Mail::SpamAssassin::Plugin::AWL
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
loadplugin Mail::SpamAssassin::Plugin::TextCat
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags
loadplugin Mail::SpamAssassin::Plugin::PDFInfo

I don't understand why the SA files are loaded into /var/lib/spamassassin/3.002000... instead of /usr/share/spamassassin:

/usr/bin/spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint:
[17634] dbg: config: fixed relative path: /var/lib/spamassassin/3.002000/updates_spamassassin_org/10_default_prefs.cf
[17634] dbg: config: using "/var/lib/spamassassin/3.002000/updates_spamassassin_org/10_default_prefs.cf" for included file

Any input on our configuration would be appreciated - I enjoy this and the spamassassin forums.
Donald Donald Dawson Security Administrator Baker Botts L.L.P. 713-229-2183 ------------------------------------------------------------------------ -------------------------- -------------------------- HEADERS: -------------------------- Microsoft Mail Internet Headers Version 2.0 Received: from houfe01node01.bakerbotts.net ([10.20.254.151]) by HOUEVS02.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211); Thu, 5 Jul 2007 09:42:54 -0500 Received: from housweep03.bakerbotts.net ([10.20.254.246]) by houfe01node01.bakerbotts.net with Microsoft SMTPSVC(6.0.3790.211); Thu, 5 Jul 2007 09:42:54 -0500 Received: from housweep01.bakerbotts.net (housweep01.bakerbotts.net [10.20.254.236]) by housweep03.bakerbotts.net (Content Technologies SMTPRS 4.3.20) with ESMTP id for ; Thu, 5 Jul 2007 09:42:53 -0500 Received: from houmx05.bakerbotts.com (houmx05-inside.bakerbotts.net) by housweep01.bakerbotts.net (Content Technologies SMTPRS 4.3.20) with ESMTP id for ; Thu, 5 Jul 2007 09:42:53 -0500 X-Envelope-From: cgl@vsnl.net Received: from hdxkxu ([211.201.113.55]) by houmx05.bakerbotts.com (8.13.8/8.13.5) with SMTP id l65EgeXO005996 for ; Thu, 5 Jul 2007 09:42:49 -0500 Received: from [203.176.133.112] (helo=lqiv) by hdxkxu with smtp (Exim 4.62 (FreeBSD)) id 1I6Tgu-0004b8-KB; Thu, 5 Jul 2007 23:45:06 +0900 Message-ID: <468D035C.7050006@vsnl.net> Date: Thu, 5 Jul 2007 23:42:36 +0900 
From: "Nell B. Velasquez" User-Agent: Thunderbird 1.5.0.12 (Windows/20070509) MIME-Version: 1.0 To: donald.dawson@bakerbotts.com Subject: gofer Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Null-Tag: 28934f0720308f41d1b0b26ca91189b7 X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-3.0rc3 (houmx05.bakerbotts.com [204.194.98.17]); Thu, 05 Jul 2007 09:42:51 -0500 (CDT) X-BakerBotts-MailScanner-Information: Please contact the ISP for more information X-BakerBotts-MailScanner-SpamCheck: spam, SBL+XBL, SpamAssassin (not cached, score=4.388, required 5, FH_RELAY_NODNS 1.45, RCVD_IN_BL_SPAMCOP_NET 1.96, RCVD_IN_SORBS_DUL 0.88, RDNS_NONE 0.10) X-BakerBotts-MailScanner-SpamScore: ssss X-BakerBotts-MailScanner-From: cgl@vsnl.net X-Spam-Status: Yes Return-Path: cgl@vsnl.net X-OriginalArrivalTime: 05 Jul 2007 14:42:54.0023 (UTC) FILETIME=[C5162D70:01C7BF12] -----Original Message----- 
From: Nell B. Velasquez [mailto:cgl@vsnl.net] Sent: Thursday, July 05, 2007 9:43 AM To: Dawson, Donald Subject: gofer ERMX Continues To Expand As Stock Climbs Up 16.6%! EntreMetrix Inc. (ERMX) $0.21 UP 16.6% ERMX announced further expansion with K-9 Genetics. Healthy and Premium dog foods grossed $3.6 Billion in 2006, up from $1.9 billion in previous years. Read up on ERMX over the holiday, we think you will see even more fireworks on Thursday morning! It's the kind of summer movie that's drawing families and we're very excited for its progress going into the rest of the weekend. The trend of cinematic schlock turned into musical theater is now upon us. Rio's concert, the only free one for Live Earth, would include performances by Lenny Kravitz, Macy Gray and Pharrell Williams. "My mind is in great shape. See the Magic of Disney Parks. It will be hosted by Ann Curry and Carson Daly and feature some of the day's highlights from around the world as well as live performances by the Police and others. "It's because they are people I love as women," the French-born designer told The Associated Press. Golijov went to Botswana last month at the behest of the Met and discussed the opera with Minghella on the production site of the director's latest movie project, based on "The No. The death was not considered suspicious, he said. Germany backs Cruise's anti-Hitler film - Yahoo! "Yes, it's been approved," said Christine Berg, DFFF project head at the FFA. "I'd love to work with new music because I think that's also the only way forward," he said then. broadcast and cable partner, using all of the company's assets at its disposal. " "My joke is I got to have a lot of Blue Cross," Rickles says. A brisk Fourth of July week would help Hollywood recover from a monthlong downturn that followed a huge start to summer in May. "The great fear when you work for an elephant like the Met, being there for the first time of course, is whether you can create poetry and emotion. 
com AP Photo: Director Anthony Minghella poses for photographers during arrivals to the New York premiere of 'Breaking. We could be very pleasantly surprised or it might perform as television is going to perform on that weekend," Harrison said. " When he's not working, he doesn't go to comedy clubs. "It's come around to the idea that maybe we should take this seriously. Beane notes that producers Joel Silver, Lawrence Gordon and a young development executive named Brian Grazer all helped make the original "Xanadu. MSNBC will have live reports from New York and London throughout the day. com Nome Search Powered by :: Free RSS news Add RSS news to your web site engineering news vertical portal can now be syndicated quickly and easily using our new Really Simple Syndication feeds. "Yes, it's been approved," said Christine Berg, DFFF project head at the FFA. "There will be an appropriate delay so there is no issue with standards," Harrison said. " "He has enormous qualities as a human being and an absolutely extraordinary talent for designing," Almodovar told the AP. NBC will have three hours of primetime coverage, live and taped, from Giants Stadium in East Rutherford, N. "I didn't think about making it. "I took my best shots. What happens if we change our minds? com Now Everyone Can Fly Business Class Flat Bed and British Serive. From j.ede at birchenallhowden.co.uk Fri Jul 6 15:41:43 2007 
From: j.ede at birchenallhowden.co.uk (Jason Ede)
Date: Fri Jul 6 15:42:03 2007
Subject: clamd configuration?
In-Reply-To: <00e101c7bfd8$417646a0$0301a8c0@SAHOMELT>
References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com><468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com><00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> <00e101c7bfd8$417646a0$0301a8c0@SAHOMELT>
Message-ID:

ClamAV was running as user clamav and group clamav

The incoming work group parameter in mailscanner.conf is set to clamav

the incoming dir is owned by user postfix group clamav

If I set the clamd to being run as user root then it all seems to work quite happily and detects the test viruses as below... I'll use this setup for now I think.

Jason

Jul 6 15:38:07 gateway MailScanner[21753]: Files hidden in very deeply nested archive in 0EC8D9685C2.D171D
Jul 6 15:38:08 gateway MailScanner[21753]: Password-protected archive (eicarpasswdocr.zip) in 44B169685CE.1FA20
Jul 6 15:38:08 gateway postfix/smtpd[21683]: connect from unknown[58.186.231.112]
Jul 6 15:38:08 gateway MailScanner[21753]: Password-protected archive (eicarpasswd.zip) in 2706D9685CD.A5BA0
Jul 6 15:38:08 gateway MailScanner[21753]: Virus and Content Scanning: Starting
Jul 6 15:38:08 gateway MailScanner[21753]: Commencing scanning by clamd...
Jul 6 15:38:08 gateway MailScanner[21827]: Debug Mode Is On
Jul 6 15:38:08 gateway MailScanner[21827]: Use Threads : NO
Jul 6 15:38:08 gateway MailScanner[21827]: Socket : /tmp/clamd
Jul 6 15:38:08 gateway MailScanner[21827]: IP : Using Sockets
Jul 6 15:38:08 gateway MailScanner[21827]: Lock File : NOT USED
Jul 6 15:38:08 gateway MailScanner[21827]: Time Out : 300
Jul 6 15:38:08 gateway MailScanner[21827]: Scan Dir : /var/spool/MailScanner/incoming/21753
Jul 6 15:38:08 gateway MailScanner[21827]: Clamd : Sending PING
Jul 6 15:38:08 gateway MailScanner[21827]: Clamd : GOT 'PONG'
Jul 6 15:38:08 gateway MailScanner[21827]: ClamD is running
Jul 6 15:38:08 gateway MailScanner[21827]: SENT : CONTSCAN /var/spool/MailScanner/incoming/21753
Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./DBBC19685C1.AC916/eicar.com.txt
Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./BE4FC968592.3B329/eicar.com
Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./232F89685CC.CA233/eicar_com.zip
Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./232F89685CC.CA233/eicar.com
Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./0EC8D9685C2.D171D/eicar_com.zip
Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./0EC8D9685C2.D171D/eicarcom2.zip
Jul 6 15:38:08 gateway MailScanner[21753]: INFECTED:: Eicar-Test-Signature FOUND :: ./0EC8D9685C2.D171D/eicar.com
Jul 6 15:38:08 gateway MailScanner[21753]: Completed scanning by clamd
Jul 6 15:38:09 gateway MailScanner[21753]: Virus Scanning: Clamd found 7 infections

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick Cooper
Sent: 06 July 2007 15:17
To: 'MailScanner discussion'
Subject: RE: clamd configuration?

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Jason Ede
> Sent: Friday, July 06, 2007 9:38 AM
> To: MailScanner discussion
> Subject: RE: clamd configuration?
>
> Ok... I'm getting an unknown error returned now...
>
> Jason
>
[...]
> Jul 6 14:36:28 gateway MailScanner[19018]: ERROR::UNKOWN
> CLAMD RETURN ./lstat() failed. ERROR ::
[...]

This is (almost) certainly a permissions problem. It could, of course, be the working dir/files are gone but that is pretty close to impossible since the mail processing continues.

What user/group is clamd running as?
What are the
What User/Group owns the incoming work dir? (MS Config incoming Work User = incoming Work Group =)

My guess is they are different. Solutions:

1. Run clamd as root
2. set the Incoming Work Group to the clamd user group and set Incoming Work Permissions = 0640 (or 0660)
3. Add clamd user to the MailScanner user group and set AllowSupplementaryGroups to yes (must be started by root)

I would opt for options 1 or 2 (Don't forget the Incoming Work Permissions = 0640 part!)

I haven't been able to find what exactly "triggers lstat() failed" versus "permission denied" in ClamAV, but both are generally permissions related, although the lstat problem can happen if a temporary file is removed before clamd gets to it... This should/could never happen with MailScanner.

Rick

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From Denis.Beauchemin at USherbrooke.ca Fri Jul 6 15:50:46 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Jul 6 15:51:10 2007
Subject: FW: gofer (stock spam)
In-Reply-To:
References:
Message-ID: <468E56C6.2080508@USherbrooke.ca>

donald.dawson@bakerbotts.com wrote:
> This may have already been addressed, but is there a released rule set
> or add-on that would help in identifying these type of stock spam
> emails?
>
> ...
> -----Original Message-----
> From: Nell B. Velasquez [mailto:cgl@vsnl.net]
> Sent: Thursday, July 05, 2007 9:43 AM
> To: Dawson, Donald
> Subject: gofer
>
>
> ERMX Continues To Expand As Stock Climbs Up 16.6%!
>
> EntreMetrix Inc. (ERMX)
> $0.21 UP 16.6%
>
> ERMX announced further expansion with K-9 Genetics. Healthy and Premium
> dog foods grossed $3.6 Billion in 2006, up from $1.9 billion in previous
> years. Read up on ERMX over the holiday, we think you will see even more
> fireworks on Thursday morning!
>

Donald,

I catch these with KAM: http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf

It is updated quite often (daily?).

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From rcooper at dwford.com Fri Jul 6 15:52:20 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Jul 6 15:52:28 2007
Subject: clamd configuration?
In-Reply-To:
References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com><468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com><00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT><00e101c7bfd8$417646a0$0301a8c0@SAHOMELT>
Message-ID: <00ea01c7bfdd$4160f7a0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Jason Ede
> Sent: Friday, July 06, 2007 10:42 AM
> To: MailScanner discussion
> Subject: RE: clamd configuration?
>
>
> ClamAV was running as user clamav and group clamav
>
> The incoming work group parameter in mailscanner.conf is set
> to clamav
>
> the incoming dir is owned by user postfix group clamav
>
> If I set the clamd to being run as user root then it all
> seems to work quite happily and detects the test viruses as
> below... I'll use this setup for now I think.
>
> Jason

Remember to check the incoming work dir permissions, the default is (IIRC) 0600 so the clamav group would not be able to access it. (if, of course, you want to go back to using the clamav user/group)

Rick

>
> Jul 6 15:38:07 gateway MailScanner[21753]: Files hidden in
> very deeply nested archive in 0EC8D9685C2.D171D
> Jul 6 15:38:08 gateway MailScanner[21753]:
> Password-protected archive (eicarpasswdocr.zip) in 44B169685CE.1FA20
> Jul 6 15:38:08 gateway postfix/smtpd[21683]: connect from
> unknown[58.186.231.112]
> Jul 6 15:38:08 gateway MailScanner[21753]:
> Password-protected archive (eicarpasswd.zip) in 2706D9685CD.A5BA0
> Jul 6 15:38:08 gateway MailScanner[21753]: Virus and
> Content Scanning: Starting
> Jul 6 15:38:08 gateway MailScanner[21753]: Commencing
> scanning by clamd...
From j.ede at birchenallhowden.co.uk Fri Jul 6 16:09:22 2007
From: j.ede at birchenallhowden.co.uk (Jason Ede)
Date: Fri Jul 6 16:09:43 2007
Subject: clamd configuration?
In-Reply-To: <00ea01c7bfdd$4160f7a0$0301a8c0@SAHOMELT>
References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com><468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com><00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT><00e101c7bfd8$417646a0$0301a8c0@SAHOMELT> <00ea01c7bfdd$4160f7a0$0301a8c0@SAHOMELT>
Message-ID:

The permissions were set to 640 IIRC...

Jason

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick Cooper
Sent: 06 July 2007 15:52
To: 'MailScanner discussion'
Subject: RE: clamd configuration?

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Jason Ede
> Sent: Friday, July 06, 2007 10:42 AM
> To: MailScanner discussion
> Subject: RE: clamd configuration?
>
>
> ClamAV was running as user clamav and group clamav
>
> The incoming work group parameter in mailscanner.conf is set
> to clamav
>
> the incoming dir is owned by user postfix group clamav
>
> If I set the clamd to being run as user root then it all
> seems to work quite happily and detects the test viruses as
> below... I'll use this setup for now I think.
>
> Jason

Remember to check the incoming work dir permissions, the default is (IIRC) 0600 so the clamav group would not be able to access it. (if, of course, you want to go back to using the clamav user/group)

Rick

>
> Jul 6 15:38:07 gateway MailScanner[21753]: Files hidden in
> very deeply nested archive in 0EC8D9685C2.D171D
> Jul 6 15:38:08 gateway MailScanner[21753]:
> Password-protected archive (eicarpasswdocr.zip) in 44B169685CE.1FA20
> Jul 6 15:38:08 gateway postfix/smtpd[21683]: connect from
> unknown[58.186.231.112]
> Jul 6 15:38:08 gateway MailScanner[21753]:
> Password-protected archive (eicarpasswd.zip) in 2706D9685CD.A5BA0
> Jul 6 15:38:08 gateway MailScanner[21753]: Virus and
> Content Scanning: Starting
> Jul 6 15:38:08 gateway MailScanner[21753]: Commencing
> scanning by clamd...
From donald.dawson at bakerbotts.com Fri Jul 6 16:30:43 2007
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Fri Jul 6 16:30:50 2007
Subject: FW: gofer (stock spam)
In-Reply-To: <468E56C6.2080508@USherbrooke.ca>
Message-ID:

thanks - I'll try it out. I'll reduce some of the scores (4 and over) so we don't affect our ham by accident.

Thanks,
Donald

Donald Dawson
Security Administrator
Baker Botts L.L.P.
713-229-2183

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Denis Beauchemin
Sent: Friday, July 06, 2007 9:51 AM
To: MailScanner discussion
Subject: Re: FW: gofer (stock spam)

donald.dawson@bakerbotts.com wrote:
> This may have already been addressed, but is there a released rule set
> or add-on that would help in identifying these type of stock spam
> emails?
>
> ...
> -----Original Message-----
> From: Nell B. Velasquez [mailto:cgl@vsnl.net]
> Sent: Thursday, July 05, 2007 9:43 AM
> To: Dawson, Donald
> Subject: gofer
>
>
> ERMX Continues To Expand As Stock Climbs Up 16.6%!
>
> EntreMetrix Inc. (ERMX)
> $0.21 UP 16.6%
>
> ERMX announced further expansion with K-9 Genetics. Healthy and Premium
> dog foods grossed $3.6 Billion in 2006, up from $1.9 billion in previous
> years. Read up on ERMX over the holiday, we think you will see even more
> fireworks on Thursday morning!
>

Donald,

I catch these with KAM: http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf

It is updated quite often (daily?).

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From itdept at fractalweb.com Fri Jul 6 16:56:07 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Fri Jul 6 16:56:32 2007
Subject: clamd configuration?
In-Reply-To:
References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com><468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com><00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> <00e101c7bfd8$417646a0$0301a8c0@SAHOMELT>
Message-ID: <468E6617.5080609@fractalweb.com>

Jason Ede wrote:
> ClamAV was running as user clamav and group clamav
>
> The incoming work group parameter in mailscanner.conf is set to clamav
>
> the incoming dir is owned by user postfix group clamav
>
> If I set the clamd to being run as user root then it all seems to work quite happily and detects the test viruses as below... I'll use this setup for now I think.
>

Jason,

In MailScanner.conf, did you also set this?

Incoming Work User = clamav
Incoming Work Group = clamav

This was what my system was missing. I had set the group and the permissions, but it was only when I set "Incoming Work User" to "clamav" that it started working as expected.

Hope this helps.

Chris

From KGoods at AIAInsurance.com Fri Jul 6 17:03:53 2007
From: KGoods at AIAInsurance.com (Ken Goods)
Date: Fri Jul 6 17:05:56 2007
Subject: Upgrade question
Message-ID: <13C0059880FDD3118DC600508B6D4A6D01C29487@aiainsurance.com>

I am upgrading from MS 4.51.6 to 4.61.7. At the same time I'd like to upgrade SA and ClamAV using Julian's script.

So far I've run the MS install script and it seemed to exit without error. I did not stop MailScanner prior to running the script so I assume 4.51.6 is still processing mail and appears to be doing so. Next I was going to run the SA-ClamAV install script but was wondering whether I should stop MailScanner first and also if I should remove the old versions of SA and Clam somehow. This is a production box and I really can't afford for it to be down too long. (I did make backups as instructed in the MAQ but they only apply to MS and not SA/Clam)

I've put off upgrading due to the horror stories I've been hearing on this and clam's list about Clam taking so much time to scan. I understand that this has been resolved for the most part by using the clammodule or clamd. Having never run it that way (I've always gone with the defaults) I'm not exactly sure how much work is involved. If I leave the Virus Scanners = auto setting alone will it automatically use the clammodule? Or do I need to tell it what to use? I also use Bit Defender, will the "auto" setting pick that up as well?

Is this documented somewhere? I've looked but I can't seem to find it. If it is, kindly point me in the right direction, I'm not afraid of reading. :)

Running Sendmail on Centos 4.3
Here's the output of MailScanner -V as it sits today (MailScanner has not been restarted since I ran the install script so 4.51.6 is still running)

[root@gw-mail install-Clam-0.90.3-SA-3.2.1]# MailScanner -V
Running on
Linux gw-mail 2.6.9-34.EL #1 Wed Mar 8 00:07:35 CST 2006 i686 i686 i386 GNU/Linux
This is CentOS release 4.3 (Final)
This is Perl version 5.008005 (5.8.5)

This is MailScanner version 4.61.7
Module versions are:
1.00 AnyDBM_File
1.16 Archive::Zip
1.03 Carp
1.119 Convert::BinHex
1.00 DirHandle
1.05 Fcntl
2.73 File::Basename
2.08 File::Copy
2.01 FileHandle
1.06 File::Path
0.14 File::Temp
0.90 Filesys::Df
1.35 HTML::Entities
3.56 HTML::Parser
2.37 HTML::TokeParser
1.21 IO
1.10 IO::File
1.123 IO::Pipe
1.71 Mail::Header
1.86 Math::BigInt
3.05 MIME::Base64
5.420 MIME::Decoder
5.420 MIME::Decoder::UU
5.420 MIME::Head
5.420 MIME::Parser
3.03 MIME::QuotedPrint
5.420 MIME::Tools
0.11 Net::CIDR
1.08 POSIX
1.14 Scalar::Util
1.77 Socket
1.4 Sys::Hostname::Long
0.18 Sys::Syslog
1.9707 Time::HiRes
1.02 Time::localtime

Optional module versions are:
1.26 Archive::Tar
0.21 bignum
1.74 Business::ISBN
missing Business::ISBN::Data
0.17 Convert::TNEF
missing Data::Dump
1.810 DB_File
1.13 DBD::SQLite
1.50 DBI
1.08 Digest
1.01 Digest::HMAC
2.33 Digest::MD5
2.10 Digest::SHA1
missing Encode::Detect
missing Error
missing ExtUtils::CBuilder
missing ExtUtils::ParseXS
0.44 Inline
1.06 IO::String
1.04 IO::Zlib
2.20 IP::Country
0.17 Mail::ClamAV
3.001001 Mail::SpamAssassin
missing Mail::SPF
1.997 Mail::SPF::Query
0.19 Math::BigRat
missing Module::Build
0.15 Net::CIDR::Lite
0.48 Net::DNS
missing Net::DNS::Resolver::Programmable
missing Net::LDAP
missing NetAddr::IP
1.94 Parse::RecDescent
missing SAVI
2.42 Test::Harness
0.95 Test::Manifest
1.95 Text::Balanced
1.35 URI
missing version
missing YAML
[root@gw-mail install-Clam-0.90.3-SA-3.2.1]#

TIA!

Kind regards,
Ken

Ken Goods
Network Administrator
CropUSA Insurance, Inc.
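Added example, not part of any message in this archive and not MailScanner or ClamAV code: a small model of the POSIX permission checks behind the three options Rick Cooper lists in the "clamd configuration?" thread above (run clamd as root, share a group with 0640, or use supplementary groups). It follows general POSIX rules only and does not reproduce ClamAV's own error handling; the owners, groups and modes are constructed sample values, and the group name `mtagroup`, the directory modes and the status labels are assumptions.

```python
"""Which identity can reach a file under MailScanner's incoming work dir?"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """One directory or file: path, owner, group and permission bits."""
    name: str
    owner: str
    group: str
    mode: int


@dataclass(frozen=True)
class Proc:
    """Identity the scanning daemon runs under."""
    user: str
    group: str                              # primary group
    supplementary: frozenset = frozenset()  # groups listed for the user
    loads_supplementary: bool = False       # models AllowSupplementaryGroups yes


def granted_bits(node, proc):
    """Return the rwx triplet that applies: owner, else group, else other.

    The first matching class wins, so an owner with no access does not
    fall back to the group bits. root bypasses the checks.
    """
    if proc.user == "root":
        return 0o7
    if proc.user == node.owner:
        return (node.mode >> 6) & 0o7
    groups = {proc.group}
    if proc.loads_supplementary:
        groups |= proc.supplementary
    if node.group in groups:
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7


def diagnose(dirs, leaf, proc):
    """Resolve the path component by component.

    lstat() on the file needs search (x) on every directory leading to it;
    opening the file to scan it also needs read (r) on the file itself.
    Returns (status, path_that_blocked).
    """
    for d in dirs:
        if not granted_bits(d, proc) & 0o1:
            return ("lstat-fails", d.name)
    if not granted_bits(leaf, proc) & 0o4:
        return ("open-denied", leaf.name)
    return ("ok", None)


BASE = "/var/spool/MailScanner/incoming"   # scan dir seen in the thread's log


def work_tree(owner, group, dir_mode, file_mode):
    """Constructed work tree: incoming/<batch>/<message>/<attachment>."""
    dirs = [Node(BASE, owner, group, dir_mode),
            Node(BASE + "/21753", owner, group, dir_mode),
            Node(BASE + "/21753/DBBC19685C1.AC916", owner, group, dir_mode)]
    leaf = Node(BASE + "/21753/DBBC19685C1.AC916/eicar.com.txt",
                owner, group, file_mode)
    return dirs, leaf


CLAMAV = Proc("clamav", "clamav")


def run_scenarios():
    """Evaluate each configuration discussed in the thread."""
    r = {}
    r["private_0600"] = diagnose(*work_tree("postfix", "postfix", 0o700, 0o600), CLAMAV)
    r["option1_root"] = diagnose(*work_tree("postfix", "postfix", 0o700, 0o600),
                                 Proc("root", "root"))
    r["option2_group_0640"] = diagnose(*work_tree("postfix", "clamav", 0o750, 0o640), CLAMAV)
    r["group_set_perms_0600"] = diagnose(*work_tree("postfix", "clamav", 0o700, 0o600), CLAMAV)
    r["dirs_ok_file_0600"] = diagnose(*work_tree("postfix", "clamav", 0o750, 0o600), CLAMAV)
    member = frozenset({"mtagroup"})
    tree = work_tree("postfix", "mtagroup", 0o750, 0o640)
    r["option3_not_loaded"] = diagnose(*tree, Proc("clamav", "clamav", member, False))
    r["option3_loaded"] = diagnose(*tree, Proc("clamav", "clamav", member, True))
    # One directory in the path left private is enough to block the scan.
    dirs, leaf = work_tree("postfix", "clamav", 0o750, 0o640)
    dirs[1] = Node(dirs[1].name, "postfix", "postfix", 0o700)
    r["one_private_dir"] = diagnose(dirs, leaf, CLAMAV)
    return r


if __name__ == "__main__":
    for name, (status, where) in run_scenarios().items():
        print(f"{name:22} {status:12} {where or ''}")
```

On a live system the same walk can be done by checking owner, group and mode of each path component from the spool directory down to a queued file.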
From KGoods at AIAInsurance.com Fri Jul 6 17:09:00 2007
From: KGoods at AIAInsurance.com (Ken Goods)
Date: Fri Jul 6 17:11:04 2007
Subject: Upgrade question, I should add....
Message-ID: <13C0059880FDD3118DC600508B6D4A6D01C29488@aiainsurance.com>

I have also edited MailScanner.conf.rpmnew after running upgrade_MailScanner_conf but haven't renamed them yet. It seems like it didn't pick up a bunch of my settings like it used to.... mostly where I used rules files instead of yes/no, is this typical?

Thanks again,
Ken

Ken Goods
Network Administrator
CropUSA Insurance, Inc.

From mrm at quantumcc.com Fri Jul 6 17:35:21 2007
From: mrm at quantumcc.com (Mike Masse)
Date: Fri Jul 6 17:35:49 2007
Subject: New support for clamd
In-Reply-To: <468D2640.5090304@ecs.soton.ac.uk>
References: <468A9333.1040702@i-centrix.com> <468D2640.5090304@ecs.soton.ac.uk>
Message-ID:

The default that was installed with the all in one installer: clamscan

The system has basically gone from averaging around 90% utilization since some of the last ClamAV upgrades to less than 2%. Approx 30k messages per server per day.

Mike

Julian Field wrote:
> What were you using before?
>
> Mike Masse wrote:
>> I recently updated our servers to clamd as well and have noticed a
>> huge drop in cpu utilization. Thanks!!
>>
>> Mike

From mrm at quantumcc.com Fri Jul 6 17:39:08 2007
From: mrm at quantumcc.com (Mike Masse)
Date: Fri Jul 6 17:40:06 2007
Subject: multiple mailscanners with milter-null
Message-ID:

I've seen Julian's suggestion to use Milter-null to combat backscatter and like the idea, but am curious if anyone knows if it's possible to work with different outgoing and incoming servers? I have 3 MailScanner servers in front of my message store servers. One of the MS machines is for outgoing, and the other two handle incoming with MX based load balancing. If the outgoing puts a hash in the header of the outgoing messages, will the incoming servers recognize the outgoing server's hashes?

Mike

From itdept at fractalweb.com Fri Jul 6 19:13:19 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Fri Jul 6 19:13:41 2007
Subject: multiple mailscanners with milter-null
In-Reply-To:
References:
Message-ID: <468E863F.5080209@fractalweb.com>

Mike Masse wrote:
> I've seen Julian's suggestion to use Milter-null to combat backscatter
> and like the idea, but am curious if anyone knows if it's possible to work
> with different outgoing and incoming servers? I have 3 MailScanner
> servers in front of my message store servers. One of the MS machines
> is for outgoing, and the other two handle incoming with MX based load
> balancing. If the outgoing puts a hash in the header of the outgoing
> messages, will the incoming servers recognize the outgoing server's
> hashes?

Mike,

My understanding is that as long as all of your servers have the same secret phrase listed for milter-null, then you should be okay.

Chris

From MailScanner at ecs.soton.ac.uk Fri Jul 6 19:50:38 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 6 19:53:19 2007
Subject: Upgrade question
In-Reply-To: <13C0059880FDD3118DC600508B6D4A6D01C29487@aiainsurance.com>
References: <13C0059880FDD3118DC600508B6D4A6D01C29487@aiainsurance.com>
Message-ID: <468E8EFE.2070907@ecs.soton.ac.uk>

Ken Goods wrote:
> I am upgrading from MS 4.51.6 to 4.61.7. At the same time I'd like to
> upgrade SA and ClamAV using Julian's script.
>
> So far I've run the MS install script and it seemed to exit without
> error. I did not stop MailScanner prior to running the script so I
> assume 4.51.6 is still processing mail and appears to be doing so.
> Next I was going to run the SA-ClamAV install script but was wondering
> whether I should stop MailScanner first and also if I should remove
> the old versions of SA and Clam somehow. This is a production box and
> I really can't afford for it to be down too long. (I did make backups
> as instructed in the MAQ but they only apply to MS and not SA/Clam)

You don't need to remove the old SA and Clam, so long as your previous versions were installed by my script as well. The new versions will be installed over the top of your previous ones.

It's not essential to stop MailScanner first, if you use some other virus scanner as well. Otherwise there may be a short period in which ClamAV is not completely up to date. You could just shutdown MailScanner and leave the sendmail processes running. Try doing this

    service MailScanner stopms

and if that does not work then

    service MailScanner stop
    service MailScanner startin
    service MailScanner startout

and mail will just build up in the mqueue.in (the inbound queue).

> I've put off upgrading due to the horror stories I've been hearing on
> this and clam's list about Clam taking so much time to scan.

The new version of ClamAV takes a very long time to start up, while it loads its virus signatures. So I would advise you to use clamavmodule or clamd (clamavmodule is easier to set up as you don't have to worry about permissions at all). Using clamavmodule means it will take an age to do the "starting child process" stage, but will then work nice and fast. Using clamd means you will need an init.d script for it and so on, so if you want to do this then I would recommend you install ClamAV from the RPMs at dag.wieers.com. The latest versions of my ClamAV+SA package ask if you want it to install ClamAV (which you obviously don't want to do if you installed it from RPM from Dag's archive). Then the long startup delay will be when clamd starts up, not MailScanner.

> I understand that this has been resolved for the most part by using
> the clammodule or clamd. Having never run it that way (I've always
> gone with the defaults) I'm not exactly sure how much work is
> involved. If I leave the Virus Scanners = auto setting alone will it
> automatically use the clammodule?

If it's installed, then yes. But if it finds clamd running then "auto" will try to use that instead.

> Or do I need to tell it what to use? I also use Bit Defender, will the
> "auto" setting pick that up as well?

Yes. The command

    MailScanner --lint

will tell you what virus scanners it has found, and hence what it will use if you use "auto". Personally I would advise you specify exactly which scanners to use, so there's no chance of confusion.

> Is this documented somewhere? I've looked but I can't seem to find it.
> If it is, kindly point me in the right direction, I'm not afraid of
> reading. :)

The problems with Clam are temporary and will go away in the next version.
>
> Running Sendmail on Centos 4.3
> Here's the output of MailScanner -V as it sits today (MailScanner has
> not been restarted since I ran the install script so 4.51.6 is still
> running)

You need to update to the new version of SpamAssassin as well, best done using my ClamAV+SA package (in which ClamAV is an optional install choice when you run it).

Hope that's enough answers to get you started. If you are feeling rich and want me to do it for you, then get in touch off list. Or even if you just want me to do a quick sanity check of your setup for you, which shouldn't take more than half an hour or so.

Jules

From MailScanner at ecs.soton.ac.uk Fri Jul 6 19:53:37 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 6 19:56:07 2007
Subject: Upgrade question, I should add....
In-Reply-To: <13C0059880FDD3118DC600508B6D4A6D01C29488@aiainsurance.com>
References: <13C0059880FDD3118DC600508B6D4A6D01C29488@aiainsurance.com>
Message-ID: <468E8FB1.9080508@ecs.soton.ac.uk>

Ken Goods wrote:
> I have also edited MailScanner.conf.rpmnew after running
> upgrade_MailScanner_conf but haven't renamed them yet. It seems like it
> didn't pick up a bunch of my settings like it used to.... mostly where I
> used rules files instead of yes/no, is this typical?
>
upgrade_MailScanner_conf *reads* the ".rpmnew" file but doesn't write to
it. If you follow the instructions you get when you run the command, it
will generate a "MailScanner.new" file. This will copy over all your
ruleset settings as well, for definite. You don't want to edit the
.rpmnew file directly yourself, it's used as the template for the new
MailScanner.new file which you then rename to MailScanner.conf as guided
by the upgrade_MailScanner_conf script.

And don't forget its brother upgrade_languages_conf as well, there might
be more added in there too!

Jules

From MailScanner at ecs.soton.ac.uk Fri Jul 6 19:58:23 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 6 20:02:20 2007
Subject: multiple mailscanners with milter-null
In-Reply-To:
References:
Message-ID: <468E90CF.7040109@ecs.soton.ac.uk>

Mike Masse wrote:
> I've seen Julian's suggestion to use Milter-null to combat backscatter
> and like the idea,
We are looking at a second revision (patent-safe this time) of
incorporating this into MailScanner itself, so you don't need milter-null
or equivalent.
> but am curious whether anyone knows if it's possible to work with different
> outgoing and incoming servers?
Dead easy. Just run it on both servers and make sure the secret is the
same. I use the same milter-null.cf on each server.
> I have 3 MailScanner servers in front of my message store
> servers. One of the MS machines is for outgoing, and the other two
> handle incoming with MX based load balancing. If the outgoing puts a
> hash in the header of the outgoing messages, will the incoming
> servers recognize the outgoing server's hashes?
Yes, just use the same secret on them all.

Jules

From KGoods at AIAInsurance.com Fri Jul 6 20:27:24 2007
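The shared-secret point from the milter-null reply above, as an added sketch that is not part of any list message and is not milter-null's own code or header format. The header name, the use of HMAC-SHA256, the signed fields and the sample messages are all assumptions constructed for illustration.

```python
"""Added illustration: relays that share one secret can verify each other's tags."""
import hashlib
import hmac
from email import message_from_string

TAG_HEADER = "X-Example-Origin-Tag"           # hypothetical header name
SHARED_SECRET = b"constructed-demo-secret"    # same value on every relay
OTHER_SECRET = b"relay-with-a-different-secret"

# Constructed sample message as submitted to the outgoing relay.
OUTGOING = (
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Message-ID: <20070706.1@out.example.org>\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)


def _norm(value) -> str:
    """Collapse folding whitespace so both relays hash identical bytes."""
    return " ".join(str(value).split())


def make_tag(secret: bytes, message_id: str, sender: str) -> str:
    """Keyed hash over fields the outgoing relay knows when it sends the mail."""
    material = f"{_norm(message_id)}\n{_norm(sender).lower()}".encode()
    return hmac.new(secret, material, hashlib.sha256).hexdigest()


def tag_outgoing(secret: bytes, raw_message: str) -> str:
    """Outgoing relay: stamp the message before it leaves."""
    msg = message_from_string(raw_message)
    del msg[TAG_HEADER]  # drop any tag supplied by the client
    msg[TAG_HEADER] = make_tag(secret, msg["Message-ID"], msg["From"])
    return msg.as_string()


def bounce_refers_to_our_mail(secret: bytes, returned_headers: str) -> bool:
    """Incoming relay: check the original headers quoted inside a bounce."""
    original = message_from_string(returned_headers)
    tag = original[TAG_HEADER]
    if tag is None or original["Message-ID"] is None or original["From"] is None:
        return False  # never passed through a tagging relay
    expected = make_tag(secret, original["Message-ID"], original["From"])
    supplied = "".join(str(tag).split())
    return hmac.compare_digest(supplied.encode("utf-8", "replace"),
                               expected.encode("ascii"))


def demo() -> dict:
    sent = tag_outgoing(SHARED_SECRET, OUTGOING)
    # Same tag copied onto headers with a different Message-ID.
    replayed = sent.replace("<20070706.1@out.example.org>",
                            "<spoofed@elsewhere.example>")
    return {
        "incoming_relay_same_secret": bounce_refers_to_our_mail(SHARED_SECRET, sent),
        "incoming_relay_wrong_secret": bounce_refers_to_our_mail(OTHER_SECRET, sent),
        "untagged_backscatter": bounce_refers_to_our_mail(SHARED_SECRET, OUTGOING),
        "tag_replayed_on_other_id": bounce_refers_to_our_mail(SHARED_SECRET, replayed),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

Only the relay holding the same secret accepts the returned headers, which is why the configuration has to carry an identical secret on the outgoing host and on both MX hosts.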
From: KGoods at AIAInsurance.com (Ken Goods)
Date: Fri Jul 6 20:29:30 2007
Subject: Upgrade question
Message-ID: <13C0059880FDD3118DC600508B6D4A6D01C29489@aiainsurance.com>

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Ken Goods wrote:
>> I am upgrading from MS 4.51.6 to 4.61.7. At the same time I'd like to
>> upgrade SA and ClamAV using Julian's script.
>>
>> So far I've run the MS install script and it seemed to exit without
>> error. I did not stop MailScanner prior to running the script so I
>> assume 4.51.6 is still processing mail and appears to be doing so.
>> Next I was going to run the SA-ClamAV install script but was
>> wondering whether I should stop MailScanner first and also if I
>> should remove the old versions of SA and Clam somehow. This is a
>> production box and I really can't afford for it to be down too long.
>> (I did make backups as instructed in the MAQ but they only apply to
>> MS and not SA/Clam)
> You don't need to remove the old SA and Clam, so long as your previous
> versions were installed by my script as well. The new versions will be
> installed over the top of your previous ones.
>
> It's not essential to stop MailScanner first, if you use some other
> virus scanner as well. Otherwise there may be a short period in which
> ClamAV is not completely up to date. You could just shutdown
> MailScanner and leave the sendmail processes running. Try doing this
> service MailScanner stopms
> and if that does not work then
> service MailScanner stop
> service MailScanner startin
> service MailScanner startout
> and mail will just build up in the mqueue.in (the inbound queue).
>
>> I've put off upgrading due to the horror stories I've been hearing on
>> this and clam's list about Clam taking so much time to scan.
> The new version of ClamAV takes a very long time to start up, while it
> loads its virus signatures. So I would advise you to use clamavmodule
> or clamd (clamavmodule is easier to set up as you don't have to worry
> about permissions at all). Using clamavmodule means it will take an
> age to do the "starting child process" stage, but will then work nice
> and fast. Using clamd means you will need an init.d script for it and
> so on, so if you want to do this then I would recommend you install
> ClamAV from the RPMs at dag.wieers.com. The latest versions of my
> ClamAV+SA package ask if you want it to install ClamAV (which you
> obviously don't want to do
> if you installed it from RPM from Dag's archive). Then the long
> startup delay will be when clamd starts up, not MailScanner.
>
>> I understand that this has been resolved for the most part by using
>> the clammodule or clamd. Having never run it that way (I've always
>> gone with the defaults) I'm not exactly sure how much work is
>> involved. If I leave the Virus Scanners = auto setting alone will it
>> automatically use the clammodule?
> If it's installed, then yes. But if it finds clamd running then "auto"
> will try to use that instead.
>> Or do I need to tell it what to use? I also use Bit Defender, will
>> the "auto" setting pick that up as well?
> Yes. The command
> MailScanner --lint
> will tell you what virus scanners it has found, and hence what it will
> use if you use "auto". Personally I would advise you specify exactly
> which scanners to use, so there's no chance of confusion.
>
>> Is this documented somewhere? I've looked but I can't seem to find
>> it. If it is, kindly point me in the right direction, I'm not afraid
>> of reading. :)
> The problems with Clam are temporary and will go away in the next
> version.
>>
>> Running Sendmail on Centos 4.3
>> Here's the output of MailScanner -V as it sits today (MailScanner has
>> not been restarted since I ran the install script so 4.51.6 is still
>> running)
>>
>> [root@gw-mail install-Clam-0.90.3-SA-3.2.1]# MailScanner -V
>> Running on
>> Linux gw-mail 2.6.9-34.EL #1 Wed Mar 8 00:07:35 CST 2006 i686 i686
>> i386 GNU/Linux This is CentOS release 4.3 (Final)
>> This is Perl version 5.008005 (5.8.5)
>>
>> This is MailScanner version 4.61.7
>> Module versions are:
>> 1.00 AnyDBM_File
>> 1.16 Archive::Zip
>> 1.03 Carp
>> 1.119 Convert::BinHex
>> 1.00 DirHandle
>> 1.05 Fcntl
>> 2.73 File::Basename
>> 2.08 File::Copy
>> 2.01 FileHandle
>> 1.06 File::Path
>> 0.14 File::Temp
>> 0.90 Filesys::Df
>> 1.35 HTML::Entities
>> 3.56 HTML::Parser
>> 2.37 HTML::TokeParser
>> 1.21 IO
>> 1.10 IO::File
>> 1.123 IO::Pipe
>> 1.71 Mail::Header
>> 1.86 Math::BigInt
>> 3.05 MIME::Base64
>> 5.420 MIME::Decoder
>> 5.420 MIME::Decoder::UU
>> 5.420 MIME::Head
>> 5.420 MIME::Parser
>> 3.03 MIME::QuotedPrint
>> 5.420 MIME::Tools
>> 0.11 Net::CIDR
>> 1.08 POSIX
>> 1.14 Scalar::Util
>> 1.77 Socket
>> 1.4 Sys::Hostname::Long
>> 0.18 Sys::Syslog
>> 1.9707 Time::HiRes
>> 1.02 Time::localtime
>>
>> Optional module versions are:
>> 1.26 Archive::Tar
>> 0.21 bignum
>> 1.74 Business::ISBN
>> missing Business::ISBN::Data
>> 0.17 Convert::TNEF
>> missing Data::Dump
>> 1.810 DB_File
>> 1.13 DBD::SQLite
>> 1.50 DBI
>> 1.08 Digest
>> 1.01 Digest::HMAC
>> 2.33 Digest::MD5
>> 2.10 Digest::SHA1
>> missing Encode::Detect
>> missing Error
>> missing ExtUtils::CBuilder
>> missing ExtUtils::ParseXS
>> 0.44 Inline
>> 1.06 IO::String
>> 1.04 IO::Zlib
>> 2.20 IP::Country
>> 0.17 Mail::ClamAV
>> 3.001001 Mail::SpamAssassin
>> missing Mail::SPF
>> 1.997 Mail::SPF::Query
>> 0.19 Math::BigRat
>> missing Module::Build
>> 0.15 Net::CIDR::Lite
>> 0.48 Net::DNS
>> missing Net::DNS::Resolver::Programmable
>> missing Net::LDAP
>> missing NetAddr::IP
>> 1.94 Parse::RecDescent
>> missing SAVI
>> 2.42 Test::Harness
>> 0.95 Test::Manifest
>> 1.95 Text::Balanced
>> 1.35 URI
>> missing version
>> missing YAML
>> [root@gw-mail install-Clam-0.90.3-SA-3.2.1]#
> You need to update to the new version of SpamAssassin as well, best
> done using my ClamAV+SA package (in which ClamAV is an optional
> install
> choice when you run it).
>
> Hope that's enough answers to get you started. If you are feeling rich
> and want me to do it for you, then get in touch off list. Or even if
> you just want me to do a quick sanity check of your setup for you,
> which shouldn't take more than half an hour or so.
>
> Jules
>

Jules,
Thanks so much for this clear explanation of the upgrade process. I really
wish I could talk the powers that be into sending some money your way but
things are a little tight... I do it personally but due to things being
tight here I don't have any extra to spend either (excrement does run
downhill after all huh? :))

I will talk them into sending a donation soon though. I let them know all
the time how much we've saved by using your excellent software. They are
aware and I keep dropping hints. Pretty soon this squeaky wheel is going to
get greased! :)

Back to the subject... I started installing SA and ClamAV by hand but once
I discovered your install package I've been using it ever since. It just
plain works and works well! I don't foresee any problems with what you have
outlined above. Thanks again for your time to explain this. It's been so
long that I had forgotten how easy it was. ;)

Take care and I hope you're feeling better and better.

Kind regards,
Ken

Ken Goods
Network Administrator
CropUSA Insurance, Inc.

From KGoods at AIAInsurance.com Fri Jul 6 20:30:17 2007
From: KGoods at AIAInsurance.com (Ken Goods)
Date: Fri Jul 6 20:32:20 2007
Subject: Upgrade question, I should add....
Message-ID: <13C0059880FDD3118DC600508B6D4A6D01C2948A@aiainsurance.com>

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Ken Goods wrote:
>> I have also edited MailScanner.conf.rpmnew after running
>> upgrade_MailScanner_conf but haven't renamed them yet. It seems like
>> it didn't pick up a bunch of my settings like it used to.... mostly
>> where I used rules files instead of yes/no, is this typical?
>>
> upgrade_MailScanner_conf *reads* the ".rpmnew" file but doesn't write
> to it. If you follow the instructions you get when you run the
> command, it will generate a "MailScanner.new" file. This will copy
> over all your ruleset settings as well, for definite. You don't want
> to edit the .rpmnew file directly yourself, it's used as the template
> for the new MailScanner.new file which you then rename to
> MailScanner.conf as guided by the upgrade_MailScanner_conf script.
>
> And don't forget its brother upgrade_languages_conf as well, there
> might be more added in there too!
>
> Jules

Duh... knock to the head. Like I said before, it's been so long since I've
upgraded that I forgot how easy all this is thanks to you!

Thanks again Jules.. you're the best!

Ken Goods
Network Administrator
CropUSA Insurance, Inc.

From raymond at prolocation.net Fri Jul 6 21:09:52 2007
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Fri Jul 6 21:09:50 2007
Subject: clamd configuration?
In-Reply-To: <468E6617.5080609@fractalweb.com>
References: <468AAB5B.7010101@fractalweb.com><468AAE0D.3020103@i-centrix.com><468ADA41.4010307@fractalweb.com><06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT><468B0B2E.8080201@fractalweb.com><00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> <00e101c7bfd8$417646a0$0301a8c0@SAHOMELT> <468E6617.5080609@fractalweb.com>
Message-ID:

Hi!

> In MailScanner.conf, did you also set this?
>
> Incoming Work User = clamav
> Incoming Work Group = clamav
>
> This was what my system was missing. I had set the group and the permissions,
> but it was only when I set "Incoming Work User" to "clamav" that it started
> working as expected.

I fixed it the other way around, just let clamd run as user (in our
scenario) exim. Was more or less easier to do. Just my 2 cents.

Bye,
Raymond.

From glenn.steen at gmail.com Fri Jul 6 21:29:30 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 6 21:29:31 2007
Subject: clamd configuration?
In-Reply-To:
References: <468AAB5B.7010101@fractalweb.com> <06bb01c7bdcb$c0ac3330$0301a8c0@SAHOMELT> <468B0B2E.8080201@fractalweb.com> <00ab01c7bfbf$73fbf7a0$0301a8c0@SAHOMELT> <00e101c7bfd8$417646a0$0301a8c0@SAHOMELT> <468E6617.5080609@fractalweb.com>
Message-ID: <223f97700707061329l32750005u61ad3fce946d5477@mail.gmail.com>

On 06/07/07, Raymond Dijkxhoorn wrote:
> Hi!
>
> > In MailScanner.conf, did you also set this?
> >
> > Incoming Work User = clamav
> > Incoming Work Group = clamav
> >
> > This was what my system was missing. I had set the group and the permissions,
> > but it was only when I set "Incoming Work User" to "clamav" that it started
> > working as expected.
>
> I fixed it the other way around, just let clamd run as user (in our
> scenario) exim. Was more or less easier to do. Just my 2 cents.
>
> Bye,
> Raymond.

Yep, it'd likely be easiest to run clamd as user/group postfix (with
appropriate settings in MailScanner.conf, of course). I'd opt for that...
As is, I'll live with clamavmodule until after the vacation:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Fri Jul 6 21:39:33 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 6 21:43:04 2007
Subject: I was bored this afternoon...
Message-ID: <468EA885.8030301@ecs.soton.ac.uk>

Download
http://www.mailscanner.info/files/4/tar/MailScanner-install-4.62.1-2.tar.gz
and take a look at the Perl source code in lib/MailScanner/*.pm

It should work just fine.

Hey, I was bored... :-)

Jules

From MailScanner at ecs.soton.ac.uk Fri Jul 6 22:11:38 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 6 22:15:00 2007
Subject: Upgrade question
In-Reply-To: <13C0059880FDD3118DC600508B6D4A6D01C29489@aiainsurance.com>
References: <13C0059880FDD3118DC600508B6D4A6D01C29489@aiainsurance.com>
Message-ID: <468EB00A.8010606@ecs.soton.ac.uk>

Ken Goods wrote:
> Jules,
> Thanks so much for this clear explanation of the upgrade process. I really
> wish I could talk the powers that be into sending some money your way but
> things are a little tight...
If it would help if I did a bit of work for you, then I can easily
arrange that.
> I will talk them into sending a donation soon though. I let them know all
> the time how much we've saved by using your excellent software. They are
> aware and I keep dropping hints. Pretty soon this squeaky wheel is going to
> get greased! :)
>
Cheers.
> Take care and I hope you're feeling better and better.
>
Well, I have survived my first week back at work pretty well. I don't
feel completely exhausted either, which is good. I've been taking it
easy, slowly finding things to do, letting everyone else continue doing
all the jobs they took over while I was away. Most of it seemed to be
ordering myself some new toys and a sofa for my office :-)

Jules

From mkettler at evi-inc.com Fri Jul 6 23:52:20 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Jul 6 23:53:28 2007
Subject: I was bored this afternoon...
In-Reply-To: <468EA885.8030301@ecs.soton.ac.uk>
References: <468EA885.8030301@ecs.soton.ac.uk>
Message-ID: <468EC7A4.5050105@evi-inc.com>

Julian Field wrote:
> Download
>
> http://www.mailscanner.info/files/4/tar/MailScanner-install-4.62.1-2.tar.gz
> and take a look at the Perl source code in lib/MailScanner/*.pm
>
> It should work just fine.
>
> Hey, I was bored... :-)

Hey, if you're so bored.. update your Amazon wishlist, it's down to 4 items!

From jayesha_shinde at yahoo.com Sat Jul 7 09:58:21 2007
From: jayesha_shinde at yahoo.com (jayesh shinde)
Date: Sat Jul 7 09:58:24 2007
Subject: filename extension problem
Message-ID: <89658.92325.qm@web54403.mail.yahoo.com>

Hi Hugo van der Kooij,

My problem is solved. I did exactly what you specified in your mail, and
the ruleset is also working.

Many Thanks & Regards
Jayesh Shinde

On Thu, 2007-07-05 at 12:41, jayesh shinde wrote:
> Dear All,
> I have one query, I am using MailScanner version
> 4.34.8 on FC2 with sendmail. Some of my users are sending their email
> with attachments with double or multiple extension ( Ex:--
> my.com.location.doc)
> When it goes through MailScanner for scanning
> attachment, it gives me the following error as :--
>
> #####
> At Fri Jun 29 18:00:56 2007 the virus scanner said:
> MailScanner: Attempt to hide real filename extension
> (my.com.location.doc)
> ######
>>filename.rules.conf contains this line :-
>># Deny all other double file extensions. This catches any hidden
>>filenames.
>>deny \.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$ Found possible filename hiding Attempt to hide real filename extension
>>This blocks any filename ending with a two or 3 character extension
>>followed by a 3 character extension. I can't see how this would block
>>the specific example you gave though.
>>I am not running the very latest version of mailscanner though so
>>perhaps yours has been updated.
> My queries are :--
> 1) Is there any way to bypass above such multiple extension mail
> through MailScanner. If yes then where should I define this ruleset &
> how to write this rule for
> single user.
Just remove the section in the file mentioned above.
> 2) If I bypass the above such multiple extension attachment, will it
> affect the block extension list ( define under
> /etc/MailScanner/filename.rules.conf )

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070707/20caaef4/attachment.html

From shuttlebox at gmail.com Sat Jul 7 11:45:34 2007
From: shuttlebox at gmail.com (shuttlebox)
Date: Sat Jul 7 11:45:38 2007
Subject: I was bored this afternoon...
In-Reply-To: <468EA885.8030301@ecs.soton.ac.uk>
References: <468EA885.8030301@ecs.soton.ac.uk>
Message-ID: <625385e30707070345x648e9706nab9bed0e9d756b5d@mail.gmail.com>

On 7/6/07, Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Download
>
> http://www.mailscanner.info/files/4/tar/MailScanner-install-4.62.1-2.tar.gz
> and take a look at the Perl source code in lib/MailScanner/*.pm
>
> It should work just fine.
>
> Hey, I was bored... :-)
>
> Jules

I'm at home and can't try the new beta but read the change log that
said the installers are improved. How so?

--
/peter

From glenn.steen at gmail.com Sat Jul 7 13:33:59 2007
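The double-extension rule quoted in the "filename extension problem" message above, exercised against constructed filenames. This is an added example, not part of any list message and not MailScanner code: the tab-separated four-field rule layout, case-insensitive matching and first-match-wins order are assumptions, and Python's `re` stands in for Perl's regex engine.

```python
"""Added illustration: what the quoted double-extension deny rule does and does not match."""
import re

# The rule from the thread, written as one tab-separated line:
# action, regular expression, log text, text reported to the user.
RULE_LINE = (
    "deny\t"
    r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$" "\t"
    "Found possible filename hiding\t"
    "Attempt to hide real filename extension"
)

# Constructed attachment names; the first is the one from the thread.
SAMPLES = [
    "my.com.location.doc",   # inner ".location" is 8 characters
    "my.com.doc",            # 3-character inner extension
    "invoice.pdf.exe",
    "holiday.jpeg.scr",      # 4-character inner extension
    "report.doc   .exe",     # padding between the two extensions
    "PHOTO.JPG.EXE",
    "backup.tar.gz",         # final extension is only 2 characters
    "minutes.2007.doc",      # inner part starts with a digit
    "notes.v2.txt",          # inner part is only 2 characters
]


def parse_rule(line: str):
    """Split one rule line into (action, compiled regex, log text, report text)."""
    action, pattern, log_text, report_text = line.rstrip("\n").split("\t")
    # Assumption: filename rules are matched without regard to case.
    return action.lower(), re.compile(pattern, re.IGNORECASE), log_text, report_text


def check(filename: str, rules):
    """Return (action, report text) of the first matching rule, else allow."""
    for action, regex, _log_text, report_text in rules:
        if regex.search(filename):
            return action, report_text
    return "allow", ""


def matched_suffix(filename: str, rules):
    """Show which part of the name triggered the rule (None if nothing did)."""
    for _action, regex, _log_text, _report in rules:
        hit = regex.search(filename)
        if hit:
            return hit.group(0)
    return None


def classify_all(names=SAMPLES):
    rules = [parse_rule(RULE_LINE)]
    return {name: check(name, rules)[0] for name in names}


if __name__ == "__main__":
    rules = [parse_rule(RULE_LINE)]
    for name, verdict in classify_all().items():
        print(f"{verdict:5}  {name!r:24} matched={matched_suffix(name, rules)!r}")
```

The inner extension has to be a letter followed by two or three letters or digits, so this particular pattern does not fire on `my.com.location.doc`; a rejection of that name would have to come from a different rule in the installed file.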
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Jul 7 13:34:01 2007
Subject: I was bored this afternoon...
In-Reply-To: <625385e30707070345x648e9706nab9bed0e9d756b5d@mail.gmail.com>
References: <468EA885.8030301@ecs.soton.ac.uk> <625385e30707070345x648e9706nab9bed0e9d756b5d@mail.gmail.com>
Message-ID: <223f97700707070533r49699f46q607f8b9fc0d4204@mail.gmail.com>

On 07/07/07, shuttlebox wrote:
> On 7/6/07, Julian Field wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Download
> >
> > http://www.mailscanner.info/files/4/tar/MailScanner-install-4.62.1-2.tar.gz
> > and take a look at the Perl source code in lib/MailScanner/*.pm
> >
> > It should work just fine.
> >
> > Hey, I was bored... :-)
> >
> > Jules
>
> I'm at home and can't try the new beta but read the change log that
> said the installers are improved. How so?
>
We really shouldn't do this Peter.... If it's vacation, it's
vacation... Even if it's raining:-)

Tjena
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Sat Jul 7 13:37:04 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Jul 7 13:41:32 2007
Subject: I was bored this afternoon...
In-Reply-To: <625385e30707070345x648e9706nab9bed0e9d756b5d@mail.gmail.com>
References: <468EA885.8030301@ecs.soton.ac.uk> <625385e30707070345x648e9706nab9bed0e9d756b5d@mail.gmail.com>
Message-ID: <468F88F0.9010709@ecs.soton.ac.uk>

shuttlebox wrote:
> On 7/6/07, Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Download
>>
>> http://www.mailscanner.info/files/4/tar/MailScanner-install-4.62.1-2.tar.gz
>>
>> and take a look at the Perl source code in lib/MailScanner/*.pm
>>
>> It should work just fine.
>>
>> Hey, I was bored... :-)
>>
>> Jules
>
> I'm at home and can't try the new beta but read the change log that
> said the installers are improved. How so?
They should detect some of the modules better if they are already
installed. Should make upgrades a bit quicker.

Jules

From shuttlebox at gmail.com Sat Jul 7 13:45:28 2007
From: shuttlebox at gmail.com (shuttlebox)
Date: Sat Jul 7 13:45:30 2007
Subject: I was bored this afternoon...
In-Reply-To: <223f97700707070533r49699f46q607f8b9fc0d4204@mail.gmail.com>
References: <468EA885.8030301@ecs.soton.ac.uk> <625385e30707070345x648e9706nab9bed0e9d756b5d@mail.gmail.com> <223f97700707070533r49699f46q607f8b9fc0d4204@mail.gmail.com>
Message-ID: <625385e30707070545j53aa78dbx88f468c5c4d9259f@mail.gmail.com>

On 7/7/07, Glenn Steen wrote:
> We really shouldn't do this Peter.... If it's vacation, it's
> vacation... Even if it's raining:-)

I'm not on vacation yet. Broke four bones riding my racing motorcycle
four weeks ago so I'm getting cab rides to work so not to spend
vacation days in a cast. :-)

--
/peter

From gordon at itnt.co.za Sat Jul 7 19:24:04 2007
From: gordon at itnt.co.za (Gordon Colyn)
Date: Sat Jul 7 19:24:21 2007
Subject: Feature request
Message-ID: <004301c7c0c4$00676e90$6403a8c0@gordon>

-] ITNT [-Any way you can create a process to deliver very large mails for
specific domains at a different time or place in a different sendmail queue
that can be triggered to allow for delivery after hours?

Thanks

Gordon Colyn
083 296 7534
011 792 5990
InTheNet Technologies
www.itnt.co.za
MSN: gordoncolyn@hotmail.com
SKYPE: gordoncolyn

From MailScanner at ecs.soton.ac.uk Sat Jul 7 19:42:20 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Jul 7 19:44:51 2007
Subject: Feature request
In-Reply-To: <004301c7c0c4$00676e90$6403a8c0@gordon>
References: <004301c7c0c4$00676e90$6403a8c0@gordon>
Message-ID: <468FDE8C.2070108@ecs.soton.ac.uk>

Yes, you can do this. You just need to create a ruleset (or Custom
Function) to produce a different "Outgoing Queue Dir" for different
messages.

Then you can use the "Delivery Method = batch" for messages you want
delivering immediately, and "Delivery Method = queue" for messages you
want to deliver under the control of a different program. Again, you do
this by applying a ruleset or Custom Function to the conf setting
"Delivery Method".

If you use "Delivery Method = queue" for a message, MailScanner will just
put the message in the outgoing queue ready to be delivered, but won't
actually tell sendmail to do anything with it. "Delivery Method = batch"
does the same, but also tells sendmail to immediately attempt to deliver
the message.

Rulesets and Custom Functions are all explained in the book. There are
many examples of Rulesets in the book and the wiki (and in the mailing
list archives) and there are examples of Custom Functions in the book and
in the directory "/usr/lib/MailScanner/MailScanner/CustomFunctions" on
your MailScanner server.

Hope that helps get you started,
Jules.

P.S. For a fee, I will write the code for you if you know what you want
to do. Or I can write enough of it to get you going if you aren't quite
sure yet what you want to do. Unfortunately I can't afford to give away
my programming effort for free (other than in MailScanner itself, of
course! :-)

Gordon Colyn wrote:
> -] ITNT [-Any way you can create a process to deliver very large mails for
> specific domains at a different time or place in a different sendmail queue
> that can be triggered to allow for delivery after hours?
>
>
>
> Thanks
>
> Gordon Colyn
> 083 296 7534
> 011 792 5990
> InTheNet Technologies
> www.itnt.co.za
> MSN: gordoncolyn@hotmail.com
> SKYPE: gordoncolyn
>
>

Jules

From micoots at yahoo.com Sun Jul 8 04:44:15 2007
From: micoots at yahoo.com (Michael Mansour)
Date: Sun Jul 8 04:44:18 2007
Subject: Mailscanner and Virtualmin
In-Reply-To: <468D510F.6090106@fractalweb.com>
Message-ID: <174201.58260.qm@web33312.mail.mud.yahoo.com>

Hi guys,

Chris Yuzik wrote:
Johnny Stork wrote:
> I thought I would try out virtualmin to manage a few locally hosted
> sites but have noticed that within the VirtualMin interface in Webmin,
> on my gateway mail server running MailScanner, the "Start Mailserver"
> and "Start Dovecot" buttons are crossed out indicating that VM does not
> appear to "see" mailscanner? Does anyone have any experience setting up
> VM on a machine running Mailscanner?

We've played around with Virtualmin, and it's fine with MailScanner,
although it doesn't seem to "see" MailScanner and does think that the
mail server is down. Aside from that, everything is okay.

I use Virtualmin GPL and Virtualmin Pro with MailScanner and have been
for years. There's no such thing as "MailScanner support in Virtualmin",
since Virtualmin only checks whether sendmail is running or not. But it
doesn't matter, MailScanner works, Virtualmin works, Virtualmin does not
need to interact with MailScanner since they both do different things.

Regards,
Michael.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070708/d40e00fa/attachment.html

From j.ede at birchenallhowden.co.uk Sun Jul 8 08:04:45 2007
From: j.ede at birchenallhowden.co.uk (Jason Ede)
Date: Sun Jul 8 08:05:06 2007
Subject: Off-topic RDJ not working properly since DOS a few weeks back
Message-ID:

Ok, I know this is slightly off-topic, but has anyone else had problems
with Rules_du_jour since the DDOS against sare and spamhaus a few weeks
back?

It runs fine when run manually, but when it runs overnight automatically
it fails to download at least one of the rulesets and then gets stuck as
below...

***WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is: mv -f /etc/mail/spamassassin/70_sare_evilnum0.cf /etc/mail/spamassassin/RulesDuJour/70_sare_evilnum0.cf.2; mv -f /etc/mail/spamassassin/RulesDuJour/70_sare_evilnum0.cf.20070708-0456 /etc/mail/spamassassin/70_sare_evilnum0.cf;

Lint output: [12337] warn: config: failed to parse line, skipping:
[12337] warn: config: failed to parse line, skipping:
[12337] warn: config: failed to parse line, skipping:
[12337] warn: config: failed to parse line, skipping:
[12337] warn: lint: 4 issues detected, please rerun with debug enabled for more information

The really odd thing is that it always seems to get stuck on the first of
the rule sets (was tripwire, now evilnumbers!)

Jason

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070708/46696a8e/attachment.html

From csaba at linuxforum.hu Sun Jul 8 08:10:47 2007
From: csaba at linuxforum.hu (Kovács Csaba)
Date: Sun Jul 8 08:16:11 2007
Subject: Off-topic RDJ not working properly since DOS a few weeks back
In-Reply-To:
References:
Message-ID: <46908DF7.1070509@linuxforum.hu>

Jason Ede wrote:
>
> Ok, I know this is slightly off-topic, but has anyone else had problems
> with Rules_du_jour since the DDOS against sare and spamhaus a few
> weeks back?
>
>
>
> It runs fine when run manually, but when it runs overnight
> automatically it fails to download at least one of the rulesets and
> then gets stuck as below...
>
>
>
> ***WARNING***: spamassassin --lint failed.
> Rolling configuration files back, not restarting SpamAssassin.
> Rollback command is: mv -f /etc/mail/spamassassin/70_sare_evilnum0.cf
> /etc/mail/spamassassin/RulesDuJour/70_sare_evilnum0.cf.2; mv -f
> /etc/mail/spamassassin/RulesDuJour/70_sare_evilnum0.cf.20070708-0456
> /etc/mail/spamassassin/70_sare_evilnum0.cf;
>
>
>
>
I have the same problem:

***WARNING***: /usr/bin/spamassassin -p /etc/MailScanner/spam.assassin.prefs.conf --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is: mv -f /etc/mail/spamassassin/70_sare_evilnum2.cf /etc/mail/spamassassin/RulesDuJour/70_sare_evilnum2.cf.2; mv -f /etc/mail/spamassassin/RulesDuJour/70_sare_evilnum2.cf.20070708-0411 /etc/mail/spamassassin/70_sare_evilnum2.cf; mv -f /etc/mail/spamassassin/70_sare_whitelist_spf.cf /etc/mail/spamassassin/RulesDuJour/70_sare_whitelist_spf.cf.2; mv -f /etc/mail/spamassassin/RulesDuJour/70_sare_whitelist_spf.cf.20070708-0411 /etc/mail/spamassassin/70_sare_whitelist_spf.cf;

Csaba

From j.ede at birchenallhowden.co.uk Sun Jul 8 08:15:17 2007
From: j.ede at birchenallhowden.co.uk (Jason Ede) Date: Sun Jul 8 08:16:14 2007 Subject: Off-topic RDJ not working properly since DOS a few weeks back In-Reply-To: References: Message-ID: Forgot to add that I keep clearing out the RulesDuJour directory in /etc/mail/spamassassin... From j.ede at birchenallhowden.co.uk Sun Jul 8 08:38:50 2007
From: j.ede at birchenallhowden.co.uk (Jason Ede)
Date: Sun Jul 8 08:39:53 2007
Subject: Off-topic RDJ not working properly since DOS a few weeks back
In-Reply-To:
References: ,
Message-ID:

I think I've found a workaround in http://saupdates.openprotect.com/ although it's a different way of doing it... Now just need to work out how to just select the rules I want in that list...

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Ede [j.ede@birchenallhowden.co.uk]
Sent: 08 July 2007 08:15
To: MailScanner discussion
Subject: RE: Off-topic RDJ not working properly since DOS a few weeks back

Forgot to add that I keep clearing out the RulesDuJour directory in /etc/mail/spamassassin...
________________________________
From ajcartmell at fonant.com Sun Jul 8 09:47:02 2007
From: ajcartmell at fonant.com (Anthony Cartmell) Date: Sun Jul 8 09:46:39 2007 Subject: Off-topic RDJ not working properly since DOS a few weeks back In-Reply-To: References: Message-ID: > Ok, I know this is sligtly off-topic, but has anyone else had problems > with Rules_du_jour since the DDOS against sare and spamhaus a few weeks > back? Yes, and I've even added in a five-second pause between checking each rule. Hasn't helped :( Might investigate doing the updates at a different time of day. Anthony -- www.fonant.com - Quality web sites From j.ede at birchenallhowden.co.uk Sun Jul 8 09:55:50 2007 From: j.ede at birchenallhowden.co.uk (Jason Ede) Date: Sun Jul 8 09:56:52 2007 Subject: Off-topic RDJ not working properly since DOS a few weeks back In-Reply-To: References: , Message-ID: Just found this... http://www.nabble.com/Patch-for-rules_du_jour-t3996266.html which has an update for RDJ script.... --- /root/rules_du_jour.orig 2007-06-17 21:01:24.000000000 -0500 +++ /var/lib/spamassassin/rules_du_jour 2007-06-28 14:07:37.000000000 -0500 
@@ -780,7 +780,30 @@ [ "${DEBUG}" ] && echo "Retrieving file from ${CF_URL}..."; # send wget output to a temp file for grepping - HttpGet ${CF_URL} ${TMPDIR}/${CF_BASENAME}; + # + # This while loop is a fix for Rules Emporium honey-pot DDoS + # shield as of 6/28/07. Send comments and bugs to Lindsay Haisley, + # fmouse@.... + GET_COUNT=1; + MAX_GET_COUNT=4; + while [ ${GET_COUNT} -lt ${MAX_GET_COUNT} ]; do + HttpGet ${CF_URL} ${TMPDIR}/${CF_BASENAME}; + if ${GREP} -iq 'META HTTP-EQUIV' ${TMPDIR}/${CF_BASENAME} ; then + rm -f ${TMPDIR}/${CF_BASENAME}; + sleep 1; + [ "${DEBUG}" ] && echo "Got refresh URL, pass ${GET_COUNT}..."; + GET_COUNT=`expr ${GET_COUNT} + 1`; + else + [ "${DEBUG}" ] && echo "Rules file OK, pass ${GET_COUNT}..."; + GET_COUNT=`expr ${MAX_GET_COUNT} + 1`; + fi + done + if ${GREP} -iq 'META HTTP-EQUIV' ${TMPDIR}/${CF_BASENAME} ; then + rm -f ${TMPDIR}/${CF_BASENAME}; + GET_COUNT=`expr ${GET_COUNT} - 1`; + [ "${DEBUG}" ] && echo "Download of ${CF_BASENAME} FAILED after ${GET_COUNT} tries. Skipping ..."; + fi + # Append these errors to a variable to be mailed to the admin (later in script) [ "${FAILED}" ] && RULES_THAT_404ED="${RULES_THAT_404ED}\n${CF_NAME} had an unknown error:\n${HTTP_ERROR}"; ________________________________________ 
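Review bot: the check after "done" can never report a failure. Every pass that finds 'META HTTP-EQUIV' runs "rm -f ${TMPDIR}/${CF_BASENAME}" before the loop test, so once the retries are used up the final "${GREP} -iq" runs against a file that no longer exists, returns an error, and the "FAILED after ... tries" debug line is skipped. Record the outcome in a flag inside the loop and set FAILED there, so the unchanged line below that appends to RULES_THAT_404ED tells the admin which ruleset was skipped. Two smaller points: with GET_COUNT=1 and "-lt ${MAX_GET_COUNT}" the loop makes three attempts, not the four that MAX_GET_COUNT=4 suggests, and ${CF_URL}, ${TMPDIR} and ${CF_BASENAME} are expanded unquoted in the HttpGet, grep and rm calls, so they should be quoted.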
From rcooper at dwford.com Sun Jul 8 16:57:42 2007 From: rcooper at dwford.com (Rick Cooper) Date: Sun Jul 8 16:57:51 2007 Subject: Off-topic RDJ not working properly since DOS a few weeks back In-Reply-To: References: Message-ID: <01c801c7c178$b7d58ad0$0301a8c0@SAHOMELT> _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Ede
Sent: Sunday, July 08, 2007 3:05 AM
To: mailscanner@lists.mailscanner.info
Subject: Off-topic RDJ not working properly since DOS a few weeks back

Ok, I know this is slightly off-topic, but has anyone else had problems with Rules_du_jour since the DDOS against sare and spamhaus a few weeks back?

It runs fine when run manually, but when it runs overnight automatically it fails to download at least one of the rulesets and then gets stuck as below...

[Rick Cooper]
The preferred method (since before the DDOS) is to use sa-update. Look here for information as to how to add SARE channels to sa-update:
http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt

I never had a problem when the DDOS attacks began

Rick

From MailScanner at ecs.soton.ac.uk Sun Jul 8 20:12:46 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 8 20:20:18 2007
Subject: HOWTO: Adding extra rulesets to SpamAssassin
Message-ID: <4691372E.4060709@ecs.soton.ac.uk>

Skipped content of type multipart/mixed

From MailScanner at ecs.soton.ac.uk Sun Jul 8 20:23:50 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 8 20:26:37 2007
Subject: Beta release: 4.62.2
Message-ID: <469139C6.1080002@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have just released a new beta to support the SAUPDATEARGS setting in /etc/MailScanner/sysconfig for easy implementation of the HOWTO I just published on adding extra rulesets to SpamAssassin without having to use RulesDuJour.

The full Change Log is this:

* New Features and Improvements *
1 Improved non-Linux installer.
1 Improved Linux installer.
1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this.
1 Upgraded MIME::Base64 to 3.07.
1 Improved error reporting for clamd permissions problems. Thanks Rick.
2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and /usr/sbin/update_spamassassin. For a good use of this, see http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt and search for "HOWTO" in the Subject: line of the MailScanner-discussion list archive. This process replaces RulesDuJour entirely. Another good ruleset to add to your setup is http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf To download this automatically every night, fetch http://www.mailscanner.info/files/4/KAM.cf.sh and put it in /etc/cron.daily and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh").

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGkTnHEfZZRxQVtlQRAi2qAJ0WOo3IkQzzgj8Yd0YHzxIrPawMCgCgshoi hLBcefY5kJipO4qXSP4Ti8w= =FVn8 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Sun Jul 8 20:35:02 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jul 8 20:37:56 2007 Subject: HOWTO: Adding extra rulesets to SpamAssassin In-Reply-To: <4691372E.4060709@ecs.soton.ac.uk> References: <4691372E.4060709@ecs.soton.ac.uk> Message-ID: <46913C66.1040509@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 One thing I forgot to mention: the KAM.cf.sh script uses wget, so make sure you have that installed. > However, there is one extra ruleset which you might like to try. I've > got it going and it appears to work pretty well. Attached to this > message is a file KAM.cf.sh which you should put into > /etc/cron.daily/KAM.cf.sh and make it executable: > chmod +x /etc/cron.daily/KAM.cf.sh > Run it once to get the initial copy of the ruleset file. It will keep > a backup copy of the KAM.cf ruleset in KAM.cf.backup, which it will > use if it can't download KAM.cf correctly later. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGkTxnEfZZRxQVtlQRAtRSAKDO/uy6Ue1z2g+HCAkMc7e296+DSwCgjvhW 13Q1Tg6DpWjStbka55gokAQ= =6f7Q -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From seamus at rheelweb.co.nz Mon Jul 9 03:40:41 2007 
From: seamus at rheelweb.co.nz (Seamus Allan) Date: Mon Jul 9 03:41:02 2007 Subject: Postfix Address Verification In-Reply-To: <20070706071038.1D6C.GERARD@seibercom.net> References: <20070706061414.C5CF.GERARD@seibercom.net> <74ACEB3E6A055643A89B8CEC74C7BF2488E0C7@WISENT.dcyb.net> <20070706071038.1D6C.GERARD@seibercom.net> Message-ID: <4691A029.8060908@rheelweb.co.nz> I suspect I have solved the problem. After trying to set up sender domain verification (to prevent stuff from abcd@fghi.com) I discovered that people who had their domains with us could not send email, giving a 430 Domain not found error. (Needless to say the phones started ringing immediately!). I then realised that Postfix wasn't using the relay map to determine whether a domain existed or not, it just did a dns lookup, in our case to our internal dns server. The internal DNS is used essentially only for the intranet and a few hostnames of servers, so most domains that it is 'authoritative' for only have A records for www.domain.com. So when postfix was querying to see whether domain.com existed, the DNS was giving no results and thusly, the 430 error popped up. After fixing the DNS up, the sender domain verification worked, and I have just turned on the recipient verification back on to see whether that is fixed too. Cheers all Seamus -- *Seamus Allan* Network Engineer Rheel Electronics Ltd Phone +64-3-386 3070 Fax +64-3-386-3071 Mobile +64-21-178-2980 seamus@rheelweb.co.nz www.rheel.co.nz This e-mail together with any attachments is confidential, may be subject to legal privilege and may contain proprietary information, including information protected by copyright. If you are not the intended recipient, please do not copy, use or disclose this e-mail; please notify us immediately by return e-mail and then delete this e-mail. From tipusadat at yahoo.com Mon Jul 9 07:33:10 2007 
From: tipusadat at yahoo.com (msht)
Date: Mon Jul 9 07:35:11 2007
Subject: Commercial scanner clamav timed out!
References: <290316.6797.qm@web54401.mail.yahoo.com>
Message-ID:

Dear Wilson,

did you find any solution for this problem? I'm also having the same sort of problem and have yet to find any solution.

Rgds.

From minduni at ti-edu.ch Mon Jul 9 09:04:26 2007
From: minduni at ti-edu.ch (Marco Induni) Date: Mon Jul 9 09:04:28 2007 Subject: Filename rule question In-Reply-To: <223f97700707060540n7c7b022eye5700536d480541c@mail.gmail.com> References: <468A6663.8010907@ti-edu.ch> <468B4CD6.5050001@ti-edu.ch> <223f97700707040259w54b286b2y1530dc3d7fddedaa@mail.gmail.com> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> <468CACEF.30202@ti-edu.ch> <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> <468CDC23.7000500@ti-edu.ch> <223f97700707051316y462cffd5ka6ce8064d614350f@mail.gmail.com> <468E09B6.10605@ti-edu.ch> <223f97700707060540n7c7b022eye5700536d480541c@mail.gmail.com> Message-ID: <4691EC0A.3040209@ti-edu.ch> Glenn Steen wrote: > On 06/07/07, Marco Induni wrote: >> Glenn Steen wrote: > (snip) >> >> >> >> >> > To my tired eyes that doesn't look that bad... More's the pity... >> Hope now you eyes are better > :-) > >> > Seems you don't install SA and Clamav by way of Jules easy package (or >> > else a lot more of the optional modules would be there)... Hm... One >> > could start installing those, of course, but I don't see them having >> > an effect. >> In fact, we use uvscan(mcafee) and sometime clamav AV, but they are >> installed apart (SA via CPAN / clamav make /make install) > Ok. I don't think you need remove/reinstall with Jules package... It > does more or less those, and then adds a lot of perl modules to make > Mail::ClamAV happy. Would be passing strange if that had any impact on > this problem. > >> > You did say that restoring the default filename/filetype >> > rules files and reloading/restarting MailScanner didn't have any >> > effect either? Most strange. >> Yes, it is so. > > This make me think there is something seriously wrong here... And > perhaps not _directly_ related to the rule file used... Unless of > course the files aren't readable or something strange like that... > Nah, probably not. > >> > How did you install the MIME::* packages? 
Via jules installer or via >> > distro or CPAN? >> Via jules. I've installed the new version a couple of days ago. >> > You could try reinstall them (force them from CPAN or something), just > to see that they build/install OK... > Apart from this, you don't see any strange log entries in the normal > syslog? We really need to get a handle on what is going bonkers here. > Cheers Glenn, I'm on vacation. I will do it all the test starting from 24 of july. So I will not bother you for 2 weeks ;-) Cheers Marco From daniel at danielf.ch Mon Jul 9 10:57:41 2007 
From: daniel at danielf.ch (Daniel Fuhrer)
Date: Mon Jul 9 10:57:49 2007
Subject: MCP rule
Message-ID: <96EF3FB3C374A64187CCB0D0DA716F2446F8@idefix.danielf.local>

Hi all

I have a question about MCP rules. In general the rules are working. Here my rules:

header __BOUNCE_RULE1 Subject =~ /warning: could not send message for past 4 hours/i
header __BOUNCE_RULE2 Subject =~ /returned mail:/i
header __BOUNCE_RULE3 Subject =~ /delivery status notification/i
header __BOUNCE_RULE4 Subject =~ /delivery notification:/i
header __BOUNCE_RULE5 Subject =~ /mail system error/i
header __BOUNCE_RULE6 Subject =~ /undelivered mail/i
header __BOUNCE_RULE7 Subject =~ /failure delivery/i
header __BOUNCE_RULE8 Subject =~ /failure notice/i
header __BOUNCE_RULE9 Subject =~ /mail delivery problem/i
header __BOUNCE_RULE10 Subject =~ /delivery failure/i
header __BOUNCE_RULE11 Subject =~ /undeliverable mail/i
header __BOUNCE_RULE12 Subject =~ /mail delivery failed/i
header __BOUNCE_RULE20 Content-Type =~ /delivery-status/i
header __BOUNCE_RULE30 Auto-Submitted =~ /auto-generated/i
header __BOUNCE_RULE40 From =~ /mail delivery subsystem/i
header __BOUNCE_RULE41 From =~ /postmaster/i
header __BOUNCE_RULE42 From =~ /mailer-deamon/i
header __BOUNCE_RULE50 To =~ /newsletter/i

meta BOUNCE_RULE1 ((__BOUNCE_RULE1 || __BOUNCE_RULE2) && __BOUNCE_RULE20 && __BOUNCE_RULE30 && __BOUNCE_RULE40 && __BOUNCE_RULE50)
describe BOUNCE_RULE1 Indicates a bounce from the mailgateway
score BOUNCE_RULE1 12

meta BOUNCE_RULE2 ((__BOUNCE_RULE3 || __BOUNCE_RULE4 || __BOUNCE_RULE5 || __BOUNCE_RULE6 || __BOUNCE_RULE7 || __BOUNCE_RULE8 || __BOUNCE__RULE9 || __BOUNCE_RULE10 || __BOUNCE_RULE11 || __BOUNCE_RULE12) && (__BOUNCE_RULE40 || __BOUNCE_RULE41 || __BOUNCE_RULE42) && __BOUNCE_RULE50)
describe BOUNCE_RULE2 Indicates a bounce from a remote mailserver
score BOUNCE_RULE2 12

header T_BOUNCE_RULE1 Subject =~ /warning: could not send message for past 4 hours/i
describe T_BOUNCE_RULE1 BOUNCE_RULE Subject Warning: could not send message for past 4 hours
header T_BOUNCE_RULE2 Subject =~ /returned mail:/i
describe T_BOUNCE_RULE2 BOUNCE_RULE Subject Returned mail:
header T_BOUNCE_RULE3 Subject =~ /delivery status notification/i
describe T_BOUNCE_RULE3 BOUNCE_RULE Subject Delivery Status Notification
header T_BOUNCE_RULE4 Subject =~ /delivery notification:/i
describe T_BOUNCE_RULE4 BOUNCE_RULE Subject Delivery Notification
header T_BOUNCE_RULE5 Subject =~ /mail system error/i
describe T_BOUNCE_RULE5 BOUNCE_RULE Subject Mail System Error
header T_BOUNCE_RULE6 Subject =~ /undelivered mail/i
describe T_BOUNCE_RULE6 BOUNCE_RULE Subject Undelivered Mail
header T_BOUNCE_RULE7 Subject =~ /failure delivery/i
describe T_BOUNCE_RULE7 BOUNCE_RULE Subject Failure Delivery
header T_BOUNCE_RULE8 Subject =~ /failure notice/i
describe T_BOUNCE_RULE8 BOUNCE_RULE Subject failure notice
header T_BOUNCE_RULE9 Subject =~ /mail delivery problem/i
describe T_BOUNCE_RULE9 BOUNCE_RULE Subject Mail Delivery Problem
header T_BOUNCE_RULE10 Subject =~ /delivery failure/i
describe T_BOUNCE_RULE10 BOUNCE_RULE Subject Mail DELIVERY FAILURE
header T_BOUNCE_RULE11 Subject =~ /undeliverable mail/i
describe T_BOUNCE_RULE11 BOUNCE_RULE Subject Undeliverable Mail
header T_BOUNCE_RULE12 Subject =~ /mail delivery failed/i
describe T_BOUNCE_RULE12 BOUNCE_RULE Subject Mail delivery failed
header T_BOUNCE_RULE20 Content-Type =~ /delivery-status/i
describe T_BOUNCE_RULE20 BOUNCE_RULE Content-Type
header T_BOUNCE_RULE30 Auto-Submitted =~ /auto-generated/i
describe T_BOUNCE_RULE30 BOUNCE_RULE Auto-Submitted
header T_BOUNCE_RULE40 From =~ /Mail Delivery Subsystem/i
describe T_BOUNCE_RULE40 BOUNCE_RULE From
header T_BOUNCE_RULE41 From =~ /postmaster/i
describe T_BOUNCE_RULE41 BOUNCE_RULE From postmaster
header T_BOUNCE_RULE42 From =~ /MAILER-DAEMON/i
describe T_BOUNCE_RULE42 BOUNCE_RULE From MAILER-DAEMON
header T_BOUNCE_RULE50 To =~ /newsletter/i
describe T_BOUNCE_RULE50 BOUNCE_RULE To

The following mail is not marked as MCP Highscore and I don't understand why. Here the MCP Report (from Mailwatch):

T_BOUNCE_RULE11 BOUNCE_RULE Subject Undeliverable Mail
T_BOUNCE_RULE20 BOUNCE_RULE Content-Type
T_BOUNCE_RULE42 BOUNCE_RULE From MAILER-DAEMON
T_BOUNCE_RULE50 BOUNCE_RULE To

Thanks for your help.

Cheers
Daniel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070709/6ca136e5/attachment.html

From jonas at vrt.dk Mon Jul 9 11:04:18 2007
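An added example, not part of Daniel's post and not MailScanner or SpamAssassin code: a Python check run over an excerpt of the rules posted above (the sub-rules BOUNCE_RULE2 depends on). It lists meta operands that have no definition, finds `__` sub-rules whose pattern differs from their `T_` twin, and evaluates the meta against a constructed message that matches the Mailwatch report. The function names, the sample addresses and the treatment of an undefined operand as "no hit" are assumptions of this example.

```python
import re

# Excerpt copied from the rules posted above: every sub-rule that BOUNCE_RULE2
# references, plus the T_ test rules for the headers it checks.
RULES = """\
header __BOUNCE_RULE3 Subject =~ /delivery status notification/i
header __BOUNCE_RULE4 Subject =~ /delivery notification:/i
header __BOUNCE_RULE5 Subject =~ /mail system error/i
header __BOUNCE_RULE6 Subject =~ /undelivered mail/i
header __BOUNCE_RULE7 Subject =~ /failure delivery/i
header __BOUNCE_RULE8 Subject =~ /failure notice/i
header __BOUNCE_RULE9 Subject =~ /mail delivery problem/i
header __BOUNCE_RULE10 Subject =~ /delivery failure/i
header __BOUNCE_RULE11 Subject =~ /undeliverable mail/i
header __BOUNCE_RULE12 Subject =~ /mail delivery failed/i
header __BOUNCE_RULE40 From =~ /mail delivery subsystem/i
header __BOUNCE_RULE41 From =~ /postmaster/i
header __BOUNCE_RULE42 From =~ /mailer-deamon/i
header __BOUNCE_RULE50 To =~ /newsletter/i
meta BOUNCE_RULE2 ((__BOUNCE_RULE3 || __BOUNCE_RULE4 || __BOUNCE_RULE5 || __BOUNCE_RULE6 || __BOUNCE_RULE7 || __BOUNCE_RULE8 || __BOUNCE__RULE9 || __BOUNCE_RULE10 || __BOUNCE_RULE11 || __BOUNCE_RULE12) && (__BOUNCE_RULE40 || __BOUNCE_RULE41 || __BOUNCE_RULE42) && __BOUNCE_RULE50)
header T_BOUNCE_RULE11 Subject =~ /undeliverable mail/i
header T_BOUNCE_RULE40 From =~ /Mail Delivery Subsystem/i
header T_BOUNCE_RULE41 From =~ /postmaster/i
header T_BOUNCE_RULE42 From =~ /MAILER-DAEMON/i
header T_BOUNCE_RULE50 To =~ /newsletter/i
"""

# Constructed sample headers, consistent with the Mailwatch report above
# (hits on T_BOUNCE_RULE11, T_BOUNCE_RULE42 and T_BOUNCE_RULE50).
SAMPLE = {
    "Subject": "Undeliverable Mail",
    "From": "MAILER-DAEMON@mx.example.org",
    "To": "newsletter@example.org",
}

HEADER_RE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+=~\s+/(.*)/(\w*)\s*$")
META_RE = re.compile(r"^meta\s+(\S+)\s+(.+)$")
NAME_RE = re.compile(r"[A-Za-z_]\w*")


def parse_rules(text):
    """Return ({rule: (header, pattern, flags)}, {meta: expression})."""
    headers, metas = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1)] = (m.group(2), m.group(3), m.group(4))
            continue
        m = META_RE.match(line)
        if m:
            metas[m.group(1)] = m.group(2)
    return headers, metas


def undefined_refs(headers, metas):
    """Operands used in each meta expression that no rule defines."""
    return {name: [t for t in NAME_RE.findall(expr)
                   if t not in headers and t not in metas]
            for name, expr in metas.items()}


def diverging_twins(headers):
    """__X sub-rules whose header or pattern differs from the T_X test rule."""
    def norm(pat, flags):
        return pat.lower() if "i" in flags else pat
    out = []
    for name, (hdr, pat, flags) in headers.items():
        twin = headers.get("T_" + name[2:]) if name.startswith("__") else None
        if twin and (hdr, norm(pat, flags)) != (twin[0], norm(twin[1], twin[2])):
            out.append((name, pat, twin[1]))
    return out


def eval_meta(expr, headers, msg):
    """Evaluate a meta expression of ||, && and parentheses against msg."""
    def hit(m):
        rule = headers.get(m.group(0))
        if rule is None:          # assumption: undefined operand never hits
            return "False"
        hdr, pat, flags = rule    # the patterns here are plain literals, so
        opts = re.I if "i" in flags else 0   # Python's re reads them as Perl does
        return str(bool(re.search(pat, msg.get(hdr, ""), opts)))
    py = NAME_RE.sub(hit, expr).replace("||", " or ").replace("&&", " and ")
    if not re.fullmatch(r"(?:True|False|and|or|[()\s])+", py):
        raise ValueError("unsupported token in meta expression")
    return eval(py, {"__builtins__": {}})


if __name__ == "__main__":
    hdrs, metas = parse_rules(RULES)
    print("undefined operands:", undefined_refs(hdrs, metas))
    print("diverging sub-rules:", diverging_twins(hdrs))
    print("BOUNCE_RULE2 fires:", eval_meta(metas["BOUNCE_RULE2"], hdrs, SAMPLE))
```

On this input the check reports `__BOUNCE__RULE9` as undefined and `__BOUNCE_RULE42` (/mailer-deamon/) as differing from `T_BOUNCE_RULE42` (/MAILER-DAEMON/), so the From clause of BOUNCE_RULE2 is false for a mail from MAILER-DAEMON.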
From: jonas at vrt.dk (Jonas A. Larsen)
Date: Mon Jul 9 11:04:41 2007
Subject: How to monitor the health of the MailScanner architecture
Message-ID: <000901c7c210$8d1f4310$a75dc930$@dk>

Hello all

I have a problem, and discussing it on the irc channel didn't turn up any obvious solution.

Say you have more than 1 MS box scanning mails for a specific domain. They are load balanced in some way, so the load is split over the servers.

Now let's say one of the servers has a problem. Not a fatal problem, so the server is still running (responds to pings etc), port 25 is still open, and exim (the mta in my case) still accepts mails.

But for some reason, crash, corrupt config, full root fs etc., the process of moving mails from the incoming queue to the outgoing queue is not working.

What I am interested in is a system to alert me of such a problem automatically.

Currently the only thing, besides clients noticing mail being delayed, is for me to look at my mailscanner-mrtg graphs for the incoming queue and notice that it's growing.

One method of doing all this automatically that we came up with would be some complex system that would work as follows:

You create a domain for each MailScanner, that only that MailScanner scans for.

You then create an imap account on another system for each of the domains.

You then create a script that sends a mail to each of the accounts and after X amount of minutes checks to see if the mail has arrived on the imap account. If yes, delete the mail and do the same thing again after Y amount of minutes (a cron job); if it doesn't exist, something must be wrong with the mailflow, either it's interrupted or is experiencing delays.

Does anybody have a better idea or know of something that can do this already?

My root file system ran full last week, and it caused mails to still be accepted (incoming is on /var on another disk) but MS was frozen because it couldn't extract attachments to /tmp which was full because it was on the same disk as the root fs.

I hope I have made the above somewhat clear, if not please ask me to clarify.

Med venlig hilsen / Best regards

Jonas Akrouh Larsen
TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S
Office: 7020 0979
Direct: 33369974
Fax: 7020 0978
Mobile: 51201096
Web: www.techbiz.dk

From paul.hutchings at mira.co.uk Mon Jul 9 11:23:56 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Mon Jul 9 11:24:14 2007
Subject: Phishing Whitelist
Message-ID:

phishing.safe.sites.conf says to email updates to phishing@mailscanner.info - this address bounces though as user unknown.

Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378
Fax: 44 (0)24 7635 8378
mailto:paul.hutchings@mira.co.uk

--
MIRA Ltd. Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
Registered in England No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

From Alistair.Carmichael at ntltravel.com Mon Jul 9 11:31:25 2007
From: Alistair.Carmichael at ntltravel.com (Alistair Carmichael)
Date: Mon Jul 9 11:31:29 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <000901c7c210$8d1f4310$a75dc930$@dk>
References: <000901c7c210$8d1f4310$a75dc930$@dk>
Message-ID: <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local>

Hi,

The monitoring software I use - nagios - is capable of this. Without going into too much detail, it's basically a monitoring tool that can run on a webserver and then check the status of software such as your mta remotely, as well as executing local scripts on each mailscanner server to check queue sizes and report back to the nagios monitoring server via the nagios nrpe plugin, which can be configured to alert via email or even sms once certain thresholds (e.g. queue size) are met.

In our setup I wrote my own queue size monitor script but there are nrpe scripts already created for various MTA's out there.

Al

From list-mailscanner at linguaphone.com Mon Jul 9 11:36:02 2007
From: list-mailscanner at linguaphone.com (Gareth) Date: Mon Jul 9 11:36:10 2007 Subject: How to monitor the health of the MailScanner architecture In-Reply-To: <000901c7c210$8d1f4310$a75dc930$@dk> References: <000901c7c210$8d1f4310$a75dc930$@dk> Message-ID: <1183977362.27061.9.camel@gblades-suse.linguaphone-intranet.co.uk> Have a look at Nagios. It will ssh into the box and perform various monitoring tasks. It can check disk space and monitor if particular processes are running as standard. You could easily write a custom check script to monitor the mail queue and alert if it grows too big. From jonas at vrt.dk Mon Jul 9 12:06:57 2007
From: jonas at vrt.dk (Jonas A. Larsen)
Date: Mon Jul 9 12:07:19 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local>
References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local>
Message-ID: <002001c7c219$4d475580$e7d60080$@dk>

Hi Alistair and Gareth too.

I have used nagios for many years. However if you read my mail again, I specifically don't need to know the queue size or the status of the MTA, none of those can give you a definitive answer about whether or not mail flow is working, I need something that can check if mail is flowing and if it's delayed.

/Jonas

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alistair Carmichael
Sent: 9. juli 2007 12:31
To: MailScanner discussion
Subject: RE: How to monitor the health of the MailScanner architecture

Hi,

The monitoring software I use - nagios is capable of this, without going into too much detail it's basically a monitoring tool that can run on a webserver and then check the status of software such as your mta remotely as well as executing local scripts on each mailscanner server to check queue sizes and report back to the nagios monitoring server via the nagios nrpe plugin, which can be configured to alert via email or even sms once certain thresholds (e.g. queue size) are met.

In our setup I wrote my own queue size monitor script but there are nrpe scripts already created for various MTA's out there.

Al
_____
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jonas A. Larsen Sent: 09 July 2007 11:04 To: mailscanner@lists.mailscanner.info Subject: How to monitor the health of the MailScanner architecture Hello all I have a problem, and discussing it on the irc channel didn?t turn up any obvious solution. Say you have more than 1 MS box scanning mails for a specific domain. They are load balanced in some way, so the load is split over the servers. Now lets say one of the servers have a problem. Not a fatal problem, so the server is still running (responds to pings etc) port 25 is still open, and exim (the mta in my case) still accepts mails. But for some reason, crash, corrupt config, full root fs etc. the process of moving mails from the incoming queue to the outgoing queue is not working. What I am interested in, is a system to alert me of such a problem automatically. Currently the only thing, besides clients noticing mail being delayed, is for me to look at my mailscaner-mrtg graphs for the incoming queue and notice that its growing. One method of doing all this automatically that we came up with, would be some complex system that would work as follows: You create a domain for each MailScanner, that only that MailScanner scans for. You then create an imap account on another system for each of the domains. You then create a script that sends a mail to each of the accounts and after X amount of minutes check to see if the mail has arrived on the imap account. If yes, delete the mail and do the same thing again after Y amount of minutes (a cron job), if it doesn?t exist something must be wrong with the mailflow, either its interrupted or is experiencing delays. Do anybody have a better idea or know of something that can do this already? 
My root file system ran full last week, and it caused mails to still be accepted (incoming is on /var on another disk) but MS was frozen because it couldn?t extract attachments to /tmp which was full because it was on the same disk as the root fs. I hope I have made the above somewhat clear, if not please ask me to clarify. Med venlig hilsen / Best regards Jonas Akrouh Larsen TechBiz ApS Laplandsgade 4, 2. sal 2300 K?benhavn S Office: 7020 0979 Direct: 33369974 Fax: 7020 0978 Mobile: 51201096 Web: www.techbiz.dk This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070709/0b906d43/attachment.html From list-mailscanner at linguaphone.com Mon Jul 9 12:20:38 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Mon Jul 9 12:20:45 2007 Subject: How to monitor the health of the MailScanner architecture In-Reply-To: <002001c7c219$4d475580$e7d60080$@dk> References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local> <002001c7c219$4d475580$e7d60080$@dk> Message-ID: <1183980038.27054.15.camel@gblades-suse.linguaphone-intranet.co.uk> You can still use Nagios. You just need to decide exactly what you want to monitor. For example look at the incoming mail queue and the date of the oldest file. If it is <5 minutes or so then you can assume it is working. If it is over 5 minutes then there could be a problem so check the sql database (assuming you are using mailwatch) to see if there have been any mails processed in last few minutes. If so then we just have a backlog otherwise something isn't working so alert. On Mon, 2007-07-09 at 12:06, Jonas A. Larsen wrote: > Hi Alistair and Gareth too. > > > > I have used nagios for many years. However if you read my mail again, > I specifically don?t need to know the queue size or the status of the > MTA, none of those can give you a definitive answer about whether or > not mail flow is working, I need something that can check if mail is > flowing and if its delayed. > > > > > /Jonas 
> > > > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Alistair Carmichael > Sent: 9. juli 2007 12:31 > To: MailScanner discussion > Subject: RE: How to monitor the health of the MailScanner architecture > > > > > Hi, > > The monitoring software I use - nagios is capable of this, without > going into too much detail its basically a monitoring tool that can > run on a webserver and then check the status of software such as your > mta remotely aswell as executing local scripts on each mailscanner > server to check queue sizes and report back to the nagios monitoring > server via the nagios nrpe plugin, which can be configured to alert > via email or even sms once certain thresholds (e.g queue size) are > met. > > In our setup I wrote my own queue size monitor script but there are > nrpe scripts already created for various MTA?s out there. > > > > Al > > > > > ______________________________________________________________________ 
> > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jonas > A. Larsen > Sent: 09 July 2007 11:04 > To: mailscanner@lists.mailscanner.info > Subject: How to monitor the health of the MailScanner architecture > > > > > Hello all > > > > I have a problem, and discussing it on the irc channel didn?t turn up > any obvious solution. > > > > Say you have more than 1 MS box scanning mails for a specific domain. > They are load balanced in some way, so the load is split over the > servers. > > > > Now lets say one of the servers have a problem. Not a fatal problem, > so the server is still running (responds to pings etc) port 25 is > still open, and exim (the mta in my case) still accepts mails. > > > > But for some reason, crash, corrupt config, full root fs etc. the > process of moving mails from the incoming queue to the outgoing queue > is not working. > > > > What I am interested in, is a system to alert me of such a problem > automatically. > > > > Currently the only thing, besides clients noticing mail being delayed, > is for me to look at my mailscaner-mrtg graphs for the incoming queue > and notice that its growing. > > > > One method of doing all this automatically that we came up with, would > be some complex system that would work as follows: > > > > You create a domain for each MailScanner, that only that MailScanner > scans for. > > > > You then create an imap account on another system for each of the > domains. > > > > You then create a script that sends a mail to each of the accounts and > after X amount of minutes check to see if the mail has arrived on the > imap account. If yes, delete the mail and do the same thing again > after Y amount of minutes (a cron job), if it doesn?t exist something > must be wrong with the mailflow, either its interrupted or is > experiencing delays. > > > > Do anybody have a better idea or know of something that can do this > already? 
> > > > My root file system ran full last week, and it caused mails to still > be accepted (incoming is on /var on another disk) but MS was frozen > because it couldn?t extract attachments to /tmp which was full because > it was on the same disk as the root fs. > > > > I hope I have made the above somewhat clear, if not please ask me to > clarify. > > > > > > Med venlig hilsen / Best regards > > > > Jonas Akrouh Larsen > > > > TechBiz ApS > > Laplandsgade 4, 2. sal > > 2300 K?benhavn S > > > > Office: 7020 0979 > > Direct: 33369974 > > Fax: 7020 0978 > > Mobile: 51201096 > > Web:www.techbiz.dk > > > > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. This message contains confidential information and > is intended only for the individual named. If you are not the named > addressee you should not disseminate, distribute or copy this e-mail. > > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > the system manager. This message contains confidential information and > is intended only for the individual named. If you are not the named > addressee you should not disseminate, distribute or copy this e-mail. > > > > ______________________________________________________________________ > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Mon Jul 9 12:29:13 2007 
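The two-step check Gareth describes above (age of the oldest file in the incoming queue first, evidence of recent processing second), written as a Nagios-style plugin. This is an added example, not code from the thread or from MailScanner: the queue directory is supplied by the caller, the `--last-processed` value stands in for the MailWatch database lookup (whose schema the thread does not show), and reporting a backlog as WARNING rather than OK is an assumption.

```python
#!/usr/bin/env python3
"""Nagios-style mail-flow check (added example, not from the thread).

Step 1: age of the oldest file in the scanner's incoming queue.
Step 2: only if that is too old, ask when a message was last processed.
"""
import argparse
import os
import stat
import sys
import time

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # standard Nagios exit codes
LABEL = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}
FIVE_MINUTES = 5 * 60                         # threshold suggested in the thread


def _fail(err):
    # os.walk swallows errors by default; a missing or unreadable queue
    # directory must not be mistaken for an empty (healthy) queue.
    raise err


def oldest_age(queue_dir, now=None):
    """Age in seconds of the oldest regular file under queue_dir, None if empty."""
    now = time.time() if now is None else now
    oldest = None
    for root, _dirs, files in os.walk(queue_dir, onerror=_fail):
        for name in files:
            try:
                st = os.lstat(os.path.join(root, name))
            except FileNotFoundError:
                continue  # message left the queue while we were scanning
            if stat.S_ISREG(st.st_mode) and (oldest is None or st.st_mtime < oldest):
                oldest = st.st_mtime
    return None if oldest is None else max(0.0, now - oldest)


def evaluate(queue_age, processed_age,
             max_queue_age=FIVE_MINUTES, max_idle=FIVE_MINUTES):
    """Map the two measurements to (status, text).

    processed_age is seconds since the scanner last finished a message,
    or None when there is no record of any processing.
    """
    if queue_age is None:
        return OK, "incoming queue is empty"
    if queue_age <= max_queue_age:
        return OK, f"oldest queued message is {queue_age:.0f}s old"
    if processed_age is not None and processed_age <= max_idle:
        return WARNING, (f"backlog: oldest queued {queue_age:.0f}s, "
                         f"last processed {processed_age:.0f}s ago")
    seen = "never" if processed_age is None else f"{processed_age:.0f}s ago"
    return CRITICAL, (f"scanner stalled: oldest queued {queue_age:.0f}s, "
                      f"last processed {seen}")


def main(argv=None):
    parser = argparse.ArgumentParser(description="mail-flow check")
    parser.add_argument("queue_dir", help="scanner's incoming queue directory")
    parser.add_argument("--last-processed", type=float, default=None,
                        help="epoch seconds of the newest processed message "
                             "(assumed to come from the logging database)")
    args = parser.parse_args(argv)
    now = time.time()
    try:
        queue_age = oldest_age(args.queue_dir, now)
    except OSError as exc:
        print(f"MAILFLOW UNKNOWN - cannot read queue: {exc}")
        return UNKNOWN
    processed_age = (None if args.last_processed is None
                     else max(0.0, now - args.last_processed))
    status, text = evaluate(queue_age, processed_age)
    print(f"MAILFLOW {LABEL[status]} - {text}")
    return status


if __name__ == "__main__":
    sys.exit(main())
```

The full-/tmp case from the original question shows up here as CRITICAL: mail keeps arriving in the incoming queue while the last-processed time stops advancing.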
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 9 12:33:26 2007 Subject: Phishing Whitelist In-Reply-To: References: Message-ID: <46921C09.6040005@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Many thanks for reporting that. Fixed now. Paul Hutchings wrote: > phishing.safe.sites.conf says to email updates to > phishing@mailscanner.info - this address bounces though as user unknown. > > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378 > Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGkhwKEfZZRxQVtlQRAq0VAJ9vHr72eejYc/CvAZ1ghSuP2UIXqgCfVlew bJDqKOyi60GH/hwy52qoQVw= =WP28 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From nick at inticon.net Mon Jul 9 13:20:42 2007 
From: nick at inticon.net (Nick Brown)
Date: Mon Jul 9 13:21:21 2007
Subject: SpamAssassin Timeouts
Message-ID:

Evening All,

Apologies in advance if this has been previously covered however the search function for this list seems to be down currently.

We have been running a Postfix + MailScanner (SpamAssassin / CLAMAV) server for a couple months with no issues to report. Works extremely well and the customers are only saying good things.

Over the last couple of days we have been configuring a second server which today we went live with and configured secondary MX records for all customers' domains.

Everything looks fine, configuration was pretty much identical to the first server.

Since the volume of mail has increased however on the new server we are seeing every second or third email giving us the following in the headers

X-MailScanner-SpamCheck: not spam,
    SpamAssassin (Disabled due to 20 consecutive timeouts)

A quick search through MailScanner.conf reveals the following are set with a value of 20;

File Timeout = 20
Ignore Spam Whitelist if Rec. Exceed = 20
Custom Spam Scanner Timeout=20
MCP Max SpamAssassin Timeouts = 20

Note that both the customer scanner and MCP checks are disabled so I don't believe these should come into play.

Nor do I believe the first two should be having an impact on standard emails that are clearly spam, and have no attachments.

Any suggestions you have are much appreciated :-)

Cheers
Nick Brown.

Sent using the Microsoft Entourage 2004 for Mac Test Drive.

From MailScanner at ecs.soton.ac.uk Mon Jul 9 13:55:08 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 9 13:58:40 2007 Subject: SpamAssassin Timeouts In-Reply-To: References: Message-ID: <4692302C.20200@ecs.soton.ac.uk> Check how fast your SpamAssassin is running. Run MailScanner -debug -debug-sa and thump Ctrl-S to freeze the output whenever it pauses. Thump Ctrl-Q to resume normal output again. That should give you an indication of anything that is running slowly. It may be dcc or razor or dns lookups taking a long time. They are the most likely candidates. Jules. Nick Brown wrote: > Evening All, > > Apologies in advance if this has been previously covered however the search > function for this list seems to be down currently. > > We have been running a Postifx + MailScanner (SpamAssassin / CLAMAV) server > for a couple months with no issues to report. Works extremely well and the > customers are only saying good things. > > Over the last couple of days we have been configuring a second server which > today we went live with and configured a secondary MX records for all > customers domains. > > Everything looks fine, configuration was pretty much identical to the first > server. > > Since the volume of mail has increased however on the new server we are > seeing every second or third email giving us the following in the headers > > X-MailScanner-SpamCheck: not spam, > SpamAssassin (Disabled due to 20 consecutive timeouts) > > A quick search through MailScanner.conf reveals the following are set with a > value of 20; > > File Timeout = 20 > Ignore Spam Whitelist if Rec. Exceed = 20 > > Custom Spam Scanner Timeout=20 > MCP Max SpamAssassin Timeouts = 20 > > Note that both the customer scanner and MCP checks are disabled so I don't > believe these should come into play. > > Nor do I believe the first two should be having an impact on standard emails > that are clearly spam, and have no attachments. > > Any suggestions you have are much appreciated :-) > > Cheers > Nick Brown. 
> > Sent using the Microsoft Entourage 2004 for Mac Test Drive. > > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From dave.list at pixelhammer.com Mon Jul 9 14:02:47 2007 
From: dave.list at pixelhammer.com (DAve) Date: Mon Jul 9 14:03:59 2007 Subject: How to monitor the health of the MailScanner architecture In-Reply-To: <002001c7c219$4d475580$e7d60080$@dk> References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local> <002001c7c219$4d475580$e7d60080$@dk> Message-ID: <469231F7.7030302@pixelhammer.com> Jonas A. Larsen wrote: > Hi Alistair and Gareth too. > > > > I have used nagios for many years. However if you read my mail again, I > specifically don?t need to know the queue size or the status of the MTA, > none of those can give you a definitive answer about whether or not mail > flow is working, I need something that can check if mail is flowing and > if its delayed. I simply check for the existence of my normal daily report emails. I have backups running in the evening, audit reports in the early morning, ClamAV update results, server health emails, etc. If they stop, I have a problem. Something is reported nearly every hour of the day. So simply checking whatever mailbox your reporting arrives in is an excellent indicator. No reporting show up, MS has an issue or your entire network is hosed. In which case your pager has already alerted you to the problem ;^) DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From campbell at cnpapers.com Mon Jul 9 14:56:59 2007 
From: campbell at cnpapers.com (Steve Campbell)
Date: Mon Jul 9 14:57:08 2007
Subject: Commercial scanner clamav timed out!
In-Reply-To:
References: <290316.6797.qm@web54401.mail.yahoo.com>
Message-ID: <46923EAB.2000603@cnpapers.com>

msht wrote:
> Dear Wilson
> did u find any solution for this problem? I'm also having the same sort
> of problem and yet to find any solution.
>
> Rgds.
>

Last week, I was getting tons of DDOS messages and also receiving this message in my logs. I am using an older version of everything as I haven't updated recently. I had just switched to clamavmodule on this machine.

Anyway, I'm not totally sure which resolved the problem, but I switched back to clamav and started mass blocking (in my access file and firewall) the IP ranges that were causing the problem messages. It was all related to timeouts, though, and I have a feeling the suggestions given in prior posts would solve the problem if you can get the timeout long enough to otherwise not cause problems with the delay.

I haven't seen the log messages since.

Steve Campbell

From ugob at lubik.ca Mon Jul 9 16:50:01 2007
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Jul 9 16:50:26 2007
Subject: switching from clamavmodule -> clamd... source?
Message-ID:

Hi,

I'd like to switch from clamavmodule to clamd. I used to use a source-install of clamav. I've read that the easiest way to get clamd running is using dag's RPM. However, a dependency for clamd is clamav and clamav-db. How will that play with my current source install of clamav? Should I move to using exclusively rpm clamav?

Regards,

Ugo

From martinh at solidstatelogic.com Mon Jul 9 16:57:01 2007
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Jul 9 16:57:07 2007 Subject: switching from clamavmodule -> clamd... source? In-Reply-To: Message-ID: <61c1e3b889db9c49b35cbd16af95ae22@solidstatelogic.com> Ugo I just created a new init file for clamd, started that then switched over to clamd in the virus scanners, restarted MS and it was done.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Ugo Bellavance > Sent: 09 July 2007 16:50 > To: mailscanner@lists.mailscanner.info > Subject: switching from clamavmodule -> clamd... source? > > Hi, > > I'd like to switch from clamavmodule to clamd. I used to use a > source-install of clamav. I've read that the easiest way to get clamd > running is using dag's RPM. However, a dependency for clamd is clamav > and clamav-db. How will that play with my current source install of > clamav? Should I move to using exclusively rpm clamav? > > Regards, > > Ugo > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From ugob at lubik.ca Mon Jul 9 16:59:50 2007 From: ugob at lubik.ca (Ugo Bellavance) Date: Mon Jul 9 17:00:15 2007 Subject: switching from clamavmodule -> clamd... source? In-Reply-To: <61c1e3b889db9c49b35cbd16af95ae22@solidstatelogic.com> References: <61c1e3b889db9c49b35cbd16af95ae22@solidstatelogic.com> Message-ID: Martin.Hepworth wrote: > Ugo Hi Martin > I just created a new init file for clamd, started that then switched > over to clamd in the virus scanners, restarted MS and it was done.. Can you publish your script somewhere? I'm running Centos-4. Thanks, Ugo From martinh at solidstatelogic.com Mon Jul 9 17:05:57 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Jul 9 17:06:02 2007 Subject: switching from clamavmodule -> clamd... source? In-Reply-To: Message-ID: <7916e7314ffecf4b930abfba47620357@solidstatelogic.com> Mine is for FreeBSd so will be slightly different as it's using FreeBSD's macros'.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Ugo Bellavance > Sent: 09 July 2007 17:00 > To: mailscanner@lists.mailscanner.info > Subject: Re: switching from clamavmodule -> clamd... source? > > Martin.Hepworth wrote: > > Ugo > > Hi Martin > > > I just created a new init file for clamd, started that then switched > > over to clamd in the virus scanners, restarted MS and it was done.. > > Can you publish your script somewhere? I'm running Centos-4. > > Thanks, > > Ugo > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From ugob at lubik.ca Mon Jul 9 17:17:55 2007
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Jul 9 17:18:10 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To: <7916e7314ffecf4b930abfba47620357@solidstatelogic.com>
References: <7916e7314ffecf4b930abfba47620357@solidstatelogic.com>
Message-ID:

Martin.Hepworth wrote:
> Mine is for FreeBSD so will be slightly different as it's using
> FreeBSD's macros'..

Ok, I didn't think quickly enough... here is the one used by dag's clamd rpm package:

---------------------------
#!/bin/sh
#
# Startup script for the Clam AntiVirus Daemon
#
# chkconfig: 2345 61 39
# description: Clam AntiVirus Daemon is a TCP/IP or socket protocol \
#              server.
# processname: clamd
# pidfile: /var/run/clamav/clamd.pid
# config: /etc/clamav.conf

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

[ -x /usr/sbin/clamd ] || exit 0

# See how we were called.
case "$1" in
  start)
        echo -n "Starting Clam AntiVirus Daemon: "
        daemon clamd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/clamd
        ;;
  stop)
        echo -n "Stopping Clam AntiVirus Daemon: "
        killproc clamd
        rm -f /var/clamav/clamd.socket
        rm -f /var/run/clamav/clamav.pid
        RETVAL=$?
        echo
### heres the fix... we gotta remove the stale files on restart
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/clamd
        ;;
  status)
        status clamd
        RETVAL=$?
        ;;
  restart|reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
  condrestart)
        [ -e /var/lock/subsys/clamd ] && restart
        RETVAL=$?
        ;;
  *)
        echo "Usage: clamd {start|stop|status|restart|reload|condrestart}"
        exit 1
esac

exit $RETVAL

From ugob at lubik.ca Mon Jul 9 17:22:48 2007
From: ugob at lubik.ca (Ugo Bellavance) Date: Mon Jul 9 17:25:08 2007 Subject: switching from clamavmodule -> clamd... source? In-Reply-To: References: Message-ID: Ugo Bellavance wrote: > Hi, > > I'd like to switch from clamavmodule to clamd. I used to use a > source-install of clamav. I've read that the easiest way to get clamd > running is using dag's RPM. However, a dependency for clamd is clamav > and clamav-db. How will that play with my current source install of > clamav? Should I move to using exclusively rpm clamav? It looks like the source install is overwritten by the RPM. This answers my question... Ugo From MailScanner at ecs.soton.ac.uk Mon Jul 9 17:48:20 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 9 17:52:56 2007 Subject: switching from clamavmodule -> clamd... source? In-Reply-To: References: Message-ID: <469266D4.7060405@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Ugo Bellavance wrote: > Ugo Bellavance wrote: >> Hi, >> >> I'd like to switch from clamavmodule to clamd. I used to use a >> source-install of clamav. I've read that the easiest way to get >> clamd running is using dag's RPM. However, a dependency for clamd is >> clamav and clamav-db. How will that play with my current source >> install of clamav? Should I move to using exclusively rpm clamav? > > > > It looks like the source install is overwritten by the RPM. This > answers my question... The source install by default goes in /usr/local, while the RPMs most often go into /usr/bin, /etc and so on. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGkmbUEfZZRxQVtlQRAp8yAKDAm6L3ET3tic9As/LLmIWSLgLd2QCeIsp2 XPTytOUB9uskRYbU6Q4YT5U= =bz7B -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From jan-peter at koopmann.eu Mon Jul 9 18:20:54 2007 
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Mon Jul 9 18:20:17 2007
Subject: Phishing fraud bug?
Message-ID:

Hi,

I think there is a strange bug in the phishing detection. Look at this
E-Mail Body snippet (taken from Exim queue file):

1I7otX-000FTi-7d-D
This is a multi-part message in MIME format.

------_=_NextPart_001_01C7C205.D495F46E
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hallo Herr Koopmann,


--
Test AG
http://www.test.de

Vorstand: Alexander Test
Aufsichtsratvorsitzender: Claudius Test


This is what I get after MailScanner has finished:

MailScanner has detected a possible fraud attempt from
"www.test.devorstand" claiming to be http://www.test.de


Somehow MailScanner does not see that the URL is "http://www.test.de"
only. I can provide the complete Exim-Queue files for download in case
you need them Jules.


Kind regards,
JP

From mc.mailscanner at clayreed.com Mon Jul 9 18:42:49 2007
From: mc.mailscanner at clayreed.com (Martin Clayton)
Date: Mon Jul 9 18:42:57 2007
Subject: Phishing rules - url syntax
Message-ID:

Hi,

I'm trying to help someone out here:
http://forum.mailtraq.com/viewtopic.php?f=7&t=832

Replies to some of his messages are showing:

| MailScanner has detected a possible fraud attempt from
| "www.mailtraqdirect.co.uk" claiming to be (the rest of
| the message is missing in the reply e-mail)

He's using a free version of the Mailtraq MTA
http://www.mailtraq.com/ which appends the following text
to all email messages:

| ______________________________________________________________
| Email via Mailtraq4Free from Enstar (www.mailtraqdirect.co.uk)

... or as text/html:

| Test

| Email via Mailtraq4Free from Enstar (www.mailtraqdirect.co.uk)

Is it possible that the url syntax is triggering the alert, or is the
decision based on other factors (message headers, dns lookups...)?

Any pointers, much appreciated.

Cheers,
Martin

From MailScanner at ecs.soton.ac.uk Mon Jul 9 18:40:39 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 9 18:43:34 2007
Subject: Phishing fraud bug?
In-Reply-To:
References:
Message-ID: <46927317.1010807@ecs.soton.ac.uk>

I remove all whitespace in the link text fairly early on in the
process.
I do this as it could be quite possible to make a link look like
something else by putting it at the end of a long line and inserting a
line-break in the middle of it, appearing just like word-wrapping.

So it sees
http://www.test.devorstand:
which is valid except there isn't a number after the ":". I might be
able to do something about this, but certainly no promises. It's
difficult to put the whitespace back in after you've taken it out :-(

Koopmann, Jan-Peter wrote:
> Hi,
>
> I think there is a strange bug in the phishing detection. Look at this
> E-Mail Body snippet (taken from Exim queue file):
>
> 1I7otX-000FTi-7d-D
> This is a multi-part message in MIME format.
>
> ------_=_NextPart_001_01C7C205.D495F46E
> Content-Type: text/plain;
>         charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> Hallo Herr Koopmann,
>
>
> --
> Test AG
> http://www.test.de
>
> Vorstand: Alexander Test
> Aufsichtsratvorsitzender: Claudius Test
>
>
> This is what I get after MailScanner has finished:
>
> MailScanner has detected a possible fraud attempt from
> "www.test.devorstand" claiming to be http://www.test.de
>
>
> Somehow MailScanner does not see that the URL is "http://www.test.de"
> only. I can provide the complete Exim-Queue files for download in case
> you need them Jules.
>
>
> Kind regards,
> JP
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From johnnyb at marlboro.edu Mon Jul 9 18:56:21 2007
From: johnnyb at marlboro.edu (John Baker)
Date: Mon Jul 9 18:56:22 2007
Subject: a clarification for Ignore Spam Whitelist rule
Message-ID: <469276C5.1040303@marlboro.edu>

Hello

An organization who rents space from us over the summer had somebody
unwittingly send out a mass mail with, I'm told, some 1000 recipients
under To: rather than Bcc: This got tagged by our mailscanner. I need
to be sure that none of our own bulk mail out ever gets ignored by the
whitelist.

I saw this in the log:

ignored whitelist, had 50 recipients (>20)

In my MailScanner.conf this is set to the default:

Ignore Spam Whitelist If Recipients Exceed = 20

So I'm looking for two points of clarification here if anyone can help.

1: Does this rule only trigger if the recipients are in the To: field
and ignore recipients in the Cc: or Bcc: fields?

2: where does the 50 come from here? Is it just how many postfix or
mailscanner would consider at a time?

Thanks

--
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 off campus; 551 on campus

From holger at noefer.org Mon Jul 9 19:33:15 2007
From: holger at noefer.org (Holger Nöfer)
Date: Mon Jul 9 19:33:22 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <000901c7c210$8d1f4310$a75dc930$@dk>
References: <000901c7c210$8d1f4310$a75dc930$@dk>
Message-ID: <46927F6B.4020502@noefer.org>

Hi,

for the monitoring of my server I use hobbit. It has very nice plugins.
If you use hobbit you have a hobbit-server (Monitoring server) and a
hobbit-client (e.g. Mailserver). The Server does some checks from the
server side and the client reports some values, like cpu load, disk
usage, inodes, mailq items, mailq size and so on. On both sides, server
and client, you can create your own scripts which can monitor your
system. At the server side you can connect a gsm modem to the server to
notify an admin if the server has some problems or you can use emails
to notify them.

It is very nice ;-)

Best regards,
Holger

Jonas A. Larsen wrote:
> Hello all
>
> I have a problem, and discussing it on the irc channel didn't turn up
> any obvious solution.
>
> Say you have more than 1 MS box scanning mails for a specific domain.
> They are load balanced in some way, so the load is split over the servers.
>
> Now let's say one of the servers has a problem. Not a fatal problem, so
> the server is still running (responds to pings etc) port 25 is still
> open, and exim (the mta in my case) still accepts mails.
>
> But for some reason, crash, corrupt config, full root fs etc. the
> process of moving mails from the incoming queue to the outgoing queue is
> not working.
>
> What I am interested in, is a system to alert me of such a problem
> automatically.
>
> Currently the only thing, besides clients noticing mail being delayed,
> is for me to look at my mailscanner-mrtg graphs for the incoming queue
> and notice that it's growing.
>
> One method of doing all this automatically that we came up with, would
> be some complex system that would work as follows:
>
> You create a domain for each MailScanner, that only that MailScanner
> scans for.
>
> You then create an imap account on another system for each of the domains.
>
> You then create a script that sends a mail to each of the accounts and
> after X amount of minutes check to see if the mail has arrived on the
> imap account. If yes, delete the mail and do the same thing again after
> Y amount of minutes (a cron job), if it doesn't exist something must be
> wrong with the mailflow, either its interrupted or is experiencing delays.
>
> Does anybody have a better idea or know of something that can do this already?
>
> My root file system ran full last week, and it caused mails to still be
> accepted (incoming is on /var on another disk) but MS was frozen because
> it couldn't extract attachments to /tmp which was full because it was on
> the same disk as the root fs.
>
> I hope I have made the above somewhat clear, if not please ask me to
> clarify.
>
> *Med venlig hilsen / Best regards*
>
> *Jonas Akrouh Larsen*
>
> TechBiz ApS
> Laplandsgade 4, 2. sal
> 2300 København S
>
> Office: 7020 0979
> Direct: 33369974
> Fax: 7020 0978
> Mobile: 51201096
> Web: www.techbiz.dk
>

From glenn.steen at gmail.com Mon Jul 9 20:32:37 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Jul 9 20:32:40 2007
Subject: Filename rule question
In-Reply-To: <4691EC0A.3040209@ti-edu.ch>
References: <468A6663.8010907@ti-edu.ch> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> <468CACEF.30202@ti-edu.ch> <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> <468CDC23.7000500@ti-edu.ch> <223f97700707051316y462cffd5ka6ce8064d614350f@mail.gmail.com> <468E09B6.10605@ti-edu.ch> <223f97700707060540n7c7b022eye5700536d480541c@mail.gmail.com> <4691EC0A.3040209@ti-edu.ch>
Message-ID: <223f97700707091232q691a2277i75715cfe09c3be94@mail.gmail.com>

Good. . . I'm on vacation too;).

On 09/07/07, Marco Induni wrote:
> Glenn Steen wrote:
> > On 06/07/07, Marco Induni wrote:
> >> Glenn Steen wrote:
> > (snip)
> >> >>
> >> >>
> >> > To my tired eyes that doesn't look that bad... More's the pity...
> >> Hope now you eyes are better
> > :-)
> >
> >> > Seems you don't install SA and Clamav by way of Jules easy package (or
> >> > else a lot more of the optional modules would be there)... Hm... One
> >> > could start installing those, of course, but I don't see them having
> >> > an effect.
> >> In fact, we use uvscan(mcafee) and sometime clamav AV, but they are
> >> installed apart (SA via CPAN / clamav make /make install)
> > Ok. I don't think you need remove/reinstall with Jules package... It
> > does more or less those, and then adds a lot of perl modules to make
> > Mail::ClamAV happy. Would be passing strange if that had any impact on
> > this problem.
> >
> >> > You did say that restoring the default filename/filetype
> >> > rules files and reloading/restarting MailScanner didn't have any
> >> > effect either? Most strange.
> >> Yes, it is so.
> >
> > This makes me think there is something seriously wrong here... And
> > perhaps not _directly_ related to the rule file used... Unless of
> > course the files aren't readable or something strange like that...
> > Nah, probably not.
> >
> >> > How did you install the MIME::* packages? Via jules installer or via
> >> > distro or CPAN?
> >> Via jules. I've installed the new version a couple of days ago.
> >>
> > You could try reinstall them (force them from CPAN or something), just
> > to see that they build/install OK...
> > Apart from this, you don't see any strange log entries in the normal
> > syslog? We really need to get a handle on what is going bonkers here.
> > Cheers
> Glenn,
> I'm on vacation. I will do it all the test starting from 24 of july.
> So I will not bother you for 2 weeks ;-)
>
> Cheers
> Marco
>

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jan-peter at koopmann.eu Mon Jul 9 20:38:39 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Mon Jul 9 20:38:01 2007
Subject: Phishing fraud bug?
In-Reply-To:
References:
Message-ID:

Hi Jules,

> I remove all whitespace in the link text fairly early on in the
> process.
> I do this as it could be quite possible to make a link look like
> something else by putting it at the end of a long line and inserting a
> line-break in the middle of it, appearing just like word-wrapping.

But a newline character or similar would not be interpreted as part of
the link by the MUA, would it? So clicking such a construct would not do
any harm. Of course the user could always mark the entire seemingly link
and copy&paste it in the browser. Hard to cover that.

> So it sees
> http://www.test.devorstand:
> which is valid except there isn't a number after the ":". I might be
> able to do something about this, but certainly no promises. It's
> difficult to put the whitespace back in after you've taken it out :-(

Hm. This will result in quite some false positives and already has. Due
to a "new" German law all B2B e-mails in Germany need a legitimate
disclaimer stating all sorts of information. While the home-page URL is
voluntary, most of the companies will state it in the footer followed by
additional information just as I quoted. All of them will be scrambled
by MailScanner.

Not sure how to solve this problem. Any ideas?

Regards,
JP

From MailScanner at ecs.soton.ac.uk Mon Jul 9 21:04:33 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 9 21:07:32 2007
Subject: a clarification for Ignore Spam Whitelist rule
In-Reply-To: <469276C5.1040303@marlboro.edu>
References: <469276C5.1040303@marlboro.edu>
Message-ID: <469294D1.6090409@ecs.soton.ac.uk>

John Baker wrote:
> Hello
>
> An organization who rents space from us over the summer had somebody
> unwittingly send out a mass mail with, I'm told, some 1000 recipients
> under To: rather than Bcc: This got tagged by our mailscanner. I need
> to be sure that none of our own bulk mail out ever gets ignored by the
> whitelist.
>
> I saw this in the log:
>
> ignored whitelist, had 50 recipients (>20)
>
> In my MailScanner.conf this is set to the default:
>
> Ignore Spam Whitelist If Recipients Exceed = 20
>
> So I'm looking for two points of clarification here if anyone can help.
>
> 1: Does this rule only trigger if the recipients are in the To: field
> and ignore recipients in the Cc: or Bcc: fields?

It counts recipients, it doesn't look in the headers. So no, it does not
specifically ignore recipients in the Cc: or Bcc: fields.

>
> 2: where does the 50 come from here? Is it just how many postfix or
> mailscanner would consider at a time?

Yes.

>
> Thanks

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From MailScanner at ecs.soton.ac.uk Mon Jul 9 21:08:50 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 9 21:11:47 2007
Subject: Phishing fraud bug?
In-Reply-To:
References:
Message-ID: <469295D2.1070904@ecs.soton.ac.uk>

Koopmann, Jan-Peter wrote:
> Hi Jules,
>
>> I remove all whitespace in the link text fairly early on in the
>> process.
>> I do this as it could be quite possible to make a link look like
>> something else by putting it at the end of a long line and inserting a
>> line-break in the middle of it, appearing just like word-wrapping.
>>
>
> But a newline character or similar would not be interpreted as part of
> the link by the MUA, would it? So clicking such a construct would not do
> any harm. Of course the user could always mark the entire seemingly link
> and copy&paste it in the browser. Hard to cover that.
>

What about this simple HTML?

http://www.nice.co
.uk/

That would look like a word-wrapped link to www.nice.co.uk but would
actually be a link to www.nasty.co.uk. I believe that's what I'm trying
to cover.

>
>> So it sees
>> http://www.test.devorstand:
>> which is valid except there isn't a number after the ":". I might be
>> able to do something about this, but certainly no promises. It's
>> difficult to put the whitespace back in after you've taken it out :-(
>>
>
> Hm. This will result in quite some false positives and already has. Due
> to a "new" German law all B2B e-mails in Germany need a legitimate
> disclaimer stating all sorts of information. While the home-page URL is
> voluntary, most of the companies will state it in the footer followed by
> additional information just as I quoted. All of them will be scrambled
> by MailScanner.
>
> Not sure how to solve this problem. Any ideas?
>

Not immediately, no. It's impossible to make the phishing net perfect.
It's a very heuristic piece of code. Though if you fancy looking at the
code and suggesting improvements, they are very welcome. It is
documented fairly well at www.phishingnet.info.

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From gordon at itnt.co.za Mon Jul 9 21:11:57 2007
From: gordon at itnt.co.za (Gordon Colyn)
Date: Mon Jul 9 21:12:21 2007
Subject: How to monitor the health of the MailScanner architecture
References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local>
Message-ID: <01d201c7c265$67a4af80$6503a8c0@gordon>

Skipped content of type multipart/alternative
-------------- next part --------------
#!/usr/bin/php -q
<?php
// Settings used below. The values are placeholders: this part of the
// script is not present in the archived copy of the attachment.
$mySERVER = "localhost";
$myUSER   = "dbuser";
$myPASS   = "dbpass";
$myDB     = "mailq";
$mailto   = "postmaster@example.com";
$inlimit  = 100;  // alert when the inbound count exceeds this
$outlimit = 100;  // alert when the outbound count exceeds this
// Define $silent (any value) to suppress the progress output.

// The mysql_* functions below were removed in PHP 7.0; on a current PHP
// they have to be ported to mysqli.
if(isset($silent)){
    //Do not say anything, keep headers clean
}else{
    echo "Verifying Stateful Database Connection...";
}
$link = mysql_connect($mySERVER, $myUSER, $myPASS)
    or die("Database Connection Check FAILED: " . mysql_error());
if(isset($silent)){
    //Do not say anything, keep headers clean
}else{
    echo "OK";
    echo "\nVerifying Database Integrity...";
}
mysql_select_db($myDB)
    or die("Database Integrity Check FAILED: " . mysql_error());
if(isset($silent)){
    //Do not say anything, keep headers clean
}else{
    echo "OK";
}
//DATABASE CONNECTION BUILT

// Row counts of the tables that mirror the incoming and outgoing queues.
$inq = mysql_result(mysql_query("SELECT COUNT(*) FROM inq"),0);
$outq = mysql_result(mysql_query("SELECT COUNT(*) FROM outq"),0);
#$outq2 = mysql_result(mysql_query("SELECT COUNT(*) FROM outq2"),0);
#$outq3 = mysql_result(mysql_query("SELECT COUNT(*) FROM outq3"),0);
#$outq4 = mysql_result(mysql_query("SELECT COUNT(*) FROM outq4"),0);
#$outq5 = mysql_result(mysql_query("SELECT COUNT(*) FROM outq5"),0);

//echo "\nIncoming: " . $inq . "\n";
//echo "Outgoing: " . $outq . "\n";

$mailme = 0;
$mailsubject = "Relay MailQ Alert: ";
if($inq > $inlimit){
    $mailme = 1;
    $mailsubject = $mailsubject . "Inbound Queue";
}

$outerror=0;
if($outq > $outlimit){ $outerror=1; }
// The extra outbound queues are disabled above, so their checks are too.
#if($outq2 > $outlimit2){ $outerror=1; }
#if($outq3 > $outlimit3){ $outerror=1; }
#if($outq4 > $outlimit4){ $outerror=1; }
#if($outq5 > $outlimit5){ $outerror=1; }
if($outerror==1){
    if($mailme == 1){
        $mailsubject = $mailsubject . " & ";
    }
    $mailme = 1;
    $mailsubject = $mailsubject . "OutBound Queue";
}

if($mailme == 1){
    //send report
    //echo "\nReport\n";
    $mailsubject = $mailsubject . " Limits Exceeded";
    $mailbody = "Status \r\nInbound: " . $inq . "\r\nOutbound: " . $outq . /*"\r\nOutbound 2: " . $outq2 . " \r\nOutbound 3: " . $outq3 . " \r\nOutbound 4: " . $outq4 . "\r\nOutbound 5: " . $outq5 . */"\r\n\r\n This report was generated by an automated script, please do not reply to this address \r\n";
    //echo "\nSubject: " . $mailsubject . "\n";
    //echo "\nBody: " . $mailbody . "\n";
    mail($mailto,$mailsubject,$mailbody);
}else{
    //no report
    //echo "\nno report\n";
}
?>

From philippe at beau.nom.fr Mon Jul 9 21:52:49 2007
From: philippe at beau.nom.fr (Philippe BEAU)
Date: Mon Jul 9 21:53:03 2007
Subject: Tag some mails and send to quarantine others ..
Message-ID: <000601c7c26b$1cb176b0$64fefe0a@beauhqlo3ihx4g>

Hello all,

I've a Mailscanner gateway which is working very well. I would like to make
some tweaks. Also, for the moment, the mails are tagged with a subject like
"SPAM?". I would like for some domains only to delete the spam directly.

Can anyone tell me if I can do this with a ruleset?

Best regards and thanks

Philippe,

From jase at sensis.com Mon Jul 9 21:57:54 2007
From: jase at sensis.com (Desai, Jason)
Date: Mon Jul 9 21:58:28 2007
Subject: HOWTO: Adding extra rulesets to SpamAssassin
In-Reply-To: <4691372E.4060709@ecs.soton.ac.uk>
Message-ID: <1951DC816E1A9F469307B05FA183F4389DC758@corpatsmail1.corp.sensis.com>

You may also wish to

rm -f /etc/mail/spamassassin/tripwire.cf

Jase

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Julian Field
> Sent: Sunday, July 08, 2007 3:13 PM
> To: MailScanner discussion
> Subject: HOWTO: Adding extra rulesets to SpamAssassin
>
> I thought I would write this up as a little HOWTO on using the
> SpamAssassin-recommended approach without having to use
> RulesDuJour at all.
>
> Firstly disable RulesDuJour
> chmod -x /etc/cron/daily/rules_du_jour_wrapper
> Now it won't run every night.
>
> Next, delete all the rulesets downloaded by RulesDuJour, as
> we're going
> to use sa-update to get them instead. We don't want 2 copies of the
> rulesets.
> rm -f /etc/mail/spamassassin/*sare*cf
> rm -rf /etc/mail/spamassassin/RulesDuJour
>
> Create a file for your list of SpamAssassin 'channels' including the
> default set. Attached is a file to drop into
> /etc/mail/spamassassin/jkf-channel-list.txt. Note that this is my
> *personal* set of SARE rules that I use on my servers. I
> strongly advise
> you go to www.rulesemporium.com and read the descriptions of all the
> rulesets and adapt the file to your own personal requirements.
>
> Next we need to add a PGP key to SpamAssassin's update
> method. This is a
> condensed version of
> http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt.
> wget http://daryl.dostech.ca/sa-update/sare/GPG.KEY
> sa-update --import GPG.KEY
>
> Next we need to add some command-line arguments to the call
> to sa-update.
>
> If you are using MailScanner 4.62.2 or later (which I'm just about to
> publish) then edit /etc/sysconfig/MailScanner and edit the
> definition of
> SAUPDATEARGS to say
> SAUPDATEARGS="-D --channelfile
> /etc/mail/spamassassin/jkf-channel-list.txt --gpgkey 856AA88A"
> (That should all be on one line of course)
> Once you are happy everything is working, remove the "-D" and it will
> run a lot more quietly.
>
> If you are using MailScanner 4.62.1 or earlier, then edit
> /etc/cron.daily/sa-update and/or /etc/cron.daily/update_spamassassin
> and/or /usr/sbin/update_spamassassin to make sure the call to
> $SAUPDATE
> says this:
> $SAUPDATE -D --channelfile
> /etc/mail/spamassassin/jkf-channel-list.txt
> --gpgkey 856AA88A
> (That should all be on one line of course)
> Once you are happy everything is working, remove the "-D" and it will
> run a lot more quietly.
>
> That concludes the main bit of this.
>
> However, there is one extra ruleset which you might like to try. I've
> got it going and it appears to work pretty well. Attached to this
> message is a file KAM.cf.sh which you should put into
> /etc/cron.daily/KAM.cf.sh and make it executable:
> chmod +x /etc/cron.daily/KAM.cf.sh
> Run it once to get the initial copy of the ruleset file. It
> will keep a
> backup copy of the KAM.cf ruleset in KAM.cf.backup, which it
> will use if
> it can't download KAM.cf correctly later.
>
> That's about it.
> I hope this improves the effectiveness of your spam checking.
>
> Jules
>
> --
> Julian Field MEng CITP
> www.MailScanner.info
>

From smlists at shaw.ca Mon Jul 9 22:03:35 2007
From: smlists at shaw.ca (Steve Mason)
Date: Mon Jul 9 22:04:39 2007
Subject: Does Install-Clam upgrade Spamassassin?
In-Reply-To: <469276C5.1040303@marlboro.edu>
References: <469276C5.1040303@marlboro.edu>
Message-ID: <000601c7c26c$a1296690$1424010a@mcscore>

Hi all. Whilst changing over to sa-update from rules_du_jour, I seem to
have hosed my spamassassin.

Should install-Clam-0.90.3-SA-3.2.1 upgrade my spamassassin from 3.1.9 to
3.2.1?

I ran it, and now I have a /var/lib/spamassassin/3.002.001 but spamassassin
--version returns 3.1.9 and --lint coughs up a lot of errors now.

Steve

From lists at jfworks.net Mon Jul 9 22:07:24 2007
From: lists at jfworks.net (James)
Date: Mon Jul 9 22:07:36 2007
Subject: Beta release: 4.62.2
In-Reply-To: <469139C6.1080002@ecs.soton.ac.uk>
References: <469139C6.1080002@ecs.soton.ac.uk>
Message-ID: <4692A38C.7090101@jfworks.net>

Julian Field wrote:
> I have just released a new beta to support the SAUPDATEARGS setting in
> /etc/MailScanner/sysconfig for easy implementation of the HOWTO I just
> published on adding extra rulesets to SpamAssassin without having to use
> RulesDuJour.
>
> The full Change Log is this:
>
> * New Features and Improvements *
> 1 Improved non-Linux installer.
> 1 Improved Linux installer.
> 1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this.
> 1 Upgraded MIME::Base64 to 3.07.
> 1 Improved error reporting for clamd permissions problems. Thanks Rick.
> 2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and
> /usr/sbin/update_spamassassin. For a good use of this, see
> http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt and search
> for "HOWTO" in the Subject: line of the MailScanner-discussion list
> archive.
> This process replaces RulesDuJour entirely.
> Another good ruleset to add to your setup is
> http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
> To download this automatically every night, fetch
> http://www.mailscanner.info/files/4/KAM.cf.sh and put it in
> /etc/cron.daily
> and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh").
>
> Jules
>

Installed and working fine :) The directions you had posted regarding
sa-update were helpful, thanks.
My question is this: In the /etc/cron.daily/update_spamassassin script
there is a comment about the default behavior and that it can cause
problems if implemented. Is there any reason that I should not enable
this script as I do want the daily updates via sa-update? Should I make
my own cron for this then?

Thanks,
James

From MailScanner at ecs.soton.ac.uk Mon Jul 9 22:05:14 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 9 22:07:46 2007
Subject: Tag some mails and send to quarantine others ..
In-Reply-To: <000601c7c26b$1cb176b0$64fefe0a@beauhqlo3ihx4g>
References: <000601c7c26b$1cb176b0$64fefe0a@beauhqlo3ihx4g>
Message-ID: <4692A30A.8080706@ecs.soton.ac.uk>

Yes, you can do this with a ruleset. Ruleset example number 32767.... :-)

In MailScanner.conf, put something like
    Spam Actions = %rules-dir%/spam.actions.rules
    High Scoring Spam Actions = %rules-dir%/spam.actions.rules
(You can of course make these point to different ruleset files if you
want different actions for normal spam and high-scoring spam)

In /etc/MailScanner/rules/spam.actions.rules put lines like
    To: domain1.com store
    To: domain2.com deliver
    To: domain3.com deliver attachment store
which will do different things for mail to the 3 example domains.

Then just
    service MailScanner reload
and it will reload the new configuration and take actions based on it.

Philippe BEAU wrote:
> Hello all,
>
> I've a Mailscanner gateway which is working very well. I would like to make
> some tweaks. Also, for the moment, the mails are tagged with a subject like
> "SPAM?". I would like for some domains only to delete the spam directly.
>
> Can anyone tell me if I can do this with a ruleset?
>
> Best regards and thanks
>
> Philippe,
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From MailScanner at ecs.soton.ac.uk Mon Jul 9 22:18:22 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 9 22:21:18 2007
Subject: Does Install-Clam upgrade Spamassassin?
In-Reply-To: <000601c7c26c$a1296690$1424010a@mcscore>
References: <469276C5.1040303@marlboro.edu> <000601c7c26c$a1296690$1424010a@mcscore>
Message-ID: <4692A61E.2070908@ecs.soton.ac.uk>

Steve Mason wrote:
> Hi all. Whilst changing over to sa-update from rules_du_jour, I seem to
> have hosed my spamassassin.
>
> Should install-Clam-0.90.3-SA-3.2.1 upgrade my spamassassin from 3.1.9 to
> 3.2.1?
>

Yes. But not if your SpamAssassin was installed via RPM.

> I ran it, and now I have a /var/lib/spamassassin/3.002.001 but spamassassin
> --version returns 3.1.9 and --lint coughs up a lot of errors now.
>

You probably have an RPM version of spamassassin installed as well.
    rpm -e spamassassin
and then reinstall the latest spamassassin from my package.

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From MailScanner at ecs.soton.ac.uk Mon Jul 9 22:20:34 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 9 22:24:33 2007
Subject: Beta release: 4.62.2
In-Reply-To: <4692A38C.7090101@jfworks.net>
References: <469139C6.1080002@ecs.soton.ac.uk> <4692A38C.7090101@jfworks.net>
Message-ID: <4692A6A2.7020605@ecs.soton.ac.uk>

James wrote:
> Julian Field wrote:
>> I have just released a new beta to support the SAUPDATEARGS setting
>> in /etc/MailScanner/sysconfig for easy implementation of the HOWTO I
>> just published on adding extra rulesets to SpamAssassin without
>> having to use RulesDuJour.
>>
>> The full Change Log is this:
>>
>> * New Features and Improvements *
>> 1 Improved non-Linux installer.
>> 1 Improved Linux installer.
>> 1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this.
>> 1 Upgraded MIME::Base64 to 3.07.
>> 1 Improved error reporting for clamd permissions problems. Thanks Rick.
>> 2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and
>> /usr/sbin/update_spamassassin. For a good use of this, see
>> http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt and
>> search
>> for "HOWTO" in the Subject: line of the MailScanner-discussion list
>> archive.
>> This process replaces RulesDuJour entirely.
>> Another good ruleset to add to your setup is
>> http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
>> To download this automatically every night, fetch
>> http://www.mailscanner.info/files/4/KAM.cf.sh and put it in
>> /etc/cron.daily
>> and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh").
>>
>> Jules
>>
> Installed and working fine :) The directions you had posted regarding
> sa-update were helpful, thanks.
> My question is this: In the /etc/cron.daily/update_spamassassin script
> there is a comment about the default
> behavior and that it can cause problems if implemented. Is there any
> reason that I should not enable this script as I do want the
> daily updates via sa-update? Should I make my own cron for this then?

Sorry, that comment is rather out of date now. I'll remove it. It's
quite safe these days, the problems were from the first release of
SpamAssassin's sa-update program.

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From smlists at shaw.ca Mon Jul 9 22:33:28 2007
From: smlists at shaw.ca (Steve Mason)
Date: Mon Jul 9 22:34:25 2007
Subject: Does Install-Clam upgrade Spamassassin?
In-Reply-To: <4692A61E.2070908@ecs.soton.ac.uk>
References: <469276C5.1040303@marlboro.edu> <000601c7c26c$a1296690$1424010a@mcscore> <4692A61E.2070908@ecs.soton.ac.uk>
Message-ID: <000701c7c270$c9db8100$1424010a@mcscore>

>
>Yes. But not if your SpamAssassin was installed via RPM.
>You probably have an RPM version of spamassassin installed as well.
> rpm -e spamassassin
>and then reinstall the latest spamassassin from my package.

D'oh!! Of course. Thanks!

From glenn.steen at gmail.com Mon Jul 9 22:52:39 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Jul 9 22:52:41 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <002001c7c219$4d475580$e7d60080$@dk>
References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local> <002001c7c219$4d475580$e7d60080$@dk>
Message-ID: <223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com>

On 09/07/07, Jonas A. Larsen wrote:
> Hi Alistair and Gareth too.
>
> I have used nagios for many years. However if you read my mail again, I
> specifically don't need to know the queue size or the status of the MTA,
> none of those can give you a definitive answer about whether or not mail
> flow is working, I need something that can check if mail is flowing and if
> it's delayed.
>
Um, just script up a snippet that sends a mail through to a service account (use telnet with expect, or perl or whatever... Make that sending snippet a function/sub/procedure and let it take an argument servername, then loop through the list of servers.... You know what to do:-), then use an automated MUA in the same script (whatever you need) to check that it is received within a reasonable time... Nail within an expect script would be nice for that last bit ... How hard can it be:-):-).
You'd have to keep an eye on reasonable timing, and think through how to report errors...
Could probably be incorporated as a testscript into any monitoring app... Or run from cron with some reasonable regularity.
Should be fairly easy to write up ... But I'm on vacation, so you do it yourself;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jan-peter at koopmann.eu Tue Jul 10 09:19:10 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Tue Jul 10 09:18:31 2007
Subject: Phishing fraud bug?
In-Reply-To:
References:
Message-ID:

Forget it. Looks like the link provided in the footer was wrong in the first place. Plain-Text is working like a charm. False alarm. Terribly sorry.

Regards,
JP

From jonas at vrt.dk Tue Jul 10 11:35:26 2007
From: jonas at vrt.dk (Jonas A. Larsen)
Date: Tue Jul 10 11:35:31 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com>
References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local> <002001c7c219$4d475580$e7d60080$@dk> <223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com>
Message-ID: <001e01c7c2de$074aa850$15dff8f0$@dk>

Hi Glenn

> Um, just script up a snippet that sends a mail through to a service
> account (use telnet with expect, or perl or whatever... Make that
> sending snippet a function/sub/procedure and let it take an argument
> servername, then loop through the list of servers.... You know what to
> do:-), then use an automated MUA in the same script (whatever you
> need) to check that it is received within a reasonable time... Nail
> within an expect script would be nice for that last bit ... How hard
> can it be:-):-).
> You'd have to keep an eye on reasonable timing, and think through how
> to report errors...
> Could probably be incorporated as a testscript into any monitoring
> app... Or run from cron with some reasonable regularity.
> Should be fairly easy to write up ... But I'm on vacation, so you do
> it yourself;-).
>

This is precisely what is needed :) regarding the "fairly easy to write up" I guess that depends on how elite coding scripting skills you have and how much time you got :)

We currently got it running using a freeware windows monitoring tool, that had this precise check. I was just looking for something that already existed and general comments. (because I'm a lazy boy)

People seem to have misunderstood it a bit since they are recommending generic monitoring solutions. Neither nagios, bigbrother or others have the above solution. I actually think munin had something but it would have to be re-scripted to be useable (assuming I don't want to run munin)

I do find it odd though, that more or less nobody appears to be monitoring their mail systems in this way. I still say it's the only way to be 100% if your system is functioning or not. Checking the mta daemon, mailscanner daemon, queue sizes etc. are all not a perfect way to check if the mailscanning process is functioning.

Cheers

Med venlig hilsen / Best regards
Jonas Akrouh Larsen

TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S

Office: 7020 0979
Direct: 33369974
Fax: 7020 0978
Mobile: 51201096
Web: www.techbiz.dk.

From theodrake at comcast.net Tue Jul 10 14:25:54 2007
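The probe described in this thread (send a message through each server to a service account, then confirm it arrives within a reasonable time), written out as an added example; it is not code from any list member. Host names, addresses, thresholds and function names are assumptions, and POP3 over TLS stands in for the "automated MUA".

```python
import email
import poplib
import smtplib
import time
import uuid
from email.message import EmailMessage
from email.utils import formatdate, make_msgid


def build_probe(sender, recipient, server):
    """Return (token, message); the random token makes every probe unique."""
    token = uuid.uuid4().hex
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid(domain=sender.rpartition("@")[2])
    msg["Subject"] = f"mailflow-probe {server} {token}"
    msg.set_content("End-to-end mail flow probe. Safe to delete.\n")
    return token, msg


def smtp_send(server, msg, port=25):
    """Hand the probe to one scanning server over SMTP."""
    with smtplib.SMTP(server, port, timeout=30) as smtp:
        smtp.send_message(msg)


def pop3_subjects(host, user, password):
    """Return the Subject header of every message in the service mailbox."""
    box = poplib.POP3_SSL(host, timeout=30)
    try:
        box.user(user)
        box.pass_(password)
        subjects = []
        for i in range(1, len(box.list()[1]) + 1):
            header = b"\n".join(box.top(i, 0)[1])  # headers only, no body
            subjects.append(str(email.message_from_bytes(header)["Subject"] or ""))
        return subjects
    finally:
        box.quit()


def check_flow(server, sender, recipient, send, fetch_subjects,
               warn_after=60, give_up_after=300, poll=15,
               clock=time.monotonic, sleep=time.sleep):
    """Send one probe through `server` and wait for it in the mailbox.

    `send(server, msg)` and `fetch_subjects()` are passed in so the same
    logic runs against smtp_send/pop3_subjects or against test doubles.
    Status is OK, DELAYED, NOT_DELIVERED, SEND_FAILED or MAILBOX_ERROR.
    """
    token, msg = build_probe(sender, recipient, server)
    result = {"server": server, "status": None, "delay": None, "detail": ""}
    started = clock()
    try:
        send(server, msg)
    except (OSError, smtplib.SMTPException) as exc:
        result.update(status="SEND_FAILED", detail=str(exc))
        return result
    while True:
        result["delay"] = clock() - started
        try:
            arrived = any(token in subject for subject in fetch_subjects())
        except (OSError, poplib.error_proto) as exc:
            result.update(status="MAILBOX_ERROR", detail=str(exc))
            return result
        if arrived:
            result["status"] = "OK" if result["delay"] <= warn_after else "DELAYED"
            return result
        if result["delay"] >= give_up_after:
            result["status"] = "NOT_DELIVERED"
            return result
        sleep(poll)


def check_all(servers, sender, recipient, send, fetch_subjects, **timing):
    """Loop over the list of servers; one result dict per server."""
    return [check_flow(s, sender, recipient, send, fetch_subjects, **timing)
            for s in servers]
```

Run from cron or wrapped as a monitoring plugin, anything other than OK is the alert condition; the service mailbox needs periodic cleanup because the probes are left in place.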
From: theodrake at comcast.net (Ed Bruce)
Date: Tue Jul 10 14:26:02 2007
Subject: Beta release: 4.62.2
In-Reply-To: <4692A6A2.7020605@ecs.soton.ac.uk>
References: <469139C6.1080002@ecs.soton.ac.uk> <4692A38C.7090101@jfworks.net> <4692A6A2.7020605@ecs.soton.ac.uk>
Message-ID: <469388E2.6060402@comcast.net>

Julian Field wrote:
> James wrote:
> > Julian Field wrote:
> >> I have just released a new beta to support the SAUPDATEARGS setting
> >> in /etc/MailScanner/sysconfig for easy implementation of the HOWTO I
> >> just published on adding extra rulesets to SpamAssassin without
> >> having to use RulesDuJour.
> >>
> >> The full Change Log is this:
> >>
> >> * New Features and Improvements *
> >> 1 Improved non-Linux installer.
> >> 1 Improved Linux installer.
> >> 1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this.
> >> 1 Upgraded MIME::Base64 to 3.07.
> >> 1 Improved error reporting for clamd permissions problems. Thanks Rick.
> >> 2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and
> >>   /usr/sbin/update_spamassassin. For a good use of this, see
> >>   http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt and search
> >>   for "HOWTO" in the Subject: line of the MailScanner-discussion list
> >>   archive.
> >>   This process replaces RulesDuJour entirely.
> >>   Another good ruleset to add to your setup is
> >>   http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
> >>   To download this automatically every night, fetch
> >>   http://www.mailscanner.info/files/4/KAM.cf.sh and put it in /etc/cron.daily
> >>   and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh").
> >>
> >> Jules
> >>
> > Installed and working fine :) The directions you had posted regarding
> > sa-update were helpful, thanks.
> > My question is this: In the /etc/cron.daily/update_spamassassin script
> > there is a comment about the default
> > behavior and that it can cause problems if implemented. Is there any
> > reason that I should not enable this script as I do want the
> > daily updates via sa-update? Should I make my own cron for this then?
> Sorry, that comment is rather out of date now. I'll remove it. It's
> quite safe these days, the problems were from the first release of
> SpamAssassin's sa-update program.
>
> Jules
>
That had me worried too. I am running the beta on my secondary MTA and all appears to be working. Just got my first email notification that KAM.cf.sh ran successfully. Also got a debug output from update_spamassassin and all looks good there also.

From dstraka at caspercollege.edu Tue Jul 10 15:06:34 2007
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Tue Jul 10 15:06:55 2007
Subject: Can't get to SARE, where to add rule?
In-Reply-To: <4688CC83.4060403@ecs.soton.ac.uk>
References: <46868B9E.2050409@ecs.soton.ac.uk><46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk> <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it><002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> <4688CC83.4060403@ecs.soton.ac.uk>
Message-ID: <46933E0A.61A4.0000.0@caspercollege.edu>

I get a timeout when trying to connect to the SARE site. I'm trying to get the PDF spam rules from there but..,
I've got this from a list posting last week, where would I put this to make it work? I have no experience with SA rules so be kind.

------------------------------------

This one was published yesterday, which the author claims to work okay:

full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
describe PDF_ONLY_SPAM PDF only Message, no text in message body
score PDF_ONLY_SPAM 2.0

-------------------------------------

Thanks,

--
Dan Straka
Systems Coordinator
Casper College
307.268.2399

From themba at dcdata.co.za Tue Jul 10 15:15:37 2007
From: themba at dcdata.co.za (Themba Ntleki)
Date: Tue Jul 10 15:12:49 2007
Subject: MailScanner not Logging!!
Message-ID: <46939489.2000306@dcdata.co.za>

Hi All,

I have a huge problem with MailScanner not logging messages,

With my working installs, When I:

tail -f /var/log/mail

I can see: Logging message MSG#ID to SQL
then see: Logged message MSG#ID to SQL.

With my problematic install, I cannot see the message: 'Logged message MSG#ID to SQL.' in the mail logs.

I'm running Suse Linux. I have tried upgrading to the latest version of MailScanner, but nothing helps so far,

Please Help....

Kind Regards,
Themba Ntleki

--
This email and all contents are subject to the following disclaimer:
http://www.dcdata.co.za/emaildisclaimer.html

From MailScanner at ecs.soton.ac.uk Tue Jul 10 15:14:05 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 10 15:17:35 2007
Subject: Can't get to SARE, where to add rule?
In-Reply-To: <46933E0A.61A4.0000.0@caspercollege.edu>
References: <46868B9E.2050409@ecs.soton.ac.uk><46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk> <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it><002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> <4688CC83.4060403@ecs.soton.ac.uk> <46933E0A.61A4.0000.0@caspercollege.edu>
Message-ID: <4693942D.9030006@ecs.soton.ac.uk>

You could put it in /etc/MailScanner/spam.assassin.prefs.conf and then
service MailScanner reload

Daniel Straka wrote:
> I get a timeout when trying to connect to the SARE site. I'm trying to get the PDF spam rules from there but..,
> I've got this from a list posting last week, where would I put this to make it work? I have no experience with SA rules so be kind.
>
> ------------------------------------
>
> This one was published yesterday, which the author claims to work okay:
>
> full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
> describe PDF_ONLY_SPAM PDF only Message, no text in message body
> score PDF_ONLY_SPAM 2.0
>
> -------------------------------------
>
> Thanks,
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From list-mailscanner at linguaphone.com Tue Jul 10 15:20:10 2007
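An offline check of what the PDF_ONLY_SPAM pattern quoted in this thread matches, added here as an example and not part of any list message. Python's re module stands in for SpamAssassin's Perl regex engine; the sample messages, addresses, boundary string and helper names are constructed for the test.

```python
import re

# Rule body copied from the list post, split into stages so a non-match can
# be traced to the part that failed. SpamAssassin's /is modifiers correspond
# to re.IGNORECASE | re.DOTALL.
STAGES = [
    ("Content-Transfer-Encoding: 7bit", r"encoding\:\s+7bit"),
    ("MIME boundary right after it (empty text part)", r"(\n?)+[\-0-9]+"),
    ("application/pdf part", r".{1,40}type\:\s+application\/pdf\;"),
    ("name=*.pdf", r".{1,40}name\=.{1,40}\.pdf"),
    ("Content-Disposition: inline", r".{1,50}disposition\:\s+inline\;"),
    ("filename=*.pdf", r".{1,40}filename\=.{1,40}\.pdf"),
]
FLAGS = re.IGNORECASE | re.DOTALL
PDF_ONLY_SPAM = re.compile("".join(part for _, part in STAGES), FLAGS)

# Constructed boundary in the all-dashes-and-digits style the rule expects.
BOUNDARY = "------------010203040506070809000102"


def build_message(body, disposition="inline", filename="invoice.pdf"):
    """Constructed raw message: one text part, then one PDF part."""
    return (
        "From: sender@example.com\n"
        "To: rcpt@example.org\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed;\n boundary="{BOUNDARY}"\n'
        "\n"
        "This is a multi-part message in MIME format.\n"
        f"--{BOUNDARY}\n"
        "Content-Type: text/plain; charset=ISO-8859-1; format=flowed\n"
        "Content-Transfer-Encoding: 7bit\n"
        "\n"
        f"{body}\n"
        f"--{BOUNDARY}\n"
        f'Content-Type: application/pdf;\n name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: {disposition};\n filename="{filename}"\n'
        "\n"
        "JVBERi0xLjQK\n"  # base64 of "%PDF-1.4\n", a placeholder payload
        f"--{BOUNDARY}--\n"
    )


def first_failing_stage(raw):
    """Return None if the whole rule matches, else the label of the first
    stage whose cumulative pattern no longer matches the raw message."""
    prefix = ""
    for label, part in STAGES:
        prefix += part
        if re.search(prefix, raw, FLAGS) is None:
            return label
    return None


SAMPLES = {  # all constructed
    "empty body, inline PDF": build_message(""),
    "text body, inline PDF": build_message("Please find the report attached.\n"),
    "empty body, PDF as attachment": build_message("", disposition="attachment"),
}


def evaluate(samples=SAMPLES):
    """Map each sample name to 'HIT' or 'miss: <first failing stage>'."""
    report = {}
    for name, raw in samples.items():
        failed = first_failing_stage(raw)
        report[name] = "HIT" if failed is None else f"miss: {failed}"
    return report


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:32} {verdict}")
```

The first sample shows the rule's cost as well as its reach: any message with an empty text part followed by an inline PDF matches, whoever sent it, so the rule is only safe as one score among several.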
From: list-mailscanner at linguaphone.com (Gareth)
Date: Tue Jul 10 15:20:17 2007
Subject: Can't get to SARE, where to add rule?
In-Reply-To: <4693942D.9030006@ecs.soton.ac.uk>
References: <46868B9E.2050409@ecs.soton.ac.uk><46869C90.3010308@alexb.ch> <4686B8D1.7090005@ecs.soton.ac.uk> <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> <4688CC83.4060403@ecs.soton.ac.uk> <46933E0A.61A4.0000.0@caspercollege.edu> <4693942D.9030006@ecs.soton.ac.uk>
Message-ID: <1184077210.30189.31.camel@gblades-suse.linguaphone-intranet.co.uk>

Or you could email webmaster@rulesemporium.com and ask to use the PDFinfo plugin. This comes with some rules as standard but you can write your own using it (it includes lots of examples).

On Tue, 2007-07-10 at 15:14, Julian Field wrote:
> You could put it in /etc/MailScanner/spam.assassin.prefs.conf and then
> service MailScanner reload
>
> Daniel Straka wrote:
> > I get a timeout when trying to connect to the SARE site. I'm trying to get the PDF spam rules from there but..,
> > I've got this from a list posting last week, where would I put this to make it work? I have no experience with SA rules so be kind.
> >
> > ------------------------------------
> >
> > This one was published yesterday, which the author claims to work okay:
> >
> > full PDF_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/pdf\;.{1,40}name\=.{1,40}\.pdf.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.pdf/is
> > describe PDF_ONLY_SPAM PDF only Message, no text in message body
> > score PDF_ONLY_SPAM 2.0
> >
> > -------------------------------------
> >
> > Thanks,
> >
>
> Jules

From Alistair.Carmichael at ntltravel.com Tue Jul 10 15:24:51 2007
From: Alistair.Carmichael at ntltravel.com (Alistair Carmichael)
Date: Tue Jul 10 15:25:00 2007
Subject: MailScanner not Logging!!
In-Reply-To: <46939489.2000306@dcdata.co.za>
References: <46939489.2000306@dcdata.co.za>
Message-ID: <6EEC6D949794754FB8D83A4D87DF7168BE6618@gh-redd-exch-01.redditch.ntltravel.local>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Themba Ntleki
Sent: 10 July 2007 15:16
To: mailscanner@lists.mailscanner.info
Subject: MailScanner not Logging!!

Hi All,

I have a huge problem with MailScanner not logging messages,

With my working installs, When I:

tail -f /var/log/mail

I can see: Logging message MSG#ID to SQL
then see: Logged message MSG#ID to SQL.

With my problematic install, I cannot see the message: 'Logged message MSG#ID to SQL.' in the mail logs.

I'm running Suse Linux. I have tried upgrading to the latest version of MailScanner, but nothing helps so far,

Please Help....

Kind Regards,
Themba Ntleki

Hi,

Check your MailWatch.pm file that you have the correct database name, user, password and host configured here, if these are correct make sure you can connect with:

mysql -u(username) -p(password) -h(host) (dbname)

At command line, you should get to a prompt like mysql> if you get an error this is likely to be the same cause of why you don't see the logged message x to sql, if this all succeeds I would restart mailscanner in debug mode paying attention to your maillog file and your messages file.

--
This email and all contents are subject to the following disclaimer:
http://www.dcdata.co.za/emaildisclaimer.html

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.

From ljosnet at gmail.com Tue Jul 10 16:05:38 2007
From: ljosnet at gmail.com (emm1)
Date: Tue Jul 10 16:05:41 2007
Subject: Strange CLAMD errors
Message-ID: <910ee2ac0707100805ne111c5fp32cba3558ad2a58c@mail.gmail.com>

Hello, after I upgraded to 4.61.7 on my FreeBSD 6.2 box I am seeing those errors.
I have checked to see if clamd is running and it is. Any ideas?

Jul 10 15:00:31 mainframe MailScanner[12276]: New Batch: Scanning 1 messages, 3973 bytes
Jul 10 15:00:31 mainframe MailScanner[12276]: Expired 1 records from the SpamAssassin cache
Jul 10 15:00:34 mainframe MailScanner[12276]: Virus and Content Scanning: Starting
Jul 10 15:00:34 mainframe MailScanner[13026]: ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON
Jul 10 15:00:34 mainframe MailScanner[12276]: ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Clamd found 1 infections
Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Found 1 viruses
Jul 10 15:00:34 mainframe MailScanner[12276]: Uninfected: Delivered 1 messages

From martinh at solidstatelogic.com Tue Jul 10 16:10:52 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Jul 10 16:10:55 2007
Subject: Strange CLAMD errors
In-Reply-To: <910ee2ac0707100805ne111c5fp32cba3558ad2a58c@mail.gmail.com>
Message-ID: <2c6de78b8ffff344b3dfb9e659555624@solidstatelogic.com>

Have you got clamd listening on a port (defined in MailScanner.conf and clamd.conf)?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of emm1
> Sent: 10 July 2007 16:06
> To: MailScanner discussion
> Subject: Strange CLAMD errors
>
> Hello, after I upgraded to 4.61.7 on my FreeBSD 6.2 box I am seeing
> those errors.
> I have checked to see if clamd is running and it is. Any ideas?
>
> Jul 10 15:00:31 mainframe MailScanner[12276]: New Batch: Scanning 1 messages, 3973 bytes
> Jul 10 15:00:31 mainframe MailScanner[12276]: Expired 1 records from the SpamAssassin cache
> Jul 10 15:00:34 mainframe MailScanner[12276]: Virus and Content Scanning: Starting
> Jul 10 15:00:34 mainframe MailScanner[13026]: ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON
> Jul 10 15:00:34 mainframe MailScanner[12276]: ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
> Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Clamd found 1 infections
> Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Found 1 viruses
> Jul 10 15:00:34 mainframe MailScanner[12276]: Uninfected: Delivered 1 messages

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From ljosnet at gmail.com Tue Jul 10 16:19:46 2007
From: ljosnet at gmail.com (emm1)
Date: Tue Jul 10 16:19:49 2007
Subject: Strange CLAMD errors
In-Reply-To: <2c6de78b8ffff344b3dfb9e659555624@solidstatelogic.com>
References: <910ee2ac0707100805ne111c5fp32cba3558ad2a58c@mail.gmail.com> <2c6de78b8ffff344b3dfb9e659555624@solidstatelogic.com>
Message-ID: <910ee2ac0707100819yf246c14y6ba7a6ad7e49d3b5@mail.gmail.com>

No idea, this was working fine before I updated. :)

On 7/10/07, Martin.Hepworth wrote:
>
> Have you got clamd listening on a port (defined in MailScanner.conf and
> clamd.conf)?
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of emm1
> > Sent: 10 July 2007 16:06
> > To: MailScanner discussion
> > Subject: Strange CLAMD errors
> >
> > Hello, after I upgraded to 4.61.7 on my FreeBSD 6.2 box I am seeing
> > those errors.
> > I have checked to see if clamd is running and it is. Any ideas?
> >
> > Jul 10 15:00:31 mainframe MailScanner[12276]: New Batch: Scanning 1 messages, 3973 bytes
> > Jul 10 15:00:31 mainframe MailScanner[12276]: Expired 1 records from the SpamAssassin cache
> > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus and Content Scanning: Starting
> > Jul 10 15:00:34 mainframe MailScanner[13026]: ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON
> > Jul 10 15:00:34 mainframe MailScanner[12276]: ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
> > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Clamd found 1 infections
> > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Found 1 viruses
> > Jul 10 15:00:34 mainframe MailScanner[12276]: Uninfected: Delivered 1 messages

From martinh at solidstatelogic.com Tue Jul 10 16:24:19 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Jul 10 16:24:58 2007
Subject: Strange CLAMD errors
In-Reply-To: <910ee2ac0707100819yf246c14y6ba7a6ad7e49d3b5@mail.gmail.com>
Message-ID: <0d875ca8fbed024cb2be24cadcd1b440@solidstatelogic.com>

Upgraded from what - you sure the MailScanner.conf is set to

Virus scanners = clamd

And not clamdscan ????

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of emm1
> Sent: 10 July 2007 16:20
> To: MailScanner discussion
> Subject: Re: Strange CLAMD errors
>
> No idea, this was working fine before I updated. :)
>
> On 7/10/07, Martin.Hepworth wrote:
> >
> > Have you got clamd listening on a port (defined in MailScanner.conf and
> > clamd.conf)?
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> > > -----Original Message-----
> > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of emm1
> > > Sent: 10 July 2007 16:06
> > > To: MailScanner discussion
> > > Subject: Strange CLAMD errors
> > >
> > > Hello, after I upgraded to 4.61.7 on my FreeBSD 6.2 box I am seeing
> > > those errors.
> > > I have checked to see if clamd is running and it is. Any ideas?
> > >
> > > Jul 10 15:00:31 mainframe MailScanner[12276]: New Batch: Scanning 1 messages, 3973 bytes
> > > Jul 10 15:00:31 mainframe MailScanner[12276]: Expired 1 records from the SpamAssassin cache
> > > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus and Content Scanning: Starting
> > > Jul 10 15:00:34 mainframe MailScanner[13026]: ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON
> > > Jul 10 15:00:34 mainframe MailScanner[12276]: ERROR:: COULD NOT CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: .
> > > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Clamd found 1 infections
> > > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Found 1 viruses
> > > Jul 10 15:00:34 mainframe MailScanner[12276]: Uninfected: Delivered 1 messages

From ljosnet at gmail.com Tue Jul 10 16:27:41 2007
From: ljosnet at gmail.com (emm1)
Date: Tue Jul 10 16:27:43 2007
Subject: Strange CLAMD errors
In-Reply-To: <0d875ca8fbed024cb2be24cadcd1b440@solidstatelogic.com>
References: <910ee2ac0707100819yf246c14y6ba7a6ad7e49d3b5@mail.gmail.com> <0d875ca8fbed024cb2be24cadcd1b440@solidstatelogic.com>
Message-ID: <910ee2ac0707100827g5b453141hdd3524d02f90f56d@mail.gmail.com>

Yes, it's using clamd. I changed no config files before or after the upgrade from ports. This just started to appear in the maillog. It's detecting every single mail that is legit as virus and then delivers it.

On 7/10/07, Martin.Hepworth wrote:
>
> Upgraded from what - you sure the MailScanner.conf is set to
>
> Virus scanners = clamd
>
> And not clamdscan ????
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of emm1 > > Sent: 10 July 2007 16:20 > > To: MailScanner discussion > > Subject: Re: Strange CLAMD errors > > > > No idea, this was working fine before I updated. :) > > > > On 7/10/07, Martin.Hepworth wrote: > > > > > > Have you got clamd listening on a port (defined in MailScanner.conf > and > > > clamd.conf)? > > > > > > > > > > > > -- > > > Martin Hepworth > > > Snr Systems Administrator > > > Solid State Logic > > > Tel: +44 (0)1865 842300 > > > > > > > -----Original Message----- 
> > > > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner- > > > > bounces@lists.mailscanner.info] On Behalf Of emm1 > > > > Sent: 10 July 2007 16:06 > > > > To: MailScanner discussion > > > > Subject: Strange CLAMD errors > > > > > > > > Hello, after I upgraded to 4.61.7 on my FreeBSD 6.2 box I am > seeing > > > > those errors. > > > > I have checked to see if clamd is running and it is. Any ideas? > > > > > > > > Jul 10 15:00:31 mainframe MailScanner[12276]: New Batch: Scanning > 1 > > > > messages, 3973 bytes > > > > Jul 10 15:00:31 mainframe MailScanner[12276]: Expired 1 records > from > > > > the SpamAssassin cache > > > > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus and Content > > > > Scanning: Starting > > > > Jul 10 15:00:34 mainframe MailScanner[13026]: ERROR:: COULD NOT > > > > CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON > > > > Jul 10 15:00:34 mainframe MailScanner[12276]: ERROR:: COULD NOT > > > > CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: . > > > > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: > Clamd > > > > found 1 infections > > > > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: > Found 1 > > > > viruses > > > > Jul 10 15:00:34 mainframe MailScanner[12276]: Uninfected: > Delivered 1 > > > > messages > > > > -- > > > > MailScanner mailing list > > > > mailscanner@lists.mailscanner.info > > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > > > > > Support MailScanner development - buy the book off the website! > > > > > > > > > > > > > > > > ********************************************************************** > > > Confidentiality : This e-mail and any attachments are intended for > the > > > addressee only and may be confidential. If they come to you in error > > > you must take no action based on them, nor must you copy or show > them > > > to anyone. 
Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We advise > that you consider this fact when e-mailing us. > Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. > > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales > (Company No:5362730) > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > United Kingdom > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From listacct at tulsaconnect.com Tue Jul 10 16:32:48 2007 From: listacct at tulsaconnect.com (TCIS List Acct) Date: Tue Jul 10 16:32:30 2007 Subject: zen.spamhaus.org timeouts? Message-ID: <4693A6A0.3030305@tulsaconnect.com> All of a sudden today we are getting DNS lookup timeouts when querying zen.spamhaus.org across all of our MailScanner boxes. Is anyone else having trouble doing RBL lookups against zen.spamhaus.org? -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- From mailscanner at slackadelic.com Tue Jul 10 16:34:53 2007 
From: mailscanner at slackadelic.com (Matt Hayes) Date: Tue Jul 10 16:35:00 2007 Subject: zen.spamhaus.org timeouts? In-Reply-To: <4693A6A0.3030305@tulsaconnect.com> References: <4693A6A0.3030305@tulsaconnect.com> Message-ID: <4693A71D.4020901@slackadelic.com> TCIS List Acct wrote: > All of a sudden today we are getting DNS lookup timeouts when querying > zen.spamhaus.org across all of our MailScanner boxes. Is anyone else > having trouble doing RBL lookups against zen.spamhaus.org? > I've not noticed any issues. -Matt -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From j.ede at birchenallhowden.co.uk Tue Jul 10 16:35:41 2007 From: j.ede at birchenallhowden.co.uk (Jason Ede) Date: Tue Jul 10 16:36:28 2007 Subject: zen.spamhaus.org timeouts? In-Reply-To: <4693A6A0.3030305@tulsaconnect.com> References: <4693A6A0.3030305@tulsaconnect.com> Message-ID: also rulesemporium is slow... I'm guessing its another DDOS in progress... Jason ________________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of TCIS List Acct [listacct@tulsaconnect.com] Sent: 10 July 2007 16:32 To: MailScanner discussion Subject: zen.spamhaus.org timeouts? All of a sudden today we are getting DNS lookup timeouts when querying zen.spamhaus.org across all of our MailScanner boxes. Is anyone else having trouble doing RBL lookups against zen.spamhaus.org? -- ----------------------------------------- Mike Bacher / listacct@tulsaconnect.com TCIS - TulsaConnect Internet Services http://www.tulsaconnect.com ----------------------------------------- -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Tue Jul 10 16:49:01 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Jul 10 16:49:16 2007 Subject: zen.spamhaus.org timeouts? In-Reply-To: <4693A6A0.3030305@tulsaconnect.com> References: <4693A6A0.3030305@tulsaconnect.com> Message-ID: TCIS List Acct spake the following on 7/10/2007 8:32 AM: > All of a sudden today we are getting DNS lookup timeouts when querying > zen.spamhaus.org across all of our MailScanner boxes. Is anyone else > having trouble doing RBL lookups against zen.spamhaus.org? > Everything is fine here. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From glenn.steen at gmail.com Tue Jul 10 16:49:36 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jul 10 16:49:39 2007 Subject: How to monitor the health of the MailScanner architecture In-Reply-To: <001e01c7c2de$074aa850$15dff8f0$@dk> References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local> <002001c7c219$4d475580$e7d60080$@dk> <223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com> <001e01c7c2de$074aa850$15dff8f0$@dk> Message-ID: <223f97700707100849l378fce92xf1386f7b5e779193@mail.gmail.com> On 10/07/07, Jonas A. Larsen wrote: > Hi Glenn > > > > > Um, just script up a snippet that send a mail through to a service > > account (use telnet with expect, or perl or whatever... Make that > > sending snippet a function/sub/procedure and let it take an argument > > servername, then loop through the list of servers.... You know what to > > do:-), then use an automated MUA in the same script (whatever you > > need) to check that it is received within a reasonable time... Nail > > within an expect script would be nice for that last bit ... How hard > > can it be:-):-). > > You'd have to keep an eye on reasonable timing, and think through how > > to report errors... > > Could probably be incorporated as a testscript into any monitoring > > app... Or run from cron with some reasonable regularity. > > Should be fairly easy to write up ... But I'm on vacation, so you do > > it yourself;-). > > This is precisely what is needed :) regarding the "fairly easy to write > up" I guess that depends on how elite coding scriptiong skills you have and > how much time you got :) True:-) > We currently got it running using a freeware windows monitoring tool, that > had this precise check. (Yuk! Well, whatever works, I guess...:-) > I was just looking for something that already existed and general comments. > (because I'm a lazy boy) That's generally the big motivator to do something like that... 
The effort to make it is less than doing it by hand (if even possible:-):-). > People seem to have misunderstood it a bit since they are recommending > generic monitoring solutions. Neither nagios, bigbrother or others have the > above solution. I actually think munin had something but it would have to be > re-scripted to be useable (assuming I don't want to run munin) True. This would probably slot into something more generic, to handle the alerting etc... Laziness again, why reinvent that part of it:-). > I do find it odd though, that more or less nobody appears to be monitoring > their mail systems in this way. I still say it's the only way to be 100% if > your system is functioning or not. Checking the mta daemon, mailscanner > daemon, queue sizes etc. are all not a perfect way to check if the > mailscanning process is functioning. I suspect that people fall into a lot of different categories here... Some have small installations that don't really need that kind of alerting.... The users and perhaps something like MailWatch/Vispan/MailScanner-MRTG/whatever is enough of an alerting system:-). For larger systems something homegrown in [favourite monitoring app] is likely enough. Another "problem" is that anything like this will become somewhat specific to how your "mailflow topology" looks... So the bigger players probably do have something like this in place already, but deem it way to specific to their setup to be meaningful to share. If I find the time and energy when I'm back from vacation (not that likely, but ... if:), I might make something simple to work from... Yes, that is half a promise of half a solution:-). > > Cheers Likewise! > > Med venlig hilsen / Best regards > > Jonas Akrouh Larsen > > TechBiz ApS > Laplandsgade 4, 2. sal > 2300 K?benhavn S > > Office: 7020 0979 > Direct: 33369974 > Fax: 7020 0978 > Mobile: 51201096 > Web: www.techbiz.dk. > > -- -- Glenn (off in the west-swedish wilderness around Arvika... 
No, I'm going to give the festival a miss this year too:-) email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mailscanner at cfwebdesigns.com Tue Jul 10 16:59:20 2007 From: mailscanner at cfwebdesigns.com (Custom Framer Web Designs) Date: Tue Jul 10 16:59:28 2007 Subject: Server whitelist being ignored Message-ID: <006f01c7c30b$479a7570$0402a8c0@VAIODESKTOP1> I have a problem with messages that come from addresses, and domains that are on the server-wide whitelist are being scanned and scored as spam. It is my understanding that by being on the whitelist, messages from these addresses would not be scanned. Am I wrong in this thinking? If not, have you a suggestion as to what may be wrong. Merrill From rcooper at dwford.com Tue Jul 10 17:00:22 2007 From: rcooper at dwford.com (Rick Cooper) Date: Tue Jul 10 17:00:28 2007 Subject: Strange CLAMD errors In-Reply-To: <910ee2ac0707100805ne111c5fp32cba3558ad2a58c@mail.gmail.com> References: <910ee2ac0707100805ne111c5fp32cba3558ad2a58c@mail.gmail.com> Message-ID: <020b01c7c30b$6c5a9200$c8b0b9cf@SAHOMELT> If you were using the old clamd (clamdscan) support, you need to configure the new clamd parameters in MailScanner.con to match your clamd.conf. The latest MailScanner calls clamd directly not via clamdscan. Look at the change log Rick > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of emm1 > Sent: Tuesday, July 10, 2007 11:06 AM > To: MailScanner discussion > Subject: Strange CLAMD errors > > Hello, after I upgraded to 4.61.7 on my FreeBSD 6.2 box I am seeing > those errors. > I have checked to see if clamd is running and it is. Any ideas? > > Jul 10 15:00:31 mainframe MailScanner[12276]: New Batch: Scanning 1 > messages, 3973 bytes > Jul 10 15:00:31 mainframe MailScanner[12276]: Expired 1 records from > the SpamAssassin cache > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus and Content > Scanning: Starting > Jul 10 15:00:34 mainframe MailScanner[13026]: ERROR:: COULD NOT > CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON > Jul 10 15:00:34 mainframe MailScanner[12276]: ERROR:: COULD NOT > CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: . > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Clamd > found 1 infections > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus > Scanning: Found 1 viruses > Jul 10 15:00:34 mainframe MailScanner[12276]: Uninfected: > Delivered 1 messages > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Alistair.Carmichael at ntltravel.com Tue Jul 10 17:04:04 2007 
From: Alistair.Carmichael at ntltravel.com (Alistair Carmichael) Date: Tue Jul 10 17:04:07 2007 Subject: How to monitor the health of the MailScanner architecture In-Reply-To: <223f97700707100849l378fce92xf1386f7b5e779193@mail.gmail.com> References: <000901c7c210$8d1f4310$a75dc930$@dk><6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local><002001c7c219$4d475580$e7d60080$@dk><223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com><001e01c7c2de$074aa850$15dff8f0$@dk> <223f97700707100849l378fce92xf1386f7b5e779193@mail.gmail.com> Message-ID: <6EEC6D949794754FB8D83A4D87DF7168BE662D@gh-redd-exch-01.redditch.ntltravel.local> -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen Sent: 10 July 2007 16:50 To: MailScanner discussion Subject: Re: How to monitor the health of the MailScanner architecture On 10/07/07, Jonas A. Larsen wrote: > Hi Glenn > > > > > Um, just script up a snippet that send a mail through to a service > > account (use telnet with expect, or perl or whatever... Make that > > sending snippet a function/sub/procedure and let it take an argument > > servername, then loop through the list of servers.... You know what to > > do:-), then use an automated MUA in the same script (whatever you > > need) to check that it is received within a reasonable time... Nail > > within an expect script would be nice for that last bit ... How hard > > can it be:-):-). > > You'd have to keep an eye on reasonable timing, and think through how > > to report errors... > > Could probably be incorporated as a testscript into any monitoring > > app... Or run from cron with some reasonable regularity. > > Should be fairly easy to write up ... But I'm on vacation, so you do > > it yourself;-). > > This is precisely what is needed :) regarding the "fairly easy to write > up" I guess that depends on how elite coding scriptiong skills you have and > how much time you got :) True:-) > We currently got it running using a freeware windows monitoring tool, that > had this precise check. (Yuk! Well, whatever works, I guess...:-) > I was just looking for something that already existed and general comments. > (because I'm a lazy boy) That's generally the big motivator to do something like that... The effort to make it is less than doing it by hand (if even possible:-):-). > People seem to have misunderstood it a bit since they are recommending > generic monitoring solutions. Neither nagios, bigbrother or others have the > above solution. 
I actually think munin had something but it would have to be > re-scripted to be useable (assuming I don't want to run munin) True. This would probably slot into something more generic, to handle the alerting etc... Laziness again, why reinvent that part of it:-). > I do find it odd though, that more or less nobody appears to be monitoring > their mail systems in this way. I still say it's the only way to be 100% if > your system is functioning or not. Checking the mta daemon, mailscanner > daemon, queue sizes etc. are all not a perfect way to check if the > mailscanning process is functioning. I suspect that people fall into a lot of different categories here... Some have small installations that don't really need that kind of alerting.... The users and perhaps something like MailWatch/Vispan/MailScanner-MRTG/whatever is enough of an alerting system:-). For larger systems something homegrown in [favourite monitoring app] is likely enough. Another "problem" is that anything like this will become somewhat specific to how your "mailflow topology" looks... So the bigger players probably do have something like this in place already, but deem it way to specific to their setup to be meaningful to share. If I find the time and energy when I'm back from vacation (not that likely, but ... if:), I might make something simple to work from... Yes, that is half a promise of half a solution:-). > > Cheers Likewise! One method I thought of by using a shell script in conjunction with mailwatch is to run a shell script to generate a message every minute to output "$$`date +%s`" to a temp file, then run the mail command using the output (cat) of this file as the subject and send the message to a generic postmaster address. 
Then sleep for half a min or so and then run a mysql query on your mailwatch database's maillog table like "select Count(*) from maillog where subject = 'cat /tmp/myfile'" If the result of count(*) is 1 then the message has been collected and scanned by mailscanner, if the answer is zero then it has not. It probably wouldn't take too long to throw together into a shell script. The only downside I think would be if you have one mailwatch database used by 3 mailscanners like we do this query can take a while to execute due to the sheer size of the database but might work ok for a single server setup. My 2 more cents ;) > > Med venlig hilsen / Best regards > > Jonas Akrouh Larsen > > TechBiz ApS > Laplandsgade 4, 2. sal > 2300 K?benhavn S > > Office: 7020 0979 > Direct: 33369974 > Fax: 7020 0978 > Mobile: 51201096 > Web: www.techbiz.dk. > > -- -- Glenn (off in the west-swedish wilderness around Arvika... No, I'm going to give the festival a miss this year too:-) email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. 
This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. From ljosnet at gmail.com Tue Jul 10 17:09:39 2007 From: ljosnet at gmail.com (emm1) Date: Tue Jul 10 17:09:42 2007 Subject: Strange CLAMD errors In-Reply-To: <020b01c7c30b$6c5a9200$c8b0b9cf@SAHOMELT> References: <910ee2ac0707100805ne111c5fp32cba3558ad2a58c@mail.gmail.com> <020b01c7c30b$6c5a9200$c8b0b9cf@SAHOMELT> Message-ID: <910ee2ac0707100909y7e7796e9yce6b21f032962800@mail.gmail.com> Yeah I see it now, thanks. On 7/10/07, Rick Cooper wrote: > If you were using the old clamd (clamdscan) support, you need to configure > the new clamd parameters in MailScanner.con to match your clamd.conf. The > latest MailScanner calls clamd directly not via clamdscan. Look at the > change log > > Rick > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of emm1 > > Sent: Tuesday, July 10, 2007 11:06 AM > > To: MailScanner discussion > > Subject: Strange CLAMD errors > > > > Hello, after I upgraded to 4.61.7 on my FreeBSD 6.2 box I am seeing > > those errors. > > I have checked to see if clamd is running and it is. Any ideas? > > > > Jul 10 15:00:31 mainframe MailScanner[12276]: New Batch: Scanning 1 > > messages, 3973 bytes > > Jul 10 15:00:31 mainframe MailScanner[12276]: Expired 1 records from > > the SpamAssassin cache > > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus and Content > > Scanning: Starting > > Jul 10 15:00:34 mainframe MailScanner[13026]: ERROR:: COULD NOT > > CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON > > Jul 10 15:00:34 mainframe MailScanner[12276]: ERROR:: COULD NOT > > CONNECT TO CLAMD, RECOMMEND RESTARTING DAEMON :: . > > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus Scanning: Clamd > > found 1 infections > > Jul 10 15:00:34 mainframe MailScanner[12276]: Virus > > Scanning: Found 1 viruses > > Jul 10 15:00:34 mainframe MailScanner[12276]: Uninfected: > > Delivered 1 messages > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. 
> > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From ka at pacific.net Tue Jul 10 17:16:13 2007 
From: ka at pacific.net (Ken A)
Date: Tue Jul 10 17:16:18 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <001e01c7c2de$074aa850$15dff8f0$@dk>
References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local> <002001c7c219$4d475580$e7d60080$@dk> <223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com> <001e01c7c2de$074aa850$15dff8f0$@dk>
Message-ID: <4693B0CD.8090806@pacific.net>

Jonas A. Larsen wrote:
> Hi Glenn
>> Um, just script up a snippet that send a mail through to a service
>> account (use telnet with expect, or perl or whatever... Make that
>> sending snippet a function/sub/procedure and let it take an argument
>> servername, then loop through the list of servers.... You know what to
>> do:-), then use an automated MUA in the same script (whatever you
>> need) to check that it is received within a reasonable time... Nail
>> within an expect script would be nice for that last bit ... How hard
>> can it be:-):-).
>> You'd have to keep an eye on reasonable timing, and think through how
>> to report errors...
>> Could probably be incorporated as a testscript into any monitoring
>> app... Or run from cron with some reasonable regularity.
>> Should be fairly easy to write up ... But I'm on vacation, so you do
>> it yourself;-).
>>
> This is precisely what is needed :) regarding the "fairly easy to write
> up" I guess that depends on how elite coding scripting skills you have and
> how much time you got :)
>
> We currently got it running using a freeware windows monitoring tool, that
> had this precise check.
>
> I was just looking for something that already existed and general comments.
> (because I'm a lazy boy)
>
> People seem to have misunderstood it a bit since they are recommending
> generic monitoring solutions. Neither nagios, bigbrother or others have the
> above solution. I actually think munin had something but it would have to be
> re-scripted to be useable (assuming I don't want to run munin)
>
> I do find it odd though, that more or less nobody appears to be monitoring
> their mail systems in this way. I still say it's the only way to be 100% if
> your system is functioning or not. Checking the mta daemon, mailscanner
> daemon, queue sizes etc. are all not a perfect way to check if the
> mailscanning process is functioning.

There are many parts to the mail flow process. You can't check them all by passing a message through, though that certainly will tell you that messages can flow through your mail system! If I get a page at 3am that says "mail stopped flowing", I'd be pretty disappointed in my monitoring software. I want to know a lot more than that before my feet hit the floor.

If your monitoring software is set up correctly (nagios here), you can quite correctly infer that all processing is working normally if all tests are passed. You just have to design or tweak the tests (these are usually simple shell or perl scripts that nagios uses) to fit your architecture. It's not hard, but it's implementation specific, mostly.

Ken

>
> Cheers
>
> Med venlig hilsen / Best regards
>
> Jonas Akrouh Larsen
>

--
Ken Anderson
Pacific.Net

From glenn.steen at gmail.com Tue Jul 10 17:17:44 2007
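The end-to-end check discussed in this thread (send a uniquely tagged message through each named scanner, then confirm it reaches a service mailbox within a deadline), written out as an added example; it is not code from any poster. The IMAP arrival check, the `PROBE_IMAP_PASSWORD` variable, the 60/120-second thresholds and the Nagios-style exit codes are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
"""Send a tagged probe through each scanner and confirm it arrives in time."""
import imaplib
import os
import smtplib
import sys
import time
from email.message import EmailMessage

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes


def make_token(seq, now=None):
    """Unique subject tag built from pid, epoch seconds and a per-server counter."""
    now = time.time() if now is None else now
    return "MSPROBE-%d-%d-%d" % (os.getpid(), int(now), seq)


def build_probe(token, sender, recipient):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, token
    msg.set_content("Mail-flow probe %s, safe to delete.\n" % token)
    return msg


def send_probe(server, msg, timeout=20):
    """Submit straight to one named scanner so load balancing cannot hide a dead box."""
    with smtplib.SMTP(server, 25, timeout=timeout) as smtp:
        smtp.send_message(msg)


def imap_checker(host, user, password):
    """Return arrived(token): True once the probe mailbox holds that subject."""
    def arrived(token):
        try:
            with imaplib.IMAP4_SSL(host) as box:
                box.login(user, password)
                box.select("INBOX", readonly=True)
                # SUBJECT is a substring search, so a subject prefix added by
                # the scanner does not stop the probe from being found.
                status, data = box.search(None, "SUBJECT", '"%s"' % token)
                return status == "OK" and bool(data[0].split())
        except (OSError, imaplib.IMAP4.error):
            return False  # mailbox unreachable counts as "not arrived yet"
    return arrived


def wait_for_arrival(check, warn_after, crit_after, interval=5,
                     clock=time.monotonic, sleep=time.sleep):
    """Poll check() until True or crit_after seconds pass; return (status, seconds)."""
    start = clock()
    while True:
        if check():
            elapsed = clock() - start
            return (WARNING if elapsed > warn_after else OK), elapsed
        elapsed = clock() - start
        if elapsed >= crit_after:
            return CRITICAL, elapsed
        sleep(min(interval, crit_after - elapsed))


def probe_scanners(scanners, sender, recipient, arrived, send=send_probe,
                   warn_after=60, crit_after=120, **wait_opts):
    """Probe every scanner in turn; return {server: (status, text)}."""
    results = {}
    for seq, server in enumerate(scanners):
        token = make_token(seq)
        try:
            send(server, build_probe(token, sender, recipient))
        except (OSError, smtplib.SMTPException) as exc:
            results[server] = (CRITICAL, "SMTP submission failed: %s" % exc)
            continue
        status, secs = wait_for_arrival(lambda: arrived(token),
                                        warn_after, crit_after, **wait_opts)
        text = "not delivered" if status == CRITICAL else "delivered"
        results[server] = (status, "%s after %.0fs" % (text, secs))
    return results


def main(argv):
    if len(argv) < 6:
        print("usage: %s SENDER RECIPIENT IMAP_HOST IMAP_USER SCANNER [SCANNER...]\n"
              "(the IMAP password is read from $PROBE_IMAP_PASSWORD)" % argv[0])
        return UNKNOWN
    sender, recipient, imap_host, imap_user = argv[1:5]
    arrived = imap_checker(imap_host, imap_user,
                           os.environ.get("PROBE_IMAP_PASSWORD", ""))
    results = probe_scanners(argv[5:], sender, recipient, arrived)
    for server, (status, text) in results.items():
        print("%s: %s %s" % (server, ("OK", "WARNING", "CRITICAL")[status], text))
    return max(status for status, _ in results.values())


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run from cron or as a monitoring-app test script, the exit status is the worst result across all scanners, so one stalled box is reported even while the others keep delivering.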
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jul 10 17:17:49 2007 Subject: How to monitor the health of the MailScanner architecture In-Reply-To: <6EEC6D949794754FB8D83A4D87DF7168BE662D@gh-redd-exch-01.redditch.ntltravel.local> References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local> <002001c7c219$4d475580$e7d60080$@dk> <223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com> <001e01c7c2de$074aa850$15dff8f0$@dk> <223f97700707100849l378fce92xf1386f7b5e779193@mail.gmail.com> <6EEC6D949794754FB8D83A4D87DF7168BE662D@gh-redd-exch-01.redditch.ntltravel.local> Message-ID: <223f97700707100917o2cadec8bg9445f22b360b9499@mail.gmail.com> On 10/07/07, Alistair Carmichael wrote: (snip) > > One method I thought of by using a shell script in conjunction with mailwatch is to run a shell script to generate a message every minute to output "$$`date +%s`" to a temp file, then run the mail command using the output (cat) of this file as the subject and send the message to a generic postmaster address. Then sleep for half a min or so and then run a mysql query on your mailwatch database's maillog table like "select Count(*) from maillog where subject = 'cat /tmp/myfile'" > If the result of count(*) is 1 then the message has been collected and scanned by mailscanner, if the answer is zero then it has not. > It probably wouldn't take too long to throw together into a shell script. > The only downside I think would be if you have one mailwatch database used by 3 mailscanners like we do this query can take a while to execute due to the sheer size of the database but might work ok for a single server setup. > My 2 more cents ;) > Certainly worth exploring since that would reduce the dependecies/ickiness of the checking part (expecting ones way through even the simplest textbased MUA can be ... frustrating:-). And as you say, it would be easy to script and would probably scale rather OK (scriptwise... 
One message per MS server... Not the query bit:) with several MS servers... Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ms-list at alexb.ch Tue Jul 10 17:26:40 2007 From: ms-list at alexb.ch (Alex Broens) Date: Tue Jul 10 17:26:47 2007 Subject: zen.spamhaus.org timeouts? In-Reply-To: <4693A6A0.3030305@tulsaconnect.com> References: <4693A6A0.3030305@tulsaconnect.com> Message-ID: <4693B340.7000606@alexb.ch> On 7/10/2007 5:32 PM, TCIS List Acct wrote: > All of a sudden today we are getting DNS lookup timeouts when querying > zen.spamhaus.org across all of our MailScanner boxes. Is anyone else > having trouble doing RBL lookups against zen.spamhaus.org? > try a traceroute if you're on LEVEL3 they're having problems Alex From ugob at lubik.ca Tue Jul 10 17:31:27 2007 
From: ugob at lubik.ca (Ugo Bellavance) Date: Tue Jul 10 17:31:50 2007 Subject: switching from clamavmodule -> clamd... source? In-Reply-To: <469266D4.7060405@ecs.soton.ac.uk> References: <469266D4.7060405@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Ugo Bellavance wrote: >> Ugo Bellavance wrote: >>> Hi, >>> >>> I'd like to switch from clamavmodule to clamd. I used to use a >>> source-install of clamav. I've read that the easiest way to get >>> clamd running is using dag's RPM. However, a dependency for clamd is >>> clamav and clamav-db. How will that play with my current source >>> install of clamav? Should I move to using exclusively rpm clamav? >> >> >> It looks like the source install is overwritten by the RPM. This >> answers my question... > The source install by default goes in /usr/local, while the RPMs most > often go into /usr/bin, /etc and so on. You're right. And if we remove /usr/local/freshclam, MailScanner can't update clamav. Anyone really documented all the process of switching from clamav or clamavmodule to clamd? I could do it, if I can gather all the information. Regards, Ugo From MailScanner at ecs.soton.ac.uk Tue Jul 10 19:00:28 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 10 19:05:27 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To:
References: <469266D4.7060405@ecs.soton.ac.uk>
Message-ID: <4693C93C.3020508@ecs.soton.ac.uk>

Ugo Bellavance wrote:
> Julian Field wrote:
>>
>> Ugo Bellavance wrote:
>>> Ugo Bellavance wrote:
>>>> Hi,
>>>>
>>>> I'd like to switch from clamavmodule to clamd. I used to use a
>>>> source-install of clamav. I've read that the easiest way to get
>>>> clamd running is using dag's RPM. However, a dependency for clamd
>>>> is clamav and clamav-db. How will that play with my current source
>>>> install of clamav? Should I move to using exclusively rpm clamav?
>>>
>>>
>>> It looks like the source install is overwritten by the RPM. This
>>> answers my question...
>> The source install by default goes in /usr/local, while the RPMs most
>> often go into /usr/bin, /etc and so on.
>
> You're right. And if we remove /usr/local/freshclam, MailScanner
> can't update clamav.

Make sure that /etc/MailScanner/virus.scanners.conf points to the right installation (i.e. /usr or /usr/local). Then it will call /usr/bin/freshclam for you.

> Anyone really documented all the process of switching from clamav or
> clamavmodule to clamd? I could do it, if I can gather all the
> information.

I would proceed like this:

1. Make sure you have a sufficiently recent MailScanner installed so that you have direct support of clamd. Version 4.61.7-2 at least. I don't believe in running betas once there is a stable release of the same version.
2. Install ClamAV from the RPMs at dag.wieers.com. You need the correct builds of clamav, clamav-db and clamd. This way you get the init.d script for free.
3. Install my ClamAV+SpamAssassin package, telling it not to install ClamAV. Tell it your ClamAV installation lives at /usr/bin (or /usr, or /usr/bin/clamscan, it will work out what you meant).
4. Check your clam* entries in /etc/MailScanner/virus.scanners.conf all point to /usr.
5. Set your "Virus Scanners =" entry in /etc/MailScanner/MailScanner.conf to include "clamd".
6. Set up the Clamd-specific entries in /etc/MailScanner/MailScanner.conf to the same values as you use in /etc/clamd.conf. By default I *think* you can just leave them alone. But if you are running a system with more than 1 CPU (or more than 1 CPU core), then switch on "Clamd Use Threads = yes" in MailScanner.conf.
7. chkconfig clamd on
8. service clamd start
9. service MailScanner restart

I'm sure others will correct any mistakes in the above guide.

I have just updated my ClamAV+SA package so that it prints more instructions to inform your choice of whether you want it to install ClamAV or not, and tells you where to get the RPMs if you decide to take that route.

Please can someone add this, and my previous recent HOWTO, to the Wiki for me?

Thanks guys!

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From brandonc at webpipe.net Tue Jul 10 19:19:28 2007
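Steps 5 and 6 above, and the "COULD NOT CONNECT TO CLAMD" reports earlier in the thread, come down to MailScanner and clamd agreeing on one socket or port. The following is an added example, not part of MailScanner or of any post here: it compares the two files and then sends clamd a PING. The key names `Clamd Socket` and `Clamd Port`, the clamd.conf options `LocalSocket`, `TCPSocket` and `TCPAddr`, and the sample file contents are assumptions taken from stock configurations rather than from this thread.

```python
#!/usr/bin/env python3
"""Check that MailScanner's Clamd settings agree with clamd.conf, then PING clamd."""
import re
import socket
import sys

# Constructed sample files (not from the thread). BEFORE models a daemon that
# is running while MailScanner looks for it in the wrong place.
SAMPLE_CLAMD_CONF = """\
# clamd listens on a Unix socket only
LocalSocket /var/run/clamav/clamd.sock
User clamav
"""
SAMPLE_MAILSCANNER_BEFORE = """\
Virus Scanners = clamd
Clamd Port = 3310
Clamd Socket = 127.0.0.1
Clamd Use Threads = no
"""
SAMPLE_MAILSCANNER_AFTER = """\
Virus Scanners = clamd
Clamd Port = 3310
Clamd Socket = /var/run/clamav/clamd.sock
Clamd Use Threads = no
"""


def parse_clamd_conf(text):
    """clamd.conf holds 'Option value' lines; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def parse_mailscanner_conf(text):
    """MailScanner.conf holds 'Key Words = value'; keys are normalised here by
    lower-casing and dropping non-alphanumerics (an assumption of this example)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            opts[re.sub(r"[^a-z0-9]", "", key.lower())] = value.strip()
    return opts


def clamd_endpoint(ms):
    """A path in 'Clamd Socket' means a Unix socket, anything else a TCP address."""
    sock = ms.get("clamdsocket", "")
    if sock.startswith("/"):
        return "unix", sock
    return "tcp", (sock or "127.0.0.1", int(ms.get("clamdport", "3310")))


def find_mismatches(ms, clamd):
    """Return human-readable disagreements between the two parsed files."""
    problems = []
    if "clamd" not in ms.get("virusscanners", "").split():
        problems.append('"Virus Scanners" does not include clamd')
    kind, target = clamd_endpoint(ms)
    if kind == "unix":
        local = clamd.get("localsocket")
        if local != target:
            problems.append("MailScanner uses socket %s, clamd.conf LocalSocket is %s"
                            % (target, local or "unset"))
        return problems
    addr, port = target
    tcp = clamd.get("tcpsocket")
    if tcp is None:
        problems.append("MailScanner uses TCP %s:%d but clamd.conf sets no TCPSocket"
                        % (addr, port))
    elif int(tcp) != port:
        problems.append("MailScanner uses port %d, clamd.conf TCPSocket is %s" % (port, tcp))
    elif clamd.get("tcpaddr") and clamd["tcpaddr"] != addr:
        problems.append("MailScanner connects to %s, clamd.conf TCPAddr is %s"
                        % (addr, clamd["tcpaddr"]))
    return problems


def ping_clamd(kind, target, timeout=5.0):
    """Send clamd's PING command; a healthy daemon answers PONG."""
    family = socket.AF_UNIX if kind == "unix" else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(target)
            s.sendall(b"PING\n")
            return s.recv(16).strip() == b"PONG"
    except OSError:
        return False


def main(argv):
    if len(argv) == 3:  # e.g. /etc/MailScanner/MailScanner.conf /etc/clamd.conf
        with open(argv[1]) as f:
            ms_text = f.read()
        with open(argv[2]) as f:
            clamd_text = f.read()
    else:               # no paths given: analyse the constructed samples
        ms_text, clamd_text = SAMPLE_MAILSCANNER_BEFORE, SAMPLE_CLAMD_CONF
    ms = parse_mailscanner_conf(ms_text)
    problems = find_mismatches(ms, parse_clamd_conf(clamd_text))
    for problem in problems:
        print("MISMATCH:", problem)
    kind, target = clamd_endpoint(ms)
    alive = ping_clamd(kind, target)
    print("clamd PING via %s %s: %s" % (kind, target, "PONG" if alive else "no answer"))
    return 0 if alive and not problems else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```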
From: brandonc at webpipe.net (Brandon Checketts)
Date: Tue Jul 10 19:18:59 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <002001c7c219$4d475580$e7d60080$@dk>
References: <000901c7c210$8d1f4310$a75dc930$@dk> <6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local> <002001c7c219$4d475580$e7d60080$@dk>
Message-ID: <4693CDB0.1050307@webpipe.net>

Nagios actually can do this. Check out the section on 'passive checks' at
http://nagios.sourceforge.net/docs/3_0/passivechecks.html.

You'd have to create something to send automated emails every so often,
then have it delivered to a script that parses out the timestamp and
writes to the nagios external command file in the specified format.

Thanks,
Brandon Checketts

Jonas A. Larsen wrote:
> Hi Alistair and Gareth too.
>
> I have used nagios for many years. However if you read my mail again, I
> specifically don't need to know the queue size or the status of the MTA,
> none of those can give you a definitive answer about whether or not mail
> flow is working, I need something that can check if mail is flowing and
> if it's delayed.
>
> /Jonas
>
> *From:* mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of
> *Alistair Carmichael
> *Sent:* 9. juli 2007 12:31
> *To:* MailScanner discussion
> *Subject:* RE: How to monitor the health of the MailScanner architecture
>
> Hi,
>
> The monitoring software I use - nagios is capable of this, without going
> into too much detail it's basically a monitoring tool that can run on a
> webserver and then check the status of software such as your mta
> remotely as well as executing local scripts on each mailscanner server to
> check queue sizes and report back to the nagios monitoring server via
> the nagios nrpe plugin, which can be configured to alert via email or
> even sms once certain thresholds (e.g queue size) are met.
>
> In our setup I wrote my own queue size monitor script but there are nrpe
> scripts already created for various MTA's out there.
>
> Al
>
> ------------------------------------------------------------------------
>
> *From:* mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Jonas
> A. Larsen
> *Sent:* 09 July 2007 11:04
> *To:* mailscanner@lists.mailscanner.info
> *Subject:* How to monitor the health of the MailScanner architecture
>
> Hello all
>
> I have a problem, and discussing it on the irc channel didn't turn up
> any obvious solution.
>
> Say you have more than 1 MS box scanning mails for a specific domain.
> They are load balanced in some way, so the load is split over the servers.
>
> Now let's say one of the servers has a problem. Not a fatal problem, so
> the server is still running (responds to pings etc) port 25 is still
> open, and exim (the mta in my case) still accepts mails.
>
> But for some reason, crash, corrupt config, full root fs etc. the
> process of moving mails from the incoming queue to the outgoing queue is
> not working.
>
> What I am interested in, is a system to alert me of such a problem
> automatically.
>
> Currently the only thing, besides clients noticing mail being delayed,
> is for me to look at my mailscanner-mrtg graphs for the incoming queue
> and notice that it's growing.
>
> One method of doing all this automatically that we came up with, would
> be some complex system that would work as follows:
>
> You create a domain for each MailScanner, that only that MailScanner
> scans for.
>
> You then create an imap account on another system for each of the domains.
>
> You then create a script that sends a mail to each of the accounts and
> after X amount of minutes check to see if the mail has arrived on the
> imap account. If yes, delete the mail and do the same thing again after
> Y amount of minutes (a cron job), if it doesn't exist something must be
> wrong with the mailflow, either it's interrupted or is experiencing delays.
>
> Does anybody have a better idea or know of something that can do this already?
>
> My root file system ran full last week, and it caused mails to still be
> accepted (incoming is on /var on another disk) but MS was frozen because
> it couldn't extract attachments to /tmp which was full because it was on
> the same disk as the root fs.
>
> I hope I have made the above somewhat clear, if not please ask me to
> clarify.
>
> *Med venlig hilsen / Best regards*
>
> *Jonas Akrouh Larsen*
>
> TechBiz ApS
> Laplandsgade 4, 2. sal
> 2300 København S
>
> Office: 7020 0979
> Direct: 33369974
> Fax: 7020 0978
> Mobile: 51201096
> Web: www.techbiz.dk
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they are
> addressed. If you have received this email in error please notify the
> system manager. This message contains confidential information and is
> intended only for the individual named. If you are not the named
> addressee you should not disseminate, distribute or copy this e-mail.
>

From ugob at lubik.ca Tue Jul 10 19:21:33 2007
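The receiving side of the approach in the message above (a delivered probe mail is handed to a script that parses out the timestamp and emits a Nagios passive check result) could look like the following. This is an added example, not code from any poster or from Nagios; the `X-Probe-Sent` header, the host and service names and the thresholds are assumptions, while the `PROCESS_SERVICE_CHECK_RESULT` line follows the external command format in the Nagios documentation linked above.

```python
"""Probe mail -> Nagios passive check result (constructed example)."""
import email
import re
import sys
import time
from email import policy

PROBE_HEADER = "X-Probe-Sent"   # hypothetical header set by the sending cron job
SERVICE = "Mail flow"           # assumed Nagios service description
KNOWN_SCANNERS = {"ms1.example.org", "ms2.example.org"}  # constructed host names
WARN_SECONDS, CRIT_SECONDS = 300, 900                    # assumed thresholds
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3              # Nagios return codes

# The header value must be exactly "<scanner host> <unix time>". The probe is
# untrusted mail, so nothing that fails this pattern (for instance a ';' or a
# line break) may reach the external command file.
PROBE_RE = re.compile(r"([a-z0-9.-]{1,64}) ([0-9]{9,11})")

# Constructed sample messages, as the delivery agent would pipe them in.
SAMPLE_PROBE = (
    "From: probe@monitor.example.org\n"
    "To: canary@ms1.example.org\n"
    "Subject: mail flow probe\n"
    "X-Probe-Sent: ms1.example.org 1184090000\n"
    "\n"
    "probe\n"
)
SAMPLE_FORGED = SAMPLE_PROBE.replace(
    "ms1.example.org 1184090000", "ms1.example.org;0;fake 1184090000")


def parse_probe(raw_message):
    """Return (scanner_host, sent_epoch), or None for anything unexpected."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    value = msg.get(PROBE_HEADER)
    if value is None:
        return None
    match = PROBE_RE.fullmatch(str(value).strip())
    if match is None or match.group(1) not in KNOWN_SCANNERS:
        return None
    return match.group(1), int(match.group(2))


def passive_result(raw_message, now):
    """Build the external command line for one delivered probe, or None."""
    probe = parse_probe(raw_message)
    if probe is None:
        return None
    host, sent = probe
    delay = now - sent
    if delay < 0:
        code, text = UNKNOWN, "probe timestamp is %ds in the future" % -delay
    elif delay >= CRIT_SECONDS:
        code, text = CRITICAL, "probe delayed by %ds" % delay
    elif delay >= WARN_SECONDS:
        code, text = WARNING, "probe delayed by %ds" % delay
    else:
        code, text = OK, "probe delivered in %ds" % delay
    return "[%d] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%d;%s" % (
        now, host, SERVICE, code, text)


def submit(line, command_file):
    """Write one command to the Nagios external command file (a named pipe)."""
    with open(command_file, "w") as handle:
        handle.write(line + "\n")


if __name__ == "__main__":
    # Usage: deliver the probe mailbox to "script.py /path/to/nagios.cmd".
    result = passive_result(sys.stdin.read(), int(time.time()))
    if result is not None and len(sys.argv) > 1:
        submit(result, sys.argv[1])
```

A probe that never arrives produces no result at all, so the Nagios service also needs freshness checking (`check_freshness` with a `freshness_threshold`) to turn silence into an alert.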
From: ugob at lubik.ca (Ugo Bellavance)
Date: Tue Jul 10 19:21:48 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To: <4693C93C.3020508@ecs.soton.ac.uk>
References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
>>>>> I'd like to switch from clamavmodule to clamd. I used to use a
>>>>> source-install of clamav. I've read that the easiest way to get
>>>>> clamd running is using dag's RPM. However, a dependency for clamd
>>>>> is clamav and clamav-db. How will that play with my current source
>>>>> install of clamav? Should I move to using exclusively rpm clamav?
>>>>
>>>> It looks like the source install is overwritten by the RPM. This
>>>> answers my question...
>>> The source install by default goes in /usr/local, while the RPMs most
>>> often go into /usr/bin, /etc and so on.
>> You're right. And if we remove /usr/local/freshclam, MailScanner
>> can't update clamav.
> Make sure that /etc/MailScanner/virus.scanners.conf points to the right
> installation (i.e. /usr or /usr/local). Then it will call
> /usr/bin/freshclam for you.

Ok.

>> Anyone really documented all the process of switching from clamav or
>> clamavmodule to clamd? I could do it, if I can gather all the
>> information.
> I would proceed like this:
>
> 1. Make sure you have a sufficiently recent MailScanner installed so
> that you have direct support of clamd. Version 4.61.7-2 at least. I
> don't believe in running betas once there is a stable release of the
> same version.

Ok

> 2. Install ClamAV from the RPMs at dag.wieers.com. You need the correct
> builds of clamav, clamav-db and clamd. This way you get the init.d
> script for free.

Ok

> 3. Install my ClamAV+SpamAssassin package, telling it not to install
> ClamAV. Tell it your ClamAV installation lives at /usr/bin (or /usr, or
> /usr/bin/clamscan, it will work out what you meant).

Why is that necessary if SA 3.2.1 is already installed on the system?

> 4. Check your clam* entries in /etc/MailScanner/virus.scanners.conf all
> point to /usr.

Ok. I guess this means that MailScanner assumes a source install by
default. This probably means that any user that wants to switch from
source to dag's rpm would have to do this right?

> 5. Set your "Virus Scanners =" entry in
> /etc/MailScanner/MailScanner.conf to include "clamd".

Ok

5.5. Set the Incoming Work Group and Incoming Work Permission settings
accordingly:

Incoming Work Group = clamav
Incoming Work Permissions = 0640

> 6. Set up the Clamd-specific entries in
> /etc/MailScanner/MailScanner.conf to the same values as you use in
> /etc/clamd.conf. By default I *think* you can just leave them alone. But
> if you are running a system with more than 1 CPU (or more than 1 CPU
> core), then switch on "Clamd Use Threads = yes" in MailScanner.conf.

Ok

> 7. chkconfig clamd on

I think the RPM does it by default.

> 8. service clamd start
> 9. service MailScanner restart
>
> I'm sure others will correct any mistakes in the above guide.
>
> I have just updated my ClamAV+SA package so that it prints more
> instructions to inform your choice of whether you want it to install
> ClamAV or not, and tells you where to get the RPMs if you decide to take
> that route.
>
> Please can someone add this, and my previous recent HOWTO, to the Wiki
> for me?

Will do as soon as I have all the info.

Ugo

From MailScanner at ecs.soton.ac.uk Tue Jul 10 19:48:53 2007
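The MailScanner.conf settings from steps 5, 5.5 and 6 in the message above can be checked mechanically before MailScanner is restarted; clamd runs as its own user, so the work directory has to be group-readable for that user's group without being open to everyone else. This is an added example, not code from the list or from the MailScanner project; the function names, the key normalisation and the two sample configurations are assumptions.

```python
"""Check MailScanner.conf text for the clamd switch-over (constructed example)."""
import re

# Constructed samples: a setup still on clamavmodule, and one after the switch.
SAMPLE_BEFORE = """\
# constructed sample, not a real site configuration
Virus Scanners = clamavmodule
Incoming Work Group =
Incoming Work Permissions = 0600
Clamd Use Threads = no
"""
SAMPLE_AFTER = """\
Virus Scanners = clamd
Incoming Work Group = clamav
Incoming Work Permissions = 0640
Clamd Use Threads = yes
"""


def parse_conf(text):
    """Parse "Key = value" lines; keys are compared lower-cased without spaces
    (a normalisation chosen for this example)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[re.sub(r"\s+", "", key).lower()] = value.strip()
    return settings


def check_clamd_switch(text, clamd_group="clamav", cpus=1):
    """Return a list of problems; an empty list means the settings line up."""
    conf = parse_conf(text)
    problems = []

    if "clamd" not in conf.get("virusscanners", "").split():
        problems.append('"Virus Scanners" does not include clamd')

    group = conf.get("incomingworkgroup", "")
    if group != clamd_group:
        problems.append('"Incoming Work Group" is %r, expected %r'
                        % (group, clamd_group))

    perms_text = conf.get("incomingworkpermissions", "")
    try:
        perms = int(perms_text, 8)
    except ValueError:
        problems.append('"Incoming Work Permissions" is not octal: %r' % perms_text)
    else:
        if not perms & 0o040:
            problems.append("work files are not group-readable, clamd cannot scan them")
        if perms & 0o007:
            problems.append("work files are accessible to all local users")

    threads = conf.get("clamdusethreads", "no").lower()
    if cpus > 1 and threads != "yes":
        problems.append('more than 1 CPU but "Clamd Use Threads" is not yes')
    return problems


if __name__ == "__main__":
    for name, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, check_clamd_switch(sample, cpus=2))
```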
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 10 19:55:58 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To:
References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk>
Message-ID: <4693D495.5030409@ecs.soton.ac.uk>

Ugo Bellavance wrote:
> Julian Field wrote:
>>>>>> I'd like to switch from clamavmodule to clamd. I used to use
>>>>>> a source-install of clamav. I've read that the easiest way to
>>>>>> get clamd running is using dag's RPM. However, a dependency for
>>>>>> clamd is clamav and clamav-db. How will that play with my
>>>>>> current source install of clamav? Should I move to using
>>>>>> exclusively rpm clamav?
>>>>>
>>>>> It looks like the source install is overwritten by the RPM. This
>>>>> answers my question...
>>>> The source install by default goes in /usr/local, while the RPMs
>>>> most often go into /usr/bin, /etc and so on.
>>> You're right. And if we remove /usr/local/freshclam, MailScanner
>>> can't update clamav.
>> Make sure that /etc/MailScanner/virus.scanners.conf points to the
>> right installation (i.e. /usr or /usr/local). Then it will call
>> /usr/bin/freshclam for you.
>
> Ok.
>
>>> Anyone really documented all the process of switching from clamav or
>>> clamavmodule to clamd? I could do it, if I can gather all the
>>> information.
>> I would proceed like this:
>>
>> 1. Make sure you have a sufficiently recent MailScanner installed so
>> that you have direct support of clamd. Version 4.61.7-2 at least. I
>> don't believe in running betas once there is a stable release of the
>> same version.
>
> Ok
>
>> 2. Install ClamAV from the RPMs at dag.wieers.com. You need the
>> correct builds of clamav, clamav-db and clamd. This way you get the
>> init.d script for free.
>
> Ok
>
>> 3. Install my ClamAV+SpamAssassin package, telling it not to install
>> ClamAV. Tell it your ClamAV installation lives at /usr/bin (or /usr,
>> or /usr/bin/clamscan, it will work out what you meant).
>
> Why is that necessary if SA 3.2.1 is already installed on the system?

It's not in that case, no.

>
>> 4. Check your clam* entries in /etc/MailScanner/virus.scanners.conf
>> all point to /usr.
>
> Ok. I guess this means that MailScanner assumes a source install by
> default. This probably means that any user that wants to switch from
> source to dag's rpm would have to do this right?

Correct.

>
>> 5. Set your "Virus Scanners =" entry in
>> /etc/MailScanner/MailScanner.conf to include "clamd".
>
> Ok
>
> 5.5. Set the Incoming Work Group and Incoming Work Permission settings
> accordingly:
>
> Incoming Work Group = clamav
> Incoming Work Permissions = 0640

Good point, forgot that one. Well spotted!

>
>> 6. Set up the Clamd-specific entries in
>> /etc/MailScanner/MailScanner.conf to the same values as you use in
>> /etc/clamd.conf. By default I *think* you can just leave them alone.
>> But if you are running a system with more than 1 CPU (or more than 1
>> CPU core), then switch on "Clamd Use Threads = yes" in MailScanner.conf.
>
> Ok
>
>> 7. chkconfig clamd on
>
> I think the RPM does it by default.
>
>> 8. service clamd start
>> 9. service MailScanner restart
>>
>> I'm sure others will correct any mistakes in the above guide.
>>
>> I have just updated my ClamAV+SA package so that it prints more
>> instructions to inform your choice of whether you want it to install
>> ClamAV or not, and tells you where to get the RPMs if you decide to
>> take that route.
>>
>> Please can someone add this, and my previous recent HOWTO, to the
>> Wiki for me?
>
> Will do as soon as I have all the info.

Thanks a lot for doing that.

>
> Ugo
>

Jules

From listacct at tulsaconnect.com Tue Jul 10 21:20:33 2007
From: listacct at tulsaconnect.com (TCIS List Acct)
Date: Tue Jul 10 21:20:10 2007
Subject: zen.spamhaus.org timeouts?
In-Reply-To:
References: <4693A6A0.3030305@tulsaconnect.com>
Message-ID: <4693EA11.9060702@tulsaconnect.com>

Scott Silva wrote:
> Everything is fine here.
>

My guess is our volume exceeded what they are going to allow on the
freebie servers, so we've ponied up some cash and subscribed to the data
feed via rsync and now all is well again (and speedier to boot) :))

--
-----------------------------------------
Mike Bacher / listacct@tulsaconnect.com
TCIS - TulsaConnect Internet Services
http://www.tulsaconnect.com
-----------------------------------------

From ugob at lubik.ca Tue Jul 10 21:23:16 2007
From: ugob at lubik.ca (Ugo Bellavance)
Date: Tue Jul 10 21:23:41 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To: <4693D495.5030409@ecs.soton.ac.uk>
References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:

>>> Please can someone add this, and my previous recent HOWTO, to the
>>> Wiki for me?
>> Will do as soon as I have all the info.
> Thanks a lot for doing that.
>> Ugo

http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd

Please, everyone, review and comment. Especially the "FIXME" items.

--
Ugo Bellavance
FSL Technical Support Team

From MailScanner at ecs.soton.ac.uk Tue Jul 10 22:02:56 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 10 22:10:16 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To:
References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk>
Message-ID: <4693F400.5030309@ecs.soton.ac.uk>

Ugo Bellavance wrote:
> Julian Field wrote:
>
>>>> Please can someone add this, and my previous recent HOWTO, to the
>>>> Wiki for me?
>>> Will do as soon as I have all the info.
>> Thanks a lot for doing that.
>>> Ugo
>
> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd
>
> Please, everyone, review and comment. Especially the "FIXME" items.
>

Fix Me 1: That example is fine.
Fix Me 2: My package does not install any RPM's anyway, so there's
nothing you can easily remove. You can do this if you want:
    cd /usr/lib/perl5
    find . -name 'SpamAssassin.pm' -print | xargs rm
to remove any old installations of SpamAssassin.

Jules

From ugob at lubik.ca Tue Jul 10 22:44:03 2007
From: ugob at lubik.ca (Ugo Bellavance)
Date: Tue Jul 10 22:44:19 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To: <4693F400.5030309@ecs.soton.ac.uk>
References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> Ugo Bellavance wrote:
>> Julian Field wrote:
>>
>>>>> Please can someone add this, and my previous recent HOWTO, to the
>>>>> Wiki for me?
>>>> Will do as soon as I have all the info.
>>> Thanks a lot for doing that.
>>>> Ugo
>> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd
>>
>> Please, everyone, review and comment. Especially the "FIXME" items.
>>
> Fix Me 1: That example is fine.

Ok, but should all the clam* entries be like that, or only clamav?

> Fix Me 2: My package does not install any RPM's anyway, so there's
> nothing you can easily remove. You can do this if you want:
>     cd /usr/lib/perl5
>     find . -name 'SpamAssassin.pm' -print | xargs rm
> to remove any old installations of SpamAssassin.

I don't mind SA, as long as we can remove clamav. The article is only
about clam.

Thanks,

--
Ugo Bellavance
FSL Technical Support Team

From richard.siddall at elirion.net Tue Jul 10 22:52:28 2007
From: richard.siddall at elirion.net (Richard Siddall)
Date: Tue Jul 10 22:54:14 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To:
References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk>
Message-ID: <4693FF9C.7090405@elirion.net>

Ugo Bellavance wrote:
> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd
>
> Please, everyone, review and comment. Especially the "FIXME" items.
>

Step 9 seems to be unnecessary in MailWatch 1.0.4. It's already there.

Regards,

Richard.

From ugob at lubik.ca Tue Jul 10 23:23:47 2007
From: ugob at lubik.ca (Ugo Bellavance)
Date: Tue Jul 10 23:24:04 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To: <4693FF9C.7090405@elirion.net>
References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693FF9C.7090405@elirion.net>
Message-ID:

Richard Siddall wrote:
> Ugo Bellavance wrote:
>> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd
>>
>> Please, everyone, review and comment. Especially the "FIXME" items.
>>
>
> Step 9 seems to be unnecessary in MailWatch 1.0.4. It's already there.

Thanks for letting me know. Better to leave it there, a lot of people
don't upgrade MailWatch once it is in...

--
Ugo Bellavance
FSL Technical Support Team

From Phil.Udel at SalemCorp.com Tue Jul 10 23:35:33 2007
From: Phil.Udel at SalemCorp.com (Phil Udel)
Date: Tue Jul 10 23:35:39 2007
Subject: Help with ClamAVMod
Message-ID: <064f01c7c342$a0f4e3d0$6102a8c0@salemcorp.com>

I just upgraded to MS 4.61.7.2 today on a Centos 4.x system
I am having problems with CLamAVmod working.
Whenever I add clamavmodule to the Virus Scanners List MS stops
processing Email and finally Fails after three min or so.

I check and Mail::ClamAV is up to date (0.20).
I installed install-Clam-0.90.3-SA-3.2.1.tar.gz.
There looks like there is a Patch, But I can't Find It.

Can someone Please Help :)

From kate at rheel.co.nz Wed Jul 11 00:37:10 2007
From: kate at rheel.co.nz (Kathryn Allan)
Date: Wed Jul 11 00:37:18 2007
Subject: Issues trying to get freshclam working
Message-ID: <46941826.6000807@rheel.co.nz>

Hi all,

I have just done a make install of clamav using ./configuration --prefix=
so that it puts config file in /etc/clamd.conf for example.

That all went smoothly but when I try and run freshclam I get the
following error
-bash: /usr/local/bin/freshclam: No such file or directory

Where do I change where it looks for freshclam?

Thanks
Kate

From r.berber at computer.org Wed Jul 11 01:45:10 2007
From: r.berber at computer.org (René Berber)
Date: Wed Jul 11 01:45:27 2007
Subject: Issues trying to get freshclam working
In-Reply-To: <46941826.6000807@rheel.co.nz>
References: <46941826.6000807@rheel.co.nz>
Message-ID:

Kathryn Allan wrote:

> I have just done a make install of clamav using ./configuration --prefix=
> so that it puts config file in /etc/clamd.conf for example.

Wrong procedure. If you want clamd.conf in /etc use --sysconfdir=/etc .

> That all went smoothly but when I try and run freshclam I get the
> following error
> -bash: /usr/local/bin/freshclam: No such file or directory
>
> Where do I change where it looks for freshclam?

Have you tried `which freshclam`?

If you want to change the location used by MailScanner, then you'll have
to change lib/clamav-autoupdate, but that's not the recommended
procedure, better uninstall your clamav and re-install with the
--sysconfdir option (no --prefix).

It's probably under /bin (thanks to your wrong use of the --prefix
parameter), even if /bin did not exist before.

--
René Berber

From ugob at lubik.ca Wed Jul 11 03:53:18 2007
From: ugob at lubik.ca (Ugo Bellavance)
Date: Wed Jul 11 03:53:33 2007
Subject: Help with ClamAVMod
In-Reply-To: <064f01c7c342$a0f4e3d0$6102a8c0@salemcorp.com>
References: <064f01c7c342$a0f4e3d0$6102a8c0@salemcorp.com>
Message-ID:

Phil Udel wrote:
> I just upgraded to MS 4.61.7.2 today on a Centos 4.x system
> I am having problems with CLamAVmod working.
> Whenever I add clamavmodule to the Virus Scanners List MS stops
> processing Email and finally Fails after three min or so.
>

Please let us see some log entries.

Regards.

Ugo

From ugob at lubik.ca Wed Jul 11 03:57:56 2007
From: ugob at lubik.ca (Ugo Bellavance)
Date: Wed Jul 11 04:00:04 2007
Subject: Issues trying to get freshclam working
In-Reply-To: <46941826.6000807@rheel.co.nz>
References: <46941826.6000807@rheel.co.nz>
Message-ID:

Kathryn Allan wrote:
> Hi all,
>
> I have just done a make install of clamav using ./configuration --prefix=
> so that it puts config file in /etc/clamd.conf for example.
>
> That all went smoothly but when I try and run freshclam I get the
> following error
> -bash: /usr/local/bin/freshclam: No such file or directory
>
> Where do I change where it looks for freshclam?

What OS? Which version of clamAV?

From kate at rheel.co.nz Wed Jul 11 04:23:54 2007
From: kate at rheel.co.nz (Kathryn Allan)
Date: Wed Jul 11 04:24:02 2007
Subject: Issues trying to get freshclam working
In-Reply-To:
References: <46941826.6000807@rheel.co.nz>
Message-ID: <46944D4A.1090209@rheel.co.nz>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070711/b523f8e2/attachment.html

From kate at rheel.co.nz Wed Jul 11 04:24:58 2007
From: kate at rheel.co.nz (Kathryn Allan)
Date: Wed Jul 11 04:25:02 2007
Subject: Issues trying to get freshclam working
In-Reply-To:
References: <46941826.6000807@rheel.co.nz>
Message-ID: <46944D8A.7010709@rheel.co.nz>

Just installed CentOS 5 and latest version of ClamAV.

René's answer fixed my issue.

Thanks

Ugo Bellavance wrote:
> Kathryn Allan wrote:
>> Hi all,
>>
>> I have just done a make install of clamav using ./configuration
>> --prefix=
>> so that it puts config file in /etc/clamd.conf for example.
>>
>> That all went smoothly but when I try and run freshclam I get the
>> following error
>> -bash: /usr/local/bin/freshclam: No such file or directory
>>
>> Where do I change where it looks for freshclam?
>
> What OS? Which version of clamAV?
>

From hden at kcbbs.gen.nz Wed Jul 11 05:43:20 2007
From: hden at kcbbs.gen.nz (Hendrik den Hartog)
Date: Wed Jul 11 05:24:39 2007
Subject: Language File
In-Reply-To: <4693F400.5030309@ecs.soton.ac.uk>
References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk>
Message-ID: <20070711044320.GA25959@mew.kcbbs.gen.nz>

Gidday

We've recently upgraded MailScanner after several months, and am getting
logged errors about missing strings..

'Looked up unknown string notcached in language translation file'

..etc

We did copy the(a) new language.conf.rpmnew to language.conf, but this
didn't sort the issue.

Is there anywhere we can download a current english (en) language file
from to sort this?

Cheers!
Pasadena School (Dave)

From lists at jfworks.net Wed Jul 11 07:21:47 2007
From: lists at jfworks.net (James)
Date: Wed Jul 11 07:21:54 2007
Subject: Language File
In-Reply-To: <20070711044320.GA25959@mew.kcbbs.gen.nz>
References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> <20070711044320.GA25959@mew.kcbbs.gen.nz>
Message-ID: <469476FB.3030901@jfworks.net>

Hendrik den Hartog wrote:
> Gidday
>
> We've recently upgraded MailScanner after several months, and am getting
> logged errors about missing strings..
>
> 'Looked up unknown string notcached in language translation file'
>
> ..etc
>
> We did copy the(a) new language.conf.rpmnew to language.conf, but this didn't
> sort the issue.
>
> Is there anywhere we can download a current english (en) language file
> from to sort this?
>
> Cheers!
> Pasadena School (Dave)
>

Have you run "upgrade_languages_conf " ? It will give the directions for
upgrading the file.

James

From paul.hutchings at mira.co.uk Wed Jul 11 08:33:17 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Wed Jul 11 08:33:26 2007
Subject: Local phishing whitelist?
Message-ID:

Is there a way of having a local phishing whitelist as well as the
default/auto-updated one that comes with Mailscanner?

I don't see a way of specifying more than one file?

TIA,
Paul

Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378
Fax: 44 (0)24 7635 8378
mailto:paul.hutchings@mira.co.uk

--
MIRA Ltd.

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of
the intended recipient.
If you receive this e-mail in error, please delete it and notify us either
by e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the
e-mail as this is prohibited.

From martinh at solidstatelogic.com Wed Jul 11 09:00:32 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Jul 11 09:00:45 2007
Subject: Local phishing whitelist?
In-Reply-To:
Message-ID: <5943e9739270674299fab02af44ce34a@solidstatelogic.com>

Paul

Put your changes to that single file and the autoupdate will merge the
two sets together - clever huh?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Paul Hutchings
> Sent: 11 July 2007 08:33
> To: MailScanner discussion
> Subject: Local phishing whitelist?
>
> Is there a way of having a local phishing whitelist as well as the
> default/auto-updated one that comes with Mailscanner?
>
> I don't see a way of specifying more than one file?
>
> TIA,
> Paul
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

**********************************************************************

Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error you
must take no action based on them, nor must you copy or show them to
anyone. Please advise the sender by replying to this e-mail immediately
and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the
author and unless specifically stated to the contrary, are not
necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure
communications medium and can be subject to data corruption. We advise
that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
United Kingdom
**********************************************************************

From jan-peter at koopmann.eu Wed Jul 11 09:20:53 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Wed Jul 11 09:20:17 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To:
References: <469266D4.7060405@ecs.soton.ac.uk>
Message-ID:

> Make sure that /etc/MailScanner/virus.scanners.conf points to the right
> installation (i.e. /usr or /usr/local). Then it will call
> /usr/bin/freshclam for you.

So if freshclam is located in /usr/local/bin/freshclam I need to put
/usr/local in virus.scanners.conf? What is the advantage over using the
freshclam daemon?

From ram at netcore.co.in Wed Jul 11 10:05:13 2007
From: ram at netcore.co.in (ram)
Date: Wed Jul 11 10:06:19 2007
Subject: Server whitelist being ignored
In-Reply-To: <006f01c7c30b$479a7570$0402a8c0@VAIODESKTOP1>
References: <006f01c7c30b$479a7570$0402a8c0@VAIODESKTOP1>
Message-ID: <1184144713.29744.6.camel@localhost.localdomain>

On Tue, 2007-07-10 at 11:59 -0400, Custom Framer Web Designs wrote:
> I have a problem with messages that come from addresses, and domains that
> are on the server-wide whitelist are being scanned and scored as spam.
>
> It is my understanding that by being on the whitelist, messages from these
> addresses would not be scanned.
>
> Am I wrong in this thinking?

Is this happening every time for those ids, or only some times

Thanks
Ram

From henker at evendi.de Wed Jul 11 10:14:46 2007
From: henker at evendi.de (Henke)
Date: Wed Jul 11 10:14:52 2007
Subject: Lost the X-Spam-Score-Header along the way
Message-ID:

I *somehow* lost the X-Spam-Score-Header on one of my mail servers.
Starting with 4.61.7, I noticed that neither the detailed SpamAssassin
report nor the Spam-Score header was added. So I upgraded to 4.62.2 and
the detailed report is added again, however still no X-Spam-Score-Header.

Is there any way to find out why it's not added ?

The MailScanner.conf contains

SpamScore Number Instead Of Stars = no
Spam Score Character = s
Spam Score = yes
Spam Score Number Format = %d

and it's still working on another box with 4.61.7 with an *almost*
identical config.

Regards,
Steffan

From kennyfelden at hotmail.com Wed Jul 11 10:46:50 2007
From: kennyfelden at hotmail.com (Kenny Of The Fells)
Date: Wed Jul 11 10:46:58 2007
Subject: Problem with mail that is non-spam and also mcp
Message-ID:

I have a rule such that non-spam to a set of users is quarantined:

To: pupil*@ store

This works as expected. However, if mail is also mcp, it is quarantined twice.

Given that if I change the above rule to:

To: pupil1*@ deliver

mcp mail *doesn't* get delivered (it does get quarantined as mcp), why is it
stored in the first case above rather than being ignored?

How do I prevent non-spam mcp mail being stored twice?

My MailScanner.conf is set to do mcp checks first.

Thanks

Peter

From sa at streaming-networks.com Wed Jul 11 11:00:57 2007
From: sa at streaming-networks.com (sa@streaming-networks.com)
Date: Wed Jul 11 11:02:03 2007
Subject: ruleset=check_mail ... Not Allowed
Message-ID: <127101c7c3a2$60a91340$5505a8c0@stream.net>

Hi,

I am not getting emails delivered from anyone@sympatico.ca

Following are my maillogs:

Jul 11 05:07:02 mymailserver sendmail[17276]: l6B06xLD017276: ruleset=check_mail, arg1=, relay=xyz.domain.com [IP Address], reject=550 5.0.0 ... Not Allowed
Jul 11 05:07:03 mymailserver sendmail[17276]: l6B06xLD017276: from=, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=xyz.domain.com [IP Address]

No entries for sympatico.ca in my Mailscanner (and its relevant) config files.

Any clue?

Regards,

Umar Murtaza

From Chris.Russell at knowledgeit.co.uk Wed Jul 11 11:10:45 2007
From: Chris.Russell at knowledgeit.co.uk (Chris Russell)
Date: Wed Jul 11 11:10:48 2007
Subject: Quarantine from Custom Spam Scanner
Message-ID: <1638CDD827D51E4D8E9B2741290E1C9101001143@wkits02.knowledgeit.co.uk>

Julian, et al

Is there any easy way to force (via a customer spam scanner) a
message to be quarantined?

We have a few instances where we require the message to be quarantined
regardless of the status, and whilst I can think of a few ways to do
this, most mean modifying the mailscanner code.

Is there any way to do this without the above being necessary (ie:
maybe a force quarantine flag ?)

Thanks

Chris

The contents of this e-mail may be privileged and are confidential.
It may not be disclosed to or used by anyone other than the
addressee(s), nor copied in any way. Any views or opinions presented
are solely those of the author and do not necessarily represent those
of Knowledge Limited.

If received in error, please advise the sender, then delete it from
your system.

From res at ausics.net Wed Jul 11 11:47:10 2007
From: res at ausics.net (Res)
Date: Wed Jul 11 11:47:27 2007
Subject: ruleset=check_mail ... Not Allowed
In-Reply-To: <127101c7c3a2$60a91340$5505a8c0@stream.net>
References: <127101c7c3a2$60a91340$5505a8c0@stream.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

Yeah, it's sendmail reject list. nothing to do with mailscanner

check your /etc/mail/access

On Wed, 11 Jul 2007, sa@streaming-networks.com wrote:

>
> Hi,
>
> I am not getting emails delivered from anyone@sympatico.ca
>
> Following are my maillogs:
>
> Jul 11 05:07:02 mymailserver sendmail[17276]: l6B06xLD017276: ruleset=check_mail, arg1=, relay=xyz.domain.com [IP Address], reject=550 5.0.0 ... Not Allowed
> Jul 11 05:07:03 mymailserver sendmail[17276]: l6B06xLD017276: from=, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=xyz.domain.com [IP Address]
>
> No entries for sympatico.ca in my Mailscanner (and its relevant) config files.
>
> Any clue?
>
> Regards,
>
> Umar Murtaza

--
Cheers
Res
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGlLUusWhAmSIQh7MRAj92AJ0ciO07eT8f7DfsE3+aPyEOTaJWEQCfR6h3
T7eW1kCs/NUvhZc3d8XufIc=
=dLli
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Wed Jul 11 12:10:48 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 11 12:15:02 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To:
References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk>
Message-ID: <4694BAB8.8000509@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ugo Bellavance wrote:
> Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Ugo Bellavance wrote:
>>> Julian Field wrote:
>>>
>>>>>> Please can someone add this, and my previous recent HOWTO, to the
>>>>>> Wiki for me?
>>>>> Will do as soon as I have all the info.
>>>> Thanks a lot for doing that.
>>>>> Ugo
>>> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd
>>>
>>> Please, everyone, review and comment. Especially the "FIXME" items.
>>>
>> Fix Me 1: That example is fine.
>
> Ok, but should all the clam* entries like that, or only clamav?

Yes, the last "word" on each line should be the same for all 3 entries.

>
>> Fix Me 2: My package does not install any RPM's anyway, so there's
>> nothing you can easily remove. You can do this if you want:
>> cd /usr/lib/perl5
>> find . -name 'SpamAssassin.pm' -print | xargs rm
>> to remove any old installations of SpamAssassin.
>
> I don't mind SA, as long as we can remove clamav. The article is only
> about clam.

In which case just remove /usr/local/bin/*clam*

Cheers,
Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGlLq5EfZZRxQVtlQRAuD5AJ9xkp6T7SPyojuUbyGrwoldqhqv7wCgwpHd
/ay2pynbiuvxFjp+47fu21k=
=dTZA
-----END PGP SIGNATURE-----

From prandal at herefordshire.gov.uk Wed Jul 11 12:54:04 2007
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Jul 11 12:54:48 2007
Subject: ClamAV 0.91 is out
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk>

Project: Clam AntiVirus (clamav)
Package: clamav
Date : 2007-07-11 12:59

Project "Clam AntiVirus" ('clamav') has released the new version of
package 'clamav'. You can download it from SourceForge.net by following this
link:
or browse Release Notes and ChangeLog by visiting this link:

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From support-lists at petdoctors.co.uk Wed Jul 11 12:56:05 2007
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Wed Jul 11 12:57:22 2007
Subject: 4.61.7-2 - Attachments get zipped = message body disappears
Message-ID: <00f001c7c3b2$762db350$3c65a8c0@support01>

Hi,

It's been pointed out to me by an employee that if mail attachments get
munged into 'attachments.zip' the message body text disappears.

I have tried this and it's happened to me too. I have just reinstalled
4.61.7-2 and there's no change so I have had to turn off the feature.

I have looked back a week or so before I installed the latest MailScanner
and things were working fine then.

MS 4.61.7-2
Postfix 2:2.2.10-1.1.el4

What else do the wise ones need to know!?

Thanks

From martinh at solidstatelogic.com Wed Jul 11 13:00:39 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Jul 11 13:00:47 2007
Subject: 4.61.7-2 - Attachments get zipped = message body disappears
In-Reply-To: <00f001c7c3b2$762db350$3c65a8c0@support01>
Message-ID: <05989f4a7929a3409c60502a246b5e75@solidstatelogic.com>

This is a side effect for users where the email message is actually an
attachment and not in the normal message body....I've had fun with this
as well..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Nigel Kendrick
> Sent: 11 July 2007 12:56
> To: MailScanner discussion
> Subject: 4.61.7-2 - Attachments get zipped = message body disappears
>
> Hi,
>
> It's been pointed out to me by an employee that if mail attachments get
> munged into 'attachments.zip' the message body text disappears.
>
> I have tried this and it's happened to me too. I have just reinstalled
> 4.61.7-2 and there's no change so I have had to turn off the feature.
>
> I have looked back a week or so before I installed the latest MailScanner
> and things were working fine then.
>
> MS 4.61.7-2
> Postfix 2:2.2.10-1.1.el4
>
> What else do the wise ones need to know!?
>
> Thanks
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From list-mailscanner at linguaphone.com Wed Jul 11 13:04:55 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Wed Jul 11 13:05:04 2007
Subject: ClamAV 0.91 is out
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk>
References: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk>
Message-ID: <1184155495.743.10.camel@gblades-suse.linguaphone-intranet.co.uk>

On Wed, 2007-07-11 at 12:54, Randal, Phil wrote:
> Project: Clam AntiVirus (clamav)
> Package: clamav
> Date : 2007-07-11 12:59
>
> Project "Clam AntiVirus" ('clamav') has released the new version of
> package
> 'clamav'. You can download it from SourceForge.net by following this
> link:
> =522414>
> or browse Release Notes and ChangeLog by visiting this link:
>
>
> Cheers,
>
> Phil

Do you know if an update to clamavmodule is required?

From sa at streaming-networks.com Wed Jul 11 13:04:15 2007
From: sa at streaming-networks.com (sa@streaming-networks.com)
Date: Wed Jul 11 13:05:18 2007
Subject: ruleset=check_mail ... Not Allowed
References: <127101c7c3a2$60a91340$5505a8c0@stream.net>
Message-ID: <133d01c7c3b3$99df77b0$5505a8c0@stream.net>

thanks got it.

is /etc/mail/access maintained by some group or it's managed by the
individual SAs themselves?

Regards,

Umar

----- Original Message -----
From: "Res"
To: "MailScanner discussion"
Sent: Wednesday, July 11, 2007 3:47 PM
Subject: Re: ruleset=check_mail ... Not Allowed

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> NotDashEscaped: You need GnuPG to verify this message
>
> Yeah, it's sendmail reject list. nothing to do with mailscanner
>
> check your /etc/mail/access
>
> On Wed, 11 Jul 2007, sa@streaming-networks.com wrote:
>
> >
> > Hi,
> >
> > I am not getting emails delivered from anyone@sympatico.ca
> >
> > Following are my maillogs:
> >
> > Jul 11 05:07:02 mymailserver sendmail[17276]: l6B06xLD017276: ruleset=check_mail, arg1=, relay=xyz.domain.com [IP Address], reject=550 5.0.0 ... Not Allowed
> > Jul 11 05:07:03 mymailserver sendmail[17276]: l6B06xLD017276: from=, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=xyz.domain.com [IP Address]
> >
> > No entries for sympatico.ca in my Mailscanner (and its relevant) config files.
> >
> > Any clue?
> >
> > Regards,
> >
> > Umar Murtaza
>
> --
> Cheers
> Res
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
>
> iD8DBQFGlLUusWhAmSIQh7MRAj92AJ0ciO07eT8f7DfsE3+aPyEOTaJWEQCfR6h3
> T7eW1kCs/NUvhZc3d8XufIc=
> =dLli
> -----END PGP SIGNATURE-----

From support-lists at petdoctors.co.uk Wed Jul 11 13:08:38 2007
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Wed Jul 11 13:09:55 2007
Subject: 4.61.7-2 - Attachments get zipped = message body disappears
In-Reply-To: <05989f4a7929a3409c60502a246b5e75@solidstatelogic.com>
Message-ID: <011f01c7c3b4$3709fec0$3c65a8c0@support01>

>
>Subject: RE: 4.61.7-2 - Attachments get zipped = message body disappears
>
>
>This is a side effect for users where the email message is actually an
>attachment and not in the normal message body....I've had fun with this
>as well..

I upgraded 3 mail servers at the same time last week and I have just sent
another test message with attachment to my Googlemail account via a
different server and this message has made it in one piece.

What's the best way to approach this!?

Ta

From shuttlebox at gmail.com Wed Jul 11 13:29:09 2007
From: shuttlebox at gmail.com (shuttlebox)
Date: Wed Jul 11 13:29:13 2007
Subject: Quarantine from Custom Spam Scanner
In-Reply-To: <1638CDD827D51E4D8E9B2741290E1C9101001143@wkits02.knowledgeit.co.uk>
References: <1638CDD827D51E4D8E9B2741290E1C9101001143@wkits02.knowledgeit.co.uk>
Message-ID: <625385e30707110529w5026db3do3a870add38126123@mail.gmail.com>

On 7/11/07, Chris Russell wrote:
> Julian, et al
>
> Is there any easy way to force (via a customer spam scanner) a message to be quarantined?
>
> We have a few instances where we require the message to be quarantined regardless of the status, and whilst I can think of a few ways to do this, most mean modifying the mailscanner code.
>
> Is there any way to do this without the above being necessary (ie: maybe a force quarantine flag ?)

Can't you use a ruleset for Non Spam, Spam and High Scoring Spam
Actions? Mail to/from certain addresses gets a store.

--
/peter

From prandal at herefordshire.gov.uk Wed Jul 11 13:22:33 2007
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Jul 11 13:32:15 2007
Subject: ClamAV 0.91 is out
In-Reply-To: <1184155495.743.10.camel@gblades-suse.linguaphone-intranet.co.uk>
References: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk> <1184155495.743.10.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0118F5E8@HC-MBX02.herefordshire.gov.uk>

It works here fine with ClamAVModule 0.20.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Gareth
> Sent: 11 July 2007 13:05
> To: MailScanner discussion
> Subject: Re: ClamAV 0.91 is out
>
> On Wed, 2007-07-11 at 12:54, Randal, Phil wrote:
> > Project: Clam AntiVirus (clamav)
> > Package: clamav
> > Date : 2007-07-11 12:59
> >
> > Project "Clam AntiVirus" ('clamav') has released the new version of
> > package
> > 'clamav'. You can download it from SourceForge.net by following this
> > link:
> >
> release_id
> > =522414>
> > or browse Release Notes and ChangeLog by visiting this link:
> >
> >
> > Cheers,
> >
> > Phil
>
> Do you know if an update to clamavmodule is required?
>

From Phil.Udel at SalemCorp.com Wed Jul 11 13:41:44 2007
From: Phil.Udel at SalemCorp.com (Phil Udel)
Date: Wed Jul 11 13:41:52 2007
Subject: Help with ClamAVMod
In-Reply-To:
References: <064f01c7c342$a0f4e3d0$6102a8c0@salemcorp.com>
Message-ID: <070601c7c3b8$d6781060$6102a8c0@salemcorp.com>

That has been the problem. Nothing in the Mailscanner log and freshclam log
is empty.

I do get this message:

Jul 11 12:24:29 pinkie MailScanner[10879]: Message Content Protection SpamAssass in timed out and was killed, consecutive failure 1 of 20

I don't get them if I take clamavmodule out of the MS Config and just use
mcafee

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ugo Bellavance
Sent: Tuesday, July 10, 2007 10:53 PM
To: mailscanner@lists.mailscanner.info
Subject: Re: Help with ClamAVMod

Phil Udel wrote:
> I just upgraded to MS 4.61.7.2 today on a Centos 4.x system I am
> having problems with CLamAVmod working.
> When ever I add clamavmodule to the Virus Scanners List MS stops
> possessing Email and finally Fails after three min or so.
>

Please let us see some log entries.

Regards.

Ugo

From rcooper at dwford.com Wed Jul 11 13:55:08 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Wed Jul 11 13:55:13 2007
Subject: ClamAV 0.91 is out
In-Reply-To: <1184155495.743.10.camel@gblades-suse.linguaphone-intranet.co.uk>
References: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk> <1184155495.743.10.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID: <019901c7c3ba$b6212f70$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Gareth
> Sent: Wednesday, July 11, 2007 10:05 PM
> To: MailScanner discussion
> Subject: Re: ClamAV 0.91 is out
>
> On Wed, 2007-07-11 at 12:54, Randal, Phil wrote:
> > Project: Clam AntiVirus (clamav)
> > Package: clamav
> > Date : 2007-07-11 12:59
> >
> > Project "Clam AntiVirus" ('clamav') has released the new version of
> > package
> > 'clamav'. You can download it from SourceForge.net by
> following this
> > link:
[...]
> Do you know if an update to clamavmodule is required?
>

I didn't see any changes to the libclamav API so there shouldn't be any. The
only time clamavmodule gets hosed is when they change the library API

Rick

From ka at pacific.net Wed Jul 11 14:21:40 2007
From: ka at pacific.net (Ken A)
Date: Wed Jul 11 14:21:43 2007
Subject: 4.61.7-2 - Attachments get zipped = message body disappears
In-Reply-To: <011f01c7c3b4$3709fec0$3c65a8c0@support01>
References: <011f01c7c3b4$3709fec0$3c65a8c0@support01>
Message-ID: <4694D964.2000408@pacific.net>

Nigel Kendrick wrote:
>> Subject: RE: 4.61.7-2 - Attachments get zipped = message body disappears
>>
>>
>> This is a side effect for users where the email message is actually an
>> attachment and not in the normal message body....I've had fun with this
>> as well..
>
>
> I upgraded 3 mail servers at the same time last week and I have just sent
> another test message with attachment to my Googlemail account via a
> different server and this message has made it in one piece.
>
> What's the best way to approach this!?
>
> Ta
>

Seems like it would be nice to be able to specify which type of
attachments to zip.. (doc|xls|pdf|tiff).. etc.

Ken

--
Ken Anderson
Pacific.Net

From martinh at solidstatelogic.com Wed Jul 11 14:36:41 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Jul 11 14:36:51 2007
Subject: 4.61.7-2 - Attachments get zipped = message body disappears
In-Reply-To: <4694D964.2000408@pacific.net>
Message-ID: <3f87b39933559b4ea540bd6e84ecf2c2@solidstatelogic.com>

Ken

Trouble is some MUA's put html based messages as attachments....or can
do if they are configured that way..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A
> Sent: 11 July 2007 14:22
> To: MailScanner discussion
> Subject: Re: 4.61.7-2 - Attachments get zipped = message body disappears
>
> Nigel Kendrick wrote:
> >> Subject: RE: 4.61.7-2 - Attachments get zipped = message body disappears
> >>
> >>
> >> This is a side effect for users where the email message is actually an
> >> attachment and not in the normal message body....I've had fun with this
> >> as well..
> >
> >
> > I upgraded 3 mail servers at the same time last week and I have just sent
> > another test message with attachment to my Googlemail account via a
> > different server and this message has made it in one piece.
> >
> > What's the best way to approach this!?
> >
> > Ta
> >
> Seems like it would be nice to be able to specify which type of
> attachments to zip.. (doc|xls|pdf|tiff).. etc.
> Ken
>
> --
> Ken Anderson
> Pacific.Net

From Chris.Russell at knowledgeit.co.uk Wed Jul 11 14:37:29 2007
From: Chris.Russell at knowledgeit.co.uk (Chris Russell)
Date: Wed Jul 11 14:37:36 2007
Subject: Quarantine from Custom Spam Scanner
In-Reply-To: <625385e30707110529w5026db3do3a870add38126123@mail.gmail.com>
References: <1638CDD827D51E4D8E9B2741290E1C9101001143@wkits02.knowledgeit.co.uk> <625385e30707110529w5026db3do3a870add38126123@mail.gmail.com>
Message-ID: <1638CDD827D51E4D8E9B2741290E1C910100119D@wkits02.knowledgeit.co.uk>

> Is there any way to do this without the above being necessary (ie:
> maybe a force quarantine flag ?)

> Can't you use a ruleset for Non Spam, Spam and High Scoring Spam Actions? Mail to/from certain addresses gets a store.

Hi Peter,

Not really, as quarantine needs to be on anything from subject lines to
file types.

Thanks

Chris

From Denis.Beauchemin at USherbrooke.ca Wed Jul 11 14:41:47 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Jul 11 14:42:14 2007
Subject: Lost the X-Spam-Score-Header along the way
In-Reply-To:
References:
Message-ID: <4694DE1B.1050301@USherbrooke.ca>

Henke wrote:
>
> I *somehow* lost the X-Spam-Score-Header on one of my mail servers.
> Starting with 4.61.7, I noticed that neither the detailed SpamAssassin
> report nor the Spam-Score header was added.
> So I upgraded to 4.62.2 and the detailed report is added again,
> however still no X-Spam-Score-Header.
> Is there any way to find out why it's not added ?
>
> The MailScanner.conf contains
>
> SpamScore Number Instead Of Stars = no
> Spam Score Character = s
> Spam Score = yes
> Spam Score Number Format = %d
>
> and it's still working on another box with 4.61.7 with an *almost*
> identical config.
>
> Regards,
>
> Steffan
>

Steffan,

You're also supposed to have:

# Add this extra header if "Spam Score" = yes. The header will
# contain 1 character for every point of the SpamAssassin score.
Spam Score Header = X-%org-name%-MailScanner-SpamScore:

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From MailScanner at ecs.soton.ac.uk Wed Jul 11 14:48:41 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 11 14:54:52 2007
Subject: Issues trying to get freshclam working
In-Reply-To:
References: <46941826.6000807@rheel.co.nz>
Message-ID: <4694DFB9.2000504@ecs.soton.ac.uk>

René Berber wrote:
> Kathryn Allan wrote:
>
>> I have just done a make install of clamav using ./configuration --prefix=
>> so that it puts config file in /etc/clamd.conf for example.
>>
>
> Wrong procedure.
>
> If you want clamd.conf in /etc use --sysconfdir=/etc .
>
>> That all went smoothly but when I try and run freshclam i get the
>> following error
>> -bash: /usr/local/bin/freshclam: No such file or directory
>>
>> Where do I change where it looks for freshclam?
>>
>
> Have you tried `which freshclam`? If you want to change the location used by
> MailScanner, then you'll have to change lib/clamav-autoupdate, but that's not
> the recommended procedure, better uninstall your clamav and re-install with the
> --sysconfigdir option (no --prefix).
>

You shouldn't need to edit any autoupdate or wrapper script. They get
their information from /etc/MailScanner/virus.scanners.conf file, that's
the one you should edit. Any edits to autoupdate or wrapper scripts will
get overwritten by your next MailScanner upgrade. Changes to
virus.scanners.conf will be preserved.

> It's probably under /bin (thanks to your wrong use of the --prefix parameter),
> even if /bin did not exist before.
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
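
Added example, not part of the original thread and not MailScanner's own code: a shell check for the two points made in the replies above, that the clam* lines in virus.scanners.conf should all end in the same installation directory and that freshclam is expected under that directory's bin/. It assumes whitespace-separated fields with the installation directory as the last word; the ROOT argument, the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not MailScanner code): sanity-check the ClamAV lines of
# virus.scanners.conf. Assumed format: whitespace-separated fields, scanner
# name first, installation directory as the last word, '#' starts a comment.

# Print "name prefix" for every scanner whose name starts with "clam".
clam_entries() {
    awk '{ sub(/#.*/, "") }
         NF >= 2 && $1 ~ /^clam/ { print $1, $NF }' "$1"
}

# check_clam_prefix CONF [ROOT]
# ROOT is a hypothetical test hook: a directory prepended to every path so the
# check can run against a scratch tree instead of the live system.
# Prints the agreed prefix. Returns 0 ok, 1 no clam* entries,
# 2 entries disagree, 3 no executable freshclam under PREFIX/bin.
check_clam_prefix() {
    ccp_conf=$1
    ccp_root=${2:-}
    ccp_entries=$(clam_entries "$ccp_conf")
    if [ -z "$ccp_entries" ]; then
        echo "no clam* entries in $ccp_conf" >&2
        return 1
    fi
    ccp_prefixes=$(printf '%s\n' "$ccp_entries" | awk '{ print $2 }' | sort -u)
    ccp_count=$(printf '%s\n' "$ccp_prefixes" | awk 'END { print NR }')
    if [ "$ccp_count" -ne 1 ]; then
        echo "clam* entries disagree on the installation directory:" >&2
        printf '%s\n' "$ccp_entries" | sed 's/^/  /' >&2
        return 2
    fi
    if [ ! -x "$ccp_root$ccp_prefixes/bin/freshclam" ]; then
        echo "no executable freshclam at $ccp_prefixes/bin/freshclam" >&2
        return 3
    fi
    printf '%s\n' "$ccp_prefixes"
}

# stale_freshclam PREFIX [ROOT]
# List freshclam copies under /usr and /usr/local that are NOT in the
# configured prefix, i.e. leftovers from an earlier install that could be
# run by mistake with an outdated configuration.
stale_freshclam() {
    sf_want=$1
    sf_root=${2:-}
    for sf_p in /usr /usr/local; do
        if [ "$sf_p" != "$sf_want" ] && [ -e "$sf_root$sf_p/bin/freshclam" ]; then
            echo "$sf_p/bin/freshclam"
        fi
    done
    return 0
}

# Build a constructed sample under a scratch directory: a config whose three
# clam* lines agree on /usr/local, the matching freshclam, and one leftover
# copy in /usr/bin. Wrapper paths are sample values only.
make_sample() {
    mkdir -p "$1/usr/local/bin" "$1/usr/bin"
    : > "$1/usr/local/bin/freshclam"
    : > "$1/usr/bin/freshclam"
    chmod +x "$1/usr/local/bin/freshclam" "$1/usr/bin/freshclam"
    cat > "$1/virus.scanners.conf" <<'EOF'
# constructed sample, not a real site's file
mcafee        /usr/lib/MailScanner/mcafee-wrapper   /usr/local/uvscan
clamav        /usr/lib/MailScanner/clamav-wrapper   /usr/local
clamavmodule  /bin/false                            /usr/local
clamd         /bin/false                            /usr/local  # same last word
EOF
}

# Demo on the constructed sample.
demo_root=$(mktemp -d)
make_sample "$demo_root"
echo "prefix:   $(check_clam_prefix "$demo_root/virus.scanners.conf" "$demo_root")"
echo "leftover: $(stale_freshclam /usr/local "$demo_root")"
rm -rf "$demo_root"
```

On a live system, call `check_clam_prefix /etc/MailScanner/virus.scanners.conf` with no ROOT argument.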

From MailScanner at ecs.soton.ac.uk Wed Jul 11 14:50:46 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 11 14:56:18 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To:
References: <469266D4.7060405@ecs.soton.ac.uk>
Message-ID: <4694E036.7020907@ecs.soton.ac.uk>

Koopmann, Jan-Peter wrote:
>> Make sure that /etc/MailScanner/virus.scanners.conf points to the right
>> installation (i.e. /usr or /usr/local). Then it will call
>> /usr/bin/freshclam for you.
>>
>
> So if freshclam is located in /usr/local/bin/freshclam I need to put
> /usr/local in virus.scanners.conf?
>

Correct.

> What is the advantage over using the freshclam daemon?
>

There isn't a freshclam daemon. My clamav-autoupdate scripts call the
freshclam program to do the actual work anyway.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From MailScanner at ecs.soton.ac.uk Wed Jul 11 14:53:49 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 11 14:57:55 2007
Subject: Quarantine from Custom Spam Scanner
In-Reply-To: <1638CDD827D51E4D8E9B2741290E1C9101001143@wkits02.knowledgeit.co.uk>
References: <1638CDD827D51E4D8E9B2741290E1C9101001143@wkits02.knowledgeit.co.uk>
Message-ID: <4694E0ED.2000102@ecs.soton.ac.uk>

I would advise you use a ruleset or a Custom Function on the "Archive
Mail =" setting in MailScanner.conf.

Chris Russell wrote:
> Julian, et al
>
> Is there any easy way to force (via a customer spam scanner) a
> message to be quarantined?
>
> We have a few instances where we require the message to be quarantined
> regardless of the status, and whilst I can think of a few ways to do
> this, most mean modifying the mailscanner code.
>
> Is there any way to do this without the above being necessary (ie:
> maybe a force quarantine flag ?)
>
> Thanks
>
> Chris
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From ka at pacific.net Wed Jul 11 14:59:55 2007
From: ka at pacific.net (Ken A)
Date: Wed Jul 11 14:59:59 2007
Subject: 4.61.7-2 - Attachments get zipped = message body disappears
In-Reply-To: <3f87b39933559b4ea540bd6e84ecf2c2@solidstatelogic.com>
References: <3f87b39933559b4ea540bd6e84ecf2c2@solidstatelogic.com>
Message-ID: <4694E25B.4030408@pacific.net>

Martin.Hepworth wrote:
> Ken
>
> Trouble is some MUA's put html based messages as attachments....or can
> do if they are configured that way..

I might be missing something, but if MailScanner only zips where
filename or filetype matches a list, then this wouldn't be a problem.
It could also ! match .htm? or winmail.dat or whatever that evil
attachment name is.

Ken

>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A
>> Sent: 11 July 2007 14:22
>> To: MailScanner discussion
>> Subject: Re: 4.61.7-2 - Attachments get zipped = message body disappears
>>
>> Nigel Kendrick wrote:
>>>> Subject: RE: 4.61.7-2 - Attachments get zipped = message body disappears
>>>>
>>>> This is a side effect for users where the email message is actually an
>>>> attachment and not in the normal message body....I've had fun with this
>>>> as well..
>>>
>>> I upgraded 3 mail servers at the same time last week and I have just sent
>>> another test message with attachment to my Googlemail account via a
>>> different server and this message has made it in one piece.
>>>
>>> What's the best way to approach this!?
>>>
>>> Ta
>>>
>> Seems like it would be nice to be able to specify which type of
>> attachments to zip.. (doc|xls|pdf|tiff).. etc.
>> Ken
>>
>> --
>> Ken Anderson
>> Pacific.Net
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>
>
>
>
> **********************************************************************
> Confidentiality : This e-mail and any attachments are intended for the
> addressee only and may be confidential. If they come to you in error
> you must take no action based on them, nor must you copy or show them
> to anyone. Please advise the sender by replying to this e-mail
> immediately and then delete the original from your computer.
> Opinion : Any opinions expressed in this e-mail are entirely those of
> the author and unless specifically stated to the contrary, are not
> necessarily those of the author's employer.
> Security Warning : Internet e-mail is not necessarily a secure
> communications medium and can be subject to data corruption. We advise
> that you consider this fact when e-mailing us.
> Viruses : We have taken steps to ensure that this e-mail and any
> attachments are free from known viruses but in keeping with good
> computing practice, you should ensure that they are virus free.
>
> Red Lion 49 Ltd T/A Solid State Logic
> Registered as a limited company in England and Wales
> (Company No:5362730)
> Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
> United Kingdom
> **********************************************************************
>

--
Ken Anderson
Pacific.Net

From Chris.Russell at knowledgeit.co.uk Wed Jul 11 15:01:25 2007
From: Chris.Russell at knowledgeit.co.uk (Chris Russell)
Date: Wed Jul 11 15:01:33 2007
Subject: Quarantine from Custom Spam Scanner
In-Reply-To: <4694E0ED.2000102@ecs.soton.ac.uk>
References: <1638CDD827D51E4D8E9B2741290E1C9101001143@wkits02.knowledgeit.co.uk> <4694E0ED.2000102@ecs.soton.ac.uk>
Message-ID: <1638CDD827D51E4D8E9B2741290E1C91010011AD@wkits02.knowledgeit.co.uk>

> I would advise you use a ruleset or a Custom Function on the "Archive
> Mail =" setting in MailScanner.conf.

Mwahaha, I knew you would have something ...

Thanks Jules.. :)

The contents of this e-mail may be privileged and are confidential.
It may not be disclosed to or used by anyone other than the
addressee(s), nor copied in any way. Any views or opinions presented
are solely those of the author and do not necessarily represent those
of Knowledge Limited.

If received in error, please advise the sender, then delete it from
your system.

From MailScanner at ecs.soton.ac.uk Wed Jul 11 15:03:18 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 11 15:08:11 2007
Subject: ClamAV 0.91 is out
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk>
References: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk>
Message-ID: <4694E326.5070908@ecs.soton.ac.uk>

I have just released an updated version of my ClamAV+SpamAssassin
package including this new release.

Randal, Phil wrote:
> Project: Clam AntiVirus (clamav)
> Package: clamav
> Date : 2007-07-11 12:59
>
> Project "Clam AntiVirus" ('clamav') has released the new version of
> package
> 'clamav'. You can download it from SourceForge.net by following this
> link:
> =522414>
> or browse Release Notes and ChangeLog by visiting this link:
>
>
> Cheers,
>
> Phil
>
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Wed Jul 11 15:07:12 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 11 15:10:59 2007
Subject: 4.61.7-2 - Attachments get zipped = message body disappears
In-Reply-To: <4694E25B.4030408@pacific.net>
References: <3f87b39933559b4ea540bd6e84ecf2c2@solidstatelogic.com> <4694E25B.4030408@pacific.net>
Message-ID: <4694E410.90406@ecs.soton.ac.uk>

Ken A wrote:
> Martin.Hepworth wrote:
>> Ken
>>
>> Trouble is some MUA's put html based messages as attachments....or can
>> do if they are configured that way..
>
> I might be missing something, but if MailScanner only zips where
> filename or filetype matches a list, then this wouldn't be a problem.
> It could also ! match .htm? or winmail.dat or whatever that evil
> attachment name is.
> Ken

Can someone send me a message including this problem please!
Easiest way to get it to me might be to make the message sendmail queue
files into a zip and put that on a website somewhere, and email me the
URL. Then I can take a look at trying to come up with a workaround.

Many thanks,
Jules.

>
>
>>
>> --
>> Martin Hepworth
>> Snr Systems Administrator
>> Solid State Logic
>> Tel: +44 (0)1865 842300
>>
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info
>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A
>>> Sent: 11 July 2007 14:22
>>> To: MailScanner discussion
>>> Subject: Re: 4.61.7-2 - Attachments get zipped = message body disappears
>>>
>>> Nigel Kendrick wrote:
>>>>> Subject: RE: 4.61.7-2 - Attachments get zipped = message body disappears
>>>>>
>>>>> This is a side effect for users where the email message is actually an
>>>>> attachment and not in the normal message body....I've had fun with this
>>>>> as well..
>>>>
>>>> I upgraded 3 mail servers at the same time last week and I have just sent
>>>> another test message with attachment to my Googlemail account via a
>>>> different server and this message has made it in one piece.
>>>>
>>>> What's the best way to approach this!?
>>>>
>>>> Ta
>>>>
>>> Seems like it would be nice to be able to specify which type of
>>> attachments to zip.. (doc|xls|pdf|tiff).. etc.
>>> Ken
>>>
>>> --
>>> Ken Anderson
>>> Pacific.Net
>>> --
>>> MailScanner mailing list
>>> mailscanner@lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>
>>
>>
>>
>> **********************************************************************
>> Confidentiality : This e-mail and any attachments are intended for
>> the addressee only and may be confidential. If they come to you in
>> error you must take no action based on them, nor must you copy or
>> show them to anyone. Please advise the sender by replying to this
>> e-mail immediately and then delete the original from your computer.
>> Opinion : Any opinions expressed in this e-mail are entirely those of
>> the author and unless specifically stated to the contrary, are not
>> necessarily those of the author's employer.
>> Security Warning : Internet e-mail is not necessarily a secure
>> communications medium and can be subject to data corruption. We
>> advise that you consider this fact when e-mailing us. Viruses : We
>> have taken steps to ensure that this e-mail and any attachments are
>> free from known viruses but in keeping with good computing practice,
>> you should ensure that they are virus free.
>>
>> Red Lion 49 Ltd T/A Solid State Logic
>> Registered as a limited company in England and Wales (Company
>> No:5362730)
>> Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
>> United Kingdom
>> **********************************************************************
>>
>
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From root at doctor.nl2k.ab.ca Wed Jul 11 15:11:53 2007
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Wed Jul 11 15:13:01 2007
Subject: Spam getting through [dr.defrimkerqagu@yahoo.com: {Spam?} SOS Kosovo]
Message-ID: <20070711141152.GA29353@doctor.nl2k.ab.ca>

Please note the below is an example of a spam that an outgoing
mailserver should have caught.

----- Forwarded message from "Dr.Defrim Kerqagu" -----

Return-Path: doctor@doctor.nl2k.ab.ca
Received: from doctor.nl2k.ab.ca by doctor.nl2k.ab.ca (8.14.1/8.14.1) with ESMTP id l6BE8ROs029083 for ; Wed, 11 Jul 2007 08:08:32 -0600 (MDT)
Received: (from doctor@localhost) by doctor.nl2k.ab.ca (8.14.1/8.14.1/Submit) id l6BE8RNM029081 for root@doctor.nl2k.ab.ca; Wed, 11 Jul 2007 08:08:27 -0600 (MDT)
Resent-From: doctor@doctor.nl2k.ab.ca
Resent-Date: Wed, 11 Jul 2007 08:08:26 -0600
Resent-Message-ID: <20070711140826.GA28749@doctor.nl2k.ab.ca>
Resent-To: "Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem"
Received: from hc-a02.pointdnshere.com by doctor.nl2k.ab.ca (8.14.1/8.14.1) with ESMTP id l6BDYPWq016086 for ; Wed, 11 Jul 2007 07:34:40 -0600 (MDT)
X-Spam-Filter: check_local@doctor.nl2k.ab.ca by digitalanswers.org
Received: from apache by hc-a02.pointdnshere.com with local (Exim 4.60) (envelope-from ) id 1I8cKW-0007YM-Ju for doctor@doctor.nl2k.ab.ca; Wed, 11 Jul 2007 21:34:08 +0800
To: doctor@doctor.nl2k.ab.ca
Subject: {Spam?} SOS Kosovo
From: "Dr.Defrim Kerqagu"
Reply-To: dr.defrimkerqagu@yahoo.com
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
Message-Id:
Date: Wed, 11 Jul 2007 21:34:08 +0800
X-pointdnshere_com-MailScanner-Information: Please contact the ISP for more information
X-pointdnshere_com-MailScanner: Found to be clean
X-pointdnshere_com-MailScanner-SpamCheck: not spam, SpamAssassin (cached, score=-0.751, required 6, ADVANCE_FEE_1 0.00, BAYES_00 -2.60, FORGED_YAHOO_RCVD 1.85, NO_RELAYS -0.00)
X-pointdnshere_com-MailScanner-From: sosir@sosir.ws
X-Spam-Status: No, Yes, No
X-Null-Tag: 78f059339423ddb8617c6e2b1edbc36f
X-Null-Tag: cadd312ec8139d5a47a58596df0834de
X-NetKnow-InComing-4.61.7-1-MailScanner: Found to be clean, Found to be clean
X-NetKnow-InComing-4.61.7-1-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=45.076, required 1, FORGED_YAHOO_RCVD 45.00, NO_RELAYS -0.00, TW_QA 0.08)
X-NetKnow-InComing-4.61.7-1-MailScanner-SpamScore: sssssssssssssssssssssssssssssssssssssssssssss
X-NetKnow-InComing-4.61.7-1-MailScanner-Information: Please contact the ISP for more information
X-NetKnow-InComing-4.61.7-1-MailScanner-From: doctor@doctor.nl2k.ab.ca

Dear Lady/Sir,

My name is Dr. Defrim Kerqagu and I am from Rahovec/Kosovo. I am writing
this E-mail to you for your possible assistance in helping two young
children from my town (my patients) that suffer from Congenital Heart
Disease. Your assistance is required and appreciated to take them for
surgery abroad as such a possibility does not exist in Kosovo. Your
assistance can be from 1 Euro to as much as your heart can give for a
heart.

PS: Please disseminate this e-mail to as many friends as you have so
that they could help too, these children are in need of your help.

Dr. Defrim Kerqagu
Rahovec
Kosovo
Tel: +377 (0) 44 363 220
dr.defrimkerqagu@yahoo.com

Bank Account details:
Pro Credit Bank Kosovo
Account number: 1140127589000186
Swift Code: MBKORS22
Rahovec
Kosovo

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

----- End forwarded message -----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From henker at evendi.de Wed Jul 11 15:15:41 2007
From: henker at evendi.de (Henke)
Date: Wed Jul 11 15:15:44 2007
Subject: Lost the X-Spam-Score-Header along the way
In-Reply-To: <4694DE1B.1050301@USherbrooke.ca>
References: <4694DE1B.1050301@USherbrooke.ca>
Message-ID:

On Wed, 11 Jul 2007, Denis Beauchemin wrote:
> You're also supposed to have:
> # Add this extra header if "Spam Score" = yes. The header will
> # contain 1 character for every point of the SpamAssassin score.
> Spam Score Header = X-%org-name%-MailScanner-SpamScore:

Denis, thank you for your reply - but I still have

Spam Score Header = X-MailScanner-SpamScore:

in my MailScanner.conf, sorry I didn't post that. It *used* to work that
way for ages, so I'm not sure what caused it to stop...

Regards,
Steffan

From jan-peter at koopmann.eu Wed Jul 11 15:32:53 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Wed Jul 11 15:32:13 2007
Subject: switching from clamavmodule -> clamd... source?
In-Reply-To:
References: <469266D4.7060405@ecs.soton.ac.uk>
Message-ID:

> There isn't a freshclam daemon. My clamav-autoupdate scripts call the
> freshclam program to do the actual work anyway.

At least on FreeBSD you can run freshclam in daemon mode:

-d, --daemon
    Run in a daemon mode. This option requires --checks.

-p FILE, --pid=FILE
    Write daemon's pid to FILE.

From FStein at thehill.org Wed Jul 11 15:45:28 2007
From: FStein at thehill.org (Stein, Mr. Fred)
Date: Wed Jul 11 15:48:13 2007
Subject: ClamAV 0.91 is out
In-Reply-To: <4694E326.5070908@ecs.soton.ac.uk>
References: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk> <4694E326.5070908@ecs.soton.ac.uk>
Message-ID:

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Wednesday, July 11, 2007 10:03 AM
To: MailScanner discussion
Subject: Re: ClamAV 0.91 is out

I have just released an updated version of my ClamAV+SpamAssassin
package including this new release.

Randal, Phil wrote:
> Project: Clam AntiVirus (clamav)
> Package: clamav
> Date : 2007-07-11 12:59
>
> Project "Clam AntiVirus" ('clamav') has released the new version of
> package
> 'clamav'. You can download it from SourceForge.net by following this
> link:
> =522414>
> or browse Release Notes and ChangeLog by visiting this link:
>
>
> Cheers,
>
> Phil
>
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

Jules

The link appears not to work.

Fred

Fred Stein
Network Administrator
The Hill School
717 E. High Street
Pottstown, PA 19464
fstein@thehill.org
www.thehill.org

From ssilva at sgvwater.com Wed Jul 11 15:59:48 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Jul 11 16:00:03 2007
Subject: Help with ClamAVMod
In-Reply-To: <070601c7c3b8$d6781060$6102a8c0@salemcorp.com>
References: <064f01c7c342$a0f4e3d0$6102a8c0@salemcorp.com> <070601c7c3b8$d6781060$6102a8c0@salemcorp.com>
Message-ID:

Phil Udel spake the following on 7/11/2007 5:41 AM:
> That has been the problem. Nothing in the Mailscanner log and freshclam log
> is empty.
>
> I do get this message:
> Jul 11 12:24:29 pinkie MailScanner[10879]: Message Content Protection
> SpamAssass in timed out and was killed, consecutive failure 1 of 20
>
> I don't get them if I take clamavmodule out of the MS Config and just use
> mcafee
>

I had this recently when clam 0.90 came out. I had to stop everything and
re-install clam and clamavmodule before it started working.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mikael at syska.dk Wed Jul 11 16:00:25 2007
From: mikael at syska.dk (Mikael Syska)
Date: Wed Jul 11 16:00:33 2007
Subject: ClamAV 0.91 is out
In-Reply-To:
References: <7EF0EE5CB3B263488C8C18823239BEBA0118F5DA@HC-MBX02.herefordshire.gov.uk> <4694E326.5070908@ecs.soton.ac.uk>
Message-ID: <4694F089.2040103@syska.dk>

Hi,

Stein, Mr. Fred wrote:
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian
> Field
> Sent: Wednesday, July 11, 2007 10:03 AM
> To: MailScanner discussion
> Subject: Re: ClamAV 0.91 is out
>
> I have just released an updated version of my ClamAV+SpamAssassin
> package including this new release.
>
> Randal, Phil wrote:
>
>> Project: Clam AntiVirus (clamav)
>> Package: clamav
>> Date : 2007-07-11 12:59
>>
>> Project "Clam AntiVirus" ('clamav') has released the new version of
>> package
>> 'clamav'. You can download it from SourceForge.net by following this
>> link:
>>
>>
>
>> =522414>
>> or browse Release Notes and ChangeLog by visiting this link:
>>
>>
>> Cheers,
>>
>> Phil
>>
>> --
>> Phil Randal
>> Network Engineer
>> Herefordshire Council
>> Hereford, UK
>>
>>
>
> Jules

Think you forgot the text to the message or ?

I can't see anything other than jules previously message ... nothing
changed.

// ouT

From support-lists at petdoctors.co.uk Wed Jul 11 16:16:04 2007
From: support-lists at petdoctors.co.uk (Nigel Kendrick)
Date: Wed Jul 11 16:17:21 2007
Subject: Ouch!
Message-ID: <014d01c7c3ce$65ce0bb0$3c65a8c0@support01>

Don't think I'll risk it...

"

By ordering Penis Enlarge Patch, maximize your gains with our most Explosive
Package!

"

Ouch!

From neilw at dcdata.co.za Wed Jul 11 16:21:49 2007
From: neilw at dcdata.co.za (Neil Wilson)
Date: Wed Jul 11 16:22:07 2007
Subject: Ouch!
In-Reply-To: <014d01c7c3ce$65ce0bb0$3c65a8c0@support01>
References: <014d01c7c3ce$65ce0bb0$3c65a8c0@support01>
Message-ID: <4694F58D.3010203@dcdata.co.za>

Hahaah!!

Nigel Kendrick wrote:
> Don't think I'll risk it...
>
> "
>
> By ordering Penis Enlarge Patch, maximize your gains with our most Explosive
> Package!
>
> "
>
> Ouch!
>
>

--
This email and all contents are subject to the following disclaimer:
http://www.dcdata.co.za/emaildisclaimer.html

From jase at sensis.com Wed Jul 11 16:22:06 2007
From: jase at sensis.com (Desai, Jason)
Date: Wed Jul 11 16:23:04 2007
Subject: ClamAV 0.91 is out
In-Reply-To: <4694E326.5070908@ecs.soton.ac.uk>
Message-ID: <1951DC816E1A9F469307B05FA183F4389DC79A@corpatsmail1.corp.sensis.com>

I'm getting a 404 error trying to download it. Is everything ok on the
web site?

Not Found
The requested URL /files/4/install-Clam-0.91-SA-3.2.1.tar.gz was not
found on this server.

Additionally, a 404 Not Found error was encountered while trying to use
an ErrorDocument to handle the request.

Jase

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Julian Field
> Sent: Wednesday, July 11, 2007 10:03 AM
> To: MailScanner discussion
> Subject: Re: ClamAV 0.91 is out
>
> I have just released an updated version of my ClamAV+SpamAssassin
> package including this new release.
>
> Randal, Phil wrote:
> > Project: Clam AntiVirus (clamav)
> > Package: clamav
> > Date : 2007-07-11 12:59
> >
> > Project "Clam AntiVirus" ('clamav') has released the new version of
> > package
> > 'clamav'. You can download it from SourceForge.net by following this
> > link:
> >
> release_id
> > =522414>
> > or browse Release Notes and ChangeLog by visiting this link:
> >
> >
> > Cheers,
> >
> > Phil
> >
> > --
> > Phil Randal
> > Network Engineer
> > Herefordshire Council
> > Hereford, UK
> >
>
> Jules
>
> --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> For all your IT requirements visit www.transtec.co.uk
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From rcooper at dwford.com Wed Jul 11 16:43:50 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Wed Jul 11 16:43:54 2007
Subject: 4.61.7-2 - Attachments get zipped = message body disappears
In-Reply-To: <4694D964.2000408@pacific.net>
References: <011f01c7c3b4$3709fec0$3c65a8c0@support01> <4694D964.2000408@pacific.net>
Message-ID: <01c201c7c3d2$47417890$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A
> Sent: Wednesday, July 11, 2007 11:22 PM
> To: MailScanner discussion
> Subject: Re: 4.61.7-2 - Attachments get zipped = message body disappears
>
> Nigel Kendrick wrote:
> >> Subject: RE: 4.61.7-2 - Attachments get zipped = message body disappears
> >>
> >>
> >> This is a side effect for users where the email message is actually an
> >> attachment and not in the normal message body....I've had fun with this
> >> as well..
> >
> >
> > I upgraded 3 mail servers at the same time last week and I have just sent
> > another test message with attachment to my Googlemail account via a
> > different server and this message has made it in one piece.
> >
> > What's the best way to approach this!?
> >
> > Ta
> >
> Seems like it would be nice to be able to specify which type of
> attachments to zip.. (doc|xls|pdf|tiff).. etc.
> Ken
>

You can specify what kinds of files are *not* zipped in
MailScanner.conf. Mine says

Attachment Extensions Not To Zip = .zip .rar .gz .tgz .mpg .mpeg .mp3 .rpm .pdf .xls .htm .html .eml

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From Phil.Udel at SalemCorp.com Wed Jul 11 17:03:42 2007
From: Phil.Udel at SalemCorp.com (Phil Udel)
Date: Wed Jul 11 17:04:05 2007
Subject: Help with ClamAVMod
In-Reply-To: <070601c7c3b8$d6781060$6102a8c0@salemcorp.com>
References: <064f01c7c342$a0f4e3d0$6102a8c0@salemcorp.com> <070601c7c3b8$d6781060$6102a8c0@salemcorp.com>
Message-ID: <073e01c7c3d5$0d7dff40$6102a8c0@salemcorp.com>

Looks Like 0.9.1 Fixed my problem.
Just install new release and all is working fine.
Made only one change to the clamfresh to point to /usr/local/bin not /usr/bin

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Phil Udel
Sent: Wednesday, July 11, 2007 8:42 AM
To: 'MailScanner discussion'
Subject: RE: Help with ClamAVMod

That has been the problem. Nothing in the Mailscanner log and freshclam log
is empty.

I do get this message:
Jul 11 12:24:29 pinkie MailScanner[10879]: Message Content Protection
SpamAssass in timed out and was killed, consecutive failure 1 of 20

I don't get them if I take clamavmodule out of the MS Config and just use
mcafee

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ugo Bellavance
Sent: Tuesday, July 10, 2007 10:53 PM
To: mailscanner@lists.mailscanner.info
Subject: Re: Help with ClamAVMod

Phil Udel wrote:
> I just upgraded to MS 4.61.7.2 today on a Centos 4.x system I am
> having problems with CLamAVmod working.
> When ever I add clamavmodule to the Virus Scanners List MS stops
> possessing Email and finally Fails after three min or so.
>

Please let us see some log entries.

Regards.

Ugo

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From matt at coders.co.uk Wed Jul 11 17:23:26 2007
From: matt at coders.co.uk (Matt Hampton)
Date: Wed Jul 11 17:21:44 2007
Subject: Changing scores/rules on the fly when calling SpamAssassin from MailScanner
Message-ID: <469503FE.6000100@coders.co.uk>

Hi

I am looking at writing an extension to MailScanner so that we can allow
different settings to be applied.

My primary objective is to allow different username to be used for
bayes. If I am able to achieve scores and rules as well this would be a
bonus.

I have mocked something up which uses the $t->copy_config() and
$t->read_scoreonly_config(). I am saving the config (using
freeze/thaws) to disk so that the other MailScanner processes can share
them (using tie with a Tie::DB_Lock). I cause the tied hashfile to be
recreated when MailScanner restarts causing a reload of the primary
files.

This is working but I was wondering if there was a better way to do it.
It looks like http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3852
would help here but it doesn't look like any progress has been made :-)

If I just want to change the bayes username I can (I assume) just do this:

$f->signal_user_changed(username=>"newuser");

But how do I revert back to the default?

cheers

Matt

From theodrake at comcast.net Wed Jul 11 17:36:15 2007
From: theodrake at comcast.net (Ed Bruce)
Date: Wed Jul 11 17:36:30 2007
Subject: ClamAV 0.91 is out
In-Reply-To: <1951DC816E1A9F469307B05FA183F4389DC79A@corpatsmail1.corp.sensis.com>
References: <1951DC816E1A9F469307B05FA183F4389DC79A@corpatsmail1.corp.sensis.com>
Message-ID: <469506FF.10000@comcast.net>

Desai, Jason wrote:
> I'm getting a 404 error trying to download it. Is everything ok on the
> web site?
>
> Not Found
> The requested URL /files/4/install-Clam-0.91-SA-3.2.1.tar.gz was not
> found on this server.
>
> Additionally, a 404 Not Found error was encountered while trying to use
> an ErrorDocument to handle the request.
>

I got the same error when attempting to download this file. I tried
others and they worked. So I'm guessing its only a problem with this one
file and not the web site.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070711/9c2a28aa/signature.bin

From j.ede at birchenallhowden.co.uk Wed Jul 11 17:50:28 2007
From: j.ede at birchenallhowden.co.uk (Jason Ede)
Date: Wed Jul 11 17:50:44 2007
Subject: Notify recipient of blocked password protected zips?
Message-ID:

I see recipients of blocked double extension files get notified, but not
if the blocked file is a password protected zip. Is there a way to enable
it for these files without being flooded with other reports?

Jason

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070711/6fad2661/attachment.html

From dnsadmin at 1bigthink.com Wed Jul 11 17:52:32 2007
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Wed Jul 11 17:52:47 2007
Subject: ATTN: Julian -- WAS Re: ClamAV 0.91 is out
In-Reply-To: <469506FF.10000@comcast.net>
References: <1951DC816E1A9F469307B05FA183F4389DC79A@corpatsmail1.corp.sensis.com> <469506FF.10000@comcast.net>
Message-ID: <200707111652.l6BGqkUP001641@mxt.1bigthink.com>

Hello Julian,

The package isn't where we are expecting it or URL is typo'd.

Thanks,
Glenn

At 12:36 PM 7/11/2007, you wrote:
>Desai, Jason wrote:
> > I'm getting a 404 error trying to download it. Is everything ok on the
> > web site?
> >
> > Not Found
> > The requested URL /files/4/install-Clam-0.91-SA-3.2.1.tar.gz was not
> > found on this server.
> >
> > Additionally, a 404 Not Found error was encountered while trying to use
> > an ErrorDocument to handle the request.
> >
>
>I got the same error when attempting to download this file. I tried
>others and they worked. So I'm guessing its only a problem with this one
>file and not the web site.
>
>
>
>--
>MailScanner mailing list
>mailscanner@lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!

From MailScanner at ecs.soton.ac.uk Wed Jul 11 18:12:11 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 11 18:15:25 2007
Subject: ClamAV 0.91 is out
In-Reply-To: <469506FF.10000@comcast.net>
References: <1951DC816E1A9F469307B05FA183F4389DC79A@corpatsmail1.corp.sensis.com> <469506FF.10000@comcast.net>
Message-ID: <46950F6B.7040306@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ed Bruce wrote:
> Desai, Jason wrote:
>
>> I'm getting a 404 error trying to download it. Is everything ok on the
>> web site?
>>
>> Not Found
>> The requested URL /files/4/install-Clam-0.91-SA-3.2.1.tar.gz was not
>> found on this server.
>>
>> Additionally, a 404 Not Found error was encountered while trying to use
>> an ErrorDocument to handle the request.
>>
>>
>
> I got the same error when attempting to download this file. I tried
> others and they worked. So I'm guessing its only a problem with this one
> file and not the web site.
>

I copied the file to the wrong web server. Doh!
Fixed now. Sorry about that.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGlQ9rEfZZRxQVtlQRAkofAKDVRs/a+lXnwk+WX9qNofMLB8eYOACgw6jX
aNx/9freYblTCBEQJ1nQJfM=
=Md9c
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Wed Jul 11 18:17:01 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jul 11 18:21:41 2007 Subject: ATTN: Julian -- WAS Re: ClamAV 0.91 is out In-Reply-To: <200707111652.l6BGqkUP001641@mxt.1bigthink.com> References: <1951DC816E1A9F469307B05FA183F4389DC79A@corpatsmail1.corp.sensis.com> <469506FF.10000@comcast.net> <200707111652.l6BGqkUP001641@mxt.1bigthink.com> Message-ID: <4695108D.5070305@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 It's okay now. P.S. If you want to send a message just to me, then email directly, please do not use the mailing list for this. dnsadmin 1bigthink.com wrote: > Hello Julian, > > The package isn't where we are expecting it or URL is typo'd. > > Thanks, > Glenn > > At 12:36 PM 7/11/2007, you wrote: > >> Desai, Jason wrote: >> > I'm getting a 404 error trying to download it. Is everything ok on >> the >> > web site? >> > >> > Not Found >> > The requested URL /files/4/install-Clam-0.91-SA-3.2.1.tar.gz was not >> > found on this server. >> > >> > Additionally, a 404 Not Found error was encountered while trying to >> use >> > an ErrorDocument to handle the request. >> > >> >> I got the same error when attempting to download this file. I tried >> others and they worked. So I'm guessing its only a problem with this one >> file and not the web site. >> >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGlRCOEfZZRxQVtlQRAoegAKD5iV8fdW7YFjW9DwRWX9KbxYKVEwCfTeYL DcEFpWwyJAxQ9TfGUDyffQg= =0QDW -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From steve.freegard at fsl.com Wed Jul 11 19:08:09 2007 From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Jul 11 19:08:14 2007 Subject: Changing scores/rules on the fly when calling SpamAssassin from MailScanner In-Reply-To: <469503FE.6000100__33106.1303768822$1184171115$gmane$org@coders.co.uk> References: <469503FE.6000100__33106.1303768822$1184171115$gmane$org@coders.co.uk> Message-ID: <46951C89.7000401@fsl.com> Hey Matt, Matt Hampton wrote: > If I just want to change the bayes username I can (I assume) just do this: > > $f->signal_user_changed(username=>"newuser"); > > But how do I revert back to the default? > Just a thought - but wouldn't the default be the user that is running MailScanner e.g. the Run As User, so to revert back you'd run: $f->signal_user_changed( username => MailScanner::Config::Value('runasuser'), user_dir => undef, userstate_dir => MailScanner::Config::Value('spamassassinuserstatedir')); Hope this helps. Cheers, Steve. From support-lists at petdoctors.co.uk Wed Jul 11 19:52:43 2007 
From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Wed Jul 11 19:54:04 2007 Subject: MailScanner.conf and MailScanner.conf.local Message-ID: <002601c7c3ec$a9de3a00$3c65a8c0@support01> Julian et al. It occurs to me that over my not-very-massive pile of 4 mail servers, many of the settings are common to the lot and if I tweak a 'generic' setting on one I generally tweak it on all of them. To this end, is it possible (or would it be possible) to have the site-specific settings in one config file and generic ones in another (MailScanner.conf.local and MailScanner.conf?) so I could arrange for a replication script to keep the generics in sync? Following on from that, is there (or could there) be a mechanism to remotely restart MailScanner - say, for example, by MailScanner noticing the creation of /etc/MailScanner/restart.flg that could be put in place during a sync operation as mentioned above? Just wonderin' Thanks Nigel Kendrick From wendiw at itasoftware.com Wed Jul 11 20:00:11 2007 
From: wendiw at itasoftware.com (Wendi Whitsett) Date: Wed Jul 11 20:00:16 2007 Subject: R: Fake User-Agent on PDF In-Reply-To: <4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk> References: , <4686B8D1.7090005@ecs.soton.ac.uk>, <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> <4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk> Message-ID: <469528BB.20300@itasoftware.com> Thanks Ian! Wendi Ian wrote: > On 2 Jul 2007 at 11:51, Marcello Anderlini wrote: > > >> Sorry guys, but cause my poor English I'm not sure I've understood if there >> is a good rules to block pdf spam. >> If there is, could someone publish one working ? >> > > Hi, > > One of the SARE ninjas has created a plugin called PDFInfo. This was posted on the > spamassassin list last week: > > > > Until its publicly released, you can request it with a simple email to > us, see http://www.rulesemporium.com/plugins.htm#pdfinfo > > > > Works well here. > > Regards > > Ian > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3257 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070711/52f2d928/smime.bin From hden at kcbbs.gen.nz Wed Jul 11 20:37:49 2007 
From: hden at kcbbs.gen.nz (Hendrik den Hartog)
Date: Wed Jul 11 20:19:05 2007
Subject: Language File
In-Reply-To: <469476FB.3030901@jfworks.net>
References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> <20070711044320.GA25959@mew.kcbbs.gen.nz> <469476FB.3030901@jfworks.net>
Message-ID: <20070711193749.GA26398@mew.kcbbs.gen.nz>

Yes, we ran the upgrade command as per the instructions, we also quickly set up Mailscanner on a spare machine, then copied the language.conf.rpmnew across, but the log still shows some strings missing?

Where are the language conf files? In the mailscanner.rpm part of the un-tarred files? i.e. can we just load this via an rpm command to extract the language files (as opposed to re-running the whole install script)?

Cheers!
Dave

On Tue, Jul 10, 2007 at 11:21:47PM -0700, James wrote:
> Hendrik den Hartog wrote:
> >Gidday
> >
> >We've recently upgraded MailScanner after several months, and am getting
> >logged errors about missing strings..
> >
> >'Looked up unknown string notcached in language translation file'
> >
> >..etc
> >
> >We did copy the(a) new language,conf.rpmnew to language.conf, but this
> >didn't
> >sort the issue.
> >
> >Is there anywhere we can download a current english (en) language file
> >from to sort this?
> >
> >Cheers!
> >Pasadena School (Dave)
> >
> Have you run "upgrade_languages_conf " ? It will give the directions for
> upgrading the file.
>
> James
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From ssilva at sgvwater.com Wed Jul 11 20:28:09 2007
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Jul 11 20:28:20 2007 Subject: Language File In-Reply-To: <20070711193749.GA26398@mew.kcbbs.gen.nz> References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> <20070711044320.GA25959@mew.kcbbs.gen.nz> <469476FB.3030901@jfworks.net> <20070711193749.GA26398@mew.kcbbs.gen.nz> Message-ID: Hendrik den Hartog spake the following on 7/11/2007 12:37 PM: > Yes, we ran the upgrade command as per the instructions, we also quickly > set up Mailscanner on a spare machine, then copied the language.conf.rpmnew > across, but the log still shows some strings missing? > > Where are the language conf files? in the mailscanner.rpm part of the > un-tared files? i.e. can we just load this via an rpm command to extract > the language files [as oppossed to re-running the whole install script?) > > Cheers! > Dave Which version are you running? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From hden at kcbbs.gen.nz Wed Jul 11 20:54:03 2007 
From: hden at kcbbs.gen.nz (Hendrik den Hartog) Date: Wed Jul 11 20:35:22 2007 Subject: Language File In-Reply-To: <20070711193749.GA26398@mew.kcbbs.gen.nz> References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> <20070711044320.GA25959@mew.kcbbs.gen.nz> <469476FB.3030901@jfworks.net> <20070711193749.GA26398@mew.kcbbs.gen.nz> Message-ID: <20070711195403.GA26414@mew.kcbbs.gen.nz> Sorry for the self reply, but an admendment to my previous.. Seems only a couple of strings are "missing", mostly.. unknown string notcached and occassional unknown string skippedastoobig Thought this xtra info may help pinpoint this?? Cheers! Dave On Thu, Jul 12, 2007 at 07:37:49AM +1200, Hendrik den Hartog wrote: > > Yes, we ran the upgrade command as per the instructions, we also quickly > set up Mailscanner on a spare machine, then copied the language.conf.rpmnew > across, but the log still shows some strings missing? > > Where are the language conf files? in the mailscanner.rpm part of the > un-tared files? i.e. can we just load this via an rpm command to extract > the language files [as oppossed to re-running the whole install script?) > > Cheers! > Dave > > > > On Tue, Jul 10, 2007 at 11:21:47PM -0700, James wrote: > > Hendrik den Hartog wrote: > > >Gidday > > > > > >We've recently upgraded MailScanner after several months, and am getting > > >logged errors about missing strings.. > > > > > >'Looked up unknown string notcached in language translation file' > > > > > >..etc > > > > > >We did copy the(a) new language,conf.rpmnew to language.conf, but this > > >didn't > > >sort the issue. > > > > > >Is there anywhere we can download a current english (en) language file > > >from to sort this? > > > > > >Cheers! > > >Pasadena School (Dave) > > > > > Have you run "upgrade_languages_conf " ? It will give the directions for > > upgrading the file. 
> > > > James > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From prandal at herefordshire.gov.uk Wed Jul 11 20:45:14 2007 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Jul 11 20:45:23 2007 Subject: FW: [Full-disclosure] Advisory - Clam AntiVirus RAR File HandlingDenial Of Service Vulnerability. Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA03CEE8@HC-MBX02.herefordshire.gov.uk> Right folks, Here's why we should all upgrade to ClamAV 0.91 right now. Thanks Jules for so speedily releasing you updated installers. Phil -----Original Message----- 
From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Metaeye SG
Sent: 11 July 2007 16:13
To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk; news@securiteam.com
Subject: [Full-disclosure] Advisory - Clam AntiVirus RAR File HandlingDenial Of Service Vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vendor
- ------
Clam Antivirus (http://www.clamav.net)

Product
- -------
Clamav (libclamav)

Versions Affected
- -----------------
All before 0.91

Severity
- --------
Moderate

Issue
- -----
Clamav crashes due to processing of standard filters in RAR VM, while processing a corrupted RAR file. Processing the corrupted file results in a null pointer dereference.

Impact
- ------
Processing the corrupted file will result in crashing of clamscan application and clamd daemon.

Fix
- ---
Upgrade to version 0.91.

PoC
- ---
http://www.metaeye.org/codes/corrupted.rar

Vendor Status
- -------------
Reported: 25/06/2007
Fixed: 11/07/2007

References
- ----------
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=555
http://www.metaeye.org/advisories/54

Metaeye SG // http://www.metaeye.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGlPN/gHlN5ncUR6wRAo1AAJ9dNI51Y4t5BRG3aqIUHPih8cJQ7ACfVrW1
21o5Oadk6A7OVGhdzJph2gk=
=YuBi
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

From wintermutecx at gmail.com Wed Jul 11 20:45:45 2007
From: wintermutecx at gmail.com (Dave) Date: Wed Jul 11 20:45:48 2007 Subject: deny webbug Message-ID: We have an outside contractor who sends email to users here locally, he uses msgtag.com to tag all his messages. It appears mailscanner is not disarming those. Is there a ruleset were I can specify which tags always get disarmed? I see there is one for white listing. My current setting is disarm. From hden at kcbbs.gen.nz Wed Jul 11 21:16:01 2007 From: hden at kcbbs.gen.nz (Hendrik den Hartog) Date: Wed Jul 11 20:57:17 2007 Subject: Language File In-Reply-To: References: <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> <20070711044320.GA25959@mew.kcbbs.gen.nz> <469476FB.3030901@jfworks.net> <20070711193749.GA26398@mew.kcbbs.gen.nz> Message-ID: <20070711201601.GA26433@mew.kcbbs.gen.nz> Version 4.61.7-2 Cheers Dave On Wed, Jul 11, 2007 at 12:28:09PM -0700, Scott Silva wrote: > Hendrik den Hartog spake the following on 7/11/2007 12:37 PM: > > Yes, we ran the upgrade command as per the instructions, we also quickly > > set up Mailscanner on a spare machine, then copied the language.conf.rpmnew > > across, but the log still shows some strings missing? > > > > Where are the language conf files? in the mailscanner.rpm part of the > > un-tared files? i.e. can we just load this via an rpm command to extract > > the language files [as oppossed to re-running the whole install script?) > > > > Cheers! > > Dave > Which version are you running? > > > -- > > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From hvdkooij at vanderkooij.org Wed Jul 11 21:03:45 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Jul 11 21:04:52 2007
Subject: Language File
In-Reply-To: <20070711193749.GA26398@mew.kcbbs.gen.nz>
References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> <20070711044320.GA25959@mew.kcbbs.gen.nz> <469476FB.3030901@jfworks.net> <20070711193749.GA26398@mew.kcbbs.gen.nz>
Message-ID:

On Thu, 12 Jul 2007, Hendrik den Hartog wrote:

> Yes, we ran the upgrade command as per the instructions, we also quickly
> set up Mailscanner on a spare machine, then copied the language.conf.rpmnew
> across, but the log still shows some strings missing?

RPM will attempt to keep existing configuration files (if a package tags a file as config file!) by adding the new as .rpmnew

So it serves no point to move them around.

As a rule of thumb I try to backup config files before I start to edit them by moving them out of the way and copy the file back. So for example the shipped mailscanner.conf:

    mv mailscanner.conf mailscanner.conf.SHIPPED
    cp mailscanner.conf.SHIPPED mailscanner.conf

I can then edit mailscanner.conf as much as I like. If I run a diff on them I can tell exactly what I changed:

    diff -u mailscanner.conf.SHIPPED mailscanner.conf > mailscanner.conf.CHANGES

Telling what has changed from old package to new package requires a diff on the rpmnew file.

    diff mailscanner.conf.SHIPPED mailscanner.conf.rpmnew

I find it works great to know which config options were added and then I can decide how to go about with fixing my config file to adjust for the new options.

I also have the silly habit of copying config lines before I make changes. So the shipped line was:

    %org-name% = yoursite

I then make it:

    #H#%org-name% = yoursite
    %org-name% = vanderkooij.org

So even without a clean config file I can tell my changes apart from the default ones.

I hope this helps you to make config changes less difficult.

Hugo.
-- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From MailScanner at ecs.soton.ac.uk Wed Jul 11 21:03:00 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jul 11 21:07:47 2007 Subject: MailScanner.conf and MailScanner.conf.local In-Reply-To: <002601c7c3ec$a9de3a00$3c65a8c0@support01> References: <002601c7c3ec$a9de3a00$3c65a8c0@support01> Message-ID: <46953774.3050205@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Nigel Kendrick wrote: > Julian et al. > > It occurs to me that over my not-very-massive pile of 4 mail servers, many > of the settings are common to the lot and if I tweak a 'generic' setting on > one I generally tweak it on all of them. To this end, is it possible (or > would it be possible) to have the site-specific settings in one config file > and generic ones in another (MailScanner.conf.local and MailScanner.conf?) > so I could arrange for a replication script to keep the generics in sync? > I guess an "include" command could be possible. It would ruin the upgrade_MailScanner_conf though which would be a great shame. > Following on from that, is there (or could there) be a mechanism to remotely > restart MailScanner - say, for example, by MailScanner noticing the creation > of /etc/MailScanner/restart.flg that could be put in place during a sync > operation as mentioned above? > Things like rsync allow a command to be executed upon completion of the sync process. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGlTd1EfZZRxQVtlQRAlF/AJ4+4yvRQdobY1JBZgPm0gLh/h7FDQCfdhtA byuuzEBZeJfMNrXyj1Y2+jc= =+NpR -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Wed Jul 11 21:07:49 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jul 11 21:11:59 2007 Subject: Language File In-Reply-To: <20070711195403.GA26414@mew.kcbbs.gen.nz> References: <469266D4.7060405@ecs.soton.ac.uk> <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> <20070711044320.GA25959@mew.kcbbs.gen.nz> <469476FB.3030901@jfworks.net> <20070711193749.GA26398@mew.kcbbs.gen.nz> <20070711195403.GA26414@mew.kcbbs.gen.nz> Message-ID: <46953895.6020708@ecs.soton.ac.uk> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070711/08d225ce/PGP-0001.bin From MailScanner at ecs.soton.ac.uk Wed Jul 11 21:09:27 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 11 21:14:10 2007
Subject: deny webbug
In-Reply-To:
References:
Message-ID: <469538F7.7070503@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can you send me the HTML of the web-bug they use please?
It works by finding 1x1,1x2,2x1 and 2x2 pixel images in the HTML.

Dave wrote:
> We have an outside contractor who sends email to users here locally,
> he uses msgtag.com to tag all his messages. It appears mailscanner is
> not disarming those. Is there a ruleset where I can specify which tags
> always get disarmed? I see there is one for white listing. My current
> setting is disarm.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGlTj4EfZZRxQVtlQRAi2hAJsHVYtEE8QgdRFkFJj7PbA8RUq+sgCg2UpQ
aU5qH4EvU6bpZjOXVhAoZEE=
=jCs6
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From rout at tj.rs.gov.br Wed Jul 11 21:34:58 2007
From: rout at tj.rs.gov.br (Felipe Rout)
Date: Wed Jul 11 21:35:04 2007
Subject: Ldap query in ruleset file
Message-ID: <1184186098.3534.8.camel@urede05.tjrs.gov.br>

Hello,

I would like to know if it is possible to create ruleset files using ldap queries. I need to know if a user takes part in certain Active Directory groups. This way I can manage permissions only adding or removing users from/to these groups.

Thanks for any help.

From ssilva at sgvwater.com Wed Jul 11 22:01:38 2007
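As an added illustration of the size check Julian Field describes in the "deny webbug" thread above (finding 1x1, 1x2, 2x1 and 2x2 pixel images in the HTML), the following Python is not MailScanner's code. The placeholder text, the function names and the sample message are constructed, and reading sizes from an inline `style` as well as from `width`/`height` attributes is an assumption of this example.

```python
import re
from html.parser import HTMLParser

# Sizes named in the thread: 1x1, 1x2, 2x1 and 2x2 pixels.
TINY = {1, 2}
PLACEHOLDER = "<!-- web bug removed -->"  # constructed placeholder, not MailScanner's text

_PX = re.compile(r"^\s*(\d+)\s*(?:px)?\s*$", re.I)
_STYLE_DIM = re.compile(
    r"(?:^|;)\s*(width|height)\s*:\s*(\d+)\s*px\s*(?=;|$)", re.I)


def _declared_size(attrs):
    """Return (width, height) in pixels as declared on the tag; None where absent."""
    a = {k: (v or "") for k, v in attrs}
    size = {"width": None, "height": None}
    for key in size:
        m = _PX.match(a.get(key, ""))
        if m:
            size[key] = int(m.group(1))
    # An inline style wins over the presentational attributes, as in a browser.
    for key, val in _STYLE_DIM.findall(a.get("style", "")):
        size[key.lower()] = int(val)
    return size["width"], size["height"]


class WebBugDisarmer(HTMLParser):
    """Copies HTML through unchanged except for <img> tags declared 1-2 px square-ish."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []     # pieces of the rewritten document
        self.found = []   # (src, width, height) for every image removed

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            w, h = _declared_size(attrs)
            if w in TINY and h in TINY:
                self.found.append((dict(attrs).get("src") or "", w, h))
                self.out.append(PLACEHOLDER)
                return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # get_starttag_text() already includes the "/>", so no end tag is emitted.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_pi(self, data):
        self.out.append(f"<?{data}>")


def disarm_web_bugs(html):
    """Return (rewritten_html, removed_images) for one HTML message body."""
    parser = WebBugDisarmer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.found


# Constructed sample body: two tracking pixels, one logo, one image with no size.
SAMPLE = (
    '<html><body><p>Quarterly report attached &amp; reviewed.</p>\n'
    '<img src="http://tracker.example/t.gif?id=abc123" width="1" height="1">\n'
    '<IMG SRC="http://tracker.example/u.gif" STYLE="width:2px; height:1px" />\n'
    '<img src="http://cdn.example/logo.png" width="120" height="40">\n'
    '<img src="http://cdn.example/photo.jpg">\n'
    '</body></html>'
)

if __name__ == "__main__":
    cleaned, removed = disarm_web_bugs(SAMPLE)
    for src, w, h in removed:
        print(f"removed {w}x{h} image: {src}")
    print(cleaned)
```

An image that declares no size at all, like the last one in the sample, is left alone by a check of this kind, which is why the actual HTML of a tag is needed to tell whether it can match.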
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Jul 11 22:01:59 2007 Subject: MailScanner.conf and MailScanner.conf.local In-Reply-To: <46953774.3050205@ecs.soton.ac.uk> References: <002601c7c3ec$a9de3a00$3c65a8c0@support01> <46953774.3050205@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 7/11/2007 1:03 PM: > > > Nigel Kendrick wrote: >> Julian et al. > >> It occurs to me that over my not-very-massive pile of 4 mail servers, many >> of the settings are common to the lot and if I tweak a 'generic' setting on >> one I generally tweak it on all of them. To this end, is it possible (or >> would it be possible) to have the site-specific settings in one config file >> and generic ones in another (MailScanner.conf.local and MailScanner.conf?) >> so I could arrange for a replication script to keep the generics in sync? > > I guess an "include" command could be possible. It would ruin the > upgrade_MailScanner_conf though which would be a great shame. >> Following on from that, is there (or could there) be a mechanism to remotely >> restart MailScanner - say, for example, by MailScanner noticing the creation >> of /etc/MailScanner/restart.flg that could be put in place during a sync >> operation as mentioned above? > > Things like rsync allow a command to be executed upon completion of the > sync process. > > Jules > Or you could run mon or monit or something like that, and tell it to restart MailScanner if the conf file changes. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From rcooper at dwford.com Wed Jul 11 22:51:05 2007 From: rcooper at dwford.com (Rick Cooper) Date: Wed Jul 11 22:51:09 2007 Subject: MailScanner.conf and MailScanner.conf.local In-Reply-To: <002601c7c3ec$a9de3a00$3c65a8c0@support01> References: <002601c7c3ec$a9de3a00$3c65a8c0@support01> Message-ID: <000f01c7c405$952ad000$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Nigel Kendrick
> Sent: Thursday, July 12, 2007 4:53 AM
> To: 'MailScanner discussion'
> Subject: MailScanner.conf and MailScanner.conf.local
>
> Julian et al.
>
> It occurs to me that over my not-very-massive pile of 4 mail
> servers, many
> of the settings are common to the lot and if I tweak a
> 'generic' setting on
> one I generally tweak it on all of them. To this end, is it
> possible (or
> would it be possible) to have the site-specific settings in
> one config file
> and generic ones in another (MailScanner.conf.local and
> MailScanner.conf?)
> so I could arrange for a replication script to keep the
> generics in sync?
>

I don't know what your "generic" settings are but I have about a dozen things that change depending on which server mailscanner is installed in. Most of them have to do with site names and such. I use lib/MailScanner/CustomConfig.pm to set environment variables for the items I need changed, for example:

Each server has a file (example) /SomeDir/ThisSig that contains an (Unique) entry like:

    ABC

    # Per-site values, keyed by the entry found in /SomeDir/ThisSig
    my %Sigs = (
        'ABC' => "company1.com:My First Company:www.company1.com/mailrejected.php",
        'EFG' => "company1.com:My First Company:www.company1.com/mailrejected.php",
        'HIJ' => "company1.com:My First Company:www.company1.com/mailrejected.php"
    );
    my $CoSig;

    # Read this server's key and look up its settings
    $CoSig = `/bin/cat /SomeDir/ThisSig`;
    chomp($CoSig);
    my $SigStr = $Sigs{$CoSig};
    my ($OrgName,$OrgNameLong,$WebSite) = split(/:/,$SigStr);

    # Export them so MailScanner.conf can refer to them as ${NAME}
    $ENV{ORGNAME} = $OrgName;
    $ENV{ORGNAMELONG} = $OrgNameLong;
    $ENV{MSWEB} = $WebSite;
    $ENV{COSIG} = $CoSig;

Now in MailScanner.Conf I use settings like

    %org-name% = ${ORGNAME}
    %org-long-name% = ${ORGNAMELONG}
    %web-site% = ${MSWEB}
    Spam Header = X-${COSIG}-MailScanner-SpamCheck

If you didn't want to maintain the %Sigs part (not a problem for me because I don't add or subtract servers very often) You could just eliminate that part and set the entries in /SomeDir/ThisSig like

    ABC::ParamOne::ParamTwo::ParamThree::ParamFour

And then

    # All values live in the per-server file, separated by "::"
    my $CoSig = `/bin/cat /SomeDir/ThisSig`;
    chomp($CoSig);
    my ($OrgKey,$ParamOne,$ParamTwo,$ParamThree,$ParamFour) = split(/::/,$CoSig);
    $ENV{P1} = $OrgKey;
    $ENV{P2} = $ParamOne;
    $ENV{P3} = $ParamTwo;
    $ENV{P4} = $ParamThree;
    $ENV{P5} = $ParamFour;

And then in MailScanner.conf :

    Some Setting = ${P4}/other/stuff

Now I can (and do) push out one MailScanner.conf that will handle all the servers based on their specific information contained in /SomeDir/ThisSig. I don't think there is a setting in MailScanner that could pertain to site specific information that will not allow the ${ENV_VAR} format.

Rick

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From rcooper at dwford.com Wed Jul 11 23:16:10 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Wed Jul 11 23:16:19 2007
Subject: MailScanner.conf and MailScanner.conf.local
In-Reply-To:
References: <002601c7c3ec$a9de3a00$3c65a8c0@support01><46953774.3050205@ecs.soton.ac.uk>
Message-ID: <001001c7c409$1632db90$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Scott Silva > Sent: Thursday, July 12, 2007 7:02 AM > To: mailscanner@lists.mailscanner.info > Subject: Re: MailScanner.conf and MailScanner.conf.local > > Julian Field spake the following on 7/11/2007 1:03 PM: > > > > > > Nigel Kendrick wrote: > >> Julian et al. > > > >> It occurs to me that over my not-very-massive pile of 4 > mail servers, many > >> of the settings are common to the lot and if I tweak a > 'generic' setting on > >> one I generally tweak it on all of them. To this end, is > it possible (or > >> would it be possible) to have the site-specific settings > in one config file > >> and generic ones in another (MailScanner.conf.local and > MailScanner.conf?) > >> so I could arrange for a replication script to keep the > generics in sync? > > > > I guess an "include" command could be possible. It would ruin the > > upgrade_MailScanner_conf though which would be a great shame. > >> Following on from that, is there (or could there) be a > mechanism to remotely > >> restart MailScanner - say, for example, by MailScanner > noticing the creation > >> of /etc/MailScanner/restart.flg that could be put in > place during a sync > >> operation as mentioned above? > > > > Things like rsync allow a command to be executed upon > completion of the > > sync process. > > > > Jules > > > Or you could run mon or monit or something like that, and > tell it to restart > MailScanner if the conf file changes. > -- > Something I had asked before would be Behavior similar to exim where it notices when an external file changes and reloads any data it uses rather than using the cached information. If I change something in a lookup file (in exim) I don't have to worry about restarting the daemon. So with MS if I change something in a rule file it would be nice not to have to restart MS to gain access to the changed information. 
Before it processes a rulefile, check to see if it has changed and reload if it has. Same with the config file: check every XYZ min and reload if the file has changed. I would think some kind of crc or simple stat would work. Of course that might be difficult with the internal structure of MS; I have never really looked at the flow that closely.

Rick

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From hden at kcbbs.gen.nz Thu Jul 12 00:21:25 2007
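One way to implement the check Rick Cooper suggests above (a cheap stat before each use, a checksum to confirm, a reload only when the content really changed), as an added Python example that is not MailScanner code. The class, the simplified three-column ruleset format and the file name are assumptions of this example; a file that is missing or fails to parse leaves the last good copy in use.

```python
import hashlib
import os
import tempfile


def parse_ruleset(raw):
    """Parse simplified 'direction pattern value' lines (assumed format)."""
    rules = []
    for n, line in enumerate(raw.decode("utf-8").splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"line {n}: expected 'direction pattern value'")
        rules.append(tuple(parts))
    return rules


class ReloadingFile:
    """Caches a parsed file; re-parses only when stat AND checksum say it changed."""

    def __init__(self, path, parse):
        self.path = path
        self.parse = parse        # callable: bytes -> parsed object
        self._stat_sig = None     # (mtime_ns, size, inode) at the last read
        self._digest = None       # SHA-256 of the content currently in use
        self.value = None
        self.reloads = 0
        self.last_error = None

    def get(self):
        try:
            st = os.stat(self.path)
        except OSError:
            if self._digest is None:
                raise             # nothing cached yet: the caller must know
            return self.value     # file absent mid-sync: keep the last good copy
        sig = (st.st_mtime_ns, st.st_size, st.st_ino)
        if sig == self._stat_sig:
            return self.value     # cheap path: one stat call, no read
        with open(self.path, "rb") as fh:
            raw = fh.read()
        digest = hashlib.sha256(raw).hexdigest()
        if digest != self._digest:
            try:
                parsed = self.parse(raw)
            except ValueError as exc:
                if self._digest is None:
                    raise
                self.last_error = str(exc)   # bad push: old rules stay active
            else:
                self.value, self._digest = parsed, digest
                self.reloads += 1
                self.last_error = None
        self._stat_sig = sig      # do not re-read until the file changes again
        return self.value


def _write(path, text):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Edit, touch, bad push, delete; return reload count after each step."""
    good = "From: *@example.org yes\nFromOrTo: default no\n"   # constructed rules
    counts = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "constructed.rules")
        _write(path, good)
        rf = ReloadingFile(path, parse_ruleset)
        rf.get(); counts.append(rf.reloads)          # first load
        rf.get(); counts.append(rf.reloads)          # unchanged: stat only
        t = os.stat(path).st_mtime_ns + 2_000_000_000
        os.utime(path, ns=(t, t))
        rf.get(); counts.append(rf.reloads)          # touched, same content
        _write(path, good + "From: 192.0.2. yes\n")
        rf.get(); counts.append(rf.reloads)          # real edit
        _write(path, "garbage\n")
        rf.get(); counts.append(rf.reloads)          # unparsable push
        os.remove(path)
        rules = rf.get(); counts.append(rf.reloads)  # file gone
    return counts, rules, rf.last_error


if __name__ == "__main__":
    print(demo())
```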
From: hden at kcbbs.gen.nz (Hendrik den Hartog) Date: Thu Jul 12 00:02:43 2007 Subject: Language File In-Reply-To: <46953895.6020708@ecs.soton.ac.uk> References: <4693C93C.3020508@ecs.soton.ac.uk> <4693D495.5030409@ecs.soton.ac.uk> <4693F400.5030309@ecs.soton.ac.uk> <20070711044320.GA25959@mew.kcbbs.gen.nz> <469476FB.3030901@jfworks.net> <20070711193749.GA26398@mew.kcbbs.gen.nz> <20070711195403.GA26414@mew.kcbbs.gen.nz> <46953895.6020708@ecs.soton.ac.uk> Message-ID: <20070711232125.GA26467@mew.kcbbs.gen.nz> Julian Thanks for bailing us out. I admit the problem was caused by myself, mainly some bad housekeeping, (just like real life [sigh]). Had a mess of previous files cluttering the folder which obviously confused me [which isn't hard] Once again, thanks! Cheers! Dave On Wed, Jul 11, 2007 at 09:07:49PM +0100, Julian Field wrote: > Here's a copy of the latest English languages.conf. It goes into > /etc/MailScanner/reports/en. > But if you have changed your file (which it would seem you have or else > there wouldn't be a .rpmnew file) then use upgrade_languages_conf and > use this as the .rpmnew file. > > Hendrik den Hartog wrote: > >Sorry for the self reply, but an admendment to my previous.. > > > >Seems only a couple of strings are "missing", mostly.. > > > >unknown string notcached > > > >and occassional > > > >unknown string skippedastoobig > > > >Thought this xtra info may help pinpoint this?? > > > >Cheers! > >Dave > > > > > > > > > > > >On Thu, Jul 12, 2007 at 07:37:49AM +1200, Hendrik den Hartog wrote: > > > > > > > >>Yes, we ran the upgrade command as per the instructions, we also quickly > >>set up Mailscanner on a spare machine, then copied the > >>language.conf.rpmnew > >>across, but the log still shows some strings missing? > >> > >>Where are the language conf files? in the mailscanner.rpm part of the > >>un-tared files? i.e. can we just load this via an rpm command to extract > >>the language files [as oppossed to re-running the whole install script?) 
> >> > >>Cheers! > >>Dave > >> > >> > >> > >>On Tue, Jul 10, 2007 at 11:21:47PM -0700, James wrote: > >> > >>>Hendrik den Hartog wrote: > >>> > >>>>Gidday > >>>> > >>>>We've recently upgraded MailScanner after several months, and am > >>>>getting logged errors about missing strings.. > >>>> > >>>>'Looked up unknown string notcached in language translation file' > >>>> > >>>>..etc > >>>> > >>>>We did copy the(a) new language,conf.rpmnew to language.conf, but this > >>>>didn't > >>>>sort the issue. > >>>> > >>>>Is there anywhere we can download a current english (en) language file > >>>> > >>>>from to sort this? > >>> > >>>>Cheers! > >>>>Pasadena School (Dave) > >>>> > >>>> > >>>Have you run "upgrade_languages_conf " ? It will give the directions for > >>>upgrading the file. > >>> > >>>James > >>>-- > >>>MailScanner mailing list > >>>mailscanner@lists.mailscanner.info > >>>http://lists.mailscanner.info/mailman/listinfo/mailscanner > >>> > >>>Before posting, read http://wiki.mailscanner.info/posting > >>> > >>>Support MailScanner development - buy the book off the website! > >>> > >>-- > >>MailScanner mailing list > >>mailscanner@lists.mailscanner.info > >>http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >>Before posting, read http://wiki.mailscanner.info/posting > >> > >>Support MailScanner development - buy the book off the website! > >> > > Jules > > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
From chandler.lists at chapman.edu Thu Jul 12 04:14:46 2007 
From: chandler.lists at chapman.edu (Jay Chandler) Date: Thu Jul 12 04:14:54 2007 Subject: Mail System Redesign Message-ID: <46959CA6.5010008@chapman.edu> Howdy. I'm at a bit of a crossroads at this point in time-- I've crossposted this message to a few places where those far more knowledgeable than I are wont to hide. I've been tasked with rearchitecting the mailsystem for our university. I did this once before; probably 9 months ago, since what passed before was truly no longer working. What we have right now is FreeBSD MX boxes running Postfix for an MTA that are screening email for RFC compliance, and against several DNSBLs (as well as "does this user exist in our LDAP directory?") -- anything that fails is rejected, anything that passes continues on. After that, we're running MailScanner on the messages, and tagging according to SpamAssassin (configured with sitewide rules because that's how MailScanner does things). From there, we deliver to the user's mbox (mounted over NFS, but I've managed to work out the locking issues). Dovecot serves the mbox to our Squirrelmail server, as well as to POP or IMAP users directly at their client of choice. I have a few problems with this setup. The first is user dissatisfaction. They want the ability to white and black list individual senders (and possibly domains), preferably as close to the beginning of the process as possible. Obviously I don't want one user's whitelisting of spammers.com to affect anyone but that particular user. As of now we have no individual white or black listing. The second is management-- I'm looking to convert to MailDir (to obliterate the last vestiges of the locking issues) and institute quotas. 
The third is upper management suggesting that we might look to move to an Exchange server for handling user accounts at some point in the future, and as much of the white and blacklisting functionality should continue to exist if users edit their .forward files to show a completely different system (such as Exchange. Ugh). Does anyone have any wisdom on this situation that they'd care to express? -- Jay Chandler / KB1JWQ Network Administrator / Systems Exorcist Chapman University, Orange CA From hvdkooij at vanderkooij.org Thu Jul 12 06:39:11 2007 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Jul 12 06:39:20 2007 Subject: Mail System Redesign In-Reply-To: <46959CA6.5010008@chapman.edu> References: <46959CA6.5010008@chapman.edu> Message-ID: On Wed, 11 Jul 2007, Jay Chandler wrote: > I have a few problems with this setup. The first is user dissatisfaction. > They want the ability to white and black list individual senders (and > possibly domains), preferably as close to the beginning of the process as > possible. Obviously I don't want one user's whitelisting of spammers.com to > affect anyone but that particular user. As of now we have no individual > white or black listing. MailWatch can do this for your users. You should be able to add this to your setup in a jiffy. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From res at ausics.net Thu Jul 12 07:15:52 2007 
From: res at ausics.net (Res)
Date: Thu Jul 12 07:16:03 2007
Subject: Mail System Redesign
In-Reply-To:
References: <46959CA6.5010008@chapman.edu>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

On Thu, 12 Jul 2007, Hugo van der Kooij wrote:

> On Wed, 11 Jul 2007, Jay Chandler wrote:
>
>> I have a few problems with this setup. The first is user dissatisfaction.
>> They want the ability to white and black list individual senders (and
>> possibly domains), preferably as close to the beginning of the process as
>> possible. Obviously I don't want one user's whitelisting of spammers.com
>> to affect anyone but that particular user. As of now we have no individual
>> white or black listing.
>
> MailWatch can do this for your users. You should be able to add this to your
> setup in a jiffy.

MailWatch requires a database, so you should also include the implications
of this in any suggestions, ie: additional hardware, severe performance
impact etc, a Uni I'd imagine would be like many medium to even large
I/OSPs and that becomes a very serious issue.

--
Cheers
Res

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGlccYsWhAmSIQh7MRAhxlAKCf5nVYvbfvyejFzfKtS/pKH7tSnwCgkfaN
/1UQg1Tabxp7iqU/hnxLEfc=
=/bem
-----END PGP SIGNATURE-----

From jan-peter at koopmann.eu Thu Jul 12 08:23:34 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Thu Jul 12 08:22:54 2007
Subject: Mail System Redesign
In-Reply-To:
References:
Message-ID:

Hi,

> What we have right now is FreeBSD MX boxes running Postfix for an MTA
> that are screening email for RFC compliance, and against several DNSBLs

Good choice. If you want to make your life a bit simpler regarding RFC
compliance and tons of other very interesting tests google for
BarricadeMX from Fort Systems since this will really help you. Your
Postfix configuration will be a lot simpler and more spam will be
rejected at MTA level.

> (as well as "does this user exist in our LDAP directory?") -- anything
> that fails is rejected, anything that passes continues on. After that,
> we're running MailScanner on the messages, and tagging according to
> SpamAssassin (configured with sitewide rules because that's how
> MailScanner does things).

You can tweak some things like individual spamscores, white/black lists
with MailWatch. Only to a certain extent but it might help you.

> I have a few problems with this setup. The first is user
> dissatisfaction. They want the ability to white and black list
> individual senders (and possibly domains), preferably as close to the
> beginning of the process as possible.

As said before MailWatch can help you with this a bit. However the
black/whitelists will be handled during MailScanner phase and not at MTA
phase which might not satisfy you. Of course the MailWatch database
structure is not too complicated and you could use the corresponding
MySQL table with Postfix (with Exim at least it is possible so Postfix
should be able to do this as well). If speed is an issue you could
periodically create a black/whitelist lookup table in a more suitable
format and use that. I would have to take a look at Barricade MX again
but possibly you could use BMX as well for this.

> The third is upper management suggesting that we might look to move to
> an Exchange server for handling user accounts at some point in the
> future, and as much of the white and blacklisting functionality should
> continue to exist if users edit their .forward files to show a
> completely different system (such as Exchange. Ugh).

Starting with Exchange 2003 it is a much better system than most
imagine. It greatly depends on what you want to achieve. Exchange works
great together with Outlook, gives you a great Web access and you could
easily offer services like POP, IMAP, RPC over HTTPS, HTTPS access.
Outlook users will love the functionality and your users could share
data. Moreover campus-wide public folders could be a nice gimmick as
well. If redundancy is an issue setting up an Exchange Cluster will give
you all the redundancy you need. If however 99% of your users are not
using Outlook but things like Thunderbird and IMAP/POP, Exchange will
not really give you any benefit.

That being said, Exchange works with MailWatch, SpamAssassin etc. Have a
look at SMTPTracker so that the SpamAssassin scores will be translated
to Exchange Spam Confidence level. Low Scoring spam that is being
delivered to Exchange will automatically be delivered to the user's Junk
E-Mail folder then. The user can then use Outlook's own Junk E-Mail
functionality and override the action permanently by
whitelisting/blacklisting the sender. Advantage: The user does not have
to leave Outlook/Outlook Web Access and login to a secondary system like
MailWatch. Pretty simple to use and very easy to maintain.

> Does anyone have any wisdom on this situation that they'd care to
> express?

My recommendation:

- Barricade MX as first line of defense on at least two MX servers
- Postfix/Exim/Sendmail as MTA. Not really worth discussing which one to
  use as it really does not matter if you use Barricade MX.
- MailScanner/SpamAssassin as second line of defense
- Exchange (possibly cluster) with SMTPTracker on it (is only about 40$)
- Outlook, Outlook Web Access as preferred user agents (or Entourage for
  Mac OS X), IMAPS/POPS as secondary offering

Kind regards,
JP

From martinh at solidstatelogic.com Thu Jul 12 09:10:18 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Jul 12 09:10:34 2007
Subject: Mail System Redesign
In-Reply-To: <46959CA6.5010008@chapman.edu>
Message-ID: <0f711fe9c927514f8ae25eceaec397f5@solidstatelogic.com>

Jay

For backend email have a look at how the boys at Cambridge UK have done
theirs. It's called hermes (based around exim of course) and the main
person behind it is Tony Finch. Google will help to show architecture
etc etc....

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Jay Chandler > Sent: 12 July 2007 04:15 > To: MailScanner discussion > Subject: Mail System Redesign > > Howdy. > > I'm at a bit of a crossroads at this point in time-- I've crossposted > this message to a few places where those far more knowledgeable than I > are wont to hide. > > I've been tasked with rearchitecting the mailsystem for our university. > I did this once before; probably 9 months ago, since what passed before > was truly no longer working. > > What we have right now is FreeBSD MX boxes running Postfix for an MTA > that are screening email for RFC compliance, and against several DNSBLs > (as well as "does this user exist in our LDAP directory?") -- anything > that fails is rejected, anything that passes continues on. After that, > we're running MailScanner on the messages, and tagging according to > SpamAssassin (configured with sitewide rules because that's how > MailScanner does things). From there, we deliver to the user's mbox > (mounted over NFS, but I've managed to work out the locking issues). > Dovecot serves the mbox to our Squirrelmail server, as well as to POP or > IMAP users directly at their client of choice. > > I have a few problems with this setup. The first is user > dissatisfaction. They want the ability to white and black list > individual senders (and possibly domains), preferably as close to the > beginning of the process as possible. Obviously I don't want one user's > whitelisting of spammers.com to affect anyone but that particular user. > As of now we have no individual white or black listing. > > The second is management-- I'm looking to convert to MailDir (to > obliterate the last vestiges of the locking issues) and institute quotas. 
> > The third is upper management suggesting that we might look to move to > an Exchange server for handling user accounts at some point in the > future, and as much of the white and blacklisting functionality should > continue to exist if users edit their .forward files to show a > completely different system (such as Exchange. Ugh). > > Does anyone have any wisdom on this situation that they'd care to express? > > -- > Jay Chandler / KB1JWQ > Network Administrator / Systems Exorcist > Chapman University, Orange CA > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From paul.hutchings at mira.co.uk Thu Jul 12 09:41:44 2007 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Thu Jul 12 09:41:59 2007 Subject: Local phishing whitelist? References: <5943e9739270674299fab02af44ce34a@solidstatelogic.com> Message-ID: So it does! Thanks very much for the pointer. Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378 Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin.Hepworth Sent: 11 July 2007 09:01 To: MailScanner discussion Subject: RE: Local phishing whitelist? Paul Put your changes to that single file and the autoupdate will merge the two sets together - clever huh? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Paul Hutchings > Sent: 11 July 2007 08:33 > To: MailScanner discussion > Subject: Local phishing whitelist? > > Is there a way of having a local phishing whitelist as well as the > default/auto-updated one that comes with Mailscanner? > > I don't see a way of specifying more than one file? > > TIA, > Paul > > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378 > Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > > > -- > MIRA Ltd. > > Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. > > Registered in England No. 402570 > VAT Registration GB 114 5409 96 > > The contents of this e-mail are confidential and are solely for the use of > the intended recipient. > If you receive this e-mail in error, please delete it and notify us either > by e-mail, telephone or fax. > You should not copy, forward or otherwise disclose the content of the e- > mail as this is prohibited. > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website!
From MailScanner at ecs.soton.ac.uk Thu Jul 12 10:55:17 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 12 10:55:45 2007 Subject: MailScanner.conf and MailScanner.conf.local In-Reply-To: <001001c7c409$1632db90$0301a8c0@SAHOMELT> References: <002601c7c3ec$a9de3a00$3c65a8c0@support01><46953774.3050205@ecs.soton.ac.uk> <001001c7c409$1632db90$0301a8c0@SAHOMELT> Message-ID: <4695FA85.90807@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Rick Cooper wrote: > > > > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > Behalf Of Scott Silva > > Sent: Thursday, July 12, 2007 7:02 AM > > To: mailscanner@lists.mailscanner.info > > Subject: Re: MailScanner.conf and MailScanner.conf.local > > > > Julian Field spake the following on 7/11/2007 1:03 PM: > > > > > > > > > Nigel Kendrick wrote: > > >> Julian et al. > > > > > >> It occurs to me that over my not-very-massive pile of 4 > > mail servers, many > > >> of the settings are common to the lot and if I tweak a > > 'generic' setting on > > >> one I generally tweak it on all of them. To this end, is > > it possible (or > > >> would it be possible) to have the site-specific settings > > in one config file > > >> and generic ones in another (MailScanner.conf.local and > > MailScanner.conf?) > > >> so I could arrange for a replication script to keep the > > generics in sync? > > > > > > I guess an "include" command could be possible. It would ruin the > > > upgrade_MailScanner_conf though which would be a great shame. > > >> Following on from that, is there (or could there) be a > > mechanism to remotely > > >> restart MailScanner - say, for example, by MailScanner > > noticing the creation > > >> of /etc/MailScanner/restart.flg that could be put in > > place during a sync > > >> operation as mentioned above? > > > > > > Things like rsync allow a command to be executed upon > > completion of the > > > sync process. > > > > > > Jules > > > > > Or you could run mon or monit or something like that, and > > tell it to restart > > MailScanner if the conf file changes. > > -- > > > > Something I had asked before would be Behavior similar to exim where it > notices when an external file changes and reloads any data it uses rather > than using the cached information. If I change something in a lookup file > (in exim) I don't have to worry about restarting the daemon. 
So with MS if I
> change something in a rule file it would be nice not to have to restart MS
> to gain access to the changed information. Before it processes a rulefile
> check to see if it has changed and reload if it has. Same with the config
> file, check every XYZ min and reload if the file has changed. I would think
> some kind of crc or simple stat would work. Of course that might be
> difficult with the internal structure of MS I have never really looked at
> the flow that closely
>

I haven't done that specifically. I don't like systems that instantly
notice config changes, as I like to put the change in place and then
double-check it before it takes effect.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGlfqGEfZZRxQVtlQRAqf5AKCZWFwos3cIo4CNzdiq/GDFDMGUHwCfX+Si
dP2u7RQHW+8JS3Oj9kITSRo=
=k9D8
-----END PGP SIGNATURE-----

From Alistair.Carmichael at ntltravel.com Thu Jul 12 12:13:17 2007
From: Alistair.Carmichael at ntltravel.com (Alistair Carmichael)
Date: Thu Jul 12 12:14:28 2007
Subject: How to monitor the health of the MailScanner architecture
In-Reply-To: <223f97700707100917o2cadec8bg9445f22b360b9499@mail.gmail.com>
References: <000901c7c210$8d1f4310$a75dc930$@dk><6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local><002001c7c219$4d475580$e7d60080$@dk><223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com><001e01c7c2de$074aa850$15dff8f0$@dk><223f97700707100849l378fce92xf1386f7b5e779193@mail.gmail.com><6EEC6D949794754FB8D83A4D87DF7168BE662D@gh-redd-exch-01.redditch.ntltravel.local> <223f97700707100917o2cadec8bg9445f22b360b9499@mail.gmail.com>
Message-ID: <6EEC6D949794754FB8D83A4D87DF7168BE66F2@gh-redd-exch-01.redditch.ntltravel.local>

Certainly worth exploring since that would reduce the
dependencies/ickiness of the checking part (expecting one's way through
even the simplest textbased MUA can be ... frustrating:-). And as you
say, it would be easy to script and would probably scale rather OK
(scriptwise... One message per MS server... Not the query bit:) with
several MS servers...

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

Here's one I knocked together in a few mins, this is NOT for people to
download and run but feel free to download, edit for your setup and play
with. It is gzipped and you download / run at your own risk. I accept no
responsibility for what anyone does with this script on their system,
any tips or revisions feel free to mail me off list. It uses very basic
*nix commands and was created on a centos box, no reason why it
shouldn't run without altering the paths on other linux / unix o/s. If I
get some more time I'll put some proper comments and error checking in.

www.n00k.co.uk/mailtest.sh.gz

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
system manager. This message contains confidential information and is
intended only for the individual named. If you are not the named
addressee you should not disseminate, distribute or copy this e-mail.

From sandrews at andrewscompanies.com Thu Jul 12 13:54:19 2007
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Thu Jul 12 13:54:25 2007
Subject: Sign clean messages rule
In-Reply-To: <6EEC6D949794754FB8D83A4D87DF7168BE66F2@gh-redd-exch-01.redditch.ntltravel.local>
References: <000901c7c210$8d1f4310$a75dc930$@dk><6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local><002001c7c219$4d475580$e7d60080$@dk><223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com><001e01c7c2de$074aa850$15dff8f0$@dk><223f97700707100849l378fce92xf1386f7b5e779193@mail.gmail.com><6EEC6D949794754FB8D83A4D87DF7168BE662D@gh-redd-exch-01.redditch.ntltravel.local><223f97700707100917o2cadec8bg9445f22b360b9499@mail.gmail.com> <6EEC6D949794754FB8D83A4D87DF7168BE66F2@gh-redd-exch-01.redditch.ntltravel.local>
Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0E8D@winchester.andrewscompanies.com>

I'm using the Sign Clean Messages as a bit of a hack to add a standard
legal disclaimer to all messages leaving the system.

Well, wouldn't you know it, they've decided to throw another domain at
this box and now I've got to give it a different disclaimer for that
domain.

I think I'm on the right path that I need to make a rule here....

Inline HTML Signature = %report-dir%/inline.sig.html
Inline Text Signature = %report-dir%/inline.sig.txt

How do I write that rule so that domain1.com gets inline.sig1.html and
domain2.com gets inline.sig2.html?

Thanks!

Steve

From martinh at solidstatelogic.com Thu Jul 12 14:04:58 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Jul 12 14:05:01 2007
Subject: Sign clean messages rule
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0E8D@winchester.andrewscompanies.com>
Message-ID: <9df79bb52a19d34badf7069cdb56d61d@solidstatelogic.com>

Steve

From the EXAMPLES file in the etc/rules dir..

4. Use different signatures for different domains
   Set "Inline Text Signature = /opt/MailScanner/etc/rules/sig.text.rules"
   & set "Inline HTML Signature = /opt/MailScanner/etc/rules/sig.html.rules".
   Use rules for each file that look like this:
   From: *@domain1.com /opt/MailScanner/etc/reports/domain1.sig.txt
   From: *@domain2.com /opt/MailScanner/etc/reports/domain2.sig.txt
   with equivalent rules in the "sig.html.rules" file.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steven Andrews
> Sent: 12 July 2007 13:54
> To: MailScanner discussion
> Subject: Sign clean messages rule
>
> I'm using the Sign Clean Messages as a bit of a hack to add a standard
> legal disclaimer to all messages leaving the system.
>
> Well, wouldn't you know it, they've decided to throw another domain at
> this box and now I've got to give it a different disclaimer for that
> domain.
>
> I think I'm on the right path that I need to make a rule here....
> Inline HTML Signature = %report-dir%/inline.sig.html
> Inline Text Signature = %report-dir%/inline.sig.txt
>
> How do I write that rule so that domain1.com gets inline.sig1.html and
> domain2.com gets inline.sig2.html?
>
> Thanks!
>
> Steve

From sandrews at andrewscompanies.com Thu Jul 12 14:07:44 2007
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Thu Jul 12 14:07:47 2007
Subject: Sign clean messages rule
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0E8D@winchester.andrewscompanies.com>
References: <000901c7c210$8d1f4310$a75dc930$@dk><6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local><002001c7c219$4d475580$e7d60080$@dk><223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com><001e01c7c2de$074aa850$15dff8f0$@dk><223f97700707100849l378fce92xf1386f7b5e779193@mail.gmail.com><6EEC6D949794754FB8D83A4D87DF7168BE662D@gh-redd-exch-01.redditch.ntltravel.local><223f97700707100917o2cadec8bg9445f22b360b9499@mail.gmail.com><6EEC6D949794754FB8D83A4D87DF7168BE66F2@gh-redd-exch-01.redditch.ntltravel.local> <1964AAFBC212F742958F9275BF63DBB04B0E8D@winchester.andrewscompanies.com>
Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0E8F@winchester.andrewscompanies.com>

Don't flame me. I just found the answer in the example file. I'll have
myself flogged by the end of the day.

Steve

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steven Andrews Sent: Thursday, July 12, 2007 8:54 AM To: MailScanner discussion Subject: Sign clean messages rule I'm using the Sign Clean Messages as a bit of a hack to add a standard legal disclaimer to all messages leaving the system. Well, wouldn't you know it, they've decided to throw another domain at this box and now I've got to give it a different disclaimer for that domain. I think I'm on the right path that I need to make a rule here.... Inline HTML Signature = %report-dir%/inline.sig.html Inline Text Signature = %report-dir%/inline.sig.txt How do I write that rule so that domain1.com gets inline.sig1.html and domain2.com gets inline.sig2.html? Thanks! Steve -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From martinh at solidstatelogic.com Thu Jul 12 14:13:20 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Jul 12 14:13:26 2007 Subject: Sign clean messages rule In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0E8F@winchester.andrewscompanies.com> Message-ID: <402a1a7ac393274cb199131589d7d30a@solidstatelogic.com> Steve Consider yourself chastised - report immediately to stores and book out a large birch twig....:-) -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Steven Andrews > Sent: 12 July 2007 14:08 > To: MailScanner discussion > Subject: RE: Sign clean messages rule > > Don't flame me. I just found the answer in the example file. I'll have > my self flogged by the end of the day. > > Steve > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steven > Andrews > Sent: Thursday, July 12, 2007 8:54 AM > To: MailScanner discussion > Subject: Sign clean messages rule > > I'm using the Sign Clean Messages as a bit of a hack to add a standard > legal disclaimer to all messages leaving the system. > > Well, wouldn't you know it, they've decided to throw another domain at > this box and now I've got to give it a different disclaimer for that > domain. > > I think I'm on the right path that I need to make a rule here.... > Inline HTML Signature = %report-dir%/inline.sig.html Inline Text > Signature = %report-dir%/inline.sig.txt > > How do I write that rule so that domain1.com gets inline.sig1.html and > domain2.com gets inline.sig2.html? > > Thanks! > > Steve > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website!
From theodrake at comcast.net Thu Jul 12 15:05:56 2007
From: theodrake at comcast.net (Ed Bruce) Date: Thu Jul 12 15:06:05 2007 Subject: MailScanner.conf and MailScanner.conf.local In-Reply-To: <4695FA85.90807@ecs.soton.ac.uk> References: <002601c7c3ec$a9de3a00$3c65a8c0@support01><46953774.3050205@ecs.soton.ac.uk> <001001c7c409$1632db90$0301a8c0@SAHOMELT> <4695FA85.90807@ecs.soton.ac.uk> Message-ID: <46963544.7090600@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: > I haven't done that specifically. I don't like systems that instantly > notice config changes, as I like to put the change in place and then > double-check it before it takes effect. > > Jules > I have to agree wholeheartedly. I'm notorious for fat fingering things and really like to have a bit of an oops factor when I make changes. It has saved me many times when I've double checked something only to see some really glaring errors. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Cygwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGljVCpdNaP9x3McgRAglKAJ96zDa8CIrtGEAknnfsum5M5sMm9gCgkYmC qyUOt4h+c4lyMwcxtZLLT1w= =io5T -----END PGP SIGNATURE----- From shuttlebox at gmail.com Thu Jul 12 15:31:17 2007
From: shuttlebox at gmail.com (shuttlebox) Date: Thu Jul 12 15:31:20 2007 Subject: MailScanner.conf and MailScanner.conf.local In-Reply-To: <46963544.7090600@comcast.net> References: <002601c7c3ec$a9de3a00$3c65a8c0@support01> <46953774.3050205@ecs.soton.ac.uk> <001001c7c409$1632db90$0301a8c0@SAHOMELT> <4695FA85.90807@ecs.soton.ac.uk> <46963544.7090600@comcast.net> Message-ID: <625385e30707120731m3e6cac7k3e1bb3f850a50121@mail.gmail.com> On 7/12/07, Ed Bruce wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Julian Field wrote: > > > I haven't done that specifically. I don't like systems that instantly > > notice config changes, as I like to put the change in place and then > > double-check it before it takes effect. > > > > Jules > > > > I have to agree wholeheartedly. I'm notorious for fat fingering things > and really like to have a bit of an oops factor when I make changes. It > has saved me many times when I've double checked something only to see > some really glaring errors. +1 -- /peter From rcooper at dwford.com Thu Jul 12 16:08:03 2007 From: rcooper at dwford.com (Rick Cooper) Date: Thu Jul 12 16:08:07 2007 Subject: MailScanner.conf and MailScanner.conf.local In-Reply-To: <46963544.7090600@comcast.net> References: <002601c7c3ec$a9de3a00$3c65a8c0@support01><46953774.3050205@ecs.soton.ac.uk> <001001c7c409$1632db90$0301a8c0@SAHOMELT><4695FA85.90807@ecs.soton.ac.uk> <46963544.7090600@comcast.net> Message-ID: <01df01c7c496$71cc6e70$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Ed Bruce > Sent: Friday, July 13, 2007 12:06 AM > To: MailScanner discussion > Subject: Re: MailScanner.conf and MailScanner.conf.local > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Julian Field wrote: > > > I haven't done that specifically. I don't like systems > that instantly > > notice config changes, as I like to put the change in > place and then > > double-check it before it takes effect. > > > > Jules > > > > I have to agree wholeheartedly. I'm notorious for fat > fingering things > and really like to have a bit of an oops factor when I make > changes. It > has saved me many times when I've double checked something > only to see > some really glaring errors. Me too, but I guess I am weird as I don't move something in place until I have checked as many times as I am going to. If course I still find the occasional error only after implementation ;-) Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Thu Jul 12 16:34:25 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Jul 12 16:34:39 2007 Subject: Sign clean messages rule In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0E8F@winchester.andrewscompanies.com> References: <000901c7c210$8d1f4310$a75dc930$@dk><6EEC6D949794754FB8D83A4D87DF7168BE65B7@gh-redd-exch-01.redditch.ntltravel.local><002001c7c219$4d475580$e7d60080$@dk><223f97700707091452hc93d97vd6ed0546484ef8ba@mail.gmail.com><001e01c7c2de$074aa850$15dff8f0$@dk><223f97700707100849l378fce92xf1386f7b5e779193@mail.gmail.com><6EEC6D949794754FB8D83A4D87DF7168BE662D@gh-redd-exch-01.redditch.ntltravel.local><223f97700707100917o2cadec8bg9445f22b360b9499@mail.gmail.com><6EEC6D949794754FB8D83A4D87DF7168BE66F2@gh-redd-exch-01.redditch.ntltravel.local> <1964AAFBC212F742958F9275BF63DBB04B0E8D@winchester.andrewscompanies.com> <1964AAFBC212F742958F9275BF63DBB04B0E8F@winchester.andrewscompanies.com> Message-ID: Steven Andrews spake the following on 7/12/2007 6:07 AM: > Don't flame me. I just found the answer in the example file. I'll have > my self flogged by the end of the day. > " The floggings will continue until morale improves!" -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From Q.G.Campbell at newcastle.ac.uk Thu Jul 12 16:37:08 2007 
From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell)
Date: Thu Jul 12 16:39:14 2007
Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine
Message-ID: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk>

I have a very slow mail gateway among the 4 that I have just upgraded.

They all run MS 4.62.2-3, SA 3.2.1 and ClamAV 0.91 and should have identical configurations for MS and SA. MCP processing is done and it is the same on all 4.

There were 211 batches of 30 messages each processed on the slow machine. Overall the average time to process each message is 15 seconds!

The last two of these batches were processed by running MailScanner in debug mode. The average processing time for each message then dropped to between 2 and 3 seconds!

I am trying to get a handle on why this machine is so slow. Any suggestions to help further my investigation are welcome.

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           Newcastle University,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------

From Q.G.Campbell at newcastle.ac.uk Thu Jul 12 16:43:54 2007
From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell)
Date: Thu Jul 12 16:45:28 2007
Subject: Strange interaction between MS 4.62.2-3 & ClamAV 0.91
Message-ID: <4165CF7A7F12DE4B96622CCBB90586470AC92C1C@largo.campus.ncl.ac.uk>

When running MS in debug mode on a machine running MS 4.62.2-3 & ClamAV 0.91 it says:

[root@cheviot1 tmp]# service MailScanner start
Starting MailScanner daemons:
incoming sendmail: [ OK ]
outgoing sendmail: [ OK ]
MailScanner: In Debugging mode, not forking...
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1087.
Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1089.
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days. ***
LibClamAV Warning: *** Please update it IMMEDIATELY! ***
LibClamAV Warning: **************************************************
Ignore errors about failing to find EOCD signature
Stopping now as you are debugging me.
[ OK ]
[root@cheviot1 tmp]#

The ClamAV database is up to date. The same behaviour is seen on two similarly built machines.

This does not happen on a third machine running MS 4.61.3-1 & ClamAV 0.90.3.

Quentin
---
PHONE: +44 191 222 8209    Information Systems and Services (ISS),
                           Newcastle University,
                           Newcastle upon Tyne,
FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
------------------------------------------------------------------------

From MailScanner at ecs.soton.ac.uk Thu Jul 12 16:53:31 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 12 16:54:55 2007 Subject: Strange interaction between MS 4.62.2-3 & ClamAV 0.91 In-Reply-To: <4165CF7A7F12DE4B96622CCBB90586470AC92C1C@largo.campus.ncl.ac.uk> References: <4165CF7A7F12DE4B96622CCBB90586470AC92C1C@largo.campus.ncl.ac.uk> Message-ID: <46964E7B.9010006@ecs.soton.ac.uk> Check virus.scanners.conf and your $PATH to see what and where your version(s) of ClamAV are installed. Quentin Campbell wrote: > When running MS in debug mode on a machine running MS 4.62.2-3 & ClamAV 0.91 it says: > > [root@cheviot1 tmp]# service MailScanner start > Starting MailScanner daemons: > incoming sendmail: [ OK ] > outgoing sendmail: [ OK ] > MailScanner: In Debugging mode, not forking... > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp > Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1087. > Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1089. > LibClamAV Warning: ************************************************** > LibClamAV Warning: *** The virus database is older than 7 days. *** > LibClamAV Warning: *** Please update it IMMEDIATELY! *** > LibClamAV Warning: ************************************************** > Ignore errors about failing to find EOCD signature > Stopping now as you are debugging me. > [ OK ] > [root@cheviot1 tmp]# > > The ClamAV database is up to date. The same behaviour is seen on two similarly built machines. > > This does not happen on a third machine running MS 4.61.3-1 & ClamAV 0.90.3. > > > Quentin > --- > PHONE: +44 191 222 8209 Information Systems and Services (ISS), > Newcastle University, > Newcastle upon Tyne, > FAX: +44 191 222 8765 United Kingdom, NE1 7RU. 
> ------------------------------------------------------------------------
>
>
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From leiw324 at yahoo.com.hk Thu Jul 12 17:01:52 2007
From: leiw324 at yahoo.com.hk (Wilson Kwok)
Date: Thu Jul 12 17:01:55 2007
Subject: Can't receive and send email
Message-ID: <79877.19695.qm@web54401.mail.yahoo.com>

Hello,

Please see the log in the following URL about receiving email:

http://wilson-kwok.com/log/maillog.txt

Why always show SpamAssassin cache hit for message 3AE25700AD.EC9F5 etc etc ?

Thanks

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070713/91a66ab8/attachment.html

From mailscanner at slackadelic.com Thu Jul 12 17:43:47 2007
From: mailscanner at slackadelic.com (Matt Hayes)
Date: Thu Jul 12 17:43:56 2007
Subject: Can't receive and send email
In-Reply-To: <79877.19695.qm@web54401.mail.yahoo.com>
References: <79877.19695.qm@web54401.mail.yahoo.com>
Message-ID: <46965A43.8070709@slackadelic.com>

Wilson Kwok wrote:
> Hello,
>
> Please see the log in the following URL about receiving email:
>
> http://wilson-kwok.com/log/maillog.txt
>
> Why always show SpamAssassin cache hit for message 3AE25700AD.EC9F5 etc
> etc ?
>
> Thanks
>
>
>
> ------------------------------------------------------------------------
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner* , and is
> believed to be clean.
>

That's normal. You can safely ignore that.

-Matt

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From dgottsc at emory.edu Thu Jul 12 17:47:56 2007
From: dgottsc at emory.edu (Gottschalk, David)
Date: Thu Jul 12 17:48:07 2007
Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine
In-Reply-To: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk>
References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk>
Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu>

I have five mail gateways. Here are a few things I've done that helped a lot.

The item that made the biggest difference was changing 'Max Unscanned Messages Per Scan = 30' to 10, and changing 'Max Unsafe Messages Per Scan = 30' to 10 as well.

I also increased my "Max Children" to 10, but I'm still working on tweaking that (only been running MailScanner in production for a week now).

I had one machine that could not keep up with the volume of mail. I couldn't figure out why one machine was having trouble when the rest were doing fine. Soon I discovered that Spamassassin was causing a huge slow down on that one box. It was hanging for ever on checking if dns was available or not. I set 'dns_available no' in the spam.assassin.prefs.conf file and things sped waaayyy up. I changed it on my other relays and it made a significant difference on them as well, but not as much as the one relay that couldn't keep up with mail originally. I still haven't figured out why it so greatly effected that one machine.

Hope that helps.

Good luck.

David Gottschalk
Emory University Infrastructure Technology Services
david.gottschalk@emory.edu

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Quentin Campbell Sent: Thursday, July 12, 2007 11:37 AM To: MailScanner discussion Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine I have a very slow mail gateway among the 4 that I have just upgraded. They all run MS 4.62.2-3, SA 3.2.1 and ClamAV 0.91 and should have identical configurations for MS and SA. MCP processing is done and it is the same on all 4. There were 211 batches of 30 messages each processed on the slow machine. Overall the average time to process each message is 15 seconds! The last two of these batches were processed by running MailScanner in debug mode. The average processing time for each message then dropped to between 2 and 3 seconds! I am trying to get a handle on why this machine is so slow. Any suggestions to help further my investigation are welcome. Quentin --- PHONE: +44 191 222 8209 Information Systems and Services (ISS), Newcastle University, Newcastle upon Tyne, FAX: +44 191 222 8765 United Kingdom, NE1 7RU. ------------------------------------------------------------------------ -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From alex at nkpanama.com Thu Jul 12 18:22:03 2007 
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Jul 12 18:23:02 2007 Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> Message-ID: <4696633B.8000006@nkpanama.com> Gottschalk, David wrote: > I have five mail gateways. Here are a few things I've done that helped a lot. > > The item that made the biggest difference was changing 'Max Unscanned Messages Per Scan = 30' to 10, and changing 'Max Unsafe Messages Per Scan = 30' to 10 as well. > > I also increased my "Max Children" to 10, but I'm still working on tweaking that (only been running MailScanner in production for a week now). > > I had one machine that could not keep up with the volume of mail. I couldn't figure out why one machine was having trouble when the rest were doing fine. Soon I discovered that Spamassassin was causing a huge slow down on that one box. It was hanging for ever on checking if dns was avaiable or not. I set 'dns_available no' in the spam.assassin.prefs.conf file and things sped waaayyy up. I changed it on my other relays and it made a significant different on them as well, but not as much as the one relay that couldn't keep up with mail orginially. I still haven't figured out why it so greatly effected that one machine. > > I believe dns_available no might *affect* :-) machines that don't have local caching DNS enabled much more than those that don't. It's always been recommended to do this in order to minimize DNS lookup times for spamassassin. > Hope that helps. > > Good luck. > > David Gottschalk > Emory University Infrastructure Technology Services > david.gottschalk@emory.edu > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Quentin Campbell > Sent: Thursday, July 12, 2007 11:37 AM > To: MailScanner discussion > Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine > > I have a very slow mail gateway among the 4 that I have just upgraded. > > They all run MS 4.62.2-3, SA 3.2.1 and ClamAV 0.91 and should have identical configurations for MS and SA. MCP processing is done and it is the same on all 4. > > There were 211 batches of 30 messages each processed on the slow machine. Overall the average time to process each message is 15 seconds! > > The last two of these batches were processed by running MailScanner in debug mode. The average processing time for each message then dropped to between 2 and 3 seconds! > > I am trying to get a handle on why this machine is so slow. Any suggestions to help further my investigation are welcome. > > Quentin > --- > PHONE: +44 191 222 8209 Information Systems and Services (ISS), > Newcastle University, > Newcastle upon Tyne, > FAX: +44 191 222 8765 United Kingdom, NE1 7RU. > ------------------------------------------------------------------------ > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From larskman at gmail.com Thu Jul 12 19:15:31 2007 From: larskman at gmail.com (fname lname) Date: Thu Jul 12 19:15:35 2007 Subject: MailScanner Spam report Message-ID: Is there a way to have mailscanner to email all the users that was sent email for that data on the local domain and spam report so the end users will know what emails where blocked by the scanner? tnx From mailscanner at slackadelic.com Thu Jul 12 19:23:02 2007 
From: mailscanner at slackadelic.com (Matt Hayes) Date: Thu Jul 12 19:23:12 2007 Subject: MailScanner Spam report In-Reply-To: References: Message-ID: <46967186.1070601@slackadelic.com> fname lname wrote: > Is there a way to have mailscanner to email all the users that was > sent email for that data on the local domain and spam report so the > end users will know what emails where blocked by the scanner? > > tnx If using MailWatch with MailScanner this is definitely possible. -Matt -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Jul 12 19:31:23 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 12 19:32:48 2007
Subject: Watermarking returns+ graphical signatures
Message-ID: <4696737B.7040805@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have just released a new beta with 2 major features added:

Firstly, the watermarking functionality has returned. But this time it is implemented differently so is safe from all patent problems. It is implemented in pretty much the same way that milter-null does it.

Secondly, ever wanted to be able to put an image in your HTML signature? Well now you can. The image is embedded in the message so it will display even when the recipients' email applications are configured not to fetch remote images.

And there's one more little feature: some companies such as msgtag.com have evaded the web bug detection by not defining the size of the web bug image. Now you can just black-list images from any servers or domains so all images from msgtag.com can be blocked at once.

Download as usual from www.mailscanner.info.

The full change log is this:

* New Features and Improvements *
1 Improved non-Linux installer.
1 Improved Linux installer.
1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this.
1 Upgraded MIME::Base64 to 3.07.
1 Improved error reporting for clamd permissions problems. Thanks Rick.
2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and /usr/sbin/update_spamassassin. For a good use of this, see
  http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
  and search for "HOWTO" in the Subject: line of the MailScanner-discussion list archive. This process replaces RulesDuJour entirely.
  Another good ruleset to add to your setup is
  http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
  To download this automatically every night, fetch
  http://www.mailscanner.info/files/4/KAM.cf.sh
  and put it in /etc/cron.daily and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh").
3 Added "Known Web Bug Servers" so you can blacklist images from known servers of web bug services.
3 Added functionality of "milter-null" to MailScanner so you no longer need to run this separately. It is called "Watermarking" and there is a whole section for the settings in MailScanner.conf. They are
  Add Watermark = yes
  Skip Spam Checks If Watermark Valid = yes
  Watermark Header = MailScanner-%org-name%-Watermark:
  Watermark Lifetime = 432000 # in seconds, = 5 days
  Watermark Secret = SET-THIS-TO-A-SECRET!
  Also added Digest::MD5 to the required list of Perl modules, this is needed for the watermarking code.
3 Added optional image to the clean message signature. You can also use this to add an arbitrary image attachment to any message, if you so wish. The main point is to be able to have graphical HTML signatures on messages. The settings are
  Attach Image To Signature = no
  Attach Image To HTML Message Only = yes
  Signature Image Filename = %report-dir%/sig.jpg
  Signature Image Filename = signature.jpg

* Fixes *
2-2 Fixed error in RPM installer.
2-3 Fixed error in update_spamassassin.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGlnN8EfZZRxQVtlQRApRlAJ9kkmWhyrhl0b1CdEPw0UcokEl6fwCffc8Y
HQ9+YyK0H19yy2343Aev6LE=
=/thZ
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Thu Jul 12 19:46:13 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 12 19:46:52 2007 Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine In-Reply-To: <4696633B.8000006@nkpanama.com> References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> <4696633B.8000006@nkpanama.com> Message-ID: <469676F5.2030003@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Neuman van der Hans wrote: > Gottschalk, David wrote: >> I have five mail gateways. Here are a few things I've done that >> helped a lot. >> >> The item that made the biggest difference was changing 'Max Unscanned >> Messages Per Scan = 30' to 10, and changing 'Max Unsafe Messages Per >> Scan = 30' to 10 as well. >> >> I also increased my "Max Children" to 10, but I'm still working on >> tweaking that (only been running MailScanner in production for a week >> now). >> >> I had one machine that could not keep up with the volume of mail. I >> couldn't figure out why one machine was having trouble when the rest >> were doing fine. Soon I discovered that Spamassassin was causing a >> huge slow down on that one box. It was hanging for ever on checking >> if dns was avaiable or not. I set 'dns_available no' in the >> spam.assassin.prefs.conf file and things sped waaayyy up. I changed >> it on my other relays and it made a significant different on them as >> well, but not as much as the one relay that couldn't keep up with >> mail orginially. I still haven't figured out why it so greatly >> effected that one machine. >> >> > I believe dns_available no might *affect* :-) machines that don't have > local caching DNS enabled much more than those that don't. It's always > been recommended to do this in order to minimize DNS lookup times for > spamassassin. But if you switch off DNS lookups for SpamAssassin, you will severely damage its ability to detect spam. 
Better to diagnose your slow DNS lookups and switch it back on. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGlnb2EfZZRxQVtlQRAsQ4AKCL061Yc7jF+9B1olsB8zmWHY4DJgCg/nwI zg+GSFaYSDl1atRGzdLHA5o= =bVBy -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From larskman at gmail.com Thu Jul 12 19:49:51 2007 From: larskman at gmail.com (fname lname) Date: Thu Jul 12 19:49:55 2007 Subject: MailScanner Spam report In-Reply-To: <46967186.1070601@slackadelic.com> References: <46967186.1070601@slackadelic.com> Message-ID: So, i can have this sent to each user. On 7/12/07, Matt Hayes wrote: > fname lname wrote: > > Is there a way to have mailscanner to email all the users that was > > sent email for that data on the local domain and spam report so the > > end users will know what emails where blocked by the scanner? > > > > tnx > > If using MailWatch with MailScanner this is definitely possible. > > -Matt > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From alex at nkpanama.com Thu Jul 12 19:51:18 2007 
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Jul 12 19:52:16 2007 Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine In-Reply-To: <469676F5.2030003@ecs.soton.ac.uk> References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> <4696633B.8000006@nkpanama.com> <469676F5.2030003@ecs.soton.ac.uk> Message-ID: <46967826.8030608@nkpanama.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Alex Neuman van der Hans wrote: > >> Gottschalk, David wrote: >> >>> I have five mail gateways. Here are a few things I've done that >>> helped a lot. >>> >>> The item that made the biggest difference was changing 'Max Unscanned >>> Messages Per Scan = 30' to 10, and changing 'Max Unsafe Messages Per >>> Scan = 30' to 10 as well. >>> >>> I also increased my "Max Children" to 10, but I'm still working on >>> tweaking that (only been running MailScanner in production for a week >>> now). >>> >>> I had one machine that could not keep up with the volume of mail. I >>> couldn't figure out why one machine was having trouble when the rest >>> were doing fine. Soon I discovered that Spamassassin was causing a >>> huge slow down on that one box. It was hanging for ever on checking >>> if dns was avaiable or not. I set 'dns_available no' in the >>> spam.assassin.prefs.conf file and things sped waaayyy up. I changed >>> it on my other relays and it made a significant different on them as >>> well, but not as much as the one relay that couldn't keep up with >>> mail orginially. I still haven't figured out why it so greatly >>> effected that one machine. >>> >>> >>> >> I believe dns_available no might *affect* :-) machines that don't have >> local caching DNS enabled much more than those that don't. It's always >> been recommended to do this in order to minimize DNS lookup times for >> spamassassin. 
>> By "do this" I mean use a caching nameserver, not disable DNS lookups... :-) > But if you switch off DNS lookups for SpamAssassin, you will severely > damage its ability to detect spam. Better to diagnose your slow DNS > lookups and switch it back on. > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > Charset: ISO-8859-1 > > wj8DBQFGlnb2EfZZRxQVtlQRAsQ4AKCL061Yc7jF+9B1olsB8zmWHY4DJgCg/nwI > zg+GSFaYSDl1atRGzdLHA5o= > =bVBy > -----END PGP SIGNATURE----- > > From dgottsc at emory.edu Thu Jul 12 19:54:25 2007 From: dgottsc at emory.edu (Gottschalk, David) Date: Thu Jul 12 19:54:37 2007 Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine In-Reply-To: <469676F5.2030003@ecs.soton.ac.uk> References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> <4696633B.8000006@nkpanama.com> <469676F5.2030003@ecs.soton.ac.uk> Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1658@RDPEXCH2.Eu.Emory.Edu> My understanding of the dns_available settings was merely to check if DNS was working properly before it attempted to do DNS checks. Do I not understand that setting correctly? David Gottschalk -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Thursday, July 12, 2007 2:46 PM To: MailScanner discussion Subject: Re: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Neuman van der Hans wrote: > Gottschalk, David wrote: >> I have five mail gateways. Here are a few things I've done that >> helped a lot. >> >> The item that made the biggest difference was changing 'Max Unscanned >> Messages Per Scan = 30' to 10, and changing 'Max Unsafe Messages Per >> Scan = 30' to 10 as well. >> >> I also increased my "Max Children" to 10, but I'm still working on >> tweaking that (only been running MailScanner in production for a week >> now). >> >> I had one machine that could not keep up with the volume of mail. I >> couldn't figure out why one machine was having trouble when the rest >> were doing fine. Soon I discovered that Spamassassin was causing a >> huge slow down on that one box. It was hanging for ever on checking >> if dns was avaiable or not. I set 'dns_available no' in the >> spam.assassin.prefs.conf file and things sped waaayyy up. I changed >> it on my other relays and it made a significant different on them as >> well, but not as much as the one relay that couldn't keep up with >> mail orginially. I still haven't figured out why it so greatly >> effected that one machine. >> >> > I believe dns_available no might *affect* :-) machines that don't have > local caching DNS enabled much more than those that don't. It's always > been recommended to do this in order to minimize DNS lookup times for > spamassassin. But if you switch off DNS lookups for SpamAssassin, you will severely damage its ability to detect spam. Better to diagnose your slow DNS lookups and switch it back on. 
Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGlnb2EfZZRxQVtlQRAsQ4AKCL061Yc7jF+9B1olsB8zmWHY4DJgCg/nwI
zg+GSFaYSDl1atRGzdLHA5o=
=bVBy
-----END PGP SIGNATURE-----

From mailscanner at slackadelic.com Thu Jul 12 20:00:55 2007
From: mailscanner at slackadelic.com (Matt Hayes)
Date: Thu Jul 12 20:01:02 2007
Subject: MailScanner Spam report
In-Reply-To:
References: <46967186.1070601@slackadelic.com>
Message-ID: <46967A67.30900@slackadelic.com>

fname lname wrote:
> So, i can have this sent to each user.
>

Using MailWatch you can have it sent to each user, yes.

-Matt

P.S. Try not to top post ;)

From shuttlebox at gmail.com Thu Jul 12 20:04:14 2007
From: shuttlebox at gmail.com (shuttlebox)
Date: Thu Jul 12 20:04:18 2007
Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine
In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1658@RDPEXCH2.Eu.Emory.Edu>
References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> <4696633B.8000006@nkpanama.com> <469676F5.2030003@ecs.soton.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1658@RDPEXCH2.Eu.Emory.Edu>
Message-ID: <625385e30707121204r4aac42dbna4941402850843fb@mail.gmail.com>

On 7/12/07, Gottschalk, David wrote:
> My understanding of the dns_available settings was merely to check if DNS was working properly before it attempted to do DNS checks.
>
> Do I not understand that setting correctly?

From SA man page:

-->
dns_available { yes | test[: name1 name2...] | no } (default: test)

By default, SpamAssassin will query some default hosts on the internet to attempt to check if DNS is working or not. The problem is that it can introduce some delay if your network connection is down, and in some cases it can wrongly guess that DNS is unavailable because the test connections failed. SpamAssassin includes a default set of 13 servers, among which 3 are picked randomly.

You can however specify your own list by specifying

dns_available test: server1.tld server2.tld server3.tld

Please note, the DNS test queries for MX records so if you specify your own list of servers, please make sure to choose the one(s) which has an associated MX record.
<--

If you want to save time not doing the test, set it to yes. Do not set it to no unless you really don't have DNS service.

--
/peter

From bpumphrey at woodmclaw.com Thu Jul 12 20:06:32 2007
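An added example, not part of any message in this thread and not SpamAssassin's own code: a small auditor that reads the `dns_available` line from each gateway's SpamAssassin prefs text, using the syntax quoted from the man page in the message above, and lists relays left on `no` first. The gateway names, the sample file contents and the rule that the last occurrence of the directive wins are assumptions.

```python
import re

# Syntax as quoted from the SpamAssassin man page in the thread:
#   dns_available { yes | test[: name1 name2...] | no }   (default: test)
DIRECTIVE = re.compile(r"^\s*dns_available\s+(\S.*?)\s*$", re.IGNORECASE)
HOSTNAME = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)
SEVERITY_ORDER = {"high": 0, "warn": 1, "info": 2, "ok": 3}

# Constructed sample prefs files for five hypothetical gateways.
SAMPLE_FLEET = {
    "relay1": "# constructed sample\ndns_available test\n",
    "relay2": "dns_available no   # workaround for slow lookups\n",
    "relay3": "dns_available test: server1.tld server2.tld server3.tld\n",
    "relay4": "use_bayes 1\n",
    "relay5": "dns_available no\ndns_available yes\n",
}


def effective_setting(conf_text):
    """Return (mode, hosts, line_no) for the dns_available line in effect.

    Assumption: if the directive appears more than once, the last one wins.
    line_no is None when the file relies on the default ("test").
    """
    mode, hosts, line_no = "test", [], None
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # drop comments
        match = DIRECTIVE.match(line)
        if not match:
            continue
        value = match.group(1)
        lowered = value.lower()
        if lowered in ("yes", "no", "test"):
            mode, hosts = lowered, []
        elif lowered.startswith("test:"):
            mode, hosts = "test", value[5:].split()
        else:
            mode, hosts = "invalid", [value]
        line_no = number
    return mode, hosts, line_no


def audit(conf_text):
    """Return (severity, message) for one prefs file."""
    mode, hosts, line_no = effective_setting(conf_text)
    if mode == "no":
        return ("high", "dns_available no: DNS lookups are off, which the "
                        "thread warns severely damages spam detection")
    if mode == "invalid":
        return ("warn", "unrecognised value %r on line %d" % (hosts[0], line_no))
    if mode == "yes":
        return ("ok", "availability probe skipped, DNS lookups stay enabled")
    bad = [h for h in hosts if not HOSTNAME.match(h)]
    if bad:
        return ("warn", "test list has entries that are not host names: "
                        + ", ".join(bad))
    if hosts:
        return ("info", "probe uses %d custom name(s); each needs an MX record"
                        % len(hosts))
    return ("info", "default probe: can add delay or wrongly report DNS down")


def audit_fleet(configs):
    """configs maps gateway name to prefs text; worst findings come first."""
    rows = [(name,) + audit(text) for name, text in configs.items()]
    return sorted(rows, key=lambda row: (SEVERITY_ORDER[row[1]], row[0]))


if __name__ == "__main__":
    for name, severity, message in audit_fleet(SAMPLE_FLEET):
        print("%-7s %-5s %s" % (name, severity, message))
```
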
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Thu Jul 12 20:06:35 2007
Subject: Feature(s)
Message-ID: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local>

Is it possible to do a major version of MailScanner to pretty much be a MailArchiver? I am not a programmer, but seems like there may or may not have to be big changes to do the following:

- Receive the email from Exchange Journal
- See if the MailWatch guy can alter the code to reflect the changes.
- Be able to export the searched results to a single file or even a PST for moving between systems.

I just love everything about MailScanner and would love the layout to accomplish this sort of task. If Julian is willing to accept money for these sorts of changes and according to what the price might be, we (really me) (the law firm) would most likely be willing to put some money toward this.

I have tried some demos of other software that does mail archiving but they just don't suit me.

Any thoughts?

Billy Pumphrey
IT Manager
Wooden & McLaughlin

From alex at nkpanama.com Thu Jul 12 20:10:58 2007
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Jul 12 20:11:57 2007 Subject: Feature(s) In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> Message-ID: <46967CC2.30900@nkpanama.com> Billy A. Pumphrey wrote: > Is it possible to do a major version of MailScanner to pretty much be a > MailArchiver? I am not a programmer, but seems like there may or may > not have to be big changes to do the following: > > - Receive the email from Exchange Journal > - See if the MailWatch guy can alter the code to reflect the changes. > - Be able to export the searched results to a single file or even a PST > for moving between systems. > > I just love everything about MailScanner and would love the layout to > accomplish this sort of task. If Julian is willing to accept money for > these sort of changes and according to what the price might be, we > (really me) (the law firm) would most likely be willing to put some > money toward this. > > I have tried some demos of other software that does mail archiving but > they just don't suite me. > > Any thoughts? > > This functionality (apart from the PST stuff) is already built into MailScanner, and it's pretty flexible through the use of rulesets. In fact, you can do a poor man's version of "archive only nonspam" by using it in conjunction with another ruleset on "non spam actions =". You can even set it up so that it becomes an IMAP-readable archive of your e-mail if you tweak it right. > Billy Pumphrey > IT Manager > Wooden & McLaughlin > > From mailscanner at slackadelic.com Thu Jul 12 20:14:12 2007 
From: mailscanner at slackadelic.com (Matt Hayes) Date: Thu Jul 12 20:14:18 2007 Subject: Feature(s) In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> Message-ID: <46967D84.9020503@slackadelic.com> Billy A. Pumphrey wrote: > Is it possible to do a major version of MailScanner to pretty much be a > MailArchiver? I am not a programmer, but seems like there may or may > not have to be big changes to do the following: > > - Receive the email from Exchange Journal > - See if the MailWatch guy can alter the code to reflect the changes. > - Be able to export the searched results to a single file or even a PST > for moving between systems. > > I just love everything about MailScanner and would love the layout to > accomplish this sort of task. If Julian is willing to accept money for > these sort of changes and according to what the price might be, we > (really me) (the law firm) would most likely be willing to put some > money toward this. > > I have tried some demos of other software that does mail archiving but > they just don't suite me. > > Any thoughts? > > Billy Pumphrey > IT Manager > Wooden & McLaughlin > Billy, Knowing it is off topic.. have you tried archivesink? I believe that is what it is called. One of our clients uses Exchange and they are required to archive email for like 7 years so we use that to achieve this. -Matt -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Jul 12 20:16:42 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 12 20:18:13 2007
Subject: Feature(s)
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local>
References: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local>
Message-ID: <46967E1A.4010103@ecs.soton.ac.uk>

Have you tried the "Archive Mail" setting?

Billy A. Pumphrey wrote:
> Is it possible to do a major version of MailScanner to pretty much be a
> MailArchiver? I am not a programmer, but seems like there may or may
> not have to be big changes to do the following:
>
> - Receive the email from Exchange Journal
> - See if the MailWatch guy can alter the code to reflect the changes.
> - Be able to export the searched results to a single file or even a PST
> for moving between systems.
>
> I just love everything about MailScanner and would love the layout to
> accomplish this sort of task. If Julian is willing to accept money for
> these sort of changes and according to what the price might be, we
> (really me) (the law firm) would most likely be willing to put some
> money toward this.
>
> I have tried some demos of other software that does mail archiving but
> they just don't suite me.
>
> Any thoughts?
>
> Billy Pumphrey
> IT Manager
> Wooden & McLaughlin
>
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk
From dgottsc at emory.edu Thu Jul 12 20:24:53 2007
From: dgottsc at emory.edu (Gottschalk, David)
Date: Thu Jul 12 20:25:03 2007
Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine
In-Reply-To: <625385e30707121204r4aac42dbna4941402850843fb@mail.gmail.com>
References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> <4696633B.8000006@nkpanama.com> <469676F5.2030003@ecs.soton.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1658@RDPEXCH2.Eu.Emory.Edu> <625385e30707121204r4aac42dbna4941402850843fb@mail.gmail.com>
Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1696@RDPEXCH2.Eu.Emory.Edu>

Oh, ok. I misunderstood that option.

Strangely, I turned DNS lookups back on and that box that was slow earlier in the week and it is fast now. It has on average about 15-30 messages waiting in the inbound queue, but process times per message are still very fast (under 5 secs on average). Earlier in the week, the inbound queue was just filling up all the way till the point I had 2,000+ messages waiting to be scanned.

David Gottschalk

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of shuttlebox
Sent: Thursday, July 12, 2007 3:04 PM
To: MailScanner discussion
Subject: Re: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine

On 7/12/07, Gottschalk, David wrote:
> My understanding of the dns_available settings was merely to check if DNS was working properly before it attempted to do DNS checks.
>
> Do I not understand that setting correctly?

From SA man page:

-->
dns_available { yes | test[: name1 name2...] | no } (default: test)

By default, SpamAssassin will query some default hosts on the internet to attempt to check if DNS is working or not. The problem is that it can introduce some delay if your network connection is down, and in some cases it can wrongly guess that DNS is unavailable because the test connections failed. SpamAssassin includes a default set of 13 servers, among which 3 are picked randomly.

You can however specify your own list by specifying

dns_available test: server1.tld server2.tld server3.tld

Please note, the DNS test queries for MX records so if you specify your own list of servers, please make sure to choose the one(s) which has an associated MX record.
<--

If you want to save time not doing the test, set it to yes. Do not set it to no unless you really don't have DNS service.

--
/peter

From MailScanner at ecs.soton.ac.uk Thu Jul 12 20:27:21 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 12 20:27:51 2007 Subject: Feature(s) In-Reply-To: <46967CC2.30900@nkpanama.com> References: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> <46967CC2.30900@nkpanama.com> Message-ID: <46968099.20403@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 If you decide to do it via MailScanner, please feel free to pay me for writing it anyway :-) If there are any other specific things you would like adding to the Archive Mail functionality, feel free to discuss them with me. Many things are possible. Best regards, Jules. Alex Neuman van der Hans wrote: > Billy A. Pumphrey wrote: >> Is it possible to do a major version of MailScanner to pretty much be a >> MailArchiver? I am not a programmer, but seems like there may or may >> not have to be big changes to do the following: >> >> - Receive the email from Exchange Journal >> - See if the MailWatch guy can alter the code to reflect the >> changes. - Be able to export the searched results to a single file >> or even a PST >> for moving between systems. >> >> I just love everything about MailScanner and would love the layout to >> accomplish this sort of task. If Julian is willing to accept money for >> these sort of changes and according to what the price might be, we >> (really me) (the law firm) would most likely be willing to put some >> money toward this. >> >> I have tried some demos of other software that does mail archiving but >> they just don't suite me. >> >> Any thoughts? >> >> > This functionality (apart from the PST stuff) is already built into > MailScanner, and it's pretty flexible through the use of rulesets. In > fact, you can do a poor man's version of "archive only nonspam" by > using it in conjunction with another ruleset on "non spam actions =". > > You can even set it up so that it becomes an IMAP-readable archive of > your e-mail if you tweak it right. 
>> Billy Pumphrey >> IT Manager >> Wooden & McLaughlin >> >> > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGloCaEfZZRxQVtlQRAm9sAJ44ZBg9UgcxJwAaUhfDZs6NHOKPFgCgryiY YA4EE+LcvRBwS3aaLerBYB0= =OT+o -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From steve.swaney at fsl.com Thu Jul 12 20:37:03 2007 From: steve.swaney at fsl.com (Stephen Swaney) Date: Thu Jul 12 20:39:11 2007 Subject: Feature(s) In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> Message-ID: <01b701c7c4bc$05f11590$11d340b0$@swaney@fsl.com> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Billy A. Pumphrey > Sent: Thursday, July 12, 2007 3:07 PM > To: MailScanner discussion > Subject: Feature(s) > > Is it possible to do a major version of MailScanner to pretty much be a > MailArchiver? I am not a programmer, but seems like there may or may > not have to be big changes to do the following: > > - Receive the email from Exchange Journal > - See if the MailWatch guy can alter the code to reflect the changes. > - Be able to export the searched results to a single file or even a PST > for moving between systems. > > I just love everything about MailScanner and would love the layout to > accomplish this sort of task. If Julian is willing to accept money for > these sort of changes and according to what the price might be, we > (really me) (the law firm) would most likely be willing to put some > money toward this. > > I have tried some demos of other software that does mail archiving but > they just don't suite me. > > Any thoughts? > > Billy Pumphrey > IT Manager > Wooden & McLaughlin > A program to do this already exists. I've done some quick testing and it seem to work. MailArchiva - Open Source Email Archiving Software www.mailarchiva.com/ Steve Steve Swaney steve@fsl.com From jan-peter at koopmann.eu Thu Jul 12 20:41:40 2007 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Thu Jul 12 20:40:57 2007 Subject: Feature(s) In-Reply-To: References: Message-ID: > I have tried some demos of other software that does mail archiving but > they just don't suite me. Tried exclaimer mail archiver yet? From jan-peter at koopmann.eu Thu Jul 12 20:50:50 2007 
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Thu Jul 12 20:50:09 2007
Subject: Feature(s)
In-Reply-To:
References: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local>
Message-ID:

> MailArchiva - Open Source Email Archiving Software
> www.mailarchiva.com/

Nice one. Have not seen this one yet but it went straight to the bookmark list. Thanks Steve!

From matt at coders.co.uk Thu Jul 12 21:34:18 2007
From: matt at coders.co.uk (Matt Hampton)
Date: Thu Jul 12 21:31:57 2007
Subject: Watermarking returns+ graphical signatures
In-Reply-To: <4696737B.7040805@ecs.soton.ac.uk>
References: <4696737B.7040805@ecs.soton.ac.uk>
Message-ID: <4696904A.4040204@coders.co.uk>

Julian Field wrote:
> 3 Added optional image to the clean message signature. You can also use this
> to add an arbitrary image attachment to any message, if you so wish. The
> main point is to be able to have graphical HTML signatures on messages.
> The settings are
> Attach Image To Signature = no
> Attach Image To HTML Message Only = yes
> Signature Image Filename = %report-dir%/sig.jpg
> Signature Image Filename = signature.jpg

What Jules forgot to mention:

From MailScanner.conf:

# When using an image in the signature, there are 2 filenames which need
# to be set. The first is the location in this server's filesystem of
# the image file itself. The second is the name of the image as it is
# stored in the attachment. The HTML version of the signature will refer
# to this second name in the HTML tag.
Signature Image Filename = %report-dir%/sig.jpg

This file name must end with the same extension as the MIME Type

So:

.gif for GIF
.jpeg for JPEG (not .jpg as in the example)
.png for PNG

Hope this makes sense.

Matt

From csweeney at osubucks.org Thu Jul 12 22:21:40 2007
From: csweeney at osubucks.org (Chris Sweeney)
Date: Thu Jul 12 22:22:25 2007
Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine
In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu>
References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu>
Message-ID: <2559.70.60.69.215.1184275300.squirrel@webmail.osubucks.org>

I have the same problem, on Sunday I upgraded a MailScanner box running RHEL 4 to the latest Spamassassin/ClamAV using the tar file from the site and I went on that machine, (2GIG RAM, 3GHZ processor) from less than 4 seconds total processing time per message to now over 40 seconds per message. 40 seconds is good right now, it doesn't seem to be anything to do with MailScanner it seems to be hanging at the virus/spamassassin scanning.

Chris

> I have five mail gateways. Here are a few things I've done that helped a
> lot.
>
> The item that made the biggest difference was changing 'Max Unscanned
> Messages Per Scan = 30' to 10, and changing 'Max Unsafe Messages Per Scan
> = 30' to 10 as well.
>
> I also increased my "Max Children" to 10, but I'm still working on
> tweaking that (only been running MailScanner in production for a week
> now).
>
> I had one machine that could not keep up with the volume of mail. I
> couldn't figure out why one machine was having trouble when the rest were
> doing fine. Soon I discovered that Spamassassin was causing a huge slow
> down on that one box. It was hanging for ever on checking if dns was
> available or not. I set 'dns_available no' in the spam.assassin.prefs.conf
> file and things sped waaayyy up. I changed it on my other relays and it
> made a significant difference on them as well, but not as much as the one
> relay that couldn't keep up with mail originally. I still haven't figured
> out why it so greatly effected that one machine.
>
> Hope that helps.
>
> Good luck.
> > David Gottschalk > Emory University Infrastructure Technology Services > david.gottschalk@emory.edu > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Quentin > Campbell > Sent: Thursday, July 12, 2007 11:37 AM > To: MailScanner discussion > Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine > > I have a very slow mail gateway among the 4 that I have just upgraded. > > They all run MS 4.62.2-3, SA 3.2.1 and ClamAV 0.91 and should have > identical configurations for MS and SA. MCP processing is done and it is > the same on all 4. > > There were 211 batches of 30 messages each processed on the slow machine. > Overall the average time to process each message is 15 seconds! > > The last two of these batches were processed by running MailScanner in > debug mode. The average processing time for each message then dropped to > between 2 and 3 seconds! > > I am trying to get a handle on why this machine is so slow. Any > suggestions to help further my investigation are welcome. > > Quentin > --- > PHONE: +44 191 222 8209 Information Systems and Services (ISS), > Newcastle University, > Newcastle upon Tyne, > FAX: +44 191 222 8765 United Kingdom, NE1 7RU. > ------------------------------------------------------------------------ > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- Chris Sweeney Cincinnati Phone http://www.cincinnatiphone.com Microsoft's new slogan: "Wait for us! We're the leaders!" 
From csaba at linuxforum.hu Thu Jul 12 22:48:57 2007
From: csaba at linuxforum.hu (Kovács Csaba)
Date: Thu Jul 12 22:54:55 2007
Subject: Different signatures per domain
In-Reply-To: <4696737B.7040805@ecs.soton.ac.uk>
References: <4696737B.7040805@ecs.soton.ac.uk>
Message-ID: <4696A1C9.300@linuxforum.hu>

Some domains on my server do not need any signatures.

Is it possible to attach different signatures for different domains?

Csaba

From itdept at fractalweb.com Thu Jul 12 22:58:00 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Thu Jul 12 22:58:22 2007
Subject: Feature(s)
In-Reply-To: <01b701c7c4bc$05f11590$11d340b0$@swaney@fsl.com>
References: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> <01b701c7c4bc$05f11590$11d340b0$@swaney@fsl.com>
Message-ID: <4696A3E8.7000808@fractalweb.com>

Stephen Swaney wrote:
>
> A program to do this already exists. I've done some quick testing and it
> seems to work.
>
> MailArchiva - Open Source Email Archiving Software
> www.mailarchiva.com/

Steve,

The more I learn, the more I know I don't know. Got any other gems up your sleeves?

Cheers,
Chris

From MailScanner at ecs.soton.ac.uk Thu Jul 12 23:00:51 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 12 23:01:21 2007
Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine
In-Reply-To: <2559.70.60.69.215.1184275300.squirrel@webmail.osubucks.org>
References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> <2559.70.60.69.215.1184275300.squirrel@webmail.osubucks.org>
Message-ID: <4696A493.3010509@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Have you tried running it in debug mode with SA debug switched on too?
MailScanner -debug -debug-sa
and press Ctrl-S to pause the output when it appears to stop for a bit.
That will tell you why it is taking so long. In case you don't know,
Ctrl-Q will resume the normal output again.

Chris Sweeney wrote:
> I have the same problem, on Sunday I upgraded a MailScanner box running
> RHEL 4 to the latest Spamassassin/ClamAV using the tar file from the site
> and I went on that machine, (2GIG RAM, 3GHZ processor) from less than 4
> seconds total processing time per message to now over 40 seconds per
> message. 40 seconds is good right now, it doesn't seem to be anything to
> do with MailScanner it seems to be hanging at the virus/spamassassin
> scanning.
>
> Chris
>
>
>
>> I have five mail gateways. Here are a few things I've done that helped a
>> lot.
>>
>> The item that made the biggest difference was changing 'Max Unscanned
>> Messages Per Scan = 30' to 10, and changing 'Max Unsafe Messages Per Scan
>> = 30' to 10 as well.
>>
>> I also increased my "Max Children" to 10, but I'm still working on
>> tweaking that (only been running MailScanner in production for a week
>> now).
>>
>> I had one machine that could not keep up with the volume of mail. I
>> couldn't figure out why one machine was having trouble when the rest were
>> doing fine. Soon I discovered that Spamassassin was causing a huge slow
>> down on that one box.
It was hanging for ever on checking if dns was
>> available or not. I set 'dns_available no' in the spam.assassin.prefs.conf
>> file and things sped waaayyy up. I changed it on my other relays and it
>> made a significant difference on them as well, but not as much as the one
>> relay that couldn't keep up with mail originally. I still haven't figured
>> out why it so greatly effected that one machine.
>>
>> Hope that helps.
>>
>> Good luck.
>>
>> David Gottschalk
>> Emory University Infrastructure Technology Services
>> david.gottschalk@emory.edu
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Quentin >> Campbell >> Sent: Thursday, July 12, 2007 11:37 AM >> To: MailScanner discussion >> Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine >> >> I have a very slow mail gateway among the 4 that I have just upgraded. >> >> They all run MS 4.62.2-3, SA 3.2.1 and ClamAV 0.91 and should have >> identical configurations for MS and SA. MCP processing is done and it is >> the same on all 4. >> >> There were 211 batches of 30 messages each processed on the slow machine. >> Overall the average time to process each message is 15 seconds! >> >> The last two of these batches were processed by running MailScanner in >> debug mode. The average processing time for each message then dropped to >> between 2 and 3 seconds! >> >> I am trying to get a handle on why this machine is so slow. Any >> suggestions to help further my investigation are welcome. >> >> Quentin >> --- >> PHONE: +44 191 222 8209 Information Systems and Services (ISS), >> Newcastle University, >> Newcastle upon Tyne, >> FAX: +44 191 222 8765 United Kingdom, NE1 7RU. >> ------------------------------------------------------------------------ >> >> >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. 
>> >> >> > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGlqSTEfZZRxQVtlQRAkGKAJ9qt7bOdkTqei6fDpzYerNwrb65jACgrjtV gUx0qSvSvgmPOLgci1M75Z0= =n8c4 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From csweeney at osubucks.org Thu Jul 12 23:14:30 2007 
From: csweeney at osubucks.org (Chris Sweeney)
Date: Thu Jul 12 23:16:35 2007
Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine
In-Reply-To: <4696A493.3010509@ecs.soton.ac.uk>
References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> <2559.70.60.69.215.1184275300.squirrel@webmail.osubucks.org> <4696A493.3010509@ecs.soton.ac.uk>
Message-ID: <2993.70.60.69.215.1184278470.squirrel@webmail.osubucks.org>

This is the last thing I see before it seems to stop running in debug mode:

[31439] dbg: check: subtests=__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__UNUSABLE_MSGID

It runs good to this point then just kind of dies. In debug mode it seems to be hanging there. It won't go beyond that.

Thanks
Chris

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Have you tried running it in debug mode with SA debug switched on too?
> MailScanner -debug -debug-sa
> and press Ctrl-S to pause the output when it appears to stop for a bit.
> That will tell you why it is taking so long. In case you don't know,
> Ctrl-Q will resume the normal output again.
>
> Chris Sweeney wrote:
>> I have the same problem, on Sunday I upgraded a MailScanner box running
>> RHEL 4 to the latest Spamassassin/ClamAV using the tar file from the
>> site
>> and I went on that machine, (2GIG RAM, 3GHZ processor) from less than 4
>> seconds total processing time per message to now over 40 seconds per
>> message. 40 seconds is good right now, it doesn't seem to be anything
>> to
>> do with MailScanner it seems to be hanging at the virus/spamassassin
>> scanning.
>>
>> Chris
>>
>>
>>
>>> I have five mail gateways. Here are a few things I've done that helped
>>> a
>>> lot.
>>>
>>> The item that made the biggest difference was changing 'Max Unscanned
>>> Messages Per Scan = 30' to 10, and changing 'Max Unsafe Messages Per
>>> Scan
>>> = 30' to 10 as well.
>>>
>>> I also increased my "Max Children" to 10, but I'm still working on
>>> tweaking that (only been running MailScanner in production for a week
>>> now).
>>>
>>> I had one machine that could not keep up with the volume of mail. I
>>> couldn't figure out why one machine was having trouble when the rest
>>> were
>>> doing fine. Soon I discovered that Spamassassin was causing a huge slow
>>> down on that one box. It was hanging for ever on checking if dns was
>>> available or not. I set 'dns_available no' in the
>>> spam.assassin.prefs.conf
>>> file and things sped waaayyy up. I changed it on my other relays and it
>>> made a significant difference on them as well, but not as much as the
>>> one
>>> relay that couldn't keep up with mail originally. I still haven't
>>> figured
>>> out why it so greatly effected that one machine.
>>>
>>> Hope that helps.
>>>
>>> Good luck.
>>>
>>> David Gottschalk
>>> Emory University Infrastructure Technology Services
>>> david.gottschalk@emory.edu
>>>
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >>> Quentin >>> Campbell >>> Sent: Thursday, July 12, 2007 11:37 AM >>> To: MailScanner discussion >>> Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine >>> >>> I have a very slow mail gateway among the 4 that I have just upgraded. >>> >>> They all run MS 4.62.2-3, SA 3.2.1 and ClamAV 0.91 and should have >>> identical configurations for MS and SA. MCP processing is done and it >>> is >>> the same on all 4. >>> >>> There were 211 batches of 30 messages each processed on the slow >>> machine. >>> Overall the average time to process each message is 15 seconds! >>> >>> The last two of these batches were processed by running MailScanner in >>> debug mode. The average processing time for each message then dropped >>> to >>> between 2 and 3 seconds! >>> >>> I am trying to get a handle on why this machine is so slow. Any >>> suggestions to help further my investigation are welcome. >>> >>> Quentin >>> --- >>> PHONE: +44 191 222 8209 Information Systems and Services (ISS), >>> Newcastle University, >>> Newcastle upon Tyne, >>> FAX: +44 191 222 8765 United Kingdom, NE1 7RU. >>> ------------------------------------------------------------------------ >>> >>> >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> -- >>> This message has been scanned for viruses and >>> dangerous content by MailScanner, and is >>> believed to be clean. 
>>> >>> >>> >> >> >> > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > Charset: ISO-8859-1 > > wj8DBQFGlqSTEfZZRxQVtlQRAkGKAJ9qt7bOdkTqei6fDpzYerNwrb65jACgrjtV > gUx0qSvSvgmPOLgci1M75Z0= > =n8c4 > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- Chris Sweeney Cincinnati Phone http://www.cincinnatiphone.com Microsoft's new slogan: "Wait for us! We're the leaders!" -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ssilva at sgvwater.com Thu Jul 12 23:37:22 2007 
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Jul 12 23:37:39 2007
Subject: Different signatures per domain
In-Reply-To: <4696A1C9.300@linuxforum.hu>
References: <4696737B.7040805@ecs.soton.ac.uk> <4696A1C9.300@linuxforum.hu>
Message-ID:

Kovács Csaba spake the following on 7/12/2007 2:48 PM:
> Some domains on my server do not need any signatures.
> Is it possible to attach different signatures for different domains ?
>
> Csaba

If Julian wrote it, I'm sure it probably supports rulesets.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From brent.addis at pronet.co.nz Thu Jul 12 23:33:17 2007
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Thu Jul 12 23:43:13 2007
Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine
References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC1564@RDPEXCH2.Eu.Emory.Edu> <2559.70.60.69.215.1184275300.squirrel@webmail.osubucks.org> <4696A493.3010509@ecs.soton.ac.uk> <2993.70.60.69.215.1184278470.squirrel@webmail.osubucks.org>
Message-ID: <7EF1F27F7292534D82933F70AB6996CC25CDC8@pro-ak-exch01.hosted.pronet.net.nz>

Couple of things to try:

Try removing the last rule and try debug again. There may be something not quite right with it.

It could also be a problem with the rule after the one showing, freezing on it before it loads and not showing you. If this is the case, try removing the whole ruleset (move it out of the directory) and try again.

Or, you could remove all your rules, and put them back in one by one, running debug each time, until it stops working.

Once you know what rule/ruleset is doing it, it should be easier to track down what the actual cause of the problem is.

________________________________
From ds at caribenet.com Fri Jul 13 01:09:41 2007
From: ds at caribenet.com (Dirk Enrique Seiffert)
Date: Fri Jul 13 01:11:48 2007
Subject: MailScanner - OpenSUSE 10.1 - ClamAV trouble
Message-ID: <57094.192.168.8.1.1184285381.squirrel@mail.lintecsa.com>

Hello

I use MailScanner on various Opensuse 10.1 Mailserver. About two days ago I updated the ClamAV Opensuse rpm to clamav-0.90.3-3.1 - Since then it takes an eternity to scan for virus.

Jul 12 18:56:57 mail MailScanner[25523]: Virus Processing completed at 195581 bytes per second
Jul 12 18:56:57 mail MailScanner[25523]: Batch completed at 19 bytes per second (2320 / 117)
Jul 12 18:56:57 mail MailScanner[25523]: Batch (1 message) processed in 117.39 seconds

CPU load stays on 99%.

In many cases I get a false "Denial Of Service attack is in message" for plain text mails. Exactly the same behaviour I can see on two different MailServers. My MailScanner Version is 4.55.10.

Please let me know if you have similar observations or even solutions.

--
Dirk Enrique Seiffert - Lintec S.A.
Ed. Torre del Reloj - Of. 401
Plaza de los Coches, Centro
Cartagena - Colombia
http://www.lintecsa.com

From Q.G.Campbell at newcastle.ac.uk Fri Jul 13 08:24:41 2007
From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell)
Date: Fri Jul 13 08:26:17 2007
Subject: Strange interaction between MS 4.62.2-3 & ClamAV 0.91 - more info
In-Reply-To: <46964E7B.9010006@ecs.soton.ac.uk>
References: <4165CF7A7F12DE4B96622CCBB90586470AC92C1C@largo.campus.ncl.ac.uk> <46964E7B.9010006@ecs.soton.ac.uk>
Message-ID: <4165CF7A7F12DE4B96622CCBB90586470AC92C66@largo.campus.ncl.ac.uk>

>-----Original Message-----
>From: mailscanner-bounces@lists.mailscanner.info
>[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
>Sent: 12 July 2007 16:54
>To: MailScanner discussion
>Subject: Re: Strange interaction between MS 4.62.2-3 & ClamAV 0.91
>
>Check virus.scanners.conf and your $PATH to see what and where your
>version(s) of ClamAV are installed.

Julian

I am using ClamAVModule and have

Virus Scanners = clamavmodule mcafee

in /etc/MailScanner/MailScanner.conf.

The 'clam' entries in 'virus.scanners.conf' are:

clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
clamd /bin/false /usr/local
clamavmodule /bin/false /tmp

Also in MailScanner.conf I have:

Monitors for ClamAV Updates = /usr/local/clamav/*.inc/* /usr/local/clamav/*.cvd

and 'ls -l /usr/local/clamav' gives

total 9156
drwxr-xr-x 2 clamav clamav 4096 Jul 13 02:09 daily.inc
-rw-r--r-- 1 clamav clamav 9351789 Jul 12 15:41 main.cvd

Anything else I should have included?

ClamAV (and McAfee) are otherwise working OK:

Jul 13 08:12:09 cheviot1 MailScanner[4734]: INFECTED:: Worm.Mydoom.M:: ./l6D7ALEo017921/transcript.zip
Jul 13 08:12:11 cheviot1 MailScanner[4734]: /l6D7ALEo017921/transcript.zip Found the W32/Mydoom.o@MM!zip virus !!!
Jul 13 08:12:11 cheviot1 MailScanner[4734]: Infected message l6D7ALEo017921 came from 61.207.12.160

Quentin

>
>Quentin Campbell wrote:
>> When running MS in debug mode on a machine running MS 4.62.2-3 & ClamAV 0.91 it says:
>>
>> [root@cheviot1 tmp]# service MailScanner start
>> Starting MailScanner daemons:
>> incoming sendmail: [ OK ]
>> outgoing sendmail: [ OK ]
>> MailScanner: In Debugging mode, not forking...
>> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1087.
>> Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1089.
>> LibClamAV Warning: **************************************************
>> LibClamAV Warning: *** The virus database is older than 7 days. ***
>> LibClamAV Warning: *** Please update it IMMEDIATELY! ***
>> LibClamAV Warning: **************************************************
>> Ignore errors about failing to find EOCD signature
>> Stopping now as you are debugging me.
>> [ OK ]
>> [root@cheviot1 tmp]#
>>
>> The ClamAV database is up to date. The same behaviour is seen on two similarly built machines.
>>
>> This does not happen on a third machine running MS 4.61.3-1 & ClamAV 0.90.3.
>>
>> Quentin
>> ---
>> PHONE: +44 191 222 8209 Information Systems and Services (ISS),
>> Newcastle University,
>> Newcastle upon Tyne,
>> FAX: +44 191 222 8765 United Kingdom, NE1 7RU.
>
>Jules
>
>--
>Julian Field MEng CITP
>www.MailScanner.info
>Buy the MailScanner book at www.MailScanner.info/store
>
>Need help customising MailScanner?
>Contact me!
>Need help fixing or optimising your systems?
>Contact me!
>Need help getting you started solving new requirements from your boss?
>Contact me!
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From tim.sattler at nordcapital.com Fri Jul 13 08:30:21 2007
From: tim.sattler at nordcapital.com (Sattler, Tim)
Date: Fri Jul 13 08:30:35 2007
Subject: Watermarking returns+ graphical signatures
In-Reply-To: <4696737B.7040805@ecs.soton.ac.uk>
References: <4696737B.7040805@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:
> Firstly, the watermarking functionality has returned. But this time it
> is implemented differently so is safe from all patent problems. It is
> implemented in pretty much the same way that milter-null does it.

We have two MailScanner gateways both handling incoming and outgoing mail, so the reply to a message does not necessarily come in the same way the message went out. Does the watermarking functionality work in such a setup as well?

Thanks
Tim

From martinh at solidstatelogic.com Fri Jul 13 09:02:01 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Jul 13 09:02:34 2007
Subject: Different signatures per domain
In-Reply-To: <4696A1C9.300@linuxforum.hu>
Message-ID: <59cf7ca0d5d18041852ef0d0a303a9a2@solidstatelogic.com>

Hi

Hmm same question two times in the same day..so here's the same answer ;-)

From the EXAMPLES file in the etc/rules dir..

4. Use different signatures for different domains
Set "Inline Text Signature = /opt/MailScanner/etc/rules/sig.text.rules" &
set "Inline HTML Signature = /opt/MailScanner/etc/rules/sig.html.rules".
Use rules for each file that look like this:

From: *@domain1.com /opt/MailScanner/etc/reports/domain1.sig.txt
From: *@domain2.com /opt/MailScanner/etc/reports/domain2.sig.txt

with equivalent rules in the "sig.html.rules" file.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kovács Csaba
> Sent: 12 July 2007 22:49
> To: MailScanner discussion
> Subject: Different signatures per domain
>
> Some domains on my server do not need any signatures.
> Is it possible to attach different signatures for different domains ?
>
> Csaba

From Q.G.Campbell at newcastle.ac.uk Fri Jul 13 09:18:00 2007
From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell)
Date: Fri Jul 13 09:18:35 2007
Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine - some results of -sa-debug
In-Reply-To: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk>
References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk>
Message-ID: <4165CF7A7F12DE4B96622CCBB90586470AC92C79@largo.campus.ncl.ac.uk>

When I do 'MailScanner -debug -sa-debug' there is no obvious big pause but a hesitation when it starts to '... dbg: rules: running body tests; score so far...'.

A more obvious thing is that lookup times for uridnsbl sites are very variable and that responses are not cached:

...
...
[25023] dbg: uridnsbl: query for carquiet.com took 5 seconds to look up (sbl.spamhaus.org.:236.81.138.89)
[25023] dbg: uridnsbl: query for carquiet.com took 5 seconds to look up (sbl.spamhaus.org.:14.241.178.80)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (multi.uribl.com.:aegean.gr)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (bl.open-whois.org.:aegean.gr)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (multi.surbl.org.:aegean.gr)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (dob.sibl.support-intelligence.net:aegean.gr)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (sbl.spamhaus.org.:1.130.251.195)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (sbl.spamhaus.org.:3.148.251.195)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (sbl.spamhaus.org.:8.130.251.195)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (sbl.spamhaus.org.:19.168.251.195)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (sbl.spamhaus.org.:9.177.251.195)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (sbl.spamhaus.org.:5.160.251.195)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (sbl.spamhaus.org.:3.144.251.195)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (sbl.spamhaus.org.:210.210.177.194)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (sbl.spamhaus.org.:5.128.251.195)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (sbl.spamhaus.org.:1.128.251.195)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (sbl.spamhaus.org.:5.184.251.195)
[25047] dbg: uridnsbl: query for poemboy.hk took 6 seconds to look up (multi.surbl.org.:poemboy.hk)
[25047] dbg: uridnsbl: query for carquiet.com took 6 seconds to look up (multi.surbl.org.:carquiet.com)
[25047] dbg: uridnsbl: query for carquiet.com took 6 seconds to look up (dob.sibl.support-intelligence.net:carquiet.com)
[25047] dbg: uridnsbl: query for poemboy.hk took 6 seconds to look up (multi.uribl.com.:poemboy.hk)
[25047] dbg: uridnsbl: query for poemboy.hk took 6 seconds to look up (bl.open-whois.org.:poemboy.hk)
[25047] dbg: uridnsbl: query for carquiet.com took 6 seconds to look up (bl.open-whois.org.:carquiet.com)
[25047] dbg: uridnsbl: query for carquiet.com took 6 seconds to look up (multi.uribl.com.:carquiet.com)
[25047] dbg: uridnsbl: query for poemboy.hk took 6 seconds to look up (dob.sibl.support-intelligence.net:poemboy.hk)
[25047] dbg: uridnsbl: query for carquiet.com took 6 seconds to look up (sbl.spamhaus.org.:236.81.138.89)
[25047] dbg: uridnsbl: query for carquiet.com took 6 seconds to look up (sbl.spamhaus.org.:14.241.178.80)
[25050] dbg: uridnsbl: query for sciencedirect.com took 13 seconds to look up (dob.sibl.support-intelligence.net:sciencedirect.com)
[25050] dbg: uridnsbl: query for sciencedirect.com took 13 seconds to look up (bl.open-whois.org.:sciencedirect.com)
[25050] dbg: uridnsbl: query for sciencedirect.com took 13 seconds to look up (multi.surbl.org.:sciencedirect.com)
[25050] dbg: uridnsbl: query for sciencedirect.com took 13 seconds to look up (multi.uribl.com.:sciencedirect.com)
[25050] dbg: uridnsbl: query for sciencedirect.com took 13 seconds to look up (sbl.spamhaus.org.:3.4.12.138)
[25050] dbg: uridnsbl: query for sciencedirect.com took 13 seconds to look up (sbl.spamhaus.org.:2.4.12.138)
[25050] dbg: uridnsbl: query for sciencedirect.com took 13 seconds to look up (sbl.spamhaus.org.:11.200.81.198)
[25050] dbg: uridnsbl: query for sciencedirect.com took 13 seconds to look up (sbl.spamhaus.org.:2.180.25.207)
[25023] dbg: uridnsbl: query for carquiet.com took 5 seconds to look up (multi.uribl.com.:carquiet.com)
[25023] dbg: uridnsbl: query for carquiet.com took 5 seconds to look up (multi.surbl.org.:carquiet.com)
[25023] dbg: uridnsbl: query for poemboy.hk took 5 seconds to look up (multi.uribl.com.:poemboy.hk)
[25023] dbg: uridnsbl: query for poemboy.hk took 5 seconds to look up (bl.open-whois.org.:poemboy.hk)
[25023] dbg: uridnsbl: query for poemboy.hk took 5 seconds to look up (multi.surbl.org.:poemboy.hk)
[25023] dbg: uridnsbl: query for poemboy.hk took 5 seconds to look up (dob.sibl.support-intelligence.net:poemboy.hk)
[25023] dbg: uridnsbl: query for carquiet.com took 5 seconds to look up (bl.open-whois.org.:carquiet.com)
[25023] dbg: uridnsbl: query for carquiet.com took 5 seconds to look up (dob.sibl.support-intelligence.net:carquiet.com)
...
...

Quentin

>-----Original Message-----
>From: mailscanner-bounces@lists.mailscanner.info
>[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Quentin Campbell
>Sent: 12 July 2007 16:37
>To: MailScanner discussion
>Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine
>
>I have a very slow mail gateway among the 4 that I have just upgraded.
>
>They all run MS 4.62.2-3, SA 3.2.1 and ClamAV 0.91 and should have
>identical configurations for MS and SA. MCP processing is done and it is
>the same on all 4.
>
>There were 211 batches of 30 messages each processed on the slow
>machine. Overall the average time to process each message is 15 seconds!
>
>The last two of these batches were processed by running MailScanner in
>debug mode. The average processing time for each message then dropped to
>between 2 and 3 seconds!
>
>I am trying to get a handle on why this machine is so slow. Any
>suggestions to help further my investigation are welcome.
>
>Quentin
>---
>PHONE: +44 191 222 8209 Information Systems and Services (ISS),
>Newcastle University,
>Newcastle upon Tyne,
>FAX: +44 191 222 8765 United Kingdom, NE1 7RU.

From mailadmin at baladia.gov.kw Fri Jul 13 08:44:03 2007
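An added example, not part of Quentin's post: a small parser for `uridnsbl` debug lines in the format he quotes. It reports the worst reported lookup time per URI domain, how many distinct list queries each domain fans out into, and which zone/key pairs were queried by more than one scanner process. The sample is a subset of the lines from the post, one of them wrapped the way mail clients wrap long lines; the function names are invented here.

```python
import re
from collections import defaultdict

# Matches lines such as
# [25023] dbg: uridnsbl: query for carquiet.com took 5 seconds to look up (sbl.spamhaus.org.:236.81.138.89)
# \s+ between words tolerates lines that were wrapped or run together in transit.
LINE_RE = re.compile(
    r"\[(?P<pid>\d+)\]\s+dbg:\s+uridnsbl:\s+query\s+for\s+(?P<domain>\S+)"
    r"\s+took\s+(?P<secs>\d+)\s+seconds\s+to\s+look\s+up"
    r"\s+\((?P<zone>[^:()\s]+):(?P<key>[^()\s]+)\)"
)

# Subset of the debug lines quoted in the post (the sciencedirect.com line is
# deliberately wrapped to show that wrapping does not break parsing).
SAMPLE = """\
[25023] dbg: uridnsbl: query for carquiet.com took 5 seconds to look up (sbl.spamhaus.org.:236.81.138.89)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (multi.uribl.com.:aegean.gr)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (sbl.spamhaus.org.:1.130.251.195)
[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up (sbl.spamhaus.org.:3.148.251.195)
[25047] dbg: uridnsbl: query for carquiet.com took 6 seconds to look up (sbl.spamhaus.org.:236.81.138.89)
[25047] dbg: uridnsbl: query for poemboy.hk took 6 seconds to look up (multi.surbl.org.:poemboy.hk)
[25050] dbg: uridnsbl: query for sciencedirect.com took 13 seconds
to look up (multi.uribl.com.:sciencedirect.com)
[25023] dbg: uridnsbl: query for poemboy.hk took 5 seconds to look up (multi.surbl.org.:poemboy.hk)
"""


def parse(text):
    """Return one record per uridnsbl lookup found anywhere in text."""
    return [
        {
            "pid": int(m["pid"]),
            "domain": m["domain"],
            "secs": int(m["secs"]),
            "zone": m["zone"].rstrip("."),  # normalise the trailing root dot
            "key": m["key"],
        }
        for m in LINE_RE.finditer(text)
    ]


def worst_by_domain(records):
    """Largest reported lookup time, in seconds, for each URI domain."""
    worst = {}
    for r in records:
        worst[r["domain"]] = max(worst.get(r["domain"], 0), r["secs"])
    return worst


def fan_out(records):
    """Number of distinct (zone, key) queries generated per URI domain."""
    queries = defaultdict(set)
    for r in records:
        queries[r["domain"]].add((r["zone"], r["key"]))
    return {domain: len(q) for domain, q in queries.items()}


def repeated_across_pids(records):
    """(zone, key) pairs that more than one scanner process looked up."""
    pids = defaultdict(set)
    for r in records:
        pids[(r["zone"], r["key"])].add(r["pid"])
    return {q: sorted(p) for q, p in pids.items() if len(p) > 1}


if __name__ == "__main__":
    recs = parse(SAMPLE)
    for domain, secs in sorted(worst_by_domain(recs).items(), key=lambda kv: -kv[1]):
        print(f"{domain:20} worst {secs:3d}s  distinct queries {fan_out(recs)[domain]}")
    for (zone, key), who in repeated_across_pids(recs).items():
        print(f"repeated: {key} @ {zone} by PIDs {who}")
```

Run against a full `-sa-debug` capture, the repeated pairs show how much of the lookup load would disappear behind a local caching resolver shared by all scanner children.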
From: mailadmin at baladia.gov.kw (mailadmin@baladia.gov.kw)
Date: Fri Jul 13 09:26:50 2007
Subject: sendmail , mailscanner problem
Message-ID: <1717.62.150.152.226.1184312643.squirrel@webmail.baladia.gov.kw>

dear All,

I have recently installed Centos OS 4.5 + sendmail-8.13.1-3.2.el4 + MailScanner-4.61.7-2 + clamav 0.90.3 and is being working perfect..

But i have noticed one thing if for any reason i say service sendmail stop and then service mailScanner stop it stop without any error then when i say service sendmail start it starts fine without any error n then when i start MailScanner it sometimes start fine no errors but sometimes with errors

Starting MailScanner daemons:
incoming sendmail: [ OK ]
outgoing sendmail: [ OK
MailScanner: Can't locate IO/Wrap.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner/5.8.5/i386-linux-thread-multi /usr/lib/MailScanner/5.8.5 /usr/lib/MailScanner/i386-linux-thread-multi /usr/lib/MailScanner/5.8.4 /usr/lib/MailScanner/5.8.3 /usr/lib/MailScanner/5.8.2 /usr/lib/MailScanner/5.8.1 /usr/lib/MailScanner/5.8.0 /usr/lib/MailScanner) at /usr/lib/perl5/site_perl/5.8.5/MIME/Parser.pm line 134.
BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.5/MIME/Parser.pm line 134.
Compilation failed in require at /usr/lib/MailScanner/MailScanner/MCPMessage.pm line 41.
BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/MCPMessage.pm line 41.
Compilation failed in require at /usr/sbin/MailScanner line 78.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 78.

n then in my maillog i c

ul 13 12:01:12 kmdns2 sendmail[13382]: starting daemon (8.13.1): queueing@00:15:00
Jul 13 12:01:17 kmdns2 sendmail[13373]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use

but if i restart the pc everything is perfect n no errors of either sendmail or mailscanner in my /var/log/maillog

2) also any message sent has scanned by MailScanner at the end how can i disable this message

Appreciate your help

thanks
regards
simon

From matt at coders.co.uk Fri Jul 13 09:35:34 2007
From: matt at coders.co.uk (Matt Hampton)
Date: Fri Jul 13 09:33:43 2007
Subject: Watermarking returns+ graphical signatures
In-Reply-To:
References: <4696737B.7040805@ecs.soton.ac.uk>
Message-ID: <46973956.6030303@coders.co.uk>

Sattler, Tim wrote:
> Julian Field wrote:
>
>> Firstly, the watermarking functionality has returned. But this time it
>> is implemented differently so is safe from all patent problems. It is
>> implemented in pretty much the same way that milter-null does it.
>
> We have two MailScanner gateways both handling incoming and outgoing
> mail, so the reply to a message does not necessarily come in the
> same way the message went out. Does the watermarking functionality
> work in such a setup as well?

Yes - the hash is calculated on the envelope from and then various headers within the message itself and combined with your secret and a timestamp. It is then added as a header.

When the message comes back in it uses the envelope to and then looks for the headers in the message body and checks the match and the expiry.

matt

From MailScanner at ecs.soton.ac.uk Fri Jul 13 11:00:09 2007
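Matt Hampton's description above, worked through as an added example (not MailScanner's code and not from the thread): one gateway stamps an outgoing message, and a second gateway holding the same secret checks a bounce without any shared per-message state. The header name `X-Example-Watermark`, the set of signed headers, the `expiry:mac` layout, the use of HMAC-SHA256, the seven-day lifetime and all addresses are assumptions made for the illustration.

```python
import hashlib
import hmac
import time
from email import message_from_string

# Assumptions for this sketch (not MailScanner's real names or format):
WATERMARK_HEADER = "X-Example-Watermark"  # hypothetical header name
SIGNED_HEADERS = ("Message-ID", "Date")   # stand-in for "various headers"
LIFETIME_SECONDS = 7 * 24 * 3600          # hypothetical validity window


def _mac(secret, envelope_addr, headers, expiry):
    """HMAC-SHA256 over the envelope address, signed headers and expiry."""
    parts = [envelope_addr.strip().lower()]
    parts += [(headers.get(name) or "").strip() for name in SIGNED_HEADERS]
    parts.append(str(expiry))
    data = "\n".join(parts).encode("utf-8")
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def add_watermark(secret, envelope_from, msg, now=None):
    """Outbound: stamp msg with '<expiry>:<mac>' bound to the envelope sender."""
    now = int(time.time() if now is None else now)
    expiry = now + LIFETIME_SECONDS
    del msg[WATERMARK_HEADER]  # never keep a watermark supplied by the client
    msg[WATERMARK_HEADER] = f"{expiry}:{_mac(secret, envelope_from, msg, expiry)}"
    return msg


def check_bounce(secret, envelope_to, bounce_text, now=None):
    """Inbound: find the returned headers in the body, check MAC then expiry."""
    now = int(time.time() if now is None else now)
    body = bounce_text.replace("\r\n", "\n").partition("\n\n")[2]
    wanted = {n.lower(): n for n in SIGNED_HEADERS + (WATERMARK_HEADER,)}
    found = {}
    for line in body.splitlines():
        name, sep, value = line.partition(":")
        key = wanted.get(name.strip().lower())
        if sep and key and key not in found:
            found[key] = value.strip()
    token = found.get(WATERMARK_HEADER)
    if token is None:
        return "missing"
    expiry_text, _, mac = token.partition(":")
    if not (expiry_text.isascii() and expiry_text.isdigit() and mac):
        return "malformed"
    expected = _mac(secret, envelope_to, found, int(expiry_text))
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("utf-8")):
        return "forged"
    if now > int(expiry_text):
        return "expired"
    return "valid"


def demo():
    """Constructed messages: gateway 1 signs, gateway 2 verifies bounces."""
    secret = b"constructed-secret-shared-by-both-gateways"
    sender = "alice@example.org"
    sent_at = 1184313600  # constructed send time (epoch seconds)
    msg = message_from_string(
        "From: alice@example.org\nTo: bob@remote.example\n"
        "Message-ID: <20070713.0001@gw1.example.org>\n"
        "Date: Fri, 13 Jul 2007 09:00:00 +0100\nSubject: hello\n\nHi Bob\n")
    add_watermark(secret, sender, msg, now=sent_at)
    returned = "".join(f"{k}: {v}\n" for k, v in msg.items())

    def bounce(original_headers):
        return ("From: MAILER-DAEMON@remote.example\nTo: alice@example.org\n"
                "Subject: Undelivered Mail Returned to Sender\n\n"
                "Delivery failed. Headers of the original message:\n\n"
                + original_headers)

    genuine = bounce(returned)
    unmarked = bounce("".join(
        line + "\n" for line in returned.splitlines()
        if not line.startswith(WATERMARK_HEADER)))
    soon, late = sent_at + 3600, sent_at + LIFETIME_SECONDS + 1
    return {
        "genuine": check_bounce(secret, sender, genuine, now=soon),
        "no_watermark": check_bounce(secret, sender, unmarked, now=soon),
        "other_recipient": check_bounce(secret, "carol@example.org", genuine, now=soon),
        "wrong_secret": check_bounce(b"some-other-secret", sender, genuine, now=soon),
        "too_late": check_bounce(secret, sender, genuine, now=late),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} {verdict}")
```

Because the check needs only the secret and the returned headers, it gives the same verdict on whichever gateway the bounce arrives at, provided both gateways are configured with the same secret.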
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 13 11:00:59 2007 Subject: MailScanner - OpenSUSE 10.1 - ClamAV trouble In-Reply-To: <57094.192.168.8.1.1184285381.squirrel@mail.lintecsa.com> References: <57094.192.168.8.1.1184285381.squirrel@mail.lintecsa.com> Message-ID: <46974D29.7090009@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Upgrade to ClamAV 0.91. Dirk Enrique Seiffert wrote: > Hello I use MailScanner on various Opensuse 10.1 Mailserver. About two > days ago I updated the ClamAV Opensuse rpm to clamav-0.90.3-3.1 - Since > then it takes an eternity to scan for virus. > > Jul 12 18:56:57 mail MailScanner[25523]: Virus Processing completed at > 195581 bytes per second > Jul 12 18:56:57 mail MailScanner[25523]: Batch completed at 19 bytes per > second (2320 / 117) > Jul 12 18:56:57 mail MailScanner[25523]: Batch (1 message) processed in > 117.39 seconds > > CPU load stays on 99%. > > In many cases I get a false "Denial Of Service attack is in message" for > plain text mails. Exactly the same behaviour I can see on two different > MailServers. My MailScanner Version is 4.55.10. > > Please let me know if you have similar observations or even solutions. > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGl00qEfZZRxQVtlQRAmPiAKC+ZEySEVmG/CAAV8sw3VzAqhk4bgCffqHK LWUgN+VvCmWlNnuIePvPCNw= =k33w -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From Q.G.Campbell at newcastle.ac.uk Fri Jul 13 11:38:29 2007 
From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell) Date: Fri Jul 13 11:38:36 2007 Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine - FIXED (temporarily) In-Reply-To: <4165CF7A7F12DE4B96622CCBB90586470AC92C79@largo.campus.ncl.ac.uk> References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <4165CF7A7F12DE4B96622CCBB90586470AC92C79@largo.campus.ncl.ac.uk> Message-ID: <4165CF7A7F12DE4B96622CCBB90586470AC92CC4@largo.campus.ncl.ac.uk> I have found a temporary fix to this problem which is to switch off MCP checks. HOWEVER I can find no explanation as to why this should help in my situation. I currently have 4 identically configured gateways each carrying roughly the same traffic load. Only one of these needs to have "MCP Checks = no". The other three work OK when this is "yes". The /etc/MailScanner hierarchy is the same. So is /etc/mail/spamassassin. All run with the same MS & SA & ClamAV versions. I am doing sa-update nightly so /var/lib/spamassassin hierarchy is the same. Ditto /usr/share/spamassassin (which should be ignored now that I use 'sa-update'). What files/directories outside of the above might slow down MCP checks? NB This problem is NOT likely to be directly related to the version of MailScanner I am running because this problem occurred on the machine before I upgraded to 4.62.2-3 and SA 3.2.1 but was less pronounced. Quentin >-----Original Message----- 
>From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >bounces@lists.mailscanner.info] On Behalf Of Quentin Campbell >Sent: 13 July 2007 09:18 >To: MailScanner discussion >Subject: RE: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine - >someresults of -sa-debug > >When I do 'MailScanner -debug -sa-debug' there is no obvious big pause >but a hesitation when it starts to '... dbg: rules: running body tests; >score so far...'. > >A more obvious thing is that lookup times for uridnsbl sites is very >variable and that responses are not cached: > >... >... >[25023] dbg: uridnsbl: query for carquiet.com took 5 seconds to look up >(sbl.spamhaus.org.:236.81.138.89) >[25023] dbg: uridnsbl: query for carquiet.com took 5 seconds to look up >(sbl.spamhaus.org.:14.241.178.80) >[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up >(multi.uribl.com.:aegean.gr) >[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up >(bl.open-whois.org.:aegean.gr) >[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up >(multi.surbl.org.:aegean.gr) >[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up >(dob.sibl.support-intelligence.net:aegean.gr) >[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up >(sbl.spamhaus.org.:1.130.251.195) >[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up >(sbl.spamhaus.org.:3.148.251.195) >[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up >(sbl.spamhaus.org.:8.130.251.195) >[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up >(sbl.spamhaus.org.:19.168.251.195) >[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up >(sbl.spamhaus.org.:9.177.251.195) >[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up >(sbl.spamhaus.org.:5.160.251.195) >[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up >(sbl.spamhaus.org.:3.144.251.195) >[25046] dbg: uridnsbl: query for aegean.gr 
took 7 seconds to look up >(sbl.spamhaus.org.:210.210.177.194) >[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up >(sbl.spamhaus.org.:5.128.251.195) >[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up >(sbl.spamhaus.org.:1.128.251.195) >[25046] dbg: uridnsbl: query for aegean.gr took 7 seconds to look up >(sbl.spamhaus.org.:5.184.251.195) >[25047] dbg: uridnsbl: query for poemboy.hk took 6 seconds to look up >(multi.surbl.org.:poemboy.hk) >[25047] dbg: uridnsbl: query for carquiet.com took 6 seconds to look up >(multi.surbl.org.:carquiet.com) >[25047] dbg: uridnsbl: query for carquiet.com took 6 seconds to look up >(dob.sibl.support-intelligence.net:carquiet.com) >[25047] dbg: uridnsbl: query for poemboy.hk took 6 seconds to look up >(multi.uribl.com.:poemboy.hk) >[25047] dbg: uridnsbl: query for poemboy.hk took 6 seconds to look up >(bl.open-whois.org.:poemboy.hk) >[25047] dbg: uridnsbl: query for carquiet.com took 6 seconds to look up >(bl.open-whois.org.:carquiet.com) >[25047] dbg: uridnsbl: query for carquiet.com took 6 seconds to look up >(multi.uribl.com.:carquiet.com) >[25047] dbg: uridnsbl: query for poemboy.hk took 6 seconds to look up >(dob.sibl.support-intelligence.net:poemboy.hk) >[25047] dbg: uridnsbl: query for carquiet.com took 6 seconds to look up >(sbl.spamhaus.org.:236.81.138.89) >[25047] dbg: uridnsbl: query for carquiet.com took 6 seconds to look up >(sbl.spamhaus.org.:14.241.178.80) >[25050] dbg: uridnsbl: query for sciencedirect.com took 13 seconds to >look up (dob.sibl.support-intelligence.net:sciencedirect.com) >[25050] dbg: uridnsbl: query for sciencedirect.com took 13 seconds to >look up (bl.open-whois.org.:sciencedirect.com) >[25050] dbg: uridnsbl: query for sciencedirect.com took 13 seconds to >look up (multi.surbl.org.:sciencedirect.com) >[25050] dbg: uridnsbl: query for sciencedirect.com took 13 seconds to >look up (multi.uribl.com.:sciencedirect.com) >[25050] dbg: uridnsbl: query for 
sciencedirect.com took 13 seconds to >look up (sbl.spamhaus.org.:3.4.12.138) >[25050] dbg: uridnsbl: query for sciencedirect.com took 13 seconds to >look up (sbl.spamhaus.org.:2.4.12.138) >[25050] dbg: uridnsbl: query for sciencedirect.com took 13 seconds to >look up (sbl.spamhaus.org.:11.200.81.198) >[25050] dbg: uridnsbl: query for sciencedirect.com took 13 seconds to >look up (sbl.spamhaus.org.:2.180.25.207) >[25023] dbg: uridnsbl: query for carquiet.com took 5 seconds to look up >(multi.uribl.com.:carquiet.com) >[25023] dbg: uridnsbl: query for carquiet.com took 5 seconds to look up >(multi.surbl.org.:carquiet.com) >[25023] dbg: uridnsbl: query for poemboy.hk took 5 seconds to look up >(multi.uribl.com.:poemboy.hk) >[25023] dbg: uridnsbl: query for poemboy.hk took 5 seconds to look up >(bl.open-whois.org.:poemboy.hk) >[25023] dbg: uridnsbl: query for poemboy.hk took 5 seconds to look up >(multi.surbl.org.:poemboy.hk) >[25023] dbg: uridnsbl: query for poemboy.hk took 5 seconds to look up >(dob.sibl.support-intelligence.net:poemboy.hk) >[25023] dbg: uridnsbl: query for carquiet.com took 5 seconds to look up >(bl.open-whois.org.:carquiet.com) >[25023] dbg: uridnsbl: query for carquiet.com took 5 seconds to look up >(dob.sibl.support-intelligence.net:carquiet.com) >... >... > > >Quentin > >>-----Original Message----- 
>>From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>bounces@lists.mailscanner.info] On Behalf Of Quentin Campbell >>Sent: 12 July 2007 16:37 >>To: MailScanner discussion >>Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine >> >>I have a very slow mail gateway among the 4 that I have just upgraded. >> >>They all run MS 4.62.2-3, SA 3.2.1 and ClamAV 0.91 and should have >>identical configurations for MS and SA. MCP processing is done and it >is >>the same on all 4. >> >>There were 211 batches of 30 messages each processed on the slow >>machine. Overall the average time to process each message is 15 >seconds! >> >>The last two of these batches were processed by running MailScanner in >>debug mode. The average processing time for each message then dropped >to >>between 2 and 3 seconds! >> >>I am trying to get a handle on why this machine is so slow. Any >>suggestions to help further my investigation are welcome. >> >>Quentin >>--- >>PHONE: +44 191 222 8209 Information Systems and Services (ISS), >> Newcastle University, >> Newcastle upon Tyne, >>FAX: +44 191 222 8765 United Kingdom, NE1 7RU. >>----------------------------------------------------------------------- >- >> >> >> >>-- >>MailScanner mailing list >>mailscanner@lists.mailscanner.info >>http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >>Before posting, read http://wiki.mailscanner.info/posting >> >>Support MailScanner development - buy the book off the website! >-- >MailScanner mailing list >mailscanner@lists.mailscanner.info >http://lists.mailscanner.info/mailman/listinfo/mailscanner > >Before posting, read http://wiki.mailscanner.info/posting > >Support MailScanner development - buy the book off the website! From Richard.Frovarp at sendit.nodak.edu Fri Jul 13 12:42:15 2007 
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Fri Jul 13 12:42:19 2007 Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine - some results of -sa-debug In-Reply-To: <4165CF7A7F12DE4B96622CCBB90586470AC92C79@largo.campus.ncl.ac.uk> References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <4165CF7A7F12DE4B96622CCBB90586470AC92C79@largo.campus.ncl.ac.uk> Message-ID: <46976517.4040907@sendit.nodak.edu> Quentin Campbell wrote: > When I do 'MailScanner -debug -sa-debug' there is no obvious big pause but a hesitation when it starts to '... dbg: rules: running body tests; score so far...'. > > A more obvious thing is that lookup times for uridnsbl sites is very variable and that responses are not cached: > Make sure you are running a caching nameserver on your MailScanner boxes. And some of those queries might be cached. SA can make one query and use the result in multiple rules. The debug output might not be reflecting that. From leiw324 at yahoo.com.hk Fri Jul 13 13:31:48 2007 
From: leiw324 at yahoo.com.hk (Wilson Kwok) Date: Fri Jul 13 13:31:51 2007 Subject: Please help Message-ID: <501519.31550.qm@web54402.mail.yahoo.com> Hello, I still can't send or receive email, the following log always appears.... Jul 13 20:36:31 abc MailScanner[6771]: New Batch: Found 36 messages waiting Jul 13 20:36:31 abc MailScanner[6771]: New Batch: Scanning 30 messages, 279155 bytes Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message 034D6700AC.D7930 Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message 5CB9D700BB.F28E7 Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message 711A8700B1.A41D4 Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message 258BE700BE.023E8 Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message AFCF1700B6.4D95D Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message 06FBC700C4.E654E Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message 0E714700AA.863F7 Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message 6BAB2700C0.06A3F Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message 52316700BF.23789 Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message 95805700BC.9F1CA Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message 6C41A700AE.B8DF1 Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message 3AE25700AD.A1147 Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message 55CA3700AF.23091 Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message 406C5700C6.BD320 Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message E48AC700B5.BA5E0 Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message 22886700BA.5BED2 Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message A552E700B4.96180 Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit 
for message 3D1A8700B8.C4FB8 Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message 461C1700C5.2E1A0 Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message 92E53700C1.BC100 Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message 65BF1700B0.7C8FB Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message B81A0700B2.8526F -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070713/f05c5b0f/attachment.html From martinh at solidstatelogic.com Fri Jul 13 13:39:10 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Fri Jul 13 13:39:23 2007 Subject: Please help In-Reply-To: <501519.31550.qm@web54402.mail.yahoo.com> Message-ID: Wilson Has it ever worked? If not what instructions have you followed to install and configure? What happens if you stop MailScanner then run 'MailScanner --debug --debug-sa'? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Wilson Kwok > Sent: 13 July 2007 13:32 > To: mailscanner@lists.mailscanner.info > Subject: Please help > > Hello, > > I still can't send or eceive email, the following log always appear.... > > Jul 13 20:36:31 abc MailScanner[6771]: New Batch: Found 36 messages > waiting > Jul 13 20:36:31 abc MailScanner[6771]: New Batch: Scanning 30 messages, > 279155 bytes > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 034D6700AC.D7930 > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 5CB9D700BB.F28E7 > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 711A8700B1.A41D4 > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 258BE700BE.023E8 > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > AFCF1700B6.4D95D > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 06FBC700C4.E654E > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 0E714700AA.863F7 > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 6BAB2700C0.06A3F > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 52316700BF.23789 > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 95805700BC.9F1CA > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 6C41A700AE.B8DF1 > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 3AE25700AD.A1147 > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 55CA3700AF.23091 > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 406C5700C6.BD320 > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > E48AC700B5.BA5E0 > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 22886700BA.5BED2 
> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > A552E700B4.96180 > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 3D1A8700B8.C4FB8 > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 461C1700C5.2E1A0 > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 92E53700C1.BC100 > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > 65BF1700B0.7C8FB > Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for message > B81A0700B2.8526F ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From steve.swaney at fsl.com Fri Jul 13 14:11:55 2007 From: steve.swaney at fsl.com (Stephen Swaney) Date: Fri Jul 13 14:14:05 2007 Subject: Feature(s) In-Reply-To: <4696A3E8.7000808@fractalweb.com> References: <04D932B0071FE34FA63EBB1977B48D1502BC7636@woodenex.woodmaclaw.local> <01b701c7c4bc$05f11590$11d340b0$@swaney@fsl.com> <4696A3E8.7000808@fractalweb.com> Message-ID: <034801c7c54f$62fcee60$28f6cb20$@swaney@fsl.com> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Chris Yuzik > Sent: Thursday, July 12, 2007 5:58 PM > To: MailScanner discussion > Subject: Re: Feature(s) > > Stephen Swaney wrote: > > > > A program to do this already exists. I've done some quick testing and > it > > seems to work. > > > > MailArchiva - Open Source Email Archiving Software > > www.mailarchiva.com/ > > Steve, > > The more I learn, the more I know I don't know. > > Got any other gems up your sleeves? Not today. > > Cheers, > Chris The thing I liked about MailArchiva was the way that indexing works. The problem with archiving email for Regulatory purposes is not saving the messages, it's finding specific messages based on a combination of sender, dates, content, etc. MailArchiva stores to variable sized volumes which can be any type of storage medium. Each volume contains its own index, which is as large as or larger than the message store, but you can easily locate specific messages using pretty complex search criteria. Steve Steve Swaney steve@fsl.com From theodrake at comcast.net Fri Jul 13 14:34:31 2007 
From: theodrake at comcast.net (Ed Bruce) Date: Fri Jul 13 14:34:42 2007 Subject: Watermarking returns+ graphical signatures In-Reply-To: References: <4696737B.7040805@ecs.soton.ac.uk> Message-ID: <46977F67.30007@comcast.net> Sattler, Tim wrote: > Julian Field wrote: > >> Firstly, the watermarking functionality has returned. But this time it > >> is implemented differently so is safe from all patent problems. It is >> implemented in pretty much the same way that milter-null does it. > > We have two MailScanner gateways both handling incoming and outgoing > mail, so the reply to a message does not necessarily come in the > same way the message went out. Does the watermarking functionality > work in such a setup as well? > > Thanks > Tim I have a similar situation. We have two MS gateways. One handles incoming and outgoing, the other only incoming. On the server that only handles incoming is where I will install this beta and try out the watermarking. Will this introduce any problems? One server running with watermarking and the other not? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 249 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070713/80b7f1d6/signature.bin From evanderleun at hal9000.nl Fri Jul 13 14:42:36 2007 From: evanderleun at hal9000.nl (Erik van der Leun) Date: Fri Jul 13 14:42:49 2007 Subject: Please help In-Reply-To: References: Message-ID: <4697814C.3020404@hal9000.nl> Try turning off your SpamAssassin Results cache Cache SpamAssassin Results = no Martin.Hepworth wrote: > Wilson > > Has it ever worked? If not what instructions have you followed to > install and configure? > > What happens if you stop MailScanner then run 'MailScanner --debug > --debug-sa'? > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Wilson Kwok >> Sent: 13 July 2007 13:32 >> To: mailscanner@lists.mailscanner.info >> Subject: Please help >> >> Hello, >> >> I still can't send or eceive email, the following log always >> > appear.... > >> Jul 13 20:36:31 abc MailScanner[6771]: New Batch: Found 36 messages >> waiting >> Jul 13 20:36:31 abc MailScanner[6771]: New Batch: Scanning 30 >> > messages, > >> 279155 bytes >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 034D6700AC.D7930 >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 5CB9D700BB.F28E7 >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 711A8700B1.A41D4 >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 258BE700BE.023E8 >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> AFCF1700B6.4D95D >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 06FBC700C4.E654E >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 0E714700AA.863F7 >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 6BAB2700C0.06A3F >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 52316700BF.23789 >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 95805700BC.9F1CA >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 6C41A700AE.B8DF1 >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 3AE25700AD.A1147 >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 55CA3700AF.23091 >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 406C5700C6.BD320 >> Jul 13 20:36:31 abc 
MailScanner[6771]: SpamAssassin cache hit for >> > message > >> E48AC700B5.BA5E0 >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 22886700BA.5BED2 >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> A552E700B4.96180 >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 3D1A8700B8.C4FB8 >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 461C1700C5.2E1A0 >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 92E53700C1.BC100 >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> 65BF1700B0.7C8FB >> Jul 13 20:36:31 abc MailScanner[6771]: SpamAssassin cache hit for >> > message > >> B81A0700B2.8526F >> > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show them > to anyone. Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We advise > that you consider this fact when e-mailing us. > Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. 
> > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales > (Company No:5362730) > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > United Kingdom > ********************************************************************** > > -- Erik van der Leun Head of System Administration TBlox BV Van Nelleweg 1 3044 BC Rotterdam T +31 (0)10 750 3190 F +31 (0)20 524 8516 M +31 (0)6 26 974 886 E evanderleun@tblox.com W www.tblox.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070713/8757ee0f/attachment.html From theodrake at comcast.net Fri Jul 13 15:18:26 2007 From: theodrake at comcast.net (Ed Bruce) Date: Fri Jul 13 15:18:36 2007 Subject: Watermarking returns+ graphical signatures In-Reply-To: <46977F67.30007@comcast.net> References: <4696737B.7040805@ecs.soton.ac.uk> <46977F67.30007@comcast.net> Message-ID: <469789B2.9010800@comcast.net> Ed Bruce wrote: > > I have a similar situation. We have two MS gateways. One handles incoming > and outgoing, the other only incoming. On the server that only handles > incoming is where I will install this beta and try out the watermarking. > Will this introduce any problems? One server running with watermarking > and the other not? > > Ok I've read over how this works and it doesn't appear to have any bad side effects. Also since I don't use the test server to send email the watermark will not be tested. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 249 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070713/953aff3c/signature.bin From bpumphrey at woodmclaw.com Fri Jul 13 15:18:56 2007 
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Fri Jul 13 15:18:59 2007 Subject: Feature(s) In-Reply-To: <46967E1A.4010103@ecs.soton.ac.uk> Message-ID: <04D932B0071FE34FA63EBB1977B48D1502BC7789@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: Thursday, July 12, 2007 3:17 PM > To: MailScanner discussion > Subject: Re: Feature(s) > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Have you tried the "Archive Mail" setting? > Yes, only thing is MailScanner is not in line to process the internal messages of the Exchange server. Say from internal user Bob to internal user Tom. From bpumphrey at woodmclaw.com Fri Jul 13 15:21:06 2007 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Fri Jul 13 15:21:09 2007 Subject: Feature(s) In-Reply-To: <46967CC2.30900@nkpanama.com> Message-ID: <04D932B0071FE34FA63EBB1977B48D1502BC778D@woodenex.woodmaclaw.local> > This functionality (apart from the PST stuff) is already built into > MailScanner, and it's pretty flexible through the use of rulesets. In > fact, you can do a poor man's version of "archive only nonspam" by using > it in conjunction with another ruleset on "non spam actions =". > > You can even set it up so that it becomes an IMAP-readable archive of > your e-mail if you tweak it right. I mentioned it in my other response, but the only problem still is for archiving the internal email. If there can be one machine that: - Does what MailScanner does by simply being MailScanner (filter, virus,etc) - Also archive the internal email From bpumphrey at woodmclaw.com Fri Jul 13 15:28:47 2007 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Fri Jul 13 15:28:50 2007 Subject: Feature(s) In-Reply-To: <46968099.20403@ecs.soton.ac.uk> Message-ID: <04D932B0071FE34FA63EBB1977B48D1502BC77A1@woodenex.woodmaclaw.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Julian Field > Sent: Thursday, July 12, 2007 3:27 PM > To: MailScanner discussion > Subject: Re: Feature(s) > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > If you decide to do it via MailScanner, please feel free to pay me for > writing it anyway :-) > > If there are any other specific things you would like adding to the > Archive Mail functionality, feel free to discuss them with me. Many > things are possible. > > Best regards, > Jules. > I have found a solution that I really like but it is just too much money, plus MailScanner almost does it and it would be a lot cheaper and better. Here is the reference product: http://www.emailarchivesolutions.com/Defender.htm I have demoed it and it is fast and simple. I can't remember the export file type, but it can export all emails from a search to one file. It is the most common file that can be imported or exported to about everything. Things to maybe add to MailScanner might be: - Ability to catch the internet Exchange email via journal - Export the searched email to a common file format. Maybe some of the reading on the product tells somewhere, but I didn't read it all yet and I forget the file type. - Upgrade the web interface to reflect it. I really like how the search is laid out for this and for the MailArchiva application that was mentioned by someone else. I don't know if this would be a job for the MailWatch. From mkercher at nfsmith.com Fri Jul 13 15:28:28 2007 
From: mkercher at nfsmith.com (Mike Kercher) Date: Fri Jul 13 15:30:25 2007 Subject: sendmail , mailscanner problem In-Reply-To: <1717.62.150.152.226.1184312643.squirrel@webmail.baladia.gov.kw> References: <1717.62.150.152.226.1184312643.squirrel@webmail.baladia.gov.kw> Message-ID: <441247027D4F274EB760A5F6E1ED9C7E020D5E@houpex02.nfsmith.info> Did you chkconfig sendmail off? Almost sounds like your sendmail processes are still running. Also, you can install IO::Wrap to get rid of the perl module error. Mike -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of mailadmin@baladia.gov.kw Sent: Friday, July 13, 2007 2:44 AM To: mailscanner@lists.mailscanner.info Subject: sendmail , mailscanner problem dear All, I have rcently installed Centos OS 4.5 + sendmail-8.13.1-3.2.el4 + MailScanner-4.61.7-2 + clamav 0.90.3 and is being working perfect.. But i have noticed one thing if for any reason i say service sendmail stop and then service mailScanner stop it stop without any error then when i say service sendmail start it starts fine without any error n wthen when i start MailScanner it somes times start fine no errors but sometimes with errors Starting MailScanner daemons: incoming sendmail: [ OK ] outgoing sendmail: [ OK MailScanner: Can't locate IO/Wrap.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 
/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner/5.8.5/i386-linux-thread-multi /usr/lib/MailScanner/5.8.5 /usr/lib/MailScanner/i386-linux-thread-multi /usr/lib/MailScanner/5.8.4 /usr/lib/MailScanner/5.8.3 /usr/lib/MailScanner/5.8.2 /usr/lib/MailScanner/5.8.1 /usr/lib/MailScanner/5.8.0 /usr/lib/MailScanner) at /usr/lib/perl5/site_perl/5.8.5/MIME/Parser.pm line 134. BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.5/MIME/Parser.pm line 134. Compilation failed in require at /usr/lib/MailScanner/MailScanner/MCPMessage.pm line 41. BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/MCPMessage.pm line 41. Compilation failed in require at /usr/sbin/MailScanner line 78. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 78. n then in my maillog i c ul 13 12:01:12 kmdns2 sendmail[13382]: starting daemon (8.13.1): queueing@00:15:00 Jul 13 12:01:17 kmdns2 sendmail[13373]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use but if i restart the pc everythin is perfect n no errors of either sendmail or mailscanner in my /var/log/maillog 2) also any message sent has scanned by MailScanner at the end how can i disable this messgae Appreciate your help thnks regards simon -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From bpumphrey at woodmclaw.com Fri Jul 13 15:33:01 2007 
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Fri Jul 13 15:33:04 2007
Subject: Feature(s)
In-Reply-To: <01b701c7c4bc$05f11590$11d340b0$@swaney@fsl.com>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1502BC77AA@woodenex.woodmaclaw.local>

> A program to do this already exists. I've done some quick testing and it
> seems to work.
>
> MailArchiva - Open Source Email Archiving Software
> www.mailarchiva.com/
>
> Steve
>
> Steve Swaney
> steve@fsl.com
>

I installed this and demoed it for a short time. It was not as stable as I would have liked. There were a lot of people having trouble with the program not processing messages after it processed 200 messages. I think I had that problem with the first install or fixed it with something, I don't recall. After that it seemed to be processing messages still but it stopped showing the recent processed emails at the home screen.

I really liked the product, fast, nice searching. I then emailed them looking to see if the enterprise version (seemed like there might have been two different versions) offered more. This did not offer the exporting of emails. Maybe now, I don't know, it has been 3-4 months since I installed it.

From itdept at fractalweb.com Fri Jul 13 15:32:58 2007
From: itdept at fractalweb.com (Chris Yuzik) Date: Fri Jul 13 15:33:17 2007 Subject: Watermarked messages still checked for spam in 4.62.3 In-Reply-To: <4696737B.7040805@ecs.soton.ac.uk> References: <4696737B.7040805@ecs.soton.ac.uk> Message-ID: <46978D1A.7040307@fractalweb.com> Julian, I have installed the latest beta and have been testing the watermarking feature. Something isn't working right. I have "Skip Spam Checks If Watermark Valid = yes" in the MailScanner.conf file, have defined a secret, and of course restarted MailScanner. User "a" sends to user "b". "B" receives message and watermark header is indeed added (so far so good). User "B" replies to message with gtube text, and spamassassin gives message a score of 997.40 and quarantines the message. Did I misconfigure something? Thanks, Chris From bpumphrey at woodmclaw.com Fri Jul 13 15:33:56 2007 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Fri Jul 13 15:33:59 2007 Subject: Feature(s) In-Reply-To: Message-ID: <04D932B0071FE34FA63EBB1977B48D1502BC77AD@woodenex.woodmaclaw.local> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Koopmann, Jan-Peter > Sent: Thursday, July 12, 2007 3:42 PM > To: MailScanner discussion > Subject: RE: Feature(s) > > > I have tried some demos of other software that does mail archiving but > > they just don't suite me. > > Tried exclaimer mail archiver yet? > -- I tried to try exclaimer. I never could get it to work. I gave up on it and was going to try later. I had some communication with their tech side too to try and get it going but I never got it going. From alex at nkpanama.com Fri Jul 13 15:35:23 2007 
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Fri Jul 13 15:36:21 2007 Subject: Feature(s) In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1502BC778D@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1502BC778D@woodenex.woodmaclaw.local> Message-ID: <46978DAB.8000005@nkpanama.com> Unfortunately that could only happen if there were a way to tell Outlook to use the MailScanner machine as the outgoing mail server, which you *can*, but only if you tell Outlook that your Exchange server is a regular IMAP/POP server. Billy A. Pumphrey wrote: >> This functionality (apart from the PST stuff) is already built into >> MailScanner, and it's pretty flexible through the use of rulesets. In >> fact, you can do a poor man's version of "archive only nonspam" by >> > using > >> it in conjunction with another ruleset on "non spam actions =". >> >> You can even set it up so that it becomes an IMAP-readable archive of >> your e-mail if you tweak it right. >> > > I mentioned it in my other response, but the only problem still is for > archiving the internal email. > > If there can be one machine that: > - Does what MailScanner does by simply being MailScanner (filter, > virus,etc) > - Also archive the internal email > Unfortunately that could only happen if there were a way to tell Outlook to use the MailScanner machine as the outgoing mail server, which you *can*, but only if you tell Outlook that your Exchange server is a regular IMAP/POP server. ... unless your Exchange server is behind a firewall, in which case you could *try* (don't know if it'd work) telling the firewall to make all incoming packets on port 25 from machines *other* than the MailScanner machine to go *to* the MailScanner machine instead. From Alistair.Carmichael at ntltravel.com Fri Jul 13 15:50:50 2007 
From: Alistair.Carmichael at ntltravel.com (Alistair Carmichael) Date: Fri Jul 13 15:50:56 2007 Subject: sendmail , mailscanner problem In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020D5E@houpex02.nfsmith.info> References: <1717.62.150.152.226.1184312643.squirrel@webmail.baladia.gov.kw> <441247027D4F274EB760A5F6E1ED9C7E020D5E@houpex02.nfsmith.info> Message-ID: <6EEC6D949794754FB8D83A4D87DF7168BE679E@gh-redd-exch-01.redditch.ntltravel.local> -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Kercher Sent: 13 July 2007 15:28 To: MailScanner discussion Subject: RE: sendmail , mailscanner problem Did you chkconfig sendmail off? Almost sounds like your sendmail processes are still running. Also, you can install IO::Wrap to get rid of the perl module error. Mike Hi, You don't need to do "service sendmail start" then "service mailscanner start" as when you issue the mailscanner with start this also starts sendmail at which point you've started a duplicate sendmail process which will fail to listen on port 25 and spit out the error you saw. Chkconfig sendmail off will stop sendmail automatically starting on boot but just use service mailscanner stop/start and this will stop/start sendmail respectively. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. From bpumphrey at woodmclaw.com Fri Jul 13 15:59:23 2007 
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Fri Jul 13 15:59:27 2007 Subject: Feature(s) In-Reply-To: <46978DAB.8000005@nkpanama.com> Message-ID: <04D932B0071FE34FA63EBB1977B48D1502BC77DE@woodenex.woodmaclaw.local> > > Billy A. Pumphrey wrote: > >> This functionality (apart from the PST stuff) is already built into > >> MailScanner, and it's pretty flexible through the use of rulesets. In > >> fact, you can do a poor man's version of "archive only nonspam" by > >> > > using > > > >> it in conjunction with another ruleset on "non spam actions =". > >> > >> You can even set it up so that it becomes an IMAP-readable archive of > >> your e-mail if you tweak it right. > >> > > > > I mentioned it in my other response, but the only problem still is for > > archiving the internal email. > > > > If there can be one machine that: > > - Does what MailScanner does by simply being MailScanner (filter, > > virus,etc) > > - Also archive the internal email > > > Unfortunately that could only happen if there were a way to tell Outlook > to use the MailScanner machine as the outgoing mail server, which you > *can*, but only if you tell Outlook that your Exchange server is a > regular IMAP/POP server. > ... unless your Exchange server is behind a firewall, in which case you > could *try* (don't know if it'd work) telling the firewall to make all > incoming packets on port 25 from machines *other* than the MailScanner > machine to go *to* the MailScanner machine instead. The Exchange journal, some people may not know what it is I don't know. But it is simple a email address that Exchange will forward all of the emails that it processes. So every single email will go to this address. Then the archive program will receive these emails and do their thing. Put them in sql, index them, etc. So there would actually be duplicates if MailScanner processed mail like normal and then got all of the messages sent by the journal. Which makes me think that this would not work. 
Well maybe this was a bad idea, but I don't know unless I ask. From dgottsc at emory.edu Fri Jul 13 16:05:57 2007 From: dgottsc at emory.edu (Gottschalk, David) Date: Fri Jul 13 16:09:11 2007 Subject: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine - some results of -sa-debug In-Reply-To: <46976517.4040907@sendit.nodak.edu> References: <4165CF7A7F12DE4B96622CCBB90586470AC92C18@largo.campus.ncl.ac.uk> <4165CF7A7F12DE4B96622CCBB90586470AC92C79@largo.campus.ncl.ac.uk> <46976517.4040907@sendit.nodak.edu> Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E23084115DC192E@RDPEXCH2.Eu.Emory.Edu> When I run 'MailScanner -debug -sa-debug' it hangs for a long time on this: Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1087. Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin.pm line 1089. [25089] dbg: config: read_scoreonly_config: cannot open "": No such file or directory Is that normal? Thanks. David Gottschalk david.gottschalk@emory.edu -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard Frovarp Sent: Friday, July 13, 2007 7:42 AM To: MailScanner discussion Subject: Re: A very slow MS 4.62.2-3 & SA 3.2.1 & ClamAV 0.91 machine - some results of -sa-debug Quentin Campbell wrote: > When I do 'MailScanner -debug -sa-debug' there is no obvious big pause but a hesitation when it starts to '... dbg: rules: running body tests; score so far...'. > > A more obvious thing is that lookup times for uridnsbl sites is very variable and that responses are not cached: > Make sure you are running a caching nameserver on your MailScanner boxes. And some of those queries might be cached. SA can make one query and use the result in multiple rules. The debug output might not be reflecting that. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From matt at coders.co.uk Fri Jul 13 16:28:53 2007 From: matt at coders.co.uk (Matt Hampton) Date: Fri Jul 13 16:27:17 2007 Subject: Watermarked messages still checked for spam in 4.62.3 In-Reply-To: <46978D1A.7040307@fractalweb.com> References: <4696737B.7040805@ecs.soton.ac.uk> <46978D1A.7040307@fractalweb.com> Message-ID: <46979A35.8010805@coders.co.uk> Chris Yuzik wrote: > Did I misconfigure something? No. Unfortunately myself and Julian had a difference in understanding on what I had implemented. Currently the settings have no effect. I am waiting to hear back from Jules now. matt From itdept at fractalweb.com Fri Jul 13 16:36:27 2007 
From: itdept at fractalweb.com (Chris Yuzik)
Date: Fri Jul 13 16:36:45 2007
Subject: Watermarked messages still checked for spam in 4.62.3
In-Reply-To: <46979A35.8010805@coders.co.uk>
References: <4696737B.7040805@ecs.soton.ac.uk> <46978D1A.7040307@fractalweb.com> <46979A35.8010805@coders.co.uk>
Message-ID: <46979BFB.1080501@fractalweb.com>

Matt Hampton wrote:
> Currently the settings have no effect.
>
> I am waiting to hear back from Jules now.
>
> matt

Matt,

Too bad. Seems like a really nice feature. Any idea when it will actually work?

Chris

From dyioulos at firstbhph.com Fri Jul 13 17:01:39 2007
From: dyioulos at firstbhph.com (Dimitri Yioulos) Date: Fri Jul 13 17:01:06 2007 Subject: sendmail , mailscanner problem In-Reply-To: <1717.62.150.152.226.1184312643.squirrel@webmail.baladia.gov.kw> References: <1717.62.150.152.226.1184312643.squirrel@webmail.baladia.gov.kw> Message-ID: <200707131201.40188.dyioulos@firstbhph.com> On Friday 13 July 2007 3:44 am, mailadmin@baladia.gov.kw wrote: > dear All, > > I have rcently installed Centos OS 4.5 + sendmail-8.13.1-3.2.el4 + > MailScanner-4.61.7-2 + clamav 0.90.3 and is being working perfect.. > > But i have noticed one thing > > if for any reason i say service sendmail stop > and then service mailScanner stop > > it stop without any error > > then when i say service sendmail start it starts fine without any error > > n wthen when i start MailScanner it somes times start fine no errors but > sometimes with errors > > Starting MailScanner daemons: > incoming sendmail: [ OK ] > outgoing sendmail: [ OK > MailScanner: > > Can't locate IO/Wrap.pm in @INC (@INC contains: /usr/lib/MailScanner > /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 > /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi > /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 > /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 > /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 > /usr/lib/perl5/site_perl > /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi > 
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi > /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 > /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 > /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 > /usr/lib/perl5/vendor_perl . > /usr/lib/MailScanner/5.8.5/i386-linux-thread-multi > /usr/lib/MailScanner/5.8.5 /usr/lib/MailScanner/i386-linux-thread-multi > /usr/lib/MailScanner/5.8.4 /usr/lib/MailScanner/5.8.3 > /usr/lib/MailScanner/5.8.2 /usr/lib/MailScanner/5.8.1 > /usr/lib/MailScanner/5.8.0 /usr/lib/MailScanner) at > /usr/lib/perl5/site_perl/5.8.5/MIME/Parser.pm line 134. > BEGIN failed--compilation aborted at > /usr/lib/perl5/site_perl/5.8.5/MIME/Parser.pm line 134. > Compilation failed in require at > /usr/lib/MailScanner/MailScanner/MCPMessage.pm line 41. > BEGIN failed--compilation aborted at > /usr/lib/MailScanner/MailScanner/MCPMessage.pm line 41. > Compilation failed in require at /usr/sbin/MailScanner line 78. > BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 78. > > n then in my maillog i c > ul 13 12:01:12 kmdns2 sendmail[13382]: starting daemon (8.13.1): > queueing@00:15:00 > Jul 13 12:01:17 kmdns2 sendmail[13373]: NOQUEUE: SYSERR(root): > opendaemonsocket: daemon MTA: cannot bind: Address already in use > > but if i restart the pc everythin is perfect n no errors of either > sendmail or mailscanner in my /var/log/maillog > > > 2) also any message sent has scanned by MailScanner at the end > how can i disable this messgae > > Appreciate your help > > thnks > > regards > > simon > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! Answer 1 - don't run an instance of sendmail. Let MailScanner call sendmail. 
Answer 2 - set Sign Clean Messages = No in MailScanner.conf Dimitri -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Jul 13 17:01:28 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 13 17:02:06 2007 Subject: Watermarked messages still checked for spam in 4.62.3 In-Reply-To: <46978D1A.7040307@fractalweb.com> References: <4696737B.7040805@ecs.soton.ac.uk> <46978D1A.7040307@fractalweb.com> Message-ID: <4697A1D8.1060501@ecs.soton.ac.uk> Yes, thanks, we know it's not right. I screwed up the code. We'll get back to you with a new beta very soon. In the mean time, the code won't cause any harm :-) Chris Yuzik wrote: > Julian, > > I have installed the latest beta and have been testing the > watermarking feature. Something isn't working right. > > I have "Skip Spam Checks If Watermark Valid = yes" in the > MailScanner.conf file, have defined a secret, and of course restarted > MailScanner. > > User "a" sends to user "b". "B" receives message and watermark header > is indeed added (so far so good). > > User "B" replies to message with gtube text, and spamassassin gives > message a score of 997.40 and quarantines the message. > > Did I misconfigure something? > > Thanks, > Chris Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From ds at caribenet.com Fri Jul 13 18:54:50 2007 
From: ds at caribenet.com (Dirk Enrique Seiffert) Date: Fri Jul 13 18:56:38 2007 Subject: MailScanner - OpenSUSE 10.1 - ClamAV trouble (solved) In-Reply-To: <46974D29.7090009@ecs.soton.ac.uk> References: <57094.192.168.8.1.1184285381.squirrel@mail.lintecsa.com> <46974D29.7090009@ecs.soton.ac.uk> Message-ID: <44754.192.168.8.1.1184349290.squirrel@mail.lintecsa.com> > Upgrade to ClamAV 0.91. Thanks, this was the solution. ClamAV 0.91 works like a charme! > Dirk Enrique Seiffert wrote: >> Hello I use MailScanner on various Opensuse 10.1 Mailserver. About two >> days ago I updated the ClamAV Opensuse rpm to clamav-0.90.3-3.1 - Since >> then it takes an eternity to scan for virus. >> >> Jul 12 18:56:57 mail MailScanner[25523]: Virus Processing completed at >> 195581 bytes per second >> Jul 12 18:56:57 mail MailScanner[25523]: Batch completed at 19 bytes per >> second (2320 / 117) >> Jul 12 18:56:57 mail MailScanner[25523]: Batch (1 message) processed in >> 117.39 seconds >> >> CPU load stays on 99%. >> >> In many cases I get a false "Denial Of Service attack is in message" for >> plain text mails. Exactly the same behaviour I can see on two different >> MailServers. My MailScanner Version is 4.55.10. >> >> Plese let me know if you have similar observations or even solutions. >> >> > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > Charset: ISO-8859-1 > > wj8DBQFGl00qEfZZRxQVtlQRAmPiAKC+ZEySEVmG/CAAV8sw3VzAqhk4bgCffqHK > LWUgN+VvCmWlNnuIePvPCNw= > =k33w > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Dirk Enrique Seiffert - Lintec S.A. Ed. Torre del Reloj - Of. 401 Plaza de los Coches, Centro Cartagena - Colombia http://www.lintecsa.com From dr.defrimkercagu at hotmail.com Fri Jul 13 19:00:04 2007 From: dr.defrimkercagu at hotmail.com (defrim kerqagu) Date: Fri Jul 13 19:05:09 2007 Subject: Spam getting through [dr.defrimkerqagu yahoo.com: {Spam?}SOS Kosovo] References: <20070711141152.GA29353@doctor.nl2k.ab.ca> Message-ID: please if you can tell me why you reported me as a spam. From jan-peter at koopmann.eu Fri Jul 13 19:11:20 2007 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Fri Jul 13 19:10:42 2007 Subject: Spam getting through [dr.defrimkerqagu yahoo.com:{Spam?}SOS Kosovo] In-Reply-To: References: <20070711141152.GA29353@doctor.nl2k.ab.ca> Message-ID: Read http://www.mailscanner.info/support.html Section: My Mail was Rejected by MailScanner. From glenn.steen at gmail.com Fri Jul 13 20:01:18 2007 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 13 20:01:21 2007
Subject: Watermarking returns+ graphical signatures
In-Reply-To: <46973956.6030303@coders.co.uk>
References: <4696737B.7040805@ecs.soton.ac.uk> <46973956.6030303@coders.co.uk>
Message-ID: <223f97700707131201l5671cc51iffc232f92e663e93@mail.gmail.com>

On 13/07/07, Matt Hampton wrote:
> Sattler, Tim wrote:
> > Julian Field wrote:
> >
> >> Firstly, the watermarking functionality has returned. But this time it
> >> is implemented differently so is safe from all patent problems. It is
> >> implemented in pretty much the same way that milter-null does it.
> >
> > We have two MailScanner gateways both handling incoming and outgoing
> > mail, so the reply to a message does not necessarily come in the
> > same way the message went out. Does the watermarking functionality
> > work in such a setup as well?
>
> Yes - the hash is calculated on the envelope from and then various
> headers within the message itself and combined with your secret and
> a timestamp. It is then added as a header.
>
> When the message comes back in it uses the envelope to and then looks
> for the headers in the message body and checks the match and the expiry.
>
> matt
>

Right, so how crackable will this be? Some of the headers will be ever the same, as will the secret... I suppose you've added in some headers that will change? and something else? so that it isn't obvious, with a little knowledge, how to brute force the secret... and then have a "highway" past MailScanner... Which would be, obviously, very bad...:)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From uxbod at splatnix.net Fri Jul 13 20:08:09 2007
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Jul 13 20:08:13 2007
Subject: Watermarking returns+ graphical signatures
In-Reply-To: <223f97700707131201l5671cc51iffc232f92e663e93@mail.gmail.com>
References: <223f97700707131201l5671cc51iffc232f92e663e93@mail.gmail.com>
Message-ID:

Glenn,

Have it installed now, and the fact that MD5 is being used then I would imagine very secure. I have not looked at the code yet to see how easy it would be to reverse engineer, but I reckon that all is good.

I am still disappointed that no one has posted the patent pending number for the FSL solution. Would be very interesting reading, especially due to what this watermark is doing and without affecting the US patent ie. additional header and encrypted with key.

Regards,

On Fri, 13 Jul 2007 21:01:18 +0200, "Glenn Steen" wrote:
> On 13/07/07, Matt Hampton wrote:
>> Sattler, Tim wrote:
>> > Julian Field wrote:
>> >
>> >> Firstly, the watermarking functionality has returned. But this time it
>> >> is implemented differently so is safe from all patent problems. It is
>> >> implemented in pretty much the same way that milter-null does it.
>> >
>> > We have two MailScanner gateways both handling incoming and outgoing
>> > mail, so the reply to a message does not necessarily come in the
>> > same way the message went out. Does the watermarking functionality
>> > work in such a setup as well?
>>
>> Yes - the hash is calculated on the envelope from and then various
>> headers within the message itself and combined with your secret and
>> a timestamp. It is then added as a header.
>>
>> When the message comes back in it uses the envelope to and then looks
>> for the headers in the message body and checks the match and the expiry.
>>
>> matt
>>
> Right, so how crackable will this be? Some of the headers will be ever
> the same, as will the secret... I suppose you've added in some headers
> that will change? and something else?
> so that it isn't obvious, with a
> little knowledge, how to brute force the secret... and then have a
> "highway" past MailScanner... Which would be, obviously, very bad...:)
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

--
--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From matt at coders.co.uk Fri Jul 13 20:28:09 2007
From: matt at coders.co.uk (Matt Hampton)
Date: Fri Jul 13 20:25:50 2007
Subject: Watermarking returns+ graphical signatures
In-Reply-To: <223f97700707131201l5671cc51iffc232f92e663e93@mail.gmail.com>
References: <4696737B.7040805@ecs.soton.ac.uk> <46973956.6030303@coders.co.uk> <223f97700707131201l5671cc51iffc232f92e663e93@mail.gmail.com>
Message-ID: <4697D249.6040808@coders.co.uk>

Glenn Steen wrote:
> Right, so how crackable will this be? Some of the headers will be ever
> the same, as will the secret... I suppose you've added in some headers
> that will change? and something else? so that it isn't obvious, with a
> little knowledge, how to brute force the secret... and then have a
> "highway" past MailScanner... Which would be, obviously, very bad...:)

Hey it weren't my idea ;-)

The current code only contains the milter-null functionality which is currently not working due to a mixup between me and jules.

The hash is calculated based on

a secret,
Subject
Date
From
To
User-Agent
Message-ID
An expiry time

Is that enough for you? :-)

matt

From MailScanner at ecs.soton.ac.uk Fri Jul 13 21:23:51 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 13 21:27:19 2007
Subject: Watermarking should do something now
Message-ID: <4697DF57.5000809@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have hopefully fixed the watermarking setup so it should do something now :-)
You'll need to upgrade_MailScanner_conf to pick up the new options and their docs.

Release 4.62.3-2.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGl99YEfZZRxQVtlQRAkquAJ0ZsHeY6RaG5vQpPeezYlrdUvA3eQCffQ5X
fSFVu4Jr84ZAI+1JrUS1BWA=
=rTj7
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From itdept at fractalweb.com Fri Jul 13 22:01:15 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Fri Jul 13 22:01:38 2007
Subject: Watermarking should do something now
In-Reply-To: <4697DF57.5000809@ecs.soton.ac.uk>
References: <4697DF57.5000809@ecs.soton.ac.uk>
Message-ID: <4697E81B.9050703@fractalweb.com>

Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have hopefully fixed the watermarking setup so it should do something
> now :-)
> You'll need to upgrade_MailScanner_conf to pick up the new options and
> their docs.
>
> Release 4.62.3-2.

Jules,

Did the upgrade to latest beta. Made changes to MailScanner.conf. Restarted MailScanner.

Did same test as this morning.

1. Sent message from user "a" to user "b"
2. User "b" replied to user "a" message with gtube.
3. MailScanner tagged message as spam with a score of 997.40 and quarantined it.

I can run further tests if you like, but I'm not really sure what to test.

Cheers,
Chris

From MailScanner at ecs.soton.ac.uk Fri Jul 13 22:26:42 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 13 22:27:12 2007 Subject: Watermarking should do something now In-Reply-To: <4697E81B.9050703@fractalweb.com> References: <4697DF57.5000809@ecs.soton.ac.uk> <4697E81B.9050703@fractalweb.com> Message-ID: <4697EE12.7050607@ecs.soton.ac.uk> Chris Yuzik wrote: > Julian Field wrote: >> I have hopefully fixed the watermarking setup so it should do >> something now :-) >> You'll need to upgrade_MailScanner_conf to pick up the new options >> and their docs. >> >> Release 4.62.3-2. > > Jules, > > Did the upgrade to latest beta. Made changes to MailScanner.conf. > Restarted MailScanner. > > Did same test as this morning. > > 1. Sent message from user "a" to user "b" > 2. User "b" replied to user "a" message with gtube. > 3. MailScanner tagged message as spam with a score of 997.40 and > quarantined it. > > I can run further tests if you like, but I'm not really sure what to > test. The watermarking only applies to messages received with a null sender (ie delivery error notifications). The idea is that by spotting a valid watermark, you can see that a message delivery error came from a delivery you attempted, and that it is not a joe-job attack (where vast quantities of spam are sent out claiming to come from you, so that you get all the delivery error messages. This can be used as a DoS attack on your site, by overwhelming you with delivery error messages. And it's a right pain too). Jules From glenn.steen at gmail.com Fri Jul 13 22:32:26 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Jul 13 22:32:27 2007 Subject: Watermarking returns+ graphical signatures In-Reply-To: <4697D249.6040808@coders.co.uk> References: <4696737B.7040805@ecs.soton.ac.uk> <46973956.6030303@coders.co.uk> <223f97700707131201l5671cc51iffc232f92e663e93@mail.gmail.com> <4697D249.6040808@coders.co.uk> Message-ID: <223f97700707131432m4e140f71q604d9f77777306d3@mail.gmail.com> On 13/07/07, Matt Hampton wrote: > Glenn Steen wrote: > > Right, so how crackable will this be? Some of the headers will be ever > > the same, as will the secret... I suppose you've added in some headers > > that will change? and something else? so that it isn't obvious, with a > > little knowledge, how to brute force the secret... and then have a > > "highway" past MailScanner... Which would be, obviously, very bad...:) > > Hey it weren't my idea ;-) > > The current code only contains the milter-null functionality which is > currently not working due to a mixup between me and jules. > > The hash is calculated based on > > a secret, > Subject > Date > From > To > User-Agent > Message-ID > An expiry time > > Is that enough for you? :-) > Maybe, I obviously am going to have to look at some code and decide for myself. . .:) where the key part likely will be the secret itself and that extra. . . Just want to be extra sure before starting to use something like this;) > matt -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Fri Jul 13 22:39:44 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 13 22:40:14 2007 Subject: Watermarking should do something now In-Reply-To: <4697E81B.9050703@fractalweb.com> References: <4697DF57.5000809@ecs.soton.ac.uk> <4697E81B.9050703@fractalweb.com> Message-ID: <4697F120.5090503@ecs.soton.ac.uk> I have just revised the documentation, so that it now reflects what actually happens with the watermarking functionality. Either install the new release or else just read http://www.mailscanner.info/MailScanner.conf.index.html#Add%20Watermark and the related items for other watermark checks. Chris Yuzik wrote: > Julian Field wrote: >> I have hopefully fixed the watermarking setup so it should do >> something now :-) >> You'll need to upgrade_MailScanner_conf to pick up the new options >> and their docs. >> >> Release 4.62.3-2. > > Jules, > > Did the upgrade to latest beta. Made changes to MailScanner.conf. > Restarted MailScanner. > > Did same test as this morning. > > 1. Sent message from user "a" to user "b" > 2. User "b" replied to user "a" message with gtube. > 3. MailScanner tagged message as spam with a score of 997.40 and > quarantined it. > > I can run further tests if you like, but I'm not really sure what to > test. > > Cheers, > Chris Jules From uxbod at splatnix.net Fri Jul 13 22:49:33 2007
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Fri Jul 13 22:49:39 2007 Subject: Watermarking should do something now In-Reply-To: <4697F120.5090503@ecs.soton.ac.uk> References: <4697F120.5090503@ecs.soton.ac.uk> Message-ID: <80c64ecc0e4d11c063518232d47eae97@62.49.223.244> Jules, and the FSL staff, what is the pending patent number ? Thanks, On Fri, 13 Jul 2007 22:39:44 +0100, Julian Field wrote: > I have just revised the documentation, so that it now reflects what > actually happens with the watermarking functionality. > > Either install the new release or else just read > http://www.mailscanner.info/MailScanner.conf.index.html#Add%20Watermark > and the related items for other watermark checks. > > > Chris Yuzik wrote: >> Julian Field wrote: >>> I have hopefully fixed the watermarking setup so it should do >>> something now :-) >>> You'll need to upgrade_MailScanner_conf to pick up the new options >>> and their docs. >>> >>> Release 4.62.3-2. >> >> Jules, >> >> Did the upgrade to latest beta. Made changes to MailScanner.conf. >> Restarted MailScanner. >> >> Did same test as this morning. >> >> 1. Sent message from user "a" to user "b" >> 2. User "b" replied to user "a" message with gtube. >> 3. MailScanner tagged message as spam with a score of 997.40 and >> quarantined it. >> >> I can run further tests if you like, but I'm not really sure what to >> test. >> >> Cheers, >> Chris > > Jules -- --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net From hvdkooij at vanderkooij.org Fri Jul 13 22:53:08 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Fri Jul 13 22:53:18 2007 Subject: Spam getting through [dr.defrimkerqagu yahoo.com: {Spam?}SOS Kosovo] In-Reply-To: References: <20070711141152.GA29353@doctor.nl2k.ab.ca> Message-ID: On Fri, 13 Jul 2007, defrim kerqagu wrote: > please if you can tell me why you reported me as a spam. Short version: Free email services are a menace. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From cabrera at hyettemail.com Fri Jul 13 23:10:28 2007 From: cabrera at hyettemail.com (Manuel Cabrera Caballero) Date: Fri Jul 13 23:10:40 2007 Subject: testing mailscanner In-Reply-To: <4697F120.5090503@ecs.soton.ac.uk> References: <4697DF57.5000809@ecs.soton.ac.uk> <4697E81B.9050703@fractalweb.com> <4697F120.5090503@ecs.soton.ac.uk> Message-ID: <4697F854.6070400@hyettemail.com> Hi, I Install the beta of mailscanner with postfix and clamav and wanted to know a form to know if this or not filtering mails as it had to be Mails enters and leaves the server or, but I do not see something in maillog that it says to me if this is ok Only with MailScanner.conf -- Debug = yes ??? Log Speed = yes Log Spam = yes etc.. Excuse my poor english From ssilva at sgvwater.com Fri Jul 13 23:20:19 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Jul 13 23:20:36 2007 Subject: Spam getting through [dr.defrimkerqagu yahoo.com: {Spam?}SOS Kosovo] In-Reply-To: References: <20070711141152.GA29353@doctor.nl2k.ab.ca> Message-ID: defrim kerqagu spake the following on 7/13/2007 11:00 AM: > > please if you can tell me why you reported me as a spam. > Looks like spam to me! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From glenn.steen at gmail.com Fri Jul 13 23:22:46 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Jul 13 23:22:48 2007 Subject: Watermarking returns+ graphical signatures In-Reply-To: References: <223f97700707131201l5671cc51iffc232f92e663e93@mail.gmail.com> Message-ID: <223f97700707131522h367c9113k712c1beb035c82f4@mail.gmail.com> On 13/07/07, --[ UxBoD ]-- wrote: > Glenn, > > Have it installed now, and the fact that MD5 is being used then I would > imagine very secure. I have not looked at the code yet to see how easy it > would be to reverse engineer, but I reckon that all is good. MD5 is OK as hash function, yes, but it is only that.... no magic at all... If the things you are hashing are easily determined (except for a simple secret), then you would be open to a brute force attack on that part (the secret... This is why it is still imperative to protect your password hashes, even if you do use MD5 passwords;-). In this particular case I'm thinking that Matt&Jules probably have added enough, as long as everything isn't readable from the message. What makes it likely a useable thing is the expiry, which is what I'll have to look more closely at (I'm thinking this thing could be very useful for setups like mine... small to medium corporate thingies... So I really want this to be workable:-). I'll perhaps get some time next week for code review:-). > I am still disappointed that no one has posted the patent pending number > for the FSL solution. Would be very interesting reading, especially due to > what this watermark is doing and without affecting the US patent ie. > additional header and encrypted with key. The small frustrations of life, I guess....:-):-) > Regards, > > On Fri, 13 Jul 2007 21:01:18 +0200, "Glenn Steen" > wrote: > > On 13/07/07, Matt Hampton wrote: > >> Sattler, Tim wrote: > >> > Julian Field wrote: > >> > > >> >> Firstly, the watermarking functionality has returned. But this time it > >> >> is implemented differently so is safe from all patent problems. It is > >> >> implemented in pretty much the same way that milter-null does it. > >> > > >> > We have two MailScanner gateways both handling incoming and outgoing > >> > mail, so the reply to a message does not necessarily come in the > >> > same way the message went out. Does the watermarking functionality > >> > work in such a setup as well? > >> > >> Yes - the hash is calculated on the envelope from and then various > >> headers within the message itself and combined with your secret and > >> a timestamp. It is then added as a header. > >> > >> When the message comes back in it uses the envelope to and then looks > >> for the headers in the message body and checks the match and the expiry. > >> > >> matt > >> > > Right, so how crackable will this be? Some of the headers will be ever > > the same, as will the secret... I suppose you've added in some headers > > that will change? and something else? so that it isn't obvious, with a > > little knowledge, how to brute force the secret... and then have a > > "highway" past MailScanner... Which would be, obviously, very bad...:) > > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From itdept at fractalweb.com Fri Jul 13 23:48:57 2007
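The watermark scheme described in this thread (a keyed hash over the envelope address, the listed headers and an expiry, carried in a header and checked on null-sender mail), as an added example that is not MailScanner's code or part of any post. The header name, the seven-day lifetime, the sample messages and the use of HMAC-SHA256 in place of the MD5 mentioned in the thread are assumptions of this example.

```python
import hashlib
import hmac
from email import message_from_string
from email.message import Message

WM_HEADER = "X-Example-Watermark"  # hypothetical header name, not MailScanner's
SIGNED = ("Subject", "Date", "From", "To", "User-Agent", "Message-ID")  # fields listed in the thread
SECRET = b"constructed-demo-secret"  # constructed; a real secret should be long and random
NOW = 1184360475                     # constructed timestamp


def _tag(secret, envelope_addr, msg, expiry):
    """Keyed digest over the envelope address, the expiry and the listed headers."""
    fields = [envelope_addr.lower(), str(expiry)]
    # Collapse whitespace so a relay that refolds a header does not break the check.
    fields += [" ".join(str(msg.get(name) or "").split()) for name in SIGNED]
    # Length-prefix every field so content cannot be shifted from one field to the next.
    data = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(secret, data, hashlib.sha256).hexdigest()[:32]


def add_watermark(secret, envelope_from, msg, now, lifetime=7 * 86400):
    """Outbound side: stamp the message with '<expiry>:<tag>' (lifetime is an assumption)."""
    expiry = now + lifetime
    msg[WM_HEADER] = f"{expiry}:{_tag(secret, envelope_from, msg, expiry)}"
    return msg


def returned_headers(bounce):
    """Locate the headers of the returned message inside a delivery report."""
    for part in bounce.walk():
        payload = part.get_payload()
        if part.get_content_type() == "message/rfc822" and isinstance(payload, list) and payload:
            return payload[0]
        if part.get_content_type() == "text/rfc822-headers" and isinstance(payload, str):
            return message_from_string(payload)
    return None


def check_bounce(secret, envelope_to, bounce, now):
    """Classify a null-sender message as 'valid', 'expired', 'forged' or 'missing'."""
    inner = returned_headers(bounce)
    stamp = inner.get(WM_HEADER) if inner is not None else None
    if stamp is None:
        return "missing"
    expiry_text, _, claimed = str(stamp).strip().partition(":")
    if not (expiry_text.isascii() and expiry_text.isdigit()):
        return "forged"
    expected = _tag(secret, envelope_to, inner, int(expiry_text))
    # The expiry is covered by the tag, so verify the tag before trusting the expiry.
    if not hmac.compare_digest(expected.encode(), claimed.encode("utf-8", "replace")):
        return "forged"
    return "valid" if now <= int(expiry_text) else "expired"


def sample_outbound():
    """Constructed message from a@example.org to b@example.net."""
    msg = Message()
    msg["From"], msg["To"] = "a@example.org", "b@example.net"
    msg["Subject"] = "Quarterly report"
    msg["Date"] = "Fri, 13 Jul 2007 22:01:15 +0100"
    msg["User-Agent"] = "ExampleMail 1.0"
    msg["Message-ID"] = "<constructed-1@example.org>"
    msg.set_payload("Hello\n")
    return msg


def wrap_in_bounce(original_text):
    """Constructed delivery report (null sender) that carries original_text."""
    return message_from_string(
        "Return-Path: <>\nFrom: MAILER-DAEMON@mx.example.net\nTo: a@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nDelivery to b@example.net failed.\n"
        "--b1\nContent-Type: message/rfc822\n\n" + original_text + "\n--b1--\n"
    )


def demo():
    """Run the check over a genuine bounce and three that should not pass."""
    sent = add_watermark(SECRET, "a@example.org", sample_outbound(), NOW).as_string()
    genuine = wrap_in_bounce(sent)
    joe_job = wrap_in_bounce(sample_outbound().as_string())  # never stamped by us
    reused = wrap_in_bounce(sent.replace("Quarterly report", "Cheap pills"))  # stamp copied onto other mail
    later = NOW + 3600
    return {
        "genuine": check_bounce(SECRET, "a@example.org", genuine, later),
        "after_expiry": check_bounce(SECRET, "a@example.org", genuine, NOW + 8 * 86400),
        "joe_job": check_bounce(SECRET, "a@example.org", joe_job, later),
        "reused_stamp": check_bounce(SECRET, "a@example.org", reused, later),
        "other_recipient": check_bounce(SECRET, "c@example.org", genuine, later),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```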
From: itdept at fractalweb.com (Chris Yuzik) Date: Fri Jul 13 23:49:19 2007 Subject: Watermarking should do something now In-Reply-To: <4697EE12.7050607@ecs.soton.ac.uk> References: <4697DF57.5000809@ecs.soton.ac.uk> <4697E81B.9050703@fractalweb.com> <4697EE12.7050607@ecs.soton.ac.uk> Message-ID: <46980159.30101@fractalweb.com> Jules, Let me ask you this then: Is it possible to make this work as I had hoped it would? For example: 1. Let's say "user a" on our system sends an email to "user b". 2. MailScanner adds the watermark 3. "user b" replies back with something that would normally get tagged as spam, but because it's a reply to a message that originated on our system, we let it through anyways no matter how "spammy" the reply might be. What do you think? Chris From mailscanner at tecnowaydigital.com.br Sat Jul 14 01:41:29 2007 From: mailscanner at tecnowaydigital.com.br (MailScanner) Date: Sat Jul 14 02:27:05 2007 Subject: Auto Reply Message-ID: <001001c7c5b6$08058e10$0705a8c0@twdnb01> I everybody ! Can I create any MailScanner rule to do a autoreply (like vacation) function ? Thanks Rogério Wiethorn From ka at pacific.net Sat Jul 14 02:42:13 2007
From: ka at pacific.net (Ken A) Date: Sat Jul 14 02:42:15 2007 Subject: Auto Reply In-Reply-To: <001001c7c5b6$08058e10$0705a8c0@twdnb01> References: <001001c7c5b6$08058e10$0705a8c0@twdnb01> Message-ID: <469829F5.7070903@pacific.net> MailScanner wrote: > I everybody ! > > Can I create any MailScanner rule to do a autoreply (like vacation) function ? > > Thanks > > Rogério Wiethorn No, generally MailScanner (Julian) doesn't like to auto email anything/anyone. So such ideas are frowned upon due to the high probability that such implementations would be (and are) abused to great effect by spammers. Ken -- Ken Anderson Pacific.Net From mailscanner at tecnowaydigital.com.br Sat Jul 14 02:59:33 2007 From: mailscanner at tecnowaydigital.com.br (Rogério Jr.) Date: Sat Jul 14 02:59:54 2007 Subject: Auto Reply References: <001001c7c5b6$08058e10$0705a8c0@twdnb01> <469829F5.7070903@pacific.net> Message-ID: <00cd01c7c5ba$9feb37d0$0705a8c0@twdnb01> So, what can I use when my users ask me a solution to notify senders when they are at vacation ? ----- Original Message ----- From: "Ken A" To: "MailScanner discussion" Sent: Friday, July 13, 2007 10:42 PM Subject: Re: Auto Reply > MailScanner wrote: >> I everybody ! >> >> Can I create any MailScanner rule to do a autoreply (like vacation) >> function ? >> >> Thanks >> >> Rogério Wiethorn > > No, generally MailScanner (Julian) doesn't like to auto email > anything/anyone. So such ideas are frowned upon due to the high > probability that such implementations would be (and are) abused to great > effect by spammers. > > Ken > > > -- > Ken Anderson > Pacific.Net From glenn.steen at gmail.com Sat Jul 14 03:32:59 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Jul 14 03:33:00 2007 Subject: Auto Reply In-Reply-To: <00cd01c7c5ba$9feb37d0$0705a8c0@twdnb01> References: <001001c7c5b6$08058e10$0705a8c0@twdnb01> <469829F5.7070903@pacific.net> <00cd01c7c5ba$9feb37d0$0705a8c0@twdnb01> Message-ID: <223f97700707131932y72b47b72u7d9413e0f166b067@mail.gmail.com> On 14/07/07, Rogério Jr. wrote: > So, what can I use when my users ask me a solution to notify > senders when they are at vacation ? > In the best of worlds.... nothing. Barring that (and after explaining the point Ken made) you could always try convince them that they would be better off doing mailbox delegations.... and barring that.... well, is vacation still working, anyone?:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From r.berber at computer.org Sat Jul 14 04:20:23 2007 From: r.berber at computer.org (René Berber) Date: Sat Jul 14 04:20:48 2007 Subject: Auto Reply In-Reply-To: <223f97700707131932y72b47b72u7d9413e0f166b067@mail.gmail.com> References: <001001c7c5b6$08058e10$0705a8c0@twdnb01> <469829F5.7070903@pacific.net> <00cd01c7c5ba$9feb37d0$0705a8c0@twdnb01> <223f97700707131932y72b47b72u7d9413e0f166b067@mail.gmail.com> Message-ID: Glenn Steen wrote: > On 14/07/07, Rogério Jr. wrote: >> So, what can I use when my users ask me a solution to notify >> senders when they are at vacation ? >> > In the best of worlds.... nothing. > Barring that (and after explaining the point Ken made) you could always > try convince them that they would be better off doing mailbox > delegations.... and barring that.... well, is vacation still working, > anyone?:-) Yes, vacation still works. Hint for OP: it comes with sendmail. -- René Berber From leiw324 at yahoo.com.hk Sat Jul 14 04:22:50 2007
From: leiw324 at yahoo.com.hk (Wilson Kwok) Date: Sat Jul 14 04:22:53 2007 Subject: How to uninstall MailScanner ? Message-ID: <678323.62028.qm@web54402.mail.yahoo.com> Hello, Can anyone teach me how to uninstall MailScanner ? Thanks From itdept at fractalweb.com Sat Jul 14 05:46:29 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Sat Jul 14 05:46:52 2007 Subject: How to uninstall MailScanner ? In-Reply-To: <678323.62028.qm@web54402.mail.yahoo.com> References: <678323.62028.qm@web54402.mail.yahoo.com> Message-ID: <46985525.1040508@fractalweb.com> Wilson Kwok wrote: > Hello, > > Can anyone teach me how to uninstall MailScanner ? > > > Thanks Wilson, Well, gee, I've never wanted to uninstall MailScanner. That said, the answer to your question lies in how exactly you installed it in the first place. If you did it from RPM, then it would be different from if you did it from a tarball. How did you install it in the first place? Chris From hvdkooij at vanderkooij.org Sat Jul 14 08:20:32 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Jul 14 08:20:39 2007 Subject: Auto Reply In-Reply-To: <001001c7c5b6$08058e10$0705a8c0@twdnb01> References: <001001c7c5b6$08058e10$0705a8c0@twdnb01> Message-ID: On Fri, 13 Jul 2007, MailScanner wrote: > Can I create any MailScanner rule to do a autoreply (like vacation) function ? So you want to build a SPAM amplifier? People have been flogged here for less. Hugo. From hvdkooij at vanderkooij.org Sat Jul 14 08:25:26 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Jul 14 08:25:41 2007 Subject: Auto Reply In-Reply-To: References: <001001c7c5b6$08058e10$0705a8c0@twdnb01> <469829F5.7070903@pacific.net> <00cd01c7c5ba$9feb37d0$0705a8c0@twdnb01> <223f97700707131932y72b47b72u7d9413e0f166b067@mail.gmail.com> Message-ID: On Fri, 13 Jul 2007, René Berber wrote: > Glenn Steen wrote: > >> On 14/07/07, Rogério Jr. wrote: >>> So, what can I use when my users ask me a solution to notify >>> senders when they are at vacation ? >>> >> In the best of worlds.... nothing. >> Barring that (and after explaining the point Ken made) you could always >> try convince them that they would be better off doing mailbox >> delegations.... and barring that.... well, is vacation still working, >> anyone?:-) > > Yes, vacation still works. Hint for OP: it comes with sendmail. Well. I think I can probably write some .procmail recipe that is 10 times less problematic than your average annoying Exchange autoresponder. It's just that I hate the buggers sufficiently not wanting to add another menace by building my own autoresponder. Hugo. From hvdkooij at vanderkooij.org Sat Jul 14 08:27:07 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Jul 14 08:27:21 2007 Subject: How to uninstall MailScanner ? In-Reply-To: <678323.62028.qm@web54402.mail.yahoo.com> References: <678323.62028.qm@web54402.mail.yahoo.com> Message-ID: On Sat, 14 Jul 2007, Wilson Kwok wrote: > Hello, > > Can anyone teach me how to uninstall MailScanner ? `rm -rf /` should get rid of it. It will probably also kill your resume and your job at that but those are minor nuisances. Hugo. From jan-peter at koopmann.eu Sat Jul 14 09:53:38 2007 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Sat Jul 14 09:52:57 2007 Subject: Auto Reply In-Reply-To: References: <001001c7c5b6$08058e10$0705a8c0@twdnb01><469829F5.7070903@pacific.net> Message-ID: > So, what can I use when my users ask me a solution to notify > senders when they are at vacation ? Depends on your environment. If you use Exchange/Notes, you can use their vacation system (even though it greatly sucks). With sendmail, exim, procmail etc. you get much more sophisticated systems. Without more information, there really is no way to tell. From jan-peter at koopmann.eu Sat Jul 14 09:57:22 2007 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Sat Jul 14 09:56:41 2007 Subject: Watermarking should do something now In-Reply-To: References: <4697F120.5090503@ecs.soton.ac.uk> Message-ID: The list is quite high volume: > Jules, and the FSL staff, > > what is the pending patent number ? Have you tried contacting fsl directly? If so and they have not given it to you yet I suspect they do not want to release it at this particular time. Be patient. Regards, JP From uxbod at splatnix.net Sat Jul 14 10:53:04 2007
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Sat Jul 14 10:53:08 2007 Subject: Latest Release In-Reply-To: References: Message-ID: <62c9e9ed6411ccf8729594cf74cd98ee@62.49.223.244> works a treat. Less and less spam etc is getting through. Congrats Jules. On Sat, 14 Jul 2007 10:57:22 +0200, "Koopmann, Jan-Peter" wrote: > The list is quite high volume: > >> Jules, and the FSL staff, >> >> what is the pending patent number ? > > Have you tried contacting fsl directly? If so and they have not given it > to you yet I suspect they do not want to release it at this particular > time. Be patient. > > Regards, > JP -- --[ UxBoD ]-- From mogens at fumlersoft.dk Sat Jul 14 11:40:57 2007
From: mogens at fumlersoft.dk (Mogens Melander) Date: Sat Jul 14 11:40:08 2007 Subject: Spam getting through [dr.defrimkerqagu yahoo.com: {Spam?}SOS Kosovo] In-Reply-To: References: <20070711141152.GA29353@doctor.nl2k.ab.ca> Message-ID: <1400.90.184.16.67.1184409657.squirrel@mail.fumlersoft.dk> I got your mail, and sure, I did deem it spam, maybe even "nigeria-scam" class. On Fri, July 13, 2007 20:00, defrim kerqagu wrote: > > > please if you can tell me why you reported me as a spam. -- Later Mogens Melander +45 40 85 71 38 +66 870 133 224 From alex at nkpanama.com Sat Jul 14 14:48:17 2007 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Sat Jul 14 14:49:11 2007 Subject: Auto Reply In-Reply-To: References: <001001c7c5b6$08058e10$0705a8c0@twdnb01> <469829F5.7070903@pacific.net> <00cd01c7c5ba$9feb37d0$0705a8c0@twdnb01> <223f97700707131932y72b47b72u7d9413e0f166b067@mail.gmail.com> Message-ID: <4698D421.90305@nkpanama.com> Hugo van der Kooij wrote: > >> >> Yes, vacation still works. Hint for OP: it comes with sendmail. > You can also achieve the same functionality with Webmin's version - which is also built into Usermin so that users themselves can update their preferences. I like that it can give you an option *not* to respond again if you receive a second (or third, etc.) e-mail from the same person within a specific timeframe (say, the length of your vacation). > Hugo. > From alex at nkpanama.com Sat Jul 14 14:50:47 2007
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Sat Jul 14 14:51:37 2007 Subject: How to uninstall MailScanner ? In-Reply-To: References: <678323.62028.qm@web54402.mail.yahoo.com> Message-ID: <4698D4B7.8060500@nkpanama.com> Hugo van der Kooij wrote: > On Sat, 14 Jul 2007, Wilson Kwok wrote: > >> Hello, >> >> Can anyone teach me how to uninstall MailScanner ? > > `rm -rf /` should get rid of it. It will probably also kill your > resume and your job at that but those are minor nuisances. > Ouch! Seems to be Hugo's newbie patience quota is running a little low these days ;-) But in all fairness, it all comes down to stopping MailScanner and restarting your regular MTA "by itself", and telling your system to "keep it that way". As pointed out before, on a RedHat-like system using RPM's, that would be something like "chkconfig MailScanner off" followed by "chkconfig sendmail on" or something similar. I wouldn't get rid of the MailScanner install just yet - users will be screaming for it to come back! :-) > Hugo. > From glenn.steen at gmail.com Sat Jul 14 16:31:53 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Jul 14 16:31:55 2007 Subject: Auto Reply In-Reply-To: References: <001001c7c5b6$08058e10$0705a8c0@twdnb01> <469829F5.7070903@pacific.net> <00cd01c7c5ba$9feb37d0$0705a8c0@twdnb01> <223f97700707131932y72b47b72u7d9413e0f166b067@mail.gmail.com> Message-ID: <223f97700707140831r58a15910j4e6f7183d43a1ce4@mail.gmail.com> On 14/07/07, Hugo van der Kooij wrote: > On Fri, 13 Jul 2007, René Berber wrote: > > > Glenn Steen wrote: > > > >> On 14/07/07, Rogério Jr. wrote: > >>> So, what can I use when my users ask me a solution to notify > >>> senders when they are at vacation ? > >>> > >> In the best of worlds.... nothing. > >> Barring that (and after explaining the point Ken made) you could always > >> try convince them that they would be better off doing mailbox > >> delegations.... and barring that.... well, is vacation still working, > >> anyone?:-) > > > > Yes, vacation still works. Hint for OP: it comes with sendmail. > > Well. I think I can probably write some .procmail recipe that is 10 times > less problematic than your average annoying Exchange autoresponder. It's > just that I hate the buggers sufficiently not wanting to add another > menace by building my own autoresponder. > > Hugo. > Very true Hugo.... As you probably guessed from my reasoning, I'm less than enthused myself... And mystified, by the users and the PHBs enormously dense minds.... They've seen the results of bad autoresponders, I've explained it (in detail) ... and they _still_ are adamant that they _need_ it. Sigh. I give up. It's been noted in protocols, and is now on the PHBs head. I wash my hands;). Just goes to show the wonders of corporate life, I guess:-D Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From r.berber at computer.org Sat Jul 14 21:33:37 2007
From: r.berber at computer.org (René Berber) Date: Sat Jul 14 21:33:56 2007 Subject: Auto Reply In-Reply-To: <4698D421.90305@nkpanama.com> References: <001001c7c5b6$08058e10$0705a8c0@twdnb01> <469829F5.7070903@pacific.net> <00cd01c7c5ba$9feb37d0$0705a8c0@twdnb01> <223f97700707131932y72b47b72u7d9413e0f166b067@mail.gmail.com> <4698D421.90305@nkpanama.com> Message-ID: Alex Neuman van der Hans wrote: >>> Yes, vacation still works. Hint for OP: it comes with sendmail. >> > You can also achieve the same functionality with Webmin's version - Webmin uses sendmail's vacation. > which is also built into Usermin so that users themselves can update > their preferences. I like that it can give you an option *not* to > respond again if you receive a second (or third, etc.) e-mail from the > same person within a specific timeframe (say, the length of your vacation). That's standard behavior with sendmail's vacation. -- René Berber From glenn.steen at gmail.com Sat Jul 14 22:04:40 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Jul 14 22:04:41 2007
Subject: Auto Reply
In-Reply-To:
References: <001001c7c5b6$08058e10$0705a8c0@twdnb01> <469829F5.7070903@pacific.net> <00cd01c7c5ba$9feb37d0$0705a8c0@twdnb01> <223f97700707131932y72b47b72u7d9413e0f166b067@mail.gmail.com> <4698D421.90305@nkpanama.com>
Message-ID: <223f97700707141404q1aeaed9clf55881df4c83232@mail.gmail.com>

On 14/07/07, René Berber wrote:
> Alex Neuman van der Hans wrote:
>
> >>> Yes, vacation still works. Hint for OP: it comes with sendmail.
> >>
> > You can also achieve the same functionality with Webmin's version -
>
> Webmin uses sendmail's vacation.
>
> > which is also built into Usermin so that users themselves can update
> > their preferences. I like that it can give you an option *not* to
> > respond again if you receive a second (or third, etc.) e-mail from the
> > same person within a specific timeframe (say, the length of your vacation).
>
> That's standard behavior with sendmail's vacation.
> --
> René Berber
>
Forgot to say thanks for the info before, René so ... I'll do it now:-). Thanks for the info, good to know the ol' dragons die hard;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mailadmin at baladia.gov.kw Sun Jul 15 19:06:43 2007
From: mailadmin at baladia.gov.kw (mailadmin@baladia.gov.kw)
Date: Sun Jul 15 19:48:15 2007
Subject: installation for mailscanner
Message-ID: <1744.62.150.152.226.1184522803.squirrel@webmail.baladia.gov.kw>

Dear All,

I am new to mailscanner n have gone through the docs..
but wanna clear a few doubts b4

the following have already been installed

Centos 4.5
perl-5.8.5-36.RHEL4
spamassassin-3.2.1-1.el4.rf
clamav-0.91-1.el4.rf

I downloaded the (install-Clam-0.91-SA-3.2.1) and read the install.sh
script says
--------------------------------------------------
'If you want to use MailScanners support for Clamd (virus-scanning'
echo 'daemon) then I recommend you cancel this script now (press Ctrl-C)'
echo 'and install the RPMs for clamav, clamav-db and clamd from'
echo ' http://dag.wieers.com/rpm/packages/clamav'

---------------------------------------------------------

so i did the above and hence have the above

but later in the install script i see the following

----------------------------------------------------------------------
echo
echo '*** IMPORTANT ***'
sleep 2
echo I could not find your MailScanner virus.scanners.conf file.
echo Please locate the file yourself and edit the clamav and clamd lines in it.
echo On those 2 lines, the path at the end of each line needs to be $CLAMPRINT.
-----------------------------------------------------------------------

now im confused ..

1) do i need to run the install.sh script in /install-Clam-0.91-SA-3.2.1
directory since it will install not only clamav but also spamassassin as i
don't see any clamav.conf file. OR do i have to install the mailScanner
software first

appreciate if you can tell me the steps

also i see that
echo 'Now you need to install:'
echo '1) Razor-agents-sdk and Razor2 from http://razor.sourceforge.net/ and'
echo '2) DCC from http://www.rhyolite.com/anti-spam/dcc/ and'
echo '3) Rules_Du_Jour from http://www.fsl.com/support'

how do i know if my system has already the above installed .

Thanks and Appreciate

regards

simon

From glenn.steen at gmail.com Sun Jul 15 21:08:52 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Jul 15 21:08:54 2007
Subject: installation for mailscanner
In-Reply-To: <1744.62.150.152.226.1184522803.squirrel@webmail.baladia.gov.kw>
References: <1744.62.150.152.226.1184522803.squirrel@webmail.baladia.gov.kw>
Message-ID: <223f97700707151308m6ae735bcxc570c8af1945fba5@mail.gmail.com>

On 15/07/07, mailadmin@baladia.gov.kw wrote:
>
> Dear All,
>
> I am new to mailscanner n have gone through the docs..
> but wanna clear a few doubts b4
>
> the following have already been installed
>
> Centos 4.5
> perl-5.8.5-36.RHEL4
> spamassassin-3.2.1-1.el4.rf
> clamav-0.91-1.el4.rf
>
> I downloaded the (install-Clam-0.91-SA-3.2.1) and read the install.sh
> script says
> --------------------------------------------------
> 'If you want to use MailScanners support for Clamd (virus-scanning'
> echo 'daemon) then I recommend you cancel this script now (press Ctrl-C)'
> echo 'and install the RPMs for clamav, clamav-db and clamd from'
> echo ' http://dag.wieers.com/rpm/packages/clamav'
>
> ---------------------------------------------------------
>
> so i did the above and hence have the above

Fine.

> but later in the install script i see the following
>
> ----------------------------------------------------------------------
> echo
> echo '*** IMPORTANT ***'
> sleep 2
> echo I could not find your MailScanner virus.scanners.conf file.
> echo Please locate the file yourself and edit the clamav and clamd lines
> in it.
> echo On those 2 lines, the path at the end of each line needs to be
> $CLAMPRINT.
> -----------------------------------------------------------------------
>
> now im confused ..
>
> 1) do i need to run the install.sh script in /install-Clam-0.91-SA-3.2.1
> directory since it will install not only clamav but also spamassassin as i
> don't see any clamav.conf file. OR do i have to install the mailScanner
> software first

With what you have already you don't need to install Jules clam+SA package, no.
You are basically ready to install the main MailScanner package now (via the rpm package and running the install.sh in that... not reading it... Methinks you should lay off reading the install.sh scripts in favour of actually running them, they will tell you everything you need know....;-).

> appreciate if you can tell me the steps

If you are keen on reading up on things, you are better off reading:
1) Jules page on installation.
2) The MAQ and the wiki.
3) The book.

> also i see that
> echo 'Now you need to install:'
> echo '1) Razor-agents-sdk and Razor2 from http://razor.sourceforge.net/ and'
> echo '2) DCC from http://www.rhyolite.com/anti-spam/dcc/ and'
> echo '3) Rules_Du_Jour from http://www.fsl.com/support'
>
> how do i know if my system has already the above installed .

You don't. Go get them (and possibly pyzor too)... The MAQ and wiki has all relevant details on this too.

>
> Thanks and Appreciate
>
>
> regards
>
> simon

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sun Jul 15 21:11:31 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Jul 15 21:11:33 2007
Subject: installation for mailscanner
In-Reply-To: <223f97700707151308m6ae735bcxc570c8af1945fba5@mail.gmail.com>
References: <1744.62.150.152.226.1184522803.squirrel@webmail.baladia.gov.kw> <223f97700707151308m6ae735bcxc570c8af1945fba5@mail.gmail.com>
Message-ID: <223f97700707151311n44cd99abje6b6b9ac08b59e6b@mail.gmail.com>

On 15/07/07, Glenn Steen wrote:
> On 15/07/07, mailadmin@baladia.gov.kw wrote:
(snip)
> > also i see that
> > echo 'Now you need to install:'
> > echo '1) Razor-agents-sdk and Razor2 from http://razor.sourceforge.net/ and'
> > echo '2) DCC from http://www.rhyolite.com/anti-spam/dcc/ and'
> > echo '3) Rules_Du_Jour from http://www.fsl.com/support'
> >
> > how do i know if my system has already the above installed .
> You don't. Go get them (and possibly pyzor too)... The MAQ and wiki has
> all relevant details on this too.

You don't have them already, is what I meant to say:-). So go get 'em...

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Sun Jul 15 21:56:19 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 15 21:56:51 2007
Subject: installation for mailscanner
In-Reply-To: <1744.62.150.152.226.1184522803.squirrel@webmail.baladia.gov.kw>
References: <1744.62.150.152.226.1184522803.squirrel@webmail.baladia.gov.kw>
Message-ID: <469A89F3.9060209@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

1. Remove the spamassassin rpm with
   rpm -e spamassassin
2. Install MailScanner.
3. Then install my ClamAV+SpamAssassin package, tell it not to install ClamAV (just run the script, it will prompt you). Tell it that clamscan is installed in /usr/bin/clamscan (it will prompt you for this too).
4. Install Razor and DCC (your system won't already have them, they aren't in any standard Linux distributions).
5. Either install RulesDuJour (see www.fsl.com/support) or else read my recent posting to the list entitled
   HOWTO: Adding extra rulesets to SpamAssassin
   (posted on 8th July 2007)

By the way, there's one mistake in there. You need to do
   mkdir /etc/mail/spamassassin/sa-update-keys
before you do the command with '--import' in it. Otherwise you'll get an error message from it.

It is arguable that my HOWTO is nowadays a better way to do it than RulesduJour.

I wouldn't bother wading through reading all my install.sh scripts. Just run them, they stop to give you time to read things. And they will ask you if they need to know anything.

mailadmin@baladia.gov.kw wrote:
> Dear All,
>
> I am new to mailscanner n have gone through the docs..
> but wanna clear a few doubts b4
>
> the following have already been installed
>
> Centos 4.5
> perl-5.8.5-36.RHEL4
> spamassassin-3.2.1-1.el4.rf
> clamav-0.91-1.el4.rf
>
> I downloaded the (install-Clam-0.91-SA-3.2.1) and read the install.sh
> script says
> --------------------------------------------------
> 'If you want to use MailScanners support for Clamd (virus-scanning'
> echo 'daemon) then I recommend you cancel this script now (press Ctrl-C)'
> echo 'and install the RPMs for clamav, clamav-db and clamd from'
> echo ' http://dag.wieers.com/rpm/packages/clamav'
>
> ---------------------------------------------------------
>
> so i did the above and hence have the above
>
> but later in the install script i see the following
>
> ----------------------------------------------------------------------
> echo
> echo '*** IMPORTANT ***'
> sleep 2
> echo I could not find your MailScanner virus.scanners.conf file.
> echo Please locate the file yourself and edit the clamav and clamd lines
> in it.
> echo On those 2 lines, the path at the end of each line needs to be
> $CLAMPRINT.
> -----------------------------------------------------------------------
>
> now im confused ..
>
> 1) do i need to run the install.sh script in /install-Clam-0.91-SA-3.2.1
> directory since it will install not only clamav but also spamassassin as i
> don't see any clamav.conf file. OR do i have to install the mailScanner
> software first
>
> appreciate if you can tell me the steps
>
> also i see that
> echo 'Now you need to install:'
> echo '1) Razor-agents-sdk and Razor2 from http://razor.sourceforge.net/ and'
> echo '2) DCC from http://www.rhyolite.com/anti-spam/dcc/ and'
> echo '3) Rules_Du_Jour from http://www.fsl.com/support'
>
> how do i know if my system has already the above installed .
>
>
> Thanks and Appreciate
>
>
> regards
>
> simon
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGmon0EfZZRxQVtlQRAqMqAJoD+IpW1rfSqM+of/SUZi/+Aheo+ACg9b/p
BVn2p+zt3EOhAtj17xryWz4=
=8TDv
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From leiw324 at yahoo.com.hk Sun Jul 15 22:59:12 2007
From: leiw324 at yahoo.com.hk (Wilson Kwok)
Date: Sun Jul 15 22:59:15 2007
Subject: Uninstall MailScanner
Message-ID: <565979.34098.qm@web54404.mail.yahoo.com>

Hello,

I was posted this message, but still no answer how to uninstall MailScanner ? please help

From naolson at gmail.com Sun Jul 15 23:10:09 2007
From: naolson at gmail.com (Nathan Olson)
Date: Sun Jul 15 23:10:14 2007
Subject: Uninstall MailScanner
In-Reply-To: <565979.34098.qm@web54404.mail.yahoo.com>
References: <565979.34098.qm@web54404.mail.yahoo.com>
Message-ID: <8f54b4330707151510m14d233efg6955aecc981a6e2b@mail.gmail.com>

You have provided absolutely no information as to how you installed it in the first place.

Nate

From res at ausics.net Mon Jul 16 00:29:55 2007
From: res at ausics.net (Res)
Date: Mon Jul 16 00:30:04 2007
Subject: installation for mailscanner
In-Reply-To: <223f97700707151308m6ae735bcxc570c8af1945fba5@mail.gmail.com>
References: <1744.62.150.152.226.1184522803.squirrel@webmail.baladia.gov.kw> <223f97700707151308m6ae735bcxc570c8af1945fba5@mail.gmail.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

On Sun, 15 Jul 2007, Glenn Steen wrote:

>> echo '3) Rules_Du_Jour from http://www.fsl.com/support'

Maybe that needs to be removed and replaced with the newer preferred method as well.

--
Cheers
Res

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGmq3zsWhAmSIQh7MRAnnsAKCi0xoMhfEdjrj9qW2AWPKvmjxquwCgl3o+
v8QIhAHOoQY817Ig1rSBd+o=
=IMzv
-----END PGP SIGNATURE-----

From res at ausics.net Mon Jul 16 00:35:40 2007
From: res at ausics.net (Res)
Date: Mon Jul 16 00:35:49 2007
Subject: Uninstall MailScanner
In-Reply-To: <565979.34098.qm@web54404.mail.yahoo.com>
References: <565979.34098.qm@web54404.mail.yahoo.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

Hi Wilson,

On Mon, 16 Jul 2007, Wilson Kwok wrote:

> Hello,
>
> I was posted this message, but still no answer how to uninstall MailScanner ? please help

If you installed the rpm version,
rpm -e MailScanner

if you installed the tarball version,
rm -rf /opt/MailScanner-version
then rm the /opt/MailScanner softlink.

Make sure you change your MTA start scripts back to normal by removing any reference to mailscanner, if the rpm version, (I have not used it in years) but i recall it copied to MTA.old or something and chmods it -x, so rename it normal and chmod +x it so your MTA can run as normal.

Also check your hourly and daily cron tasks for mailscanner related scripts and remove them.

--
Cheers
Res

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGmq9MsWhAmSIQh7MRAvibAJ0QxUCUxQTeE+PbBMGXdZhqfe/kuQCffbaK
bElrOVK2SwuyytvXep/7KT8=
=H1DN
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Mon Jul 16 06:38:57 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Jul 16 06:39:05 2007
Subject: Uninstall MailScanner
In-Reply-To: <565979.34098.qm@web54404.mail.yahoo.com>
References: <565979.34098.qm@web54404.mail.yahoo.com>
Message-ID:

On Mon, 16 Jul 2007, Wilson Kwok wrote:

> I was posted this message, but still no answer how to uninstall MailScanner ? please help

Frankly. If you have no clue how to uninstall it yourself then I have some serious doubts whether any instruction here will be sufficient. You most likely end up with a system you still do not understand.

After all you probably got the instructions also on the system you want to remove it from.

I recommend you do not post again until you took the time to read the responses and deliver the information everyone is asking for.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From res at ausics.net Mon Jul 16 08:57:31 2007
From: res at ausics.net (Res)
Date: Mon Jul 16 08:57:42 2007
Subject: Uninstall MailScanner
In-Reply-To:
References: <565979.34098.qm@web54404.mail.yahoo.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

FFS you lot, there is either rpm or tarball installs so two ways of uninstalling.

If you are not going to help him, shut the fuck up! because you are not contributing to anything but generating noise.

And you mob of rude arrogant twits wonder why people don't like to post on lists for help, when they do all you do is sprout this diatribe, even a prick like me can help without being a prick all the time, so the rest of you pull your heads in.

On Mon, 16 Jul 2007, Hugo van der Kooij wrote:

> On Mon, 16 Jul 2007, Wilson Kwok wrote:
>
>> I was posted this message, but still no answer how to uninstall
>> MailScanner ? please help
>
> Frankly. If you have no clue how to uninstall it yourself then I have some
> serious doubts whether any instruction here will be sufficient. You most likely
> end up with a system you still do not understand.
>
> After all you probably got the instructions also on the system you want to
> remove it from.
>
> I recommend you do not post again until you took the time to read the
> responses and deliver the information everyone is asking for.
>
> Hugo.
>
>

--
Cheers
Res

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGmyTrsWhAmSIQh7MRAvO3AJ9qNNR/9SpTcDY+5dTuTQZlwKDKqACgjeHG
iOtWSL2LS9cBz14J6M7qt30=
=HNKN
-----END PGP SIGNATURE-----

From jan-peter at koopmann.eu Mon Jul 16 09:26:20 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Mon Jul 16 09:25:35 2007
Subject: Uninstall MailScanner
In-Reply-To:
References: <565979.34098.qm@web54404.mail.yahoo.com>
Message-ID:

Res,

> FFS you lot, there is either rpm or tarball installs so two ways of
> uninstalling.

In FreeBSD there would be ports. On most other systems there would be tarball install, rpm install, install script from Julian etc. Several ways to install the system and the dependencies. I have not seen any information on how he installed it in the first place and on what system. So the answer "two ways of uninstalling" is not complete to put it the polite way. Incorrect would come to mind as well.

> If you are not going to help him, shut the fuck up! because you are not
> contributing to anything but generating noise.

There were several posts either pointing him to the correct direction or asking additional information needed for helping him. All he has provided was a repetition of the initial question without providing additional help. While I agree that Hugo's answers were rude (amusing but rude) your answer to him and others is way out of line.

> And you mob of rude arrogant twits wonder why people don't like to post
> on
> lists for help, when they do all you do is sprout this diatribe, even a
> prick like me can help without being a prick all the time, so the rest
> of
> you pull your heads in.

Compared to other lists the vast majority of people in this list is always eager to help people. Calling them (and me in fact) a "mob of rude arrogant twits" is again way out of line. So please calm down!

And in fact Hugo is right with one thing: If Wilson did not understand how to install the system in the first place or how it works and if he even is unable to answer some simple questions that would allow us to help, then I also truly doubt that installing/uninstalling MailScanner will leave him a system he understands in any way.
Therefore personally I would recommend using things like DefenderMX in order to use Mailscanners great framework without having to understand all the nifty parts. From what I have read so far (and maybe I am misjudging him big time if so: sorry), Wilson is not likely to master this quest at present time.

Kind regards,
JP

From MailScanner at ecs.soton.ac.uk Mon Jul 16 09:26:29 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 16 09:27:03 2007
Subject: Uninstall MailScanner
In-Reply-To:
References: <565979.34098.qm@web54404.mail.yahoo.com>
Message-ID: <469B2BB5.2030003@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Come on guys, let's all behave like adults. You know full well that I don't tolerate language like that here.
I think sufficient advice has been given on how this guy (who may well not understand enough English to understand what you are trying to tell him) can uninstall MailScanner.

So this thread is closed. Anyone who doesn't agree should go and cool down for half an hour outside :-)

Jules.

Res wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> NotDashEscaped: You need GnuPG to verify this message
>
>
> FFS you lot, there is either rpm or tarball installs so two ways of
> uninstalling.
>
> If you are not going to help him, shut the fuck up! because you are
> not contributing to anything but generating noise.
>
> And you mob of rude arrogant twits wonder why people don't like to post
> on lists for help, when they do all you do is sprout this diatribe,
> even a prick like me can help without being a prick all the time, so
> the rest of you pull your heads in.
>
>
>
> On Mon, 16 Jul 2007, Hugo van der Kooij wrote:
>
>> On Mon, 16 Jul 2007, Wilson Kwok wrote:
>>
>>> I was posted this message, but still no answer how to uninstall
>>> MailScanner ? please help
>>
>> Frankly. If you have no clue how to uninstall it yourself then I have
>> some serious doubts whether any instruction here will be sufficient.
>> You most likely end up with a system you still do not understand.
>>
>> After all you probably got the instructions also on the system you
>> want to remove it from.
>>
>> I recommend you do not post again until you took the time to read
>> the responses and deliver the information everyone is asking for.
>>
>> Hugo.
>>
>>
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGmyu2EfZZRxQVtlQRAkgpAJ9RUGv5BixKBOJq6SmZHfRsqVaQrACeKzUj
7M6+tgIRHokvngn7E3Ekm4Q=
=TnAI
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From Jason at SYO.Com Mon Jul 16 13:53:50 2007
From: Jason at SYO.Com (Jason Gottschalk)
Date: Mon Jul 16 13:51:46 2007
Subject: How to get e-mail messages from Mail Scanner?
Message-ID: <331157498.20070716085350@SYO.Com>

Hello MailScanner,

I have a customer that has lost his exchange mailbox. I have been archiving mail for this customer for some time. With Filters, I can see the e-mail he has sent and received for a long time. How do I get these messages out of the system so I can import them into his outlook? I can click the "[ ]" and send them one at a time, but that will take years! any ideas?

--
Best regards,
Jason Gottschalk mailto:Jason@SYO.Com
SYO Computer Engineering Services, Inc.
SYO - Servicing Your Organization
586-286-2557

From sandrews at andrewscompanies.com Mon Jul 16 14:01:19 2007
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Mon Jul 16 14:01:21 2007
Subject: Uninstall MailScanner
In-Reply-To: <469B2BB5.2030003@ecs.soton.ac.uk>
References: <565979.34098.qm@web54404.mail.yahoo.com> <469B2BB5.2030003@ecs.soton.ac.uk>
Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0EDB@winchester.andrewscompanies.com>

What is this "outside" thing you talk about?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Monday, July 16, 2007 4:26 AM
To: MailScanner discussion
Subject: Re: Uninstall MailScanner

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Come on guys, let's all behave like adults. You know full well that I don't tolerate language like that here.
I think sufficient advice has been given on how this guy (who may well not understand enough English to understand what you are trying to tell him) can uninstall MailScanner.

So this thread is closed. Anyone who doesn't agree should go and cool down for half an hour outside :-)

Jules.

Res wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> NotDashEscaped: You need GnuPG to verify this message
>
>
> FFS you lot, there is either rpm or tarball installs so two ways of
> uninstalling.
>
> If you are not going to help him, shut the fuck up! because you are
> not contributing to anything but generating noise.
>
> And you mob of rude arrogant twits wonder why people don't like to post
> on lists for help, when they do all you do is sprout this diatribe,
> even a prick like me can help without being a prick all the time, so
> the rest of you pull your heads in.
>
>
>
> On Mon, 16 Jul 2007, Hugo van der Kooij wrote:
>
>> On Mon, 16 Jul 2007, Wilson Kwok wrote:
>>
>>> I was posted this message, but still no answer how to uninstall
>>> MailScanner ? please help
>>
>> Frankly. If you have no clue how to uninstall it yourself then I have
>> some serious doubts whether any instruction here will be sufficient.
>> You most likely end up with a system you still do not understand.
>>
>> After all you probably got the instructions also on the system you
>> want to remove it from.
>>
>> I recommend you do not post again until you took the time to read
>> the responses and deliver the information everyone is asking for.
>>
>> Hugo.
>>
>>
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGmyu2EfZZRxQVtlQRAkgpAJ9RUGv5BixKBOJq6SmZHfRsqVaQrACeKzUj
7M6+tgIRHokvngn7E3Ekm4Q=
=TnAI
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From MailScanner at ecs.soton.ac.uk Mon Jul 16 14:22:29 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 16 14:22:51 2007
Subject: Uninstall MailScanner
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0EDB@winchester.andrewscompanies.com>
References: <565979.34098.qm@web54404.mail.yahoo.com> <469B2BB5.2030003@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0EDB@winchester.andrewscompanies.com>
Message-ID: <469B7115.7000701@ecs.soton.ac.uk>

It's the big green room with the day star in it. Bandwidth is lousy on the whole. Greatly over-rated.

Steven Andrews wrote:
> What is this "outside" thing you talk about?
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian
> Field
> Sent: Monday, July 16, 2007 4:26 AM
> To: MailScanner discussion
> Subject: Re: Uninstall MailScanner
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Come on guys, let's all behave like adults. You know full well that I
> don't tolerate language like that here.
> I think sufficient advice has been given on how this guy (who may well
> not understand enough English to understand what you are trying to tell
> him) can uninstall MailScanner.
>
> So this thread is closed. Anyone who doesn't agree should go and cool down
> for half an hour outside :-)
>
> Jules.
>
> Res wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> NotDashEscaped: You need GnuPG to verify this message
>>
>>
>> FFS you lot, there is either rpm or tarball installs so two ways of
>> uninstalling.
>>
>> If you are not going to help him, shut the fuck up! because you are
>> not contributing to anything but generating noise.
>>
>> And you mob of rude arrogant twits wonder why people don't like to post
>>
>
>
>> on lists for help, when they do all you do is sprout this diatribe,
>> even a prick like me can help without being a prick all the time, so
>> the rest of you pull your heads in.
>>
>>
>>
>> On Mon, 16 Jul 2007, Hugo van der Kooij wrote:
>>
>>
>>> On Mon, 16 Jul 2007, Wilson Kwok wrote:
>>>
>>>
>>>> I was posted this message, but still no answer how to uninstall
>>>> MailScanner ? please help
>>>>
>>> Frankly. If you have no clue how to uninstall it yourself then I have
>>>
>
>
>>> some serious doubts whether any instruction here will be sufficient.
>>> You most likely end up with a system you still do not understand.
>>>
>>> After all you probably got the instructions also on the system you
>>> want to remove it from.
>>>
>>> I recommend you do not post again until you took the time to read
>>> the responses and deliver the information everyone is asking for.
>>>
>>> Hugo.
>>>
>>>
>>>
>
> Jules
>
> - --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all
> your IT requirements visit www.transtec.co.uk
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.6.2 (Build 2014)
> Charset: ISO-8859-1
>
> wj8DBQFGmyu2EfZZRxQVtlQRAkgpAJ9RUGv5BixKBOJq6SmZHfRsqVaQrACeKzUj
> 7M6+tgIRHokvngn7E3Ekm4Q=
> =TnAI
> -----END PGP SIGNATURE-----
>
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is believed to be clean.
> For all your IT requirements visit www.transtec.co.uk
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From ram at netcore.co.in Mon Jul 16 14:23:20 2007
From: ram at netcore.co.in (ram)
Date: Mon Jul 16 14:23:25 2007
Subject: How to Allow mails marked "could be a suspicious file "
Message-ID: <1184592200.19284.16.camel@localhost.localdomain>

Some of my important mails are getting caught by Mailscanner with messages like

/360701A5B3D.4CBEB/ADRAP_Suitability.zip->portqry.exe could be a suspicious file (encrypted program in archive)

So How can I tell MailScanner not to bother and allow these messages thru

Thanks
Ram

From dave.list at pixelhammer.com Mon Jul 16 14:42:11 2007
From: dave.list at pixelhammer.com (DAve)
Date: Mon Jul 16 14:43:28 2007
Subject: Uninstall MailScanner
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0EDB@winchester.andrewscompanies.com>
References: <565979.34098.qm@web54404.mail.yahoo.com> <469B2BB5.2030003@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0EDB@winchester.andrewscompanies.com>
Message-ID: <469B75B3.20406@pixelhammer.com>

Steven Andrews wrote:
> What is this "outside" thing you talk about?

It's that great big room with the blue ceiling and plants like the lobby, not sure where the light switch is and some fool keeps turning them off after work.

DAve

>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: Monday, July 16, 2007 4:26 AM > To: MailScanner discussion > Subject: Re: Uninstall MailScanner > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Come on guys, let's all behave like adults. You know full well that I > don't tolerate language like that here. > I think sufficient advice has been given on how this guy (who may well > not understand enough English to understand what you are trying to tell > him) can uninstall MailScanner. > > So this thread is closed. Anyone who doesn't agree should go a cool down > for half an hour outside :-) > > Jules. > > Res wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> NotDashEscaped: You need GnuPG to verify this message >> >> >> FFS you lot, there is either rpm or tarball installs so two ways of >> uninstalling. >> >> If you are not going to help him, shut the fuck up! because you are >> not contributing to anything but generating noise. >> >> And you mob of rude arrogant twits wonder why people dont like to post > >> on lists for help, when they do all you do is sprout this diatribe, >> even a prick like me can help without being a prick all the time, so >> hte rest of you pull your heads in. >> >> >> >> On Mon, 16 Jul 2007, Hugo van der Kooij wrote: >> >>> On Mon, 16 Jul 2007, Wilson Kwok wrote: >>> >>>> I was posted this message, but still no anwser how to uninstall >>>> MailScanner ? please help >>> Frankly. If you have no clue how to uninstall it yourself then I have > >>> some serious doubts wether any instruction here will be sfficient. >>> You most likely end up with a system you still do not understand. >>> >>> After all you propably got the instructions also on the system you >>> want to remove it from. >>> >>> I recommend you do not post again untill you took the time to read >>> the responses and deliver the information everyone is asking for. 
>>> >>> Hugo. >>> >>> > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all > your IT requirements visit www.transtec.co.uk > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > Charset: ISO-8859-1 > > wj8DBQFGmyu2EfZZRxQVtlQRAkgpAJ9RUGv5BixKBOJq6SmZHfRsqVaQrACeKzUj > 7M6+tgIRHokvngn7E3Ekm4Q= > =TnAI > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and dangerous content by > MailScanner, and is believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From list-mailscanner at linguaphone.com Mon Jul 16 15:07:37 2007 
From: list-mailscanner at linguaphone.com (Gareth)
Date: Mon Jul 16 15:07:51 2007
Subject: How to Allow mails marked "could be a suspicious file "
In-Reply-To: <1184592200.19284.16.camel@localhost.localdomain>
References: <1184592200.19284.16.camel@localhost.localdomain>
Message-ID: <1184594856.12844.4.camel@gblades-suse.linguaphone-intranet.co.uk>

The problem is that it is finding exe files within archives. Set the scan
archive depth to 0 and it won't do content checks on archive contents (but
will still virus scan them).

On Mon, 2007-07-16 at 14:23, ram wrote:
> Some of my important mails are getting caught by Mailscanner with
> messages like
>
>
> /360701A5B3D.4CBEB/ADRAP_Suitability.zip->portqry.exe could be a
> suspicious file (encrypted program in archive)
>
> So How can I tell MailScanner not to bother and allow these messages
> thru
>
>
> Thanks
> Ram

From paul.hutchings at mira.co.uk Mon Jul 16 15:16:32 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Mon Jul 16 15:16:35 2007
Subject: Running clamd as Root?
Message-ID:

I appreciate this isn't strictly a MailScanner issue, but as this box is
dedicated to Postfix/MailScanner I thought I'd ask here.

I'd been having awful trouble getting MailScanner to work with clamd
with Postfix as my MTA. Doubtless due to permissions and my lack of
understanding of how they work in fine detail on *nix.

One suggestion (the simplest) was to simply run clamd as root.

I've done this and it appears to be working, and appears to be an order
of magnitude quicker than using "clamav".

I'd appreciate a sanity check on whether there is any harm in doing
this?

I've checked and clamd is only listening on port 3310 on 127.0.0.1

TIA

From ram at netcore.co.in Mon Jul 16 15:21:28 2007
From: ram at netcore.co.in (ram) Date: Mon Jul 16 15:21:42 2007 Subject: How to Allow mails marked "could be a suspicious file " In-Reply-To: <1184594856.12844.4.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1184592200.19284.16.camel@localhost.localdomain> <1184594856.12844.4.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <1184595688.19284.23.camel@localhost.localdomain> On Mon, 2007-07-16 at 15:07 +0100, Gareth wrote: > The problem it is finding exe files within archives. Set the scan > archive depth to 0 and it wont do content check on archive contents (but > will still virus scan them). > > On Mon, 2007-07-16 at 14:23, ram wrote: > > Some of my important mails are getting caught by Mailscanner with > > messages like > > > > > > /360701A5B3D.4CBEB/ADRAP_Suitability.zip->portqry.exe could be a > > suspicious file (encrypted program in archive) > > > > So How can I tell MailScanner not to bother and allow these messages > > thru > > I already have that in MailScanner.conf ------ Maximum Archive Depth = 0 --------- From leiw324 at yahoo.com.hk Mon Jul 16 15:38:29 2007 
From: leiw324 at yahoo.com.hk (Wilson Kwok)
Date: Mon Jul 16 15:38:32 2007
Subject: (no subject)
Message-ID: <120476.76987.qm@web54408.mail.yahoo.com>

Hello,

The MailScanner still can't scan virus and spam mail....

I uninstalled the old version and then installed the new version back, but the answer is .....

Here is the maillog, you can see no message about scanning virus or spam, I already enabled clamav and spamassassin on MailScanner.conf.

Jul 16 22:09:38 ecfind postfix/cleanup[6990]: 794FC700AD: message-id=
Jul 16 22:09:38 ecfind postfix/cleanup[6991]: 7B3A9700AE: message-id=<015501c7c7aa$cb6685d0$ae00a8c0@beginneramd64>
Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 794FC700AD: from=, size=4092, nrcpt=1 (queue active)
Jul 16 22:09:38 ecfind postfix/smtpd[6986]: disconnect from mail.samba.org[66.70.73.150]
Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 7B3A9700AE: from=, size=3581, nrcpt=1 (queue active)
Jul 16 22:09:38 ecfind postfix/smtpd[6983]: disconnect from mail.samba.org[66.70.73.150]
Jul 16 22:09:38 ecfind postfix/cleanup[6992]: 7D602700AF: message-id=<1184592707.4500.1.camel@aleph.whitemice.org>
Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 7D602700AF: from=, size=3934, nrcpt=1 (queue active)
Jul 16 22:09:38 ecfind postfix/smtpd[6985]: disconnect from mail.samba.org[66.70.73.150]
Jul 16 22:09:38 ecfind postfix/local[6993]: 794FC700AD: to=, orig_to=, relay=local, delay=1, status=sent (delivered to file: /var/spool/virtual/wilson-kwok.com/mail)
Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 794FC700AD: removed

From leiw324 at yahoo.com.hk Mon Jul 16 15:42:11 2007
From: leiw324 at yahoo.com.hk (Wilson Kwok)
Date: Mon Jul 16 15:42:14 2007
Subject: Can't scan virus or spam mail
Message-ID: <118166.89125.qm@web54404.mail.yahoo.com>

Hello,

I uninstalled the old version and then installed the new version, but still
can't scan virus or spam mail.

Here is the maillog, you can see no message about scanning virus or spam, I already enabled clamav and spamassassin on MailScanner.conf

Jul 16 22:09:38 ecfind postfix/cleanup[6990]: 794FC700AD: message-id=
Jul 16 22:09:38 ecfind postfix/cleanup[6991]: 7B3A9700AE: message-id=<015501c7c7aa$cb6685d0$ae00a8c0@beginneramd64>
Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 794FC700AD: from=, size=4092, nrcpt=1 (queue active)
Jul 16 22:09:38 ecfind postfix/smtpd[6986]: disconnect from mail.samba.org[66.70.73.150]
Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 7B3A9700AE: from=, size=3581, nrcpt=1 (queue active)
Jul 16 22:09:38 ecfind postfix/smtpd[6983]: disconnect from mail.samba.org[66.70.73.150]
Jul 16 22:09:38 ecfind postfix/cleanup[6992]: 7D602700AF: message-id=<1184592707.4500.1.camel@aleph.whitemice.org>
Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 7D602700AF: from=, size=3934, nrcpt=1 (queue active)
Jul 16 22:09:38 ecfind postfix/smtpd[6985]: disconnect from mail.samba.org[66.70.73.150]
Jul 16 22:09:38 ecfind postfix/local[6993]: 794FC700AD: to=, orig_to=, relay=local, delay=1, status=sent (delivered to file: /var/spool/virtual/wilson-kwok.com/mail)
Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 794FC700AD: removed

From cabrera at hyettemail.com Mon Jul 16 17:01:12 2007
From: cabrera at hyettemail.com (Manuel Cabrera Caballero)
Date: Mon Jul 16 17:01:26 2007
Subject: Can't scan virus or spam mail
In-Reply-To: <118166.89125.qm@web54404.mail.yahoo.com>
References: <118166.89125.qm@web54404.mail.yahoo.com>
Message-ID: <469B9648.9020607@hyettemail.com>

I have the same problem, that is why I am asking: How can I check if the
mailscanner works? But it looks that nobody knows

Wilson Kwok wrote:
> Hello,
>
> I was uninstalled the old version and then installed the new
> version, but still
> can't scan viris or spam mail.
>
> Here is the maillog, you can see no message about scanning virus or
> spam, I already enabled clamav and spamassassin on MailScanner.conf
>
> Jul 16 22:09:38 ecfind postfix/cleanup[6990]: 794FC700AD:
> message-id= >
> Jul 16 22:09:38 ecfind postfix/cleanup[6991]: 7B3A9700AE:
> message-id=<015501c7c7aa$cb6685d0$ae00a8c0@beginneramd64
> >
> Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 794FC700AD:
> from= >, size=4092,
> nrcpt=1 (queue active)
> Jul 16 22:09:38 ecfind postfix/smtpd[6986]: disconnect from
> mail.samba.org[66.70.73.150]
> Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 7B3A9700AE:
> from= >, size=3581,
> nrcpt=1 (queue active)
> Jul 16 22:09:38 ecfind postfix/smtpd[6983]: disconnect from
> mail.samba.org[66.70.73.150]
> Jul 16 22:09:38 ecfind postfix/cleanup[6992]: 7D602700AF:
> message-id=<1184592707.4500.1.camel@aleph.whitemice.org
> >
> Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 7D602700AF:
> from= >, size=3934,
> nrcpt=1 (queue active)
> Jul 16 22:09:38 ecfind postfix/smtpd[6985]: disconnect from
> mail.samba.org[66.70.73.150]
> Jul 16 22:09:38 ecfind postfix/local[6993]: 794FC700AD:
> to= >, orig_to= >, relay=local, delay=1, status=sent
> (delivered to file: /var/spool/virtual/wilson-kwok.com/mail)
> Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 794FC700AD: removed
>
> From glenn.steen at gmail.com Mon Jul 16 17:16:35 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jul 16 17:16:36 2007 Subject: Uninstall MailScanner In-Reply-To: <469B75B3.20406@pixelhammer.com> References: <565979.34098.qm@web54404.mail.yahoo.com> <469B2BB5.2030003@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0EDB@winchester.andrewscompanies.com> <469B75B3.20406@pixelhammer.com> Message-ID: <223f97700707160916l85df255mb102f6048748eb65@mail.gmail.com> Too much Paranoia (the RPG). . . Oh well. 'Trust The Computer. The Computer is your Friend.'. . . And avoid that frightening thing called The Outside. . . Beware the Tree Terrorists! (A.k.a squirrels:). Sorry, couldn't resist;) On 16/07/07, DAve wrote: > Steven Andrews wrote: > > What is this "outside" thing you talk about? > > It's that great big room with the blue ceiling and plants like the > lobby, not sure where the light switch is and some fool keeps turning > them off after work. > > DAve > > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > > Field > > Sent: Monday, July 16, 2007 4:26 AM > > To: MailScanner discussion > > Subject: Re: Uninstall MailScanner > > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > Come on guys, let's all behave like adults. You know full well that I > > don't tolerate language like that here. > > I think sufficient advice has been given on how this guy (who may well > > not understand enough English to understand what you are trying to tell > > him) can uninstall MailScanner. > > > > So this thread is closed. Anyone who doesn't agree should go a cool down > > for half an hour outside :-) > > > > Jules. > > > > Res wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> NotDashEscaped: You need GnuPG to verify this message > >> > >> > >> FFS you lot, there is either rpm or tarball installs so two ways of > >> uninstalling. > >> > >> If you are not going to help him, shut the fuck up! because you are > >> not contributing to anything but generating noise. > >> > >> And you mob of rude arrogant twits wonder why people dont like to post > > > >> on lists for help, when they do all you do is sprout this diatribe, > >> even a prick like me can help without being a prick all the time, so > >> hte rest of you pull your heads in. > >> > >> > >> > >> On Mon, 16 Jul 2007, Hugo van der Kooij wrote: > >> > >>> On Mon, 16 Jul 2007, Wilson Kwok wrote: > >>> > >>>> I was posted this message, but still no anwser how to uninstall > >>>> MailScanner ? please help > >>> Frankly. If you have no clue how to uninstall it yourself then I have > > > >>> some serious doubts wether any instruction here will be sfficient. > >>> You most likely end up with a system you still do not understand. > >>> > >>> After all you propably got the instructions also on the system you > >>> want to remove it from. 
> >>> > >>> I recommend you do not post again untill you took the time to read > >>> the responses and deliver the information everyone is asking for. > >>> > >>> Hugo. > >>> > >>> > > > > Jules > > > > - -- > > Julian Field MEng CITP > > www.MailScanner.info > > Buy the MailScanner book at www.MailScanner.info/store > > > > MailScanner customisation, or any advanced system administration help? > > Contact me at Jules@Jules.FM > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all > > your IT requirements visit www.transtec.co.uk > > > > > > -----BEGIN PGP SIGNATURE----- > > Version: PGP Desktop 9.6.2 (Build 2014) > > Charset: ISO-8859-1 > > > > wj8DBQFGmyu2EfZZRxQVtlQRAkgpAJ9RUGv5BixKBOJq6SmZHfRsqVaQrACeKzUj > > 7M6+tgIRHokvngn7E3Ekm4Q= > > =TnAI > > -----END PGP SIGNATURE----- > > > > -- > > This message has been scanned for viruses and dangerous content by > > MailScanner, and is believed to be clean. > > For all your IT requirements visit www.transtec.co.uk > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > -- > Three years now I've asked Google why they don't have a > logo change for Memorial Day. Why do they choose to do logos > for other non-international holidays, but nothing for > Veterans? > > Maybe they forgot who made that choice possible. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Mon Jul 16 17:40:24 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 16 17:41:39 2007 Subject: How to Allow mails marked "could be a suspicious file " In-Reply-To: <1184592200.19284.16.camel@localhost.localdomain> References: <1184592200.19284.16.camel@localhost.localdomain> Message-ID: <469B9F78.1090309@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This looks to me like a report from a virus scanner. See if there is a command-line option for your scanner that stops it looking for things like this. If you tell me what scanner you're using, then I can tell you where the mod needs to be made. ram wrote: > Some of my important mails are getting caught by Mailscanner with > messages like > > > /360701A5B3D.4CBEB/ADRAP_Suitability.zip->portqry.exe could be a > suspicious file (encrypted program in archive) > > So How can I tell MailScanner not to bother and allow these messages > thru > > > Thanks > Ram > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGm595EfZZRxQVtlQRAgvpAKD+mQgzUxohREC0k5ewauc44mkqTACghFQN ie0hLMGa0MiFLrWoUUoNSmA= =/akq -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Mon Jul 16 17:41:16 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 16 17:41:48 2007 Subject: Running clamd as Root? In-Reply-To: References: Message-ID: <469B9FAC.2020900@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Nothing too awful. I run sendmail on my MailScanners and run everything as root on them. Paul Hutchings wrote: > I appreciate this isn't strictly a MailScanner issue, but as this box is > dedicated to Postfix/MailScanner I thought I'd ask here. > > I'd been having awful trouble getting MailScanner to work with clamd > with Postfix as my MTA. Doubtless due to permissions and my lack of > understanding of how they work in fine detail on *nix. > > One suggestion (the simplest) was to simply run clamd as root. > > I've done this and it appears to be working, and appears to be an order > of magnitude quicker than using "clamav". > > I'd appreciate a sanity check on whether there is any harm in doing > this? > > I've checked and clams is only listening on port 3310 on 127.0.0.1 > > TIA > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGm5+tEfZZRxQVtlQRAhc1AKCC3TRonj+aJcvi7l1oDAykPqhM/gCfXwV9 DiljTX9xJdQAQNpg8vY8z0I= =NqQ7 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Mon Jul 16 17:43:11 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 16 17:43:53 2007
Subject: Can't scan virus or spam mail
In-Reply-To: <469B9648.9020607@hyettemail.com>
References: <118166.89125.qm@web54404.mail.yahoo.com> <469B9648.9020607@hyettemail.com>
Message-ID: <469BA01F.7000506@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Have you followed the instructions on the MailScanner web site on how to
install MailScanner with Postfix? It's at
http://www.mailscanner.info/postfix.html
and contains some very important steps.

Manuel Cabrera Caballero wrote:
> I have the same problem, that is why I am asking: How can I check if the
> mailscanner works? But it looks that nobody knows
>
> Wilson Kwok wrote:
>
>> Hello,
>>
>> I was uninstalled the old version and then installed the new
>> version, but still
>> can't scan viris or spam mail.
>>
>> Here is the maillog, you can see no message about scanning virus or
>> spam, I already enabled clamav and spamassassin on MailScanner.conf
>>
>> Jul 16 22:09:38 ecfind postfix/cleanup[6990]: 794FC700AD:
>> message-id=> >
>> Jul 16 22:09:38 ecfind postfix/cleanup[6991]: 7B3A9700AE:
>> message-id=<015501c7c7aa$cb6685d0$ae00a8c0@beginneramd64
>> >
>> Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 794FC700AD:
>> from=> >, size=4092,
>> nrcpt=1 (queue active)
>> Jul 16 22:09:38 ecfind postfix/smtpd[6986]: disconnect from
>> mail.samba.org[66.70.73.150]
>> Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 7B3A9700AE:
>> from=> >, size=3581,
>> nrcpt=1 (queue active)
>> Jul 16 22:09:38 ecfind postfix/smtpd[6983]: disconnect from
>> mail.samba.org[66.70.73.150]
>> Jul 16 22:09:38 ecfind postfix/cleanup[6992]: 7D602700AF:
>> message-id=<1184592707.4500.1.camel@aleph.whitemice.org
>> >
>> Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 7D602700AF:
>> from=> >, size=3934,
>> nrcpt=1 (queue active)
>> Jul 16 22:09:38 ecfind postfix/smtpd[6985]: disconnect from
>> mail.samba.org[66.70.73.150]
>> Jul 16 22:09:38 ecfind postfix/local[6993]: 794FC700AD:
>> to=> >, orig_to=> >, relay=local, delay=1, status=sent
>> (delivered to file: /var/spool/virtual/wilson-kwok.com/mail)
>> Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 794FC700AD: removed
>>
>>
>
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: Big5

wj8DBQFGm6AgEfZZRxQVtlQRAl2bAJoC62FUU8w5GtopeEgzz9wjzzW2VQCeIamb
+zs6AY47qOFC1niki/HxcCs=
=Iz7i
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From cabrera at hyettemail.com Mon Jul 16 18:11:45 2007
From: cabrera at hyettemail.com (Manuel Cabrera Caballero) Date: Mon Jul 16 18:11:59 2007 Subject: Can't scan virus or spam mail In-Reply-To: <469BA01F.7000506@ecs.soton.ac.uk> References: <118166.89125.qm@web54404.mail.yahoo.com> <469B9648.9020607@hyettemail.com> <469BA01F.7000506@ecs.soton.ac.uk> Message-ID: <469BA6D1.3050902@hyettemail.com> Jules, Bad tapeworm a step, /etc/postfix/header_check in my config but is /etc/postfix/header_checks with s in your howto is clear. already is ok, thanks, now if it works to me. and thanks for your patience, Jules with whom we did not speak English. Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Have you followed the instructions on the MailScanner web site on how to > install MailScanner with Postfix? It's at > http://www.mailscanner.info/postfix.html > and contains some very important steps. > > Manuel Cabrera Caballero wrote: >> I have the same problem, that is why I am asking: How can I check if the >> mailscanner works? But it looks that nobody knows >> >> Wilson Kwok wrote: >> >>> Hello, >>> >>> I was uninstalled the old version and then installed the new >>> version, but still >>> can't scan viris or spam mail. 
>>>
>>> Here is the maillog, you can see no message about scanning virus or
>>> spam, I already enabled clamav and spamassassin on MailScanner.conf
>>>
>>> Jul 16 22:09:38 ecfind postfix/cleanup[6990]: 794FC700AD:
>>> message-id=>> >
>>> Jul 16 22:09:38 ecfind postfix/cleanup[6991]: 7B3A9700AE:
>>> message-id=<015501c7c7aa$cb6685d0$ae00a8c0@beginneramd64
>>> >
>>> Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 794FC700AD:
>>> from=>> >, size=4092,
>>> nrcpt=1 (queue active)
>>> Jul 16 22:09:38 ecfind postfix/smtpd[6986]: disconnect from
>>> mail.samba.org[66.70.73.150]
>>> Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 7B3A9700AE:
>>> from=>> >, size=3581,
>>> nrcpt=1 (queue active)
>>> Jul 16 22:09:38 ecfind postfix/smtpd[6983]: disconnect from
>>> mail.samba.org[66.70.73.150]
>>> Jul 16 22:09:38 ecfind postfix/cleanup[6992]: 7D602700AF:
>>> message-id=<1184592707.4500.1.camel@aleph.whitemice.org
>>> >
>>> Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 7D602700AF:
>>> from=>> >, size=3934,
>>> nrcpt=1 (queue active)
>>> Jul 16 22:09:38 ecfind postfix/smtpd[6985]: disconnect from
>>> mail.samba.org[66.70.73.150]
>>> Jul 16 22:09:38 ecfind postfix/local[6993]: 794FC700AD:
>>> to=>> >, orig_to=>> >, relay=local, delay=1, status=sent
>>> (delivered to file: /var/spool/virtual/wilson-kwok.com/mail)
>>> Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 794FC700AD: removed
>>>
>>>
>>>
>>
>
> Jules
>
> - --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.6.2 (Build 2014)
> Charset: Big5
>
> wj8DBQFGm6AgEfZZRxQVtlQRAl2bAJoC62FUU8w5GtopeEgzz9wjzzW2VQCeIamb
> +zs6AY47qOFC1niki/HxcCs=
> =Iz7i
> -----END PGP SIGNATURE-----
>

From alex at nkpanama.com Mon Jul 16 19:10:47 2007
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Mon Jul 16 19:12:00 2007
Subject: Auto Reply
In-Reply-To:
References: <001001c7c5b6$08058e10$0705a8c0@twdnb01> <469829F5.7070903@pacific.net> <00cd01c7c5ba$9feb37d0$0705a8c0@twdnb01> <223f97700707131932y72b47b72u7d9413e0f166b067@mail.gmail.com> <4698D421.90305@nkpanama.com>
Message-ID: <469BB4A7.7090606@nkpanama.com>

René Berber wrote:
> Alex Neuman van der Hans wrote:
>
>
>>>> Yes, vacation still works. Hint for OP: it comes with sendmail.
>>>>
>> You can also achieve the same functionality with Webmin's version -
>>
>
> Webmin uses sendmail's vacation.
>
>
Actually, there's a module that uses a vacation script and another that
does a custom reply written in perl IIRC.
>> which is also built into Usermin so that users themselves can update
>> their preferences. I like that it can give you an option *not* to
>> respond again if you receive a second (or third, etc.) e-mail from the
>> same person within a specific timeframe (say, the length of your vacation).
>>
>
> That's standard behavior with sendmail's vacation.
>

From alex at nkpanama.com Mon Jul 16 19:48:43 2007
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Mon Jul 16 19:49:31 2007
Subject: How to get e-mail messages from Mail Scanner?
In-Reply-To: <331157498.20070716085350@SYO.Com>
References: <331157498.20070716085350@SYO.Com>
Message-ID: <469BBD8B.4020302@nkpanama.com>

Jason Gottschalk wrote:
> Hello MailScanner,
>
> I have a customer that has lost his exchange mailbox. I have been
> archiving mail for this customer for some time. With Filters, I can
> see the e-mail he has sent and received for a long time.
>
> How do I get these messages out of the system so I can import them
> into his outlook?
>
> I can click the "[ ]" and send them one at a time, but that will take
> years!
>
> any ideas?
>
>
>
Don't know how to do it, but if I had to do it I'd attack the problem
this way:

1. Find a specific set of criteria (could be more than one) to separate
   the messages I want from the rest (for example, all messages that have
   192.168.x.z in them since they would have been sent from the client's
   particular box, plus all messages that say "client@client.com"
   somewhere on the same line as the word "From:").
2. Take every file that fits that criteria and copy it somewhere else
   (from the quarantine or the archive)
3. Place those files in the MTA's queue (for example, in sendmail it
   should be /var/spool/mqueue)
4. ...
5. Profit!

Just kidding about those last two. Anybody here with a better
understanding of the mechanics of MailScanner could tell you if this
would work.

From alex at nkpanama.com Mon Jul 16 19:50:07 2007
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Mon Jul 16 19:50:56 2007 Subject: Running clamd as Root? In-Reply-To: <469B9FAC.2020900@ecs.soton.ac.uk> References: <469B9FAC.2020900@ecs.soton.ac.uk> Message-ID: <469BBDDF.3010601@nkpanama.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Nothing too awful. I run sendmail on my MailScanners and run everything > as root on them. > > The digital equivalent of "going commando" :-) http://en.wikipedia.org/wiki/Going_commando > Paul Hutchings wrote: > >> I appreciate this isn't strictly a MailScanner issue, but as this box is >> dedicated to Postfix/MailScanner I thought I'd ask here. >> >> I'd been having awful trouble getting MailScanner to work with clamd >> with Postfix as my MTA. Doubtless due to permissions and my lack of >> understanding of how they work in fine detail on *nix. >> >> One suggestion (the simplest) was to simply run clamd as root. >> >> I've done this and it appears to be working, and appears to be an order >> of magnitude quicker than using "clamav". >> >> I'd appreciate a sanity check on whether there is any harm in doing >> this? >> >> I've checked and clams is only listening on port 3310 on 127.0.0.1 >> >> TIA >> >> >> >> > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > Charset: ISO-8859-1 > > wj8DBQFGm5+tEfZZRxQVtlQRAhc1AKCC3TRonj+aJcvi7l1oDAykPqhM/gCfXwV9 > DiljTX9xJdQAQNpg8vY8z0I= > =NqQ7 > -----END PGP SIGNATURE----- > > From alex at nkpanama.com Mon Jul 16 19:56:41 2007 
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Mon Jul 16 19:57:29 2007
Subject: Can't scan virus or spam mail
In-Reply-To: <469B9648.9020607@hyettemail.com>
References: <118166.89125.qm@web54404.mail.yahoo.com> <469B9648.9020607@hyettemail.com>
Message-ID: <469BBF69.2050507@nkpanama.com>

Manuel Cabrera Caballero wrote:
> I have the same problem, that is why I am asking: How can I check if the
> mailscanner works? But it looks that nobody knows

You can check by looking at your maillogs. MailScanner should be inserting messages there. You can also check for MailScanner's headers on received mail.

By "nobody knows" you probably mean "I didn't ask in a way that would help people understand my particular situation and offer me help or advice", I guess. Try reading http://tinyurl.com/anel (English) or http://tinyurl.com/cr6pf (Spanish) and rephrasing your request, it'll probably help a lot.

> Wilson Kwok wrote:
>> Hello,
>>
>> I was uninstalled the old version and then installed the new
>> version, but still
>> can't scan virus or spam mail.
>>
>> Here is the maillog, you can see no message about scanning virus or
>> spam, I already enabled clamav and spamassassin on MailScanner.conf
>>
>> Jul 16 22:09:38 ecfind postfix/cleanup[6990]: 794FC700AD:
>> message-id=> >
>> Jul 16 22:09:38 ecfind postfix/cleanup[6991]: 7B3A9700AE:
>> message-id=<015501c7c7aa$cb6685d0$ae00a8c0@beginneramd64
>> >
>> Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 794FC700AD:
>> from=> >, size=4092,
>> nrcpt=1 (queue active)
>> Jul 16 22:09:38 ecfind postfix/smtpd[6986]: disconnect from
>> mail.samba.org[66.70.73.150]
>> Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 7B3A9700AE:
>> from=> >, size=3581,
>> nrcpt=1 (queue active)
>> Jul 16 22:09:38 ecfind postfix/smtpd[6983]: disconnect from
>> mail.samba.org[66.70.73.150]
>> Jul 16 22:09:38 ecfind postfix/cleanup[6992]: 7D602700AF:
>> message-id=<1184592707.4500.1.camel@aleph.whitemice.org
>> >
>> Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 7D602700AF:
>> from=> >, size=3934,
>> nrcpt=1 (queue active)
>> Jul 16 22:09:38 ecfind postfix/smtpd[6985]: disconnect from
>> mail.samba.org[66.70.73.150]
>> Jul 16 22:09:38 ecfind postfix/local[6993]: 794FC700AD:
>> to=> >, orig_to=> >, relay=local, delay=1, status=sent
>> (delivered to file: /var/spool/virtual/wilson-kwok.com/mail)
>> Jul 16 22:09:38 ecfind postfix/qmgr[4090]: 794FC700AD: removed

From rcooper at dwford.com Mon Jul 16 20:49:26 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Mon Jul 16 20:49:32 2007
Subject: Running clamd as Root?
In-Reply-To:
References:
Message-ID: <005401c7c7e2$6ad44120$0301a8c0@SAHOMELT>

I run it as root myself, of course there is always the remote possibility of an issue but there are no shell accounts (except mine) on my mail (or web, proxy, etc) servers everything is virtual (with exim/dovecot/pure-ftpd). I also use a Unix socket rather than TCP socket. IIRC the default clam install runs as root (not default package as that is up to the maintainers). But I also use clamd with viralator and Squid so it's just easier.

Rick

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Paul Hutchings
> Sent: Tuesday, July 17, 2007 12:17 AM
> To: MailScanner discussion
> Subject: Running clamd as Root?
>
> I appreciate this isn't strictly a MailScanner issue, but as
> this box is
> dedicated to Postfix/MailScanner I thought I'd ask here.
>
> I'd been having awful trouble getting MailScanner to work with clamd
> with Postfix as my MTA. Doubtless due to permissions and my lack of
> understanding of how they work in fine detail on *nix.
>
> One suggestion (the simplest) was to simply run clamd as root.
>
> I've done this and it appears to be working, and appears to
> be an order
> of magnitude quicker than using "clamav".
>
> I'd appreciate a sanity check on whether there is any harm in doing
> this?
>
> I've checked and clams is only listening on port 3310 on 127.0.0.1
>
> TIA
>
> --
> MIRA Ltd.
>
> Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
>
> Registered in England No. 402570
> VAT Registration GB 114 5409 96

From Jim at jameswest.com Mon Jul 16 20:55:36 2007
From: Jim at jameswest.com (Jim West)
Date: Mon Jul 16 20:56:14 2007
Subject: How to get e-mail messages from Mail Scanner?
In-Reply-To: <469BBD8B.4020302@nkpanama.com>
References: <331157498.20070716085350@SYO.Com> <469BBD8B.4020302@nkpanama.com>
Message-ID: <7.0.1.0.2.20070716135347.03d464e8@jameswest.com>

Do you have a POP server running, i.e. DoveCot perchance?

If so, just have the customer POP into your server and pull the mail.

If I recall, OutLook does still support POP accounts.

- Jim

From Jason at SYO.Com Mon Jul 16 21:10:58 2007
From: Jason at SYO.Com (Jason Gottschalk)
Date: Mon Jul 16 21:08:53 2007
Subject: How to get e-mail messages from Mail Scanner?
In-Reply-To: <7.0.1.0.2.20070716135347.03d464e8@jameswest.com>
References: <331157498.20070716085350@SYO.Com> <469BBD8B.4020302@nkpanama.com> <7.0.1.0.2.20070716135347.03d464e8@jameswest.com>
Message-ID: <11510314368.20070716161058@SYO.Com>

Hello Jim,

But I think it is the archive, I used the Store command. There are not any pop accounts for this domain on this server, we are just passing them through here to be scanned.

So how do I get hundreds of messages in the archive or the quarantine sent out to an address? Or, saved in a format I can copy to the workstation and import?

Jason.

--
Best regards,
Jason Gottschalk mailto:Jason@SYO.Com
SYO Computer Engineering Services, Inc.
586-286-2557

From rickt at rickt.org Mon Jul 16 21:16:02 2007
From: rickt at rickt.org (Rick Tait)
Date: Mon Jul 16 21:16:06 2007
Subject: Confusion regarding whitelisting... (scan.messages.rules vs. spam.whitelist.rules?)
Message-ID: <798375e00707161316j178a18b5x6501c5d89abe2c90@mail.gmail.com>

Hi all,

I am suffering a little bit of confusion regarding whitelisting, and I am hoping that someone can help me out. I'm sure it's very simple.

I am trying to make sure that certain emails are NOT spam-checked (i.e. whitelisted). It is my understanding that I can use the "Scan Messages" directive for this.

OK, so the email address I want to be whitelisted is: jeffgund@infolist.com .

So the appropriate parts of my MailScanner.conf are:

    Scan Messages = %rules-dir%/scan.messages.rules
    Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
    Is Definitely Spam = %rules-dir%/spam.blacklist.rules

And in my /etc/MailScanner/rules/scan.messages.rules, I have the following (which I understand tells MailScanner NOT to scan messages from this address, but then scan all others):

    From: jeffgund@infolist.com no
    ToOrFrom: default yes

Contents of /etc/MailScanner/rules/spam.whitelist.rules:

    FromOrTo: default no

Contents of /etc/MailScanner/rules/spam.blacklist.rules:

    (empty)

I have restarted MailScanner, but the emails from this user are still being marked as SPAM! From the headers I can see:

    X-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=6.58, required 4.8, BAYES_40 2.00, HTML_40_50 0.50, HTML_MESSAGE 0.00, HTML_MIME_NO_HTML_TAG 1.08, MIME_HTML_ONLY 0.00, UNPARSEABLE_RELAY 3.00)

I am very confused as to why this is not being whitelisted. I initially had a similar entry in /etc/MailScanner/rules/spam.whitelist.rules but that did not seem to work either.

What am I doing wrong?

For simple whitelisting, i.e. please never check emails from foo@foo.com or *@*.foo.com, what is the correct procedure? spam.whitelist.rules or scan.messages.rules?

Thank you all in advance!

-Rick.

From glenn.steen at gmail.com Mon Jul 16 21:45:09 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jul 16 21:45:11 2007 Subject: (no subject) In-Reply-To: <120476.76987.qm@web54408.mail.yahoo.com> References: <120476.76987.qm@web54408.mail.yahoo.com> Message-ID: <223f97700707161345i7299788et6f27af7520cd61cd@mail.gmail.com> From MailScanner at ecs.soton.ac.uk Mon Jul 16 21:46:33 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 16 21:47:02 2007
Subject: How to get e-mail messages from Mail Scanner?
In-Reply-To: <11510314368.20070716161058@SYO.Com>
References: <331157498.20070716085350@SYO.Com> <469BBD8B.4020302@nkpanama.com> <7.0.1.0.2.20070716135347.03d464e8@jameswest.com> <11510314368.20070716161058@SYO.Com>
Message-ID: <469BD929.9090601@ecs.soton.ac.uk>

Are you saving them in raw queue file format?
If so, just drop them in the outgoing queue
    /var/spool/mqueue on sendmail
    /var/spool/postfix/incoming on postfix
Set the ownerships and permissions correctly, and they should just get delivered.

Jules

From MailScanner at ecs.soton.ac.uk Mon Jul 16 21:49:19 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 16 21:49:57 2007
Subject: {Disarmed} Confusion regarding whitelisting... (scan.messages.rules vs. spam.whitelist.rules?)
In-Reply-To: <798375e00707161316j178a18b5x6501c5d89abe2c90@mail.gmail.com>
References: <798375e00707161316j178a18b5x6501c5d89abe2c90@mail.gmail.com>
Message-ID: <469BD9CF.10300@ecs.soton.ac.uk>

Rick Tait wrote:
> Hi all,
>
> I am suffering a little bit of confusion regarding whitelisting, and I
> am hoping that someone can help me out. I'm sure it's very simple.
>
> I am trying to make sure that certain emails are NOT spam-checked (
> i.e. whitelisted). It is my understanding that I can use the "Scan
> Messages" directive for this.

If you use that, it will not virus-scan them either. If you just want to stop spam checks, use "Spam Checks" for doing this.

> OK, so the email address I want to be whitelisted is: *MailScanner has
> detected a possible fraud attempt from "gort.flamingangelfilms.com"
> claiming to be* jeffgund@infolist.com
> .
>
> So the appropriate parts of my MailScanner.conf are:
>
> Scan Messages = %rules-dir%/scan.messages.rules
> Is Definitely Not Spam = %rules-dir%/spam.whitelist.rules
> Is Definitely Spam = %rules-dir%/spam.blacklist.rules
>
> And in my /etc/MailScanner/rules/scan.messages.rules, I have the
> following (which I understand tells MailScanner NOT to scan messages
> from this address, but then scan all others):
>
> From: jeffgund@infolist.com no
> ToOrFrom: default yes
>
> Contents of /etc/MailScanner/rules/spam.whitelist.rules:
> FromOrTo: default no
>
> Contents of /etc/MailScanner/rules/spam.blacklist.rules:
> (empty)
>
> I have restarted MailScanner, but the emails from this user are still
> being marked as SPAM! From the headers I can see:

Check that the envelope sender address is really where the message is claiming to come from, for starters.

> X-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=6.58,
> required 4.8, BAYES_40 2.00, HTML_40_50 0.50, HTML_MESSAGE 0.00,
> HTML_MIME_NO_HTML_TAG 1.08, MIME_HTML_ONLY 0.00,
> UNPARSEABLE_RELAY 3.00)
>
> I am very confused as to why this is not being whitelisted. I
> initially had a similar entry in
> /etc/MailScanner/rules/spam.whitelist.rules but that did not seem to
> work either.
>
> What am I doing wrong?
>
> For simple whitelisting, i.e. please never check emails from
> foo@foo.com or *@*.foo.com, what is the correct
> procedure? spam.whitelist.rules or scan.messages.rules ?
>
> Thank you all in advance!
>
> -Rick.

Jules

From glenn.steen at gmail.com Mon Jul 16 21:58:42 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Jul 16 21:58:44 2007
Subject: How to get e-mail messages from Mail Scanner?
In-Reply-To: <11510314368.20070716161058@SYO.Com>
References: <331157498.20070716085350@SYO.Com> <469BBD8B.4020302@nkpanama.com> <7.0.1.0.2.20070716135347.03d464e8@jameswest.com> <11510314368.20070716161058@SYO.Com>
Message-ID: <223f97700707161358n49be1ee9nf722936668bd1a90@mail.gmail.com>

On 16/07/07, Jason Gottschalk wrote:
> Hello Jim,
>
> But I think it is the archive, I used the Store command. There
> are not any pop accounts for this domain on this server, we are just
> passing them through here to be scanned.
>
> So how do I get hundreds of messages in the archive or the quarantine
> sent out to an address? Or, saved in a format I can copy to the
> workstation and import?
>
> Jason.

"Archive of quarantine"? Sounds a bit like you are using MailWatch and have store set on the non-spam action... In which case this becomes a problem of:
a) Finding the relevant messages, and
b) sending them to the recipient.

If you indeed use MailWatch, then a) is fixed by a simple SQL query... All you really need is to construct a file containing all the message IDs and possibly all the dates... Heck, why not let the SQL scriptlet construct a file of filenames (one/line) with the absolute path to the message file (which is in RFC822 format), then simply loop over that and use your MTA's sendmail command (for i in $(cat filenames); do sendmail recipient@add.ress<$i; done) ... Simple as that:-).

I'm on vacation, so will not be writing that scriptlet for you anytime this week... perhaps when I'm back to the grindstone...:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From philippe at beau.nom.fr Mon Jul 16 22:31:23 2007
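The loop sketched in the message above trusts every line of the filenames list. As an added example (not from the thread and not Steve Freegard's resend.sh), this Python helper checks each listed path before handing it to sendmail; the sendmail location /usr/sbin/sendmail, the function names and the quarantine root argument are assumptions.

```python
"""Added example: validate a list of quarantined message files before
re-injecting them through the MTA's sendmail command."""
import os
import re
import subprocess
import sys

SENDMAIL = "/usr/sbin/sendmail"  # assumed location of the MTA's sendmail binary
# Conservative address check, deliberately stricter than the RFCs allow.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+=-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def plan_resend(list_file, quarantine_root, recipient):
    """Return (accepted, rejected) for the paths named in list_file.

    accepted: list of (argv, path) pairs, argv built without any shell
    rejected: list of (path, reason) pairs
    """
    # A recipient starting with "-" would be read by sendmail as an option.
    if recipient.startswith("-") or not ADDRESS_RE.match(recipient):
        raise ValueError("refusing recipient %r" % recipient)
    root = os.path.realpath(quarantine_root)
    accepted, rejected = [], []
    with open(list_file, encoding="utf-8") as handle:
        for raw in handle:
            path = raw.rstrip("\n")  # one path per line; spaces are kept
            if not path:
                continue
            if os.path.islink(path):
                rejected.append((path, "symlink"))
                continue
            real = os.path.realpath(path)
            # Resolve ".." and symlinked directories, then require the
            # result to stay under the quarantine root.
            if os.path.commonpath([root, real]) != root:
                rejected.append((path, "outside quarantine"))
                continue
            if not os.path.isfile(real):
                rejected.append((path, "not a regular file"))
                continue
            accepted.append(([SENDMAIL, "-i", recipient], real))
    return accepted, rejected


def resend(accepted, dry_run=True):
    """Feed each accepted file to sendmail on stdin; return the exit codes.

    With dry_run=True nothing is sent and every code is None.
    """
    codes = []
    for argv, path in accepted:
        if dry_run:
            print("would run:", " ".join(argv), "<", path)
            codes.append(None)
            continue
        with open(path, "rb") as message:
            done = subprocess.run(argv, stdin=message, check=False)
            codes.append(done.returncode)
    return codes


if __name__ == "__main__":
    # usage: resend_plan.py FILENAMES QUARANTINE_ROOT RECIPIENT [--send]
    ok, bad = plan_resend(sys.argv[1], sys.argv[2], sys.argv[3])
    for path, reason in bad:
        print("skipped %s: %s" % (path, reason), file=sys.stderr)
    resend(ok, dry_run="--send" not in sys.argv[4:])
```

Run it without --send first and review the skipped paths before any message is re-injected.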
From: philippe at beau.nom.fr (Philippe BEAU)
Date: Mon Jul 16 22:31:35 2007
Subject: Which Mailscanner version + module is the latest ?
Message-ID: <001201c7c7f0$a8c54ed0$64fefe0a@beauhqlo3ihx4g>

Hello all,

I would like to install my new platform (I've an old MailScanner running ...). Can anyone tell me which MailScanner version will work well with the latest clamav & co?

Best regards

Philippe,

From rickt at rickt.org Mon Jul 16 22:35:49 2007
From: rickt at rickt.org (Rick Tait)
Date: Mon Jul 16 22:35:52 2007
Subject: {Disarmed} Confusion regarding whitelisting... (scan.messages.rules vs. spam.whitelist.rules?)
In-Reply-To: <469BD9CF.10300@ecs.soton.ac.uk>
References: <798375e00707161316j178a18b5x6501c5d89abe2c90@mail.gmail.com> <469BD9CF.10300@ecs.soton.ac.uk>
Message-ID: <798375e00707161435j3e906d2ayd7e746697de048d8@mail.gmail.com>

On 7/16/07, Julian Field wrote:

Julian -- I appreciate your response sir!

> > I am trying to make sure that certain emails are NOT spam-checked (
> > It is my understanding that I can use the "Scan
> > Messages" directive for this.
> If you use that, it will not virus-scan them either. If you just want to
> stop spam checks, use "Spam Checks" for doing this.

Understood, thank you for the clarification. I will definitely move back to using Spam Checks for the whitelisting.

> Check that the envelope sender address is really where the message is
> claiming to come from, for starters.

Yes, I already have done that -- I should have mentioned that in my initial post to the list. It's definitely a legit email/sender. Here are the relevant headers:

--- snip ---
From: Info List < jeffgund@infolist.com>
X-MailScanner: CLEAN
X-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=6.958, required 4.8, BAYES_50 2.50, HTML_30_40 0.37, HTML_MESSAGE 0.00, HTML_MIME_NO_HTML_TAG 1.08, MIME_HTML_ONLY 0.00, UNPARSEABLE_RELAY 3.00)
X-MailScanner-SpamScore: ssssss
X-MailScanner-From: root@www.infolist.com
--- snip ---

So that definitely does seem legit. And bear in mind what I have in my whitelist file:

--- snip ---
From: jeffgund@infolist.com no
ToOrFrom: default yes
--- snip ---

I'm stumped! By the way, this issue (whitelisting not working) does not seem to be isolated to just this remote user. It does not appear to be working in general. Everything else is working beautifully.

Thanks so much for your help in advance!

-Rick.

From lists at jfworks.net Mon Jul 16 22:43:14 2007
From: lists at jfworks.net (James)
Date: Mon Jul 16 22:43:26 2007
Subject: Which Mailscanner version + module is the latest ?
In-Reply-To: <001201c7c7f0$a8c54ed0$64fefe0a@beauhqlo3ihx4g>
References: <001201c7c7f0$a8c54ed0$64fefe0a@beauhqlo3ihx4g>
Message-ID: <469BE672.7050806@jfworks.net>

Philippe BEAU wrote:
> Hello all,
>
> I would like to install my new platform (I've an old MailScanner running
> ...). Can anyone tell me which MailScanner version will work well with
> the latest clamav & co?
>
> Best regards
>
> Philippe,

You probably want to install the latest stable version of MailScanner. As for clamav you may want to use clamavmodule or clamd for virus scanning. clamd support was recently added to MailScanner. You may also want to use the "ClamAV 0.91 and SpamAssassin 3.2.1 easy installation package" from the mailscanner.info site also.

James

From steve.freegard at fsl.com Mon Jul 16 23:04:54 2007
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Jul 16 23:05:01 2007
Subject: How to get e-mail messages from Mail Scanner?
In-Reply-To: <223f97700707161358n49be1ee9nf722936668bd1a90@mail.gmail.com>
References: <331157498.20070716085350@SYO.Com> <469BBD8B.4020302@nkpanama.com> <7.0.1.0.2.20070716135347.03d464e8@jameswest.com> <11510314368.20070716161058@SYO.Com> <223f97700707161358n49be1ee9nf722936668bd1a90@mail.gmail.com>
Message-ID: <469BEB86.50405@fsl.com>

Hi Glenn/Jason,

Glenn Steen wrote:
> On 16/07/07, Jason Gottschalk wrote:
> "Archive of quarantine"? Sounds a bit like you are using MailWatch and
> have store set on the non-spam action... In which case this becomes
> a problem of:
> a) Finding the relevant messages, and
> b) sending them to the recipient.
>
> If you indeed use MailWatch, then a) is fixed by a simple SQL query...
> All you really need is to construct a file containing all the message
> IDs and possibly all the dates... Heck, why not let the SQL scriptlet
> construct a file of filenames (one/line) with the absolute path to the
> message file (which is in RFC822 format), then simply loop over that
> and use your MTA's sendmail command (for i in $(cat filenames); do
> sendmail recipient@add.ress<$i; done) ... Simple as that:-).
> I'm on vacation, so will not be writing that scriptlet for you anytime
> this week... perhaps when I'm back to the grindstone...:-)

I wrote something similar for a customer with a similar problem which is attached.

You will need to edit it and change 'mysql -N mailscanner' to 'mysql -u -p -N mailscanner' where is your MailWatch MySQL user. It will prompt you for the password when you run it.

It is run like:

    resend.sh 2007-06-01 2007-06-16 fsl.com

The first argument is the date from, second is the date to and third is used to match all or part of a destination address (e.g. domain or full e-mail address), it will then find all messages for matching those criteria and resend them from the quarantine.

Hope it helps.

Kind regards,
Steve.
--
Steve Freegard
Development Director
Fort Systems Ltd.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: resend.sh
Type: application/x-shellscript
Size: 602 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070716/32d888c2/resend.bin

From shuttlebox at gmail.com Mon Jul 16 23:07:38 2007
From: shuttlebox at gmail.com (shuttlebox)
Date: Mon Jul 16 23:07:41 2007
Subject: {Disarmed} Confusion regarding whitelisting... (scan.messages.rules vs. spam.whitelist.rules?)
In-Reply-To: <798375e00707161435j3e906d2ayd7e746697de048d8@mail.gmail.com>
References: <798375e00707161316j178a18b5x6501c5d89abe2c90@mail.gmail.com> <469BD9CF.10300@ecs.soton.ac.uk> <798375e00707161435j3e906d2ayd7e746697de048d8@mail.gmail.com>
Message-ID: <625385e30707161507i6a748013od6412bae073cd780@mail.gmail.com>

On 7/16/07, Rick Tait wrote:
> Yes, I already have done that -- I should have mentioned that in my initial
> post to the list. It's definitely a legit email/sender. Here are the
> relevant headers:
>
> --- snip ---
> From: Info List < jeffgund@infolist.com>
> X-MailScanner-From: root@www.infolist.com
> --- snip ---
>
> So that definitely does seem legit. And bear in mind what I have in my
> whitelist file:
>
> --- snip ---
> From: jeffgund@infolist.com no
> ToOrFrom: default yes
> --- snip ---

The From: header can contain anything, the real sender is root@www.infolist.com and is what should be in the ruleset.

--
/peter

From glenn.steen at gmail.com Mon Jul 16 23:30:39 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jul 16 23:30:41 2007 Subject: How to get e-mail messages from Mail Scanner? In-Reply-To: <469BEB86.50405@fsl.com> References: <331157498.20070716085350@SYO.Com> <469BBD8B.4020302@nkpanama.com> <7.0.1.0.2.20070716135347.03d464e8@jameswest.com> <11510314368.20070716161058@SYO.Com> <223f97700707161358n49be1ee9nf722936668bd1a90@mail.gmail.com> <469BEB86.50405@fsl.com> Message-ID: <223f97700707161530r4dce1435h7859a1109bc224a9@mail.gmail.com> On 17/07/07, Steve Freegard wrote: > Hi Glenn/Jason, > > Glenn Steen wrote: > > On 16/07/07, Jason Gottschalk wrote: > > "Archive of quarantine"? Sounds a bit like you are using MailWatch and > > have store set on the non-spam action... In whiich case this beconmes > > a problem of: > > a) Finding the relevant messages, and > > b) sending them to the recipient. > > > > If you indeed use MailWatch, then a) is fixed by a simple SQL query... > > All you really need is to construct a file containing all the message > > IDs and possibly all the dates... Heck, why not let the SQL scriptlet > > construct a file of filenames (one/line) with the absolute path to the > > message file (which is in RFC822 format), then simply loop over that > > and use yourMTAs sendmail command (for i in $(cat filenames); do > > sendmail recipient@add.ress<$i; done) ... Simple as that:-). > > I'm on vacation, so will not be writing that scriptlet for you anytime > > this week... perhaps when I'm back to the grindstone...:-) > > I wrote something similar for a customer with a similar problem which is > attached. > > You will need to edit it and change 'mysql -N mailscanner' to 'mysql > -u -p -N mailscanner' where is your MailWatch MySQL > user. It will prompt you for the password when you run it. > > It is run like: > > resend.sh 2007-06-01 2007-06-16 fsl.com > > The first argument is the date from, second is the date to and third is > used to match all or part of a destination address (e.g. 
domain or full > e-mail address), it will then find all messages for matching those > criteria and resend them from the quarantine. > > Hope it helps. > > Kind regards, > Steve. > Thanks a bundle Steve.... I thought someone would've written something like that already:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Mon Jul 16 23:43:06 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jul 16 23:43:07 2007 Subject: {Disarmed} Confusion regarding whitelisting... (scan.messages.rules vs. spam.whitelist.rules?) In-Reply-To: <798375e00707161435j3e906d2ayd7e746697de048d8@mail.gmail.com> References: <798375e00707161316j178a18b5x6501c5d89abe2c90@mail.gmail.com> <469BD9CF.10300@ecs.soton.ac.uk> <798375e00707161435j3e906d2ayd7e746697de048d8@mail.gmail.com> Message-ID: <223f97700707161543o49b263dfn5f38418084577006@mail.gmail.com> On 16/07/07, Rick Tait wrote: > On 7/16/07, Julian Field wrote: > > > Julian -- I appreciate your response sir! > > > > I am trying to make sure that certain emails are NOT spam-checked ( > > > It is my understanding that I can use the "Scan > > > Messages" directive for this. > > If you use that, it will not virus-scan them either. If you just want to > > stop spam checks, use "Spam Checks" for doing this. > > Understood, thank you for the clarification. I will definitely move back to > using Spam Checks for the whitelisting. > > > Check that the envelope sender address is really where the message is > > claiming to come from, for starters. > > Yes, I already have done that -- I should have mentioned that in my initial > post to the list. It's definitely a legit email/sender. Here are the > relevant headers: > > --- snip --- 
> From: Info List < jeffgund@infolist.com>
> X-MailScanner: CLEAN
> X-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
> score=6.958, required 4.8, BAYES_50 2.50, HTML_30_40 0.37,
> HTML_MESSAGE 0.00, HTML_MIME_NO_HTML_TAG 1.08, MIME_HTML_ONLY 0.00,
> UNPARSEABLE_RELAY 3.00)
> X-MailScanner-SpamScore: ssssss
> X-MailScanner-From: root@www.infolist.com
> --- snip ---
>
> So that definitely does seem legit. And bear in mind what I have in my
> whitelist file:
>
> --- snip ---
> From: jeffgund@infolist.com no
> ToOrFrom: default yes
> --- snip ---
>
> I'm stumped! By the way, this issue (whitelisting not working) does not seem
> to be isolated to just this remote user. It does not appear to be working in
> general. Everything else is working beautifully.
>
> Thanks so much for your help in advance!
>
> -Rick.
>

Maillog is where you might see that the sender really is what you think it is (as pointed out by Peter, the From: has no bearing on anything real... Envelope sender is also very easily spoofed, but the From: could contain just about anything... or nothing:)...

And when doing this type of "whitelisting", keep in mind that there are a few different things you might want to whitelist as well, to reach different results (filename/filetype, phishing ... ) and that how to do that might differ...

Also, using _only_ the envelope sender (which is very easily spoofed) for whitelisting is generally not a good idea... Using the sending IP address is much better, but perhaps harder to obtain/maintain...

And you will have to split multi-recipient mails into one mail/recipient, to be sure that your whitelists really work as you expect them. Look in the wiki how to do that.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From andy.mac at global-domination.org Tue Jul 17 00:00:18 2007
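The mismatch Peter and Glenn describe, as an added example that is not part of any list post and is not MailScanner code: a simplified model of first-match ruleset lookup, run against the headers and whitelist file quoted in the thread. The model (glob patterns plus a `default` rule), the function names and the recipient address are assumptions; the point it shows is that the lookup uses the envelope sender recorded in X-MailScanner-From, not the From: header.

```python
import fnmatch
from email import message_from_string
from email.utils import parseaddr

# Constructed from the headers and ruleset quoted in the thread.
SAMPLE_HEADERS = (
    "From: Info List <jeffgund@infolist.com>\n"
    "X-MailScanner-SpamScore: ssssss\n"
    "X-MailScanner-From: root@www.infolist.com\n"
    "\n"
)
RULESET_AS_POSTED = """\
From:      jeffgund@infolist.com   no
ToOrFrom:  default                 yes
"""
# Same ruleset keyed on the envelope sender, as suggested in the replies.
RULESET_ENVELOPE = """\
From:      root@www.infolist.com   no
ToOrFrom:  default                 yes
"""


def parse_ruleset(text):
    """Return (rules, default) parsed from 'Direction: pattern value' lines."""
    rules, default = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split(None, 2)
        direction = direction.rstrip(":").lower()
        if pattern.lower() == "default":
            default = value.strip()          # applied only when nothing else matches
        else:
            rules.append((direction, pattern.lower(), value.strip()))
    return rules, default


def lookup(ruleset_text, env_from, env_to):
    """First matching rule wins; otherwise the default value is returned."""
    rules, default = parse_ruleset(ruleset_text)
    for direction, pattern, value in rules:
        hit_from = fnmatch.fnmatchcase(env_from.lower(), pattern)
        hit_to = fnmatch.fnmatchcase(env_to.lower(), pattern)
        wants_from, wants_to = "from" in direction, "to" in direction
        if "and" in direction:               # FromAndTo: both sides must match
            hit = hit_from and hit_to
        else:                                # From:, To:, FromOrTo:/ToOrFrom:
            hit = (wants_from and hit_from) or (wants_to and hit_to)
        if hit:
            return value
    return default


def audit(headers_text, ruleset_text, env_to):
    """Compare the value the ruleset yields for the envelope sender with the
    value it would yield if the From: header were the address being matched."""
    msg = message_from_string(headers_text)
    header_from = parseaddr(msg["From"])[1]
    envelope_from = msg["X-MailScanner-From"].strip()
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        "value_applied": lookup(ruleset_text, envelope_from, env_to),
        "value_if_header_were_used": lookup(ruleset_text, header_from, env_to),
    }


if __name__ == "__main__":
    # rick@example.org is a placeholder recipient.
    for name, rs in (("as posted", RULESET_AS_POSTED), ("envelope", RULESET_ENVELOPE)):
        print(name, audit(SAMPLE_HEADERS, rs, "rick@example.org"))
```

With the ruleset as posted, the sender-specific rule never fires and the message receives the `default` value; keyed on the envelope sender, the same message receives `no`.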
From: andy.mac at global-domination.org (Andrew MacLachlan) Date: Tue Jul 17 00:00:17 2007 Subject: Uninstall MailScanner (OT) Message-ID: >So this thread is closed. Anyone who doesn't agree should go a cool down >for half an hour outside :-) That's not nice - If I went outside for half an hour I'd drown given the lovely weather we are experiencing this "summer"... -Andy -- This message was scanned by ESVA and is believed to be clean. From doc at maddoc.net Tue Jul 17 00:11:10 2007 From: doc at maddoc.net (Doc Schneider) Date: Tue Jul 17 00:11:18 2007 Subject: [Clamav-announce] announcing ClamAV 0.91.1 Message-ID: <469BFB0E.5060109@maddoc.net> Geez... a new one is out! This release fixes stability and other issues of 0.91. See the ChangeLog for the full list. -- -Doc Lincoln, NE. http://www.genealogyforyou.com/ http://www.cairnproductions.com/ From root at doctor.nl2k.ab.ca Tue Jul 17 00:28:48 2007 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Tue Jul 17 00:29:07 2007
Subject: [luca@clamav.net: [Clamav-announce] announcing ClamAV 0.91.1]
Message-ID: <20070716232848.GA3828@doctor.nl2k.ab.ca>

Just got this in the e-mail; a new and improved clamav.

----- Forwarded message from Luca Gibelli -----

Date: Tue, 17 Jul 2007 00:39:21 +0200
From: Luca Gibelli
To: ClamAV Announce
Subject: [Clamav-announce] announcing ClamAV 0.91.1

Dear ClamAV users,

This release fixes stability and other issues of 0.91. See the ChangeLog for the full list.

Do not miss the opportunity to vote for SourceForge.net 2007 Community Choice Awards at http://sourceforge.net/awards/cca/vote.php . ClamAV was nominated for the Best Tool or Utility for SysAdmins category.

Thanks,

--
The ClamAV team (http://www.clamav.net/team)

--
Luca Gibelli (luca _at_ clamav.net) - ClamAV, a GPL anti-virus toolkit
[Tel] +1 706 7054022 [Fax] +1 706 5345792 [IM] nervous/jabber.linux.it
PGP key id 5EFC5582 @ key server || http://www.clamav.net/gpg/luca.gpg
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-announce

----- End forwarded message -----

From Jason at SYO.Com Tue Jul 17 01:42:16 2007
From: Jason at SYO.Com (Jason Gottschalk) Date: Tue Jul 17 01:40:12 2007 Subject: How to get e-mail messages from Mail Scanner? In-Reply-To: <469BD929.9090601@ecs.soton.ac.uk> References: <331157498.20070716085350@SYO.Com> <469BBD8B.4020302@nkpanama.com> <7.0.1.0.2.20070716135347.03d464e8@jameswest.com> <11510314368.20070716161058@SYO.Com> <469BD929.9090601@ecs.soton.ac.uk> Message-ID: <552165006.20070716204216@SYO.Com> Hello Julian, They are stored like this: %date%/nonspam/filename Monday, July 16, 2007, 4:46:33 PM, you wrote: Julian> -----BEGIN PGP SIGNED MESSAGE----- Julian> Hash: SHA1 Julian> Are you saving them in raw queue file format?\ Julian> If so, just drop them in the outgoing queue Julian> /var/spool/mqueue on sendmail Julian> /var/spool/postfix/incoming on postfix Julian> Set the ownerships and permissions correctly, and they should just get Julian> delivered. Julian> Jason Gottschalk wrote: >> Hello Jim, >> >> But I think it it is the archive, I used the Store command. There >> are not any pop accounts for this domain on this server, we are just >> passing them through here to be scanned. >> >> So how do I get hundreds of messages in the archive or the quarantine >> sent out to an address? Or, saved in a format I can copy to the >> workstation and import? >> >> Jason. >> >> Monday, July 16, 2007, 3:55:36 PM, you wrote: >> Jim> Do you have a POP server running, i.e. DoveCot perchance? >> >> Jim> If so, just have the customer POP into your server and pull the mail. >> >> Jim> If I recall, OutLook does still support POP accounts. >> >> Jim> - Jim >> Jim> At 12:48 PM 7/16/2007, you wrote: >> >>>> Jason Gottschalk wrote: >>>> >>>>> Hello MailScanner, >>>>> >>>>> I have a customer that has lost his exchange mailbox. I have been >>>>> archiving mail for this customer for some time. With Filters, I can >>>>> see the e-mail he has sent and received for a long time. 
>>>>> >>>>> How do I get these messages out of the system so I can import them >>>>> into his outlook? >>>>> >>>>> I can click the "[ ]" and send them one at a time, but that will takes >>>>> years! >>>>> >>>>> any ideas? >>>>> >>>>> >>>>> >>>>> >>>> Don't know how to do it, but if I had to do it I'd attack the >>>> problem this way: >>>> >>>> 1. Find a specific set of criteria (could be more than one) to >>>> separate the messages I want from the rest (for example, all >>>> messages that have 192.168.x.z in them since they would have been >>>> sent from the client's particular box, plus all messages that say >>>> "client@client.com" somwhere on the same line as the word "From:". >>>> 2. Take every file that fits that criteria and copy it somewhere >>>> else (from the quarantine or the archive) >>>> 3. Place those files in the MTA's queue (for example, in sendmail it >>>> should be /var/spool/mqueue) >>>> 4. ... >>>> 5. Profit! >>>> >>>> Just kidding about those last two. Anybody here with a better >>>> understanding of the mechanics of MailScanner could tell you if this >>>> would work. >>>> -- >>>> MailScanner mailing list >>>> mailscanner@lists.mailscanner.info >>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>> >>>> Before posting, read http://wiki.mailscanner.info/posting >>>> >>>> Support MailScanner development - buy the book off the website! >>>> >> >> >> >> >> >> Julian> Jules Julian> - -- Julian> Julian Field MEng CITP Julian> www.MailScanner.info Julian> Buy the MailScanner book at www.MailScanner.info/store Julian> MailScanner customisation, or any advanced system administration help? 
Julian> Contact me at Jules@Jules.FM Julian> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 Julian> For all your IT requirements visit www.transtec.co.uk Julian> -----BEGIN PGP SIGNATURE----- Julian> Version: PGP Desktop 9.6.2 (Build 2014) Julian> Charset: ISO-8859-1 Julian> wj8DBQFGm9kqEfZZRxQVtlQRAkYAAKCGRwrMbBNcqC5gZrAHtEHarob5AQCeIeUl Julian> 23A1ULPScbEBDVsyy1iFgzk= Julian> =zxir Julian> -----END PGP SIGNATURE----- Julian> -- Julian> This message has been scanned for viruses and Julian> dangerous content by MailScanner, and is Julian> believed to be clean. Julian> For all your IT requirements visit www.transtec.co.uk -- Best regards, Jason Gottschalk mailto:Jason@SYO.Com SYO Computer Engineering Services, Inc. 586-286-2557 From Jason at SYO.Com Tue Jul 17 01:43:06 2007 
From: Jason at SYO.Com (Jason Gottschalk) Date: Tue Jul 17 01:41:02 2007 Subject: How to get e-mail messages from Mail Scanner? In-Reply-To: <223f97700707161358n49be1ee9nf722936668bd1a90@mail.gmail.com> References: <331157498.20070716085350@SYO.Com> <469BBD8B.4020302@nkpanama.com> <7.0.1.0.2.20070716135347.03d464e8@jameswest.com> <11510314368.20070716161058@SYO.Com> <223f97700707161358n49be1ee9nf722936668bd1a90@mail.gmail.com> Message-ID: <0650529.20070716204306@SYO.Com> Hello Glenn, What did you do? log into my server? ! :) that's exactly my situation. Monday, July 16, 2007, 4:58:42 PM, you wrote: Glenn> On 16/07/07, Jason Gottschalk wrote: >> Hello Jim, >> >> But I think it it is the archive, I used the Store command. There >> are not any pop accounts for this domain on this server, we are just >> passing them through here to be scanned. >> >> So how do I get hundreds of messages in the archive or the quarantine >> sent out to an address? Or, saved in a format I can copy to the >> workstation and import? >> >> Jason. >> Glenn> "Archive of quarantine"? Sounds a bit like you are using MailWatch and Glenn> have store set on the non-spam action... In whiich case this beconmes Glenn> a problem of: Glenn> a) Finding the relevant messages, and Glenn> b) sending them to the recipient. Glenn> If you indeed use MailWatch, then a) is fixed by a simple SQL query... Glenn> All you really need is to construct a file containing all the message Glenn> IDs and possibly all the dates... Heck, why not let the SQL scriptlet Glenn> construct a file of filenames (one/line) with the absolute path to the Glenn> message file (which is in RFC822 format), then simply loop over that Glenn> and use yourMTAs sendmail command (for i in $(cat filenames); do Glenn> sendmail recipient@add.ress<$i; done) ... Simple as that:-). Glenn> I'm on vacation, so will not be writing that scriptlet for you anytime Glenn> this week... 
perhaps when I'm back to the grindstone...:-) Glenn> Cheers Glenn> -- Glenn> -- Glenn Glenn> email: glenn < dot > steen < at > gmail < dot > com Glenn> work: glenn < dot > steen < at > ap1 < dot > se -- Best regards, Jason Gottschalk mailto:Jason@SYO.Com SYO Computer Engineering Services, Inc. 586-286-2557 From Jason at SYO.Com Tue Jul 17 01:54:04 2007 
From: Jason at SYO.Com (Jason Gottschalk) Date: Tue Jul 17 01:51:59 2007 Subject: How to get e-mail messages from Mail Scanner? In-Reply-To: <469BEB86.50405@fsl.com> References: <331157498.20070716085350@SYO.Com> <469BBD8B.4020302@nkpanama.com> <7.0.1.0.2.20070716135347.03d464e8@jameswest.com> <11510314368.20070716161058@SYO.Com> <223f97700707161358n49be1ee9nf722936668bd1a90@mail.gmail.com> <469BEB86.50405@fsl.com> Message-ID: <1136055151.20070716205404@SYO.Com> Hello Steve, okay, very nice, and thank you! Will this scan all the sub directories? The files are in directories like this: quarantine/20070715/nonspam/1IA1h7-0000Yt-H3 I looked at the code, will it send only the non spam mail and will it send messages if there is a match on the TO: as well as the CC: ? Monday, July 16, 2007, 6:04:54 PM, you wrote: Steve> Hi Glenn/Jason, Steve> Glenn Steen wrote: >> On 16/07/07, Jason Gottschalk wrote: >> "Archive of quarantine"? Sounds a bit like you are using MailWatch and >> have store set on the non-spam action... In whiich case this beconmes >> a problem of: >> a) Finding the relevant messages, and >> b) sending them to the recipient. >> >> If you indeed use MailWatch, then a) is fixed by a simple SQL query... >> All you really need is to construct a file containing all the message >> IDs and possibly all the dates... Heck, why not let the SQL scriptlet >> construct a file of filenames (one/line) with the absolute path to the >> message file (which is in RFC822 format), then simply loop over that >> and use yourMTAs sendmail command (for i in $(cat filenames); do >> sendmail recipient@add.ress<$i; done) ... Simple as that:-). >> I'm on vacation, so will not be writing that scriptlet for you anytime >> this week... perhaps when I'm back to the grindstone...:-) Steve> I wrote something similar for a customer with a similar problem which is Steve> attached. 
Steve> You will need to edit it and change 'mysql -N mailscanner' to 'mysql Steve> -u -p -N mailscanner' where is your MailWatch MySQL Steve> user. It will prompt you for the password when you run it. Steve> It is run like: Steve> resend.sh 2007-06-01 2007-06-16 fsl.com Steve> The first argument is the date from, second is the date to and third is Steve> used to match all or part of a destination address (e.g. domain or full Steve> e-mail address), it will then find all messages for matching those Steve> criteria and resend them from the quarantine. Steve> Hope it helps. Steve> Kind regards, Steve> Steve. Steve> -- Steve> Steve Freegard Steve> Development Director Steve> Fort Systems Ltd. -- Best regards, Jason Gottschalk mailto:Jason@SYO.Com SYO Computer Engineering Services, Inc. 586-286-2557 From ram at netcore.co.in Tue Jul 17 06:22:24 2007 From: ram at netcore.co.in (ram) Date: Tue Jul 17 06:22:31 2007 Subject: How to Allow mails marked "could be a suspicious file " In-Reply-To: <469B9F78.1090309@ecs.soton.ac.uk> References: <1184592200.19284.16.camel@localhost.localdomain> <469B9F78.1090309@ecs.soton.ac.uk> Message-ID: <1184649744.25752.2.camel@localhost.localdomain> On Mon, 2007-07-16 at 17:40 +0100, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > This looks to me like a report from a virus scanner. See if there is a > command-line option for your scanner that stops it looking for things > like this. If you tell me what scanner you're using, then I can tell you > where the mod needs to be made. I am using clamavmodule and f-prot Thanks Ram From mogens at fumlersoft.dk Tue Jul 17 08:22:13 2007 
From: mogens at fumlersoft.dk (Mogens Melander) Date: Tue Jul 17 08:21:11 2007 Subject: {Disarmed} Confusion regarding whitelisting... (scan.messages.rules vs. spam.whitelist.rules?) In-Reply-To: <798375e00707161435j3e906d2ayd7e746697de048d8@mail.gmail.com> References: <798375e00707161316j178a18b5x6501c5d89abe2c90@mail.gmail.com> <469BD9CF.10300@ecs.soton.ac.uk> <798375e00707161435j3e906d2ayd7e746697de048d8@mail.gmail.com> Message-ID: <4862.90.184.16.67.1184656933.squirrel@mail.fumlersoft.dk> On Mon, July 16, 2007 23:35, Rick Tait wrote: > On 7/16/07, Julian Field wrote: > > Julian -- I appreciate your response sir! > >> I am trying to make sure that certain emails are NOT spam-checked ( >> > It is my understanding that I can use the "Scan >> > Messages" directive for this. >> If you use that, it will not virus-scan them either. If you just want to >> stop spam checks, use "Spam Checks" for doing this. > > > Understood, thank you for the clarification. I will definitely move back > to > using Spam Checks for the whitelisting. > > Check that the envelope sender address is really where the message is >> claiming to come from, for starters. > > > Yes, I already have done that -- I should have mentioned that in my > initial > post to the list. It's definitely a legit email/sender. Here are the > relevant headers: > > --- snip --- > From: Info List < jeffgund@infolist.com> > X-MailScanner: CLEAN > X-MailScanner-SpamCheck: spam, SpamAssassin (not cached, > score=6.958, required 4.8, BAYES_50 2.50, HTML_30_40 0.37, > HTML_MESSAGE 0.00, HTML_MIME_NO_HTML_TAG 1.08, MIME_HTML_ONLY 0.00, > UNPARSEABLE_RELAY 3.00) > X-MailScanner-SpamScore: ssssss > X-MailScanner-From: root@www.infolist.com > --- snip --- > > So that definitely does seem legit. And bear in mind what I have in my > whitelist file: > > --- snip --- 
> From: jeffgund@infolist.com no > ToOrFrom: default yes > --- snip --- If this is your white-list, i think you got it backwards, not whitelisting jeffgund@infolist.com, but everything else. > > I'm stumped! By the way, this issue (whitelisting not working) does not > seem > to be isolated to just this remote user. It does not appear to be working > in > general. Everything else is working beautifully. > -- Later Mogens Melander +45 40 85 71 38 +66 870 133 224 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From hofu12 at physik.tu-darmstadt.de Tue Jul 17 09:42:47 2007 From: hofu12 at physik.tu-darmstadt.de (jh) Date: Tue Jul 17 09:42:58 2007 Subject: adverse effect of SA cache Message-ID: Hi, I experienced a bad effect of SA cache: As I got hit by constantly more than 500 connections from multiple machines trying to deliver the same message, no message got rejected even after updating bayes, body rules etc.. A commandline call to spamassassin rejected all messages, but obviously the first of these messages got not identified and blocked the cache for all subsequent calls to SA. I switched caching off via MS now. Greetings jh From matt at coders.co.uk Tue Jul 17 11:39:41 2007 From: matt at coders.co.uk (Matt Hampton) Date: Tue Jul 17 11:37:35 2007 Subject: adverse effect of SA cache In-Reply-To: References: Message-ID: <469C9C6D.1060208@coders.co.uk> jh wrote: > Hi, > > I experienced a bad effect of SA cache: > As I got hit by constantly more than 500 connections from > multiple machines trying to deliver the same message, > no message got rejected even after updating bayes, body rules etc.. > A commandline call to spamassassin rejected all messages, > but obviously the first of these messages got not identified > and blocked the cache for all subsequent calls to SA. Why didn't you just shorten the cache lifetime in the config? matt From list-mailscanner at linguaphone.com Tue Jul 17 12:30:00 2007 
From: list-mailscanner at linguaphone.com (Gareth)
Date: Tue Jul 17 12:30:16 2007
Subject: Postfix header check to reject certain senders
Message-ID: <1184671800.15921.16.camel@gblades-suse.linguaphone-intranet.co.uk>

A bit off topic but you are normally a friendly bunch :)

I am trying to get postfix () to reject mail from certain senders rather than accept and then delete it in mailscanner.

One such mail has the following in the headers:-
From: root@adsl.linguaphone.com
To: root@adsl.linguaphone.com
Subject: adsl.linguaphone.com security run output

I have my postfix header checks set to use regexp matching and the file contains :-

/^From:.*\@adsl\.linguaphone\,com/ REJECT Sender address blacklisted.
/^Received:/ HOLD

The problem is that the mail I am trying to block is not being rejected. All mail is being put in the hold queue and Mailscanner working correctly so header checks are working.
Have I done something wrong with the syntax?

From konve at logout.cz Tue Jul 17 12:35:58 2007
From: konve at logout.cz (Dalimil Gala) Date: Tue Jul 17 12:36:14 2007 Subject: R: Fake User-Agent on PDF In-Reply-To: <4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk> References: , <4686B8D1.7090005@ecs.soton.ac.uk>, <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> <4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk> Message-ID: <469CA99E.9020300@logout.cz> Hi, the PDFInfo plugin is available to public since yesterday http://www.rulesemporium.com/plugins.htm#pdfinfo I have installed it on two of my mail hubs, both are working well so far Jul 17 13:21:34 antigona MailScanner[20197]: Message l6HBLJbk021114 from 70.166.145.4 (noi@ucla.edu) to xxxxx.ch is spam, SpamAssassin (score=20.74, required 5, autolearn=disabled, BAYES_95 4.60, GMD_PDF_ENCRYPTED 0.60, GMD_PDF_FUZZY2_T6 1.99, GMD_PDF_HORIZ 0.90, GMD_PDF_STOX_M1 3.25, GMD_PDF_STOX_M3 2.25, GMD_PDF_STOX_M4 2.95, HELO_DYNAMIC_IPADDR 4.20, INVALID_MSGID 0.00) Dalimil Gala > Hi, > > One of the SARE ninjas has created a plugin called PDFInfo. This was posted on the > spamassassin list last week: > > > > Until its publicly released, you can request it with a simple email to > us, see http://www.rulesemporium.com/plugins.htm#pdfinfo > > > > Works well here. > > Regards > > Ian > From ms-list at alexb.ch Tue Jul 17 12:39:05 2007 
From: ms-list at alexb.ch (Alex Broens) Date: Tue Jul 17 12:39:12 2007 Subject: R: Fake User-Agent on PDF In-Reply-To: <469CA99E.9020300@logout.cz> References: , <4686B8D1.7090005@ecs.soton.ac.uk>, <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> <4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk> <469CA99E.9020300@logout.cz> Message-ID: <469CAA59.3060508@alexb.ch> On 7/17/2007 1:35 PM, Dalimil Gala wrote: > the PDFInfo plugin is available to public since yesterday > http://www.rulesemporium.com/plugins.htm#pdfinfo > > I have installed it on two of my mail hubs, both are working well so far "If you find it useful, consider adding to the SARE Beer Fund." From glenn.steen at gmail.com Tue Jul 17 12:55:34 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jul 17 12:55:38 2007 Subject: Postfix header check to reject certain senders In-Reply-To: <1184671800.15921.16.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1184671800.15921.16.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <223f97700707170455n7675180bva3304f040296b035@mail.gmail.com> On 17/07/07, Gareth wrote: > A bit off topic but you are normally a friendly bunch :) > > I am trying to get postfix () to reject mail from certain senders rather > than accept and then delete it in mailscanner. > > One such mail has the following in the headers:- > From: root@adsl.linguaphone.com > To: root@adsl.linguaphone.com > Subject: adsl.linguaphone.com security run output > > I have my postfix header checks set to use regexp matching and the file > contains :- > > /^From:.*\@adsl\.linguaphone\,com/ REJECT Sender > address blacklisted. > /^Received:/ HOLD > > The problem is that the mail I am trying to block is not being rejected. > All mail is being put in the hold queue and Mailscanner working > correctly so header checks are working. > Have I done something wrong with the syntax? > Look at rejecting the _envelope_ sender instead. That 
From: is probably spoofed to high heaven:-). Also, this should be done in the access map instead.
... Then again, I'm on vacation, so the brain might be slightly turned off (more than usual, that is:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From leiw324 at yahoo.com.hk Tue Jul 17 13:06:26 2007
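Why the table posted in the question holds the message instead of rejecting it, as an added example that comes neither from the thread nor from Postfix: a small emulation of regexp-table lookup (first matching rule per header line, case-insensitive by default) run over constructed header lines. It assumes only pattern syntax common to POSIX and Python regular expressions and ignores if/endif blocks and continuation lines; the function names and the Received: line are hypothetical.

```python
import re

# The table as posted in the question, and the same table with the escaped
# comma replaced by an escaped dot.
TABLE_AS_POSTED = r"""
/^From:.*\@adsl\.linguaphone\,com/   REJECT Sender address blacklisted.
/^Received:/                         HOLD
"""
TABLE_FIXED = TABLE_AS_POSTED.replace(r"\,com", r"\.com")

# Constructed header lines; the Received: line and the second From: are invented.
MSG_CRON = [
    "Received: from adsl.linguaphone.com (unknown [192.0.2.10]) by mx.example.org",
    "From: root@adsl.linguaphone.com",
    "To: root@adsl.linguaphone.com",
    "Subject: adsl.linguaphone.com security run output",
]
MSG_OTHER_FROM = [MSG_CRON[0], "From: Someone Else <someone@example.com>"] + MSG_CRON[2:]

RULE = re.compile(r"^/(?P<pattern>.*)/(?P<flags>[a-z]*)\s+(?P<action>\S+)\s*(?P<text>.*)$")


def parse_table(text):
    """Parse '/pattern/flags ACTION text' lines into (source, regex, action, text)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError("unparseable rule: %r" % line)
        # Matching is case-insensitive unless the 'i' flag toggles it off.
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        rules.append((m.group("pattern"), re.compile(m.group("pattern"), flags),
                      m.group("action").upper(), m.group("text")))
    return rules


def check_header(rules, header):
    """Return (action, text) of the first rule matching this header, or None."""
    for _source, regex, action, text in rules:
        if regex.search(header):
            return action, text
    return None


def disposition(table_text, headers):
    """REJECT on the first rejecting header; otherwise HOLD if any header held."""
    rules, held = parse_table(table_text), False
    for header in headers:
        result = check_header(rules, header)
        if result and result[0] == "REJECT":
            return "REJECT: " + result[1]
        if result and result[0] == "HOLD":
            held = True
    return "HOLD" if held else "PASS"


def unmatched_rules(table_text, headers):
    """List the patterns that matched none of the headers (dead rules)."""
    rules = parse_table(table_text)
    return [source for source, regex, _a, _t in rules
            if not any(regex.search(h) for h in headers)]


if __name__ == "__main__":
    for name, table in (("as posted", TABLE_AS_POSTED), ("fixed", TABLE_FIXED)):
        print(name, disposition(table, MSG_CRON), unmatched_rules(table, MSG_CRON))
    print("fixed, other From:", disposition(TABLE_FIXED, MSG_OTHER_FROM))
```

The escaped comma in `\,com` matches a literal comma, so the first rule never fires and only the `Received:` rule applies. A message carrying a different From: header is still only held by the corrected table, which is the reason given in the reply for checking the envelope sender instead.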
From: leiw324 at yahoo.com.hk (Wilson Kwok) Date: Tue Jul 17 13:06:28 2007 Subject: Still can't send or recevie email Message-ID: <668920.2725.qm@web54408.mail.yahoo.com> hello, I was posted here, I followed someone told me disabled the Cache SpamAssassin Results = no, and I also uninstalled the MailScanner... but the answer is same.... when I type mailq, I can see the test email from my yahoo account.... here is the maillog: Jul 17 20:11:17 abc postfix/smtpd[9265]: connect from web54401.mail.yahoo.com[206.190.49.131] Jul 17 20:11:18 abc MailScanner[9266]: Enabling SpamAssassin auto-whitelist functionality... Jul 17 20:11:18 abc postfix/smtpd[9265]: C52F5700AA: client=web54401.mail.yahoo.com[206.190.49.131] Jul 17 20:11:19 abc MailScanner[9266]: Using locktype = flock Jul 17 20:11:19 abc MailScanner[9266]: New Batch: Scanning 2 messages, 6646 bytes Jul 17 20:11:19 abc postfix/cleanup[9267]: C52F5700AA: hold: header Received: from web54401.mail.yahoo.com (web54401.mail.yahoo.com [206.190.49.131])??by abc (Postfix) with SMTP id C52F5700AA??for ; Tue, 17 Jul 2007 20:11:18 +0800 (HKT) from web54401.mail.yahoo.com[206.190.49.131]; from= to= proto=SMTP helo= Jul 17 20:11:19 abc postfix/cleanup[9267]: C52F5700AA: hold: header Received: (qmail 73875 invoked by uid 60001); 17 Jul 2007 12:04:12 -0000 from web54401.mail.yahoo.com[206.190.49.131]; from= to= proto=SMTP helo= Jul 17 20:11:19 abc postfix/cleanup[9267]: C52F5700AA: hold: header Received: from [58.177.105.214] by web54401.mail.yahoo.com via HTTP; Tue, 17 Jul 2007 20:04:12 CST from web54401.mail.yahoo.com[206.190.49.131]; from= to= proto=SMTP helo= Jul 17 20:11:19 abc postfix/cleanup[9267]: C52F5700AA: message-id=<77161.69046.qm@web54401.mail.yahoo.com> Jul 17 20:11:19 abc postfix/smtpd[9265]: disconnect from web54401.mail.yahoo.com[206.190.49.131] Jul 17 20:11:22 abc MailScanner[9272]: MailScanner E-Mail Virus Scanner version 4.61.7 starting... 
Jul 17 20:11:22 abc MailScanner[9272]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp Jul 17 20:11:23 abc MailScanner[9272]: Enabling SpamAssassin auto-whitelist functionality... Jul 17 20:11:24 abc MailScanner[9272]: Using locktype = flock Jul 17 20:11:24 abc MailScanner[9272]: New Batch: Scanning 3 messages, 8755 bytes Jul 17 20:11:27 abc MailScanner[9278]: MailScanner E-Mail Virus Scanner version 4.61.7 starting... Jul 17 20:11:27 abc MailScanner[9278]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp Jul 17 20:11:28 abc MailScanner[9278]: Enabling SpamAssassin auto-whitelist functionality... Jul 17 20:11:29 abc MailScanner[9278]: Using locktype = flock Jul 17 20:11:29 abc MailScanner[9278]: New Batch: Scanning 3 messages, 8755 bytes Jul 17 20:11:32 abc MailScanner[9283]: MailScanner E-Mail Virus Scanner version 4.61.7 starting... Jul 17 20:11:32 abc MailScanner[9283]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp Jul 17 20:11:33 abc MailScanner[9283]: Enabling SpamAssassin auto-whitelist functionality... Jul 17 20:11:34 abc MailScanner[9283]: Using locktype = flock Jul 17 20:11:34 abc MailScanner[9283]: New Batch: Scanning 3 messages, 8755 bytes Jul 17 20:11:37 abc MailScanner[9287]: MailScanner E-Mail Virus Scanner version 4.61.7 starting... Jul 17 20:11:37 abc MailScanner[9287]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp Jul 17 20:11:38 abc MailScanner[9287]: Enabling SpamAssassin auto-whitelist functionality... Jul 17 20:11:39 abc MailScanner[9287]: Using locktype = flock Jul 17 20:11:39 abc MailScanner[9287]: New Batch: Scanning 3 messages, 8755 bytes Jul 17 20:11:42 abc MailScanner[9291]: MailScanner E-Mail Virus Scanner version 4.61.7 starting... 
Jul 17 20:11:42 abc MailScanner[9291]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp Jul 17 20:11:43 abc MailScanner[9291]: Enabling SpamAssassin auto-whitelist functionality... Jul 17 20:11:44 abc MailScanner[9291]: Using locktype = flock Jul 17 20:11:44 abc MailScanner[9291]: New Batch: Scanning 3 messages, 8755 bytes Jul 17 20:11:47 abc MailScanner[9295]: MailScanner E-Mail Virus Scanner version 4.61.7 starting... Jul 17 20:11:48 abc MailScanner[9295]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp Jul 17 20:11:48 abc MailScanner[9295]: Enabling SpamAssassin auto-whitelist functionality... Jul 17 20:11:49 abc MailScanner[9295]: Using locktype = flock Jul 17 20:11:49 abc MailScanner[9295]: New Batch: Scanning 3 messages, 8755 bytes Jul 17 20:11:52 abc MailScanner[9299]: MailScanner E-Mail Virus Scanner version 4.61.7 starting... Jul 17 20:11:53 abc MailScanner[9299]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp Jul 17 20:11:53 abc MailScanner[9299]: Enabling SpamAssassin auto-whitelist functionality... Jul 17 20:11:54 abc MailScanner[9299]: Using locktype = flock Jul 17 20:11:54 abc MailScanner[9299]: New Batch: Scanning 3 messages, 8755 bytes Jul 17 20:11:57 abc MailScanner[9303]: MailScanner E-Mail Virus Scanner version 4.61.7 starting... Jul 17 20:11:58 abc MailScanner[9303]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp here is the mailq: [root@abc MailScanner]# mailq -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient------- 66482700A8! 1760 Tue Jul 17 20:04:10 leiw324@yahoo.com.hk mail.wilson-kwok.com@ecfind.net C52F5700AA! 1731 Tue Jul 17 20:11:18 leiw324@yahoo.com.hk mail.wilson-kwok.com@ecfind.net
From glenn.steen at gmail.com Tue Jul 17 13:12:14 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jul 17 13:12:18 2007 Subject: Still can't send or recevie email In-Reply-To: <668920.2725.qm@web54408.mail.yahoo.com> References: <668920.2725.qm@web54408.mail.yahoo.com> Message-ID: <223f97700707170512vf72808td777b07e4c383f28@mail.gmail.com> On 17/07/07, Wilson Kwok wrote: > hello, > > I was posted here, I followed someone told me disabled the Cache > SpamAssassin Results = no, and I also uninstalled the MailScanner... but the > answer is same.... when I type mailq, I can see the test email from my yahoo > account.... > > here is the maillog: > > Jul 17 20:11:17 abc postfix/smtpd[9265]: connect from > web54401.mail.yahoo.com[206.190.49.131] > Jul 17 20:11:18 abc MailScanner[9266]: Enabling SpamAssassin auto-whitelist > functionality... > Jul 17 20:11:18 abc postfix/smtpd[9265]: C52F5700AA: > client=web54401.mail.yahoo.com[206.190.49.131] > Jul 17 20:11:19 abc MailScanner[9266]: Using locktype = flock > Jul 17 20:11:19 abc MailScanner[9266]: New Batch: Scanning 2 messages, 6646 > bytes > Jul 17 20:11:19 abc postfix/cleanup[9267]: C52F5700AA: hold: header > Received: from web54401.mail.yahoo.com (web54401.mail.yahoo.com > [206.190.49.131])??by abc (Postfix) with SMTP id C52F5700AA??for > ; Tue, 17 Jul 2007 20:11:18 +0800 (HKT) from > web54401.mail.yahoo.com[206.190.49.131]; from= > to= proto=SMTP helo= > Jul 17 20:11:19 abc postfix/cleanup[9267]: C52F5700AA: hold: header > Received: (qmail 73875 invoked by uid 60001); 17 Jul 2007 12:04:12 -0000 > from web54401.mail.yahoo.com[206.190.49.131]; from= > to= proto=SMTP helo= > Jul 17 20:11:19 abc postfix/cleanup[9267]: C52F5700AA: hold: header > Received: from [58.177.105.214] by web54401.mail.yahoo.com via HTTP; Tue, 17 > Jul 2007 20:04:12 CST from web54401.mail.yahoo.com[206.190.49.131]; > from= to= proto=SMTP > helo= > Jul 17 20:11:19 abc postfix/cleanup[9267]: C52F5700AA: > message-id=<77161.69046.qm@web54401.mail.yahoo.com> > Jul 17 20:11:19 abc 
postfix/smtpd[9265]: disconnect from > web54401.mail.yahoo.com[206.190.49.131] > Jul 17 20:11:22 abc MailScanner[9272]: MailScanner E-Mail Virus Scanner > version 4.61.7 starting... > Jul 17 20:11:22 abc MailScanner[9272]: SpamAssassin temporary working > directory is > /var/spool/MailScanner/incoming/SpamAssassin-Temp > Jul 17 20:11:23 abc MailScanner[9272]: Enabling SpamAssassin auto-whitelist > functionality... > Jul 17 20:11:24 abc MailScanner[9272]: Using locktype = flock > Jul 17 20:11:24 abc MailScanner[9272]: New Batch: Scanning 3 messages, 8755 > bytes > Jul 17 20:11:27 abc MailScanner[9278]: MailScanner E-Mail Virus Scanner > version 4.61.7 starting... > Jul 17 20:11:27 abc MailScanner[9278]: SpamAssassin temporary working > directory is > /var/spool/MailScanner/incoming/SpamAssassin-Temp > Jul 17 20:11:28 abc MailScanner[9278]: Enabling SpamAssassin auto-whitelist > functionality... > Jul 17 20:11:29 abc MailScanner[9278]: Using locktype = flock > Jul 17 20:11:29 abc MailScanner[9278]: New Batch: Scanning 3 messages, 8755 > bytes > Jul 17 20:11:32 abc MailScanner[9283]: MailScanner E-Mail Virus Scanner > version 4.61.7 starting... > Jul 17 20:11:32 abc MailScanner[9283]: SpamAssassin temporary working > directory is > /var/spool/MailScanner/incoming/SpamAssassin-Temp > Jul 17 20:11:33 abc MailScanner[9283]: Enabling SpamAssassin auto-whitelist > functionality... > Jul 17 20:11:34 abc MailScanner[9283]: Using locktype = flock > Jul 17 20:11:34 abc MailScanner[9283]: New Batch: Scanning 3 messages, 8755 > bytes > Jul 17 20:11:37 abc MailScanner[9287]: MailScanner E-Mail Virus Scanner > version 4.61.7 starting... > Jul 17 20:11:37 abc MailScanner[9287]: SpamAssassin temporary working > directory is > /var/spool/MailScanner/incoming/SpamAssassin-Temp > Jul 17 20:11:38 abc MailScanner[9287]: Enabling SpamAssassin auto-whitelist > functionality... 
> Jul 17 20:11:39 abc MailScanner[9287]: Using locktype = flock > Jul 17 20:11:39 abc MailScanner[9287]: New Batch: Scanning 3 messages, 8755 > bytes > Jul 17 20:11:42 abc MailScanner[9291]: MailScanner E-Mail Virus Scanner > version 4.61.7 starting... > Jul 17 20:11:42 abc MailScanner[9291]: SpamAssassin temporary working > directory is > /var/spool/MailScanner/incoming/SpamAssassin-Temp > Jul 17 20:11:43 abc MailScanner[9291]: Enabling SpamAssassin auto-whitelist > functionality... > Jul 17 20:11:44 abc MailScanner[9291]: Using locktype = flock > Jul 17 20:11:44 abc MailScanner[9291]: New Batch: Scanning 3 messages, 8755 > bytes > Jul 17 20:11:47 abc MailScanner[9295]: MailScanner E-Mail Virus Scanner > version 4.61.7 starting... > Jul 17 20:11:48 abc MailScanner[9295]: SpamAssassin temporary working > directory is > /var/spool/MailScanner/incoming/SpamAssassin-Temp > Jul 17 20:11:48 abc MailScanner[9295]: Enabling SpamAssassin auto-whitelist > functionality... > Jul 17 20:11:49 abc MailScanner[9295]: Using locktype = flock > Jul 17 20:11:49 abc MailScanner[9295]: New Batch: Scanning 3 messages, 8755 > bytes > Jul 17 20:11:52 abc MailScanner[9299]: MailScanner E-Mail Virus Scanner > version 4.61.7 starting... > Jul 17 20:11:53 abc MailScanner[9299]: SpamAssassin temporary working > directory is > /var/spool/MailScanner/incoming/SpamAssassin-Temp > Jul 17 20:11:53 abc MailScanner[9299]: Enabling SpamAssassin auto-whitelist > functionality... > Jul 17 20:11:54 abc MailScanner[9299]: Using locktype = flock > Jul 17 20:11:54 abc MailScanner[9299]: New Batch: Scanning 3 messages, 8755 > bytes > Jul 17 20:11:57 abc MailScanner[9303]: MailScanner E-Mail Virus Scanner > version 4.61.7 starting... > Jul 17 20:11:58 abc MailScanner[9303]: SpamAssassin temporary working > directory is > /var/spool/MailScanner/incoming/SpamAssassin-Temp > > here is the mailq: > > [root@abc MailScanner]# mailq > -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient------- > 66482700A8! 
1760 Tue Jul 17 20:04:10 leiw324@yahoo.com.hk > > mail.wilson-kwok.com@ecfind.net > C52F5700AA! 1731 Tue Jul 17 20:11:18 leiw324@yahoo.com.hk > > mail.wilson-kwok.com@ecfind.net > Wilson, could you check that you don't have any file _not_ being a queue file in your postfix hold directory? Seems like you have something there confusing MailScanner... (that find 3 messages, while mailq only find 2...)... Perhaps a razor log file or somesuch. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From matt at coders.co.uk Tue Jul 17 13:17:19 2007 From: matt at coders.co.uk (Matt Hampton) Date: Tue Jul 17 13:14:44 2007 Subject: Still can't send or recevie email In-Reply-To: <668920.2725.qm@web54408.mail.yahoo.com> References: <668920.2725.qm@web54408.mail.yahoo.com> Message-ID: <469CB34F.9070006@coders.co.uk> Wilson Kwok wrote: > hello, > > I was posted here, I followed someone told me disabled the Cache > SpamAssassin Results = no, and I also uninstalled the MailScanner... but > the answer is same.... when I type mailq, I can see the test email from > my yahoo account.... > Looks like there is a problem that MailScanner isn't reporting in the mail log. Try running /path/to/MailScanner --debug and send us the output of that. matt From steves at awebd.com.au Tue Jul 17 13:34:01 2007 From: steves at awebd.com.au (Steve Simeonidis) Date: Tue Jul 17 13:34:17 2007 Subject: stats script Message-ID: <7673651.1184675641889.JavaMail.root@mail.awebd.com.au> can someone please point me to a simple script that generate some stats on spam/viruses/etc parsing the maillog files? Is there anything MailScanner specific available? Thanks Steve From nick at inticon.net Tue Jul 17 13:40:04 2007
From: nick at inticon.net (Nick Brown) Date: Tue Jul 17 13:40:43 2007 Subject: stats script In-Reply-To: <7673651.1184675641889.JavaMail.root@mail.awebd.com.au> Message-ID: MailWatch http://mailwatch.sourceforge.net/doku.php MailScanner-MRTG http://mailscannermrtg.sourceforge.net/ Cheers Nick. On 17/7/07 10:34 PM, "Steve Simeonidis" wrote: > can someone please point me to a simple script that generate some > stats on spam/viruses/etc parsing the maillog files? > > Is there anything MailScanner specific available? > > Thanks > Steve > > Sent using the Microsoft Entourage 2004 for Mac Test Drive. From list-mailscanner at linguaphone.com Tue Jul 17 13:51:40 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Jul 17 13:51:48 2007 Subject: Postfix header check to reject certain senders In-Reply-To: <223f97700707170455n7675180bva3304f040296b035@mail.gmail.com> References: <1184671800.15921.16.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700707170455n7675180bva3304f040296b035@mail.gmail.com> Message-ID: <1184676700.15921.64.camel@gblades-suse.linguaphone-intranet.co.uk> On Tue, 2007-07-17 at 12:55, Glenn Steen wrote: > On 17/07/07, Gareth wrote: > > A bit off topic but you are normally a friendly bunch :) > > > > I am trying to get postfix () to reject mail from certain senders rather > > than accept and then delete it in mailscanner. > > > > One such mail has the following in the headers:- 
> > From: root@adsl.linguaphone.com > > To: root@adsl.linguaphone.com > > Subject: adsl.linguaphone.com security run output > > > > I have my postfix header checks set to use regexp matching and the file > > contains :- > > > > /^From:.*\@adsl\.linguaphone\,com/ REJECT Sender > > address blacklisted. > > /^Received:/ HOLD > > > > The problem is that the mail I am trying to block is not being rejected. > > All mail is being put in the hold queue and Mailscanner working > > correctly so header checks are working. > > Have I done something wrong with the syntax? > > > Look at rejecting the _envelope_ sender instead. That From: is > probably spoofed to high heaven:-). > > Also, this should be done in the access map instead. > ... Then again, I'm on vacation, so the brain might be sligtly turned > off (more than usual, that is:-). ok I added :- smtpd_client_restrictions = check_client_access hash:/etc/postfix/access then added the following line to the access file :- adsl.linguaphone.com REJECT Sender address blacklisted. I then used postmap and restarted postfix but the mail is still being accepted. I configured a copy of outlook with that email address for testing purposes. Any ideas? From shuttlebox at gmail.com Tue Jul 17 13:52:52 2007 From: shuttlebox at gmail.com (shuttlebox) Date: Tue Jul 17 13:52:56 2007 Subject: stats script In-Reply-To: <7673651.1184675641889.JavaMail.root@mail.awebd.com.au> References: <7673651.1184675641889.JavaMail.root@mail.awebd.com.au> Message-ID: <625385e30707170552w537cab1bse8c6d45303d63fca@mail.gmail.com> On 7/17/07, Steve Simeonidis wrote: > can someone please point me to a simple script that generate some > stats on spam/viruses/etc parsing the maillog files? > > Is there anything MailScanner specific available? Vispan - http://www.while.org.uk/content/view/9/5/ -- /peter From john at tradoc.fr Tue Jul 17 13:58:14 2007 
From: john at tradoc.fr (John Wilcock) Date: Tue Jul 17 13:58:22 2007 Subject: stats script In-Reply-To: References: Message-ID: <469CBCE6.1050603@tradoc.fr> Nick Brown wrote: > MailWatch http://mailwatch.sourceforge.net/doku.php > MailScanner-MRTG http://mailscannermrtg.sourceforge.net/ I'd add logwatch http://www.logwatch.org/ for daily summary reports. For usage graphs I find that mailgraph http://mailgraph.schweikert.ch/ is a good alternative to MailScanner-MRTG. If you also want the system load graphs included in MS-MRTG you might want to combine it with something like collectd http://www.collectd.org/ John. -- -- Over 3000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From campbell at cnpapers.com Tue Jul 17 13:59:59 2007 
From: campbell at cnpapers.com (Steve Campbell) Date: Tue Jul 17 14:00:08 2007 Subject: Still can't send or recevie email In-Reply-To: <668920.2725.qm@web54408.mail.yahoo.com> References: <668920.2725.qm@web54408.mail.yahoo.com> Message-ID: <469CBD4F.9050001@cnpapers.com> Wilson Kwok wrote: > hello, > I was posted here, I followed someone told me disabled the Cache > SpamAssassin Results = no, and I also uninstalled the MailScanner... > but the answer is same.... when I type mailq, I can see the test email > from my yahoo account.... > here is the maillog: > Jul 17 20:11:17 abc postfix/smtpd[9265]: connect from > web54401.mail.yahoo.com[206.190.49.131] > Jul 17 20:11:18 abc MailScanner[9266]: Enabling SpamAssassin > auto-whitelist functionality... > Jul 17 20:11:18 abc postfix/smtpd[9265]: C52F5700AA: > client=web54401.mail.yahoo.com[206.190.49.131] > Jul 17 20:11:19 abc MailScanner[9266]: Using locktype = flock > Jul 17 20:11:19 abc MailScanner[9266]: New Batch: Scanning 2 messages, > 6646 bytes > Jul 17 20:11:19 abc postfix/cleanup[9267]: C52F5700AA: hold: header > Received: from web54401.mail.yahoo.com (web54401.mail.yahoo.com > [206.190.49.131])??by abc (Postfix) with SMTP id C52F5700AA??for > >; Tue, 17 Jul 2007 > 20:11:18 +0800 (HKT) from web54401.mail.yahoo.com[206.190.49.131]; > from=> > to=> proto=SMTP > helo= > Jul 17 20:11:19 abc postfix/cleanup[9267]: C52F5700AA: hold: header > Received: (qmail 73875 invoked by uid 60001); 17 Jul 2007 12:04:12 > -0000 from web54401.mail.yahoo.com[206.190.49.131]; > from=> > to=> proto=SMTP > helo= > Jul 17 20:11:19 abc postfix/cleanup[9267]: C52F5700AA: hold: header > Received: from [58.177.105.214] by web54401.mail.yahoo.com via HTTP; > Tue, 17 Jul 2007 20:04:12 CST from > web54401.mail.yahoo.com[206.190.49.131]; from= > to= > proto=SMTP helo= > Jul 17 20:11:19 abc postfix/cleanup[9267]: C52F5700AA: > message-id=<77161.69046.qm@web54401.mail.yahoo.com > > > Jul 17 20:11:19 abc postfix/smtpd[9265]: disconnect from > 
web54401.mail.yahoo.com[206.190.49.131] > Jul 17 20:11:22 abc MailScanner[9272]: MailScanner E-Mail Virus > Scanner version 4.61.7 starting... > Jul 17 20:11:22 abc MailScanner[9272]: SpamAssassin temporary working > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp > Jul 17 20:11:23 abc MailScanner[9272]: Enabling SpamAssassin > auto-whitelist functionality... > Jul 17 20:11:24 abc MailScanner[9272]: Using locktype = flock > Jul 17 20:11:24 abc MailScanner[9272]: New Batch: Scanning 3 messages, > 8755 bytes > Jul 17 20:11:27 abc MailScanner[9278]: MailScanner E-Mail Virus > Scanner version 4.61.7 starting... > Jul 17 20:11:27 abc MailScanner[9278]: SpamAssassin temporary working > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp > Jul 17 20:11:28 abc MailScanner[9278]: Enabling SpamAssassin > auto-whitelist functionality... > Jul 17 20:11:29 abc MailScanner[9278]: Using locktype = flock > Jul 17 20:11:29 abc MailScanner[9278]: New Batch: Scanning 3 messages, > 8755 bytes > Jul 17 20:11:32 abc MailScanner[9283]: MailScanner E-Mail Virus > Scanner version 4.61.7 starting... > Jul 17 20:11:32 abc MailScanner[9283]: SpamAssassin temporary working > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp > Jul 17 20:11:33 abc MailScanner[9283]: Enabling SpamAssassin > auto-whitelist functionality... > Jul 17 20:11:34 abc MailScanner[9283]: Using locktype = flock > Jul 17 20:11:34 abc MailScanner[9283]: New Batch: Scanning 3 messages, > 8755 bytes > Jul 17 20:11:37 abc MailScanner[9287]: MailScanner E-Mail Virus > Scanner version 4.61.7 starting... > Jul 17 20:11:37 abc MailScanner[9287]: SpamAssassin temporary working > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp > Jul 17 20:11:38 abc MailScanner[9287]: Enabling SpamAssassin > auto-whitelist functionality... 
> Jul 17 20:11:39 abc MailScanner[9287]: Using locktype = flock > Jul 17 20:11:39 abc MailScanner[9287]: New Batch: Scanning 3 messages, > 8755 bytes > Jul 17 20:11:42 abc MailScanner[9291]: MailScanner E-Mail Virus > Scanner version 4.61.7 starting... > Jul 17 20:11:42 abc MailScanner[9291]: SpamAssassin temporary working > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp > Jul 17 20:11:43 abc MailScanner[9291]: Enabling SpamAssassin > auto-whitelist functionality... > Jul 17 20:11:44 abc MailScanner[9291]: Using locktype = flock > Jul 17 20:11:44 abc MailScanner[9291]: New Batch: Scanning 3 messages, > 8755 bytes > Jul 17 20:11:47 abc MailScanner[9295]: MailScanner E-Mail Virus > Scanner version 4.61.7 starting... > Jul 17 20:11:48 abc MailScanner[9295]: SpamAssassin temporary working > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp > Jul 17 20:11:48 abc MailScanner[9295]: Enabling SpamAssassin > auto-whitelist functionality... > Jul 17 20:11:49 abc MailScanner[9295]: Using locktype = flock > Jul 17 20:11:49 abc MailScanner[9295]: New Batch: Scanning 3 messages, > 8755 bytes > Jul 17 20:11:52 abc MailScanner[9299]: MailScanner E-Mail Virus > Scanner version 4.61.7 starting... > Jul 17 20:11:53 abc MailScanner[9299]: SpamAssassin temporary working > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp > Jul 17 20:11:53 abc MailScanner[9299]: Enabling SpamAssassin > auto-whitelist functionality... > Jul 17 20:11:54 abc MailScanner[9299]: Using locktype = flock > Jul 17 20:11:54 abc MailScanner[9299]: New Batch: Scanning 3 messages, > 8755 bytes > Jul 17 20:11:57 abc MailScanner[9303]: MailScanner E-Mail Virus > Scanner version 4.61.7 starting... > Jul 17 20:11:58 abc MailScanner[9303]: SpamAssassin temporary working > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp > here is the mailq: > [root@abc MailScanner]# mailq > -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient------- > 66482700A8! 
1760 Tue Jul 17 20:04:10 leiw324@yahoo.com.hk > > mail.wilson-kwok.com@ecfind.net > C52F5700AA! 1731 Tue Jul 17 20:11:18 leiw324@yahoo.com.hk > > mail.wilson-kwok.com@ecfind.net > Looks like your "Lock Type" might be wrong or unset in your Mailscanner.conf file. Check it and set it to "Posix" and see where that gets you. steve From glenn.steen at gmail.com Tue Jul 17 14:05:14 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jul 17 14:05:21 2007 Subject: Postfix header check to reject certain senders In-Reply-To: <1184676700.15921.64.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1184671800.15921.16.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700707170455n7675180bva3304f040296b035@mail.gmail.com> <1184676700.15921.64.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <223f97700707170605u6bffb36fn38d3517639326b51@mail.gmail.com> On 17/07/07, Gareth wrote: > On Tue, 2007-07-17 at 12:55, Glenn Steen wrote: > > On 17/07/07, Gareth wrote: > > > A bit off topic but you are normally a friendly bunch :) > > > > > > I am trying to get postfix () to reject mail from certain senders rather > > > than accept and then delete it in mailscanner. > > > > > > One such mail has the following in the headers:- 
> > > From: root@adsl.linguaphone.com > > > To: root@adsl.linguaphone.com > > > Subject: adsl.linguaphone.com security run output > > > > > > I have my postfix header checks set to use regexp matching and the file > > > contains :- > > > > > > /^From:.*\@adsl\.linguaphone\,com/ REJECT Sender > > > address blacklisted. > > > /^Received:/ HOLD > > > > > > The problem is that the mail I am trying to block is not being rejected. > > > All mail is being put in the hold queue and Mailscanner working > > > correctly so header checks are working. > > > Have I done something wrong with the syntax? > > > > > Look at rejecting the _envelope_ sender instead. That From: is > > probably spoofed to high heaven:-). > > > > Also, this should be done in the access map instead. > > ... Then again, I'm on vacation, so the brain might be sligtly turned > > off (more than usual, that is:-). > > ok I added :- > smtpd_client_restrictions = check_client_access hash:/etc/postfix/access > > then added the following line to the access file :- > adsl.linguaphone.com REJECT Sender address > blacklisted. > > I then used postmap and restarted postfix but the mail is still being > accepted. I configured a copy of outlook with that email address for > testing purposes. > > Any ideas? > Ok, might be your (postfix, implicit) trust rules taking effect before the access rule (permit_mynetworks ...). See to it that the client machine isn't part of that trust. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Tue Jul 17 14:08:03 2007 
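
The header-versus-envelope point in the exchange above, as an added example (not code from the thread or from Postfix): a simplified Python model of a regexp header check and of the lookup keys that check_client_access and check_sender_access consult. The rule and the access entry are the ones quoted in the thread; the client names, IP addresses, the second sender and all helper names are constructed assumptions.

```python
import re

# Rule as quoted in the thread ("\,com" is a literal comma) and a variant with "\.com".
RULE_AS_POSTED = r"^From:.*\@adsl\.linguaphone\,com"
RULE_WITH_DOT = r"^From:.*\@adsl\.linguaphone\.com"
# Access-map entry as quoted in the thread.
ACCESS_MAP = {"adsl.linguaphone.com": "REJECT Sender address blacklisted."}

# Constructed SMTP sessions: client names, IPs and the second sender are made up.
SESSIONS = {
    "outlook_test": {   # mail client configured with the blocked address
        "client": ("pc42.example.net", "192.0.2.10"),
        "mail_from": "root@adsl.linguaphone.com",
        "headers": ["From: root@adsl.linguaphone.com",
                    "To: root@adsl.linguaphone.com",
                    "Subject: adsl.linguaphone.com security run output"],
    },
    "forged_header": {  # header From: says one thing, the envelope another
        "client": ("mx.mailer.example.org", "198.51.100.7"),
        "mail_from": "bounce@mailer.example.org",
        "headers": ["From: root@adsl.linguaphone.com",
                    "To: root@adsl.linguaphone.com"],
    },
}


def header_check(pattern, header_lines, action="REJECT"):
    """One-rule header check: the action fires on the first matching header line.
    Postfix regexp tables match case-insensitively by default."""
    rx = re.compile(pattern, re.IGNORECASE)
    for line in header_lines:
        if rx.search(line):
            return action
    return None


def parent_domains(name):
    """adsl.linguaphone.com -> [adsl.linguaphone.com, linguaphone.com, com]"""
    labels = name.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def client_keys(hostname, ip):
    """check_client_access: client name, parent domains, IP, then shorter networks."""
    octets = ip.split(".")
    return parent_domains(hostname) + [".".join(octets[:n]) for n in range(4, 0, -1)]


def sender_keys(mail_from):
    """check_sender_access: MAIL FROM address, its domain, parent domains, localpart@."""
    local, _, domain = mail_from.lower().rpartition("@")
    return [f"{local}@{domain}"] + parent_domains(domain) + [f"{local}@"]


def lookup(table, keys):
    """Return the action of the first key present in the table, else None."""
    for key in keys:
        if key in table:
            return table[key]
    return None


def evaluate(session):
    """Run all four checks against one session and return each verdict."""
    return {
        "header_as_posted": header_check(RULE_AS_POSTED, session["headers"]),
        "header_with_dot": header_check(RULE_WITH_DOT, session["headers"]),
        "client_access": lookup(ACCESS_MAP, client_keys(*session["client"])),
        "sender_access": lookup(ACCESS_MAP, sender_keys(session["mail_from"])),
    }


if __name__ == "__main__":
    for name, session in SESSIONS.items():
        print(name, evaluate(session))
```

In this model the posted rule never fires because no header contains ",com", and the access entry is only reached when the table is consulted with the envelope sender rather than the connecting client's name or address.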
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jul 17 14:08:05 2007 Subject: Still can't send or recevie email In-Reply-To: <469CBD4F.9050001@cnpapers.com> References: <668920.2725.qm@web54408.mail.yahoo.com> <469CBD4F.9050001@cnpapers.com> Message-ID: <223f97700707170608g5798c279s42c2f19eea09b83c@mail.gmail.com>
On 17/07/07, Steve Campbell wrote:
> Looks like your "Lock Type" might be wrong or unset in your
> Mailscanner.conf file. Check it and set it to "Posix" and see where that
> gets you.
>
> steve
>
IIRC Wilson is using Postfix, in which case that wouldn't matter.

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From nick at inticon.net Tue Jul 17 14:31:16 2007 From: nick at inticon.net (Nick Brown) Date: Tue Jul 17 14:31:54 2007 Subject: stats script In-Reply-To: <625385e30707170552w537cab1bse8c6d45303d63fca@mail.gmail.com> Message-ID: Despite the fact the site feels like its hosted on 56k that's fairly interesting looking. Can it provide a single set of graphs and data for multiple servers? That's what I'm most interested in currently. Having a separate instance of MRTG graphs and statistics for each server isn't ideal. On 17/7/07 10:52 PM, "shuttlebox" wrote: > On 7/17/07, Steve Simeonidis wrote: >> can someone please point me to a simple script that generate some >> stats on spam/viruses/etc parsing the maillog files? >> >> Is there anything MailScanner specific available? > > Vispan - http://www.while.org.uk/content/view/9/5/ Sent using the Microsoft Entourage 2004 for Mac Test Drive. From campbell at cnpapers.com Tue Jul 17 14:38:30 2007 
From: campbell at cnpapers.com (Steve Campbell) Date: Tue Jul 17 14:38:43 2007 Subject: Still can't send or recevie email In-Reply-To: <223f97700707170608g5798c279s42c2f19eea09b83c@mail.gmail.com> References: <668920.2725.qm@web54408.mail.yahoo.com> <469CBD4F.9050001@cnpapers.com> <223f97700707170608g5798c279s42c2f19eea09b83c@mail.gmail.com> Message-ID: <469CC656.3090006@cnpapers.com> Glenn Steen wrote: > On 17/07/07, Steve Campbell wrote: >> >> >> Wilson Kwok wrote: >> > hello, >> > I was posted here, I followed someone told me disabled the Cache >> > SpamAssassin Results = no, and I also uninstalled the MailScanner... >> > but the answer is same.... when I type mailq, I can see the test email >> > from my yahoo account.... >> > here is the maillog: >> > Jul 17 20:11:17 abc postfix/smtpd[9265]: connect from >> > web54401.mail.yahoo.com[206.190.49.131] >> > Jul 17 20:11:18 abc MailScanner[9266]: Enabling SpamAssassin >> > auto-whitelist functionality... >> > Jul 17 20:11:18 abc postfix/smtpd[9265]: C52F5700AA: >> > client=web54401.mail.yahoo.com[206.190.49.131] >> > Jul 17 20:11:19 abc MailScanner[9266]: Using locktype = flock >> > Jul 17 20:11:19 abc MailScanner[9266]: New Batch: Scanning 2 messages, >> > 6646 bytes >> > Jul 17 20:11:19 abc postfix/cleanup[9267]: C52F5700AA: hold: header >> > Received: from web54401.mail.yahoo.com (web54401.mail.yahoo.com >> > [206.190.49.131])??by abc (Postfix) with SMTP id C52F5700AA??for >> > >; Tue, 17 Jul 2007 >> > 20:11:18 +0800 (HKT) from web54401.mail.yahoo.com[206.190.49.131]; >> > from=> >> > to=> proto=SMTP >> > helo= >> > Jul 17 20:11:19 abc postfix/cleanup[9267]: C52F5700AA: hold: header >> > Received: (qmail 73875 invoked by uid 60001); 17 Jul 2007 12:04:12 >> > -0000 from web54401.mail.yahoo.com[206.190.49.131]; >> > from=> >> > to=> proto=SMTP >> > helo= >> > Jul 17 20:11:19 abc postfix/cleanup[9267]: C52F5700AA: hold: header >> > Received: from [58.177.105.214] by web54401.mail.yahoo.com via HTTP; >> > Tue, 17 Jul 
2007 20:04:12 CST from >> > web54401.mail.yahoo.com[206.190.49.131]; from=> > > to=> > > proto=SMTP >> helo= >> > Jul 17 20:11:19 abc postfix/cleanup[9267]: C52F5700AA: >> > message-id=<77161.69046.qm@web54401.mail.yahoo.com >> > > >> > Jul 17 20:11:19 abc postfix/smtpd[9265]: disconnect from >> > web54401.mail.yahoo.com[206.190.49.131] >> > Jul 17 20:11:22 abc MailScanner[9272]: MailScanner E-Mail Virus >> > Scanner version 4.61.7 starting... >> > Jul 17 20:11:22 abc MailScanner[9272]: SpamAssassin temporary working >> > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp >> > Jul 17 20:11:23 abc MailScanner[9272]: Enabling SpamAssassin >> > auto-whitelist functionality... >> > Jul 17 20:11:24 abc MailScanner[9272]: Using locktype = flock >> > Jul 17 20:11:24 abc MailScanner[9272]: New Batch: Scanning 3 messages, >> > 8755 bytes >> > Jul 17 20:11:27 abc MailScanner[9278]: MailScanner E-Mail Virus >> > Scanner version 4.61.7 starting... >> > Jul 17 20:11:27 abc MailScanner[9278]: SpamAssassin temporary working >> > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp >> > Jul 17 20:11:28 abc MailScanner[9278]: Enabling SpamAssassin >> > auto-whitelist functionality... >> > Jul 17 20:11:29 abc MailScanner[9278]: Using locktype = flock >> > Jul 17 20:11:29 abc MailScanner[9278]: New Batch: Scanning 3 messages, >> > 8755 bytes >> > Jul 17 20:11:32 abc MailScanner[9283]: MailScanner E-Mail Virus >> > Scanner version 4.61.7 starting... >> > Jul 17 20:11:32 abc MailScanner[9283]: SpamAssassin temporary working >> > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp >> > Jul 17 20:11:33 abc MailScanner[9283]: Enabling SpamAssassin >> > auto-whitelist functionality... >> > Jul 17 20:11:34 abc MailScanner[9283]: Using locktype = flock >> > Jul 17 20:11:34 abc MailScanner[9283]: New Batch: Scanning 3 messages, >> > 8755 bytes >> > Jul 17 20:11:37 abc MailScanner[9287]: MailScanner E-Mail Virus >> > Scanner version 4.61.7 starting... 
>> > Jul 17 20:11:37 abc MailScanner[9287]: SpamAssassin temporary working >> > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp >> > Jul 17 20:11:38 abc MailScanner[9287]: Enabling SpamAssassin >> > auto-whitelist functionality... >> > Jul 17 20:11:39 abc MailScanner[9287]: Using locktype = flock >> > Jul 17 20:11:39 abc MailScanner[9287]: New Batch: Scanning 3 messages, >> > 8755 bytes >> > Jul 17 20:11:42 abc MailScanner[9291]: MailScanner E-Mail Virus >> > Scanner version 4.61.7 starting... >> > Jul 17 20:11:42 abc MailScanner[9291]: SpamAssassin temporary working >> > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp >> > Jul 17 20:11:43 abc MailScanner[9291]: Enabling SpamAssassin >> > auto-whitelist functionality... >> > Jul 17 20:11:44 abc MailScanner[9291]: Using locktype = flock >> > Jul 17 20:11:44 abc MailScanner[9291]: New Batch: Scanning 3 messages, >> > 8755 bytes >> > Jul 17 20:11:47 abc MailScanner[9295]: MailScanner E-Mail Virus >> > Scanner version 4.61.7 starting... >> > Jul 17 20:11:48 abc MailScanner[9295]: SpamAssassin temporary working >> > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp >> > Jul 17 20:11:48 abc MailScanner[9295]: Enabling SpamAssassin >> > auto-whitelist functionality... >> > Jul 17 20:11:49 abc MailScanner[9295]: Using locktype = flock >> > Jul 17 20:11:49 abc MailScanner[9295]: New Batch: Scanning 3 messages, >> > 8755 bytes >> > Jul 17 20:11:52 abc MailScanner[9299]: MailScanner E-Mail Virus >> > Scanner version 4.61.7 starting... >> > Jul 17 20:11:53 abc MailScanner[9299]: SpamAssassin temporary working >> > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp >> > Jul 17 20:11:53 abc MailScanner[9299]: Enabling SpamAssassin >> > auto-whitelist functionality... 
>> > Jul 17 20:11:54 abc MailScanner[9299]: Using locktype = flock >> > Jul 17 20:11:54 abc MailScanner[9299]: New Batch: Scanning 3 messages, >> > 8755 bytes >> > Jul 17 20:11:57 abc MailScanner[9303]: MailScanner E-Mail Virus >> > Scanner version 4.61.7 starting... >> > Jul 17 20:11:58 abc MailScanner[9303]: SpamAssassin temporary working >> > directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp >> > here is the mailq: >> > [root@abc MailScanner]# mailq >> > -Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient------- >> > 66482700A8! 1760 Tue Jul 17 20:04:10 leiw324@yahoo.com.hk >> > >> > mail.wilson-kwok.com@ecfind.net >> >> > C52F5700AA! 1731 Tue Jul 17 20:11:18 leiw324@yahoo.com.hk >> > >> > mail.wilson-kwok.com@ecfind.net >> >> > >> > >> ------------------------------------------------------------------------ >> > ??????????????????????????! *????Yahoo! >> > Mail* >> >> Looks like your "Lock Type" might be wrong or unset in your >> Mailscanner.conf file. Check it and set it to "Posix" and see where that >> gets you. >> >> steve >> > IIRC Wilson is using Postfix, in which case that wouldn't matter. Oh, yeah, you're right. Then I vote for the bad file in the input queue. That's been a common one in the past. steve From shuttlebox at gmail.com Tue Jul 17 14:41:32 2007 
From: shuttlebox at gmail.com (shuttlebox) Date: Tue Jul 17 14:41:35 2007 Subject: stats script In-Reply-To: References: <625385e30707170552w537cab1bse8c6d45303d63fca@mail.gmail.com> Message-ID: <625385e30707170641v39f9c805u5de75e86546f0798@mail.gmail.com> On 7/17/07, Nick Brown wrote: > Despite the fact the site feels like its hosted on 56k that's fairly > interesting looking. Can it provide a single set of graphs and data for > multiple servers? > > That's what I'm most interested in currently. Having a separate instance of > MRTG graphs and statistics for each server isn't ideal. Yes, it was very slow today, don't know why. No, it's meant to be run on each server. I export the output directory from several servers to one web server but it's still one page to look at per server. -- /peter From list-mailscanner at linguaphone.com Tue Jul 17 14:21:41 2007 From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Jul 17 14:51:39 2007 Subject: Postfix header check to reject certain senders In-Reply-To: <223f97700707170605u6bffb36fn38d3517639326b51@mail.gmail.com> References: <1184671800.15921.16.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700707170455n7675180bva3304f040296b035@mail.gmail.com> <1184676700.15921.64.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700707170605u6bffb36fn38d3517639326b51@mail.gmail.com> Message-ID: <1184678501.15923.70.camel@gblades-suse.linguaphone-intranet.co.uk> On Tue, 2007-07-17 at 14:05, Glenn Steen wrote: > On 17/07/07, Gareth wrote: > > On Tue, 2007-07-17 at 12:55, Glenn Steen wrote: > > > On 17/07/07, Gareth wrote: > > > > A bit off topic but you are normally a friendly bunch :) > > > > > > > > I am trying to get postfix () to reject mail from certain senders rather > > > > than accept and then delete it in mailscanner. > > > > > > > > One such mail has the following in the headers:- 
> > > > From: root@adsl.linguaphone.com > > > > To: root@adsl.linguaphone.com > > > > Subject: adsl.linguaphone.com security run output > > > > > > > > I have my postfix header checks set to use regexp matching and the file > > > > contains :- > > > > > > > > /^From:.*\@adsl\.linguaphone\,com/ REJECT Sender > > > > address blacklisted. > > > > /^Received:/ HOLD > > > > > > > > The problem is that the mail I am trying to block is not being rejected. > > > > All mail is being put in the hold queue and Mailscanner working > > > > correctly so header checks are working. > > > > Have I done something wrong with the syntax? > > > > > > > Look at rejecting the _envelope_ sender instead. That 
From: is > > > probably spoofed to high heaven:-). > > > > > > Also, this should be done in the access map instead. > > > ... Then again, I'm on vacation, so the brain might be sligtly turned > > > off (more than usual, that is:-). > > > > ok I added :- > > smtpd_client_restrictions = check_client_access hash:/etc/postfix/access > > > > then added the following line to the access file :- > > adsl.linguaphone.com REJECT Sender address > > blacklisted. > > > > I then used postmap and restarted postfix but the mail is still being > > accepted. I configured a copy of outlook with that email address for > > testing purposes. > > > > Any ideas? > > > Ok, might be your (postfix, implicit) trust rules taking effect before > the access rule (permit_mynetworks ...). See to it that the client > machine isn't part of that trust. > I thought it would be easier to ssh into my home machine and then test it using telnet from there :- 220 mailscanner.linguaphone-intranet.co.uk ESMTP Postfix HELO gbhome 250 mailscanner.linguaphone-intranet.co.uk MAIL FROM: test@adsl.linguaphone.com 250 2.1.0 Ok RCPT TO: test@cdlive.co.uk 250 2.1.5 Ok DATA 354 End data with . test . 250 2.0.0 Ok: queued as 0E128AA0123 still not working for some reason. Thanks for your help so far. From MailScanner at ecs.soton.ac.uk Tue Jul 17 15:29:52 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 17 15:26:20 2007
Subject: [Clamav-announce] announcing ClamAV 0.91.1
In-Reply-To: <469BFB0E.5060109@maddoc.net>
References: <469BFB0E.5060109@maddoc.net>
Message-ID: <469CD260.6030508@ecs.soton.ac.uk>

I have just released an upgraded ClamAV+SA package containing this update.

Doc Schneider wrote:
> Geez... a new one is out!
>
> This release fixes stability and other issues of 0.91. See the ChangeLog
> for the full list.

Jules

From MailScanner at ecs.soton.ac.uk Tue Jul 17 15:31:38 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 17 15:28:06 2007
Subject: How to Allow mails marked "could be a suspicious file "
In-Reply-To: <1184649744.25752.2.camel@localhost.localdomain>
References: <1184592200.19284.16.camel@localhost.localdomain> <469B9F78.1090309@ecs.soton.ac.uk> <1184649744.25752.2.camel@localhost.localdomain>
Message-ID: <469CD2CA.1020801@ecs.soton.ac.uk>

In which case read the f-prot command-line documentation (try "f-prot --help") and see what the option is that turns on/off "suspicious file" detection.

ram wrote:
> On Mon, 2007-07-16 at 17:40 +0100, Julian Field wrote:
>
>> This looks to me like a report from a virus scanner. See if there is a
>> command-line option for your scanner that stops it looking for things
>> like this. If you tell me what scanner you're using, then I can tell you
>> where the mod needs to be made.
>
> I am using clamavmodule and f-prot
>
> Thanks
> Ram

Jules

From glenn.steen at gmail.com Tue Jul 17 16:19:44 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jul 17 16:19:46 2007 Subject: Postfix header check to reject certain senders In-Reply-To: <1184678501.15923.70.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1184671800.15921.16.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700707170455n7675180bva3304f040296b035@mail.gmail.com> <1184676700.15921.64.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700707170605u6bffb36fn38d3517639326b51@mail.gmail.com> <1184678501.15923.70.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <223f97700707170819m2018f26bl626a4050996cb6a1@mail.gmail.com> On 17/07/07, Gareth wrote: > On Tue, 2007-07-17 at 14:05, Glenn Steen wrote: > > On 17/07/07, Gareth wrote: > > > On Tue, 2007-07-17 at 12:55, Glenn Steen wrote: > > > > On 17/07/07, Gareth wrote: > > > > > A bit off topic but you are normally a friendly bunch :) > > > > > > > > > > I am trying to get postfix () to reject mail from certain senders rather > > > > > than accept and then delete it in mailscanner. > > > > > > > > > > One such mail has the following in the headers:- > > > > > From: root@adsl.linguaphone.com > > > > > To: root@adsl.linguaphone.com > > > > > Subject: adsl.linguaphone.com security run output > > > > > > > > > > I have my postfix header checks set to use regexp matching and the file > > > > > contains :- > > > > > > > > > > /^From:.*\@adsl\.linguaphone\,com/ REJECT Sender > > > > > address blacklisted. > > > > > /^Received:/ HOLD > > > > > > > > > > The problem is that the mail I am trying to block is not being rejected. > > > > > All mail is being put in the hold queue and Mailscanner working > > > > > correctly so header checks are working. > > > > > Have I done something wrong with the syntax? > > > > > > > > > Look at rejecting the _envelope_ sender instead. That 
From: is > > > > probably spoofed to high heaven:-). > > > > > > > > Also, this should be done in the access map instead. > > > > ... Then again, I'm on vacation, so the brain might be sligtly turned > > > > off (more than usual, that is:-). > > > > > > ok I added :- > > > smtpd_client_restrictions = check_client_access hash:/etc/postfix/access > > > > > > then added the following line to the access file :- > > > adsl.linguaphone.com REJECT Sender address > > > blacklisted. > > > > > > I then used postmap and restarted postfix but the mail is still being > > > accepted. I configured a copy of outlook with that email address for > > > testing purposes. > > > > > > Any ideas? > > > > > Ok, might be your (postfix, implicit) trust rules taking effect before > > the access rule (permit_mynetworks ...). See to it that the client > > machine isn't part of that trust. > > > > I thought it would be easier to ssh into my home machine and then test > it using telnet from there :- > > 220 mailscanner.linguaphone-intranet.co.uk ESMTP Postfix > HELO gbhome > 250 mailscanner.linguaphone-intranet.co.uk > MAIL FROM: test@adsl.linguaphone.com > 250 2.1.0 Ok > RCPT TO: test@cdlive.co.uk > 250 2.1.5 Ok > DATA > 354 End data with . > test > . > 250 2.0.0 Ok: queued as 0E128AA0123 > > still not working for some reason. Thanks for your help so far. > Hm, that should've worked.... Wait and I'll check how I've set this up at work (I have an access file named deny_domain_spoof (could've named it ... whatever:-), which basically deny anyone from the outside from pretending to be me/my servers... Those I let through via the permit_mynetworks setting preceding the access map instruction. I have this set on helo_restrictions (check_helo_access hash:/...) and on sender_access (check_sender_restrictions hash:...) respectively... but client should be OK too (unless I'm totally on vacation:-). Just a moment while I invoke the SSL--X magic word... 
Nah, as said, these are the relevant lines for that (I have a load of others (as usual) on recipients too:-):

smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/deny_domain_spoof
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/deny_domain_spoof

... and that file basically looks like:

dt2116.ap1.se OK
ap1.se REJECT
172.18.3.60 REJECT
194.14.216.2 REJECT
127.0.0.1 REJECT

... where the first is a testbox (needs to get through this, without being part of mynetworks) and the rest are things that I've seen spammers try to use. Rejects quite a lot of crap:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Denis.Beauchemin at USherbrooke.ca Tue Jul 17 16:26:39 2007
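Added example (not code from anyone in this thread): a simplified Python model of which session attribute each Postfix restriction looks up, showing why a `check_client_access` entry for the sender's domain never fires while `check_sender_access` does, and why the `\,` in the posted header_checks pattern cannot match. The client name, client addresses and `mynetworks` values are constructed, and the key order is a simplification of access(5).

```python
import ipaddress
import re


def domain_keys(name):
    """Keys tried for a host or domain name: the name, then each parent domain."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def address_keys(addr):
    """Keys tried for an envelope address: user@domain, the domains, then user@."""
    user, _, domain = addr.lower().rpartition("@")
    return [addr.lower()] + domain_keys(domain) + [user + "@"]


def ip_keys(ip):
    """Keys tried for an IPv4 client: the address, then shorter prefixes."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


# Which attribute of the SMTP session each restriction looks up in the table.
LOOKUPS = {
    "check_client_access": lambda s: domain_keys(s["client_name"]) + ip_keys(s["client_addr"]),
    "check_helo_access": lambda s: domain_keys(s["helo"]),
    "check_sender_access": lambda s: address_keys(s["sender"]),
}


def evaluate(restrictions, table, session, mynetworks=()):
    """Walk one restriction list in order; the first OK or REJECT decides."""
    client = ipaddress.ip_address(session["client_addr"])
    for name in restrictions:
        if name == "permit_mynetworks":
            if any(client in ipaddress.ip_network(net) for net in mynetworks):
                return "OK"  # trusted client: later access maps are never consulted
            continue
        for key in LOOKUPS[name](session):
            if key in table:
                return table[key]
    return "DUNNO"  # no decision from this list, so the mail is not rejected here


def header_check(pattern, header_line):
    """Postfix regexp tables match case-insensitively by default."""
    return re.search(pattern, header_line, re.IGNORECASE) is not None


# The access-file entry from the thread.
ACCESS = {"adsl.linguaphone.com": "REJECT"}

# Constructed sessions: the telnet test from an outside host, and a LAN client.
TELNET_TEST = {"client_name": "home.example.net", "client_addr": "203.0.113.25",
               "helo": "gbhome", "sender": "test@adsl.linguaphone.com"}
LAN_TEST = dict(TELNET_TEST, client_name="pc.example.lan", client_addr="192.168.1.10")
MYNETWORKS = ["127.0.0.0/8", "192.168.1.0/24"]  # constructed

# header_checks pattern as posted ("\," is a literal comma) and with "\." instead.
POSTED = r"^From:.*\@adsl\.linguaphone\,com"
DOTTED = r"^From:.*\@adsl\.linguaphone\.com"
SAMPLE_HEADER = "From: root@adsl.linguaphone.com"

if __name__ == "__main__":
    sender_list = ["permit_mynetworks", "check_sender_access"]
    print("client map, telnet test:", evaluate(["check_client_access"], ACCESS, TELNET_TEST))
    print("sender map, telnet test:", evaluate(sender_list, ACCESS, TELNET_TEST, MYNETWORKS))
    print("sender map, LAN client :", evaluate(sender_list, ACCESS, LAN_TEST, MYNETWORKS))
    print("posted header pattern  :", header_check(POSTED, SAMPLE_HEADER))
    print("pattern with \\. before com:", header_check(DOTTED, SAMPLE_HEADER))
```

In real Postfix the client, HELO and sender lists are evaluated separately, and an OK from `permit_mynetworks` only ends the list it appears in.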
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Tue Jul 17 16:27:02 2007
Subject: R: Fake User-Agent on PDF
In-Reply-To: <469CA99E.9020300@logout.cz>
References: , <4686B8D1.7090005@ecs.soton.ac.uk>, <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> <4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk> <469CA99E.9020300@logout.cz>
Message-ID: <469CDFAF.7010608@USherbrooke.ca>

Dalimil Gala wrote:
>
> Hi,
>
> the PDFInfo plugin is available to public since yesterday
> http://www.rulesemporium.com/plugins.htm#pdfinfo
>
> I have installed it on two of my mail hubs, both are working well so far
>
> Jul 17 13:21:34 antigona MailScanner[20197]: Message l6HBLJbk021114
> from 70.166.145.4 (noi@ucla.edu) to xxxxx.ch is spam, SpamAssassin
> (score=20.74, required 5, autolearn=disabled, BAYES_95 4.60,
> GMD_PDF_ENCRYPTED 0.60, GMD_PDF_FUZZY2_T6 1.99, GMD_PDF_HORIZ 0.90,
> GMD_PDF_STOX_M1 3.25, GMD_PDF_STOX_M3 2.25, GMD_PDF_STOX_M4 2.95,
> HELO_DYNAMIC_IPADDR 4.20, INVALID_MSGID 0.00)
>
>
> Dalimil Gala
>

I just downloaded and installed it and "spamassassin --lint" returns an error because pdfinfo.cf is in error (the last test name is spelled incorrectly):

meta __GMD_PDF_CHECKSUM ( GMD_PDF_FUZZY1_T1 || GMD_PDF_FUZZY2_T1 || GMD_PDF_FUZZY2_T2 || GMD_PDF_FUZZY2_T3 || GMD_PDF_FUZZY2_T4 || GMD_PDF_FUZZY2_T5 || GMD_PDF_FUZZY2_T6 || GMD_PDF_FUZZY_7 )

should read:

meta __GMD_PDF_CHECKSUM ( GMD_PDF_FUZZY1_T1 || GMD_PDF_FUZZY2_T1 || GMD_PDF_FUZZY2_T2 || GMD_PDF_FUZZY2_T3 || GMD_PDF_FUZZY2_T4 || GMD_PDF_FUZZY2_T5 || GMD_PDF_FUZZY2_T6 || GMD_PDF_FUZZY2_T7 )

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From john at tradoc.fr Tue Jul 17 16:28:18 2007
From: john at tradoc.fr (John Wilcock) Date: Tue Jul 17 16:28:25 2007 Subject: Phishing net getting confused Message-ID: <469CE012.9040401@tradoc.fr> I think I've uncovered a buglet in the phishing net code (MailScanner version 4.61.7). Given the following snippet (this was an outgoing message, quoting an original that included the hotbar link; the moz-do-not-send bits weren't in that original and seem to be generated by Thunderbird): > href="http://promos.hotbar.com/promos/promodll.dll?RunPromo&El=&SG=& > ;RAND=16236&partner=hbtools"> moz-do-not-send="true" title="" alt="Upgrade Your Email - Click here!" > src="http://promos.hotbar.com/promos/promodll.dll?GetPromo&El=&SG=& > RAND=16236&partner=hbtools&/p.gif" > border="0"> Mailscanner's phishing net detected this as follows: > MailScanner[12590]: Found phishing fraud from promos.hotbar.com > claiming to be > www. in 6F13B8053.635D4 Clearly the moz-do-not-send is causing a problem, since the original message without those tags correctly passed through the net undetected. John. -- -- Over 3000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From Kevin_Miller at ci.juneau.ak.us Tue Jul 17 16:28:59 2007 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Jul 17 16:29:08 2007 Subject: R: Fake User-Agent on PDF In-Reply-To: <469CA99E.9020300@logout.cz> References: , <4686B8D1.7090005@ecs.soton.ac.uk>, <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it><4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk> <469CA99E.9020300@logout.cz> Message-ID: Dalimil Gala wrote: > Hi, > > the PDFInfo plugin is available to public since yesterday > http://www.rulesemporium.com/plugins.htm#pdfinfo > > I have installed it on two of my mail hubs, both are working well so > far Is anyone else having trouble getting to rulesemporium? It was working fine when I went on vacation for a month at the end of May. Sometime in June they were the recipient of a DDOS attack apparently. Ever since then my RulesDuJour has been failing and I can only infrequently bring up the home page in Firefox. I can't get beyond the homepage when it does come up. On one of my boxes I've switched over to sa-update but haven't had a chance to on the other yet. Is pdfinfo mirrored anywhere? I've had a complaint about the pdf spam (although it seems to have died off some in the last few days). Also, how much of a load impact does it carry? Thanks... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From donald.dawson at bakerbotts.com Tue Jul 17 16:31:59 2007 
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com) Date: Tue Jul 17 16:32:30 2007 Subject: How to get Spam report in header? Message-ID: We use MailScanner and Spamassassin. Our email has a header line as follows: X-BakerBotts-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (not cached, score=-4.4, required 5, autolearn=not spam, BAYES_00 -0.40, RCVD_IN_DNSWL_MED -4.00) Is it possible to include the 'Spam-Report' as in the example below? X-Spam-Status: Yes, score=9.7 required=6.0 tests=DCC_CHECK, DIGEST_MULTIPLE, RAZOR2_CF_RANGE_51_100, RAZOR2_CF_RANGE_E4_51_100, RAZOR2_CHECK, RCVD_IN_NJABL_DUL, RCVD_IN_WHOIS_INVALID, UNPARSEABLE_RELAY autolearn=no version=3.1.8, No X-Spam-Report: * 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines * 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) * 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level * above 50% * [cf: 54] * 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% * [cf: 54] * 1.4 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/) * 2.2 RCVD_IN_WHOIS_INVALID RBL: CompleteWhois: sender on invalid IP block * [218.81.195.107 listed in combined-HIB.dnsiplists.completewhois.com] * 1.7 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP * [218.81.195.107 listed in combined.njabl.org] * 2.0 DIGEST_MULTIPLE Message hits more than one network digest check Thanks, Donald Donald Dawson Security Administrator Baker Botts L.L.P. 713-229-2183 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070717/9799683e/attachment.html From jan-peter at koopmann.eu Tue Jul 17 16:35:01 2007 From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Tue Jul 17 16:34:55 2007 Subject: How to get Spam report in header? In-Reply-To: References: Message-ID: AFAIK: No there is no way. 
From: donald.dawson@bakerbotts.com [mailto:donald.dawson@bakerbotts.com] Sent: Tuesday, July 17, 2007 5:32 PM To: users@spamassassin.apache.org; mailscanner@lists.mailscanner.info Subject: How to get Spam report in header? We use MailScanner and Spamassassin. Our email has a header line as follows: X-BakerBotts-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (not cached, score=-4.4, required 5, autolearn=not spam, BAYES_00 -0.40, RCVD_IN_DNSWL_MED -4.00) Is it possible to include the 'Spam-Report' as in the example below? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070717/43a7afd4/attachment.html From ms-list at alexb.ch Tue Jul 17 17:08:19 2007 From: ms-list at alexb.ch (Alex Broens) Date: Tue Jul 17 17:08:28 2007 Subject: R: Fake User-Agent on PDF In-Reply-To: <469CDFAF.7010608@USherbrooke.ca> References: , <4686B8D1.7090005@ecs.soton.ac.uk>, <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> <4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk> <469CA99E.9020300@logout.cz> <469CDFAF.7010608@USherbrooke.ca> Message-ID: <469CE973.2020804@alexb.ch> On 7/17/2007 5:26 PM, Denis Beauchemin wrote: > I just downloaded and installed it and "spamassassin --lint" returns an > error because pdfinfo.cf is in error (the last test name is spelled > incorrectly): > meta __GMD_PDF_CHECKSUM ( GMD_PDF_FUZZY1_T1 || GMD_PDF_FUZZY2_T1 > || GMD_PDF_FUZZY2_T2 || GMD_PDF_FUZZY2_T3 || GMD_PDF_FUZZY2_T4 || > GMD_PDF_FUZZY2_T5 || GMD_PDF_FUZZY2_T6 || GMD_PDF_FUZZY_7 ) > should read: > meta __GMD_PDF_CHECKSUM ( GMD_PDF_FUZZY1_T1 || GMD_PDF_FUZZY2_T1 > || GMD_PDF_FUZZY2_T2 || GMD_PDF_FUZZY2_T3 || GMD_PDF_FUZZY2_T4 || > GMD_PDF_FUZZY2_T5 || GMD_PDF_FUZZY2_T6 || GMD_PDF_FUZZY2_T7 ) > > Denis > fixed thx From MailScanner at ecs.soton.ac.uk Tue Jul 17 17:43:30 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jul 17 17:44:03 2007 Subject: R: Fake User-Agent on PDF In-Reply-To: References: , <4686B8D1.7090005@ecs.soton.ac.uk>, <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it><4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk> <469CA99E.9020300@logout.cz> Message-ID: <469CF1B2.4050801@ecs.soton.ac.uk> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070717/3206347e/PGP.bin From raymond at prolocation.net Tue Jul 17 17:58:28 2007 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Tue Jul 17 17:58:26 2007 Subject: R: Fake User-Agent on PDF In-Reply-To: <469CF1B2.4050801@ecs.soton.ac.uk> References: , <4686B8D1.7090005@ecs.soton.ac.uk>, <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it><4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk> <469CA99E.9020300@logout.cz> <469CF1B2.4050801@ecs.soton.ac.uk> Message-ID: Jules, >>> the PDFInfo plugin is available to public since yesterday >>> http://www.rulesemporium.com/plugins.htm#pdfinfo >>> >>> I have installed it on two of my mail hubs, both are working well so >>> far >> Is anyone else having trouble getting to rulesemporium? It was working >> fine when I went on vacation for a month at the end of May. Sometime in >> June they were the recipient of a DDOS attack apparently. Ever since >> then my RulesDuJour has been failing and I can only infrequently bring >> up the home page in Firefox. I can't get beyond the homepage when it >> does come up. PDFinfo is only available on request. I doubt Dallas will appreciate is being posted on a public list. Bye, Raymond. From sandrews at andrewscompanies.com Tue Jul 17 18:02:51 2007 
From: sandrews at andrewscompanies.com (Steven Andrews) Date: Tue Jul 17 18:03:05 2007 Subject: R: Fake User-Agent on PDF In-Reply-To: References: , <4686B8D1.7090005@ecs.soton.ac.uk>, <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it><4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk><469CA99E.9020300@logout.cz><469CF1B2.4050801@ecs.soton.ac.uk> Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0F02@winchester.andrewscompanies.com> No, It's public now. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Dijkxhoorn Sent: Tuesday, July 17, 2007 12:58 PM To: MailScanner discussion Subject: Re: R: Fake User-Agent on PDF Jules, >>> the PDFInfo plugin is available to public since yesterday >>> http://www.rulesemporium.com/plugins.htm#pdfinfo >>> >>> I have installed it on two of my mail hubs, both are working well so >>> far >> Is anyone else having trouble getting to rulesemporium? It was >> working fine when I went on vacation for a month at the end of May. >> Sometime in June they were the recipient of a DDOS attack apparently. >> Ever since then my RulesDuJour has been failing and I can only >> infrequently bring up the home page in Firefox. I can't get beyond >> the homepage when it does come up. PDFinfo is only available on request. I doubt Dallas will appreciate is being posted on a public list. Bye, Raymond. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From raymond at prolocation.net Tue Jul 17 18:06:43 2007 
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Tue Jul 17 18:06:42 2007 Subject: R: Fake User-Agent on PDF In-Reply-To: References: , <4686B8D1.7090005@ecs.soton.ac.uk>, <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it><4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk> <469CA99E.9020300@logout.cz> <469CF1B2.4050801@ecs.soton.ac.uk> Message-ID: Hi! >>> Is anyone else having trouble getting to rulesemporium? It was working >>> fine when I went on vacation for a month at the end of May. Sometime in >>> June they were the recipient of a DDOS attack apparently. Ever since >>> then my RulesDuJour has been failing and I can only infrequently bring >>> up the home page in Firefox. I can't get beyond the homepage when it >>> does come up. > PDFinfo is only available on request. I doubt Dallas will appreciate is being > posted on a public list. Never mind, i see its listed on the public page again ;) Bye, Raymond. From ajcartmell at fonant.com Tue Jul 17 18:06:32 2007 From: ajcartmell at fonant.com (Anthony Cartmell) Date: Tue Jul 17 18:06:45 2007 Subject: R: Fake User-Agent on PDF In-Reply-To: <469CF1B2.4050801@ecs.soton.ac.uk> References: <4686B8D1.7090005@ecs.soton.ac.uk> <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it> <4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk> <469CA99E.9020300@logout.cz> <469CF1B2.4050801@ecs.soton.ac.uk> Message-ID: > PDFInfo (with the fix) attached. Nearly! still a typo: GMD_PDF_FUZZY_T7 should read GMD_PDF_FUZZY2_T7 Anthony -- www.fonant.com - Quality web sites From azher at niit.edu.pk Tue Jul 17 20:16:50 2007 
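Added example (not part of any message in this thread, and not PDFInfo code): a small Python check for the problem Denis Beauchemin and Anthony Cartmell report above, a `meta` rule that names a rule which is never defined, with a nearest-name suggestion. The `body` definitions are constructed stand-ins because the real pdfinfo.cf definitions are not shown in the thread; only the `meta` line and the misspelled names come from the messages.

```python
import difflib
import re

# Rule keywords recognised by this simplified parser (the core types plus
# mimeheader); a real .cf file can contain other plugin-specific keywords.
RULE_TYPES = {"header", "body", "rawbody", "full", "uri", "meta", "mimeheader"}
NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_rules(cf_text):
    """Return (defined rule names, {meta rule name: expression})."""
    defined, metas = set(), {}
    for raw in cf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0] not in RULE_TYPES:
            continue  # describe, score and other directives define nothing
        kind, name, rest = parts
        defined.add(name)
        if kind == "meta":
            metas[name] = rest
    return defined, metas


def undefined_dependencies(cf_text):
    """List (meta rule, missing name, closest defined name or None)."""
    defined, metas = parse_rules(cf_text)
    problems = []
    for meta, expr in metas.items():
        for dep in NAME.findall(expr):
            if dep not in defined:
                close = difflib.get_close_matches(dep, sorted(defined), n=1)
                problems.append((meta, dep, close[0] if close else None))
    return problems


FUZZY_RULES = ["GMD_PDF_FUZZY1_T1"] + ["GMD_PDF_FUZZY2_T%d" % i for i in range(1, 8)]


def make_cf(last_name):
    """Build a constructed rules file whose meta rule ends with last_name."""
    lines = ["# constructed stand-in definitions, not the real pdfinfo.cf"]
    lines += ["body %s /constructed-placeholder/" % rule for rule in FUZZY_RULES]
    terms = FUZZY_RULES[:-1] + [last_name]
    lines.append("meta __GMD_PDF_CHECKSUM ( " + " || ".join(terms) + " )")
    lines.append("score GMD_PDF_FUZZY2_T6 1.99")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for last in ("GMD_PDF_FUZZY_7", "GMD_PDF_FUZZY_T7", "GMD_PDF_FUZZY2_T7"):
        found = undefined_dependencies(make_cf(last))
        if not found:
            print("%s: all meta dependencies are defined" % last)
        for meta, dep, hint in found:
            print("%s: undefined dependency '%s' (did you mean %s?)" % (meta, dep, hint))
```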
From: azher at niit.edu.pk (Azher Amin)
Date: Tue Jul 17 20:17:28 2007
Subject: FuzzyOCR problems ...
Message-ID: <469D15A2.7060409@niit.edu.pk>

Hi,

I am using Debian Etch, and installed the latest SA package from mailscanner, gocr 0.44, libnetpbm10, libnetpbm10-dev. I was trying to install fuzzyocr-3.5.1-devel.tar.gz and I got the following errors (). Packages Mail::SpamAssassin::PerMsgStatus is also up to date as reported by perl -MCPAN. Plz suggest what can be wrong.

-Azher

[4196] dbg: rules: compiled uri tests
[4196] dbg: https_http_mismatch: anchors 0
[4196] warn: rules: failed to run FUZZY_OCR_CORRUPT_IMG test, skipping:
[4196] warn: (Can't locate object method "dummy_check" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 719) line 377.
[4196] warn: )
[4196] dbg: eval: stock info total: 0
[4196] warn: rules: failed to run CG_FUJI_JPG test, skipping:
[4196] warn: (Can't locate object method "image_name_regex" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 719) line 804.
[4196] warn: )
[4196] warn: rules: failed to run CG_DOUBLEDOT_GIF test, skipping:
[4196] warn: (Can't locate object method "image_name_regex" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 719) line 919.
[4196] warn: )
[4196] warn: rules: failed to run CG_SONY_JPG test, skipping:
[4196] warn: (Can't locate object method "image_name_regex" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 719) line 1418.
[4196] warn: )
[4196] warn: rules: failed to run CG_CANON_JPG test, skipping:
[4196] warn: (Can't locate object method "image_name_regex" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 719) line 2349.
[4196] dbg: rules: running rawbody tests; score so far=1.899
[4196] dbg: rules: compiled rawbody tests
[4196] dbg: rules: running full tests; score so far=1.899
[4196] dbg: rules: compiled full tests
[4196] dbg: rules: running meta tests; score so far=1.899
[4196] dbg: rules: compiled meta tests
[4196] dbg: check: running tests for priority: 500
[4196] dbg: rules: running head tests; score so far=1.899
[4196] dbg: rules: compiled head tests
[4196] dbg: rules: running body tests; score so far=1.899
[4196] dbg: rules: compiled body tests
[4196] dbg: rules: running uri tests; score so far=1.899
[4196] dbg: rules: compiled uri tests
[4196] dbg: rules: running rawbody tests; score so far=1.899
[4196] dbg: rules: compiled rawbody tests
[4196] dbg: rules: running full tests; score so far=1.899
[4196] dbg: rules: compiled full tests
[4196] dbg: rules: running meta tests; score so far=1.899
[4196] dbg: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
[4196] info: rules: meta test FM_DDDD_TIMES_2 has dependency 'FH_HOST_EQ_D_D_D_D' with a zero score
[4196] info: rules: meta test FM_SEX_HOSTDDDD has dependency 'FH_HOST_EQ_D_D_D_D' with a zero score
[4196] info: rules: meta test HS_PHARMA_1 has dependency 'HS_SUBJ_ONLINE_PHARMACEUTICAL' with a zero score
[4196] dbg: rules: compiled meta tests
[4196] dbg: check: running tests for priority: 900
[4196] dbg: rules: running head tests; score so far=4.205
[4196] dbg: rules: compiled head tests
[4196] dbg: rules: running body tests; score so far=4.205
[4196] dbg: rules: compiled body tests
[4196] dbg: rules: running uri tests; score so far=4.205
[4196] dbg: rules: compiled uri tests
[4196] warn: rules: failed to run FUZZY_OCR test, skipping:
[4196] warn: (Can't locate object method "fuzzyocr_check" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 780) line 17.
[4196] warn: )
[4196] dbg: rules: running rawbody tests; score so far=4.205

From MailScanner at ecs.soton.ac.uk Tue Jul 17 20:47:28 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 17 20:48:07 2007
Subject: R: Fake User-Agent on PDF
In-Reply-To:
References: , <4686B8D1.7090005@ecs.soton.ac.uk>, <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it><4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk> <469CA99E.9020300@logout.cz> <469CF1B2.4050801@ecs.soton.ac.uk>
Message-ID: <469D1CD0.7000204@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I thought it had just been made publicly available.

Raymond Dijkxhoorn wrote:
> Jules,
>
>>>> the PDFInfo plugin is available to public since yesterday
>>>> http://www.rulesemporium.com/plugins.htm#pdfinfo
>>>>
>>>> I have installed it on two of my mail hubs, both are working well so
>>>> far
>
>>> Is anyone else having trouble getting to rulesemporium? It was working
>>> fine when I went on vacation for a month at the end of May.
>>> Sometime in
>>> June they were the recipient of a DDOS attack apparently. Ever since
>>> then my RulesDuJour has been failing and I can only infrequently bring
>>> up the home page in Firefox. I can't get beyond the homepage when it
>>> does come up.
>
> PDFinfo is only available on request. I doubt Dallas will appreciate
> is being posted on a public list.
>
> Bye,
> Raymond.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGnRzREfZZRxQVtlQRAu9+AKCjwrT3QaksHQItj3FdYpddwhrH7gCeM1QJ
TjjadT5g/Vi/f7tEXKc+vYU=
=u1UW
-----END PGP SIGNATURE-----

From raymond at prolocation.net Tue Jul 17 20:54:53 2007
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Tue Jul 17 20:54:51 2007
Subject: R: Fake User-Agent on PDF
In-Reply-To: <469D1CD0.7000204@ecs.soton.ac.uk>
References: , <4686B8D1.7090005@ecs.soton.ac.uk>, <002501c7bc8e$95897520$3f01a8c0@dbdomain.database.it><4688EE6E.18605.719782@cobalt-users1.fishnet.co.uk> <469CA99E.9020300@logout.cz> <469CF1B2.4050801@ecs.soton.ac.uk> <469D1CD0.7000204@ecs.soton.ac.uk>
Message-ID:

Hi!

> I thought it had just been made publicly available.

>> PDFinfo is only available on request. I doubt Dallas will appreciate
>> is being posted on a public list.

Yes I was. Dallas didn't notify me, I guess he was bored of handling the requests. Thanks to Alex for making the sigs available btw! (Thanks Alex).

bye,
Raymond.

From MailScanner at ecs.soton.ac.uk Tue Jul 17 20:57:39 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 17 20:58:12 2007
Subject: FuzzyOCR problems ...
In-Reply-To: <469D15A2.7060409@niit.edu.pk>
References: <469D15A2.7060409@niit.edu.pk>
Message-ID: <469D1F33.8080609@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I suggest you post to the SpamAssassin mailing list, as this is not a MailScanner problem. Though I'm sure someone here will help if they can.

Azher Amin wrote:
> Hi,
>
> I am using Debian Etch, and installed the latest SA package from
> mailscanner, gocr 0.44, libnetpbm10, libnetpbm10-dev. I was trying to
> install fuzzyocr-3.5.1-devel.tar.gz and I got the following errors ().
> Packages Mail::SpamAssassin::PerMsgStatus is also up to date as
> reported by perl -MCPAN. Plz suggest what can be wrong.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGnR80EfZZRxQVtlQRAgHLAJwNim1PhEGfnJjyjqMWCnoprVJIXwCfSXgk
V2L/x8BWdSewaEnYK9kZjgU=
=5lZQ
-----END PGP SIGNATURE-----

From uxbod at splatnix.net Tue Jul 17 21:01:50 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 17 21:01:40 2007
Subject: R: Fake User-Agent on PDF
In-Reply-To: <469D1CD0.7000204@ecs.soton.ac.uk>
Message-ID: <32533813.531184702510470.JavaMail.root@office.splatnix.net>

Just taken from the website :-

PDFInfo
Description: Plugin that provides the ability to write SA rules based on PDF attachment characteristics. This plugin in itself is totally independent of ImageInfo, and you can run it on SpamAssassin v3.0, v3.1, and v3.2. This plugin is now publicly available, enjoy it while it lasts.
Created by: Dallas Engelken
License Type: None
Current Version: 0.4
Last Modified: 2007-07-16

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Tuesday, July 17, 2007 8:47:28 PM (GMT) Europe/London
Subject: Re: R: Fake User-Agent on PDF

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I thought it had just been made publicly available.

Raymond Dijkxhoorn wrote:
> Jules,
>
>>>> the PDFInfo plugin is available to public since yesterday
>>>> http://www.rulesemporium.com/plugins.htm#pdfinfo
>>>>
>>>> I have installed it on two of my mail hubs, both are working well so
>>>> far
>
>>> Is anyone else having trouble getting to rulesemporium? It was working
>>> fine when I went on vacation for a month at the end of May.
>>> Sometime in
>>> June they were the recipient of a DDOS attack apparently. Ever since
>>> then my RulesDuJour has been failing and I can only infrequently bring
>>> up the home page in Firefox. I can't get beyond the homepage when it
>>> does come up.
>
> PDFinfo is only available on request. I doubt Dallas will appreciate
> is being posted on a public list.
>
> Bye,
> Raymond.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGnRzREfZZRxQVtlQRAu9+AKCjwrT3QaksHQItj3FdYpddwhrH7gCeM1QJ
TjjadT5g/Vi/f7tEXKc+vYU=
=u1UW
-----END PGP SIGNATURE-----

From ralloway at winbeam.com Tue Jul 17 21:12:13 2007
From: ralloway at winbeam.com (Richard D Alloway)
Date: Tue Jul 17 21:12:18 2007
Subject: Reason for whitelisting?
Message-ID:

I am receiving some spam that should be getting flagged or deleted, but is being marked as "not spam (whitelisted)" by MailScanner.

When I look at the logs for the offending message, I see things like:

Jul 17 15:49:57 smtp-gateway-4 milter-ahead[2117]: 61096 l6HJnjqf014254: cacheGet(b411110, 'robjulie@xxxxxxxx', {st=0, cn=1})
Jul 17 15:49:57 smtp-gateway-4 milter-ahead[2117]: 61096 l6HJnjqf014254: cacheGet(b411110, 'rockwell@xxxxxxxx', {st=0, cn=1})
Jul 17 15:49:57 smtp-gateway-4 milter-ahead[2117]: 61096 l6HJnjqf014254: cacheGet(b411110, 'rome74@xxxxxxx', {st=0, cn=1})
Jul 17 15:49:58 smtp-gateway-4 sendmail[14254]: l6HJnjqf014254: from=, size=1713, class=0, nrcpts=11, msgid=<924405758.55504416941907@xxxxxxxxxxxxx>, proto=ESMTP, daemon=MTA, relay=xxxxxxxxxxxxxxxxxx [xx.xxx.xx.xx] (may be forged)
Jul 17 15:50:23 smtp-gateway-4 MailScanner[10318]: Message l6HJnjqf014254 from xx.xxx.xx.xx (gadaandstelecommbef@xxxxxxxxxxxxxx) is whitelisted
Jul 17 15:50:29 smtp-gateway-4 MailScanner[10318]: Message l6HJnjqf014254 from xx.xxx.xx.xx (gadaandstelecommbef@xxxxxxxxxxxxxxxxxx) to xxxxxxx is not spam (whitelisted), SpamAssassin (not cached, score=15.974, required 4, autolearn=spam, BAYES_99 8.00, HELO_DYNAMIC_DHCP 1.40, HTML_MESSAGE 0.00, RDNS_DYNAMIC 0.10, URIBL_BLACK 3.00, URIBL_JP_SURBL 1.50, URIBL_OB_SURBL 1.50, URIBL_SC_SURBL 0.47)
Jul 17 15:50:36 smtp-gateway-4 MailScanner[10318]: tag found in message l6HJnjqf014254 from gadaandstelecommbef@xxxxxxxxxxxxxxxx
Jul 17 15:50:37 smtp-gateway-4 sendmail[14848]: l6HJnjqf014254: to=,,, delay=00:00:40, xdelay=00:00:00, mailer=smtp, pri=421713, relay=mail.xxxxxxxxx [xx.xx.xx.xx], dsn=2.0.0, stat=Sent (ok 1184701833 qp 906)

None of the recipients, IP addresses, domain names, etc are in any of our configuration files at all.

How can I track down the exact part of the message that is triggering the whitelisting in MailScanner?

Thanks!

-Richard D Alloway
Chief Technical Officer
Winbeam Inc

From list-mailscanner at linguaphone.com Tue Jul 17 21:15:40 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Tue Jul 17 21:15:49 2007
Subject: FuzzyOCR problems ...
In-Reply-To: <469D15A2.7060409@niit.edu.pk>
Message-ID:

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Azher
> Amin
> Sent: 17 July 2007 20:17
> To: mailscanner@lists.mailscanner.info
> Subject: FuzzyOCR problems ...
>
>
> Hi,
>
> I am using Debian Etch, and installed the latest SA package from
> mailscanner, gocr 0.44, libnetpbm10, libnetpbm10-dev. I was trying to
> install fuzzyocr-3.5.1-devel.tar.gz and I got the following errors ().
> Packages Mail::SpamAssassin::PerMsgStatus is also up to date as reported
> by perl -MCPAN. Plz suggest what can be wrong.
>
> -Azher
>

I would try installing the latest SVN release of fuzzyocr and not 3.5.1. 3.5.1 is not totally compatible with spamassassin 3.2 although I think the incompatibility is with logging and not the errors you are getting.

From mkettler at evi-inc.com Tue Jul 17 21:16:52 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Jul 17 21:18:21 2007
Subject: Reason for whitelisting?
In-Reply-To:
References:
Message-ID: <469D23B4.1070903@evi-inc.com>

Richard D Alloway wrote:
>
> I am receiving some spam that should be getting flagged or deleted, but
> is being marked as "not spam (whitelisted)" by MailScanner.
>
> When I look at the logs for the offending message, I see things like:
> Jul 17 15:50:23 smtp-gateway-4 MailScanner[10318]: Message
> l6HJnjqf014254 from xx.xxx.xx.xx (gadaandstelecommbef@xxxxxxxxxxxxxx) is
> whitelisted
> Jul 17 15:50:29 smtp-gateway-4 MailScanner[10318]: Message
> l6HJnjqf014254 from xx.xxx.xx.xx
> (gadaandstelecommbef@xxxxxxxxxxxxxxxxxx) to xxxxxxx is not spam
> (whitelisted), SpamAssassin (not cached, score=15.974, required 4,
>
> None of the recipients, IP addresses, domain names, etc are in any of
> our configuration files at all.
>
> How can I track down the exact part of the message that is triggering
> the whitelisting in MailScanner?

Take a look at the file pointed to by your "Is Definitely Not Spam" setting in MailScanner.conf.

By default this would be /etc/MailScanner/rules/spam.whitelist.rules

From bbecken at aafp.org Tue Jul 17 21:24:27 2007
From: bbecken at aafp.org (Brad Beckenhauer)
Date: Tue Jul 17 21:45:54 2007
Subject: MailScanner Lint logic
Message-ID: <469CDF29.D87E.0068.3@aafp.org>

Julian,

If MailScanner is stopped and MailScanner --lint is run, the lint outputs the below information.
Would you consider revising the lint logic to cleanup the output?

# MailScanner --lint
Could not read file /var/run/MailScanner.pid at /usr/lib/MailScanner/MailScanner/Config.pm line 2376
Error in line 181, file "/var/run/MailScanner.pid" for pidfile does not exist (or can not be read) at /usr/lib/MailScanner/MailScanner/Config.pm line 2556

thanks
Brad

From lists at jfworks.net Tue Jul 17 21:53:01 2007
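Added example, not written by any poster in this thread: for the whitelisting question answered above, one way to narrow the search is to list every message MailScanner passed as "not spam (whitelisted)" although SpamAssassin scored it at or above the required level, then show which entries of the "Is Definitely Not Spam" ruleset could match its relay IP or sender. The log lines and the ruleset are constructed samples in the format quoted in the thread; reading each ruleset line as direction, pattern, value, and handling only literal IP prefixes and `*` address globs, is a simplifying assumption of this sketch.

```python
import re
from fnmatch import fnmatch

# Constructed syslog lines in the format quoted in the thread
# (only the first message id is taken from the page).
SAMPLE_LOG = """\
Jul 17 15:50:29 gw MailScanner[10318]: Message l6HJnjqf014254 from 192.0.2.44 (bulk@spam.example) to example.net is not spam (whitelisted), SpamAssassin (not cached, score=15.974, required 4, autolearn=spam, BAYES_99 8.00, URIBL_BLACK 3.00)
Jul 17 15:51:02 gw MailScanner[10318]: Message l6HJnk1a014300 from 198.51.100.7 (alice@partner.example) to example.net is not spam (whitelisted), SpamAssassin (not cached, score=0.3, required 4, HTML_MESSAGE 0.00)
Jul 17 15:52:10 gw MailScanner[10318]: Message l6HJnm2b014311 from 203.0.113.9 (promo@junk.example) to example.net is spam, SpamAssassin (not cached, score=9.1, required 4, BAYES_99 8.00)
Jul 17 15:53:40 gw MailScanner[10318]: Message l6HJnq3c014320 from 192.0.2.45 (offers@spam.example) to example.net is not spam (whitelisted), SpamAssassin (cached, score=12.5, required 4, BAYES_99 8.00)
"""

# Constructed stand-in for the file named by "Is Definitely Not Spam".
SAMPLE_RULESET = """\
# constructed whitelist ruleset
From:      *@partner.example   yes
From:      192.0.2.            yes
FromOrTo:  default             no
"""

LINE_RE = re.compile(
    r"MailScanner\[\d+\]: Message (?P<id>\S+) from (?P<ip>\S+) "
    r"\((?P<sender>[^)]*)\) to (?P<to>.*?) is (?P<verdict>not spam|spam)"
    r"(?P<wl> \(whitelisted\))?, SpamAssassin \([^,]*, "
    r"score=(?P<score>-?\d+(?:\.\d+)?), required (?P<required>\d+(?:\.\d+)?)"
)


def whitelisted_spam(log_text):
    """Messages that were whitelisted although score >= required."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None or not m.group("wl"):
            continue
        score = float(m.group("score"))
        if score >= float(m.group("required")):
            findings.append({"id": m.group("id"), "ip": m.group("ip"),
                             "sender": m.group("sender"), "score": score})
    return findings


def candidate_rules(ruleset_text, ip, sender):
    """(line number, text) of 'yes' rules that could match this relay or sender."""
    hits = []
    for number, raw in enumerate(ruleset_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        direction, pattern, value = fields[0].lower(), fields[1], fields[2].lower()
        if direction not in ("from:", "fromorto:") or value != "yes":
            continue
        if pattern[0].isdigit():
            matched = ip.startswith(pattern)                  # IP prefix entry
        else:
            matched = fnmatch(sender.lower(), pattern.lower())  # address glob
        if matched:
            hits.append((number, raw.strip()))
    return hits


def report(log_text, ruleset_text):
    """One row per suspicious message: id, relay IP, score, matching rule lines."""
    rows = []
    for f in whitelisted_spam(log_text):
        rules = candidate_rules(ruleset_text, f["ip"], f["sender"])
        rows.append((f["id"], f["ip"], f["score"], [n for n, _ in rules]))
    return rows


if __name__ == "__main__":
    for msg_id, ip, score, lines in report(SAMPLE_LOG, SAMPLE_RULESET):
        print(f"{msg_id} relay={ip} score={score} ruleset lines={lines}")
```

Run against the real maillog and the file your own "Is Definitely Not Spam" setting points to; a message that is flagged here with no candidate rule points at a whitelist source outside that file.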
From: lists at jfworks.net (James)
Date: Tue Jul 17 21:53:11 2007
Subject: FuzzyOCR problems ...
In-Reply-To: <469D15A2.7060409@niit.edu.pk>
References: <469D15A2.7060409@niit.edu.pk>
Message-ID: <469D2C2D.4030607@jfworks.net>

Azher Amin wrote:
> Hi,
>
> I am using Debian Etch, and installed the latest SA package from
> mailscanner, gocr 0.44, libnetpbm10, libnetpbm10-dev. I was trying to
> install fuzzyocr-3.5.1-devel.tar.gz and I got the following errors ().
> Packages Mail::SpamAssassin::PerMsgStatus is also up to date as
> reported by perl -MCPAN. Plz suggest what can be wrong.
>
> -Azher
>
> [4196] dbg: rules: compiled uri tests
> [4196] dbg: https_http_mismatch: anchors 0
> [4196] warn: rules: failed to run FUZZY_OCR_CORRUPT_IMG test, skipping:
> [4196] warn: (Can't locate object method "dummy_check" via package
> "Mail::SpamAssassin::PerMsgStatus" at (eval 719) line 377.
> [4196] warn: )
> [4196] dbg: eval: stock info total: 0
> [4196] warn: rules: failed to run CG_FUJI_JPG test, skipping:
> [4196] warn: (Can't locate object method "image_name_regex" via
> package "Mail::SpamAssassin::PerMsgStatus" at (eval 719) line 804.
> [4196] warn: )
> [4196] warn: rules: failed to run CG_DOUBLEDOT_GIF test, skipping:
> [4196] warn: (Can't locate object method "image_name_regex" via
> package "Mail::SpamAssassin::PerMsgStatus" at (eval 719) line 919.
> [4196] warn: )
> [4196] warn: rules: failed to run CG_SONY_JPG test, skipping:
> [4196] warn: (Can't locate object method "image_name_regex" via
> package "Mail::SpamAssassin::PerMsgStatus" at (eval 719) line 1418.
> [4196] warn: )
> [4196] warn: rules: failed to run CG_CANON_JPG test, skipping:
> [4196] warn: (Can't locate object method "image_name_regex" via
> package "Mail::SpamAssassin::PerMsgStatus" at (eval 719) line 2349.

Maybe you need more packages? While not the same OS, perhaps this can give some clues. I'm not familiar with debian, but I'm sure you can find the same or build from source.

With CentOS I installed the following for fuzzyocr:

ImageMagick
gocr
libungif
libungif-devel
netpbm-progs (seems you have this one maybe )
gifsicle

Perl Modules:
String::Approx
Time::HiRes
MLDBM
MLDBM::Sync
Log::Agent

James

From ssilva at sgvwater.com Tue Jul 17 22:19:51 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Jul 17 22:20:11 2007
Subject: Postfix header check to reject certain senders
In-Reply-To: <223f97700707170455n7675180bva3304f040296b035@mail.gmail.com>
References: <1184671800.15921.16.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700707170455n7675180bva3304f040296b035@mail.gmail.com>
Message-ID:

Glenn Steen spake the following on 7/17/2007 4:55 AM:
> On 17/07/07, Gareth wrote:
>> A bit off topic but you are normally a friendly bunch :)
>>
>> I am trying to get postfix () to reject mail from certain senders rather
>> than accept and then delete it in mailscanner.
>>
>> One such mail has the following in the headers:-
>> From: root@adsl.linguaphone.com
>> To: root@adsl.linguaphone.com
>> Subject: adsl.linguaphone.com security run output
>>
>> I have my postfix header checks set to use regexp matching and the file
>> contains :-
>>
>> /^From:.*\@adsl\.linguaphone\,com/ REJECT Sender
>> address blacklisted.
>> /^Received:/ HOLD
>>
>> The problem is that the mail I am trying to block is not being rejected.
>> All mail is being put in the hold queue and Mailscanner working
>> correctly so header checks are working.
>> Have I done something wrong with the syntax?
>>
> Look at rejecting the _envelope_ sender instead. That From: is
> probably spoofed to high heaven:-).
>
> Also, this should be done in the access map instead.
> ... Then again, I'm on vacation, so the brain might be slightly turned
> off (more than usual, that is:-).
>
> Cheers

You sure get a lot of vacation! Have you been completely free of work, or have you been "tapped" a few times by the PHB's?

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Tue Jul 17 22:25:53 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Jul 17 22:26:15 2007
Subject: Phishing net getting confused
In-Reply-To: <469CE012.9040401@tradoc.fr>
References: <469CE012.9040401@tradoc.fr>
Message-ID:

John Wilcock spake the following on 7/17/2007 8:28 AM:
> I think I've uncovered a buglet in the phishing net code (MailScanner
> version 4.61.7).
>
> Given the following snippet (this was an outgoing message, quoting an
> original that included the hotbar link; the moz-do-not-send bits weren't
> in that original and seem to be generated by Thunderbird):
>
>> > href="http://promos.hotbar.com/promos/promodll.dll?RunPromo&El=&SG=&
>>
>> ;RAND=16236&partner=hbtools"
>> moz-do-not-send="true" title="" alt="Upgrade Your Email - Click here!"
>> src="http://promos.hotbar.com/promos/promodll.dll?GetPromo&El=&SG=&
>>
>> RAND=16236&partner=hbtools&/p.gif"
>> border="0">
>
> Mailscanner's phishing net detected this as follows:
>
>> MailScanner[12590]: Found phishing fraud from promos.hotbar.com
>> claiming to be
>> www.>
>> in 6F13B8053.635D4
>
> Clearly the moz-do-not-send is causing a problem, since the original
> message without those tags correctly passed through the net undetected.
>
> John.
>

Did sending user tell Thunderbird it was not junk "before" forwarding? I think that is how it disables stuff it thinks is bad.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From res at ausics.net Tue Jul 17 22:48:51 2007
From: res at ausics.net (Res)
Date: Tue Jul 17 22:49:12 2007
Subject: MailScanner Lint logic
In-Reply-To: <469CDF29.D87E.0068.3@aafp.org>
References: <469CDF29.D87E.0068.3@aafp.org>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

On Tue, 17 Jul 2007, Brad Beckenhauer wrote:

> Julian,
> If MailScanner is stopped and MailScanner --lint is run, the lint
> outputs the below information.
> Would you consider revising the lint logic to cleanup the output?
>
> # MailScanner --lint
> Could not read file /var/run/MailScanner.pid at
> /usr/lib/MailScanner/MailScanner/Config.pm line 2376
> Error in line 181, file "/var/run/MailScanner.pid" for pidfile does not
> exist (or can not be read) at /usr/lib/MailScanner/MailScanner/Config.pm
> line 2556

Brad, what version you running? I don't see this on tarball install...

root@valhalla:~# /etc/rc.d/rc.sendmail mailscanner-stop
Stopping MailScanner...
Done.
root@valhalla:~# /opt/MailScanner/bin/MailScanner --lint
Read 797 hostnames from the phishing whitelist
Checking version numbers...
Version number in MailScanner.conf (4.61.7) is correct.
Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = posix
Creating hardcoded struct_flock subroutine for linux (Linux-type)
MailScanner.conf says "Virus Scanners = f-prot"
Found these virus scanners installed: f-prot

--
Cheers
Res

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGnTlDsWhAmSIQh7MRAttjAJ4lg3Q0RfzWP1jOkG552oroaSnsMgCeJuUL
EsEp5Kamw+ipS1+E7S7xxTU=
=JawX
-----END PGP SIGNATURE-----

From michael at dilworth.net Tue Jul 17 22:49:20 2007
From: michael at dilworth.net (Michael R. Dilworth)
Date: Tue Jul 17 22:49:48 2007
Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k"
Message-ID: <012101c7c8bc$5498dee0$5713cc40@OCEANII>

Just to save some time for some of you, the 40k number is on the small side for some of the PDF spams I've been receiving.

It took me a while to figure out the difference between spamassassin -D and the live MailScanner...

From ms-list at alexb.ch Tue Jul 17 23:20:09 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Jul 17 23:20:16 2007
Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k"
In-Reply-To: <012101c7c8bc$5498dee0$5713cc40@OCEANII>
References: <012101c7c8bc$5498dee0$5713cc40@OCEANII>
Message-ID: <469D4099.5040708@alexb.ch>

On 7/17/2007 11:49 PM, Michael R. Dilworth wrote:
> Just to save some time for some of you, the 40k number
> can is on the small side for some of the PDF spams I've
> been receiving.

FWI: I'm using:

Max Spam Check Size = 250000
Max SpamAssassin Size = 2500000

which, AFAIK are the default SA values.

Alex

--
*Spammer hell has no DSL*

From glenn.steen at gmail.com Tue Jul 17 23:21:45 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 17 23:21:49 2007
Subject: Postfix header check to reject certain senders
In-Reply-To:
References: <1184671800.15921.16.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700707170455n7675180bva3304f040296b035@mail.gmail.com>
Message-ID: <223f97700707171521r2c6aa38j9558e5e86c3c2bac@mail.gmail.com>

On 17/07/07, Scott Silva wrote:
> Glenn Steen spake the following on 7/17/2007 4:55 AM:
> > On 17/07/07, Gareth wrote:
> >> A bit off topic but you are normally a friendly bunch :)
> >>
> >> I am trying to get postfix () to reject mail from certain senders rather
> >> than accept and then delete it in mailscanner.
> >>
> >> One such mail has the following in the headers:-
> >> From: root@adsl.linguaphone.com
> >> To: root@adsl.linguaphone.com
> >> Subject: adsl.linguaphone.com security run output
> >>
> >> I have my postfix header checks set to use regexp matching and the file
> >> contains :-
> >>
> >> /^From:.*\@adsl\.linguaphone\,com/ REJECT Sender
> >> address blacklisted.
> >> /^Received:/ HOLD
> >>
> >> The problem is that the mail I am trying to block is not being rejected.
> >> All mail is being put in the hold queue and Mailscanner working
> >> correctly so header checks are working.
> >> Have I done something wrong with the syntax?
> >>
> > Look at rejecting the _envelope_ sender instead. That From: is
> > probably spoofed to high heaven:-).
> >
> > Also, this should be done in the access map instead.
> > ... Then again, I'm on vacation, so the brain might be slightly turned
> > off (more than usual, that is:-).
> >
> > Cheers
> You sure get a lot of vacation! Have you been completely free of work, or have
> you been "tapped" a few times by the PHB's?
>
>

Three weeks might be considered much by some, I guess.... I usually try to get four each summer, but due to the SE asia trip this spring .... three was all I could get out of the PHB:-):-)

Been "tapped" by the PHB, a retiring DBA, a few programmers some windoze admins and some few users(!)... That and the raining and the usual repairs on the house (painting the awnings (I think that's the right word for that particular part of the roof:-)... A lot of climbing around, which isn't as easy as it used to be:-)... Not much of a vacation....:-).
VPN is the death of relaxation and recreation.... You know how it is.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ssilva at sgvwater.com Wed Jul 18 00:04:41 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Jul 18 00:05:07 2007
Subject: Postfix header check to reject certain senders
In-Reply-To: <223f97700707171521r2c6aa38j9558e5e86c3c2bac@mail.gmail.com>
References: <1184671800.15921.16.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700707170455n7675180bva3304f040296b035@mail.gmail.com> <223f97700707171521r2c6aa38j9558e5e86c3c2bac@mail.gmail.com>
Message-ID:

Glenn Steen spake the following on 7/17/2007 3:21 PM:
> On 17/07/07, Scott Silva wrote:
>> Glenn Steen spake the following on 7/17/2007 4:55 AM:
>> > On 17/07/07, Gareth wrote:
>> >> A bit off topic but you are normally a friendly bunch :)
>> >>
>> >> I am trying to get postfix () to reject mail from certain senders
>> rather
>> >> than accept and then delete it in mailscanner.
>> >>
>> >> One such mail has the following in the headers:-
>> >> From: root@adsl.linguaphone.com
>> >> To: root@adsl.linguaphone.com
>> >> Subject: adsl.linguaphone.com security run output
>> >>
>> >> I have my postfix header checks set to use regexp matching and the
>> file
>> >> contains :-
>> >>
>> >> /^From:.*\@adsl\.linguaphone\,com/ REJECT Sender
>> >> address blacklisted.
>> >> /^Received:/ HOLD
>> >>
>> >> The problem is that the mail I am trying to block is not being
>> rejected.
>> >> All mail is being put in the hold queue and Mailscanner working
>> >> correctly so header checks are working.
>> >> Have I done something wrong with the syntax?
>> >>
>> > Look at rejecting the _envelope_ sender instead. That From: is
>> > probably spoofed to high heaven:-).
>> >
>> > Also, this should be done in the access map instead.
>> > ... Then again, I'm on vacation, so the brain might be slightly turned
>> > off (more than usual, that is:-).
>> >
>> > Cheers
>> You sure get a lot of vacation! Have you been completely free of work,
>> or have
>> you been "tapped" a few times by the PHB's?
>>
>>
>
> Three weeks might be considered much by some, I guess.... I usually
> try to get four each summer, but due to the SE asia trip this spring
> .... three was all I could get out of the PHB:-):-)
>
> Been "tapped" by the PHB, a retiring DBA, a few programmers some
> windoze admins and some few users(!)... That and the raining and the
> usual repairs on the house (painting the awnings (I think that's the
> right word for that particular part of the roof:-)... A lot of
> climbing around, which isn't as easy as it used to be:-)... Not much
> of a vacation....:-).
> VPN is the death of relaxation and recreation.... You know how it is.
>
>
> Cheers

Here's to what you have left! Cheers!! ;-D

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From am.lists at gmail.com Wed Jul 18 01:27:09 2007
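Added example, not written by any poster in this thread: a small Python model of a Postfix regexp header_checks table, run against constructed messages modelled on the headers quoted above. It shows that the posted `From:` pattern cannot match, because `\,` matches a literal comma where the address has a dot, and why a check on the envelope sender still catches mail whose `From:` header has been changed. The table parser, the one-action-per-message summary, the corrected pattern and the two-step sender lookup are simplifying assumptions of this sketch, not Postfix code.

```python
import re

# The two rules quoted in the thread, laid out as a table file.
POSTED_TABLE = r"""
/^From:.*\@adsl\.linguaphone\,com/   REJECT Sender address blacklisted.
/^Received:/                         HOLD
"""
# Assumption of this sketch: the comma was meant to be an escaped dot.
FIXED_TABLE = POSTED_TABLE.replace(r"\,com", r"\.com")

# Constructed messages: (envelope sender, header lines).
HONEST = ("root@adsl.linguaphone.com", [
    "Received: from adsl.linguaphone.com (unknown [192.0.2.10])",
    "From: root@adsl.linguaphone.com",
    "To: root@adsl.linguaphone.com",
    "Subject: adsl.linguaphone.com security run output",
])
SPOOFED = ("root@adsl.linguaphone.com", [
    "Received: from adsl.linguaphone.com (unknown [192.0.2.10])",
    "From: Security Team <alerts@example.org>",
    "To: root@adsl.linguaphone.com",
    "Subject: adsl.linguaphone.com security run output",
])

# Constructed sender access table: lookup key -> action.
SENDER_ACCESS = {"adsl.linguaphone.com": "REJECT"}

RULE_RE = re.compile(r"^/(?P<pat>.*)/(?P<flags>[a-z]*)\s+(?P<action>\S+)\s*(?P<text>.*)$")


def parse_table(text):
    """Parse '/pattern/flags ACTION text' lines into (regex, action) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unparsable rule: " + line)
        # regexp tables match case-insensitively unless the 'i' flag toggles it off
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        rules.append((re.compile(m.group("pat"), flags), m.group("action").upper()))
    return rules


def check_headers(rules, headers):
    """Apply the table to each header; the first matching rule wins per header."""
    hits = []
    for header in headers:
        for regex, action in rules:
            if regex.search(header):
                hits.append((header.split(":", 1)[0], action))
                break
    actions = {action for _, action in hits}
    if "REJECT" in actions:
        return "REJECT", hits
    if "HOLD" in actions:
        return "HOLD", hits
    return "PASS", hits


def check_sender(access, envelope_sender):
    """Simplified sender access lookup: full address first, then the domain."""
    address = envelope_sender.lower()
    domain = address.rsplit("@", 1)[-1]
    return access.get(address) or access.get(domain) or "PASS"


def evaluate(table_text, message, access=None):
    """Final disposition of one message under a table and optional access map."""
    sender, headers = message
    if access is not None and check_sender(access, sender) == "REJECT":
        return "REJECT"  # refused in the SMTP dialogue, before headers are sent
    return check_headers(parse_table(table_text), headers)[0]


if __name__ == "__main__":
    for name, table in (("posted", POSTED_TABLE), ("fixed", FIXED_TABLE)):
        for label, msg in (("honest From:", HONEST), ("spoofed From:", SPOOFED)):
            print(f"{name:6} table, {label:13} -> {evaluate(table, msg)}")
    print("fixed table + sender access, spoofed From: ->",
          evaluate(FIXED_TABLE, SPOOFED, SENDER_ACCESS))
```

With the posted table every message ends up held by the `Received:` rule, which matches the behaviour described in the question.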
From: am.lists at gmail.com (am.lists)
Date: Wed Jul 18 01:27:14 2007
Subject: Reason for whitelisting?
In-Reply-To:
References:
Message-ID: <25a66d840707171727i4c89120aga3a5ac0cd7e9b11d@mail.gmail.com>

On 7/17/07, Richard D Alloway wrote:
>
> I am receiving some spam that should be getting flagged or deleted, but is
> being marked as "not spam (whitelisted)" by MailScanner.
>
> When I look at the logs for the offending message, I see things like:
>
> Jul 17 15:49:57 smtp-gateway-4 milter-ahead[2117]: 61096
> l6HJnjqf014254: cacheGet(b411110, 'robjulie@xxxxxxxx', {st=0, cn=1})
> Jul 17 15:49:57 smtp-gateway-4 milter-ahead[2117]: 61096
> l6HJnjqf014254: cacheGet(b411110, 'rockwell@xxxxxxxx', {st=0, cn=1})
> Jul 17 15:49:57 smtp-gateway-4 milter-ahead[2117]: 61096
> l6HJnjqf014254: cacheGet(b411110, 'rome74@xxxxxxx', {st=0, cn=1})
> Jul 17 15:49:58 smtp-gateway-4 sendmail[14254]:
> l6HJnjqf014254: from=, size=1713,
> class=0, nrcpts=11, msgid=<924405758.55504416941907@xxxxxxxxxxxxx>,
> proto=ESMTP, daemon=MTA, relay=xxxxxxxxxxxxxxxxxx [xx.xxx.xx.xx] (may
> be forged)
> Jul 17 15:50:23 smtp-gateway-4 MailScanner[10318]: Message l6HJnjqf014254 from
> xx.xxx.xx.xx (gadaandstelecommbef@xxxxxxxxxxxxxx) is whitelisted
> Jul 17 15:50:29 smtp-gateway-4 MailScanner[10318]:
> Message l6HJnjqf014254 from xx.xxx.xx.xx
> (gadaandstelecommbef@xxxxxxxxxxxxxxxxxx) to xxxxxxx is not
> spam (whitelisted),
> SpamAssassin (not cached, score=15.974, required 4, autolearn=spam, BAYES_99
> 8.00, HELO_DYNAMIC_DHCP 1.40, HTML_MESSAGE 0.00, RDNS_DYNAMIC 0.10, URIBL_BLACK
> 3.00, URIBL_JP_SURBL 1.50, URIBL_OB_SURBL 1.50, URIBL_SC_SURBL 0.47)
> Jul 17 15:50:36 smtp-gateway-4 MailScanner[10318]:
> tag found in message l6HJnjqf014254 from gadaandstelecommbef@xxxxxxxxxxxxxxxx
> Jul 17 15:50:37 smtp-gateway-4 sendmail[14848]: l6HJnjqf014254:
> to=,,, delay=00:00:40,
> xdelay=00:00:00, mailer=smtp, pri=421713, relay=mail.xxxxxxxxx
> [xx.xx.xx.xx], dsn=2.0.0, stat=Sent (ok 1184701833 qp 906)
>

Robert,

Did you by chance download/install a pre-configured kit? Some have pre-defined "known-good" senders pre-populated in a sql table somewhere. Also, the SARE rule 70_sare_whitelist.cf contains several known-good's too.

Perhaps if you shared the final MTA's IP here some of us would be willing to test for it in our systems as well.

Regds,
Angelo

From steves at awebd.com.au Wed Jul 18 01:56:52 2007
From: steves at awebd.com.au (Steve Simeonidis)
Date: Wed Jul 18 01:57:02 2007
Subject: stats script - shell/perl
In-Reply-To:
Message-ID: <1762274.1184720212898.JavaMail.root@mail.awebd.com.au>

Is there anything simple like a perl or shell script that can send an email with the stats? don't need any html, graphs, etc. ?

Thanks
Steve

----- Original Message -----
From: mailscanner-bounces@lists.mailscanner.info on behalf of Nick Brown
Sent: Tue, 17/7/2007 10:42pm
To: MailScanner discussion
Subject: Re: stats script

MailWatch
http://mailwatch.sourceforge.net/doku.php

MailScanner-MRTG
http://mailscannermrtg.sourceforge.net/

Cheers
Nick.

On 17/7/07 10:34 PM, "Steve Simeonidis" wrote:

can someone please point me to a simple script that generate some stats on spam/viruses/etc parsing the maillog files?
Is there anything MailScanner specific available?

Thanks
Steve

Sent using the Microsoft Entourage 2004 for Mac Test Drive.

From naolson at gmail.com Wed Jul 18 02:36:54 2007
From: naolson at gmail.com (Nathan Olson)
Date: Wed Jul 18 02:36:57 2007
Subject: stats script - shell/perl
In-Reply-To: <1762274.1184720212898.JavaMail.root@mail.awebd.com.au>
References: <1762274.1184720212898.JavaMail.root@mail.awebd.com.au>
Message-ID: <8f54b4330707171836w2b93dc68ydf43f8568f89e977@mail.gmail.com>

Try this. You might have to modify the virus regexp, as it's tailored to McAfee. We run it from cron every night.

Nate

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mailscanner-counter.pl
Type: application/octet-stream
Size: 2496 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070717/36eda5c1/mailscanner-counter.obj

From john at tradoc.fr Wed Jul 18 08:19:16 2007
From: john at tradoc.fr (John Wilcock) Date: Wed Jul 18 08:19:30 2007 Subject: Phishing net getting confused In-Reply-To: References: <469CE012.9040401@tradoc.fr> Message-ID: <469DBEF4.4070908@tradoc.fr> Scott Silva wrote: > John Wilcock spake the following on 7/17/2007 8:28 AM: >> I think I've uncovered a buglet in the phishing net code (MailScanner >> version 4.61.7). ... >> Mailscanner's phishing net detected this as follows: >> >>> MailScanner[12590]: Found phishing fraud from promos.hotbar.com >>> claiming to be >>> www.>> >>> in 6F13B8053.635D4 >> Clearly the moz-do-not-send is causing a problem, since the original >> message without those tags correctly passed through the net undetected. >> >> John. >> > Did sending user tell Thunderbird it was not junk "before" forwarding? I think > that is how it disables stuff it thinks is bad. Quite possibly, but that's not the point here. MS is getting "confused" by the hyphens in the html attribute name. Looking at the code, there's a tag detection regex that searches for tag names and attribute names with \w+ whereas in fact the HTML spec, or rather the underlying SGML spec also allows names to contain (but not start with) -_.: as well. I've attached a patch that seems to do the trick, for Julian's perusal. John. -- -- Over 3000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr -------------- next part -------------- --- ./Message.pm.orig 2007-07-18 08:44:27.000000000 +0200 +++ /usr/lib/MailScanner/MailScanner/Message.pm 2007-07-18 09:04:08.000000000 +0200 
@@ -5832,7 +5832,7 @@ $squashedtext =~ s/\\/\//g; # Change \ to / as many browsers do this $squashedtext =~ s/^\[\d*\]//; # Removing leading [numbers] #$squashedtext =~ s/(\<\/?[^>]*\>)*//ig; # Remove tags - $squashedtext =~ s/(\<\/?\w+((\s+\w+(\s*=\s*(?:\".*?\"|\'.*?\'|[^\'\">\s]+))?)+\s*|\s*)\/?\>)*//ig; # Remove tags, better re from snifer_@hotmail.com + $squashedtext =~ s/(\<\/?[a-z][a-z0-9:._-]*((\s+[a-z][a-z0-9:._-]*(\s*=\s*(?:\".*?\"|\'.*?\'|[^\'\">\s]+))?)+\s*|\s*)\/?\>)*//ig; # Remove tags, re from snifer_@hotmail.com adapted by JW $squashedtext =~ s/\s+//g; # Remove any whitespace $squashedtext =~ s/^[^\/:]+\@//; # Remove username of email addresses #$squashedtext =~ s/\&\w*\;//g; # Remove things like < and > From mailadmin at baladia.gov.kw Wed Jul 18 07:43:08 2007 From: mailadmin at baladia.gov.kw (simon) Date: Wed Jul 18 08:23:22 2007 Subject: thnks for your advice Message-ID: <1477.62.150.152.49.1184740988.squirrel@webmail.baladia.gov.kw> Thank you guys Julian and gleen i really do apprecite your help and now my MailScanner is working beautifully.. 1) but i would like to know how do i really test my installltion of MS for through spam dtection n virus scanning. since this is a test system and i have jus one user created for testing mails 2) also how do i know if mailscanner is using clamd for virus scanning 3) also i installed the jules package of spamassassin+ clamav but the clamav package is in logs says WARNING: Local version: 0.91 Recommended version: 0.91.1 could i jus download the latest rpm and jus use rpm -Uvh clam*** to upgrade it appreciate if u cd let me know Regards simon -- Network Administrator From neilw at dcdata.co.za Wed Jul 18 09:01:06 2007 
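Review bot: in the replacement s/// line of John Wilcock's Message.pm hunk above, both name classes `[a-z][a-z0-9:._-]*` require a leading letter, whereas the `\w+` they replace also accepted a leading underscore or digit, so a tag whose element or attribute name starts with `_` or a digit was stripped before this change and is left in $squashedtext after it. If that narrowing is not intended, widen the first class, for example to `[a-z_][a-z0-9:._-]*`, and say in the trailing comment which characters were added to the name class so a later edit to this regex does not drop them again.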
From: neilw at dcdata.co.za (Neil Wilson)
Date: Wed Jul 18 09:01:30 2007
Subject: ClamScan Denial of Service attack
Message-ID: <469DC8C2.5010209@dcdata.co.za>

Hi guys,

I've just had quite a serious problem with one of my clients which seemed to have been caused by Clamscan which rejected nearly all emails as "MailScanner[30767]: Virus Scanning: Denial Of Service attack detected!"

It looks like it did this because we're using "clamav" as our virus scanner, and clamscan was killing the system resources.

The server is running "ClamAV 0.90.3/3691/Wed Jul 18 08:04:43 2007" which came with the Clam-SA-easy installation package.

I know the latest MailScanner has full support for clamd, and it appears to work fine, but we have a lot of servers running with the same config, so to upgrade all of them to the latest MS+Clam will take forever.

Does the latest stable release of clam correct the problem with using clamav as our virus scanner with MS, can we just upgrade Clam on all our servers or do we have to upgrade all of these servers to the latest MS+Clam etc?

Thanks, Any help will be greatly appreciated.

Regards.
Neil

--
This email and all contents are subject to the following disclaimer: http://www.dcdata.co.za/emaildisclaimer.html

From jan-peter at koopmann.eu Wed Jul 18 09:10:57 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Wed Jul 18 09:10:15 2007
Subject: ClamScan Denial of Service attack
In-Reply-To:
References:
Message-ID:

> I know the latest MailScanner has full support for clamd, and it
> appears to work fine, but
> we have a lot of servers running with the same config, so to upgrade
> all of them to the
> latest MS+Clam will take forever.

You should still consider it.

> Does the latest stable release of clam correct the problem with using
> clamav as our virus
> scanner with MS, can we just upgrade Clam on all our servers or do we
> have to upgrade all of
> these servers to the latest MS+Clam etc?

Depending on what version of MS you are running you should be fine with the clamav upgrade. It might/should help you a bit since 0.91 has improved a bit on resource usage. However the speed increase you get by switching MailScanner from clam-wrapper to clamd on high volume servers is still worth considering!

Regards,
JP

From Alistair.Carmichael at ntltravel.com Wed Jul 18 09:11:16 2007
From: Alistair.Carmichael at ntltravel.com (Alistair Carmichael)
Date: Wed Jul 18 09:11:29 2007
Subject: ClamScan Denial of Service attack
In-Reply-To: <469DC8C2.5010209@dcdata.co.za>
References: <469DC8C2.5010209@dcdata.co.za>
Message-ID: <6EEC6D949794754FB8D83A4D87DF7168BE6862@gh-redd-exch-01.redditch.ntltravel.local>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Neil Wilson
Sent: 18 July 2007 09:01
To: MailScanner discussion
Subject: ClamScan Denial of Service attack

Hi guys,

I've just had quite a serious problem with one of my clients which seemed to have been caused by Clamscan which rejected nearly all emails as "MailScanner[30767]: Virus Scanning: Denial Of Service attack detected!"

It looks like it did this because we're using "clamav" as our virus scanner, and clamscan was killing the system resources.

The server is running "ClamAV 0.90.3/3691/Wed Jul 18 08:04:43 2007" which came with the Clam-SA-easy installation package.

I know the latest MailScanner has full support for clamd, and it appears to work fine, but we have a lot of servers running with the same config, so to upgrade all of them to the latest MS+Clam will take forever.

Does the latest stable release of clam correct the problem with using clamav as our virus scanner with MS, can we just upgrade Clam on all our servers or do we have to upgrade all of these servers to the latest MS+Clam etc?

Thanks, Any help will be greatly appreciated.

Regards.
Neil

Hi,
I had experienced the same problem which is down to that version of clam and the time it takes when starting up. Upgrading to the most recent clam solves the problem, you may also want to look at clamd or clamavmodule as a scanning engine if you handle large quantities of mail, using clamavmodule now I've found this a lot more effective. The most recent version of clam is included in the sa+clam package at mailscanner.info.

Al
From neilw at dcdata.co.za Wed Jul 18 09:15:26 2007
From: neilw at dcdata.co.za (Neil Wilson)
Date: Wed Jul 18 09:15:46 2007
Subject: ClamScan Denial of Service attack
In-Reply-To:
References:
Message-ID: <469DCC1E.6000002@dcdata.co.za>

Thanks for the reply JP,

Koopmann, Jan-Peter wrote:
> You should still consider it.

We will definitely do so, but time is short at the moment and I need to make sure we don't have a repeat of the current problem.

> Depending on what version of MS you are running you should be fine with
> the clamav upgrade. It might/should help you a bit since 0.91 has
> improved a bit on resource usage. However the speed increase you get by
> switching MailScanner from clam-wrapper to clamd on high volume servers
> is still worth considering!

Great! thank you very much.

Neil

From neilw at dcdata.co.za Wed Jul 18 09:18:17 2007
From: neilw at dcdata.co.za (Neil Wilson)
Date: Wed Jul 18 09:18:37 2007
Subject: ClamScan Denial of Service attack
In-Reply-To: <6EEC6D949794754FB8D83A4D87DF7168BE6862@gh-redd-exch-01.redditch.ntltravel.local>
References: <469DC8C2.5010209@dcdata.co.za> <6EEC6D949794754FB8D83A4D87DF7168BE6862@gh-redd-exch-01.redditch.ntltravel.local>
Message-ID: <469DCCC9.3090804@dcdata.co.za>

Alistair Carmichael wrote:
> Hi,
> I had experienced the same problem which is down to that version of clam
> and the time it takes when starting up. Upgrading to the most recent
> clam solves the problem, you may also want to look at clamd or
> clamavmodule as a scanning engine if you handle large quantities of
> mail, using clamavmodule now I've found this a lot more effective. The
> most recent version of clam is included in the sa+clam package at
> mailscanner.info.
>
> Al

Thanks Alistair, will definitely look into changing in the future.

Regards.
Neil

From tgc at statsbiblioteket.dk Wed Jul 18 09:23:13 2007
From: tgc at statsbiblioteket.dk (Tom G. Christensen)
Date: Wed Jul 18 09:23:16 2007
Subject: ClamScan Denial of Service attack
In-Reply-To: <469DC8C2.5010209@dcdata.co.za>
References: <469DC8C2.5010209@dcdata.co.za>
Message-ID: <469DCDF1.4080908@statsbiblioteket.dk>

Neil Wilson wrote:
> Hi guys,
>
> I've just had quite a serious problem with one of my clients which
> seemed to have been caused by Clamscan which rejected nearly all emails
> as "MailScanner[30767]: Virus Scanning: Denial Of Service attack detected!"
>
> It looks like it did this because we're using "clamav" as our virus
> scanner, and clamscan was killing the system resources.
>
> The server is running "ClamAV 0.90.3/3691/Wed Jul 18 08:04:43 2007"
> which came with the Clam-SA-easy installation package.
>
It's been beaten to death already but clamav 0.90.x has a serious performance issue when using clamscan due to very long signature DB load times.
Upgrading to 0.91.1 will fix this and allow you to continue to use clamscan.

I recently upgraded two MailScanner gateways from clamav 0.88.7 to 0.91(.1) and this has lowered the cpu usage even though I continue to use clamscan.

-tgc

From list-mailscanner at linguaphone.com Wed Jul 18 09:35:49 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Wed Jul 18 09:36:01 2007
Subject: Postfix header check to reject certain senders
In-Reply-To: <223f97700707170819m2018f26bl626a4050996cb6a1@mail.gmail.com>
References: <1184671800.15921.16.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700707170455n7675180bva3304f040296b035@mail.gmail.com> <1184676700.15921.64.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700707170605u6bffb36fn38d3517639326b51@mail.gmail.com> <1184678501.15923.70.camel@gblades-suse.linguaphone-intranet.co.uk> <223f97700707170819m2018f26bl626a4050996cb6a1@mail.gmail.com>
Message-ID: <1184747749.18625.1.camel@gblades-suse.linguaphone-intranet.co.uk>

On Tue, 2007-07-17 at 16:19, Glenn Steen wrote:
> Hm, that should've worked.... Wait and I'll check how I've set this up
> at work (I have an access file named deny_domain_spoof (could've named
> it ... whatever:-), which basically deny anyone from the outside from
> pretending to be me/my servers... Those I let through via the
> permit_mynetworks setting preceding the access map instruction. I have
> this set on helo_restrictions (check_helo_access hash:/...) and on
> sender_access (check_sender_restrictions hash:...) respectively... but
> client should be OK too (unless I'm totally on vacation:-).
> Just a moment while I invoke the SSL--X magic word...
> Nah, as said, these are the relevant lines for that (I have a load of
> others (as usual) on recipients too:-):
>
> smtpd_sender_restrictions = permit_mynetworks, check_sender_access
> hash:/etc/postfix/deny_domain_spoof
> smtpd_helo_restrictions = permit_mynetworks, check_helo_access
> hash:/etc/postfix/deny_domain_spoof

I changed from using smtpd_client_restrictions to smtpd_sender_restrictions and now it is working fine.

Thanks

From neilw at dcdata.co.za Wed Jul 18 10:26:28 2007
From: neilw at dcdata.co.za (Neil Wilson)
Date: Wed Jul 18 10:26:49 2007
Subject: ClamScan Denial of Service attack
In-Reply-To: <469DCDF1.4080908@statsbiblioteket.dk>
References: <469DC8C2.5010209@dcdata.co.za> <469DCDF1.4080908@statsbiblioteket.dk>
Message-ID: <469DDCC4.3090000@dcdata.co.za>

Tom G. Christensen wrote:
> It's been beaten to death already but clamav 0.90.x has a serious
> performance issue when using clamscan due to very long signature DB load
> times.
> Upgrading to 0.91.1 will fix this and allow you to continue to use
> clamscan.
>
> I recently upgraded two MailScanner gateways from clamav 0.88.7 to
> 0.91(.1) and this has lowered the cpu usage even though I continue to
> use clamscan.

Thanks Tom.

From mogens at fumlersoft.dk Wed Jul 18 11:33:38 2007
From: mogens at fumlersoft.dk (Mogens Melander)
Date: Wed Jul 18 11:32:35 2007
Subject: stats script
In-Reply-To:
References:
Message-ID: <1979.90.184.16.67.1184754818.squirrel@mail.fumlersoft.dk>

On Tue, July 17, 2007 14:40, Nick Brown wrote:
> MailWatch http://mailwatch.sourceforge.net/doku.php
> MailScanner-MRTG http://mailscannermrtg.sourceforge.net/

I like the way Vispan http://www.while.org.uk/mailstats/ handles spammers ao. While giving some simple stats on overall health.

>
> Cheers
> Nick.
>
>
> On 17/7/07 10:34 PM, "Steve Simeonidis" wrote:
>
>> can someone please point me to a simple script that generate some
>> stats on spam/viruses/etc parsing the maillog files?
>>
>> Is there anything MailScanner specific available?
>>
>> Thanks
>> Steve
>>

--
Later

Mogens Melander
+45 40 85 71 38
+66 870 133 224

From MailScanner at ecs.soton.ac.uk Wed Jul 18 12:16:54 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 18 12:17:46 2007
Subject: thnks for your advice
In-Reply-To: <1477.62.150.152.49.1184740988.squirrel@webmail.baladia.gov.kw>
References: <1477.62.150.152.49.1184740988.squirrel@webmail.baladia.gov.kw>
Message-ID: <469DF6A6.8080002@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

simon wrote:
> Thank you guys Julian and gleen
> i really do apprecite your help and now my MailScanner is working
> beautifully..
>
> 1) but i would like to know how do i really test my installltion of MS for
> through spam dtection n virus scanning.
> since this is a test system and i have jus one user created for testing mails
>
Look up www.eicar.org. This is a test virus which all scanners recognise, but which is a totally harmless program.
There is also a test spam called GTUBE which comes with SpamAssassin, which will get a very high score from SpamAssassin.

> 2) also how do i know if mailscanner is using clamd for virus scanning
>
MailScanner --lint
will tell you quite a bit.

> 3) also i installed the jules package of spamassassin+ clamav
> but the clamav package is in logs says
> WARNING: Local version: 0.91 Recommended version: 0.91.1
> could i jus download the latest rpm and jus use rpm -Uvh clam*** to
> upgrade it
>
No. Download the latest version of my package and install that over the top, which will give you 0.91.1.

>
> appreciate if u cd let me know
>
> Regards
>
> simon
>
>
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGnfamEfZZRxQVtlQRAmfqAJ0bVx+9GBRJIDBxjXgdmL4wxnBtTQCfUhNH
DbzvqsP9Ao1D4Ot6V096a+A=
=q0hZ
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Wed Jul 18 12:22:47 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 18 12:23:43 2007
Subject: Phishing net getting confused
In-Reply-To: <469DBEF4.4070908@tradoc.fr>
References: <469CE012.9040401@tradoc.fr> <469DBEF4.4070908@tradoc.fr>
Message-ID: <469DF807.8080206@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for that John. It will be in the next release.
Going to a nice dinner this evening on HMS Warrior in Portsmouth. Department academics and management are having a 60th anniversary dinner. Should be good. Expect photos very soon. John ---- You might even still recognise some of them!

Jules.

John Wilcock wrote:
> Scott Silva wrote:
>> John Wilcock spake the following on 7/17/2007 8:28 AM:
>>> I think I've uncovered a buglet in the phishing net code (MailScanner
>>> version 4.61.7).
> ...
>>> Mailscanner's phishing net detected this as follows:
>>>
>>>> MailScanner[12590]: Found phishing fraud from promos.hotbar.com
>>>> claiming to be
>>>> www.>>>
>>>>
>>>> in 6F13B8053.635D4
>>> Clearly the moz-do-not-send is causing a problem, since the original
>>> message without those tags correctly passed through the net undetected.
>>>
>>> John.
>>>
>> Did sending user tell Thunderbird it was not junk "before"
>> forwarding? I think
>> that is how it disables stuff it thinks is bad.
>
> Quite possibly, but that's not the point here. MS is getting
> "confused" by the hyphens in the html attribute name.
>
> Looking at the code, there's a tag detection regex that searches for
> tag names and attribute names with \w+ whereas in fact the HTML spec,
> or rather the underlying SGML spec also allows names to contain (but
> not start with) -_.: as well. I've attached a patch that seems to do
> the trick, for Julian's perusal.
>
> John.
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGnfgLEfZZRxQVtlQRAn0dAJ9z5mF+0+JtfkU6y1KNnoxfMVKbaQCgxrS3
xMH+m3sNcpynMRU+m7CEkP4=
=BA/n
-----END PGP SIGNATURE-----

From theodrake at comcast.net Wed Jul 18 14:44:58 2007
From: theodrake at comcast.net (Ed Bruce)
Date: Wed Jul 18 14:45:10 2007
Subject: Phishing net getting confused
In-Reply-To: <469DF807.8080206@ecs.soton.ac.uk>
References: <469CE012.9040401@tradoc.fr> <469DBEF4.4070908@tradoc.fr> <469DF807.8080206@ecs.soton.ac.uk>
Message-ID: <469E195A.10502@comcast.net>

Julian Field wrote:
> Thanks for that John. It will be in the next release.
> Going to a nice dinner this evening on HMS Warrior in Portsmouth.
> Department academics and management are having a 60th anniversary
> dinner. Should be good. Expect photos very soon. John ---- You might
> even still recognise some of them!
>
> Jules.
>

Lucky you. So are you getting the Tudor Banquet...

From MailScanner at ecs.soton.ac.uk Wed Jul 18 15:01:43 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 18 14:59:02 2007
Subject: Phishing net getting confused
In-Reply-To: <469E195A.10502@comcast.net>
References: <469CE012.9040401@tradoc.fr> <469DBEF4.4070908@tradoc.fr> <469DF807.8080206@ecs.soton.ac.uk> <469E195A.10502@comcast.net>
Message-ID: <469E1D47.8090306@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ed Bruce wrote:
> Julian Field wrote:
>
>> Thanks for that John. It will be in the next release.
>> Going to a nice dinner this evening on HMS Warrior in Portsmouth.
>> Department academics and management are having a 60th anniversary
>> dinner. Should be good. Expect photos very soon. John ---- You might
>> even still recognise some of them!
>>
>> Jules.
>>
>>
>
> Lucky you. So are you getting the Tudor Banquet...
>
I'll let you know tomorrow. Seeing as I was sick all last night I probably won't be eating much anyway. More photos, less food, should be a good night though!

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFGnh1IEfZZRxQVtlQRAtThAKCf2DBRD1BxMBOIIbxj0bBssX96hgCgs7ko
Pklc6fZThQAJf4ieiFuDft0=
=HmXZ
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Wed Jul 18 15:29:16 2007
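The tag-stripping step discussed in the "Phishing net getting confused" thread above, run over sample link texts. This is an added example, not MailScanner's own code: it is a Python port of the substitutions visible in the posted hunk, the link texts are constructed, and the `WIDER` pattern is an assumption added to show what happens to names that start with an underscore.

```python
import re

# Attribute-value sub-pattern, identical in the old and the patched regex.
VALUE = r'''(\s*=\s*(?:".*?"|'.*?'|[^'">\s]+))?'''


def tag_pattern(name):
    """Build the tag-stripping regex from the hunk around one NAME sub-pattern.

    The same sub-pattern serves for the element name and for attribute names;
    the /i flag of the Perl original becomes re.IGNORECASE.
    """
    return re.compile(
        r'(</?' + name + r'((\s+' + name + VALUE + r')+\s*|\s*)/?>)*',
        re.IGNORECASE,
    )


OLD = tag_pattern(r'\w+')                     # regex before the patch
PATCHED = tag_pattern(r'[a-z][a-z0-9:._-]*')  # regex after the patch
WIDER = tag_pattern(r'[a-z_][a-z0-9:._-]*')   # assumption: also accept a leading "_"


def squash(link_text, tags):
    """Apply the active substitutions from the hunk, in the same order."""
    t = link_text.replace('\\', '/')   # s/\\/\//g       change \ to /
    t = re.sub(r'^\[\d*\]', '', t)      # s/^\[\d*\]//    leading [numbers]
    t = tags.sub('', t)                 # remove tags (the line the patch changes)
    t = re.sub(r'\s+', '', t)           # s/\s+//g        remove whitespace
    t = re.sub(r'^[^/:]+@', '', t)      # s/^[^\/:]+\@//  username of addresses
    return t


# Constructed link texts, not taken from a real message.
SAMPLES = {
    "hyphenated": '<span moz-do-not-send="true">www.example.com</span>',
    "underscore": '<span _moz_dirty="">www.example.com</span>',
    "plain": '[1] <b>www.example.com</b>',
}


def compare(link_text):
    """Return the squashed text produced by each of the three patterns."""
    return {
        "old": squash(link_text, OLD),
        "patched": squash(link_text, PATCHED),
        "wider": squash(link_text, WIDER),
    }


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, compare(text))
```

Whenever a pattern fails to match a tag, the tag text stays in the string that the phishing net then compares against the link target, which is the false alarm John describes.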
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Jul 18 15:29:26 2007
Subject: How to Allow mails marked "could be a suspicious file "
In-Reply-To: <1184649744.25752.2.camel@localhost.localdomain>
References: <1184592200.19284.16.camel@localhost.localdomain> <469B9F78.1090309@ecs.soton.ac.uk> <1184649744.25752.2.camel@localhost.localdomain>
Message-ID:

On Tue, 17 Jul 2007, ram wrote:
> On Mon, 2007-07-16 at 17:40 +0100, Julian Field wrote:
>>
>> This looks to me like a report from a virus scanner. See if there is a
>> command-line option for your scanner that stops it looking for things
>> like this. If you tell me what scanner you're using, then I can tell you
>> where the mod needs to be made.
>
> I am using clamavmodule and f-prot

I used to be rather fond of F-Prot. But in recent months I am able to test the various AV solutions against malware collected by some major parties. And all of a sudden F-Prot is falling rather behind.

My test collection shot from 45k to over 100k of unique samples in 3 months. And F-Prot scores only 32%. ClamAV scores 74%.

These are rather crude results at the moment as I need to rewrite a lot of the parsing scripts to handle the new setup. But I hope to present more detailed information in a month or so.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From tjones at isthmus.com Wed Jul 18 15:50:21 2007
From: tjones at isthmus.com (Thom Jones)
Date: Wed Jul 18 16:02:34 2007
Subject: stats script - shell/perl
In-Reply-To: <1762274.1184720212898.JavaMail.root@mail.awebd.com.au>
References: <1762274.1184720212898.JavaMail.root@mail.awebd.com.au>
Message-ID: <200707180950.21639.tjones@isthmus.com>

On Tuesday 17 July 2007, Steve Simeonidis wrote:
> Is there anything simple like a perl or shell script that can send
> an email with the stats? don't need any html, graphs, etc.
>

If you are using sendmail, check sendmail_stats:
http://www.reedmedia.net/software/sendmail_stats/

perl script. works great.

--
Thom Jones
Isthmus Publishing Co., Inc.
http://www.thedailypage.com

Everyone has a photographic memory, some just don't have film.

From rickt at rickt.org Wed Jul 18 16:22:14 2007
From: rickt at rickt.org (Rick Tait)
Date: Wed Jul 18 16:22:16 2007
Subject: Thanks for previous answers + How to stop "cascading" MailScanners from multiple scans?
Message-ID: <798375e00707180822u1135e35dx7dad15f5530df228@mail.gmail.com>

Hi all,

Thanks to everyone for their very useful and kind replies to my questions the other day regarding whitelisting. All is working very well now -- THANK YOU!

I do have another question however.

I have multiple MailScanner boxes on multiple networks, all "backing each other up" as secondary/tertiary MX servers, etc. Sometimes however, due to the vagaries of routing, up/down circuits etc, it comes to pass that an email's route to its final delivery destination in our network means that the machine must pass through multiple MailScanner boxes. What I am seeing is that MailScanner will scan each email, regardless of whether it has already been scanned or not.

My question is this: How do I have MailScanner scan an email just once? i.e. If any of the MailScanner headers are already present in the email, how do I have the email automatically just passed through?

Thanks so much!

-Rick.

From carock at epconline.com Wed Jul 18 16:47:54 2007
From: carock at epconline.com (Chuck Rock)
Date: Wed Jul 18 16:47:59 2007
Subject: Thanks for previous answers + How to stop "cascading" MailScannersfrom multiple scans?
In-Reply-To: <798375e00707180822u1135e35dx7dad15f5530df228@mail.gmail.com>
Message-ID: <115701c7c953$01b92d50$8c007f0a@epctech.com>

This is how I did it.

../MailScanner.conf:Virus Scanning = %etc-dir%/MailScanner/rules/not.localhost.rules
../MailScanner.conf:Spam Checks = %etc-dir%/MailScanner/rules/not.localhost.rules

The not.localhost.rules looks like this.

From: 127.0.0.1 no
From: 12.160.144.2 no
From: 10.127.0.0/24 no
From: 68.90.69.12 no
FromOrTo: default yes

Any IP's you add to the rules with "no" will not be scanned when a message comes from one of those IP's.

Chuck

_____

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick Tait
Sent: Wednesday, July 18, 2007 10:22 AM
To: MailScanner discussion
Subject: Thanks for previous answers + How to stop "cascading" MailScannersfrom multiple scans?

Hi all,

Thanks to everyone for their very useful and kind replies to my questions the other day regarding whitelisting. All is working very well now -- THANK YOU!

I do have another question however.

I have multiple MailScanner boxes on multiple networks, all "backing each other up" as secondary/tertiary MX servers, etc. Sometimes however, due to the vagaries of routing, up/down circuits etc, it comes to pass that an email's route to its final delivery destination in our network means that the machine must pass through multiple MailScanner boxes. What I am seeing is that MailScanner will scan each email, regardless of whether it has already been scanned or not.

My question is this: How do I have MailScanner scan an email just once? i.e. If any of the MailScanner headers are already present in the email, how do I have the email automatically just passed through?

Thanks so much!

-Rick.

From MailScanner at ecs.soton.ac.uk Wed Jul 18 16:50:56 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 18 16:48:16 2007
Subject: Thanks for previous answers + How to stop "cascading" MailScanners from multiple scans?
In-Reply-To: <798375e00707180822u1135e35dx7dad15f5530df228@mail.gmail.com>
References: <798375e00707180822u1135e35dx7dad15f5530df228@mail.gmail.com>
Message-ID: <469E36E0.2020002@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rick Tait wrote:
> Hi all,
>
> Thanks to everyone for their very useful and kind replies to my
> questions the other day regarding whitelisting. All is working very
> well now -- THANK YOU!
>
> I do have another question however.
>
> I have multiple MailScanner boxes on multiple networks, all "backing
> each other up" as secondary/tertiary MX servers, etc. Sometimes
> however, due to the vagaries of routing, up/down circuits etc, it
> comes to pass that an email's route to its final delivery destination
> in our network means that the machine must pass through multiple
> MailScanner boxes. What I am seeing is that MailScanner will scan each
> email, regardless of whether it has already been scanned or not.
>
> My question is this: How do I have MailScanner scan an email just
> once? i.e. If any of the MailScanner headers are already present in
> the email, how do I have the email automatically just passed through?
>
Every part of an email message can be forged. If MailScanner had a facility whereby the scanning process could be skipped if a certain element (e.g. a header) was present, it would be trivial for the spammers and virus-writers to bypass MailScanner.

So no, you can't do this. And no, you shouldn't try to :-)

The headers are constructed and managed so that multiple MailScanners leave a tidy trail behind them. We can have messages in our system which might be scanned by 4 different MailScanner servers quite easily, if a campus address (2 servers) is .forward-ed to a department address, which takes it through 2 more (MX and delivery servers).
Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFGnjbgEfZZRxQVtlQRAs4aAKCpFzlnYWCTy6pG4OJYjN0sCw9hAACgyzRU
wjLj9EkcDr6urCm6yViaGN4=
=vDaE
-----END PGP SIGNATURE-----

From Alistair.Carmichael at ntltravel.com Wed Jul 18 17:00:27 2007
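The two ways of deciding "has this already been scanned?" that come up in this thread, side by side: Chuck Rock's ruleset keyed on the connecting IP, and the header check Julian advises against. This is an added example, not MailScanner code: the parser handles only the IP/CIDR/default subset of the ruleset syntax and assumes first-match-wins, and the header name, the message and the two deliveries are constructed.

```python
import ipaddress
from email import message_from_string

# Chuck Rock's not.localhost.rules as posted in the thread.
RULES = """\
From: 127.0.0.1 no
From: 12.160.144.2 no
From: 10.127.0.0/24 no
From: 68.90.69.12 no
FromOrTo: default yes
"""


def parse_rules(text):
    """Parse 'From:' / 'FromOrTo:' lines whose pattern is an IP, a CIDR or 'default'."""
    nets, default = [], True
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        direction = fields[0].rstrip(":").lower()
        pattern, value = fields[1], fields[2].lower() == "yes"
        if pattern.lower() == "default":
            default = value
        elif direction in ("from", "fromorto"):
            try:
                nets.append((ipaddress.ip_network(pattern, strict=False), value))
            except ValueError:
                continue  # address or domain patterns are outside this subset
    return nets, default


def scan_by_client_ip(client_ip, nets, default):
    """Scan decision keyed on the connecting address recorded by the receiving MTA."""
    addr = ipaddress.ip_address(client_ip)
    for net, value in nets:  # first matching rule wins (assumption of this sketch)
        if addr in net:
            return value
    return default


def scan_by_header(raw_message, header="X-Example-MailScanner"):
    """Hypothetical 'skip if already scanned' policy keyed on message content."""
    return message_from_string(raw_message)[header] is None


# Constructed message carrying a "clean" header (the header name is made up).
MESSAGE = """\
From: sender@example.org
To: user@example.com
Subject: constructed sample
X-Example-MailScanner: Found to be clean

body
"""

# Constructed deliveries of the same bytes: (connecting IP, raw message).
DELIVERIES = [
    ("10.127.0.7", MESSAGE),   # relayed by a peer gateway inside 10.127.0.0/24
    ("203.0.113.9", MESSAGE),  # outside host; header present, added by no scanner of ours
]


def decisions():
    """Return (ip, scan? per header policy, scan? per IP ruleset) for each delivery."""
    nets, default = parse_rules(RULES)
    return [
        (ip, scan_by_header(raw), scan_by_client_ip(ip, nets, default))
        for ip, raw in DELIVERIES
    ]


if __name__ == "__main__":
    for row in decisions():
        print(row)
```

The header policy skips both deliveries because it cannot tell them apart; the IP ruleset skips only the peer gateway and scans the outside host's copy.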
From: Alistair.Carmichael at ntltravel.com (Alistair Carmichael) Date: Wed Jul 18 17:00:36 2007 Subject: Thanks for previous answers + How to stop "cascading" MailScanners from multiple scans? In-Reply-To: <469E36E0.2020002@ecs.soton.ac.uk> References: <798375e00707180822u1135e35dx7dad15f5530df228@mail.gmail.com> <469E36E0.2020002@ecs.soton.ac.uk> Message-ID: <6EEC6D949794754FB8D83A4D87DF7168BE68B2@gh-redd-exch-01.redditch.ntltravel.local> > Every part of an email message can be forged. If MailScanner had a > facility whereby the scanning process could be skipped if a certain > element (e.g. a header) was present, it would be trivial for the > spammers and virus-writers to bypass MailScanner. > > So no, you can't do this. And no, you shouldn't try to :-) > > The headers are constructed and managed so that multiple MailScanners > leave a tidy trail behind them. We can have messages in our system which > might be scanned by 4 different MailScanner servers quite easily, if a > campus address (2 servers) is .forward-ed to a department address, which > takes it through 2 more (MX and delivery servers). > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 What about if the sendmail MTA that collects and delivers messages after being scanned (normally from /var/spool/mqueue) is configured to listen on an alternative TCP port, then set up nat policies either with iptables or your own firewall on each of the server so traffic destined for port 25 to the other mailscanner servers is translated to your alternative port (this alternative port would also be firewalled to the rest of the internet to avoid any spammers tracking this down. 
Our situation we have multiple mailscanners and often mail will go through lots of scanners especially when being forwarded but haven't ran into any issues with this. Al This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. From ssilva at sgvwater.com Wed Jul 18 19:42:36 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Jul 18 19:40:05 2007 Subject: thnks for your advice In-Reply-To: <1477.62.150.152.49.1184740988.squirrel@webmail.baladia.gov.kw> References: <1477.62.150.152.49.1184740988.squirrel@webmail.baladia.gov.kw> Message-ID: simon spake the following on 7/17/2007 11:43 PM: > > Thank you guys Julian and gleen > i really do apprecite your help and now my MailScanner is working > beautifully.. > > 1) but i would like to know how do i really test my installltion of MS for > through spam dtection n virus scanning. > since this is a test system and i have jus one user created for testing mails > > 2) also how do i know if mailscanner is using clamd for virus scanning > > 3) also i installed the jules package of spamassassin+ clamav > but the clamav package is in logs says > WARNING: Local version: 0.91 Recommended version: 0.91.1 > could i jus download the latest rpm and jus use rpm -Uvh clam*** to > upgrade it > > > appreciate if u cd let me know > > Regards > > simon > > If you installed clam from rpm to get clamd going, just go back to where you downloaded your clam*.rpms and see if they have the new one done yet. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From bbecken at aafp.org Wed Jul 18 19:47:58 2007 
From: bbecken at aafp.org (Brad Beckenhauer) Date: Wed Jul 18 19:48:42 2007 Subject: MailScanner Lint logic In-Reply-To: References: <469CDF29.D87E.0068.3@aafp.org> Message-ID: <469E1A06.D87E.0068.3@aafp.org> >>> Res 7/17/2007 4:48 PM >>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message On Tue, 17 Jul 2007, Brad Beckenhauer wrote: > Julian, > If MailScanner is stopped and MailScanner --lint is run, the lint > outputs the below information. > Would you consider revising the lint logic to cleanup the output? > > # MailScanner --lint > Could not read file /var/run/MailScanner.pid at > /usr/lib/MailScanner/MailScanner/Config.pm line 2376 > Error in line 181, file "/var/run/MailScanner.pid" for pidfile does not > exist (or can not be read) at /usr/lib/MailScanner/MailScanner/Config.pm > line 2556 Brad, what version you running? I don't see this on tarball install... Running 4.60.8 on Centos 4.4, Installed via the rpm. I get the message when: # /etc/init.d/MailScanner stop # /usr/sbin/MailScanner --lint -rwxr-xr-x 1 root root 46171 Jun 1 04:51 /usr/sbin/MailScanner root@valhalla:~# /etc/rc.d/rc.sendmail mailscanner-stop Stopping MailScanner... Done. root@valhalla:~# /opt/MailScanner/bin/MailScanner --lint Read 797 hostnames from the phishing whitelist Checking version numbers... Version number in MailScanner.conf (4.61.7) is correct. Checking for SpamAssassin errors (if you use it)... SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. 
Using locktype = posix Creating hardcoded struct_flock subroutine for linux (Linux-type) MailScanner.conf says "Virus Scanners = f-prot" Found these virus scanners installed: f-prot -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGnTlDsWhAmSIQh7MRAttjAJ4lg3Q0RfzWP1jOkG552oroaSnsMgCeJuUL EsEp5Kamw+ipS1+E7S7xxTU= =JawX -----END PGP SIGNATURE----- -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From uxbod at splatnix.net Wed Jul 18 19:55:40 2007 From: uxbod at splatnix.net (UxBoD) Date: Wed Jul 18 19:54:59 2007 Subject: Thanks for previous answers + How to stop "cascading" MailScanners from multiple scans? In-Reply-To: <6EEC6D949794754FB8D83A4D87DF7168BE68B2@gh-redd-exch-01.redditch.ntltravel.local> Message-ID: <6159669.861184784940862.JavaMail.root@office.splatnix.net> If using the latest release, with watermark, then as long as the SECRET is the same of each node will it not pass through without being scanned? ----- Original Message ----- 
From: "Alistair Carmichael" To: "MailScanner discussion" Sent: Wednesday, July 18, 2007 5:00:27 PM (GMT) Europe/London Subject: RE: Thanks for previous answers + How to stop "cascading" MailScanners from multiple scans? > Every part of an email message can be forged. If MailScanner had a > facility whereby the scanning process could be skipped if a certain > element (e.g. a header) was present, it would be trivial for the > spammers and virus-writers to bypass MailScanner. > > So no, you can't do this. And no, you shouldn't try to :-) > > The headers are constructed and managed so that multiple MailScanners > leave a tidy trail behind them. We can have messages in our system which > might be scanned by 4 different MailScanner servers quite easily, if a > campus address (2 servers) is .forward-ed to a department address, which > takes it through 2 more (MX and delivery servers). > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 What about if the sendmail MTA that collects and delivers messages after being scanned (normally from /var/spool/mqueue) is configured to listen on an alternative TCP port, then set up nat policies either with iptables or your own firewall on each of the server so traffic destined for port 25 to the other mailscanner servers is translated to your alternative port (this alternative port would also be firewalled to the rest of the internet to avoid any spammers tracking this down. Our situation we have multiple mailscanners and often mail will go through lots of scanners especially when being forwarded but haven't ran into any issues with this. 
Al This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mstandish at gmail.com Wed Jul 18 21:17:42 2007 
From: mstandish at gmail.com (Matt Standish)
Date: Wed Jul 18 21:17:46 2007
Subject: clientip and CusomConfig.pm
Message-ID: <39e688060707181317x2a0cfe27h8c52b4f3dae6e9f3@mail.gmail.com>

Hi,

I recently posted a similar message to the mailwatch list and after
further research I think it may be better asked here. I would also like
to add that the MailScanner source is documented beautifully. Thanks for
a great product.

I would like to alter MailWatch.pm in customfunctions to log the IP
address of the original sender of the message or the last sender before
my spamassassin trusted_networks list. Currently it logs clientip which
is the previous hop. This would do if I could list my scanner as the MX
but because of my institution's size this is simply not possible.

For example if I have a message that took this path:

10.10.100.1 badguy.spam.net
192.168.100.1 evil.internet.com
192.168.200.1 untrusted.internet.com
192.168.1.1 trustedrelay.mydomain.com
192.168.15.1 trustedrelay2.mydomain.com
192.168.10.1 mymailscanner.mydomain.com

spamassassin trusted_networks = 192.168.15.1/32 192.168.10.1/32 192.168.1.1/32

192.168.1.1 and 192.168.15.1 would not be logged but 192.168.200.1 would.

I am looking through Message.pm and CustomConfig.pm to try and create
another function to grab this info from the headers. Am I correct in
assuming that I would add the function in CustomConfig.pm to avoid
problems when upgrading? Am I even looking in the right place? Has this
already been done? Any ideas?

Thanks.

--
Matt Standish

From res at ausics.net Thu Jul 19 00:44:49 2007
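The lookup Matt Standish describes above, as an added example that is not part of the original post and is not MailScanner or MailWatch code: plain Perl that walks the Received headers newest-first and returns the first connecting address outside trusted_networks. The header strings are constructed from the path in the post, the function names are hypothetical, and the bracketed `[ip]` form of the Received line is an assumption about what the relays write.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Dotted quad -> 32-bit integer; undef for anything that is not IPv4 text.
sub ip_to_int {
    my ($ip) = @_;
    return undef
        unless defined $ip
        && $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    my @octets = ($1, $2, $3, $4);
    return undef if grep { $_ > 255 } @octets;
    return ($octets[0] << 24) | ($octets[1] << 16) | ($octets[2] << 8) | $octets[3];
}

# True if $ip falls inside $cidr ("a.b.c.d/len"; a bare address means /32).
sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $len) = split m{/}, $cidr, 2;
    $len = 32 unless defined $len;
    return 0 unless $len =~ /^\d+$/ && $len <= 32;
    my $ip_n  = ip_to_int($ip);
    my $net_n = ip_to_int($net);
    return 0 unless defined $ip_n && defined $net_n;
    my $mask = $len == 0 ? 0 : (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF;
    return (($ip_n & $mask) == ($net_n & $mask)) ? 1 : 0;
}

# Connecting address recorded in one Received header, or undef.
# Assumption: the MTA writes it in square brackets, "(name [1.2.3.4])".
sub received_ip {
    my ($header) = @_;
    return $header =~ /^Received:\s*from\b.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]/is
        ? $1
        : undef;
}

# Headers are passed newest-first, as they appear in a message. The walk
# stops at the first hop that is not trusted: every header below that point
# was written by a host outside our control and can be forged, so it is
# never consulted.
sub last_untrusted_sender {
    my ($received, $trusted) = @_;
    for my $header (@$received) {
        my $ip = received_ip($header);
        return undef unless defined $ip;    # unparseable hop: let the caller fall back to clientip
        next if grep { in_cidr($ip, $_) } @$trusted;
        return $ip;
    }
    return undef;                           # every hop was trusted
}

# trusted_networks list from the post.
my @trusted_networks = qw(192.168.15.1/32 192.168.10.1/32 192.168.1.1/32);

# Constructed Received headers for the path in the post, newest first.
my @received = (
    'Received: from trustedrelay2.mydomain.com (trustedrelay2.mydomain.com [192.168.15.1]) by mymailscanner.mydomain.com',
    'Received: from trustedrelay.mydomain.com (trustedrelay.mydomain.com [192.168.1.1]) by trustedrelay2.mydomain.com',
    'Received: from untrusted.internet.com (untrusted.internet.com [192.168.200.1]) by trustedrelay.mydomain.com',
    'Received: from evil.internet.com (evil.internet.com [192.168.100.1]) by untrusted.internet.com',
    'Received: from badguy.spam.net (badguy.spam.net [10.10.100.1]) by evil.internet.com',
);

my $ip = last_untrusted_sender(\@received, \@trusted_networks);
print defined $ip ? "address to log: $ip\n" : "no untrusted hop found\n";
```

The two oldest headers are never read, which is the point: only the address recorded by the first trusted relay is evidence, and anything an untrusted host wrote beneath it is the sender's claim.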
From: res at ausics.net (Res) Date: Thu Jul 19 00:44:59 2007 Subject: MailScanner Lint logic In-Reply-To: <469E1A06.D87E.0068.3@aafp.org> References: <469CDF29.D87E.0068.3@aafp.org> <469E1A06.D87E.0068.3@aafp.org> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message Brad, OK, you might want to try the latest MailScanner and see if it still exists, if it does, Julian runs CentOS so he should be able to help you (amongst others), mine are all Slackware and Solaris, so I will not be able to reproduce the problem to help sorry. On Wed, 18 Jul 2007, Brad Beckenhauer wrote: > > >>>> Res 7/17/2007 4:48 PM >>> > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > NotDashEscaped: You need GnuPG to verify this message > > On Tue, 17 Jul 2007, Brad Beckenhauer wrote: > >> Julian, >> If MailScanner is stopped and MailScanner --lint is run, the lint >> outputs the below information. >> Would you consider revising the lint logic to cleanup the output? >> >> # MailScanner --lint >> Could not read file /var/run/MailScanner.pid at >> /usr/lib/MailScanner/MailScanner/Config.pm line 2376 >> Error in line 181, file "/var/run/MailScanner.pid" for pidfile does > not >> exist (or can not be read) at > /usr/lib/MailScanner/MailScanner/Config.pm >> line 2556 > > > Brad, what version you running? I don't see this on tarball > install... > > Running 4.60.8 on Centos 4.4, Installed via the rpm. > I get the message when: > # /etc/init.d/MailScanner stop > # /usr/sbin/MailScanner --lint > -rwxr-xr-x 1 root root 46171 Jun 1 04:51 /usr/sbin/MailScanner > > > > root@valhalla:~# /etc/rc.d/rc.sendmail mailscanner-stop > Stopping MailScanner... Done. > root@valhalla:~# /opt/MailScanner/bin/MailScanner --lint > Read 797 hostnames from the phishing whitelist > Checking version numbers... > Version number in MailScanner.conf (4.61.7) is correct. > > Checking for SpamAssassin errors (if you use it)... 
> SpamAssassin temporary working directory is > /var/spool/MailScanner/incoming/SpamAssassin-Temp > SpamAssassin temp dir = > /var/spool/MailScanner/incoming/SpamAssassin-Temp > Using SpamAssassin results cache > Connected to SpamAssassin cache database > SpamAssassin reported no errors. > Using locktype = posix > Creating hardcoded struct_flock subroutine for linux (Linux-type) > MailScanner.conf says "Virus Scanners = f-prot" > Found these virus scanners installed: f-prot > > > -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGnqXxsWhAmSIQh7MRAlYNAJwJhoI7b+hwTqbCZoKSyfyEy1BRxACgpYbe e0if4YTWnAR7fpmjazZXkXo= =o2Mq -----END PGP SIGNATURE----- From carl at theholidayclub.com Thu Jul 19 09:53:05 2007 From: carl at theholidayclub.com (Carl Werner) Date: Thu Jul 19 09:53:42 2007 Subject: Spamassin scores. In-Reply-To: <012101c7c8bc$5498dee0$5713cc40@OCEANII> References: <012101c7c8bc$5498dee0$5713cc40@OCEANII> Message-ID: <5F8F8207DD724A149CFF8B05A00FB3F9@thccwerner> Hi, I have entered custom scores for some of the spamassassin rules in spam.assassin.prefs.conf, but the changes do not reflect in the scores that are used by Mailscanner. When I start Mailscanner it does say that it reads that specific spam.assassin.prefs.conf file and SpamAssassin --Lint gives the following: dbg: config: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file Any idea where/how to look for the problem will be appreciated. Thanks Carl From uxbod at splatnix.net Thu Jul 19 10:09:03 2007 
From: uxbod at splatnix.net (UxBoD) Date: Thu Jul 19 10:07:56 2007 Subject: ClamD does not appear to be scanning Message-ID: <1618752.1281184836143932.JavaMail.root@office.splatnix.net> Hi, Upgraded to latest release of ClamAV and it does not appear to be scanning anymore. Nothing odd in the logfile and the socket is okay. [root@bianchi postfix.in]# ls -l /tmp/clamd.socket srwxrwxrwx 1 clamav clamav 0 Jul 19 04:49 /tmp/clamd.socket Any ideas what to check next :( Thanks, -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From uxbod at splatnix.net Thu Jul 19 10:42:28 2007 From: uxbod at splatnix.net (UxBoD) Date: Thu Jul 19 10:41:21 2007 Subject: ClamD does not appear to be scanning [RESOLVED] In-Reply-To: <1618752.1281184836143932.JavaMail.root@office.splatnix.net> Message-ID: <12046572.1311184838148564.JavaMail.root@office.splatnix.net> Permissions had gone whacky for some reason. All okay now :D ----- Original Message ----- From: "UxBoD" To: "MailScanner discussion" Sent: Thursday, July 19, 2007 10:09:03 AM (GMT) Europe/London Subject: ClamD does not appear to be scanning Hi, Upgraded to latest release of ClamAV and it does not appear to be scanning anymore. Nothing odd in the logfile and the socket is okay. [root@bianchi postfix.in]# ls -l /tmp/clamd.socket srwxrwxrwx 1 clamav clamav 0 Jul 19 04:49 /tmp/clamd.socket Any ideas what to check next :( Thanks, -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From uxbod at splatnix.net Thu Jul 19 10:52:36 2007 
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 10:51:31 2007
Subject: UNKNOWN CLAMD RETURN
Message-ID: <24672513.1371184838756007.JavaMail.root@office.splatnix.net>

Has anybody seen this before ? :-

Jul 19 05:50:37 bianchi clamd[6704]: /var/spool/MailScanner/incoming/6884/7D1F27CF0A5.9D407.header: Email.Spam.Gen595.Sanesecurity.07052401 FOUND
Jul 19 05:50:37 bianchi MailScanner[6884]: ERROR:: UNKNOWN CLAMD RETURN ./7D1F27CF0A5.9D407.header/Email.Spam.Gen595.Sanesecurity.07052401 FOUND :: /var/spool/MailScanner/incoming/6884

From uxbod at splatnix.net Thu Jul 19 11:12:51 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 11:12:21 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <24672513.1371184838756007.JavaMail.root@office.splatnix.net>
Message-ID: <20890075.1401184839971690.JavaMail.root@office.splatnix.net>

I have added a couple of extra debug lines to SweepViruses.pm :-

    print "ERROR:: UNKNOWN CLAMD RETURN $results :: $ScanDir\n";
    print "ERROR2:: $rest\n";
    print "ERROR3:: $results\n";

and get the following :-

Jul 19 06:05:08 bianchi MailScanner[11482]: ERROR2::
Jul 19 06:05:08 bianchi MailScanner[11482]: ERROR3:: ./9F1F37CF28F.C25E5.header/Email.Hdr.Sanesecurity.07061900 FOUND

so line 3308 reads :-

    my ($dot,$childname,$filename,$rest) = split('/',$results);

looks like the childname is not getting added into the results string by clamd ?

----- Original Message -----
From: "UxBoD" To: "MailScanner discussion" Sent: Thursday, July 19, 2007 10:52:36 AM (GMT) Europe/London Subject: UNKNOWN CLAMD RETURN Has anybody seen this before ? :- Jul 19 05:50:37 bianchi clamd[6704]: /var/spool/MailScanner/incoming/6884/7D1F27CF0A5.9D407.header: Email.Spam.Gen595.Sanesecurity.07052401 FOUND Jul 19 05:50:37 bianchi MailScanner[6884]: ERROR:: UNKNOWN CLAMD RETURN ./7D1F27CF0A5.9D407.header/Email.Spam.Gen595.Sanesecurity.07052401 FOUND :: /var/spool/MailScanner/incoming/6884 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From uxbod at splatnix.net Thu Jul 19 11:17:53 2007 From: uxbod at splatnix.net (UxBoD) Date: Thu Jul 19 11:17:10 2007 Subject: UNKNOWN CLAMD RETURN In-Reply-To: <20890075.1401184839971690.JavaMail.root@office.splatnix.net> Message-ID: <1780316.1431184840273775.JavaMail.root@office.splatnix.net> Sorry here is what versions running :- MailScanner 4.62.3 (RPM) ClamAV 0.91/3697/Wed Jul 18 20:18:47 2007 (RPM) Cheers, ----- Original Message ----- 
From: "UxBoD" To: "MailScanner discussion" Sent: Thursday, July 19, 2007 11:12:51 AM (GMT) Europe/London Subject: Re: UNKNOWN CLAMD RETURN I have added a couple of extra debug lines to SweepViruses.pm :- print "ERROR:: UNKNOWN CLAMD RETURN $results :: $ScanDir\n"; print "ERROR2:: $rest\n"; print "ERROR3:: $results\n"; and get the following :- Jul 19 06:05:08 bianchi MailScanner[11482]: ERROR2:: Jul 19 06:05:08 bianchi MailScanner[11482]: ERROR3:: ./9F1F37CF28F.C25E5.header/Email.Hdr.Sanesecurity.07061900 FOUND so line 3308 reads :- my ($dot,$childname,$filename,$rest) = split('/',$results); looks like the childname is not getting added into the results string by clamd ? ----- Original Message ----- 
From: "UxBoD" To: "MailScanner discussion" Sent: Thursday, July 19, 2007 10:52:36 AM (GMT) Europe/London Subject: UNKNOWN CLAMD RETURN Has anybody seen this before ? :- Jul 19 05:50:37 bianchi clamd[6704]: /var/spool/MailScanner/incoming/6884/7D1F27CF0A5.9D407.header: Email.Spam.Gen595.Sanesecurity.07052401 FOUND Jul 19 05:50:37 bianchi MailScanner[6884]: ERROR:: UNKNOWN CLAMD RETURN ./7D1F27CF0A5.9D407.header/Email.Spam.Gen595.Sanesecurity.07052401 FOUND :: /var/spool/MailScanner/incoming/6884 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From list-mailscanner at linguaphone.com Thu Jul 19 11:22:34 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Thu Jul 19 11:22:41 2007 Subject: UNKNOWN CLAMD RETURN In-Reply-To: <1780316.1431184840273775.JavaMail.root@office.splatnix.net> References: <1780316.1431184840273775.JavaMail.root@office.splatnix.net> Message-ID: <1184840554.21692.4.camel@gblades-suse.linguaphone-intranet.co.uk> Are you running 0.91 or 0.91.1. The build number matches mine which is 0.91.1 :- # clamscan -V ClamAV 0.91.1/3697/Thu Jul 19 01:18:47 2007 On Thu, 2007-07-19 at 11:17, UxBoD wrote: > Sorry here is what versions running :- > > MailScanner 4.62.3 (RPM) > ClamAV 0.91/3697/Wed Jul 18 20:18:47 2007 (RPM) > > Cheers, > ----- Original Message ----- > From: "UxBoD" > To: "MailScanner discussion" > Sent: Thursday, July 19, 2007 11:12:51 AM (GMT) Europe/London > Subject: Re: UNKNOWN CLAMD RETURN > > I have added a couple of extra debug lines to SweepViruses.pm :- > > print "ERROR:: UNKNOWN CLAMD RETURN $results :: $ScanDir\n"; > print "ERROR2:: $rest\n"; > print "ERROR3:: $results\n"; > > and get the following :- > > Jul 19 06:05:08 bianchi MailScanner[11482]: ERROR2:: > Jul 19 06:05:08 bianchi MailScanner[11482]: ERROR3:: ./9F1F37CF28F.C25E5.header/Email.Hdr.Sanesecurity.07061900 FOUND > > so line 3308 reads :- > > my ($dot,$childname,$filename,$rest) = split('/',$results); > > looks like the childname is not getting added into the results string by clamd ? > > ----- Original Message ----- 
> From: "UxBoD" > To: "MailScanner discussion" > Sent: Thursday, July 19, 2007 10:52:36 AM (GMT) Europe/London > Subject: UNKNOWN CLAMD RETURN > > Has anybody seen this before ? :- > > Jul 19 05:50:37 bianchi clamd[6704]: /var/spool/MailScanner/incoming/6884/7D1F27CF0A5.9D407.header: Email.Spam.Gen595.Sanesecurity.07052401 FOUND > Jul 19 05:50:37 bianchi MailScanner[6884]: ERROR:: UNKNOWN CLAMD RETURN ./7D1F27CF0A5.9D407.header/Email.Spam.Gen595.Sanesecurity.07052401 FOUND :: /var/spool/MailScanner/incoming/6884 > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. From uxbod at splatnix.net Thu Jul 19 11:27:18 2007 From: uxbod at splatnix.net (UxBoD) Date: Thu Jul 19 11:26:16 2007 Subject: UNKNOWN CLAMD RETURN In-Reply-To: <1184840554.21692.4.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <23818465.1491184840838179.JavaMail.root@office.splatnix.net> Hi, I have installed the RPMs from dag.wieers.com :- [root@bianchi ~]# rpm -qa | grep -i clam clamav-db-0.91-1.el5.rf clamd-0.91-1.el5.rf clamav-0.91-1.el5.rf Regards, ----- Original Message ----- 
From: "Gareth" To: "MailScanner discussion" Sent: Thursday, July 19, 2007 11:22:34 AM (GMT) Europe/London Subject: Re: UNKNOWN CLAMD RETURN Are you running 0.91 or 0.91.1. The build number matches mine which is 0.91.1 :- # clamscan -V ClamAV 0.91.1/3697/Thu Jul 19 01:18:47 2007 On Thu, 2007-07-19 at 11:17, UxBoD wrote: > Sorry here is what versions running :- > > MailScanner 4.62.3 (RPM) > ClamAV 0.91/3697/Wed Jul 18 20:18:47 2007 (RPM) > > Cheers, > ----- Original Message ----- > From: "UxBoD" > To: "MailScanner discussion" > Sent: Thursday, July 19, 2007 11:12:51 AM (GMT) Europe/London > Subject: Re: UNKNOWN CLAMD RETURN > > I have added a couple of extra debug lines to SweepViruses.pm :- > > print "ERROR:: UNKNOWN CLAMD RETURN $results :: $ScanDir\n"; > print "ERROR2:: $rest\n"; > print "ERROR3:: $results\n"; > > and get the following :- > > Jul 19 06:05:08 bianchi MailScanner[11482]: ERROR2:: > Jul 19 06:05:08 bianchi MailScanner[11482]: ERROR3:: ./9F1F37CF28F.C25E5.header/Email.Hdr.Sanesecurity.07061900 FOUND > > so line 3308 reads :- > > my ($dot,$childname,$filename,$rest) = split('/',$results); > > looks like the childname is not getting added into the results string by clamd ? > > ----- Original Message ----- 
> From: "UxBoD" > To: "MailScanner discussion" > Sent: Thursday, July 19, 2007 10:52:36 AM (GMT) Europe/London > Subject: UNKNOWN CLAMD RETURN > > Has anybody seen this before ? :- > > Jul 19 05:50:37 bianchi clamd[6704]: /var/spool/MailScanner/incoming/6884/7D1F27CF0A5.9D407.header: Email.Spam.Gen595.Sanesecurity.07052401 FOUND > Jul 19 05:50:37 bianchi MailScanner[6884]: ERROR:: UNKNOWN CLAMD RETURN ./7D1F27CF0A5.9D407.header/Email.Spam.Gen595.Sanesecurity.07052401 FOUND :: /var/spool/MailScanner/incoming/6884 > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From r.berber at computer.org Thu Jul 19 11:37:49 2007 
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Thu Jul 19 11:38:08 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <1184840554.21692.4.camel@gblades-suse.linguaphone-intranet.co.uk>
References: <1780316.1431184840273775.JavaMail.root@office.splatnix.net> <1184840554.21692.4.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID:

Gareth wrote:
> Are you running 0.91 or 0.91.1.
> The build number matches mine which is 0.91.1 :-

That's not a build number, it's the database version.

--
René Berber

From uxbod at splatnix.net Thu Jul 19 11:52:45 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 11:52:02 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To:
Message-ID: <2595048.1581184842365748.JavaMail.root@office.splatnix.net>

[root@bianchi ~]# clamscan -v --debug /tmp
LibClamAV debug: Initializing the engine (0.91)

----- Original Message -----
From: "René Berber"
To: mailscanner@lists.mailscanner.info
Sent: Thursday, July 19, 2007 11:37:49 AM (GMT) Europe/London
Subject: Re: UNKNOWN CLAMD RETURN

Gareth wrote:
> Are you running 0.91 or 0.91.1.
> The build number matches mine which is 0.91.1 :-

That's not a build number, it's the database version.

--
René Berber

From uxbod at splatnix.net Thu Jul 19 12:08:50 2007
From: uxbod at splatnix.net (UxBoD) Date: Thu Jul 19 12:07:56 2007 Subject: UNKNOWN CLAMD RETURN In-Reply-To: <2595048.1581184842365748.JavaMail.root@office.splatnix.net> Message-ID: <11966524.1641184843330635.JavaMail.root@office.splatnix.net> I have just installed the tarball from MailScanner.info to ensure running 0.91.1 and get exactly the same problem when using clamd. ----- Original Message ----- From: "UxBoD" To: "MailScanner discussion" Sent: Thursday, July 19, 2007 11:52:45 AM (GMT) Europe/London Subject: Re: UNKNOWN CLAMD RETURN [root@bianchi ~]# clamscan -v --debug /tmp LibClamAV debug: Initializing the engine (0.91) ----- Original Message ----- From: "Ren? Berber" To: mailscanner@lists.mailscanner.info Sent: Thursday, July 19, 2007 11:37:49 AM (GMT) Europe/London Subject: Re: UNKNOWN CLAMD RETURN Gareth wrote: > Are you running 0.91 or 0.91.1. > The build number matches mine which is 0.91.1 :- That's not a build number, it's the database version. -- Ren? Berber -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From uxbod at splatnix.net Thu Jul 19 12:17:52 2007 
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 12:17:29 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <2595048.1581184842365748.JavaMail.root@office.splatnix.net>
Message-ID: <12371547.1701184843872473.JavaMail.root@office.splatnix.net>

Okay, found what is going off now :) It is when a virus is found in the header :-

Jul 19 07:13:32 bianchi MailScanner[4309]: ERROR1:: ./90FB07CF20C.CB775.header/Email.Hdr.Sanesecurity.07012400 FOUND
Jul 19 07:13:32 bianchi MailScanner[4309]: ERROR1:: ./90FB07CF20C.CB775.header/Email.Hdr.Sanesecurity.07012400 FOUND
Jul 19 07:13:32 bianchi MailScanner[4309]: ERROR1:: ./90FB07CF20C.CB775.header/Email.Hdr.Sanesecurity.07012400 FOUND
Jul 19 07:13:32 bianchi MailScanner[4309]: ERROR1:: ./90FB07CF20C.CB775.header/Email.Hdr.Sanesecurity.07012400 FOUND
Jul 19 07:13:32 bianchi MailScanner[4309]: ERROR1:: ./90FB07CF20C.CB775.header/Email.Hdr.Sanesecurity.07012400 FOUND
Jul 19 07:14:11 bianchi MailScanner[4303]: ERROR1:: ./6C8967CEC4E.D9FD0/pic68.jpg/MSRBL-Images/3-0-_Hw FOUND
Jul 19 07:13:32 bianchi MailScanner[4309]: ERROR1:: ./90FB07CF20C.CB775.header/Email.Hdr.Sanesecurity.07012400 FOUND
Jul 19 07:14:11 bianchi MailScanner[4303]: ERROR1:: ./6C8967CEC4E.D9FD0/pic68.jpg/MSRBL-Images/3-0-_Hw FOUND
Jul 19 07:13:32 bianchi MailScanner[4309]: ERROR1:: ./90FB07CF20C.CB775.header/Email.Hdr.Sanesecurity.07012400 FOUND
Jul 19 07:14:11 bianchi MailScanner[4303]: ERROR1:: ./6C8967CEC4E.D9FD0/pic68.jpg/MSRBL-Images/3-0-_Hw FOUND
Jul 19 07:14:33 bianchi MailScanner[4234]: ERROR1:: ./B818C7CF20C.575C6/msg-4234-4.html/Html.Loan.Gen006.Sanesecurity.06120200 FOUND

as you can see if it's a header the second element does not get set ie. |.

----- Original Message -----
From: "UxBoD"
To: "MailScanner discussion"
Sent: Thursday, July 19, 2007 11:52:45 AM (GMT) Europe/London
Subject: Re: UNKNOWN CLAMD RETURN

[root@bianchi ~]# clamscan -v --debug /tmp
LibClamAV debug: Initializing the engine (0.91)

----- Original Message -----
From: "Ren? Berber" To: mailscanner@lists.mailscanner.info Sent: Thursday, July 19, 2007 11:37:49 AM (GMT) Europe/London Subject: Re: UNKNOWN CLAMD RETURN Gareth wrote: > Are you running 0.91 or 0.91.1. > The build number matches mine which is 0.91.1 :- That's not a build number, it's the database version. -- Ren? Berber -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From carl at theholidayclub.com Thu Jul 19 12:25:25 2007 
From: carl at theholidayclub.com (Carl Werner)
Date: Thu Jul 19 12:26:16 2007
Subject: Spamassin scores.
Message-ID:

Hi,

When I run MS in debug mode, I get the following:

Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1087.
Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1089.
check: no loaded plugin implements 'check_main': cannot scan! at /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 164.
config: unparseable chars in 'if you are running SA 3.0.0 or higher, you already have antidrug and this file': '3.0.0'
Ignore errors about failing to find EOCD signature
format error: can't find EOCD signature
 at /usr/sbin/MailScanner line 820
format error: can't find EOCD signature
 at /usr/sbin/MailScanner line 820
format error: can't find EOCD signature
 at /usr/sbin/MailScanner line 820
format error: can't find EOCD signature
 at /usr/sbin/MailScanner line 820
format error: can't find EOCD signature
 at /usr/sbin/MailScanner line 820

Could any of this be the cause for Mailscanner not using my custom SA scores?

Thanks

Carl

-----Original Message-----
From: Carl Werner [mailto:carl@theholidayclub.com]
Sent: 19 July 2007 10:53 AM
To: 'MailScanner discussion'
Subject: Spamassin scores.

Hi,

I have entered custom scores for some of the spamassassin rules in spam.assassin.prefs.conf, but the changes do not reflect in the scores that are used by Mailscanner. When I start Mailscanner it does say that it reads that specific spam.assassin.prefs.conf file and SpamAssassin --Lint gives the following:

dbg: config: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file

Any idea where/how to look for the problem will be appreciated.

Thanks

Carl

From rcooper at dwford.com Thu Jul 19 12:27:04 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Jul 19 12:27:09 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <1780316.1431184840273775.JavaMail.root@office.splatnix.net>
References: <20890075.1401184839971690.JavaMail.root@office.splatnix.net> <1780316.1431184840273775.JavaMail.root@office.splatnix.net>
Message-ID: <01a301c7c9f7$bbb38d00$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of UxBoD
> Sent: Thursday, July 19, 2007 6:18 AM
> To: MailScanner discussion
> Subject: Re: UNKNOWN CLAMD RETURN
>
> Sorry here is what versions running :-
>
> MailScanner 4.62.3 (RPM)
> ClamAV 0.91/3697/Wed Jul 18 20:18:47 2007 (RPM)
>
> Cheers,
> ----- Original Message -----
> From: "UxBoD"
> To: "MailScanner discussion"
> Sent: Thursday, July 19, 2007 11:12:51 AM (GMT) Europe/London
> Subject: Re: UNKNOWN CLAMD RETURN
>
> I have added a couple of extra debug lines to SweepViruses.pm :-
>
> print "ERROR:: UNKNOWN CLAMD RETURN $results :: $ScanDir\n";
> print "ERROR2:: $rest\n";
> print "ERROR3:: $results\n";
>
> and get the following :-
>
> Jul 19 06:05:08 bianchi MailScanner[11482]: ERROR2::
> Jul 19 06:05:08 bianchi MailScanner[11482]: ERROR3::
> ./9F1F37CF28F.C25E5.header/Email.Hdr.Sanesecurity.07061900 FOUND
>
[...]

That line is really formatted wrong, the filename is missing from the output. Should be something like

    ./1IBU5l-0003RA-Ru/eicar.com/Eicar-Test-Signature FOUND
    ^ ^                ^         ^
    Dot Child          File      rest

Could you scan an eicar test file from the command line with clamdscan and see how the output looks?

Rick

From uxbod at splatnix.net Thu Jul 19 12:35:33 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 12:34:23 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <01a301c7c9f7$bbb38d00$0301a8c0@SAHOMELT>
Message-ID: <24119617.1761184844933000.JavaMail.root@office.splatnix.net>

Rick,

Here is the output :-

[root@bianchi tmp]# clamscan /tmp/eicar.com
/tmp/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 154131
Engine version: 0.91.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 1.491 sec (0 m 1 s)
[root@bianchi tmp]# clamdscan /tmp/eicar.com
/tmp/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.000 sec (0 m 0 s)

But as it is the header then that is probably why it is not giving a filename that has been scanned.

From rcooper at dwford.com Thu Jul 19 12:48:42 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Jul 19 12:48:47 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <12371547.1701184843872473.JavaMail.root@office.splatnix.net>
References: <2595048.1581184842365748.JavaMail.root@office.splatnix.net> <12371547.1701184843872473.JavaMail.root@office.splatnix.net>
Message-ID: <01bc01c7c9fa$c1d112e0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of UxBoD
> Sent: Thursday, July 19, 2007 7:18 AM
> To: MailScanner discussion
> Subject: Re: UNKNOWN CLAMD RETURN
>
> Okay, found what is going off now :) It is when a virus is
> found in the header :-
>
> Jul 19 07:13:32 bianchi MailScanner[4309]: ERROR1::
> ./90FB07CF20C.CB775.header/Email.Hdr.Sanesecurity.07012400 FOUND

Try adding this:

if ($filename =~ /.+?\sFOUND$/ && $rest eq '') {
    $rest = $filename;
    $filename = $childname;
    $childname = '.';
}

Below

my ($dot,$childname,$filename,$rest) = split('/',$results);

I think that should catch this and still be safe but what action will be taken as far as a virus scanner catching a virus that is not in a file, my guess is this sig is actually catching spam and not a virus. If you can still test this message try the above and let me know how the message is treated.

Julian?

Rick

From rcooper at dwford.com Thu Jul 19 12:54:28 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Jul 19 12:54:34 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <24119617.1761184844933000.JavaMail.root@office.splatnix.net>
References: <01a301c7c9f7$bbb38d00$0301a8c0@SAHOMELT> <24119617.1761184844933000.JavaMail.root@office.splatnix.net>
Message-ID: <01bd01c7c9fb$8fcc1780$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of UxBoD
> Sent: Thursday, July 19, 2007 7:36 AM
> To: MailScanner discussion
> Subject: Re: UNKNOWN CLAMD RETURN
>
> Rick,
>
> Here is the output :-
>
> [root@bianchi tmp]# clamscan /tmp/eicar.com
> /tmp/eicar.com: Eicar-Test-Signature FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 154131
> Engine version: 0.91.1
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Time: 1.491 sec (0 m 1 s)
> [root@bianchi tmp]# clamdscan /tmp/eicar.com
> /tmp/eicar.com: Eicar-Test-Signature FOUND
>
> ----------- SCAN SUMMARY -----------
> Infected files: 1
> Time: 0.000 sec (0 m 0 s)
>
> But as it is the header then that is probably why it is not
> giving a filename that has been scanned.
[..]

I am kind of wondering if the file(s) in ./ shouldn't be ignored, I believe (Julian?) the only file in the ./ dir is the header file and the only rules that would trigger on a header file would be the SaneSecurity spam sigs.

Julian, do you agree with skipping anything in the root of the ScanDir and let SA catch it (hopefully), or mark the entire message as bad?

Rick

From uxbod at splatnix.net Thu Jul 19 12:57:10 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 12:56:03 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <24119617.1761184844933000.JavaMail.root@office.splatnix.net>
Message-ID: <158107.1791184846230577.JavaMail.root@office.splatnix.net>

I have tried changing the code in SweepViruses.pm to :-

my $slashes = ($results =~ tr/\//\//);
my ($dot,$childname,$filename,$rest) = split('/',$results);
my ($dot,$filename,$rest) = split('/',$results) if ($slashes < 3);

which now writes out to maillog as the file being INFECTED :-

Jul 19 07:45:54 bianchi MailScanner[7833]: INFECTED:: Email.Hdr.Sanesecurity.07012400 FOUND :: ./BDCDD7CF27A.49D6B.header/BDCDD7CF27A.49D6B.header
Jul 19 07:46:59 bianchi MailScanner[7601]: INFECTED:: Email.Scam4.Gen824.Sanesecurity.07051409 FOUND :: ./AC0FB7CF27A.96473.header/AC0FB7CF27A.96473.header
Jul 19 07:46:59 bianchi MailScanner[7608]: INFECTED:: Email.Spam.Gen595.Sanesecurity.07052401 FOUND :: ./100DE7CEF53.AD8E0.header/100DE7CEF53.AD8E0.header
Jul 19 07:47:17 bianchi MailScanner[7669]: INFECTED:: Email.Hdr.Sanesecurity.07012400 FOUND :: ./7F1647CF285.8D628.header/7F1647CF285.8D628.header
Jul 19 07:47:33 bianchi MailScanner[7760]: INFECTED:: Email.Scam4.Gen824.Sanesecurity.07051409 FOUND :: ./392767CEBF5.89DDE.header/392767CEBF5.89DDE.header
Jul 19 07:48:32 bianchi MailScanner[7781]: INFECTED:: Email.Scam4.Gen824.Sanesecurity.07051409 FOUND :: ./6A4BF7CECA4.1C3E3.header/6A4BF7CECA4.1C3E3.header

but for some reason it does not mark it as a Virus in MailWatch :(

From uxbod at splatnix.net Thu Jul 19 13:11:21 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 13:10:18 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <01bd01c7c9fb$8fcc1780$0301a8c0@SAHOMELT>
Message-ID: <14164257.1821184847081024.JavaMail.root@office.splatnix.net>

Rick,

SA is missing a lot of these whereas SANE is picking them up. I have changed the code to be :-

if ($filename =~ /.+?\sFOUND$/ && $rest eq '') {
    $rest = $filename;
    $filename = $childname;
    $childname = 'header';
}

instead of using a '.' as it may get pattern matched later on.

From rcooper at dwford.com Thu Jul 19 13:18:29 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Jul 19 13:18:34 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <14164257.1821184847081024.JavaMail.root@office.splatnix.net>
References: <01bd01c7c9fb$8fcc1780$0301a8c0@SAHOMELT> <14164257.1821184847081024.JavaMail.root@office.splatnix.net>
Message-ID: <01d401c7c9fe$eaae8310$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of UxBoD
> Sent: Thursday, July 19, 2007 8:11 AM
> To: MailScanner discussion
> Subject: Re: UNKNOWN CLAMD RETURN
>
> Rick,
>
> SA is missing a lot of these whereas SANE is picking them
> up. I have changed the code to be :-
>
> if ($filename =~ /.+?\sFOUND$/ && $rest eq '') {
> $rest = $filename;
> $filename = $childname;
> $childname = 'header';
> }
>
> instead of using a '.' as it may get pattern matched later on.
>

How did that affect the handling of the message? I was hoping either '.' or perhaps setting childname to '' will cause MS to discard the entire message body. I *think* a blank childname causes the "the entire body" message. Of course as far as mailwatch goes it would flag as a virus when in fact it's spam so it could skew your stats a bit.

Try setting childname to blank and see if it does cause MS to discard the entire body.

Rick

From ja at conviator.com Thu Jul 19 13:18:00 2007
From: ja at conviator.com (Jan Agermose)
Date: Thu Jul 19 13:19:10 2007
Subject: PDFInfo module
Message-ID: <6B59FCF2EFD0334A8147A1BB463F111E0299BF3F@mail-17ps.atlarge.net>

Hi

I tried to install the PDFInfo module and it does load and everything, but it does not seem to hit any of the many, many PDF spam mails we are getting. I know it's loaded as I can write rules like

body LOCAL_PDF_MATCH_1 eval:pdf_name_regex('/\.pdf/')
score LOCAL_PDF_MATCH_1 score 0.1

but I'm trying to avoid namebased matching - also it seems I could just as easily do this with a subject match and I think this is better for performance?

But any ideas as to why none of the GMD_ rules seem to match anything? I'm expecting them to since why would anyone write them if they do not :-D what could I have done wrong in installing them. Does the module depend on something I might not have installed on the server?

Best regards
Jan

From uxbod at splatnix.net Thu Jul 19 13:32:55 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 13:31:44 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <01d401c7c9fe$eaae8310$0301a8c0@SAHOMELT>
Message-ID: <9435460.1851184848375883.JavaMail.root@office.splatnix.net>

Rick,

That is the problem as it does not get flagged by MailWatch as a Virus, which I believe just grabs the whole line from MailScanner.

Regards,

From rcooper at dwford.com Thu Jul 19 13:50:47 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Jul 19 13:50:53 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <9435460.1851184848375883.JavaMail.root@office.splatnix.net>
References: <01d401c7c9fe$eaae8310$0301a8c0@SAHOMELT> <9435460.1851184848375883.JavaMail.root@office.splatnix.net>
Message-ID: <023101c7ca03$6dccf610$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of UxBoD
> Sent: Thursday, July 19, 2007 8:33 AM
> To: MailScanner discussion
> Subject: Re: UNKNOWN CLAMD RETURN
>
> Rick,
>
> That is the problem as it does not get flagged by MailWatch
> as a Virus, which I believe just grabs the whole line from
> MailScanner.
>
[...]

I really wish I had that message |->(

Try this:

if ($filename =~ /.+?\sFOUND$/ && $childname =~ /^.+\.header$) {
    $rest = $filename;
    $filename = $childname;
    $childname =~ s/(.+)\.header$/$1/;
}

That should catch only the issue where the FOUND is the header file, and it should place the message ID in the child name and perhaps that will give MailScanner something to flag for the entire message. If that doesn't work change $filename = $childname to $filename = '';

Sorry I can't test this locally.

Rick

From rcooper at dwford.com Thu Jul 19 13:56:10 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Jul 19 13:56:15 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <023101c7ca03$6dccf610$0301a8c0@SAHOMELT>
References: <01d401c7c9fe$eaae8310$0301a8c0@SAHOMELT><9435460.1851184848375883.JavaMail.root@office.splatnix.net> <023101c7ca03$6dccf610$0301a8c0@SAHOMELT>
Message-ID: <023b01c7ca04$2e3650e0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Rick Cooper
> Sent: Thursday, July 19, 2007 8:51 AM
> To: 'MailScanner discussion'
> Subject: RE: UNKNOWN CLAMD RETURN
>
>
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On
> > Behalf Of UxBoD
> > Sent: Thursday, July 19, 2007 8:33 AM
> > To: MailScanner discussion
> > Subject: Re: UNKNOWN CLAMD RETURN
> >
> > Rick,
> >
> > That is the problem as it does not get flagged by MailWatch
> > as a Virus, which I believe just grabs the whole line from
> > MailScanner.
> >
> [...]
>
> I really wish I had that message |->(
>
> Try this:
>
> if ($filename =~ /.+?\sFOUND$/ && $childname =~
> /^.+\.header$) {
> $rest = $filename;
> $filename = $childname;
> $childname =~ s/(.+)\.header$/$1/;
> }
>
[...]

Doh! Of course the first line should be:

if ($filename =~ /.+?\sFOUND$/ && $childname =~ /^.+\.header$/) {

Forgot the last '/' in "$childname =~ /^.+\.header$/" sorry

Rick

From uxbod at splatnix.net Thu Jul 19 14:02:54 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 14:01:40 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <023b01c7ca04$2e3650e0$0301a8c0@SAHOMELT>
Message-ID: <19566872.1881184850174069.JavaMail.root@office.splatnix.net>

Hi Rick,

I changed the code to :-

my ($dot,$childname,$filename,$rest) = split('/',$results);
if ($filename =~ /.+?\sFOUND$/ && $rest eq '') {
    $rest = $filename;
    $childname =~ s/\.header//;
    $filename = "message.header";
}

and it now detects okay, including in MailWatch :D

Rank  Virus                                                  Percentage of detection
1     Html.Loan.Gen006.Sanesecurity.06120200                 43%
2     Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400   37%
3     Email.Stk.Gen596.Sanesecurity.07071900.pdf             11%
4     Html.Img.Gen013.Sanesecurity.06112900                  2%
5     Email.Hdr.Sanesecurity.07061900                        2%
6     Html.Phishing.Bank.Rockv2Gen28.Sanesecurity.07061800   2%
7     Email.Stk.Gen591.Sanesecurity.07071800.pdf             2%
8     Worm.Somefool.AR                                       2%

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070719/a18b7368/attachment.html

From Richard.Frovarp at sendit.nodak.edu Thu Jul 19 14:03:55 2007
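
Added example (not MailScanner's SweepViruses.pm and not code from any poster): a stand-alone sketch of the parsing problem worked out in the messages above. It decides the header case from the ".header" suffix of the first path component instead of from an empty $rest, and it keeps a signature name that itself contains a slash in one piece. The function names and the returned field names are assumptions made for illustration; the sample lines are the ones logged in the thread plus two constructed malformed lines.

```perl
#!/usr/bin/perl
# Added illustration; names below are hypothetical, not MailScanner's.
use strict;
use warnings;

# Split one result line of the two shapes shown in the thread,
#   ./<message>/<file>/<signature> FOUND     hit inside an attachment
#   ./<message>.header/<signature> FOUND     hit on the header file
# into named fields. Returns a hash ref, or nothing for any other shape.
sub parse_found_line {
    my ($line) = @_;
    return unless defined $line;
    $line =~ s/\s+\z//;                         # drop newline, trailing blanks
    return unless $line =~ s/\s+FOUND\z//;      # only "FOUND" result lines
    return unless $line =~ s{\A\./}{};          # must be relative to scan dir

    # First component: the message directory, or "<message>.header".
    my ($child, $tail) = split m{/}, $line, 2;
    return unless defined $child && length $child
               && defined $tail  && length $tail;

    if ($child =~ /\A(.+)\.header\z/) {
        # Header hit: no file component exists, so everything after the
        # first slash is the signature name, slashes included.
        return { where => 'header', message => $1,
                 file  => 'message.header', signature => $tail };
    }

    # Attachment hit: next component is the file, the remainder (which may
    # contain further slashes) is the signature name.
    my ($file, $sig) = split m{/}, $tail, 2;
    return unless defined $sig && length $file && length $sig;
    return { where => 'attachment', message => $child,
             file  => $file, signature => $sig };
}

# The four-variable split quoted in the thread, kept for comparison only.
sub naive_rest {
    my ($line) = @_;
    my ($dot, $childname, $filename, $rest) = split('/', $line);
    return $rest;
}

my @samples = (
    # Lines logged in the thread:
    './90FB07CF20C.CB775.header/Email.Hdr.Sanesecurity.07012400 FOUND',
    './6C8967CEC4E.D9FD0/pic68.jpg/MSRBL-Images/3-0-_Hw FOUND',
    './B818C7CF20C.575C6/msg-4234-4.html/Html.Loan.Gen006.Sanesecurity.06120200 FOUND',
    './1IBU5l-0003RA-Ru/eicar.com/Eicar-Test-Signature FOUND',
    # Constructed malformed lines:
    './lonely FOUND',
    'no leading dot/file/Sig FOUND',
);

for my $line (@samples) {
    my $r    = parse_found_line($line);
    my $rest = naive_rest($line);
    print "$line\n";
    if ($r) {
        print "  parsed: where=$r->{where} message=$r->{message} ",
              "file=$r->{file} signature=$r->{signature}\n";
    } else {
        print "  parsed: rejected, not a recognised result line\n";
    }
    print "  four-variable split: \$rest = ",
          (defined $rest ? "'$rest'" : 'undef'), "\n";
}
```
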
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Thu Jul 19 14:03:58 2007
Subject: Spamassin scores.
In-Reply-To:
References:
Message-ID: <469F613B.8090206@sendit.nodak.edu>

What version of SA are you running? To set custom scores, stick them in /etc/mail/spamassassin/local.cf.

Carl Werner wrote:
> Hi,
>
> When I run MS in debug mode, I get the following:
>
> Use of uninitialized value in concatenation (.) or string at
> /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1087.
> Use of uninitialized value in concatenation (.) or string at
> /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1089.
> check: no loaded plugin implements 'check_main': cannot scan! at
> /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 164.
> config: unparseable chars in 'if you are running SA 3.0.0 or higher, you
> already have antidrug and this file': '3.0.0'
> Ignore errors about failing to find EOCD signature
> format error: can't find EOCD signature
> at /usr/sbin/MailScanner line 820
> format error: can't find EOCD signature
> at /usr/sbin/MailScanner line 820
> format error: can't find EOCD signature
> at /usr/sbin/MailScanner line 820
> format error: can't find EOCD signature
> at /usr/sbin/MailScanner line 820
> format error: can't find EOCD signature
> at /usr/sbin/MailScanner line 820
>
> Could any of this be the cause for Mailscanner not using my custom SA
> scores?
>
> Thanks
>
> Carl
> -----Original Message-----
> From: Carl Werner [mailto:carl@theholidayclub.com]
> Sent: 19 July 2007 10:53 AM
> To: 'MailScanner discussion'
> Subject: Spamassin scores.
>
> Hi,
>
> I have entered custom scores for some of the spamassassin rules in
> spam.assassin.prefs.conf, but the changes do not reflect in the scores that
> are used by Mailscanner. When I start Mailscanner it does say that it reads
> that specific spam.assassin.prefs.conf file and SpamAssassin --Lint gives
> the following:
>
> dbg: config: using "/etc/MailScanner/spam.assassin.prefs.conf" for user
> prefs file
>
> Any idea where/how to look for the problem will be appreciated.
>
> Thanks
>
> Carl
>
>
>

From hofu12 at physik.tu-darmstadt.de Thu Jul 19 14:05:40 2007
From: hofu12 at physik.tu-darmstadt.de (jh)
Date: Thu Jul 19 14:06:09 2007
Subject: PDFInfo module
References: <6B59FCF2EFD0334A8147A1BB463F111E0299BF3F@mail-17ps.atlarge.net>
Message-ID:

Jan Agermose conviator.com> writes:

>
> Hi
> I tried to install the PDFInfo module and it does load and everything,
> but it does not seem to hit any of the many, many PDF spam mails we are
> getting. I know it's loaded as I can write rules like
>
> body LOCAL_PDF_MATCH_1
> eval:pdf_name_regex('/\.pdf/')
> score LOCAL_PDF_MATCH_1 score 0.1
>
> but I'm trying to avoid namebased matching - also it seems I could just
> as easily do this with a subject match and I think this is better for
> performance?
>
> But any ideas as to why none of the GMD_ rules seem to match anything?
> I'm expecting them to since why would anyone write them if they do not :-D
> what could I have done wrong in installing them. Does the module depend
> on something I might not have installed on the server?
>
> Best regards
> Jan

Same here, too the new rules do not run via MS.

spamassassin -t -D mail.eml finds the PDF spam correctly, however running them within MS does not catch those PDFInfo rules.

Strange, I have been putting the .pm into any plugin dir I could grab. Running debug on MS and spamassassin says rules are loaded though.. But no scores are in the logfile output.

j.h.

From rcooper at dwford.com Thu Jul 19 14:11:31 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Jul 19 14:11:41 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <19566872.1881184850174069.JavaMail.root@office.splatnix.net>
References: <023b01c7ca04$2e3650e0$0301a8c0@SAHOMELT> <19566872.1881184850174069.JavaMail.root@office.splatnix.net>
Message-ID: <024201c7ca06$5370e2b0$0301a8c0@SAHOMELT>

_____
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
Sent: Thursday, July 19, 2007 9:03 AM
To: MailScanner discussion
Subject: Re: UNKNOWN CLAMD RETURN

Hi Rick,

I changed the code to :-

    my ($dot,$childname,$filename,$rest) = split('/',$results);
    if ($filename =~ /.+?\sFOUND$/ && $rest eq '') {
        $rest = $filename;
        $childname =~ s/\.header//;
        $filename = "message.header";
    }

and it now detects okay, including in MailWatch :D

[Rick Cooper]
What is in the postmaster and user reports? If the 'message.header' shows up then perhaps it would work as $filename = "SPAM".

Rick

Rank  Virus                                                  Percentage of detection
1     Html.Loan.Gen006.Sanesecurity.06120200                 43%
2     Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400   37%
3     Email.Stk.Gen596.Sanesecurity.07071900.pdf             11%
4     Html.Img.Gen013.Sanesecurity.06112900                  2%
5     Email.Hdr.Sanesecurity.07061900                        2%
6     Html.Phishing.Bank.Rockv2Gen28.Sanesecurity.07061800   2%
7     Email.Stk.Gen591.Sanesecurity.07071800.pdf             2%
8     Worm.Somefool.AR                                       2%

----- Original Message -----
From: "Rick Cooper"
To: "MailScanner discussion"
Sent: Thursday, July 19, 2007 1:56:10 PM (GMT) Europe/London
Subject: RE: UNKNOWN CLAMD RETURN

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Rick Cooper
> Sent: Thursday, July 19, 2007 8:51 AM
> To: 'MailScanner discussion'
> Subject: RE: UNKNOWN CLAMD RETURN
>
>
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On
> > Behalf Of UxBoD
> > Sent: Thursday, July 19, 2007 8:33 AM
> > To: MailScanner discussion
> > Subject: Re: UNKNOWN CLAMD RETURN
> >
> > Rick,
> >
> > That is the problem as it does not get flagged by MailWatch
> > as a Virus, which I believe just grabs the whole line from
> > MailScanner.
> >
> [...]
>
> I really wish I had that message |->(
>
> Try this:
>
> if ($filename =~ /.+?\sFOUND$/ && $childname =~
> /^.+\.header$) {
> $rest = $filename;
> $filename = $childname;
> $childname =~ s/(.+)\.header$/$1/;
> }
>
[...]

Doh! Of course the first line should be:

if ($filename =~ /.+?\sFOUND$/ && $childname =~ /^.+\.header$/) {

Forgot the last '/' in "$childname =~ /^.+\.header$/" sorry

Rick

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!

From uxbod at splatnix.net Thu Jul 19 14:13:59 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 14:12:47 2007
Subject: PDFInfo module
In-Reply-To:
Message-ID: <13928278.1911184850839210.JavaMail.root@office.splatnix.net>

add it to your v310.pre file :-

loadplugin Mail::SpamAssassin::Plugin::PDFInfo /etc/mail/spamassassin/PDFInfo.pm

----- Original Message -----
From: "jh"
To: mailscanner@lists.mailscanner.info
Sent: Thursday, July 19, 2007 2:05:40 PM (GMT) Europe/London
Subject: Re: PDFInfo module

Jan Agermose conviator.com> writes:
>
> Hi
> I tried to install the PDFInfo module and it does load and everything,
> but it does not seem to hit any of the many, many PDF spam mails we are
> getting. I know it's loaded as I can write rules like
>
> body LOCAL_PDF_MATCH_1
> eval:pdf_name_regex('/\.pdf/')
> score LOCAL_PDF_MATCH_1 score 0.1
>
> but I'm trying to avoid name-based matching - also it seems I could just
> as easily do this with a subject match and I think this is better for
> performance?
>
> But any ideas as to why none of the GMD_ rules seem to match anything?
> I'm expecting them to since why would anyone write them if they do not :-D
> what could I have done wrong in installing them. Does the module depend
> on something I might not have installed on the server?
>
> Best regards
> Jan

Same here, too
the new rules do not run via MS. spamassassin -t -D mail.eml
finds the PDF spam correctly, however running them within MS
does not catch those PDFInfo rules.
Strange, I have been putting the .pm into any plugin dir I could grab.
Running debug on MS and spamassassin says rules are loaded though..
But no scores are in the logfile output.
j.h.

From carl at theholidayclub.com Thu Jul 19 14:12:24 2007
From: carl at theholidayclub.com (Carl Werner)
Date: Thu Jul 19 14:13:18 2007
Subject: Spamassin scores.
In-Reply-To: <469F613B.8090206@sendit.nodak.edu>
References: <469F613B.8090206@sendit.nodak.edu>
Message-ID: <1D504C01DCE448EBAACE148F3F49ACA8@thccwerner>

I'm using SpamAssassin version 3.2.1

Will try that thanks

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard Frovarp
Sent: 19 July 2007 03:04 PM
To: MailScanner discussion
Subject: Re: Spamassin scores.

What version of SA are you running? To set custom scores, stick them in /etc/mail/spamassassin/local.cf.

Carl Werner wrote:
> Hi,
>
> When I run MS in debug mode, I get the following:
>
> Use of uninitialized value in concatenation (.) or string at
> /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1087.
> Use of uninitialized value in concatenation (.) or string at
> /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin.pm line 1089.
> check: no loaded plugin implements 'check_main': cannot scan! at
> /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 164.
> config: unparseable chars in 'if you are running SA 3.0.0 or higher, you
> already have antidrug and this file': '3.0.0'
> Ignore errors about failing to find EOCD signature
> format error: can't find EOCD signature
> at /usr/sbin/MailScanner line 820
> format error: can't find EOCD signature
> at /usr/sbin/MailScanner line 820
> format error: can't find EOCD signature
> at /usr/sbin/MailScanner line 820
> format error: can't find EOCD signature
> at /usr/sbin/MailScanner line 820
> format error: can't find EOCD signature
> at /usr/sbin/MailScanner line 820
>
> Could any of this be the cause for Mailscanner not using my custom SA
> scores?
>
> Thanks
>
> Carl
> -----Original Message-----
> From: Carl Werner [mailto:carl@theholidayclub.com]
> Sent: 19 July 2007 10:53 AM
> To: 'MailScanner discussion'
> Subject: Spamassin scores.
>
> Hi,
>
> I have entered custom scores for some of the spamassassin rules in
> spam.assassin.prefs.conf, but the changes do not reflect in the scores that
> are used by Mailscanner. When I start Mailscanner it does say that it reads
> that specific spam.assassin.prefs.conf file and SpamAssassin --Lint gives
> the following:
>
> dbg: config: using "/etc/MailScanner/spam.assassin.prefs.conf" for user
> prefs file
>
> Any idea where/how to look for the problem will be appreciated.
>
> Thanks
>
> Carl
>
>
>

From ja at conviator.com Thu Jul 19 14:29:24 2007
From: ja at conviator.com (Jan Agermose)
Date: Thu Jul 19 14:30:38 2007
Subject: SV: PDFInfo module
In-Reply-To: <13928278.1911184850839210.JavaMail.root@office.splatnix.net>
References: <13928278.1911184850839210.JavaMail.root@office.splatnix.net>
Message-ID: <6B59FCF2EFD0334A8147A1BB463F111E0299BF58@mail-17ps.atlarge.net>

What's the difference in putting it in v310.pre vs init.pre in general and in terms of why would it start matching because of this change?

-----Original message-----
bounces@lists.mailscanner.info] On behalf of UxBoD
Subject: Re: PDFInfo module

add it to your v310.pre file :-

loadplugin Mail::SpamAssassin::Plugin::PDFInfo /etc/mail/spamassassin/PDFInfo.pm

----- Original Message -----

From hofu12 at physik.tu-darmstadt.de Thu Jul 19 14:33:51 2007
From: hofu12 at physik.tu-darmstadt.de (jh) Date: Thu Jul 19 14:34:14 2007 Subject: PDFInfo module References: <13928278.1911184850839210.JavaMail.root@office.splatnix.net> Message-ID: UxBoD splatnix.net> writes: > > add it to your v310.pre file :- > > loadplugin Mail::SpamAssassin::Plugin::PDFInfo > /etc/mail/spamassassin/PDFInfo.pm > > Jan Agermose conviator.com> writes: > > > > > Hi > > I tried to install the PDFInfo module and it does load and everything, > > but it does not seam to hit any of the many, many PDF spam mails we are > > getting. I know its loaded as I can write rules like > > > Same here, too > the new rules do not run via MS. spamassassin -t -D mail.eml > finds the PDF spam correctly, however running them within MS > does not catch those PDFInfo rules. > Strange, I have been putting the .pm into any plugin dir I could grab. > Running debug on MS and spamassassin says rules are loaded though.. > But no scores are in the logfile output. > j.h. > Well, I had it in init.pre as well as in v310.pre and directly in pdfinfo.cf still, no hit in MS, but hits in testing SA. thanks jh PS: MS 4.61.7, SA 3.1.8, SuSE 10.2 From uxbod at splatnix.net Thu Jul 19 14:36:21 2007 From: uxbod at splatnix.net (UxBoD) Date: Thu Jul 19 14:35:09 2007 Subject: UNKNOWN CLAMD RETURN In-Reply-To: <024201c7ca06$5370e2b0$0301a8c0@SAHOMELT> Message-ID: <27114160.1941184852181484.JavaMail.root@office.splatnix.net> Not sure on that Rick as we do not use the reports. In MailWatch it shows as :- Clamd: message.header was infected: Email.Hdr.Sanesecurity.07061900 FOUND so message.header could be changed to the word SPAM. ----- Original Message ----- 
From: "Rick Cooper"
To: "MailScanner discussion"
Sent: Thursday, July 19, 2007 2:11:31 PM (GMT) Europe/London
Subject: RE: UNKNOWN CLAMD RETURN

From mkettler at evi-inc.com Thu Jul 19 14:38:59 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Jul 19 14:39:54 2007
Subject: Spamassin scores.
In-Reply-To:
References:
Message-ID: <469F6973.6050202@evi-inc.com>

Carl Werner wrote:
> /usr/lib/perl5/vendor_perl/5.8.8/Mail/SpamAssassin/PerMsgStatus.pm line 164.
> config: unparseable chars in 'if you are running SA 3.0.0 or higher, you
> already have antidrug and this file': '3.0.0'

Please read your antidrug.cf file, the text at the top will explain why you should stop RDJing the file and delete it from your system.

note: I'm the author of antidrug.cf, and I intentionally put up the file that's causing these errors to draw your attention to it. I've terminated my subscription to comcast, and thus the web account you downloaded it from. Any spammer might sign up for the same username on comcast's service, and publish a replacement file of their own design.

From rcooper at dwford.com Thu Jul 19 14:44:37 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Jul 19 14:44:41 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <27114160.1941184852181484.JavaMail.root@office.splatnix.net>
References: <024201c7ca06$5370e2b0$0301a8c0@SAHOMELT> <27114160.1941184852181484.JavaMail.root@office.splatnix.net>
Message-ID: <025901c7ca0a$f2d111a0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of UxBoD
> Sent: Thursday, July 19, 2007 9:36 AM
> To: MailScanner discussion
> Subject: Re: UNKNOWN CLAMD RETURN
>
> Not sure on that Rick as we do not use the reports. In
> MailWatch it shows as :-
>
> Clamd: message.header was infected:
> Email.Hdr.Sanesecurity.07061900 FOUND
>
> so message.header could be changed to the word SPAM.

Do you know what happens to the message? The reason I ask is I can't remember what MailScanner does to the message when it cannot find $infections->{"$id"}{"$part"} in its list of associated files (or safnames I think). It may pass the message untouched and it may remove the entire body I just cannot remember what the reflex would be in this situation. Perhaps Julian can answer that. MailWatch is just looking for something to match the regex in functions.php (IIRC) but MailScanner may end up delivering the message and I need to make sure that doesn't happen.

Rick

From ms-list at alexb.ch Thu Jul 19 14:51:48 2007
From: ms-list at alexb.ch (Alex Broens) Date: Thu Jul 19 14:51:52 2007 Subject: PDFInfo module In-Reply-To: References: <13928278.1911184850839210.JavaMail.root@office.splatnix.net> Message-ID: <469F6C74.8030809@alexb.ch> On 7/19/2007 3:33 PM, jh wrote: > > UxBoD splatnix.net> writes: > >> add it to your v310.pre file :- >> >> loadplugin Mail::SpamAssassin::Plugin::PDFInfo >> /etc/mail/spamassassin/PDFInfo.pm > >> Jan Agermose conviator.com> writes: >> >>> Hi >>> I tried to install the PDFInfo module and it does load and everything, >>> but it does not seam to hit any of the many, many PDF spam mails we are >>> getting. I know its loaded as I can write rules like >> >> Same here, too >> the new rules do not run via MS. spamassassin -t -D mail.eml >> finds the PDF spam correctly, however running them within MS >> does not catch those PDFInfo rules. >> Strange, I have been putting the .pm into any plugin dir I could grab. >> Running debug on MS and spamassassin says rules are loaded though.. >> But no scores are in the logfile output. >> j.h. >> > > Well, I had it in init.pre as well as in v310.pre > and directly in pdfinfo.cf > still, no hit in MS, but hits in testing SA. what are your Max Spam Check Size Max SpamAssassin Size settings? From uxbod at splatnix.net Thu Jul 19 14:57:50 2007 From: uxbod at splatnix.net (UxBoD) Date: Thu Jul 19 14:56:36 2007 Subject: PDFInfo module In-Reply-To: Message-ID: <3753973.1971184853470753.JavaMail.root@office.splatnix.net> Doh! Sorry. I am testing it myself on a PDF spam and am getting the same. If I run spamassassin directly as the Postfix user it does detect, but not when ran from within MailScanner. Will investigate. ----- Original Message ----- 
From: "jh"
To: mailscanner@lists.mailscanner.info
Sent: Thursday, July 19, 2007 2:33:51 PM (GMT) Europe/London
Subject: Re: PDFInfo module

UxBoD splatnix.net> writes:
>
> add it to your v310.pre file :-
>
> loadplugin Mail::SpamAssassin::Plugin::PDFInfo
> /etc/mail/spamassassin/PDFInfo.pm
>
> Jan Agermose conviator.com> writes:
> > >
> > Hi
> > I tried to install the PDFInfo module and it does load and everything,
> > but it does not seem to hit any of the many, many PDF spam mails we are
> > getting. I know it's loaded as I can write rules like
> >
> Same here, too
> the new rules do not run via MS. spamassassin -t -D mail.eml
> finds the PDF spam correctly, however running them within MS
> does not catch those PDFInfo rules.
> Strange, I have been putting the .pm into any plugin dir I could grab.
> Running debug on MS and spamassassin says rules are loaded though..
> But no scores are in the logfile output.
> j.h.
>

Well, I had it in init.pre as well as in v310.pre
and directly in pdfinfo.cf
still, no hit in MS, but hits in testing SA.

thanks
jh

PS: MS 4.61.7, SA 3.1.8, SuSE 10.2

From uxbod at splatnix.net Thu Jul 19 15:03:21 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 15:02:27 2007
Subject: PDFInfo module
In-Reply-To: <469F6C74.8030809@alexb.ch>
Message-ID: <6138719.2001184853801731.JavaMail.root@office.splatnix.net>

Alex,

Our settings here are 40000000 and 200k so that should be fine.

----- Original Message -----
From: "Alex Broens"
To: "MailScanner discussion"
Sent: Thursday, July 19, 2007 2:51:48 PM (GMT) Europe/London
Subject: Re: PDFInfo module

On 7/19/2007 3:33 PM, jh wrote:
>
> UxBoD splatnix.net> writes:
>
>> add it to your v310.pre file :-
>>
>> loadplugin Mail::SpamAssassin::Plugin::PDFInfo
>> /etc/mail/spamassassin/PDFInfo.pm
>
>> Jan Agermose conviator.com> writes:
>>
>>> Hi
>>> I tried to install the PDFInfo module and it does load and everything,
>>> but it does not seem to hit any of the many, many PDF spam mails we are
>>> getting. I know it's loaded as I can write rules like
>>
>> Same here, too
>> the new rules do not run via MS. spamassassin -t -D mail.eml
>> finds the PDF spam correctly, however running them within MS
>> does not catch those PDFInfo rules.
>> Strange, I have been putting the .pm into any plugin dir I could grab.
>> Running debug on MS and spamassassin says rules are loaded though..
>> But no scores are in the logfile output.
>> j.h.
>>
>
> Well, I had it in init.pre as well as in v310.pre
> and directly in pdfinfo.cf
> still, no hit in MS, but hits in testing SA.

what are your
Max Spam Check Size
Max SpamAssassin Size
settings?

From ja at conviator.com Thu Jul 19 15:03:06 2007
From: ja at conviator.com (Jan Agermose)
Date: Thu Jul 19 15:04:22 2007
Subject: SV: PDFInfo module
In-Reply-To: <469F6C74.8030809@alexb.ch>
References: <13928278.1911184850839210.JavaMail.root@office.splatnix.net> <469F6C74.8030809@alexb.ch>
Message-ID: <6B59FCF2EFD0334A8147A1BB463F111E0299BF6B@mail-17ps.atlarge.net>

Max SpamAssassin Size: 30,000

Not sure about "Max Spam Check Size" - could it be the same as:
"Max Unscanned Bytes Per Scan
Number of bytes scanned per scan cycle"

Then it's 100,000,000

> still, no hit in MS, but hits in testing SA.

what are your
Max Spam Check Size
Max SpamAssassin Size
settings?

From hofu12 at physik.tu-darmstadt.de Thu Jul 19 15:28:43 2007
From: hofu12 at physik.tu-darmstadt.de (jh)
Date: Thu Jul 19 15:28:52 2007
Subject: PDFInfo module -- works for me now!
References: <469F6C74.8030809@alexb.ch> <6138719.2001184853801731.JavaMail.root@office.splatnix.net>
Message-ID:

UxBoD splatnix.net> writes:
>
> Alex,
>
> Our settings here are 40000000 and 200k so that should be fine.
>
> what are your
> Max Spam Check Size
> Max SpamAssassin Size
> settings?
>

Hi Guys
thanks for the pointers!!!
After cranking up max SpamAssassin Size to higher values I now get the GMD* scores in the logs and the PDF's detected as expected. (I had 40k , document was 75k)

Thanks again
bye for 2day.

From ms-list at alexb.ch Thu Jul 19 16:17:56 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Jul 19 16:18:13 2007
Subject: SV: PDFInfo module
In-Reply-To: <6B59FCF2EFD0334A8147A1BB463F111E0299BF6B@mail-17ps.atlarge.net>
References: <13928278.1911184850839210.JavaMail.root@office.splatnix.net> <469F6C74.8030809@alexb.ch> <6B59FCF2EFD0334A8147A1BB463F111E0299BF6B@mail-17ps.atlarge.net>
Message-ID: <469F80A4.9060104@alexb.ch>

On 7/19/2007 4:03 PM, Jan Agermose wrote:
> Max SpamAssassin Size: 30,000

you're truncating the attachments
SA doesn't get the full msg to calculate the fuzzies

Try:
Max Spam Check Size = 250000
Max SpamAssassin Size = 250000

(works for me and 14 boxes)

>
> Not sure about "Max Spam Check Size" - could it be the same as:
> "Max Unscanned Bytes Per Scan
> Number of bytes scanned per scan cycle"
>
> Then its 100,000,000
>
>
>
>> still, no hit in MS, but hits in testing SA.
>
>
>
> what are your
> Max Spam Check Size
> Max SpamAssassin Size
> settings?
>
>

From cleveland at winnefox.org Thu Jul 19 16:50:20 2007
From: cleveland at winnefox.org (Jody Cleveland)
Date: Thu Jul 19 16:50:31 2007
Subject: MCP - how to store high scoring emails?
Message-ID:

Hello,

I recently setup mcp with MailScanner. In MailScanner.conf I have:

MCP Required SpamAssassin Score = 1
MCP High SpamAssassin Score = 7
MCP Error Score = 1

And, then for High Scoring MCP Actions I have store.

Now, in the .cf file I have several things setup, and emails coming in are getting mcp scores. What I'd like is, if the MCP score is => 7, store but don't deliver the message. I thought with what I have in the settings that would be the case. But, no matter the mcp score, the messages are still getting delivered.

Is there a setting I'm missing or have incorrect?

- jody

From ralloway at winbeam.com Thu Jul 19 16:50:50 2007
From: ralloway at winbeam.com (Richard D Alloway) Date: Thu Jul 19 16:51:23 2007 Subject: Reason for whitelisting? Message-ID: >Matt Kettler wrote: >> >Richard D Alloway wrote: >> >> I am receiving some spam that should be getting flagged or deleted, but >> is being marked as "not spam (whitelisted)" by MailScanner. >> >> When I look at the logs for the offending message, I see things like: > > >> Jul 17 15:50:23 smtp-gateway-4 MailScanner[10318]: Message >> l6HJnjqf014254 from xx.xxx.xx.xx (gadaandstelecommbef xxxxxxxxxxxxxx) >is >> whitelisted >> Jul 17 15:50:29 smtp-gateway-4 MailScanner[10318]: Message >> l6HJnjqf014254 from xx.xxx.xx.xx >> (gadaandstelecommbef xxxxxxxxxxxxxxxxxx) to xxxxxxx is not spam >> (whitelisted), SpamAssassin (not cached, score=15.974, required 4, > > > >> >> None of the recipients, IP addresses, domain names, etc are in any of >> our configuration files at all. >> >> How can I track down the exact part of the message that is triggering >> the whitelisting in MailScanner? > >Take a look at the file pointed to by your "Is Definitely Not Spam" setting in >MailScanner.conf. > >By default this would be /etc/MailScanner/rules/spam.whitelist.rules Thanks, Matt, but that is one of the config files that I've already searched through and found nothing matching. -Rich From clacroix at cegep-ste-foy.qc.ca Thu Jul 19 16:58:44 2007 
From: clacroix at cegep-ste-foy.qc.ca (Charles Lacroix)
Date: Thu Jul 19 16:58:47 2007
Subject: MCP - how to store high scoring emails?
In-Reply-To:
References:
Message-ID: <200707191158.44123.clacroix@cegep-ste-foy.qc.ca>

Just add the "delete" in your "MCP Actions"

On Thursday 19 July 2007 11:50, Jody Cleveland wrote:
> Hello,
>
> I recently setup mcp with MailScanner. In MailScanner.conf I have:
>
> MCP Required SpamAssassin Score = 1
> MCP High SpamAssassin Score = 7
> MCP Error Score = 1
>
> And, then for High Scoring MCP Actions I have store.
>
> Now, in the .cf file I have several things setup, and emails coming in are
> getting mcp scores. What I'd like is, if the MCP score is => 7, store but
> don't deliver the message. I thought with what I have in the settings that
> would be the case. But, no matter the mcp score, the messages are still
> getting delivered.
>
> Is there a setting I'm missing or have incorrect?
>
> - jody

--
Charles Lacroix, Administrateur UNIX.
Service des télécommunications et des technologies
Cégep de Sainte-Foy (418) 659-6600 # 4266

From ralloway at winbeam.com Thu Jul 19 16:59:28 2007
From: ralloway at winbeam.com (Richard D Alloway) Date: Thu Jul 19 16:59:47 2007 Subject: Reason for whitelisting? Message-ID: On 7/18/07, am.lists gmail.com> wrote: > >On 7/17/07, Richard D Alloway winbeam.com> wrote: >> >> I am receiving some spam that should be getting flagged or deleted, but is >> being marked as "not spam (whitelisted)" by MailScanner. >> >> When I look at the logs for the offending message, I see things like: >> >> Jul 17 15:49:57 smtp-gateway-4 milter-ahead[2117]: 61096 >> l6HJnjqf014254: cacheGet(b411110, 'robjulie xxxxxxxx', {st=0, cn=1}) >> Jul 17 15:49:57 smtp-gateway-4 milter-ahead[2117]: 61096 >> l6HJnjqf014254: cacheGet(b411110, 'rockwell xxxxxxxx', {st=0, cn=1}) >> Jul 17 15:49:57 smtp-gateway-4 milter-ahead[2117]: 61096 >> l6HJnjqf014254: cacheGet(b411110, 'rome74 xxxxxxx', {st=0, cn=1}) >> Jul 17 15:49:58 smtp-gateway-4 sendmail[14254]: >> l6HJnjqf014254: from= xxxxxxxxxxxxxx>, size=1713, >> class=0, nrcpts=11, msgid=<924405758.55504416941907 xxxxxxxxxxxxx>, >> proto=ESMTP, daemon=MTA, relay=xxxxxxxxxxxxxxxxxx [xx.xxx.xx.xx] (may >> be forged) >> Jul 17 15:50:23 smtp-gateway-4 MailScanner[10318]: Message l6HJnjqf014254 >from >> xx.xxx.xx.xx (gadaandstelecommbef xxxxxxxxxxxxxx) is whitelisted >> Jul 17 15:50:29 smtp-gateway-4 MailScanner[10318]: >> Message l6HJnjqf014254 from xx.xxx.xx.xx >> (gadaandstelecommbef xxxxxxxxxxxxxxxxxx) to xxxxxxx is not >> spam (whitelisted), >> SpamAssassin (not cached, score=15.974, required 4, autolearn=spam, BAYES_99 >> 8.00, HELO_DYNAMIC_DHCP 1.40, HTML_MESSAGE 0.00, RDNS_DYNAMIC 0.10, >>URIBL_BLACK >> 3.00, URIBL_JP_SURBL 1.50, URIBL_OB_SURBL 1.50, URIBL_SC_SURBL 0.47) >> Jul 17 15:50:36 smtp-gateway-4 MailScanner[10318]: >> tag found in message l6HJnjqf014254 from gadaandstelecommbef >>xxxxxxxxxxxxxxxx >> Jul 17 15:50:37 smtp-gateway-4 sendmail[14848]: l6HJnjqf014254: >> to= xxxxxxxx>, xxxxxxxx>, xxxxxxxx>, >>delay=00:00:40, >> xdelay=00:00:00, mailer=smtp, pri=421713, relay=mail.xxxxxxxxx >> 
[xx.xx.xx.xx], dsn=2.0.0, stat=Sent (ok 1184701833 qp 906)
>>
>
>Robert,
>
>Did you by chance download/install a pre-configured kit? Some have
>pre-defined "known-good" senders pre-populated in a sql table
>somewhere.
>
>Also, the SARE rule 70_sare_whitelist.cf contains several known-good's too.
>
>Perhaps if you shared the final MTA's IP here some of us would be
>willing to test for it in our systems as well.
>
>Regds,
>Angelo

Thanks, Angelo.

This is a "from scratch" MailScanner installation (with custom MailScanner rulesets, of course) with Julian's ClamSA, Rules Du Jour and a couple custom spamassassin rules.

I do not have 70_sare_whitelist.cf

The IP for the last MTA (smtp-gateway-4) is 64.84.97.69.

Thanks!

-Rich

From uxbod at splatnix.net Thu Jul 19 17:01:04 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 17:00:05 2007
Subject: Watermarking
Message-ID: <28507864.2091184860864557.JavaMail.root@office.splatnix.net>

Hi,

When watermarking is used in the latest version do the return emails bypass both SPAM and Virus checks ?

If so, would it be possible to make it only bypass SPAM, in case they have replied and added a Virus ;)

Regards,

From mkettler at evi-inc.com Thu Jul 19 17:07:03 2007
From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Jul 19 17:08:07 2007 Subject: MCP - how to store high scoring emails? In-Reply-To: <200707191158.44123.clacroix@cegep-ste-foy.qc.ca> References: <200707191158.44123.clacroix@cegep-ste-foy.qc.ca> Message-ID: <469F8C27.5090704@evi-inc.com> Charles Lacroix wrote: > > Just add the "delete" in your "MCP Actions" Wouldn't that delete all messages matched by MCP, and not store any of them? Jody wants to store (ie: quarantine) them, and only the high scoring ones. > > On Thursday 19 July 2007 11:50, Jody Cleveland wrote: >> Hello, >> >> I recently setup mcp with MailScanner. In MailScanner.conf I have: >> >> MCP Required SpamAssassin Score = 1 >> MCP High SpamAssassin Score = 7 >> MCP Error Score = 1 >> >> And, then for High Scoring MCP Actions I have store. >> >> Now, in the .cf file I have several things setup, and emails coming in are >> getting mcp scores. What I'd like is, if the MCP score is => 7, store but >> don't deliver the message. I thought with what I have in the settings that >> would be the case. But, no matter the mcp score, the messages are still >> getting delivered. >> >> Is there a setting I'm missing or have incorrect? >> >> - jody > From mkettler at evi-inc.com Thu Jul 19 17:09:49 2007 
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Jul 19 17:11:18 2007
Subject: Reason for whitelisting?
In-Reply-To: <25a66d840707171727i4c89120aga3a5ac0cd7e9b11d@mail.gmail.com>
References: <25a66d840707171727i4c89120aga3a5ac0cd7e9b11d@mail.gmail.com>
Message-ID: <469F8CCD.2080705@evi-inc.com>

am.lists wrote:
>> Jul 17 15:50:23 smtp-gateway-4 MailScanner[10318]: Message
>> l6HJnjqf014254 from
>> xx.xxx.xx.xx (gadaandstelecommbef@xxxxxxxxxxxxxx) is whitelisted
>
> Robert,
>
> Did you by chance download/install a pre-configured kit? Some have
> pre-defined "known-good" senders pre-populated in a sql table
> somewhere.
>
> Also, the SARE rule 70_sare_whitelist.cf contains several known-good's
> too.

This is conclusively *NOT* 70_sare_whitelist.cf, or any other spamassassin-level whitelisting. Those would show up as a SpamAssassin rule-hit of USER_IN_WHITELIST.

The "is whitelisted" message means it's whitelisted at the MailScanner level, as a part of the MailScanner.conf "Is Definitely Not Spam" mechanism, or some bug in, or misuse of, that mechanism.

From mkettler at evi-inc.com Thu Jul 19 17:11:28 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Jul 19 17:12:29 2007
Subject: Reason for whitelisting?
In-Reply-To:
References:
Message-ID: <469F8D30.3010502@evi-inc.com>

Richard D Alloway wrote:
>> MailScanner.conf.
>>
>> By default this would be /etc/MailScanner/rules/spam.whitelist.rules
>
> Thanks, Matt, but that is one of the config files that I've already
> searched through and found nothing matching.
>

Interesting. Did you double-check MailScanner.conf to make sure "Is Definitely Not Spam" still points to that file?

From cleveland at winnefox.org Thu Jul 19 17:32:31 2007
From: cleveland at winnefox.org (Jody Cleveland) Date: Thu Jul 19 17:32:42 2007 Subject: MCP - how to store high scoring emails? In-Reply-To: <469F8C27.5090704@evi-inc.com> Message-ID: Hello, On 7/19/07 11:07 AM, "Matt Kettler" wrote: > Charles Lacroix wrote: >> >> Just add the "delete" in your "MCP Actions" > > Wouldn't that delete all messages matched by MCP, and not store any of them? > Jody wants to store (ie: quarantine) them, and only the high scoring ones. > Exactly. I'd like to store the high scoring ones, not delete them. - jody From ralloway at winbeam.com Thu Jul 19 17:24:12 2007 From: ralloway at winbeam.com (Richard D Alloway) Date: Thu Jul 19 17:32:54 2007 Subject: Reason for whitelisting? In-Reply-To: <469F8D30.3010502@evi-inc.com> References: <469F8D30.3010502@evi-inc.com> Message-ID: On Thu, 19 Jul 2007, Matt Kettler wrote: > Richard D Alloway wrote: >>> MailScanner.conf. >>> >>> By default this would be /etc/MailScanner/rules/spam.whitelist.rules >> >> Thanks, Matt, but that is one of the config files that I've already >> searched through and found nothing matching. >> > > Interesting. Did you double-check MailScanner.conf to make sure "Is Definitely > Not Spam" still points to that file? Aha! Yes, it does point to that file, but it helps to remember to use egrep (or 'grep -e') when searching for multiple patterns! "psy@xxxxxxx" was whitelisted, which caused the entire email to be whitelisted. It would be nice, still, if MailScanner reported the item that caused the entire message to be whitelisted. :) Thanks! -Rich From itdept at fractalweb.com Thu Jul 19 18:23:50 2007 
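Richard's closing wish in the message above, that MailScanner name the entry responsible for whitelisting a message, can be approximated offline. The following is an added example, not part of the thread or of MailScanner: it walks a ruleset in the style of spam.whitelist.rules and reports the first rule that matches and the address that triggered it. It covers only a simplified subset of the ruleset syntax, the first-match and any-recipient behaviour is an assumption taken from what the thread describes, and the rules and addresses are constructed.

```python
import re

DIRECTIONS = ("from:", "to:", "fromorto:", "fromandto:")

# Constructed sample, in the style of spam.whitelist.rules.
WHITELIST_RULES = """\
# constructed sample ruleset
From:      192.0.2.             yes
From:      *@partner.example    yes
To:        psy@example.test     yes
FromOrTo:  default              no
"""


def compile_pattern(pattern):
    """Build a matcher for one pattern (simplified subset, assumed syntax)."""
    if pattern.lower() == "default":
        return lambda value: True
    if len(pattern) > 2 and pattern[0] == "/" and pattern[-1] == "/":
        rx = re.compile(pattern[1:-1], re.I)
        return lambda value: rx.search(value) is not None
    if re.fullmatch(r"[0-9.]+", pattern):
        # "192.0.2." is a prefix; "192.0.2.7" has to match exactly.
        if pattern.endswith("."):
            return lambda value: value.startswith(pattern)
        return lambda value: value == pattern
    if "@" not in pattern:
        pattern = "*@" + pattern  # bare domain: any user at that domain
    glob = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    rx = re.compile(glob, re.I)
    return lambda value: rx.fullmatch(value) is not None


def parse_rules(text):
    """Yield (line number, direction, pattern, rule text) for each rule line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].lower() in DIRECTIONS:
            yield lineno, fields[0].lower(), fields[1], " ".join(fields[:3])


def explain(rules_text, sender, client_ip, recipients):
    """Return (line number, rule text, triggering value) of the first match.

    A To: rule is taken to match when ANY recipient matches, which is how a
    single whitelisted recipient whitelists a multi-recipient message.
    """
    for lineno, direction, pattern, rule_text in parse_rules(rules_text):
        test = compile_pattern(pattern)
        from_hit = next((v for v in (sender, client_ip) if test(v)), None)
        to_hit = next((r for r in recipients if test(r)), None)
        if direction == "from:":
            hit = from_hit
        elif direction == "to:":
            hit = to_hit
        elif direction == "fromorto:":
            hit = from_hit or to_hit
        else:  # fromandto: both sides have to match
            hit = from_hit and to_hit
        if hit:
            return lineno, rule_text, hit
    return None


if __name__ == "__main__":
    rcpts = ["robjulie@example.test", "psy@example.test", "rome74@example.test"]
    print(explain(WHITELIST_RULES, "sender@bulk.example", "203.0.113.9", rcpts))
```

Feeding it the sender, relay IP and full recipient list from the sendmail log line for a message ID shows which line of the ruleset to review.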
From: itdept at fractalweb.com (Chris Yuzik)
Date: Thu Jul 19 18:24:26 2007
Subject: Watermarking
In-Reply-To: <28507864.2091184860864557.JavaMail.root@office.splatnix.net>
References: <28507864.2091184860864557.JavaMail.root@office.splatnix.net>
Message-ID: <469F9E26.1000102@fractalweb.com>

UxBoD wrote:
> When watermarking is used in the latest version do the return emails bypass both SPAM and Virus checks?
> If so, would it be possible to make it only bypass SPAM, in case they have replied and added a Virus ;)

My understanding is that no, the replies bypass neither SPAM nor virus checks. Personally, I'd like that option, but it doesn't seem to be one of the features (yet? Julian?).

Chris

From ja at conviator.com Thu Jul 19 18:40:25 2007
From: ja at conviator.com (Jan Agermose)
Date: Thu Jul 19 18:41:27 2007
Subject: SV: SV: PDFInfo module
In-Reply-To: <469F80A4.9060104@alexb.ch>
References: <13928278.1911184850839210.JavaMail.root@office.splatnix.net> <469F6C74.8030809@alexb.ch><6B59FCF2EFD0334A8147A1BB463F111E0299BF6B@mail-17ps.atlarge.net> <469F80A4.9060104@alexb.ch>
Message-ID: <6B59FCF2EFD0334A8147A1BB463F111E0299C017@mail-17ps.atlarge.net>

I was able to change the SA size to 80,000 and this did actually start getting hits on the rules! Perfect - thanks.

Regards
Jan

-----Original message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Alex Broens
Sent: 19 July 2007 17:18
To: MailScanner discussion
Subject: Re: SV: PDFInfo module

On 7/19/2007 4:03 PM, Jan Agermose wrote:
> Max SpamAssassin Size: 30,000

you're truncating the attachments
SA doesn't get the full msg to calculate the fuzzies

Try:

Max Spam Check Size = 250000
Max SpamAssassin Size = 250000

(works for me and 14 boxes)

>
> Not sure about "Max Spam Check Size" - could it be the same as:
> "Max Unscanned Bytes Per Scan
> Number of bytes scanned per scan cycle"
>
> Then it's 100,000,000
>
>
>
>> still, no hit in MS, but hits in testing SA.
>
>
>
> what are your
> Max Spam Check Size
> Max SpamAssassin Size
> settings?
>
>

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From MailScanner at ecs.soton.ac.uk Thu Jul 19 18:42:03 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 19 18:42:51 2007
Subject: Request for comments
Message-ID: <469FA26B.6050905@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am wondering if it would help if I added "Subject" to the list of things you could use in rulesets. Would it be useful?

You would only be able to match against exact strings or regular expressions, and I'm not quite sure how I would parse it in the ruleset files. Exact strings would be in double-quotes, with '"' characters in the string doubled up as a means of escaping them. How I would find the end of a regular expression is another matter. I guess it would be surrounded with '/' characters, and I would look for the first '/' that wasn't preceded by a '\'. I would have to allow the 'i' on the end of a regexp match at least.

Matching against a quoted exact string would be a substring match.

It would be available just about anywhere you can use a ruleset, as I read the subject line near the point where I read the from and to addresses from the envelope.

Multiple "Subject:" lines would be handled by adding them all together with a \n newline between each one.

Your comments please....

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGn6JsEfZZRxQVtlQRAmB+AJwI6uqeuSNgSEFOYfef6Pp5RVQ4ggCgv6PU
hgrcKmoAhBaWV4V+CXyOAmM=
=MvkD
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From sandrews at andrewscompanies.com Thu Jul 19 18:44:41 2007
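[Added example, not part of the "Request for comments" post above and not MailScanner code: a Perl sketch of a parser for the pattern syntax that post proposes (doubled quotes in exact strings, /regexp/ with an optional trailing i, multiple Subject lines joined with a newline). All function names and sample data are hypothetical. It also shows one case where "the first '/' not preceded by a '\'" differs from an escape-aware scan: a regexp that ends in an escaped backslash.]

```perl
#!/usr/bin/perl
# Added illustration of the proposed Subject pattern syntax.
# Function names and sample data are hypothetical, not MailScanner code.
use strict;
use warnings;

# Index of the '/' that closes a /regexp/ field, or undef if there is none.
# A backslash escapes the next character, so '\/' is skipped, while the '/'
# after an escaped backslash ('\\/') still terminates the expression.
sub find_regex_end {
    my ($field) = @_;
    my $i = 1;                               # index 0 is the opening '/'
    while ($i < length $field) {
        my $c = substr($field, $i, 1);
        if ($c eq '\\') { $i += 2; next }    # skip the escaped character
        return $i if $c eq '/';
        $i++;
    }
    return;
}

# The rule as worded in the post: first '/' not preceded by a '\'.
sub naive_regex_end {
    my ($field) = @_;
    return $field =~ m{\A/.*?(?<!\\)/}s ? $+[0] - 1 : undef;
}

# Parse one pattern field into { type => 'string', text => ... } or
# { type => 'regexp', re => ... }; dies on anything malformed.
sub parse_subject_pattern {
    my ($field) = @_;

    # Exact string: "..." where an embedded '"' is written as '""'.
    if ($field =~ /\A"((?:[^"]|"")*)"\z/) {
        (my $text = $1) =~ s/""/"/g;
        return { type => 'string', text => $text };
    }

    # Regular expression: /.../ followed by nothing or by 'i'.
    if ($field =~ m{\A/}) {
        my $end = find_regex_end($field);
        die "unterminated regexp: $field\n" unless defined $end;
        my $body  = substr $field, 1, $end - 1;
        my $flags = substr $field, $end + 1;
        die "unsupported flags '$flags' in $field\n"
            unless $flags =~ /\A i? \z/x;
        # An interpolated pattern refuses (?{ ... }) code blocks unless
        # "use re 'eval'" is in force, so a ruleset line cannot run Perl
        # code this way; syntax errors are caught instead of aborting.
        my $re = eval { $flags ? qr/$body/i : qr/$body/ };
        die "invalid regexp in $field: $@" unless defined $re;
        return { type => 'regexp', re => $re };
    }
    die "expected \"string\" or /regexp/: $field\n";
}

# All Subject: headers are joined with "\n" before matching; a quoted
# string is a substring match. Without (?m), '^' and '$' anchor to the
# joined value, not to each individual Subject line.
sub subject_matches {
    my ($pattern, @subjects) = @_;
    my $joined = join "\n", @subjects;
    return index($joined, $pattern->{text}) >= 0 ? 1 : 0
        if $pattern->{type} eq 'string';
    return $joined =~ $pattern->{re} ? 1 : 0;
}

# Constructed sample rules and Subject headers (not taken from the post).
my @fields = (
    '"Say ""hello"" now"',       # exact string with a doubled quote
    '/^re:\s+invoice\/\d+/i',    # escaped '/' inside the regexp
    '/C:\\\\/',                  # the field /C:\\/ ends in an escaped backslash
);
my @subjects = ('Re: Invoice/2007 overdue', 'Say "hello" now, path C:\\');

for my $field (@fields) {
    my $naive = naive_regex_end($field);
    my $p     = eval { parse_subject_pattern($field) };
    printf "%-28s type=%-6s match=%s naive_end=%s\n", $field,
        $p ? $p->{type} : 'error',
        $p ? subject_matches($p, @subjects) : '-',
        defined $naive ? $naive : 'none';
}
```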
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Thu Jul 19 18:44:44 2007
Subject: Watermarking
In-Reply-To: <469F9E26.1000102@fractalweb.com>
References: <28507864.2091184860864557.JavaMail.root@office.splatnix.net> <469F9E26.1000102@fractalweb.com>
Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0F2F@winchester.andrewscompanies.com>

I guess it should be an option, but I can't see a reason you'd want to bypass virus scan; just because it's a reply doesn't mean it's not stuffed full of virii.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Chris Yuzik
Sent: Thursday, July 19, 2007 1:24 PM
To: MailScanner discussion
Subject: Re: Watermarking

UxBoD wrote:
> When watermarking is used in the latest version do the return emails bypass both SPAM and Virus checks?
> If so, would it be possible to make it only bypass SPAM, in case they
> have replied and added a Virus ;)

My understanding is that no, the replies bypass neither SPAM nor virus checks. Personally, I'd like that option, but it doesn't seem to be one of the features (yet? Julian?).

Chris

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From MailScanner at ecs.soton.ac.uk Thu Jul 19 18:49:57 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 19 18:50:35 2007
Subject: Thanks for previous answers + How to stop "cascading" MailScanners from multiple scans?
In-Reply-To: <6159669.861184784940862.JavaMail.root@office.splatnix.net>
References: <6159669.861184784940862.JavaMail.root@office.splatnix.net>
Message-ID: <469FA445.8090000@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That's not how the new watermarking code works. It only affects messages with no sender address, i.e. delivery errors.

Read the new version of the docs at http://www.mailscanner.info/MailScanner.conf.index.html and you will see what it actually does.

Jules.

UxBoD wrote:
> If using the latest release, with watermark, then as long as the SECRET is the same of each node will it not pass through without being scanned?
> ----- Original Message -----
> From: "Alistair Carmichael"
> To: "MailScanner discussion"
> Sent: Wednesday, July 18, 2007 5:00:27 PM (GMT) Europe/London
> Subject: RE: Thanks for previous answers + How to stop "cascading" MailScanners from multiple scans?
>
>
>> Every part of an email message can be forged. If MailScanner had a
>> facility whereby the scanning process could be skipped if a certain
>> element (e.g. a header) was present, it would be trivial for the
>> spammers and virus-writers to bypass MailScanner.
>>
>> So no, you can't do this. And no, you shouldn't try to :-)
>>
>> The headers are constructed and managed so that multiple MailScanners
>> leave a tidy trail behind them. We can have messages in our system
>>
> which
>
>> might be scanned by 4 different MailScanner servers quite easily, if a
>>
>
>
>> campus address (2 servers) is .forward-ed to a department address,
>>
> which
>
>> takes it through 2 more (MX and delivery servers).
>>
>> Jules
>>
>> - --
>> Julian Field MEng CITP
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> Need help customising MailScanner?
>> Contact me!
>> Need help fixing or optimising your systems?
>> Contact me!
>> Need help getting you started solving new requirements from your boss?
>> Contact me!
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>
> What about if the sendmail MTA that collects and delivers messages after
> being scanned (normally from /var/spool/mqueue) is configured to listen
> on an alternative TCP port, then set up nat policies either with
> iptables or your own firewall on each of the server so traffic destined
> for port 25 to the other mailscanner servers is translated to your
> alternative port (this alternative port would also be firewalled to the
> rest of the internet to avoid any spammers tracking this down.
> Our situation we have multiple mailscanners and often mail will go
> through lots of scanners especially when being forwarded but haven't run
> into any issues with this.
>
> Al
>
> This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: UTF-8

wj8DBQFGn6RGEfZZRxQVtlQRAldLAJ9FABBTOOVBwHnrPbiUXN0k3Kqc2wCfZwJp
RVbV2Crl8kGWMxB+EwSbM7A=
=zx5V
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Thu Jul 19 18:55:39 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 19 18:56:15 2007
Subject: clientip and CusomConfig.pm
In-Reply-To: <39e688060707181317x2a0cfe27h8c52b4f3dae6e9f3@mail.gmail.com>
References: <39e688060707181317x2a0cfe27h8c52b4f3dae6e9f3@mail.gmail.com>
Message-ID: <469FA59B.2010303@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matt Standish wrote:
> Hi,
> I recently posted a similar message to the mailwatch list and after
> further research I think it may be better asked here. I would also
> like to add that the MailScanner source is documented beautifully.
> Thanks for a great product.

Thanks! Glad you like the comments :-)
I try to work by putting in the comments first, to form the code structure, then just drop in the code to do what the docs say it should do. Works most of the time.

>
> I would like to alter MailWatch.pm in customfunctions to log the IP
> address of the original sender of the message or the last sender
> before my spamassassin trusted_networks list. Currently it logs
> clientip which is the previous hop. This would do if I could list my
> scanner as the MX but because of my institutions size this is simply
> not possible.
>
> For example if I have a message that took this path:
>
> 10.10.100.1 badguy.spam.net
> 192.168.100.1 evil.internet.com
> 192.168.200.1 untrusted.internet.com
> 192.168.1.1 trustedrelay.mydomain.com
> 192.168.15.1 trustedrelay2.mydomain.com
> 192.168.10.1 mymailscanner.mydomain.com
>
> spamassassin trusted_networks = 192.168.15.1/32 192.168.10.1/32
> 192.168.1.1/32
>
> 192.168.1.1 and 192.168.15.1 would not be logged but 192.168.200.1 would.
>
> I am looking through Message.pm and CustomConfig.pm to try and create
> another function to grab this info from the headers. Am I correct in
> assuming that I would add the function in CustomConfig.pm to avoid
> problems when upgrading? Am I even looking in the right place? Has
> this already been done?
You would have to parse the Received: headers, which SpamAssassin does, so you could borrow their code. You are right in saying the CustomConfig.pm (or any .pm file in the CustomFunctions directory, which may be easier to maintain) is the right place to put code that won't get over-written by an upgrade.

You could add a CustomFunction to any old configuration setting that simply returns a yes/no value for example, with the side-effect of it working out a new property of the $message object. You could create your own property $message->{untrustedclientip} and then tweak MailWatch to log that property as well as, or instead of, the $message->{clientip} property.

Hope that points you in the right direction.

Jules.

>
>
> Any ideas?
> Thanks.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGn6WcEfZZRxQVtlQRAkfBAKCnonp2GyDwWOQZS5a8gArl5Lvv0QCfYCu4
Vo4yyW6bC9kRstsArLp9W/s=
=XBzz
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From campbell at cnpapers.com Thu Jul 19 18:57:52 2007
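[Added example, not part of the message above and not MailScanner or SpamAssassin code: a Perl sketch of the Received: walk discussed in the "clientip" exchange. It reads the headers from the newest hop down, skips relays inside the trusted networks, and returns the first address outside them. Assumptions: IPv4 only, relay addresses recorded as [a.b.c.d] in the "from" clause, hypothetical function names, and constructed sample headers that reproduce the relay path from the question.]

```perl
#!/usr/bin/perl
# Added illustration: find the first relay outside the trusted networks.
# IPv4 only; function names are hypothetical, not MailScanner or
# SpamAssassin code. A CustomFunction could store the result in the
# $message->{untrustedclientip} property suggested in the reply.
use strict;
use warnings;

# Dotted quad to integer; undef if the text is not a valid IPv4 address.
sub ip_to_int {
    my ($ip) = @_;
    my @o = $ip =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/ or return;
    return if grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# True if integer address $n lies inside "a.b.c.d/bits" (bits default 32).
sub in_cidr {
    my ($n, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr, 2;
    $bits = 32 unless defined $bits && length $bits;
    my $net_n = ip_to_int($net);
    die "bad trusted network '$cidr'\n"
        unless defined $net_n && $bits =~ /\A\d+\z/ && $bits <= 32;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ($n & $mask) == ($net_n & $mask);
}

# Unfold continuation lines and return the Received: headers, newest first.
sub received_headers {
    my ($raw) = @_;
    $raw =~ s/\r?\n[ \t]+/ /g;
    return grep { /\AReceived:/i } split /\r?\n/, $raw;
}

# Walk from the newest header down. Each header was written by the host
# that accepted the connection, so it can be believed only while every
# hop above it was one of our own relays. Stop at the first address that
# is not trusted: everything below that line was supplied by the sender.
# Returns undef (fail closed) if a header in the trusted part of the
# chain has no parseable "from ... [ip]" clause, or if all hops are trusted.
sub untrusted_client_ip {
    my ($raw_headers, @trusted) = @_;
    for my $h (received_headers($raw_headers)) {
        my ($from) = $h =~ /\AReceived:\s*from\s+(.*?)(?:\s+by\s|\z)/is
            or return;
        my ($ip) = $from =~ /\[(\d{1,3}(?:\.\d{1,3}){3})\]/ or return;
        my $n = ip_to_int($ip);
        return unless defined $n;
        return $ip unless grep { in_cidr($n, $_) } @trusted;
    }
    return;
}

# Trusted list and relay path as given in the question; the header text
# itself (format, ids) is constructed for this example.
my @trusted = qw(192.168.15.1/32 192.168.10.1/32 192.168.1.1/32);
my $headers = <<'EOT';
Received: from trustedrelay2.mydomain.com (trustedrelay2.mydomain.com [192.168.15.1])
    by mymailscanner.mydomain.com with ESMTP id CONSTRUCTED1
Received: from trustedrelay.mydomain.com (trustedrelay.mydomain.com [192.168.1.1])
    by trustedrelay2.mydomain.com with ESMTP id CONSTRUCTED2
Received: from untrusted.internet.com (untrusted.internet.com [192.168.200.1])
    by trustedrelay.mydomain.com with ESMTP id CONSTRUCTED3
Received: from evil.internet.com (evil.internet.com [192.168.100.1])
    by untrusted.internet.com with ESMTP id CONSTRUCTED4
Received: from badguy.spam.net (badguy.spam.net [10.10.100.1])
    by evil.internet.com with ESMTP id CONSTRUCTED5
Subject: constructed sample
EOT

my $ip = untrusted_client_ip($headers, @trusted);
print defined $ip
    ? "first untrusted relay: $ip\n"
    : "no untrusted relay could be determined\n";
```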
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Jul 19 18:57:57 2007
Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k"
In-Reply-To: <469D4099.5040708@alexb.ch>
References: <012101c7c8bc$5498dee0$5713cc40@OCEANII> <469D4099.5040708@alexb.ch>
Message-ID: <469FA620.5030208@cnpapers.com>

Alex Broens wrote:
> On 7/17/2007 11:49 PM, Michael R. Dilworth wrote:
>> Just to save some time for some of you, the 40k number
>> can is on the small side for some of the PDF spams I've been receiving.
>
> FWI: I'm using:
>
> Max Spam Check Size = 250000
> Max SpamAssassin Size = 2500000
>
> which, AFAIK are the default SA values.
>
> Alex
> --
> *Spammer hell has no DSL*
>
>
>

Maybe it's because I'm not up-to-date on my MS, but I don't have a Max Spam Check Size parameter in my configuration file.

The only "Size" parms I have are as follows:

Maximum Message Size = 0
Maximum Attachment Size = -1
Minimum Attachment Size = -1
ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
Max SpamAssassin Size = 2500000
Max Custom Spam Scanner Size = 250000
MCP Max SpamAssassin Size = 100000

Can anyone explain what I should be doing to use the plugin. I get no errors with my lint, and I'm not even sure it's not working. I have not seen any GMD rules triggered in my logs.

Just asking for information for all us turtles out here that are slow to upgrade.

Thanks

Steve Campbell

From MailScanner at ecs.soton.ac.uk Thu Jul 19 18:57:51 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 19 18:58:33 2007
Subject: MailScanner Lint logic
In-Reply-To:
References: <469CDF29.D87E.0068.3@aafp.org> <469E1A06.D87E.0068.3@aafp.org>
Message-ID: <469FA61F.6010409@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I can easily run CentOS 4 and 5, RedHat 4 and 5, and Solaris 9 and 10. I've got a new iMac with a monster disk in it so there's plenty of room for virtual machines :-)

Anyone know any way of expanding the size of a virtual hard disk in Parallels on a Mac? My 40Gb VM is filling up, and I really don't want the hassle of reinstalling all the software on it! :-(

Res wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> NotDashEscaped: You need GnuPG to verify this message
>
> Brad, OK, you might want to try the latest MailScanner and see if it
> still exists, if it does, Julian runs CentOS so he should be able to
> help you (amongst others), mine are all Slackware and Solaris, so I
> will not be able to reproduce the problem to help sorry.
>
>
> On Wed, 18 Jul 2007, Brad Beckenhauer wrote:
>
>>
>>
>>>>> Res 7/17/2007 4:48 PM >>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> NotDashEscaped: You need GnuPG to verify this message
>>
>> On Tue, 17 Jul 2007, Brad Beckenhauer wrote:
>>
>>> Julian,
>>> If MailScanner is stopped and MailScanner --lint is run, the lint
>>> outputs the below information.
>>> Would you consider revising the lint logic to cleanup the output?
>>>
>>> # MailScanner --lint
>>> Could not read file /var/run/MailScanner.pid at
>>> /usr/lib/MailScanner/MailScanner/Config.pm line 2376
>>> Error in line 181, file "/var/run/MailScanner.pid" for pidfile does
>> not
>>> exist (or can not be read) at
>> /usr/lib/MailScanner/MailScanner/Config.pm
>>> line 2556
>>
>>
>> Brad, what version you running? I don't see this on tarball
>> install...
>>
>> Running 4.60.8 on Centos 4.4, Installed via the rpm.
>> I get the message when:
>> # /etc/init.d/MailScanner stop
>> # /usr/sbin/MailScanner --lint
>> -rwxr-xr-x 1 root root 46171 Jun 1 04:51 /usr/sbin/MailScanner
>>
>>
>>
>> root@valhalla:~# /etc/rc.d/rc.sendmail mailscanner-stop
>> Stopping MailScanner... Done.
>> root@valhalla:~# /opt/MailScanner/bin/MailScanner --lint
>> Read 797 hostnames from the phishing whitelist
>> Checking version numbers...
>> Version number in MailScanner.conf (4.61.7) is correct.
>>
>> Checking for SpamAssassin errors (if you use it)...
>> SpamAssassin temporary working directory is
>> /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> SpamAssassin temp dir =
>> /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> Using SpamAssassin results cache
>> Connected to SpamAssassin cache database
>> SpamAssassin reported no errors.
>> Using locktype = posix
>> Creating hardcoded struct_flock subroutine for linux (Linux-type)
>> MailScanner.conf says "Virus Scanners = f-prot"
>> Found these virus scanners installed: f-prot
>>
>>
>>
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGn6YiEfZZRxQVtlQRAuVAAJ97O1n7e1m04ZTJVU2BIcz9JMfYwACfRZU0
KgvYt00WlB/saelsiCPlUl4=
=oApD
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Thu Jul 19 19:03:36 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 19 19:05:09 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <01bd01c7c9fb$8fcc1780$0301a8c0@SAHOMELT>
References: <01a301c7c9f7$bbb38d00$0301a8c0@SAHOMELT> <24119617.1761184844933000.JavaMail.root@office.splatnix.net> <01bd01c7c9fb$8fcc1780$0301a8c0@SAHOMELT>
Message-ID: <469FA778.7020707@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rick Cooper wrote:
>
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On
> > Behalf Of UxBoD
> > Sent: Thursday, July 19, 2007 7:36 AM
> > To: MailScanner discussion
> > Subject: Re: UNKNOWN CLAMD RETURN
> >
> > Rick,
> >
> > Here is the output :-
> >
> > [root@bianchi tmp]# clamscan /tmp/eicar.com
> > /tmp/eicar.com: Eicar-Test-Signature FOUND
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 154131
> > Engine version: 0.91.1
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 1
> > Data scanned: 0.00 MB
> > Time: 1.491 sec (0 m 1 s)
> > [root@bianchi tmp]# clamdscan /tmp/eicar.com
> > /tmp/eicar.com: Eicar-Test-Signature FOUND
> >
> > ----------- SCAN SUMMARY -----------
> > Infected files: 1
> > Time: 0.000 sec (0 m 0 s)
> >
> > But as it is the header then that is probably why it is not
> > giving a filename that has been scanned.
> >
> [..]
>
> I am kind of wondering if the file(s) in ./ shouldn't be ignored, I believe
> (Julian?) the only file in the ./ dir is the header file and the only rules
> that would trigger on a header file would be the SaneSecurity spam sigs.
>
> Julian, do you agree with skipping anything in the root of the ScanDir and
> let SA catch it (hopefully), or mark the entire message as bad?
>

It should mark the entire message as bad in my view.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGn6d5EfZZRxQVtlQRAkdNAKD75LUxupg8jTgI+eV/iOQpB6RA8ACgkXy2
LzItPwnH1QaszlsmOf1Knew=
=BDPE
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Thu Jul 19 19:06:05 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 19 19:06:42 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <01d401c7c9fe$eaae8310$0301a8c0@SAHOMELT>
References: <01bd01c7c9fb$8fcc1780$0301a8c0@SAHOMELT> <14164257.1821184847081024.JavaMail.root@office.splatnix.net> <01d401c7c9fe$eaae8310$0301a8c0@SAHOMELT>
Message-ID: <469FA80D.7050503@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rick Cooper wrote:
>
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On
> > Behalf Of UxBoD
> > Sent: Thursday, July 19, 2007 8:11 AM
> > To: MailScanner discussion
> > Subject: Re: UNKNOWN CLAMD RETURN
> >
> > Rick,
> >
> > SA is missing a lot of these whereas SANE is picking them
> > up. I have changed the code to be :-
> >
> > if ($filename =~ /.+?\sFOUND$/ && $rest eq '') {
> >     $rest = $filename;
> >     $filename = $childname;
> >     $childname = 'header';
> > }
> >
> > instead of using a '.' as it may get pattern matched later on.
> >
>
> How did that affect the handling of the message? I was hoping either '.' or
> perhaps setting childname to '' will cause MS to discard the entire message
> body. I *think* a blank childname causes the "the entire body" message. Of
> course as far as mailwatch goes it would flag as a virus when in fact it's
> spam so it could skew your stats a bit. Try setting childname to blank and
> see if it does cause MS to discard the entire body.
>

Generating a virus report on "" will cause the entire message to be treated as infected.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGn6gOEfZZRxQVtlQRAgppAJ4xhh5/GeWuTZ8imMjWMP+RDI5MKwCfS4eH
GDX5ZDEXMPaKkqw5hM+4N/c=
=pm9d
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Thu Jul 19 19:08:42 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 19 19:09:20 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <023b01c7ca04$2e3650e0$0301a8c0@SAHOMELT>
References: <01d401c7c9fe$eaae8310$0301a8c0@SAHOMELT><9435460.1851184848375883.JavaMail.root@office.splatnix.net> <023101c7ca03$6dccf610$0301a8c0@SAHOMELT> <023b01c7ca04$2e3650e0$0301a8c0@SAHOMELT>
Message-ID: <469FA8AA.6000307@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rick Cooper wrote:
>
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On
> > Behalf Of Rick Cooper
> > Sent: Thursday, July 19, 2007 8:51 AM
> > To: 'MailScanner discussion'
> > Subject: RE: UNKNOWN CLAMD RETURN
> >
> >
> >
> > > -----Original Message-----
> > > From: mailscanner-bounces@lists.mailscanner.info
> > > [mailto:mailscanner-bounces@lists.mailscanner.info] On
> > > Behalf Of UxBoD
> > > Sent: Thursday, July 19, 2007 8:33 AM
> > > To: MailScanner discussion
> > > Subject: Re: UNKNOWN CLAMD RETURN
> > >
> > > Rick,
> > >
> > > That is the problem as it does not get flagged by MailWatch
> > > as a Virus, which I believe just grabs the whole line from
> > > MailScanner.
> > >
> > [...]
> >
> > I really wish I had that message |->(
> >
> > Try this:
> >
> > if ($filename =~ /.+?\sFOUND$/ && $childname =~
> > /^.+\.header$) {
> >     $rest = $filename;
> >     $filename = $childname;
> >     $childname =~ s/(.+)\.header$/$1/;
> > }
> >
> > [...]
>
> Doh! Of course the first line should be:
>
> if ($filename =~ /.+?\sFOUND$/ && $childname =~ /^.+\.header$/) {
>

Surely that's the same as

if ($filename =~ /\sFOUND$/ && $childname =~ /\.header$/) {

You are already anchoring to the end of the string with $ so any initial regexp elements that match 'any character' are redundant and just slow it down.

> Forgot the last '/' in "$childname =~ /^.+\.header$/" sorry
>
> Rick
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGn6iqEfZZRxQVtlQRAjm8AJ9ROcpxdbd2+8wXUxLzTNx2PTrfKACcCSRb
ENr70MyO5l0PQACknxvQ+5Q=
=BKeI
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From ssilva at sgvwater.com Thu Jul 19 19:07:58 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Jul 19 19:10:17 2007
Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k"
In-Reply-To: <469FA620.5030208@cnpapers.com>
References: <012101c7c8bc$5498dee0$5713cc40@OCEANII> <469D4099.5040708@alexb.ch> <469FA620.5030208@cnpapers.com>
Message-ID:

Steve Campbell spake the following on 7/19/2007 10:57 AM:
>
>
> Alex Broens wrote:
>> On 7/17/2007 11:49 PM, Michael R. Dilworth wrote:
>>> Just to save some time for some of you, the 40k number
>>> can is on the small side for some of the PDF spams I've been receiving.
>>
>> FWI: I'm using:
>>
>> Max Spam Check Size = 250000
>> Max SpamAssassin Size = 2500000
>>
>> which, AFAIK are the default SA values.
>>
>> Alex
>> --
>> *Spammer hell has no DSL*
>>
>>
>>
> Maybe it's because I'm not up-to-date on my MS, but I don't have a Max
> Spam Check Size parameter in my configuration file.
>
> The only "Size" parms I have are as follows:
>
> Maximum Message Size = 0
> Maximum Attachment Size = -1
> Minimum Attachment Size = -1
> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
> Max SpamAssassin Size = 2500000

This setting will make mailscanner not send the message to spamassassin if it is over this size. Are the pdf spams bigger than that?

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From MailScanner at ecs.soton.ac.uk Thu Jul 19 19:12:26 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 19 19:13:01 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <025901c7ca0a$f2d111a0$0301a8c0@SAHOMELT>
References: <024201c7ca06$5370e2b0$0301a8c0@SAHOMELT> <27114160.1941184852181484.JavaMail.root@office.splatnix.net> <025901c7ca0a$f2d111a0$0301a8c0@SAHOMELT>
Message-ID: <469FA98A.1060308@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rick Cooper wrote:
>
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On
> > Behalf Of UxBoD
> > Sent: Thursday, July 19, 2007 9:36 AM
> > To: MailScanner discussion
> > Subject: Re: UNKNOWN CLAMD RETURN
> >
> > Not sure on that Rick as we do not use the reports. In
> > MailWatch it shows as :-
> >
> > Clamd: message.header was infected:
> > Email.Hdr.Sanesecurity.07061900 FOUND
> >
> > so message.header could be changed to the word SPAM.
> >
> Do you know what happens to the message? The reason I ask is I can't
> remember what MailScanner does to the message when it cannot find
> $infections->{"$id"}{"$part"} in its list of associated files (or safnames
> I think).

To add a report for the entire message, set $part to "". So if you add a virus report for the whole message, then the whole message will be treated as infected. Whether adding this will require a slight change to MailWatch, I don't know. But that's the right way to do it. Very dangerous to add a report for an attachment filename that doesn't exist!

> It may pass the message untouched and it may remove the entire
> body I just cannot remember what the reflex would be in this situation.
> Perhaps Julian can answer that. MailWatch is just looking for something to
> match the regex in functions.php (IIRC) but MailScanner may end up
> delivering the message and I need to make sure that doesn't happen.
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGn6mLEfZZRxQVtlQRAhnpAJ9xtZT09+61Qcj1nuTUY3Vs0k9XIQCbBGpc
blwTAMR0LVFvPtyU97LlbsQ=
=hKZa
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From ms-list at alexb.ch Thu Jul 19 19:34:54 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Jul 19 19:35:08 2007
Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k"
In-Reply-To: <469FA620.5030208@cnpapers.com>
References: <012101c7c8bc$5498dee0$5713cc40@OCEANII> <469D4099.5040708@alexb.ch> <469FA620.5030208@cnpapers.com>
Message-ID: <469FAECE.2040107@alexb.ch>

On 7/19/2007 7:57 PM, Steve Campbell wrote:
>
>
> Alex Broens wrote:
>> On 7/17/2007 11:49 PM, Michael R. Dilworth wrote:
>>> Just to save some time for some of you, the 40k number
>>> can is on the small side for some of the PDF spams I've been receiving.
>>
>> FWI: I'm using:
>>
>> Max Spam Check Size = 250000
>> Max SpamAssassin Size = 2500000
>>
>> which, AFAIK are the default SA values.
>>
>> Alex
>> --
>> *Spammer hell has no DSL*
>>
>>
>>
> Maybe it's because I'm not up-to-date on my MS, but I don't have a Max
> Spam Check Size parameter in my configuration file.
>
> The only "Size" parms I have are as follows:
>
> Maximum Message Size = 0
> Maximum Attachment Size = -1
> Minimum Attachment Size = -1
> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
> Max SpamAssassin Size = 2500000
> Max Custom Spam Scanner Size = 250000
> MCP Max SpamAssassin Size = 100000
>
> Can anyone explain what I should be doing to use the plugin. I get no
> errors with my lint, and I'm not even sure it's not working. I have not
> seen any GMD rules triggered in my logs.
>
> Just asking for information for all us turtles out here that are slow to
> upgrade.

run a:

spamassassin --lint -D

do you see the plugin loading?

From ms-list at alexb.ch Thu Jul 19 19:40:26 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Jul 19 19:40:35 2007
Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k"
In-Reply-To:
References: <012101c7c8bc$5498dee0$5713cc40@OCEANII> <469D4099.5040708@alexb.ch> <469FA620.5030208@cnpapers.com>
Message-ID: <469FB01A.1090501@alexb.ch>

On 7/19/2007 8:07 PM, Scott Silva wrote:
> Steve Campbell spake the following on 7/19/2007 10:57 AM:
>>
>> Alex Broens wrote:
>>> On 7/17/2007 11:49 PM, Michael R. Dilworth wrote:
>>>> Just to save some time for some of you, the 40k number
>>>> can is on the small side for some of the PDF spams I've been receiving.
>>> FWI: I'm using:
>>>
>>> Max Spam Check Size = 250000
>>> Max SpamAssassin Size = 2500000
>>>
>>> which, AFAIK are the default SA values.
>>>
>>> Alex
>>> --
>>> *Spammer hell has no DSL*
>>>
>>>
>>>
>> Maybe it's because I'm not up-to-date on my MS, but I don't have a Max
>> Spam Check Size parameter in my configuration file.
>>
>> The only "Size" parms I have are as follows:
>>
>> Maximum Message Size = 0
>> Maximum Attachment Size = -1
>> Minimum Attachment Size = -1
>> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
>> Max SpamAssassin Size = 2500000
>
> This setting will make mailscanner not send the message to spamassassin if it
> is over this size. Are the pdf spams bigger than that?

nope... not yet, but others may be.

250000 keeps you in Sync with the way SA is set up by default.
It will also help fully make use of the Imageinfo and other SA plugins.
The Bayes plugin doesn't really enjoy getting truncated msgs either.

While Jules' idea of saving resources by only sending chunks or part of
the msg thru SA is good, I have never made friends with the concept.
(to me it's like only allowing the doctor to check the top third of your
body, but the pain is in your foot.)

Alex

From uxbod at splatnix.net Thu Jul 19 19:44:19 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 19:42:57 2007
Subject: Watermarking
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0F2F@winchester.andrewscompanies.com>
Message-ID: <4390784.2181184870659844.JavaMail.root@office.splatnix.net>

IMHO it should bypass SPAM but not Virii checks.

----- Original Message -----
From: "Steven Andrews"
To: "MailScanner discussion"
Sent: Thursday, July 19, 2007 6:44:41 PM (GMT) Europe/London
Subject: RE: Watermarking

I guess it should be an option, but I can't see a reason you'd want to
bypass virus scan; just because it's a reply doesn't mean it's not
stuffed full of virii.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Chris Yuzik
Sent: Thursday, July 19, 2007 1:24 PM
To: MailScanner discussion
Subject: Re: Watermarking

UxBoD wrote:
> When watermarking is used in the latest version do the return emails bypass both SPAM and Virus checks ?
> If so, would it be possible to make it only bypass SPAM, in case they
> have replied and added a Virus ;)

My understanding is that no, the replies bypass neither SPAM nor virus
checks. Personally, I'd like that option, but it doesn't seem to be one
of the features (yet? Julian?).

Chris

From uxbod at splatnix.net Thu Jul 19 19:46:33 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 19:45:10 2007
Subject: Request for comments
In-Reply-To: <469FA26B.6050905@ecs.soton.ac.uk>
Message-ID: <6170060.2211184870793223.JavaMail.root@office.splatnix.net>

Personally I do not see the apparent benefit Jules.

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Thursday, July 19, 2007 6:42:03 PM (GMT) Europe/London
Subject: Request for comments

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am wondering if it would help if I added "Subject" to the list of
things you could use in rulesets.

Would it be useful?

You would only be able to match against exact strings or regular
expressions, and I'm not quite sure how I would parse it in the ruleset
files. Exact strings would be in double-quotes, with '"' characters in
the string doubled up as a means of escaping them. How I would find the
end of a regular expression is another matter. I guess it would be
surrounded with '/' characters, and I would look for the first '/' that
wasn't preceded by a '\'.

I would have to allow the 'i' on the end of a regexp match at least.
Matching against a quoted exact string would be a substring match.

It would be available just about anywhere you can use a ruleset, as I
read the subject line near the point where I read the from and to
addresses from the envelope.

Multiple "Subject:" lines would be handled by adding them all together
with a \n newline between each one.

Your comments please....

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGn6JsEfZZRxQVtlQRAmB+AJwI6uqeuSNgSEFOYfef6Pp5RVQ4ggCgv6PU
hgrcKmoAhBaWV4V+CXyOAmM=
=MvkD
-----END PGP SIGNATURE-----

From uxbod at splatnix.net Thu Jul 19 19:51:03 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 19:49:41 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <469FA98A.1060308@ecs.soton.ac.uk>
Message-ID: <18485165.2241184871063290.JavaMail.root@office.splatnix.net>

Sorry, not at work now. But based on the original changes myself and
Rick proposed where would I set $part to "" ?

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Thursday, July 19, 2007 7:12:26 PM (GMT) Europe/London
Subject: Re: UNKNOWN CLAMD RETURN

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rick Cooper wrote:
>
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On
> > Behalf Of UxBoD
> > Sent: Thursday, July 19, 2007 9:36 AM
> > To: MailScanner discussion
> > Subject: Re: UNKNOWN CLAMD RETURN
> >
> > Not sure on that Rick as we do not use the reports. In
> > MailWatch it shows as :-
> >
> > Clamd: message.header was infected:
> > Email.Hdr.Sanesecurity.07061900 FOUND
> >
> > so message.header could be changed to the word SPAM.
>
>
> Do you know what happens to the message? The reason I ask is I can't
> remember what MailScanner does to the message when it cannot find
> $infections->{"$id"}{"$part"} in its list of associated files (or safnames
> I think).

To add a report for the entire message, set $part to "". So if you add a
virus report for the whole message, then the whole message will be
treated as infected. Whether adding this will require a slight change to
MailWatch, I don't know. But that's the right way to do it. Very
dangerous to add a report for an attachment filename that doesn't exist!

> It may pass the message untouched and it may remove the entire
> body I just cannot remember what the reflex would be in this situation.
> Perhaps Julian can answer that. MailWatch is just looking for something to
> match the regex in functions.php (IIRC) but MailScanner may end up
> delivering the message and I need to make sure that doesn't happen.
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGn6mLEfZZRxQVtlQRAhnpAJ9xtZT09+61Qcj1nuTUY3Vs0k9XIQCbBGpc
blwTAMR0LVFvPtyU97LlbsQ=
=hKZa
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Thu Jul 19 19:50:55 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 19 19:51:30 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <469FA98A.1060308@ecs.soton.ac.uk>
References: <024201c7ca06$5370e2b0$0301a8c0@SAHOMELT> <27114160.1941184852181484.JavaMail.root@office.splatnix.net> <025901c7ca0a$f2d111a0$0301a8c0@SAHOMELT> <469FA98A.1060308@ecs.soton.ac.uk>
Message-ID: <469FB28F.2020601@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please try the attached patch to SweepViruses.pm and let me know how you
get on. MailWatch may well not like it completely, as I changed "$part
was" to "headers were" so it will fail to match if Steve looks for
"was", but I'm sticking to English grammar, unless "the entire message
was" works better. Please try both and tell me if MailWatch is happy
with "the entire message was" and I'll change my code.

Has someone actually got an entire message that triggers this code, so
that we can test it on a real message?

Cheers,
Jules.

Julian Field wrote:
> * PGP Signed: 07/19/07 at 19:12:27
>
>
>
> Rick Cooper wrote:
>>
>>
>> > -----Original Message-----
>> > From: mailscanner-bounces@lists.mailscanner.info
>> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
>> > Sent: Thursday, July 19, 2007 9:36 AM
>> > To: MailScanner discussion
>> > Subject: Re: UNKNOWN CLAMD RETURN
>> >
>> > Not sure on that Rick as we do not use the reports. In
>> > MailWatch it shows as :-
>> >
>> > Clamd: message.header was infected:
>> > Email.Hdr.Sanesecurity.07061900 FOUND
>> >
>> > so message.header could be changed to the word SPAM.
>>
>>
>> Do you know what happens to the message? The reason I ask is I can't
>> remember what MailScanner does to the message when it cannot find
>> $infections->{"$id"}{"$part"} in its list of associated files (or safnames
>> I think).
> To add a report for the entire message, set $part to "". So if you add
> a virus report for the whole message, then the whole message will be
> treated as infected. Whether adding this will require a slight change
> to MailWatch, I don't know. But that's the right way to do it. Very
> dangerous to add a report for an attachment filename that doesn't exist!
>
>> It may pass the message untouched and it may remove the entire
>> body I just cannot remember what the reflex would be in this situation.
>> Perhaps Julian can answer that. MailWatch is just looking for something to
>> match the regex in functions.php (IIRC) but MailScanner may end up
>> delivering the message and I need to make sure that doesn't happen.
>>
>
> Jules
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGn7KQEfZZRxQVtlQRAojNAKCOxAstIJ9gfJrUtz8JDLfQ2RhBQQCeKxXj
QYCQPOyExyl7ACN2z6DU374=
=uSfc
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Thu Jul 19 20:02:21 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 19 20:02:58 2007
Subject: Watermarking
In-Reply-To: <469F9E26.1000102@fractalweb.com>
References: <28507864.2091184860864557.JavaMail.root@office.splatnix.net> <469F9E26.1000102@fractalweb.com>
Message-ID: <469FB53D.1030207@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Yuzik wrote:
> UxBoD wrote:
>> When watermarking is used in the latest version do the return emails
>> bypass both SPAM and Virus checks ?
>> If so, would it be possible to make it only bypass SPAM, in case they
>> have replied and added a Virus ;)
>
> My understanding is that no, the replies bypass neither SPAM nor virus
> checks. Personally, I'd like that option, but it doesn't seem to be
> one of the features (yet? Julian?).

The latest version of the documentation on the website at
http://www.mailscanner.info/MailScanner.conf.index.html
accurately reflects the functionality of the current watermarking
(milter-null like) code.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: UTF-8

wj8DBQFGn7U+EfZZRxQVtlQRAs+KAKCDYRbKFkqxbu+kplAFuAKVlZAKHACgqaeH
5kBBHKhbLfkoyNg2eayQkhY=
=7el1
-----END PGP SIGNATURE-----

From uxbod at splatnix.net Thu Jul 19 20:08:31 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 20:07:13 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <469FB28F.2020601@ecs.soton.ac.uk>
Message-ID: <14709257.2271184872111338.JavaMail.root@office.splatnix.net>

I have about 600 messages which we have received today Jules ;) The SANE
ClamAV signatures are working very well. Could you attach the patch
please and I will try in the morning :)

Thanks Rick and Jules.

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Thursday, July 19, 2007 7:50:55 PM (GMT) Europe/London
Subject: Re: UNKNOWN CLAMD RETURN

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please try the attached patch to SweepViruses.pm and let me know how you
get on. MailWatch may well not like it completely, as I changed "$part
was" to "headers were" so it will fail to match if Steve looks for
"was", but I'm sticking to English grammar, unless "the entire message
was" works better. Please try both and tell me if MailWatch is happy
with "the entire message was" and I'll change my code.

Has someone actually got an entire message that triggers this code, so
that we can test it on a real message?

Cheers,
Jules.

Julian Field wrote:
> * PGP Signed: 07/19/07 at 19:12:27
>
>
>
> Rick Cooper wrote:
>>
>>
>> > -----Original Message-----
>> > From: mailscanner-bounces@lists.mailscanner.info
>> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
>> > Sent: Thursday, July 19, 2007 9:36 AM
>> > To: MailScanner discussion
>> > Subject: Re: UNKNOWN CLAMD RETURN
>> >
>> > Not sure on that Rick as we do not use the reports. In
>> > MailWatch it shows as :-
>> >
>> > Clamd: message.header was infected:
>> > Email.Hdr.Sanesecurity.07061900 FOUND
>> >
>> > so message.header could be changed to the word SPAM.
>>
>>
>> Do you know what happens to the message? The reason I ask is I can't
>> remember what MailScanner does to the message when it cannot find
>> $infections->{"$id"}{"$part"} in its list of associated files (or safnames
>> I think).
> To add a report for the entire message, set $part to "". So if you add
> a virus report for the whole message, then the whole message will be
> treated as infected. Whether adding this will require a slight change
> to MailWatch, I don't know. But that's the right way to do it. Very
> dangerous to add a report for an attachment filename that doesn't exist!
>
>> It may pass the message untouched and it may remove the entire
>> body I just cannot remember what the reflex would be in this situation.
>> Perhaps Julian can answer that. MailWatch is just looking for something to
>> match the regex in functions.php (IIRC) but MailScanner may end up
>> delivering the message and I need to make sure that doesn't happen.
>>
>
> Jules
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGn7KQEfZZRxQVtlQRAojNAKCOxAstIJ9gfJrUtz8JDLfQ2RhBQQCeKxXj
QYCQPOyExyl7ACN2z6DU374=
=uSfc
-----END PGP SIGNATURE-----

From uxbod at splatnix.net Thu Jul 19 20:12:54 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 20:11:29 2007
Subject: Watermarking
In-Reply-To: <469FB53D.1030207@ecs.soton.ac.uk>
Message-ID: <9932086.2301184872374193.JavaMail.root@office.splatnix.net>

Okay so my understanding then is that if the MD5 matches correctly it is
accepted otherwise rejected. Therefore on acceptance bypasses all
checks. Would it be possible to perform just the Virii check ? Sorry if
I have mis-understood.

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Thursday, July 19, 2007 8:02:21 PM (GMT) Europe/London
Subject: Re: Watermarking

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Yuzik wrote:
> UxBoD wrote:
>> When watermarking is used in the latest version do the return emails
>> bypass both SPAM and Virus checks ?
>> If so, would it be possible to make it only bypass SPAM, in case they
>> have replied and added a Virus ;)
>
> My understanding is that no, the replies bypass neither SPAM nor virus
> checks. Personally, I'd like that option, but it doesn't seem to be
> one of the features (yet? Julian?).

The latest version of the documentation on the website at
http://www.mailscanner.info/MailScanner.conf.index.html
accurately reflects the functionality of the current watermarking
(milter-null like) code.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: UTF-8

wj8DBQFGn7U+EfZZRxQVtlQRAs+KAKCDYRbKFkqxbu+kplAFuAKVlZAKHACgqaeH
5kBBHKhbLfkoyNg2eayQkhY=
=7el1
-----END PGP SIGNATURE-----

From sandrews at andrewscompanies.com Thu Jul 19 20:16:37 2007
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Thu Jul 19 20:16:40 2007
Subject: Request for comments
In-Reply-To: <469FA26B.6050905@ecs.soton.ac.uk>
References: <469FA26B.6050905@ecs.soton.ac.uk>
Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com>

Yes please.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Thursday, July 19, 2007 1:42 PM
To: MailScanner discussion
Subject: Request for comments

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am wondering if it would help if I added "Subject" to the list of
things you could use in rulesets.

Would it be useful?

You would only be able to match against exact strings or regular
expressions, and I'm not quite sure how I would parse it in the ruleset
files. Exact strings would be in double-quotes, with '"' characters in
the string doubled up as a means of escaping them. How I would find the
end of a regular expression is another matter. I guess it would be
surrounded with '/' characters, and I would look for the first '/' that
wasn't preceded by a '\'.

I would have to allow the 'i' on the end of a regexp match at least.
Matching against a quoted exact string would be a substring match.

It would be available just about anywhere you can use a ruleset, as I
read the subject line near the point where I read the from and to
addresses from the envelope.

Multiple "Subject:" lines would be handled by adding them all together
with a \n newline between each one.

Your comments please....

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGn6JsEfZZRxQVtlQRAmB+AJwI6uqeuSNgSEFOYfef6Pp5RVQ4ggCgv6PU
hgrcKmoAhBaWV4V+CXyOAmM=
=MvkD
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Thu Jul 19 20:16:07 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 19 20:16:46 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <469FB28F.2020601@ecs.soton.ac.uk>
References: <024201c7ca06$5370e2b0$0301a8c0@SAHOMELT> <27114160.1941184852181484.JavaMail.root@office.splatnix.net> <025901c7ca0a$f2d111a0$0301a8c0@SAHOMELT> <469FA98A.1060308@ecs.soton.ac.uk> <469FB28F.2020601@ecs.soton.ac.uk>
Message-ID: <469FB877.7010404@ecs.soton.ac.uk>

Skipped content of type multipart/mixed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070719/443eff27/PGP.bin

From MailScanner at ecs.soton.ac.uk Thu Jul 19 20:17:45 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 19 20:18:19 2007
Subject: Watermarking
In-Reply-To: <9932086.2301184872374193.JavaMail.root@office.splatnix.net>
References: <9932086.2301184872374193.JavaMail.root@office.splatnix.net>
Message-ID: <469FB8D9.9070507@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You have misunderstood. :-)

If a message arrives with no sender address, and no matching Watermark,
then it is thrown away as being a delivery error report for a message
you didn't send.

UxBoD wrote:
> Okay so my understanding then is that if the MD5 matches correctly it is accepted otherwise rejected. Therefore on acceptance bypasses all checks. Would it be possible to perform just the Virii check ? Sorry if I have mis-understood.
> ----- Original Message -----
> From: "Julian Field"
> To: "MailScanner discussion"
> Sent: Thursday, July 19, 2007 8:02:21 PM (GMT) Europe/London
> Subject: Re: Watermarking
>
>
> * PGP Signed by an unmatched address: 07/19/07 at 20:02:22
>
>
>
> Chris Yuzik wrote:
>
>> UxBoD wrote:
>>
>>> When watermarking is used in the latest version do the return emails
>>> bypass both SPAM and Virus checks ?
>>> If so, would it be possible to make it only bypass SPAM, in case they
>>> have replied and added a Virus ;)
>>>
>> My understanding is that no, the replies bypass neither SPAM nor virus
>> checks. Personally, I'd like that option, but it doesn't seem to be
>> one of the features (yet? Julian?).
>>
> The latest version of the documentation on the website at
> http://www.mailscanner.info/MailScanner.conf.index.html
> accurately reflects the functionality of the current watermarking
> (milter-null like) code.
>
> Jules
>
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: UTF-8

wj8DBQFGn7jaEfZZRxQVtlQRAs87AJ9VJjrmNy1hQWNrcZLPtwG87voHBQCggVuW
NcMyBGYynqtokjV5m9NvSo4=
=CCZI
-----END PGP SIGNATURE-----

From sandrews at andrewscompanies.com Thu Jul 19 20:19:33 2007
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Thu Jul 19 20:19:34 2007
Subject: Request for comments
In-Reply-To: <6170060.2211184870793223.JavaMail.root@office.splatnix.net>
References: <469FA26B.6050905@ecs.soton.ac.uk> <6170060.2211184870793223.JavaMail.root@office.splatnix.net>
Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0F31@winchester.andrewscompanies.com>

Blacklist by subject comes to mind...or is there already a better way to
do this?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
Sent: Thursday, July 19, 2007 2:47 PM
To: MailScanner discussion
Subject: Re: Request for comments

Personally I do not see the apparent benefit Jules.

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Thursday, July 19, 2007 6:42:03 PM (GMT) Europe/London
Subject: Request for comments

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am wondering if it would help if I added "Subject" to the list of
things you could use in rulesets.

Would it be useful?

You would only be able to match against exact strings or regular
expressions, and I'm not quite sure how I would parse it in the ruleset
files. Exact strings would be in double-quotes, with '"' characters in
the string doubled up as a means of escaping them. How I would find the
end of a regular expression is another matter. I guess it would be
surrounded with '/' characters, and I would look for the first '/' that
wasn't preceded by a '\'.

I would have to allow the 'i' on the end of a regexp match at least.
Matching against a quoted exact string would be a substring match.

It would be available just about anywhere you can use a ruleset, as I
read the subject line near the point where I read the from and to
addresses from the envelope.

Multiple "Subject:" lines would be handled by adding them all together
with a \n newline between each one.

Your comments please....

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGn6JsEfZZRxQVtlQRAmB+AJwI6uqeuSNgSEFOYfef6Pp5RVQ4ggCgv6PU
hgrcKmoAhBaWV4V+CXyOAmM=
=MvkD
-----END PGP SIGNATURE-----

From uxbod at splatnix.net Thu Jul 19 20:36:11 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 19 20:34:51 2007
Subject: Request for comments
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0F31@winchester.andrewscompanies.com>
Message-ID: <27577175.2361184873771771.JavaMail.root@office.splatnix.net>

Why not just write a SA rule based on the subject ? Just thinking aloud.

----- Original Message -----
From: "Steven Andrews"
To: "MailScanner discussion"
Sent: Thursday, July 19, 2007 8:19:33 PM (GMT) Europe/London
Subject: RE: Request for comments

Blacklist by subject comes to mind...or is there already a better way to
do this?

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
Sent: Thursday, July 19, 2007 2:47 PM
To: MailScanner discussion
Subject: Re: Request for comments

Personally I do not see the apparent benefit Jules.

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Thursday, July 19, 2007 6:42:03 PM (GMT) Europe/London
Subject: Request for comments

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am wondering if it would help if I added "Subject" to the list of
things you could use in rulesets.

Would it be useful?

You would only be able to match against exact strings or regular
expressions, and I'm not quite sure how I would parse it in the ruleset
files. Exact strings would be in double-quotes, with '"' characters in
the string doubled up as a means of escaping them. How I would find the
end of a regular expression is another matter. I guess it would be
surrounded with '/' characters, and I would look for the first '/' that
wasn't preceded by a '\'.

I would have to allow the 'i' on the end of a regexp match at least.
Matching against a quoted exact string would be a substring match.

It would be available just about anywhere you can use a ruleset, as I
read the subject line near the point where I read the from and to
addresses from the envelope.

Multiple "Subject:" lines would be handled by adding them all together
with a \n newline between each one.

Your comments please....

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGn6JsEfZZRxQVtlQRAmB+AJwI6uqeuSNgSEFOYfef6Pp5RVQ4ggCgv6PU
hgrcKmoAhBaWV4V+CXyOAmM=
=MvkD
-----END PGP SIGNATURE-----
From ka at pacific.net Thu Jul 19 20:41:00 2007 
From: ka at pacific.net (Ken A) Date: Thu Jul 19 20:41:05 2007 Subject: Request for comments In-Reply-To: <469FA26B.6050905@ecs.soton.ac.uk> References: <469FA26B.6050905@ecs.soton.ac.uk> Message-ID: <469FBE4C.3080604@pacific.net> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I am wondering if it would help if I added "Subject" to the list of > things you could use in rulesets. > > Would it be useful? > > You would only be able to match against exact strings or regular > expressions, and I'm not quite sure how I would parse it in the ruleset > files. Exact strings would be in double-quotes, with '"' characters in > the string doubled up as a means of escaping them. How I would find the > end of a regular expression is another matter. I guess it would be > surrounded with '/' characters, and I would look for the first '/' that > wasn't preceded by a '\'. > > I would have to allow the 'i' on the end of a regexp match at least. > Matching against a quoted exact string would be a substring match. > > It would be available just about anywhere you can use a ruleset, as I > read the subject line near the point where I read the from and to > addresses from the envelope. > > Multiple "Subject:" lines would be handled by adding them all together > with a \n newline between each one. > > Your comments please.... blacklist, whitelist, or other (new?) rule types that might lend themselves to a Subject based ruleset? "Subject:" can hold more information, so potentially be more useful. Nothing much comes to mind immediately, other than the obvious blacklist. We already use some subject based rules in the MTA (milter), but having those in a standard MailScanner ruleset would make maintenance easier. Not sure if anyone would use it really, but I'm for features that make MailScanner more flexible. Someone will do something cool with it. 
:-) Thanks, Ken > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > Charset: ISO-8859-1 > > wj8DBQFGn6JsEfZZRxQVtlQRAmB+AJwI6uqeuSNgSEFOYfef6Pp5RVQ4ggCgv6PU > hgrcKmoAhBaWV4V+CXyOAmM= > =MvkD > -----END PGP SIGNATURE----- > -- Ken Anderson Pacific.Net From ms-list at alexb.ch Thu Jul 19 21:08:58 2007 From: ms-list at alexb.ch (Alex Broens) Date: Thu Jul 19 21:09:04 2007 Subject: Request for comments In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> Message-ID: <469FC4DA.6030706@alexb.ch> On 7/19/2007 9:16 PM, Steven Andrews wrote: > Yes please. > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: Thursday, July 19, 2007 1:42 PM > To: MailScanner discussion > Subject: Request for comments > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I am wondering if it would help if I added "Subject" to the list of > things you could use in rulesets. > > Would it be useful? SA does this nicely, isn't it redundant? + you have the meta advantage Alex From mkettler at evi-inc.com Thu Jul 19 21:15:36 2007 
From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Jul 19 21:16:47 2007 Subject: Request for comments In-Reply-To: <469FC4DA.6030706@alexb.ch> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch> Message-ID: <469FC668.3040802@evi-inc.com> Alex Broens wrote: > On 7/19/2007 9:16 PM, Steven Andrews wrote: >> Yes please. >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian >> Field >> Sent: Thursday, July 19, 2007 1:42 PM >> To: MailScanner discussion >> Subject: Request for comments >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> I am wondering if it would help if I added "Subject" to the list of >> things you could use in rulesets. >> >> Would it be useful? > > SA does this nicely, isn't it redundant? > + you have the meta advantage No, since when are rulesets in MailScanner in any way redundant with SA? SA can't do something like: quarantine any message with subject text "You've won" delete any message with the subject text "postcard" Sure you can use SA's rule scores to force your "high scoring spam action", but you can't do *BOTH* of the above actions at the same time. But MailScanner rulesets can. From itdept at fractalweb.com Thu Jul 19 21:16:13 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Thu Jul 19 21:16:52 2007 Subject: Watermarking In-Reply-To: <9932086.2301184872374193.JavaMail.root@office.splatnix.net> References: <9932086.2301184872374193.JavaMail.root@office.splatnix.net> Message-ID: <469FC68D.7030409@fractalweb.com> UxBoD wrote: > Okay so my understanding then is that if the MD5 matches correctly it is accepted otherwise rejected. Yes > Therefore on acceptance bypasses all checks. Nope. As I said earlier, it still goes through spam and virus checks. Cheers, Chris From uxbod at splatnix.net Thu Jul 19 21:33:24 2007 
From: uxbod at splatnix.net (UxBoD) Date: Thu Jul 19 21:31:58 2007 Subject: Request for comments In-Reply-To: <469FC668.3040802@evi-inc.com> Message-ID: <2806256.2391184877204468.JavaMail.root@office.splatnix.net> True. Go for it then Jules, and we can play :) ----- Original Message ----- From: "Matt Kettler" To: "MailScanner discussion" Sent: Thursday, July 19, 2007 9:15:36 PM (GMT) Europe/London Subject: Re: Request for comments Alex Broens wrote: > On 7/19/2007 9:16 PM, Steven Andrews wrote: >> Yes please. >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian >> Field >> Sent: Thursday, July 19, 2007 1:42 PM >> To: MailScanner discussion >> Subject: Request for comments >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> I am wondering if it would help if I added "Subject" to the list of >> things you could use in rulesets. >> >> Would it be useful? > > SA does this nicely, isn't it redundant? > + you have the meta advantage No, since when are rulesets in MailScanner in any way redundant with SA? SA can't do something like: quarantine any message with subject text "You've won" delete any message with the subject text "postcard" Sure you can use SA's rule scores to force your "high scoring spam action", but you can't do *BOTH* of the above actions at the same time. But MailScanner rulesets can. From campbell at cnpapers.com Thu Jul 19 21:43:43 2007 
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Jul 19 21:43:50 2007 Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k" In-Reply-To: References: <012101c7c8bc$5498dee0$5713cc40@OCEANII> <469D4099.5040708@alexb.ch> <469FA620.5030208@cnpapers.com> Message-ID: <469FCCFF.3080700@cnpapers.com> Scott Silva wrote: > Steve Campbell spake the following on 7/19/2007 10:57 AM: > >> Alex Broens wrote: >> >>> On 7/17/2007 11:49 PM, Michael R. Dilworth wrote: >>> >>>> Just to save some time for some of you, the 40k number >>>> can is on the small side for some of the PDF spams I've been receiving. >>>> >>> FWI: I'm using: >>> >>> Max Spam Check Size = 250000 >>> Max SpamAssassin Size = 2500000 >>> >>> which, AFAIK are the default SA values. >>> >>> Alex >>> -- >>> *Spammer hell has no DSL* >>> >>> >>> >>> >> Maybe it's because I'm not up-to-date on my MS, but I don't have a Max >> Spam Check Size parameter in my configuration file. >> >> The only "Size" parms I have are as follows: >> >> Maximum Message Size = 0 >> Maximum Attachment Size = -1 >> Minimum Attachment Size = -1 >> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes) >> Max SpamAssassin Size = 2500000 >> > > This setting will make mailscanner not send the message to spamassassin if it > is over this size. Are the pdf spams bigger than that? > > > Everyone is missing my point I meant to make. I don't have the "Max Spam Check Size" in my configuration file to change. It could have been missed in an upgrade, but I always use Julian's upgrade_MailScanner_conf script and this parm is missing on 3 different servers. Steve Campbell From campbell at cnpapers.com Thu Jul 19 21:46:25 2007 
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Jul 19 21:46:37 2007 Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k" In-Reply-To: <469FAECE.2040107@alexb.ch> References: <012101c7c8bc$5498dee0$5713cc40@OCEANII> <469D4099.5040708@alexb.ch> <469FA620.5030208@cnpapers.com> <469FAECE.2040107@alexb.ch> Message-ID: <469FCDA1.7040303@cnpapers.com> Alex Broens wrote: > On 7/19/2007 7:57 PM, Steve Campbell wrote: >> >> >> Alex Broens wrote: >>> On 7/17/2007 11:49 PM, Michael R. Dilworth wrote: >>>> Just to save some time for some of you, the 40k number >>>> can is on the small side for some of the PDF spams I've been >>>> receiving. >>> >>> FWI: I'm using: >>> >>> Max Spam Check Size = 250000 >>> Max SpamAssassin Size = 2500000 >>> >>> which, AFAIK are the default SA values. >>> >>> Alex >>> -- >>> *Spammer hell has no DSL* >>> >>> >>> >> Maybe it's because I'm not up-to-date on my MS, but I don't have a >> Max Spam Check Size parameter in my configuration file. >> >> The only "Size" parms I have are as follows: >> >> Maximum Message Size = 0 >> Maximum Attachment Size = -1 >> Minimum Attachment Size = -1 >> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes) >> Max SpamAssassin Size = 2500000 >> Max Custom Spam Scanner Size = 250000 >> MCP Max SpamAssassin Size = 100000 >> >> Can anyone explain what I should be doing to use the plugin. I get no >> errors with my lint, and I'm not even sure it's not working. I have >> not seen any GMD rules triggered in my logs. >> >> Just asking for information for all us turtles out here that are slow >> to upgrade. > > run a: spamasassin --lint -D > > do you see the plugin loading? > > Yes the Plugin loads and the .cf file is read. I was more concerned about the parameter that is missing from my MailScanner.conf file. Steve From nboric at contexte.fr Thu Jul 19 21:48:21 2007 
From: nboric at contexte.fr (nboric@contexte.fr) Date: Thu Jul 19 21:49:40 2007 Subject: Mailscanner & antivirus question In-Reply-To: <469FC4DA.6030706@alexb.ch> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch> Message-ID: I have a question concerning the mailscanner antivirus treatment. When Spamassassin job is done, Mailscanner knows if the message is spam or not. If the spam score is high enough and message will be discarded anyway why call antivirus software after ? Regards, Nenad From MailScanner at ecs.soton.ac.uk Thu Jul 19 21:54:53 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 19 21:56:24 2007 Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k" In-Reply-To: <469FCDA1.7040303@cnpapers.com> References: <012101c7c8bc$5498dee0$5713cc40@OCEANII> <469D4099.5040708@alexb.ch> <469FA620.5030208@cnpapers.com> <469FAECE.2040107@alexb.ch> <469FCDA1.7040303@cnpapers.com> Message-ID: <469FCF9D.3070504@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 According to the Change Log I added it in version 4.57. You probably do have Max SpamAssassin Size though :-) Steve Campbell wrote: > > > Alex Broens wrote: >> On 7/19/2007 7:57 PM, Steve Campbell wrote: >>> >>> >>> Alex Broens wrote: >>>> On 7/17/2007 11:49 PM, Michael R. Dilworth wrote: >>>>> Just to save some time for some of you, the 40k number >>>>> can is on the small side for some of the PDF spams I've been >>>>> receiving. >>>> >>>> FWI: I'm using: >>>> >>>> Max Spam Check Size = 250000 >>>> Max SpamAssassin Size = 2500000 >>>> >>>> which, AFAIK are the default SA values. >>>> >>>> Alex >>>> -- >>>> *Spammer hell has no DSL* >>>> >>>> >>>> >>> Maybe it's because I'm not up-to-date on my MS, but I don't have a >>> Max Spam Check Size parameter in my configuration file. >>> >>> The only "Size" parms I have are as follows: >>> >>> Maximum Message Size = 0 >>> Maximum Attachment Size = -1 >>> Minimum Attachment Size = -1 >>> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes) >>> Max SpamAssassin Size = 2500000 >>> Max Custom Spam Scanner Size = 250000 >>> MCP Max SpamAssassin Size = 100000 >>> >>> Can anyone explain what I should be doing to use the plugin. I get >>> no errors with my lint, and I'm not even sure it's not working. I >>> have not seen any GMD rules triggered in my logs. >>> >>> Just asking for information for all us turtles out here that are >>> slow to upgrade. >> >> run a: spamasassin --lint -D >> >> do you see the plugin loading? >> >> > Yes the Plugin loads and the .cf file is read. 
I was more concerned > about the parameter that is missing from my MailScanner.conf file. > > Steve > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGn8+eEfZZRxQVtlQRApMBAJsH2vfAg2f6TwfUGF5lmHRB5kxc2wCfYJz6 y+JEzE2a4doFGcLPXojBSnw= =z+SU -----END PGP SIGNATURE----- From shuttlebox at gmail.com Thu Jul 19 21:57:10 2007 From: shuttlebox at gmail.com (shuttlebox) Date: Thu Jul 19 21:57:13 2007 Subject: Mailscanner & antivirus question In-Reply-To: References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch> Message-ID: <625385e30707191357t2288f9e6i865829489c00769a@mail.gmail.com> On 7/19/07, nboric@contexte.fr wrote: > > I have a question concerning the mailscanner antivirus treatment. > > When Spamassassin job is done, Mailscanner knows if the message is spam or > not. If the spam score is high enough and message will be discarded anyway > why call antivirus software after ? It doesn't unless you have set it to keep quarantine clean. -- /peter From campbell at cnpapers.com Thu Jul 19 21:59:02 2007 
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Jul 19 21:59:23 2007 Subject: Mailscanner & antivirus question In-Reply-To: References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch> Message-ID: <469FD096.3060309@cnpapers.com> nboric@contexte.fr wrote: > > I have a question concerning the mailscanner antivirus treatment. > > When Spamassassin job is done, Mailscanner knows if the message is > spam or not. If the spam score is high enough and message will be > discarded anyway why call antivirus software after ? > > Regards, > > Nenad > Messages can become "undiscarded", especially when you use MailWatch. It would be beneficial to know if you are releasing a dangerous email or just a poorly scored false positive. Steve Campbell From campbell at cnpapers.com Thu Jul 19 22:04:17 2007 
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Jul 19 22:04:21 2007 Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k" In-Reply-To: <469FCF9D.3070504@ecs.soton.ac.uk> References: <012101c7c8bc$5498dee0$5713cc40@OCEANII> <469D4099.5040708@alexb.ch> <469FA620.5030208@cnpapers.com> <469FAECE.2040107@alexb.ch> <469FCDA1.7040303@cnpapers.com> <469FCF9D.3070504@ecs.soton.ac.uk> Message-ID: <469FD1D1.3010002@cnpapers.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > According to the Change Log I added it in version 4.57. > You probably do have Max SpamAssassin Size though :-) > > Steve Campbell wrote: > >> Alex Broens wrote: >> >>> On 7/19/2007 7:57 PM, Steve Campbell wrote: >>> >>>> Alex Broens wrote: >>>> >>>>> On 7/17/2007 11:49 PM, Michael R. Dilworth wrote: >>>>> >>>>>> Just to save some time for some of you, the 40k number >>>>>> can is on the small side for some of the PDF spams I've been >>>>>> receiving. >>>>>> >>>>> FWI: I'm using: >>>>> >>>>> Max Spam Check Size = 250000 >>>>> Max SpamAssassin Size = 2500000 >>>>> >>>>> which, AFAIK are the default SA values. >>>>> >>>>> Alex >>>>> -- >>>>> *Spammer hell has no DSL* >>>>> >>>>> >>>>> >>>>> >>>> Maybe it's because I'm not up-to-date on my MS, but I don't have a >>>> Max Spam Check Size parameter in my configuration file. >>>> >>>> The only "Size" parms I have are as follows: >>>> >>>> Maximum Message Size = 0 >>>> Maximum Attachment Size = -1 >>>> Minimum Attachment Size = -1 >>>> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes) >>>> Max SpamAssassin Size = 2500000 >>>> Max Custom Spam Scanner Size = 250000 >>>> MCP Max SpamAssassin Size = 100000 >>>> >>>> Can anyone explain what I should be doing to use the plugin. I get >>>> no errors with my lint, and I'm not even sure it's not working. I >>>> have not seen any GMD rules triggered in my logs. >>>> >>>> Just asking for information for all us turtles out here that are >>>> slow to upgrade. 
>>>> >>> run a: spamasassin --lint -D >>> >>> do you see the plugin loading? >>> >>> >>> >> Yes the Plugin loads and the .cf file is read. I was more concerned >> about the parameter that is missing from my MailScanner.conf file. >> >> Steve >> >> > > Jules > > > Yep, I'm running 4.52, so that's why it's not there. Kinda figured the reason, and hence, mentioned the turtle stuff a while back. Are there any consequences of not setting or being able to set the parm that anyone knows? Thanks Steve From alex at nkpanama.com Thu Jul 19 22:56:39 2007 From: alex at nkpanama.com (Alex Neuman) Date: Thu Jul 19 22:57:23 2007 Subject: Request for comments In-Reply-To: <469FA26B.6050905@ecs.soton.ac.uk> References: <469FA26B.6050905@ecs.soton.ac.uk> Message-ID: <469FDE17.9000704@nkpanama.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I am wondering if it would help if I added "Subject" to the list of > things you could use in rulesets. > > Would it be useful? > > Incredibly so. One of the major headaches for newbies consists of users calling in and complaining about "so and so can't send me messages", with no means for you to know even the slightest of details. The ability to whitelist, for example, based on Subject or any other particular header at the MailScanner level would allow some messages to make it through in an emergency. The rule could then be changed so it wouldn't be abused. From ms-list at alexb.ch Thu Jul 19 23:05:02 2007 From: ms-list at alexb.ch (Alex Broens) Date: Thu Jul 19 23:05:11 2007 Subject: Request for comments In-Reply-To: <2806256.2391184877204468.JavaMail.root@office.splatnix.net> References: <2806256.2391184877204468.JavaMail.root@office.splatnix.net> Message-ID: <469FE00E.7080603@alexb.ch> On 7/19/2007 10:33 PM, UxBoD wrote: > True. Go for it then Jules, and we can play :) > ----- Original Message ----- 
> From: "Matt Kettler" > To: "MailScanner discussion" > Sent: Thursday, July 19, 2007 9:15:36 PM (GMT) Europe/London > Subject: Re: Request for comments > > Alex Broens wrote: >> On 7/19/2007 9:16 PM, Steven Andrews wrote: >>> Yes please. >>> -----Original Message----- 
>>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian >>> Field >>> Sent: Thursday, July 19, 2007 1:42 PM >>> To: MailScanner discussion >>> Subject: Request for comments >>> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> I am wondering if it would help if I added "Subject" to the list of >>> things you could use in rulesets. >>> >>> Would it be useful? >> SA does this nicely, isn't it redundant? >> + you have the meta advantage > > > No, since when are rulesets in MailScanner in any way redundant with SA? I didn't say the rulesets were redundant. What I feel is redundant is the fact that ppl will write regex in two places. If that is a target, I don't know. While they will offer domain/user possibilities, I'd prefer to see it going in SQL direction, I mentioned an idea to Justin Mason and apparently it wouldn't be too hard to add global/domain/user SQL support to the API /CLI spamassassin. (the same SQL support spamd/spamc implements) If we get enough ppl requesting it, we can get all the SA rule features in SQL to interact with Mailscanner's rulesets. Now THAT would be power!!! > > SA can't do something like: > quarantine any message with subject text "You've won" > delete any message with the subject text "postcard" > > Sure you can use SA's rule scores to force your "high scoring spam action", but > you can't do *BOTH* of the above actions at the same time. > > But MailScanner rulesets can. I'm not yet 100% convinced. SA 3.2 has rule shortcircuiting aka SC (which apparently few know of or use). MailScanner could make use of SCing SA API output to provide the hard actions. This could apply to ANY SA rule type and would save you from writing a whole extra regex section. just my 2c Alex From ms-list at alexb.ch Thu Jul 19 23:25:34 2007 
From: ms-list at alexb.ch (Alex Broens) Date: Thu Jul 19 23:25:40 2007 Subject: Request for comments In-Reply-To: <469FDE17.9000704@nkpanama.com> References: <469FA26B.6050905@ecs.soton.ac.uk> <469FDE17.9000704@nkpanama.com> Message-ID: <469FE4DE.6010602@alexb.ch> On 7/19/2007 11:56 PM, Alex Neuman wrote: > > > Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> I am wondering if it would help if I added "Subject" to the list of >> things you could use in rulesets. >> >> Would it be useful? >> >> > Incredibly so. One of the major headaches for newbies consists of users > calling in and complaining about "so and so can't send me messages", > with no means for you to know even the slightest of details. Does "Can't send" equal "message tagged as spam" or "stuck in quarantine"? These problems are usually at SMTP level. > The ability to whitelist, for example, based on Subject or any other > particular header at the MailScanner level would allow some messages to > make it through in an emergency. The rule could then be changed so it > wouldn't be abused. what of this can't be done already? Among others, SA can, for example: whitelist_subject NICE*BLAH blacklist_subject UGLY*BLAH header rules body rules rawbody rules full rules shortcircuiting rules dunno... I think newbies (I include myself as well) already have an arsenal of tools. If these are not thoroughly used, more tools won't make their life any happier. whatever... it's Julian's call anyway. Alex From alex at nkpanama.com Thu Jul 19 23:34:16 2007 
From: alex at nkpanama.com (Alex Neuman) Date: Thu Jul 19 23:35:02 2007 Subject: Request for comments In-Reply-To: <469FE4DE.6010602@alexb.ch> References: <469FA26B.6050905@ecs.soton.ac.uk> <469FDE17.9000704@nkpanama.com> <469FE4DE.6010602@alexb.ch> Message-ID: <469FE6E8.4080801@nkpanama.com> Alex Broens wrote: > On 7/19/2007 11:56 PM, Alex Neuman wrote: >> >> >> Julian Field wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> I am wondering if it would help if I added "Subject" to the list of >>> things you could use in rulesets. >>> >>> Would it be useful? >>> >>> >> Incredibly so. One of the major headaches for newbies consists of >> users calling in and complaining about "so and so can't send me >> messages", with no means for you to know even the slightest of details. > > Does "Can't send" equal "message tagged as spam" or "stuck in > quarantine"? > > These problems are usually at SMTP level. > Not all the time. >> The ability to whitelist, for example, based on Subject or any other >> particular header at the MailScanner level would allow some messages >> to make it through in an emergency. The rule could then be changed so >> it wouldn't be abused. > > what of this can't be done already? > All of it, with the same level of flexibility as MailScanner. It's been detailed in another message in this thread. > Among others, SA can, for example: > > whitelist_subject NICE*BLAH > blacklist_subject UGLY*BLAH > header rules > body rules > rawbody rules > full rules > shortcircuiting rules > Which, IMHO, are nowhere near as intuitive and flexible (not to mention elegant) as Julian's rulesets. > dunno... I think newbies (I include myself as well) already have an > arsenal of tools. If these are not thoroughly used, more tools won't > make their life any happier. > > whatever... it's Julian's call anyway. > > Alex > > From iulianld at gmail.com Fri Jul 20 01:04:20 2007 
From: iulianld at gmail.com (Iulian L Dragomir) Date: Fri Jul 20 01:04:24 2007 Subject: Broken dependencies after installing MailScanner 4.62.3-1 Message-ID: Hi to all. I'm not a native English speaker so please excuse me. Also I'm quite new to MailScanner. Reading the docs and the archive posts (not all) did not help me solve this problem. I have a test machine with Centos 5. The software on it is from Centos 5 repos (os, updates, addons, centosplus and extras), from DAG repo and few FC6 ( pyzor and arj ) With older versions of MailScanner ( 4.61.7-2 ) I had no problems but after I installed ( force parameter was not used ) the new beta 4.62.3-1 and after that 4.62.3-3 ( rpm version ) I have errors when I try to do maintenance updates. apt-get upgrade Reading Package Lists... Done Building Dependency Tree... Done You might want to run `apt-get --fix-broken install' to correct these. The following packages have unmet dependencies: perl: Obsoletes: perl-MIME-Base64 E: Unmet dependencies. Try using --fix-broken. 
MailScanner -v report follows MailScanner -v Running on Linux localhost.localdomain 2.6.18-8.1.8.el5.centos.plus #1 SMP Mon Jul 16 08:49:50 EDT 2007 i686 i686 i386 GNU/Linux This is CentOS release 5 (Final) This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.62.3 Module versions are: 1.00 AnyDBM_File 1.16 Archive::Zip 1.04 Carp 1.119 Convert::BinHex 1.00 DirHandle 1.05 Fcntl 2.74 File::Basename 2.09 File::Copy 2.01 FileHandle 1.08 File::Path 0.16 File::Temp 0.92 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.22 IO 1.13 IO::File 1.13 IO::Pipe 1.77 Mail::Header 1.86 Math::BigInt 3.07 MIME::Base64 5.420 MIME::Decoder 5.420 MIME::Decoder::UU 5.420 MIME::Head 5.420 MIME::Parser 3.07 MIME::QuotedPrint 5.420 MIME::Tools 0.11 Net::CIDR 1.09 POSIX 1.18 Scalar::Util 1.78 Socket 1.4 Sys::Hostname::Long 0.18 Sys::Syslog 1.86 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.32 Archive::Tar 0.21 bignum 1.84 Business::ISBN 1.14 Business::ISBN::Data 0.17 Convert::TNEF 1.08 Data::Dump 1.814 DB_File 1.13 DBD::SQLite 1.56 DBI 1.14 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.11 Digest::SHA1 1.00 Encode::Detect 0.17008 Error 0.19 ExtUtils::CBuilder 2.18 ExtUtils::ParseXS 0.44 Inline 1.08 IO::String 1.05 IO::Zlib 2.23 IP::Country missing Mail::ClamAV 3.002001 Mail::SpamAssassin missing Mail::SPF 1.999001 Mail::SPF::Query 0.19 Math::BigRat 0.2808 Module::Build 0.20 Net::CIDR::Lite 0.59 Net::DNS 0.002.2 Net::DNS::Resolver::Programmable 0.33 Net::LDAP 4.004 NetAddr::IP 1.94 Parse::RecDescent missing SAVI 2.56 Test::Harness 1.14 Test::Manifest 1.95 Text::Balanced 1.35 URI 0.7203 version 0.62 YAML Any suggestions for fixing this? Is there more information / reports I can post regarding this problem? Thanks to all for your kind help. From am.lists at gmail.com Fri Jul 20 01:18:27 2007 
From: am.lists at gmail.com (am.lists) Date: Fri Jul 20 01:18:31 2007 Subject: Reason for whitelisting? In-Reply-To: <469F8CCD.2080705@evi-inc.com> References: <25a66d840707171727i4c89120aga3a5ac0cd7e9b11d@mail.gmail.com> <469F8CCD.2080705@evi-inc.com> Message-ID: <25a66d840707191718x599c70c5n9a5e6de3cec61360@mail.gmail.com> On 7/19/07, Matt Kettler wrote: > am.lists wrote: > > Also, the SARE rule 70_sare_whitelist.cf contains several known-good's > > too. > > This is conclusively *NOT* 70_sare_whitelist.cf, or any other spamassassin-level > whitelisting. Those would show up as a SpamAssassin rule-hit of USER_IN_WHITELIST. > > The "is whitelisted" message means it's whitelisted at the MailScanner level, as > a part of the MailScanner.conf "Is Definitely Not Spam" mechanism, or some bug > in, or misuse of, that mechanism. Good point, you're correct. My bad indeed. /Angelo From res at ausics.net Fri Jul 20 01:32:54 2007 From: res at ausics.net (Res) Date: Fri Jul 20 01:33:05 2007 Subject: Request for comments In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message On Thu, 19 Jul 2007, Steven Andrews wrote: > Yes please. Seconded, it wouldn't be a high priority, or something commonly used, but it would be advantageous to have the option if needed. -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGoAK2sWhAmSIQh7MRAqoXAKCHnSoftVYCyktW5TpSyWwS3/o/AACfUSK0 G/C3hoNVDfdHthkH3OU8rx8= =RWAx -----END PGP SIGNATURE----- From res at ausics.net Fri Jul 20 01:38:47 2007 
From: res at ausics.net (Res) Date: Fri Jul 20 01:38:57 2007 Subject: Request for comments In-Reply-To: <27577175.2361184873771771.JavaMail.root@office.splatnix.net> References: <27577175.2361184873771771.JavaMail.root@office.splatnix.net> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message On Thu, 19 Jul 2007, UxBoD wrote: > Why not just write a SA rule based on the subject ? Just thinking aloud. We run nntp to email gateways, as well as about half a dozen public lists and around 70 private lists, it would be handy where we could if we needed to set a ruleset From: blah and Subject: blah action like avoid double spam tests, and many other things, where we don't want to whitelist an entire server's posts etc... just one example that makes a ruleset like this handy -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGoAQXsWhAmSIQh7MRApb9AKCsWyPQO69R/64zZs6uEUaAtzXUdgCfcuCx uM0BWa9UXs6k37Z9zjeF9jM= =caz1 -----END PGP SIGNATURE----- From uxbod at splatnix.net Fri Jul 20 07:53:19 2007 From: uxbod at splatnix.net (UxBoD) Date: Fri Jul 20 07:51:36 2007 Subject: Request for comments In-Reply-To: <469FE00E.7080603@alexb.ch> Message-ID: <10082375.2421184914399606.JavaMail.root@office.splatnix.net> Alex B, I have to agree with you on that. I would love to see the configuration being moved into SQL, preferably as an option. I know others are not so keen on this due to performance, but the majority of systems are adopting this approach and it does provide a lot of flexibility. Especially remote/webenabled configuration which cannot be a bad thing. Would make a domain based control panel very easy to implement :D What is your view of this Jules ? ----- Original Message ----- 
From: "Alex Broens"
To: "MailScanner discussion"
Sent: Thursday, July 19, 2007 11:05:02 PM (GMT) Europe/London
Subject: Re: Request for comments

On 7/19/2007 10:33 PM, UxBoD wrote:
> True. Go for it then Jules, and we can play :)
> ----- Original Message -----
> From: "Matt Kettler"
> To: "MailScanner discussion"
> Sent: Thursday, July 19, 2007 9:15:36 PM (GMT) Europe/London
> Subject: Re: Request for comments
>
> Alex Broens wrote:
>> On 7/19/2007 9:16 PM, Steven Andrews wrote:
>>> Yes please.
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info
>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian
>>> Field
>>> Sent: Thursday, July 19, 2007 1:42 PM
>>> To: MailScanner discussion
>>> Subject: Request for comments
>>>
>>> I am wondering if it would help if I added "Subject" to the list of
>>> things you could use in rulesets.
>>>
>>> Would it be useful?
>> SA does this nicely, isn't it redundant?
>> + you have the meta advantage
>
>
> No, since when are rulesets in MailScanner in any way redundant with SA?

I didn't say the rulesets were redundant.
What I feel is redundant is the fact that ppl will write regex in two
places. If that is a target, I don't know.

While they will offer domain/user possibilities, I'd prefer to see it
going in SQL direction,

I mentioned an idea to Justin Mason and apparently it wouldn't be too
hard to add global/domain/user SQL support to the API /CLI spamassassin.
(the same SQL support spamd/spamc implements)

If we get enough ppl requesting it, we can get all the SA rule features
in SQL to interact with Mailscanner's rulesets.

Now THAT would be power!!!

>
> SA can't do something like:
> quarantine any message with subject text "You've won"
> delete any message with the subject text "postcard"
>
> Sure you can use SA's rule scores to force your "high scoring spam action", but
> you can't do *BOTH* of the above actions at the same time.
>
> But MailScanner rulesets can.

I'm not yet 100% convinced. SA 3.2 has rule shortcircuiting aka SC
(which apparently few know of or use). MailScanner could make use of
SCing SA API output to provide the hard actions. This could apply to ANY
SA rule type and would save you from writing a whole extra regex section.

just my 2c

Alex
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From uxbod at splatnix.net Fri Jul 20 08:01:22 2007
From: uxbod at splatnix.net (UxBoD)
Date: Fri Jul 20 07:59:37 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <469FB877.7010404@ecs.soton.ac.uk>
Message-ID: <22537786.2451184914882668.JavaMail.root@office.splatnix.net>

All looks good Jules :D

Output from MailWatch :-

20/07/07 02:52:38  XXXXXX@XXXXXX  XXXXXX@XXXXX.com  cialis and viagra for Everyone!  2.5Kb  29.70  Spam  Virus (Email.Hdr.Sanesecurity.07012400)

cialis and viagra for Everyone!
Size: 2.5Kb
Anti-Virus/Dangerous Content Protection
Virus: Y
Blocked File: N
Other Infection: N
Report: Clamd: message.header was infected: Email.Hdr.Sanesecurity.07012400 FOUND

Now able to report against Viruses/Malware and SPAM :)

Rank  Virus                                                 Percentage of detection  Count
1     Email.Stk.Gen592.Sanesecurity.07071801.pdf            60%                      129
2     Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400  11%                      23
3     Email.Spam.Gen1007.Sanesecurity.07071800              8%                       17
4     Html.Loan.Gen006.Sanesecurity.06120200                8%                       17
5     Email.Hdr.Sanesecurity.07012400                       6%                       12
6     Email.Spam.Gen465.Sanesecurity.07050603               2%                       5
7     Html.Img.Gen013.Sanesecurity.06112900                 2%                       5
8     Html.Phishing.Bank.Rockv2Gen28.Sanesecurity.07061800  1%                       2
9     Email.Spam.Gen595.Sanesecurity.07052401               1%                       2
10    Email.Spam.Gen903.Sanesecurity.07062812               1%                       2

Another chink in the armour of the commercial AV/AP solution that the
company I work for uses. MailScanner should be taking it over *very*
soon now :D

Thanks again to Rick and Jules. (and SaneSecurity for producing great
additional ClamAV signatures)

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Thursday, July 19, 2007 8:16:07 PM (GMT) Europe/London
Subject: Re: UNKNOWN CLAMD RETURN

Sorry, forgot the attachment as usual!

Julian Field wrote:
> * PGP Signed: 07/19/07 at 19:50:56
>
> Please try the attached patch to SweepViruses.pm and let me know how
> you get on.
>
> MailWatch may well not like it completely, as I changed "$part was" to
> "headers were" so it will fail to match if Steve looks for "was", but
> I'm sticking to English grammar, unless "the entire message was" works
> better.
>
> Please try both and tell me if MailWatch is happy with "the entire
> message was" and I'll change my code.
>
> Has someone actually got an entire message that triggers this code, so
> that we can test it on a real message?
>
> Cheers,
> Jules.
>
>
> Julian Field wrote:
>> > Old Signed: 07/19/07 at 19:12:27
>>
>> Rick Cooper wrote:
>>>
>>> > -----Original Message-----
>>> > From: mailscanner-bounces@lists.mailscanner.info
>>> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
>>> > Sent: Thursday, July 19, 2007 9:36 AM
>>> > To: MailScanner discussion
>>> > Subject: Re: UNKNOWN CLAMD RETURN
>>> >
>>> > Not sure on that Rick as we do not use the reports. In MailWatch
>>> > it shows as :-
>>> >
>>> > Clamd: message.header was infected: Email.Hdr.Sanesecurity.07061900 FOUND
>>> >
>>> > so message.header could be changed to the word SPAM.
>>>
>>>
>>> Do you know what happens to the message? The reason I ask is I can't
>>> remember what MailScanner does to the message when it cannot find
>>> $infections->{"$id"}{"$part"} in its list of associated files (or
>>> safnames I think).
>> To add a report for the entire message, set $part to "". So if you
>> add a virus report for the whole message, then the whole message will
>> be treated as infected. Whether adding this will require a slight
>> change to MailWatch, I don't know. But that's the right way to do it.
>> Very dangerous to add a report for an attachment filename that
>> doesn't exist!
>>
>>> It may pass the message untouched and it may remove the entire
>>> body I just cannot remember what the reflex would be in this situation.
>>> Perhaps Julian can answer that. MailWatch is just looking for
>>> something to match the regex in functions.php (IIRC) but MailScanner
>>> may end up delivering the message and I need to make sure that
>>> doesn't happen.
>>>
>>
>> Jules
>>
>
> Jules
>

Jules
From ms-list at alexb.ch Fri Jul 20 08:11:46 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Jul 20 08:11:51 2007
Subject: Request for comments
In-Reply-To: <10082375.2421184914399606.JavaMail.root@office.splatnix.net>
References: <10082375.2421184914399606.JavaMail.root@office.splatnix.net>
Message-ID: <46A06032.5060104@alexb.ch>

On 7/20/2007 8:53 AM, UxBoD wrote:
> Alex B,
>
> I have to agree with you on that. I would love to see the
> configuration being moved into SQL, preferably as an option. I know
> others are not so keen on this due to performance, but the majority
> of systems are adopting this approach and it does provide a lot of
> flexibility. Especially remote/webenabled configuration which cannot
> be a bad thing.

Performancewise, it might even be faster to read from SQL than reading
from maybe tens or hundreds of rules files. MailScanner would only read
at start and reloads, as it does now, for a default system SQLite would
be just as performant or better than any file system.
There's no extra engine required and it's already used by MailScanner for
caching so a requirement to setup MS anyway.

> Would make a domain based control panel very easy to implement :D
> What is your view of this Jules ?

(also curious)

Alex

From john at tradoc.fr Fri Jul 20 08:26:39 2007
From: john at tradoc.fr (John Wilcock)
Date: Fri Jul 20 08:26:50 2007
Subject: Request for comments
In-Reply-To: <469FC668.3040802@evi-inc.com>
References: <469FA26B.6050905@ecs.soton.ac.uk>
    <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com>
    <469FC4DA.6030706@alexb.ch> <469FC668.3040802@evi-inc.com>
Message-ID: <46A063AF.1080009@tradoc.fr>

Matt Kettler wrote:
> No, since when are rulesets in MailScanner in any way redundant with SA?
>
> SA can't do something like:
> quarantine any message with subject text "You've won"
> delete any message with the subject text "postcard"
>
> Sure you can use SA's rule scores to force your "high scoring spam action", but
> you can't do *BOTH* of the above actions at the same time.
>
> But MailScanner rulesets can.

An alternative suggestion would be to allow MailScanner rulesets based
on SA rule names. This could be potentially far more flexible than just
based on the Subject:, enabling you to take action on just about
anything in the message. Simply write a custom rule, score it at 0.001
if you don't want it to affect the spam score, and trigger a MailScanner
action as a result.

Got doubts about a new rule's false positive rate? No problem,
quarantine all messages that hit the rule. The possibilities are endless.

John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From matt at coders.co.uk Fri Jul 20 09:53:48 2007
From: matt at coders.co.uk (Matt Hampton)
Date: Fri Jul 20 09:51:57 2007
Subject: Watermarking
In-Reply-To: <28507864.2091184860864557.JavaMail.root@office.splatnix.net>
References: <28507864.2091184860864557.JavaMail.root@office.splatnix.net>
Message-ID: <46A0781C.20501@coders.co.uk>

UxBoD wrote:
> Hi,
>
> When watermarking is used in the latest version do the return emails
> bypass both SPAM and Virus checks ?
> If so, would it be possible to make it only bypass SPAM, in case they
> have replied and added a Virus ;)

Watermarking ONLY implements the milter-null functionality at present.
So no this is not the case.

matt

From MailScanner at ecs.soton.ac.uk Fri Jul 20 11:16:41 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 20 11:17:36 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <22537786.2451184914882668.JavaMail.root@office.splatnix.net>
References: <22537786.2451184914882668.JavaMail.root@office.splatnix.net>
Message-ID: <46A08B89.6080809@ecs.soton.ac.uk>

But can you try the exact wording I have in my infection message please?
Does MailWatch handle that okay?

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From rcooper at dwford.com Fri Jul 20 11:42:46 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Jul 20 11:42:57 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <469FB877.7010404@ecs.soton.ac.uk>
References: <024201c7ca06$5370e2b0$0301a8c0@SAHOMELT>
    <27114160.1941184852181484.JavaMail.root@office.splatnix.net>
    <025901c7ca0a$f2d111a0$0301a8c0@SAHOMELT>
    <469FA98A.1060308@ecs.soton.ac.uk><469FB28F.2020601@ecs.soton.ac.uk>
    <469FB877.7010404@ecs.soton.ac.uk>
Message-ID: <00de01c7caba$b7466440$0301a8c0@SAHOMELT>

Julian,

Thanks for jumping into this yesterday, I got buried yesterday and had
problems just getting to the first few messages let alone getting to
email period in the afternoon/evening.

Thanks

Rick

From uxbod at splatnix.net Fri Jul 20 12:14:59 2007
From: uxbod at splatnix.net (UxBoD)
Date: Fri Jul 20 12:13:55 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <46A08B89.6080809@ecs.soton.ac.uk>
Message-ID: <14835291.2631184930099600.JavaMail.root@office.splatnix.net>

I put the original .pm back in and applied the patch.

This is what appears for a normal message :-

Clamd: msg-19428-1.html was infected: Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400 FOUND

in maillog I get this :-

Jul 20 07:08:47 bianchi MailScanner[19442]: ERROR:: UNKNOWN CLAMD RETURN ./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409 FOUND :: /var/spool/MailScanner/incoming/19442

Should I have left my original code in ?

From rcooper at dwford.com Fri Jul 20 12:38:43 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Jul 20 12:38:49 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <14835291.2631184930099600.JavaMail.root@office.splatnix.net>
References: <46A08B89.6080809@ecs.soton.ac.uk>
    <14835291.2631184930099600.JavaMail.root@office.splatnix.net>
Message-ID: <00f701c7cac2$86c4d060$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
> Sent: Friday, July 20, 2007 7:15 AM
> To: MailScanner discussion
> Subject: Re: UNKNOWN CLAMD RETURN
>
> I put the original .pm back in and applied the patch.

self round face as I patched my modified one :(

>
> This is what appears for a normal message :-
>
> Clamd: msg-19428-1.html was infected:
> Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400 FOUND
>
> in maillog I get this :-
>
> Jul 20 07:08:47 bianchi MailScanner[19442]: ERROR:: UNKNOWN CLAMD RETURN
> ./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409 FOUND :: /var/spool/MailScanner/incoming/19442
>
> Should I have left my original code in ?
>

The patch is off. This won't work

Matching
./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409 FOUND
^ dot ^ childname filename ^rest

    my ($dot,$childname,$filename,$rest) = split('/',$results);
    if ($childname =~ /\.header$/ && $rest =~ /\sFOUND$/) {

Because $filename will match =~ /\sFOUND$/ and rest will be blank. Try

    if ($childname =~ /\.header$/ && $filename =~ /\sFOUND$/) {

From uxbod at splatnix.net Fri Jul 20 13:09:46 2007
From: uxbod at splatnix.net (UxBoD)
Date: Fri Jul 20 13:08:11 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <00f701c7cac2$86c4d060$0301a8c0@SAHOMELT>
Message-ID: <16571602.2691184933386099.JavaMail.root@office.splatnix.net>

Okay get this now in MailWatch :-

Clamd: headers were infected:

but not filename after it.

----- Original Message -----
From: "Rick Cooper"
To: "MailScanner discussion"
Sent: Friday, July 20, 2007 12:38:43 PM (GMT) Europe/London
Subject: RE: UNKNOWN CLAMD RETURN

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
> Sent: Friday, July 20, 2007 7:15 AM
> To: MailScanner discussion
> Subject: Re: UNKNOWN CLAMD RETURN
>
> I put the original .pm back in and applied the patch. self round face as I patched my modified one :(
>
> This is what appears for a normal message :-
>
> Clamd: msg-19428-1.html was infected:
> Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400 FOUND
>
> in maillog I get this :-
>
> Jul 20 07:08:47 bianchi MailScanner[19442]: ERROR:: UNKNOWN CLAMD RETURN ./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409 FOUND :: /var/spool/MailScanner/incoming/19442
>
> Should I have left my original code in ?
>

The patch is off. This won't work

Matching
./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409 FOUND
^ dot  ^ childname         filename                                      ^rest

    my ($dot,$childname,$filename,$rest) = split('/',$results);
    if ($childname =~ /\.header$/ && $rest =~ /\sFOUND$/) {

Because $filename will match =~ /\sFOUND$/ and rest will be blank. Try

    if ($childname =~ /\.header$/ && $filename =~ /\sFOUND$/) {

> ----- Original Message -----
> From: "Julian Field"
> To: "MailScanner discussion"
> Sent: Friday, July 20, 2007 11:16:41 AM (GMT) Europe/London
> Subject: Re: UNKNOWN CLAMD RETURN
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> But can you try the exact wording I have in my infection message please?
> Does MailWatch handle that okay?
>
> UxBoD wrote:
> > All looks good Jules :D
> >
> > Output from MailWatch :-
> >
> > 20/07/07 02:52:38 XXXXXX@XXXXXX XXXXXX@XXXXX.com cialis and viagra for Everyone! 2.5Kb 29.70 Spam
> > Virus (Email.Hdr.Sanesecurity.07012400)
> >
> > cialis and viagra for Everyone!
> > Size: 2.5Kb
> > Anti-Virus/Dangerous Content Protection
> > Virus: Y
> > Blocked File: N
> > Other Infection: N
> > Report: Clamd: message.header was infected: Email.Hdr.Sanesecurity.07012400 FOUND
> >
> > Now able to report against Viruses/Malware and SPAM :)
> >
> > Rank  Virus                                                 Percentage of detection  Count
> > 1     Email.Stk.Gen592.Sanesecurity.07071801.pdf            60%                      129
> > 2     Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400  11%                      23
> > 3     Email.Spam.Gen1007.Sanesecurity.07071800              8%                       17
> > 4     Html.Loan.Gen006.Sanesecurity.06120200                8%                       17
> > 5     Email.Hdr.Sanesecurity.07012400                       6%                       12
> > 6     Email.Spam.Gen465.Sanesecurity.07050603               2%                       5
> > 7     Html.Img.Gen013.Sanesecurity.06112900                 2%                       5
> > 8     Html.Phishing.Bank.Rockv2Gen28.Sanesecurity.07061800  1%                       2
> > 9     Email.Spam.Gen595.Sanesecurity.07052401               1%                       2
> > 10    Email.Spam.Gen903.Sanesecurity.07062812               1%                       2
> >
> >
> > Another chink in the armour of the commercial AV/AP solution that the
> > company I work for uses. MailScanner should be taking it over *very*
> > soon now :D
> >
> > Thanks again to Rick and Jules. (and SaneSecurity for producing great
> > additional ClamAV signatures)
> >
> > ----- Original Message -----

From MailScanner at ecs.soton.ac.uk Fri Jul 20 13:50:39 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 20 13:47:25 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <16571602.2691184933386099.JavaMail.root@office.splatnix.net>
References: <16571602.2691184933386099.JavaMail.root@office.splatnix.net>
Message-ID: <46A0AF9F.6080906@ecs.soton.ac.uk>

Correct, there shouldn't be a filename, as there was no infected attachment.
What do you see in your maillog?
And what appears in the message in the outgoing queue if you tell it to
deliver virused messages.

UxBoD wrote:
> Okay get this now in MailWatch :-
>
> Clamd: headers were infected:
>
> but not filename after it.
> ----- Original Message -----
> From: "Rick Cooper"
> To: "MailScanner discussion"
> Sent: Friday, July 20, 2007 12:38:43 PM (GMT) Europe/London
> Subject: RE: UNKNOWN CLAMD RETURN
>
> > -----Original Message-----
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From sandrews at andrewscompanies.com Fri Jul 20 13:48:58 2007
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Fri Jul 20 13:49:01 2007
Subject: Request for comments
In-Reply-To: <46A063AF.1080009@tradoc.fr>
References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr>
Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com>

A little off the topic here, but regarding new features...what about
being able to add score to a TLD or domain by rule?

Ex:
Gmail.com        yes   1.0
Hotmail.com      yes   10.0
Mydominan.com    yes   -10.0
Otherdomain.com  no

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of John Wilcock
Sent: Friday, July 20, 2007 3:27 AM
To: MailScanner discussion
Subject: Re: Request for comments

Matt Kettler wrote:
> No, since when are rulesets in MailScanner in any way redundant with SA?
>
> SA can't do something like:
> quarantine any message with subject text "You've won"
> delete any message with the subject text "postcard"
>
> Sure you can use SA's rule scores to force your "high scoring spam
> action", but you can't do *BOTH* of the above actions at the same time.
>
> But MailScanner rulesets can.

An alternative suggestion would be to allow MailScanner rulesets based on
SA rule names. This could be potentially far more flexible than just based
on the Subject:, enabling you to take action on just about anything in the
message. Simply write a custom rule, score it at 0.001 if you don't want it
to affect the spam score, and trigger a MailScanner action as a result.

Got doubts about a new rule's false positive rate? No problem, quarantine
all messages that hit the rule.

The possibilities are endless.

John.

--
-- Over 3000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages - www.tradoc.fr

From uxbod at splatnix.net Fri Jul 20 13:52:58 2007
From: uxbod at splatnix.net (UxBoD)
Date: Fri Jul 20 13:51:05 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <16571602.2691184933386099.JavaMail.root@office.splatnix.net>
Message-ID: <9027536.2721184935978334.JavaMail.root@office.splatnix.net>

Okay,

Had to change the code, but now get in /var/log/messages :-

Jul 20 08:41:33 XXXXXX MailScanner[32693]: INFECTED:: Email.Hdr.Sanesecurity.07012400 FOUND :: ./DA5777CF28A.F0607/

and in MailWatch :-

Clamd: headers was infected: Email.Hdr.Sanesecurity.07012400 FOUND

Jules, I had to change were to was for it to display on the main message
screen. Plus fixed a typo. Updated patch is attached.

Cheers,

----- Original Message -----
From: "UxBoD"
To: "MailScanner discussion"
Sent: Friday, July 20, 2007 1:09:46 PM (GMT) Europe/London
Subject: Re: UNKNOWN CLAMD RETURN

Okay get this now in MailWatch :-

Clamd: headers were infected:

but not filename after it.

----- Original Message -----
From: "Rick Cooper"
To: "MailScanner discussion"
Sent: Friday, July 20, 2007 12:38:43 PM (GMT) Europe/London
Subject: RE: UNKNOWN CLAMD RETURN

> -----Original Message-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SweepViruses.pm.patch
Type: text/x-patch
Size: 2253 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070720/4d511703/SweepViruses.pm.bin

From rcooper at dwford.com Fri Jul 20 13:52:46 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Jul 20 13:52:53 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <16571602.2691184933386099.JavaMail.root@office.splatnix.net>
References: <00f701c7cac2$86c4d060$0301a8c0@SAHOMELT> <16571602.2691184933386099.JavaMail.root@office.splatnix.net>
Message-ID: <010c01c7cacc$df602df0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
> Sent: Friday, July 20, 2007 8:10 AM
> To: MailScanner discussion
> Subject: Re: UNKNOWN CLAMD RETURN
>
> Okay get this now in MailWatch :-
>
> Clamd: headers were infected:

I assume that MailScanner is now catching and logging correctly?

> but not filename after it.

That is because filename was set to blank as message header was the source of the hit not a *file*. See without the sane sigs this would be caught (or not) by SpamAssassin and neither MailScanner nor MailWatch were designed with A/V flagging a spam message with a virus sig. The report in MailScanner would state that the file was "The Entire Message". In truth this message does not contain a virus, it's spam.

Julian, when a message is exploded and the safename is used and is infected the filename returned is mapped to the original name from the safename, correct? How much trouble would it be to automatically add a pseudo filename such as SPAM to the $this->{safefile2file}{$safename} or {file2parent}{} = ? Would using a pseudo file name cause issues elsewhere?

I have not run into any of these SaneSecurity header hits with MS because exim refuses them at delivery (because clamd is run on all incoming messages during the data phase).

Rick

> ----- Original Message -----
> From: "Rick Cooper"
> To: "MailScanner discussion"
> Sent: Friday, July 20, 2007 12:38:43 PM (GMT) Europe/London
> Subject: RE: UNKNOWN CLAMD RETURN
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
> > Sent: Friday, July 20, 2007 7:15 AM
> > To: MailScanner discussion
> > Subject: Re: UNKNOWN CLAMD RETURN
> >
> > I put the original .pm back in and applied the patch. self round face as I patched my modified one :(>
> >
> > This is what appears for a normal message :-
> >
> > Clamd: msg-19428-1.html was infected: Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400 FOUND
> >
> > in maillog I get this :-
> >
> > Jul 20 07:08:47 bianchi MailScanner[19442]: ERROR:: UNKNOWN CLAMD RETURN ./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409 FOUND :: /var/spool/MailScanner/incoming/19442
> >
> > Should I have left my original code in ?
>
> The patch is off. This won't work
>
> Matching
> ./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409 FOUND
> ^ dot ^ childname filename ^rest
>
> my ($dot,$childname,$filename,$rest) = split('/',$results);
> if ($childname =~ /\.header$/ && $rest =~ /\sFOUND$/) {
>
> Because $filename will match =~ /\sFOUND$/ and rest will be blank. Try
>
> if ($childname =~ /\.header$/ && $filename =~ /\sFOUND$/) {
>
> > ----- Original Message -----
> > From: "Julian Field"
> > To: "MailScanner discussion"
> > Sent: Friday, July 20, 2007 11:16:41 AM (GMT) Europe/London
> > Subject: Re: UNKNOWN CLAMD RETURN
> >
> > But can you try the exact wording I have in my infection message please?
> > Does MailWatch handle that okay?
> >
> > UxBoD wrote:
> > > All looks good Jules :D
> > >
> > > Output from MailWatch :-
> > >
> > > 20/07/07 02:52:38 XXXXXX@XXXXXX XXXXXX@XXXXX.com cialis and viagra for Everyone! 2.5Kb 29.70 Spam Virus (Email.Hdr.Sanesecurity.07012400)
> > >
> > > cialis and viagra for Everyone!
> > > Size: 2.5Kb
> > > Anti-Virus/Dangerous Content Protection
> > > Virus: Y
> > > Blocked File: N
> > > Other Infection: N
> > > Report: Clamd: message.header was infected: Email.Hdr.Sanesecurity.07012400 FOUND
> > >
> > > Now able to report against Viruses/Malware and SPAM :)
> > >
> > > Rank  Virus                                                 Percentage of detection  Count
> > > 1     Email.Stk.Gen592.Sanesecurity.07071801.pdf            60%                      129
> > > 2     Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400  11%                      23
> > > 3     Email.Spam.Gen1007.Sanesecurity.07071800              8%                       17
> > > 4     Html.Loan.Gen006.Sanesecurity.06120200                8%                       17
> > > 5     Email.Hdr.Sanesecurity.07012400                       6%                       12
> > > 6     Email.Spam.Gen465.Sanesecurity.07050603               2%                       5
> > > 7     Html.Img.Gen013.Sanesecurity.06112900                 2%                       5
> > > 8     Html.Phishing.Bank.Rockv2Gen28.Sanesecurity.07061800  1%                       2
> > > 9     Email.Spam.Gen595.Sanesecurity.07052401               1%                       2
> > > 10    Email.Spam.Gen903.Sanesecurity.07062812               1%                       2
> > >
> > > Another chink in the armour of the commercial AV/AP solution that the
> > > company I work for uses. MailScanner should be taking it over *very*
> > > soon now :D
> > >
> > > Thanks again to Rick and Jules. (and SaneSecurity for producing great
> > > additional ClamAV signatures)
> > >
> > > ----- Original Message -----
> > > From: "Julian Field"
> > > To: "MailScanner discussion"
> > > Sent: Thursday, July 19, 2007 8:16:07 PM (GMT) Europe/London
> > > Subject: Re: UNKNOWN CLAMD RETURN
> > >
> > > Sorry, forgot the attachment as usual!
> > >
> > > Julian Field wrote:
> > > > * PGP Signed: 07/19/07 at 19:50:56
> > > >
> > > > Please try the attached patch to SweepViruses.pm and let me know how
> > > > you get on.
> > > >
> > > > MailWatch may well not like it completely, as I changed "$part was" to
> > > > "headers were" so it will fail to match if Steve looks for "was", but
> > > > I'm sticking to English grammar, unless "the entire message was" works
> > > > better.
> > > >
> > > > Please try both and tell me if MailWatch is happy with "the entire
> > > > message was" and I'll change my code.
> > > >
> > > > Has someone actually got an entire message that triggers this code, so
> > > > that we can test it on a real message?
> > > >
> > > > Cheers,
> > > > Jules.
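
The split behaviour Rick describes in the message above, as an added Perl example (not part of the thread and not code from SweepViruses.pm). It runs the return line quoted in the thread through both conditions and then keys a whole-message report on an empty part name; the helper parse_header_hit, the %infections hash and the two non-matching lines are constructed for illustration, and taking the message id to be the directory name without ".header" is an assumption.

```perl
#!/usr/bin/perl
# Added illustration; hypothetical helper names, not MailScanner's own code.
use strict;
use warnings;

# Return line quoted in the thread: a signature hit on the message headers.
my $line = './E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409 FOUND';

# The split from the patch under discussion. The line contains only two
# slashes, so split returns three fields and $rest is undef, not "".
my ($dot, $childname, $filename, $rest) = split('/', $line);
printf "dot=%s childname=%s filename=%s rest=%s\n",
    $dot, $childname, $filename, defined($rest) ? $rest : '(undef)';

# Same test as the patch, with a defined() guard so 'use warnings' stays
# quiet: it looks at $rest and therefore never fires for a header hit.
my $patched = ($childname =~ /\.header$/
               && defined($rest) && $rest =~ /\sFOUND$/) ? 1 : 0;

# Test as corrected in the reply: signature and FOUND are in $filename.
my $corrected = ($childname =~ /\.header$/ && $filename =~ /\sFOUND$/) ? 1 : 0;

print "patched condition matches:   $patched\n";
print "corrected condition matches: $corrected\n";

# Hypothetical helper: return (message id, signature) for a header hit,
# or an empty list so the caller can fall through to its other checks.
sub parse_header_hit {
    my ($result) = @_;
    my (undef, $child, $field) = split('/', $result, 4);
    return unless defined $child && defined $field;
    return unless $child =~ /^(.+)\.header$/;
    my $id = $1;    # assumption: id is the directory name minus ".header"
    return unless $field =~ /^(\S+)\sFOUND$/;
    return ($id, $1);
}

# Stand-in for the report structure (assumption). Following the advice in
# the thread, a report for the entire message uses an empty part name
# instead of an attachment filename that does not exist.
my %infections;
my @results = (
    $line,
    # Constructed: directory without the .header suffix.
    './E36817CEF53.9B2FD/Email.Scam4.Gen824.Sanesecurity.07051409 FOUND',
    # Constructed: header directory but no FOUND marker.
    './E36817CEF53.9B2FD.header/OK',
);
for my $result (@results) {
    my ($id, $sig) = parse_header_hit($result) or next;
    $infections{$id}{''} = "Clamd: header was infected: $sig FOUND";
}

for my $id (sort keys %infections) {
    printf "%s => %s\n", $id, $infections{$id}{''};
}
```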

From uxbod at splatnix.net Fri Jul 20 14:01:50 2007
From: uxbod at splatnix.net (UxBoD)
Date: Fri Jul 20 14:00:01 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <010c01c7cacc$df602df0$0301a8c0@SAHOMELT>
Message-ID: <6241714.2751184936510102.JavaMail.root@office.splatnix.net>

True about "In truth this message does not contain a virus, it's spam." but ClamAV also detects SPAM in the body of the message, so headers should be treated in the same manner.

All appears to be working a treat now, and it means additional virus/spam reporting can be achieved.

----- Original Message -----
From: "Rick Cooper"
To: "MailScanner discussion"
Sent: Friday, July 20, 2007 1:52:46 PM (GMT) Europe/London
Subject: RE: UNKNOWN CLAMD RETURN

From MailScanner at ecs.soton.ac.uk Fri Jul 20 14:12:04 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 20 14:08:46 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <9027536.2721184935978334.JavaMail.root@office.splatnix.net>
References: <9027536.2721184935978334.JavaMail.root@office.splatnix.net>
Message-ID: <46A0B4A4.50608@ecs.soton.ac.uk>

I changed 2 bits of your patch. First was "headers was infected" is bad English. I changed it to "header was infected" as this keeps the "was" to make MailWatch happy, but is still correct English.

Also, you have a / FOUND/ regexp which should be /\sFOUND/ for consistency with the others.

UxBoD wrote:
> Okay, Had to change the code, but now get in /var/log/messages :-
>
> Jul 20 08:41:33 XXXXXX MailScanner[32693]: INFECTED:: Email.Hdr.Sanesecurity.07012400 FOUND :: ./DA5777CF28A.F0607/
>
> and in MailWatch :-
>
> Clamd: headers was infected: Email.Hdr.Sanesecurity.07012400 FOUND
>
> Jules, I had to change were to was for it to display on the main message screen. Plus fixed a typo.
>
> Updated patch is attached.
>
> Cheers,
>
> ----- Original Message -----
> From: "UxBoD"
> To: "MailScanner discussion"
> Sent: Friday, July 20, 2007 1:09:46 PM (GMT) Europe/London
> Subject: Re: UNKNOWN CLAMD RETURN
>
> Okay get this now in MailWatch :-
>
> Clamd: headers were infected:
>
> but not filename after it.
>
> ----- Original Message -----
> From: "Rick Cooper"
> To: "MailScanner discussion"
> Sent: Friday, July 20, 2007 12:38:43 PM (GMT) Europe/London
> Subject: RE: UNKNOWN CLAMD RETURN
> > > > > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Fri Jul 20 14:14:11 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 20 14:10:36 2007
Subject: Request for comments
In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com>
References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com>
Message-ID: <46A0B523.20401@ecs.soton.ac.uk>

That would be easy to add. Would many people use it?
It would just be an "Adjust SpamAssassin Score" configuration option.

I'm still unconvinced that adding the Subject matching would actually
get used by many people. Very few people have said "yes, I have a
definite need and a use for it".

Steven Andrews wrote:
> A little off the topic here, but regarding new features...what about
> being able to add score to a TLD or domain by rule?
>
> Ex:
>
> Gmail.com yes 1.0
> Hotmail.com yes 10.0
> Mydominan.com yes -10.0
> Otherdomain.com no
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of John Wilcock
> Sent: Friday, July 20, 2007 3:27 AM
> To: MailScanner discussion
> Subject: Re: Request for comments
>
> Matt Kettler wrote:
>> No, since when are rulesets in MailScanner in any way redundant with SA?
>> SA can't do something like:
>> quarantine any message with subject text "You've won"
>> delete any message with the subject text "postcard"
>>
>> Sure you can use SA's rule scores to force your "high scoring spam
>> action", but you can't do *BOTH* of the above actions at the same time.
>> But MailScanner rulesets can.
>
> An alternative suggestion would be to allow MailScanner rulesets based
> on SA rule names. This could be potentially far more flexible than just
> based on the Subject:, enabling you to take action on just about
> anything in the message. Simply write a custom rule, score it at 0.001
> if you don't want it to affect the spam score, and trigger a MailScanner
> action as a result. Got doubts about a new rule's false positive rate?
> No problem, quarantine all messages that hit the rule. The possibilities
> are endless.
>
> John.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From support.mailscanner at stuttgart.mhz.de Fri Jul 20 14:17:53 2007
From: support.mailscanner at stuttgart.mhz.de (Support)
Date: Fri Jul 20 14:17:54 2007
Subject: Password protect
Message-ID:

Hello
I want the password protected and encrypted messages to go to
quarantine. Now they are deleted every time. What do I have to do??

Regards David

From uxbod at splatnix.net Fri Jul 20 14:26:06 2007
From: uxbod at splatnix.net (UxBoD)
Date: Fri Jul 20 14:25:47 2007
Subject: UNKNOWN CLAMD RETURN
In-Reply-To: <46A0B4A4.50608@ecs.soton.ac.uk>
Message-ID: <14804439.2781184937966578.JavaMail.root@office.splatnix.net>

Me bad :) Yeah my perl is so so Jules ;) but reading and understanding your code is getting me up to speed :D

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Friday, July 20, 2007 2:12:04 PM (GMT) Europe/London
Subject: Re: UNKNOWN CLAMD RETURN

I changed 2 bits of your patch.
First was "headers was infected" is bad English. I changed it to "header
was infected" as this keeps the "was" to make MailWatch happy, but is
still correct English.
Also, you have a / FOUND/ regexp which should be /\sFOUND/ for
consistency with the others.

UxBoD wrote:
> Okay, Had to change the code, but now get in /var/log/messages :-
>
> Jul 20 08:41:33 XXXXXX MailScanner[32693]: INFECTED:: Email.Hdr.Sanesecurity.07012400 FOUND :: ./DA5777CF28A.F0607/
>
> and in MailWatch :-
>
> Clamd: headers was infected: Email.Hdr.Sanesecurity.07012400 FOUND
>
> Jules, I had to change were to was for it to display on the main message screen. Plus fixed a typo.
>
> Updated patch is attached.
>
> Cheers,
>
> ----- Original Message -----
> From: "UxBoD"
> To: "MailScanner discussion"
> Sent: Friday, July 20, 2007 1:09:46 PM (GMT) Europe/London
> Subject: Re: UNKNOWN CLAMD RETURN
>
> Okay get this now in MailWatch :-
>
> Clamd: headers were infected:
>
> but not filename after it.
> ----- Original Message -----
> From: "Rick Cooper"
> To: "MailScanner discussion"
> Sent: Friday, July 20, 2007 12:38:43 PM (GMT) Europe/London
> Subject: RE: UNKNOWN CLAMD RETURN
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
> > Sent: Friday, July 20, 2007 7:15 AM
> > To: MailScanner discussion
> > Subject: Re: UNKNOWN CLAMD RETURN
> >
> > I put the original .pm back in and applied the patch.
> > self round face as I patched my modified one :(>
> >
> > This is what appears for a normal message :-
> >
> > Clamd: msg-19428-1.html was infected:
> > Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400 FOUND
> >
> > in maillog I get this :-
> >
> > Jul 20 07:08:47 bianchi MailScanner[19442]: ERROR:: UNKNOWN CLAMD RETURN
> > ./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409 FOUND :: /var/spool/MailScanner/incoming/19442
> >
> > Should I have left my original code in ?
> >
>
> The patch is off. This won't work
> Matching ./E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409 FOUND
> ^ dot ^ childname filename
> ^rest
>
> my ($dot,$childname,$filename,$rest) = split('/',$results);
> if ($childname =~ /\.header$/ && $rest =~ /\sFOUND$/) {
>
> Because $filename will match =~ /\sFOUND$/ and rest will be blank. Try
>
> if ($childname =~ /\.header$/ && $filename =~ /\sFOUND$/) {
>
> >
> > ----- Original Message -----
> > From: "Julian Field"
> > To: "MailScanner discussion"
> > Sent: Friday, July 20, 2007 11:16:41 AM (GMT) Europe/London
> > Subject: Re: UNKNOWN CLAMD RETURN
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > But can you try the exact wording I have in my infection message please?
> > Does MailWatch handle that okay?
> >
> > UxBoD wrote:
> > > All looks good Jules :D
> > >
> > > Output from MailWatch :-
> > >
> > > 20/07/07 02:52:38 XXXXXX@XXXXXX XXXXXX@XXXXX.com cialis and viagra for Everyone! 2.5Kb 29.70 Spam Virus (Email.Hdr.Sanesecurity.07012400)
> > >
> > > cialis and viagra for Everyone!
> > > Size: 2.5Kb
> > > Anti-Virus/Dangerous Content Protection
> > > Virus: Y
> > > Blocked File: N
> > > Other Infection: N
> > > Report: Clamd: message.header was infected: Email.Hdr.Sanesecurity.07012400 FOUND
> > >
> > > Now able to report against Viruses/Malware and SPAM :)
> > >
> > > Rank  Virus                                                 Percentage of detection  Count
> > > 1     Email.Stk.Gen592.Sanesecurity.07071801.pdf            60%                      129
> > > 2     Html.Phishing.Bank.Rockv2Gen14.Sanesecurity.07060400  11%                      23
> > > 3     Email.Spam.Gen1007.Sanesecurity.07071800              8%                       17
> > > 4     Html.Loan.Gen006.Sanesecurity.06120200                8%                       17
> > > 5     Email.Hdr.Sanesecurity.07012400                       6%                       12
> > > 6     Email.Spam.Gen465.Sanesecurity.07050603               2%                       5
> > > 7     Html.Img.Gen013.Sanesecurity.06112900                 2%                       5
> > > 8     Html.Phishing.Bank.Rockv2Gen28.Sanesecurity.07061800  1%                       2
> > > 9     Email.Spam.Gen595.Sanesecurity.07052401               1%                       2
> > > 10    Email.Spam.Gen903.Sanesecurity.07062812               1%                       2
> > >
> > > Another chink in the armour of the commercial AV/AP solution that the
> > > company I work for uses. MailScanner should be taking it over *very*
> > > soon now :D
> > >
> > > Thanks again to Rick and Jules.
> > > (and SaneSecurity for producing great additional ClamAV signatures)
> > >
> > > ----- Original Message -----
> > > From: "Julian Field"
> > > To: "MailScanner discussion"
> > > Sent: Thursday, July 19, 2007 8:16:07 PM (GMT) Europe/London
> > > Subject: Re: UNKNOWN CLAMD RETURN
> > >
> > > Sorry, forgot the attachment as usual!
> > >
> > > Julian Field wrote:
> > > > * PGP Signed: 07/19/07 at 19:50:56
> > > >
> > > > Please try the attached patch to SweepViruses.pm and let me know how
> > > > you get on.
> > > >
> > > > MailWatch may well not like it completely, as I changed "$part was" to
> > > > "headers were" so it will fail to match if Steve looks for "was", but
> > > > I'm sticking to English grammar, unless "the entire message was" works
> > > > better.
> > > >
> > > > Please try both and tell me if MailWatch is happy with "the entire
> > > > message was" and I'll change my code.
> > > >
> > > > Has someone actually got an entire message that triggers this code, so
> > > > that we can test it on a real message?
> > > >
> > > > Cheers,
> > > > Jules.
> > > >
> > > > Julian Field wrote:
> > > >> > Old Signed: 07/19/07 at 19:12:27
> > > >>
> > > >> Rick Cooper wrote:
> > > >>>
> > > >>> > -----Original Message-----
> > > >>> > From: mailscanner-bounces@lists.mailscanner.info
> > > >>> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
> > > >>> > Sent: Thursday, July 19, 2007 9:36 AM
> > > >>> > To: MailScanner discussion
> > > >>> > Subject: Re: UNKNOWN CLAMD RETURN
> > > >>> >
> > > >>> > Not sure on that Rick as we do not use the reports. In MailWatch it shows as :-
> > > >>> >
> > > >>> > Clamd: message.header was infected: Email.Hdr.Sanesecurity.07061900 FOUND
> > > >>> >
> > > >>> > so message.header could be changed to the word SPAM.
> > > >>>
> > > >>> Do you know what happens to the message? The reason I ask is I can't
> > > >>> remember what MailScanner does to the message when it cannot find
> > > >>> $infections->{"$id"}{"$part"} in its list of associated files (or
> > > >>> safnames I think).
> > > >> To add a report for the entire message, set $part to "". So if you
> > > >> add a virus report for the whole message, then the whole message will
> > > >> be treated as infected. Whether adding this will require a slight
> > > >> change to MailWatch, I don't know. But that's the right way to do it.
> > > >> Very dangerous to add a report for an attachment filename that
> > > >> doesn't exist!
> > > >>
> > > >>> It may pass the message untouched and it may remove the entire
> > > >>> body I just cannot remember what the reflex would be in this situation.
> > > >>> Perhaps Julian can answer that. MailWatch is just looking for
> > > >>> something to match the regex in functions.php (IIRC) but MailScanner
> > > >>> may end up delivering the message and I need to make sure that
> > > >>> doesn't happen.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From uxbod at splatnix.net Fri Jul 20 14:27:45 2007
From: uxbod at splatnix.net (UxBoD)
Date: Fri Jul 20 14:25:50 2007
Subject: Request for comments
In-Reply-To: <46A0B523.20401@ecs.soton.ac.uk>
Message-ID: <4368574.2811184938065611.JavaMail.root@office.splatnix.net>

Why not create a SA rule for that ? especially using META.

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Friday, July 20, 2007 2:14:11 PM (GMT) Europe/London
Subject: Re: Request for comments

That would be easy to add. Would many people use it?
It would just be an "Adjust SpamAssassin Score" configuration option.

I'm still unconvinced that adding the Subject matching would actually
get used by many people. Very few people have said "yes, I have a
definite need and a use for it".

Steven Andrews wrote:
> A little off the topic here, but regarding new features...what about
> being able to add score to a TLD or domain by rule?
>
> Ex:
>
> Gmail.com yes 1.0
> Hotmail.com yes 10.0
> Mydominan.com yes -10.0
> Otherdomain.com no
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of John Wilcock
> Sent: Friday, July 20, 2007 3:27 AM
> To: MailScanner discussion
> Subject: Re: Request for comments
>
> Matt Kettler wrote:
>> No, since when are rulesets in MailScanner in any way redundant with SA?
>> SA can't do something like:
>> quarantine any message with subject text "You've won"
>> delete any message with the subject text "postcard"
>>
>> Sure you can use SA's rule scores to force your "high scoring spam
>> action", but you can't do *BOTH* of the above actions at the same time.
>> But MailScanner rulesets can.
>
> An alternative suggestion would be to allow MailScanner rulesets based
> on SA rule names. This could be potentially far more flexible than just
> based on the Subject:, enabling you to take action on just about
> anything in the message. Simply write a custom rule, score it at 0.001
> if you don't want it to affect the spam score, and trigger a MailScanner
> action as a result. Got doubts about a new rule's false positive rate?
> No problem, quarantine all messages that hit the rule. The possibilities
> are endless.
>
> John.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
From ms-list at alexb.ch Fri Jul 20 14:27:43 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Jul 20 14:27:59 2007
Subject: Request for comments
In-Reply-To: <46A0B523.20401@ecs.soton.ac.uk>
References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk>
Message-ID: <46A0B84F.7010100@alexb.ch>

On 7/20/2007 3:14 PM, Julian Field wrote:
> That would be easy to add. Would many people use it?
> It would just be an "Adjust SpamAssassin Score" configuration option.
>
> I'm still unconvinced that adding the Subject matching would actually
> get used by many people. Very few people have said "yes, I have a
> definite need and a use for it".

-1 as it won't bypass SA scanning anyway, just override the score.
A shortcircuited rule does save resources.

imo, Post-SA actions based on SA rules would definitely be nice to have.
(see use in matrixing for business surroundings)

FromTo:blah@blah SA_RULEXYZ Action: [Redirect:Delete:Quarantine:etc]

wasn't John Sinteur already suggesting this?

> Steven Andrews wrote:
>> A little off the topic here, but regarding new features...what about
>> being able to add score to a TLD or domain by rule?
>>
>> Ex:
>>
>> Gmail.com yes 1.0
>> Hotmail.com yes 10.0
>> Mydominan.com yes -10.0
>> Otherdomain.com no
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of John Wilcock
>> Sent: Friday, July 20, 2007 3:27 AM
>> To: MailScanner discussion
>> Subject: Re: Request for comments
>>
>> Matt Kettler wrote:
>>> No, since when are rulesets in MailScanner in any way redundant with SA?
>>> SA can't do something like:
>>> quarantine any message with subject text "You've won"
>>> delete any message with the subject text "postcard"
>>>
>>> Sure you can use SA's rule scores to force your "high scoring spam
>>> action", but you can't do *BOTH* of the above actions at the same time.
>>> But MailScanner rulesets can.
>>
>> An alternative suggestion would be to allow MailScanner rulesets based
>> on SA rule names. This could be potentially far more flexible than just
>> based on the Subject:, enabling you to take action on just about
>> anything in the message. Simply write a custom rule, score it at 0.001
>> if you don't want it to affect the spam score, and trigger a MailScanner
>> action as a result. Got doubts about a new rule's false positive rate?
>> No problem, quarantine all messages that hit the rule. The possibilities
>> are endless.
>>
>> John.
>
> Jules
>

From glenn.steen at gmail.com Fri Jul 20 15:21:06 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 20 15:21:07 2007
Subject: Password protect
In-Reply-To:
References:
Message-ID: <223f97700707200721g710f6846ga8807d99caea5f7d@mail.gmail.com>

On 20/07/07, Support wrote:
> Hello
> I want the password protected and encrypted messages to go to
> quarantine. Now they are deleted every time. What do I have to do??
>
> Regards David
>

1. Set
http://www.mailscanner.info/MailScanner.conf.index.html#Allow%20Password-Protected%20Archives
either to yes (blanket allow) or to a ruleset allowing just a few
(specific users).
2. Perhaps set how deep into archives you try to scan to 0 (ie not a look
inside at all). Only do this if it complains about it in the logs.
3. Check that your AV scanners don't detect them as viruses/suspicious
files.... How to handle that depends on which scanners you use.

Think that should be about it:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From sandrews at andrewscompanies.com Fri Jul 20 15:26:00 2007
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Fri Jul 20 15:26:02 2007
Subject: Request for comments
In-Reply-To: <46A0B523.20401@ecs.soton.ac.uk>
References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr><1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk>
Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0F38@winchester.andrewscompanies.com>

I say do both. People didn't know how to use hammers until somebody made
them first.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Friday, July 20, 2007 9:14 AM
To: MailScanner discussion
Subject: Re: Request for comments

That would be easy to add. Would many people use it?
It would just be an "Adjust SpamAssassin Score" configuration option.

I'm still unconvinced that adding the Subject matching would actually
get used by many people. Very few people have said "yes, I have a
definite need and a use for it".

Steven Andrews wrote:
> A little off the topic here, but regarding new features...what about
> being able to add score to a TLD or domain by rule?
>
> Ex:
>
> Gmail.com yes 1.0
> Hotmail.com yes 10.0
> Mydominan.com yes -10.0
> Otherdomain.com no
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of John Wilcock
> Sent: Friday, July 20, 2007 3:27 AM
> To: MailScanner discussion
> Subject: Re: Request for comments
>
> Matt Kettler wrote:
>> No, since when are rulesets in MailScanner in any way redundant with SA?
>> SA can't do something like:
>> quarantine any message with subject text "You've won"
>> delete any message with the subject text "postcard"
>>
>> Sure you can use SA's rule scores to force your "high scoring spam
>> action", but you can't do *BOTH* of the above actions at the same time.
>> But MailScanner rulesets can.
>
> An alternative suggestion would be to allow MailScanner rulesets based
> on SA rule names. This could be potentially far more flexible than just
> based on the Subject:, enabling you to take action on just about
> anything in the message. Simply write a custom rule, score it at 0.001
> if you don't want it to affect the spam score, and trigger a MailScanner
> action as a result. Got doubts about a new rule's false positive rate?
> No problem, quarantine all messages that hit the rule. The possibilities
> are endless.
>
> John.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
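Added example (not code from the thread or from MailScanner): the split problem Rick Cooper describes in the UNKNOWN CLAMD RETURN thread above, run against the result line quoted there, followed by a parse that files a header hit under an empty part name as Julian Field advises. The function names, the %infections layout, the report wording and the second sample line are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# First line: the result quoted in the thread. Second line: constructed
# (hypothetical shape), used only to exercise the "no detection" path.
my @samples = (
    './E36817CEF53.9B2FD.header/Email.Scam4.Gen824.Sanesecurity.07051409 FOUND',
    './DA5777CF28A.F0607.header/OK',
);

# The condition from the first patch. The line holds only two slashes, so
# split() yields three fields and $rest is undef: the test never fires and
# the line falls through to the UNKNOWN CLAMD RETURN error.
sub first_patch_matches {
    my ($results) = @_;
    my ($dot, $childname, $filename, $rest) = split('/', $results);
    no warnings 'uninitialized';    # $rest is undef for this line shape
    return ($childname =~ /\.header$/ && $rest =~ /\sFOUND$/) ? 1 : 0;
}

# Corrected parse. Returns (id, part, signature) for a header detection and
# an empty list for anything else. part is '' so that the report covers the
# whole message instead of naming an attachment that does not exist.
sub parse_header_hit {
    my ($results) = @_;
    # Limit 3 keeps everything after the second slash in one field.
    my ($dot, $childname, $filename) = split m{/}, $results, 3;
    return unless defined $filename;
    return unless $filename =~ /^(\S+)\sFOUND$/;
    my $signature = $1;
    return unless $childname =~ /^(.+)\.header$/;
    my $id = $1;    # assumption: message id is the child name minus ".header"
    return ($id, '', $signature);
}

my %infections;     # hypothetical store: $infections{$id}{$part} = report text
for my $line (@samples) {
    printf "first patch matches: %d  line: %s\n",
        first_patch_matches($line), $line;
    my ($id, $part, $signature) = parse_header_hit($line) or next;
    # Report wording is constructed for this example.
    $infections{$id}{$part} = "Clamd: header was infected: $signature FOUND";
}

for my $id (sort keys %infections) {
    for my $part (sort keys %{ $infections{$id} }) {
        my $where = $part eq '' ? 'entire message' : $part;
        print "$id [$where] $infections{$id}{$part}\n";
    }
}
```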
From mkettler at evi-inc.com Fri Jul 20 15:31:35 2007 
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Jul 20 15:32:46 2007
Subject: Request for comments
In-Reply-To: <46A0B523.20401@ecs.soton.ac.uk>
References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk>
Message-ID: <46A0C747.7000103@evi-inc.com>

Julian Field wrote:
> That would be easy to add. Would many people use it?
> It would just be an "Adjust SpamAssassin Score" configuration option.

I don't think that would be useful Julian. If they wanted to adjust the
SA score, that's easy to do in SA. It's also not what Steven was
suggesting, at least as far as I can tell.

As I understand it, Steven was to allow checking for a particular SA
rule-hit in a ruleset (ie: SPF_FAIL). Not to modify the score.

Unfortunately, the big question is what ruleset would you use this in?

This could be useful in a "Spam Actions" ruleset. You could then use
specific SA rules to further modify your spam actions.

But really this would almost need the creation of a "All Messages
Actions" ruleset. Because you'd really want to use it on all messages,
not just ones over the spam or high-spam score thresholds.

ie: If I wanted to quarantine all messages matching some rule, say one
of the ImageInfo or PDFInfo rules, I'd want to do it to all messages,
even FN's.

>
> I'm still unconvinced that adding the Subject matching would actually
> get used by many people. Very few people have said "yes, I have a
> definite need and a use for it".

I somewhat agree.. I could possibly see it to bypass SpamAssassin
scanning based on subject text, but other features of the message would
be better for this than subject lines. (that said, matching a List-Id:
or X-BeenThere: header might be nice for lists that keep changing their
sending servers.)

>> An alternative suggestion would be to allow MailScanner rulesets based
>> on SA rule names. This could be potentially far more flexible than just
>> based on the Subject:, enabling you to take action on just about
>> anything in the message. Simply write a custom rule, score it at 0.001
>> if you don't want it to affect the spam score, and trigger a MailScanner
>> action as a result. Got doubts about a new rule's false positive rate?
>> No problem, quarantine all messages that hit the rule. The possibilities
>> are endless.
>>
>> John.
>
> Jules
>

From sandrews at andrewscompanies.com Fri Jul 20 15:48:42 2007
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Fri Jul 20 15:48:45 2007
Subject: Request for comments
In-Reply-To: <46A0C747.7000103@evi-inc.com>
References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com><46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com>
Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0F3A@winchester.andrewscompanies.com>

No, I'm pretty sure I was suggesting an Adjust SA Score by a ruleset.

Steve

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Kettler
Sent: Friday, July 20, 2007 10:32 AM
To: MailScanner discussion
Subject: Re: Request for comments

Julian Field wrote:
> That would be easy to add. Would many people use it?
> It would just be an "Adjust SpamAssassin Score" configuration option.

I don't think that would be useful Julian. If they wanted to adjust the
SA score, that's easy to do in SA. It's also not what Steven was
suggesting, at least as far as I can tell.

As I understand it, Steven was to allow checking for a particular SA
rule-hit in a ruleset (ie: SPF_FAIL). Not to modify the score.

Unfortunately, the big question is what ruleset would you use this in?

This could be useful in a "Spam Actions" ruleset. You could then use
specific SA rules to further modify your spam actions.

But really this would almost need the creation of a "All Messages
Actions" ruleset. Because you'd really want to use it on all messages,
not just ones over the spam or high-spam score thresholds.

ie: If I wanted to quarantine all messages matching some rule, say one
of the ImageInfo or PDFInfo rules, I'd want to do it to all messages,
even FN's.

>
> I'm still unconvinced that adding the Subject matching would actually
> get used by many people. Very few people have said "yes, I have a
> definite need and a use for it".

I somewhat agree.. I could possibly see it to bypass SpamAssassin
scanning based on subject text, but other features of the message would
be better for this than subject lines. (that said, matching a List-Id:
or X-BeenThere: header might be nice for lists that keep changing their
sending servers.)

>> An alternative suggestion would be to allow MailScanner rulesets based
>> on SA rule names. This could be potentially far more flexible than just
>> based on the Subject:, enabling you to take action on just about
>> anything in the message. Simply write a custom rule, score it at 0.001
>> if you don't want it to affect the spam score, and trigger a MailScanner
>> action as a result. Got doubts about a new rule's false positive rate?
>> No problem, quarantine all messages that hit the rule. The possibilities
>> are endless.
>>
>> John.
>
> Jules
>

From dgottsc at emory.edu Fri Jul 20 17:12:08 2007
From: dgottsc at emory.edu (Gottschalk, David)
Date: Fri Jul 20 17:12:31 2007
Subject: Password protect
In-Reply-To: <223f97700707200721g710f6846ga8807d99caea5f7d@mail.gmail.com>
References: <223f97700707200721g710f6846ga8807d99caea5f7d@mail.gmail.com>
Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3D3E@RDPEXCH2.Eu.Emory.Edu>

Anyone know if it's possible to send a bounce back to the sender if a
password protected archive is quarantined? The "Notify Senders Of Blocked
Filenames Or Filetypes" and "Notify Senders Of Other Blocked Content"
don't seem to do anything with regards to encrypted archives.

Thanks.

David Gottschalk
david.gottschalk@emory.edu

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Friday, July 20, 2007 10:21 AM
To: MailScanner discussion
Subject: Re: Password protect

On 20/07/07, Support wrote:
> Hello
> I want that the password protected and encrypted messages are going
> to quarantine. Now they are deleted every time. What I have to do??
>
> Regards David
>

1. Set http://www.mailscanner.info/MailScanner.conf.index.html#Allow%20Password-Protected%20Archives either to yes (blanket allow) or to a ruleset allowing just a few (specific users).
2. Perhaps set how deep into archives you try to scan to 0 (ie not a look inside at all). Only do this if it complains about it in the logs.
3. Check that your AV scanners don't detect them as viruses/suspicious files.... How to handle that depends on which scanners you use.

Think that should be about it:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From daniel.maher at ubisoft.com Fri Jul 20 17:18:10 2007
From: daniel.maher at ubisoft.com (Daniel Maher) Date: Fri Jul 20 17:18:16 2007 Subject: mailscanner occasionally denying certain blackberry emails Message-ID: <1E293D3FF63A3740B10AD5AAD88535D2057DC7CD@UBIMAIL1.ubisoft.org> Hello all, I have a situation where MailScanner will occasionally block attachments in emails generated by the Blackberry service. Normally the attachments are not blocked, but every once in a while, it gets replaced with the "Warning: This message has had one or more attachments removed..." message. The name of the attachment, in every instance, is "ETP.DAT", which shouldn't trigger filename rules (and, indeed, normally doesn't). Does anybody have any ideas where I could even start looking this intermittent, and bizarrely inconsistent, problem? Thanks! -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator "The most incomprehensible thing about the world is that it is comprehensible." -- Albert Einstein. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070720/d91db352/attachment.html From mkettler at evi-inc.com Fri Jul 20 17:40:13 2007 
From: mkettler at evi-inc.com (Matt Kettler) Date: Fri Jul 20 17:41:23 2007 Subject: Request for comments In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0F3A@winchester.andrewscompanies.com> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com><46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com> <1964AAFBC212F742958F9275BF63DBB04B0F3A@winchester.andrewscompanies.com> Message-ID: <46A0E56D.6040301@evi-inc.com> Steven Andrews wrote: > No, I'm pretty sure I was suggesting an Adjust SA Score by a ruleset. > > Steve But why? From glenn.steen at gmail.com Fri Jul 20 17:49:17 2007 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 20 17:49:19 2007
Subject: mailscanner occasionally denying certain blackberry emails
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D2057DC7CD@UBIMAIL1.ubisoft.org>
References: <1E293D3FF63A3740B10AD5AAD88535D2057DC7CD@UBIMAIL1.ubisoft.org>
Message-ID: <223f97700707200949x64c07c77ta326e1526bd1c16d@mail.gmail.com>

On 20/07/07, Daniel Maher wrote:
> Hello all,
>
> I have a situation where MailScanner will occasionally block attachments in
> emails generated by the Blackberry service. Normally the attachments are
> not blocked, but every once in a while, it gets replaced with the "Warning:
> This message has had one or more attachments removed..." message. The name of
> the attachment, in every instance, is "ETP.DAT", which shouldn't trigger
> filename rules (and, indeed, normally doesn't).
>
> Does anybody have any ideas where I could even start looking this
> intermittent, and bizarrely inconsistent, problem?
>
> Thanks!
>

Look closely at what it really says and you'll find that the binary file ETP.DAT (that is also attached as an ascii armored thing ... stupid, is what it all is...) will sometimes "aggravate" your file command, specifically MS-DOS Executable "magic" patterns of one (1) byte. Simply remove these from your magic file (edit the text variant, use the file command to "recompile" it), and you'll be fine.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jefframsey at tubafor.com Fri Jul 20 17:55:14 2007
From: jefframsey at tubafor.com (Jeff Ramsey) Date: Fri Jul 20 17:55:26 2007 Subject: Mailscanner Gateway does not reject unknown users (more of a sendmail question, I think) Message-ID: <46E2C5BC-2CEA-44F0-AB36-2F24CA19369F@tubafor.com> I have read a few places on the net that claim this has been well covered, but I cannot seem to find a configuration that works. It either forwards all nonspam email on to my internal sendmail server, or it rejects the unknown user messages but then does not relay any email onto the internal email server. If I list my domains in local-host-names, it does not relay any more email for those domains, period. If I don't list the domains there, it does not check incoming mail for a valid email address. Can anyone point me in the right direction? Jeff Ramsey MIS Administrator TMI Forest Products, Inc. jefframsey@tubafor.com 360.477.0738 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070720/ca1959dc/attachment.html From sandrews at andrewscompanies.com Fri Jul 20 17:55:30 2007 
From: sandrews at andrewscompanies.com (Steven Andrews)
Date: Fri Jul 20 17:55:32 2007
Subject: Request for comments
In-Reply-To: <46A0E56D.6040301@evi-inc.com>
References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com><46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com><1964AAFBC212F742958F9275BF63DBB04B0F3A@winchester.andrewscompanies.com> <46A0E56D.6040301@evi-inc.com>
Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0F3C@winchester.andrewscompanies.com>

Why not? I know specious argument, but this would work well so you could apply a penalty or a credit to a certain domain.

Blackberry devices are just an example, they always trigger certain rules that push their scores up. Are they going to change that fact? Nope. Do I want to lower the value of those rules? Nope. They catch other traffic. Do I want to whitelist blackberries entirely...no way. If I had a mechanism to punish or credit a certain domain, that would allow such a situation where I can keep rules intact but adjust the spamminess of a domain.

As well, say you never want to get another email from New Zealand (apologies to New Zealanders ahead of time), you just add a rule to make their mail so spammy you never see it.

Some of you will say, this is better handled at the MTA; maybe so. But handling it after the MTA gives me more flexibility as to what I want to do with it and then, say with mailwatch, easily track what I've done.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Kettler Sent: Friday, July 20, 2007 12:40 PM To: MailScanner discussion Subject: Re: Request for comments Steven Andrews wrote: > No, I'm pretty sure I was suggesting an Adjust SA Score by a ruleset. > > Steve But why? From ms-list at alexb.ch Fri Jul 20 18:15:18 2007
From: ms-list at alexb.ch (Alex Broens) Date: Fri Jul 20 18:15:25 2007 Subject: Request for comments In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0F3C@winchester.andrewscompanies.com> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com><46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com><1964AAFBC212F742958F9275BF63DBB04B0F3A@winchester.andrewscompanies.com> <46A0E56D.6040301@evi-inc.com> <1964AAFBC212F742958F9275BF63DBB04B0F3C@winchester.andrewscompanies.com> Message-ID: <46A0EDA6.5030007@alexb.ch> On 7/20/2007 6:55 PM, Steven Andrews wrote: > Why not? I know specious argument, but this would work well so you > could apply a penalty or a credit to a certain domain. > > Blackberry devices are just an example, they always trigger certain > rules that push their scores up. Are they going to change that fact? > Nope. Do I want to lower the value of those rules? Nope. They catch > other traffic. Do I want to whitelist blackberries entirely...no way. > If I had a mechanism to punish or credit a certain domain, that would > allow such a situation where I can keep rules intact but adjust the > spamminess of a domain. header BLACKBERY_PASSTHRU Received =~ /smtp[0-9]{2}\.\w+\.\w+\.blackberry\.com\b/ score BLACKBERY_PASSTHRU -5.0 does the trick for me > > As well, say you never want to get another email from new zeland > (appoligies to new zelanders ahead of time), you just add a rule to make > their mail so spammy you never see it. use a SA header rule - works nicely for mail from paraguay I don't need on my home boxes. Score 200 = SMTP Reject > Some of you will say, this is better handled at the MTA; maybe so. 
But > handling it after the MTA give me more flexibility as to what I want to > do with it and then, say with mailwatch, easily track what I've done. SA rules in SQL would solve this... :-) > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt > Kettler > Sent: Friday, July 20, 2007 12:40 PM > To: MailScanner discussion > Subject: Re: Request for comments > > Steven Andrews wrote: >> No, I'm pretty sure I was suggesting an Adjust SA Score by a ruleset. >> >> Steve > > But why? > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From mkettler at evi-inc.com Fri Jul 20 18:19:20 2007 
From: mkettler at evi-inc.com (Matt Kettler) Date: Fri Jul 20 18:20:51 2007 Subject: Request for comments In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0F3C@winchester.andrewscompanies.com> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com><46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com><1964AAFBC212F742958F9275BF63DBB04B0F3A@winchester.andrewscompanies.com> <46A0E56D.6040301@evi-inc.com> <1964AAFBC212F742958F9275BF63DBB04B0F3C@winchester.andrewscompanies.com> Message-ID: <46A0EE98.8060103@evi-inc.com> Steven Andrews wrote: > Why not? I know specious argument, but this would work well so you > could apply a penalty or a credit to a certain domain. > > Blackberry devices are just an example, they always trigger certain > rules that push their scores up. Are they going to change that fact? > Nope. Do I want to lower the value of those rules? Nope. They catch > other traffic. Do I want to whitelist blackberries entirely...no way. > If I had a mechanism to punish or credit a certain domain, that would > allow such a situation where I can keep rules intact but adjust the > spamminess of a domain. My question is why not do this in SpamAssassin directly. ie: what value is there in adding this feature to MailScanner. If you're just doing score adjustments, a simple SpamAssassin rule has by FAR more power and flexibility, and isn't difficult. Some trivial examples: header FROM_BB From =~ /\@blackberry\.net/ describe FROM_BB addressed from blackberry.net score FROM_BB -2.0 header SUBJ_SOMETHING Subject =~ /some trigger text/i describe SUBJ_SOMETHING has some trigger text in the subject score SUBJ_SOMETHING -1.0 From mkettler at evi-inc.com Fri Jul 20 18:36:08 2007 
From: mkettler at evi-inc.com (Matt Kettler) Date: Fri Jul 20 18:37:29 2007 Subject: Request for comments In-Reply-To: <46A0EDA6.5030007@alexb.ch> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com><46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com><1964AAFBC212F742958F9275BF63DBB04B0F3A@winchester.andrewscompanies.com> <46A0E56D.6040301@evi-inc.com> <1964AAFBC212F742958F9275BF63DBB04B0F3C@winchester.andrewscompanies.com> <46A0EDA6.5030007@alexb.ch> Message-ID: <46A0F288.4050005@evi-inc.com> Alex Broens wrote: > On 7/20/2007 6:55 PM, Steven Andrews wrote: >> Why not? I know specious argument, but this would work well so you >> could apply a penalty or a credit to a certain domain. >> >> Blackberry devices are just an example, they always trigger certain >> rules that push their scores up. Are they going to change that fact? >> Nope. Do I want to lower the value of those rules? Nope. They catch >> other traffic. Do I want to whitelist blackberries entirely...no way. >> If I had a mechanism to punish or credit a certain domain, that would >> allow such a situation where I can keep rules intact but adjust the >> spamminess of a domain. > > header BLACKBERY_PASSTHRU Received =~ > /smtp[0-9]{2}\.\w+\.\w+\.blackberry\.com\b/ > score BLACKBERY_PASSTHRU -5.0 > Even better, use X-Spam-Relays-Untrusted. It's a fake header generated by SA that contains pre-parsed Received: headers. Its format is constant and isn't MTA specific. The first entry is the host delivering to your last trusted server. ie: if your trusted_networks isn't broken the last trusted server, making the machine dropping mail off at your network the first untrusted. 
This little trick starts at the beginning of the text (hence the first ^) and scans ahead for blackberry.com, but will stop if it encounters a ] (which would be the closing bracket of the end of the first entry)

header BLACKBERY_PASSTHRU X-Spam-Relays-Untrusted =~ /^[^\]]+rdns=smtp[0-9]{2}\.\w+\.\w+\.blackberry\.com\n/

You can see X-Spam-Relays-Untrusted in a run of spamassassin -D...

[5344] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=83.98.192.7 rdns=safir.blacknight.ie helo=safir.blacknight.ie by=xanadu.evi-inc.com ident= envfrom= intl=0 id=l6C5gCkB027160 auth= ] [ ip=127.0.0.1 rdns=safir.blacknight.ie helo=safir.blacknight.ie by=safir.blacknight.ie ident= envfrom= intl=0 id=l6C5eaJF002802 auth= ]

From ka at pacific.net Fri Jul 20 18:52:15 2007
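The first-entry anchoring described in the preceding message, as an added example that is not part of the original thread: a Python sketch that parses an X-Spam-Relays-Untrusted value and runs both rule styles from the thread over sample messages. The hostnames, addresses and ids are constructed, and the `(?=\s)` terminator is this example's assumption, chosen because fields inside an entry are separated by spaces.

```python
import re

# Rule pattern from the thread, anchored at the start of the pseudo-header so
# that only the first relay entry is examined. The (?=\s) terminator is this
# example's assumption: fields inside an entry are separated by spaces.
FIRST_ENTRY_RULE = re.compile(
    r"^[^\]]+rdns=smtp[0-9]{2}\.\w+\.\w+\.blackberry\.com(?=\s)"
)
# The earlier rule from the thread, which searches raw Received: text.
RAW_RECEIVED_RULE = re.compile(r"smtp[0-9]{2}\.\w+\.\w+\.blackberry\.com\b")

ENTRY_RE = re.compile(r"\[\s*([^\]]*?)\s*\]")   # one "[ ... ]" relay entry
FIELD_RE = re.compile(r"(\w+)=(\S*)")           # key=value, value may be empty


def parse_relays(value):
    """Return one dict per relay entry; the first is nearest to your network."""
    return [dict(FIELD_RE.findall(body)) for body in ENTRY_RE.findall(value)]


def first_untrusted_rdns(value):
    """rdns of the host that handed the mail to the last trusted server."""
    relays = parse_relays(value)
    return relays[0].get("rdns", "") if relays else ""


def evaluate(relays_untrusted, raw_received):
    """Run both rule styles against the same message."""
    return {
        "first_rdns": first_untrusted_rdns(relays_untrusted),
        "first_entry_rule": bool(FIRST_ENTRY_RULE.search(relays_untrusted)),
        "raw_received_rule": bool(RAW_RECEIVED_RULE.search(raw_received)),
    }


# Constructed samples: (X-Spam-Relays-Untrusted value, raw Received text).
BB = "smtp01.zone.region.blackberry.com"          # constructed hostname

DIRECT = (
    f"[ ip=192.0.2.10 rdns={BB} helo={BB} by=mx.example.org "
    "ident= envfrom= intl=0 id=CONSTRUCTED1 auth= ]",
    f"from {BB} ({BB} [192.0.2.10]) by mx.example.org",
)

# Delivered by another host; the blackberry.com name appears only in an
# older Received line, which becomes the second relay entry.
VIA_OTHER_HOST = (
    "[ ip=198.51.100.7 rdns=host.example.net helo=mail.example.net "
    "by=mx.example.org ident= envfrom= intl=0 id=CONSTRUCTED2 auth= ] "
    f"[ ip=192.0.2.10 rdns={BB} helo={BB} by=mail.example.net "
    "ident= envfrom= intl=0 id=CONSTRUCTED3 auth= ]",
    "from mail.example.net (host.example.net [198.51.100.7]) by mx.example.org\n"
    f"from {BB} ({BB} [192.0.2.10]) by mail.example.net",
)

# The delivering host's name only begins with the pattern.
LONGER_NAME = (
    f"[ ip=203.0.113.5 rdns={BB}.example.net helo=mail.example.net "
    "by=mx.example.org ident= envfrom= intl=0 id=CONSTRUCTED4 auth= ]",
    f"from mail.example.net ({BB}.example.net [203.0.113.5]) by mx.example.org",
)

if __name__ == "__main__":
    for name, sample in (("direct", DIRECT),
                         ("via other host", VIA_OTHER_HOST),
                         ("longer name", LONGER_NAME)):
        print(name, evaluate(*sample))
```

Only the directly delivered sample hits the first-entry rule, while the raw Received pattern hits all three, which is why a negative score is safer on the anchored form.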
From: ka at pacific.net (Ken A) Date: Fri Jul 20 18:52:17 2007 Subject: Mailscanner Gateway does not reject unknown users (more of a sendmail question, I think) In-Reply-To: <46E2C5BC-2CEA-44F0-AB36-2F24CA19369F@tubafor.com> References: <46E2C5BC-2CEA-44F0-AB36-2F24CA19369F@tubafor.com> Message-ID: <46A0F64F.1070609@pacific.net> Jeff Ramsey wrote: > I have read a few places on the net that claim this has been well > covered, but I cannot seem to find a configuration that works. > > It either forwards all nonspam email on to my internal sendmail server, > or it rejects the unknown user messages but then does not relay any > email onto the internal email server. > > If I list my domains in local-host-names, it does not relay any more > email for those domains, period. If I don't list the domains there, it > does not check incoming mail for a valid email address. > > Can anyone point me in the right direction? mailertable domain.tld esmtp:[mailhub.otherdomain.tld] Ken > > > > Jeff Ramsey > MIS Administrator > TMI Forest Products, Inc. > jefframsey@tubafor.com > 360.477.0738 > > > > > > --This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- Ken Anderson Pacific.Net From ms-list at alexb.ch Fri Jul 20 18:59:56 2007 
From: ms-list at alexb.ch (Alex Broens) Date: Fri Jul 20 19:00:07 2007 Subject: Request for comments In-Reply-To: <46A0F288.4050005@evi-inc.com> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com><46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com><1964AAFBC212F742958F9275BF63DBB04B0F3A@winchester.andrewscompanies.com> <46A0E56D.6040301@evi-inc.com> <1964AAFBC212F742958F9275BF63DBB04B0F3C@winchester.andrewscompanies.com> <46A0EDA6.5030007@alexb.ch> <46A0F288.4050005@evi-inc.com> Message-ID: <46A0F81C.7070403@alexb.ch> On 7/20/2007 7:36 PM, Matt Kettler wrote: > Alex Broens wrote: >> On 7/20/2007 6:55 PM, Steven Andrews wrote: >>> Why not? I know specious argument, but this would work well so you >>> could apply a penalty or a credit to a certain domain. >>> >>> Blackberry devices are just an example, they always trigger certain >>> rules that push their scores up. Are they going to change that fact? >>> Nope. Do I want to lower the value of those rules? Nope. They catch >>> other traffic. Do I want to whitelist blackberries entirely...no way. >>> If I had a mechanism to punish or credit a certain domain, that would >>> allow such a situation where I can keep rules intact but adjust the >>> spamminess of a domain. >> header BLACKBERY_PASSTHRU Received =~ >> /smtp[0-9]{2}\.\w+\.\w+\.blackberry\.com\b/ >> score BLACKBERY_PASSTHRU -5.0 >> > > Even better, use X-Spam-Relays-Untrusted. It's a fake header generated by SA > that contains pre-parsed Received: headers. Its format is constant and isn't MTA > specific. The first entry is the host delivering to your last trusted server. > ie: if your trusted_networks isn't broken the last trusted server, making the > machine dropping mail off at your network the first untrusted. 
>
>
> This little trick starts at the beginning of the text (hence the first ^) and
> scans ahead for blackberry.com, but will stop if it encounters a ] (which would
> be the closing bracket of the end of the first entry)
>
> header BLACKBERY_PASSTHRU X-Spam-Relays-Untrusted =~
> /^[^\]]+rdns=smtp[0-9]{2}\.\w+\.\w+\.blackberry\.com\n/

DOH!
used that for other stuff.. dunno why I didn't think of it for the "blueberries"

thanks for the hint

Alex

From dgottsc at emory.edu Fri Jul 20 19:05:56 2007
From: dgottsc at emory.edu (Gottschalk, David) Date: Fri Jul 20 19:06:04 2007 Subject: MailScanner broken suddenly?!?! Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu> I have 5 MailScanner machines. I had to do some configuration changes, so I restarted them. One of them now appears to be completely hosed. I've checked my configuration, and can't figure out what is going on. I don't see anything wrong at all. -sh-3.00$ sudo /usr/sbin/MailScanner --lint Checking version numbers... Version installed (4.60.8) does not match version stated in MailScanner.conf file (4.57.6), you may want to run upgrade_MailScanner_conf to ensure your MailScanner.conf file contains all the latest settings. Checking for SpamAssassin errors (if you use it)... Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. Using locktype = posix Creating hardcoded struct_flock subroutine for linux (Linux-type) MailScanner.conf says "Virus Scanners = auto" Found these virus scanners installed: bitdefender, clamavmodule Here is what is going on: 1. MailScanner starts, but just sits there does nothing: root 22553 1 0 13:58 ? 00:00:00 MailScanner: master waiting for children, sleeping root 22554 22553 70 13:58 ? 00:00:35 MailScanner: starting children root 22624 22553 69 13:58 ? 00:00:31 MailScanner: starting children root 22680 22553 67 13:58 ? 00:00:27 MailScanner: starting children root 22733 22553 73 13:58 ? 00:00:26 MailScanner: starting children root 22780 22553 44 13:58 ? 00:00:13 MailScanner: starting children root 22831 22553 42 13:58 ? 00:00:10 MailScanner: starting children root 22884 22553 47 13:58 ? 00:00:09 MailScanner: starting children root 22957 22553 44 13:59 ? 00:00:07 MailScanner: starting children root 23005 22553 31 13:59 ? 00:00:03 MailScanner: starting children root 23054 22553 49 13:59 ? 
00:00:02 MailScanner: starting children If I trace a childre process, here is what it is doing over and over: sudo strace -p 19920 Process 19920 attached - interrupt to quit read(12, "b560c3b9f08759aa3aa90:Trojan.Spy"..., 4096) = 4096 read(12, ":Trojan.Spy-3720\n353280:f604589b"..., 4096) = 4096 read(12, "55d8571268b7:Trojan.Clicker-133\n"..., 4096) = 4096 read(12, "5b7b476404e1ea6dc24d48e50bdfa:Tr"..., 4096) = 4096 read(12, "ba8f709e8b588009a34ee19ee1:Troja"..., 4096) = 4096 read(12, "d5:Trojan.Spy-3998\n284672:7801e5"..., 4096) = 4096 read(12, "6\n12288:6bfa649c48fc5982b231a2bb"..., 4096) = 4096 brk(0x4f23000) = 0x4f23000 read(12, "n.Spy-4128\n21504:3b072d4e76b7173"..., 4096) = 4096 read(12, "bbe4f7d647f109b5317dd8794715:Tro"..., 4096) = 4096 read(12, "n.Downloader-4997\n36864:bcc236c3"..., 4096) = 4096 read(12, "der-5167\n29696:f7d986ddcc013d8e0"..., 4096) = 4096 read(12, "f7e121997:Trojan.Downloader-5070"..., 4096) = 4096 read(12, ".Downloader-5107\n10240:efd91a6ea"..., 4096) = 4096 read(12, "ec7:Trojan.Downloader-4916\n2048:"..., 4096) = 4096 read(12, "nloader-5244\n4768:096cc4cd04d5cf"..., 4096) = 4096 read(12, ":Trojan.Bancos-3284\n271360:2bc5f"..., 4096) = 4096 read(12, "ncos-3342\n377344:04230b7482e189a"..., 4096) = 4096 read(12, "an.Spy-4204\n35840:4c8d2cbaf9ccaf"..., 4096) = 4096 read(12, "jan.Bancos-3492\n659968:49df0eba0"..., 4096) = 4096 read(12, "0:25f16f5f7ee84dee66f40f6c86e9b8"..., 4096) = 4096 read(12, "86:Trojan.Small-1634\n229888:3579"..., 4096) = 4096 read(12, "4d30b8cfcfe247337e424db964d816:T"..., 4096) = 4096 read(12, "576:3c44fb4c3e7a07aa1d49ce91c492"..., 4096) = 4096 read(12, "082cd8ac62e6878348b79:Trojan.Ban"..., 4096) = 4096 2. Strangely enough, if I start just MailScanner it works fine (with sendmail not running) 3. If I start MailScanner with sendmail to, it will just hang there as described. If I stop it, the master process dies for MailScanner, but the children hang. 4. 
I did have this problem, but I resolved it quickly by changing the option in MailScanner.conf to look for *.inc files. Jul 20 13:28:37 mr1 MailScanner[9747]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! Jul 20 13:28:47 mr1 MailScanner[8644]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! Any ideas? I'm banging my head. David Gottschalk david.gottschalk@emory.edu -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070720/79dbdafa/attachment-0001.html From ssilva at sgvwater.com Fri Jul 20 19:07:57 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Jul 20 19:08:09 2007 Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k" In-Reply-To: <469FCCFF.3080700@cnpapers.com> References: <012101c7c8bc$5498dee0$5713cc40@OCEANII> <469D4099.5040708@alexb.ch> <469FA620.5030208@cnpapers.com> <469FCCFF.3080700@cnpapers.com> Message-ID: Steve Campbell spake the following on 7/19/2007 1:43 PM: > > > Scott Silva wrote: >> Steve Campbell spake the following on 7/19/2007 10:57 AM: >> >>> Alex Broens wrote: >>> >>>> On 7/17/2007 11:49 PM, Michael R. Dilworth wrote: >>>> >>>>> Just to save some time for some of you, the 40k number >>>>> can is on the small side for some of the PDF spams I've been >>>>> receiving. >>>>> >>>> FWI: I'm using: >>>> >>>> Max Spam Check Size = 250000 >>>> Max SpamAssassin Size = 2500000 >>>> >>>> which, AFAIK are the default SA values. >>>> >>>> Alex >>>> -- >>>> *Spammer hell has no DSL* >>>> >>>> >>>> >>>> >>> Maybe it's because I'm not up-to-date on my MS, but I don't have a Max >>> Spam Check Size parameter in my configuration file. >>> >>> The only "Size" parms I have are as follows: >>> >>> Maximum Message Size = 0 >>> Maximum Attachment Size = -1 >>> Minimum Attachment Size = -1 >>> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes) >>> Max SpamAssassin Size = 2500000 >>> >> >> This setting will make mailscanner not send the message to >> spamassassin if it >> is over this size. Are the pdf spams bigger than that? >> >> >> > Everyone is missing my point I meant to make. > > I don't have the "Max Spam Check Size" in my configuration file to > change. It could have been missed in an upgrade, but I always use > Julian's upgrade_MailScanner_conf script and this parm is missing on 3 > different servers. > > Steve Campbell > > Nor do I, and I am running the latest stable (4.61.7-2). It must be in the latest beta. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From sandrews at andrewscompanies.com Fri Jul 20 19:08:53 2007 From: sandrews at andrewscompanies.com (Steven Andrews) Date: Fri Jul 20 19:08:55 2007 Subject: Request for comments In-Reply-To: <46A0EE98.8060103@evi-inc.com> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com><46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com><1964AAFBC212F742958F9275BF63DBB04B0F3A@winchester.andrewscompanies.com> <46A0E56D.6040301@evi-inc.com><1964AAFBC212F742958F9275BF63DBB04B0F3C@winchester.andrewscompanies.com> <46A0EE98.8060103@evi-inc.com> Message-ID: <1964AAFBC212F742958F9275BF63DBB04B0F3F@winchester.andrewscompanies.com> Ok, you got me there. You win. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Kettler Sent: Friday, July 20, 2007 1:19 PM To: MailScanner discussion Subject: Re: Request for comments Steven Andrews wrote: > Why not? I know specious argument, but this would work well so you > could apply a penalty or a credit to a certain domain. > > Blackberry devices are just an example, they always trigger certain > rules that push their scores up. Are they going to change that fact? > Nope. Do I want to lower the value of those rules? Nope. They catch > other traffic. Do I want to whitelist blackberries entirely...no way. > If I had a mechanism to punish or credit a certain domain, that would > allow such a situation where I can keep rules intact but adjust the > spamminess of a domain. My question is why not do this in SpamAssassin directly. ie: what value is there in adding this feature to MailScanner. If you're just doing score adjustments, a simple SpamAssassin rule has by FAR more power and flexibility, and isn't difficult. Some trivial examples: header FROM_BB From =~ /\@blackberry\.net/ describe FROM_BB addressed from blackberry.net score FROM_BB -2.0 header SUBJ_SOMETHING Subject =~ /some trigger text/i describe SUBJ_SOMETHING has some trigger text in the subject score SUBJ_SOMETHING -1.0 -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From dgottsc at emory.edu Fri Jul 20 19:25:46 2007 
From: dgottsc at emory.edu (Gottschalk, David)
Date: Fri Jul 20 19:28:09 2007
Subject: MailScanner problem
In-Reply-To:
References:
Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DCE@RDPEXCH2.Eu.Emory.Edu>

Yes, I'm in EST. I just found the problem myself too. It happened on one of my only boxes first because it updated before the others. Then all of the others went down too. I resolved it by removing clamav from the "Virus Scanners" option in MailScanner.conf. Luckily, I use two virus scanners. If you only use one, just disable it entirely temporarily.

David Gottschalk
david.gottschalk@emory.edu

________________________________
From: Bryan Guest [mailto:bryan.guest@gmail.com]
Sent: Friday, July 20, 2007 2:21 PM
To: david.gottschalk@emory.edu
Subject: re: MailScanner problem

Hello:

Are you in EST (gmt -05:00)? If so, the same thing happened to me at nearly the same time. It looks like a botched CLAMAV update that has hosed Mailscanner somehow. All my MailScanner processes hang at: starting children. Oddly it seems to only have happened to one machine. Let me know if you have any ideas. I am going to try to completely blow away the clamav database directory and start over there.

Bryan Guest
Bruce Telecom
bryan.guest@gmail.com

Message: 21
Date: Fri, 20 Jul 2007 14:05:56 -0400
From: "Gottschalk, David" > Subject: MailScanner broken suddenly?!?! To: MailScanner discussion < mailscanner@lists.mailscanner.info> Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu > Content-Type: text/plain; charset="us-ascii" I have 5 MailScanner machines. I had to do some configuration changes, so I restarted them. One of them now appears to be completely hosed. I've checked my configuration, and can't figure out what is going on. I don't see anything wrong at all. -sh-3.00$ sudo /usr/sbin/MailScanner --lint Checking version numbers... Version installed (4.60.8) does not match version stated in MailScanner.conf file (4.57.6), you may want to run upgrade_MailScanner_conf to ensure your MailScanner.conf file contains all the latest settings. Checking for SpamAssassin errors (if you use it)... Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. Using locktype = posix Creating hardcoded struct_flock subroutine for linux (Linux-type) MailScanner.conf says "Virus Scanners = auto" Found these virus scanners installed: bitdefender, clamavmodule Here is what is going on: 1. MailScanner starts, but just sits there does nothing: root 22553 1 0 13:58 ? 00:00:00 MailScanner: master waiting for children, sleeping root 22554 22553 70 13:58 ? 00:00:35 MailScanner: starting children root 22624 22553 69 13:58 ? 00:00:31 MailScanner: starting children root 22680 22553 67 13:58 ? 00:00:27 MailScanner: starting children root 22733 22553 73 13:58 ? 00:00:26 MailScanner: starting children root 22780 22553 44 13:58 ? 00:00:13 MailScanner: starting children root 22831 22553 42 13:58 ? 00:00:10 MailScanner: starting children root 22884 22553 47 13:58 ? 00:00:09 MailScanner: starting children root 22957 22553 44 13:59 ? 00:00:07 MailScanner: starting children root 23005 22553 31 13:59 ? 00:00:03 MailScanner: starting children root 23054 22553 49 13:59 ? 
00:00:02 MailScanner: starting children If I trace a childre process, here is what it is doing over and over: sudo strace -p 19920 Process 19920 attached - interrupt to quit read(12, "b560c3b9f08759aa3aa90:Trojan.Spy"..., 4096) = 4096 read(12, ":Trojan.Spy-3720\n353280:f604589b"..., 4096) = 4096 read(12, "55d8571268b7:Trojan.Clicker-133\n"..., 4096) = 4096 read(12, "5b7b476404e1ea6dc24d48e50bdfa:Tr"..., 4096) = 4096 read(12, "ba8f709e8b588009a34ee19ee1:Troja"..., 4096) = 4096 read(12, "d5:Trojan.Spy-3998\n284672:7801e5"..., 4096) = 4096 read(12, "6\n12288:6bfa649c48fc5982b231a2bb"..., 4096) = 4096 brk(0x4f23000) = 0x4f23000 read(12, "n.Spy-4128\n21504:3b072d4e76b7173"..., 4096) = 4096 read(12, "bbe4f7d647f109b5317dd8794715:Tro"..., 4096) = 4096 read(12, " n.Downloader-4997\n36864:bcc236c3"..., 4096) = 4096 read(12, "der-5167\n29696:f7d986ddcc013d8e0"..., 4096) = 4096 read(12, "f7e121997:Trojan.Downloader-5070"..., 4096) = 4096 read(12, ".Downloader-5107\n10240:efd91a6ea"..., 4096) = 4096 read(12, "ec7:Trojan.Downloader-4916\n2048:"..., 4096) = 4096 read(12, "nloader-5244\n4768:096cc4cd04d5cf"..., 4096) = 4096 read(12, ":Trojan.Bancos-3284\n271360:2bc5f"..., 4096) = 4096 read(12, "ncos-3342\n377344:04230b7482e189a"..., 4096) = 4096 read(12, "an.Spy-4204\n35840:4c8d2cbaf9ccaf"..., 4096) = 4096 read(12, "jan.Bancos-3492\n659968:49df0eba0"..., 4096) = 4096 read(12, "0:25f16f5f7ee84dee66f40f6c86e9b8"..., 4096) = 4096 read(12, "86:Trojan.Small-1634\n229888:3579"..., 4096) = 4096 read(12, "4d30b8cfcfe247337e424db964d816:T"..., 4096) = 4096 read(12, "576:3c44fb4c3e7a07aa1d49ce91c492"..., 4096) = 4096 read(12, "082cd8ac62e6878348b79:Trojan.Ban"..., 4096) = 4096 2. Strangely enough, if I start just MailScanner it works fine (with sendmail not running) 3. If I start MailScanner with sendmail to, it will just hang there as described. If I stop it, the master process dies for MailScanner, but the children hang. 4. 
I did have this problem, but I resolved it quickly by changing the option in MailScanner.conf to look for *.inc files. Jul 20 13:28:37 mr1 MailScanner[9747]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! Jul 20 13:28:47 mr1 MailScanner[8644]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! Any ideas? I'm banging my head. David Gottschalk david.gottschalk@emory.edu > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070720/a85cbc37/attachment.html From Richard.Frovarp at sendit.nodak.edu Fri Jul 20 19:28:16 2007 
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Fri Jul 20 19:28:19 2007
Subject: MailScanner broken suddenly?!?!
In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu>
References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu>
Message-ID: <46A0FEC0.9090200@sendit.nodak.edu>

What version of ClamAV? 0.90 takes a very long time to load signatures. I do have one box in which it was very quick. The other ones took at least 3 minutes to get up and going. Upgrading to 0.91 fixed that.

From dgottsc at emory.edu Fri Jul 20 19:41:14 2007
From: dgottsc at emory.edu (Gottschalk, David)
Date: Fri Jul 20 19:41:23 2007
Subject: MailScanner broken suddenly?!?!
In-Reply-To: <46A0FEC0.9090200@sendit.nodak.edu>
References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu> <46A0FEC0.9090200@sendit.nodak.edu>
Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1C3@RDPEXCH2.Eu.Emory.Edu>

ClamAV 0.90.3/3707/Fri Jul 20 12:08:45 2007

I think this is a different problem though, because it happened all at once. The children were hanging for 20+ mins or more until I realized they were doing nothing but what that trace showed me.

David Gottschalk

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From dave.list at pixelhammer.com Fri Jul 20 19:49:22 2007
From: dave.list at pixelhammer.com (DAve)
Date: Fri Jul 20 19:50:56 2007
Subject: MailScanner problem
In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DCE@RDPEXCH2.Eu.Emory.Edu>
References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DCE@RDPEXCH2.Eu.Emory.Edu>
Message-ID: <46A103B2.50608@pixelhammer.com>

Hmmm, we are not running the new version of ClamAV yet except in testing. So far I am considering that a wise decision on my part. Just when I think issues in the new ClamAV are resolved, someone else gets a bloody nose.

Version 88.x is still catching everything and is stable as a rock, and my pager is silent. Looks like we will sit out another update, or three, before we take the plunge.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans?

Maybe they forgot who made that choice possible.

From michael at dilworth.net Fri Jul 20 19:52:24 2007
From: michael at dilworth.net (Michael R. Dilworth)
Date: Fri Jul 20 19:52:45 2007
Subject: MailScanner broken suddenly?!?!
In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1C3@RDPEXCH2.Eu.Emory.Edu>
Message-ID: <086301c7caff$1c3c8cf0$5713cc40@OCEANII>

Happened here too just a few minutes ago. I wasted the ClamAV databases and at the moment freshclam can't connect to any of the mirrors. Same thing that happened last time ClamAV had a major update...

I commented out ClamAV for now and all is fine at the moment (yes I have multiple virus scanners). Note all is fine until MailScanner restarts, then it will hang with 100% cpu usage. Remember MailScanner restarts at least once a day.

From ms-list at alexb.ch Fri Jul 20 19:54:56 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Jul 20 19:55:03 2007
Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k"
In-Reply-To:
References: <012101c7c8bc$5498dee0$5713cc40@OCEANII> <469D4099.5040708@alexb.ch> <469FA620.5030208@cnpapers.com> <469FCCFF.3080700@cnpapers.com>
Message-ID: <46A10500.3090709@alexb.ch>

On 7/20/2007 8:07 PM, Scott Silva wrote:
> Steve Campbell spake the following on 7/19/2007 1:43 PM:
>>
>> Scott Silva wrote:
>>> Steve Campbell spake the following on 7/19/2007 10:57 AM:
>>>
>>>> Alex Broens wrote:
>>>>
>>>>> On 7/17/2007 11:49 PM, Michael R. Dilworth wrote:
>>>>>
>>>>>> Just to save some time for some of you, the 40k number
>>>>>> can is on the small side for some of the PDF spams I've been
>>>>>> receiving.
>>>>>>
>>>>> FWI: I'm using:
>>>>>
>>>>> Max Spam Check Size = 250000
>>>>> Max SpamAssassin Size = 2500000
>>>>>
>>>>> which, AFAIK are the default SA values.
>>>>>
>>>>> Alex
>>>>> --
>>>>> *Spammer hell has no DSL*
>>>>>
>>>> Maybe it's because I'm not up-to-date on my MS, but I don't have a Max
>>>> Spam Check Size parameter in my configuration file.
>>>>
>>>> The only "Size" parms I have are as follows:
>>>>
>>>> Maximum Message Size = 0
>>>> Maximum Attachment Size = -1
>>>> Minimum Attachment Size = -1
>>>> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
>>>> Max SpamAssassin Size = 2500000
>>>>
>>> This setting will make mailscanner not send the message to
>>> spamassassin if it
>>> is over this size. Are the pdf spams bigger than that?
>>>
>> Everyone is missing my point I meant to make.
>>
>> I don't have the "Max Spam Check Size" in my configuration file to
>> change. It could have been missed in an upgrade, but I always use
>> Julian's upgrade_MailScanner_conf script and this parm is missing on 3
>> different servers.
>>
>> Steve Campbell
>>
> Nor do I, and I am running the latest stable (4.61.7-2). It must be in the
> latest beta.
>

I'm using "This is MailScanner version 4.57.6" with these parameters

Alex

From bryan.guest at bmts.com Fri Jul 20 19:56:08 2007
From: bryan.guest at bmts.com (Bryan Guest)
Date: Fri Jul 20 19:56:13 2007
Subject: broken clamav update?
Message-ID: <013f01c7caff$a22121a0$0b01010a@DGPTBH91>

Hello:

Is anyone else seeing MailScanner fail to process messages from what appears to be a botched ClamAV update? One of my blades got hosed sometime after 13:00 EST (gmt -05:00).

Any assistance in clearing this up would be greatly appreciated.

Bryan Guest
Bruce Telecom

From dgottsc at emory.edu Fri Jul 20 19:59:32 2007
From: dgottsc at emory.edu (Gottschalk, David) Date: Fri Jul 20 19:59:44 2007 Subject: MailScanner broken suddenly?!?! In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1C3@RDPEXCH2.Eu.Emory.Edu> References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu> <46A0FEC0.9090200@sendit.nodak.edu> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1C3@RDPEXCH2.Eu.Emory.Edu> Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1DC@RDPEXCH2.Eu.Emory.Edu> So a few things I've just learned (I think everyone else is broken that is using clamav and doesn't know it yet, that's why they aren't replying) I just happened to be working on my boxes and noticed. I realized that the reason MailScanner worked temporarily is because I disabled scanning all together on the box with problems. I did this so my one broken box (at the time) could catch up since it was backed up big time. Clamscan takes forever to scan messages now. sudo clamscan -v mailertable.new Scanning mailertable.new mailertable.new: OK ----------- SCAN SUMMARY ----------- Known viruses: 139329 Engine version: 0.90.3 Scanned directories: 0 Scanned files: 1 Infected files: 0 Data scanned: 0.00 MB Time: 37.524 sec (0 m 37 s) -sh-3.00$ du -sh mailertable.new 12K mailertable.new All of my *.cvd directories in /usr/local/share/clamav are now gone. They are all renamed to *.inc at the time of the breakage. I think that could have been part of the problem, but I changed my config line in MailScanner, and that didn't resolve the hanging issue. David Gottschalk -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gottschalk, David Sent: Friday, July 20, 2007 2:41 PM To: MailScanner discussion Subject: RE: MailScanner broken suddenly?!?! ClamAV 0.90.3/3707/Fri Jul 20 12:08:45 2007 I think this is a different problem though, because it happened all at once. The children were hanging for 20+ mins or more until I realized they were doing nothing but what that trace showed me. David Gottschalk -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard Frovarp Sent: Friday, July 20, 2007 2:28 PM To: MailScanner discussion Subject: Re: MailScanner broken suddenly?!?! Gottschalk, David wrote: > I have 5 MailScanner machines. > > I had to do some configuration changes, so I restarted them. One of > them now appears to be completely hosed. I've checked my > configuration, and can't figure out what is going on. I don't see > anything wrong at all. > > -sh-3.00$ sudo /usr/sbin/MailScanner --lint Checking version > numbers... > Version installed (4.60.8) does not match version stated in > MailScanner.conf file (4.57.6), you may want to run > upgrade_MailScanner_conf to ensure your MailScanner.conf file contains > all the latest settings. > > Checking for SpamAssassin errors (if you use it)... > Using SpamAssassin results cache > Connected to SpamAssassin cache database SpamAssassin reported no > errors. > Using locktype = posix > Creating hardcoded struct_flock subroutine for linux (Linux-type) > MailScanner.conf says "Virus Scanners = auto" > Found these virus scanners installed: bitdefender, clamavmodule > > Here is what is going on: > > 1. MailScanner starts, but just sits there does nothing: > > root 22553 1 0 13:58 ? 00:00:00 MailScanner: master > waiting for children, sleeping > root 22554 22553 70 13:58 ? 00:00:35 MailScanner: starting > children > root 22624 22553 69 13:58 ? 00:00:31 MailScanner: starting > children > root 22680 22553 67 13:58 ? 00:00:27 MailScanner: starting > children > root 22733 22553 73 13:58 ? 00:00:26 MailScanner: starting > children > root 22780 22553 44 13:58 ? 00:00:13 MailScanner: starting > children > root 22831 22553 42 13:58 ? 00:00:10 MailScanner: starting > children > root 22884 22553 47 13:58 ? 00:00:09 MailScanner: starting > children > root 22957 22553 44 13:59 ? 00:00:07 MailScanner: starting > children > root 23005 22553 31 13:59 ? 
00:00:03 MailScanner: starting > children > root 23054 22553 49 13:59 ? 00:00:02 MailScanner: starting > children > If I trace a childre process, here is what it is doing over and over: > > sudo strace -p 19920 > Process 19920 attached - interrupt to quit read(12, > "b560c3b9f08759aa3aa90:Trojan.Spy"..., 4096) = 4096 read(12, > ":Trojan.Spy-3720\n353280:f604589b"..., 4096) = 4096 read(12, > "55d8571268b7:Trojan.Clicker-133\n"..., 4096) = 4096 read(12, > "5b7b476404e1ea6dc24d48e50bdfa:Tr"..., 4096) = 4096 read(12, > "ba8f709e8b588009a34ee19ee1:Troja"..., 4096) = 4096 read(12, > "d5:Trojan.Spy-3998\n284672:7801e5"..., 4096) = 4096 read(12, > "6\n12288:6bfa649c48fc5982b231a2bb"..., 4096) = 4096 > brk(0x4f23000) = 0x4f23000 > read(12, "n.Spy-4128\n21504:3b072d4e76b7173"..., 4096) = 4096 read(12, > "bbe4f7d647f109b5317dd8794715:Tro"..., 4096) = 4096 read(12, > "n.Downloader-4997\n36864:bcc236c3"..., 4096) = 4096 read(12, > "der-5167\n29696:f7d986ddcc013d8e0"..., 4096) = 4096 read(12, > "f7e121997:Trojan.Downloader-5070"..., 4096) = 4096 read(12, > ".Downloader-5107\n10240:efd91a6ea"..., 4096) = 4096 read(12, > "ec7:Trojan.Downloader-4916\n2048:"..., 4096) = 4096 read(12, > "nloader-5244\n4768:096cc4cd04d5cf"..., 4096) = 4096 read(12, > ":Trojan.Bancos-3284\n271360:2bc5f"..., 4096) = 4096 read(12, > "ncos-3342\n377344:04230b7482e189a"..., 4096) = 4096 read(12, > "an.Spy-4204\n35840:4c8d2cbaf9ccaf"..., 4096) = 4096 read(12, > "jan.Bancos-3492\n659968:49df0eba0"..., 4096) = 4096 read(12, > "0:25f16f5f7ee84dee66f40f6c86e9b8"..., 4096) = 4096 read(12, > "86:Trojan.Small-1634\n229888:3579"..., 4096) = 4096 read(12, > "4d30b8cfcfe247337e424db964d816:T"..., 4096) = 4096 read(12, > "576:3c44fb4c3e7a07aa1d49ce91c492"..., 4096) = 4096 read(12, > "082cd8ac62e6878348b79:Trojan.Ban"..., 4096) = 4096 > > 2. Strangely enough, if I start just MailScanner it works fine (with > sendmail not running) > > 3. If I start MailScanner with sendmail to, it will just hang there as > described. 
If I stop it, the master process dies for MailScanner, but > the children hang. > > 4. I did have this problem, but I resolved it quickly by changing the > option in MailScanner.conf to look for *.inc files. > > Jul 20 13:28:37 mr1 MailScanner[9747]: None of the files matched by > the "Monitors For ClamAV Updates" patterns exist! > Jul 20 13:28:47 mr1 MailScanner[8644]: None of the files matched by > the "Monitors For ClamAV Updates" patterns exist! > > Any ideas? I'm banging my head. > > David Gottschalk > david.gottschalk@emory.edu > What version of ClamAV? 0.90 takes a very long time to load signatures. I do have one box in which it was very quick. The other ones took at least 3 minutes to get up and going. Upgrading to 0.91 fixed that. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From dgottsc at emory.edu Fri Jul 20 20:02:22 2007 From: dgottsc at emory.edu (Gottschalk, David) Date: Fri Jul 20 20:02:29 2007 Subject: broken clamav update? In-Reply-To: <013f01c7caff$a22121a0$0b01010a@DGPTBH91> References: <013f01c7caff$a22121a0$0b01010a@DGPTBH91> Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1E1@RDPEXCH2.Eu.Emory.Edu> Check out the other thread going on. The recent ClamAV update has broken MailScanner. Remove clamav from your Virus Scanners list, and you'll be OK. David Gottschalk AAIT Infrastructure Technology Services david.gottschalk@emory.edu 404.727.9744 -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Bryan Guest
Sent: Friday, July 20, 2007 2:56 PM
To: mailscanner@lists.mailscanner.info
Subject: broken clamav update?

Hello:

Is anyone else seeing MailScanner fail to process messages from what appears to be a botched ClamAV update?

One of my blades got hosed sometime after 13:00 EST (gmt -05:00).

Any assistance in clearing this up would be greatly appreciated.

Bryan Guest
Bruce Telecom

From mkercher at nfsmith.com Fri Jul 20 20:05:42 2007
From: mkercher at nfsmith.com (Mike Kercher)
Date: Fri Jul 20 20:05:45 2007
Subject: broken clamav update?
In-Reply-To: <013f01c7caff$a22121a0$0b01010a@DGPTBH91>
References: <013f01c7caff$a22121a0$0b01010a@DGPTBH91>
Message-ID: <441247027D4F274EB760A5F6E1ED9C7E020DB3@houpex02.nfsmith.info>

This was just the reason I needed to add f-prot to all of my boxen. I'll add clamavmodule back after they get it fixed.

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Bryan Guest
Sent: Friday, July 20, 2007 1:56 PM
To: mailscanner@lists.mailscanner.info
Subject: broken clamav update?

Hello:

Is anyone else seeing MailScanner fail to process messages from what appears to be a botched ClamAV update?

One of my blades got hosed sometime after 13:00 EST (gmt -05:00).

Any assistance in clearing this up would be greatly appreciated.

Bryan Guest
Bruce Telecom

From ka at pacific.net Fri Jul 20 20:15:19 2007
From: ka at pacific.net (Ken A)
Date: Fri Jul 20 20:15:23 2007
Subject: broken clamav update?
In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020DB3@houpex02.nfsmith.info>
References: <013f01c7caff$a22121a0$0b01010a@DGPTBH91> <441247027D4F274EB760A5F6E1ED9C7E020DB3@houpex02.nfsmith.info>
Message-ID: <46A109C7.6060301@pacific.net>

Mike Kercher wrote:
> This was just the reason I needed to add f-prot to all of my boxen.
> I'll add clamavmodule back after they get it fixed.

Everything is fine here.. famous last words on a friday..

main.inc is up to date (version: 44, sigs: 133163, f-level: 20, builder: sven)
daily.inc is up to date (version: 3708, sigs: 6165, f-level: 16, builder: ccordes)

MailScanner is plugging along just fine, queues are moving along..
Freshclam runs okay. clamscan seems 'normal' speed ~1 sec or so.

Ken

-- 
Ken Anderson
Pacific.Net

From mkercher at nfsmith.com Fri Jul 20 20:17:43 2007
From: mkercher at nfsmith.com (Mike Kercher)
Date: Fri Jul 20 20:17:47 2007
Subject: broken clamav update?
In-Reply-To: <46A109C7.6060301@pacific.net>
References: <013f01c7caff$a22121a0$0b01010a@DGPTBH91><441247027D4F274EB760A5F6E1ED9C7E020DB3@houpex02.nfsmith.info> <46A109C7.6060301@pacific.net>
Message-ID: <441247027D4F274EB760A5F6E1ED9C7E020DB4@houpex02.nfsmith.info>

Just keep an eye on it. It snuck up on me and bit me good!

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A
Sent: Friday, July 20, 2007 2:15 PM
To: MailScanner discussion
Subject: Re: broken clamav update?

Mike Kercher wrote:
> This was just the reason I needed to add f-prot to all of my boxen.
> I'll add clamavmodule back after they get it fixed.

Everything is fine here.. famous last words on a friday..

main.inc is up to date (version: 44, sigs: 133163, f-level: 20, builder: sven)
daily.inc is up to date (version: 3708, sigs: 6165, f-level: 16, builder: ccordes)

MailScanner is plugging along just fine, queues are moving along..
Freshclam runs okay. clamscan seems 'normal' speed ~1 sec or so.

Ken

-- 
Ken Anderson
Pacific.Net

From Richard.Frovarp at sendit.nodak.edu Fri Jul 20 20:19:44 2007
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Fri Jul 20 20:19:47 2007 Subject: MailScanner broken suddenly?!?! In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1DC@RDPEXCH2.Eu.Emory.Edu> References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu> <46A0FEC0.9090200@sendit.nodak.edu> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1C3@RDPEXCH2.Eu.Emory.Edu> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1DC@RDPEXCH2.Eu.Emory.Edu> Message-ID: <46A10AD0.4080600@sendit.nodak.edu> Even before the update, 0.90.x had a known issue with loading the signatures taking an very very long time. I don't know that you can blame that on any update here. I just ran a freshclam manually. I'm running the latest definitions as reported on clamav.net (44 and 3708). However, freshclam was not able to connect a minute ago, now it can. Restarting MailScanner was not an issue against clamav 0.91.0. What people might be seeing is the effect of the known issue in 0.90.x. It could have been a broken update, that made things even worse. In short, latest sigs with 0.91 is not an issue. Gottschalk, David wrote: > So a few things I've just learned (I think everyone else is broken that is using clamav and doesn't know it yet, that's why they aren't replying) I just happened to be working on my boxes and noticed. > > I realized that the reason MailScanner worked temporarily is because I disabled scanning all together on the box with problems. I did this so my one broken box (at the time) could catch up since it was backed up big time. > > Clamscan takes forever to scan messages now. 
> > sudo clamscan -v mailertable.new > Scanning mailertable.new > mailertable.new: OK > > ----------- SCAN SUMMARY ----------- > Known viruses: 139329 > Engine version: 0.90.3 > Scanned directories: 0 > Scanned files: 1 > Infected files: 0 > Data scanned: 0.00 MB > Time: 37.524 sec (0 m 37 s) > -sh-3.00$ du -sh mailertable.new > 12K mailertable.new > > All of my *.cvd directories in /usr/local/share/clamav are now gone. > > They are all renamed to *.inc at the time of the breakage. I think that could have been part of the problem, but I changed my config line in MailScanner, and that didn't resolve the hanging issue. > > David Gottschalk > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gottschalk, David > Sent: Friday, July 20, 2007 2:41 PM > To: MailScanner discussion > Subject: RE: MailScanner broken suddenly?!?! > > > ClamAV 0.90.3/3707/Fri Jul 20 12:08:45 2007 > > I think this is a different problem though, because it happened all at once. The children were hanging for 20+ mins or more until I realized they were doing nothing but what that trace showed me. > > David Gottschalk > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard Frovarp > Sent: Friday, July 20, 2007 2:28 PM > To: MailScanner discussion > Subject: Re: MailScanner broken suddenly?!?! > > Gottschalk, David wrote: > >> I have 5 MailScanner machines. >> >> I had to do some configuration changes, so I restarted them. One of >> them now appears to be completely hosed. I've checked my >> configuration, and can't figure out what is going on. I don't see >> anything wrong at all. >> >> -sh-3.00$ sudo /usr/sbin/MailScanner --lint Checking version >> numbers... >> Version installed (4.60.8) does not match version stated in >> MailScanner.conf file (4.57.6), you may want to run >> upgrade_MailScanner_conf to ensure your MailScanner.conf file contains >> all the latest settings. >> >> Checking for SpamAssassin errors (if you use it)... >> Using SpamAssassin results cache >> Connected to SpamAssassin cache database SpamAssassin reported no >> errors. >> Using locktype = posix >> Creating hardcoded struct_flock subroutine for linux (Linux-type) >> MailScanner.conf says "Virus Scanners = auto" >> Found these virus scanners installed: bitdefender, clamavmodule >> >> Here is what is going on: >> >> 1. MailScanner starts, but just sits there does nothing: >> >> root 22553 1 0 13:58 ? 00:00:00 MailScanner: master >> waiting for children, sleeping >> root 22554 22553 70 13:58 ? 00:00:35 MailScanner: starting >> children >> root 22624 22553 69 13:58 ? 00:00:31 MailScanner: starting >> children >> root 22680 22553 67 13:58 ? 00:00:27 MailScanner: starting >> children >> root 22733 22553 73 13:58 ? 00:00:26 MailScanner: starting >> children >> root 22780 22553 44 13:58 ? 00:00:13 MailScanner: starting >> children >> root 22831 22553 42 13:58 ? 00:00:10 MailScanner: starting >> children >> root 22884 22553 47 13:58 ? 00:00:09 MailScanner: starting >> children >> root 22957 22553 44 13:59 ? 
00:00:07 MailScanner: starting >> children >> root 23005 22553 31 13:59 ? 00:00:03 MailScanner: starting >> children >> root 23054 22553 49 13:59 ? 00:00:02 MailScanner: starting >> children >> If I trace a childre process, here is what it is doing over and over: >> >> sudo strace -p 19920 >> Process 19920 attached - interrupt to quit read(12, >> "b560c3b9f08759aa3aa90:Trojan.Spy"..., 4096) = 4096 read(12, >> ":Trojan.Spy-3720\n353280:f604589b"..., 4096) = 4096 read(12, >> "55d8571268b7:Trojan.Clicker-133\n"..., 4096) = 4096 read(12, >> "5b7b476404e1ea6dc24d48e50bdfa:Tr"..., 4096) = 4096 read(12, >> "ba8f709e8b588009a34ee19ee1:Troja"..., 4096) = 4096 read(12, >> "d5:Trojan.Spy-3998\n284672:7801e5"..., 4096) = 4096 read(12, >> "6\n12288:6bfa649c48fc5982b231a2bb"..., 4096) = 4096 >> brk(0x4f23000) = 0x4f23000 >> read(12, "n.Spy-4128\n21504:3b072d4e76b7173"..., 4096) = 4096 read(12, >> "bbe4f7d647f109b5317dd8794715:Tro"..., 4096) = 4096 read(12, >> "n.Downloader-4997\n36864:bcc236c3"..., 4096) = 4096 read(12, >> "der-5167\n29696:f7d986ddcc013d8e0"..., 4096) = 4096 read(12, >> "f7e121997:Trojan.Downloader-5070"..., 4096) = 4096 read(12, >> ".Downloader-5107\n10240:efd91a6ea"..., 4096) = 4096 read(12, >> "ec7:Trojan.Downloader-4916\n2048:"..., 4096) = 4096 read(12, >> "nloader-5244\n4768:096cc4cd04d5cf"..., 4096) = 4096 read(12, >> ":Trojan.Bancos-3284\n271360:2bc5f"..., 4096) = 4096 read(12, >> "ncos-3342\n377344:04230b7482e189a"..., 4096) = 4096 read(12, >> "an.Spy-4204\n35840:4c8d2cbaf9ccaf"..., 4096) = 4096 read(12, >> "jan.Bancos-3492\n659968:49df0eba0"..., 4096) = 4096 read(12, >> "0:25f16f5f7ee84dee66f40f6c86e9b8"..., 4096) = 4096 read(12, >> "86:Trojan.Small-1634\n229888:3579"..., 4096) = 4096 read(12, >> "4d30b8cfcfe247337e424db964d816:T"..., 4096) = 4096 read(12, >> "576:3c44fb4c3e7a07aa1d49ce91c492"..., 4096) = 4096 read(12, >> "082cd8ac62e6878348b79:Trojan.Ban"..., 4096) = 4096 >> >> 2. 
Strangely enough, if I start just MailScanner it works fine (with >> sendmail not running) >> >> 3. If I start MailScanner with sendmail to, it will just hang there as >> described. If I stop it, the master process dies for MailScanner, but >> the children hang. >> >> 4. I did have this problem, but I resolved it quickly by changing the >> option in MailScanner.conf to look for *.inc files. >> >> Jul 20 13:28:37 mr1 MailScanner[9747]: None of the files matched by >> the "Monitors For ClamAV Updates" patterns exist! >> Jul 20 13:28:47 mr1 MailScanner[8644]: None of the files matched by >> the "Monitors For ClamAV Updates" patterns exist! >> >> Any ideas? I'm banging my head. >> >> David Gottschalk >> david.gottschalk@emory.edu >> >> > What version of ClamAV? 0.90 takes a very long time to load signatures. > I do have one box in which it was very quick. The other ones took at least 3 minutes to get up and going. Upgrading to 0.91 fixed that. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- Richard Frovarp EduTech System Administrator 1-701-231-5127 or 1-800-774-1091 From Richard.Frovarp at sendit.nodak.edu Fri Jul 20 20:20:32 2007 
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Fri Jul 20 20:20:34 2007
Subject: broken clamav update?
In-Reply-To: <46A109C7.6060301@pacific.net>
References: <013f01c7caff$a22121a0$0b01010a@DGPTBH91> <441247027D4F274EB760A5F6E1ED9C7E020DB3@houpex02.nfsmith.info> <46A109C7.6060301@pacific.net>
Message-ID: <46A10B00.3030407@sendit.nodak.edu>

Ken A wrote:
> Mike Kercher wrote:
>> This was just the reason I needed to add f-prot to all of my boxen.
>> I'll add clamavmodule back after they get it fixed.
>
> Everything is fine here.. famous last words on a friday..
>
> main.inc is up to date (version: 44, sigs: 133163, f-level: 20, builder: sven)
> daily.inc is up to date (version: 3708, sigs: 6165, f-level: 16, builder: ccordes)
>
> MailScanner is plugging along just fine, queues are moving along..
> Freshclam runs okay. clamscan seems 'normal' speed ~1 sec or so.
>
> Ken
>

Running 0.91.x? Everything is fine as well for me with those numbers.

From dnsadmin at 1bigthink.com Fri Jul 20 20:21:45 2007
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Fri Jul 20 20:22:07 2007
Subject: broken clamav update?
In-Reply-To: <013f01c7caff$a22121a0$0b01010a@DGPTBH91>
References: <013f01c7caff$a22121a0$0b01010a@DGPTBH91>
Message-ID: <200707201922.l6KJM1Ew031894@mxt.1bigthink.com>

Hello All,

Is ClamAV getting updated via /etc/cron.hourly/update_virus_scanners?

I just turned that off in hopes of not getting the hosed updates!

Thanks,
Glenn

At 02:56 PM 7/20/2007, you wrote:
>Hello:
>
>Is anyone else seeing MailScanner fail to process messages from what
>appears to be a botched ClamAV update?
>
>One of my blades got hosed sometime after 13:00 EST (gmt -05:00).
>
>Any assistance in clearing this up would be greatly appreciated.
>
>Bryan Guest
>Bruce Telecom

From dgottsc at emory.edu Fri Jul 20 20:24:38 2007
From: dgottsc at emory.edu (Gottschalk, David)
Date: Fri Jul 20 20:24:51 2007
Subject: broken clamav update?
In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020DB4@houpex02.nfsmith.info>
References: <013f01c7caff$a22121a0$0b01010a@DGPTBH91><441247027D4F274EB760A5F6E1ED9C7E020DB3@houpex02.nfsmith.info> <46A109C7.6060301@pacific.net> <441247027D4F274EB760A5F6E1ED9C7E020DB4@houpex02.nfsmith.info>
Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C206@RDPEXCH2.Eu.Emory.Edu>

Yeah no kidding! I had no clue what was going on at first since I was making conf changes at the same time, and restarting MailScanner.

Try stopping mail entirely for 30k+ users, ahhhhhhh!

David Gottschalk

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Kercher
Sent: Friday, July 20, 2007 3:18 PM
To: MailScanner discussion
Subject: RE: broken clamav update?

Just keep an eye on it. It snuck up on me and bit me good!

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A
Sent: Friday, July 20, 2007 2:15 PM
To: MailScanner discussion
Subject: Re: broken clamav update?

Mike Kercher wrote:
> This was just the reason I needed to add f-prot to all of my boxen.
> I'll add clamavmodule back after they get it fixed.

Everything is fine here.. famous last words on a friday..

main.inc is up to date (version: 44, sigs: 133163, f-level: 20, builder: sven)
daily.inc is up to date (version: 3708, sigs: 6165, f-level: 16, builder: ccordes)

MailScanner is plugging along just fine, queues are moving along..
Freshclam runs okay. clamscan seems 'normal' speed ~1 sec or so.

Ken

-- 
Ken Anderson
Pacific.Net

From dgottsc at emory.edu Fri Jul 20 20:26:02 2007
From: dgottsc at emory.edu (Gottschalk, David)
Date: Fri Jul 20 20:26:31 2007
Subject: MailScanner broken suddenly?!?!
In-Reply-To: <46A10AD0.4080600@sendit.nodak.edu>
References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu> <46A0FEC0.9090200@sendit.nodak.edu> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1C3@RDPEXCH2.Eu.Emory.Edu> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1DC@RDPEXCH2.Eu.Emory.Edu> <46A10AD0.4080600@sendit.nodak.edu>
Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C20A@RDPEXCH2.Eu.Emory.Edu>

Yeah, maybe it was a combination of factors. I don't know.

To anyone else who had the problem, what version of clamav are you running?

David Gottschalk

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard Frovarp Sent: Friday, July 20, 2007 3:20 PM To: MailScanner discussion Subject: Re: MailScanner broken suddenly?!?! Even before the update, 0.90.x had a known issue with loading the signatures taking an very very long time. I don't know that you can blame that on any update here. I just ran a freshclam manually. I'm running the latest definitions as reported on clamav.net (44 and 3708). However, freshclam was not able to connect a minute ago, now it can. Restarting MailScanner was not an issue against clamav 0.91.0. What people might be seeing is the effect of the known issue in 0.90.x. It could have been a broken update, that made things even worse. In short, latest sigs with 0.91 is not an issue. Gottschalk, David wrote: > So a few things I've just learned (I think everyone else is broken that is using clamav and doesn't know it yet, that's why they aren't replying) I just happened to be working on my boxes and noticed. > > I realized that the reason MailScanner worked temporarily is because I disabled scanning all together on the box with problems. I did this so my one broken box (at the time) could catch up since it was backed up big time. > > Clamscan takes forever to scan messages now. > > sudo clamscan -v mailertable.new > Scanning mailertable.new > mailertable.new: OK > > ----------- SCAN SUMMARY ----------- > Known viruses: 139329 > Engine version: 0.90.3 > Scanned directories: 0 > Scanned files: 1 > Infected files: 0 > Data scanned: 0.00 MB > Time: 37.524 sec (0 m 37 s) > -sh-3.00$ du -sh mailertable.new > 12K mailertable.new > > All of my *.cvd directories in /usr/local/share/clamav are now gone. > > They are all renamed to *.inc at the time of the breakage. I think that could have been part of the problem, but I changed my config line in MailScanner, and that didn't resolve the hanging issue. 
> > David Gottschalk > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Gottschalk, David > Sent: Friday, July 20, 2007 2:41 PM > To: MailScanner discussion > Subject: RE: MailScanner broken suddenly?!?! > > > ClamAV 0.90.3/3707/Fri Jul 20 12:08:45 2007 > > I think this is a different problem though, because it happened all at once. The children were hanging for 20+ mins or more until I realized they were doing nothing but what that trace showed me. > > David Gottschalk > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Richard Frovarp > Sent: Friday, July 20, 2007 2:28 PM > To: MailScanner discussion > Subject: Re: MailScanner broken suddenly?!?! > > Gottschalk, David wrote: > >> I have 5 MailScanner machines. >> >> I had to do some configuration changes, so I restarted them. One of >> them now appears to be completely hosed. I've checked my >> configuration, and can't figure out what is going on. I don't see >> anything wrong at all. >> >> -sh-3.00$ sudo /usr/sbin/MailScanner --lint Checking version >> numbers... >> Version installed (4.60.8) does not match version stated in >> MailScanner.conf file (4.57.6), you may want to run >> upgrade_MailScanner_conf to ensure your MailScanner.conf file >> contains all the latest settings. >> >> Checking for SpamAssassin errors (if you use it)... >> Using SpamAssassin results cache >> Connected to SpamAssassin cache database SpamAssassin reported no >> errors. >> Using locktype = posix >> Creating hardcoded struct_flock subroutine for linux (Linux-type) >> MailScanner.conf says "Virus Scanners = auto" >> Found these virus scanners installed: bitdefender, clamavmodule >> >> Here is what is going on: >> >> 1. MailScanner starts, but just sits there does nothing: >> >> root 22553 1 0 13:58 ? 00:00:00 MailScanner: master >> waiting for children, sleeping >> root 22554 22553 70 13:58 ? 00:00:35 MailScanner: starting >> children >> root 22624 22553 69 13:58 ? 00:00:31 MailScanner: starting >> children >> root 22680 22553 67 13:58 ? 00:00:27 MailScanner: starting >> children >> root 22733 22553 73 13:58 ? 00:00:26 MailScanner: starting >> children >> root 22780 22553 44 13:58 ? 00:00:13 MailScanner: starting >> children >> root 22831 22553 42 13:58 ? 00:00:10 MailScanner: starting >> children >> root 22884 22553 47 13:58 ? 00:00:09 MailScanner: starting >> children >> root 22957 22553 44 13:59 ? 
00:00:07 MailScanner: starting >> children >> root 23005 22553 31 13:59 ? 00:00:03 MailScanner: starting >> children >> root 23054 22553 49 13:59 ? 00:00:02 MailScanner: starting >> children >> If I trace a childre process, here is what it is doing over and over: >> >> sudo strace -p 19920 >> Process 19920 attached - interrupt to quit read(12, >> "b560c3b9f08759aa3aa90:Trojan.Spy"..., 4096) = 4096 read(12, >> ":Trojan.Spy-3720\n353280:f604589b"..., 4096) = 4096 read(12, >> "55d8571268b7:Trojan.Clicker-133\n"..., 4096) = 4096 read(12, >> "5b7b476404e1ea6dc24d48e50bdfa:Tr"..., 4096) = 4096 read(12, >> "ba8f709e8b588009a34ee19ee1:Troja"..., 4096) = 4096 read(12, >> "d5:Trojan.Spy-3998\n284672:7801e5"..., 4096) = 4096 read(12, >> "6\n12288:6bfa649c48fc5982b231a2bb"..., 4096) = 4096 >> brk(0x4f23000) = 0x4f23000 >> read(12, "n.Spy-4128\n21504:3b072d4e76b7173"..., 4096) = 4096 >> read(12, "bbe4f7d647f109b5317dd8794715:Tro"..., 4096) = 4096 read(12, >> "n.Downloader-4997\n36864:bcc236c3"..., 4096) = 4096 read(12, >> "der-5167\n29696:f7d986ddcc013d8e0"..., 4096) = 4096 read(12, >> "f7e121997:Trojan.Downloader-5070"..., 4096) = 4096 read(12, >> ".Downloader-5107\n10240:efd91a6ea"..., 4096) = 4096 read(12, >> "ec7:Trojan.Downloader-4916\n2048:"..., 4096) = 4096 read(12, >> "nloader-5244\n4768:096cc4cd04d5cf"..., 4096) = 4096 read(12, >> ":Trojan.Bancos-3284\n271360:2bc5f"..., 4096) = 4096 read(12, >> "ncos-3342\n377344:04230b7482e189a"..., 4096) = 4096 read(12, >> "an.Spy-4204\n35840:4c8d2cbaf9ccaf"..., 4096) = 4096 read(12, >> "jan.Bancos-3492\n659968:49df0eba0"..., 4096) = 4096 read(12, >> "0:25f16f5f7ee84dee66f40f6c86e9b8"..., 4096) = 4096 read(12, >> "86:Trojan.Small-1634\n229888:3579"..., 4096) = 4096 read(12, >> "4d30b8cfcfe247337e424db964d816:T"..., 4096) = 4096 read(12, >> "576:3c44fb4c3e7a07aa1d49ce91c492"..., 4096) = 4096 read(12, >> "082cd8ac62e6878348b79:Trojan.Ban"..., 4096) = 4096 >> >> 2. 
Strangely enough, if I start just MailScanner it works fine (with >> sendmail not running) >> >> 3. If I start MailScanner with sendmail to, it will just hang there >> as described. If I stop it, the master process dies for MailScanner, >> but the children hang. >> >> 4. I did have this problem, but I resolved it quickly by changing the >> option in MailScanner.conf to look for *.inc files. >> >> Jul 20 13:28:37 mr1 MailScanner[9747]: None of the files matched by >> the "Monitors For ClamAV Updates" patterns exist! >> Jul 20 13:28:47 mr1 MailScanner[8644]: None of the files matched by >> the "Monitors For ClamAV Updates" patterns exist! >> >> Any ideas? I'm banging my head. >> >> David Gottschalk >> david.gottschalk@emory.edu >> >> > What version of ClamAV? 0.90 takes a very long time to load signatures. > I do have one box in which it was very quick. The other ones took at least 3 minutes to get up and going. Upgrading to 0.91 fixed that. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
>
>

-- 
Richard Frovarp
EduTech System Administrator
1-701-231-5127 or 1-800-774-1091

From raymond at prolocation.net Fri Jul 20 20:35:31 2007
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Fri Jul 20 20:35:29 2007
Subject: MailScanner broken suddenly?!?!
In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu>
References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu>
Message-ID:

Hi!

> Jul 20 13:28:37 mr1 MailScanner[9747]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
> Jul 20 13:28:47 mr1 MailScanner[8644]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
>
> Any ideas? I'm banging my head.

This is what I warned about, but wasn't needed according to Jules. See earlier postings. There was a new main.cvd out today, so this is what happened... And what will happen every time the main files will be updated.

Bye,
Raymond.

From mkettler at evi-inc.com Fri Jul 20 20:37:45 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Jul 20 20:39:08 2007
Subject: Request for comments
In-Reply-To: <46A0F81C.7070403@alexb.ch>
References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com><46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com><1964AAFBC212F742958F9275BF63DBB04B0F3A@winchester.andrewscompanies.com> <46A0E56D.6040301@evi-inc.com> <1964AAFBC212F742958F9275BF63DBB04B0F3C@winchester.andrewscompanies.com> <46A0EDA6.5030007@alexb.ch> <46A0F288.4050005@evi-inc.com> <46A0F81C.7070403@alexb.ch>
Message-ID: <46A10F09.8040701@evi-inc.com>

Alex Broens wrote:
> On 7/20/2007 7:36 PM, Matt Kettler wrote:
>> Alex Broens wrote:
>>> On 7/20/2007 6:55 PM, Steven Andrews wrote:
>>>> Why not? I know specious argument, but this would work well so you
>>>> could apply a penalty or a credit to a certain domain.
>>>>
>>>> Blackberry devices are just an example, they always trigger certain
>>>> rules that push their scores up. Are they going to change that fact?
>>>> Nope. Do I want to lower the value of those rules? Nope. They catch
>>>> other traffic. Do I want to whitelist blackberries entirely...no way.
>>>> If I had a mechanism to punish or credit a certain domain, that would
>>>> allow such a situation where I can keep rules intact but adjust the
>>>> spamminess of a domain.
>>> header BLACKBERY_PASSTHRU Received =~ /smtp[0-9]{2}\.\w+\.\w+\.blackberry\.com\b/
>>> score BLACKBERY_PASSTHRU -5.0
>>>
>>
>> Even better, use X-Spam-Relays-Untrusted. It's a fake header generated by SA
>> that contains pre-parsed Received: headers. Its format is constant and isn't MTA
>> specific. The first entry is the host delivering to your last trusted server.
>> ie: if your trusted_networks isn't broken the last trusted server, making the
>> machine dropping mail off at your network the first untrusted.
>>
>> This little trick starts at the beginning of the text (hence the first ^) and
>> scans ahead for blackberry.com, but will stop if it encounters a ] (which would
>> be the closing bracket of the end of the first entry)
>>
>> header BLACKBERY_PASSTHRU X-Spam-Relays-Untrusted =~ /^[^\]]+rdns=smtp[0-9]{2}\.\w+\.\w+\.blackberry\.com\n/
>
> DOH!
>
> used that for other stuff.. dunno why I didn't think of it for the
> "blueberrries"
>
> thanks for the hint

No problem.

From dennis at 28a.de Fri Jul 20 20:39:05 2007
From: dennis at 28a.de (Dennis Goebel)
Date: Fri Jul 20 20:39:12 2007
Subject: broken clamav update?
In-Reply-To: <013f01c7caff$a22121a0$0b01010a@DGPTBH91>
References: <013f01c7caff$a22121a0$0b01010a@DGPTBH91>
Message-ID: <46A10F59.4000907@28a.de>

hello,

my Mailscanner logged a message saying "None of the files matched by the "Monitors For ClamAV Updates" patterns exist!"

My config file instructs MailScanner to monitor *cvd files:

Monitors for ClamAV Updates = /var/lib/clamav/*.cvd

After running the ClamAV update there are no *cvd files on my system anymore. I changed this config line to:

Monitors for ClamAV Updates = /var/lib/clamav/main.inc/*.db

Now everything works fine again.

Regards
Dennis

Bryan Guest wrote:
> Hello:
>
> Is anyone else seeing MailScanner fail to process messages from what
> appears to be a botched ClamAV update?
>
> One of my blades got hosed sometime after 13:00 EST (gmt -05:00).
>
> Any assistance in clearing this up would be greatly appreciated.
>
> Bryan Guest
> Bruce Telecom

From MailScanner at ecs.soton.ac.uk Fri Jul 20 20:41:50 2007
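Added example, not part of the list thread: a POSIX shell check for the condition reported above, where the ClamAV update leaves no *.cvd files and the "Monitors for ClamAV Updates" patterns match nothing. The function names, the temporary directory layout and the .db file names are constructed for the demonstration, and it assumes the option value is a space-separated list of glob patterns.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the glob patterns in a
# MailScanner.conf "Monitors for ClamAV Updates" line still match real files.
# Assumption: the option value is a space-separated list of glob patterns.

# Print the option value from conf file $1 (last definition wins).
# grep -i covers both "Monitors for" and "Monitors For" as seen in the thread.
monitor_patterns() {
    grep -i -E '^[[:space:]]*monitors[[:space:]]+for[[:space:]]+clamav[[:space:]]+updates[[:space:]]*=' "$1" \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Print how many existing paths the glob pattern $1 expands to.
count_matches() {
    cm_count=0
    # $1 is unquoted on purpose so the shell expands the glob; a pattern
    # with no match stays literal and then fails the -e test.
    for cm_path in $1; do
        if [ -e "$cm_path" ]; then
            cm_count=$((cm_count + 1))
        fi
    done
    echo "$cm_count"
}

# Report every configured pattern in conf file $1.
# Returns 0 if at least one pattern matches, 1 if none match (the state
# MailScanner logged in the thread), 2 if the option is not set.
check_clamav_monitors() {
    ccm_conf=$1
    ccm_patterns=$(monitor_patterns "$ccm_conf")
    if [ -z "$ccm_patterns" ]; then
        echo "NOT SET  no \"Monitors for ClamAV Updates\" line in $ccm_conf"
        return 2
    fi
    ccm_matched=0
    set -f                      # split into patterns without expanding them yet
    set -- $ccm_patterns
    set +f
    for ccm_pattern in "$@"; do
        ccm_n=$(count_matches "$ccm_pattern")
        if [ "$ccm_n" -gt 0 ]; then
            echo "MATCH    $ccm_pattern ($ccm_n paths)"
            ccm_matched=$((ccm_matched + 1))
        else
            echo "NO MATCH $ccm_pattern"
        fi
    done
    if [ "$ccm_matched" -gt 0 ]; then
        return 0
    fi
    echo "None of the patterns in $ccm_conf match an existing file"
    return 1
}

# Build a constructed database directory like the one described in the
# thread: main.inc/ and daily.inc/ directories and no *.cvd files.
# Prints the path of the temporary directory.
make_demo() {
    md_dir=$(mktemp -d)
    mkdir -p "$md_dir/clamav/main.inc" "$md_dir/clamav/daily.inc"
    : > "$md_dir/clamav/main.inc/main.db"       # constructed file name
    : > "$md_dir/clamav/daily.inc/daily.db"     # constructed file name
    # Pre-update setting: monitors *.cvd only.
    printf 'Virus Scanners = auto\nMonitors for ClamAV Updates = %s/clamav/*.cvd\n' \
        "$md_dir" > "$md_dir/old.conf"
    # Setting that lists both layouts, so either kind of update is noticed.
    printf 'Monitors For ClamAV Updates = %s/clamav/*.cvd %s/clamav/*.inc/*.db\n' \
        "$md_dir" "$md_dir" > "$md_dir/both.conf"
    echo "$md_dir"
}

demo_dir=$(make_demo)
check_clamav_monitors "$demo_dir/old.conf"  || echo "(exit status $?)"
check_clamav_monitors "$demo_dir/both.conf" || echo "(exit status $?)"
rm -rf "$demo_dir"
```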
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 20 20:42:24 2007
Subject: MailScanner broken suddenly?!?!
In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu>
References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu>
Message-ID: <46A10FFE.6090706@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Upgrade to the latest version of ClamAV and this (temporary) problem will
go away. If you leave the machine alone for 5 minutes and then come back
and look, you'll find it is working. It's just the 0.90 version of ClamAV
taking ages to load its signatures. All fixed in the latest version.

Gottschalk, David wrote:
> I have 5 MailScanner machines.
>
> I had to do some configuration changes, so I restarted them. One of
> them now appears to be completely hosed. I've checked my
> configuration, and can't figure out what is going on. I don't see
> anything wrong at all.
>
> -sh-3.00$ sudo /usr/sbin/MailScanner --lint
> Checking version numbers...
> Version installed (4.60.8) does not match version stated in
> MailScanner.conf file (4.57.6), you may want to run
> upgrade_MailScanner_conf
> to ensure your MailScanner.conf file contains all the latest settings.
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> Using locktype = posix
> Creating hardcoded struct_flock subroutine for linux (Linux-type)
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: bitdefender, clamavmodule
>
> Here is what is going on:
>
> 1. MailScanner starts, but just sits there does nothing:
>
> root 22553 1 0 13:58 ? 00:00:00 MailScanner: master waiting for children, sleeping
> root 22554 22553 70 13:58 ? 00:00:35 MailScanner: starting children
> root 22624 22553 69 13:58 ? 00:00:31 MailScanner: starting children
> root 22680 22553 67 13:58 ? 00:00:27 MailScanner: starting children
> root 22733 22553 73 13:58 ? 00:00:26 MailScanner: starting children
> root 22780 22553 44 13:58 ? 00:00:13 MailScanner: starting children
> root 22831 22553 42 13:58 ? 00:00:10 MailScanner: starting children
> root 22884 22553 47 13:58 ? 00:00:09 MailScanner: starting children
> root 22957 22553 44 13:59 ? 00:00:07 MailScanner: starting children
> root 23005 22553 31 13:59 ? 00:00:03 MailScanner: starting children
> root 23054 22553 49 13:59 ? 00:00:02 MailScanner: starting children
> If I trace a child process, here is what it is doing over and over:
>
> sudo strace -p 19920
> Process 19920 attached - interrupt to quit
> read(12, "b560c3b9f08759aa3aa90:Trojan.Spy"..., 4096) = 4096
> read(12, ":Trojan.Spy-3720\n353280:f604589b"..., 4096) = 4096
> read(12, "55d8571268b7:Trojan.Clicker-133\n"..., 4096) = 4096
> read(12, "5b7b476404e1ea6dc24d48e50bdfa:Tr"..., 4096) = 4096
> read(12, "ba8f709e8b588009a34ee19ee1:Troja"..., 4096) = 4096
> read(12, "d5:Trojan.Spy-3998\n284672:7801e5"..., 4096) = 4096
> read(12, "6\n12288:6bfa649c48fc5982b231a2bb"..., 4096) = 4096
> brk(0x4f23000) = 0x4f23000
> read(12, "n.Spy-4128\n21504:3b072d4e76b7173"..., 4096) = 4096
> read(12, "bbe4f7d647f109b5317dd8794715:Tro"..., 4096) = 4096
> read(12, "n.Downloader-4997\n36864:bcc236c3"..., 4096) = 4096
> read(12, "der-5167\n29696:f7d986ddcc013d8e0"..., 4096) = 4096
> read(12, "f7e121997:Trojan.Downloader-5070"..., 4096) = 4096
> read(12, ".Downloader-5107\n10240:efd91a6ea"..., 4096) = 4096
> read(12, "ec7:Trojan.Downloader-4916\n2048:"..., 4096) = 4096
> read(12, "nloader-5244\n4768:096cc4cd04d5cf"..., 4096) = 4096
> read(12, ":Trojan.Bancos-3284\n271360:2bc5f"..., 4096) = 4096
> read(12, "ncos-3342\n377344:04230b7482e189a"..., 4096) = 4096
> read(12, "an.Spy-4204\n35840:4c8d2cbaf9ccaf"..., 4096) = 4096
> read(12, "jan.Bancos-3492\n659968:49df0eba0"..., 4096) = 4096
> read(12, "0:25f16f5f7ee84dee66f40f6c86e9b8"..., 4096) = 4096
> read(12, "86:Trojan.Small-1634\n229888:3579"..., 4096) = 4096
> read(12, "4d30b8cfcfe247337e424db964d816:T"..., 4096) = 4096
> read(12, "576:3c44fb4c3e7a07aa1d49ce91c492"..., 4096) = 4096
> read(12, "082cd8ac62e6878348b79:Trojan.Ban"..., 4096) = 4096
>
> 2. Strangely enough, if I start just MailScanner it works fine (with
> sendmail not running)
>
> 3. If I start MailScanner with sendmail too, it will just hang there as
> described. If I stop it, the master process dies for MailScanner, but
> the children hang.
>
> 4. I did have this problem, but I resolved it quickly by changing the
> option in MailScanner.conf to look for *.inc files.
>
> Jul 20 13:28:37 mr1 MailScanner[9747]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
> Jul 20 13:28:47 mr1 MailScanner[8644]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
>
> Any ideas? I'm banging my head.
>
> David Gottschalk
> david.gottschalk@emory.edu
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGoQ//EfZZRxQVtlQRAv0nAKCreDXFCVXrsOIyq2K/vCZQleN0iQCePVIj
O62Opt0RnfM+g4P3fLEqboc=
=XSQw
-----END PGP SIGNATURE-----

From raymond at prolocation.net Fri Jul 20 20:42:51 2007
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Fri Jul 20 20:42:49 2007
Subject: MailScanner broken suddenly?!?!
In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1C3@RDPEXCH2.Eu.Emory.Edu>
References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu> <46A0FEC0.9090200@sendit.nodak.edu> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1C3@RDPEXCH2.Eu.Emory.Edu>
Message-ID:

Hi!

> I think this is a different problem though, because it happened all at
> once. The children were hanging for 20+ mins or more until I realized
> they were doing nothing but what that trace showed me.

There was a new main update out, and like last time, exactly same thing,
this breaks MailScanner.

Look in the archive, after last update of the main clam files this exact
same thing also happened.

Jules, could you have a look, since this is really something that will
bite us in a few months again, with the next clam update of their main
files.

Bye,
Raymond.

From cleveland at winnefox.org Fri Jul 20 20:43:40 2007
From: cleveland at winnefox.org (Jody Cleveland)
Date: Fri Jul 20 20:43:54 2007
Subject: MCP - how to store high scoring emails?
In-Reply-To: <200707191158.44123.clacroix@cegep-ste-foy.qc.ca>
Message-ID:

Ok, I just figured it out. If a message has a spam score, and an MCP score,
it takes what's set for the spam score. Is there a way to tell it if it has
an MCP score of 12, ignore spam checking?

- jody

On 7/19/07 10:58 AM, "Charles Lacroix" wrote:

>
>
> Just add the "delete" in your "MCP Actions"
>
> On Thursday 19 July 2007 11:50, Jody Cleveland wrote:
>> Hello,
>>
>> I recently set up mcp with MailScanner. In MailScanner.conf I have:
>>
>> MCP Required SpamAssassin Score = 1
>> MCP High SpamAssassin Score = 7
>> MCP Error Score = 1
>>
>> And, then for High Scoring MCP Actions I have store.
>>
>> Now, in the .cf file I have several things set up, and emails coming in are
>> getting mcp scores. What I'd like is, if the MCP score is => 7, store but
>> don't deliver the message. I thought with what I have in the settings that
>> would be the case. But, no matter the mcp score, the messages are still
>> getting delivered.
>>
>> Is there a setting I'm missing or have incorrect?
>>
>> - jody

From michael at dilworth.net Fri Jul 20 20:43:35 2007
From: michael at dilworth.net (Michael R. Dilworth)
Date: Fri Jul 20 20:43:59 2007
Subject: MailScanner broken suddenly?!?!
In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C20A@RDPEXCH2.Eu.Emory.Edu>
Message-ID: <087a01c7cb06$4307dea0$5713cc40@OCEANII>

MS 4.58.9
clamav 0.90.3 virus db 44 and 3708.

Currently downloading Clamav 91 source, and MS 4.61.7-2 will hopefully
be installing a MailScanner -> Clamd setup this afternoon. It was on
my todo list, but it just got bumped to a priority.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of > Gottschalk, David > Sent: Friday, July 20, 2007 12:26 PM > To: MailScanner discussion > Subject: RE: MailScanner broken suddenly?!?! > > > Yeah, maybe it was a combination of factors. I don't know. > > To anyone else who had the problem, what version of clamav are you running? > > David Gottschalk > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard Frovarp > Sent: Friday, July 20, 2007 3:20 PM > To: MailScanner discussion > Subject: Re: MailScanner broken suddenly?!?! > > Even before the update, 0.90.x had a known issue with loading the signatures taking an > very very long time. I don't know that you can blame that on any update here. > > I just ran a freshclam manually. I'm running the latest definitions as reported on > clamav.net (44 and 3708). However, freshclam was not able to connect a minute ago, now it > can. Restarting MailScanner was not an issue against clamav 0.91.0. What people might be > seeing is the effect of the known issue in 0.90.x. It could have been a broken update, > that made things even worse. > > In short, latest sigs with 0.91 is not an issue. > > Gottschalk, David wrote: > > So a few things I've just learned (I think everyone else is broken that is using clamav > and doesn't know it yet, that's why they aren't replying) I just happened to be working > on my boxes and noticed. > > > > I realized that the reason MailScanner worked temporarily is because I disabled > scanning all together on the box with problems. I did this so my one broken box (at the > time) could catch up since it was backed up big time. > > > > Clamscan takes forever to scan messages now. > > > > sudo clamscan -v mailertable.new > > Scanning mailertable.new > > mailertable.new: OK > > > > ----------- SCAN SUMMARY ----------- > > Known viruses: 139329 > > Engine version: 0.90.3 > > Scanned directories: 0 > > Scanned files: 1 > > Infected files: 0 > > Data scanned: 0.00 MB > > Time: 37.524 sec (0 m 37 s) > > -sh-3.00$ du -sh mailertable.new > > 12K mailertable.new > > > > All of my *.cvd directories in /usr/local/share/clamav are now gone. > > > > They are all renamed to *.inc at the time of the breakage. 
I think that could have > been part of the problem, but I changed my config line in MailScanner, and that didn't > resolve the hanging issue. > > > > David Gottschalk > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > > Gottschalk, David > > Sent: Friday, July 20, 2007 2:41 PM > > To: MailScanner discussion > > Subject: RE: MailScanner broken suddenly?!?! > > > > > > ClamAV 0.90.3/3707/Fri Jul 20 12:08:45 2007 > > > > I think this is a different problem though, because it happened all at once. The > children were hanging for 20+ mins or more until I realized they were doing nothing but > what that trace showed me. > > > > David Gottschalk > > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > > Richard Frovarp > > Sent: Friday, July 20, 2007 2:28 PM > > To: MailScanner discussion > > Subject: Re: MailScanner broken suddenly?!?! > > > > Gottschalk, David wrote: > > > >> I have 5 MailScanner machines. > >> > >> I had to do some configuration changes, so I restarted them. One of > >> them now appears to be completely hosed. I've checked my > >> configuration, and can't figure out what is going on. I don't see > >> anything wrong at all. > >> > >> -sh-3.00$ sudo /usr/sbin/MailScanner --lint Checking version > >> numbers... > >> Version installed (4.60.8) does not match version stated in > >> MailScanner.conf file (4.57.6), you may want to run > >> upgrade_MailScanner_conf to ensure your MailScanner.conf file > >> contains all the latest settings. > >> > >> Checking for SpamAssassin errors (if you use it)... > >> Using SpamAssassin results cache > >> Connected to SpamAssassin cache database SpamAssassin reported no > >> errors. > >> Using locktype = posix > >> Creating hardcoded struct_flock subroutine for linux (Linux-type) > >> MailScanner.conf says "Virus Scanners = auto" > >> Found these virus scanners installed: bitdefender, clamavmodule > >> > >> Here is what is going on: > >> > >> 1. MailScanner starts, but just sits there does nothing: > >> > >> root 22553 1 0 13:58 ? 00:00:00 MailScanner: master > >> waiting for children, sleeping > >> root 22554 22553 70 13:58 ? 00:00:35 MailScanner: starting > >> children > >> root 22624 22553 69 13:58 ? 00:00:31 MailScanner: starting > >> children > >> root 22680 22553 67 13:58 ? 00:00:27 MailScanner: starting > >> children > >> root 22733 22553 73 13:58 ? 00:00:26 MailScanner: starting > >> children > >> root 22780 22553 44 13:58 ? 00:00:13 MailScanner: starting > >> children > >> root 22831 22553 42 13:58 ? 00:00:10 MailScanner: starting > >> children > >> root 22884 22553 47 13:58 ? 
00:00:09 MailScanner: starting > >> children > >> root 22957 22553 44 13:59 ? 00:00:07 MailScanner: starting > >> children > >> root 23005 22553 31 13:59 ? 00:00:03 MailScanner: starting > >> children > >> root 23054 22553 49 13:59 ? 00:00:02 MailScanner: starting > >> children > >> If I trace a childre process, here is what it is doing over and over: > >> > >> sudo strace -p 19920 > >> Process 19920 attached - interrupt to quit read(12, > >> "b560c3b9f08759aa3aa90:Trojan.Spy"..., 4096) = 4096 read(12, > >> ":Trojan.Spy-3720\n353280:f604589b"..., 4096) = 4096 read(12, > >> "55d8571268b7:Trojan.Clicker-133\n"..., 4096) = 4096 read(12, > >> "5b7b476404e1ea6dc24d48e50bdfa:Tr"..., 4096) = 4096 read(12, > >> "ba8f709e8b588009a34ee19ee1:Troja"..., 4096) = 4096 read(12, > >> "d5:Trojan.Spy-3998\n284672:7801e5"..., 4096) = 4096 read(12, > >> "6\n12288:6bfa649c48fc5982b231a2bb"..., 4096) = 4096 > >> brk(0x4f23000) = 0x4f23000 > >> read(12, "n.Spy-4128\n21504:3b072d4e76b7173"..., 4096) = 4096 > >> read(12, "bbe4f7d647f109b5317dd8794715:Tro"..., 4096) = 4096 read(12, > >> "n.Downloader-4997\n36864:bcc236c3"..., 4096) = 4096 read(12, > >> "der-5167\n29696:f7d986ddcc013d8e0"..., 4096) = 4096 read(12, > >> "f7e121997:Trojan.Downloader-5070"..., 4096) = 4096 read(12, > >> ".Downloader-5107\n10240:efd91a6ea"..., 4096) = 4096 read(12, > >> "ec7:Trojan.Downloader-4916\n2048:"..., 4096) = 4096 read(12, > >> "nloader-5244\n4768:096cc4cd04d5cf"..., 4096) = 4096 read(12, > >> ":Trojan.Bancos-3284\n271360:2bc5f"..., 4096) = 4096 read(12, > >> "ncos-3342\n377344:04230b7482e189a"..., 4096) = 4096 read(12, > >> "an.Spy-4204\n35840:4c8d2cbaf9ccaf"..., 4096) = 4096 read(12, > >> "jan.Bancos-3492\n659968:49df0eba0"..., 4096) = 4096 read(12, > >> "0:25f16f5f7ee84dee66f40f6c86e9b8"..., 4096) = 4096 read(12, > >> "86:Trojan.Small-1634\n229888:3579"..., 4096) = 4096 read(12, > >> "4d30b8cfcfe247337e424db964d816:T"..., 4096) = 4096 read(12, > >> "576:3c44fb4c3e7a07aa1d49ce91c492"..., 4096) = 4096 
read(12, > >> "082cd8ac62e6878348b79:Trojan.Ban"..., 4096) = 4096 > >> > >> 2. Strangely enough, if I start just MailScanner it works fine (with > >> sendmail not running) > >> > >> 3. If I start MailScanner with sendmail to, it will just hang there > >> as described. If I stop it, the master process dies for MailScanner, > >> but the children hang. > >> > >> 4. I did have this problem, but I resolved it quickly by changing the > >> option in MailScanner.conf to look for *.inc files. > >> > >> Jul 20 13:28:37 mr1 MailScanner[9747]: None of the files matched by > >> the "Monitors For ClamAV Updates" patterns exist! > >> Jul 20 13:28:47 mr1 MailScanner[8644]: None of the files matched by > >> the "Monitors For ClamAV Updates" patterns exist! > >> > >> Any ideas? I'm banging my head. > >> > >> David Gottschalk > >> david.gottschalk@emory.edu > >> > >> > > What version of ClamAV? 0.90 takes a very long time to load signatures. > > I do have one box in which it was very quick. The other ones took at least 3 minutes to > get up and going. Upgrading to 0.91 fixed that. > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! 
> > > > > > > -- > Richard Frovarp > EduTech System Administrator > 1-701-231-5127 or > 1-800-774-1091 > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > From MailScanner at ecs.soton.ac.uk Fri Jul 20 20:43:26 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 20 20:44:01 2007 Subject: MailScanner broken suddenly?!?! In-Reply-To: <086301c7caff$1c3c8cf0$5713cc40@OCEANII> References: <086301c7caff$1c3c8cf0$5713cc40@OCEANII> Message-ID: <46A1105E.40104@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michael R. Dilworth wrote: > Happened here to just a few minutes ago. I wasted the ClamAV databases and at the > moment freshclam can't connect to any of the mirrors. Same thing that happened last > time ClamAV had a major update... I commented out ClamAV for now and all is fine > at the moment (yes I have multiple virus scanners). > > Note all is fine until MailScanner restarts, then it will hang with 100% cpu usage. > Nothing has hung, it's just taking a long time to do something (loading the signatures). > Remember MailScanner restarts at least once a day. > > > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of >> Gottschalk, David >> Sent: Friday, July 20, 2007 11:41 AM >> To: MailScanner discussion >> Subject: RE: MailScanner broken suddenly?!?! >> >> >> >> ClamAV 0.90.3/3707/Fri Jul 20 12:08:45 2007 >> >> I think this is a different problem though, because it happened all at once. The children >> were hanging for 20+ mins or more until I realized they were doing nothing but what that >> trace showed me. >> >> David Gottschalk >> >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard Frovarp >> Sent: Friday, July 20, 2007 2:28 PM >> To: MailScanner discussion >> Subject: Re: MailScanner broken suddenly?!?! >> >> Gottschalk, David wrote: >> >>> I have 5 MailScanner machines. >>> >>> I had to do some configuration changes, so I restarted them. One of >>> them now appears to be completely hosed. I've checked my >>> configuration, and can't figure out what is going on. I don't see >>> anything wrong at all. >>> >>> -sh-3.00$ sudo /usr/sbin/MailScanner --lint Checking version >>> numbers... >>> Version installed (4.60.8) does not match version stated in >>> MailScanner.conf file (4.57.6), you may want to run >>> upgrade_MailScanner_conf to ensure your MailScanner.conf file contains >>> all the latest settings. >>> >>> Checking for SpamAssassin errors (if you use it)... >>> Using SpamAssassin results cache >>> Connected to SpamAssassin cache database SpamAssassin reported no >>> errors. >>> Using locktype = posix >>> Creating hardcoded struct_flock subroutine for linux (Linux-type) >>> MailScanner.conf says "Virus Scanners = auto" >>> Found these virus scanners installed: bitdefender, clamavmodule >>> >>> Here is what is going on: >>> >>> 1. MailScanner starts, but just sits there does nothing: >>> >>> root 22553 1 0 13:58 ? 00:00:00 MailScanner: master >>> waiting for children, sleeping >>> root 22554 22553 70 13:58 ? 00:00:35 MailScanner: starting >>> children >>> root 22624 22553 69 13:58 ? 00:00:31 MailScanner: starting >>> children >>> root 22680 22553 67 13:58 ? 00:00:27 MailScanner: starting >>> children >>> root 22733 22553 73 13:58 ? 00:00:26 MailScanner: starting >>> children >>> root 22780 22553 44 13:58 ? 00:00:13 MailScanner: starting >>> children >>> root 22831 22553 42 13:58 ? 00:00:10 MailScanner: starting >>> children >>> root 22884 22553 47 13:58 ? 
00:00:09 MailScanner: starting >>> children >>> root 22957 22553 44 13:59 ? 00:00:07 MailScanner: starting >>> children >>> root 23005 22553 31 13:59 ? 00:00:03 MailScanner: starting >>> children >>> root 23054 22553 49 13:59 ? 00:00:02 MailScanner: starting >>> children >>> If I trace a childre process, here is what it is doing over and over: >>> >>> sudo strace -p 19920 >>> Process 19920 attached - interrupt to quit read(12, >>> "b560c3b9f08759aa3aa90:Trojan.Spy"..., 4096) = 4096 read(12, >>> ":Trojan.Spy-3720\n353280:f604589b"..., 4096) = 4096 read(12, >>> "55d8571268b7:Trojan.Clicker-133\n"..., 4096) = 4096 read(12, >>> "5b7b476404e1ea6dc24d48e50bdfa:Tr"..., 4096) = 4096 read(12, >>> "ba8f709e8b588009a34ee19ee1:Troja"..., 4096) = 4096 read(12, >>> "d5:Trojan.Spy-3998\n284672:7801e5"..., 4096) = 4096 read(12, >>> "6\n12288:6bfa649c48fc5982b231a2bb"..., 4096) = 4096 >>> brk(0x4f23000) = 0x4f23000 >>> read(12, "n.Spy-4128\n21504:3b072d4e76b7173"..., 4096) = 4096 read(12, >>> "bbe4f7d647f109b5317dd8794715:Tro"..., 4096) = 4096 read(12, >>> "n.Downloader-4997\n36864:bcc236c3"..., 4096) = 4096 read(12, >>> "der-5167\n29696:f7d986ddcc013d8e0"..., 4096) = 4096 read(12, >>> "f7e121997:Trojan.Downloader-5070"..., 4096) = 4096 read(12, >>> ".Downloader-5107\n10240:efd91a6ea"..., 4096) = 4096 read(12, >>> "ec7:Trojan.Downloader-4916\n2048:"..., 4096) = 4096 read(12, >>> "nloader-5244\n4768:096cc4cd04d5cf"..., 4096) = 4096 read(12, >>> ":Trojan.Bancos-3284\n271360:2bc5f"..., 4096) = 4096 read(12, >>> "ncos-3342\n377344:04230b7482e189a"..., 4096) = 4096 read(12, >>> "an.Spy-4204\n35840:4c8d2cbaf9ccaf"..., 4096) = 4096 read(12, >>> "jan.Bancos-3492\n659968:49df0eba0"..., 4096) = 4096 read(12, >>> "0:25f16f5f7ee84dee66f40f6c86e9b8"..., 4096) = 4096 read(12, >>> "86:Trojan.Small-1634\n229888:3579"..., 4096) = 4096 read(12, >>> "4d30b8cfcfe247337e424db964d816:T"..., 4096) = 4096 read(12, >>> "576:3c44fb4c3e7a07aa1d49ce91c492"..., 4096) = 4096 read(12, >>> 
"082cd8ac62e6878348b79:Trojan.Ban"..., 4096) = 4096 >>> >>> 2. Strangely enough, if I start just MailScanner it works fine (with >>> sendmail not running) >>> >>> 3. If I start MailScanner with sendmail to, it will just hang there as >>> described. If I stop it, the master process dies for MailScanner, but >>> the children hang. >>> >>> 4. I did have this problem, but I resolved it quickly by changing the >>> option in MailScanner.conf to look for *.inc files. >>> >>> Jul 20 13:28:37 mr1 MailScanner[9747]: None of the files matched by >>> the "Monitors For ClamAV Updates" patterns exist! >>> Jul 20 13:28:47 mr1 MailScanner[8644]: None of the files matched by >>> the "Monitors For ClamAV Updates" patterns exist! >>> >>> Any ideas? I'm banging my head. >>> >>> David Gottschalk >>> david.gottschalk@emory.edu >>> >>> >> What version of ClamAV? 0.90 takes a very long time to load signatures. >> I do have one box in which it was very quick. The other ones took at least 3 minutes to >> get up and going. Upgrading to 0.91 fixed that. >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> >> Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGoRBfEfZZRxQVtlQRAmnkAKDrUjo9bm4+mMwKxRHr7oi5pQ28VQCbBYKw
6s2GZ4BBO3e7qZOYT3EaFKM=
=cK40
-----END PGP SIGNATURE-----

From dgottsc at emory.edu Fri Jul 20 20:45:24 2007
From: dgottsc at emory.edu (Gottschalk, David)
Date: Fri Jul 20 20:45:36 2007
Subject: MailScanner broken suddenly?!?!
In-Reply-To:
References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu>
Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C235@RDPEXCH2.Eu.Emory.Edu>

Well, are they always changing the folder extension on the main files? If so,
then we have a problem. I've never seen the folder name change till now though.

David Gottschalk

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Raymond Dijkxhoorn
Sent: Friday, July 20, 2007 3:36 PM
To: MailScanner discussion
Subject: Re: MailScanner broken suddenly?!?!

Hi!

> Jul 20 13:28:37 mr1 MailScanner[9747]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
> Jul 20 13:28:47 mr1 MailScanner[8644]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
>
> Any ideas? I'm banging my head.

This is what I warned about, but wasn't needed according to Jules. See
earlier postings. There was a new main.cvd out today, so this is what
happened... And what will happen every time the main files will be
updated.

Bye,
Raymond.

From raymond at prolocation.net Fri Jul 20 20:52:35 2007
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Fri Jul 20 20:52:33 2007
Subject: broken clamav update?
In-Reply-To: <46A10F59.4000907@28a.de>
References: <013f01c7caff$a22121a0$0b01010a@DGPTBH91> <46A10F59.4000907@28a.de>
Message-ID:

Hi!

> Monitors for ClamAV Updates = /var/lib/clamav/*.cvd
>
> After running the ClamAV update there are no *cvd files on my system
> anymore.
>
> I change this config line to:
> Monitors for ClamAV Updates = /var/lib/clamav/main.inc/*.db
>
> Now everything works fine again.

And this will break your setup after a few updates, so that's not really a
smart solution.

Bye,
Raymond.

From campbell at cnpapers.com Fri Jul 20 20:52:38 2007
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Jul 20 20:52:44 2007
Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k"
In-Reply-To: <46A10500.3090709@alexb.ch>
References: <012101c7c8bc$5498dee0$5713cc40@OCEANII> <469D4099.5040708@alexb.ch> <469FA620.5030208@cnpapers.com> <469FCCFF.3080700@cnpapers.com> <46A10500.3090709@alexb.ch>
Message-ID: <46A11286.5060205@cnpapers.com>

Alex Broens wrote:
> On 7/20/2007 8:07 PM, Scott Silva wrote:
>> Steve Campbell spake the following on 7/19/2007 1:43 PM:
>>>
>>> Scott Silva wrote:
>>>> Steve Campbell spake the following on 7/19/2007 10:57 AM:
>>>>
>>>>> Alex Broens wrote:
>>>>>
>>>>>> On 7/17/2007 11:49 PM, Michael R. Dilworth wrote:
>>>>>>
>>>>>>> Just to save some time for some of you, the 40k number
>>>>>>> can is on the small side for some of the PDF spams I've been
>>>>>>> receiving.
>>>>>>>
>>>>>> FWI: I'm using:
>>>>>>
>>>>>> Max Spam Check Size = 250000
>>>>>> Max SpamAssassin Size = 2500000
>>>>>>
>>>>>> which, AFAIK are the default SA values.
>>>>>>
>>>>>> Alex
>>>>>> --
>>>>>> *Spammer hell has no DSL*
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> Maybe it's because I'm not up-to-date on my MS, but I don't have a Max
>>>>> Spam Check Size parameter in my configuration file.
>>>>>
>>>>> The only "Size" parms I have are as follows:
>>>>>
>>>>> Maximum Message Size = 0
>>>>> Maximum Attachment Size = -1
>>>>> Minimum Attachment Size = -1
>>>>> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
>>>>> Max SpamAssassin Size = 2500000
>>>>>
>>>> This setting will make mailscanner not send the message to spamassassin if it
>>>> is over this size. Are the pdf spams bigger than that?
>>>>
>>>>
>>>>
>>> Everyone is missing my point I meant to make.
>>>
>>> I don't have the "Max Spam Check Size" in my configuration file to
>>> change. It could have been missed in an upgrade, but I always use
>>> Julian's upgrade_MailScanner_conf script and this parm is missing on 3
>>> different servers.
>>>
>>> Steve Campbell
>>>
>>>
>> Nor do I, and I am running the latest stable (4.61.7-2). It must be in the
>> latest beta.
>>
>
> I'm using
>
> "This is MailScanner version 4.57.6"
>
> with these parameters
>
> Alex
>

Which parameters might "these" be?

Steve

From Denis.Beauchemin at USherbrooke.ca Fri Jul 20 20:54:36 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Jul 20 20:54:50 2007
Subject: broken clamav update?
In-Reply-To: <46A10F59.4000907@28a.de>
References: <013f01c7caff$a22121a0$0b01010a@DGPTBH91> <46A10F59.4000907@28a.de>
Message-ID: <46A112FC.20206@USherbrooke.ca>

Dennis Goebel wrote:
> hello,
>
> my Mailscanner logged a message saying "None of the files matched by
> the "Monitors For ClamAV Updates" patterns exist!"
>
> My config file instructs MailScanner to monitor *cvd files:
> Monitors for ClamAV Updates = /var/lib/clamav/*.cvd
>
> After running the ClamAV update there are no *cvd files on my system
> anymore.
>
> I change this config line to:
> Monitors for ClamAV Updates = /var/lib/clamav/main.inc/*.db
>
> Now everything works fine again.
>
>
>

All is fine here too. Running with:
ClamAV Updates = /usr/local/share/clamav/*.cvd /usr/local/share/clamav/daily.inc/daily.info /usr/local/share/clamav/main.inc/main.info /usr/local/share/clamav/*.?db

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From MailScanner at ecs.soton.ac.uk Fri Jul 20 20:55:47 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 20 20:56:38 2007
Subject: MailScanner broken suddenly?!?!
In-Reply-To:
References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu> <46A0FEC0.9090200@sendit.nodak.edu> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1C3@RDPEXCH2.Eu.Emory.Edu>
Message-ID: <46A11343.6060704@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Raymond,

Can you explain to me exactly what the problem is and what you have
found and diagnosed about it please? This thread has got very long and
convoluted.

I use clamav or clamavmodule on all my servers, and though clamscan
seems to take 20 seconds or so to load the sigs at the moment, nothing
worse than that is happening on my systems. So what is the problem?

Jules.

Raymond Dijkxhoorn wrote:
> Hi!
>
>> I think this is a different problem though, because it happened all
>> at once. The children were hanging for 20+ mins or more until I
>> realized they were doing nothing but what that trace showed me.
>
> There was a new main update out, and like last time, exactly same
> thing, this breaks MailScanner.
>
> Look in the archive, after last update of the main clam files this
> exact same thing also happened.
>
> Jules, could you have a look, since this is really something that will
> bite us in a few months again, with the next clam update of their main
> files.
>
> Bye,
> Raymond.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGoRNDEfZZRxQVtlQRAkdGAJ9SyEasv4NmCRD2tiRfhJgqYsl30QCaAjzv
EKBkBDStBiD4gKuhOxRwpxE=
=6vo4
-----END PGP SIGNATURE-----

From raymond at prolocation.net Fri Jul 20 20:59:14 2007
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Fri Jul 20 20:59:11 2007
Subject: broken clamav update?
In-Reply-To:
References: <013f01c7caff$a22121a0$0b01010a@DGPTBH91> <46A10F59.4000907@28a.de>
Message-ID:

Hi!

>> After running the ClamAV update there are no *cvd files on my system
>> anymore.
>>
>> I change this config line to:
>> Monitors for ClamAV Updates = /var/lib/clamav/main.inc/*.db
>>
>> Now everything works fine again.
>
> And this will break your setup after a few updates, so that's not really a
> smart solution.

Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd

That's what it should look like. BOTH should be checked.

Bye,
Raymond.

From MailScanner at ecs.soton.ac.uk Fri Jul 20 20:59:15 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 20 21:00:06 2007
Subject: broken clamav update?
In-Reply-To: <46A10F59.4000907@28a.de>
References: <013f01c7caff$a22121a0$0b01010a@DGPTBH91> <46A10F59.4000907@28a.de>
Message-ID: <46A11413.3030209@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dennis Goebel wrote:
> hello,
>
> my Mailscanner logged a message saying "None of the files matched by
> the "Monitors For ClamAV Updates" patterns exist!"
>
> My config file instructs MailScanner to monitor *cvd files:
> Monitors for ClamAV Updates = /var/lib/clamav/*.cvd
>
> After running the ClamAV update there are no *cvd files on my system
> anymore.
>
> I change this config line to:
> Monitors for ClamAV Updates = /var/lib/clamav/main.inc/*.db
>
You want to watch for the daily files too, they change far more frequently.
Set it to this:

Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd

(All of that should be on one line, obviously)
That will make it watch for everything it should be.

> Now everything works fine again.
>
> Regards
> Dennis
>
>
> Bryan Guest wrote:
>
>> Hello:
>>
>> Is anyone else seeing MailScanner fail to process messages from what
>> appears to be a botched ClamAV update?
>>
>> One of my blades got hosed sometime after 13:00 EST (gmt -05:00).
>>
>> Any assistance in clearing this up would be greatly appreciated.
>>
>> Bryan Guest
>> Bruce Telecom
>>

Jules

- -- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGoRQUEfZZRxQVtlQRAvA8AKC5mdK+uwGI4NLm6zCcroSP6NOxkACg6/JA
x5yBT+jIRcqC1MJciGO44B8=
=YQu4
-----END PGP SIGNATURE-----

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From raymond at prolocation.net Fri Jul 20 21:02:59 2007
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Fri Jul 20 21:02:57 2007
Subject: MailScanner broken suddenly?!?!
In-Reply-To: <087a01c7cb06$4307dea0$5713cc40@OCEANII>
References: <087a01c7cb06$4307dea0$5713cc40@OCEANII>
Message-ID:

Hi!

> MS 4.58.9
> clamav 0.90.3 virus db 44 and 3708.
>
> Currently downloading Clamav 91 source, and MS 4.61.7-2 will hopefully
> be installing a MailScanner -> Clamd setup this afternoon. It was on
> my todo list, but it just got bumped to a priority.

Version doesn't have much to do with it. The new version will fix the slow
loading times, but not your problem.

This will:

Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd

Bye,
Raymond.

From ka at pacific.net Fri Jul 20 21:11:31 2007
From: ka at pacific.net (Ken A)
Date: Fri Jul 20 21:11:34 2007
Subject: broken clamav update?
In-Reply-To: <46A10B00.3030407@sendit.nodak.edu>
References: <013f01c7caff$a22121a0$0b01010a@DGPTBH91> <441247027D4F274EB760A5F6E1ED9C7E020DB3@houpex02.nfsmith.info> <46A109C7.6060301@pacific.net> <46A10B00.3030407@sendit.nodak.edu>
Message-ID: <46A116F3.9090107@pacific.net>

Richard Frovarp wrote:
> Ken A wrote:
>> Mike Kercher wrote:
>>> This was just the reason I needed to add f-prot to all of my boxen.
>>> I'll add clamavmodule back after they get it fixed.
>>
>> Everything is fine here.. famous last words on a friday..
>>
>> main.inc is up to date (version: 44, sigs: 133163, f-level: 20,
>> builder: sven)
>> daily.inc is up to date (version: 3708, sigs: 6165, f-level: 16,
>> builder: ccordes)
>>
>> MailScanner is plugging along just fine, queues are moving along..
>> Freshclam runs okay. clamscan seems 'normal' speed ~1 sec or so.
>>
>> Ken
>>
>>
> Running 0.91.x? Everything is fine as well for me with those numbers.

0.91.1 had no problems other than very slow freshclam download, no doubt
due to heavy hits on mirrors with new main.cvd

-- 
Ken Anderson
Pacific.Net

From raymond at prolocation.net Fri Jul 20 21:13:24 2007
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Fri Jul 20 21:13:22 2007
Subject: MailScanner broken suddenly?!?!
In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C235@RDPEXCH2.Eu.Emory.Edu>
References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C235@RDPEXCH2.Eu.Emory.Edu>
Message-ID:

Hi!

> Well, are they always changing to folder extension on the main files? If so, then we have a problem.
>
> I've never seen the folder named change till now though.

With a new install or update you most likely end up with:

-rw-r--r-- 1 clamav clamav 193866 Jul 20 21:56 daily.cvd
-rw-r--r-- 1 clamav clamav 10251443 Jul 20 21:56 main.cvd

You really should monitor both, this is also what's default in the new MS
default config.

Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd

Bye,
Raymond.

From raymond at prolocation.net Fri Jul 20 21:18:43 2007
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Fri Jul 20 21:18:41 2007
Subject: MailScanner broken suddenly?!?!
In-Reply-To: <46A11343.6060704@ecs.soton.ac.uk>
References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu> <46A0FEC0.9090200@sendit.nodak.edu> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1C3@RDPEXCH2.Eu.Emory.Edu> <46A11343.6060704@ecs.soton.ac.uk>
Message-ID:

Hi!

> Can you explain to me exactly what the problem is and what you have
> found and diagnosed about it please?
> This thread has got very long and convoluted. I use clamav or
> clamavmodule on all my servers, and though clamscan seems to take 20
> seconds or so to load the sigs at the moment, nothing worse than that is
> happening on my systems.
> So what is the problem?

Most of the old users have only the line to monitor the .cvd files. In the
new default config you are now sending along, this is fixed.

There you have:

Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd

And that's fine.

*ALL* users that were stuck now have not updated their config. Perhaps the
update config script should overwrite this value or something, dunno, but
they should really monitor both else they get in trouble after every
update of the clamav main files. That's what was happening today, they
reversed back from the incremental files to a new release of the main
files.

See clamsite:

ClamAV Virus Databases:
main.cvd ver. 44 released on 20 Jul 2007 18:01 +0200
daily.cvd ver. 3709 released on 20 Jul 2007 19:59 +0000

So a lot of sites got issues after 20:00 and some more who just missed the
update and now have the problems an hour later ;)

So in short, the NEW MailScanner distributions already have this issue
fixed. Old users, that don't manually edit this part of their config are
stuck, and really SHOULD update it ;) To avoid more discussion after the
next main database update ;)

Bye,
Raymond.

From mailscanner at yeticomputers.com Fri Jul 20 21:20:32 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Fri Jul 20 21:20:42 2007
Subject: MailScanner broken suddenly?!?!
In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1C3@RDPEXCH2.Eu.Emory.Edu>
References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu> <46A0FEC0.9090200@sendit.nodak.edu> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1C3@RDPEXCH2.Eu.Emory.Edu>
Message-ID: <46A11910.6030805@yeticomputers.com>

Gottschalk, David wrote:
> ClamAV 0.90.3/3707/Fri Jul 20 12:08:45 2007
>
> I think this is a different problem though, because it happened all at once. The children were hanging for 20+ mins or more until I realized they were doing nothing but what that trace showed me.

Yes, but the trace looks as though it's loading signatures. My server
was taking about 5 minutes to launch 5 children until I upgraded clamav
(and switched to clamd). The greater number of children you have might
be strangling I/O trying to load up signatures that many times at once.
I'll bet top shows your CPU completely consumed while those are starting.

Rick

From dennis at 28a.de Fri Jul 20 21:22:22 2007
From: dennis at 28a.de (Dennis Goebel)
Date: Fri Jul 20 21:22:23 2007
Subject: broken clamav update?
In-Reply-To:
References: <013f01c7caff$a22121a0$0b01010a@DGPTBH91> <46A10F59.4000907@28a.de>
Message-ID: <46A1197E.3070601@28a.de>

Raymond Dijkxhoorn wrote:
>> And this will break your setup after a few updates, so that's not
>> really a smart solution.
>
> Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/*
> /usr/local/share/clamav/*.cvd
> That's what it should look like. BOTH should be checked.
>

Ok, this is a better solution than my very quick and dirty config change. ;)

Dennis

From ms-list at alexb.ch Fri Jul 20 21:30:47 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Jul 20 21:30:53 2007
Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k"
In-Reply-To: <46A11286.5060205@cnpapers.com>
References: <012101c7c8bc$5498dee0$5713cc40@OCEANII> <469D4099.5040708@alexb.ch> <469FA620.5030208@cnpapers.com> <469FCCFF.3080700@cnpapers.com> <46A10500.3090709@alexb.ch> <46A11286.5060205@cnpapers.com>
Message-ID: <46A11B77.5010103@alexb.ch>

On 7/20/2007 9:52 PM, Steve Campbell wrote:
>
> Alex Broens wrote:
>> On 7/20/2007 8:07 PM, Scott Silva wrote:
>>> Steve Campbell spake the following on 7/19/2007 1:43 PM:
>>>>
>>>> Scott Silva wrote:
>>>>> Steve Campbell spake the following on 7/19/2007 10:57 AM:
>>>>>
>>>>>> Alex Broens wrote:
>>>>>>
>>>>>>> On 7/17/2007 11:49 PM, Michael R. Dilworth wrote:
>>>>>>>
>>>>>>>> Just to save some time for some of you, the 40k number
>>>>>>>> can is on the small side for some of the PDF spams I've been
>>>>>>>> receiving.
>>>>>>>>
>>>>>>> FWI: I'm using:
>>>>>>>
>>>>>>> Max Spam Check Size = 250000
>>>>>>> Max SpamAssassin Size = 2500000
>>>>>>>
>>>>>>> which, AFAIK are the default SA values.
>>>>>>>
>>>>>>> Alex
>>>>>>> --
>>>>>>> *Spammer hell has no DSL*
>>>>>>>
>>>>>> Maybe it's because I'm not up-to-date on my MS, but I don't have a
>>>>>> Max
>>>>>> Spam Check Size parameter in my configuration file.
>>>>>>
>>>>>> The only "Size" parms I have are as follows:
>>>>>>
>>>>>> Maximum Message Size = 0
>>>>>> Maximum Attachment Size = -1
>>>>>> Minimum Attachment Size = -1
>>>>>> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
>>>>>> Max SpamAssassin Size = 2500000
>>>>>>
>>>>> This setting will make mailscanner not send the message to
>>>>> spamassassin if it
>>>>> is over this size. Are the pdf spams bigger than that?
>>>>>
>>>> Everyone is missing my point I meant to make.
>>>>
>>>> I don't have the "Max Spam Check Size" in my configuration file to
>>>> change.
It could have been missed in an upgrade, but I always use
>>>> Julian's upgrade_MailScanner_conf script and this parm is missing on 3
>>>> different servers.
>>>>
>>>> Steve Campbell
>>>>
>>> Nor do I, and I am running the latest stable (4.61.7-2). It must be
>>> in the
>>> latest beta.
>>>
>>
>> I'm using
>>
>> "This is MailScanner version 4.57.6"
>>
>> with these parameters
>>
>> Alex
>>
> Which parameters might "these" be?

I mean:

Max Spam Check Size = 250000
Max SpamAssassin Size = 2500000

like posted above

Alex

From jefframsey at tubafor.com Fri Jul 20 21:40:38 2007
From: jefframsey at tubafor.com (Jeff Ramsey)
Date: Fri Jul 20 21:44:41 2007
Subject: Mailscanner Gateway does not reject unknown users (more of a sendmail question, I think) (Ken A)
In-Reply-To: <200707201808.l6KI8AvU005639@safir.blacknight.ie>
References: <200707201808.l6KI8AvU005639@safir.blacknight.ie>
Message-ID:

On Jul 20, 2007, at 11:08 AM, mailscanner-request@lists.mailscanner.info wrote:

>
> Jeff Ramsey wrote:
>> I have read a few places on the net that claim this has been well
>> covered, but I cannot seem to find a configuration that works.
>>
>> It either forwards all nonspam email on to my internal sendmail server,
>> or it rejects the unknown user messages but then does not relay any
>> email onto the internal email server.
>>
>> If I list my domains in local-host-names, it does not relay any more
>> email for those domains, period. If I don't list the domains there, it
>> does not check incoming mail for a valid email address.
>>
>> Can anyone point me in the right direction?
>
> mailertable
>
> domain.tld esmtp:[mailhub.otherdomain.tld]
>
> Ken

I checked, and my mailertable is already populated just like you
suggest. Here is a copy of my mailertable:

tubafor.com esmtp:[imap.tubafor.com]
imap.tubafor.com esmtp:[imap.tubafor.com]
smtpgw.tubafor.com esmtp:[imap.tubafor.com]
tmiforestproducts.com esmtp:[imap.tubafor.com]
tmiforestproducts.net esmtp:[imap.tubafor.com]
tmiforestproducts.org esmtp:[imap.tubafor.com]
tmiforestproducts.info esmtp:[imap.tubafor.com]
tmiforestproducts.biz esmtp:[imap.tubafor.com]

--- END /etc/mail/mailertable ---

So I must have something else not set correctly. Just to clarify, should
I have my local-host-names populated as well as mailertable, or just
mailertable? I'll check out all other sendmail files and see if I can
come up with anything. Most Internet forums suggest to put each email
address in the access file with a RELAY status. I hope this is not the
only way to accomplish this task.
I'd have about a thousand to enter.

Thanks for the help.

Jeff Ramsey
MIS Administrator
TMI Forest Products, Inc.
jefframsey@tubafor.com
360.477.0738

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070720/1bf0f04d/attachment-0001.html

From campbell at cnpapers.com Fri Jul 20 21:49:27 2007
From: campbell at cnpapers.com (Steve Campbell) Date: Fri Jul 20 21:49:43 2007 Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k" In-Reply-To: <46A11B77.5010103@alexb.ch> References: <012101c7c8bc$5498dee0$5713cc40@OCEANII> <469D4099.5040708@alexb.ch> <469FA620.5030208@cnpapers.com> <469FCCFF.3080700@cnpapers.com> <46A10500.3090709@alexb.ch> <46A11286.5060205@cnpapers.com> <46A11B77.5010103@alexb.ch> Message-ID: <46A11FD7.6080709@cnpapers.com> Thanks, Alex and Scott, I was getting a little confused about what is right and what is wrong. Apparently there is no side effects to not having both parameters as my machines are working just fine. Steve Alex Broens wrote: > On 7/20/2007 9:52 PM, Steve Campbell wrote: >> >> >> Alex Broens wrote: >>> On 7/20/2007 8:07 PM, Scott Silva wrote: >>>> Steve Campbell spake the following on 7/19/2007 1:43 PM: >>>>> >>>>> Scott Silva wrote: >>>>>> Steve Campbell spake the following on 7/19/2007 10:57 AM: >>>>>> >>>>>>> Alex Broens wrote: >>>>>>> >>>>>>>> On 7/17/2007 11:49 PM, Michael R. Dilworth wrote: >>>>>>>> >>>>>>>>> Just to save some time for some of you, the 40k number >>>>>>>>> can is on the small side for some of the PDF spams I've been >>>>>>>>> receiving. >>>>>>>>> >>>>>>>> FWI: I'm using: >>>>>>>> >>>>>>>> Max Spam Check Size = 250000 >>>>>>>> Max SpamAssassin Size = 2500000 >>>>>>>> >>>>>>>> which, AFAIK are the default SA values. >>>>>>>> >>>>>>>> Alex >>>>>>>> -- >>>>>>>> *Spammer hell has no DSL* >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> Maybe it's because I'm not up-to-date on my MS, but I don't have >>>>>>> a Max >>>>>>> Spam Check Size parameter in my configuration file. 
>>>>>>> >>>>>>> The only "Size" parms I have are as follows: >>>>>>> >>>>>>> Maximum Message Size = 0 >>>>>>> Maximum Attachment Size = -1 >>>>>>> Minimum Attachment Size = -1 >>>>>>> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes) >>>>>>> Max SpamAssassin Size = 2500000 >>>>>>> >>>>>> This setting will make mailscanner not send the message to >>>>>> spamassassin if it >>>>>> is over this size. Are the pdf spams bigger than that? >>>>>> >>>>>> >>>>>> >>>>> Everyone is missing my point I meant to make. >>>>> >>>>> I don't have the "Max Spam Check Size" in my configuration file to >>>>> change. It could have been missed in an upgrade, but I always use >>>>> Julian's upgrade_MailScanner_conf script and this parm is missing >>>>> on 3 >>>>> different servers. >>>>> >>>>> Steve Campbell >>>>> >>>>> >>>> Nor do I, and I am running the latest stable (4.61.7-2). It must be >>>> in the >>>> latest beta. >>>> >>> >>> I'm using >>> >>> "This is MailScanner version 4.57.6" >>> >>> with these parameters >>> >>> Alex >>> >> Which parameters might "these" be? > > I mean: > > Max Spam Check Size = 250000 > Max SpamAssassin Size = 2500000 > > like posted above > > Alex > From Carl.Andrews at crackerbarrel.com Fri Jul 20 21:55:36 2007 
From: Carl.Andrews at crackerbarrel.com (Andrews Carl 455)
Date: Fri Jul 20 21:55:11 2007
Subject: Broken MailScanner if Using CLAM!!!
In-Reply-To: <200707201618.l6KGIvCa022537@smtpgw1.crackerbarrel.com>
Message-ID: <113A0DFC086C984AB9EFDF6B8614F075017D31B2@exchange03.CBOCS.com>

It appears that the clam definitions from noon are corrupt. I had to
remove mine and restart mailscanner.

cd /usr/local/share/clamav or 'locate main.ndb'
rm -rf *
freshclam

I hope this helps if anyone else is having the same problem.

Thanks!
Carl

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070720/f42eb8b7/attachment.html

From rcooper at dwford.com Fri Jul 20 21:58:02 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Jul 20 21:58:09 2007
Subject: MailScanner broken suddenly?!?!
In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu>
References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu>
Message-ID: <01c201c7cb10$a99aacb0$0301a8c0@SAHOMELT>

_____
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gottschalk, David
Sent: Friday, July 20, 2007 2:06 PM
To: MailScanner discussion
Subject: MailScanner broken suddenly?!?!

I have 5 MailScanner machines. I had to do some configuration changes, so
I restarted them. One of them now appears to be completely hosed. I've
checked my configuration, and can't figure out what is going on. I don't
see anything wrong at all.

-sh-3.00$ sudo /usr/sbin/MailScanner --lint
Checking version numbers...
Version installed (4.60.8) does not match version stated in
MailScanner.conf file (4.57.6), you may want to run upgrade_MailScanner_conf
to ensure your MailScanner.conf file contains all the latest settings.

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = posix
Creating hardcoded struct_flock subroutine for linux (Linux-type)
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: bitdefender, clamavmodule

Here is what is going on:

1. MailScanner starts, but just sits there does nothing:

root 22553 1 0 13:58 ? 00:00:00 MailScanner: master waiting for children, sleeping
root 22554 22553 70 13:58 ? 00:00:35 MailScanner: starting children
root 22624 22553 69 13:58 ? 00:00:31 MailScanner: starting children
root 22680 22553 67 13:58 ? 00:00:27 MailScanner: starting children
root 22733 22553 73 13:58 ? 00:00:26 MailScanner: starting children
root 22780 22553 44 13:58 ? 00:00:13 MailScanner: starting children
root 22831 22553 42 13:58 ? 00:00:10 MailScanner: starting children
root 22884 22553 47 13:58 ? 00:00:09 MailScanner: starting children
root 22957 22553 44 13:59 ? 00:00:07 MailScanner: starting children
root 23005 22553 31 13:59 ? 00:00:03 MailScanner: starting children
root 23054 22553 49 13:59 ?
00:00:02 MailScanner: starting children

If I trace a child process, here is what it is doing over and over:

sudo strace -p 19920
Process 19920 attached - interrupt to quit
read(12, "b560c3b9f08759aa3aa90:Trojan.Spy"..., 4096) = 4096
read(12, ":Trojan.Spy-3720\n353280:f604589b"..., 4096) = 4096
read(12, "55d8571268b7:Trojan.Clicker-133\n"..., 4096) = 4096
read(12, "5b7b476404e1ea6dc24d48e50bdfa:Tr"..., 4096) = 4096
read(12, "ba8f709e8b588009a34ee19ee1:Troja"..., 4096) = 4096
read(12, "d5:Trojan.Spy-3998\n284672:7801e5"..., 4096) = 4096
read(12, "6\n12288:6bfa649c48fc5982b231a2bb"..., 4096) = 4096
brk(0x4f23000) = 0x4f23000
read(12, "n.Spy-4128\n21504:3b072d4e76b7173"..., 4096) = 4096
read(12, "bbe4f7d647f109b5317dd8794715:Tro"..., 4096) = 4096
read(12, "n.Downloader-4997\n36864:bcc236c3"..., 4096) = 4096
read(12, "der-5167\n29696:f7d986ddcc013d8e0"..., 4096) = 4096
read(12, "f7e121997:Trojan.Downloader-5070"..., 4096) = 4096
read(12, ".Downloader-5107\n10240:efd91a6ea"..., 4096) = 4096
read(12, "ec7:Trojan.Downloader-4916\n2048:"..., 4096) = 4096
read(12, "nloader-5244\n4768:096cc4cd04d5cf"..., 4096) = 4096
read(12, ":Trojan.Bancos-3284\n271360:2bc5f"..., 4096) = 4096
read(12, "ncos-3342\n377344:04230b7482e189a"..., 4096) = 4096
read(12, "an.Spy-4204\n35840:4c8d2cbaf9ccaf"..., 4096) = 4096
read(12, "jan.Bancos-3492\n659968:49df0eba0"..., 4096) = 4096
read(12, "0:25f16f5f7ee84dee66f40f6c86e9b8"..., 4096) = 4096
read(12, "86:Trojan.Small-1634\n229888:3579"..., 4096) = 4096
read(12, "4d30b8cfcfe247337e424db964d816:T"..., 4096) = 4096
read(12, "576:3c44fb4c3e7a07aa1d49ce91c492"..., 4096) = 4096
read(12, "082cd8ac62e6878348b79:Trojan.Ban"..., 4096) = 4096

2. Strangely enough, if I start just MailScanner it works fine (with
sendmail not running)

3. If I start MailScanner with sendmail too, it will just hang there as
described. If I stop it, the master process dies for MailScanner, but the
children hang.

4.
I did have this problem, but I resolved it quickly by changing the option
in MailScanner.conf to look for *.inc files.

Jul 20 13:28:37 mr1 MailScanner[9747]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!
Jul 20 13:28:47 mr1 MailScanner[8644]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist!

Any ideas? I'm banging my head.

Need to watch only looking for .cvd or only looking for .inc (dir) because
at one time or another only one type may exist. Try running clamscan and
see if it reports a hosed db if so remove the damaged db (either .cvd or
.inc dir) and run freshclam. If you are using a script to d/l 3rd party
sigs make sure you use one that tests the db before installing it into the
clamav db dir

Rick

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070720/9d1c512b/attachment.html

From mailscanner at slackadelic.com Fri Jul 20 22:00:16 2007
From: mailscanner at slackadelic.com (Matt Hayes)
Date: Fri Jul 20 22:00:24 2007
Subject: Broken MailScanner if Using CLAM!!!
In-Reply-To: <113A0DFC086C984AB9EFDF6B8614F075017D31B2@exchange03.CBOCS.com>
References: <113A0DFC086C984AB9EFDF6B8614F075017D31B2@exchange03.CBOCS.com>
Message-ID: <46A12260.5050603@slackadelic.com>

Andrews Carl 455 wrote:
> It appears that the clam definitions from noon are corrupt. I had to
> remove mine and restart mailscanner.
>
>
> cd /usr/local/share/clamav or 'locate main.ndb'
> rm -rf *
> freshclam
>
>
>
> I hope this helps if anyone else is having the same problem.
>
>
> Thanks!
> Carl
>
>

Uhhh, just cron the update process with a script for every hour update..
then you don't have to do that.

-Matt

From matt at coders.co.uk Fri Jul 20 22:04:30 2007
From: matt at coders.co.uk (Matt Hampton)
Date: Fri Jul 20 22:02:15 2007
Subject: Mailscanner Gateway does not reject unknown users (more of a sendmail question, I think) (Ken A)
In-Reply-To:
References: <200707201808.l6KI8AvU005639@safir.blacknight.ie>
Message-ID: <46A1235E.80400@coders.co.uk>

Jeff Ramsey wrote:
> I checked, and my mailertable is already populated just like you
> suggest. Here is a copy of my mailertable:
>
> tubafor.com esmtp:[imap.tubafor.com]
> imap.tubafor.com esmtp:[imap.tubafor.com]
> smtpgw.tubafor.com esmtp:[imap.tubafor.com]
> tmiforestproducts.com esmtp:[imap.tubafor.com]
> tmiforestproducts.net esmtp:[imap.tubafor.com]
> tmiforestproducts.org esmtp:[imap.tubafor.com]
> tmiforestproducts.info esmtp:[imap.tubafor.com]
> tmiforestproducts.biz esmtp:[imap.tubafor.com]
>
> --- END /etc/mail/mailertable ---

Look at milter-ahead (www.snertsoft.org) or SMFS SAV.

matt

From Kevin_Miller at ci.juneau.ak.us Fri Jul 20 22:07:26 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Jul 20 22:07:30 2007
Subject: Mailscanner Gateway does not reject unknown users (more of asendmail question, I think) (Ken A)
In-Reply-To:
References: <200707201808.l6KI8AvU005639@safir.blacknight.ie>
Message-ID:

I've never used local-host-names (unless you mean /etc/hosts) but I do
have entries in relay-domains to/for which I'll relay mail. Try adding
your internal domains there...

...Kevin
-- 
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jeff Ramsey Sent: Friday, July 20, 2007 12:41 PM To: mailscanner@lists.mailscanner.info Subject: Re: Mailscanner Gateway does not reject unknown users (more of asendmail question, I think) (Ken A) On Jul 20, 2007, at 11:08 AM, mailscanner-request@lists.mailscanner.info wrote: Jeff Ramsey wrote: I have read a few places on the net that claim this has been well covered, but I cannot seem to find a configuration that works. It either forwards all nonspam email on to my internal sendmail server, or it rejects the unknown user messages but then does not relay any email onto the internal email server. If I list my domains in local-host-names, it does not relay any more email for those domains, period. If I don't list the domains there, it does not check incoming mail for a valid email address. Can anyone point me in the right direction? mailertable domain.tld esmtp:[mailhub.otherdomain.tld] Ken I checked, and my mailertable is already populated just like you suggest. Here is a copy of my mailertable: tubafor.com esmtp:[imap.tubafor.com] imap.tubafor.com esmtp:[imap.tubafor.com] smtpgw.tubafor.com esmtp:[imap.tubafor.com] tmiforestproducts.com esmtp:[imap.tubafor.com] tmiforestproducts.net esmtp:[imap.tubafor.com] tmiforestproducts.org esmtp:[imap.tubafor.com] tmiforestproducts.info esmtp:[imap.tubafor.com] tmiforestproducts.biz esmtp:[imap.tubafor.com] --- END /etc/mail/mailertable --- So I must have something else not set correctly. Just to clarify, should I have my local-host-names populated as well as mailertable, or just mailertable? I'll check out all other sendmail files and see if I can come up with anything. Most Internet forums suggest to put each email address in the access file with a RELAY status. I hope this is not the only way to accomplish this task. I'd have about a thousand to enter. Thanks for the help. 
Jeff Ramsey
MIS Administrator
TMI Forest Products, Inc.
jefframsey@tubafor.com
360.477.0738

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070720/42c191a0/attachment.html

From rcooper at dwford.com Fri Jul 20 22:13:56 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Jul 20 22:14:01 2007
Subject: MailScanner broken suddenly?!?!
In-Reply-To:
References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu>
Message-ID: <01d301c7cb12$e2ab8590$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Raymond Dijkxhoorn
> Sent: Friday, July 20, 2007 3:36 PM
> To: MailScanner discussion
> Subject: Re: MailScanner broken suddenly?!?!
>
> Hi!
>
> > Jul 20 13:28:37 mr1 MailScanner[9747]: None of the files
> matched by the "Monitors For ClamAV Updates" patterns exist!
> > Jul 20 13:28:47 mr1 MailScanner[8644]: None of the files
> matched by the "Monitors For ClamAV Updates" patterns exist!
> >
> > Any ideas? I'm banging my head.
>
> This is what I warned about. but wasn't needed according to
> Jules. See
> earlier postings. There was a new main.cvd out today, so
> this is what
> happened... And what will happen every time the main files will be
> updated.
>

Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/*.* /usr/local/share/clamav/*.cvd

Because either .cvd or .inc can be missing at any given time. The cvd is not
unpacked until updated the next time

Rick

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From rcooper at dwford.com Fri Jul 20 22:18:45 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Jul 20 22:18:48 2007
Subject: MailScanner broken suddenly?!?!
In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1DC@RDPEXCH2.Eu.Emory.Edu>
References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu><46A0FEC0.9090200@sendit.nodak.edu><8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1C3@RDPEXCH2.Eu.Emory.Edu> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1DC@RDPEXCH2.Eu.Emory.Edu>
Message-ID: <01d401c7cb13$8ea120d0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Gottschalk, David
> Sent: Friday, July 20, 2007 3:00 PM
> To: MailScanner discussion
> Subject: RE: MailScanner broken suddenly?!?!
>
>
> So a few things I've just learned (I think everyone else is
> broken that is using clamav and doesn't know it yet, that's
> why they aren't replying) I just happened to be working on
> my boxes and noticed.
>
> I realized that the reason MailScanner worked temporarily is
> because I disabled scanning altogether on the box with
> problems. I did this so my one broken box (at the time)
> could catch up since it was backed up big time.
>
> Clamscan takes forever to scan messages now.
>
> sudo clamscan -v mailertable.new
> Scanning mailertable.new
> mailertable.new: OK
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 139329
> Engine version: 0.90.3
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Time: 37.524 sec (0 m 37 s)
> -sh-3.00$ du -sh mailertable.new
> 12K mailertable.new
>
> All of my *.cvd directories in /usr/local/share/clamav are now gone.
>
> They are all renamed to *.inc at the time of the breakage.
> I think that could have been part of the problem, but I
> changed my config line in MailScanner, and that didn't
> resolve the hanging issue.
>
[...]

Remember the .cvd is a file and the .inc is a directory so when you
change/add a check on the .inc it should be

Path/to/db/*.inc/*

and the cvd check would be

Path/to/db/*.cvd

The .cvd files are unpacked the next time they are incrementally updated
after the initial download (hence the .inc)

Rick

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ka at pacific.net Fri Jul 20 22:23:28 2007
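The pattern problem discussed in this thread, as an added example (not part of any list message and not MailScanner's own code): it expands a "Monitors for ClamAV Updates" value against a constructed database directory in each of the two layouts described above, the packed .cvd files and the unpacked .inc directories. The helper names, the DBDIR placeholder and the file names inside the .inc directories are assumptions of this example, and counting regular files is a simplification of how the setting is evaluated.

```shell
#!/bin/sh
# Count the regular files matched by a "Monitors for ClamAV Updates" value.
# The value is a space-separated list of glob patterns, as in MailScanner.conf.
count_monitored() {
    patterns=$1
    count=0
    # Unquoted on purpose: the shell splits on spaces and expands each glob.
    for f in $patterns; do
        # A glob with no match stays as the literal pattern, so test the file.
        if [ -f "$f" ]; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Build a constructed ClamAV database directory in one of the two layouts
# from the thread: "cvd" (fresh main/daily download) or "inc" (unpacked for
# incremental updates). File names inside *.inc are illustrative only.
make_sample_dbdir() {
    layout=$1 dir=$2
    mkdir -p "$dir"
    case $layout in
        cvd) : > "$dir/main.cvd"; : > "$dir/daily.cvd" ;;
        inc) mkdir -p "$dir/main.inc" "$dir/daily.inc"
             : > "$dir/main.inc/main.db"; : > "$dir/main.inc/main.ndb"
             : > "$dir/daily.inc/daily.db" ;;
        *)   echo "unknown layout: $layout" >&2; return 1 ;;
    esac
}

# Check one setting against both layouts under $2 (expects $2/cvd and $2/inc).
# $1 is the setting with the literal token DBDIR standing for the database
# directory (a convention of this example). Returns 0 only if the setting
# matches at least one file in every layout.
check_setting() {
    template=$1 base=$2 status=0
    for layout in cvd inc; do
        dir=$base/$layout
        patterns=$(printf '%s' "$template" | sed "s|DBDIR|$dir|g")
        n=$(count_monitored "$patterns")
        printf '  %-3s layout: %s file(s) matched\n' "$layout" "$n"
        [ "$n" -gt 0 ] || status=1
    done
    return $status
}

demo() {
    base=$(mktemp -d) || return 1
    make_sample_dbdir cvd "$base/cvd"
    make_sample_dbdir inc "$base/inc"
    # The three values that appear in the thread, with the path abstracted.
    for setting in 'DBDIR/*.cvd' 'DBDIR/main.inc/*.db' 'DBDIR/*.inc/* DBDIR/*.cvd'; do
        echo "Monitors for ClamAV Updates = $setting"
        if check_setting "$setting" "$base"; then
            echo "  => still matches after a switch between layouts"
        else
            echo "  => matches nothing in at least one layout"
        fi
    done
    rm -rf "$base"
}

demo
```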
From: ka at pacific.net (Ken A)
Date: Fri Jul 20 22:23:31 2007
Subject: Mailscanner Gateway does not reject unknown users (more of asendmail question, I think) (Ken A)
In-Reply-To:
References: <200707201808.l6KI8AvU005639@safir.blacknight.ie>
Message-ID: <46A127D0.7070602@pacific.net>

Kevin Miller wrote:
> I've never used local-host-names (unless you mean /etc/hosts) but I do
> have entries in relay-domains to/for which I'll relay mail. Try adding
> your internal domains there...

or in access:
To:domain.tld RELAY

Both should get things going. And if you don't already have a way to
check for valid users, then use smf-sav or milter-ahead, unless you want
to list them ALL in your access list.

Ken

>
>
> ...Kevin
> --
> Kevin Miller Registered Linux User No: 307357
> CBJ MIS Dept. Network Systems Admin., Mail Admin.
> 155 South Seward Street ph: (907) 586-0242
> Juneau, Alaska 99801 fax: (907 586-4500
>
> ________________________________
> > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jeff > Ramsey > Sent: Friday, July 20, 2007 12:41 PM > To: mailscanner@lists.mailscanner.info > Subject: Re: Mailscanner Gateway does not reject unknown users (more of > asendmail question, I think) (Ken A) > > > > > On Jul 20, 2007, at 11:08 AM, mailscanner-request@lists.mailscanner.info > wrote: > > > > Jeff Ramsey wrote: > > I have read a few places on the net that claim this has > been well > covered, but I cannot seem to find a configuration that > works. > > It either forwards all nonspam email on to my internal > sendmail server, > or it rejects the unknown user messages but then does > not relay any > email onto the internal email server. > > If I list my domains in local-host-names, it does not > relay any more > email for those domains, period. If I don't list the > domains there, it > does not check incoming mail for a valid email address. > > Can anyone point me in the right direction? > > > mailertable > > domain.tld esmtp:[mailhub.otherdomain.tld] > > Ken > > > > I checked, and my mailertable is already populated just like you > suggest. Here is a copy of my mailertable: > > tubafor.com esmtp:[imap.tubafor.com] > imap.tubafor.com esmtp:[imap.tubafor.com] > smtpgw.tubafor.com esmtp:[imap.tubafor.com] > tmiforestproducts.com esmtp:[imap.tubafor.com] > tmiforestproducts.net esmtp:[imap.tubafor.com] > tmiforestproducts.org esmtp:[imap.tubafor.com] > tmiforestproducts.info esmtp:[imap.tubafor.com] > tmiforestproducts.biz esmtp:[imap.tubafor.com] > > --- END /etc/mail/mailertable --- > > > So I must have something else not set correctly. Just to clarify, should > I have my local-host-names populated as well as mailertable, or just > mailertable? I'll check out all other sendmail files and see if I can > come up with anything. Most Internet forums suggest to put each email > address in the access file with a RELAY status. 
I hope this is not the > only way to accomplish this task. I'd have about a thousand to enter. > > Thanks for the help. > > Jeff Ramsey > MIS Administrator > TMI Forest Products, Inc. > jefframsey@tubafor.com > 360.477.0738 > > > > > > -- Ken Anderson Pacific.Net From jscott at infoconex.com Fri Jul 20 22:26:09 2007 From: jscott at infoconex.com (Jim Scott) Date: Fri Jul 20 22:27:20 2007 Subject: Broken MailScanner if Using CLAM!!! References: <113A0DFC086C984AB9EFDF6B8614F075017D31B2@exchange03.CBOCS.com> Message-ID: <009c01c7cb14$9730a300$0569a8c0@COMP2> Message >cd /usr/local/share/clamav or 'locate main.ndb' >rm -rf * >freshclam I did the above and definitions downloaded and things to be working again. However I no longer have the .inc folders that once lived in /usr/local/share/clamav Should those have returned after running freshclam ? Jim From Carl.Andrews at crackerbarrel.com Fri Jul 20 22:46:50 2007 From: Carl.Andrews at crackerbarrel.com (Andrews Carl 455) Date: Fri Jul 20 22:46:59 2007 Subject: Broken MailScanner if Using CLAM!!! In-Reply-To: <200707202114.l6KLDvDC002069@smtpgw1.crackerbarrel.com> Message-ID: <113A0DFC086C984AB9EFDF6B8614F075017D31B3@exchange03.CBOCS.com> I have cron doing that (almost exactly) but it is every 4 hours :-< -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Hayes Sent: Friday, July 20, 2007 4:00 PM To: MailScanner discussion Subject: Re: Broken MailScanner if Using CLAM!!! Andrews Carl 455 wrote: > It appears that the clam definitions from noon are corrupt. I had to > remove mine and restart mailscanner. > > > cd /usr/local/share/clamav or 'locate main.ndb' > rm -rf * > freshclam > > > > I hope this helps if anyone else is having the same problem. > > > Thanks! > Carl > > > > Uhhh, just cron the update process with a script for every hour update.. then you don't have to do that. -Matt -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From rcooper at dwford.com Fri Jul 20 22:53:48 2007 From: rcooper at dwford.com (Rick Cooper) Date: Fri Jul 20 22:53:52 2007 Subject: Broken MailScanner if Using CLAM!!! In-Reply-To: <009c01c7cb14$9730a300$0569a8c0@COMP2> References: <113A0DFC086C984AB9EFDF6B8614F075017D31B2@exchange03.CBOCS.com> <009c01c7cb14$9730a300$0569a8c0@COMP2> Message-ID: <01e101c7cb18$7407f280$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Jim Scott > Sent: Friday, July 20, 2007 5:26 PM > To: MailScanner discussion > Subject: Re: Broken MailScanner if Using CLAM!!! > > Message > >cd /usr/local/share/clamav or 'locate main.ndb' > >rm -rf * > >freshclam > > I did the above and definitions downloaded and things to be > working again. > However I no longer have the .inc folders that once lived in > /usr/local/share/clamav > > Should those have returned after running freshclam ? > They will come back on the next *incremental* update and the correlating .cvd will disappear Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Carl.Andrews at crackerbarrel.com Fri Jul 20 22:56:08 2007 From: Carl.Andrews at crackerbarrel.com (Andrews Carl 455) Date: Fri Jul 20 22:56:12 2007 Subject: Broken MailScanner if Using CLAM!!! In-Reply-To: <200707202136.l6KLaVCq003839@smtpgw1.crackerbarrel.com> Message-ID: <113A0DFC086C984AB9EFDF6B8614F075017D31BA@exchange03.CBOCS.com> They will come back after future updates -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jim Scott Sent: Friday, July 20, 2007 4:26 PM To: MailScanner discussion Subject: Re: Broken MailScanner if Using CLAM!!! Message >cd /usr/local/share/clamav or 'locate main.ndb' >rm -rf * >freshclam I did the above and definitions downloaded and things to be working again. However I no longer have the .inc folders that once lived in /usr/local/share/clamav Should those have returned after running freshclam ? Jim From rpoe at plattesheriff.org Fri Jul 20 23:02:14 2007 From: rpoe at plattesheriff.org (Rob Poe) Date: Fri Jul 20 23:02:49 2007 Subject: broken clamav update? Message-ID: <46A0EA96020000A2000065D3@platteco-2.plattesheriff.org> Or a busy real estate law firm that's trying to do a closing ... >>> "Gottschalk, David" 07/20/07 2:24 PM >>> Yeah no kidding! I had no clue what was going on at first since I was making conf changes at the same time, and restarting MailScanner. Try stopping mail entirely for 30k+ users, ahhhhhhh! David Gottschalk -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Kercher Sent: Friday, July 20, 2007 3:18 PM To: MailScanner discussion Subject: RE: broken clamav update? Just keep an eye on it. It snuck up on me and bit me good! Mike -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A Sent: Friday, July 20, 2007 2:15 PM To: MailScanner discussion Subject: Re: broken clamav update? Mike Kercher wrote: > This was just the reason I needed to add f-prot to all of my boxen. > I'll add clamavmodule back after they get it fixed. Everything is fine here.. famous last words on a friday.. main.inc is up to date (version: 44, sigs: 133163, f-level: 20, builder: sven) daily.inc is up to date (version: 3708, sigs: 6165, f-level: 16, builder: ccordes) MailScanner is plugging along just fine, queues are moving along.. Freshclam runs okay. clamscan seems 'normal' speed ~1 sec or so. Ken -- Ken Anderson Pacific.Net From rpoe at plattesheriff.org Fri Jul 20 23:03:05 2007 From: rpoe at plattesheriff.org (Rob Poe) Date: Fri Jul 20 23:03:54 2007 Subject: MailScanner broken suddenly?!?! Message-ID: <46A0EAC9020000A2000065D6@platteco-2.plattesheriff.org> ClamAV 0.90.3/3709/Fri Jul 20 14:59:01 2007 >>> "Gottschalk, David" 07/20/07 2:26 PM >>> Yeah, maybe it was a combination of factors. I don't know. To anyone else who had the problem, what version of clamav are you running? David Gottschalk -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard Frovarp Sent: Friday, July 20, 2007 3:20 PM To: MailScanner discussion Subject: Re: MailScanner broken suddenly?!?! Even before the update, 0.90.x had a known issue with loading the signatures taking a very very long time. I don't know that you can blame that on any update here. I just ran a freshclam manually. I'm running the latest definitions as reported on clamav.net (44 and 3708). However, freshclam was not able to connect a minute ago, now it can. Restarting MailScanner was not an issue against clamav 0.91.0. What people might be seeing is the effect of the known issue in 0.90.x. It could have been a broken update, that made things even worse. In short, latest sigs with 0.91 is not an issue. Gottschalk, David wrote: > So a few things I've just learned (I think everyone else is broken that is using clamav and doesn't know it yet, that's why they aren't replying) I just happened to be working on my boxes and noticed. > > I realized that the reason MailScanner worked temporarily is because I disabled scanning all together on the box with problems. I did this so my one broken box (at the time) could catch up since it was backed up big time. > > Clamscan takes forever to scan messages now. > > sudo clamscan -v mailertable.new > Scanning mailertable.new > mailertable.new: OK > > ----------- SCAN SUMMARY ----------- > Known viruses: 139329 > Engine version: 0.90.3 > Scanned directories: 0 > Scanned files: 1 > Infected files: 0 > Data scanned: 0.00 MB > Time: 37.524 sec (0 m 37 s) > -sh-3.00$ du -sh mailertable.new > 12K mailertable.new > > All of my *.cvd directories in /usr/local/share/clamav are now gone. > > They are all renamed to *.inc at the time of the breakage. I think that could have been part of the problem, but I changed my config line in MailScanner, and that didn't resolve the hanging issue. 
> > David Gottschalk > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Gottschalk, David > Sent: Friday, July 20, 2007 2:41 PM > To: MailScanner discussion > Subject: RE: MailScanner broken suddenly?!?! > > > ClamAV 0.90.3/3707/Fri Jul 20 12:08:45 2007 > > I think this is a different problem though, because it happened all at once. The children were hanging for 20+ mins or more until I realized they were doing nothing but what that trace showed me. > > David Gottschalk > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Richard Frovarp > Sent: Friday, July 20, 2007 2:28 PM > To: MailScanner discussion > Subject: Re: MailScanner broken suddenly?!?! > > Gottschalk, David wrote: > >> I have 5 MailScanner machines. >> >> I had to do some configuration changes, so I restarted them. One of >> them now appears to be completely hosed. I've checked my >> configuration, and can't figure out what is going on. I don't see >> anything wrong at all. >> >> -sh-3.00$ sudo /usr/sbin/MailScanner --lint Checking version >> numbers... >> Version installed (4.60.8) does not match version stated in >> MailScanner.conf file (4.57.6), you may want to run >> upgrade_MailScanner_conf to ensure your MailScanner.conf file >> contains all the latest settings. >> >> Checking for SpamAssassin errors (if you use it)... >> Using SpamAssassin results cache >> Connected to SpamAssassin cache database SpamAssassin reported no >> errors. >> Using locktype = posix >> Creating hardcoded struct_flock subroutine for linux (Linux-type) >> MailScanner.conf says "Virus Scanners = auto" >> Found these virus scanners installed: bitdefender, clamavmodule >> >> Here is what is going on: >> >> 1. MailScanner starts, but just sits there does nothing: >> >> root 22553 1 0 13:58 ? 00:00:00 MailScanner: master >> waiting for children, sleeping >> root 22554 22553 70 13:58 ? 00:00:35 MailScanner: starting >> children >> root 22624 22553 69 13:58 ? 00:00:31 MailScanner: starting >> children >> root 22680 22553 67 13:58 ? 00:00:27 MailScanner: starting >> children >> root 22733 22553 73 13:58 ? 00:00:26 MailScanner: starting >> children >> root 22780 22553 44 13:58 ? 00:00:13 MailScanner: starting >> children >> root 22831 22553 42 13:58 ? 00:00:10 MailScanner: starting >> children >> root 22884 22553 47 13:58 ? 00:00:09 MailScanner: starting >> children >> root 22957 22553 44 13:59 ? 
00:00:07 MailScanner: starting >> children >> root 23005 22553 31 13:59 ? 00:00:03 MailScanner: starting >> children >> root 23054 22553 49 13:59 ? 00:00:02 MailScanner: starting >> children >> If I trace a childre process, here is what it is doing over and over: >> >> sudo strace -p 19920 >> Process 19920 attached - interrupt to quit read(12, >> "b560c3b9f08759aa3aa90:Trojan.Spy"..., 4096) = 4096 read(12, >> ":Trojan.Spy-3720\n353280:f604589b"..., 4096) = 4096 read(12, >> "55d8571268b7:Trojan.Clicker-133\n"..., 4096) = 4096 read(12, >> "5b7b476404e1ea6dc24d48e50bdfa:Tr"..., 4096) = 4096 read(12, >> "ba8f709e8b588009a34ee19ee1:Troja"..., 4096) = 4096 read(12, >> "d5:Trojan.Spy-3998\n284672:7801e5"..., 4096) = 4096 read(12, >> "6\n12288:6bfa649c48fc5982b231a2bb"..., 4096) = 4096 >> brk(0x4f23000) = 0x4f23000 >> read(12, "n.Spy-4128\n21504:3b072d4e76b7173"..., 4096) = 4096 >> read(12, "bbe4f7d647f109b5317dd8794715:Tro"..., 4096) = 4096 read(12, >> "n.Downloader-4997\n36864:bcc236c3"..., 4096) = 4096 read(12, >> "der-5167\n29696:f7d986ddcc013d8e0"..., 4096) = 4096 read(12, >> "f7e121997:Trojan.Downloader-5070"..., 4096) = 4096 read(12, >> ".Downloader-5107\n10240:efd91a6ea"..., 4096) = 4096 read(12, >> "ec7:Trojan.Downloader-4916\n2048:"..., 4096) = 4096 read(12, >> "nloader-5244\n4768:096cc4cd04d5cf"..., 4096) = 4096 read(12, >> ":Trojan.Bancos-3284\n271360:2bc5f"..., 4096) = 4096 read(12, >> "ncos-3342\n377344:04230b7482e189a"..., 4096) = 4096 read(12, >> "an.Spy-4204\n35840:4c8d2cbaf9ccaf"..., 4096) = 4096 read(12, >> "jan.Bancos-3492\n659968:49df0eba0"..., 4096) = 4096 read(12, >> "0:25f16f5f7ee84dee66f40f6c86e9b8"..., 4096) = 4096 read(12, >> "86:Trojan.Small-1634\n229888:3579"..., 4096) = 4096 read(12, >> "4d30b8cfcfe247337e424db964d816:T"..., 4096) = 4096 read(12, >> "576:3c44fb4c3e7a07aa1d49ce91c492"..., 4096) = 4096 read(12, >> "082cd8ac62e6878348b79:Trojan.Ban"..., 4096) = 4096 >> >> 2. 
Strangely enough, if I start just MailScanner it works fine (with >> sendmail not running) >> >> 3. If I start MailScanner with sendmail too, it will just hang there >> as described. If I stop it, the master process dies for MailScanner, >> but the children hang. >> >> 4. I did have this problem, but I resolved it quickly by changing the >> option in MailScanner.conf to look for *.inc files. >> >> Jul 20 13:28:37 mr1 MailScanner[9747]: None of the files matched by >> the "Monitors For ClamAV Updates" patterns exist! >> Jul 20 13:28:47 mr1 MailScanner[8644]: None of the files matched by >> the "Monitors For ClamAV Updates" patterns exist! >> >> Any ideas? I'm banging my head. >> >> David Gottschalk >> david.gottschalk@emory.edu >> >> > What version of ClamAV? 0.90 takes a very long time to load signatures. > I do have one box in which it was very quick. The other ones took at least 3 minutes to get up and going. Upgrading to 0.91 fixed that. 
> > -- Richard Frovarp EduTech System Administrator 1-701-231-5127 or 1-800-774-1091 From jediknight2 at gmail.com Fri Jul 20 23:55:49 2007 From: jediknight2 at gmail.com (Kevin Smith) Date: Fri Jul 20 23:55:52 2007 Subject: MailScanner just stopped Message-ID: <1f1627f60707201555u59bac16evdffa442526c3f7e2@mail.gmail.com> I have something really odd going on on my server right now. Today MailScanner just STOPPED...I have changed NOTHING in the last month. I can see MailScanner running if I type in top...at least four instances are running at 20% CPU....I know the system is taking mail because I ran a fetchmail and watched it connect and pull the message off of the server and disconnect. If I service MailScanner stop and then start sendmail...everything is fine.... Any suggestions? Where is the mail that it has grabbed? From mike at vesol.com Sat Jul 21 00:02:29 2007 
From: mike at vesol.com (Mike Kercher) Date: Sat Jul 21 00:10:21 2007 Subject: MailScanner just stopped In-Reply-To: <1f1627f60707201555u59bac16evdffa442526c3f7e2@mail.gmail.com> References: <1f1627f60707201555u59bac16evdffa442526c3f7e2@mail.gmail.com> Message-ID: <6115482898C59848B35DB9D491C9A28E04BA3B@srv1.home.middlefinger.net> Using ClamAV? Upgrade your clamav installation and see if you were affected by the same thing the list has been discussing today. Mike ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kevin Smith Sent: Friday, July 20, 2007 5:56 PM To: mailscanner@lists.mailscanner.info Subject: MailScanner just stopped I have something really odd going on on my server right now. Today MailScanner just STOPPED...I have changed NOTHING in the last month. I can see MailScanner running if I type in top...at least four instances are running at 20% CPU....I know the system is taking mail because I ran a fetchmail and watched it connect and pull the message off of the server and disconnect. If I service MailScanner stop and then start sendmail...everything is fine.... Any suggestions? Where is the mail that it has grabbed? From res at ausics.net Sat Jul 21 02:03:58 2007 
From: res at ausics.net (Res) Date: Sat Jul 21 02:04:09 2007 Subject: Request for comments In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B0F38@winchester.andrewscompanies.com> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr><1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F38@winchester.andrewscompanies.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message One thing some people have forgot, due to SA load and effect on real workhorse servers, some people do not and will not ever run SA, I still have 2 key servers that process 2200+ per minute, and SA just is not an option (unless they want to wait 3 days to get their mail) On Fri, 20 Jul 2007, Steven Andrews wrote: > I say do both. People didn't know how to use hammers until somebody > made them first. -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGoVt+sWhAmSIQh7MRAnnjAJ4m0e1fE2Uor5J5Y+88kxp5OpMCawCbBgKk GMX2cVJCQgdwpJYxwDTtlGU= =wYGq -----END PGP SIGNATURE----- From res at ausics.net Sat Jul 21 02:17:17 2007 
From: res at ausics.net (Res) Date: Sat Jul 21 02:17:26 2007 Subject: MailScanner broken suddenly?!?! In-Reply-To: References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3DB6@RDPEXCH2.Eu.Emory.Edu> <46A0FEC0.9090200@sendit.nodak.edu> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C1C3@RDPEXCH2.Eu.Emory.Edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message On Fri, 20 Jul 2007, Raymond Dijkxhoorn wrote: > Hi! > >> I think this is a different problem though, because it happened all at >> once. The children were hanging for 20+ mins or more until I realized they >> were doing nothing but what that trace showed me. > > There was a new main update out, and like last time, exactly same thing, this > breaks MailScanner. > > Look in the archive, after last update of the main clam files this exact same > thing also happened. Ok I admit I've missed most of this thread, but I don't see any of these errors on any box running clam with latest MS and latest stable Clamav # grep -i Monitors /var/log/mail/maillog # ~$ grep -i Monitors /var/log/qmail/* ~$ ..and so on.... -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGoV6dsWhAmSIQh7MRAjovAKCx7T/yzDtzxz1bJXaVGfvvzp8+iACghoic zrKyVKK0DzTx2bCN98L4+sQ= =c3Xt -----END PGP SIGNATURE----- From res at ausics.net Sat Jul 21 02:31:10 2007 
From: res at ausics.net (Res) Date: Sat Jul 21 02:31:19 2007 Subject: Mailscanner Gateway does not reject unknown users (more of a sendmail question, I think) (Ken A) In-Reply-To: References: <200707201808.l6KI8AvU005639@safir.blacknight.ie> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message On Fri, 20 Jul 2007, Jeff Ramsey wrote: > > tubafor.com esmtp:[imap.tubafor.com] > imap.tubafor.com esmtp:[imap.tubafor.com] FYI, you can cover sub domains by preceding the domain with a period, however you still need a non period entry as well, ie: tubafor.com esmtp:[imap.tubafor.com] .tubafor.com esmtp:[imap.tubafor.com] The latter is essentially user@*.tubafor.com, but SM's matching means user@tubafor.com is not seen in that match, which is why you need a non period entry as well. > So I must have something else not set correctly. Just to clarify, should I > have my local-host-names populated as well as mailertable, or just No, do not use local-host-names, a simple entry like this in access should be fine... To:tubafor.com RELAY -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGoWHesWhAmSIQh7MRAuWBAJ9U0eWgZpMyfqOJSvlUaL/FnHmBugCgioQR FSgaOC9yvvj8SsboPTRvHhs= =LIBe -----END PGP SIGNATURE----- From res at ausics.net Sat Jul 21 02:34:00 2007 
From: res at ausics.net (Res) Date: Sat Jul 21 02:34:10 2007 Subject: Broken MailScanner if Using CLAM!!! In-Reply-To: <113A0DFC086C984AB9EFDF6B8614F075017D31B2@exchange03.CBOCS.com> References: <113A0DFC086C984AB9EFDF6B8614F075017D31B2@exchange03.CBOCS.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message Why oh why do people need to flood the list for 5 different topics of the same thing, if they bothered to read the emails in the list, they'd see it's been flogged to death in past 12 hours. Basically, it's another reason you should stay current with all versions of what you run, if you don't there is no one else to blame but yourselves. On Fri, 20 Jul 2007, Andrews Carl 455 wrote: > It appears that the clam definitions from noon are corrupt. I had to > remove mine and restart mailscanner. -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGoWKIsWhAmSIQh7MRAvYuAJ9gs6shJJbe87ZCBWqVAzRBAGyrnQCfTlOH qK4Nsmwq/KyJoE8v2voIZT8= =3pRX -----END PGP SIGNATURE----- From raymond at prolocation.net Sat Jul 21 07:03:20 2007 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Sat Jul 21 07:03:23 2007 Subject: MailScanner just stopped In-Reply-To: <6115482898C59848B35DB9D491C9A28E04BA3B@srv1.home.middlefinger.net> References: <1f1627f60707201555u59bac16evdffa442526c3f7e2@mail.gmail.com> <6115482898C59848B35DB9D491C9A28E04BA3B@srv1.home.middlefinger.net> Message-ID: Hi! > Using ClamAV? Upgrade your clamav installation and see if you were > affected by the same thing the list has been discussing today. As explained, upgrading Clam will only temp fix his issues, so we will see the same postings in a few months. Please fix your config, THAT'S the issue. Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd Bye, Raymond. From ram at netcore.co.in Sat Jul 21 13:27:32 2007 
From: ram at netcore.co.in (ram) Date: Sat Jul 21 13:27:39 2007 Subject: Is there a SRS plugin available for MailScanner Message-ID: <1185020852.25982.64.camel@localhost.localdomain> My mailserver forwards mails for a lot of ids. I have been looking for SRS plugins for my postfix+MailScanner+cyrus server at the MTA level. Apparently there isn't any. I think the way Mailscanner works it should be trivially easy to rewrite the Mail-From in MessageBatch.pm. Has someone already written an SRS plugin? Thanks Ram From MailScanner at ecs.soton.ac.uk Sat Jul 21 17:00:46 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Jul 21 17:03:16 2007 Subject: Broken MailScanner if Using CLAM!!! In-Reply-To: <113A0DFC086C984AB9EFDF6B8614F075017D31B3@exchange03.CBOCS.com> References: <113A0DFC086C984AB9EFDF6B8614F075017D31B3@exchange03.CBOCS.com> Message-ID: <46A22DAE.5060002@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Linux RPM-based systems, the update_virus_scanners cron job will have been installed and will be updating all your virus scanners every hour any way. No need to add another cron job doing the same thing again. Andrews Carl 455 wrote: > I have cron doing that (almost exactly) but it is every 4 hours :-< > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt > Hayes > Sent: Friday, July 20, 2007 4:00 PM > To: MailScanner discussion > Subject: Re: Broken MailScanner if Using CLAM!!! > > > Andrews Carl 455 wrote: > >> It appears that the clam definitions from noon are corrupt. I had to >> remove mine and restart mailscanner. >> >> >> cd /usr/local/share/clamav or 'locate main.ndb' >> rm -rf * >> freshclam >> >> >> >> I hope this helps if anyone else is having the same problem. >> >> >> Thanks! >> Carl >> >> >> >> >> > > Uhhh, just cron the update process with a script for every hour update.. > > then you don't have to do that. > > -Matt > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGoi2vEfZZRxQVtlQRAqUcAJ4lNc946b1oj6IqdGOcoBzm3S1eUwCgjnOD GSv/T3Phwa4ChVJLvNEGF1A= =0Qi5 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Sat Jul 21 17:22:50 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Jul 21 17:26:19 2007 Subject: MailScanner just stopped In-Reply-To: References: <1f1627f60707201555u59bac16evdffa442526c3f7e2@mail.gmail.com> <6115482898C59848B35DB9D491C9A28E04BA3B@srv1.home.middlefinger.net> Message-ID: <46A232DA.3050209@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have just added a check in upgrade_MailScanner_conf so that it checks to see if the strings "inc" and "cvd" both appear in the "Monitors for clamav updates" setting. If they don't it shows you what your setting should look like, so that you can correct it. I can't force the correction to happen in case you have installed ClamAV somewhere other than /usr/local. I don't want to rely on your virus.scanners.conf to be correct, when you are half way through an upgrade. Hopefully, with time, this will appease the situation a bit. It will be in the next release. Jules. Raymond Dijkxhoorn wrote: > Hi! > >> Using ClamAV? Upgrade your clamav installation and see if you were >> affected by the same thing the list has been discussing today. > > As explained, upgrading Clam will only temp fix his issues, so we will > see the same postings in a few months. > > Please fix your config, THATS the issue. > > Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* > /usr/local/share/clamav/*.cvd > > Bye, > Raymond. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGojLbEfZZRxQVtlQRAizRAJ0ShLhR9qP8RE99gBefwtuPfysMmgCg7InM g2YD7vxl1ZXO5vTcd73FQl0= =AsNz -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From raymond at prolocation.net Sat Jul 21 18:46:10 2007 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Sat Jul 21 18:46:14 2007 Subject: MailScanner just stopped In-Reply-To: <46A232DA.3050209@ecs.soton.ac.uk> References: <1f1627f60707201555u59bac16evdffa442526c3f7e2@mail.gmail.com> <6115482898C59848B35DB9D491C9A28E04BA3B@srv1.home.middlefinger.net> <46A232DA.3050209@ecs.soton.ac.uk> Message-ID: Hi! > I have just added a check in upgrade_MailScanner_conf so that it checks > to see if the strings "inc" and "cvd" both appear in the "Monitors for > clamav updates" setting. If they don't it shows you what your setting > should look like, so that you can correct it. I can't force the > correction to happen in case you have installed ClamAV somewhere other > than /usr/local. I don't want to rely on your virus.scanners.conf to be > correct, when you are half way through an upgrade. > > Hopefully, with time, this will appease the situation a bit. > It will be in the next release. Thanks! I think this will at least point some people in the right direction. They have about 2-3 months now to fix this. Then the new main files will be pumped out ;) Bye, Raymond. From itdept at fractalweb.com Sat Jul 21 19:47:43 2007 
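The check discussed in the "MailScanner just stopped" thread above (does the "Monitors For ClamAV Updates" setting name both the `*.inc/*` and `*.cvd` layouts, and does anything on disk match it), as an added example that is not MailScanner's own code. The function names, return codes and case-insensitive key match are assumptions of this sketch, and pattern paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example, not part of MailScanner: sanity-check the
# "Monitors For ClamAV Updates" setting in a MailScanner.conf-style file.

# Print the value of the setting. Assumptions of this sketch: the key is
# matched case-insensitively, comment lines start with '#', and the last
# definition in the file wins.
monitor_patterns() {
    awk -F= '
        tolower($1) ~ /^[ \t]*monitors[ \t]+for[ \t]+clamav[ \t]+updates[ \t]*$/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop "key = "
            sub(/[ \t]+$/, "")         # drop trailing blanks
            value = $0
        }
        END { print value }' "$1"
}

# Return codes (chosen for this example):
#   0 = both layouts are listed and at least one monitored file exists
#   1 = the pattern list lacks "inc" or "cvd"
#   2 = none of the patterns matches an existing file
#   3 = the setting is not present in the file
check_monitor_setting() {
    patterns=$(monitor_patterns "$1")
    if [ -z "$patterns" ]; then
        echo "$1: setting not found"
        return 3
    fi
    case $patterns in
        *inc*cvd*|*cvd*inc*) ;;
        *)  echo "$1: should list both <dbdir>/*.inc/* and <dbdir>/*.cvd"
            return 1 ;;
    esac
    # Unquoted on purpose: the shell expands each glob here. A glob that
    # matches nothing stays literal and therefore fails the -e test.
    for candidate in $patterns; do
        if [ -e "$candidate" ]; then
            return 0
        fi
    done
    echo "$1: none of the monitored files exist"
    return 2
}

# Constructed demo: a database directory that only has the unpacked .inc
# layout, checked against a .cvd-only setting and a setting with both.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/clamav/main.inc"
    : > "$work/clamav/main.inc/main.ndb"
    printf 'Monitors For ClamAV Updates = %s/clamav/*.cvd\n' \
        "$work" > "$work/old.conf"
    printf 'Monitors For ClamAV Updates = %s/clamav/*.inc/* %s/clamav/*.cvd\n' \
        "$work" "$work" > "$work/new.conf"
    for conf in "$work/old.conf" "$work/new.conf"; do
        if check_monitor_setting "$conf"; then
            echo "$conf: OK"
        fi
    done
    rm -rf "$work"
}

demo
```

Run `check_monitor_setting /path/to/MailScanner.conf` after each ClamAV or MailScanner upgrade; a non-zero return means the update monitor would miss one of the two database layouts or is watching nothing at all.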
From: itdept at fractalweb.com (Chris Yuzik)
Date: Sat Jul 21 19:48:12 2007
Subject: OT: Sendmail weirdness
Message-ID: <46A254CF.3040100@fractalweb.com>

Sorry for posting a sendmail question here. I've asked on a forum and on usenet but haven't gotten a usable response yet, and the people on this list tend to have "guru status" at almost everything server related.

I recently discovered that our system (Centos 4.4, Sendmail, Procmail, etc.) is ignoring users' .forward files even though they seem to be correctly formatted. At first I thought it might be a permissions issue, as I remember reading that the permissions on the .forward file, or the dir or any parent subdirs it's contained in, must not be world writeable. The permissions are fine in all cases.

Further investigation points to the format of the user accounts, in that everyone's user account is in the format of "user@domain.tld" and apparently sendmail doesn't process a .forward file if there is an "@" in the account name.

The following seems to indicate that the .forward file is not even looked at.

#sendmail -d27.2 -bv testuser@testdomain.com
testuser@testdomain.com... deliverable: mailer local, user testuser\@testdomain.com

One person indicated that there is likely a directive or something to put in the sendmail.cf file to change this behaviour, but I have been unable to find anything. Searching for help on this is particularly tricky as Google seems to ignore the "@" or the "\" sign from searches.

Can anyone help?

From MailScanner at ecs.soton.ac.uk Sat Jul 21 21:19:30 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Jul 21 21:21:46 2007 Subject: OT: Sendmail weirdness In-Reply-To: <46A254CF.3040100@fractalweb.com> References: <46A254CF.3040100@fractalweb.com> Message-ID: <46A26A52.1060300@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Chris Yuzik wrote: > Sorry for posting a sendmail question here. I've asked on a forum and > on usenet but haven't gotten a usable response yet, and the people on > this list tend to have "guru status" at almost everything server related. > > I recently discovered that our system (Centos 4.4, Sendmail, Procmail, > etc.) is ignoring users' .forward files even though they seem to be > correctly formatted. At first I thought it might be a permissions > issue, as I remember reading that if the permissions on the .forward > file, or the dir or any parent subdirs its contained in must not be > world writeable. The permissions are fine in all cases. > > Further investigation points to the format of the user accounts, in > that everyone's user account is in the format of "user@domain.tld" and > apparently sendmail doesn't process a .forward file if there is an "@" > in the account name. So you have usernames in the passwd file that say "user@domain.tld"? How very odd. > > The following seems to indicate that the .forward file is not even > looked at. > > #sendmail -d27.2 -bv testuser@testdomain.com > testuser@testdomain.com... deliverable: mailer local, user > testuser\@testdomain.com How come your sendmail is resulting in a user that is not just "testuser"? Solve that, and everything will start to work. You must have something odd in your config to cause that to happen. How about you post us a few of the relevant lines from each of the text files in your /etc/mail directory (and your /etc/aliases). Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGompSEfZZRxQVtlQRAuyNAJ9JZSdqeS3Y6yHlY5Fob5SDewSzFwCfS+oS 48CrbBSpBoRBPa/E0Hbj+hQ= =4Inm -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From itdept at fractalweb.com Sat Jul 21 22:37:38 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Sat Jul 21 22:38:15 2007 Subject: OT: Sendmail weirdness In-Reply-To: <46A26A52.1060300@ecs.soton.ac.uk> References: <46A254CF.3040100@fractalweb.com> <46A26A52.1060300@ecs.soton.ac.uk> Message-ID: <46A27CA2.7090607@fractalweb.com> Julian Field wrote: > So you have usernames in the passwd file that say "user@domain.tld"? How > very odd. Jules, Right. I guess it was done this way to support multiple virtual domains. If we just had "jsmith" then wouldn't we have an issue if there was a "jsmith@domain1.com" and a different jsmith at "jsmith@domain2.com"? > How come your sendmail is resulting in a user that is not just > "testuser"? Solve that, and everything will start to work. You must have > something odd in your config to cause that to happen. How about you post > us a few of the relevant lines from each of the text files in your > /etc/mail directory (and your /etc/aliases). I'd happily zip the whole lot for you, but I'd rather not post them to the list. Am I okay to email you directly with that? Thanks, Chris From r.berber at computer.org Sat Jul 21 23:44:44 2007 
From: r.berber at computer.org (René Berber)
Date: Sat Jul 21 23:45:05 2007
Subject: OT: Sendmail weirdness
In-Reply-To: <46A27CA2.7090607@fractalweb.com>
References: <46A254CF.3040100@fractalweb.com> <46A26A52.1060300@ecs.soton.ac.uk> <46A27CA2.7090607@fractalweb.com>
Message-ID:

Chris Yuzik wrote:

> Julian Field wrote:
>> So you have usernames in the passwd file that say "user@domain.tld"?
>> How very odd.
>
> Jules,
>
> Right. I guess it was done this way to support multiple virtual domains.
> If we just had "jsmith" then wouldn't we have an issue if there was a
> "jsmith@domain1.com" and a different jsmith at "jsmith@domain2.com"?

The important part is not just the user's name, but what is defined as those users' home directory. If their home was correct sendmail would have no problem finding and using the .forward file.

Anyway, all the tools to hack sendmail into doing this are in cf/README, you probably want to read on stickyhost, and a few other options.

[snip]
--
René Berber

From stork at openenterprise.ca Sun Jul 22 00:00:57 2007
From: stork at openenterprise.ca (Johnny Stork)
Date: Sun Jul 22 00:01:08 2007
Subject: Relaying Mailscanner Mail Question
Message-ID: <46A29029.6070508@openenterprise.ca>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stork.vcf
Type: text/x-vcard
Size: 330 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070721/db67e087/stork.vcf

From hvdkooij at vanderkooij.org Sun Jul 22 08:18:03 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Jul 22 08:18:13 2007
Subject: Request for comments
In-Reply-To: <469FA26B.6050905@ecs.soton.ac.uk>
References: <469FA26B.6050905@ecs.soton.ac.uk>
Message-ID:

On Thu, 19 Jul 2007, Julian Field wrote:

> I am wondering if it would help if I added "Subject" to the list of
> things you could use in rulesets.
>
> Would it be useful?

It would have been 5-6 years ago with things like that VBS script rampaging the internet. (Love had nothing to do with it ;-)

Having the option might still be useful. But having a negative version might even be more useful. Some organisations have the need for a keyword in outbound email message to mark it as allowed outbound traffic. Something like a 'declassified' stamp.

> You would only be able to match against exact strings or regular
> expressions, and I'm not quite sure how I would parse it in the ruleset
> files. Exact strings would be in double-quotes, with '"' characters in
> the string doubled up as a means of escaping them. How I would find the
> end of a regular expression is another matter. I guess it would be
> surrounded with '/' characters, and I would look for the first '/' that
> wasn't preceded by a '\'.

If you are working with the \ as escape character I would recommend to use it in literal strings as well. So one would have a \" in the string itself and not a "".

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From hvdkooij at vanderkooij.org Sun Jul 22 09:20:31 2007
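The pattern syntax discussed in the message above (double-quoted exact strings, '/'-delimited regular expressions) can be tokenised as in the following Python sketch. It is an added example, not MailScanner code and not part of any post in this thread; the function names and the `escape` switch are assumptions, both escaping conventions from the thread are supported, and it goes slightly further by showing why consuming backslash pairs left to right is safer than looking for the first '/' not preceded by a '\'.

```python
import re


class PatternError(ValueError):
    """Raised when a pattern field is malformed or unterminated."""


def parse_quoted(text, pos, escape="doubled"):
    # Parse an exact string whose opening double quote is at text[pos].
    # escape="doubled":   two quotes in a row are one literal quote
    # escape="backslash": a backslash makes the next character literal
    # Returns (value, index just past the closing quote).
    out = []
    i, n = pos + 1, len(text)
    while i < n:
        c = text[i]
        if escape == "backslash" and c == "\\":
            if i + 1 >= n:
                raise PatternError("dangling backslash in string")
            out.append(text[i + 1])
            i += 2
        elif c == '"':
            if escape == "doubled" and i + 1 < n and text[i + 1] == '"':
                out.append('"')
                i += 2
            else:
                return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise PatternError("unterminated quoted string")


def parse_regex(text, pos):
    # Parse a regular expression whose opening '/' is at text[pos].
    # Every backslash consumes the character after it, so an escaped
    # backslash directly before the closing '/' still ends the pattern.
    # The body is returned raw (escapes intact) for the regex engine.
    i, n = pos + 1, len(text)
    while i < n:
        c = text[i]
        if c == "\\":
            if i + 1 >= n:
                raise PatternError("dangling backslash in regex")
            i += 2
        elif c == "/":
            return text[pos + 1:i], i + 1
        else:
            i += 1
    raise PatternError("unterminated regular expression")


def naive_regex_body(text, pos=0):
    # Comparison only: "first '/' that is not preceded by a backslash".
    m = re.search(r"(?<!\\)/", text[pos + 1:])
    return None if m is None else text[pos + 1:pos + 1 + m.start()]


def parse_pattern(text, pos=0, escape="doubled"):
    # Returns (kind, value, end) where kind is "string" or "regex" and
    # end is the index of the first character after the pattern.
    while pos < len(text) and text[pos].isspace():
        pos += 1
    if pos >= len(text):
        raise PatternError("empty pattern field")
    if text[pos] == '"':
        value, end = parse_quoted(text, pos, escape)
        return "string", value, end
    if text[pos] == "/":
        body, end = parse_regex(text, pos)
        return "regex", body, end
    raise PatternError("pattern must start with a double quote or '/'")


if __name__ == "__main__":
    # Constructed sample fields, not taken from any real ruleset.
    samples = [
        ('"say ""hi"" now" rest', "doubled"),
        (r'"say \"hi\" now" store', "backslash"),
        (r'/^Re: \[list\] a\/b/ deliver', "doubled"),
        (r'/\\/ or /spam/', "doubled"),
    ]
    for field, mode in samples:
        kind, value, end = parse_pattern(field, escape=mode)
        print(f"{field!r:34} -> {kind}: {value!r}, rest={field[end:]!r}")
    # The lookbehind shortcut runs past the real end of the last sample.
    print("naive body:", repr(naive_regex_body(r'/\\/ or /spam/')))
```
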
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Jul 22 09:20:43 2007
Subject: Request for comments
In-Reply-To: <46A0B523.20401@ecs.soton.ac.uk>
References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk>
Message-ID:

On Fri, 20 Jul 2007, Julian Field wrote:

> That would be easy to add. Would many people use it?
> It would just be an "Adjust SpamAssassin Score" configuration option.
>
> I'm still unconvinced that adding the Subject matching would actually get
> used by many people. Very few people have said "yes, I have a definite need
> and a use for it".

Well I may never use the rules on just the subject as far as I can tell now. But things might change rapidly.

I will most likely end up using a situation where I might play with rules based on SA keys as John suggested. I most definitely like that idea.

Having the ability to classify based on domain names is rather useful for me as I could lift the blacklist entry for hotmail.com in postfix and just add some penalty points to the message. Then family members with hotmail contacts will have to dig in the quarantine for those messages or whitelist the addresses themselves but it would free me of lots of other hotmail junk. (And they do indeed get sent through the hotmail servers.)

It beats having to drum up my own SA rules.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From hvdkooij at vanderkooij.org Sun Jul 22 09:28:51 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Jul 22 09:28:59 2007
Subject: Request for comments
In-Reply-To: <46A0EE98.8060103@evi-inc.com>
References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com><46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com><1964AAFBC212F742958F9275BF63DBB04B0F3A@winchester.andrewscompanies.com> <46A0E56D.6040301@evi-inc.com> <1964AAFBC212F742958F9275BF63DBB04B0F3C@winchester.andrewscompanies.com> <46A0EE98.8060103@evi-inc.com>
Message-ID:

On Fri, 20 Jul 2007, Matt Kettler wrote:

> Steven Andrews wrote:
>> Why not? I know specious argument, but this would work well so you
>> could apply a penalty or a credit to a certain domain.
>>
>> Blackberry devices are just an example, they always trigger certain
>> rules that push their scores up. Are they going to change that fact?
>> Nope. Do I want to lower the value of those rules? Nope. They catch
>> other traffic. Do I want to whitelist blackberries entirely...no way.
>> If I had a mechanism to punish or credit a certain domain, that would
>> allow such a situation where I can keep rules intact but adjust the
>> spamminess of a domain.
>
> My question is why not do this in SpamAssassin directly. ie: what value is there
> in adding this feature to MailScanner.
>
> If you're just doing score adjustments, a simple SpamAssassin rule has by FAR
> more power and flexibility, and isn't difficult.

But SA rules are inherently more complex. To be honest. Unless I really, really, really need them. I leave the SA rules alone. So having the option to do this in MailScanner makes for a much simpler configuration.

It will not prevent you or anyone else from using SA to do the job. But it will offer a new way to configure things for those that need them.

So I am 230% in favor of adding them if Jules feels like it.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From hvdkooij at vanderkooij.org Sun Jul 22 09:40:53 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Jul 22 09:41:02 2007
Subject: broken clamav update?
In-Reply-To: <013f01c7caff$a22121a0$0b01010a@DGPTBH91>
References: <013f01c7caff$a22121a0$0b01010a@DGPTBH91>
Message-ID:

On Fri, 20 Jul 2007, Bryan Guest wrote:

> Is anyone else seeing MailScanner fail to process messages from what appears
> to be a botched ClamAV update?
>
> One of my blades got hosed sometime after 13:00 EST (gmt -05:00).
>
> Any assistance in clearing this up would be greatly appreciated.

There is also a tiny BZIP2 file out there that explodes to MBs++ on disk. I have a sample in the collection and ClamAV is not having much fun with it.

So if I were to send a batch of them to anyone running ClamAV in their AV setup it might explain the problem as well.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From ja at conviator.com Sun Jul 22 10:19:53 2007
From: ja at conviator.com (Jan Agermose)
Date: Sun Jul 22 10:20:31 2007
Subject: pdf spam turned into excel spam
Message-ID: <6B59FCF2EFD0334A8147A1BB463F111E02A03061@mail-17ps.atlarge.net>

Hi

I've noticed that what we have seen the last week as PDF spam is now getting sent as excel files with spam. I'm using this PDFInfo plugin and it works perfect - does anyone know if there is work on an excel plugin? Or has anyone written any other rules to counter this?

Best regards
Jan

From hvdkooij at vanderkooij.org Sun Jul 22 11:31:02 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Jul 22 11:31:12 2007
Subject: Spam amplifier found
Message-ID:

Hi,

Be aware of this SPAM amplifier. They send this text along in their messages:

Spam detection software, running on the system "mail1.mx.core.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details.

At least you now know that you may want to take preemptive measures to stop this. Perhaps someone might want to write a SA rule for this.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From MailScanner at ecs.soton.ac.uk Sun Jul 22 14:29:24 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jul 22 14:31:46 2007 Subject: Request for comments In-Reply-To: <46A0C747.7000103@evi-inc.com> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com> Message-ID: <46A35BB4.6020503@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Matt Kettler wrote: > Julian Field wrote: > >> That would be easy to add. Would many people use it? >> It would just be an "Adjust SpamAssassin Score" configuration option. >> > > I don't think that would be useful Julian. If they wanted to adjust the SA > score, that's easy to do in SA. It's also not what Steven was suggesting, at > least as far as I can tell. > I agree with you here. Adding an SA rule to tweak the score based on simple things like the sender address is pretty easy to do. If you don't know how to do it, then read 'man Mail::SpamAssassin::Conf' will tell you most of what you need to do, and a quick look for an envelope rule in /usr/share/spamassassin will give you plenty of examples. I don't want to waste time and resources on things that SA already does perfectly well. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGo1u1EfZZRxQVtlQRAjWJAKDD47Iua21R44f4AQZzU3n61+4qpACgtCDW 6SheO68dM0p1damsaYmXlR4= =wkiV -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Sun Jul 22 16:13:34 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 22 16:15:55 2007
Subject: Request for comments 3
In-Reply-To: <46A35BB4.6020503@ecs.soton.ac.uk>
References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com> <46A35BB4.6020503@ecs.soton.ac.uk>
Message-ID: <46A3741E.8060901@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

How about this instead?

SpamAssassin Rule Actions = rulename=>action, rulename=>action, ....

the "rulename"s are the names of individual SpamAssassin rules, and the "action"s are list those in "Spam Actions". To specify multiple actions for a rule, you specify the rulename several times, with one action for each. Expressions with SpamAssassin rules are done with SpamAssassin meta-rules. If the rule hits, the action is taken.

I'll write a few examples of meta-rules so you can see how to write them in spam.assassin.rules.conf or wherever they need to go. Mr Kettler, can you correct me on this please?

Does this sound more useful than the previous suggestions?

Jules.

Julian Field wrote:
> * PGP Signed: 07/22/07 at 14:29:25
>
>
>
> Matt Kettler wrote:
>> Julian Field wrote:
>>
>>> That would be easy to add. Would many people use it?
>>> It would just be an "Adjust SpamAssassin Score" configuration option.
>>>
>>
>> I don't think that would be useful Julian. If they wanted to adjust
>> the SA
>> score, that's easy to do in SA. It's also not what Steven was
>> suggesting, at
>> least as far as I can tell.
>>
> I agree with you here. Adding an SA rule to tweak the score based on
> simple things like the sender address is pretty easy to do. If you
> don't know how to do it, then read 'man Mail::SpamAssassin::Conf' will
> tell you most of what you need to do, and a quick look for an envelope
> rule in /usr/share/spamassassin will give you plenty of examples.
>
> I don't want to waste time and resources on things that SA already
> does perfectly well.
>
> Jules
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGo3QfEfZZRxQVtlQRAlCqAJ0fUcawziS5LPz5YEks3Xw5eAXC6ACg8CiS
TEOzklMWLmOzCUUsj/n9lOo=
=YOSl
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From ms-list at alexb.ch Sun Jul 22 16:29:23 2007
From: ms-list at alexb.ch (Alex Broens) Date: Sun Jul 22 16:29:35 2007 Subject: Request for comments 3 In-Reply-To: <46A3741E.8060901@ecs.soton.ac.uk> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com> <46A35BB4.6020503@ecs.soton.ac.uk> <46A3741E.8060901@ecs.soton.ac.uk> Message-ID: <46A377D3.5060103@alexb.ch> On 7/22/2007 5:13 PM, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > How about this instead? > > SpamAssassin Rule Actions = rulename=>action, rulename=>action, .... > > the "rulename"s are the names of individual SpamAssassin rules, and the > "action"s are list those in "Spam Actions". To specify multiple actions > for a rule, you specify the rulename several times, with one action for > each. Expressions with SpamAssassin rules are done with SpamAssassin > meta-rules. If the rule hits, the action is taken. Yeah. sounds real nice! > I'll write a few examples of meta-rules so you can see how to write them > in spam.assassin.rules.conf or wherever they need to go. Mr Kettler, can > you correct me on this please? may I suggest the name: sa.actions.rules.conf? so is not mistaken with pure SA rules. > Does this sound more useful than the previous suggestions? I see this as the "gateway-procmail" - very powerful thanks Alex From uxbod at splatnix.net Sun Jul 22 16:45:43 2007 
From: uxbod at splatnix.net (UxBoD) Date: Sun Jul 22 16:44:44 2007 Subject: Request for comments 3 In-Reply-To: <46A3741E.8060901@ecs.soton.ac.uk> Message-ID: <14492623.31185119143966.JavaMail.root@office.splatnix.net> That sounds pretty cool Jules. Would these rules take priority over the SA rules ? So that based on a particular rule you could say quarantine straight away without any further processing ? --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- 
From: "Julian Field" To: "MailScanner discussion" Sent: 22 July 2007 16:13:34 o'clock (GMT) Europe/London Subject: Re: Request for comments 3 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 How about this instead? SpamAssassin Rule Actions = rulename=>action, rulename=>action, .... the "rulename"s are the names of individual SpamAssassin rules, and the "action"s are list those in "Spam Actions". To specify multiple actions for a rule, you specify the rulename several times, with one action for each. Expressions with SpamAssassin rules are done with SpamAssassin meta-rules. If the rule hits, the action is taken. I'll write a few examples of meta-rules so you can see how to write them in spam.assassin.rules.conf or wherever they need to go. Mr Kettler, can you correct me on this please? Does this sound more useful than the previous suggestions? Jules. Julian Field wrote: > * PGP Signed: 07/22/07 at 14:29:25 > > > > Matt Kettler wrote: >> Julian Field wrote: >> >>> That would be easy to add. Would many people use it? >>> It would just be an "Adjust SpamAssassin Score" configuration option. >>> >> >> I don't think that would be useful Julian. If they wanted to adjust >> the SA >> score, that's easy to do in SA. It's also not what Steven was >> suggesting, at >> least as far as I can tell. >> > I agree with you here. Adding an SA rule to tweak the score based on > simple things like the sender address is pretty easy to do. If you > don't know how to do it, then read 'man Mail::SpamAssassin::Conf' will > tell you most of what you need to do, and a quick look for an envelope > rule in /usr/share/spamassassin will give you plenty of examples. > > I don't want to waste time and resources on things that SA already > does perfectly well. > > Jules > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGo3QfEfZZRxQVtlQRAlCqAJ0fUcawziS5LPz5YEks3Xw5eAXC6ACg8CiS TEOzklMWLmOzCUUsj/n9lOo= =YOSl -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sun Jul 22 17:06:11 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jul 22 17:08:33 2007 Subject: Request for comments 3 In-Reply-To: <46A377D3.5060103@alexb.ch> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com> <46A35BB4.6020503@ecs.soton.ac.uk> <46A3741E.8060901@ecs.soton.ac.uk> <46A377D3.5060103@alexb.ch> Message-ID: <46A38073.50200@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Broens wrote: > On 7/22/2007 5:13 PM, Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> How about this instead? >> >> SpamAssassin Rule Actions = rulename=>action, rulename=>action, .... >> >> the "rulename"s are the names of individual SpamAssassin rules, and >> the "action"s are list those in "Spam Actions". To specify multiple >> actions for a rule, you specify the rulename several times, with one >> action for each. Expressions with SpamAssassin rules are done with >> SpamAssassin meta-rules. If the rule hits, the action is taken. > > Yeah. sounds real nice! > >> I'll write a few examples of meta-rules so you can see how to write >> them in spam.assassin.rules.conf or wherever they need to go. Mr >> Kettler, can you correct me on this please? > > may I suggest the name: > > sa.actions.rules.conf? Why would it need a conf file of its own? I see it just as a (potentially quite long) list of rulenames and actions to take. Or are you thinking of a conf file that looks like rulename list-of-actions rulename list-of-actions .... I'm not in favour of a separate conf file, it looks a bit over the top. > > so is not mistaken with pure SA rules. > >> Does this sound more useful than the previous suggestions? 
> > I see this as the "gateway-procmail" - very powerful > > thanks > > Alex > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGo4B0EfZZRxQVtlQRApJgAJ9xGGjXpsM0YeRniIs8dYh1thYytQCg3o3b n5oqUqM4XnBMmz9p8gaAR8k= =nsOn -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From ms-list at alexb.ch Sun Jul 22 17:09:52 2007 From: ms-list at alexb.ch (Alex Broens) Date: Sun Jul 22 17:09:58 2007 Subject: Request for comments 3 In-Reply-To: <14492623.31185119143966.JavaMail.root@office.splatnix.net> References: <14492623.31185119143966.JavaMail.root@office.splatnix.net> Message-ID: <46A38150.70200@alexb.ch> On 7/22/2007 5:45 PM, UxBoD wrote: > That sounds pretty cool Jules. Would these rules take priority over the SA rules ? So that based on a particular rule you could say quarantine straight away without any further processing ? Wouldn't that require a shortcircuited SA rule? I can imagine MS will have to wait till SA spits out its results before it can find the SA hit to apply its rule. > --[ UxBoD ]-- > // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B > // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B > // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net > > ----- Original Message ----- 
> From: "Julian Field" > To: "MailScanner discussion" > Sent: 22 July 2007 16:13:34 o'clock (GMT) Europe/London > Subject: Re: Request for comments 3 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > How about this instead? > > SpamAssassin Rule Actions = rulename=>action, rulename=>action, .... > > the "rulename"s are the names of individual SpamAssassin rules, and the > "action"s are list those in "Spam Actions". To specify multiple actions > for a rule, you specify the rulename several times, with one action for > each. Expressions with SpamAssassin rules are done with SpamAssassin > meta-rules. If the rule hits, the action is taken. > > I'll write a few examples of meta-rules so you can see how to write them > in spam.assassin.rules.conf or wherever they need to go. Mr Kettler, can > you correct me on this please? > > Does this sound more useful than the previous suggestions? > > Jules. > > Julian Field wrote: >> * PGP Signed: 07/22/07 at 14:29:25 >> >> >> >> Matt Kettler wrote: >>> Julian Field wrote: >>> >>>> That would be easy to add. Would many people use it? >>>> It would just be an "Adjust SpamAssassin Score" configuration option. >>>> >>> I don't think that would be useful Julian. If they wanted to adjust >>> the SA >>> score, that's easy to do in SA. It's also not what Steven was >>> suggesting, at >>> least as far as I can tell. >>> >> I agree with you here. Adding an SA rule to tweak the score based on >> simple things like the sender address is pretty easy to do. If you >> don't know how to do it, then read 'man Mail::SpamAssassin::Conf' will >> tell you most of what you need to do, and a quick look for an envelope >> rule in /usr/share/spamassassin will give you plenty of examples. >> >> I don't want to waste time and resources on things that SA already >> does perfectly well. 
>> >> Jules >> > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > Charset: ISO-8859-1 > > wj8DBQFGo3QfEfZZRxQVtlQRAlCqAJ0fUcawziS5LPz5YEks3Xw5eAXC6ACg8CiS > TEOzklMWLmOzCUUsj/n9lOo= > =YOSl > -----END PGP SIGNATURE----- > From MailScanner at ecs.soton.ac.uk Sun Jul 22 17:07:41 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jul 22 17:10:01 2007 Subject: Request for comments 3 In-Reply-To: <14492623.31185119143966.JavaMail.root@office.splatnix.net> References: <14492623.31185119143966.JavaMail.root@office.splatnix.net> Message-ID: <46A380CD.7090704@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 UxBoD wrote: > That sounds pretty cool Jules. Would these rules take priority over the SA rules ? ? The rules referred to in this setting would be SA rules. It would use the results of the call to SA to get the list of "hits" that this setting would use. > So that based on a particular rule you could say quarantine straight away without any further processing ? > > --[ UxBoD ]-- > // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B > // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B > // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net > > ----- Original Message ----- 
> From: "Julian Field" > To: "MailScanner discussion" > Sent: 22 July 2007 16:13:34 o'clock (GMT) Europe/London > Subject: Re: Request for comments 3 > > > * PGP Signed by an unmatched address: 07/22/07 at 16:13:35 > > How about this instead? > > SpamAssassin Rule Actions = rulename=>action, rulename=>action, .... > > the "rulename"s are the names of individual SpamAssassin rules, and the > "action"s are list those in "Spam Actions". To specify multiple actions > for a rule, you specify the rulename several times, with one action for > each. Expressions with SpamAssassin rules are done with SpamAssassin > meta-rules. If the rule hits, the action is taken. > > I'll write a few examples of meta-rules so you can see how to write them > in spam.assassin.rules.conf or wherever they need to go. Mr Kettler, can > you correct me on this please? > > Does this sound more useful than the previous suggestions? > > Jules. > > Julian Field wrote: > >>> Old Signed: 07/22/07 at 14:29:25 >>> >> >> Matt Kettler wrote: >> >>> Julian Field wrote: >>> >>> >>>> That would be easy to add. Would many people use it? >>>> It would just be an "Adjust SpamAssassin Score" configuration option. >>>> >>>> >>> I don't think that would be useful Julian. If they wanted to adjust >>> the SA >>> score, that's easy to do in SA. It's also not what Steven was >>> suggesting, at >>> least as far as I can tell. >>> >>> >> I agree with you here. Adding an SA rule to tweak the score based on >> simple things like the sender address is pretty easy to do. If you >> don't know how to do it, then read 'man Mail::SpamAssassin::Conf' will >> tell you most of what you need to do, and a quick look for an envelope >> rule in /usr/share/spamassassin will give you plenty of examples. >> >> I don't want to waste time and resources on things that SA already >> does perfectly well. 
>>
>> Jules
>>
>>
>
> Jules
>
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: UTF-8

wj8DBQFGo4DOEfZZRxQVtlQRAp8nAJ0YQ3H1EioSB7HNqB45uLtncxQrmACg69KI
RospUHOXalVwP04dto26Pf4=
=Saw6
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From uxbod at splatnix.net Sun Jul 22 17:13:29 2007
From: uxbod at splatnix.net (UxBoD)
Date: Sun Jul 22 17:12:35 2007
Subject: Request for comments 3
In-Reply-To: <46A38073.50200@ecs.soton.ac.uk>
Message-ID: <20935029.61185120809383.JavaMail.root@office.splatnix.net>

depends on how many rules people create Jules. If a lot then you may hit a limit within MailScanner.conf for a single line to parse. DBM or SQLquery would be great for this ;) (hint,hint)

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: 22 July 2007 17:06:11 o'clock (GMT) Europe/London
Subject: Re: Request for comments 3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex Broens wrote:
> On 7/22/2007 5:13 PM, Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> How about this instead?
>>
>> SpamAssassin Rule Actions = rulename=>action, rulename=>action, ....
>>
>> the "rulename"s are the names of individual SpamAssassin rules, and
>> the "action"s are list those in "Spam Actions". To specify multiple
>> actions for a rule, you specify the rulename several times, with one
>> action for each. Expressions with SpamAssassin rules are done with
>> SpamAssassin meta-rules. If the rule hits, the action is taken.
>
> Yeah. sounds real nice!
>
>> I'll write a few examples of meta-rules so you can see how to write
>> them in spam.assassin.rules.conf or wherever they need to go. Mr
>> Kettler, can you correct me on this please?
>
> may I suggest the name:
>
> sa.actions.rules.conf?

Why would it need a conf file of its own? I see it just as a
(potentially quite long) list of rulenames and actions to take.
Or are you thinking of a conf file that looks like
rulename list-of-actions
rulename list-of-actions
....
I'm not in favour of a separate conf file, it looks a bit over the top.

>
> so is not mistaken with pure SA rules.
>
>> Does this sound more useful than the previous suggestions?
>
> I see this as the "gateway-procmail" - very powerful
>
> thanks
>
> Alex
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGo4B0EfZZRxQVtlQRApJgAJ9xGGjXpsM0YeRniIs8dYh1thYytQCg3o3b n5oqUqM4XnBMmz9p8gaAR8k= =nsOn -----END PGP SIGNATURE----- From ms-list at alexb.ch Sun Jul 22 17:21:04 2007
From: ms-list at alexb.ch (Alex Broens) Date: Sun Jul 22 17:21:21 2007 Subject: Request for comments 3 In-Reply-To: <46A38073.50200@ecs.soton.ac.uk> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com> <46A35BB4.6020503@ecs.soton.ac.uk> <46A3741E.8060901@ecs.soton.ac.uk> <46A377D3.5060103@alexb.ch> <46A38073.50200@ecs.soton.ac.uk> Message-ID: <46A383F0.5090204@alexb.ch> On 7/22/2007 6:06 PM, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Alex Broens wrote: >> On 7/22/2007 5:13 PM, Julian Field wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> How about this instead? >>> >>> SpamAssassin Rule Actions = rulename=>action, rulename=>action, .... >>> >>> the "rulename"s are the names of individual SpamAssassin rules, and >>> the "action"s are list those in "Spam Actions". To specify multiple >>> actions for a rule, you specify the rulename several times, with one >>> action for each. Expressions with SpamAssassin rules are done with >>> SpamAssassin meta-rules. If the rule hits, the action is taken. >> Yeah. sounds real nice! >> >>> I'll write a few examples of meta-rules so you can see how to write >>> them in spam.assassin.rules.conf or wherever they need to go. Mr >>> Kettler, can you correct me on this please? >> may I suggest the name: >> >> sa.actions.rules.conf? > Why would it need a conf file of its own? I see it just as a > (potentially quite long) list of rulenames and actions to take. > Or are you thinking of a conf file that looks like > rulename list-of-actions > rulename list-of-actions > .... > I'm not in favour of a separate conf file, it looks a bit over the top. let me see if I got it right. 

(cheap example)

should be all in one line:

AXB_RCVD_ZOOBSEND To:blah1@domain.tld DELETE|QUARANTINE|FORWARD: blah22domain.tld

AXB_RCVD_ZOOBSEND From:blah3@domain.tld DELETE|QUARANTINE|FORWARD|REDIRECT: blah33domain.tld

(one action option per rule)

I see a lot of potential uses for FORWARD/REDIRECT actions.

Alex

From ms-list at alexb.ch Sun Jul 22 17:23:40 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Sun Jul 22 17:23:48 2007
Subject: Request for comments 3
In-Reply-To: <20935029.61185120809383.JavaMail.root@office.splatnix.net>
References: <20935029.61185120809383.JavaMail.root@office.splatnix.net>
Message-ID: <46A3848C.1050409@alexb.ch>

On 7/22/2007 6:13 PM, UxBoD wrote:
> depends on how many rules people create Jules. If a lot then you may hit a limit within MailScanner.conf for a single line to parse. DBM or SQLquery would be great for this ;) (hint,hint)

Nice one UxBoD!! SQL(lite/mysql) AND DBM :-))) yessss pleeeeeeeezzzzzeeee

imo this feature should be linked to a separate custom function and not hardcoded into MS.

> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
>
> ----- Original Message -----
> From: "Julian Field" > To: "MailScanner discussion" > Sent: 22 July 2007 17:06:11 o'clock (GMT) Europe/London > Subject: Re: Request for comments 3 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Alex Broens wrote: >> On 7/22/2007 5:13 PM, Julian Field wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> How about this instead? >>> >>> SpamAssassin Rule Actions = rulename=>action, rulename=>action, .... >>> >>> the "rulename"s are the names of individual SpamAssassin rules, and >>> the "action"s are list those in "Spam Actions". To specify multiple >>> actions for a rule, you specify the rulename several times, with one >>> action for each. Expressions with SpamAssassin rules are done with >>> SpamAssassin meta-rules. If the rule hits, the action is taken. >> Yeah. sounds real nice! >> >>> I'll write a few examples of meta-rules so you can see how to write >>> them in spam.assassin.rules.conf or wherever they need to go. Mr >>> Kettler, can you correct me on this please? >> may I suggest the name: >> >> sa.actions.rules.conf? > Why would it need a conf file of its own? I see it just as a > (potentially quite long) list of rulenames and actions to take. > Or are you thinking of a conf file that looks like > rulename list-of-actions > rulename list-of-actions > .... > I'm not in favour of a separate conf file, it looks a bit over the top. > >> so is not mistaken with pure SA rules. >> >>> Does this sound more useful than the previous suggestions? >> I see this as the "gateway-procmail" - very powerful >> >> thanks >> >> Alex >> > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? 
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.6.2 (Build 2014)
> Charset: ISO-8859-1
>
> wj8DBQFGo4B0EfZZRxQVtlQRApJgAJ9xGGjXpsM0YeRniIs8dYh1thYytQCg3o3b
> n5oqUqM4XnBMmz9p8gaAR8k=
> =nsOn
> -----END PGP SIGNATURE-----
>

From MailScanner at ecs.soton.ac.uk Sun Jul 22 17:32:49 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 22 17:35:09 2007
Subject: Request for comments 3
In-Reply-To: <46A38150.70200@alexb.ch>
References: <14492623.31185119143966.JavaMail.root@office.splatnix.net> <46A38150.70200@alexb.ch>
Message-ID: <46A386B1.7070604@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex Broens wrote:
> On 7/22/2007 5:45 PM, UxBoD wrote:
>> That sounds pretty cool Jules. Would these rules take priority over
>> the SA rules ? So that based on a particular rule you could say
>> quarantine straight away without any further processing ?
>
> Wouldn't that require a shortcircuited SA rule?
>
> I can imagine MS will have to wait till SA spits out its results
> before it can find the SA hit to apply its rule.

Correct. I would have to wait for SA to complete before I get given the list of hits. So it can't be used to speed things up, but I figured it might be useful to make the processing more adaptable.

>
>
>
>> --[ UxBoD ]--
>> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
>> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
>> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
>> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
>>
>> ----- Original Message -----
>> From: "Julian Field" >> To: "MailScanner discussion" >> Sent: 22 July 2007 16:13:34 o'clock (GMT) Europe/London >> Subject: Re: Request for comments 3 >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> How about this instead? >> >> SpamAssassin Rule Actions = rulename=>action, rulename=>action, .... >> >> the "rulename"s are the names of individual SpamAssassin rules, and >> the "action"s are list those in "Spam Actions". To specify multiple >> actions for a rule, you specify the rulename several times, with one >> action for each. Expressions with SpamAssassin rules are done with >> SpamAssassin meta-rules. If the rule hits, the action is taken. >> >> I'll write a few examples of meta-rules so you can see how to write >> them in spam.assassin.rules.conf or wherever they need to go. Mr >> Kettler, can you correct me on this please? >> >> Does this sound more useful than the previous suggestions? >> >> Jules. >> >> Julian Field wrote: >>> * PGP Signed: 07/22/07 at 14:29:25 >>> >>> >>> >>> Matt Kettler wrote: >>>> Julian Field wrote: >>>> >>>>> That would be easy to add. Would many people use it? >>>>> It would just be an "Adjust SpamAssassin Score" configuration option. >>>>> >>>> I don't think that would be useful Julian. If they wanted to adjust >>>> the SA >>>> score, that's easy to do in SA. It's also not what Steven was >>>> suggesting, at >>>> least as far as I can tell. >>>> >>> I agree with you here. Adding an SA rule to tweak the score based on >>> simple things like the sender address is pretty easy to do. If you >>> don't know how to do it, then read 'man Mail::SpamAssassin::Conf' >>> will tell you most of what you need to do, and a quick look for an >>> envelope rule in /usr/share/spamassassin will give you plenty of >>> examples. >>> >>> I don't want to waste time and resources on things that SA already >>> does perfectly well. 
>>> >>> Jules >>> >> >> Jules >> >> - -- Julian Field MEng CITP >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> MailScanner customisation, or any advanced system administration help? >> Contact me at Jules@Jules.FM >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> For all your IT requirements visit www.transtec.co.uk >> >> >> -----BEGIN PGP SIGNATURE----- >> Version: PGP Desktop 9.6.2 (Build 2014) >> Charset: ISO-8859-1 >> >> wj8DBQFGo3QfEfZZRxQVtlQRAlCqAJ0fUcawziS5LPz5YEks3Xw5eAXC6ACg8CiS >> TEOzklMWLmOzCUUsj/n9lOo= >> =YOSl >> -----END PGP SIGNATURE----- >> > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGo4ayEfZZRxQVtlQRAv3dAKDIvj78or88HOkYVggsgMNKPgvshACeONoo 9iuATgaXrhvqP5u0t4kR2S8= =4Uyq -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Sun Jul 22 17:34:13 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 22 17:36:33 2007
Subject: Request for comments 3
In-Reply-To: <20935029.61185120809383.JavaMail.root@office.splatnix.net>
References: <20935029.61185120809383.JavaMail.root@office.splatnix.net>
Message-ID: <46A38705.2030208@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

UxBoD wrote:
> depends on how many rules people create Jules. If a lot then you may hit a limit within MailScanner.conf for a single line to parse.

There aren't any limits on the length of the lines.

> DBM or SQLquery would be great for this ;) (hint,hint)
>

You can do this already with LDAP. The structure of the LDAP tree has been posted to this list before (a long time ago).

> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
>
> ----- Original Message -----
> From: "Julian Field" > To: "MailScanner discussion" > Sent: 22 July 2007 17:06:11 o'clock (GMT) Europe/London > Subject: Re: Request for comments 3 > > > * PGP Signed by an unmatched address: 07/22/07 at 17:06:12 > > > > Alex Broens wrote: > >> On 7/22/2007 5:13 PM, Julian Field wrote: >> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> How about this instead? >>> >>> SpamAssassin Rule Actions = rulename=>action, rulename=>action, .... >>> >>> the "rulename"s are the names of individual SpamAssassin rules, and >>> the "action"s are list those in "Spam Actions". To specify multiple >>> actions for a rule, you specify the rulename several times, with one >>> action for each. Expressions with SpamAssassin rules are done with >>> SpamAssassin meta-rules. If the rule hits, the action is taken. >>> >> Yeah. sounds real nice! >> >> >>> I'll write a few examples of meta-rules so you can see how to write >>> them in spam.assassin.rules.conf or wherever they need to go. Mr >>> Kettler, can you correct me on this please? >>> >> may I suggest the name: >> >> sa.actions.rules.conf? >> > Why would it need a conf file of its own? I see it just as a > (potentially quite long) list of rulenames and actions to take. > Or are you thinking of a conf file that looks like > rulename list-of-actions > rulename list-of-actions > .... > I'm not in favour of a separate conf file, it looks a bit over the top. > > >> so is not mistaken with pure SA rules. >> >> >>> Does this sound more useful than the previous suggestions? >>> >> I see this as the "gateway-procmail" - very powerful >> >> thanks >> >> Alex >> >> > > Jules > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: UTF-8 wj8DBQFGo4cGEfZZRxQVtlQRArB0AKCd4qC1yG1t5pACMQGtJUK3iqd05ACfWR0l 7ZPDBUszy4FKtrSTjB8DDAE= =/liW -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Sun Jul 22 17:38:00 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jul 22 17:40:19 2007 Subject: Request for comments 3 In-Reply-To: <46A383F0.5090204@alexb.ch> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com> <46A35BB4.6020503@ecs.soton.ac.uk> <46A3741E.8060901@ecs.soton.ac.uk> <46A377D3.5060103@alexb.ch> <46A38073.50200@ecs.soton.ac.uk> <46A383F0.5090204@alexb.ch> Message-ID: <46A387E8.4020204@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Alex Broens wrote: > On 7/22/2007 6:06 PM, Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> Alex Broens wrote: >>> On 7/22/2007 5:13 PM, Julian Field wrote: >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> How about this instead? >>>> >>>> SpamAssassin Rule Actions = rulename=>action, rulename=>action, .... >>>> >>>> the "rulename"s are the names of individual SpamAssassin rules, and >>>> the "action"s are list those in "Spam Actions". To specify multiple >>>> actions for a rule, you specify the rulename several times, with >>>> one action for each. Expressions with SpamAssassin rules are done >>>> with SpamAssassin meta-rules. If the rule hits, the action is taken. >>> Yeah. sounds real nice! >>> >>>> I'll write a few examples of meta-rules so you can see how to write >>>> them in spam.assassin.rules.conf or wherever they need to go. Mr >>>> Kettler, can you correct me on this please? >>> may I suggest the name: >>> >>> sa.actions.rules.conf? >> Why would it need a conf file of its own? I see it just as a >> (potentially quite long) list of rulenames and actions to take. 
>> Or are you thinking of a conf file that looks like
>> rulename list-of-actions
>> rulename list-of-actions
>> ....
>> I'm not in favour of a separate conf file, it looks a bit over the top.
>
> let me see if I got it right.
>
> (cheap example)
>
> should be all in one line:
>
> AXB_RCVD_ZOOBSEND To:blah1@domain.tld DELETE|QUARANTINE|FORWARD:
> blah22domain.tld

Where in my spec above did I mention From or To? You can put a ruleset on this configuration setting, so you could create rules in a ruleset that looked like (for example)

To: user1@domain1.com forward user2@domain2.com store deliver
FromOrTo: domain3.com store delete
From: user3@* deliver header "X-Wibble: yes"

>
> AXB_RCVD_ZOOBSEND From:blah3@domain.tld
> DELETE|QUARANTINE|FORWARD|REDIRECT: blah33domain.tld
>
> (one action option per rule)
>
> I see a lot of potential uses for FORWARD/REDIRECT actions.
>
> Alex
>
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGo4foEfZZRxQVtlQRAsg3AJ9NagZAOhxvt9uA5souk2qI5sQRtgCg5eGW
5xq1kO1qhQvkkbZ+WOpcu50=
=+pP1
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From ms-list at alexb.ch Sun Jul 22 17:59:39 2007
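The setting proposed in this thread (`SpamAssassin Rule Actions = rulename=>action, rulename=>action, ....`, applied to the list of hits once SpamAssassin has finished) can be sketched as below. This is an added example, not MailScanner code and not written by any poster: the function names, the validation checks, the sample setting and the hit list are assumptions, and the action keywords are limited to those mentioned in the thread.

```python
import re

# Action keywords mentioned in this thread (assumption: MailScanner's real
# "Spam Actions" list is longer and is not reproduced here).
KNOWN_ACTIONS = {"deliver", "delete", "store", "forward", "header"}
RULE_NAME = re.compile(r"[A-Za-z0-9_]+\Z")  # assumed shape of an SA rule name


def split_outside_quotes(text, sep=","):
    """Split on sep, but not inside double quotes (a header value may hold commas)."""
    parts, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_quotes:
        raise ValueError("unterminated double quote in setting")
    parts.append("".join(buf))
    return parts


def check_action(action):
    """Reject actions that are unknown or lack the argument they need."""
    fields = action.split(None, 1)
    if not fields or fields[0].lower() not in KNOWN_ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    keyword = fields[0].lower()
    arg = fields[1].strip() if len(fields) > 1 else ""
    if keyword == "forward":
        if not re.fullmatch(r"[^@\s]+@[^@\s]+", arg):
            raise ValueError(f"forward needs one address: {action!r}")
    elif keyword == "header":
        if not re.fullmatch(r'"[^":]+:[^"]*"', arg):
            raise ValueError(f'header needs "Name: value": {action!r}')
    elif arg:
        raise ValueError(f"{keyword} takes no argument: {action!r}")


def parse_rule_actions(value):
    """Parse 'rulename=>action, rulename=>action' into {rulename: [actions]}.

    A rule name listed several times accumulates one action per entry."""
    table = {}
    for item in split_outside_quotes(value):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma
        name, arrow, action = item.partition("=>")
        name, action = name.strip(), action.strip()
        if not arrow:
            raise ValueError(f"missing '=>' in {item!r}")
        if name.startswith("__"):
            # SpamAssassin does not report "__" sub-rules as hits, so an
            # action attached to one would never fire.
            raise ValueError(f"sub-rule {name!r} never appears in the hit list")
        if not RULE_NAME.match(name):
            raise ValueError(f"bad rule name: {name!r}")
        check_action(action)
        table.setdefault(name, []).append(action)
    return table


def actions_for_hits(table, hits):
    """Actions triggered by the hit list SpamAssassin returned, without repeats."""
    seen, result = set(), []
    for rule in hits:
        for action in table.get(rule, []):
            if action not in seen:
                seen.add(action)
                result.append(action)
    return result


def is_valid(value):
    """True if the setting parses cleanly, False otherwise."""
    try:
        parse_rule_actions(value)
        return True
    except ValueError:
        return False


# Constructed sample setting and hit list (not taken from a real scan).
SAMPLE_SETTING = (
    "AXB_RCVD_ZOOBSEND=>store, AXB_RCVD_ZOOBSEND=>forward user2@domain2.com, "
    'PDF_ONLY_SPAM=>header "X-Wibble: yes, really", JKF_FAKE_TBIRD=>delete'
)
SAMPLE_HITS = ["BAYES_99", "AXB_RCVD_ZOOBSEND", "PDF_ONLY_SPAM"]

if __name__ == "__main__":
    for act in actions_for_hits(parse_rule_actions(SAMPLE_SETTING), SAMPLE_HITS):
        print(act)
```

Because the lookup runs on the finished hit list, a misspelt rule name simply never matches, so a deployment would also want to check each configured name against the rules SpamAssassin actually loaded.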
From: ms-list at alexb.ch (Alex Broens) Date: Sun Jul 22 17:59:49 2007 Subject: Request for comments 3 In-Reply-To: <46A387E8.4020204@ecs.soton.ac.uk> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com> <46A35BB4.6020503@ecs.soton.ac.uk> <46A3741E.8060901@ecs.soton.ac.uk> <46A377D3.5060103@alexb.ch> <46A38073.50200@ecs.soton.ac.uk> <46A383F0.5090204@alexb.ch> <46A387E8.4020204@ecs.soton.ac.uk> Message-ID: <46A38CFB.3030000@alexb.ch> On 7/22/2007 6:38 PM, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Alex Broens wrote: >> On 7/22/2007 6:06 PM, Julian Field wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> >>> >>> Alex Broens wrote: >>>> On 7/22/2007 5:13 PM, Julian Field wrote: >>>>> -----BEGIN PGP SIGNED MESSAGE----- >>>>> Hash: SHA1 >>>>> >>>>> How about this instead? >>>>> >>>>> SpamAssassin Rule Actions = rulename=>action, rulename=>action, .... >>>>> >>>>> the "rulename"s are the names of individual SpamAssassin rules, and >>>>> the "action"s are list those in "Spam Actions". To specify multiple >>>>> actions for a rule, you specify the rulename several times, with >>>>> one action for each. Expressions with SpamAssassin rules are done >>>>> with SpamAssassin meta-rules. If the rule hits, the action is taken. >>>> Yeah. sounds real nice! >>>> >>>>> I'll write a few examples of meta-rules so you can see how to write >>>>> them in spam.assassin.rules.conf or wherever they need to go. Mr >>>>> Kettler, can you correct me on this please? >>>> may I suggest the name: >>>> >>>> sa.actions.rules.conf? >>> Why would it need a conf file of its own? I see it just as a >>> (potentially quite long) list of rulenames and actions to take. 
>>> Or are you thinking of a conf file that looks like
>>> rulename list-of-actions
>>> rulename list-of-actions
>>> ....
>>> I'm not in favour of a separate conf file, it looks a bit over the top.
>> let me see if I got it right.
>>
>> (cheap example)
>>
>> should be all in one line:
>>
>> AXB_RCVD_ZOOBSEND To:blah1@domain.tld DELETE|QUARANTINE|FORWARD:
>> blah22domain.tld
> Where in my spec above did I mention From or To? You can put a ruleset
> on this configuration setting, so you could create rules in a ruleset
> that looked like (for example)
> To: user1@domain1.com forward user2@domain2.com store deliver
> FromOrTo: domain3.com store delete
> From: user3@* deliver header "X-Wibble: yes"

It sounded like you were asking/requesting for comments but if its spec is nailed, I guess the extra actions also go down the drain.
(the ones which I believe would have really added value to the feature)

>> AXB_RCVD_ZOOBSEND From:blah3@domain.tld
>> DELETE|QUARANTINE|FORWARD|REDIRECT: blah33domain.tld
>>
>> (one action option per rule)
>>
>> I see a lot of potential uses for FORWARD/REDIRECT actions.

Alex

From uxbod at splatnix.net Sun Jul 22 18:26:50 2007
From: uxbod at splatnix.net (UxBoD)
Date: Sun Jul 22 18:25:48 2007
Subject: Request for comments 3
In-Reply-To: <46A38705.2030208@ecs.soton.ac.uk>
Message-ID: <5491898.91185125210417.JavaMail.root@office.splatnix.net>

LDAP is quite heavy compared to DBM and a lite MySQL installation. Plus, SQL calls over local net is far better IMHO and easier for people as well. Just my 2p worth Jules. More people know SQL coding.

----- Original Message -----
From: "Julian Field" To: "MailScanner discussion" Sent: 22 July 2007 17:34:13 o'clock (GMT) Europe/London Subject: Re: Request for comments 3 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 UxBoD wrote: > depends on how many rules people create Jules. If a lot then you may hit a limit within MailScanner.conf for a single line to parse. There aren't any limits on the length of the lines. > DBM or SQLquery would be great for this ;) (hint,hint) > You can do this already with LDAP. The structure of the LDAP tree has been posted to this list before (a long time ago). > --[ UxBoD ]-- > // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B > // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B > // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net > > ----- Original Message ----- 
> From: "Julian Field" > To: "MailScanner discussion" > Sent: 22 July 2007 17:06:11 o'clock (GMT) Europe/London > Subject: Re: Request for comments 3 > > > * PGP Signed by an unmatched address: 07/22/07 at 17:06:12 > > > > Alex Broens wrote: > >> On 7/22/2007 5:13 PM, Julian Field wrote: >> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> How about this instead? >>> >>> SpamAssassin Rule Actions = rulename=>action, rulename=>action, .... >>> >>> the "rulename"s are the names of individual SpamAssassin rules, and >>> the "action"s are list those in "Spam Actions". To specify multiple >>> actions for a rule, you specify the rulename several times, with one >>> action for each. Expressions with SpamAssassin rules are done with >>> SpamAssassin meta-rules. If the rule hits, the action is taken. >>> >> Yeah. sounds real nice! >> >> >>> I'll write a few examples of meta-rules so you can see how to write >>> them in spam.assassin.rules.conf or wherever they need to go. Mr >>> Kettler, can you correct me on this please? >>> >> may I suggest the name: >> >> sa.actions.rules.conf? >> > Why would it need a conf file of its own? I see it just as a > (potentially quite long) list of rulenames and actions to take. > Or are you thinking of a conf file that looks like > rulename list-of-actions > rulename list-of-actions > .... > I'm not in favour of a separate conf file, it looks a bit over the top. > > >> so is not mistaken with pure SA rules. >> >> >>> Does this sound more useful than the previous suggestions? >>> >> I see this as the "gateway-procmail" - very powerful >> >> thanks >> >> Alex >> >> > > Jules > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: UTF-8 wj8DBQFGo4cGEfZZRxQVtlQRArB0AKCd4qC1yG1t5pACMQGtJUK3iqd05ACfWR0l 7ZPDBUszy4FKtrSTjB8DDAE= =/liW -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Sun Jul 22 18:25:21 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 22 18:27:42 2007
Subject: Request for comments 3
In-Reply-To: <46A38CFB.3030000@alexb.ch>
References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com> <46A35BB4.6020503@ecs.soton.ac.uk> <46A3741E.8060901@ecs.soton.ac.uk> <46A377D3.5060103@alexb.ch> <46A38073.50200@ecs.soton.ac.uk> <46A383F0.5090204@alexb.ch> <46A387E8.4020204@ecs.soton.ac.uk> <46A38CFB.3030000@alexb.ch>
Message-ID: <46A39301.1090700@ecs.soton.ac.uk>

Alex Broens wrote:
> On 7/22/2007 6:38 PM, Julian Field wrote:
>> Alex Broens wrote:
>>> On 7/22/2007 6:06 PM, Julian Field wrote:
>>>> Alex Broens wrote:
>>>>> On 7/22/2007 5:13 PM, Julian Field wrote:
>>>>>> How about this instead?
>>>>>>
>>>>>> SpamAssassin Rule Actions = rulename=>action, rulename=>action, ....
>>>>>>
>>>>>> the "rulename"s are the names of individual SpamAssassin rules,
>>>>>> and the "action"s are list those in "Spam Actions". To specify
>>>>>> multiple actions for a rule, you specify the rulename several
>>>>>> times, with one action for each. Expressions with SpamAssassin
>>>>>> rules are done with SpamAssassin meta-rules. If the rule hits,
>>>>>> the action is taken.
>>>>> Yeah. sounds real nice!
>>>>>
>>>>>> I'll write a few examples of meta-rules so you can see how to
>>>>>> write them in spam.assassin.rules.conf or wherever they need to
>>>>>> go. Mr Kettler, can you correct me on this please?
>>>>> may I suggest the name:
>>>>>
>>>>> sa.actions.rules.conf?
>>>> Why would it need a conf file of its own? I see it just as a
>>>> (potentially quite long) list of rulenames and actions to take.
>>>> Or are you thinking of a conf file that looks like
>>>> rulename list-of-actions
>>>> rulename list-of-actions
>>>> ....
>>>> I'm not in favour of a separate conf file, it looks a bit over the
>>>> top.
>>> let me see if I got it right.
>>>
>>> (cheap example)
>>>
>>> should be all in one line:
>>>
>>> AXB_RCVD_ZOOBSEND To:blah1@domain.tld DELETE|QUARANTINE|FORWARD:
>>> blah22domain.tld
>> Where in my spec above did I mention From or To? You can put a
>> ruleset on this configuration setting, so you could create rules in a
>> ruleset that looked like (for example)
>> To: user1@domain1.com forward user2@domain2.com store deliver
>> FromOrTo: domain3.com store delete
>> From: user3@* deliver header "X-Wibble: yes"
>
> It sounded like you were asking/requesting for comments but if its
> spec is nailed, I guess the extra actions also go down the drain.
> (the ones which I believe would have really added value to the feature)
What were your extra actions you suggested? I couldn't understand your
examples. Its spec isn't nailed by any means. "forward" already exists.
>
>>> AXB_RCVD_ZOOBSEND From:blah3@domain.tld
>>> DELETE|QUARANTINE|FORWARD|REDIRECT: blah33domain.tld
>>>
>>> (one action option per rule)
>>>
>>> I see a lot of potential uses for FORWARD/REDIRECT actions.
>
> Alex
>
Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From ms-list at alexb.ch Sun Jul 22 18:51:27 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Sun Jul 22 18:51:32 2007
Subject: Request for comments 3
In-Reply-To: <46A39301.1090700@ecs.soton.ac.uk>
References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com> <46A35BB4.6020503@ecs.soton.ac.uk> <46A3741E.8060901@ecs.soton.ac.uk> <46A377D3.5060103@alexb.ch> <46A38073.50200@ecs.soton.ac.uk> <46A383F0.5090204@alexb.ch> <46A387E8.4020204@ecs.soton.ac.uk> <46A38CFB.3030000@alexb.ch> <46A39301.1090700@ecs.soton.ac.uk>
Message-ID: <46A3991F.3090807@alexb.ch>

On 7/22/2007 7:25 PM, Julian Field wrote:
> Alex Broens wrote:
>> On 7/22/2007 6:38 PM, Julian Field wrote:
>>> Alex Broens wrote:
>>>> On 7/22/2007 6:06 PM, Julian Field wrote:
>>>>> Alex Broens wrote:
>>>>>> On 7/22/2007 5:13 PM, Julian Field wrote:
>>>>>>> How about this instead?
>>>>>>>
>>>>>>> SpamAssassin Rule Actions = rulename=>action, rulename=>action, ....
>>>>>>>
>>>>>>> the "rulename"s are the names of individual SpamAssassin rules,
>>>>>>> and the "action"s are list those in "Spam Actions". To specify
>>>>>>> multiple actions for a rule, you specify the rulename several
>>>>>>> times, with one action for each. Expressions with SpamAssassin
>>>>>>> rules are done with SpamAssassin meta-rules. If the rule hits,
>>>>>>> the action is taken.
>>>>>> Yeah. sounds real nice!
>>>>>>
>>>>>>> I'll write a few examples of meta-rules so you can see how to
>>>>>>> write them in spam.assassin.rules.conf or wherever they need to
>>>>>>> go. Mr Kettler, can you correct me on this please?
>>>>>> may I suggest the name:
>>>>>>
>>>>>> sa.actions.rules.conf?
>>>>> Why would it need a conf file of its own? I see it just as a
>>>>> (potentially quite long) list of rulenames and actions to take.
>>>>> Or are you thinking of a conf file that looks like
>>>>> rulename list-of-actions
>>>>> rulename list-of-actions
>>>>> ....
>>>>> I'm not in favour of a separate conf file, it looks a bit over the
>>>>> top.
>>>> let me see if I got it right.
>>>>
>>>> (cheap example)
>>>>
>>>> should be all in one line:
>>>>
>>>> AXB_RCVD_ZOOBSEND To:blah1@domain.tld DELETE|QUARANTINE|FORWARD:
>>>> blah22domain.tld
>>> Where in my spec above did I mention From or To? You can put a
>>> ruleset on this configuration setting, so you could create rules in a
>>> ruleset that looked like (for example)
>>> To: user1@domain1.com forward user2@domain2.com store deliver
>>> FromOrTo: domain3.com store delete
>>> From: user3@* deliver header "X-Wibble: yes"
>> It sounded like you were asking/requesting for comments but if its
>> spec is nailed, I guess the extra actions also go down the drain.
>> (the ones which I believe would have really added value to the feature)
> What were your extra actions you suggested? I couldn't understand your
> examples. Its spec isn't nailed by any means. "forward" already exists.

pls see below:

AXB_RCVD_ZOOBSEND From:blah3@domain.tld
DELETE|QUARANTINE|FORWARD|REDIRECT: blah33domain.tld

In my understanding:
FORWARD modifies the "From"
REDIRECT doesn't so the sender is the original

*Your* FORWARD equals *my* REDIRECT
how to name the modified sender "Forward" ? dunno

do I make any sense?

Alex

From ms-list at alexb.ch Sun Jul 22 18:57:11 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Sun Jul 22 18:57:20 2007
Subject: Request for comments 3
In-Reply-To: <5491898.91185125210417.JavaMail.root@office.splatnix.net>
References: <5491898.91185125210417.JavaMail.root@office.splatnix.net>
Message-ID: <46A39A77.8010308@alexb.ch>

On 7/22/2007 7:26 PM, UxBoD wrote:
> LDAP is quite heavy compared to DBM and a lite MySQL installation.
> Plus, SQL calls over local net is far better IMHO and easier for
> people as well. Just my 2p worth Jules.

More people know SQL coding.
There's lots of ppl using Mailwatch and hacks of it, which would benefit from SQL as well.

From what one reads on the list, LDAP issues never show up, so it would be interesting to know how many use LDAP and I assume that the ones who do, master it real well as there's not many asking about it.

I've always avoided LDAP since my days using Critical Path stuff thoroughly depending on LDAP magic (which I ended up hating)

Alex

> ----- Original Message ----- From: "Julian Field"
> To: "MailScanner discussion"
> Sent: 22 July 2007 17:34:13
> o'clock (GMT) Europe/London Subject: Re: Request for comments 3
>
> UxBoD wrote:
>> depends on how many rules people create Jules. If a lot then you
>> may hit a limit within MailScanner.conf for a single line to parse.
>>
> There aren't any limits on the length of the lines.
>> DBM or SQLquery would be great for this ;) (hint,hint)
>>
> You can do this already with LDAP. The structure of the LDAP tree has
> been posted to this list before (a long time ago).
>
>> --[ UxBoD ]-- // PGP Key: "curl -s
>> https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint:
>> C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver:
>> www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP
>> Phone: uxbod@sip.splatnix.net
>>
>> ----- Original Message ----- From: "Julian Field"
>> To: "MailScanner discussion"
>> Sent: 22 July 2007 17:06:11
>> o'clock (GMT) Europe/London Subject: Re: Request for comments 3
>>
>> * PGP Signed by an unmatched address: 07/22/07 at 17:06:12
>>
>> Alex Broens wrote:
>>
>>> On 7/22/2007 5:13 PM, Julian Field wrote:
>>>
>>>> How about this instead?
>>>>
>>>> SpamAssassin Rule Actions = rulename=>action, rulename=>action,
>>>> ....
>>>>
>>>> the "rulename"s are the names of individual SpamAssassin rules,
>>>> and the "action"s are list those in "Spam Actions". To specify
>>>> multiple actions for a rule, you specify the rulename several
>>>> times, with one action for each. Expressions with SpamAssassin
>>>> rules are done with SpamAssassin meta-rules. If the rule hits,
>>>> the action is taken.
>>>>
>>> Yeah. sounds real nice!
>>>
>>>> I'll write a few examples of meta-rules so you can see how to
>>>> write them in spam.assassin.rules.conf or wherever they need to
>>>> go. Mr Kettler, can you correct me on this please?
>>>>
>>> may I suggest the name:
>>>
>>> sa.actions.rules.conf?
>>>
>> Why would it need a conf file of its own? I see it just as a
>> (potentially quite long) list of rulenames and actions to take. Or
>> are you thinking of a conf file that looks like rulename
>> list-of-actions rulename list-of-actions .... I'm not in favour
>> of a separate conf file, it looks a bit over the top.
>>
>>> so is not mistaken with pure SA rules.
>>>
>>>> Does this sound more useful than the previous suggestions?
>>>>
>>> I see this as the "gateway-procmail" - very powerful
>>>
>>> thanks
>>>
>>> Alex
>>>
>> Jules
>>
>
> Jules
>
> -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner
> book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration
> help? Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For
> all your IT requirements visit www.transtec.co.uk
>

From MailScanner at ecs.soton.ac.uk Sun Jul 22 19:08:18 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 22 19:10:38 2007
Subject: Request for comments 3
In-Reply-To: <46A3991F.3090807@alexb.ch>
References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com> <46A35BB4.6020503@ecs.soton.ac.uk> <46A3741E.8060901@ecs.soton.ac.uk> <46A377D3.5060103@alexb.ch> <46A38073.50200@ecs.soton.ac.uk> <46A383F0.5090204@alexb.ch> <46A387E8.4020204@ecs.soton.ac.uk> <46A38CFB.3030000@alexb.ch> <46A39301.1090700@ecs.soton.ac.uk> <46A3991F.3090807@alexb.ch>
Message-ID: <46A39D12.7030807@ecs.soton.ac.uk>

Alex Broens wrote:
> On 7/22/2007 7:25 PM, Julian Field wrote:
>> Alex Broens wrote:
>>> On 7/22/2007 6:38 PM, Julian Field wrote:
>>>> Alex Broens wrote:
>>>>> On 7/22/2007 6:06 PM, Julian Field wrote:
>>>>>> Alex Broens wrote:
>>>>>>> On 7/22/2007 5:13 PM, Julian Field wrote:
>>>>>>>> How about this instead?
>>>>>>>>
>>>>>>>> SpamAssassin Rule Actions = rulename=>action, rulename=>action,
>>>>>>>> ....
>>>>>>>>
>>>>>>>> the "rulename"s are the names of individual SpamAssassin rules,
>>>>>>>> and the "action"s are list those in "Spam Actions". To specify
>>>>>>>> multiple actions for a rule, you specify the rulename several
>>>>>>>> times, with one action for each. Expressions with SpamAssassin
>>>>>>>> rules are done with SpamAssassin meta-rules. If the rule hits,
>>>>>>>> the action is taken.
>>>>>>> Yeah. sounds real nice!
>>>>>>>
>>>>>>>> I'll write a few examples of meta-rules so you can see how to
>>>>>>>> write them in spam.assassin.rules.conf or wherever they need to
>>>>>>>> go. Mr Kettler, can you correct me on this please?
>>>>>>> may I suggest the name:
>>>>>>>
>>>>>>> sa.actions.rules.conf?
>>>>>> Why would it need a conf file of its own? I see it just as a
>>>>>> (potentially quite long) list of rulenames and actions to take.
>>>>>> Or are you thinking of a conf file that looks like
>>>>>> rulename list-of-actions
>>>>>> rulename list-of-actions
>>>>>> ....
>>>>>> I'm not in favour of a separate conf file, it looks a bit over
>>>>>> the top.
>>>>> let me see if I got it right.
>>>>>
>>>>> (cheap example)
>>>>>
>>>>> should be all in one line:
>>>>>
>>>>> AXB_RCVD_ZOOBSEND To:blah1@domain.tld DELETE|QUARANTINE|FORWARD:
>>>>> blah22domain.tld
>>>> Where in my spec above did I mention From or To? You can put a
>>>> ruleset on this configuration setting, so you could create rules in
>>>> a ruleset that looked like (for example)
>>>> To: user1@domain1.com forward user2@domain2.com store deliver
>>>> FromOrTo: domain3.com store delete
>>>> From: user3@* deliver header "X-Wibble: yes"
>>> It sounded like you were asking/requesting for comments but if its
>>> spec is nailed, I guess the extra actions also go down the drain.
>>> (the ones which I believe would have really added value to the feature)
>> What were your extra actions you suggested? I couldn't understand
>> your examples. Its spec isn't nailed by any means. "forward" already
>> exists.
>
> pls see below:
>
> AXB_RCVD_ZOOBSEND From:blah3@domain.tld
> DELETE|QUARANTINE|FORWARD|REDIRECT: blah33domain.tld
>
> In my understanding:
> FORWARD modifies the "From"
> REDIRECT doesn't so the sender is the original
In MailScanner, forward doesn't modify the From, it just adds another
recipient to the message.
>
> *Your* FORWARD equals *my* REDIRECT
Yes.
> how to name the modified sender "Forward" ? dunno
>
> do I make any sense?
In your terminology, forward doesn't exist, only redirect. After all, as
you say, what would I put in for the modified sender? I'm not willing to
modify the sender address.

So, with that said, what extras are you suggesting?

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Sun Jul 22 19:39:13 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 22 19:41:32 2007
Subject: Request for comments 3
In-Reply-To: <46A39A77.8010308@alexb.ch>
References: <5491898.91185125210417.JavaMail.root@office.splatnix.net> <46A39A77.8010308@alexb.ch>
Message-ID: <46A3A451.1030001@ecs.soton.ac.uk>

I'm just starting thinking about SQL, I'm not starting implementing yet.
I want to finish the chat about the SpamAssassin Rules Actions first.

How about one of you guys start work on a database design for me.
Remember I need ordered rulesets and Custom Functions.

But can we concentrate on the SpamAssassin Rules Actions for now, please.

Jules.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From ms-list at alexb.ch Sun Jul 22 19:57:46 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Sun Jul 22 19:57:51 2007
Subject: Request for comments 3
In-Reply-To: <46A39D12.7030807@ecs.soton.ac.uk>
References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com> <46A35BB4.6020503@ecs.soton.ac.uk> <46A3741E.8060901@ecs.soton.ac.uk> <46A377D3.5060103@alexb.ch> <46A38073.50200@ecs.soton.ac.uk> <46A383F0.5090204@alexb.ch> <46A387E8.4020204@ecs.soton.ac.uk> <46A38CFB.3030000@alexb.ch> <46A39301.1090700@ecs.soton.ac.uk> <46A3991F.3090807@alexb.ch> <46A39D12.7030807@ecs.soton.ac.uk>
Message-ID: <46A3A8AA.8010508@alexb.ch>

On 7/22/2007 8:08 PM, Julian Field wrote:
> Alex Broens wrote:
>> On 7/22/2007 7:25 PM, Julian Field wrote:
>>> Alex Broens wrote:
>>>> On 7/22/2007 6:38 PM, Julian Field wrote:
>>>>> Alex Broens wrote:
>>>>>> On 7/22/2007 6:06 PM, Julian Field wrote:
>>>>>>> Alex Broens wrote:
>>>>>>>> On 7/22/2007 5:13 PM, Julian Field wrote:
>>>>>>>>> How about this instead?
>>>>>>>>>
>>>>>>>>> SpamAssassin Rule Actions = rulename=>action, rulename=>action,
>>>>>>>>> ....
>>>>>>>>>
>>>>>>>>> the "rulename"s are the names of individual SpamAssassin rules,
>>>>>>>>> and the "action"s are list those in "Spam Actions". To specify
>>>>>>>>> multiple actions for a rule, you specify the rulename several
>>>>>>>>> times, with one action for each. Expressions with SpamAssassin
>>>>>>>>> rules are done with SpamAssassin meta-rules. If the rule hits,
>>>>>>>>> the action is taken.
>>>>>>>> Yeah. sounds real nice!
>>>>>>>>
>>>>>>>>> I'll write a few examples of meta-rules so you can see how to
>>>>>>>>> write them in spam.assassin.rules.conf or wherever they need to
>>>>>>>>> go. Mr Kettler, can you correct me on this please?
>>>>>>>> may I suggest the name:
>>>>>>>>
>>>>>>>> sa.actions.rules.conf?
>>>>>>> Why would it need a conf file of its own? I see it just as a
>>>>>>> (potentially quite long) list of rulenames and actions to take.
>>>>>>> Or are you thinking of a conf file that looks like
>>>>>>> rulename list-of-actions
>>>>>>> rulename list-of-actions
>>>>>>> ....
>>>>>>> I'm not in favour of a separate conf file, it looks a bit over
>>>>>>> the top.
>>>>>> let me see if I got it right.
>>>>>>
>>>>>> (cheap example)
>>>>>>
>>>>>> should be all in one line:
>>>>>>
>>>>>> AXB_RCVD_ZOOBSEND To:blah1@domain.tld DELETE|QUARANTINE|FORWARD:
>>>>>> blah22domain.tld
>>>>> Where in my spec above did I mention From or To? You can put a
>>>>> ruleset on this configuration setting, so you could create rules in
>>>>> a ruleset that looked like (for example)
>>>>> To: user1@domain1.com forward user2@domain2.com store deliver
>>>>> FromOrTo: domain3.com store delete
>>>>> From: user3@* deliver header "X-Wibble: yes"
>>>> It sounded like you were asking/requesting for comments but if its
>>>> spec is nailed, I guess the extra actions also go down the drain.
>>>> (the ones which I believe would have really added value to the feature)
>>> What were your extra actions you suggested? I couldn't understand
>>> your examples. Its spec isn't nailed by any means. "forward" already
>>> exists.
>> pls see below:
>>
>> AXB_RCVD_ZOOBSEND From:blah3@domain.tld
>> DELETE|QUARANTINE|FORWARD|REDIRECT: blah33domain.tld
>>
>> In my understanding:
>> FORWARD modifies the "From"
>> REDIRECT doesn't so the sender is the original
> In MailScanner, forward doesn't modify the From, it just adds another
> recipient to the message.
>
>> *Your* FORWARD equals *my* REDIRECT
> Yes.
>> how to name the modified sender "Forward" ? dunno
>>
>> do I make any sense?
> In your terminology, forward doesn't exist, only redirect. After all, as
> you say, what would I put in for the modified sender? I'm not willing to
> modify the sender address.

ok.. after rethinking, I agree.
would be like a BCC

FORWARD:someother.rcpt@someother.domain.tld

(for archiving, notifying, responder, etc, requirements)

> So, with that said, what extras are you suggesting?

obviously all this can normally be done at MTA level, but I believe it would be practical and unique to be able to do such stuff at gateway level.

Alex

From uxbod at splatnix.net Sun Jul 22 20:27:54 2007
From: uxbod at splatnix.net (UxBoD)
Date: Sun Jul 22 20:26:50 2007
Subject: Request for comments 3
In-Reply-To: <46A3A451.1030001@ecs.soton.ac.uk>
Message-ID: <6207056.151185132474845.JavaMail.root@office.splatnix.net>

Jules,

I gather from your tone that SQL integration is at the bottom of your list, but in the same manner I see that the recent RFC is not at the top of people's agenda.

With that said it would be certainly interesting to see how people would like MailScanner to develop in the future. Your work is second to none, and with your expertise your product will become even greater.

With other products (O/S solutions) going down the SQL route for tighter integration then I do believe that now is the time to harness the technology and catapult a superb product forward.

Integration is the key, you have already done this with commercial and O/S products, but now MS needs to integrate with the control panel. Flat files are fast and efficient, but controlling via a panel is a different breed altogether. Permissions etc are a real pain on flat files.

This is my own personal view, but one I believe is expressed through others from what I can see.

M/S rocks and gets better and better, but perhaps now a distributed solution should be looked at as well.

My time would certainly help in this quest. FSL take on it is very clever using a Broadcast/Multicast approach, perhaps that sort of technology could be encapsulated within M/S ?

Greatest Regards Jules,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: 22 July 2007 19:39:13 o'clock (GMT) Europe/London
Subject: Re: Request for comments 3

I'm just starting thinking about SQL, I'm not starting implementing yet.
I want to finish the chat about the SpamAssassin Rules Actions first.

How about one of you guys start work on a database design for me.
Remember I need ordered rulesets and Custom Functions.

But can we concentrate on the SpamAssassin Rules Actions for now, please.

Jules.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From ssilva at sgvwater.com Sun Jul 22 20:40:47 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Sun Jul 22 20:41:08 2007
Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k"
In-Reply-To:
References: <012101c7c8bc$5498dee0$5713cc40@OCEANII> <469D4099.5040708@alexb.ch> <469FA620.5030208@cnpapers.com> <469FCCFF.3080700@cnpapers.com>
Message-ID:

Scott Silva spake the following on 7/20/2007 11:07 AM:
> Steve Campbell spake the following on 7/19/2007 1:43 PM:
>>
>> Scott Silva wrote:
>>> Steve Campbell spake the following on 7/19/2007 10:57 AM:
>>>
>>>> Alex Broens wrote:
>>>>
>>>>> On 7/17/2007 11:49 PM, Michael R. Dilworth wrote:
>>>>>
>>>>>> Just to save some time for some of you, the 40k number
>>>>>> can is on the small side for some of the PDF spams I've been
>>>>>> receiving.
>>>>>>
>>>>> FWI: I'm using:
>>>>>
>>>>> Max Spam Check Size = 250000
>>>>> Max SpamAssassin Size = 2500000
>>>>>
>>>>> which, AFAIK are the default SA values.
>>>>>
>>>>> Alex
>>>>> --
>>>>> *Spammer hell has no DSL*
>>>>>
>>>> Maybe it's because I'm not up-to-date on my MS, but I don't have a Max
>>>> Spam Check Size parameter in my configuration file.
>>>>
>>>> The only "Size" parms I have are as follows:
>>>>
>>>> Maximum Message Size = 0
>>>> Maximum Attachment Size = -1
>>>> Minimum Attachment Size = -1
>>>> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
>>>> Max SpamAssassin Size = 2500000
>>>>
>>> This setting will make mailscanner not send the message to
>>> spamassassin if it
>>> is over this size. Are the pdf spams bigger than that?
>>>
>> Everyone is missing my point I meant to make.
>>
>> I don't have the "Max Spam Check Size" in my configuration file to
>> change. It could have been missed in an upgrade, but I always use
>> Julian's upgrade_MailScanner_conf script and this parm is missing on 3
>> different servers.
>>
>> Steve Campbell
>>
> Nor do I, and I am running the latest stable (4.61.7-2). It must be in the
> latest beta.
>
I retract that last statement. I was on the edge of the flu when I looked for that, and just missed it. Just today feeling better.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From uxbod at splatnix.net Sun Jul 22 21:04:12 2007
From: uxbod at splatnix.net (UxBoD)
Date: Sun Jul 22 21:03:11 2007
Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k"
In-Reply-To:
Message-ID: <14806363.181185134652109.JavaMail.root@office.splatnix.net>

Hope you're feeling better :)

----- Original Message -----
From: "Scott Silva"
To: mailscanner@lists.mailscanner.info
Sent: 22 July 2007 20:40:47 o'clock (GMT) Europe/London
Subject: Re: FYI: PDFInfo and "Max SpamAssassin Size=40k"

Scott Silva spake the following on 7/20/2007 11:07 AM:
> Steve Campbell spake the following on 7/19/2007 1:43 PM:
>>
>> Scott Silva wrote:
>>> Steve Campbell spake the following on 7/19/2007 10:57 AM:
>>>
>>>> Alex Broens wrote:
>>>>
>>>>> On 7/17/2007 11:49 PM, Michael R. Dilworth wrote:
>>>>>
>>>>>> Just to save some time for some of you, the 40k number
>>>>>> can is on the small side for some of the PDF spams I've been
>>>>>> receiving.
>>>>>>
>>>>> FWI: I'm using:
>>>>>
>>>>> Max Spam Check Size = 250000
>>>>> Max SpamAssassin Size = 2500000
>>>>>
>>>>> which, AFAIK are the default SA values.
>>>>>
>>>>> Alex
>>>>> --
>>>>> *Spammer hell has no DSL*
>>>>>
>>>> Maybe it's because I'm not up-to-date on my MS, but I don't have a Max
>>>> Spam Check Size parameter in my configuration file.
>>>>
>>>> The only "Size" parms I have are as follows:
>>>>
>>>> Maximum Message Size = 0
>>>> Maximum Attachment Size = -1
>>>> Minimum Attachment Size = -1
>>>> ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
>>>> Max SpamAssassin Size = 2500000
>>>>
>>> This setting will make mailscanner not send the message to
>>> spamassassin if it
>>> is over this size. Are the pdf spams bigger than that?
>>>
>> Everyone is missing my point I meant to make.
>>
>> I don't have the "Max Spam Check Size" in my configuration file to
>> change. It could have been missed in an upgrade, but I always use
>> Julian's upgrade_MailScanner_conf script and this parm is missing on 3
>> different servers.
>>
>> Steve Campbell
>>
> Nor do I, and I am running the latest stable (4.61.7-2). It must be in the
> latest beta.
>
I retract that last statement. I was on the edge of the flu when I looked for that, and just missed it. Just today feeling better.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Sun Jul 22 21:10:48 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Sun Jul 22 21:11:07 2007
Subject: MailScanner just stopped
In-Reply-To: <1f1627f60707201555u59bac16evdffa442526c3f7e2@mail.gmail.com>
References: <1f1627f60707201555u59bac16evdffa442526c3f7e2@mail.gmail.com>
Message-ID:

Kevin Smith spake the following on 7/20/2007 3:55 PM:
> I have something really odd going on on my server right now. Today
> MailScanner just STOPPED...I have changed NOTHING in the last month. I
> can see MailScanner running if I type in top...at least four instances
> are running at 20% CPU....I know the system is taking mail because I ran
> a fetchmail and watched it connect and pull the message off of the
> server and disconnect.
>
> If I service MailScanner stop and then start sendmail...everything is
> fine....
>
> Any suggestions? Where is the mail that it has grabbed?
>
Doesn't anybody READ the list before they post? This is the third thread on this issue, and it was fixed at least THREE months ago.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From MailScanner at ecs.soton.ac.uk Sun Jul 22 21:08:55 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Jul 22 21:11:11 2007
Subject: Request for comments 3
In-Reply-To: <6207056.151185132474845.JavaMail.root@office.splatnix.net>
References: <6207056.151185132474845.JavaMail.root@office.splatnix.net>
Message-ID: <46A3B957.8060402@ecs.soton.ac.uk>

In which case, please help me out and tell me what sort of database structure you would like to see. I don't use any of these control panel products, and so I have little idea how one might structure a configuration database. That's mostly why it hasn't already happened.

UxBoD wrote:
> Jules,
>
> I gather from your tone that SQL integration is at the bottom of your list, but in the same manner I see that the recent RFC is not at the top of people's agenda.
>
> With that said it would be certainly interesting to see how people would like MailScanner to develop in the future. Your work is second to none, and with your expertise your product will become even greater.
>
> With other products (O/S solutions) going down the SQL route for tighter integration then I do believe that now is the time to harness the technology and catapult a superb product forward.
>
> Integration is the key, you have already done this with commercial and O/S products, but now MS needs to integrate with the control panel. Flat files are fast and efficient, but controlling via a panel is a different breed altogether. Permissions etc are a real pain on flat files.
>
> This is my own personal view, but one I believe is expressed through others from what I can see.
>
> M/S rocks and gets better and better, but perhaps now a distributed solution should be looked at as well.
>
> My time would certainly help in this quest. FSL take on it is very clever using a Broadcast/Multicast approach, perhaps that sort of technology could be encapsulated within M/S ?
>
> Greatest Regards Jules,
>
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
>
> ----- Original Message -----
> From: "Julian Field"
> To: "MailScanner discussion"
> Sent: 22 July 2007 19:39:13 o'clock (GMT) Europe/London
> Subject: Re: Request for comments 3
>
> * PGP Signed by an unmatched address: 07/22/07 at 19:39:14
>
> I'm just starting thinking about SQL, I'm not starting implementing yet.
> I want to finish the chat about the SpamAssassin Rules Actions first.
>
> How about one of you guys start work on a database design for me.
> Remember I need ordered rulesets and Custom Functions.
>
> But can we concentrate on the SpamAssassin Rules Actions for now, please.
>
> Jules.
>
> Jules
>
Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From ssilva at sgvwater.com Sun Jul 22 21:16:30 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Sun Jul 22 21:16:51 2007
Subject: pdf spam turned into excel spam
In-Reply-To: <6B59FCF2EFD0334A8147A1BB463F111E02A03061@mail-17ps.atlarge.net>
References: <6B59FCF2EFD0334A8147A1BB463F111E02A03061@mail-17ps.atlarge.net>
Message-ID:

Jan Agermose spake the following on 7/22/2007 2:19 AM:
> Hi
>
> I've noticed that what we have seen the last week as PDF spam is now
> getting sent as excel files with spam.
>
> I'm using this PDFInfo plugin and it works perfectly - does anyone know if
> there is work on an excel plugin? Or has anyone written any other rules
> to counter this?
>
> Best regards
> Jan
I'm sure the b&s!&rd$ will adapt again as soon as someone does.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ja at conviator.com Sun Jul 22 21:23:25 2007
From: ja at conviator.com (Jan Agermose)
Date: Sun Jul 22 21:24:37 2007
Subject: SV: pdf spam turned into excel spam
In-Reply-To:
References: <6B59FCF2EFD0334A8147A1BB463F111E02A03061@mail-17ps.atlarge.net>
Message-ID: <6B59FCF2EFD0334A8147A1BB463F111E02A030A9@mail-17ps.atlarge.net>

I'm sure you are right :-D

Actually I got a link to a clamav extension if someone would find that interesting:
http://sanesecurity.blogspot.com/2007/07/from-pdf-to-xls-stock-spam.html

-----Original message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On behalf of Scott Silva
Sent: 22 July 2007 22:17
To: mailscanner@lists.mailscanner.info
Subject: Re: pdf spam turned into excel spam

Jan Agermose spake the following on 7/22/2007 2:19 AM:
> Hi
>
> I've noticed that what we have seen the last week as PDF spam is now
> getting sent as excel files with spam.
>
> I'm using this PDFInfo plugin and it works perfectly - does anyone know if
> there is work on an excel plugin? Or has anyone written any other rules
> to counter this?
>
> Best regards
> Jan
I'm sure the b&s!&rd$ will adapt again as soon as someone does.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ms-list at alexb.ch Sun Jul 22 21:43:03 2007
From: ms-list at alexb.ch (Alex Broens) Date: Sun Jul 22 21:43:06 2007 Subject: Request for comments 3 In-Reply-To: <46A3B957.8060402@ecs.soton.ac.uk> References: <6207056.151185132474845.JavaMail.root@office.splatnix.net> <46A3B957.8060402@ecs.soton.ac.uk> Message-ID: <46A3C157.10305@alexb.ch> On 7/22/2007 10:08 PM, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > In which case, please help me out and tell me what sort of database > structure you would like to see. I don't use any of these control panel > products, and so I have little idea how one might structure a > configuration database. That's mostly why it hasn't already happened. Jules, I'd like to suggest you take the variables you have in MailScanner.conf, convert them to database tables and their parameters to table fields. Getting a startup design from a community will be like getting the globe to sign the Kyoto Protocol. Having a basic design, ppl will come up with the most creative ideas once they start working with the basics you've provided. Alex From uxbod at splatnix.net Sun Jul 22 22:26:01 2007 From: uxbod at splatnix.net (UxBoD) Date: Sun Jul 22 22:24:53 2007 Subject: Request for comments 3 In-Reply-To: <46A3B957.8060402@ecs.soton.ac.uk> Message-ID: <14322087.211185139561743.JavaMail.root@office.splatnix.net> Okay. Will run through the MS config over next few days and see what structure can come up with. Needs to be portable between different SQL formats including DBM hash. ----- Original Message ----- 
From: "Julian Field" To: "MailScanner discussion" Sent: 22 July 2007 21:08:55 o'clock (GMT) Europe/London Subject: Re: Request for comments 3 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In which case, please help me out and tell me what sort of database structure you would like to see. I don't use any of these control panel products, and so I have little idea how one might structure a configuration database. That's mostly why it hasn't already happened. UxBoD wrote: > Jules, > > I gather from your tone that SQL integration is at the bottom of your list, but in the same manner I see that the recent RFC is not at the top of peoples agenda. > > With that said it would be certainly interesting to see how people would like MailScanner to develop in the future. Your work is second to none, and with your expertise your product will become even greater. > > With other products (O/S solutions) going down the SQL route for tighter integration then I do believe that now is the time to harness the technology and catapult a superb product forward. > > Integration is the key, you have already done this with commercial and O/S products, but now MS needs to integrate with the control panel. Flat files are fast and efficient, but controlling via a panel is a different breed all together. Permissions etc are a real pain on flat files. > > This is my own personal view, but one I believe is expressed through others from what I can see. > > M/S rocks and gets better and better, but perhaps now a distributed solution should be looked at aswell. > > My time would certainly help is this quest. FSL take on it is very clever using a Broadcast/Multicast approach, perhaps that sort of technology could be encapsulated within M/S ? 
> > Greatest Regards Jules, > > --[ UxBoD ]-- > // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B > // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B > // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net > > ----- Original Message ----- 
> From: "Julian Field" > To: "MailScanner discussion" > Sent: 22 July 2007 19:39:13 o'clock (GMT) Europe/London > Subject: Re: Request for comments 3 > > > * PGP Signed by an unmatched address: 07/22/07 at 19:39:14 > > I'm just starting thinking about SQL, I'm not starting implementing yet. > I want to finish the chat about the SpamAssassin Rules Actions first. > > How about one of you guys start work on a database design for me. > Remember I need ordered rulesets and Custom Functions. > > But can we concentrate on the SpamAssassin Rules Actions for now, please. > > Jules. > > Jules > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: UTF-8 wj8DBQFGo7lXEfZZRxQVtlQRAocnAKCjfjy3ZHEIYXJKEYKift5Q6GiXdwCgjfhX 2mmyWpK3IM2CBJz/zYdNWl4= =zcWC -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From rich at mail.wvnet.edu Sun Jul 22 22:26:49 2007 
From: rich at mail.wvnet.edu (Richard Lynch)
Date: Sun Jul 22 22:26:54 2007
Subject: Request for comments 3
In-Reply-To:
References: <6207056.151185132474845.JavaMail.root@office.splatnix.net> <46A3B957.8060402@ecs.soton.ac.uk>
Message-ID: <46A3CB99.9050604@mail.wvnet.edu>

Alex Broens wrote:
> On 7/22/2007 10:08 PM, Julian Field wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> In which case, please help me out and tell me what sort of database
>> structure you would like to see. I don't use any of these control
>> panel products, and so I have little idea how one might structure a
>> configuration database. That's mostly why it hasn't already happened.
>
> Jules,
>
> I'd like to suggest you take the variables you have in
> MailScanner.conf, convert them to database tables and their parameters
> to table fields.
>
> Getting a startup design from a community will be like getting the
> globe to sign the Kyoto Protocol.
>
> Having a basic design, ppl will come up with the most creative ideas
> once they start working with the basics you've provided.
>
> Alex
>
>
Well I, for one, would be against such a change. I prefer text configuration files. They're simple to understand and simple to change. I personally don't see the need for a SQL database in this regard. Use relational databases when you need access to complex indexed data. This is a classic SWAP (a solution without a problem). If you want to put a user friendly GUI on top of it that's fine as long as the underlying structure is simple text.

Richard

From seamus at rheelweb.co.nz Sun Jul 22 22:43:57 2007
From: seamus at rheelweb.co.nz (Seamus Allan) Date: Sun Jul 22 22:44:18 2007 Subject: FuzzyOCR problems ... In-Reply-To: <469D15A2.7060409@niit.edu.pk> References: <469D15A2.7060409@niit.edu.pk> Message-ID: <46A3CF9D.1000602@rheelweb.co.nz> An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070723/c91c3546/attachment.html From yashodhan.barve at gmail.com Mon Jul 23 01:02:39 2007 From: yashodhan.barve at gmail.com (Yashodhan Barve) Date: Mon Jul 23 01:02:46 2007 Subject: Request for comments 3 In-Reply-To: <46A3CB99.9050604@mail.wvnet.edu> References: <6207056.151185132474845.JavaMail.root@office.splatnix.net> <46A3B957.8060402@ecs.soton.ac.uk> <46A3CB99.9050604@mail.wvnet.edu> Message-ID: <46A3F01F.4010005@gmail.com> Richard Lynch wrote: >> >> >> > Well I, for one, would be against such a change. I prefer text > configuration files. They're simple to understand and simple to > change. I personally don't see the need for a SQL database in this > regard. Use relational databases when you need access to complex > indexed data. This is a classic SWAP (a solution without a problem). > It you want to put a user friendly GUI on top of it that's fine as long > as the underlying structure is simple text. > > Richard > I share Richards' view and would be against such a change. The text files makes things like copying config files to another server, backing up configuration easy. It is also easy to diff your configurations with text files. imho, why fix something that is not broken? yashodhan From markee at bandwidthco.com Mon Jul 23 04:18:34 2007 From: markee at bandwidthco.com (markee) Date: Mon Jul 23 04:20:52 2007 Subject: Request for comments 3 In-Reply-To: <46A3CB99.9050604@mail.wvnet.edu> Message-ID: <004801c7ccd8$2728dc60$0300a8c0@bandwidthco.com> -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard Lynch Sent: Sunday, July 22, 2007 2:27 PM To: MailScanner discussion Subject: Re: Request for comments 3 Alex Broens wrote: > On 7/22/2007 10:08 PM, Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> In which case, please help me out and tell me what sort of database >> structure you would like to see. I don't use any of these control >> panel products, and so I have little idea how one might structure a >> configuration database. That's mostly why it hasn't already happened. > > Jules, > > I'd like to suggest you take the variables you have in > MailScanner.conf, convert them to database tables and their parameters > to table fields. > > Getting a startup design from a community will be like getting the > globe to sign the Kyoto Protocol. > > Having a basic design, ppl will come up with the most creative ideas > once they start working with the basics you've provided. > > Alex > > > Well I, for one, would be against such a change. I prefer text configuration files. They're simple to understand and simple to change. I personally don't see the need for a SQL database in this regard. Use relational databases when you need access to complex indexed data. This is a classic SWAP (a solution without a problem). It you want to put a user friendly GUI on top of it that's fine as long as the underlying structure is simple text. Richard -- ########################## I agree with Richard. One of the things that makes MailScanner great is the "simplicity". I would want to know what benefits the added complexity might add to make it worthwhile. Complexity = new problems. ######################################################## This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
postmaster@bandwidthco.com MailScanner at Bandwidthco Computer Security is for your absolute protection. ######################################################## From uxbod at splatnix.net Mon Jul 23 05:06:38 2007 From: uxbod at splatnix.net (UxBoD) Date: Mon Jul 23 05:05:24 2007 Subject: Request for comments 3 In-Reply-To: <004801c7ccd8$2728dc60$0300a8c0@bandwidthco.com> Message-ID: <12144849.241185163598712.JavaMail.root@office.splatnix.net> All valid comments and understand the feelings expressed. ----- Original Message ----- From: "markee" To: "MailScanner discussion" Sent: 23 July 2007 04:18:34 o'clock (GMT) Europe/London Subject: RE: Request for comments 3 -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Richard Lynch Sent: Sunday, July 22, 2007 2:27 PM To: MailScanner discussion Subject: Re: Request for comments 3 Alex Broens wrote: > On 7/22/2007 10:08 PM, Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> In which case, please help me out and tell me what sort of database >> structure you would like to see. I don't use any of these control >> panel products, and so I have little idea how one might structure a >> configuration database. That's mostly why it hasn't already happened. > > Jules, > > I'd like to suggest you take the variables you have in > MailScanner.conf, convert them to database tables and their parameters > to table fields. > > Getting a startup design from a community will be like getting the > globe to sign the Kyoto Protocol. > > Having a basic design, ppl will come up with the most creative ideas > once they start working with the basics you've provided. > > Alex > > > Well I, for one, would be against such a change. I prefer text configuration files. They're simple to understand and simple to change. I personally don't see the need for a SQL database in this regard. Use relational databases when you need access to complex indexed data. This is a classic SWAP (a solution without a problem). It you want to put a user friendly GUI on top of it that's fine as long as the underlying structure is simple text. Richard -- ########################## I agree with Richard. One of the things that makes MailScanner great is the "simplicity". I would want to know what benefits the added complexity might add to make it worthwhile. Complexity = new problems. ######################################################## This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
postmaster@bandwidthco.com MailScanner at Bandwidthco Computer Security is for your absolute protection. ######################################################## -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ms-list at alexb.ch Mon Jul 23 06:11:15 2007 
From: ms-list at alexb.ch (Alex Broens) Date: Mon Jul 23 06:11:23 2007 Subject: Request for comments 3 In-Reply-To: <46A3F01F.4010005@gmail.com> References: <6207056.151185132474845.JavaMail.root@office.splatnix.net> <46A3B957.8060402@ecs.soton.ac.uk> <46A3CB99.9050604@mail.wvnet.edu> <46A3F01F.4010005@gmail.com> Message-ID: <46A43873.2090004@alexb.ch> On 7/23/2007 2:02 AM, Yashodhan Barve wrote: > Richard Lynch wrote: >>> >>> >> Well I, for one, would be against such a change. I prefer text >> configuration files. They're simple to understand and simple to >> change. I personally don't see the need for a SQL database in this >> regard. Use relational databases when you need access to complex >> indexed data. This is a classic SWAP (a solution without a problem). >> It you want to put a user friendly GUI on top of it that's fine as long >> as the underlying structure is simple text. >> >> Richard >> > > I share Richards' view and would be against such a change. The text > files makes things like copying config files to another server, backing > up configuration easy. > > It is also easy to diff your configurations with text files. > imho, why fix something that is not broken? Wasn't this about ADDING SQL support to MailScanner and NOT replacing the conf files with a DB layer? Alex From carl at theholidayclub.com Mon Jul 23 07:27:06 2007 From: carl at theholidayclub.com (Carl Werner) Date: Mon Jul 23 07:27:39 2007 Subject: Mailscanner Gateway does not reject unknown users (more of asendmail question, I think) (Ken A) In-Reply-To: References: <200707201808.l6KI8AvU005639@safir.blacknight.ie> Message-ID: Hi, Try the smf-sav milter for sendmail. In its configuration you add the destination email server and it check if the user exists. Regards Carl _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jeff Ramsey
Sent: 20 July 2007 10:41 PM
To: mailscanner@lists.mailscanner.info
Subject: Re: Mailscanner Gateway does not reject unknown users (more of asendmail question, I think) (Ken A)

On Jul 20, 2007, at 11:08 AM, mailscanner-request@lists.mailscanner.info wrote:

Jeff Ramsey wrote:

I have read a few places on the net that claim this has been well covered, but I cannot seem to find a configuration that works. It either forwards all nonspam email on to my internal sendmail server, or it rejects the unknown user messages but then does not relay any email onto the internal email server. If I list my domains in local-host-names, it does not relay any more email for those domains, period. If I don't list the domains there, it does not check incoming mail for a valid email address. Can anyone point me in the right direction?

mailertable
domain.tld esmtp:[mailhub.otherdomain.tld]

Ken

I checked, and my mailertable is already populated just like you suggest. Here is a copy of my mailertable:

tubafor.com esmtp:[imap.tubafor.com]
imap.tubafor.com esmtp:[imap.tubafor.com]
smtpgw.tubafor.com esmtp:[imap.tubafor.com]
tmiforestproducts.com esmtp:[imap.tubafor.com]
tmiforestproducts.net esmtp:[imap.tubafor.com]
tmiforestproducts.org esmtp:[imap.tubafor.com]
tmiforestproducts.info esmtp:[imap.tubafor.com]
tmiforestproducts.biz esmtp:[imap.tubafor.com]
--- END /etc/mail/mailertable ---

So I must have something else not set correctly. Just to clarify, should I have my local-host-names populated as well as mailertable, or just mailertable? I'll check out all other sendmail files and see if I can come up with anything. Most Internet forums suggest to put each email address in the access file with a RELAY status. I hope this is not the only way to accomplish this task. I'd have about a thousand to enter.

Thanks for the help.
Jeff Ramsey MIS Administrator TMI Forest Products, Inc. jefframsey@tubafor.com 360.477.0738 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070723/936c8992/attachment-0001.html From uxbod at splatnix.net Mon Jul 23 08:14:36 2007 From: uxbod at splatnix.net (UxBoD) Date: Mon Jul 23 08:13:13 2007 Subject: Request for comments 3 In-Reply-To: <46A43873.2090004@alexb.ch> Message-ID: <28008069.331185174876903.JavaMail.root@office.splatnix.net> Alex, Yes my understanding, and what I would be in favour of, would be the choice between flat files or SQL. Regards. --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- 
From: "Alex Broens" To: "MailScanner discussion" Sent: Monday, July 23, 2007 6:11:15 AM (GMT) Europe/London Subject: Re: Request for comments 3 On 7/23/2007 2:02 AM, Yashodhan Barve wrote: > Richard Lynch wrote: >>> >>> >> Well I, for one, would be against such a change. I prefer text >> configuration files. They're simple to understand and simple to >> change. I personally don't see the need for a SQL database in this >> regard. Use relational databases when you need access to complex >> indexed data. This is a classic SWAP (a solution without a problem). >> It you want to put a user friendly GUI on top of it that's fine as long >> as the underlying structure is simple text. >> >> Richard >> > > I share Richards' view and would be against such a change. The text > files makes things like copying config files to another server, backing > up configuration easy. > > It is also easy to diff your configurations with text files. > imho, why fix something that is not broken? Wasn't this about ADDING SQL support to MailScanner and NOT replacing the conf files with a DB layer? Alex -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From martinh at solidstatelogic.com Mon Jul 23 09:17:52 2007 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Jul 23 09:18:24 2007 Subject: Fake MX records Message-ID: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com> Just seen this.. http://wiki.apache.org/spamassassin/OtherTricks (Fake MX Record) on the SA-users list. Looks very useful, anyone here using this technique? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From john at tradoc.fr Mon Jul 23 10:03:53 2007 
From: john at tradoc.fr (John Wilcock)
Date: Mon Jul 23 10:04:00 2007
Subject: Request for comments 3
In-Reply-To: <46A3741E.8060901@ecs.soton.ac.uk>
References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com> <46A35BB4.6020503@ecs.soton.ac.uk> <46A3741E.8060901@ecs.soton.ac.uk>
Message-ID: <46A46EF9.70707@tradoc.fr>

Julian Field wrote:
> How about this instead?
>
> SpamAssassin Rule Actions = rulename=>action, rulename=>action, ....
>
> the "rulename"s are the names of individual SpamAssassin rules, and the
> "action"s are list those in "Spam Actions". To specify multiple actions
> for a rule, you specify the rulename several times, with one action for
> each. Expressions with SpamAssassin rules are done with SpamAssassin
> meta-rules. If the rule hits, the action is taken.
>
> I'll write a few examples of meta-rules so you can see how to write them
> in spam.assassin.rules.conf or wherever they need to go. Mr Kettler, can
> you correct me on this please?
>
> Does this sound more useful than the previous suggestions?

Sounds good, yes.

Are the actions intended to *replace* the default non spam, spam or high scoring spam actions, or are they taken in *addition* to those actions?

IMO additional actions would be more flexible, but would need the ability to negate an action, i.e. take a particular action by default *unless* such-and-such rule hits.

Non Spam Actions = deliver
Spam Actions = deliver,store
High Scoring Spam Actions = store
SpamAssassin Rule Actions = MY_BADSPAM_RULE=>not-store, MY_SPECIAL_RULE=>forward theboss@domain

John.
-- -- Over 3000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages - www.tradoc.fr From jtm.koekkoek at home.nl Mon Jul 23 10:20:30 2007 From: jtm.koekkoek at home.nl (Jeroen Koekkoek) Date: Mon Jul 23 10:20:43 2007 Subject: Request for comments 3 In-Reply-To: <28008069.331185174876903.JavaMail.root@office.splatnix.net> References: <46A43873.2090004@alexb.ch> <28008069.331185174876903.JavaMail.root@office.splatnix.net> Message-ID: <000601c7cd0a$b7377320$25a65960$@koekkoek@home.nl> Hi All, I work for an ISP in the Netherlands and we use MailScanner to filter spam from ham. We currently use the LDAP backend to store rules. To let our customers make changes to their own rulesets, they would have to make changes to the default/global ruleset. This is a security issue since one user can make a change that could impact all users. In my spare time I came up with a solution, it's not yet implemented and I have to test the code I wrote. But basically it works like Postfix maps. Multiple maps can be specified, leaving the system default rules in txt files and allows our customer to make per user configuration settings. This feature makes it easy for administrators to come up with their own backends (MySQL, PostgreSQL, SQLite, LDAP, flat files, etc) and allows for different backends in one configuration. I would be more than happy to mail my code once I tested it. Regards. -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD Sent: Monday, July 23, 2007 9:15 AM To: MailScanner discussion Subject: Re: Request for comments 3 Alex, Yes my understanding, and what I would be in favour of, would be the choice between flat files or SQL. Regards. --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- 
From: "Alex Broens" To: "MailScanner discussion" Sent: Monday, July 23, 2007 6:11:15 AM (GMT) Europe/London Subject: Re: Request for comments 3 On 7/23/2007 2:02 AM, Yashodhan Barve wrote: > Richard Lynch wrote: >>> >>> >> Well I, for one, would be against such a change. I prefer text >> configuration files. They're simple to understand and simple to >> change. I personally don't see the need for a SQL database in this >> regard. Use relational databases when you need access to complex >> indexed data. This is a classic SWAP (a solution without a problem). >> It you want to put a user friendly GUI on top of it that's fine as long >> as the underlying structure is simple text. >> >> Richard >> > > I share Richards' view and would be against such a change. The text > files makes things like copying config files to another server, backing > up configuration easy. > > It is also easy to diff your configurations with text files. > imho, why fix something that is not broken? Wasn't this about ADDING SQL support to MailScanner and NOT replacing the conf files with a DB layer? Alex -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From list-mailscanner at linguaphone.com Mon Jul 23 10:48:39 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Mon Jul 23 10:48:48 2007 Subject: postfix rbl checks Message-ID: <1185184118.31112.7.camel@gblades-suse.linguaphone-intranet.co.uk> I have been checking the RBL stats using mailwatch and the NJABL one looks like it will reject about 50% of the spam we receive with no false positives. In my postfix configuration I had the line :- smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain, reject_unverified_recipient I changed this to :- smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain, reject_unverified_recipient, reject_rbl_client dnsbl.njabl.org However after restarting postfix it is not working. Spam is still being accepted and mailscanner is matching some against the NJABL RBL. Any ideas what is going wrong? Thanks Gareth From matt at coders.co.uk Mon Jul 23 11:06:03 2007 From: matt at coders.co.uk (Matt Hampton) Date: Mon Jul 23 11:03:36 2007 Subject: postfix rbl checks In-Reply-To: <1185184118.31112.7.camel@gblades-suse.linguaphone-intranet.co.uk> References: <1185184118.31112.7.camel@gblades-suse.linguaphone-intranet.co.uk> Message-ID: <46A47D8B.70605@coders.co.uk> Gareth wrote: > However after restarting postfix it is not working. Spam is still being > accepted and mailscanner is matching some against the NJABL RBL. Don't forget that SA looks at all the headers in message whereas doing it at the MTA only looks at the connecting IP. matt From list-mailscanner at linguaphone.com Mon Jul 23 11:12:01 2007 
From: list-mailscanner at linguaphone.com (Gareth) Date: Mon Jul 23 11:12:11 2007 Subject: postfix rbl checks In-Reply-To: <46A47D8B.70605@coders.co.uk> References: <1185184118.31112.7.camel@gblades-suse.linguaphone-intranet.co.uk> <46A47D8B.70605@coders.co.uk> Message-ID: <1185185521.31112.10.camel@gblades-suse.linguaphone-intranet.co.uk> On Mon, 2007-07-23 at 11:06, Matt Hampton wrote: > Gareth wrote: > > > However after restarting postfix it is not working. Spam is still being > > accepted and mailscanner is matching some against the NJABL RBL. > > Don't forget that SA looks at all the headers in message whereas doing > it at the MTA only looks at the connecting IP. Yes I tried telnetting to the server from my home machine and sending a mail and it was accepted and later mailscanner's RBL check matched. From jaearick at colby.edu Mon Jul 23 13:24:59 2007 From: jaearick at colby.edu (Jeff A. Earickson) Date: Mon Jul 23 13:25:12 2007 Subject: Fake MX records In-Reply-To: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com> References: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com> Message-ID: Martin, Yes, I've been using a fake high MX for a long time, with smtptrapd, see: http://smtptrapd.inodes.org It diverts a lotta crap away from my mail server. Never thought about putting my real MX in the middle though. Jeff Earickson Colby College On Mon, 23 Jul 2007, Martin.Hepworth wrote: > Date: Mon, 23 Jul 2007 09:17:52 +0100 
> From: Martin.Hepworth > Reply-To: MailScanner discussion > To: MailScanner discussion > Subject: Fake MX records > > Just seen this.. > > http://wiki.apache.org/spamassassin/OtherTricks (Fake MX Record) > > on the SA-users list. > > Looks very useful, anyone here using this technique? > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show them > to anyone. Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We advise > that you consider this fact when e-mailing us. > Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. > > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales > (Company No:5362730) > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > United Kingdom > ********************************************************************** From dgottsc at emory.edu Mon Jul 23 13:50:04 2007 
From: dgottsc at emory.edu (Gottschalk, David) Date: Mon Jul 23 13:50:25 2007 Subject: Password protect In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3D3E@RDPEXCH2.Eu.Emory.Edu> References: <223f97700707200721g710f6846ga8807d99caea5f7d@mail.gmail.com> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3D3E@RDPEXCH2.Eu.Emory.Edu> Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C379@RDPEXCH2.Eu.Emory.Edu> Can anyone give me an answer on this? Thanks. David Gottschalk -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gottschalk, David Sent: Friday, July 20, 2007 12:12 PM To: MailScanner discussion Subject: RE: Password protect Anyone know if it's possible to send a bounce back to the sender if a password protected archive is quarantined? The "Notify Senders Of Blocked Filenames Or Filetypes" and "Notify Senders Of Other Blocked Content" don't seem to do anything with regards to encrypted archives. Thanks. David Gottschalk From dave.list at pixelhammer.com Mon Jul 23 14:26:12 2007 
From: dave.list at pixelhammer.com (DAve) Date: Mon Jul 23 14:27:34 2007 Subject: MS Wiki and split recipients Message-ID: <46A4AC74.5020706@pixelhammer.com> Good morning everyone, I am working on a new MS install for testing. Testing MS, SA, and Clam as well as looking at VMWare for a test environment. Currently I have everything up and working sort of, my queue splitting is not working yet but I am chasing it down. My question is this, I went back to the Wiki to double check my set up for splitting messages into single recipients, looking here, http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient and I noticed an addendum. I don't think the addendum will work as stated. I believe following the addendum instructions will cause Sendmail to accept only messages with a single recipient. Can someone confirm that, or clue bat me, as the case may be. Thanks, DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From mike at tc3net.com Mon Jul 23 14:42:58 2007 
From: mike at tc3net.com (Michael Baird) Date: Mon Jul 23 14:38:17 2007 Subject: MS Wiki and split recipients In-Reply-To: <46A4AC74.5020706@pixelhammer.com> References: <46A4AC74.5020706@pixelhammer.com> Message-ID: <46A4B062.9020702@tc3net.com> That is correct, I noticed that as well. Regards Michael Baird > Good morning everyone, > > I am working on a new MS install for testing. Testing MS, SA, and Clam > as well as looking at VMWare for a test environment. > > Currently I have everything up and working sort of, my queue splitting > is not working yet but I am chasing it down. My question is this, I went > back to the Wiki to double check my set up for splitting messages into > single recipients, looking here, > > http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient > > > and I noticed an addendum. I don't think the addendum will work as > stated. I believe following the addendum instructions will cause > Sendmail to accept only messages with a single recipient. > > Can someone confirm that, or clue bat me, as the case may be. > > Thanks, > > DAve From matt at coders.co.uk Mon Jul 23 14:46:08 2007 
From: matt at coders.co.uk (Matt Hampton) Date: Mon Jul 23 14:44:06 2007 Subject: MS Wiki and split recipients In-Reply-To: <46A4AC74.5020706@pixelhammer.com> References: <46A4AC74.5020706@pixelhammer.com> Message-ID: <46A4B120.6070307@coders.co.uk> DAve wrote: > and I noticed an addendum. I don't think the addendum will work as > stated. I believe following the addendum instructions will cause > Sendmail to accept only messages with a single recipient. > > Can someone confirm that, or clue bat me, as the case may be. > I think you are right (I re-wrote the original page and hadn't noticed the addendum). What it will cause is sendmail will accept the first recipient and then temp fail the rest. This would cause the message to require X attempts to deliver the message (where X is the number of recipients). matt From Richard.Frovarp at sendit.nodak.edu Mon Jul 23 15:03:35 2007 
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Mon Jul 23 15:03:39 2007 Subject: Fake MX records In-Reply-To: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com> References: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com> Message-ID: <46A4B537.5060807@sendit.nodak.edu> Martin.Hepworth wrote: > Just seen this.. > > http://wiki.apache.org/spamassassin/OtherTricks (Fake MX Record) > > on the SA-users list. > > Looks very useful, anyone here using this technique? > We run a firewalled lowest MX. This machine only receives mail from the state gov't, k12, and higher ed networks in the state. I have seen at least one problem with this setup and have had to add an additional IP to let a poorly designed external system talk to this machine. This system only tries the lowest IP, then fails after 2 hours. Systems like this might have an issue with a fake lowest as well. I don't know how useful it is in stopping spam. We haven't seen a drop in number reaching our 3 standard machines. However, it does allow mail from our users to pass through very quickly, as spam attacks don't affect this machine. We're issuing a tcp-reset so the impact on systems communicating with us is minimal, as they don't have to wait for a timeout. Richard From mkettler at evi-inc.com Mon Jul 23 15:03:33 2007 
From: mkettler at evi-inc.com (Matt Kettler) Date: Mon Jul 23 15:04:46 2007 Subject: Request for comments In-Reply-To: <46A35BB4.6020503@ecs.soton.ac.uk> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com> <46A35BB4.6020503@ecs.soton.ac.uk> Message-ID: <46A4B535.6000500@evi-inc.com> Julian Field wrote: > > > Matt Kettler wrote: >> Julian Field wrote: > >>> That would be easy to add. Would many people use it? >>> It would just be an "Adjust SpamAssassin Score" configuration option. >>> >> I don't think that would be useful Julian. If they wanted to adjust the SA >> score, that's easy to do in SA. It's also not what Steven was suggesting, at >> least as far as I can tell. > > I agree with you here. Wow, me and Jules agree on something.. Something is clearly amiss :) Adding an SA rule to tweak the score based on > simple things like the sender address is pretty easy to do. If you don't > know how to do it, then read 'man Mail::SpamAssassin::Conf' will tell > you most of what you need to do, and a quick look for an envelope rule > in /usr/share/spamassassin will give you plenty of examples. Even better, there's a really detailed guide at: http://wiki.apache.org/spamassassin/WritingRules (Disclaimer: I wrote a lot of the base text for this document, but it has been updated and expanded upon by others.) > I don't want to waste time and resources on things that SA already does > perfectly well. Agreed. From dave.list at pixelhammer.com Mon Jul 23 15:03:44 2007 
From: dave.list at pixelhammer.com (DAve) Date: Mon Jul 23 15:05:07 2007 Subject: MS Wiki and split recipients In-Reply-To: <46A4B120.6070307@coders.co.uk> References: <46A4AC74.5020706@pixelhammer.com> <46A4B120.6070307@coders.co.uk> Message-ID: <46A4B540.8080406@pixelhammer.com> Matt Hampton wrote: > DAve wrote: > >> and I noticed an addendum. I don't think the addendum will work as >> stated. I believe following the addendum instructions will cause >> Sendmail to accept only messages with a single recipient. >> >> Can someone confirm that, or clue bat me, as the case may be. >> > > I think you are right (I re-wrote the original page and hadn't noticed > the addendum). > > What it will cause is sendmail will accept the first recipient and then > temp fail the rest. This would cause the message to require X attempts > to deliver the message (where X is the number of recipients). > > matt Do we know who added that? Can it be removed or correctly annotated? It would cause every message MailScanner sees to be single recipient, but at a high cost. My listmail software would be unhappy sending to some of our client's internal mail lists with 100+ subscribers. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From daniel.maher at ubisoft.com Mon Jul 23 16:10:08 2007 
From: daniel.maher at ubisoft.com (Daniel Maher) Date: Mon Jul 23 16:10:15 2007 Subject: mailscanner occasionally denying certain blackberry emails In-Reply-To: <223f97700707200949x64c07c77ta326e1526bd1c16d@mail.gmail.com> Message-ID: <1E293D3FF63A3740B10AD5AAD88535D205847E6C@UBIMAIL1.ubisoft.org> > > I have a situation where MailScanner will occasionally block attachments > in > > emails generated by the Blackberry service. Normally the attachments > are > > not blocked, but every once in a while, it gets replaced with the > "Warning: > > This message has had one or more attachments removed..." message. The > name of > > the attachment, in every instance, is "ETP.DAT", which shouldn't trigger > > filename rules (and, indeed, normally doesn't). > > > Look closely at what it really say and you'll find that the binary > file ETP.DAT (that is also attached as an ascii armored thing ... > stupid, is what it all is... will sometimes "aggravate" your file > command, specifically MS-DOS Executable "magic" patterns of one (1) > byte. Simply remove these from your magic file (edit the text variant, > use the file command to "recompile" it), and you'll be fine. > > Cheers Thanks for the reply. Unfortunately, I'm not entirely sure I should be removing the magic data you're referring to. 
To wit:

[user@mailserver file]# grep MS-DOS magic
# the first file (0x01 through 0x09), and bytes 3 to 15 are the MS-DOS
>7 byte 0 os: MS-DOS
>35 byte 0 os: MS-DOS
>16 byte =0x00 \b, from MS-DOS
# Date in MS-DOS format (whatever that is)
>9 byte =0x00 \b, from MS-DOS
>>14 byte =0x00 os: MS-DOS
>>17 byte =0x00 os: MS-DOS
>0x8C string Invalid\ partition\ table \b, MS-DOS MBR
>0x10F string Ung\201ltige\ Partitionstabelle \b, MS-DOS MBR, german version 4.10.1998, 4.10.2222
>0x8B string Ung\201ltige\ Partitionstabelle \b, MS-DOS MBR, german version 5.00 to 4.00.950
# Valid media descriptor bytes for MS-DOS:
#>69 string dosa (Macintosh MS-DOS file system)
# msdos: file(1) magic for MS-DOS files
0 string/c @echo\ off MS-DOS batch file text
# So, for now, we assume the standard MS-DOS stub, which puts the
0 string MZ MS-DOS executable (EXE)
#0 byte 0xe9 MS-DOS executable (COM)
#0 byte 0x8c MS-DOS executable (COM)
#0 byte 0xeb MS-DOS executable (COM)
#0 byte 0xb8 MS-DOS executable (COM)
0 string LZ MS-DOS executable (built-in)
#0 byte 0xf0 MS-DOS program library data

If I comment out the (three) active 1-byte MS-DOS lines, won't file lose its ability to detect MS-DOS executables altogether? This is not a desired behaviour. :/

Would it not be possible to write some sort of MailScanner rule that would exempt files named "ETP.DAT", and coming from the Blackberry service, from being analysed with file?

Thanks again for your input.

--
 _
°v°   Daniel Maher
/(_)\  Administrateur Système Unix
 ^ ^   Unix System Administrator

"The most incomprehensible thing about the world is that it is comprehensible." -- Albert Einstein.
From mailscanner at barendse.to Mon Jul 23 16:11:15 2007 
From: mailscanner at barendse.to (Remco Barendse) Date: Mon Jul 23 16:11:27 2007 Subject: lstat() failed. ERROR ? Message-ID: Hi list! I am seeing this error in my logs, and mail is not being delivered. Jul 23 17:06:49 host MailScanner[24547]: /var/spool/MailScanner/incoming/24547/.: lstat() failed. ERROR Anyone ideas what this could mean? Restarting MailScanner didn't help. Thanks!! Remco From MailScanner at ecs.soton.ac.uk Mon Jul 23 16:24:40 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 23 16:25:48 2007 Subject: Request for comments 3 In-Reply-To: <46A46EF9.70707@tradoc.fr> References: <469FA26B.6050905@ecs.soton.ac.uk> <1964AAFBC212F742958F9275BF63DBB04B0F30@winchester.andrewscompanies.com> <469FC4DA.6030706@alexb.ch><469FC668.3040802@evi-inc.com> <46A063AF.1080009@tradoc.fr> <1964AAFBC212F742958F9275BF63DBB04B0F35@winchester.andrewscompanies.com> <46A0B523.20401@ecs.soton.ac.uk> <46A0C747.7000103@evi-inc.com> <46A35BB4.6020503@ecs.soton.ac.uk> <46A3741E.8060901@ecs.soton.ac.uk> <46A46EF9.70707@tradoc.fr> Message-ID: <46A4C838.9070307@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 John Wilcock wrote: > Julian Field wrote: >> How about this instead? >> >> SpamAssassin Rule Actions = rulename=>action, rulename=>action, .... >> >> the "rulename"s are the names of individual SpamAssassin rules, and >> the "action"s are list those in "Spam Actions". To specify multiple >> actions for a rule, you specify the rulename several times, with one >> action for each. Expressions with SpamAssassin rules are done with >> SpamAssassin meta-rules. If the rule hits, the action is taken. >> >> I'll write a few examples of meta-rules so you can see how to write >> them in spam.assassin.rules.conf or wherever they need to go. Mr >> Kettler, can you correct me on this please? >> >> Does this sound more useful than the previous suggestions? > > Sounds good, yes. > > Are the actions intended to *replace* the default non spam, spam or > high scoring spam actions, or are they taken in *addition* to those > actions? In addition. > > IMO additional actions would be more flexible, but would need the > ability to negate an action, i.e. take a particular action by default > *unless* such-and-such rule hits. Hmmm..... That makes life a bit more complicated. If I evaluated them after the existing rules then I should be able to do that. Good point though. 
> > Non Spam Actions = deliver > Spam Actions = deliver,store > High Scoring Spam Actions = store > > SpamAssassin Rule Actions = > MY_BADSPAM_RULE=>not-store, > MY_SPECIAL_RULE=>forward theboss@domain > > John. > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGpMg5EfZZRxQVtlQRAl37AJ4v/J/ynKm+52FxgIqJAVY8xSNhsQCdEpca uTUryheTXXmNAwgGDHsZ4i4= =EPm4 -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Mon Jul 23 16:30:31 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 23 16:31:02 2007 Subject: lstat() failed. ERROR ? In-Reply-To: References: Message-ID: <46A4C997.7080608@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Check nothing silly has happened, like you haven't run out of disk space or inodes in that partition.
df -h
df -i <=== this reports inode usage
Remco Barendse wrote: > Hi list! > > I am seeing this error in my logs, and mail is not being delivered. > > Jul 23 17:06:49 host MailScanner[24547]: > /var/spool/MailScanner/incoming/24547/.: lstat() failed. ERROR > > Anyone ideas what this could mean? Restarting MailScanner didn't help. > > Thanks!! > Remco > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGpMmYEfZZRxQVtlQRAr/vAJ4s8JM34dHTfiX0p5OpF/tCe88GdgCgyI59 2F32walfMha3e0e+xuzXSYU= =k1Tj -----END PGP SIGNATURE----- From ssilva at sgvwater.com Mon Jul 23 16:32:27 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jul 23 16:32:40 2007 Subject: FYI: PDFInfo and "Max SpamAssassin Size=40k" In-Reply-To: <14806363.181185134652109.JavaMail.root@office.splatnix.net> References: <14806363.181185134652109.JavaMail.root@office.splatnix.net> Message-ID: UxBoD spake the following on 7/22/2007 1:04 PM: > Hope you're feeling better :) Thank you! ;-) It sure was a waste of a good weekend, though! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From dimstef at materials.uoc.gr Mon Jul 23 16:35:27 2007 
From: dimstef at materials.uoc.gr (Dimitris Stefanakis) Date: Mon Jul 23 16:34:54 2007 Subject: SpamAssassin stucked suddenly - Please help In-Reply-To: References: Message-ID: <46A4CABF.5080603@materials.uoc.gr>
Suddenly SpamAssassin got stuck and gave me the following logs:

...... MailScanner[24823]: Spam Checks: Starting
...... MailScanner[24796]: SpamAssassin cache hit for message l6NBnvC8016299
...... MailScanner[24779]: SpamAssassin cache hit for message l6NBaCZh016011
...... MailScanner[24752]: SpamAssassin cache hit for message l6NBZvNn015869
...... MailScanner[24823]: SpamAssassin cache hit for message l6NC5TOm016520
...... MailScanner[24796]: SpamAssassin cache hit for message l6NBnVa0016283
...... MailScanner[24823]: SpamAssassin cache hit for message l6NC5UBU016521

and, after that the following:

...... MailScanner[3548]: SpamAssassin timed out and was killed, failure 2 of 40
...... MailScanner[3499]: SpamAssassin timed out and was killed, failure 2 of 40
...... MailScanner[3621]: SpamAssassin timed out and was killed, failure 2 of 40
...... MailScanner[4795]: SpamAssassin timed out and was killed, failure 2 of 40
...... MailScanner[4293]: SpamAssassin timed out and was killed, failure 2 of 40
...... MailScanner[4641]: SpamAssassin timed out and was killed, failure 2 of 40
...... MailScanner[3548]: SpamAssassin timed out and was killed, failure 3 of 40

What I have is:
Linux: RHEL-4 AS
MailScanner 4.61.7
clamav 0.91.1
SpamAssassin 3.2.1

PLEASE HELP!!!

Dimitris Stefanakis
From uxbod at splatnix.net Mon Jul 23 16:38:38 2007
From: uxbod at splatnix.net (UxBoD) Date: Mon Jul 23 16:37:10 2007 Subject: Request for comments 3 In-Reply-To: <46A4C838.9070307@ecs.soton.ac.uk> Message-ID: <27126217.1141185205118233.JavaMail.root@office.splatnix.net> Would this new functionality extend to MCP as well Jules ? ----- Original Message ----- 
From: "Julian Field" To: "MailScanner discussion" Sent: Monday, July 23, 2007 4:24:40 PM (GMT) Europe/London Subject: Re: Request for comments 3 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 John Wilcock wrote: > Julian Field wrote: >> How about this instead? >> >> SpamAssassin Rule Actions = rulename=>action, rulename=>action, .... >> >> the "rulename"s are the names of individual SpamAssassin rules, and >> the "action"s are list those in "Spam Actions". To specify multiple >> actions for a rule, you specify the rulename several times, with one >> action for each. Expressions with SpamAssassin rules are done with >> SpamAssassin meta-rules. If the rule hits, the action is taken. >> >> I'll write a few examples of meta-rules so you can see how to write >> them in spam.assassin.rules.conf or wherever they need to go. Mr >> Kettler, can you correct me on this please? >> >> Does this sound more useful than the previous suggestions? > > Sounds good, yes. > > Are the actions intended to *replace* the default non spam, spam or > high scoring spam actions, or are they taken in *addition* to those > actions? In addition. > > IMO additional actions would be more flexible, but would need the > ability to negate an action, i.e. take a particular action by default > *unless* such-and-such rule hits. Hmmm..... That makes life a bit more complicated. If I evaluated them after the existing rules then I should be able to do that. Good point though. > > Non Spam Actions = deliver > Spam Actions = deliver,store > High Scoring Spam Actions = store > > SpamAssassin Rule Actions = > MY_BADSPAM_RULE=>not-store, > MY_SPECIAL_RULE=>forward theboss@domain > > John. > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGpMg5EfZZRxQVtlQRAl37AJ4v/J/ynKm+52FxgIqJAVY8xSNhsQCdEpca uTUryheTXXmNAwgGDHsZ4i4= =EPm4 -----END PGP SIGNATURE----- From glenn.steen at gmail.com Mon Jul 23 16:37:10 2007 
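The rule-action proposal discussed in the messages above (per-rule actions applied in addition to the score-based defaults, with the suggested "not-" prefix evaluated after them), as an added example that is not part of the thread and is not MailScanner code. The function names, the comma-separated parsing and the meaning given to an empty result are assumptions.

```python
"""Sketch of the proposed "SpamAssassin Rule Actions" option.

Not MailScanner code: the option was only a proposal in this thread, so the
parsing rules and function names below are assumptions made for illustration.
"""

# Settings as quoted in the thread (John Wilcock's example).
DEFAULT_ACTIONS = {
    "nonspam": "deliver",
    "spam": "deliver,store",
    "highspam": "store",
}
RULE_ACTIONS = (
    "MY_BADSPAM_RULE=>not-store, "
    "MY_SPECIAL_RULE=>forward theboss@domain"
)


def parse_rule_actions(value):
    """Split 'rule=>action, rule=>action' into ordered (rule, action) pairs.

    A rule may appear several times, once per action, as the proposal states.
    Malformed entries raise ValueError so that a typo cannot silently drop
    an action from the policy.
    """
    pairs = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        rule, sep, action = entry.partition("=>")
        rule = rule.strip()
        action = " ".join(action.split())  # normalise inner whitespace
        if not sep or not rule or not action:
            raise ValueError("bad rule action entry: %r" % entry)
        pairs.append((rule, action))
    return pairs


def resolve_actions(level, rules_hit,
                    defaults=DEFAULT_ACTIONS, rule_actions=RULE_ACTIONS):
    """Return the final ordered list of actions for one message.

    The defaults for the message's level are applied first. Rule actions are
    evaluated afterwards, in configuration order, so a 'not-' action can
    cancel a default as well as an earlier rule action. An empty list means
    the message is neither delivered nor stored.
    """
    actions = [a.strip() for a in defaults[level].split(",") if a.strip()]
    hit = set(rules_hit)
    for rule, action in parse_rule_actions(rule_actions):
        if rule not in hit:
            continue
        if action.startswith("not-"):
            target = action[len("not-"):]
            actions = [a for a in actions if a != target]
        elif action not in actions:
            actions.append(action)
    return actions


if __name__ == "__main__":
    # Constructed sample messages: (level, SpamAssassin rules that hit).
    samples = [
        ("spam", []),
        ("spam", ["MY_BADSPAM_RULE"]),
        ("highspam", ["MY_BADSPAM_RULE"]),
        ("nonspam", ["MY_SPECIAL_RULE"]),
    ]
    for level, hits in samples:
        print(level, hits, "->", resolve_actions(level, hits))
```

Because the rule actions are evaluated in order after the defaults, `R=>store, R=>not-store` and `R=>not-store, R=>store` give different results, which is worth checking when a policy is meant to suppress quarantine storage.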
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jul 23 16:37:13 2007 Subject: mailscanner occasionally denying certain blackberry emails In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D205847E6C@UBIMAIL1.ubisoft.org> References: <223f97700707200949x64c07c77ta326e1526bd1c16d@mail.gmail.com> <1E293D3FF63A3740B10AD5AAD88535D205847E6C@UBIMAIL1.ubisoft.org> Message-ID: <223f97700707230837k2659d07cmeed22f04d787b9de@mail.gmail.com> On 23/07/07, Daniel Maher wrote: > > > > I have a situation where MailScanner will occasionally block attachments > > in > > > emails generated by the Blackberry service. Normally the attachments > > are > > > not blocked, but every once in a while, it gets replaced with the > > "Warning: > > > This message has had one or more attachments removed..." message. The > > name of > > > the attachment, in every instance, is "ETP.DAT", which shouldn't trigger > > > filename rules (and, indeed, normally doesn't). > > > > > Look closely at what it really say and you'll find that the binary > > file ETP.DAT (that is also attached as an ascii armored thing ... > > stupid, is what it all is... will sometimes "aggravate" your file > > command, specifically MS-DOS Executable "magic" patterns of one (1) > > byte. Simply remove these from your magic file (edit the text variant, > > use the file command to "recompile" it), and you'll be fine. > > > > Cheers > > Thanks for the reply. Unfortunately, I'm not entirely sure I should be removing the magic data you're referring to. To wit: > > [user@mailserver file]# grep MS-DOS magic (snip) > #0 byte 0xe9 MS-DOS executable (COM) > #0 byte 0x8c MS-DOS executable (COM) > #0 byte 0xeb MS-DOS executable (COM) > #0 byte 0xb8 MS-DOS executable (COM) > 0 string LZ MS-DOS executable (built-in) > #0 byte 0xf0 MS-DOS program library data > > If I comment out the (three) active 1-byte MS-DOS lines, won't file lose its ability to detect MS-DOS executables altogether? This is not a desired behaviour. 
:/ > The "bad magic" I was getting at were the above ones (quite a bit to ... opportunistic:-)... And indeed, in a newer version of file (that I happen to have on my latest install), they aren't even there (so one needn't remove them/comment them, as you obviously already have done:-). If you run file on one of the offenders (the actual, quarantined, file ETP.DAT), what does it say about it? > Would it not be possible to write some sort of MailScanner rule that would exempt files named "ETP.DAT", and coming from the Blackberry service, from being analysed with file? > Oh yes, you could have a ruleset for *.blackberry.net on Filetype Rules .... the result would be a file that more or less said "allow" to everything:-). Best would be to do this "whitelist" on IP addresses, but... so far, I haven't been able to get a limited possible set of addresses/address ranges out of the BB people:-(. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From martinh at solidstatelogic.com Mon Jul 23 16:39:20 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Jul 23 16:39:19 2007 Subject: SpamAssassin stucked suddenly - Please help In-Reply-To: <46A4CABF.5080603@materials.uoc.gr> Message-ID: <61044509d201744ba9b19d9ddf0c1d9a@solidstatelogic.com> Sounds like DNS issues..... What does "spamassassin --lint" give you? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Dimitris Stefanakis
> Sent: 23 July 2007 16:35
> To: MailScanner discussion
> Subject: SpamAssassin stucked suddenly - Please help
>
> Suddenly SpamAssassin got stuck and gave me the following logs:
>
> ...... MailScanner[24823]: Spam Checks: Starting
> ...... MailScanner[24796]: SpamAssassin cache hit for message
> l6NBnvC8016299
> ...... MailScanner[24779]: SpamAssassin cache hit for message
> l6NBaCZh016011
> ...... MailScanner[24752]: SpamAssassin cache hit for message
> l6NBZvNn015869
> ...... MailScanner[24823]: SpamAssassin cache hit for message
> l6NC5TOm016520
> ...... MailScanner[24796]: SpamAssassin cache hit for message
> l6NBnVa0016283
> ...... MailScanner[24823]: SpamAssassin cache hit for message
> l6NC5UBU016521
>
> and, after that the following:
>
> ...... MailScanner[3548]: SpamAssassin timed out and was killed, failure
> 2 of 40
> ...... MailScanner[3499]: SpamAssassin timed out and was killed, failure
> 2 of 40
> ...... MailScanner[3621]: SpamAssassin timed out and was killed, failure
> 2 of 40
> ...... MailScanner[4795]: SpamAssassin timed out and was killed, failure
> 2 of 40
> ...... MailScanner[4293]: SpamAssassin timed out and was killed, failure
> 2 of 40
> ...... MailScanner[4641]: SpamAssassin timed out and was killed, failure
> 2 of 40
> ...... MailScanner[3548]: SpamAssassin timed out and was killed, failure
> 3 of 40
>
> What I have is:
> Linux: RHEL-4 AS
> MailScanner 4.61.7
> clamav 0.91.1
> SpamAssassin 3.2.1
>
> PLEASE HELP!!!
>
> Dimitris Stefanakis
********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From ssilva at sgvwater.com Mon Jul 23 16:39:07 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jul 23 16:39:21 2007 Subject: Password protect In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C379@RDPEXCH2.Eu.Emory.Edu> References: <223f97700707200721g710f6846ga8807d99caea5f7d@mail.gmail.com> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3D3E@RDPEXCH2.Eu.Emory.Edu> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C379@RDPEXCH2.Eu.Emory.Edu> Message-ID: >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Gottschalk, David >> Sent: Friday, July 20, 2007 12:12 PM >> To: MailScanner discussion >> Subject: RE: Password protect >> >> Anyone know if its possible to send a bounce back to the sender if a password protected archive is quarantined? >> >> The "Notify Senders Of Blocked Filenames Or Filetypes" and "Notify Senders Of Other Blocked Content" don't seem to do anything with regards to encrypted archives. >> >> Thanks. >> >> David Gottschalk >> > Can anyone give me a answer on this? > > Thanks. > > > David Gottschalk > Although I can't give you a specific answer, I think it would depend on if your file is caught by a mailscanner rule or by your virus scanner. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From dimstef at materials.uoc.gr Mon Jul 23 16:40:41 2007 
From: dimstef at materials.uoc.gr (Dimitris Stefanakis) Date: Mon Jul 23 16:40:09 2007 Subject: SpamAssassin stucked suddenly - Please help In-Reply-To: References: <14806363.181185134652109.JavaMail.root@office.splatnix.net> Message-ID: <46A4CBF9.5060507@materials.uoc.gr> Suddenly SpamAssassin stucked and gave me the following logs: ...... MailScanner[24823]: Spam Checks: Starting ...... MailScanner[24796]: SpamAssassin cache hit for message l6NBnvC8016299 ...... MailScanner[24779]: SpamAssassin cache hit for message l6NBaCZh016011 ...... MailScanner[24752]: SpamAssassin cache hit for message l6NBZvNn015869 ...... MailScanner[24823]: SpamAssassin cache hit for message l6NC5TOm016520 ...... MailScanner[24796]: SpamAssassin cache hit for message l6NBnVa0016283 ...... MailScanner[24823]: SpamAssassin cache hit for message l6NC5UBU016521 and, after that the following: ...... MailScanner[3548]: SpamAssassin timed out and was killed, failure 2 of 40 ...... MailScanner[3499]: SpamAssassin timed out and was killed, failure 2 of 40 ...... MailScanner[3621]: SpamAssassin timed out and was killed, failure 2 of 40 ...... MailScanner[4795]: SpamAssassin timed out and was killed, failure 2 of 40 ...... MailScanner[4293]: SpamAssassin timed out and was killed, failure 2 of 40 ...... MailScanner[4641]: SpamAssassin timed out and was killed, failure 2 of 40 ...... MailScanner[3548]: SpamAssassin timed out and was killed, failure 3 of 40 What I have is: Linux: RHEL-4 AS MailScanner 4.61.7 clamav 0.91.1 SpamAssassin 3.2.1 PLEASE HELP!!! Dimitris Stefanakis From glenn.steen at gmail.com Mon Jul 23 16:48:10 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jul 23 16:48:12 2007 Subject: SpamAssassin stucked suddenly - Please help In-Reply-To: <61044509d201744ba9b19d9ddf0c1d9a@solidstatelogic.com> References: <46A4CABF.5080603@materials.uoc.gr> <61044509d201744ba9b19d9ddf0c1d9a@solidstatelogic.com> Message-ID: <223f97700707230848p2f7601der67e6bc12ba99355e@mail.gmail.com> On 23/07/07, Martin.Hepworth wrote: > Sounds like DNS issues..... > > What does "spamassassin --lint" give you? > Could perhaps be bayes expiry problems too(?)... In which case there would be a lot of *expire* files in the bayes directory, I guess. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Mon Jul 23 16:49:26 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 23 16:49:58 2007 Subject: Request for comments 3 In-Reply-To: <27126217.1141185205118233.JavaMail.root@office.splatnix.net> References: <27126217.1141185205118233.JavaMail.root@office.splatnix.net> Message-ID: <46A4CE06.2000900@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Eventually yes. I want to get the design and code all working and settled for spam first though. UxBoD wrote: > Would this new functionality extend to MCP aswell Jules ? > ----- Original Message ----- 
> From: "Julian Field" > To: "MailScanner discussion" > Sent: Monday, July 23, 2007 4:24:40 PM (GMT) Europe/London > Subject: Re: Request for comments 3 > > > * PGP Signed by an unmatched address: 07/23/07 at 16:24:41 > > > > John Wilcock wrote: > >> Julian Field wrote: >> >>> How about this instead? >>> >>> SpamAssassin Rule Actions = rulename=>action, rulename=>action, .... >>> >>> the "rulename"s are the names of individual SpamAssassin rules, and >>> the "action"s are list those in "Spam Actions". To specify multiple >>> actions for a rule, you specify the rulename several times, with one >>> action for each. Expressions with SpamAssassin rules are done with >>> SpamAssassin meta-rules. If the rule hits, the action is taken. >>> >>> I'll write a few examples of meta-rules so you can see how to write >>> them in spam.assassin.rules.conf or wherever they need to go. Mr >>> Kettler, can you correct me on this please? >>> >>> Does this sound more useful than the previous suggestions? >>> >> Sounds good, yes. >> >> Are the actions intended to *replace* the default non spam, spam or >> high scoring spam actions, or are they taken in *addition* to those >> actions? >> > In addition. > >> IMO additional actions would be more flexible, but would need the >> ability to negate an action, i.e. take a particular action by default >> *unless* such-and-such rule hits. >> > Hmmm..... That makes life a bit more complicated. If I evaluated them > after the existing rules then I should be able to do that. Good point > though. > > >> Non Spam Actions = deliver >> Spam Actions = deliver,store >> High Scoring Spam Actions = store >> >> SpamAssassin Rule Actions = >> MY_BADSPAM_RULE=>not-store, >> MY_SPECIAL_RULE=>forward theboss@domain >> >> John. >> >> > > Jules > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: UTF-8 wj8DBQFGpM4HEfZZRxQVtlQRAtS6AKDUpySRq4q0UjPCSSBVXfvKShDp5QCg0FUG SXu6PoIfnvVbMfwT5D0UmnI= =cxkm -----END PGP SIGNATURE-----
From ssilva at sgvwater.com Mon Jul 23 16:50:37 2007
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jul 23 16:50:48 2007 Subject: MS Wiki and split recipients In-Reply-To: <46A4B540.8080406@pixelhammer.com> References: <46A4AC74.5020706@pixelhammer.com> <46A4B120.6070307@coders.co.uk> <46A4B540.8080406@pixelhammer.com> Message-ID: DAve spake the following on 7/23/2007 7:03 AM: > Matt Hampton wrote: >> DAve wrote: >> >>> and I noticed an addendum. I don't think the addendum will work as >>> stated. I believe following the addendum instructions will cause >>> Sendmail to accept only messages with a single recipient. >>> >>> Can someone confirm that, or clue bat me, as the case may be. >>> >> >> I think you are right (I re-wrote the original page and hadn't noticed >> the addendum). >> >> What it will cause is sendmail will accept the first recipient and then >> temp fail the rest. This would cause the message to require X attempts >> to deliver the message (where X is the number of recipients). >> >> matt > > Do we know who added that? Can it be removed or correctly annotated? It > would cause every message MailScanner sees to be single recipient, but > at a high cost. My listmail software would be unhappy sending to some of > our client's internal mail lists with 100+ subscribers. > > DAve > If you are logged in you can see who made each change with the old revisions button, and even revert to an older page. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From dgottsc at emory.edu Mon Jul 23 16:52:44 2007 
From: dgottsc at emory.edu (Gottschalk, David) Date: Mon Jul 23 16:52:53 2007 Subject: Password protect In-Reply-To: References: <223f97700707200721g710f6846ga8807d99caea5f7d@mail.gmail.com> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3D3E@RDPEXCH2.Eu.Emory.Edu> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C379@RDPEXCH2.Eu.Emory.Edu> Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C4B7@RDPEXCH2.Eu.Emory.Edu> Well, I know MailScanner is catching it in this case, because the option is specifically set in MailScanner. David Gottschalk -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva Sent: Monday, July 23, 2007 11:39 AM To: mailscanner@lists.mailscanner.info Subject: Re: Password protect >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >> Gottschalk, David >> Sent: Friday, July 20, 2007 12:12 PM >> To: MailScanner discussion >> Subject: RE: Password protect >> >> Anyone know if its possible to send a bounce back to the sender if a password protected archive is quarantined? >> >> The "Notify Senders Of Blocked Filenames Or Filetypes" and "Notify Senders Of Other Blocked Content" don't seem to do anything with regards to encrypted archives. >> >> Thanks. >> >> David Gottschalk >> > Can anyone give me a answer on this? > > Thanks. > > > David Gottschalk > Although I can't give you a specific answer, I think it would depend on if your file is caught by a mailscanner rule or by your virus scanner. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From dimstef at materials.uoc.gr Mon Jul 23 16:59:40 2007 From: dimstef at materials.uoc.gr (Dimitris Stefanakis) Date: Mon Jul 23 16:59:08 2007 Subject: SpamAssassin stucked suddenly - Please help In-Reply-To: <61044509d201744ba9b19d9ddf0c1d9a@solidstatelogic.com> References: <61044509d201744ba9b19d9ddf0c1d9a@solidstatelogic.com> Message-ID: <46A4D06C.3040106@materials.uoc.gr> First of all, thanks for your immediate help!!! After 5 minutes of running,"spamassassin --lint" didn't give any result. Dimitris Martin.Hepworth wrote: > Sounds like DNS issues..... > > What does "spamassassin --lint" give you? > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Dimitris Stefanakis >> Sent: 23 July 2007 16:35 >> To: MailScanner discussion >> Subject: SpamAssassin stucked suddenly - Please help >> >> Suddenly SpamAssassin stucked and gave me the following logs: >> >> ...... MailScanner[24823]: Spam Checks: Starting >> ...... MailScanner[24796]: SpamAssassin cache hit for message >> l6NBnvC8016299 >> ...... MailScanner[24779]: SpamAssassin cache hit for message >> l6NBaCZh016011 >> ...... MailScanner[24752]: SpamAssassin cache hit for message >> l6NBZvNn015869 >> ...... MailScanner[24823]: SpamAssassin cache hit for message >> l6NC5TOm016520 >> ...... MailScanner[24796]: SpamAssassin cache hit for message >> l6NBnVa0016283 >> ...... MailScanner[24823]: SpamAssassin cache hit for message >> l6NC5UBU016521 >> >> >> and, after that the following: >> >> ...... MailScanner[3548]: SpamAssassin timed out and was killed, >> > failure > >> 2 of 40 >> ...... MailScanner[3499]: SpamAssassin timed out and was killed, >> > failure > >> 2 of 40 >> ...... MailScanner[3621]: SpamAssassin timed out and was killed, >> > failure > >> 2 of 40 >> ...... MailScanner[4795]: SpamAssassin timed out and was killed, >> > failure > >> 2 of 40 >> ...... MailScanner[4293]: SpamAssassin timed out and was killed, >> > failure > >> 2 of 40 >> ...... MailScanner[4641]: SpamAssassin timed out and was killed, >> > failure > >> 2 of 40 >> ...... MailScanner[3548]: SpamAssassin timed out and was killed, >> > failure > >> 3 of 40 >> >> >> What I have is: >> Linux: RHEL-4 AS >> MailScanner 4.61.7 >> clamav 0.91.1 >> SpamAssassin 3.2.1 >> >> PLEASE HELP!!! 
>> >> Dimitris Stefanakis
From martinh at solidstatelogic.com Mon Jul 23 17:05:56 2007
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Jul 23 17:06:01 2007 Subject: SpamAssassin stucked suddenly - Please help In-Reply-To: <46A4D06C.3040106@materials.uoc.gr> Message-ID: <74fb1b295b214242b6ee8d90d67bd29e@solidstatelogic.com> Dimitris Well there's your problem then..... spamassassin --lint -D will give you more detail about where it's got to. I'd check you've not an RBL or something in the config that's not responding -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Dimitris Stefanakis > Sent: 23 July 2007 17:00 > To: MailScanner discussion > Subject: Re: SpamAssassin stucked suddenly - Please help > > First of all, thanks for your immediate help!!! > After 5 minutes of running,"spamassassin --lint" didn't give any result. > Dimitris > > Martin.Hepworth wrote: > > Sounds like DNS issues..... > > What does "spamassassin --lint" give you? > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Dimitris > Stefanakis > Sent: 23 July 2007 16:35 > To: MailScanner discussion > Subject: SpamAssassin stucked suddenly - Please help > > Suddenly SpamAssassin stucked and gave me the following logs: > > ...... MailScanner[24823]: Spam Checks: Starting > ...... MailScanner[24796]: SpamAssassin cache hit for message > l6NBnvC8016299 > ...... MailScanner[24779]: SpamAssassin cache hit for message > l6NBaCZh016011 > ...... MailScanner[24752]: SpamAssassin cache hit for message > l6NBZvNn015869 > ...... MailScanner[24823]: SpamAssassin cache hit for message > l6NC5TOm016520 > ...... MailScanner[24796]: SpamAssassin cache hit for message > l6NBnVa0016283 > ...... MailScanner[24823]: SpamAssassin cache hit for message > l6NC5UBU016521 > > > and, after that the following: > > ...... MailScanner[3548]: SpamAssassin timed out and was > killed, > > > failure > > > 2 of 40 > ...... MailScanner[3499]: SpamAssassin timed out and was > killed, > > > failure > > > 2 of 40 > ...... MailScanner[3621]: SpamAssassin timed out and was > killed, > > > failure > > > 2 of 40 > ...... MailScanner[4795]: SpamAssassin timed out and was > killed, > > > failure > > > 2 of 40 > ...... MailScanner[4293]: SpamAssassin timed out and was > killed, > > > failure > > > 2 of 40 > ...... MailScanner[4641]: SpamAssassin timed out and was > killed, > > > failure > > > 2 of 40 > ...... MailScanner[3548]: SpamAssassin timed out and was > killed, > > > failure > > > 3 of 40 > > > What I have is: > Linux: RHEL-4 AS > MailScanner 4.61.7 > clamav 0.91.1 > SpamAssassin 3.2.1 > > PLEASE HELP!!! > > Dimitris Stefanakis > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the > website! 
From dave.list at pixelhammer.com Mon Jul 23 17:05:04 2007
From: dave.list at pixelhammer.com (DAve) Date: Mon Jul 23 17:06:28 2007 Subject: MS Wiki and split recipients In-Reply-To: References: <46A4AC74.5020706@pixelhammer.com> <46A4B120.6070307@coders.co.uk> <46A4B540.8080406@pixelhammer.com> Message-ID: <46A4D1B0.9040109@pixelhammer.com> Scott Silva wrote: > DAve spake the following on 7/23/2007 7:03 AM: >> Matt Hampton wrote: >>> DAve wrote: >>> >>>> and I noticed an addendum. I don't think the addendum will work as >>>> stated. I believe following the addendum instructions will cause >>>> Sendmail to accept only messages with a single recipient. >>>> >>>> Can someone confirm that, or clue bat me, as the case may be. >>>> >>> I think you are right (I re-wrote the original page and hadn't noticed >>> the addendum). >>> >>> What it will cause is sendmail will accept the first recipient and then >>> temp fail the rest. This would cause the message to require X attempts >>> to deliver the message (where X is the number of recipients). >>> >>> matt >> Do we know who added that? Can it be removed or correctly annotated? It >> would cause every message MailScanner sees to be single recipient, but >> at a high cost. My listmail software would be unhappy sending to some of >> our client's internal mail lists with 100+ subscribers. >> >> DAve >> > If you are logged in you can see who made each change with the old revisions > button, and even revert to an older page. > Looks like I will need a login then. I'll make a note to fix it when I get back to working on the test MS server. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From glenn.steen at gmail.com Mon Jul 23 17:12:39 2007 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Jul 23 17:12:42 2007
Subject: SpamAssassin stucked suddenly - Please help
In-Reply-To: <74fb1b295b214242b6ee8d90d67bd29e@solidstatelogic.com>
References: <46A4D06C.3040106@materials.uoc.gr> <74fb1b295b214242b6ee8d90d67bd29e@solidstatelogic.com>
Message-ID: <223f97700707230912s4d9ee4e7p23f86b769724d6ac@mail.gmail.com>

On 23/07/07, Martin.Hepworth wrote:
> Dimitris
>
> Well there's your problem then.....
>
> spamassassin --lint -D
>
> will give you more detail about where it's got to.
>
> I'd check you've not an RBL or something in the config that's not
> responding
>
Um, Martin... Network tests in a --lint? I don't think so...:-). But the advice to look at the debug output (and perhaps post it here) is good. Please do Dimitris.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From gmane at tippingmar.com Mon Jul 23 18:52:18 2007
From: gmane at tippingmar.com (Mark Nienberg)
Date: Mon Jul 23 18:52:40 2007
Subject: MailScanner init script on Fedora
Message-ID:

Usage: service MailScanner {start|stop|status|restart|reload|startin|startout|stopms}

Usually when I want to upgrade MailScanner or SpamAssassin or ClamAV I do

service MailScanner stopms

which stops MailScanner but leaves the two sendmail processes running. After my upgrade, how do I start MailScanner again, without affecting the sendmail processes?

Mark

From hvdkooij at vanderkooij.org Mon Jul 23 19:12:29 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Jul 23 19:12:35 2007
Subject: Fake MX records
In-Reply-To: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com>
References: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com>
Message-ID:

On Mon, 23 Jul 2007, Martin.Hepworth wrote:

> http://wiki.apache.org/spamassassin/OtherTricks (Fake MX Record)
>
> on the SA-users list.
>
> Looks very useful, anyone here using this technique?

I use it partially. MX 10 is me. MX 100 is for backups. MX 1000 is me again as spammers favored the highest MX (lowest priority) to bypass (RBL) filters.

Now they seem to take them at random and ignore the priorities.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From ssilva at sgvwater.com Mon Jul 23 19:13:15 2007
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jul 23 19:13:33 2007 Subject: MS Wiki and split recipients In-Reply-To: <46A4D1B0.9040109@pixelhammer.com> References: <46A4AC74.5020706@pixelhammer.com> <46A4B120.6070307@coders.co.uk> <46A4B540.8080406@pixelhammer.com> <46A4D1B0.9040109@pixelhammer.com> Message-ID: DAve spake the following on 7/23/2007 9:05 AM: > Scott Silva wrote: >> DAve spake the following on 7/23/2007 7:03 AM: >>> Matt Hampton wrote: >>>> DAve wrote: >>>> >>>>> and I noticed an addendum. I don't think the addendum will work as >>>>> stated. I believe following the addendum instructions will cause >>>>> Sendmail to accept only messages with a single recipient. >>>>> >>>>> Can someone confirm that, or clue bat me, as the case may be. >>>>> >>>> I think you are right (I re-wrote the original page and hadn't noticed >>>> the addendum). >>>> >>>> What it will cause is sendmail will accept the first recipient and then >>>> temp fail the rest. This would cause the message to require X attempts >>>> to deliver the message (where X is the number of recipients). >>>> >>>> matt >>> Do we know who added that? Can it be removed or correctly annotated? It >>> would cause every message MailScanner sees to be single recipient, but >>> at a high cost. My listmail software would be unhappy sending to some of >>> our client's internal mail lists with 100+ subscribers. >>> >>> DAve >>> >> If you are logged in you can see who made each change with the old >> revisions >> button, and even revert to an older page. >> > > Looks like I will need a login then. I'll make a note to fix it when I > get back to working on the test MS server. > > DAve > I can fix it if you give me an idea of where the error is. My sendmail is rather moldy. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ugob at lubik.ca Mon Jul 23 19:17:37 2007 
From: ugob at lubik.ca (Ugo Bellavance)
Date: Mon Jul 23 19:17:56 2007
Subject: Sign Messages Already Processed = no
Message-ID:

Hi,

How does this setting work?

Sign Messages Already Processed = no

Does it use headers, body text, other stuff? Is it made to avoid signatures in replies, or double signatures from 2 different servers in the same direction?

Regards,

Ugo

From list-mailscanner at linguaphone.com Mon Jul 23 19:18:12 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Mon Jul 23 19:18:19 2007
Subject: MailScanner init script on Fedora
In-Reply-To:
Message-ID:

You might want to have a look at http://www.gbnetwork.co.uk/mailscanner/

I posted a modified startup script there which has additional options such as startms and restartms for this purpose.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mark Nienberg
> Sent: 23 July 2007 18:52
> To: mailscanner@lists.mailscanner.info
> Subject: MailScanner init script on Fedora
>
> Usage: service MailScanner
> {start|stop|status|restart|reload|startin|startout|stopms}
>
> Usually when I want to upgrade MailScanner or SpamAssassin or ClamAV I do
>
> service MailScanner stopms
>
> which stops MailScanner but leaves the two sendmail processes
> running. After my upgrade, how do I start MailScanner again,
> without affecting the sendmail processes?
>
> Mark

From matt at coders.co.uk Mon Jul 23 19:21:13 2007
From: matt at coders.co.uk (Matt Hampton)
Date: Mon Jul 23 19:19:22 2007
Subject: MS Wiki and split recipients
In-Reply-To:
References: <46A4AC74.5020706@pixelhammer.com> <46A4B120.6070307@coders.co.uk> <46A4B540.8080406@pixelhammer.com> <46A4D1B0.9040109@pixelhammer.com>
Message-ID: <46A4F199.6040201@coders.co.uk>

Scott Silva wrote:
>>
> I can fix it if you give me an idea of where the error is. My sendmail is
> rather moldy.
>
Already done it.

Matt

From hvdkooij at vanderkooij.org Mon Jul 23 19:22:09 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Jul 23 19:22:15 2007
Subject: MailScanner init script on Fedora
In-Reply-To:
References:
Message-ID:

On Mon, 23 Jul 2007, Mark Nienberg wrote:

> Usage: service MailScanner
> {start|stop|status|restart|reload|startin|startout|stopms}
>
> Usually when I want to upgrade MailScanner or SpamAssassin or ClamAV I do
>
> service MailScanner stopms
>
> which stops MailScanner but leaves the two sendmail processes running. After
> my upgrade, how do I start MailScanner again, without affecting the sendmail
> processes?

Have you tried `service MailScanner start`?

If that does not do the trick you can restart so you only have a minimal outage.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From mailscanner at yeticomputers.com Mon Jul 23 19:35:18 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Mon Jul 23 19:35:27 2007
Subject: Password protect
In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3D3E@RDPEXCH2.Eu.Emory.Edu>
References: <223f97700707200721g710f6846ga8807d99caea5f7d@mail.gmail.com> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3D3E@RDPEXCH2.Eu.Emory.Edu>
Message-ID: <46A4F4E6.3060305@yeticomputers.com>

Gottschalk, David wrote:
> Anyone know if its possible to send a bounce back to the sender if a password protected archive is quarantined?
>
> The "Notify Senders Of Blocked Filenames Or Filetypes" and "Notify Senders Of Other Blocked Content" don't seem to do anything with regards to encrypted archives.

Check the "Silent Viruses" line in MailScanner.conf. If it contains "All-Viruses" or "Zip-Password", it won't notify the sender. The comments above the line explain the options well.

Rick

From mailscanner at yeticomputers.com Mon Jul 23 19:39:24 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Mon Jul 23 19:39:34 2007 Subject: Password protect In-Reply-To: <46A4F4E6.3060305@yeticomputers.com> References: <223f97700707200721g710f6846ga8807d99caea5f7d@mail.gmail.com> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3D3E@RDPEXCH2.Eu.Emory.Edu> <46A4F4E6.3060305@yeticomputers.com> Message-ID: <46A4F5DC.1010603@yeticomputers.com> And, to add to my own reply, also look at "Non-Forging Viruses". Combining those two lines, you should be able to achieve what you're after. Rick Rick Chadderdon wrote: > Gottschalk, David wrote: > >> Anyone know if its possible to send a bounce back to the sender if a password protected archive is quarantined? >> >> The "Notify Senders Of Blocked Filenames Or Filetypes" and "Notify Senders Of Other Blocked Content" don't seem to do anything with regards to encrypted archives. >> > Check the "Silent Viruses" line in MailScanner.conf. If it contains > "All-Viruses" or "Zip-Password", it won't notify the sender. The > comments above the line explain the options well. > > Rick > From dave.list at pixelhammer.com Mon Jul 23 19:41:22 2007 
From: dave.list at pixelhammer.com (DAve) Date: Mon Jul 23 19:42:46 2007 Subject: MS Wiki and split recipients In-Reply-To: References: <46A4AC74.5020706@pixelhammer.com> <46A4B120.6070307@coders.co.uk> <46A4B540.8080406@pixelhammer.com> <46A4D1B0.9040109@pixelhammer.com> Message-ID: <46A4F652.8080106@pixelhammer.com> Scott Silva wrote: > DAve spake the following on 7/23/2007 9:05 AM: >> Scott Silva wrote: >>> DAve spake the following on 7/23/2007 7:03 AM: >>>> Matt Hampton wrote: >>>>> DAve wrote: >>>>> >>>>>> and I noticed an addendum. I don't think the addendum will work as >>>>>> stated. I believe following the addendum instructions will cause >>>>>> Sendmail to accept only messages with a single recipient. >>>>>> >>>>>> Can someone confirm that, or clue bat me, as the case may be. >>>>>> >>>>> I think you are right (I re-wrote the original page and hadn't noticed >>>>> the addendum). >>>>> >>>>> What it will cause is sendmail will accept the first recipient and then >>>>> temp fail the rest. This would cause the message to require X attempts >>>>> to deliver the message (where X is the number of recipients). >>>>> >>>>> matt >>>> Do we know who added that? Can it be removed or correctly annotated? It >>>> would cause every message MailScanner sees to be single recipient, but >>>> at a high cost. My listmail software would be unhappy sending to some of >>>> our client's internal mail lists with 100+ subscribers. >>>> >>>> DAve >>>> >>> If you are logged in you can see who made each change with the old >>> revisions >>> button, and even revert to an older page. >>> >> Looks like I will need a login then. I'll make a note to fix it when I >> get back to working on the test MS server. >> >> DAve >> > I can fix it if you give me an idea of where the error is. My sendmail is > rather moldy. > I would remove the addendum completely, it is not a solution for the problem on that page. 
DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From dgottsc at emory.edu Mon Jul 23 19:54:42 2007 From: dgottsc at emory.edu (Gottschalk, David) Date: Mon Jul 23 19:54:53 2007 Subject: Password protect In-Reply-To: <46A4F5DC.1010603@yeticomputers.com> References: <223f97700707200721g710f6846ga8807d99caea5f7d@mail.gmail.com> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3D3E@RDPEXCH2.Eu.Emory.Edu> <46A4F4E6.3060305@yeticomputers.com> <46A4F5DC.1010603@yeticomputers.com> Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E87C610@RDPEXCH2.Eu.Emory.Edu> Great, thanks for the tips. David Gottschalk -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick Chadderdon Sent: Monday, July 23, 2007 2:39 PM To: MailScanner discussion Subject: Re: Password protect And, to add to my own reply, also look at "Non-Forging Viruses". Combining those two lines, you should be able to achieve what you're after. Rick Rick Chadderdon wrote: > Gottschalk, David wrote: > >> Anyone know if its possible to send a bounce back to the sender if a password protected archive is quarantined? >> >> The "Notify Senders Of Blocked Filenames Or Filetypes" and "Notify Senders Of Other Blocked Content" don't seem to do anything with regards to encrypted archives. >> > Check the "Silent Viruses" line in MailScanner.conf. If it contains > "All-Viruses" or "Zip-Password", it won't notify the sender. The > comments above the line explain the options well. > > Rick > From dave.list at pixelhammer.com Mon Jul 23 19:54:10 2007
From: dave.list at pixelhammer.com (DAve) Date: Mon Jul 23 19:55:32 2007 Subject: MS Wiki and split recipients In-Reply-To: <46A4F199.6040201@coders.co.uk> References: <46A4AC74.5020706@pixelhammer.com> <46A4B120.6070307@coders.co.uk> <46A4B540.8080406@pixelhammer.com> <46A4D1B0.9040109@pixelhammer.com> <46A4F199.6040201@coders.co.uk> Message-ID: <46A4F952.4020803@pixelhammer.com> Matt Hampton wrote: > Scott Silva wrote: > >> I can fix it if you give me an idea of where the error is. My sendmail is >> rather moldy. >> > > Already done it. > > Matt Thanks! DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From glenn.steen at gmail.com Mon Jul 23 20:09:44 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jul 23 20:09:46 2007 Subject: MailScanner init script on Fedora In-Reply-To: References: Message-ID: <223f97700707231209x1734f2car94d8cb1499a2a31b@mail.gmail.com> On 23/07/07, Mark Nienberg wrote: > Usage: service MailScanner {start|stop|status|restart|reload|startin|startout|stopms} > > Usually when I want to upgrade MailScanner or SpamAssassin or ClamAV I do > > service MailScanner stopms > > which stops MailScanner but leaves the two sendmail processes running. After my > upgrade, how do I start MailScanner again, without affecting the sendmail processes? > > > Mark > I suppose check_MailScanner is the correct command to run for that;). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Mon Jul 23 20:13:01 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jul 23 20:13:04 2007 Subject: MS Wiki and split recipients In-Reply-To: <46A4D1B0.9040109@pixelhammer.com> References: <46A4AC74.5020706@pixelhammer.com> <46A4B120.6070307@coders.co.uk> <46A4B540.8080406@pixelhammer.com> <46A4D1B0.9040109@pixelhammer.com> Message-ID: <223f97700707231213s3d7aa265k4a5b6019109ade5d@mail.gmail.com> On 23/07/07, DAve wrote: > Scott Silva wrote: > > DAve spake the following on 7/23/2007 7:03 AM: > >> Matt Hampton wrote: > >>> DAve wrote: > >>> > >>>> and I noticed an addendum. I don't think the addendum will work as > >>>> stated. I believe following the addendum instructions will cause > >>>> Sendmail to accept only messages with a single recipient. > >>>> > >>>> Can someone confirm that, or clue bat me, as the case may be. > >>>> > >>> I think you are right (I re-wrote the original page and hadn't noticed > >>> the addendum). > >>> > >>> What it will cause is sendmail will accept the first recipient and then > >>> temp fail the rest. This would cause the message to require X attempts > >>> to deliver the message (where X is the number of recipients). > >>> > >>> matt > >> Do we know who added that? Can it be removed or correctly annotated? It > >> would cause every message MailScanner sees to be single recipient, but > >> at a high cost. My listmail software would be unhappy sending to some of > >> our client's internal mail lists with 100+ subscribers. > >> > >> DAve > >> > > If you are logged in you can see who made each change with the old revisions > > button, and even revert to an older page. > > > > Looks like I will need a login then. I'll make a note to fix it when I > get back to working on the test MS server. > > DAve > It's the very idea with a wiki.... You see something that need changing... then you do it;-)... Or Matt, as it turned out this time:-D We can always have more fresh eyes/ideas pouring over/into the wiki..... So please do register. 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From uxbod at splatnix.net Mon Jul 23 20:30:40 2007 From: uxbod at splatnix.net (UxBoD) Date: Mon Jul 23 20:28:59 2007 Subject: Request for comments 3 In-Reply-To: <46A4CE06.2000900@ecs.soton.ac.uk> Message-ID: <1892290.1231185219040748.JavaMail.root@office.splatnix.net> Cool. Thanks Jules. Have a great HR application for it :) ----- Original Message ----- From: "Julian Field" To: "MailScanner discussion" Sent: 23 July 2007 16:49:26 o'clock (GMT) Europe/London Subject: Re: Request for comments 3 Eventually yes. I want to get the design and code all working and settled for spam first though. UxBoD wrote: > Would this new functionality extend to MCP as well Jules ? > ----- Original Message -----
> From: "Julian Field" > To: "MailScanner discussion" > Sent: Monday, July 23, 2007 4:24:40 PM (GMT) Europe/London > Subject: Re: Request for comments 3 > > > * PGP Signed by an unmatched address: 07/23/07 at 16:24:41 > > > > John Wilcock wrote: > >> Julian Field wrote: >> >>> How about this instead? >>> >>> SpamAssassin Rule Actions = rulename=>action, rulename=>action, .... >>> >>> the "rulename"s are the names of individual SpamAssassin rules, and >>> the "action"s are list those in "Spam Actions". To specify multiple >>> actions for a rule, you specify the rulename several times, with one >>> action for each. Expressions with SpamAssassin rules are done with >>> SpamAssassin meta-rules. If the rule hits, the action is taken. >>> >>> I'll write a few examples of meta-rules so you can see how to write >>> them in spam.assassin.rules.conf or wherever they need to go. Mr >>> Kettler, can you correct me on this please? >>> >>> Does this sound more useful than the previous suggestions? >>> >> Sounds good, yes. >> >> Are the actions intended to *replace* the default non spam, spam or >> high scoring spam actions, or are they taken in *addition* to those >> actions? >> > In addition. > >> IMO additional actions would be more flexible, but would need the >> ability to negate an action, i.e. take a particular action by default >> *unless* such-and-such rule hits. >> > Hmmm..... That makes life a bit more complicated. If I evaluated them > after the existing rules then I should be able to do that. Good point > though. > > >> Non Spam Actions = deliver >> Spam Actions = deliver,store >> High Scoring Spam Actions = store >> >> SpamAssassin Rule Actions = >> MY_BADSPAM_RULE=>not-store, >> MY_SPECIAL_RULE=>forward theboss@domain >> >> John. >> >> > > Jules > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk From amoore at dekalbmemorial.com Mon Jul 23 20:46:42 2007
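The "SpamAssassin Rule Actions" semantics discussed in the message above (rule actions taken in addition to the normal spam actions and evaluated after them, with John Wilcock's `not-` prefix removing an action), sketched as an added example. This is not MailScanner code: the function names, the `nonspam`/`spam`/`highspam` keys and the parsing details are assumptions made here.

```python
# Added illustration of the proposal as worded on the list; not MailScanner's
# implementation. All names below are hypothetical.

# Default actions per classification, taken from John Wilcock's sample settings.
BASE_ACTIONS = {
    "nonspam": "deliver",            # Non Spam Actions
    "spam": "deliver,store",         # Spam Actions
    "highspam": "store",             # High Scoring Spam Actions
}

# The proposed setting, in the "rulename=>action, rulename=>action" form.
RULE_ACTIONS = ("MY_BADSPAM_RULE=>not-store, "
                "MY_SPECIAL_RULE=>forward theboss@domain")


def parse_action_list(text):
    """Split 'deliver,store' into an ordered list of action strings."""
    return [part.strip() for part in text.split(",") if part.strip()]


def parse_rule_actions(text):
    """Parse 'RULE=>action, RULE=>action' into ordered (rule, action) pairs.

    A rule name may appear several times, once per action, as proposed.
    Malformed items raise ValueError instead of being silently dropped,
    so a typo cannot quietly disable an action.
    """
    pairs = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "=>" not in item:
            raise ValueError("expected rulename=>action, got %r" % item)
        rule, action = item.split("=>", 1)
        rule = rule.strip()
        action = " ".join(action.split())   # normalise inner whitespace
        if not rule or not action:
            raise ValueError("empty rule name or action in %r" % item)
        pairs.append((rule, action))
    return pairs


def effective_actions(classification, rules_hit,
                      base=BASE_ACTIONS, rule_actions=RULE_ACTIONS):
    """Return the final action list for one message.

    The default actions for the classification are taken first; rule
    actions are applied afterwards, which is what lets a 'not-' action
    remove a default. The result can be empty (for example high scoring
    spam whose only default action was negated), so a caller has to decide
    what an empty list means rather than assume something was delivered
    or stored.
    """
    actions = parse_action_list(base[classification])
    for rule, action in parse_rule_actions(rule_actions):
        if rule not in rules_hit:
            continue
        if action.startswith("not-"):
            target = action[len("not-"):]
            actions = [a for a in actions if a != target]
        elif action not in actions:
            actions.append(action)
    return actions


if __name__ == "__main__":
    # Constructed sample: a spam message that also hit MY_BADSPAM_RULE.
    print(effective_actions("spam", {"MY_BADSPAM_RULE"}))
```
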
From: amoore at dekalbmemorial.com (Aaron K. Moore) Date: Mon Jul 23 20:46:46 2007 Subject: MailScanner init script on Fedora In-Reply-To: References: Message-ID: <60D398EB2DB948409CA1F50D8AF12257027B1BBF@exch1.dekalbmemorial.local> mailscanner-bounces@lists.mailscanner.info wrote: > On Mon, 23 Jul 2007, Mark Nienberg wrote: > >> Usage: service MailScanner >> {start|stop|status|restart|reload|startin|startout|stopms} >> >> Usually when I want to upgrade MailScanner or SpamAssassin or ClamAV >> I do >> >> service MailScanner stopms >> >> which stops MailScanner but leaves the two sendmail processes >> running. After my upgrade, how do I start MailScanner again, without >> affecting the sendmail processes? I always do a "service MailScanner restart" at that point. Yes it does take down sendmail, but it's only for a few seconds. -- Aaron Kent Moore Information Technology Services DeKalb Memorial Hospital, Inc. Auburn, Indiana Phone: 260.920.2808 E-Mail: amoore@dekalbmemorial.com From ssilva at sgvwater.com Mon Jul 23 20:44:51 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jul 23 20:49:00 2007 Subject: MS Wiki and split recipients In-Reply-To: <223f97700707231213s3d7aa265k4a5b6019109ade5d@mail.gmail.com> References: <46A4AC74.5020706@pixelhammer.com> <46A4B120.6070307@coders.co.uk> <46A4B540.8080406@pixelhammer.com> <46A4D1B0.9040109@pixelhammer.com> <223f97700707231213s3d7aa265k4a5b6019109ade5d@mail.gmail.com> Message-ID: Glenn Steen spake the following on 7/23/2007 12:13 PM: > On 23/07/07, DAve wrote: >> Scott Silva wrote: >> > DAve spake the following on 7/23/2007 7:03 AM: >> >> Matt Hampton wrote: >> >>> DAve wrote: >> >>> >> >>>> and I noticed an addendum. I don't think the addendum will work as >> >>>> stated. I believe following the addendum instructions will cause >> >>>> Sendmail to accept only messages with a single recipient. >> >>>> >> >>>> Can someone confirm that, or clue bat me, as the case may be. >> >>>> >> >>> I think you are right (I re-wrote the original page and hadn't >> noticed >> >>> the addendum). >> >>> >> >>> What it will cause is sendmail will accept the first recipient and >> then >> >>> temp fail the rest. This would cause the message to require X >> attempts >> >>> to deliver the message (where X is the number of recipients). >> >>> >> >>> matt >> >> Do we know who added that? Can it be removed or correctly >> annotated? It >> >> would cause every message MailScanner sees to be single recipient, but >> >> at a high cost. My listmail software would be unhappy sending to >> some of >> >> our client's internal mail lists with 100+ subscribers. >> >> >> >> DAve >> >> >> > If you are logged in you can see who made each change with the old >> revisions >> > button, and even revert to an older page. >> > >> >> Looks like I will need a login then. I'll make a note to fix it when I >> get back to working on the test MS server. >> >> DAve >> > It's the very idea with a wiki.... You see something that need > changing... then you do it;-)... 
Or Matt, as it turned out this > time:-D > We can always have more fresh eyes/ideas pouring over/into the > wiki..... So please do register. > > Cheers It is also the downside of a wiki... You can have too many cooks seasoning the stew! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Mon Jul 23 20:48:30 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jul 23 20:50:08 2007 Subject: Sign Messages Already Processed = no In-Reply-To: References: Message-ID: Ugo Bellavance spake the following on 7/23/2007 11:17 AM: > Hi, > > How does this setting work? > > Sign Messages Already Processed = no > > Does it uses headers, body text, other stuff? > > Is it made to avoid signatures in replies, or double signatures from 2 > different servers in the same direction? > > Regards, > > Ugo > AFAIR I think it relies on the group of servers to have the same settings in %org-name% = -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Mon Jul 23 20:45:00 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jul 23 20:55:04 2007 Subject: Fake MX records In-Reply-To: References: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com> Message-ID: Hugo van der Kooij spake the following on 7/23/2007 11:12 AM: > On Mon, 23 Jul 2007, Martin.Hepworth wrote: > >> http://wiki.apache.org/spamassassin/OtherTricks (Fake MX Record) >> >> on the SA-users list. >> >> Looks very useful, anyone here using this technique? > > I use it partially. MX 10 is me. MX 100 is for backups. MX 1000 is me > again as spammers favored the highest MX (lowest priority) to bypass > (RBL) filters. Now they seem to take them at random and ignore the > priorities. > > Hugo. > If your low and high MX are the same address, I think they have some logic to detect that, because it didn't work for me either. Since I added the sane sigs to clam, my backup mx gets all the hits. Too bad for the spammers, because it is running MailScanner also. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From MailScanner at ecs.soton.ac.uk Mon Jul 23 20:58:34 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 23 20:59:00 2007 Subject: Sign Messages Already Processed = no In-Reply-To: References: Message-ID: <46A5086A.3050804@ecs.soton.ac.uk> Ugo Bellavance wrote: > Hi, > > How does this setting work? > > Sign Messages Already Processed = no > > Does it uses headers, body text, other stuff? It works off the presence of the MailScanner header. > > Is it made to avoid signatures in replies, or double signatures from 2 > different servers in the same direction? To avoid double signatures from 2 different servers in the right direction. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk From Carl.Andrews at crackerbarrel.com Mon Jul 23 21:23:58 2007 From: Carl.Andrews at crackerbarrel.com (Andrews Carl 455) Date: Mon Jul 23 21:23:16 2007 Subject: Broken MailScanner if Using CLAM!!! In-Reply-To: <200707211607.l6LG7DgU016038@smtpgw1.crackerbarrel.com> Message-ID: <113A0DFC086C984AB9EFDF6B8614F075017D31E1@exchange03.CBOCS.com> I do not know why it did not work, but just running 'freshclam' did not correct the issue, nor did the update_virus_scanners. It was necessary to completely remove the corrupt definitions and allow it to start over fresh. Thanks, Carl -----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Saturday, July 21, 2007 11:01 AM To: MailScanner discussion Subject: Re: Broken MailScanner if Using CLAM!!! On Linux RPM-based systems, the update_virus_scanners cron job will have been installed and will be updating all your virus scanners every hour anyway. No need to add another cron job doing the same thing again. Andrews Carl 455 wrote: > I have cron doing that (almost exactly) but it is every 4 hours :-< > > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt > Hayes > Sent: Friday, July 20, 2007 4:00 PM > To: MailScanner discussion > Subject: Re: Broken MailScanner if Using CLAM!!! > > > Andrews Carl 455 wrote: > >> It appears that the clam definitions from noon are corrupt. I had to >> remove mine and restart mailscanner. >> >> >> cd /usr/local/share/clamav or 'locate main.ndb' >> rm -rf * >> freshclam >> >> >> >> I hope this helps if anyone else is having the same problem. >> >> >> Thanks! >> Carl >> >> >> >> >> > > Uhhh, just cron the update process with a script for every hour > update.. > > then you don't have to do that. > > -Matt > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk From Carl.Andrews at crackerbarrel.com Mon Jul 23 21:24:14 2007
From: Carl.Andrews at crackerbarrel.com (Andrews Carl 455) Date: Mon Jul 23 21:23:33 2007 Subject: Broken MailScanner if Using CLAM!!! In-Reply-To: <200707210136.l6L1aaCY016820@smtpgw1.crackerbarrel.com> Message-ID: <113A0DFC086C984AB9EFDF6B8614F075017D31E2@exchange03.CBOCS.com> I apologize. I was trying to be helpful! -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res Sent: Friday, July 20, 2007 8:34 PM To: MailScanner discussion Subject: Re: Broken MailScanner if Using CLAM!!! why oh why do people need to flood the list for 5 different topics of the same thing, if they bothered to read the emails in the list, they'd see its been flogged to death in past 12 hours. Basically, it's another reason you should stay current with all versions of what you run, if you don't there is no one else to blame but yourselves. On Fri, 20 Jul 2007, Andrews Carl 455 wrote: > It appears that the clam definitions from noon are corrupt. I had to > remove mine and restart mailscanner. -- Cheers Res From Kevin_Miller at ci.juneau.ak.us Mon Jul 23 21:36:50 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Jul 23 21:36:57 2007 Subject: Broken MailScanner if Using CLAM!!! In-Reply-To: <113A0DFC086C984AB9EFDF6B8614F075017D31E2@exchange03.CBOCS.com> References: <200707210136.l6L1aaCY016820@smtpgw1.crackerbarrel.com> <113A0DFC086C984AB9EFDF6B8614F075017D31E2@exchange03.CBOCS.com> Message-ID: Andrews Carl 455 wrote: > I apologize. I was trying to be helpful! No good deed goes unpunished Carl! ;-) ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From Carl.Andrews at crackerbarrel.com Mon Jul 23 21:46:42 2007 From: Carl.Andrews at crackerbarrel.com (Andrews Carl 455) Date: Mon Jul 23 21:46:00 2007 Subject: Broken MailScanner if Using CLAM!!! In-Reply-To: <200707232039.l6NKdAYh019727@smtpgw1.crackerbarrel.com> Message-ID: <113A0DFC086C984AB9EFDF6B8614F075017D31E5@exchange03.CBOCS.com> I noticed :-> -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Kevin Miller Sent: Monday, July 23, 2007 3:37 PM To: MailScanner discussion Subject: RE: Broken MailScanner if Using CLAM!!! Andrews Carl 455 wrote: > I apologize. I was trying to be helpful! No good deed goes unpunished Carl! ;-) ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From itdept at fractalweb.com Mon Jul 23 23:51:38 2007
From: itdept at fractalweb.com (Chris Yuzik) Date: Mon Jul 23 23:51:48 2007 Subject: anyone use the "malware block list"? Message-ID: <46A530FA.9010407@fractalweb.com> Does anyone use the "malware block list"? http://malware.hiperlinks.com.br/ I've been experimenting with it, but getting WAY too many false-positives. It has now started blocking anything with a link to www dot yousendit dot com, which isn't necessarily malware. Seems like a good idea on the surface, but the definition files are far too broad. Chris From ssilva at sgvwater.com Tue Jul 24 00:28:07 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Jul 24 00:28:25 2007 Subject: anyone use the "malware block list"? In-Reply-To: <46A530FA.9010407@fractalweb.com> References: <46A530FA.9010407@fractalweb.com> Message-ID: Chris Yuzik spake the following on 7/23/2007 3:51 PM: > Does anyone use the "malware block list"? http://malware.hiperlinks.com.br/ > > I've been experimenting with it, but getting WAY too many > false-positives. It has now started blocking anything with a link to www > dot yousendit dot com, which isn't necessarily malware. Seems like a > good idea on the surface, but the definition files are far too broad. > > Chris Are you dropping at MTA, at mailscanner, or scoring with spamassassin? I usually just score the more aggressive lists and let the numbers add up if it merits. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From gmane at tippingmar.com Tue Jul 24 00:58:48 2007 
From: gmane at tippingmar.com (Mark Nienberg) Date: Tue Jul 24 00:59:00 2007 Subject: MailScanner init script on Fedora In-Reply-To: References: Message-ID: Hugo van der Kooij wrote: > On Mon, 23 Jul 2007, Mark Nienberg wrote: > >> Usage: service MailScanner >> {start|stop|status|restart|reload|startin|startout|stopms} >> >> Usually when I want to upgrade MailScanner or SpamAssassin or ClamAV I do >> >> service MailScanner stopms >> >> which stops MailScanner but leaves the two sendmail processes >> running. After my upgrade, how do I start MailScanner again, without >> affecting the sendmail processes? > > Have you tried `service MailScanner start`? If that does not do the > trick you can restart so you only have a minimal outage. Tried that. It starts up more instances of sendmail, which are then hard to stop. Leaving some zombies. Mark From gmane at tippingmar.com Tue Jul 24 01:02:54 2007 From: gmane at tippingmar.com (Mark Nienberg) Date: Tue Jul 24 01:05:15 2007 Subject: MailScanner init script on Fedora In-Reply-To: <223f97700707231209x1734f2car94d8cb1499a2a31b@mail.gmail.com> References: <223f97700707231209x1734f2car94d8cb1499a2a31b@mail.gmail.com> Message-ID: Glenn Steen wrote: > On 23/07/07, Mark Nienberg wrote: >> Usage: service MailScanner >> {start|stop|status|restart|reload|startin|startout|stopms} >> >> Usually when I want to upgrade MailScanner or SpamAssassin or ClamAV I do >> >> service MailScanner stopms >> >> which stops MailScanner but leaves the two sendmail processes >> running. After my >> upgrade, how do I start MailScanner again, without affecting the >> sendmail processes? > I suppose > check_MailScanner > is the correct command to run for that;). Hey, that is a good idea! Thanks, Mark From itdept at fractalweb.com Tue Jul 24 01:07:43 2007
From: itdept at fractalweb.com (Chris Yuzik) Date: Tue Jul 24 01:07:54 2007 Subject: anyone use the "malware block list"? In-Reply-To: References: <46A530FA.9010407@fractalweb.com> Message-ID: <46A542CF.9070005@fractalweb.com> Scott Silva wrote: > Are you dropping at MTA, at mailscanner, or scoring with spamassassin? > I usually just score the more aggressive lists and let the numbers add up if > it merits. Scott, We were using MBL definitions in ClamAv. Perhaps I'll consider using in SpamAssassin instead. Do you use the default scoring for their rules, or do you customize? Chris From mogens at fumlersoft.dk Tue Jul 24 01:41:39 2007 
From: mogens at fumlersoft.dk (Mogens Melander) Date: Tue Jul 24 01:40:12 2007 Subject: MailScanner init script on Fedora In-Reply-To: References: Message-ID: <1493.90.184.16.67.1185237699.squirrel@mail.fumlersoft.dk> Something like: kill -TERM `pgrep MailScanner|head -n 1`;sleep ;check_mailscanner Might do it.. Normally i'd do a /etc/rc.d/rc.mailscanner restart Shutting down sendmail, mailscanner, dcc(ifd,m), clamd, ao., and starting the bunch up again. On Mon, July 23, 2007 19:52, Mark Nienberg wrote: > Usage: service MailScanner {start|stop|status|restart|reload|startin|startout|stopms} > > Usually when I want to upgrade MailScanner or SpamAssassin or ClamAV I do > > service MailScanner stopms > > which stops MailScanner but leaves the two sendmail processes running. After my > upgrade, how do I start MailScanner again, without affecting the sendmail processes? > > > Mark > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -- Later Mogens Melander +45 40 85 71 38 +66 870 133 224 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mogens at fumlersoft.dk Tue Jul 24 02:11:02 2007 
From: mogens at fumlersoft.dk (Mogens Melander) Date: Tue Jul 24 02:09:38 2007 Subject: Fake MX records In-Reply-To: References: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com> Message-ID: <1533.90.184.16.67.1185239462.squirrel@mail.fumlersoft.dk> On Mon, July 23, 2007 20:12, Hugo van der Kooij wrote: > On Mon, 23 Jul 2007, Martin.Hepworth wrote: > >> http://wiki.apache.org/spamassassin/OtherTricks (Fake MX Record) >> >> on the SA-users list. >> >> Looks very useful, anyone here using this technique? > > I use it partially. MX 10 is me. MX 100 is for backups. MX 1000 is me > again as spammers favored the highest MX (lowest priority) to bypass > (RBL) filters. Now they seem to take them at random and ignore the > priorities. > I was thinking about a "thingy" that would query senders MX if sender was valid (accept mail to sender) but i don't like to waste too much bandwidth on a allready crowded internet, so i'm still thinking. This "Fake MX" would of cause break this idea, unless i'd make it retry until all MX's been "tasted", adding more trafic to the pool. But this could be done at MTA level, and thus, not be too expencive. As i'm not a perl/C hacker, i'll limit my tests to PHP, but if/when implemented, i'd be happy to share my results. -- Later Mogens Melander +45 40 85 71 38 +66 870 133 224 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From rich at mail.wvnet.edu Tue Jul 24 02:20:45 2007 
From: rich at mail.wvnet.edu (Richard Lynch)
Date: Tue Jul 24 02:20:55 2007
Subject: BarricadeMX experiences
Message-ID: <46A553ED.3020505@mail.wvnet.edu>

Note: I am not affiliated with Fort Systems Ltd in any way -- only as a
satisfied customer.

I spent this past weekend installing BarricadeMX on our MailScanner
servers. We process about 1.7 million messages per weekday (mon-fri).
We currently run with 5 servers. These are typical servers with dual
cpus, scsi disks(raid), etc. We run MailScanner, SpamAssassin, DCC,
etc. About 50% of the connections are dropped at the MTA using
Spamhaus' xbl-sbl blacklists. The 1.7 million msg count does not
include those messages stopped by the blacklists at the MTA.

During the day on a weekend the processors run at near 40% utilization
(using sar). Once BarricadeMX was installed the utilization dropped
immediately to 7-8%. At first I thought something was wrong -- but it
wasn't. Today was a good test. Four of the five systems ran fine all
day. The fifth one got a little behind (300-400 messages in mqueue.in)
during the peak load period but no one complained. The only complaint
had to do with the spf policy which I ended up disabling. That was it.
I received no other complaints all day and I usually get pounded about
mail delays.

Originally I was looking at getting yet another server but decided to
give BarricadeMX a try first. My thinking now is to drop back to 2 or 3
servers and use the two freed up ones for other projects. My
experiences so far with support are great as well. I had some problems
with the software installation on Saturday. I posted a message to
support@fsl.com and received an immediate solution within 10 minutes.
I'm serious, it was 10 minutes and on a Saturday.

I can't say enough about this product. I'm posting my experiences here
because this list is where I first saw the product announcement and I
believe any site running MailScanner can benefit from this package.
It's reasonably priced, great support, and can actually save you money
with the reduction in hardware alone. It's also easy to install and
easy to take in and out. They'll also let you demo it.

I know this comes off sounding like a sales pitch but it's hard to
describe the experience without sounding like one. It really is an
amazing product.


Richard Lynch
WVNET

From mogens at fumlersoft.dk Tue Jul 24 03:33:05 2007
From: mogens at fumlersoft.dk (Mogens Melander)
Date: Tue Jul 24 03:31:38 2007
Subject: anyone use the "malware block list"?
In-Reply-To: <46A530FA.9010407@fractalweb.com>
References: <46A530FA.9010407@fractalweb.com>
Message-ID: <1712.90.184.16.67.1185244385.squirrel@mail.fumlersoft.dk>

Yes, I have something in my /etc/mail/access

com.br ERROR:"550 Reject : com.br - Spam source"

That one seems to catch a lot :)

On Tue, July 24, 2007 00:51, Chris Yuzik wrote:
> Does anyone use the "malware block list"? http://malware.hiperlinks.com.br/
>
> I've been experimenting with it, but getting WAY too many
> false-positives. It has now started blocking anything with a link to www
> dot yousendit dot com, which isn't necessarily malware. Seems like a
> good idea on the surface, but the definition files are far too broad.
>
> Chris

--
Later

Mogens Melander
+45 40 85 71 38
+66 870 133 224

From mogens at fumlersoft.dk Tue Jul 24 04:04:31 2007
From: mogens at fumlersoft.dk (Mogens Melander)
Date: Tue Jul 24 04:03:04 2007
Subject: BarricadeMX experiences
In-Reply-To: <46A553ED.3020505@mail.wvnet.edu>
References: <46A553ED.3020505@mail.wvnet.edu>
Message-ID: <1782.90.184.16.67.1185246271.squirrel@mail.fumlersoft.dk>

And what was your question ??

On Tue, July 24, 2007 03:20, Richard Lynch wrote:
>
> Note: I am not affiliated with Fort Systems Ltd in any way -- only as a
> satisfied customer.
>
> I spent this past weekend installing BarricadeMX on our MailScanner
> servers. We process about 1.7 million messages per weekday (mon-fri).
> We currently run with 5 servers. These are typical servers with dual
> cpus, scsi disks(raid), etc. We run MailScanner, SpamAssassin, DCC,
> etc. About 50% of the connections are dropped at the MTA using
> Spamhaus' xbl-sbl blacklists. The 1.7 million msg count does not
> include those messages stopped by the blacklists at the MTA.
>
> During the day on a weekend the processors run at near 40% utilization
> (using sar). Once BarricadeMX was installed the utilization dropped
> immediately to 7-8%. At first I thought something was wrong -- but it
> wasn't. Today was a good test. Four of the five systems ran fine all
> day. The fifth one got a little behind (300-400 messages in mqueue.in)
> during the peak load period but no one complained. The only complaint
> had to do with the spf policy which I ended up disabling. That was it.
> I received no other complaints all day and I usually get pounded about
> mail delays.
>
> Originally I was looking at getting yet another server but decided to
> give BarricadeMX a try first. My thinking now is to drop back to 2 or 3
> servers and use the two freed up ones for other projects. My
> experiences so far with support are great as well. I had some problems
> with the software installation on Saturday. I posted a message to
> support@fsl.com and received an immediate solution within 10 minutes.
> I'm serious, it was 10 minutes and on a Saturday.
>
> I can't say enough about this product. I'm posting my experiences here
> because this list is where I first saw the product announcement and I
> believe any site running MailScanner can benefit from this package.
> It's reasonably priced, great support, and can actually save you money
> with the reduction in hardware alone. It's also easy to install and
> easy to take in and out. They'll also let you demo it.
>
> I know this comes off sounding like a sales pitch but it's hard to
> describe the experience without sounding like one. It really is an
> amazing product.
>
>
> Richard Lynch
> WVNET

--
Later

Mogens Melander
+45 40 85 71 38
+66 870 133 224

From febrianto at sioenasia.com Tue Jul 24 04:20:08 2007
From: febrianto at sioenasia.com (Budi Febrianto)
Date: Tue Jul 24 04:14:24 2007
Subject: BarricadeMX experiences
In-Reply-To: <1782.90.184.16.67.1185246271.squirrel@mail.fumlersoft.dk>
Message-ID:

mailscanner-bounces@lists.mailscanner.info wrote on 07-24-2007 10:04:31 AM:

> And what was your question ??
>
> On Tue, July 24, 2007 03:20, Richard Lynch wrote:
> >
> > Note: I am not affiliated with Fort Systems Ltd in any way -- only as a
> > satisfied customer.
> >
> > I spent this past weekend installing BarricadeMX on our MailScanner

I believe this is not a question, but a testimony about BarricadeMX, and
a positive one.

From dave.list at pixelhammer.com Tue Jul 24 04:37:22 2007
From: dave.list at pixelhammer.com (DAve)
Date: Tue Jul 24 04:38:54 2007
Subject: BarricadeMX experiences
In-Reply-To: <1782.90.184.16.67.1185246271.squirrel@mail.fumlersoft.dk>
References: <46A553ED.3020505@mail.wvnet.edu> <1782.90.184.16.67.1185246271.squirrel@mail.fumlersoft.dk>
Message-ID: <46A573F2.6010906@pixelhammer.com>

Mogens Melander wrote:
> And what was your question ??
>
> On Tue, July 24, 2007 03:20, Richard Lynch wrote:
>> Note: I am not affiliated with Fort Systems Ltd in any way -- only as a
>> satisfied customer.

I found it informative. Since I am in the middle of planning our mail
gateway replacements, I also found it timely.

I am always interested in anything that works well with MailScanner to
stop the insidious onslaught of foul spam from those wretched heathens,
may they rot from the diseases of the eighth circle of hell with the
other falsifiers for their sins... uh sorry, I digress.

DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.

From dave.list at pixelhammer.com Tue Jul 24 04:39:05 2007
From: dave.list at pixelhammer.com (DAve)
Date: Tue Jul 24 04:40:29 2007
Subject: BarricadeMX experiences
In-Reply-To: <46A553ED.3020505@mail.wvnet.edu>
References: <46A553ED.3020505@mail.wvnet.edu>
Message-ID: <46A57459.7070407@pixelhammer.com>

Richard Lynch wrote:
>
> Note: I am not affiliated with Fort Systems Ltd in any way -- only as a
> satisfied customer.

> I can't say enough about this product. I'm posting my experiences here
> because this list is where I first saw the product announcement and I
> believe any site running MailScanner can benefit from this package.
> It's reasonably priced, great support, and can actually save you money
> with the reduction in hardware alone. It's also easy to install and
> easy to take in and out. They'll also let you demo it.

> I know this comes off sounding like a sales pitch but it's hard to
> describe the experience without sounding like one. It really is an
> amazing product.
>
>
> Richard Lynch
> WVNET

How is it doing with the new attachment spams like PDF and XLS?

DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.

From mogens at fumlersoft.dk Tue Jul 24 05:04:31 2007
From: mogens at fumlersoft.dk (Mogens Melander)
Date: Tue Jul 24 05:03:04 2007
Subject: BarricadeMX experiences
In-Reply-To: <46A573F2.6010906@pixelhammer.com>
References: <46A553ED.3020505@mail.wvnet.edu> <1782.90.184.16.67.1185246271.squirrel@mail.fumlersoft.dk> <46A573F2.6010906@pixelhammer.com>
Message-ID: <1898.90.184.16.67.1185249871.squirrel@mail.fumlersoft.dk>

On Tue, July 24, 2007 05:37, DAve wrote:
> Mogens Melander wrote:
>> And what was your question ??
>>
>> On Tue, July 24, 2007 03:20, Richard Lynch wrote:
>>> Note: I am not affiliated with Fort Systems Ltd in any way -- only as a
>>> satisfied customer.
>
> I found it informative. Since I am in the middle of planning our mail
> gateway replacements, I also found it timely.
>
> I am always interested in anything that works well with MailScanner to
> stop the insidious onslaught of foul spam from those wretched heathens,
> may they rot from the diseases of the eighth circle of hell with the
> other falsifiers for their sins... uh sorry, I digress.

Auch, ok, calm down. I was just (trying to) being funny 8^)

From itdept at fractalweb.com Tue Jul 24 07:19:59 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Tue Jul 24 07:20:09 2007
Subject: anyone use the "malware block list"?
In-Reply-To: <1712.90.184.16.67.1185244385.squirrel@mail.fumlersoft.dk>
References: <46A530FA.9010407@fractalweb.com> <1712.90.184.16.67.1185244385.squirrel@mail.fumlersoft.dk>
Message-ID: <46A59A0F.9060504@fractalweb.com>

Mogens Melander wrote:
> Yes , i have something in my /etc/mail/access
>
> com.br ERROR:"550 Reject : com.br - Spam source"
>
> That one seems to cach a lot :)

*ahem*. Aren't you just blocking every commercial site from Brazil then?
Seems like you might get a lot of false positives with that.

From martinh at solidstatelogic.com Tue Jul 24 08:27:07 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Jul 24 08:27:21 2007
Subject: Fake MX records
In-Reply-To:
Message-ID: <3dbdbbaa490e3b438d169c57776afa18@solidstatelogic.com>

Hugo

Yeah I don't seem to have seen much drop in traffic over the last 18
hours, but I'll keep an eye out..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Hugo van der Kooij
> Sent: 23 July 2007 19:12
> To: MailScanner discussion
> Subject: Re: Fake MX records
>
> On Mon, 23 Jul 2007, Martin.Hepworth wrote:
>
> > http://wiki.apache.org/spamassassin/OtherTricks (Fake MX Record)
> >
> > on the SA-users list.
> >
> > Looks very useful, anyone here using this technique?
>
> I use it partially. MX 10 is me. MX 100 is for backups. MX 1000 is me
> again as spammers favored the highest MX (lowest priority) to bypass
> (RBL) filters. Now they seem to take them at random and ignore the
> priorities.
>
> Hugo.
>
> --
> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
> This message is using 100% recycled electrons.
>
> Some men see computers as they are and say "Windows"
> I use computers with Linux and say "Why Windows?"
> (Thanks JFK, for the insight.)

From fajarep at simplimobile.com Tue Jul 24 08:41:09 2007
From: fajarep at simplimobile.com (Fajar)
Date: Tue Jul 24 08:41:39 2007
Subject: Problem with MailWatch Logging
References: <3dbdbbaa490e3b438d169c57776afa18@solidstatelogic.com>
Message-ID: <139901c7cdc6$0117bca0$0a0a0aac@Fajar>

Sorry if I'm posting in wrong mailing list, maybe someone can help me.

I think I mess with /linux mailscanner installation, when I'm adding
mailwatch.pm into custom function, the message not logged into database.
I saw this message :

Could not use Custom Function code MailScanner::CustomConfig::InitMailWatchLogging, it could not be "eval"ed. Make sure the module is correct with perl -wc

Can someone point me how to solve this?

Thanks in advance.

Fajar

From uxbod at splatnix.net Tue Jul 24 08:53:20 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 24 08:52:19 2007
Subject: Problem with MailWatch Logging
In-Reply-To: <139901c7cdc6$0117bca0$0a0a0aac@Fajar>
Message-ID: <16679909.1351185263600966.JavaMail.root@office.splatnix.net>

What directory did you put MailWatch.pm in ?

----- Original Message -----
From: "Fajar"
To: "MailScanner discussion"
Sent: Tuesday, July 24, 2007 8:41:09 AM (GMT) Europe/London
Subject: Problem with MailWatch Logging

Sorry if I'm posting in wrong mailing list, maybe someone can help me.

I think I mess with /linux mailscanner installation, when I'm adding
mailwatch.pm into custom function, the message not logged into database.
I saw this message :

Could not use Custom Function code MailScanner::CustomConfig::InitMailWatchLogging, it could not be "eval"ed. Make sure the module is correct with perl -wc

Can someone point me how to solve this?

Thanks in advance.

Fajar

From mogens at fumlersoft.dk Tue Jul 24 08:54:07 2007
From: mogens at fumlersoft.dk (Mogens Melander)
Date: Tue Jul 24 08:52:45 2007
Subject: anyone use the "malware block list"?
In-Reply-To: <46A59A0F.9060504@fractalweb.com>
References: <46A530FA.9010407@fractalweb.com> <1712.90.184.16.67.1185244385.squirrel@mail.fumlersoft.dk> <46A59A0F.9060504@fractalweb.com>
Message-ID: <3941.90.184.16.67.1185263647.squirrel@mail.fumlersoft.dk>

On Tue, July 24, 2007 08:19, Chris Yuzik wrote:
> Mogens Melander wrote:
>> Yes, I have something in my /etc/mail/access
>>
>> com.br ERROR:"550 Reject : com.br - Spam source"
>>
>> That one seems to catch a lot :)
>
> *ahem*. Aren't you just blocking every commercial site from Brazil then?

Yes, and?

> Seems like you might get a lot of false positives with that.

Nobody in com.br would have legit reasons to send e-mail this way, so no.

And there is "a lot" of junk coming from there. This rule gets hit a
couple hundred times a day.

--
Later

Mogens Melander
+45 40 85 71 38
+66 870 133 224

From mailscanner at barendse.to Tue Jul 24 09:05:25 2007
From: mailscanner at barendse.to (Remco Barendse)
Date: Tue Jul 24 09:05:41 2007
Subject: Still getting false oversized ZIP
Message-ID:

Hi list!

I am still getting message that zip files sent are oversized and therefore
blocked, if I remember correctly it was due to clam giving false
positives.

I will google for the solution, but maybe in the meantime it would be nice
to disable the feature of scanning for oversized zip files by default in
MailScanner?

Cheers!
Remco

From glenn.steen at gmail.com Tue Jul 24 09:06:30 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 24 09:06:33 2007
Subject: BarricadeMX experiences
In-Reply-To: <1898.90.184.16.67.1185249871.squirrel@mail.fumlersoft.dk>
References: <46A553ED.3020505@mail.wvnet.edu> <1782.90.184.16.67.1185246271.squirrel@mail.fumlersoft.dk> <46A573F2.6010906@pixelhammer.com> <1898.90.184.16.67.1185249871.squirrel@mail.fumlersoft.dk>
Message-ID: <223f97700707240106k6c1588c5pd5b44cfbbbf2e37d@mail.gmail.com>

On 24/07/07, Mogens Melander wrote:
>
> On Tue, July 24, 2007 05:37, DAve wrote:
> > Mogens Melander wrote:
> >> And what was your question ??
> >>
> >> On Tue, July 24, 2007 03:20, Richard Lynch wrote:
> >>> Note: I am not affiliated with Fort Systems Ltd in any way -- only as a
> >>> satisfied customer.
> >
> > I found it informative. Since I am in the middle of planning our mail
> > gateway replacements, I also found it timely.
> >
> > I am always interested in anything that works well with MailScanner to
> > stop the insidious onslaught of foul spam from those wretched heathens,
> > may they rot from the diseases of the eighth circle of hell with the
> > other falsifiers for their sins... uh sorry, I digress.
>
> Auch, ok, calm down. I was just (trying to) being funny 8^)
>

Always dangerous to do early a Tuesday morning Mogens;-).
I too found this interesting, and would very much like Richard to tell
us what kind of drop (in a general "thumb-and-finger" manner) in
incoming mails he has seen. Perhaps give it a few days to get a feel
....

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From fajarep at simplimobile.com Tue Jul 24 09:06:03 2007
From: fajarep at simplimobile.com (Fajar)
Date: Tue Jul 24 09:09:59 2007
Subject: Problem with MailWatch Logging
References: <16679909.1351185263600966.JavaMail.root@office.splatnix.net>
Message-ID: <13b701c7cdc9$7e982810$0a0a0aac@Fajar>

I put the file in this location :
/usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm

----- Original Message -----
From: "UxBoD"
To: "MailScanner discussion"
Sent: Tuesday, July 24, 2007 2:53 PM
Subject: Re: Problem with MailWatch Logging

> What directory did you put MailWatch.pm in ?
> ----- Original Message -----
> From: "Fajar"
> To: "MailScanner discussion"
> Sent: Tuesday, July 24, 2007 8:41:09 AM (GMT) Europe/London
> Subject: Problem with MailWatch Logging
>
> Sorry if I'm posting in wrong mailing list, maybe someone can help me.
>
> I think I mess with /linux mailscanner installation, when I'm adding
> mailwatch.pm into custom function,
> the message not logged into database. I saw this message :
> Could not use Custom Function code
> MailScanner::CustomConfig::InitMailWatchLogging, it could not be "eval"ed.
> Make sure the module is correct with perl -wc
> Can someone point me how to solve this?
>
> Thanks in advance.
>
> Fajar

From glenn.steen at gmail.com Tue Jul 24 09:13:02 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 24 09:13:04 2007
Subject: Fake MX records
In-Reply-To: <1533.90.184.16.67.1185239462.squirrel@mail.fumlersoft.dk>
References: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com> <1533.90.184.16.67.1185239462.squirrel@mail.fumlersoft.dk>
Message-ID: <223f97700707240113s3f845e3dsd5b6cbdba049d1e6@mail.gmail.com>

On 24/07/07, Mogens Melander wrote:
>
> On Mon, July 23, 2007 20:12, Hugo van der Kooij wrote:
> > On Mon, 23 Jul 2007, Martin.Hepworth wrote:
> >
> >> http://wiki.apache.org/spamassassin/OtherTricks (Fake MX Record)
> >>
> >> on the SA-users list.
> >>
> >> Looks very useful, anyone here using this technique?
> >
> > I use it partially. MX 10 is me. MX 100 is for backups. MX 1000 is me
> > again as spammers favored the highest MX (lowest priority) to bypass
> > (RBL) filters. Now they seem to take them at random and ignore the
> > priorities.
> >
>
> I was thinking about a "thingy" that would query sender's MX if
> sender was valid (accept mail to sender) but I don't like to
> waste too much bandwidth on an already crowded internet, so I'm
> still thinking. This "Fake MX" would of course break this idea,
> unless I'd make it retry until all MX's been "tasted", adding
> more traffic to the pool. But this could be done at MTA level,
> and thus, not be too expensive.
>
> As I'm not a perl/C hacker, I'll limit my tests to PHP, but
> if/when implemented, I'd be happy to share my results.
>

Um.... Do you mean something like Sender Address Verification? As done
in milter-sender, smf-sav, postfix "natively"
(http://www.postfix.org/ADDRESS_VERIFICATION_README.html) .... I don't
think you need waste time writing another. Or would yours do something
extreme and different?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Jul 24 09:19:15 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 24 09:19:18 2007
Subject: Problem with MailWatch Logging
In-Reply-To: <139901c7cdc6$0117bca0$0a0a0aac@Fajar>
References: <3dbdbbaa490e3b438d169c57776afa18@solidstatelogic.com> <139901c7cdc6$0117bca0$0a0a0aac@Fajar>
Message-ID: <223f97700707240119ge362e8bh10c4a99a9b62eddf@mail.gmail.com>

On 24/07/07, Fajar wrote:
> Sorry if I'm posting in wrong mailing list, maybe someone can help me.

Yes, this is the wrong forum. MailWatch has its own (very) active list.

> I think I mess with /linux mailscanner installation, when I'm adding
> mailwatch.pm into custom function,
> the message not logged into database. I saw this message :
> Could not use Custom Function code
> MailScanner::CustomConfig::InitMailWatchLogging, it could not be "eval"ed.
> Make sure the module is correct with perl -wc
> Can someone point me how to solve this?

A few things come to mind:
- Did you try checking your module with "perl -wc /path/to/MailWatch.pm"?
  What did it say?
- Do you perhaps run your MTA (perhaps Postfix?) as a normal (non-root)
  user? In that case, have you checked that that user actually can read
  the file where it's at?
- Did you perhaps edit the MailWatch.pm file in the CustomConfig
  directory? If so, check that your editor hasn't put some
  backup/checkpoint file in that directory... Some are famous for doing
  that .... like emacs...

Let's start there and see where we go

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Jul 24 09:23:07 2007
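[Added example, not part of the original thread and not MailScanner or MailWatch code: the three checks listed in the message above (perl -wc syntax check, readability by a non-root user, stray editor files in the Custom Functions directory) as one script. It assumes modules end in .pm and approximates "readable by the MTA user" with the world-readable permission bit.]

```shell
#!/bin/sh
# Added example: pre-flight checks for a MailScanner Custom Functions
# directory. Assumptions: modules end in .pm; "readable by the MTA user"
# is approximated by the world-readable bit (directories on the path
# also need search permission, which is not checked here).

# 1. Modules that fail "perl -wc". Warnings alone do not fail the check,
#    only a non-zero exit status from perl does.
syntax_failures() {
    for f in "$1"/*.pm; do
        [ -f "$f" ] || continue
        perl -wc "$f" >/dev/null 2>&1 || printf '%s\n' "$f"
    done
}

# 2. Modules that a non-root user could not read.
unreadable_modules() {
    find "$1" -maxdepth 1 -type f -name '*.pm' ! -perm -004 -print
}

# 3. Anything that is not a *.pm file: editor backups (MailWatch.pm~),
#    autosaves (#MailWatch.pm#) and lock files (.#MailWatch.pm).
stray_files() {
    for f in "$1"/* "$1"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        case ${f##*/} in
            *.pm) ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Run all three checks; return 0 only when nothing was reported.
check_custom_functions() {
    dir=$1
    status=0
    if command -v perl >/dev/null 2>&1; then
        out=$(syntax_failures "$dir")
        [ -z "$out" ] || { printf 'fails perl -wc:\n%s\n' "$out"; status=1; }
    else
        echo 'perl not found, syntax check skipped' >&2
    fi
    out=$(unreadable_modules "$dir")
    [ -z "$out" ] || { printf 'not world-readable:\n%s\n' "$out"; status=1; }
    out=$(stray_files "$dir")
    [ -z "$out" ] || { printf 'stray files:\n%s\n' "$out"; status=1; }
    return "$status"
}

# Stand-alone use: sh check.sh /path/to/CustomFunctions
if [ "$#" -gt 0 ]; then
    check_custom_functions "$1"
fi
```
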
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 24 09:23:10 2007
Subject: anyone use the "malware block list"?
In-Reply-To: <46A59A0F.9060504@fractalweb.com>
References: <46A530FA.9010407@fractalweb.com> <1712.90.184.16.67.1185244385.squirrel@mail.fumlersoft.dk> <46A59A0F.9060504@fractalweb.com>
Message-ID: <223f97700707240123i744c2676j2d0743bcf5711dc5@mail.gmail.com>

On 24/07/07, Chris Yuzik wrote:
> Mogens Melander wrote:
> > Yes, I have something in my /etc/mail/access
> >
> > com.br ERROR:"550 Reject : com.br - Spam source"
> >
> > That one seems to catch a lot :)
>
> *ahem*. Aren't you just blocking every commercial site from Brazil then?
> Seems like you might get a lot of false positives with that.

In Denmark, not that many companies have ties to Brazil, I imagine...
So this is just Mogens challenging Noel (Res) for the Evil Bunny Of
The Month awards;-):-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From uxbod at splatnix.net Tue Jul 24 09:25:27 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 24 09:24:32 2007
Subject: Problem with MailWatch Logging
In-Reply-To: <13b701c7cdc9$7e982810$0a0a0aac@Fajar>
Message-ID: <20922080.1411185265527691.JavaMail.root@office.splatnix.net>

What result do you get if you do perl -wc /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm ?

----- Original Message -----
From: "Fajar"
To: "MailScanner discussion"
Sent: Tuesday, July 24, 2007 9:06:03 AM (GMT) Europe/London
Subject: Re: Problem with MailWatch Logging

I put the file in this location :
/usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm

----- Original Message -----
From: "UxBoD"
To: "MailScanner discussion"
Sent: Tuesday, July 24, 2007 2:53 PM
Subject: Re: Problem with MailWatch Logging

> What directory did you put MailWatch.pm in ?
> ----- Original Message -----
> From: "Fajar"
> To: "MailScanner discussion"
> Sent: Tuesday, July 24, 2007 8:41:09 AM (GMT) Europe/London
> Subject: Problem with MailWatch Logging
>
> Sorry if I'm posting in wrong mailing list, maybe someone can help me.
>
> I think I mess with /linux mailscanner installation, when I'm adding
> mailwatch.pm into custom function,
> the message not logged into database. I saw this message :
> Could not use Custom Function code
> MailScanner::CustomConfig::InitMailWatchLogging, it could not be "eval"ed.
> Make sure the module is correct with perl -wc
> Can someone point me how to solve this?
>
> Thanks in advance.
>
> Fajar

From list-mailscanner at linguaphone.com Tue Jul 24 09:25:23 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Tue Jul 24 09:25:29 2007
Subject: postfix rbl checks [fixed]
In-Reply-To: <1185184118.31112.7.camel@gblades-suse.linguaphone-intranet.co.uk>
References: <1185184118.31112.7.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID: <1185265522.1146.23.camel@gblades-suse.linguaphone-intranet.co.uk>

On Mon, 2007-07-23 at 10:48, Gareth wrote:
> I have been checking the RBL stats using mailwatch and the NJABL one
> looks like it will reject about 50% of the spam we receive with no false
> positives.
>
> In my postfix configuration I had the line :-
>
> smtpd_recipient_restrictions = permit_mynetworks,
> reject_unauth_destination, reject_unknown_recipient_domain,
> reject_unverified_recipient
>
> I changed this to :-
>
> smtpd_recipient_restrictions = permit_mynetworks,
> reject_unauth_destination, reject_unknown_recipient_domain,
> reject_unverified_recipient, reject_rbl_client dnsbl.njabl.org
>
> However after restarting postfix it is not working. Spam is still being
> accepted and mailscanner is matching some against the NJABL RBL.
>
> Any ideas what is going wrong?

Fixed the problem.
dnsbl.njabl.org does not include their dialup list. For this you need to
use their separate entry or do as I did and use combined.njabl.org.

From fajarep at simplimobile.com Tue Jul 24 09:35:10 2007
From: fajarep at simplimobile.com (Fajar)
Date: Tue Jul 24 09:36:25 2007
Subject: Problem with MailWatch Logging
References: <20922080.1411185265527691.JavaMail.root@office.splatnix.net>
Message-ID: <13ca01c7cdcd$8d1805a0$0a0a0aac@Fajar>

Here is the permission of file, and response of perl -wc :
# ls -l /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm
-rw-r--r-- 1 root root 10881 Jul 24 14:13 /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm
# perl -wc /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm
Useless use of private variable in void context at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 248.
/usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm syntax OK

----- Original Message -----
From: "UxBoD"
To: "MailScanner discussion"
Sent: Tuesday, July 24, 2007 3:25 PM
Subject: Re: Problem with MailWatch Logging

> What result do you get if you do perl -wc
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm ?
> ----- Original Message -----
> From: "Fajar"
> To: "MailScanner discussion"
> Sent: Tuesday, July 24, 2007 9:06:03 AM (GMT) Europe/London
> Subject: Re: Problem with MailWatch Logging
>
> I put in this the file on this location :
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm
>
> ----- Original Message -----
> From: "UxBoD"
> To: "MailScanner discussion"
> Sent: Tuesday, July 24, 2007 2:53 PM
> Subject: Re: Problem with MailWatch Logging
>
>> What directory did you put MailWatch.pm in ?
>> ----- Original Message -----
>> From: "Fajar"
>> To: "MailScanner discussion"
>> Sent: Tuesday, July 24, 2007 8:41:09 AM (GMT) Europe/London
>> Subject: Problem with MailWatch Logging
>>
>> Sorry if I'm posting in wrong mailing list, maybe someone can help me.
>>
>> I think I mess with /linux mailscanner installation, when I'm adding
>> mailwatch.pm into custom function,
>> the message not logged into database. I saw this message :
>> Could not use Custom Function code
>> MailScanner::CustomConfig::InitMailWatchLogging, it could not be
>> "eval"ed.
>> Make sure the module is correct with perl -wc
>> Can someone point me how to solve this?
>>
>> Thanks in advance.
>>
>> Fajar

From glenn.steen at gmail.com Tue Jul 24 09:36:38 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 24 09:36:40 2007
Subject: Still getting false oversized ZIP
In-Reply-To:
References:
Message-ID: <223f97700707240136x24f09abcq6c2ac4d769fa0336@mail.gmail.com>

On 24/07/07, Remco Barendse wrote:
> Hi list!
>
> I am still getting message that zip files sent are oversized and therefore
> blocked, if i remember correctly it was due to clam giving false
> positives.
>
> I will google for the solution, but maybe in the meantime it would be nice
> to disable the feature of scanning for oversized zip files by default in
> MailScanner?

Not really, this is solely a clamav problem, AFAICS.
Did you upgrade clam recently? Perhaps skipping a few versions? What version _do_ you use?
Do you use ClamAVModule? Did you relink it (perhaps by "force") after the (possible) clamav upgrade?
Did you adjust the max compression ratio setting (upwards) in MailScanner.conf?
So many questions...:-)
BTW, one more... Aren't you on Solaris or something? My memory isn't that good, perhaps you should tell more about your setup:-).

> Cheers!

Indeed!

> Remco

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Jul 24 09:50:06 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 24 09:50:10 2007
Subject: Problem with MailWatch Logging
In-Reply-To: <13ca01c7cdcd$8d1805a0$0a0a0aac@Fajar>
References: <20922080.1411185265527691.JavaMail.root@office.splatnix.net> <13ca01c7cdcd$8d1805a0$0a0a0aac@Fajar>
Message-ID: <223f97700707240150l56c0276dl8cc12ef1b5ea978d@mail.gmail.com>

On 24/07/07, Fajar wrote:
> Here is the permission of file, and response of perl -wc :
> # ls -l /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm
> -rw-r--r-- 1 root root 10881 Jul 24 14:13
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm
> # perl -wc /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm
> Useless use of private variable in void context at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 248.
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm syntax OK
>

Fajar, I just did a little search of my private archives (that happen to cover a few years of MailScanner list:-), and if I'm not mistaken... you indeed are using Postfix. So, redo the perl -wc _as the postfix user_ ... "su - postfix -s /bin/bash" should get you a shell to do it in.
Of course, I might be mistaken:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From fajarep at simplimobile.com Tue Jul 24 09:57:39 2007
From: fajarep at simplimobile.com (Fajar)
Date: Tue Jul 24 09:57:55 2007
Subject: Problem with MailWatch Logging
References: <20922080.1411185265527691.JavaMail.root@office.splatnix.net><13ca01c7cdcd$8d1805a0$0a0a0aac@Fajar> <223f97700707240150l56c0276dl8cc12ef1b5ea978d@mail.gmail.com>
Message-ID: <140201c7cdd0$b2dd55d0$0a0a0aac@Fajar>

# su - postfix -s /bin/bash
$ perl -wc /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm
Useless use of private variable in void context at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 248.
/usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm syntax OK

same message like root user

Thanks.
Fajar

From uxbod at splatnix.net Tue Jul 24 10:03:08 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 24 10:03:07 2007
Subject: Problem with MailWatch Logging
In-Reply-To: <13ca01c7cdcd$8d1805a0$0a0a0aac@Fajar>
Message-ID: <3844932.1561185267788911.JavaMail.root@office.splatnix.net>

Do you have the Perl Storable module installed ? What O/S are you on ?

From ms-list at alexb.ch Tue Jul 24 10:05:21 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Jul 24 10:05:31 2007
Subject: postfix rbl checks [fixed]
In-Reply-To: <1185265522.1146.23.camel@gblades-suse.linguaphone-intranet.co.uk>
References: <1185184118.31112.7.camel@gblades-suse.linguaphone-intranet.co.uk> <1185265522.1146.23.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID: <46A5C0D1.5000302@alexb.ch>

On 7/24/2007 10:25 AM, Gareth wrote:
> On Mon, 2007-07-23 at 10:48, Gareth wrote:
>> I have been checking the RBL stats using mailwatch and the NJABL one
>> looks like it will reject about 50% of the spam we receive with no false
>> positives.
>>
>> In my postfix configuration I had the line :-
>>
>> smtpd_recipient_restrictions = permit_mynetworks,
>> reject_unauth_destination, reject_unknown_recipient_domain,
>> reject_unverified_recipient
>>
>> I changed this to :-
>>
>> smtpd_recipient_restrictions = permit_mynetworks,
>> reject_unauth_destination, reject_unknown_recipient_domain,
>> reject_unverified_recipient, reject_rbl_client dnsbl.njabl.org
>>
>> However after restarting postfix it is not working. Spam is still being
>> accepted and mailscanner is matching some against the NJABL RBL.
>>
>> Any ideas what is going wrong?
>
> Fixed the problem. dnsbl.njabl.org does not include their dialup list.
> For this you need to use their separate entry or do as I did and use
> combined.njabl.org.
>

afaik: the njabl dialup list is "obsolete", not maintained and has been integrated into Spamhaus' PBL (which is maintained)

Alex

From fajarep at simplimobile.com Tue Jul 24 10:23:13 2007
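The lookup behind `reject_rbl_client`, as an added example that is not part of the original posts: the client address is reversed, prepended to the zone, and any A record in the answer counts as "listed", so an address carried only by the dial-up data passes `dnsbl.njabl.org` but is rejected via `combined.njabl.org`. The stub resolver, the documentation-range addresses and the 127.0.0.x answers are constructed so the script runs offline; `host_lookup` is an optional real-DNS resolver that assumes the `host` utility is installed.

```shell
#!/bin/sh
# Added example: the DNS lookup behind "reject_rbl_client <zone>".
# All zone data below is CONSTRUCTED for illustration; it is not real
# NJABL data. 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.

# Build the query name: 192.0.2.10 + zone -> 10.2.0.192.<zone>
dnsbl_qname() {
    ip=$1
    zone=$2
    case $ip in
        ''|*[!0-9.]*|*..*|.*|*.) return 2 ;;   # not a dotted quad
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 2
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 2
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Stand-in resolver with constructed data: 192.0.2.10 is listed in both
# zones, 198.51.100.7 (a dial-up address) only in the combined zone.
stub_lookup() {
    case $1 in
        10.2.0.192.dnsbl.njabl.org)      echo 127.0.0.2 ;;
        10.2.0.192.combined.njabl.org)   echo 127.0.0.2 ;;
        7.100.51.198.combined.njabl.org) echo 127.0.0.3 ;;
        *) return 1 ;;                   # NXDOMAIN: not listed
    esac
}

# Real resolver; needs network access. Select it with RESOLVER=host_lookup.
host_lookup() {
    host -t A "$1" 2>/dev/null |
        awk '/has address/ { print $NF; found = 1 } END { exit !found }'
}

RESOLVER=${RESOLVER:-stub_lookup}

# rbl_verdict IP ZONE[=A.B.C.D]
# Prints "reject <answer>" or "pass". With "=A.B.C.D" only that exact
# answer counts, as in Postfix's "reject_rbl_client zone=d.d.d.d" form.
rbl_verdict() {
    v_ip=$1
    v_spec=$2
    v_zone=${v_spec%%=*}
    want=
    case $v_spec in
        *=*) want=${v_spec#*=} ;;
    esac
    qname=$(dnsbl_qname "$v_ip" "$v_zone") || { echo "error"; return 2; }
    for answer in $("$RESOLVER" "$qname"); do
        if [ -z "$want" ] || [ "$answer" = "$want" ]; then
            echo "reject $answer"
            return 0
        fi
    done
    echo "pass"
    return 1
}

# Demo: the same dial-up client against the zones discussed in the thread.
for spec in dnsbl.njabl.org combined.njabl.org combined.njabl.org=127.0.0.2; do
    printf '%-13s %-30s %s\n' 198.51.100.7 "$spec" \
        "$(rbl_verdict 198.51.100.7 "$spec")"
done
```

Running the same check against a few addresses from rejected and accepted mail before editing `smtpd_recipient_restrictions` shows whether a zone actually covers the traffic the RBL statistics were measured on.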
From: fajarep at simplimobile.com (Fajar)
Date: Tue Jul 24 10:23:29 2007
Subject: Problem with MailWatch Logging [SOLVED]
References: <3844932.1561185267788911.JavaMail.root@office.splatnix.net>
Message-ID: <142901c7cdd4$439de2d0$0a0a0aac@Fajar>

Thanks for the reply..
After reinstall perl Storable module, and still not working, i'm searching again through google, and i found that i don't have perl DBD mysql. After install it. It running fine now.

Thanks for the help...

Fajar

From uxbod at splatnix.net Tue Jul 24 10:38:33 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 24 10:38:26 2007
Subject: Problem with MailWatch Logging [SOLVED]
In-Reply-To: <142901c7cdd4$439de2d0$0a0a0aac@Fajar>
Message-ID: <2344949.1591185269913301.JavaMail.root@office.splatnix.net>

Cool, that was my next one :D

From mogens at fumlersoft.dk Tue Jul 24 11:03:16 2007
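The syntax check in this thread passed for both root and postfix although DBD::mysql was absent: `perl -wc` only compiles the file, and DBI loads a `DBD::*` driver when a connection is opened, so a missing driver does not show up there. The script below is an added example, not part of the thread or of MailWatch, that loads each dependency explicitly; the script name and the module list in the usage comment (DBI, DBD::mysql, Storable) are assumptions drawn from the modules named above.

```shell
#!/bin/sh
# Added example: confirm that Perl modules really load for the current
# user, which a "perl -c" syntax check of the calling module does not prove.
#
# Typical use, from the shell opened by "su - postfix -s /bin/bash"
# (script name is hypothetical):
#   sh check_perl_modules.sh DBI DBD::mysql Storable

PERL=${PERL:-perl}

# Accept only Foo::Bar style names so nothing else is passed to perl -e.
valid_module_name() {
    case $1 in
        ''|*[!A-Za-z0-9_:]*) return 1 ;;
    esac
}

# Print "missing: <name>" for every module that cannot be loaded and
# "invalid: <name>" for anything that is not a module name.
# Exit status is 0 only when every module loads.
perl_missing_modules() {
    rc=0
    for mod in "$@"; do
        if ! valid_module_name "$mod"; then
            echo "invalid: $mod"
            rc=1
        elif ! "$PERL" -e "require $mod;" >/dev/null 2>&1; then
            echo "missing: $mod"
            rc=1
        fi
    done
    return $rc
}

# Print the file a module is loaded from. Comparing this between root and
# the service account shows whether both see the same installation.
perl_module_path() {
    valid_module_name "$1" || return 2
    key=$(printf '%s' "$1" | sed 's|::|/|g').pm
    "$PERL" -e "require $1; print \$INC{'$key'}, qq{\n};" 2>/dev/null
}

# When called with arguments, check them and report.
if [ $# -gt 0 ]; then
    perl_missing_modules "$@"
fi
```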
From: mogens at fumlersoft.dk (Mogens Melander)
Date: Tue Jul 24 11:01:52 2007
Subject: Fake MX records
In-Reply-To: <223f97700707240113s3f845e3dsd5b6cbdba049d1e6@mail.gmail.com>
References: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com> <1533.90.184.16.67.1185239462.squirrel@mail.fumlersoft.dk> <223f97700707240113s3f845e3dsd5b6cbdba049d1e6@mail.gmail.com>
Message-ID: <4834.90.184.16.67.1185271396.squirrel@mail.fumlersoft.dk>

On Tue, July 24, 2007 10:13, Glenn Steen wrote:
> On 24/07/07, Mogens Melander wrote:
>>
>> On Mon, July 23, 2007 20:12, Hugo van der Kooij wrote:
>> > On Mon, 23 Jul 2007, Martin.Hepworth wrote:
>> >
>> >> http://wiki.apache.org/spamassassin/OtherTricks (Fake MX Record)
>> >>
>> >> on the SA-users list.
>> >>
>> >> Looks very useful, anyone here using this technique?
>> >
>> > I use it partially. MX 10 is me. MX 100 is for backups. MX 1000 is me
>> > again as spammers favored the highest MX (lowest priority) to bypass
>> > (RBL) filters. Now they seem to take them at random and ignore the
>> > priorities.
>> >
>>
>> I was thinking about a "thingy" that would query senders MX if
>> sender was valid (accept mail to sender) but i don't like to
>> waste too much bandwidth on an already crowded internet, so i'm
>> still thinking. This "Fake MX" would of course break this idea,
>> unless i'd make it retry until all MX's been "tasted", adding
>> more traffic to the pool. But this could be done at MTA level,
>> and thus, not be too expensive.
>>
>> As i'm not a perl/C hacker, i'll limit my tests to PHP, but
>> if/when implemented, i'd be happy to share my results.
>>
> Um.... Do you mean something like Sender Address Verification? As done
> in milter-sender, smf-sav, postfix "natively"
> (http://www.postfix.org/ADDRESS_VERIFICATION_README.html) .... favourite MTA function for this:-)>

Well, i didn't think i invented "the wheel", but i would like to develop my own platform to play with.

> I don't think you need waste time writing another. Or would yours do
> something extreme and different?

Having had a sneak view into my /etc/mail/access you might guess that i had something extreme in mind, like counting hits from purely virtual senders, and adding them to either access file, or directly in iptables.

My sendmail is MySQL aware, so i can store those "bad guys" directly in either.

--
Later

Mogens Melander
+45 40 85 71 38
+66 870 133 224

From MailScanner at ecs.soton.ac.uk Tue Jul 24 11:12:00 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 24 11:12:23 2007
Subject: Request for comments 3
In-Reply-To: <1892290.1231185219040748.JavaMail.root@office.splatnix.net>
References: <1892290.1231185219040748.JavaMail.root@office.splatnix.net>
Message-ID: <46A5D070.8050803@ecs.soton.ac.uk>

Well, initial testing is showing it working very well. The aim is that you can have anything in the message (expressed as a SpamAssassin rule) trigger any action on the message, spam or not. So you can archive any message containing particular bits of text anywhere, or you can _not_ deliver any message with a certain bit of text in it.

Say you have all mail copied to an archive, but you want certain sensitive mail of your own (or your boss's) not archived, then you can write an SA rule for some subject keyphrase or piece of text in the body of the message. You can then not archive any mail matching that SA rule.

So the boss could have all his email CC'd to his secretary, except for personal mail containing "private" on the Subject line, or mail coming from his family.

The potential for this really is limited by your imagination, and I believe it could be used to provide very powerful setups.

Jules.

UxBoD wrote:
> Cool. Thanks Jules. Have a great HR application for it :)
> ----- Original Message -----
> From: "Julian Field"
> To: "MailScanner discussion"
> Sent: 23 July 2007 16:49:26 o'clock (GMT) Europe/London
> Subject: Re: Request for comments 3
>
> Eventually yes. I want to get the design and code all working and
> settled for spam first though.
>
> UxBoD wrote:
>
>> Would this new functionality extend to MCP as well Jules ?
>> ----- Original Message -----
>> From: "Julian Field"
>> To: "MailScanner discussion"
>> Sent: Monday, July 23, 2007 4:24:40 PM (GMT) Europe/London
>> Subject: Re: Request for comments 3
>>
>> John Wilcock wrote:
>>
>>> Julian Field wrote:
>>>
>>>> How about this instead?
>>>>
>>>> SpamAssassin Rule Actions = rulename=>action, rulename=>action, ....
>>>>
>>>> the "rulename"s are the names of individual SpamAssassin rules, and
>>>> the "action"s are list those in "Spam Actions". To specify multiple
>>>> actions for a rule, you specify the rulename several times, with one
>>>> action for each. Expressions with SpamAssassin rules are done with
>>>> SpamAssassin meta-rules. If the rule hits, the action is taken.
>>>>
>>>> I'll write a few examples of meta-rules so you can see how to write
>>>> them in spam.assassin.rules.conf or wherever they need to go. Mr
>>>> Kettler, can you correct me on this please?
>>>>
>>>> Does this sound more useful than the previous suggestions?
>>>>
>>> Sounds good, yes.
>>>
>>> Are the actions intended to *replace* the default non spam, spam or
>>> high scoring spam actions, or are they taken in *addition* to those
>>> actions?
>>>
>> In addition.
>>
>>> IMO additional actions would be more flexible, but would need the
>>> ability to negate an action, i.e. take a particular action by default
>>> *unless* such-and-such rule hits.
>>>
>> Hmmm..... That makes life a bit more complicated. If I evaluated them
>> after the existing rules then I should be able to do that. Good point
>> though.
>>
>>> Non Spam Actions = deliver
>>> Spam Actions = deliver,store
>>> High Scoring Spam Actions = store
>>>
>>> SpamAssassin Rule Actions =
>>> MY_BADSPAM_RULE=>not-store,
>>> MY_SPECIAL_RULE=>forward theboss@domain
>>>
>>> John.
>>>
>> Jules
>>
>
> Jules
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From uxbod at splatnix.net Tue Jul 24 11:38:30 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 24 11:37:51 2007
Subject: Request for comments 3
In-Reply-To: <46A5D070.8050803@ecs.soton.ac.uk>
Message-ID: <321796.1741185273510384.JavaMail.root@office.splatnix.net>

That is a similar scenario to what we would use it for, but in ours it would be to protect IPR leaks by scanning for keywords and archiving the mail off. Good work Jules, sounds like a real success. What do you believe is the timeline for first beta ?

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Tuesday, July 24, 2007 11:12:00 AM (GMT) Europe/London
Subject: Re: Request for comments 3

Well, initial testing is showing it working very well. The aim is that
you can have anything in the message (expressed as a SpamAssassin rule)
trigger any action on the message, spam or not. So you can archive any
message containing particular bits of text anywhere, or you can _not_
deliver any message with a certain bit of text in it.

Say you have all mail copied to an archive, but you want certain
sensitive mail of your own (or your boss's) not archived, then you can
write an SA rule for some subject keyphrase or piece of text in the body
of the message. You can then not archive any mail matching that SA rule.

So the boss could have all his email CC'd to his secretary, except for
personal mail containing "private" on the Subject line, or mail coming
from his family.

The potential for this really is limited by your imagination, and I
believe it could be used to provide very powerful setups.

Jules.

UxBoD wrote:
> Cool. Thanks Jules. Have a great HR application for it :)
> ----- Original Message -----
> From: "Julian Field"
> To: "MailScanner discussion"
> Sent: 23 July 2007 16:49:26 o'clock (GMT) Europe/London
> Subject: Re: Request for comments 3
>
> * PGP Signed by an unmatched address: 07/23/07 at 16:49:27
>
> Eventually yes. I want to get the design and code all working and
> settled for spam first though.
>
> UxBoD wrote:
>> Would this new functionality extend to MCP as well Jules ?

From mailscanner at barendse.to Tue Jul 24 12:18:19 2007
From: mailscanner at barendse.to (Remco Barendse)
Date: Tue Jul 24 12:18:33 2007
Subject: Still getting false oversized ZIP
In-Reply-To: <223f97700707240136x24f09abcq6c2ac4d769fa0336@mail.gmail.com>
References: <223f97700707240136x24f09abcq6c2ac4d769fa0336@mail.gmail.com>
Message-ID:

On Tue, 24 Jul 2007, Glenn Steen wrote:

> On 24/07/07, Remco Barendse wrote:
>> Hi list!
>>
>> I am still getting message that zip files sent are oversized and therefore
>> blocked, if i remember correctly it was due to clam giving false
>> positives.
>>
>> I will google for the solution, but maybe in the meantime it would be nice
>> to disable the feature of scanning for oversized zip files by default in
>> MailScanner?
>
> Not really, this is solely a clamav problem, AFAICS.

Yes i am aware of that :) But still i think that in that case the
parameters MS is giving to clam should in this case be default to not
check for 'oversized' zip files. :)

> Did you upgrade clam recently? Perhaps skipping a few version? What
> version _do_ you use? Do you use ClamAVModule? Did you relink it
> (perhaps by "force") after the (possible) clamav upgrade? Did you
> adjust the max compression ratio setting (upwards) in
> MailScanner.conf?

I update clam regularly, am now at the latest version 91.1 and it still
gives me false positives. I already increased max compression rate by 10
times.

> So many questions...:-)
> BTW, one more... Aren't you on Solaris or something? My memory isn't
> that good, perhaps you should tell more about your setup:-).

No, just plain old CentOS 3.x and 4.x boxes :) But the problem really is
with clam.

From dimstef at materials.uoc.gr Tue Jul 24 10:38:11 2007
From: dimstef at materials.uoc.gr (Dimitris Stefanakis)
Date: Tue Jul 24 12:34:02 2007
Subject: SpamAssassin stucked suddenly - Please help
In-Reply-To: <223f97700707230848p2f7601der67e6bc12ba99355e@mail.gmail.com>
References: <46A4CABF.5080603@materials.uoc.gr> <61044509d201744ba9b19d9ddf0c1d9a@solidstatelogic.com> <223f97700707230848p2f7601der67e6bc12ba99355e@mail.gmail.com>
Message-ID: <46A5C883.3070204@materials.uoc.gr>

Good morning (it is morning in Greece!!!). Here I am again.
After some magic tricks I (probably) found the problem:
I use the mailwatch web interface for screening my mails so I went into
the Tools/Links tab and gave Spamassassin Lint (Test).
Some of the suspicious results are the following:

[6506] dbg: config: read file /etc/mail/spamassassin/sa-blacklist.current.cf 10.87366
[6506] dbg: config: read file /etc/mail/spamassassin/sa-blacklist.current.uri.cf 34.90611
[6506] dbg: config: using "/etc/MailScanner/spam.assassin.prefs.conf" for user prefs file 2.90932
[6506] dbg: config: read file /etc/MailScanner/spam.assassin.prefs.conf 1.02871
[6506] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC 6.02605
[6506] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC 22.00475
[6506] dbg: rules: __MO_OL_9B90B merged duplicates: __MO_OL_C65FA 336.70288

I think that the worst result is the last one. Can anybody tell me
what it is?
Thanks for your support.

Glenn Steen wrote:
> On 23/07/07, Martin.Hepworth wrote:
>> Sounds like DNS issues.....
>>
>> What does "spamassassin --lint" give you?
>>
> Could perhaps be bayes expiry problems too(?)... In which case there
> would be a lot of *expire* files in the bayes directory, I guess.
>
> Cheers

From ms-list at alexb.ch Tue Jul 24 12:49:52 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Jul 24 12:50:07 2007
Subject: SpamAssassin stucked suddenly - Please help
In-Reply-To: <46A5C883.3070204@materials.uoc.gr>
References: <46A4CABF.5080603@materials.uoc.gr> <61044509d201744ba9b19d9ddf0c1d9a@solidstatelogic.com> <223f97700707230848p2f7601der67e6bc12ba99355e@mail.gmail.com> <46A5C883.3070204@materials.uoc.gr>
Message-ID: <46A5E760.8070908@alexb.ch>

On 7/24/2007 11:38 AM, Dimitris Stefanakis wrote:
> Good morning (it is morning in Greece!!!). Here I am again.
> After some magic tricks I (probably) found the problem:
> I use the mailwatch web interface for screening my mails so I went into
> the Tools/Links tab and gave Spamassassin Lint (Test).
> Some of the suspicious results are the following:
>
> [6506] dbg: config: read file
> /etc/mail/spamassassin/sa-blacklist.current.cf 10.87366
> [6506] dbg: config: read file
> /etc/mail/spamassassin/sa-blacklist.current.uri.cf 34.90611

get rid of both sa-blacklist* rules. they're huge, memory hogs and have
been replaced by URIDNSBL lookups

> [6506] dbg: config: using "/etc/MailScanner/spam.assassin.prefs.conf"
> for user prefs file 2.90932
> [6506] dbg: config: read file
> /etc/MailScanner/spam.assassin.prefs.conf 1.02871
> [6506] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from
> @INC 6.02605
> [6506] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from
> @INC 22.00475
> [6506] dbg: rules: __MO_OL_9B90B merged duplicates: __MO_OL_C65FA 336.70288

this is ok... duplicate rules after sa-update get merged.

> I think that the worst result is the last one. Can anybody tell me
> what it is?

no need to worry about that.

h2h

Alex

From rcooper at dwford.com Tue Jul 24 13:30:38 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Tue Jul 24 13:30:45 2007
Subject: Still getting false oversized ZIP
In-Reply-To:
References:
Message-ID: <02c001c7cdee$71678a30$0301a8c0@SAHOMELT>

How are you calling clam (clamscan, clamavmodule, clamd)? Clamd would
require you adjust the settings in clamd.conf and not MailScanner, if
using clamscan look in the wrapper for

ExtraScanOptions="$ExtraScanOptions --max-ratio=

and set the value you want there

Rick

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Remco Barendse
> Sent: Tuesday, July 24, 2007 4:05 AM
> To: MailScanner mailing list
> Subject: Still getting false oversized ZIP
>
> Hi list!
>
> I am still getting message that zip files sent are oversized
> and therefore
> blocked, if i remember correctly it was due to clam giving false
> positives.
>
> I will google for the solution, but maybe in the meantime it
> would be nice
> to disable the feature of scanning for oversized zip files
> by default in
> MailScanner?
>
> Cheers!
> Remco

From rich at mail.wvnet.edu Tue Jul 24 13:42:56 2007
From: rich at mail.wvnet.edu (Richard Lynch)
Date: Tue Jul 24 13:43:01 2007
Subject: BarricadeMX experiences
In-Reply-To:
References: <46A553ED.3020505@mail.wvnet.edu>
Message-ID: <46A5F3D0.5070500@mail.wvnet.edu>

DAve wrote:
> Richard Lynch wrote:
>>
>> Note: I am not affiliated with Fort Systems Ltd in any way -- only as
>> a satisfied customer.
>
>> I can't say enough about this product. I'm posting my experiences
>> here because this list is where I first saw the product announcement
>> and I believe any site running MailScanner can benefit from this
>> package. It's reasonably priced, great support, and can actually
>> save you money with the reduction in hardware alone. It's also easy
>> to install and easy to take in and out. They'll also let you demo it.
>> I know this comes off sounding like a sales pitch but it's hard to
>> describe the experience without sounding like one. It really is an
>> amazing product.
>>
>>
>> Richard Lynch
>> WVNET
>
> How is it doing with the new attachment spams like PDF and XLS?
>
> DAve
>

It's not gone but it is way down just like everything is way down. The
cool thing is that this works at the MTA level. BarricadeMX acts as a
proxy front ending sendmail-in/MS/SA/sendmail-out. The amazing thing
(well, one of them) is that it detects spam not so much by the content
of the message but by the behavior of the sender. Spammers don't act
like regular mail servers. They don't follow protocol standards. I'm
not going to say anything else about that because, frankly, I have some
fears that I'll teach the spammers how to adjust. For us, 92%+ of our
mail gets stopped before MS even sees it -- and no one complains. It's
too good to be true.

See...

http://www.wvnet.edu/getmstat.php

The graph only shows what made it into the servers. We're working on a
way to include the BarricadeMX stats. Last Friday (before the
switchover) the stats were...

Ham: 142,860 Spam: 1,202,240 Infected: 137 Total: 1,345,100

Yesterday it was....

Ham: 160,886 Spam: 45,167 Infected: 32 Total: 206,053

Fridays are generally lighter than Mondays. The switchover was done on
Saturday, Jul 21st and so those stats are partial. Sunday, the 22nd was
the first full day. Also, one of the five boxes was switched to
BarricadeMX the previous weekend. We used that as a test in convincing
ourselves that this would work. The week went great. We didn't have a
single issue all week long. No complaints or performance problems. It
just worked.

Richard Lynch
WVNET

From dave.list at pixelhammer.com Tue Jul 24 13:44:23 2007
From: dave.list at pixelhammer.com (DAve)
Date: Tue Jul 24 13:45:54 2007
Subject: BarricadeMX experiences
In-Reply-To: <1898.90.184.16.67.1185249871.squirrel@mail.fumlersoft.dk>
References: <46A553ED.3020505@mail.wvnet.edu> <1782.90.184.16.67.1185246271.squirrel@mail.fumlersoft.dk> <46A573F2.6010906@pixelhammer.com> <1898.90.184.16.67.1185249871.squirrel@mail.fumlersoft.dk>
Message-ID: <46A5F427.50302@pixelhammer.com>

Mogens Melander wrote:
> On Tue, July 24, 2007 05:37, DAve wrote:
>> Mogens Melander wrote:
>>> And what was your question ??
>>>
>>> On Tue, July 24, 2007 03:20, Richard Lynch wrote:
>>>> Note: I am not affiliated with Fort Systems Ltd in any way -- only as a
>>>> satisfied customer.
>> I found it informative. Since I am in the middle of planning our mail
>> gateway replacements, I also found it timely.
>>
>> I am always interested in anything that works well with MailScanner to
>> stop the insidious onslaught of foul spam from those wretched heathens,
>> may they rot from the diseases of the eighth circle of hell with the
>> other falsifiers for their sins... uh sorry, I digress.
>
> Auch, ok, calm down. I was just (trying to) being funny 8^)
>

It wasn't you I was ranting on ;^) Some days I know how to solve the Spam
problem, but the law and my upbringing hold me back...

DAve

--
Three years now I've asked Google why they don't have a logo change for
Memorial Day. Why do they choose to do logos for other non-international
holidays, but nothing for Veterans? Maybe they forgot who made that
choice possible.

From dave.list at pixelhammer.com Tue Jul 24 13:59:01 2007
From: dave.list at pixelhammer.com (DAve)
Date: Tue Jul 24 14:00:28 2007
Subject: OT - Recipient verification
Message-ID: <46A5F795.1060307@pixelhammer.com>

Just asking here because of the knowledge bank we have. Feel free to
respond off list, though I suspect there are a lot of us running multiple
copies of MS.

Currently we use milter-ahead on our MailScanner gateways and we use
milter-ahead to verify the recipient. We will be splitting our mail
network geographically to take advantage of NOC-2 about 50 miles away.
Half our MailScanner gateways and outbound servers will go to NOC-2. We
can't move our toasters yet because the Maildirs are NFS mounted.

If NOC-1 goes down I still want the MailScanner gateway in NOC-2 to
accept mail. My problem is that milter-ahead needs to verify recipient
addresses with the toaster in NOC-1. Every milter/MTA solution I have
found verifies the recipient address by connecting to the destination
MTA, our toaster, which may be unreachable.

What I need is to verify the recipient address with a local store on the
MailScanner gateway. I would like to use a SQL db as I can easily slave
it off the toasters SQL store. Anyone have any ideas how to go about this?

Thanks,

DAve

--
Three years now I've asked Google why they don't have a logo change for
Memorial Day. Why do they choose to do logos for other non-international
holidays, but nothing for Veterans? Maybe they forgot who made that
choice possible.

From glenn.steen at gmail.com Tue Jul 24 14:05:41 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 24 14:05:42 2007
Subject: Fake MX records
In-Reply-To: <4834.90.184.16.67.1185271396.squirrel@mail.fumlersoft.dk>
References: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com> <1533.90.184.16.67.1185239462.squirrel@mail.fumlersoft.dk> <223f97700707240113s3f845e3dsd5b6cbdba049d1e6@mail.gmail.com> <4834.90.184.16.67.1185271396.squirrel@mail.fumlersoft.dk>
Message-ID: <223f97700707240605h1e74cae5we459c4e0fdddc4fe@mail.gmail.com>

On 24/07/07, Mogens Melander wrote:
>
> On Tue, July 24, 2007 10:13, Glenn Steen wrote:
> > On 24/07/07, Mogens Melander wrote:
> >>
> >> On Mon, July 23, 2007 20:12, Hugo van der Kooij wrote:
> >> > On Mon, 23 Jul 2007, Martin.Hepworth wrote:
> >> >
> >> >> http://wiki.apache.org/spamassassin/OtherTricks (Fake MX Record)
> >> >>
> >> >> on the SA-users list.
> >> >>
> >> >> Looks very useful, anyone here using this technique?
> >> >
> >> > I use it partially. MX 10 is me. MX 100 is for backups. MX 1000 is me
> >> > again as spammers favored the highest MX (lowest priority) to bypass
> >> > (RBL) filters. Now they seem to take them at random and ignore the
> >> > priorities.
> >> >
> >>
> >> I was thinking about a "thingy" that would query senders MX if
> >> sender was valid (accept mail to sender) but i don't like to
> >> waste too much bandwidth on an already crowded internet, so i'm
> >> still thinking. This "Fake MX" would of course break this idea,
> >> unless i'd make it retry until all MX's been "tasted", adding
> >> more traffic to the pool. But this could be done at MTA level,
> >> and thus, not be too expensive.
> >>
> >> As i'm not a perl/C hacker, i'll limit my tests to PHP, but
> >> if/when implemented, i'd be happy to share my results.
> >>
> > Um.... Do you mean something like Sender Address Verification? As done
> > in milter-sender, smf-sav, postfix "natively"
> > (http://www.postfix.org/ADDRESS_VERIFICATION_README.html) ....
> favourite MTA function for this:-)>
>
> Well, i didn't think i invented "the wheel", but i would like to develop
> my own platform to play with.

Ok.

> > I don't think you need waste time writing another. Or would yours do
> > something extreme and different?
>
> Having had a sneak view into my /etc/mail/access you might guess
> that i had something extreme in mind, like counting hits from
> purely virtual senders, and adding them to either access file,
> or directly in iptables. My sendmail is MySQL aware, so i can
> store those "bad guys" directly in either.
>

There is the IPBlock thing and Vispan that do some of those things, but
not necessarily in that context. Could be worth your while to look at
though (IIRC the IPBlock thing is in the CustomFunctions).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From uxbod at splatnix.net Tue Jul 24 14:10:18 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 24 14:09:10 2007
Subject: OT - Recipient verification
In-Reply-To: <46A5F795.1060307@pixelhammer.com>
Message-ID: <291640.2101185282618419.JavaMail.root@office.splatnix.net>

We use Lotus Notes here so on the front-end MTA's I just grab the user
email addresses from LN-LDAP, write them to a flat file and Postfix takes
care of everything else. Simple solution - great results. I presume you
are using SendMail DAve ?

----- Original Message -----
From: "DAve"
To: "MailScanner discussion"
Sent: Tuesday, July 24, 2007 1:59:01 PM (GMT) Europe/London
Subject: OT - Recipient verification

Just asking here because of the knowledge bank we have. Feel free to
respond off list, though I suspect there are a lot of us running multiple
copies of MS.

Currently we use milter-ahead on our MailScanner gateways and we use
milter-ahead to verify the recipient. We will be splitting our mail
network geographically to take advantage of NOC-2 about 50 miles away.
Half our MailScanner gateways and outbound servers will go to NOC-2. We
can't move our toasters yet because the Maildirs are NFS mounted.

If NOC-1 goes down I still want the MailScanner gateway in NOC-2 to
accept mail. My problem is that milter-ahead needs to verify recipient
addresses with the toaster in NOC-1. Every milter/MTA solution I have
found verifies the recipient address by connecting to the destination
MTA, our toaster, which may be unreachable.

What I need is to verify the recipient address with a local store on the
MailScanner gateway. I would like to use a SQL db as I can easily slave
it off the toasters SQL store. Anyone have any ideas how to go about this?

Thanks,

DAve

--
Three years now I've asked Google why they don't have a logo change for
Memorial Day. Why do they choose to do logos for other non-international
holidays, but nothing for Veterans? Maybe they forgot who made that
choice possible.

From glenn.steen at gmail.com Tue Jul 24 14:13:32 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 24 14:13:35 2007
Subject: BarricadeMX experiences
In-Reply-To: <46A5F3D0.5070500@mail.wvnet.edu>
References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu>
Message-ID: <223f97700707240613o6e4cf340j1a52a8d865b4951f@mail.gmail.com>

On 24/07/07, Richard Lynch wrote:
> DAve wrote:
> > Richard Lynch wrote:
> >>
> >> Note: I am not affiliated with Fort Systems Ltd in any way -- only as
> >> a satisfied customer.
> >
> >> I can't say enough about this product. I'm posting my experiences
> >> here because this list is where I first saw the product announcement
> >> and I believe any site running MailScanner can benefit from this
> >> package. It's reasonably priced, great support, and can actually
> >> save you money with the reduction in hardware alone. It's also easy
> >> to install and easy to take in and out. They'll also let you demo it.
> >> I know this comes off sounding like a sales pitch but it's hard to
> >> describe the experience without sounding like one. It really is an
> >> amazing product.
> >>
> >>
> >> Richard Lynch
> >> WVNET
> >
> > How is it doing with the new attachment spams like PDF and XLS?
> >
> > DAve
> >
>
> It's not gone but it is way down just like everything is way down. The
> cool thing is that this works at the MTA level. BarricadeMX acts as a
> proxy front ending sendmail-in/MS/SA/sendmail-out. The amazing thing
> (well, one of them) is that it detects spam not so much by the content
> of the message but by the behavior of the sender. Spammers don't act
> like regular mail servers. They don't follow protocol standards. I'm
> not going to say anything else about that because, frankly, I have some
> fears that I'll teach the spammers how to adjust. For us, 92%+ of our
> mail gets stopped before MS even sees it -- and no one complains. It's
> too good to be true.
>
> See...
>
> http://www.wvnet.edu/getmstat.php
>
> The graph only shows what made it into the servers. We're working on a
> way to include the BarricadeMX stats. Last Friday (before the
> switchover) the stats were...
>
> Ham: 142,860 Spam: 1,202,240 Infected: 137 Total: 1,345,100
>
> Yesterday it was....
>
> Ham: 160,886 Spam: 45,167 Infected: 32 Total: 206,053
>
> Fridays are generally lighter than Mondays. The switchover was done on
> Saturday, Jul 21st and so those stats are partial. Sunday, the 22nd was
> the first full day. Also, one of the five boxes was switched to
> BarricadeMX the previous weekend. We used that as a test in convincing
> ourselves that this would work. The week went great. We didn't have a
> single issue all week long. No complaints or performance problems. It
> just worked.
>
> Richard Lynch
> WVNET
>

.... Wow ... Might be something to look at after all...:-).
Thanks Richard.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Richard.Frovarp at sendit.nodak.edu Tue Jul 24 14:14:47 2007
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Tue Jul 24 14:14:50 2007
Subject: postfix rbl checks [fixed]
In-Reply-To: <46A5C0D1.5000302@alexb.ch>
References: <1185184118.31112.7.camel@gblades-suse.linguaphone-intranet.co.uk> <1185265522.1146.23.camel@gblades-suse.linguaphone-intranet.co.uk> <46A5C0D1.5000302@alexb.ch>
Message-ID: <46A5FB47.3050606@sendit.nodak.edu>

Alex Broens wrote:
> On 7/24/2007 10:25 AM, Gareth wrote:
>> On Mon, 2007-07-23 at 10:48, Gareth wrote:
>>> I have been checking the RBL stats using mailwatch and the NJABL one
>>> looks like it will reject about 50% of the spam we receive with no
>>> false positives.
>>>
>>> In my postfix configuration I had the line :-
>>>
>>> smtpd_recipient_restrictions = permit_mynetworks,
>>> reject_unauth_destination, reject_unknown_recipient_domain,
>>> reject_unverified_recipient
>>>
>>> I changed this to :-
>>>
>>> smtpd_recipient_restrictions = permit_mynetworks,
>>> reject_unauth_destination, reject_unknown_recipient_domain,
>>> reject_unverified_recipient, reject_rbl_client dnsbl.njabl.org
>>>
>>> However after restarting postfix it is not working. Spam is still being
>>> accepted and mailscanner is matching some against the NJABL RBL.
>>>
>>> Any ideas what is going wrong?
>>
>> Fixed the problem. dnsbl.njabl.org does not include their dialup list.
>> For this you need to use their separate entry or do as I did and use
>> combined.njabl.org.
>>
>
> afaik: the njabl dialup list is "obsolete", not maintained and has
> been integrated into Spamhaus' PBL (which is maintained)
>
>
> Alex
>

You are correct. See:
http://www.njabl.org/dynablock.html

From MailScanner at ecs.soton.ac.uk Tue Jul 24 14:25:25 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 24 14:21:55 2007
Subject: Request for comments 3
In-Reply-To: <321796.1741185273510384.JavaMail.root@office.splatnix.net>
References: <321796.1741185273510384.JavaMail.root@office.splatnix.net>
Message-ID: <46A5FDC5.3060109@ecs.soton.ac.uk>

How about now?
It's not in MCP yet, is that a problem? Shouldn't be, as it shouldn't
actually make much difference to this functionality (it is working off SA
rule names, not scores, so it doesn't matter if other rules fire as well).

UxBoD wrote:
> That is a similar scenario to what we would use it for, but in ours it
> would be to protect IPR leaks by scanning for keywords and archiving the
> mail off.
>
> Good work Jules, sounds like a real success. What do you believe is the
> timeline for first beta ?
>
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From brandonc at webpipe.net Tue Jul 24 14:24:54 2007
From: brandonc at webpipe.net (Brandon Checketts)
Date: Tue Jul 24 14:22:50 2007
Subject: OT - Recipient verification
In-Reply-To: <46A5F795.1060307@pixelhammer.com>
References: <46A5F795.1060307@pixelhammer.com>
Message-ID: <46A5FDA6.1000800@webpipe.net>

We currently dump out a list of valid users to a plain text file that is shipped over to the mailscanner box periodically and imported into a postfix transport file. It works, but I don't like it very much, so I'm looking into implementing a postfix transport database via MySQL which should do what you want.

Thanks,
Brandon Checketts
Webpipe.net System Administrator

DAve wrote:
> Just asking here because of the knowledge bank we have. Feel free to
> respond off list, though I suspect there are a lot of us running multiple
> copies of MS.
>
> Currently we use milter-ahead on our MailScanner gateways and we use
> milter-ahead to verify the recipient. We will be splitting our mail
> network geographically to take advantage of NOC-2 about 50 miles away.
> Half our MailScanner gateways and outbound servers will go to NOC-2. We
> can't move our toasters yet because the Maildirs are NFS mounted.
>
> If NOC-1 goes down I still want the MailScanner gateway in NOC-2 to
> accept mail. My problem is that milter-ahead needs to verify recipient
> addresses with the toaster in NOC-1. Every milter/MTA solution I have
> found verifies the recipient address by connecting to the destination
> MTA, our toaster, which may be unreachable.
>
> What I need is to verify the recipient address with a local store on the
> MailScanner gateway. I would like to use a SQL db as I can easily slave
> it off the toasters SQL store. Anyone have any ideas how to go about this?
>
> Thanks,
>
> DAve
>

From steve.freegard at fsl.com Tue Jul 24 14:27:24 2007
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Jul 24 14:27:31 2007
Subject: OT - Recipient verification
In-Reply-To: <46A5F795.1060307@pixelhammer.com>
References: <46A5F795.1060307@pixelhammer.com>
Message-ID: <46A5FE3C.40407@fsl.com>

Hi DAve,

DAve wrote:
> If NOC-1 goes down I still want the MailScanner gateway in NOC-2 to
> accept mail. My problem is that milter-ahead needs to verify recipient
> addresses with the toaster in NOC-1. Every milter/MTA solution I have
> found verifies the recipient address by connecting to the destination
> MTA, our toaster, which may be unreachable.
>
> What I need is to verify the recipient address with a local store on the
> MailScanner gateway. I would like to use a SQL db as I can easily slave
> it off the toasters SQL store. Anyone have any ideas how to go about this?

I don't know of any call-ahead solutions that offer the ability to look up the users in a SQL DB.

Why don't you simply enable the +backup-mx option in milter-ahead. When the call-ahead destination service is down - this will use the cache to answer (positive or negative) where possible but will accept messages for any users it doesn't already know about.

Kind regards,
Steve.

From list-mailscanner at linguaphone.com Tue Jul 24 14:27:57 2007
From: list-mailscanner at linguaphone.com (Gareth)
Date: Tue Jul 24 14:28:04 2007
Subject: dynablock.njabl.org
Message-ID: <1185283677.1137.52.camel@gblades-suse.linguaphone-intranet.co.uk>

Anyone know exactly when dynablock.njabl.org is due to stop working?
Currently it is a mirror of pbl.spamhaus.org.

The reason I ask is that :-

1) currently spamassassin 3.1.8 uses it and I am delaying upgrading until the new version of fuzzyocr is released.

2) We got blocked from spamhaus.org within 4 days of going live and I am currently trying to persuade the management to pay the mere $500 to subscribe to their private service.
Currently the loss of XBL+SBL is not causing a problem with identifying spam but losing dynablock will do. If I can tell them a date when things will go wrong I should be allowed to subscribe beforehand.

From uxbod at splatnix.net Tue Jul 24 14:32:59 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 24 14:32:01 2007
Subject: Request for comments 3
In-Reply-To: <46A5FDC5.3060109@ecs.soton.ac.uk>
Message-ID: <14017296.2131185283979691.JavaMail.root@office.splatnix.net>

Always up for some beta testing Jules :) Would also be a good way to test SA rules as well. ie. archive to a spam account to ensure maximum hits are being generated.

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Tuesday, July 24, 2007 2:25:25 PM (GMT) Europe/London
Subject: Re: Request for comments 3

How about now? It's not in MCP yet, is that a problem? Shouldn't be, as it shouldn't actually make much difference to this functionality (it is working off SA rule names, not scores, so it doesn't matter if other rules fire as well).

UxBoD wrote:
> That is a similar scenario to what we would use it for, but in ours it would be to protect IPR leaks by scanning for keywords and archiving the mail off.
>
> Good work Jules, sounds like a real success. What do you believe is the timeline for first beta ?
>
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
>
> ----- Original Message -----
> From: "Julian Field" > To: "MailScanner discussion" > Sent: Tuesday, July 24, 2007 11:12:00 AM (GMT) Europe/London > Subject: Re: Request for comments 3 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Well, initial testing is showing it working very well. The aim is that > you can have anything in the message (expressed as a SpamAssassin rule) > trigger any action on the message, spam or not. So you can archive any > message containing particular bits of text anywhere, or you can _not_ > deliver any message with a certain bit of text in it. > > Say you have all mail copied to an archive, but you want certain > sensitive mail of your own (or your boss's) not archived, then you can > write an SA rule for some subject keyphrase or piece of text in the body > of the message. You can then not archive any mail matching that SA rule. > > So the boss could have all his email CC'd to his secretary, except for > personal mail containing "private" on the Subject line, or mail coming > from his family. > > The potential for this really is limited by your imagination, and I > believe it could be used to provide very powerful setups. > > Jules. > > UxBoD wrote: > >> Cool. Thanks Jules. Have a great HR application for it :) >> ----- Original Message ----- >> From: "Julian Field" >> To: "MailScanner discussion" >> Sent: 23 July 2007 16:49:26 o'clock (GMT) Europe/London >> Subject: Re: Request for comments 3 >> >> >> * PGP Signed by an unmatched address: 07/23/07 at 16:49:27 >> >> Eventually yes. I want to get the design and code all working and >> settled for spam first though. >> >> UxBoD wrote: >> >> >>> Would this new functionality extend to MCP aswell Jules ? >>> ----- Original Message ----- 
>>> From: "Julian Field" >>> To: "MailScanner discussion" >>> Sent: Monday, July 23, 2007 4:24:40 PM (GMT) Europe/London >>> Subject: Re: Request for comments 3 >>> >>> >>> >>> >>>> Old Signed by an unmatched address: 07/23/07 at 16:24:41 >>>> >>>> >>> John Wilcock wrote: >>> >>> >>> >>>> Julian Field wrote: >>>> >>>> >>>> >>>>> How about this instead? >>>>> >>>>> SpamAssassin Rule Actions = rulename=>action, rulename=>action, .... >>>>> >>>>> the "rulename"s are the names of individual SpamAssassin rules, and >>>>> the "action"s are list those in "Spam Actions". To specify multiple >>>>> actions for a rule, you specify the rulename several times, with one >>>>> action for each. Expressions with SpamAssassin rules are done with >>>>> SpamAssassin meta-rules. If the rule hits, the action is taken. >>>>> >>>>> I'll write a few examples of meta-rules so you can see how to write >>>>> them in spam.assassin.rules.conf or wherever they need to go. Mr >>>>> Kettler, can you correct me on this please? >>>>> >>>>> Does this sound more useful than the previous suggestions? >>>>> >>>>> >>>>> >>>> Sounds good, yes. >>>> >>>> Are the actions intended to *replace* the default non spam, spam or >>>> high scoring spam actions, or are they taken in *addition* to those >>>> actions? >>>> >>>> >>>> >>> In addition. >>> >>> >>> >>>> IMO additional actions would be more flexible, but would need the >>>> ability to negate an action, i.e. take a particular action by default >>>> *unless* such-and-such rule hits. >>>> >>>> >>>> >>> Hmmm..... That makes life a bit more complicated. If I evaluated them >>> after the existing rules then I should be able to do that. Good point >>> though. >>> >>> >>> >>> >>>> Non Spam Actions = deliver >>>> Spam Actions = deliver,store >>>> High Scoring Spam Actions = store >>>> >>>> SpamAssassin Rule Actions = >>>> MY_BADSPAM_RULE=>not-store, >>>> MY_SPECIAL_RULE=>forward theboss@domain >>>> >>>> John. 
>>>> >>>> >>>> >>>> >>> Jules >>> >>> >>> >>> >> Jules >> >> >> > > Jules > > - -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > Charset: UTF-8 > > wj8DBQFGpdBxEfZZRxQVtlQRAsUFAJwJpB8Z8iBmulX0F8uRJPL/V8OTeQCgiPzM > liwZmw6DQHWnzc9oWUdQYSI= > =GyGM > -----END PGP SIGNATURE----- > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dave.list at pixelhammer.com Tue Jul 24 14:35:36 2007 
From: dave.list at pixelhammer.com (DAve)
Date: Tue Jul 24 14:37:06 2007
Subject: OT - Recipient verification
In-Reply-To: <291640.2101185282618419.JavaMail.root@office.splatnix.net>
References: <291640.2101185282618419.JavaMail.root@office.splatnix.net>
Message-ID: <46A60028.4080807@pixelhammer.com>

UxBoD wrote:
> We use Lotus Notes here so on the front-end MTA's I just grab the user email addresses from LN-LDAP, write them to a flat file and Postfix takes care of everything else. Simple solution - great results.
>
> I presume you are using SendMail DAve ?

Yep, though I may change that to Postfix.

DAve

> ----- Original Message -----
> From: "DAve"
> To: "MailScanner discussion"
> Sent: Tuesday, July 24, 2007 1:59:01 PM (GMT) Europe/London
> Subject: OT - Recipient verification
>
> Just asking here because of the knowledge bank we have. Feel free to
> respond off list, though I suspect there are a lot of us running multiple
> copies of MS.
>
> Currently we use milter-ahead on our MailScanner gateways and we use
> milter-ahead to verify the recipient. We will be splitting our mail
> network geographically to take advantage of NOC-2 about 50 miles away.
> Half our MailScanner gateways and outbound servers will go to NOC-2. We
> can't move our toasters yet because the Maildirs are NFS mounted.
>
> If NOC-1 goes down I still want the MailScanner gateway in NOC-2 to
> accept mail. My problem is that milter-ahead needs to verify recipient
> addresses with the toaster in NOC-1. Every milter/MTA solution I have
> found verifies the recipient address by connecting to the destination
> MTA, our toaster, which may be unreachable.
>
> What I need is to verify the recipient address with a local store on the
> MailScanner gateway. I would like to use a SQL db as I can easily slave
> it off the toasters SQL store. Anyone have any ideas how to go about this?
>
> Thanks,
>
> DAve
>

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From steve.freegard at fsl.com Tue Jul 24 14:37:31 2007
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Jul 24 14:37:35 2007
Subject: Request for comments 3
In-Reply-To: <46A5FDC5.3060109@ecs.soton.ac.uk>
References: <321796.1741185273510384.JavaMail.root@office.splatnix.net> <46A5FDC5.3060109@ecs.soton.ac.uk>
Message-ID: <46A6009B.2060701@fsl.com>

Hi Jules,

Julian Field wrote:
> How about now? It's not in MCP yet, is that a problem? Shouldn't be, as
> it shouldn't actually make much difference to this functionality (it is
> working off SA rule names, not scores, so it doesn't matter if other
> rules fire as well).

Exactly what I was thinking - wouldn't this new method enable MCP-type things but without the need for a second SA run (and the rather large associated overhead of doing this).

You could simply create the MCP rules and score them as 0.001, then use the new feature to quarantine if any of the MCP rules actually fire.

The only thing lacking here is the ability to quarantine the file in the mcp quarantine instead of the spam quarantine. Maybe adding 'store:mcp' could be an option to mark the message as MCP and store in the MCP quarantine directory???

Kind regards,
Steve.

From ms-list at alexb.ch Tue Jul 24 14:42:05 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Jul 24 14:42:14 2007
Subject: dynablock.njabl.org
In-Reply-To: <1185283677.1137.52.camel@gblades-suse.linguaphone-intranet.co.uk>
References: <1185283677.1137.52.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID: <46A601AD.8010204@alexb.ch>

On 7/24/2007 3:27 PM, Gareth wrote:
> Anyone know exactly when dynablock.njabl.org is due to stop working?
> Currently it is a mirror of pbl.spamhaus.org.
>
> The reason I ask is that :-
>
> 1) currently spamassassin 3.1.8 uses it and I am delaying upgrading
> until the new version of fuzzyocr is released.
>
> 2) We got blocked from spamhaus.org within 4 days of going live and I am
> currently trying to persuade the management to pay the mere $500 to
> subscribe to their private service.
> Currently the loss of XBL+SBL is not causing a problem with identifying
> spam but losing dynablock will do. If I can tell them a date when
> things will go wrong I should be allowed to subscribe beforehand.

come the day, an sa-update would most probably null it out and knowing the njabl operator it will be well announced.

Alex

From uxbod at splatnix.net Tue Jul 24 14:46:13 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 24 14:45:28 2007
Subject: Request for comments 3
In-Reply-To: <46A6009B.2060701@fsl.com>
Message-ID: <17879499.2161185284773186.JavaMail.root@office.splatnix.net>

Nice idea Steve. This RFC seems to be getting better and better :D

----- Original Message -----
From: "Steve Freegard"
To: "MailScanner discussion"
Sent: Tuesday, July 24, 2007 2:37:31 PM (GMT) Europe/London
Subject: Re: Request for comments 3

Hi Jules,

Julian Field wrote:
> How about now? It's not in MCP yet, is that a problem? Shouldn't be, as
> it shouldn't actually make much difference to this functionality (it is
> working off SA rule names, not scores, so it doesn't matter if other
> rules fire as well).

Exactly what I was thinking - wouldn't this new method enable MCP-type things but without the need for a second SA run (and the rather large associated overhead of doing this).

You could simply create the MCP rules and score them as 0.001, then use the new feature to quarantine if any of the MCP rules actually fire.

The only thing lacking here is the ability to quarantine the file in the mcp quarantine instead of the spam quarantine. Maybe adding 'store:mcp' could be an option to mark the message as MCP and store in the MCP quarantine directory???

Kind regards,
Steve.

From dave.list at pixelhammer.com Tue Jul 24 14:44:59 2007
From: dave.list at pixelhammer.com (DAve)
Date: Tue Jul 24 14:46:26 2007
Subject: OT - Recipient verification
In-Reply-To: <46A5FE3C.40407@fsl.com>
References: <46A5F795.1060307@pixelhammer.com> <46A5FE3C.40407@fsl.com>
Message-ID: <46A6025B.4040100@pixelhammer.com>

Steve Freegard wrote:
> Hi DAve,
>
> DAve wrote:
>> If NOC-1 goes down I still want the MailScanner gateway in NOC-2 to
>> accept mail. My problem is that milter-ahead needs to verify recipient
>> addresses with the toaster in NOC-1. Every milter/MTA solution I have
>> found verifies the recipient address by connecting to the destination
>> MTA, our toaster, which may be unreachable.
>>
>> What I need is to verify the recipient address with a local store on
>> the MailScanner gateway. I would like to use a SQL db as I can easily
>> slave it off the toasters SQL store. Anyone have any ideas how to go
>> about this?
>
> I don't know of any call-ahead solutions that offer the ability to look
> up the users in a SQL DB.
>
> Why don't you simply enable the +backup-mx option in milter-ahead. When
> the call-ahead destination service is down - this will use the cache to
> answer (positive or negative) where possible but will accept messages
> for any users it doesn't already know about.
>
> Kind regards,
> Steve.

We recently acquired some new clients who came with a bonus, they brought along several large scale dictionary attacks. Those attacks have now spread to other domains on our mail servers. Accepting any message for an unknown account is completely out of the question.

I am planning on the private fiber between NOC-1 and NOC-2 being down once a month for several hours, during business hours. Likely it will never go down, but planning on it now is better than finding a solution at 4pm election day, when it does go down under high traffic.

Looking at Postfix, been awhile since I used it but that is the whole point of the VMWare test bed right?

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From uxbod at splatnix.net Tue Jul 24 14:48:52 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 24 14:48:13 2007
Subject: OT - Recipient verification
In-Reply-To: <46A60028.4080807@pixelhammer.com>
Message-ID: <22425344.2191185284932319.JavaMail.root@office.splatnix.net>

Cannot fault Postfix, though hear good things about Exim as well.

----- Original Message -----
From: "DAve"
To: "MailScanner discussion"
Sent: Tuesday, July 24, 2007 2:35:36 PM (GMT) Europe/London
Subject: Re: OT - Recipient verification

UxBoD wrote:
> We use Lotus Notes here so on the front-end MTA's I just grab the user email addresses from LN-LDAP, write them to a flat file and Postfix takes care of everything else. Simple solution - great results.
>
> I presume you are using SendMail DAve ?

Yep, though I may change that to Postfix.

DAve

> ----- Original Message -----
> From: "DAve"
> To: "MailScanner discussion"
> Sent: Tuesday, July 24, 2007 1:59:01 PM (GMT) Europe/London
> Subject: OT - Recipient verification
>
> Just asking here because of the knowledge bank we have. Feel free to
> respond off list, though I suspect there are a lot of us running multiple
> copies of MS.
>
> Currently we use milter-ahead on our MailScanner gateways and we use
> milter-ahead to verify the recipient. We will be splitting our mail
> network geographically to take advantage of NOC-2 about 50 miles away.
> Half our MailScanner gateways and outbound servers will go to NOC-2. We
> can't move our toasters yet because the Maildirs are NFS mounted.
>
> If NOC-1 goes down I still want the MailScanner gateway in NOC-2 to
> accept mail. My problem is that milter-ahead needs to verify recipient
> addresses with the toaster in NOC-1. Every milter/MTA solution I have
> found verifies the recipient address by connecting to the destination
> MTA, our toaster, which may be unreachable.
>
> What I need is to verify the recipient address with a local store on the
> MailScanner gateway. I would like to use a SQL db as I can easily slave
> it off the toasters SQL store. Anyone have any ideas how to go about this?
>
> Thanks,
>
> DAve
>

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From matt at coders.co.uk Tue Jul 24 14:50:13 2007
From: matt at coders.co.uk (Matt Hampton)
Date: Tue Jul 24 14:48:19 2007
Subject: Request for comments 3
In-Reply-To: <46A6009B.2060701@fsl.com>
References: <321796.1741185273510384.JavaMail.root@office.splatnix.net> <46A5FDC5.3060109@ecs.soton.ac.uk> <46A6009B.2060701@fsl.com>
Message-ID: <46A60395.4040904@coders.co.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve Freegard wrote:
> You could simply create the MCP rules and score them as 0.001, then use
> the new feature to quarantine if any of the MCP rules actually fire.
>
> The only thing lacking here is the ability to quarantine the file in the
> mcp quarantine instead of the spam quarantine. Maybe adding 'store:mcp'
> could be an option to mark the message as MCP and store in the MCP
> quarantine directory???

How about score them as 0 (currently they are still logged) and then have the option to hide 0 scoring rules. This would allow you to have customer specific rules without revealing them to others.....

matt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGpgOVXzs+uwryHW0RAuFBAKCZqHczGAqm7XNAF5eyeycCd5E1mQCfYhn1
BAEJ0TT7Uw/8WRE/kR6zfEM=
=8m0L
-----END PGP SIGNATURE-----

From ka at pacific.net Tue Jul 24 14:52:18 2007
From: ka at pacific.net (Ken A)
Date: Tue Jul 24 14:52:25 2007
Subject: OT - Recipient verification
In-Reply-To: <46A60028.4080807@pixelhammer.com>
References: <291640.2101185282618419.JavaMail.root@office.splatnix.net> <46A60028.4080807@pixelhammer.com>
Message-ID: <46A60412.3020708@pacific.net>

DAve wrote:
> UxBoD wrote:
>> We use Lotus Notes here so on the front-end MTA's I just grab the user
>> email addresses from LN-LDAP, write them to a flat file and Postfix
>> takes care of everything else. Simple solution - great results.
>>
>> I presume you are using SendMail DAve ?
>
> Yep, though I may change that to Postfix.

You can do the same in a sendmail access list.

# Entry for each valid user
To:user1@domain.tld RELAY
To:user2@domain.tld RELAY
#
# Default Entry to Reject all others
#
To:domain.tld ERROR:5.1.1:550 User unknown

Ken

>
> DAve
>> ----- Original Message -----
>> From: "DAve"
>> To: "MailScanner discussion"
>> Sent: Tuesday, July 24, 2007 1:59:01 PM (GMT) Europe/London
>> Subject: OT - Recipient verification
>>
>> Just asking here because of the knowledge bank we have. Feel free to
>> respond off list, though I suspect there are a lot of us running
>> multiple copies of MS.
>>
>> Currently we use milter-ahead on our MailScanner gateways and we use
>> milter-ahead to verify the recipient. We will be splitting our mail
>> network geographically to take advantage of NOC-2 about 50 miles away.
>> Half our MailScanner gateways and outbound servers will go to NOC-2.
>> We can't move our toasters yet because the Maildirs are NFS mounted.
>>
>> If NOC-1 goes down I still want the MailScanner gateway in NOC-2 to
>> accept mail. My problem is that milter-ahead needs to verify recipient
>> addresses with the toaster in NOC-1. Every milter/MTA solution I have
>> found verifies the recipient address by connecting to the destination
>> MTA, our toaster, which may be unreachable.
>>
>> What I need is to verify the recipient address with a local store on
>> the MailScanner gateway. I would like to use a SQL db as I can easily
>> slave it off the toasters SQL store. Anyone have any ideas how to go
>> about this?
>>
>> Thanks,
>>
>> DAve
>>
>
>

--
Ken Anderson
Pacific.Net

From Richard.Frovarp at sendit.nodak.edu Tue Jul 24 14:53:36 2007
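Added example (not part of any message in this thread, and not code from sendmail or MailScanner): a Python sketch of the flat-file approach Ken describes, building the access list from a local export of valid mailboxes so the gateway can reject unknown recipients without contacting the destination MTA. The function names, the shrink threshold and the sample addresses are assumptions made for illustration, and lookup() is a simplified model of the match order, not sendmail's own lookup code.

```python
"""Build a sendmail access list for recipient checks from a local user export."""

REJECT = "ERROR:5.1.1:550 User unknown"  # default entry, as in Ken's message


def normalise(addresses, domains):
    """Return sorted, de-duplicated, lower-cased mailbox addresses.

    Refuses entries that would corrupt the map (embedded whitespace) or
    that would relay for a domain the gateway does not host.
    """
    hosted = {d.lower() for d in domains}
    users = set()
    for raw in addresses:
        addr = raw.strip().lower()
        if not addr or addr.startswith("#"):
            continue  # blank line or comment in the export
        local, at, domain = addr.rpartition("@")
        if not at or not local or any(ch.isspace() for ch in addr):
            raise ValueError(f"not a mailbox address: {raw!r}")
        if domain not in hosted:
            raise ValueError(f"{addr} is not in a hosted domain")
        users.add(addr)
    return sorted(users)


def build_access(addresses, domains, previous_count=None, max_shrink=0.5):
    """Return the access list lines: one RELAY per user, then a reject per domain.

    Because the default entry rejects everything else, an empty or truncated
    export would bounce real mail, so both cases abort instead of publishing.
    """
    users = normalise(addresses, domains)
    for domain in domains:
        if not any(u.endswith("@" + domain.lower()) for u in users):
            raise ValueError(f"no valid users for {domain}; refusing to publish")
    if previous_count and len(users) < previous_count * (1 - max_shrink):
        raise ValueError("user list shrank sharply; export may be truncated")
    lines = ["# Entry for each valid user"]
    lines += [f"To:{u}\tRELAY" for u in users]
    lines += ["#", "# Default Entry to Reject all others", "#"]
    lines += [f"To:{d.lower()}\t{REJECT}" for d in sorted(domains)]
    return lines


def lookup(lines, rcpt):
    """Simplified model of the check: exact address first, then its domain.

    Returns None when the recipient's domain is not in the list at all.
    """
    table = {}
    for line in lines:
        if line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value
    rcpt = rcpt.strip().lower()
    domain = rcpt.rpartition("@")[2]
    return table.get("to:" + rcpt) or table.get("to:" + domain)


# Constructed sample export, e.g. one address per row dumped from a user store.
EXPORT = ["User1@Domain.tld ", "user2@domain.tld", "user1@domain.tld", "# staff"]

if __name__ == "__main__":
    access = build_access(EXPORT, ["domain.tld"])
    print("\n".join(access))
    for rcpt in ("user1@domain.tld", "aaron@domain.tld"):
        print(rcpt, "->", lookup(access, rcpt))
```

The generated text still has to be loaded into the MTA's map in the usual way for that MTA; the sketch only covers producing and sanity-checking the list.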
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Tue Jul 24 14:53:38 2007
Subject: dynablock.njabl.org
In-Reply-To: <1185283677.1137.52.camel@gblades-suse.linguaphone-intranet.co.uk>
References: <1185283677.1137.52.camel@gblades-suse.linguaphone-intranet.co.uk>
Message-ID: <46A60460.6000100@sendit.nodak.edu>

Gareth wrote:
> Anyone know exactly when dynablock.njabl.org is due to stop working?
> Currently it is a mirror of pbl.spamhaus.org.
>
> The reason I ask is that :-
>
> 1) currently spamassassin 3.1.8 uses it and I am delaying upgrading
> until the new version of fuzzyocr is released.
>
> 2) We got blocked from spamhaus.org within 4 days of going live and I am
> currently trying to persuade the management to pay the mere $500 to
> subscribe to their private service.
> Currently the loss of XBL+SBL is not causing a problem with identifying
> spam but losing dynablock will do. If I can tell them a date when
> things will go wrong I should be allowed to subscribe beforehand.
>
>

What sort of volume do you handle? I've never heard of anyone being blocked by spamhaus.

From johnnyb at marlboro.edu Tue Jul 24 15:03:42 2007
From: johnnyb at marlboro.edu (John Baker)
Date: Tue Jul 24 15:03:54 2007
Subject: mailscanner MRTG trouble
Message-ID: <46A606BE.4040704@marlboro.edu>

Hello,

I'm getting these mailed from cron.d every 5 minutes.:

Subject: Cron env LANG=C /usr/bin/mrtg /etc/mrtg/mailscanner-mrtg.cfg >> /var/log/mrtg/mailscanner-mrtg.log

Rateup WARNING: /usr/bin/rateup could not read the primary log file for sendmail
Rateup ERROR: /usr/bin/rateup found sendmail's log file was corrupt or not in sorted order: time: 1167264000.
Rateup WARNING: /usr/bin/rateup The backup log file for sendmail was invalid as well
ERROR: Skipping webupdates because rateup did not return anything sensible
WARNING: rateup died from Signal 0 with Exit Value 1 when doing router 'sendmail'
Signal was 0, Returncode was 1

The best that I can figure when I look everything over is that for some reason it is no longer able to read the virus scan counts correctly. The MRTG graphs show everything else as working normally. The only change I come up with when I run diff on all the configuration files against older ones in backup is that I changed the SNMP string. But I don't see how that could affect parsing one part of the log files. Anyhow, it's driving me nuts. Would anybody have any suggestions on where else to look for the trouble?

--
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 off campus; 551 on campus

From ms-list at alexb.ch Tue Jul 24 15:12:37 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Jul 24 15:12:42 2007
Subject: Request for comments 3
In-Reply-To: <46A60395.4040904@coders.co.uk>
References: <321796.1741185273510384.JavaMail.root@office.splatnix.net> <46A5FDC5.3060109@ecs.soton.ac.uk> <46A6009B.2060701@fsl.com> <46A60395.4040904@coders.co.uk>
Message-ID: <46A608D5.4000201@alexb.ch>

On 7/24/2007 3:50 PM, Matt Hampton wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Steve Freegard wrote:
>> You could simply create the MCP rules and score them as 0.001, then use
>> the new feature to quarantine if any of the MCP rules actually fire.
>>
>> The only thing lacking here is the ability to quarantine the file in the
>> mcp quarantine instead of the spam quarantine. Maybe adding 'store:mcp'
>> could be an option to mark the message as MCP and store in the MCP
>> quarantine directory???
>
> How about score them as 0 (currently they are still logged) and then
> have the option to hide 0 scoring rules. This would allow you to have
> customer specific rules without revealing them to others.....
>

rules with score = 0 are disabled

you'd have to use 0.001 (logs as 0.0)

Alex

From uxbod at splatnix.net Tue Jul 24 15:14:46 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 24 15:13:39 2007
Subject: Request for comments 3
In-Reply-To: <46A60395.4040904@coders.co.uk>
Message-ID: <9403042.2221185286486652.JavaMail.root@office.splatnix.net>

One great application I have for this now is when KAM_CARD rule is triggered dump the email. Currently if people use MailWatch to release their quarantined email they could still infect network with viruses. Would be great to send emails like that straight to /dev/null :)

----- Original Message -----
From: "Matt Hampton"
To: "MailScanner discussion"
Sent: Tuesday, July 24, 2007 2:50:13 PM (GMT) Europe/London
Subject: Re: Request for comments 3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve Freegard wrote:
> You could simply create the MCP rules and score them as 0.001, then use
> the new feature to quarantine if any of the MCP rules actually fire.
>
> The only thing lacking here is the ability to quarantine the file in the
> mcp quarantine instead of the spam quarantine. Maybe adding 'store:mcp'
> could be an option to mark the message as MCP and store in the MCP
> quarantine directory???

How about score them as 0 (currently they are still logged) and then have the option to hide 0 scoring rules. This would allow you to have customer specific rules without revealing them to others.....

matt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGpgOVXzs+uwryHW0RAuFBAKCZqHczGAqm7XNAF5eyeycCd5E1mQCfYhn1
BAEJ0TT7Uw/8WRE/kR6zfEM=
=8m0L
-----END PGP SIGNATURE-----

From list-mailscanner at linguaphone.com Tue Jul 24 15:17:55 2007
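Added example (not MailScanner code and not written by anyone in this thread): a Python model of the "SpamAssassin Rule Actions" proposal as discussed in the messages above, where per-rule actions are taken in addition to the normal actions and a "not-" action is evaluated after them. The function names, the comma-separated action lists copied from John Wilcock's sample, and the choice to let a negation win over any addition are assumptions; the feature was still being designed when these messages were written.

```python
"""Model of the proposed 'SpamAssassin Rule Actions' setting (illustration only)."""
import re

RULE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")


def parse_rule_actions(value):
    """Split 'RULE=>action, RULE=>action' into ordered (rule, action) pairs.

    A rule may be listed several times, once per action, as in the proposal.
    """
    pairs = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        rule, arrow, action = item.partition("=>")
        rule, action = rule.strip(), " ".join(action.split())
        if not arrow or not RULE_NAME.match(rule) or not action:
            raise ValueError(f"bad rule action entry: {item!r}")
        pairs.append((rule, action))
    return pairs


def base_actions(config, classification):
    """Actions configured for 'Non Spam', 'Spam' or 'High Scoring Spam'."""
    raw = config[f"{classification} Actions"]
    return [a.strip() for a in raw.split(",") if a.strip()]


def final_actions(config, classification, rules_hit):
    """Apply the rule actions on top of the normal actions for one message."""
    actions = base_actions(config, classification)
    removals = set()
    for rule, action in parse_rule_actions(config["SpamAssassin Rule Actions"]):
        if rule not in rules_hit:
            continue
        if action.startswith("not-"):
            removals.add(action[len("not-"):])
        elif action not in actions:
            actions.append(action)
    # Negations are applied last, so "not-store" holds no matter what added
    # "store" (assumption: the thread only says they run after the defaults).
    return [a for a in actions if a not in removals]


def never_firing(config, scores):
    """Rules named in the setting that are scored 0.

    Alex Broens notes that rules with score 0 are disabled, so an action
    attached to one would silently never trigger; 0.001 is the suggested
    minimum.
    """
    rules = {r for r, _ in parse_rule_actions(config["SpamAssassin Rule Actions"])}
    return sorted(r for r in rules if scores.get(r) == 0)


# Settings copied from John Wilcock's sample in the thread.
CONFIG = {
    "Non Spam Actions": "deliver",
    "Spam Actions": "deliver,store",
    "High Scoring Spam Actions": "store",
    "SpamAssassin Rule Actions":
        "MY_BADSPAM_RULE=>not-store, MY_SPECIAL_RULE=>forward theboss@domain",
}

if __name__ == "__main__":
    cases = [("Spam", {"MY_BADSPAM_RULE"}),
             ("Non Spam", {"MY_SPECIAL_RULE"}),
             ("High Scoring Spam", {"MY_BADSPAM_RULE", "MY_SPECIAL_RULE"})]
    for classification, hits in cases:
        print(classification, sorted(hits), "->",
              final_actions(CONFIG, classification, hits))
    # Constructed scores: one rule mistakenly scored 0, one at 0.001.
    print(never_firing(CONFIG, {"MY_BADSPAM_RULE": 0, "MY_SPECIAL_RULE": 0.001}))
```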
From: list-mailscanner at linguaphone.com (Gareth)
Date: Tue Jul 24 15:18:07 2007
Subject: dynablock.njabl.org
In-Reply-To: <46A60460.6000100@sendit.nodak.edu>
References: <1185283677.1137.52.camel@gblades-suse.linguaphone-intranet.co.uk> <46A60460.6000100@sendit.nodak.edu>
Message-ID: <1185286675.1145.54.camel@gblades-suse.linguaphone-intranet.co.uk>

On Tue, 2007-07-24 at 14:53, Richard Frovarp wrote:
> Gareth wrote:
> > Anyone know exactly when dynablock.njabl.org is due to stop working?
> > Currently it is a mirror of pbl.spamhaus.org.
> >
> > The reason I ask is that :-
> >
> > 1) currently spamassassin 3.1.8 uses it and I am delaying upgrading
> > until the new version of fuzzyocr is released.
> >
> > 2) We got blocked from spamhaus.org within 4 days of going live and I am
> > currently trying to persuade the management to pay the mere $500 to
> > subscribe to their private service.
> > Currently the loss of XBL+SBL is not causing a problem with identifying
> > spam but losing dynablock will do. If I can tell them a date when
> > things will go wrong I should be allowed to subscribe beforehand.
> >
> >
> What sort of volume do you handle? I've never heard of anyone being
> blocked by spamhaus.

About 3000 mails per day.

From matt at coders.co.uk Tue Jul 24 15:20:51 2007
From: matt at coders.co.uk (Matt Hampton)
Date: Tue Jul 24 15:18:58 2007
Subject: Request for comments 3
In-Reply-To: <46A608D5.4000201@alexb.ch>
References: <321796.1741185273510384.JavaMail.root@office.splatnix.net> <46A5FDC5.3060109@ecs.soton.ac.uk> <46A6009B.2060701@fsl.com> <46A60395.4040904@coders.co.uk> <46A608D5.4000201@alexb.ch>
Message-ID: <46A60AC3.4010109@coders.co.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex Broens wrote:
> rules with scored = 0 are disabled
>
> you'd have to use 0.001 (logs as 0.0)

Doh! Sorry having a bad day.....

matt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGpgrCXzs+uwryHW0RAgWIAJ9IRaLQqRnnRxXCxUXiXPag4HsktwCfeNac
KKcyehiv6/3ugSQIVqrbSXs=
=yVoL
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Tue Jul 24 15:25:29 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jul 24 15:22:45 2007 Subject: Request for comments 3 In-Reply-To: <46A6009B.2060701@fsl.com> References: <321796.1741185273510384.JavaMail.root@office.splatnix.net> <46A5FDC5.3060109@ecs.soton.ac.uk> <46A6009B.2060701@fsl.com> Message-ID: <46A60BD9.8080903@ecs.soton.ac.uk> Steve Freegard wrote: > Hi Jules, > > Julian Field wrote: >> How about now? It's not in MCP yet, is that a problem? Shouldn't be, >> as it shouldn't actually make much difference to this functionality >> (it is working off SA rule names, not scores, so it doesn't matter if >> other rules fire as well). > > Exactly what I was thinking - wouldn't this new method enable MCP-type > things but without the need for a second SA run (and the rather large > associated overhead of doing this). > > You could simply create the MCP rules and score them as 0.001, then > use the new feature to quarantine if any of the MCP rule actually fire. > > The only thing lacking here is the ability to quarantine the file in > the mcp quarantine instead of the spam quarantine. Maybe adding > 'store:mcp' could be an option to mark the message as MCP and store in > the MCP quarantine directory??? I have just added 4 more actions: store-nonspam store-spam store-nonmcp store-mcp The original "store" action is still there and will work exactly how it always has done. This almost does away with MCP altogether. Yay! I'll get a beta out this afternoon some time very soon. > > Kind regards, > Steve. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk

From dave.list at pixelhammer.com Tue Jul 24 15:30:58 2007
From: dave.list at pixelhammer.com (DAve)
Date: Tue Jul 24 15:32:24 2007
Subject: OT - Recipient verification
In-Reply-To: <46A60412.3020708@pacific.net>
References: <291640.2101185282618419.JavaMail.root@office.splatnix.net> <46A60028.4080807@pixelhammer.com> <46A60412.3020708@pacific.net>
Message-ID: <46A60D22.3090108@pixelhammer.com>

Ken A wrote:
> DAve wrote:
>> UxBoD wrote:
>>> We use Lotus Notes here so on the front-end MTA's I just grab the
>>> user email addresses from LN-LDAP, write them to a flat file and
>>> Postfix takes care of everything else. Simple solution - great results.
>>>
>>> I presume you are using SendMail DAve ?
>>
>> Yep, though I may change that to Postfix.
>
> You can do the same in a sendmail access list.
>
> # Entry for each valid user
> To:user1@domain.tld RELAY
> To:user2@domain.tld RELAY
> #
> # Default Entry to Reject all others
> #
> To:domain.tld ERROR:5.1.1:550 User unknown
>
> Ken

Well slap me sideways and call me goofy! I never even considered that. Pushing a new recipient list when a SQL change occurs would be simple with perl/ruby + rsync + ssh.

I got too focused on milters. Time to rethink everything.

DAve

>
>>
>> DAve
>>> ----- Original Message -----
>>> From: "DAve" >>> To: "MailScanner discussion" >>> Sent: Tuesday, July 24, 2007 1:59:01 PM (GMT) Europe/London >>> Subject: OT - Recipient verification >>> >>> Just asking here because of the knowledge bank we have. Feel free to >>> respond off list, though I suspect that are a lot of us running >>> multiple copies of MS. >>> >>> Currently we use milter-ahead on our MailScanner gateways and we use >>> milter-ahead to verify the recipient. We will be splitting our mail >>> network geographically to take advantage of NOC-2 about 50 miles >>> away. Half our MailScanner gateways and outbound servers will go to >>> NOC-2. We can't move our toasters yet because the Maildirs are NFS >>> mounted. >>> >>> If NOC-1 goes down I still want the MailScanner gateway in NOC-2 to >>> accept mail. My problem is that milter-ahead needs to verify >>> recipient addresses with the toaster in NOC-1. Every milter/MTA >>> solution I have found verifies the recipient address by connecting to >>> the destination MTA, our toaster, which may be unreachable. >>> >>> What I need is to verify the recipient address with a local store on >>> the MailScanner gateway. I would like to use a SQL db as I can easily >>> slave it off the toasters SQL store. Anyone have any ideas how to go >>> about this? >>> >>> Thanks, >>> >>> DAve >>> >> >> > > -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From mkettler at evi-inc.com Tue Jul 24 15:36:32 2007 
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Jul 24 15:37:45 2007
Subject: dynablock.njabl.org
In-Reply-To: <46A60460.6000100@sendit.nodak.edu>
References: <1185283677.1137.52.camel@gblades-suse.linguaphone-intranet.co.uk> <46A60460.6000100@sendit.nodak.edu>
Message-ID: <46A60E70.1030706@evi-inc.com>

Richard Frovarp wrote:
> What sort of volume do you handle? I've never heard of anyone being
> blocked by spamhaus.

Spamhaus has very recently been restricting usage of their servers. The actual statement by them is if you have more than 100 users, you need a datafeed.

A lot of this has to do with things like Barracuda boxes, which use spamhaus by default. Barracuda and other "spam appliance" companies have made and sold so many of these boxes to larger organizations without using a datafeed that it is beginning to swamp the spamhaus DNS servers.

See also:

http://www.spamhaus.org/faq/answers.lasso?section=Data%20Feed#134

AFAIK, Spamhaus is now using an automated rate-of-query analysis to detect servers which are maintaining a high rate of queries over a long period of time. Those sites are automatically blacklisted to cut load.

From ka at pacific.net Tue Jul 24 15:40:54 2007
From: ka at pacific.net (Ken A) Date: Tue Jul 24 15:40:58 2007 Subject: Request for comments 3 In-Reply-To: <46A5D070.8050803@ecs.soton.ac.uk> References: <1892290.1231185219040748.JavaMail.root@office.splatnix.net> <46A5D070.8050803@ecs.soton.ac.uk> Message-ID: <46A60F76.5090604@pacific.net> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Well, initial testing is showing it working very well. The aim is that > you can have anything in the message (expressed as a SpamAssassin rule) > trigger any action on the message, spam or not. So you can archive any > message containing particular bits of text anywhere, or you can _not_ > deliver any message with a certain bit of text in it. > > Say you have all mail copied to an archive, but you want certain > sensitive mail of your own (or your boss's) not archived, then you can > write an SA rule for some subject keyphrase or piece of text in the body > of the message. You can then not archive any mail matching that SA rule. > > So the boss could have all his email CC'd to his secretary, except for > personal mail containing "private" on the Subject line, or mail coming > from his family. > Very handy! What about (or is there already?) a MailScanner 'action' that says 'feed the message to a program', like is possible in sendmail's alias file, so that some processing could be done on the message? This would open up more possibilities, like processing mail for delivery to other devices (text message, etc), or adding some useful context to the message for archival and searching use. I know this sort of thing also opens up some possible security issues. ;-) Ken > The potential for this really is limited by your imagination, and I > believe it could be used to provide very powerful setups. > > Jules. > -- Ken Anderson Pacific.Net From steve.freegard at fsl.com Tue Jul 24 15:45:17 2007 
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Jul 24 15:45:21 2007
Subject: Request for comments 3
In-Reply-To: <46A60BD9.8080903@ecs.soton.ac.uk>
References: <321796.1741185273510384.JavaMail.root@office.splatnix.net> <46A5FDC5.3060109@ecs.soton.ac.uk> <46A6009B.2060701@fsl.com> <46A60BD9.8080903@ecs.soton.ac.uk>
Message-ID: <46A6107D.9060708@fsl.com>

Hi Jules,

Julian Field wrote:
> I have just added 4 more actions:
> store-nonspam
> store-spam
> store-nonmcp
> store-mcp
> The original "store" action is still there and will work exactly how it
> always has done.
>
> This almost does away with MCP altogether. Yay!
> I'll get a beta out this afternoon some time very soon.

Wow - nice one!

Will these new options play nice with the current version of MailWatch?

e.g. store-nonspam will set $message->{isspam} = 0, store-mcp will set $message->{ismcp} = 1 etc. and add the relevant paths in $message->{quarantineplaces}??

One other minor thing that I noticed recently relating to this is that if a message is marked as infected and deleted, MailScanner still reports that the message was quarantined via $message->{quarantineplaces} if keepspamachiveclean is set.

Kind regards,
Steve.

From mkettler at evi-inc.com Tue Jul 24 15:46:17 2007
From: mkettler at evi-inc.com (Matt Kettler) Date: Tue Jul 24 15:47:13 2007 Subject: dynablock.njabl.org In-Reply-To: <46A60E70.1030706@evi-inc.com> References: <1185283677.1137.52.camel@gblades-suse.linguaphone-intranet.co.uk> <46A60460.6000100@sendit.nodak.edu> <46A60E70.1030706@evi-inc.com> Message-ID: <46A610B9.3070300@evi-inc.com> Matt Kettler wrote: > Richard Frovarp wrote: >> What sort of volume to you handle? I've never heard of anyone being >> blocked by spamhaus. > > Spamhaus has very recently been restricting usage of their servers. The actual > statement by them is if you have more than 100 users, you need a datafeed. > > A lot of this has to do with things like Barracuda boxes, which use spamhaus by > default. Barracuda and other "spam appliance" companies have made and sold so > many of these boxes to larger organizations without using a datafeed that it is > beginning to swamp the spamhaus DNS servers. > > See also: > > http://www.spamhaus.org/faq/answers.lasso?section=Data%20Feed#134 > > AFAIK, Spamhaus is now using an automated rate-of-query analysis to detect > servers which are maintaining a high rate of queries over a long period of time. > Those sites are automatically blacklisted to cut load. > > Side note before anyone misinterprets me: by "blacklisted" I mean blacklisted from querying the spamhaus DNS servers, not actually listed as a spammer in the SBL, XBL or PBL list. From uxbod at splatnix.net Tue Jul 24 15:48:53 2007 From: uxbod at splatnix.net (UxBoD) Date: Tue Jul 24 15:47:48 2007 Subject: OT - Recipient verification In-Reply-To: <46A60D22.3090108@pixelhammer.com> Message-ID: <22906080.2281185288533705.JavaMail.root@office.splatnix.net> triggers :) ----- Original Message ----- 
From: "DAve" To: "MailScanner discussion" Sent: Tuesday, July 24, 2007 3:30:58 PM (GMT) Europe/London Subject: Re: OT - Recipient verification Ken A wrote: > DAve wrote: >> UxBoD wrote: >>> We use Lotus Notes here so on the front-end MTA's I just grab the >>> user email addresses from LN-LDAP, write them to a flat file and >>> Postfix takes care of everything else. Simple solution - great results. >>> >>> I presume you are using SendMail DAve ? >> >> Yep, though I may change that to Postfix. > > You can do the same in a sendmail access list. > > # Entry for each valid user > To:user1@domain.tld RELAY > To:user2@domain.tld RELAY > # > # Default Entry to Reject all others > # > To:domain.tld ERROR:5.1.1:550 User unknown > > Ken Well slap me sideways and call me goofy! I never even considered that. pushing a new recipient list when a SQL change occurs would be simple with perl/ruby + rsync + ssh. I got too focused on milters. Time to rethink everything. DAve > >> >> DAve >>> ----- Original Message ----- 
>>> From: "DAve" >>> To: "MailScanner discussion" >>> Sent: Tuesday, July 24, 2007 1:59:01 PM (GMT) Europe/London >>> Subject: OT - Recipient verification >>> >>> Just asking here because of the knowledge bank we have. Feel free to >>> respond off list, though I suspect that are a lot of us running >>> multiple copies of MS. >>> >>> Currently we use milter-ahead on our MailScanner gateways and we use >>> milter-ahead to verify the recipient. We will be splitting our mail >>> network geographically to take advantage of NOC-2 about 50 miles >>> away. Half our MailScanner gateways and outbound servers will go to >>> NOC-2. We can't move our toasters yet because the Maildirs are NFS >>> mounted. >>> >>> If NOC-1 goes down I still want the MailScanner gateway in NOC-2 to >>> accept mail. My problem is that milter-ahead needs to verify >>> recipient addresses with the toaster in NOC-1. Every milter/MTA >>> solution I have found verifies the recipient address by connecting to >>> the destination MTA, our toaster, which may be unreachable. >>> >>> What I need is to verify the recipient address with a local store on >>> the MailScanner gateway. I would like to use a SQL db as I can easily >>> slave it off the toasters SQL store. Anyone have any ideas how to go >>> about this? >>> >>> Thanks, >>> >>> DAve >>> >> >> > > -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From list-mailscanner at linguaphone.com Tue Jul 24 15:49:18 2007
From: list-mailscanner at linguaphone.com (Gareth) Date: Tue Jul 24 15:49:32 2007 Subject: Request for comments 3 In-Reply-To: <46A60F76.5090604@pacific.net> References: <1892290.1231185219040748.JavaMail.root@office.splatnix.net> <46A5D070.8050803@ecs.soton.ac.uk> <46A60F76.5090604@pacific.net> Message-ID: <1185288558.1143.59.camel@gblades-suse.linguaphone-intranet.co.uk> On Tue, 2007-07-24 at 15:40, Ken A wrote: > Julian Field wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > Well, initial testing is showing it working very well. The aim is that > > you can have anything in the message (expressed as a SpamAssassin rule) > > trigger any action on the message, spam or not. So you can archive any > > message containing particular bits of text anywhere, or you can _not_ > > deliver any message with a certain bit of text in it. > > > > Say you have all mail copied to an archive, but you want certain > > sensitive mail of your own (or your boss's) not archived, then you can > > write an SA rule for some subject keyphrase or piece of text in the body > > of the message. You can then not archive any mail matching that SA rule. > > > > So the boss could have all his email CC'd to his secretary, except for > > personal mail containing "private" on the Subject line, or mail coming > > from his family. > > > > Very handy! What about (or is there already?) a MailScanner 'action' > that says 'feed the message to a program', like is possible in > sendmail's alias file, so that some processing could be done on the > message? This would open up more possibilities, like processing mail for > delivery to other devices (text message, etc), or adding some useful > context to the message for archival and searching use. I know this sort > of thing also opens up some possible security issues. ;-) Forgive me if this has already been mentioned but I have not been following this thread that closely. Your suggestion sounds like a very good idea. 
I have a few spamtrap addresses that I use for monitoring to see if any spams get through so I can write rules for them etc... Normally they are delivered and our internal mail server just delivers anything identified as spam. Now if I could pass all non spam straight through but for all identified spam automatically report it via pyzor and razor and then delete the mail that would be very useful.

From ms-list at alexb.ch Tue Jul 24 15:49:36 2007
From: ms-list at alexb.ch (Alex Broens) Date: Tue Jul 24 15:49:40 2007 Subject: Request for comments 3 In-Reply-To: <46A60F76.5090604@pacific.net> References: <1892290.1231185219040748.JavaMail.root@office.splatnix.net> <46A5D070.8050803@ecs.soton.ac.uk> <46A60F76.5090604@pacific.net> Message-ID: <46A61180.3000608@alexb.ch> On 7/24/2007 4:40 PM, Ken A wrote: > Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Well, initial testing is showing it working very well. The aim is that >> you can have anything in the message (expressed as a SpamAssassin >> rule) trigger any action on the message, spam or not. So you can >> archive any message containing particular bits of text anywhere, or >> you can _not_ deliver any message with a certain bit of text in it. >> >> Say you have all mail copied to an archive, but you want certain >> sensitive mail of your own (or your boss's) not archived, then you can >> write an SA rule for some subject keyphrase or piece of text in the >> body of the message. You can then not archive any mail matching that >> SA rule. >> >> So the boss could have all his email CC'd to his secretary, except for >> personal mail containing "private" on the Subject line, or mail coming >> from his family. >> > > Very handy! What about (or is there already?) a MailScanner 'action' > that says 'feed the message to a program', like is possible in > sendmail's alias file, so that some processing could be done on the > message? This would open up more possibilities, like processing mail for > delivery to other devices (text message, etc), or adding some useful > context to the message for archival and searching use. I know this sort > of thing also opens up some possible security issues. ;-) force sa-learn --spam would be one without a security issue. or, if a message gets released from Mailwatch, sa-learn --ham From dave.list at pixelhammer.com Tue Jul 24 15:49:30 2007 
From: dave.list at pixelhammer.com (DAve) Date: Tue Jul 24 15:50:57 2007 Subject: Request for comments 3 In-Reply-To: <46A60BD9.8080903@ecs.soton.ac.uk> References: <321796.1741185273510384.JavaMail.root@office.splatnix.net> <46A5FDC5.3060109@ecs.soton.ac.uk> <46A6009B.2060701@fsl.com> <46A60BD9.8080903@ecs.soton.ac.uk> Message-ID: <46A6117A.2040101@pixelhammer.com> Julian Field wrote: > > > Steve Freegard wrote: >> Hi Jules, >> >> Julian Field wrote: >>> How about now? It's not in MCP yet, is that a problem? Shouldn't be, >>> as it shouldn't actually make much difference to this functionality >>> (it is working off SA rule names, not scores, so it doesn't matter if >>> other rules fire as well). >> >> Exactly what I was thinking - wouldn't this new method enable MCP-type >> things but without the need for a second SA run (and the rather large >> associated overhead of doing this). >> >> You could simply create the MCP rules and score them as 0.001, then >> use the new feature to quarantine if any of the MCP rule actually fire. >> >> The only thing lacking here is the ability to quarantine the file in >> the mcp quarantine instead of the spam quarantine. Maybe adding >> 'store:mcp' could be an option to mark the message as MCP and store in >> the MCP quarantine directory??? > I have just added 4 more actions: > store-nonspam > store-spam > store-nonmcp > store-mcp > The original "store" action is still there and will work exactly how it > always has done. So can we believe that a dir structure like so is setup? store-nonspam and store-nonmcp are stored here, /var/spool/MailScanner/quarantine/[date]/ store-spam is stored here, /var/spool/MailScanner/quarantine/[date]/spam/ store-mcp is stored here, /var/spool/MailScanner/quarantine/[date]/mcp/ DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? 
Maybe they forgot who made that choice possible. From glenn.steen at gmail.com Tue Jul 24 16:14:34 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jul 24 16:14:36 2007 Subject: Request for comments 3 In-Reply-To: <46A6117A.2040101@pixelhammer.com> References: <321796.1741185273510384.JavaMail.root@office.splatnix.net> <46A5FDC5.3060109@ecs.soton.ac.uk> <46A6009B.2060701@fsl.com> <46A60BD9.8080903@ecs.soton.ac.uk> <46A6117A.2040101@pixelhammer.com> Message-ID: <223f97700707240814r5bd2255p4371471c9267b655@mail.gmail.com> On 24/07/07, DAve wrote: > Julian Field wrote: > > > > > > Steve Freegard wrote: > >> Hi Jules, > >> > >> Julian Field wrote: > >>> How about now? It's not in MCP yet, is that a problem? Shouldn't be, > >>> as it shouldn't actually make much difference to this functionality > >>> (it is working off SA rule names, not scores, so it doesn't matter if > >>> other rules fire as well). > >> > >> Exactly what I was thinking - wouldn't this new method enable MCP-type > >> things but without the need for a second SA run (and the rather large > >> associated overhead of doing this). > >> > >> You could simply create the MCP rules and score them as 0.001, then > >> use the new feature to quarantine if any of the MCP rule actually fire. > >> > >> The only thing lacking here is the ability to quarantine the file in > >> the mcp quarantine instead of the spam quarantine. Maybe adding > >> 'store:mcp' could be an option to mark the message as MCP and store in > >> the MCP quarantine directory??? > > I have just added 4 more actions: > > store-nonspam > > store-spam > > store-nonmcp > > store-mcp > > The original "store" action is still there and will work exactly how it > > always has done. > > So can we believe that a dir structure like so is setup? > > store-nonspam and store-nonmcp are stored here, > /var/spool/MailScanner/quarantine/[date]/ That would be the "infections" quarantine... those should go to non-spam (and possibly non-mcp?! Haven't looked at code today... to much to do;-). 
> store-spam is stored here, > /var/spool/MailScanner/quarantine/[date]/spam/ > > store-mcp is stored here, > /var/spool/MailScanner/quarantine/[date]/mcp/ > > DAve > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Tue Jul 24 16:37:07 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 24 16:34:14 2007
Subject: Request for comments 3
In-Reply-To: <46A6107D.9060708@fsl.com>
References: <321796.1741185273510384.JavaMail.root@office.splatnix.net> <46A5FDC5.3060109@ecs.soton.ac.uk> <46A6009B.2060701@fsl.com> <46A60BD9.8080903@ecs.soton.ac.uk> <46A6107D.9060708@fsl.com>
Message-ID: <46A61CA3.7040000@ecs.soton.ac.uk>

Steve Freegard wrote:
> Hi Jules,
>
> Julian Field wrote:
>> I have just added 4 more actions:
>> store-nonspam
>> store-spam
>> store-nonmcp
>> store-mcp
>> The original "store" action is still there and will work exactly how
>> it always has done.
>>
>> This almost does away with MCP altogether. Yay!
>> I'll get a beta out this afternoon some time very soon.
>
> Wow - nice one!
>
> Will these new options play nice with the current version of MailWatch?
>
> e.g. store-nonspam will set $message->{isspam} = 0, store-mcp will set
> $message->{ismcp} = 1 etc. and add the relevant paths in
> $message->{quarantineplaces}??

It wasn't going to do that, no. Simply choosing to store the message in a place doesn't change its spam status, surely?

>
> One other minor thing that I noticed recently relating to this is that
> if a message is marked as infected and deleted, MailScanner still
> reports that the message was quarantined via
> $message->{quarantineplaces} if keepspamachiveclean is set.

Euch, that's going to take some finding. A job for another day.

>
> Kind regards,
> Steve.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Tue Jul 24 16:38:57 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 24 16:35:22 2007
Subject: Request for comments 3
In-Reply-To: <46A6117A.2040101@pixelhammer.com>
References: <321796.1741185273510384.JavaMail.root@office.splatnix.net> <46A5FDC5.3060109@ecs.soton.ac.uk> <46A6009B.2060701@fsl.com> <46A60BD9.8080903@ecs.soton.ac.uk> <46A6117A.2040101@pixelhammer.com>
Message-ID: <46A61D11.4020907@ecs.soton.ac.uk>

DAve wrote:
> Julian Field wrote:
>>
>>
>> Steve Freegard wrote:
>>> Hi Jules,
>>>
>>> Julian Field wrote:
>>>> How about now? It's not in MCP yet, is that a problem? Shouldn't
>>>> be, as it shouldn't actually make much difference to this
>>>> functionality (it is working off SA rule names, not scores, so it
>>>> doesn't matter if other rules fire as well).
>>>
>>> Exactly what I was thinking - wouldn't this new method enable
>>> MCP-type things but without the need for a second SA run (and the
>>> rather large associated overhead of doing this).
>>>
>>> You could simply create the MCP rules and score them as 0.001, then
>>> use the new feature to quarantine if any of the MCP rule actually fire.
>>>
>>> The only thing lacking here is the ability to quarantine the file in
>>> the mcp quarantine instead of the spam quarantine. Maybe adding
>>> 'store:mcp' could be an option to mark the message as MCP and store
>>> in the MCP quarantine directory???
>> I have just added 4 more actions:
>> store-nonspam
>> store-spam
>> store-nonmcp
>> store-mcp
>> The original "store" action is still there and will work exactly how
>> it always has done.
>
> So can we believe that a dir structure like so is setup?

Yes nearly.

>
> store-nonspam and store-nonmcp are stored here,
> /var/spool/MailScanner/quarantine/[date]/

These are stored in /var/spool/MailScanner/quarantine/[date]/non-spam and .../non-mcp.

>
> store-spam is stored here,
> /var/spool/MailScanner/quarantine/[date]/spam/
>
> store-mcp is stored here,
> /var/spool/MailScanner/quarantine/[date]/mcp/
>
> DAve
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From brett at wrl.org Tue Jul 24 16:37:34 2007
From: brett at wrl.org (Brett Charbeneau)
Date: Tue Jul 24 16:38:28 2007
Subject: ClamAV update to 0.91.1 going awry
Message-ID:

SPECIFICS:
Debian 3.1, kernel 2.6.8-3
Sendmail 8.13.4, MailScanner 4.55.10, SpamAssassin 3.2.1

I've scoured the list archives on the issue we're having and there's obviously been discussion on this issue but none of the suggested remedies has worked.

I've been using the clamavmodule and Julian's ClamAV/SA update script for a few years now without a hitch. This morning I got the new ClamAV/SA package and ran the install script as usual (I'm already on SA 3.2.1, also from this script) but running freshclam shows I'm running still 0.90.2.

I've always just run the script and restarted MailScanner in the past - have I missed something?

Here is the output from running the install.sh script - http://pastebin.ca/631946

As suggested on the list I've altered "Monitors for ClamAV Updates" in MailScanner.conf to equal

/usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd

but I'm still seeing the old version after restarting MS when I check.

Can anyone offer any hints on where I'm missing the boat?

--
********************************************************************
Brett Charbeneau, GSEC Gold, GCIH Gold
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) brett (A T) wrl.org
********************************************************************

From MailScanner at ecs.soton.ac.uk Tue Jul 24 16:50:19 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 24 16:47:31 2007
Subject: Beta release 4.62.4
Message-ID: <46A61FBB.1030708@ecs.soton.ac.uk>

I have just released a new beta, 4.62.4.

This contains some bug-fixes, a few new minor features such as Kaspersky KAV4FS support, along with 2 major new ones:

1 - Addition of 4 new "store" actions, "store-nonmcp", "store-nonspam", "store-mcp" and "store-spam" so you can pick any particular bit of the quarantine you want as a message action.
2 - Addition of the "SpamAssassin Rule Actions" setting which is documented in the MailScanner.conf file.

The documentation of SpamAssassin Rule Actions from MailScanner.conf is this:

# This next setting is very powerful. It allows you to adjust the list of
# actions taken on a message by adding or removing any action or actions,
# depending on what SpamAssassin rules it matched.
# It can be used to replace the functionality of MCP, but without the large
# processing overhead that involves.
#
# The setting consists of a comma-separated list of 'SA_RULENAME=>action'
# pairs, where 'SA_RULENAME' is the name of any SpamAssassin rule (or
# meta-rule), and 'action' is the name of any of the actions listed above
# the 'Spam Actions' configuration setting or the word "not-" preceding any
# of the action names.
# Preceding the action name with "not-" as in "not-deliver" or "not-forward
# user@domain.com" will cause the action to be removed from the list of
# actions that would normally be taken on this message.
# If you want to execute multiple actions on 1 rule, simply specify multiple
# 'SA_RULENAME=>action' pairs.
# Example: Setting this to
#     SpamAssassin Rule Actions = FROM_BOSS_WIFE=>not-forward secretary@domain.com
# would result in mail from the boss's wife not being forwarded to the boss's
# secretary, which would be useful if the non-spam actions for the message
# included forwarding to the boss's secretary.
#
# Combining this with a ruleset makes it even more powerful, as different
# recipients and/or senders can have different sets of rules applied to them.
#
# This can also be the filename of a ruleset, in which case the filename
# must end in ".rule" or ".rules".

The full Change Log is this:

* New Features and Improvements *
1 Improved non-Linux installer.
1 Improved Linux installer.
1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this.
1 Upgraded MIME::Base64 to 3.07.
1 Improved error reporting for clamd permissions problems. Thanks Rick.
2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and /usr/sbin/update_spamassassin. For a good use of this, see
  http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
  and search for "HOWTO" in the Subject: line of the MailScanner-discussion list archive. This process replaces RulesDuJour entirely.
  Another good ruleset to add to your setup is
  http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
  To download this automatically every night, fetch
  http://www.mailscanner.info/files/4/KAM.cf.sh
  and put it in /etc/cron.daily and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh").
3 Added "Known Web Bug Servers" so you can blacklist images from known servers of web bug services.
3 Added functionality of "milter-null" to MailScanner so you no longer need to run this separately. It is called "Watermarking" and there is a whole section for the settings in MailScanner.conf. They are
    Add Watermark = yes
    Skip Spam Checks If Watermark Valid = yes
    Watermark Header = MailScanner-%org-name%-Watermark:
    Watermark Lifetime = 432000 # in seconds, = 5 days
    Watermark Secret = SET-THIS-TO-A-SECRET!
  Also added Digest::MD5 to the required list of Perl modules, this is needed for the watermarking code.
3 Added optional image to the clean message signature. You can also use this to add an arbitrary image attachment to any message, if you so wish. The main point is to be able to have graphical HTML signatures on messages. The settings are
    Attach Image To Signature = no
    Attach Image To HTML Message Only = yes
    Signature Image Filename = %report-dir%/sig.jpg
    Signature Image Filename = signature.jpg
4 Added support for Kaspersky kav4fs. Set virus.scanners.conf entry to point to /opt/kaspersky.
4 Changed default value to "Max SpamAssassin Size = 100k" as modern PDF spams are getting quite large, and PDFInfo.pm doesn't work with cropped messages.
4 Improved Clamd parser to handle Sane Security ClamAV signature databases which detect spam and so on from the contents of the headers, and hence find infections without attachment filenames. Thanks to various people for help with this, you know who you are :-)
4 Improved upgrade_MailScanner_conf so that it checks that the 'Monitors for ClamAV Updates' setting looks for inc and cvd files. Problems have recently been suffered by many due to the value of this setting being out of date. It doesn't automatically re-write their setting in case they have installed ClamAV somewhere odd and have customised it.
4 Changed 'Monitors for Sophos Updates' setting default value to point to appropriate file for Sophos version 5 and upwards, and have added check in upgrade_MailScanner_conf to ensure their setting now points to a new location. It prints a warning if sophos-av does not appear in the path.
4 Added configuration setting "SpamAssassin Rule Actions". This setting is very powerful and can be used to implement many things that MCP can do, without having the processing overhead of MCP. The documentation for it is in the MailScanner.conf file. Its power is limited by your imagination :-) Start combining it with rulesets and you can take (or _not_ take) any combination of actions dependent on any bit of content in the message or its headers. You could try out new SA tests by storing in quarantine every message that matches a new particular SpamAssassin rule (or meta-rule for creating more complex expressions).

* Fixes *
2-2 Fixed error in RPM installer.
2-3 Fixed error in update_spamassassin.
3-2 The watermarking code should do something now :-)
3-3 Rewrote the watermarking docs so they reflect the truth.
4 --lint now reads all the Custom Functions properly.
4 Bug in auto-zip fixed where attachments could be deleted without being added to zip. Thanks to Matt Hampton.
4 Bug with '-' in HTML attribute names confusing phishing net fixed. Thanks to John Wilcock.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From glenn.steen at gmail.com Tue Jul 24 17:13:59 2007
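An added example, not part of the announcement and not MailScanner's own code: a Python lint for a "SpamAssassin Rule Actions" value that models the semantics documented in the message above (comma-separated 'SA_RULENAME=>action' pairs, with "not-" removing an action). The action set is limited to names that appear on this page, and the rule name NEW_TEST_RULE is hypothetical.

```python
import re

# Action names that appear on this page. The full list sits above the
# 'Spam Actions' setting in MailScanner.conf; extend this set from there.
KNOWN_ACTIONS = {"deliver", "delete", "forward",
                 "store-spam", "store-nonspam", "store-mcp", "store-nonmcp"}
RULE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_ruleset_file(value):
    """The setting may instead name a ruleset file ending in .rule or .rules."""
    return value.strip().endswith((".rule", ".rules"))


def parse_rule_actions(value):
    """Split the setting into (rule, remove, action) tuples plus lint errors."""
    pairs, errors = [], []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue
        rule, sep, action = item.partition("=>")
        rule = rule.strip()
        action = " ".join(action.split())      # collapse runs of whitespace
        if not sep or not rule or not action:
            errors.append(f"malformed pair: {item!r}")
            continue
        if not RULE_NAME.match(rule):
            errors.append(f"suspicious rule name: {rule!r}")
            continue
        remove = action.startswith("not-")
        if remove:
            action = action[len("not-"):]
        verb = action.split(" ", 1)[0]
        if verb not in KNOWN_ACTIONS:
            errors.append(f"unknown action {verb!r} for rule {rule}")
            continue
        if verb == "forward" and "@" not in action:
            errors.append(f"forward without an address for rule {rule}")
            continue
        pairs.append((rule, remove, action))
    return pairs, errors


def apply_rule_actions(base_actions, matched_rules, pairs):
    """Adjust the actions a message would normally get, in setting order."""
    actions = list(base_actions)
    for rule, remove, action in pairs:
        if rule not in matched_rules:
            continue
        if remove:
            actions = [a for a in actions if a != action]
        elif action not in actions:
            actions.append(action)
    return actions


# The example value from the documentation, plus a hypothetical second pair
# that quarantines whatever a rule under evaluation matches.
SETTING = ("FROM_BOSS_WIFE=>not-forward secretary@domain.com, "
           "NEW_TEST_RULE=>store-spam")

if __name__ == "__main__":
    pairs, errors = parse_rule_actions(SETTING)
    normal = ["deliver", "forward secretary@domain.com"]
    print(apply_rule_actions(normal, {"FROM_BOSS_WIFE"}, pairs))
    print(parse_rule_actions("X=>not-delvier, Y=deliver")[1])
```

Running a value through the lint before it goes into MailScanner.conf catches a mistyped action or a missing "=>" before it silently changes what happens to matching mail.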
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 24 17:14:00 2007
Subject: ClamAV update to 0.91.1 going awry
In-Reply-To:
References:
Message-ID: <223f97700707240913y1c39df46o3ff82e0784c16242@mail.gmail.com>

On 24/07/07, Brett Charbeneau wrote:
>
> SPECIFICS:
> Debian 3.1, kernel 2.6.8-3
> Sendmail 8.13.4, MailScanner 4.55.10, SpamAssassin 3.2.1
>
> I've scoured the list archives on the issue we're having and there's
> obviously been discussion on this issue but none of the suggested remedies has
> worked.
> I've been using the clamavmodule and Julian's ClamAV/SA update script
> for a few years now without a hitch. This morning I got the new ClamAV/SA
> package and ran the install script as usual (I'm already on SA 3.2.1, also from
> this script) but running freshclam shows I'm still running 0.90.2.
> I've always just run the script and restarted MailScanner in the past -
> have I missed something? Here is the output from running the install.sh script -
>
> http://pastebin.ca/631946
>
> As suggested on the list I've altered "Monitors for ClamAV Updates" in
> MailScanner.conf to equal
>
> /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd
>
> but I'm still seeing the old version after restarting MS when I check.
> Can anyone offer any hints on where I'm missing the boat?
>
>
As you can see on line 355 and onward you have a linking problem... This seems to indicate that you have a general problem with your build environment. I googled "Debian multiple definition of `__i686.get_pc_thunk.bx" and could find this (specific to Debian, not clamav) to be (seemingly, at least:-) the case. Some seem to have resolved it by updating their gcc (to 4.0 ... Yes, unstable).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mailadmin at baladia.gov.kw Tue Jul 24 16:48:37 2007
From: mailadmin at baladia.gov.kw (simon)
Date: Tue Jul 24 17:25:45 2007
Subject: mailscanner trouble
Message-ID: <3376.62.150.152.226.1185292117.squirrel@webmail.baladia.gov.kw>

I have the following setup and it was running fine for the past 2 years or so

REDhat 8
bind-9.2.1-9
sendmail-8.12.5-7
mailScanner 4.28.6
spamassassin-2.31-16
clamav 0.91
domain name-- kmun.gov.kw

Just about 2 days back I found the users not getting mail, and when I checked the maillog I found the user mails were not getting delivered to their mailboxes.

Also I tried to send mail from Yahoo to my account and it was not getting delivered, but if I restart my server I could get the mail, and then again there used to be a problem.

Now I stopped MailScanner and only started sendmail and my mails were getting delivered normally to users' inboxes and it was perfect.

What could be wrong with my MailScanner, or is there a problem with ClamAV?

Appreciate your help.

Here below are some maillogs:

1) As I see, denial of service attack

2) RBL Check ORDB-RBL timed out and was killed, consecutive failure 2 of 7

--------------------------------------------------------------
Jul 22 09:36:49 kmdns MailScanner[24383]: Spam Checks: Starting
Jul 22 09:36:54 kmdns MailScanner[25469]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 2 of 7
Jul 22 09:36:58 kmdns MailScanner[24645]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 5 of 7
Jul 22 09:36:59 kmdns MailScanner[24645]: Virus and Content Scanning: Starting
Jul 22 09:36:59 kmdns MailScanner[24383]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 7 of 7
Jul 22 09:37:00 kmdns MailScanner[24383]: RBL checks: l6M5agX6025576 found in SBL+XBL
Jul 22 09:37:00 kmdns MailScanner[24383]: Message l6M5agX6025576 from 58.69.248.98 (jquintana_eu@yahoo.co.uk) to kmun.gov.kw is spam, SBL+XBL
Jul 22 09:37:00 kmdns MailScanner[24383]: RBL checks: l6M5afX6025574 found in SBL+XBL
Jul 22 09:37:01 kmdns MailScanner[24383]: Message l6M5afX6025574 from 58.69.248.98 (jquintana_eu@yahoo.co.uk) to kmun.gov.kw is spam, SBL+XBL
Jul 22 09:37:02 kmdns MailScanner[24383]: Spam Checks: Found 2 spam messages
Jul 22 09:37:02 kmdns MailScanner[24383]: Spam Actions: message l6M5agX6025576 actions are delete
Jul 22 09:37:03 kmdns MailScanner[24383]: Spam Actions: message l6M5afX6025574 actions are delete
Jul 22 09:37:04 kmdns MailScanner[24383]: Virus and Content Scanning: Starting
Jul 22 09:37:05 kmdns MailScanner[25469]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 3 of 7
Jul 22 09:37:16 kmdns MailScanner[25469]: RBL Check ORDB-RBL timed out and was killed, consecutive failure 4 of 7
Jul 22 09:37:17 kmdns MailScanner[25469]: Virus and Content Scanning: Starting
Jul 22 09:41:34 kmdns MailScanner[24612]: Commercial scanner clamav timed out!
Jul 22 09:41:35 kmdns MailScanner[24612]: Virus Scanning: Denial Of Service attack detected!
Jul 22 09:41:35 kmdns MailScanner[24335]: Commercial scanner clamav timed out!
Jul 22 09:41:35 kmdns MailScanner[24335]: Virus Scanning: Denial Of Service attack detected!
Jul 22 09:41:35 kmdns MailScanner[24612]: New Batch: Found 7 messages waiting
Jul 22 09:41:36 kmdns MailScanner[24612]: New Batch: Scanning 1 messages, 4711 bytes
Jul 22 09:41:36 kmdns MailScanner[24612]: Spam Checks: Starting
Jul 22 09:41:36 kmdns MailScanner[24335]: MailScanner child dying of old age
Jul 22 09:41:37 kmdns MailScanner[24612]: RBL checks: l6M5aeX6025573 found in SBL+XBL
Jul 22 09:41:37 kmdns MailScanner[24612]: Message l6M5aeX6025573 from 58.69.248.98 (jquintana_eu@yahoo.co.uk) to kmun.gov.kw is spam, SBL+XBL
Jul 22 09:41:37 kmdns MailScanner[24612]: Spam Checks: Found 1 spam messages
Jul 22 09:41:37 kmdns MailScanner[24612]: Spam Actions: message l6M5aeX6025573 actions are delete
Jul 22 09:41:37 kmdns MailScanner[24612]: Virus and Content Scanning: Starting
Jul 22 09:41:38 kmdns MailScanner[25614]: MailScanner E-Mail Virus Scanner version 4.28.6 starting...
Jul 22 09:41:40 kmdns MailScanner[25614]: Using locktype = flock
Jul 22 09:42:00 kmdns MailScanner[24645]: Commercial scanner clamav timed out!
Jul 22 09:42:01 kmdns MailScanner[24645]: Virus Scanning: Denial Of Service attack detected!
Jul 22 09:42:02 kmdns MailScanner[24383]: Commercial scanner clamav timed out!
Jul 22 09:42:03 kmdns MailScanner[24383]: Virus Scanning: Denial Of Service attack detected!
Jul 22 09:42:18 kmdns MailScanner[25469]: Commercial scanner clamav timed out!
Jul 22 09:42:18 kmdns MailScanner[25469]: Virus Scanning: Denial Of Service attack
-------------------------------------------------------------------

Regards

simon

--
Network Administrator

From steve.freegard at fsl.com Tue Jul 24 17:27:58 2007
From: steve.freegard at fsl.com (Steve Freegard)
Date: Tue Jul 24 17:28:01 2007
Subject: Request for comments 3
In-Reply-To: <46A61CA3.7040000@ecs.soton.ac.uk>
References: <321796.1741185273510384.JavaMail.root@office.splatnix.net> <46A5FDC5.3060109@ecs.soton.ac.uk> <46A6009B.2060701@fsl.com> <46A60BD9.8080903@ecs.soton.ac.uk> <46A6107D.9060708@fsl.com> <46A61CA3.7040000@ecs.soton.ac.uk>
Message-ID: <46A6288E.1090201@fsl.com>

Julian Field wrote:
>> e.g. store-nonspam will set $message->{isspam} = 0, store-mcp will set
>> $message->{ismcp} = 1 etc. and add the relevant paths in
>> $message->{quarantineplaces)??
> It wasn't going to do that, no. Simply choosing to store the message in
> a place doesn't change its spam status, surely?

Ok - true enough for spam, but to replace MCP with this new feature - setting store-mcp would need to set $message->{ismcp} otherwise MailWatch won't be able to tell the difference between them and the MCP stuff will get lost in the noise (and won't get counted toward the MCP stats).

>>
>> One other minor thing that I noticed recently relating to this is that
>> if a message is marked as infected and deleted, MailScanner still
>> reports that the message was quarantined via
>> $message->{quarantineplaces} if keepspamachiveclean is set.
> Euch, that's going to take some finding. A job for another day.

Ok - I'll try and track this down.

Cheers,
Steve.

From mkettler at evi-inc.com Tue Jul 24 17:36:58 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Jul 24 17:38:38 2007
Subject: mailscanner trouble
In-Reply-To: <3376.62.150.152.226.1185292117.squirrel@webmail.baladia.gov.kw>
References: <3376.62.150.152.226.1185292117.squirrel@webmail.baladia.gov.kw>
Message-ID: <46A62AAA.6060406@evi-inc.com>

simon wrote:
> I have the following setup and was running fine for the past 2 years or so
>
>
> REDhat 8
> bind-9.2.1-9
> sendmail-8.12.5-7
> mailScanner 4.28.6
> spamassassin-2.31-16
> clamav 0.91
> domain name-- kmun.gov.kw
>
> Jul 22 09:41:34 kmdns MailScanner[24612]: Commercial scanner clamav timed
> out!
> Jul 22 09:41:35 kmdns MailScanner[24612]: Virus Scanning: Denial Of
> Service attack detected!

Based on that log message, clamav is running very, very slowly. You might want to try manually running clamscan on some files and see how long it takes.

I know that clamav 0.90.3 had major delay problems, but 0.91 shouldn't. Make sure that you don't have some mistake where two different versions of clamav are on your system at the same time.

Also, as a side note, your spamassassin version is *way* out of date. SA 2.31 was released 06/20/02, over 5 years ago.

From martinh at solidstatelogic.com Tue Jul 24 17:39:29 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Jul 24 17:39:34 2007
Subject: mailscanner trouble
In-Reply-To: <3376.62.150.152.226.1185292117.squirrel@webmail.baladia.gov.kw>
Message-ID: <370b533d1822a74495c041c4eb1f76f4@solidstatelogic.com>

Simon

You're running really really old mailscanner and really really really old spamassassin!

I'd suggest you update both to modern versions first..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From mkettler at evi-inc.com Tue Jul 24 17:58:49 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Jul 24 18:00:43 2007
Subject: mailscanner trouble
In-Reply-To: <370b533d1822a74495c041c4eb1f76f4@solidstatelogic.com>
References: <370b533d1822a74495c041c4eb1f76f4@solidstatelogic.com>
Message-ID: <46A62FC9.90500@evi-inc.com>

Martin.Hepworth wrote:
> Simon
>
> You're running really really old mailscanner and really really really old spamassassin!
>
> I'd suggest you update both to modern versions first..

I'd agree.. however, he's also running a really really really old version of RedHat (Redhat 8, circa 2002), which is no longer supported and thus no longer has security fixes posted.

He's also running a really old sendmail which is likely full of exploits. I know sendmail-8.12.5-7 is vulnerable to at least this remote DoS attack.

http://www.securityfocus.com/bid/8485

This version of RedHat also runs perl 5.0005, which would inhibit upgrading to anything too terribly modern. SpamAssassin ditched 5.0005 support with SA 3.0.0. 2.6x would be the newest build that would support such an old version of perl.

While it's a lot of work, really Simon should be completely upgrading his entire OS. Centos might make a good option as it would be relatively familiar to a RedHat user and has fairly long-lived release cycles.

Upgrading a couple tools won't help you when nearly every package on your entire system is 5 years old and doesn't have any security updates published.

From MailScanner at ecs.soton.ac.uk Tue Jul 24 18:14:19 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 24 18:15:22 2007
Subject: Request for comments 3
In-Reply-To: <46A6288E.1090201@fsl.com>
References: <321796.1741185273510384.JavaMail.root@office.splatnix.net> <46A5FDC5.3060109@ecs.soton.ac.uk> <46A6009B.2060701@fsl.com> <46A60BD9.8080903@ecs.soton.ac.uk> <46A6107D.9060708@fsl.com> <46A61CA3.7040000@ecs.soton.ac.uk> <46A6288E.1090201@fsl.com>
Message-ID: <46A6336B.1030804@ecs.soton.ac.uk>

Steve Freegard wrote:
> Julian Field wrote:
>>> e.g. store-nonspam will set $message->{isspam} = 0, store-mcp will
>>> set $message->{ismcp} = 1 etc. and add the relevant paths in
>>> $message->{quarantineplaces)??
>
>> It wasn't going to do that, no. Simply choosing to store the message
>> in a place doesn't change its spam status, surely?
>
> Ok - true enough for spam, but to replace MCP with this new feature -
> setting store-mcp would need to set $message->{ismcp} otherwise
> MailWatch won't be able to tell the difference between them and the
> MCP stuff will get lost in the noise (and won't get counted toward the
> MCP stats).
Okay, I could do that as well. It will be easy to add that.
>
>>>
>>> One other minor thing that I noticed recently relating to this is
>>> that if a message is marked as infected and deleted, MailScanner
>>> still reports that the message was quarantined via
>>> $message->{quarantineplaces} if keepspamachiveclean is set.
>
>> Euch, that's going to take some finding. A job for another day.
>
> Ok - I'll try and track this down.
>
> Cheers,
> Steve.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From mailadmin at baladia.gov.kw Tue Jul 24 17:50:19 2007
From: mailadmin at baladia.gov.kw (simon)
Date: Tue Jul 24 18:27:24 2007
Subject: mailscanner trouble
In-Reply-To: <46A62FC9.90500@evi-inc.com>
References: <370b533d1822a74495c041c4eb1f76f4@solidstatelogic.com> <46A62FC9.90500@evi-inc.com>
Message-ID: <3516.62.150.152.226.1185295819.squirrel@webmail.baladia.gov.kw>

Thanks a lot guys for your quick replies..

btw I have already started to upgrade my system fully to CENTOS 5 with the latest mailscanner, clamav + spamassassin... and of course sendmail too

I guess this type of problem will be eliminated

but I was just wondering why this problem disappeared when I stopped MailScanner.

That is, I just did a chkconfig MailScanner off and restarted the server and so far everything is fine

Appreciate your help and suggestions

Regards

simon

From MailScanner at ecs.soton.ac.uk Tue Jul 24 18:29:35 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 24 18:30:51 2007
Subject: Request for comments 3
In-Reply-To: <46A6336B.1030804@ecs.soton.ac.uk>
References: <321796.1741185273510384.JavaMail.root@office.splatnix.net> <46A5FDC5.3060109@ecs.soton.ac.uk> <46A6009B.2060701@fsl.com> <46A60BD9.8080903@ecs.soton.ac.uk> <46A6107D.9060708@fsl.com> <46A61CA3.7040000@ecs.soton.ac.uk> <46A6288E.1090201@fsl.com> <46A6336B.1030804@ecs.soton.ac.uk>
Message-ID: <46A636FF.9060608@ecs.soton.ac.uk>

Julian Field wrote:
> Steve Freegard wrote:
>> Julian Field wrote:
>>>> e.g. store-nonspam will set $message->{isspam} = 0, store-mcp will
>>>> set $message->{ismcp} = 1 etc. and add the relevant paths in
>>>> $message->{quarantineplaces)??
>>
>>> It wasn't going to do that, no. Simply choosing to store the message
>>> in a place doesn't change its spam status, surely?
>>
>> Ok - true enough for spam, but to replace MCP with this new feature -
>> setting store-mcp would need to set $message->{ismcp} otherwise
>> MailWatch won't be able to tell the difference between them and the
>> MCP stuff will get lost in the noise (and won't get counted toward
>> the MCP stats).
> Okay, I could do that as well. It will be easy to add that.

Also, do you need me to do anything special if they use the store-spam in the Non-Spam Actions and other combinations?

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From brett at wrl.org Tue Jul 24 19:03:52 2007
From: brett at wrl.org (Brett Charbeneau)
Date: Tue Jul 24 19:04:41 2007
Subject: ClamAV update to 0.91.1 going awry (
Message-ID:

> As you can see on line 355 and onward you have a linking problem...
> This seem to indicate that you have a general problem with your build
> environment. I googled "Debian multiple definition of
> `__i686.get_pc_thunk.bx" and could find this (specific to Debian, not
> clamav) to be (seemingly, at least:-) the case. Some seem to have
> resolved it by updating their gcc (to 4.0 ... Yes, unstable).

Thanks for the response Glenn! Huh. Well, Debian lets me down so infrequently that I guess I can live with this quirk. I appreciate your pointing out the goofiness.

--
********************************************************************
Brett Charbeneau, GSEC Gold, GCIH Gold
Network Administrator
Williamsburg Regional Library
7770 Croaker Road
Williamsburg, VA 23188-7064
(757)259-4044 www.wrl.org
(757)259-4079 (fax) brett (A T) wrl.org
********************************************************************

From mkettler at evi-inc.com Tue Jul 24 19:06:19 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Jul 24 19:07:52 2007
Subject: mailscanner trouble
In-Reply-To: <3516.62.150.152.226.1185295819.squirrel@webmail.baladia.gov.kw>
References: <370b533d1822a74495c041c4eb1f76f4@solidstatelogic.com> <46A62FC9.90500@evi-inc.com> <3516.62.150.152.226.1185295819.squirrel@webmail.baladia.gov.kw>
Message-ID: <46A63F9B.4050503@evi-inc.com>

simon wrote:
>
> Thanks a lot guys for your quick replies..
>
>
> btw I have already started to upgrade my system fully to CENTOS 5 with the
> latest mailscanner, clamav + spamassassin... and of course sendmail too
>
> I guess this type of problem will be eliminated
>
> but I was just wondering why this problem disappeared when I stopped
> MailScanner.
>
> That is, I just did a chkconfig MailScanner off and restarted the server and
> so far everything is fine

It sounds like you've got the "sendmail" service still enabled.

Normally, the MailScanner script launches the two sendmail processes you need. One acts as a queue-only inbound MTA, and the other as a queue-runner outbound.

If a "normal" sendmail (ie: one that both sends and receives) is running, it will end up screwing with MailScanner, which expects to be the only one placing files into /var/spool/mqueue.

From mailadmin at baladia.gov.kw Tue Jul 24 18:45:02 2007
From: mailadmin at baladia.gov.kw (simon)
Date: Tue Jul 24 19:22:09 2007
Subject: thnks for ur quick reply
In-Reply-To: <46A63F9B.4050503@evi-inc.com>
References: <370b533d1822a74495c041c4eb1f76f4@solidstatelogic.com> <46A62FC9.90500@evi-inc.com> <3516.62.150.152.226.1185295819.squirrel@webmail.baladia.gov.kw> <46A63F9B.4050503@evi-inc.com>
Message-ID: <4028.62.150.152.226.1185299102.squirrel@webmail.baladia.gov.kw>

Thanks for your quick reply.

btw let me explain..

Right now I have only sendmail running and MailScanner is stopped, so it's working perfectly.

Before, when I had MailScanner running, the sendmail service was off but I had problems like mail not going to user mailboxes and the DoS attack message in my maillog.

Anyway, I am going to upgrade but just wanted to know where the actual problem was:

with MailScanner or ClamAV or SpamAssassin, since without MailScanner running everything is working fine.

Thanks and appreciated

simon

> simon wrote:
>>
>> Thanks a lot guys for your quick replies..
>>
>>
>> btw I have already started to upgrade my system fully to CENTOS 5 with
>> the
>> latest mailscanner, clamav + spamassassin... and of course sendmail too
>>
>> I guess this type of problem will be eliminated
>>
>> but I was just wondering why this problem disappeared when I stopped
>> MailScanner.
>>
>> That is, I just did a chkconfig MailScanner off and restarted the server
>> and
>> so far everything is fine
>
> It sounds like you've got the "sendmail" service still enabled.
>
> Normally, the MailScanner script launches the two sendmail processes you
> need.
> One acts as a queue-only inbound MTA, and the other as a queue-runner
> outbound.
>
> If a "normal" sendmail (ie: one that both sends and receives) is running,
> it
> will end up screwing with MailScanner, which expects to be the only one
> placing
> files into /var/spool/mqueue.
> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Network Administrator From glenn.steen at gmail.com Tue Jul 24 20:00:28 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jul 24 20:00:32 2007 Subject: thnks for ur quick reply In-Reply-To: <4028.62.150.152.226.1185299102.squirrel@webmail.baladia.gov.kw> References: <370b533d1822a74495c041c4eb1f76f4@solidstatelogic.com> <46A62FC9.90500@evi-inc.com> <3516.62.150.152.226.1185295819.squirrel@webmail.baladia.gov.kw> <46A63F9B.4050503@evi-inc.com> <4028.62.150.152.226.1185299102.squirrel@webmail.baladia.gov.kw> Message-ID: <223f97700707241200mc5ca6f3v6ddbffc369d2e161@mail.gmail.com> On 24/07/07, simon wrote: > Thanks for ur quick reply. > > btw let me explain.. > > right now i have only sendmail running and MailScanner is stopped so its > workin perfect > > b4 when i had MailScanner running the sendmail service was off but had > problems like mail not goin to user mailboxes and dos attack message in my > maillog > > anywya i gonna upgrade but jus wanted to know where the actuall problem was > > with Mailscanner or clamav or spammassassin .. since without mail scanner > being running everthing workin fine > >From the log snippet you posted, it'd seem that the problem was with clamav more than anything. But don't let that pull from your upgrade work:-):-). Amazingly old stuff:-)... But you are moving in the right direction, so I digress:) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From uxbod at splatnix.net Tue Jul 24 20:17:21 2007 
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 24 20:16:06 2007
Subject: Request for comments 3
In-Reply-To: <46A636FF.9060608@ecs.soton.ac.uk>
Message-ID: <29902981.2401185304641376.JavaMail.root@office.splatnix.net>

Jules,

I raised a question on the MailWatch list of whether it would be possible to not display a list of messages based on the SA rule. Due to changes in V2 Steve believes it would probably be better performed in MailScanner.

My thoughts are based around Trojan messages, where at the moment they are sometimes tagged via SA rules, but users do have the potential to release those messages and hence pose a potential security risk. This would even happen if the message is quarantined.

Using your newly introduced code, would it be possible to introduce a new field where a message could be marked as caution. It is not a virus but should be treated with respect. I know it could be deleted via the SA rule code, but what happens if it has been tagged a false positive.

A caution flag could then be used by MailWatch, or any other application, to stop a user releasing it and perhaps asking them to fill in a form to contact tech support to check the message whether it is okay to release.

What has prompted this RFC is the recent eCard SPAM/Malware that has been shown to download Trojans and Virii.

What is your take on this, and anybody else who perhaps sees the benefits ?

Regards,

ps. You amaze me how quick you release new functionality :D

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: 24 July 2007 18:29:35 o'clock (GMT) Europe/London
Subject: Re: Request for comments 3

Julian Field wrote:
> Steve Freegard wrote:
>> Julian Field wrote:
>>>> e.g. store-nonspam will set $message->{isspam} = 0, store-mcp will
>>>> set $message->{ismcp} = 1 etc. and add the relevant paths in
>>>> $message->{quarantineplaces}??
>>
>>> It wasn't going to do that, no. Simply choosing to store the message
>>> in a place doesn't change its spam status, surely?
>>
>> Ok - true enough for spam, but to replace MCP with this new feature -
>> setting store-mcp would need to set $message->{ismcp} otherwise
>> MailWatch won't be able to tell the difference between them and the
>> MCP stuff will get lost in the noise (and won't get counted toward
>> the MCP stats).
> Okay, I could do that as well. It will be easy to add that.

Also, do you need me to do anything special if they use the store-spam in the Non-Spam Actions and other combinations?

Jules

From MailScanner at ecs.soton.ac.uk Tue Jul 24 20:23:43 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 24 20:24:03 2007
Subject: Announce: Join the Facebook MailScanner group
Message-ID: <46A651BF.3050805@ecs.soton.ac.uk>

All you Facebook users out there, join the MailScanner group!

A great place for us to share experiences (good or bad) and arrange a
meet somewhere (pick a country!). I hope there will be some good
conversation on the message board, I'll announce news there, and you can
have a chat rather more informally than under the public gaze of the
mailing list.

And how about a competition for the best-looking rack of MailScanner
hardware? :-)
Most stupid end-user's tech support query?

And if you aren't on Facebook, why not?
www.facebook.com

Jules

From MailScanner at ecs.soton.ac.uk Tue Jul 24 20:34:20 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 24 20:34:45 2007
Subject: Request for comments 3
In-Reply-To: <29902981.2401185304641376.JavaMail.root@office.splatnix.net>
References: <29902981.2401185304641376.JavaMail.root@office.splatnix.net>
Message-ID: <46A6543C.8090803@ecs.soton.ac.uk>

I'm not quite sure what you're asking or suggesting here.
What would cause a message to be marked as "dangerous"?
And what do I do with a "dangerous" message?

Jules

From maillists at conactive.com Tue Jul 24 20:37:12 2007
From: maillists at conactive.com (Kai Schaetzl)
Date: Tue Jul 24 20:37:16 2007
Subject: MailScanner and password protected archives
Message-ID:

There was a discussion about this in April and the problem got supposedly
fixed with MS 4.60.1:

- -- "clamavmodule" scanner no longer detects password-protected archives as
viruses, allowing them to be easily released in MailWatch.

I'm not sure if that really fixes the problem. I've seen this problem
happen with clamav (not module) as well and it's not a Mailwatch problem.
The password-protected archive gets detected as "Other Infection" (as
shown by Mailwatch) and blocked. However, it does not get stored (no
viruses get stored) and that's the reason why a release is not possible.

Is this something I can fix in a clam.conf file or by another MailScanner
setting or is it still waiting to be fixed? I'm using 4.54.6, btw, and it
may have been fixed between 4.54.6 and 4.60.1 as a completely different
issue. But, at least, I can't find anything about it.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From doc at maddoc.net Tue Jul 24 20:45:56 2007
From: doc at maddoc.net (Doc Schneider)
Date: Tue Jul 24 20:46:03 2007
Subject: Announce: Join the Facebook MailScanner group
In-Reply-To: <46A651BF.3050805@ecs.soton.ac.uk>
References: <46A651BF.3050805@ecs.soton.ac.uk>
Message-ID: <46A656F4.80501@maddoc.net>

Julian Field wrote:
> All you Facebook users out there, join the MailScanner group!
>
> A great place for us to share experiences (good or bad) and arrange a
> meet somewhere (pick a country!). I hope there will be some good
> conversation on the message board, I'll announce news there, and you can
> have a chat rather more informally than under the public gaze of the
> mailing list.
>
> And how about a competition for the best-looking rack of MailScanner
> hardware? :-)
> Most stupid end-user's tech support query?
>
> And if you aren't on Facebook, why not?
> www.facebook.com
>
> Jules
>

I've just joined it. But need to find a picture of me to add.

/me thinks of adding a Harrison Ford pic. HAR!

--
-Doc
Lincoln, NE.
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From mailadmin at baladia.gov.kw Tue Jul 24 20:14:42 2007
From: mailadmin at baladia.gov.kw (simon)
Date: Tue Jul 24 20:51:45 2007
Subject: thnks for ur quick reply
In-Reply-To: <223f97700707241200mc5ca6f3v6ddbffc369d2e161@mail.gmail.com>
References: <370b533d1822a74495c041c4eb1f76f4@solidstatelogic.com> <46A62FC9.90500@evi-inc.com> <3516.62.150.152.226.1185295819.squirrel@webmail.baladia.gov.kw> <46A63F9B.4050503@evi-inc.com> <4028.62.150.152.226.1185299102.squirrel@webmail.baladia.gov.kw> <223f97700707241200mc5ca6f3v6ddbffc369d2e161@mail.gmail.com>
Message-ID: <4169.62.150.152.226.1185304482.squirrel@webmail.baladia.gov.kw>

Thanks a lot glen... do appreciate..

i already start the upgrade work

thnkss

regards

simon

--
Network Administrator

From uxbod at splatnix.net Tue Jul 24 20:53:35 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 24 20:52:18 2007
Subject: Request for comments 3
In-Reply-To: <46A6543C.8090803@ecs.soton.ac.uk>
Message-ID: <15742686.2491185306815635.JavaMail.root@office.splatnix.net>

Sorry Jules,

What I mean, for example KAM_CARD (as in KAM.cf), disguises a message as from a friend/worshipper etc, but contains a URL that *could* download a virus/trojan. Currently, this type of message gets marked as SPAM, which means a user could potentially release it from Quarantine.

What would be nice is if a SA rule could trigger a "Caution Flag", which means that MailWatch/or a home brew application could check this flag and stop the user from releasing it. The user could be directed then to ask a techie to release the message once they had checked it out.

This could also be used when a message contains potential IPR and it just gets flagged.

Just seemed a useful idea to me, but please disregard if a daft idea ;)

Cheers,

--[ UxBoD ]--

From bbecken at aafp.org Tue Jul 24 20:57:52 2007
From: bbecken at aafp.org (Brad Beckenhauer) Date: Tue Jul 24 20:58:22 2007 Subject: install-Clam-0.91.1-SA-3.2.1.tar.gz configure error Message-ID: <46A61369.D87E.0068.3@aafp.org> Hi, I get a "configure error" when installing install-Clam-0.91.1-SA-3.2.1.tar.gz and clam will not install. I found that if zlib-devel is installed first, then the package installs. -Brad How I discovered it. Installed Centos 5.0, no GUI, no graphical at all. Customize config, deselect all packages. Download install-Clam-0.91.1-SA-3.2.1.tar.gz and unpack. run the install.sh install-Clam-0.91.1-SA-3.2.1/ install-Clam-0.91.1-SA-3.2.1/perl-tar/ install-Clam-0.91.1-SA-3.2.1/perl-tar/Data-Dump-1.08.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/ExtUtils-ParseXS-2.18.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/version-0.7203.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/IP-Country-2.21.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Inline-0.44.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Digest-1.15.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Module-Build-0.2808.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Error-0.17008.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Sys-Hostname-Long-1.4.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Archive-Tar-1.29.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Digest-HMAC-1.01.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/DB_File-1.814.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/URI-1.35.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Mail-SPF-2.004.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Business-ISBN-1.82.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Test-Harness-2.56.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Net-CIDR-Lite-0.20.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Net-DNS-0.60.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Test-Manifest-0.95.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Mail-SpamAssassin-3.2.1.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Digest-MD5-2.36.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/NetAddr-IP-4.004.tar.gz 
install-Clam-0.91.1-SA-3.2.1/perl-tar/Net-IP-1.25.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/ExtUtils-CBuilder-0.18.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Encode-Detect-1.00.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/IO-String-1.08.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Digest-SHA1-2.10.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Mail-ClamAV-0.20.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/IO-Zlib-1.04.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Net-DNS-Resolver-Programmable-0.002.2.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/YAML-0.62.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Business-ISBN-Data-1.10.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/HTML-Parser-3.56.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Mail-SPF-Query-1.999.1.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/clamav-0.91.1.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Parse-RecDescent-1.94.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Test-Simple-0.70.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Text-Balanced-1.98.tar.gz install-Clam-0.91.1-SA-3.2.1/install.sh install-Clam-0.91.1-SA-3.2.1/functions.sh install-Clam-0.91.1-SA-3.2.1/CheckModuleVersion Good, you appear to only have 1 copy of Perl installed: /usr/bin/perl Found gcc. cc is really gcc. Good, I have found GNU tar in /bin/tar. This script will pause for a few seconds after each major step, so do not worry if it appears to stop for a while. If you want it to stop so you can scroll back through the output then press Ctrl-S to stop the output and Ctrl-Q to start it again. If this fails due to dependency checks, and you wish to ignore these problems, you can run ./install.sh --nodeps Installing ClamAV There are 2 recommended ways of installing ClamAV, depending on various factors. 
If you want to use MailScanners support for Clamd (virus-scanning daemon) then I recommend you cancel this script now (press Ctrl-C) and install the RPMs for clamav, clamav-db and clamd from http://dag.wieers.com/rpm/packages/clamav Then re-run this script and tell me that clamscan is installed in /usr/bin. This will set up your virus.scanners.conf file for you. Otherwise you probably want me to install ClamAV now. So answer y. Do you want me to install ClamAV for you [y or n, default is y] ? y Do not worry about warnings or errors from the next 3 commands You can start worrying about errors again now About to build the ClamAV virus scanner checking build system type... i686-pc-linux-gnu checking host system type... i686-pc-linux-gnu checking target system type... i686-pc-linux-gnu creating target.h - canonical system defines checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for gawk... gawk checking whether make sets $(MAKE)... yes checking for gawk... (cached) gawk checking for gcc... gcc checking for C compiler default output file name... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking for style of include used by make... GNU checking dependency style of gcc... gcc3 checking for a BSD-compatible install... /usr/bin/install -c checking whether ln -s works... yes checking whether make sets $(MAKE)... (cached) yes checking for a sed that does not truncate output... /bin/sed checking for grep that handles long lines and -e... /bin/grep checking for egrep... /bin/grep -E checking for ld used by gcc... /usr/bin/ld checking if the linker (/usr/bin/ld) is GNU ld... 
yes checking for /usr/bin/ld option to reload object files... -r checking for BSD-compatible nm... /usr/bin/nm -B checking how to recognise dependent libraries... pass_all checking how to run the C preprocessor... gcc -E checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking dlfcn.h usability... yes checking dlfcn.h presence... yes checking for dlfcn.h... yes checking for g++... no checking for c++... no checking for gpp... no checking for aCC... no checking for CC... no checking for cxx... no checking for cc++... no checking for cl.exe... no checking for FCC... no checking for KCC... no checking for RCC... no checking for xlC_r... no checking for xlC... no checking whether we are using the GNU C++ compiler... no checking whether g++ accepts -g... no checking dependency style of g++... none checking for g77... no checking for xlf... no checking for f77... no checking for frt... no checking for pgf77... no checking for cf77... no checking for fort77... no checking for fl32... no checking for af77... no checking for xlf90... no checking for f90... no checking for pgf90... no checking for pghpf... no checking for epcf90... no checking for gfortran... no checking for g95... no checking for xlf95... no checking for f95... no checking for fort... no checking for ifort... no checking for ifc... no checking for efc... no checking for pgf95... no checking for lf95... no checking for ftn... no checking whether we are using the GNU Fortran 77 compiler... no checking whether accepts -g... no checking the maximum length of command line arguments... 32768 checking command to parse /usr/bin/nm -B output from gcc object... ok checking for objdir... .libs checking for ar... ar checking for ranlib... 
ranlib checking for strip... strip checking if gcc supports -fno-rtti -fno-exceptions... no checking for gcc option to produce PIC... -fPIC checking if gcc PIC flag -fPIC works... yes checking if gcc static flag -static works... yes checking if gcc supports -c -o file.o... yes checking whether the gcc linker (/usr/bin/ld) supports shared libraries... yes checking whether -lc should be explicitly linked in... no checking dynamic linker characteristics... cat: ld.so.conf.d/*.conf: No such file or directory GNU/Linux ld.so checking how to hardcode library paths into programs... immediate checking whether stripping libraries is possible... yes checking if libtool supports shared libraries... yes checking whether to build shared libraries... yes checking whether to build static libraries... yes configure: creating libtool appending configuration tag "CXX" to libtool appending configuration tag "F77" to libtool checking for ANSI C header files... (cached) yes checking for stdint.h... (cached) yes checking for unistd.h... (cached) yes checking sys/int_types.h usability... no checking sys/int_types.h presence... no checking for sys/int_types.h... no checking for dlfcn.h... (cached) yes checking for inttypes.h... (cached) yes checking sys/inttypes.h usability... no checking sys/inttypes.h presence... no checking for sys/inttypes.h... no checking for memory.h... (cached) yes checking ndir.h usability... no checking ndir.h presence... no checking for ndir.h... no checking for stdlib.h... (cached) yes checking for strings.h... (cached) yes checking for string.h... (cached) yes checking sys/mman.h usability... yes checking sys/mman.h presence... yes checking for sys/mman.h... yes checking sys/param.h usability... yes checking sys/param.h presence... yes checking for sys/param.h... yes checking for sys/stat.h... (cached) yes checking for sys/types.h... (cached) yes checking malloc.h usability... yes checking malloc.h presence... yes checking for malloc.h... 
yes checking poll.h usability... yes checking poll.h presence... yes checking for poll.h... yes checking regex.h usability... yes checking regex.h presence... yes checking for regex.h... yes checking limits.h usability... yes checking limits.h presence... yes checking for limits.h... yes checking sys/filio.h usability... no checking sys/filio.h presence... no checking for sys/filio.h... no checking sys/uio.h usability... yes checking sys/uio.h presence... yes checking for sys/uio.h... yes checking termios.h usability... yes checking termios.h presence... yes checking for termios.h... yes checking iconv.h usability... yes checking iconv.h presence... yes checking for iconv.h... yes checking stdbool.h usability... yes checking stdbool.h presence... yes checking for stdbool.h... yes checking pwd.h usability... yes checking pwd.h presence... yes checking for pwd.h... yes checking grp.h usability... yes checking grp.h presence... yes checking for grp.h... yes checking syslog.h usability... yes checking syslog.h presence... yes checking for syslog.h... yes checking for off_t... yes checking size of short... 2 checking size of int... 4 checking size of long... 4 checking size of long long... 8 checking for bind in -lsocket... no checking for gethostent in -lnsl... yes checking for libiconv_open in -liconv... no checking for poll... yes checking for setsid... yes checking for memcpy... yes checking for snprintf... yes checking for vsnprintf... yes checking for strerror_r... yes checking for strlcpy... no checking for strlcat... no checking for inet_ntop... yes checking for setgroups... yes checking for initgroups... yes checking for ctime_r... yes checking for mkstemp... yes checking for stdlib.h... (cached) yes checking for unistd.h... (cached) yes checking for getpagesize... yes checking for working mmap... yes checking for _LARGEFILE_SOURCE value needed for large files... no checking whether snprintf correctly terminates long strings... 
yes
checking pthread.h usability... yes
checking pthread.h presence... yes
checking for pthread.h... yes
checking whether to enable maintainer-specific portions of Makefiles... no
checking for zlib installation... /usr
configure: error: Please install zlib and zlib-devel packages
make: *** No targets specified and no makefile found. Stop.
make: *** No rule to make target `install'. Stop.

From uxbod at splatnix.net Tue Jul 24 21:01:08 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 24 20:59:54 2007
Subject: Announce: Join the Facebook MailScanner group
In-Reply-To: <46A656F4.80501@maddoc.net>
Message-ID: <8492978.2521185307268129.JavaMail.root@office.splatnix.net>

I thought more of a Homer for myself ;)

----- Original Message -----
From: "Doc Schneider"
To: "MailScanner discussion"
Sent: 24 July 2007 20:45:56 o'clock (GMT) Europe/London
Subject: Re: Announce: Join the Facebook MailScanner group

Julian Field wrote:
> All you Facebook users out there, join the MailScanner group!
>
> A great place for us to share experiences (good or bad) and arrange a
> meet somewhere (pick a country!). I hope there will be some good
> conversation on the message board, I'll announce news there, and you can
> have a chat rather more informally than under the public gaze of the
> mailing list.
>
> And how about a competition for the best-looking rack of MailScanner
> hardware? :-)
> Most stupid end-user's tech support query?
>
> And if you aren't on Facebook, why not?
> www.facebook.com
>
> Jules
>

I've just joined it. But need to find a picture of me to add.
/me thinks of adding a Harrison Ford pic. HAR!

--
-Doc
Lincoln, NE.
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

From MailScanner at ecs.soton.ac.uk Tue Jul 24 21:26:57 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 24 21:27:19 2007
Subject: MailScanner and password protected archives
In-Reply-To:
References:
Message-ID: <46A66091.5030008@ecs.soton.ac.uk>

Kai Schaetzl wrote:
> There was a discussion about this in April and the problem got supposedly
> fixed with MS 4.60.1:
>
> - -- "clamavmodule" scanner no longer detects password-protected archives
> as viruses, allowing them to be easily released in MailWatch.
>
> I'm not sure if that really fixes the problem. I've seen this problem
> happen with clamav (not module) as well and it's not a Mailwatch problem.
> The password-protected archive gets detected as "Other Infection" (as
> shown by Mailwatch) and blocked. However, it does not get stored (no
> viruses get stored) and that's the reason why a release is not possible.
>

It will be caught, and logged as an "Other infection" if
Allow Password Protected Archives = no

Jules

From MailScanner at ecs.soton.ac.uk Tue Jul 24 21:30:26 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 24 21:31:33 2007
Subject: Request for comments 3
In-Reply-To: <15742686.2491185306815635.JavaMail.root@office.splatnix.net>
References: <15742686.2491185306815635.JavaMail.root@office.splatnix.net>
Message-ID: <46A66162.9010507@ecs.soton.ac.uk>

So I wouldn't actually *do* anything with the result. You just want me
to add a "use-caution" action that sets a $message->{usecaution}=1 flag
in the message properties.
Would this flag also be set on any virus-infected message?
What other circumstances would cause the flag to be set?

I do nothing with the flag, just set it for Custom Functions to use if
they want to.

UxBoD wrote:
> Sorry Jules,
>
> What I mean, for example KAM_CARD (as in KAM.cf), disguises a message as from a friend/worshipper etc, but contains a URL that *could* download a virri/trojan.
>
> Currently, this type of message gets marked as SPAM, which means a user could potentially release it from Quarantine.
>
> What would be nice is if a SA rule could trigger a "Caution Flag", which means that MailWatch/or a home brew application could check this flag and stop the user from releasing it. The user could be directed then to ask a techie to release the message once they had checked it out.
>
> This could also be used when a message contains potential IPR and it just gets flagged.
>
> Just seemed a useful idea to me, but please disregard if a daft idea ;)
>
> Cheers,
>
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
>
> ----- Original Message -----
> From: "Julian Field"
> To: "MailScanner discussion"
> Sent: 24 July 2007 20:34:20 o'clock (GMT) Europe/London
> Subject: Re: Request for comments 3
>
> I'm not quite sure what you're asking or suggesting here. What would
> cause a message to be marked as "dangerous"? And what do I do with a
> "dangerous" message?
>
> UxBoD wrote:
>
>> Jules,
>>
>> I raised a question on the MailWatch list of whether it would be possible to not display a list of messages based on the SA rule. Due to changes in V2 Steve believes it would probably be better performed in MailScanner.
>>
>> My thoughts are based around Trojan messages, where at the moment they are sometimes tagged via SA rules, but users do have the potential to release those messages and hence pose a potential security risk. This would even happen if the message is quarantined.
>>
>> Using your newly introduced code, would it be possible to introduce a new field where a message could be marked as caution. It is not a virri but should be treated with respect. I know it could be deleted via the SA rule code, but what happens if it has been tagged a false positive.
>>
>> A caution flag could then be used by MailWatch, or any other application, to stop a user releasing it and perhaps asking them to fill in a form to contact tech support to check the message whether it is okay to release.
>>
>> What has prompted this RFC is the recent eCard SPAM/Malware that has been shown to download Trojans and Virii.
>>
>> What is your take on this, and anybody else who perhaps sees the benefits ?
>>
>> Regards,
>>
>> ps. You amaze me how quick you release new functionality :D
>> --[ UxBoD ]--
>> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
>> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
>> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
>> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
>>
>> ----- Original Message -----
>> From: "Julian Field"
>> To: "MailScanner discussion"
>> Sent: 24 July 2007 18:29:35 o'clock (GMT) Europe/London
>> Subject: Re: Request for comments 3
>>
>> Julian Field wrote:
>>
>>> Steve Freegard wrote:
>>>
>>>> Julian Field wrote:
>>>>
>>>>>> e.g. store-nonspam will set $message->{isspam} = 0, store-mcp will
>>>>>> set $message->{ismcp} = 1 etc. and add the relevant paths in
>>>>>> $message->{quarantineplaces}??
>>>>>>
>>>>> It wasn't going to do that, no. Simply choosing to store the message
>>>>> in a place doesn't change its spam status, surely?
>>>>>
>>>> Ok - true enough for spam, but to replace MCP with this new feature -
>>>> setting store-mcp would need to set $message->{ismcp} otherwise
>>>> MailWatch won't be able to tell the difference between them and the
>>>> MCP stuff will get lost in the noise (and won't get counted toward
>>>> the MCP stats).
>>>>
>>> Okay, I could do that as well. It will be easy to add that.
>>>
>> Also, do you need me to do anything special if they use the store-spam
>> in the Non-Spam Actions and other combinations?
>>
>> Jules
>>
>
> Jules
>

Jules

From mkercher at nfsmith.com Tue Jul 24 21:41:28 2007
From: mkercher at nfsmith.com (Mike Kercher)
Date: Tue Jul 24 21:47:43 2007
Subject: install-Clam-0.91.1-SA-3.2.1.tar.gz configure error
In-Reply-To: <46A61369.D87E.0068.3@aafp.org>
References: <46A61369.D87E.0068.3@aafp.org>
Message-ID: <441247027D4F274EB760A5F6E1ED9C7E020DDB@houpex02.nfsmith.info>

The error is in your text below:

configure: error: Please install zlib and zlib-devel packages

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brad Beckenhauer Sent: Tuesday, July 24, 2007 2:58 PM To: mailscanner@lists.mailscanner.info Subject: install-Clam-0.91.1-SA-3.2.1.tar.gz configure error Hi, I get a "configure error" when installing install-Clam-0.91.1-SA-3.2.1.tar.gz and clam will not install. I found that if zlib-devel is installed first, then the package installs. -Brad How I discovered it. Installed Centos 5.0, no GUI, no graphical at all. Customize config, deselect all packages. Download install-Clam-0.91.1-SA-3.2.1.tar.gz and unpack. run the install.sh install-Clam-0.91.1-SA-3.2.1/ install-Clam-0.91.1-SA-3.2.1/perl-tar/ install-Clam-0.91.1-SA-3.2.1/perl-tar/Data-Dump-1.08.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/ExtUtils-ParseXS-2.18.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/version-0.7203.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/IP-Country-2.21.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Inline-0.44.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Digest-1.15.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Module-Build-0.2808.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Error-0.17008.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Sys-Hostname-Long-1.4.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Archive-Tar-1.29.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Digest-HMAC-1.01.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/DB_File-1.814.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/URI-1.35.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Mail-SPF-2.004.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Business-ISBN-1.82.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Test-Harness-2.56.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Net-CIDR-Lite-0.20.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Net-DNS-0.60.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Test-Manifest-0.95.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Mail-SpamAssassin-3.2.1.tar.gz 
install-Clam-0.91.1-SA-3.2.1/perl-tar/Digest-MD5-2.36.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/NetAddr-IP-4.004.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Net-IP-1.25.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/ExtUtils-CBuilder-0.18.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Encode-Detect-1.00.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/IO-String-1.08.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Digest-SHA1-2.10.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Mail-ClamAV-0.20.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/IO-Zlib-1.04.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Net-DNS-Resolver-Programmable-0.00 2.2.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/YAML-0.62.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Business-ISBN-Data-1.10.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/HTML-Parser-3.56.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Mail-SPF-Query-1.999.1.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/clamav-0.91.1.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Parse-RecDescent-1.94.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Test-Simple-0.70.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Text-Balanced-1.98.tar.gz install-Clam-0.91.1-SA-3.2.1/install.sh install-Clam-0.91.1-SA-3.2.1/functions.sh install-Clam-0.91.1-SA-3.2.1/CheckModuleVersion Good, you appear to only have 1 copy of Perl installed: /usr/bin/perl Found gcc. cc is really gcc. Good, I have found GNU tar in /bin/tar. This script will pause for a few seconds after each major step, so do not worry if it appears to stop for a while. If you want it to stop so you can scroll back through the output then press Ctrl-S to stop the output and Ctrl-Q to start it again. If this fails due to dependency checks, and you wish to ignore these problems, you can run ./install.sh --nodeps Installing ClamAV There are 2 recommended ways of installing ClamAV, depending on various factors. 
If you want to use MailScanners support for Clamd (virus-scanning daemon) then I recommend you cancel this script now (press Ctrl-C) and install the RPMs for clamav, clamav-db and clamd from http://dag.wieers.com/rpm/packages/clamav Then re-run this script and tell me that clamscan is installed in /usr/bin. This will set up your virus.scanners.conf file for you. Otherwise you probably want me to install ClamAV now. So answer y. Do you want me to install ClamAV for you [y or n, default is y] ? y Do not worry about warnings or errors from the next 3 commands You can start worrying about errors again now About to build the ClamAV virus scanner checking build system type... i686-pc-linux-gnu checking host system type... i686-pc-linux-gnu checking target system type... i686-pc-linux-gnu creating target.h - canonical system defines checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for gawk... gawk checking whether make sets $(MAKE)... yes checking for gawk... (cached) gawk checking for gcc... gcc checking for C compiler default output file name... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking for style of include used by make... GNU checking dependency style of gcc... gcc3 checking for a BSD-compatible install... /usr/bin/install -c checking whether ln -s works... yes checking whether make sets $(MAKE)... (cached) yes checking for a sed that does not truncate output... /bin/sed checking for grep that handles long lines and -e... /bin/grep checking for egrep... /bin/grep -E checking for ld used by gcc... /usr/bin/ld checking if the linker (/usr/bin/ld) is GNU ld... 
yes checking for /usr/bin/ld option to reload object files... -r checking for BSD-compatible nm... /usr/bin/nm -B checking how to recognise dependent libraries... pass_all checking how to run the C preprocessor... gcc -E checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking dlfcn.h usability... yes checking dlfcn.h presence... yes checking for dlfcn.h... yes checking for g++... no checking for c++... no checking for gpp... no checking for aCC... no checking for CC... no checking for cxx... no checking for cc++... no checking for cl.exe... no checking for FCC... no checking for KCC... no checking for RCC... no checking for xlC_r... no checking for xlC... no checking whether we are using the GNU C++ compiler... no checking whether g++ accepts -g... no checking dependency style of g++... none checking for g77... no checking for xlf... no checking for f77... no checking for frt... no checking for pgf77... no checking for cf77... no checking for fort77... no checking for fl32... no checking for af77... no checking for xlf90... no checking for f90... no checking for pgf90... no checking for pghpf... no checking for epcf90... no checking for gfortran... no checking for g95... no checking for xlf95... no checking for f95... no checking for fort... no checking for ifort... no checking for ifc... no checking for efc... no checking for pgf95... no checking for lf95... no checking for ftn... no checking whether we are using the GNU Fortran 77 compiler... no checking whether accepts -g... no checking the maximum length of command line arguments... 32768 checking command to parse /usr/bin/nm -B output from gcc object... ok checking for objdir... .libs checking for ar... ar checking for ranlib... 
ranlib checking for strip... strip checking if gcc supports -fno-rtti -fno-exceptions... no checking for gcc option to produce PIC... -fPIC checking if gcc PIC flag -fPIC works... yes checking if gcc static flag -static works... yes checking if gcc supports -c -o file.o... yes checking whether the gcc linker (/usr/bin/ld) supports shared libraries... yes checking whether -lc should be explicitly linked in... no checking dynamic linker characteristics... cat: ld.so.conf.d/*.conf: No such file or directory GNU/Linux ld.so checking how to hardcode library paths into programs... immediate checking whether stripping libraries is possible... yes checking if libtool supports shared libraries... yes checking whether to build shared libraries... yes checking whether to build static libraries... yes configure: creating libtool appending configuration tag "CXX" to libtool appending configuration tag "F77" to libtool checking for ANSI C header files... (cached) yes checking for stdint.h... (cached) yes checking for unistd.h... (cached) yes checking sys/int_types.h usability... no checking sys/int_types.h presence... no checking for sys/int_types.h... no checking for dlfcn.h... (cached) yes checking for inttypes.h... (cached) yes checking sys/inttypes.h usability... no checking sys/inttypes.h presence... no checking for sys/inttypes.h... no checking for memory.h... (cached) yes checking ndir.h usability... no checking ndir.h presence... no checking for ndir.h... no checking for stdlib.h... (cached) yes checking for strings.h... (cached) yes checking for string.h... (cached) yes checking sys/mman.h usability... yes checking sys/mman.h presence... yes checking for sys/mman.h... yes checking sys/param.h usability... yes checking sys/param.h presence... yes checking for sys/param.h... yes checking for sys/stat.h... (cached) yes checking for sys/types.h... (cached) yes checking malloc.h usability... yes checking malloc.h presence... yes checking for malloc.h... 
yes checking poll.h usability... yes checking poll.h presence... yes checking for poll.h... yes checking regex.h usability... yes checking regex.h presence... yes checking for regex.h... yes checking limits.h usability... yes checking limits.h presence... yes checking for limits.h... yes checking sys/filio.h usability... no checking sys/filio.h presence... no checking for sys/filio.h... no checking sys/uio.h usability... yes checking sys/uio.h presence... yes checking for sys/uio.h... yes checking termios.h usability... yes checking termios.h presence... yes checking for termios.h... yes checking iconv.h usability... yes checking iconv.h presence... yes checking for iconv.h... yes checking stdbool.h usability... yes checking stdbool.h presence... yes checking for stdbool.h... yes checking pwd.h usability... yes checking pwd.h presence... yes checking for pwd.h... yes checking grp.h usability... yes checking grp.h presence... yes checking for grp.h... yes checking syslog.h usability... yes checking syslog.h presence... yes checking for syslog.h... yes checking for off_t... yes checking size of short... 2 checking size of int... 4 checking size of long... 4 checking size of long long... 8 checking for bind in -lsocket... no checking for gethostent in -lnsl... yes checking for libiconv_open in -liconv... no checking for poll... yes checking for setsid... yes checking for memcpy... yes checking for snprintf... yes checking for vsnprintf... yes checking for strerror_r... yes checking for strlcpy... no checking for strlcat... no checking for inet_ntop... yes checking for setgroups... yes checking for initgroups... yes checking for ctime_r... yes checking for mkstemp... yes checking for stdlib.h... (cached) yes checking for unistd.h... (cached) yes checking for getpagesize... yes checking for working mmap... yes checking for _LARGEFILE_SOURCE value needed for large files... no checking whether snprintf correctly terminates long strings... 
yes
checking pthread.h usability... yes
checking pthread.h presence... yes
checking for pthread.h... yes
checking whether to enable maintainer-specific portions of Makefiles... no
checking for zlib installation... /usr
configure: error: Please install zlib and zlib-devel packages
make: *** No targets specified and no makefile found. Stop.
make: *** No rule to make target `install'. Stop.

From uxbod at splatnix.net Tue Jul 24 22:00:06 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 24 21:59:02 2007
Subject: Request for comments 3
In-Reply-To: <46A66162.9010507@ecs.soton.ac.uk>
Message-ID: <24341107.2581185310806422.JavaMail.root@office.splatnix.net>

Virii is virii so set as it.

The flag, IMHO, would ideally be triggered on user defined logic, around SA rules. ie. SA rule = /secret formula/i and action would be "tag it". HR could then review tagged messages, if a case has been brought to them that an individual was sending out confidential information.

From doc at maddoc.net Tue Jul 24 22:01:53 2007
From: doc at maddoc.net (Doc Schneider)
Date: Tue Jul 24 22:02:01 2007
Subject: Announce: Join the Facebook MailScanner group
In-Reply-To: <8492978.2521185307268129.JavaMail.root@office.splatnix.net>
References: <8492978.2521185307268129.JavaMail.root@office.splatnix.net>
Message-ID: <46A668C1.6080806@maddoc.net>

UxBoD wrote:
> I thought more of a Homer for myself ;)

Oh D'Oh! And my wife had a pic of the two of us and I uploaded it.... hmm... donuts...

> ----- Original Message -----
> From: "Doc Schneider"
> To: "MailScanner discussion"
> Sent: 24 July 2007 20:45:56 o'clock (GMT) Europe/London
> Subject: Re: Announce: Join the Facebook MailScanner group
>
> Julian Field wrote:
>> All you Facebook users out there, join the MailScanner group!
>
>> A great place for us to share experiences (good or bad) and arrange a
>> meet somewhere (pick a country!). I hope there will be some good
>> conversation on the message board, I'll announce news there, and you can
>> have a chat rather more informally than under the public gaze of the
>> mailing list.
>
>> And how about a competition for the best-looking rack of MailScanner
>> hardware? :-)
>> Most stupid end-user's tech support query?
>
>> And if you aren't on Facebook, why not?
>> www.facebook.com
>
>> Jules
>
>
> I've just joined it. But need to find a picture of me to add.
> /me thinks of adding a Harrison Ford pic. HAR!
>

--
-Doc
Lincoln, NE.
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From res at ausics.net Tue Jul 24 22:12:26 2007
From: res at ausics.net (Res)
Date: Tue Jul 24 22:12:37 2007
Subject: BarricadeMX experiences
In-Reply-To: <46A5F3D0.5070500@mail.wvnet.edu>
References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu>
Message-ID:

On Tue, 24 Jul 2007, Richard Lynch wrote:
>
> The graph only shows what made it into the servers. We're working on a way
> to include the BarricadeMX stats. Last Friday (before the switchover) the
> stats were...
>
> Ham: 142,860 Spam: 1,202,240 Infected: 137 Total: 1,345,100
>
> Yesterday it was....
>
> Ham: 160,886 Spam: 45,167 Infected: 32 Total: 206,053

Of course it's going to be less if you run something else up front..

If I ran MIMEDefang on the MTA's, I'm sure MailScanner would also see very little, if any spam or problems.

--
Cheers
Res

From MailScanner at ecs.soton.ac.uk Tue Jul 24 22:21:12 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 24 22:21:35 2007
Subject: Request for comments 3
In-Reply-To: <24341107.2581185310806422.JavaMail.root@office.splatnix.net>
References: <24341107.2581185310806422.JavaMail.root@office.splatnix.net>
Message-ID: <46A66D48.4080103@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

UxBoD wrote:
> Virii is virii so set as it.
I don't understand your English. Do you want me to tag virus-infected messages as 'use-caution'?
> The flag, IMHO, would ideally be triggered on user defined logic, around SA rules. ie. SA rule = /secret formula/i and action would be "tag it". HR could then review tagged messages, if a case has been brought to them that a individual was sending out confidential information.
>
Yes, I get that bit. You want an action called "use-caution" which would set the flag.

Are there any other circumstances (in MailScanner) that would cause the flag to be set?

> ----- Original Message -----
> From: "Julian Field" > To: "MailScanner discussion" > Sent: 24 July 2007 21:30:26 o'clock (GMT) Europe/London > Subject: Re: Request for comments 3 > > > * PGP Signed by an unmatched address: 07/24/07 at 21:30:27 > > So I wouldn't actually *do* anything with the result. You just want me > to add a "use-caution" action that sets a $message->{usecaution}=1 flag > in the message properties. > Would this flag also be set on any virus-infected message? > What other circumstances would cause the flag to be set? > > I do nothing with the flag, just set it for Custom Functions to use if > they want to. > > UxBoD wrote: > >> Sorry Jules, >> >> What I mean, for example KAM_CARD (as in KAM.cf), disguises a message as from a friend/worshipper etc, but contains a URL that *could* download a virri/trojan. >> >> Currently, this type of message gets marked as SPAM, which means a user could potentially release it from Quarantine. >> >> What would be nice is if a SA rule could trigger a "Caution Flag", which means that MailWatch/or a home brew application could check this flag and stop the user from releasing it. The user could be directed then to ask a techie to release the message once they had checked it out. >> >> This could also be used when a message contains potential IPR and it just gets flagged. >> >> Just seemed a useful idea to me, but please disregard if a daft idea ;) >> >> Cheers, >> >> --[ UxBoD ]-- >> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" >> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B >> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B >> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net >> >> ----- Original Message ----- 
>> From: "Julian Field" >> To: "MailScanner discussion" >> Sent: 24 July 2007 20:34:20 o'clock (GMT) Europe/London >> Subject: Re: Request for comments 3 >> >> >> >>> Old Signed by an unmatched address: 07/24/07 at 20:34:21 >>> >> I'm not quite sure what you're asking or suggesting here. What would >> cause a message to be marked as "dangerous"? And what do I do with a >> "dangerous" message? >> >> UxBoD wrote: >> >> >>> Jules, >>> >>> I raised a question on the MailWatch list of whether it would be possible to not display a list of messages based on the SA rule. Due to changes in V2 Steve believes it would probably be better performed in MailScanner. >>> >>> My thoughts are based around Trojan messages, where at the moment they are some times tagged via SA rules, but users do have the potential to release those messages and hence pose a potential security risk. This would even happen if the message is quarantined. >>> >>> Using your newly introduced code, would it be possible to introduce a new field where a message could be marked as caution. It is not a virri but should be treated with respect. I know it could be deleted via the SA rule code, but what happens if it has been tagged a false positive. >>> >>> A caution flag could then be used by MailWatch, or any other application, to stop a user releasing it and perhaps asking them to fill in a form to contact tech support to check the message whether it is okay to release. >>> >>> What has prompted this RFC is the recent eCard SPAM/Malware that has been shown to download Trojans and Virii. >>> >>> What is your take on this, and anybody else who perhaps sees the benefits ? >>> >>> Regards, >>> >>> ps. 
You amaze me how quick you release new functionality :D >>> --[ UxBoD ]-- >>> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" >>> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B >>> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B >>> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net >>> >>> ----- Original Message ----- 
>>> From: "Julian Field" >>> To: "MailScanner discussion" >>> Sent: 24 July 2007 18:29:35 o'clock (GMT) Europe/London >>> Subject: Re: Request for comments 3 >>> >>> >>> >>> >>>> Old Signed by an unmatched address: 07/24/07 at 18:29:36 >>>> >>>> >>> Julian Field wrote: >>> >>> >>> >>>>> Old Signed: 07/24/07 at 18:14:20 >>>>> >>>>> >>>>> >>>> Steve Freegard wrote: >>>> >>>> >>>> >>>>> Julian Field wrote: >>>>> >>>>> >>>>> >>>>>>> e.g. store-nonspam will set $message->{isspam} = 0, store-mcp will >>>>>>> set $message->{ismcp} = 1 etc. and add the relevant paths in >>>>>>> $message->{quarantineplaces)?? >>>>>>> >>>>>>> >>>>>>> >>>>>> It wasn't going to do that, no. Simply choosing to store the message >>>>>> in a place doesn't change its spam status, surely? >>>>>> >>>>>> >>>>>> >>>>> Ok - true enough for spam, but to replace MCP with this new feature - >>>>> setting store-mcp would need to set $message->{ismcp} otherwise >>>>> MailWatch won't be able to tell the difference between them and the >>>>> MCP stuff will get lost in the noise (and won't get counted toward >>>>> the MCP stats). >>>>> >>>>> >>>>> >>>> Okay, I could do that as well. It will be easy to add that. >>>> >>>> >>>> >>> Also, do you need me to do anything special if they use the store-spam >>> in the Non-Spam Actions and other combinations? >>> >>> Jules >>> >>> >>> >>> >> Jules >> >> >> > > Jules > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: UTF-8 wj8DBQFGpm1JEfZZRxQVtlQRAucJAJ9JWU5AlTGtjYAMu2mm4aw1uu7lDACeOZlO Ybplrcb3fWx+oPfVLAElpb4= =pQnb -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From uxbod at splatnix.net Tue Jul 24 22:31:53 2007 From: uxbod at splatnix.net (UxBoD) Date: Tue Jul 24 22:30:32 2007 Subject: Request for comments 3 In-Reply-To: <46A66D48.4080103@ecs.soton.ac.uk> Message-ID: <2941525.2611185312713754.JavaMail.root@office.splatnix.net> Nope. Just based on the new SA functionality, as Virri should never be released anyway, only other stuff is RBL so that would be subject to others comments. --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- 
From uxbod at splatnix.net Tue Jul 24 22:33:00 2007
From: uxbod at splatnix.net (UxBoD) Date: Tue Jul 24 22:31:38 2007 Subject: BarricadeMX experiences In-Reply-To: Message-ID: <11090454.2641185312780535.JavaMail.root@office.splatnix.net> I ran it for a couple of days on test, and it does do what it says on the tin From alvaro at hostalia.com Tue Jul 24 22:34:12 2007
From: alvaro at hostalia.com (Alvaro Marín)
Date: Tue Jul 24 22:34:18 2007
Subject: Announce: Join the Facebook MailScanner group
In-Reply-To: <46A651BF.3050805@ecs.soton.ac.uk>
References: <46A651BF.3050805@ecs.soton.ac.uk>
Message-ID: <46A67054.6050100@hostalia.com>

Hello,

> And if you aren't on Facebook, why not?
> www.facebook.com

Good question... I've just registered and joined it :-)

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From MailScanner at ecs.soton.ac.uk Tue Jul 24 22:37:40 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 24 22:39:00 2007
Subject: Request for comments 3
In-Reply-To: <46A66D48.4080103@ecs.soton.ac.uk>
References: <24341107.2581185310806422.JavaMail.root@office.splatnix.net> <46A66D48.4080103@ecs.soton.ac.uk>
Message-ID: <46A67124.5070909@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As a variation, how about I create a "custom" action which takes a parameter. This is passed to a MailScanner::CustomConfig::CustomAction() function, including the parameter given.

So you could create

    sub CustomAction {
      my($message, $parameter) = @_;
      $message->{usecaution} = 1 if $parameter eq 'caution';
    }

(It would be defined in one of the CustomFunction files in /usr/lib/MailScanner/MailScanner/CustomFunctions. I would put in a sample 'CustomAction.pm' file in there so that the function was always defined, if only to do nothing by default.)

That way you can extend the system to create whatever extra flags you want, and/or take any other actions you want with the message. And you can have as many variations as you like, all depending on what you pass in as the 'parameter'.

Would this not be better than having a specific 'use-caution' flag with a definition that I create?

Julian Field wrote:
> * PGP Signed: 07/24/07 at 22:21:13
>
> UxBoD wrote:
>> Virii is virii so set as it.
> I don't understand your English. Do you want me to tag virus-infected
> messages as 'use-caution'?
>> The flag, IMHO, would ideally be triggered on user defined logic,
>> around SA rules. ie. SA rule = /secret formula/i and action would be
>> "tag it". HR could then review tagged messages, if a case has been
>> brought to them that a individual was sending out confidential
>> information.
>>
> Yes, I get that bit. You want an action called "use-caution" which
> would set the flag.
>
> Are there any other circumstances (in MailScanner) that would cause
> the flag to be set?
>
>> ----- Original Message -----
>> From: "Julian Field" >> To: "MailScanner discussion" >> Sent: 24 July 2007 21:30:26 o'clock (GMT) Europe/London >> Subject: Re: Request for comments 3 >> >> >> > Old Signed by an unmatched address: 07/24/07 at 21:30:27 >> >> So I wouldn't actually *do* anything with the result. You just want >> me to add a "use-caution" action that sets a $message->{usecaution}=1 >> flag in the message properties. >> Would this flag also be set on any virus-infected message? >> What other circumstances would cause the flag to be set? >> >> I do nothing with the flag, just set it for Custom Functions to use >> if they want to. >> >> UxBoD wrote: >> >>> Sorry Jules, >>> >>> What I mean, for example KAM_CARD (as in KAM.cf), disguises a >>> message as from a friend/worshipper etc, but contains a URL that >>> *could* download a virri/trojan. >>> >>> Currently, this type of message gets marked as SPAM, which means a >>> user could potentially release it from Quarantine. >>> >>> What would be nice is if a SA rule could trigger a "Caution Flag", >>> which means that MailWatch/or a home brew application could check >>> this flag and stop the user from releasing it. The user could be >>> directed then to ask a techie to release the message once they had >>> checked it out. >>> >>> This could also be used when a message contains potential IPR and it >>> just gets flagged. >>> >>> Just seemed a useful idea to me, but please disregard if a daft idea ;) >>> >>> Cheers, >>> >>> --[ UxBoD ]-- >>> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" >>> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B >>> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B >>> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net >>> >>> ----- Original Message ----- 
>>> From: "Julian Field" >>> To: "MailScanner discussion" >>> Sent: 24 July 2007 20:34:20 o'clock (GMT) Europe/London >>> Subject: Re: Request for comments 3 >>> >>> >>> >>>> Old Signed by an unmatched address: 07/24/07 at 20:34:21 >>>> >>> I'm not quite sure what you're asking or suggesting here. What would >>> cause a message to be marked as "dangerous"? And what do I do with a >>> "dangerous" message? >>> >>> UxBoD wrote: >>> >>>> Jules, >>>> >>>> I raised a question on the MailWatch list of whether it would be >>>> possible to not display a list of messages based on the SA rule. >>>> Due to changes in V2 Steve believes it would probably be better >>>> performed in MailScanner. >>>> >>>> My thoughts are based around Trojan messages, where at the moment >>>> they are some times tagged via SA rules, but users do have the >>>> potential to release those messages and hence pose a potential >>>> security risk. This would even happen if the message is quarantined. >>>> >>>> Using your newly introduced code, would it be possible to introduce >>>> a new field where a message could be marked as caution. It is not >>>> a virri but should be treated with respect. I know it could be >>>> deleted via the SA rule code, but what happens if it has been >>>> tagged a false positive. >>>> >>>> A caution flag could then be used by MailWatch, or any other >>>> application, to stop a user releasing it and perhaps asking them to >>>> fill in a form to contact tech support to check the message whether >>>> it is okay to release. >>>> >>>> What has prompted this RFC is the recent eCard SPAM/Malware that >>>> has been shown to download Trojans and Virii. >>>> >>>> What is your take on this, and anybody else who perhaps sees the >>>> benefits ? >>>> >>>> Regards, >>>> >>>> ps. 
You amaze me how quick you release new functionality :D >>>> --[ UxBoD ]-- >>>> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg >>>> --import" >>>> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B >>>> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B >>>> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net >>>> >>>> ----- Original Message ----- 
>>>> From: "Julian Field" >>>> To: "MailScanner discussion" >>>> Sent: 24 July 2007 18:29:35 o'clock (GMT) Europe/London >>>> Subject: Re: Request for comments 3 >>>> >>>> >>>> >>>>> Old Signed by an unmatched address: 07/24/07 at 18:29:36 >>>>> >>>> Julian Field wrote: >>>> >>>>>> Old Signed: 07/24/07 at 18:14:20 >>>>>> >>>>> Steve Freegard wrote: >>>>> >>>>>> Julian Field wrote: >>>>>> >>>>>>>> e.g. store-nonspam will set $message->{isspam} = 0, store-mcp >>>>>>>> will set $message->{ismcp} = 1 etc. and add the relevant paths >>>>>>>> in $message->{quarantineplaces)?? >>>>>>>> >>>>>>> It wasn't going to do that, no. Simply choosing to store the >>>>>>> message in a place doesn't change its spam status, surely? >>>>>>> >>>>>> Ok - true enough for spam, but to replace MCP with this new >>>>>> feature - setting store-mcp would need to set $message->{ismcp} >>>>>> otherwise MailWatch won't be able to tell the difference between >>>>>> them and the MCP stuff will get lost in the noise (and won't get >>>>>> counted toward the MCP stats). >>>>>> >>>>> Okay, I could do that as well. It will be easy to add that. >>>>> >>>> Also, do you need me to do anything special if they use the >>>> store-spam in the Non-Spam Actions and other combinations? >>>> >>>> Jules >>>> >>>> >>> Jules >>> >>> >> >> Jules >> >> > > Jules > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: UTF-8 wj8DBQFGpnElEfZZRxQVtlQRAgxNAJwKvni93Yr7q8ClOxzjBC0A2lQrHwCfdfmI Tr2iUNb44tYa3J9b/shdk5g= =Ow1C -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
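The parameterised CustomAction proposed in the message above, worked through as an added example (not code from the thread and not MailScanner's own): the parameter is mapped to message flags, and a quarantine front end consults the flag before allowing a release. The 'ipr' parameter, the hrreview and infected field names, may_release() and the sample messages are assumptions; only CustomAction($message, $parameter) and $message->{usecaution} come from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Scalar::Util qw(reftype);

# Parameter -> message flags. Only 'caution' => usecaution comes from the
# thread; 'ipr' and the hrreview flag are assumptions for illustration.
my %ACTION_FLAGS = (
    caution => { usecaution => 1 },
    ipr     => { usecaution => 1, hrreview => 1 },
);

# Same shape as the proposed function: the message (a hash-based object)
# and the parameter given to the "custom" action.
sub CustomAction {
    my ($message, $parameter) = @_;
    return 0 unless (reftype($message) // '') eq 'HASH';

    # Normalise what came from the configuration file.
    $parameter = lc($parameter // '');
    $parameter =~ s/^\s+|\s+$//g;

    my $flags = $ACTION_FLAGS{$parameter};
    if (!$flags) {
        # A mistyped parameter must not silently leave the message
        # releasable by the user, so fall back to 'caution'.
        warn "CustomAction: unknown parameter '$parameter', using 'caution'\n";
        $flags = $ACTION_FLAGS{caution};
    }
    $message->{$_} = $flags->{$_} for keys %$flags;
    return 1;
}

# Hypothetical release check for a quarantine front end. It assumes the
# flags were stored with the quarantine record; 'infected' is an assumed
# field name for virus-infected mail.
sub may_release {
    my ($message, $is_admin) = @_;
    return 0 if $message->{infected};                    # never released
    return ($is_admin ? 1 : 0) if $message->{usecaution}; # support staff only
    return 1;                                            # ordinary spam
}

# Constructed sample messages (ids and field values are made up).
my @samples = (
    { id => 'msg-1', isspam => 1, action => 'caution'  },  # eCard-style lure
    { id => 'msg-2', isspam => 1, action => undef      },  # ordinary spam
    { id => 'msg-3', isspam => 0, action => ' Caution' },  # sloppy config value
    { id => 'msg-4', isspam => 1, action => 'cuation'  },  # typo in config
    { id => 'msg-5', isspam => 0, infected => 1        },  # virus-infected
);

for my $m (@samples) {
    my $action = delete $m->{action};
    CustomAction($m, $action) if defined $action;
    printf "%-6s usecaution=%d user_release=%-3s admin_release=%s\n",
        $m->{id},
        $m->{usecaution} ? 1 : 0,
        may_release($m, 0) ? 'yes' : 'no',
        may_release($m, 1) ? 'yes' : 'no';
}
```

Unknown parameters fall back to 'caution' rather than doing nothing, so a configuration typo leaves a message harder to release, not easier.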
From steve.swaney at fsl.com Tue Jul 24 22:49:40 2007 From: steve.swaney at fsl.com (Stephen Swaney) Date: Tue Jul 24 22:49:39 2007 Subject: BarricadeMX experiences In-Reply-To: References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> Message-ID: <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res
> Sent: Tuesday, July 24, 2007 5:12 PM
> To: MailScanner discussion
> Subject: Re: BarricadeMX experiences
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> NotDashEscaped: You need GnuPG to verify this message
>
> On Tue, 24 Jul 2007, Richard Lynch wrote:
>
> > The graph only shows what made it into the servers. We're working on a way
> > to include the BarricateMX stats. Last Friday (before the switchover) the
> > stats were...
> >
> > Ham: 142,860 Spam: 1,202,240 Infected: 137 Total: 1,345,100
> >
> > Yesterday it was....
> >
> > Ham: 160,886 Spam: 45,167 Infected: 32 Total: 206,053
>
> Of course its going to be less if you run somthing else up front.. If I
> ran MIMEDefang on the MTA's, I'm sure MailScanner would also see very
> little, if any spam or problems.
>
> --
> Cheers
> Res

I've been watching this thread quietly but with much interest all day and would like to make a quick couple of points.

I'm not knocking any solution that works, people like, and know how to use. We all know that it takes a variety of tools to effectively stop the spammers and generally the more tools you use, the less spam you get.

BarricadeMX is another tool. It's a very small (4MB on load), fast, light-weight, multi-threaded C program (not Perl) that can easily handle over 1,000 simultaneous sending MTA connections - even on relatively small servers. It works in front of any MTA and on several Operating Systems with more to come.

BarricadeMX does not duplicate SpamAssassin tests but depends primarily on the behavior of the sending server. It is dead easy to install (rpms on Linux), update (from FSL yum repositories on Linux) and configure with the web interface. Most sites can be up and running quickly, blocking +90% of spam before it's even accepted.
In a nutshell, you don't have to be a guru to run it effectively.

But while it's also good at stopping the little hard to catch spam that SpamAssassin still misses, it's probably not for every MailScanner site. It's really designed for high volume sites that process a LOT of mail or sites that are overloaded and don't want to buy additional servers.

Thanks for listening and feel free to direct queries or flames direct to me :)

Best regards,

Steve

Steve Swaney
steve@fsl.com
www.fsl.com

From res at ausics.net Tue Jul 24 22:56:51 2007
From: res at ausics.net (Res)
Date: Tue Jul 24 22:56:58 2007
Subject: BarricadeMX experiences
In-Reply-To: <11090454.2641185312780535.JavaMail.root@office.splatnix.net>
References: <11090454.2641185312780535.JavaMail.root@office.splatnix.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

On Tue, 24 Jul 2007, UxBoD wrote:

> I ran it for a couple of days on test, and it does do what it says on the tin
> It is a very clever logic engine.

Yes but again, are you running this test on the same million or so emails on the same hardware once without it and once with it.. Like I said, if I ran MIMEDefang before MS I know I also would see very little hit MS, it stands to reason that if you run something at MTA level anything after that is going to see less, or you'd sure as hell hope so.

The reason I left MIMEDefang (on sendmail) and qmailscanner is because of the holding of the SMTP session whilst doing all the tests, a few thousand concurrent on one box does make things a bit slow no matter how good your hardware is :)

> ----- Original Message -----
> From: "Res" > To: "MailScanner discussion" > Sent: 24 July 2007 22:12:26 o'clock (GMT) Europe/London > Subject: Re: BarricadeMX experiences > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > NotDashEscaped: You need GnuPG to verify this message > > > On Tue, 24 Jul 2007, Richard Lynch wrote: > >> >> The graph only shows what made it into the servers. We're working on a way >> to include the BarricateMX stats. Last Friday (before the switchover) the >> stats were... >> >> Ham: 142,860 Spam: 1,202,240 Infected: 137 Total: 1,345,100 >> >> Yesterday it was.... >> >> Ham: 160,886 Spam: 45,167 Infected: 32 Total: 206,053 > > > Of course its going to be less if you run somthing else up front.. If I > ran MIMEDefang on the MTA's, I'm sure MailScanner would also see very > little, if any spam or problems. > > > > -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGpnWjsWhAmSIQh7MRAqcQAKCm0DPqUWvjVzWS6d/GP+ZhHTvwGACgn44Z Xil0oZexr+xPauAqQKRIkzc= =CTJS -----END PGP SIGNATURE----- From res at ausics.net Tue Jul 24 23:05:27 2007 
From: res at ausics.net (Res)
Date: Tue Jul 24 23:05:39 2007
Subject: BarricadeMX experiences
In-Reply-To: <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com>
References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com>
Message-ID:

On Tue, 24 Jul 2007, Stephen Swaney wrote:

> Thanks for listening and feel free to direct queries or flames direct to me

See my comment in previous, have you done two separate tests and what are the results?

I'd also hope it can do more than 1K concurrent. It's 8am here, a very quiet time, and currently

mx-in-2:~# ps ax | grep -c sendmail
604

This figure can easily triple at times.

--
Cheers
Res

From rich at mail.wvnet.edu Tue Jul 24 23:13:16 2007
From: rich at mail.wvnet.edu (Richard Lynch)
Date: Tue Jul 24 23:13:20 2007
Subject: BarricadeMX experiences
In-Reply-To:
References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu>
Message-ID: <46A6797C.9090905@mail.wvnet.edu>

Res wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> NotDashEscaped: You need GnuPG to verify this message
>
> On Tue, 24 Jul 2007, Richard Lynch wrote:
>
>> The graph only shows what made it into the servers. We're working on
>> a way to include the BarricateMX stats. Last Friday (before the
>> switchover) the stats were...
>>
>> Ham: 142,860 Spam: 1,202,240 Infected: 137 Total: 1,345,100
>>
>> Yesterday it was....
>>
>> Ham: 160,886 Spam: 45,167 Infected: 32 Total: 206,053
>
> Of course its going to be less if you run somthing else up front.. If
> I ran MIMEDefang on the MTA's, I'm sure MailScanner would also see
> very little, if any spam or problems.

Yes, of course. However, MIMEDefang is a sendmail milter. It consists of some "C" code glue, and a lot of perl code to do the work. It is a content analysis framework that accepts the whole message, analyzes it with perl, and makes decisions. That's not the same thing. As I said before BMX operates mostly on the behavior rather than the content.

I'd be really surprised if the MIMEDefang approach produced the same level of performance with deadly accurate results. If it can I'd like to see it. You could do that and post your findings to the list. I could be wrong after all.

Richard Lynch
WVNET

From ms-list at alexb.ch Tue Jul 24 23:13:12 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Jul 24 23:13:23 2007
Subject: BarricadeMX experiences
In-Reply-To:
References: <11090454.2641185312780535.JavaMail.root@office.splatnix.net>
Message-ID: <46A67978.6000702@alexb.ch>

On 7/24/2007 11:56 PM, Res wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> NotDashEscaped: You need GnuPG to verify this message
>
> On Tue, 24 Jul 2007, UxBoD wrote:
>
>> I ran it for a couple of days on test, and it does do what it says on
>> the tin
>
>> It is a very clever logic engine.
>
> Yes but again, are you running this test on the same million or so emails
> on the same hardware once without it and once with it.. Like I said, if
> I ran MIMEDefang before MS I know I also would see very little hit MS,
> it stands to reason that if you run something at MTA level anything after
> that is going to see less, or you'd sure as hell hope so.
>
> The reason I left MIMEDefang (on sendmail) and qmailscanner is because
> of the holding of the SMTP session whilst doing all the tests, a few
> thousand concurrent on one box does make things a bit slow no matter how
> good your hardware is :)

Have you tried it?
From rich at mail.wvnet.edu Tue Jul 24 23:31:11 2007
From: rich at mail.wvnet.edu (Richard Lynch) Date: Tue Jul 24 23:31:15 2007 Subject: BarricadeMX experiences In-Reply-To: References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> Message-ID: <46A67DAF.60301@mail.wvnet.edu> Res wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > NotDashEscaped: You need GnuPG to verify this message > > On Tue, 24 Jul 2007, Stephen Swaney wrote: > >> Thanks for listening and feel free to direct queries or flames direct >> to me > > See my comment in previous, have you done two separate tests and what > are the results? > > I'd also hope it can do more than 1K concurrent, It's 8am here, a very > quiet > time and currently mx-in-2:~# ps ax | grep -c sendmail > 604 > > This figure can easily triple at times. > > I gave before and after statistics. It was the same hardware and with our volume the input is pretty much the same each day. The results speak for themselves. What were overloaded servers with huge delays now run fine. The fact that MailScanner gets fewer messages isn't really the point other than it improves performance. Steve is correct, it's not for everybody. If your message load is small you probably don't need it. There really isn't much else to say about it. For us the results were dramatic! Richard Lynch WVNET -- -------------- next part -------------- A non-text attachment was scrubbed... Name: rich.vcf Type: text/x-vcard Size: 299 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070724/7d07cdf9/rich-0001.vcf From res at ausics.net Tue Jul 24 23:35:34 2007 
From: res at ausics.net (Res)
Date: Tue Jul 24 23:35:42 2007
Subject: BarricadeMX experiences
In-Reply-To: <46A67978.6000702@alexb.ch>
References: <11090454.2641185312780535.JavaMail.root@office.splatnix.net> <46A67978.6000702@alexb.ch>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NotDashEscaped: You need GnuPG to verify this message

On Wed, 25 Jul 2007, Alex Broens wrote:

> On 7/24/2007 11:56 PM, Res wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> NotDashEscaped: You need GnuPG to verify this message
>>
>> On Tue, 24 Jul 2007, UxBoD wrote:
>>
>>> I ran it for a couple of days on test, and it does do what it says on the
>>> tin
>>
>>> It is a very clever logic engine.
>>
>> Yes but again, are you running this test on the same million or so emails
>> on the same hardware once without it and once with it.. Like I said, if I
>> ran MIMEDefang before MS I know I also would see very little hit MS, it
>> stands to reason that if you run something at MTA level anything after that
>> is going to see less, or you'd sure as hell hope so.
>>
>> The reason I left MIMEDefang (on sendmail) and qmailscanner is because of
>> the holding of the SMTP session whilst doing all the tests, a few thousand
>> concurrent on one box does make things a bit slow no matter how good your
>> hardware is :)
>
> Have you tried it?

since they claim only about 1018 concurrent connections, not likely to..

--
Cheers
Res
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGpn62sWhAmSIQh7MRAvusAJ9I4KzFKeX219ZyZ+F1eGcH1BDQCQCfXx+B
eZvxyUu3FtAIvtOspKCafr8=
=+Ocz
-----END PGP SIGNATURE-----
From mogens at fumlersoft.dk Tue Jul 24 23:48:11 2007
From: mogens at fumlersoft.dk (Mogens Melander) Date: Tue Jul 24 23:46:50 2007 Subject: Fake MX records In-Reply-To: <223f97700707240605h1e74cae5we459c4e0fdddc4fe@mail.gmail.com> References: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com> <1533.90.184.16.67.1185239462.squirrel@mail.fumlersoft.dk> <223f97700707240113s3f845e3dsd5b6cbdba049d1e6@mail.gmail.com> <4834.90.184.16.67.1185271396.squirrel@mail.fumlersoft.dk> <223f97700707240605h1e74cae5we459c4e0fdddc4fe@mail.gmail.com> Message-ID: <2996.90.184.16.67.1185317291.squirrel@mail.fumlersoft.dk> On Tue, July 24, 2007 15:05, Glenn Steen wrote: > On 24/07/07, Mogens Melander wrote: >> >> On Tue, July 24, 2007 10:13, Glenn Steen wrote: >> > On 24/07/07, Mogens Melander wrote: >> >> >> >> On Mon, July 23, 2007 20:12, Hugo van der Kooij wrote: >> >> > On Mon, 23 Jul 2007, Martin.Hepworth wrote: >> >> > >> >> >> http://wiki.apache.org/spamassassin/OtherTricks (Fake MX Record) >> >> >> >> >> >> on the SA-users list. >> >> >> >> >> >> Looks very useful, anyone here using this technique? >> >> > >> >> > I use it partially. MX 10 is me. MX 100 is for backups. MX 1000 is me >> >> > again as spammers favored the highest MX (lowest priority) to bypass >> >> > (RBL) filters. Now they seem to take them at random and ignore the >> >> > priorities. >> >> > >> >> >> >> I was thinking about a "thingy" that would query senders MX if >> >> sender was valid (accept mail to sender) but i don't like to >> >> waste too much bandwidth on an already crowded internet, so i'm >> >> still thinking. This "Fake MX" would of course break this idea, >> >> unless i'd make it retry until all MX's been "tasted", adding >> >> more traffic to the pool. But this could be done at MTA level, >> >> and thus, not be too expensive. >> >> >> >> As i'm not a perl/C hacker, i'll limit my tests to PHP, but >> >> if/when implemented, i'd be happy to share my results. >> >> >> > Um.... Do you mean something like Sender Address Verification? 
As done >> > in milter-sender, smf-sav, postfix "natively" >> > (http://www.postfix.org/ADDRESS_VERIFICATION_README.html) .... > > favourite MTA function for this:-)> >> >> Well, i didn't think i invented "the wheel", but i would like to develop >> my own platform to play with. > > Ok. > >> > I don't think you need waste time writing another. Or would yours do >> > something extreme and different? >> >> Having had a sneak view into my /etc/mail/access you might guess >> that i had something extreme in mind, like counting hits from >> purely virtual senders, and adding them to either access file, >> or directly in iptables. My sendmail is MySQL aware, so i can >> store those "bad guys" directly in either. >> > There is the IPBlock thing and Vispan that do some of those things, > but not necessarily in that context. Could be worth your while to look > at though (IIRC the IPBlock thing is in the CustomFunctions). I do run Vispan on production server, and it managed to blacklist blacknight.ie a few times, but otherwise, it's a pretty cool app. I'll check out IPBlock thingy, and see if it fits my rather special taste. -- Later Mogens Melander +45 40 85 71 38 +66 870 133 224 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From steve.swaney at fsl.com Tue Jul 24 23:50:27 2007 From: steve.swaney at fsl.com (Stephen Swaney) Date: Tue Jul 24 23:50:17 2007 Subject: BarricadeMX experiences In-Reply-To: References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> Message-ID: <243e01c7ce45$07b3aef0$171b0cd0$@swaney@fsl.com> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res
> Sent: Tuesday, July 24, 2007 6:05 PM
> To: MailScanner discussion
> Subject: RE: BarricadeMX experiences
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> NotDashEscaped: You need GnuPG to verify this message
>
> On Tue, 24 Jul 2007, Stephen Swaney wrote:
>
> > Thanks for listening and feel free to direct queries or flames direct
> > to me
>
> See my comment in previous, have you done two separate tests and what
> are the results?
>
> I'd also hope it can do more than 1K concurrent, It's 8am here, a very
> quiet time and currently
> mx-in-2:~# ps ax | grep -c sendmail
> 604
>
> This figure can easily triple at times.
>

We've seen over +2000 simultaneous connections on a dual CPU system with 2GB of RAM. The application seems to be limited only by the number of file descriptors allocated to the process (which can be changed in the web interface). I just saw a case where the load on one system with +1300 simultaneous connections was less than 0.2. This system was a single CPU / Dual core with 2 GB of RAM.

In fact we have yet to hit a limit. When we have hit the max number of connections allowed by the file descriptors, the application has not failed - just refused new connections. We have then raised the number of file descriptors available and all was again well.

It should be mentioned that each connection requires only 2KB of memory and 2 file descriptors. Did I say this was pretty tightly coded :)

Note that you cannot "replay" spam to test the system since the blocking depends on the quality of spammer's connection. The only way we can test is on live systems / spam traps. No system that we have yet installed has ever hit the capacity of BarricadeMX. As a result we don't know how much mail any given system configuration can handle.
We can only say that a system with w CPUS of x type / speed, and y RAM is handling a certain number of messages per day with an average load of z. Best regards, Steve steve@fsl.com www.fsl.com > > -- > Cheers > Res > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (GNU/Linux) > > iD8DBQFGpnensWhAmSIQh7MRAqZ2AJ9/c/zA3BcFwPucZIOxaQ5tTUjP0ACfYdIR > 8RyAvoQJh1nBtNn7whQKtlU= > =zk7w > -----END PGP SIGNATURE----- > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Wed Jul 25 00:50:14 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Jul 25 00:50:34 2007 Subject: Request for comments 3 In-Reply-To: <46A66D48.4080103@ecs.soton.ac.uk> References: <24341107.2581185310806422.JavaMail.root@office.splatnix.net> <46A66D48.4080103@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 7/24/2007 2:21 PM: > > > UxBoD wrote: >> Virii is virii so set as it. > I don't understand your English. Do you want me to tag virus-infected > messages as 'use-caution'? It looks as though he would like to be able to virus tag something also based on sa rule names. Maybe an option IsVirus or ???, so it will be treated by mailwatch as a virus and be un-releasable. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Wed Jul 25 01:02:27 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Jul 25 01:02:42 2007 Subject: anyone use the "malware block list"? In-Reply-To: <46A542CF.9070005@fractalweb.com> References: <46A530FA.9010407@fractalweb.com> <46A542CF.9070005@fractalweb.com> Message-ID: Chris Yuzik spake the following on 7/23/2007 5:07 PM: > Scott Silva wrote: >> Are you dropping at MTA, at mailscanner, or scoring with spamassassin? >> I usually just score the more aggressive lists and let the numbers add >> up if >> it merits. > > Scott, > > We were using MBL definitions in ClamAv. > > Perhaps I'll consider using in SpamAssassin instead. Do you use the > default scoring for their rules, or do you customize? > > Chris > > I rarely customize scores except to turn off rules that adversely affect me. But I do add rules and use outside rules extensively. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From bbecken at aafp.org Wed Jul 25 01:57:33 2007 From: bbecken at aafp.org (Brad Beckenhauer) Date: Wed Jul 25 01:58:03 2007 Subject: install-Clam-0.91.1-SA-3.2.1.tar.gz configure error Message-ID: <46A659AD02000068000D5717@MTA.AAFP.ORG> Exactly, I think you missed that I made note of just that in the original message. Julian is very good at identifying package dependancies, so I included the install log so Julian can review it and decide if he wants to include zlib/zlib-devel in his handy Clam-SA installer. thanks Brad >>> "Mike Kercher" 07/24/07 3:41 PM >>> The error is in your text below: configure: error: Please install zlib and zlib-devel packages Mike -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Brad Beckenhauer Sent: Tuesday, July 24, 2007 2:58 PM To: mailscanner@lists.mailscanner.info Subject: install-Clam-0.91.1-SA-3.2.1.tar.gz configure error Hi, I get a "configure error" when installing install-Clam-0.91.1-SA-3.2.1.tar.gz and clam will not install. I found that if zlib-devel is installed first, then the package installs. -Brad How I discovered it. Installed Centos 5.0, no GUI, no graphical at all. Customize config, deselect all packages. Download install-Clam-0.91.1-SA-3.2.1.tar.gz and unpack. run the install.sh install-Clam-0.91.1-SA-3.2.1/ install-Clam-0.91.1-SA-3.2.1/perl-tar/ install-Clam-0.91.1-SA-3.2.1/perl-tar/Data-Dump-1.08.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/ExtUtils-ParseXS-2.18.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/version-0.7203.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/IP-Country-2.21.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Inline-0.44.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Digest-1.15.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Module-Build-0.2808.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Error-0.17008.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Sys-Hostname-Long-1.4.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Archive-Tar-1.29.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Digest-HMAC-1.01.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/DB_File-1.814.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/URI-1.35.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Mail-SPF-2.004.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Business-ISBN-1.82.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Test-Harness-2.56.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Net-CIDR-Lite-0.20.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Net-DNS-0.60.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Test-Manifest-0.95.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Mail-SpamAssassin-3.2.1.tar.gz 
install-Clam-0.91.1-SA-3.2.1/perl-tar/Digest-MD5-2.36.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/NetAddr-IP-4.004.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Net-IP-1.25.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/ExtUtils-CBuilder-0.18.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Encode-Detect-1.00.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/IO-String-1.08.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Digest-SHA1-2.10.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Mail-ClamAV-0.20.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/IO-Zlib-1.04.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Net-DNS-Resolver-Programmable-0.00 2.2.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/YAML-0.62.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Business-ISBN-Data-1.10.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/HTML-Parser-3.56.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Mail-SPF-Query-1.999.1.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/clamav-0.91.1.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Parse-RecDescent-1.94.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Test-Simple-0.70.tar.gz install-Clam-0.91.1-SA-3.2.1/perl-tar/Text-Balanced-1.98.tar.gz install-Clam-0.91.1-SA-3.2.1/install.sh install-Clam-0.91.1-SA-3.2.1/functions.sh install-Clam-0.91.1-SA-3.2.1/CheckModuleVersion Good, you appear to only have 1 copy of Perl installed: /usr/bin/perl Found gcc. cc is really gcc. Good, I have found GNU tar in /bin/tar. This script will pause for a few seconds after each major step, so do not worry if it appears to stop for a while. If you want it to stop so you can scroll back through the output then press Ctrl-S to stop the output and Ctrl-Q to start it again. If this fails due to dependency checks, and you wish to ignore these problems, you can run ./install.sh --nodeps Installing ClamAV There are 2 recommended ways of installing ClamAV, depending on various factors. 
If you want to use MailScanners support for Clamd (virus-scanning daemon) then I recommend you cancel this script now (press Ctrl-C) and install the RPMs for clamav, clamav-db and clamd from http://dag.wieers.com/rpm/packages/clamav Then re-run this script and tell me that clamscan is installed in /usr/bin. This will set up your virus.scanners.conf file for you. Otherwise you probably want me to install ClamAV now. So answer y. Do you want me to install ClamAV for you [y or n, default is y] ? y Do not worry about warnings or errors from the next 3 commands You can start worrying about errors again now About to build the ClamAV virus scanner checking build system type... i686-pc-linux-gnu checking host system type... i686-pc-linux-gnu checking target system type... i686-pc-linux-gnu creating target.h - canonical system defines checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for gawk... gawk checking whether make sets $(MAKE)... yes checking for gawk... (cached) gawk checking for gcc... gcc checking for C compiler default output file name... a.out checking whether the C compiler works... yes checking whether we are cross compiling... no checking for suffix of executables... checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking for style of include used by make... GNU checking dependency style of gcc... gcc3 checking for a BSD-compatible install... /usr/bin/install -c checking whether ln -s works... yes checking whether make sets $(MAKE)... (cached) yes checking for a sed that does not truncate output... /bin/sed checking for grep that handles long lines and -e... /bin/grep checking for egrep... /bin/grep -E checking for ld used by gcc... /usr/bin/ld checking if the linker (/usr/bin/ld) is GNU ld... 
yes checking for /usr/bin/ld option to reload object files... -r checking for BSD-compatible nm... /usr/bin/nm -B checking how to recognise dependent libraries... pass_all checking how to run the C preprocessor... gcc -E checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for unistd.h... yes checking dlfcn.h usability... yes checking dlfcn.h presence... yes checking for dlfcn.h... yes checking for g++... no checking for c++... no checking for gpp... no checking for aCC... no checking for CC... no checking for cxx... no checking for cc++... no checking for cl.exe... no checking for FCC... no checking for KCC... no checking for RCC... no checking for xlC_r... no checking for xlC... no checking whether we are using the GNU C++ compiler... no checking whether g++ accepts -g... no checking dependency style of g++... none checking for g77... no checking for xlf... no checking for f77... no checking for frt... no checking for pgf77... no checking for cf77... no checking for fort77... no checking for fl32... no checking for af77... no checking for xlf90... no checking for f90... no checking for pgf90... no checking for pghpf... no checking for epcf90... no checking for gfortran... no checking for g95... no checking for xlf95... no checking for f95... no checking for fort... no checking for ifort... no checking for ifc... no checking for efc... no checking for pgf95... no checking for lf95... no checking for ftn... no checking whether we are using the GNU Fortran 77 compiler... no checking whether accepts -g... no checking the maximum length of command line arguments... 32768 checking command to parse /usr/bin/nm -B output from gcc object... ok checking for objdir... .libs checking for ar... ar checking for ranlib... 
ranlib checking for strip... strip checking if gcc supports -fno-rtti -fno-exceptions... no checking for gcc option to produce PIC... -fPIC checking if gcc PIC flag -fPIC works... yes checking if gcc static flag -static works... yes checking if gcc supports -c -o file.o... yes checking whether the gcc linker (/usr/bin/ld) supports shared libraries... yes checking whether -lc should be explicitly linked in... no checking dynamic linker characteristics... cat: ld.so.conf.d/*.conf: No such file or directory GNU/Linux ld.so checking how to hardcode library paths into programs... immediate checking whether stripping libraries is possible... yes checking if libtool supports shared libraries... yes checking whether to build shared libraries... yes checking whether to build static libraries... yes configure: creating libtool appending configuration tag "CXX" to libtool appending configuration tag "F77" to libtool checking for ANSI C header files... (cached) yes checking for stdint.h... (cached) yes checking for unistd.h... (cached) yes checking sys/int_types.h usability... no checking sys/int_types.h presence... no checking for sys/int_types.h... no checking for dlfcn.h... (cached) yes checking for inttypes.h... (cached) yes checking sys/inttypes.h usability... no checking sys/inttypes.h presence... no checking for sys/inttypes.h... no checking for memory.h... (cached) yes checking ndir.h usability... no checking ndir.h presence... no checking for ndir.h... no checking for stdlib.h... (cached) yes checking for strings.h... (cached) yes checking for string.h... (cached) yes checking sys/mman.h usability... yes checking sys/mman.h presence... yes checking for sys/mman.h... yes checking sys/param.h usability... yes checking sys/param.h presence... yes checking for sys/param.h... yes checking for sys/stat.h... (cached) yes checking for sys/types.h... (cached) yes checking malloc.h usability... yes checking malloc.h presence... yes checking for malloc.h... 
yes checking poll.h usability... yes checking poll.h presence... yes checking for poll.h... yes checking regex.h usability... yes checking regex.h presence... yes checking for regex.h... yes checking limits.h usability... yes checking limits.h presence... yes checking for limits.h... yes checking sys/filio.h usability... no checking sys/filio.h presence... no checking for sys/filio.h... no checking sys/uio.h usability... yes checking sys/uio.h presence... yes checking for sys/uio.h... yes checking termios.h usability... yes checking termios.h presence... yes checking for termios.h... yes checking iconv.h usability... yes checking iconv.h presence... yes checking for iconv.h... yes checking stdbool.h usability... yes checking stdbool.h presence... yes checking for stdbool.h... yes checking pwd.h usability... yes checking pwd.h presence... yes checking for pwd.h... yes checking grp.h usability... yes checking grp.h presence... yes checking for grp.h... yes checking syslog.h usability... yes checking syslog.h presence... yes checking for syslog.h... yes checking for off_t... yes checking size of short... 2 checking size of int... 4 checking size of long... 4 checking size of long long... 8 checking for bind in -lsocket... no checking for gethostent in -lnsl... yes checking for libiconv_open in -liconv... no checking for poll... yes checking for setsid... yes checking for memcpy... yes checking for snprintf... yes checking for vsnprintf... yes checking for strerror_r... yes checking for strlcpy... no checking for strlcat... no checking for inet_ntop... yes checking for setgroups... yes checking for initgroups... yes checking for ctime_r... yes checking for mkstemp... yes checking for stdlib.h... (cached) yes checking for unistd.h... (cached) yes checking for getpagesize... yes checking for working mmap... yes checking for _LARGEFILE_SOURCE value needed for large files... no checking whether snprintf correctly terminates long strings... 
yes checking pthread.h usability... yes checking pthread.h presence... yes checking for pthread.h... yes checking whether to enable maintainer-specific portions of Makefiles... no checking for zlib installation... /usr configure: error: Please install zlib and zlib-devel packages make: *** No targets specified and no makefile found. Stop. make: *** No rule to make target `install'. Stop. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From am.lists at gmail.com Wed Jul 25 04:39:25 2007 
From: am.lists at gmail.com (am.lists)
Date: Wed Jul 25 04:39:29 2007
Subject: Fake MX records
In-Reply-To: <2996.90.184.16.67.1185317291.squirrel@mail.fumlersoft.dk>
References: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com> <1533.90.184.16.67.1185239462.squirrel@mail.fumlersoft.dk> <223f97700707240113s3f845e3dsd5b6cbdba049d1e6@mail.gmail.com> <4834.90.184.16.67.1185271396.squirrel@mail.fumlersoft.dk> <223f97700707240605h1e74cae5we459c4e0fdddc4fe@mail.gmail.com> <2996.90.184.16.67.1185317291.squirrel@mail.fumlersoft.dk>
Message-ID: <25a66d840707242039o192d8d26wd8c189f6c488f6ba@mail.gmail.com>

I've read that article, and what it suggests has valid thinking behind it. The thing is now that the spammers/crappers/etc know this defense tactic they now have a one-up maneuver to outsmart that. In fact, one tactic I've seen lately is the attempt to deliver mail directly to a guessed A record in the domain.

Anecdotal Sample:

domain: hogswaggle.net

published mx:
mx.hogswaggle.net, distance = 5
fake.hogswaggle.net, distance = 10

setup: mx is a mailscanner box that forwards good mail to mail.hogswaggle.net. "mail" is not configured to accept mail from anyone but: the "mx" server, and anyone who is successfully smtp-auth'ed.

reality: we see incoming spam connections coming in on mail.hogswaggle.net although this is neither posted publicly, nor has it ever been posted in any mx record.

That leads me to believe that spammers are taking "bobsmith@hogswaggle.net" and targeting username @ and then prepending "mail." target domain and attempting the connection there.

Not sure if anyone else has seen this or not, but I definitely have on more than one of my domains.

-Angelo
From Jeff.Mills at versacold.com.au Wed Jul 25 05:05:59 2007
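An added example, not part of the original message or of MailScanner: one way to confirm from the backend's own logs the direct connections described above, by listing clients that reached the internal "mail" host without going through the gateway and without SMTP AUTH. It assumes the backend runs Postfix and logs in the stock smtpd format; the log lines and every address (192.0.2.10 for the gateway "mx") are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Assumption: address(es) of the MailScanner gateway ("mx") allowed to relay inward.
GATEWAYS = [ipaddress.ip_network("192.0.2.10/32")]

CONNECT = re.compile(r"postfix/smtpd\[(\d+)\]: connect from [^\[]*\[([^\]]+)\]")
DISCONNECT = re.compile(r"postfix/smtpd\[(\d+)\]: disconnect from ")
# Postfix appends sasl_* fields to the "client=" line once AUTH has succeeded.
SASL = re.compile(r"postfix/smtpd\[(\d+)\]: [0-9A-Za-z]+: client=.*sasl_username=\S+")

# Constructed sample log from the backend host, for illustration only.
SAMPLE_LOG = """\
Jul 25 04:10:01 mail postfix/smtpd[2101]: connect from mx.hogswaggle.net[192.0.2.10]
Jul 25 04:10:01 mail postfix/smtpd[2101]: 4F1A2C0D: client=mx.hogswaggle.net[192.0.2.10]
Jul 25 04:10:02 mail postfix/smtpd[2101]: disconnect from mx.hogswaggle.net[192.0.2.10]
Jul 25 04:11:15 mail postfix/smtpd[2107]: connect from unknown[203.0.113.45]
Jul 25 04:11:16 mail postfix/smtpd[2107]: disconnect from unknown[203.0.113.45]
Jul 25 04:12:30 mail postfix/smtpd[2110]: connect from host.example.org[198.51.100.23]
Jul 25 04:12:31 mail postfix/smtpd[2110]: 7B33D9E1: client=host.example.org[198.51.100.23], sasl_method=PLAIN, sasl_username=bobsmith
Jul 25 04:12:32 mail postfix/smtpd[2110]: disconnect from host.example.org[198.51.100.23]
Jul 25 04:13:40 mail postfix/smtpd[2107]: connect from unknown[203.0.113.45]
Jul 25 04:13:41 mail postfix/smtpd[2107]: disconnect from unknown[203.0.113.45]
Jul 25 04:14:05 mail postfix/smtpd[2115]: connect from unknown[203.0.113.99]
"""


def is_gateway(ip):
    """True if ip belongs to one of the configured gateway networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # Postfix logs "unknown" when it has no usable address
        return False
    return any(addr in net for net in GATEWAYS)


def direct_unauthenticated(lines):
    """Count, per client IP, sessions that bypassed the gateway and never authenticated."""
    open_sessions = {}  # smtpd pid -> [client ip, authenticated?]
    hits = Counter()

    def close(pid):
        ip, authed = open_sessions.pop(pid)
        if not authed and not is_gateway(ip):
            hits[ip] += 1

    for line in lines:
        m = CONNECT.search(line)
        if m:
            pid, ip = m.groups()
            if pid in open_sessions:  # disconnect line was lost: settle the old session
                close(pid)
            open_sessions[pid] = [ip, False]
            continue
        m = SASL.search(line)
        if m and m.group(1) in open_sessions:
            open_sessions[m.group(1)][1] = True
            continue
        m = DISCONNECT.search(line)
        if m and m.group(1) in open_sessions:
            close(m.group(1))

    # Sessions still open when the log ends are judged on what was seen so far.
    for pid in list(open_sessions):
        close(pid)
    return hits


if __name__ == "__main__":
    for ip, count in direct_unauthenticated(SAMPLE_LOG.splitlines()).most_common():
        print(f"{ip}\t{count} direct unauthenticated session(s)")
```

Any address this reports reached port 25 on the backend directly, so a non-empty result means the backend is reachable from outside the gateway path.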
From: Jeff.Mills at versacold.com.au (Jeff Mills) Date: Wed Jul 25 05:06:05 2007 Subject: Fake MX records References: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com><1533.90.184.16.67.1185239462.squirrel@mail.fumlersoft.dk><223f97700707240113s3f845e3dsd5b6cbdba049d1e6@mail.gmail.com><4834.90.184.16.67.1185271396.squirrel@mail.fumlersoft.dk><223f97700707240605h1e74cae5we459c4e0fdddc4fe@mail.gmail.com><2996.90.184.16.67.1185317291.squirrel@mail.fumlersoft.dk> <25a66d840707242039o192d8d26wd8c189f6c488f6ba@mail.gmail.com> Message-ID: > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of am.lists > Sent: Wednesday, 25 July 2007 1:39 PM > To: MailScanner discussion > Subject: Re: Fake MX records > > reality: we see incoming spam connections coming in on > mail.hogswaggle.net although this is neither posted publicly, > nor has it ever been posted in any mx record. Inbound port 25 should be firewalled for the real mail server. The only way in should be via mailscanner and ideally, the mail server itself should not accept connections from anything other than your mailscanner server(s). Let the spammers randomly try addresses! From uxbod at splatnix.net Wed Jul 25 05:12:07 2007 From: uxbod at splatnix.net (UxBoD) Date: Wed Jul 25 05:10:34 2007 Subject: Request for comments 3 In-Reply-To: <46A67124.5070909@ecs.soton.ac.uk> Message-ID: <4664461.2671185336727232.JavaMail.root@office.splatnix.net> Sounds good to me :) Excellent. ----- Original Message ----- 
From: "Julian Field"
To: "MailScanner discussion"
Sent: 24 July 2007 22:37:40 o'clock (GMT) Europe/London
Subject: Re: Request for comments 3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

As a variation, how about I create a "custom" action which takes a parameter. This is passed to a MailScanner::CustomConfig::CustomAction() function, including the parameter given. So you could create

    sub CustomAction {
        my($message, $parameter) = @_;
        # Set the flag only when the action is called with 'caution'
        $message->{usecaution} = 1 if $parameter eq 'caution';
    }

(It would be defined in one of the CustomFunction files in /usr/lib/MailScanner/MailScanner/CustomFunctions. I would put in a sample 'CustomAction.pm' file in there so that the function was always defined, if only to do nothing by default.

That way you can extend the system to create whatever extra flags you want, and/or take any other actions you want with the message. And you can have as many variations as you like, all depending on what you pass in as the 'parameter'.

Would this not be better than having a specific 'use-caution' flag with a definition that I create?

Julian Field wrote:
> * PGP Signed: 07/24/07 at 22:21:13
>
> UxBoD wrote:
>> Virii is virii so set as it.
> I don't understand your English. Do you want me to tag virus-infected
> messages as 'use-caution'?
>> The flag, IMHO, would ideally be triggered on user defined logic,
>> around SA rules. ie. SA rule = /secret formula/i and action would be
>> "tag it". HR could then review tagged messages, if a case has been
>> brought to them that a individual was sending out confidential
>> information.
>>
> Yes, I get that bit. You want an action called "use-caution" which
> would set the flag.
>
> Are there any other circumstances (in MailScanner) that would cause
> the flag to be set?
>
>> ----- Original Message -----
>> From: "Julian Field" >> To: "MailScanner discussion" >> Sent: 24 July 2007 21:30:26 o'clock (GMT) Europe/London >> Subject: Re: Request for comments 3 >> >> >> > Old Signed by an unmatched address: 07/24/07 at 21:30:27 >> >> So I wouldn't actually *do* anything with the result. You just want >> me to add a "use-caution" action that sets a $message->{usecaution}=1 >> flag in the message properties. >> Would this flag also be set on any virus-infected message? >> What other circumstances would cause the flag to be set? >> >> I do nothing with the flag, just set it for Custom Functions to use >> if they want to. >> >> UxBoD wrote: >> >>> Sorry Jules, >>> >>> What I mean, for example KAM_CARD (as in KAM.cf), disguises a >>> message as from a friend/worshipper etc, but contains a URL that >>> *could* download a virri/trojan. >>> >>> Currently, this type of message gets marked as SPAM, which means a >>> user could potentially release it from Quarantine. >>> >>> What would be nice is if a SA rule could trigger a "Caution Flag", >>> which means that MailWatch/or a home brew application could check >>> this flag and stop the user from releasing it. The user could be >>> directed then to ask a techie to release the message once they had >>> checked it out. >>> >>> This could also be used when a message contains potential IPR and it >>> just gets flagged. >>> >>> Just seemed a useful idea to me, but please disregard if a daft idea ;) >>> >>> Cheers, >>> >>> --[ UxBoD ]-- >>> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" >>> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B >>> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B >>> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net >>> >>> ----- Original Message ----- 
>>> From: "Julian Field" >>> To: "MailScanner discussion" >>> Sent: 24 July 2007 20:34:20 o'clock (GMT) Europe/London >>> Subject: Re: Request for comments 3 >>> >>> >>> >>>> Old Signed by an unmatched address: 07/24/07 at 20:34:21 >>>> >>> I'm not quite sure what you're asking or suggesting here. What would >>> cause a message to be marked as "dangerous"? And what do I do with a >>> "dangerous" message? >>> >>> UxBoD wrote: >>> >>>> Jules, >>>> >>>> I raised a question on the MailWatch list of whether it would be >>>> possible to not display a list of messages based on the SA rule. >>>> Due to changes in V2 Steve believes it would probably be better >>>> performed in MailScanner. >>>> >>>> My thoughts are based around Trojan messages, where at the moment >>>> they are some times tagged via SA rules, but users do have the >>>> potential to release those messages and hence pose a potential >>>> security risk. This would even happen if the message is quarantined. >>>> >>>> Using your newly introduced code, would it be possible to introduce >>>> a new field where a message could be marked as caution. It is not >>>> a virri but should be treated with respect. I know it could be >>>> deleted via the SA rule code, but what happens if it has been >>>> tagged a false positive. >>>> >>>> A caution flag could then be used by MailWatch, or any other >>>> application, to stop a user releasing it and perhaps asking them to >>>> fill in a form to contact tech support to check the message whether >>>> it is okay to release. >>>> >>>> What has prompted this RFC is the recent eCard SPAM/Malware that >>>> has been shown to download Trojans and Virii. >>>> >>>> What is your take on this, and anybody else who perhaps sees the >>>> benefits ? >>>> >>>> Regards, >>>> >>>> ps. 
You amaze me how quick you release new functionality :D >>>> --[ UxBoD ]-- >>>> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg >>>> --import" >>>> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B >>>> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B >>>> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net >>>> >>>> ----- Original Message ----- 
>>>> From: "Julian Field" >>>> To: "MailScanner discussion" >>>> Sent: 24 July 2007 18:29:35 o'clock (GMT) Europe/London >>>> Subject: Re: Request for comments 3 >>>> >>>> >>>> >>>>> Old Signed by an unmatched address: 07/24/07 at 18:29:36 >>>>> >>>> Julian Field wrote: >>>> >>>>>> Old Signed: 07/24/07 at 18:14:20 >>>>>> >>>>> Steve Freegard wrote: >>>>> >>>>>> Julian Field wrote: >>>>>> >>>>>>>> e.g. store-nonspam will set $message->{isspam} = 0, store-mcp >>>>>>>> will set $message->{ismcp} = 1 etc. and add the relevant paths >>>>>>>> in $message->{quarantineplaces)?? >>>>>>>> >>>>>>> It wasn't going to do that, no. Simply choosing to store the >>>>>>> message in a place doesn't change its spam status, surely? >>>>>>> >>>>>> Ok - true enough for spam, but to replace MCP with this new >>>>>> feature - setting store-mcp would need to set $message->{ismcp} >>>>>> otherwise MailWatch won't be able to tell the difference between >>>>>> them and the MCP stuff will get lost in the noise (and won't get >>>>>> counted toward the MCP stats). >>>>>> >>>>> Okay, I could do that as well. It will be easy to add that. >>>>> >>>> Also, do you need me to do anything special if they use the >>>> store-spam in the Non-Spam Actions and other combinations? >>>> >>>> Jules >>>> >>>> >>> Jules >>> >>> >> >> Jules >> >> > > Jules > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: UTF-8 wj8DBQFGpnElEfZZRxQVtlQRAgxNAJwKvni93Yr7q8ClOxzjBC0A2lQrHwCfdfmI Tr2iUNb44tYa3J9b/shdk5g= =Ow1C -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From uxbod at splatnix.net Wed Jul 25 05:13:41 2007 From: uxbod at splatnix.net (UxBoD) Date: Wed Jul 25 05:12:06 2007 Subject: Request for comments 3 In-Reply-To: Message-ID: <30438414.2701185336821046.JavaMail.root@office.splatnix.net> Jules was spot on with previous post in being able to create a custom flag. That would be perfect. ----- Original Message ----- 
From: "Scott Silva" To: mailscanner@lists.mailscanner.info Sent: 25 July 2007 00:50:14 o'clock (GMT) Europe/London Subject: Re: Request for comments 3 Julian Field spake the following on 7/24/2007 2:21 PM: > > > UxBoD wrote: >> Virii is virii so set as it. > I don't understand your English. Do you want me to tag virus-infected > messages as 'use-caution'? It looks as though he would like to be able to virus tag something also based on sa rule names. Maybe an option IsVirus or ???, so it will be treated by mailwatch as a virus and be un-releasable. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From am.lists at gmail.com Wed Jul 25 05:12:53 2007 From: am.lists at gmail.com (am.lists) Date: Wed Jul 25 05:12:57 2007 Subject: Fake MX records In-Reply-To: References: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com> <1533.90.184.16.67.1185239462.squirrel@mail.fumlersoft.dk> <223f97700707240113s3f845e3dsd5b6cbdba049d1e6@mail.gmail.com> <4834.90.184.16.67.1185271396.squirrel@mail.fumlersoft.dk> <223f97700707240605h1e74cae5we459c4e0fdddc4fe@mail.gmail.com> <2996.90.184.16.67.1185317291.squirrel@mail.fumlersoft.dk> <25a66d840707242039o192d8d26wd8c189f6c488f6ba@mail.gmail.com> Message-ID: <25a66d840707242112leaec04dgd4969eb54a719049@mail.gmail.com> On 7/25/07, Jeff Mills wrote: > > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > > Of am.lists > > Sent: Wednesday, 25 July 2007 1:39 PM > > To: MailScanner discussion > > Subject: Re: Fake MX records > > > > > reality: we see incoming spam connections coming in on > > mail.hogswaggle.net although this is neither posted publicly, > > nor has it ever been posted in any mx record. > > Inbound port 25 should be firewalled for the real mail server. > The only way in should be via mailscanner and ideally, the mail server > itself should not accept connections from anything other than your > mailscanner server(s). Let the spammers randomly try addresses! Agreed 1000% -- but several users already have the mail.domain.tld:25 configured in their Outlook/other mail clients that they use for authorized outbound sending. Problem is that some (OL2K users particularly) have problems on ports !=25. So we're sorta stuck at the moment. I'd love to just flip the switch. Trust me. Angelo From michael at huntley.net Wed Jul 25 05:36:43 2007 
From: michael at huntley.net (Michael Huntley) Date: Wed Jul 25 05:37:01 2007 Subject: Fake MX records In-Reply-To: <25a66d840707242039o192d8d26wd8c189f6c488f6ba@mail.gmail.com> References: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com> <1533.90.184.16.67.1185239462.squirrel@mail.fumlersoft.dk> <223f97700707240113s3f845e3dsd5b6cbdba049d1e6@mail.gmail.com> <4834.90.184.16.67.1185271396.squirrel@mail.fumlersoft.dk> <223f97700707240605h1e74cae5we459c4e0fdddc4fe@mail.gmail.com> <2996.90.184.16.67.1185317291.squirrel@mail.fumlersoft.dk> <25a66d840707242039o192d8d26wd8c189f6c488f6ba@mail.gmail.com> Message-ID: <46A6D35B.5030307@huntley.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You can stop the connections by only allowing authenticated clients, and your mx.hoswaggle.net box. Cheers! michael vinum vesco valens viscus am.lists wrote: > I've read that article, and what it suggests has valid thinking > behind it. > > The thing is now that the spammers/crappers/etc know this defense > tactic they now have a one-up maneuver to outsmart that. > > In fact, one tactic I've seen lately is the attempt to deliver mail > directly to a guessed A record in the domain. > > Anecdotal Sample: > > domain: hogswaggle.net > published mx: > mx.hogswaggle.net, distance = 5 > fake.hogswaggle.net, distance = 10 > setup: mx is a mailscanner box that forwards good mail to > mail.hogswaggle.net. "mail" is not configured to accept mail from > anyone but: the "mx" server, and anyone who is successfully > smtp-auth'ed. > > reality: we see incoming spam connections coming in on > mail.hogswaggle.net although this is neither posted publicly, nor has > it ever been posted in any mx record. > > That leads me to believe that spammers are taking > "bobsmith@hogswaggle.net" and targeting username @ and then prepending > "mail." target domain and attempting the connection there. > > Not sure if anyone else has seen this or not, but I definitely have on > more than one of my domains. 
>
> -Angelo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFGptNafPRuS9a8BkIRAioXAJ0cmbqjfp3UdQNZ4qFY21qnkOLBjQCfZZSU
D+9ZW34c92R2bdoDRSqzBa8=
=pQW7
-----END PGP SIGNATURE-----

From steve.freegard at fsl.com Wed Jul 25 08:51:38 2007
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Jul 25 08:51:42 2007
Subject: Request for comments 3
In-Reply-To: <46A67124.5070909@ecs.soton.ac.uk>
References: <24341107.2581185310806422.JavaMail.root@office.splatnix.net> <46A66D48.4080103@ecs.soton.ac.uk> <46A67124.5070909@ecs.soton.ac.uk>
Message-ID: <46A7010A.80208@fsl.com>

Hi Jules,

Julian Field wrote:
> Would this not be better than having a specific 'use-caution' flag with
> a definition that I create?

This is a great idea as it offers more than just the ability to set a flag, but makes the whole thing extendable via a CustomFunction.

However I'm still mulling over what the original poster wanted to do, as everything that has been described so far is already done by MCP (In v2 of MailWatch - users cannot 'see' MCP messages or release them), so having yet-another-flag for 'caution' is not really necessary IMO. But I'll happily change my mind once I've actually released v2 and people can see what it actually does.

Kind regards,
Steve.

From glenn.steen at gmail.com Wed Jul 25 08:53:06 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jul 25 08:53:09 2007
Subject: install-Clam-0.91.1-SA-3.2.1.tar.gz configure error
In-Reply-To: <46A659AD02000068000D5717@MTA.AAFP.ORG>
References: <46A659AD02000068000D5717@MTA.AAFP.ORG>
Message-ID: <223f97700707250053r5c7a032er1169fab581dc23a@mail.gmail.com>

On 25/07/07, Brad Beckenhauer wrote:
> Exactly,
> I think you missed that I made note of just that in the original
> message.
>
> Julian is very good at identifying package dependencies, so I included
> the install log so Julian can review it and decide if he wants to
> include zlib/zlib-devel in his handy Clam-SA installer.
>
> thanks
> Brad
>
Brad, I'm pretty certain he will not. As is, such dependencies are for you to fix, not him... And it isn't "Julian" finding this discrepancy... it is clamav. Jules doesn't do anything with the stock clamav source package.

If you look at Jules' package, it only contains clamav itself and ... perl packages ... Same thing, almost, if you look at the MailScanner package... Sure, you have some other things too, like tnef, but no libs in sight. This is sane, since those libs would be installed by other measures... It would be a nasty thing to handle, not to mention that the clamav package handles it nicely... Don't hold your breath waiting for zlib and zlib-devel to be included;-).

Then again, perhaps Jules' installer should detect errors like that and pause afterwards, demanding some interaction ... Perhaps something one could turn on/off with an option? That might even be marginally useful:-):-)

(snip)
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Jul 25 08:57:32 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jul 25 08:57:37 2007 Subject: Fake MX records In-Reply-To: <25a66d840707242039o192d8d26wd8c189f6c488f6ba@mail.gmail.com> References: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com> <1533.90.184.16.67.1185239462.squirrel@mail.fumlersoft.dk> <223f97700707240113s3f845e3dsd5b6cbdba049d1e6@mail.gmail.com> <4834.90.184.16.67.1185271396.squirrel@mail.fumlersoft.dk> <223f97700707240605h1e74cae5we459c4e0fdddc4fe@mail.gmail.com> <2996.90.184.16.67.1185317291.squirrel@mail.fumlersoft.dk> <25a66d840707242039o192d8d26wd8c189f6c488f6ba@mail.gmail.com> Message-ID: <223f97700707250057n59ba4929m6d20f66de1a756c6@mail.gmail.com> On 25/07/07, am.lists wrote: > I've read that article, and what it suggests has valid thinking behind it. > > The thing is now that the spammers/crappers/etc know this defense > tactic they now have a one-up maneuver to outsmart that. > > In fact, one tactic I've seen lately is the attempt to deliver mail > directly to a guessed A record in the domain. > > Anecdotal Sample: > > domain: hogswaggle.net > published mx: > mx.hogswaggle.net, distance = 5 > fake.hogswaggle.net, distance = 10 > setup: mx is a mailscanner box that forwards good mail to > mail.hogswaggle.net. "mail" is not configured to accept mail from > anyone but: the "mx" server, and anyone who is successfully > smtp-auth'ed. > > reality: we see incoming spam connections coming in on > mail.hogswaggle.net although this is neither posted publicly, nor has > it ever been posted in any mx record. > > That leads me to believe that spammers are taking > "bobsmith@hogswaggle.net" and targeting username @ and then prepending > "mail." target domain and attempting the connection there. > > Not sure if anyone else has seen this or not, but I definitely have on > more than one of my domains. > > -Angelo Might be harvested from the Received: lines, no? From a mailing list or some such? 
Wouldn't be completely infeasible:) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Jul 25 09:01:45 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jul 25 09:01:47 2007 Subject: Fake MX records In-Reply-To: <46A6D35B.5030307@huntley.net> References: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com> <1533.90.184.16.67.1185239462.squirrel@mail.fumlersoft.dk> <223f97700707240113s3f845e3dsd5b6cbdba049d1e6@mail.gmail.com> <4834.90.184.16.67.1185271396.squirrel@mail.fumlersoft.dk> <223f97700707240605h1e74cae5we459c4e0fdddc4fe@mail.gmail.com> <2996.90.184.16.67.1185317291.squirrel@mail.fumlersoft.dk> <25a66d840707242039o192d8d26wd8c189f6c488f6ba@mail.gmail.com> <46A6D35B.5030307@huntley.net> Message-ID: <223f97700707250101j75a6ecdn30ad926f2bd96a01@mail.gmail.com> On 25/07/07, Michael Huntley wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > You can stop the connections by only allowing authenticated clients, > and your mx.hoswaggle.net box. > (snip) > > setup: mx is a mailscanner box that forwards good mail to > > mail.hogswaggle.net. "mail" is not configured to accept mail from > > anyone but: the "mx" server, and anyone who is successfully > > smtp-auth'ed. Methinks that is already the case Michael;-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From list-mailscanner at linguaphone.com Wed Jul 25 09:06:05 2007 
From: list-mailscanner at linguaphone.com (Gareth)
Date: Wed Jul 25 09:06:14 2007
Subject: Announce: Join the Facebook MailScanner group
In-Reply-To: <46A651BF.3050805@ecs.soton.ac.uk>
References: <46A651BF.3050805@ecs.soton.ac.uk>
Message-ID: <1185350765.3999.5.camel@gblades-suse.linguaphone-intranet.co.uk>

Can't join facebook. Our 'BOFH' mail administrator has blocked their invites.
Oh wait, that's me ;)

On Tue, 2007-07-24 at 20:23, Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> All you Facebook users out there, join the MailScanner group!
>
> A great place for us to share experiences (good or bad) and arrange a
> meet somewhere (pick a country!). I hope there will be some good
> conversation on the message board, I'll announce news there, and you can
> have a chat rather more informally than under the public gaze of the
> mailing list.
>
> And how about a competition for the best-looking rack of MailScanner
> hardware? :-)
> Most stupid end-user's tech support query?
>
> And if you aren't on Facebook, why not?
> www.facebook.com
>
> Jules
>
> - --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.6.2 (Build 2014)
> Charset: ISO-8859-1
>
> wj8DBQFGplHAEfZZRxQVtlQRAgppAKDSE1f/QCF27MWwrHTl4TagbjR8kACg/lFI
> mz0Wx3krAYDKG4Uv3Nhyu4M=
> =XCzJ
> -----END PGP SIGNATURE-----
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> For all your IT requirements visit www.transtec.co.uk

From glenn.steen at gmail.com Wed Jul 25 09:08:46 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jul 25 09:08:48 2007 Subject: Fake MX records In-Reply-To: <223f97700707250057n59ba4929m6d20f66de1a756c6@mail.gmail.com> References: <086f7e06a703ec47a6db01c8a2c15d81@solidstatelogic.com> <1533.90.184.16.67.1185239462.squirrel@mail.fumlersoft.dk> <223f97700707240113s3f845e3dsd5b6cbdba049d1e6@mail.gmail.com> <4834.90.184.16.67.1185271396.squirrel@mail.fumlersoft.dk> <223f97700707240605h1e74cae5we459c4e0fdddc4fe@mail.gmail.com> <2996.90.184.16.67.1185317291.squirrel@mail.fumlersoft.dk> <25a66d840707242039o192d8d26wd8c189f6c488f6ba@mail.gmail.com> <223f97700707250057n59ba4929m6d20f66de1a756c6@mail.gmail.com> Message-ID: <223f97700707250108n1e72d880sab5887c54faae867@mail.gmail.com> On 25/07/07, Glenn Steen wrote: > On 25/07/07, am.lists wrote: > > I've read that article, and what it suggests has valid thinking behind it. > > > > The thing is now that the spammers/crappers/etc know this defense > > tactic they now have a one-up maneuver to outsmart that. > > > > In fact, one tactic I've seen lately is the attempt to deliver mail > > directly to a guessed A record in the domain. > > > > Anecdotal Sample: > > > > domain: hogswaggle.net > > published mx: > > mx.hogswaggle.net, distance = 5 > > fake.hogswaggle.net, distance = 10 > > setup: mx is a mailscanner box that forwards good mail to > > mail.hogswaggle.net. "mail" is not configured to accept mail from > > anyone but: the "mx" server, and anyone who is successfully > > smtp-auth'ed. > > > > reality: we see incoming spam connections coming in on > > mail.hogswaggle.net although this is neither posted publicly, nor has > > it ever been posted in any mx record. > > > > That leads me to believe that spammers are taking > > "bobsmith@hogswaggle.net" and targeting username @ and then prepending > > "mail." target domain and attempting the connection there. > > > > Not sure if anyone else has seen this or not, but I definitely have on > > more than one of my domains. 
> >
> > -Angelo
> Might be harvested from the Received: lines, no? From a mailing list
> or some such?
> Wouldn't be completely infeasible:)
>
Just to clarify, I'm not telling you to "doctor" your Received lines, just pointing to a potential/intentional "leak" of such information. One _could_ make sure those Received lines were ... not there... but then one would be breaking one of the few cardinal rules of the RFC... Not that that would stop some from doing it (nor should it!;) ... :-).

Once the $ENTRAPPED_SPIRIT has left the $CONTAINER ... there's not much to do. Depending on your userbase, you could perhaps make a "clean sweep"... Change the IP on the backend mail host, firewall port 25 and tell them to use your nice pre-configured package .... Really yucky option, I know:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From uxbod at splatnix.net Wed Jul 25 09:11:55 2007
From: uxbod at splatnix.net (UxBoD)
Date: Wed Jul 25 09:10:16 2007
Subject: Request for comments 3
In-Reply-To: <46A7010A.80208@fsl.com>
Message-ID: <26896644.2761185351115838.JavaMail.root@office.splatnix.net>

Steve,

That sheds a different light on the matter then :) Though I do agree that the CustomFunction would be a great addition to MailScanner. Endless possibilities.

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Steve Freegard"
To: "MailScanner discussion"
Sent: Wednesday, July 25, 2007 8:51:38 AM (GMT) Europe/London
Subject: Re: Request for comments 3

Hi Jules,

Julian Field wrote:
> Would this not be better than having a specific 'use-caution' flag with
> a definition that I create?

This is a great idea as it offers more than just the ability to set a flag, but makes the whole thing extendable via a CustomFunction.

However I'm still mulling over what the original poster wanted to do, as everything that has been described so far is already done by MCP (In v2 of MailWatch - users cannot 'see' MCP messages or release them), so having yet-another-flag for 'caution' is not really necessary IMO. But I'll happily change my mind once I've actually released v2 and people can see what it actually does.

Kind regards,
Steve.

From steve.freegard at fsl.com Wed Jul 25 09:40:24 2007
From: steve.freegard at fsl.com (Steve Freegard)
Date: Wed Jul 25 09:40:29 2007
Subject: Request for comments 3
In-Reply-To: <46A636FF.9060608@ecs.soton.ac.uk>
References: <321796.1741185273510384.JavaMail.root@office.splatnix.net> <46A5FDC5.3060109@ecs.soton.ac.uk> <46A6009B.2060701@fsl.com> <46A60BD9.8080903@ecs.soton.ac.uk> <46A6107D.9060708@fsl.com> <46A61CA3.7040000@ecs.soton.ac.uk> <46A6288E.1090201@fsl.com> <46A6336B.1030804@ecs.soton.ac.uk> <46A636FF.9060608@ecs.soton.ac.uk>
Message-ID: <46A70C78.5030308@fsl.com>

Hi Jules,

Julian Field wrote:
>> Steve Freegard wrote:
>>> Julian Field wrote:
>>>>> e.g. store-nonspam will set $message->{isspam} = 0, store-mcp will
>>>>> set $message->{ismcp} = 1 etc. and add the relevant paths in
>>>>> $message->{quarantineplaces}??
>>>> It wasn't going to do that, no. Simply choosing to store the message
>>>> in a place doesn't change its spam status, surely?
>>> Ok - true enough for spam, but to replace MCP with this new feature -
>>> setting store-mcp would need to set $message->{ismcp} otherwise
>>> MailWatch won't be able to tell the difference between them and the
>>> MCP stuff will get lost in the noise (and won't get counted toward
>>> the MCP stats).
>> Okay, I could do that as well. It will be easy to add that.
> Also, do you need me to do anything special if they use the store-spam
> in the Non-Spam Actions and other combinations?

Hmmm - not 100% sure on this - if non-spam actions specify store-spam then we could well set $message->{isspam} as that would clearly be the intent; same for the reverse. The admin is taking a conscious decision to override the outcome. I'm just not sure if this would be useful or desirable.

Cheers,
Steve.

From glenn.steen at gmail.com Wed Jul 25 09:50:18 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jul 25 09:50:23 2007 Subject: Request for comments 3 In-Reply-To: <46A70C78.5030308@fsl.com> References: <321796.1741185273510384.JavaMail.root@office.splatnix.net> <46A5FDC5.3060109@ecs.soton.ac.uk> <46A6009B.2060701@fsl.com> <46A60BD9.8080903@ecs.soton.ac.uk> <46A6107D.9060708@fsl.com> <46A61CA3.7040000@ecs.soton.ac.uk> <46A6288E.1090201@fsl.com> <46A6336B.1030804@ecs.soton.ac.uk> <46A636FF.9060608@ecs.soton.ac.uk> <46A70C78.5030308@fsl.com> Message-ID: <223f97700707250150q1dcea4c2ua5f86698bdc228f1@mail.gmail.com> On 25/07/07, Steve Freegard wrote: > Hi Jules, > > Julian Field wrote: > >> Steve Freegard wrote: > >>> Julian Field wrote: > >>>>> e.g. store-nonspam will set $message->{isspam} = 0, store-mcp will > >>>>> set $message->{ismcp} = 1 etc. and add the relevant paths in > >>>>> $message->{quarantineplaces)?? > >>>> It wasn't going to do that, no. Simply choosing to store the message > >>>> in a place doesn't change its spam status, surely? > >>> Ok - true enough for spam, but to replace MCP with this new feature - > >>> setting store-mcp would need to set $message->{ismcp} otherwise > >>> MailWatch won't be able to tell the difference between them and the > >>> MCP stuff will get lost in the noise (and won't get counted toward > >>> the MCP stats). > >> Okay, I could do that as well. It will be easy to add that. > > Also, do you need me to do anything special if they use the store-spam > > in the Non-Spam Actions and other combinations? > > Hmmm - not 100% sure on this - if non-spam actions specify store-spam > then we could well set $message->{isspam} as that would clearly be the > intent; same for the reverse. The admin is taking a concious decision > to override to outcome. I'm just not sure if this would be useful or > desirable. > I think maybe that whether it is useful to set or not isn't that important... More important to be consistent in how we handle things... 
_if_ one can do as you describe, would it be logical to _not_ set it as spam? IMO... I think not.

My .02 SEK

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ram at netcore.co.in Wed Jul 25 10:30:57 2007
From: ram at netcore.co.in (ram)
Date: Wed Jul 25 10:31:02 2007
Subject: Beta release 4.62.4
In-Reply-To: <46A61FBB.1030708@ecs.soton.ac.uk>
References: <46A61FBB.1030708@ecs.soton.ac.uk>
Message-ID: <1185355857.12234.87.camel@localhost.localdomain>

On Tue, 2007-07-24 at 16:50 +0100, Julian Field wrote:
> I have just released a new beta, 4.62.4.
>
> This contains some bug-fixes, a few new minor features such as Kaspersky
> KAV4FS support, along with 2 major new ones:
>
> 1 - Addition of 4 new "store" actions, "store-nonmcp", "store-nonspam",
> "store-mcp" and "store-spam" so you can pick any particular bit of the
> quarantine you want as a message action.
> 2 - Addition of the "SpamAssassin Rule Actions" setting which is
> documented in the MailScanner.conf file.

That is an excellent feature.
What if I don't use spamassassin for spam-checks, but I still want to use this feature for internal policies.

Would you recommend putting a use Spamassassin=yes and blank out all the cf files except for our policies.cf

Thanks
Ram

From martinh at solidstatelogic.com Wed Jul 25 10:36:19 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Jul 25 10:36:24 2007
Subject: Beta release 4.62.4
In-Reply-To: <1185355857.12234.87.camel@localhost.localdomain>
Message-ID: <6c49c701f05a7d4c91155ef7d2ad7f38@solidstatelogic.com>

Ram

So what you moved to for spam checks then?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of ram > Sent: 25 July 2007 10:31 > To: MailScanner discussion > Cc: MailScanner-Beta mailing list > Subject: Re: Beta release 4.62.4 > > On Tue, 2007-07-24 at 16:50 +0100, Julian Field wrote: > > I have just released a new beta, 4.62.4. > > > > This contains some bug-fixes, a few new minor features such as Kaspersky > > KAV4FS support, along with 2 major new ones: > > > > 1 - Addition of 4 new "store" actions, "store-nonmcp", "store-nonspam", > > "store-mcp" and "store-spam" so you can pick any particular bit of the > > quarantine you want as a message action. > > 2 - Addition of the "SpamAssassin Rule Actions" setting which is > > documented in the MailScanner.conf file. > > That is an excellent feature. > What If I dont use spamassassin for spam-checks , but I still want to > use this feature for internal policies. > > Would you recommend putting a use Spamassassin=yes and blank out all the > cf files except for our policies.cf > > Thanks > Ram > > > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. 
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.

Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From ramprasad at netcore.co.in Wed Jul 25 10:46:40 2007
From: ramprasad at netcore.co.in (ram)
Date: Wed Jul 25 10:46:52 2007
Subject: Beta release 4.62.4
In-Reply-To: <46A61FBB.1030708@ecs.soton.ac.uk>
References: <46A61FBB.1030708@ecs.soton.ac.uk>
Message-ID: <1185356800.12234.92.camel@localhost.localdomain>

On Tue, 2007-07-24 at 16:50 +0100, Julian Field wrote:
> I have just released a new beta, 4.62.4.
>
> This contains some bug-fixes, a few new minor features such as Kaspersky
> KAV4FS support, along with 2 major new ones:
>
> 1 - Addition of 4 new "store" actions, "store-nonmcp", "store-nonspam",
> "store-mcp" and "store-spam" so you can pick any particular bit of the
> quarantine you want as a message action.
> 2 - Addition of the "SpamAssassin Rule Actions" setting which is
> documented in the MailScanner.conf file.

That is an excellent feature.
What if I don't use spamassassin for spam-checks, but I still want to use this feature for internal policies.

Would you recommend putting a use Spamassassin=yes and blank out all the cf files except for our policies.cf

Thanks
Ram

From MailScanner at ecs.soton.ac.uk Wed Jul 25 10:57:31 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 25 10:58:48 2007
Subject: Beta release 4.62.4
In-Reply-To: <1185356800.12234.92.camel@localhost.localdomain>
References: <46A61FBB.1030708@ecs.soton.ac.uk> <1185356800.12234.92.camel@localhost.localdomain>
Message-ID: <46A71E8B.9070600@ecs.soton.ac.uk>

ram wrote:
> On Tue, 2007-07-24 at 16:50 +0100, Julian Field wrote:
>
>> I have just released a new beta, 4.62.4.
>>
>> This contains some bug-fixes, a few new minor features such as Kaspersky
>> KAV4FS support, along with 2 major new ones:
>>
>> 1 - Addition of 4 new "store" actions, "store-nonmcp", "store-nonspam",
>> "store-mcp" and "store-spam" so you can pick any particular bit of the
>> quarantine you want as a message action.
>> 2 - Addition of the "SpamAssassin Rule Actions" setting which is
>> documented in the MailScanner.conf file.
>>
>
> That is an excellent feature.
> What if I don't use spamassassin for spam-checks, but I still want to
> use this feature for internal policies?
>
> Would you recommend putting a use Spamassassin=yes and blank out all the
> cf files except for our policies.cf?
>
You could do that, yes.

Jules

From glenn.steen at gmail.com Wed Jul 25 11:29:56 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jul 25 11:29:58 2007
Subject: Beta release 4.62.4
In-Reply-To: <46A71E8B.9070600@ecs.soton.ac.uk>
References: <46A61FBB.1030708@ecs.soton.ac.uk> <1185356800.12234.92.camel@localhost.localdomain> <46A71E8B.9070600@ecs.soton.ac.uk>
Message-ID: <223f97700707250329u28d3f43cy4554f59ed5ed7f4a@mail.gmail.com>

On 25/07/07, Julian Field wrote:
> ram wrote:
> > On Tue, 2007-07-24 at 16:50 +0100, Julian Field wrote:
> >
> >> I have just released a new beta, 4.62.4.
> >>
> >> This contains some bug-fixes, a few new minor features such as Kaspersky
> >> KAV4FS support, along with 2 major new ones:
> >>
> >> 1 - Addition of 4 new "store" actions, "store-nonmcp", "store-nonspam",
> >> "store-mcp" and "store-spam" so you can pick any particular bit of the
> >> quarantine you want as a message action.
> >> 2 - Addition of the "SpamAssassin Rule Actions" setting which is
> >> documented in the MailScanner.conf file.
> >>
> >
> > That is an excellent feature.
> > What if I don't use spamassassin for spam-checks, but I still want to
> > use this feature for internal policies?
> >
> > Would you recommend putting a use Spamassassin=yes and blank out all the
> > cf files except for our policies.cf?
> >
> You could do that, yes.
>
> Jules
>
Couldn't Ram as well stick to MCP "only" and still use this feature? That way he'd not need "blank" anything... since MCP is that ... by definition...:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From uxbod at splatnix.net Wed Jul 25 11:52:58 2007
From: uxbod at splatnix.net (UxBoD)
Date: Wed Jul 25 11:51:57 2007
Subject: Beta release 4.62.4
In-Reply-To: <46A71E8B.9070600@ecs.soton.ac.uk>
Message-ID: <8068434.2881185360778481.JavaMail.root@office.splatnix.net>

Jules,

The new code for headers does not appear to be working in the beta :-

Jul 25 06:50:18 bianchi MailScanner[17940]: ERROR:: UNKNOWN CLAMD RETURN ./448577D1054.08BB2.header/Email.Hdr.Sanesecurity.07061900 FOUND :: /var/spool/MailScanner/incoming/17940

Going to debug it now.

Cheers,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
From uxbod at splatnix.net Wed Jul 25 12:03:32 2007
From: uxbod at splatnix.net (UxBoD)
Date: Wed Jul 25 12:02:24 2007
Subject: Beta release 4.62.4
In-Reply-To: <8068434.2881185360778481.JavaMail.root@office.splatnix.net>
Message-ID: <25075962.2911185361412078.JavaMail.root@office.splatnix.net>

This appears to fix it :-

--- SweepViruses.pm.orig 2007-07-25 06:59:27.000000000 -0400 +++ SweepViruses.pm 2007-07-25 06:59:43.000000000 -0400 @@ -3323,7 +3323,7 @@ # in '.header' and $rest ends in ' FOUND'. In this case we need # to report a null childname so the infection is mapped to the # entire message. - if ($childname =~ /\.header$/ && $rest =~ /\sFOUND$/) { + if ($childname =~ /\.header$/ && $filename =~ /\sFOUND$/) { $rest = $filename; $filename = ''; $childname =~ s/\.header$//;
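Review bot: the context comment directly above the changed condition still reads "and $rest ends in ' FOUND'", but the condition now tests $filename, so the comment no longer describes the code; please update it in the same change (for example "and $filename ends in ' FOUND'"). It would also help to say in that comment why the text ends up in $filename for a header hit, since the following lines then move it with $rest = $filename; $filename = '';.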
From uxbod at splatnix.net Wed Jul 25 12:06:31 2007
From: uxbod at splatnix.net (UxBoD)
Date: Wed Jul 25 12:06:02 2007
Subject: Beta release 4.62.4
In-Reply-To: <8068434.2881185360778481.JavaMail.root@office.splatnix.net>
Message-ID: <4146503.2971185361591432.JavaMail.root@office.splatnix.net>

The MSRBL signatures for ClamAV also throw a wobbly as well :-

Jul 25 07:01:59 bianchi MailScanner[24140]: ERROR:: UNKNOWN CLAMD RETURN ./81D547D02E3.67382/img66.jpg/MSRBL-Images/3-0-0YD FOUND :: /var/spool/MailScanner/incoming/24140

due to a slash being in the reported name.
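The two failures reported above, as an added example that is not part of the original posts and is not MailScanner's own code: it runs the four-way split shown in the patch context over the two result strings from the logs, next to a tolerant parser that peels off the trailing FOUND first and bounds each split. The names `naive_fields` and `parse_result`, the hash keys and the third sample line are hypothetical, and the parser assumes the message id and the attachment name are each a single path component.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The two scanner result strings quoted in this thread (taken from between
# "UNKNOWN CLAMD RETURN" and "::" in the log lines), followed by two lines
# constructed for comparison: an ordinary attachment hit with a made-up
# signature name, and the end-of-scan marker.
my @samples = (
    './448577D1054.08BB2.header/Email.Hdr.Sanesecurity.07061900 FOUND',
    './81D547D02E3.67382/img66.jpg/MSRBL-Images/3-0-0YD FOUND',
    './1A2B3C4D5E6.00001/report.doc/Constructed.Example.Name FOUND',
    './OK',
);

# The four-way split visible in the patch context. A fifth field is silently
# dropped, and a header hit yields only three fields.
sub naive_fields {
    my ($line) = @_;
    my ($dot, $childname, $filename, $rest) = split('/', $line);
    return ($childname, $filename, $rest);
}

# Hypothetical tolerant parser. Assumption: the message id and the attachment
# name are each one path component; everything after them is the signature
# name, slashes included.
sub parse_result {
    my ($line) = @_;
    return { status => 'ok' } if $line =~ m{^\./OK};

    # Peel the trailing status word off first so the name cannot displace it.
    my ($body) = $line =~ m{^\./(.+)\sFOUND$};
    return { status => 'unknown', raw => $line } unless defined($body);

    my ($id, $remainder) = split(m{/}, $body, 2);
    return { status => 'unknown', raw => $line }
        unless defined($remainder) && length($remainder);

    # A '.header' suffix means the hit applies to the whole message.
    if ($id =~ s/\.header$//) {
        return { status => 'found', message => $id, file => '',
                 signature => $remainder };
    }

    my ($file, $signature) = split(m{/}, $remainder, 2);
    return { status => 'unknown', raw => $line }
        unless defined($signature) && length($signature);
    return { status => 'found', message => $id, file => $file,
             signature => $signature };
}

for my $line (@samples) {
    my @naive = map { defined($_) ? $_ : '(undef)' } naive_fields($line);
    my $r = parse_result($line);
    print "line:     $line\n";
    print "  naive:  childname=$naive[0] filename=$naive[1] rest=$naive[2]\n";
    if ($r->{status} eq 'found') {
        my $where = length($r->{file}) ? $r->{file} : '(whole message)';
        print "  parsed: message=$r->{message} file=$where signature=$r->{signature}\n";
    } else {
        print "  parsed: status=$r->{status}\n";
    }
}
```

For the MSRBL line the naive split leaves `rest=MSRBL-Images` with the FOUND text dropped, and for the header line it leaves `rest` undefined, which matches the two "UNKNOWN CLAMD RETURN" reports.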
From uxbod at splatnix.net Wed Jul 25 12:30:47 2007
From: uxbod at splatnix.net (UxBoD)
Date: Wed Jul 25 12:29:07 2007
Subject: Beta release 4.62.4
In-Reply-To: <4146503.2971185361591432.JavaMail.root@office.splatnix.net>
Message-ID: <32167184.3091185363047502.JavaMail.root@office.splatnix.net>

Workaround patch for MSRBL-Images :-

--- SweepViruses.pm.orig 2007-07-25 07:26:33.000000000 -0400 +++ SweepViruses.pm 2007-07-25 07:28:12.000000000 -0400 @@ -3311,6 +3311,8 @@ # name at the end of the scan so we discard that result when # we get to it next if $results =~ /^\.\/OK/; + # Work around for MSRBL-Images (http://www.msrbl.com/site/msrblimagesabout) + $results =~ s#MSRBL-Images/#MSRBL-Images.#; my ($dot,$childname,$filename,$rest) = split('/',$results); unless ($results) {

MSRBL should use a '.' instead of a slash as per the ClamAV naming standards I believe. Will send the author an email.

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
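Review bot: the added substitution is applied to the whole of $results before the split on the following line, so it rewrites the first "MSRBL-Images/" anywhere in the string, including the message or attachment part, and it covers only this one signature prefix; any other reported name containing a slash will still produce more than four fields. Consider leaving $results untouched and bounding the split instead, for example split('/', $results, 4), so the remainder of the line stays together in $rest, and check that this holds for the other result formats the function handles.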
From uxbod at splatnix.net Wed Jul 25 13:02:49 2007
From: uxbod at splatnix.net (UxBoD)
Date: Wed Jul 25 13:01:10 2007
Subject: Beta release 4.62.4
In-Reply-To: <32167184.3091185363047502.JavaMail.root@office.splatnix.net>
Message-ID: <23321144.3151185364969364.JavaMail.root@office.splatnix.net>

Missed a backslash on the replace - DOH!

--- SweepViruses.pm.orig 2007-07-25 07:26:33.000000000 -0400 +++ SweepViruses.pm 2007-07-25 08:00:39.000000000 -0400 @@ -3311,6 +3311,8 @@ # name at the end of the scan so we discard that result when # we get to it next if $results =~ /^\.\/OK/; + # Work around for MSRBL-Images (http://www.msrbl.com/site/msrblimagesabout) + $results =~ s#MSRBL-Images/#MSRBL-Images\.#; my ($dot,$childname,$filename,$rest) = split('/',$results); unless ($results) {
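Review bot: the backslash added to the replacement half of the s### on the second added line is not needed, because the replacement is interpolated as a string rather than compiled as a pattern, so "MSRBL-Images." and "MSRBL-Images\." both insert a single literal dot and the earlier version behaved the same. The side worth a second look is the pattern, which is unanchored and matches the first "MSRBL-Images/" anywhere in $results rather than only in the signature name.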
From maillists at conactive.com Wed Jul 25 13:25:20 2007
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Jul 25 13:25:23 2007
Subject: install-Clam-0.91.1-SA-3.2.1.tar.gz configure error
In-Reply-To: <46A659AD02000068000D5717@MTA.AAFP.ORG>
References: <46A659AD02000068000D5717@MTA.AAFP.ORG>
Message-ID:

Brad Beckenhauer wrote on Tue, 24 Jul 2007 19:57:33 -0500:

> if he wants to
> include zlib/zlib-devel

These should never get included as each distribution comes with its own set of zlib and installing a new one, especially a different version of zlib-devel, is likely to break a lot of things.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Wed Jul 25 13:25:20 2007
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Jul 25 13:25:29 2007
Subject: MailScanner and password protected archives
In-Reply-To: <46A66091.5030008@ecs.soton.ac.uk>
References: <46A66091.5030008@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Tue, 24 Jul 2007 21:26:57 +0100:

> It will be caught, and logged as an "Other infection" if
> Allow Password Protected Archives = no

Yeah. The point is that there is no way of releasing it as it doesn't get stored, it's handled like a virus. There is also no notification of the recipient about this. As I understand if I set "Allow Password Protected Archives = yes" it will just slip thru unchecked (at least unchecked for spam, clamav may still find a virus signature) which is not desirable. There is a good chance that a password protected archive is either spam or malware, so I want to stop it for good at the gate, but give any recipient the chance to release "good" password protected archives (their choice) as there are ones which are not spam or malware.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From dave.list at pixelhammer.com Wed Jul 25 14:04:08 2007
From: dave.list at pixelhammer.com (DAve)
Date: Wed Jul 25 14:05:42 2007
Subject: Request for comments 3 - Re: MailScanner and password protected archives
In-Reply-To: <46A7010A.80208@fsl.com>
References: <24341107.2581185310806422.JavaMail.root@office.splatnix.net> <46A66D48.4080103@ecs.soton.ac.uk> <46A67124.5070909@ecs.soton.ac.uk> <46A7010A.80208@fsl.com>
Message-ID: <46A74A48.5080400@pixelhammer.com>

Possibly related to "Re: MailScanner and password protected archives"

Steve Freegard wrote:
> Hi Jules,
>
> Julian Field wrote:
>> Would this not be better than having a specific 'use-caution' flag
>> with a definition that I create?
>
> This is a great idea as it offers more than just the ability to set a
> flag, but makes the whole thing extendable via a CustomFunction.
>
> However I'm still mulling over what the original poster wanted to do, as
> everything that has been described so far is already done by MCP (In v2
> of MailWatch - users cannot 'see' MCP messages or release them), so
> having yet-another-flag for 'caution' is not really necessary
> IMO. But I'll happily change my mind once I've actually released v2 and
> people can see what it actually does.
>

I see a trend here, maybe it is just me. We (the MS community) have SA rules that catch viruses, we have Clam signatures that catch spam, we have MCP that catches stuff nobody wants to 'see'.

It looks like people want a way to decide which messages go to which quarantine based on the rule that was triggered, and not the tool that was used. Some messages caught by Clam should go into the spam quarantine, some messages caught by SA should go to the virus quarantine.

Possibly an override map that says "any rule matching this regex is actually treated as spam, any rule matching this regex is actually a virus". This would remove the need for special flags and custom functions. Create only two quarantines, one that is considered safe for release/viewing, one that is not.

Then third party tools such as MailWatch could allow a user access to any message stored in quarantine 'safe', and no access to any message in quarantine 'unsafe'. Regardless of what tool/rule/function put them there.

Sound right?

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.

From matt at coders.co.uk Wed Jul 25 14:27:35 2007
From: matt at coders.co.uk (Matt Hampton)
Date: Wed Jul 25 14:25:23 2007
Subject: [Fwd: ANNOUNCE: Apache SpamAssassin 3.2.2 available]
Message-ID: <46A74FC7.9090604@coders.co.uk>

Apache SpamAssassin 3.2.2 is now available! This is a maintenance release of the 3.2.x branch.

Downloads are available from:
http://spamassassin.apache.org/downloads.cgi

The release file will also be available via CPAN in the near future.

md5sum of archive files:
7423a1bca96b932d321882fc6092080b Mail-SpamAssassin-3.2.2.tar.bz2
87b2a8852f125060f781922c3663525f Mail-SpamAssassin-3.2.2.tar.gz
8dd32339bf82591b50c9eb307745c8fa Mail-SpamAssassin-3.2.2.zip

sha1sum of archive files:
6dfaa36eb8e500f9315cf2461fbd3229ae92a2c7 Mail-SpamAssassin-3.2.2.tar.bz2
e8ea034fa4f695607af0e596c86c5daf82f234e0 Mail-SpamAssassin-3.2.2.tar.gz
e9a9723bb1cbadaded2340ef0aa86a0329f03783 Mail-SpamAssassin-3.2.2.zip

The release files also have a .asc accompanying them. The file serves as an external GPG signature for the given release file. The signing key is available via the wwwkeys.pgp.net key server, as well as http://spamassassin.apache.org/released/GPG-SIGNING-KEY

The key information is:
pub 1024D/265FA05B 2003-06-09 SpamAssassin Signing Key
Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24 F6D7 DEE0 1987 265F A05B

3.2.2 is a minor bug-fix release. Summary of changes:

- bug 5548: Certain mail input can take a long time to scan with 100% CPU utilisation, due to backtracking in a rule's regexp. fix
- bugs 5510, 5518, 5529: fix 'make test' when running as root, needed for CPAN
- bug 5419: kill -HUP of pidof spamd causes the ps name to change from spamd to perl. fixed
- bug 5535: 'make test' errors in Windows caused by nonportable use of getpwuid
- bug 5462: multiple DNS records for a host name should allow use of spamd -H for load balancing installs to work
- bugs 5509, 5511: fix network lookup timeouts, where lookups were being lost once a timeout was hit; also fix code to match documentation on rbl_timeout's scaling and minimum duration of 1 second; and attempt to collect already-received DNS responses when the timeout is reached; improve related debugging output. Thanks to Mark Martinec
- bugs 5412, 5478, 5522: Fix problems using the spamc -x option with certain other options; 'spamc -x -R' always returned 0, instead of the exit code, on error. Bug 5478: in addition, 'spamc -x -e /command' would still run the command, even if errors meant that the filtered text would be unavailable, which contradicted -x.
- bug 5445: body eval tests defined in user_rules cause ugly 'Subroutine _eval_tests_type11_prineg400_set3 redefined' warnings
- bug 5355: add in new entries for RegistrarBoundaries
- bug 5515: libsslspamc.so & libsslspamc.so can not build without -fPIC, but we were picking up the wrong CFLAGS to do this.
- bug 5501: zero score for FH_HAS_XID
- bug 5449: allow_user_rules causes sa-compile / Rule2XSBody plugin to emit spurious warnings; fix. also, add a new 'user_conf_parsing_end' plugin hook, which is called after the per-user configuration is parsed
- bug 5182: update the sa-learn doc to mention that -u is only usable w/ sql
- bug 5534: fix harmless-but-ugly C compiler warning in sa-compile

From prandal at herefordshire.gov.uk Wed Jul 25 14:31:05 2007
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Jul 25 14:31:32 2007
Subject: [Fwd: ANNOUNCE: Apache SpamAssassin 3.2.2 available]
In-Reply-To: <46A74FC7.9090604@coders.co.uk>
References: <46A74FC7.9090604@coders.co.uk>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA03CEF3@HC-MBX02.herefordshire.gov.uk>

If you can find a mirror carrying it you're cleverer than I am.

As sod's law has it, I've just gone live with two new MailScanner boxes today.

Cheers,

Phil

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Hampton Sent: 25 July 2007 14:28 To: MailScanner discussion Subject: [Fwd: ANNOUNCE: Apache SpamAssassin 3.2.2 available] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Apache SpamAssassin 3.2.2 is now available! This is a maintenance release of the 3.2.x branch. Downloads are available from: http://spamassassin.apache.org/downloads.cgi The release file will also be available via CPAN in the near future. md5sum of archive files: 7423a1bca96b932d321882fc6092080b Mail-SpamAssassin-3.2.2.tar.bz2 87b2a8852f125060f781922c3663525f Mail-SpamAssassin-3.2.2.tar.gz 8dd32339bf82591b50c9eb307745c8fa Mail-SpamAssassin-3.2.2.zip sha1sum of archive files: 6dfaa36eb8e500f9315cf2461fbd3229ae92a2c7 Mail-SpamAssassin-3.2.2.tar.bz2 e8ea034fa4f695607af0e596c86c5daf82f234e0 Mail-SpamAssassin-3.2.2.tar.gz e9a9723bb1cbadaded2340ef0aa86a0329f03783 Mail-SpamAssassin-3.2.2.zip The release files also have a .asc accompanying them. The file serves as an external GPG signature for the given release file. The signing key is available via the wwwkeys.pgp.net key server, as well as http://spamassassin.apache.org/released/GPG-SIGNING-KEY The key information is: pub 1024D/265FA05B 2003-06-09 SpamAssassin Signing Key Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24 F6D7 DEE0 1987 265F A05B 3.2.2 is a minor bug-fix release. Summary of changes: - - bug 5548: Certain mail input can take a long time to scan with 100% CPU utilisation, due to backtracking in a rule's regexp. fix - - bugs 5510, 5518, 5529: fix 'make test' when running as root, needed for CPAN - - bug 5419: kill -HUP of pidof spamd causes the ps name to change from spamd to perl. 
fixed - - bug 5535: 'make test' errors in Windows caused by nonportable use of getpwuid - - bug 5462: multiple DNS records for a host name should allow use of spamd -H for load balancing installs to work - - bugs 5509, 5511: fix network lookup timeouts, where lookups were being lost once a timeout was hit; also fix code to match documentation on rbl_timeout's scaling and minimum duration of 1 second; and attempt to collect already-received DNS responses when the timeout is reached; improve related debugging output. Thanks to Mark Martinec - - bugs 5412, 5478, 5522: Fix problems using the spamc -x option with certain other options; 'spamc -x -R' always returned 0, instead of the exit code, on error. Bug 5478: in addition, 'spamc -x -e /command' would still run the command, even if errors meant that the filtered text would be unavailable, which contradicted -x. - - bug 5445: body eval tests defined in user_rules cause ugly 'Subroutine _eval_tests_type11_prineg400_set3 redefined' warnings - - bug 5355: add in new entries for RegistrarBoundaries - - bug 5515: libsslspamc.so & libsslspamc.so can not build without -fPIC, but we were picking up the wrong CFLAGS to do this. - - bug 5501: zero score for FH_HAS_XID - - bug 5449: allow_user_rules causes sa-compile / Rule2XSBody plugin to emit spurious warnings; fix. 
also, add a new 'user_conf_parsing_end' plugin hook, which is called after the per-user configuration is parsed - - bug 5182: update the sa-learn doc to mention that -u is only usable w/ sql - - bug 5534: fix harmless-but-ugly C compiler warning in sa-compile -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGp0/GXzs+uwryHW0RAhrBAKDF8jXakhwQ/nGmNJ8aBLBouUAviQCdHbiu CDGf6raf6kiC8W4AzI1SQ2s= =qtRg -----END PGP SIGNATURE----- -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From bbecken at aafp.org Wed Jul 25 14:46:32 2007 
From: bbecken at aafp.org (Brad Beckenhauer) Date: Wed Jul 25 14:46:50 2007 Subject: install-Clam-0.91.1-SA-3.2.1.tar.gz configure error In-Reply-To: <223f97700707250053r5c7a032er1169fab581dc23a@mail.gmail.com> References: <46A659AD02000068000D5717@MTA.AAFP.ORG> <223f97700707250053r5c7a032er1169fab581dc23a@mail.gmail.com> Message-ID: <46A70DDD.D87E.0068.3@aafp.org> >>> On 7/25/2007 at 2:53 AM, in message <223f97700707250053r5c7a032er1169fab581dc23a@mail.gmail.com>, "Glenn Steen" wrote: > On 25/07/07, Brad Beckenhauer wrote: >> Exactly, >> I think you missed that I made note of just that in the original >> message. >> >> Julian is very good at identifying package dependancies, so I included >> the install log so Julian can review it and decide if he wants to >> include zlib/zlib-devel in his handy Clam-SA installer. >> >> thanks >> Brad >> > Brad, I'm pretty certain he will not. As is, such dependencies are for > you to fix, not him... And it isn't "Julian" finding this > discrepancy... it is clamav. Jules doesn't do anything with the stock > clamav source package. If you look at Jules' package, it only contain > clamav itself and ... perl packages ... Hi Glenn, I'm perfectly fine with the Clam-SA installer not installing the zlib, my only intent was to point out that the installer failed and I thought I would post my observations to the MailScanner community. My original email only posted my observations and the findings, it wasn't asking for help. > > Same thing, almost, if you look at the MailScanner package... Sure, > you have some other things too, like tnef, but no libs in sight. This > is sane, since those libs would be installed by other measures... It > would be a nasty thing to handle, not to mention that the clamav > package handles it nicely... Don't hold your reath waiting for zlib > and zlib-devel to be included;-). > > Then again, perhaps Jules installer should detect errors like that and > pause afterwards, demanding some interaction ... 
Perhaps something one > could turn on/off with an option? > That might even be marginally useful:-):-) > I would like to be able to pass a "yes" option to the Clam-SA installer so the installer can be automated. > (snip) From root at doctor.nl2k.ab.ca Wed Jul 25 14:50:05 2007 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Wed Jul 25 14:51:33 2007 Subject: [jm@apache.org: ANNOUNCE: Apache SpamAssassin 3.2.2 available] Message-ID: <20070725135004.GA17929@doctor.nl2k.ab.ca> New Spamassassin, we think! ----- Forwarded message from Justin Mason ----- Resent-From: doctor@doctor.nl2k.ab.ca Resent-Date: Wed, 25 Jul 2007 07:46:30 -0600 Resent-Message-ID: <20070725134630.GB17144@doctor.nl2k.ab.ca> Resent-To: "Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem" X-Spam-Filter: check_local@doctor.nl2k.ab.ca by digitalanswers.org Mailing-List: contact users-help@spamassassin.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list users@spamassassin.apache.org X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org 
From: Justin Mason To: users@spamassassin.apache.org, dev@spamassassin.apache.org, announce@spamassassin.apache.org Subject: ANNOUNCE: Apache SpamAssassin 3.2.2 available Date: Wed, 25 Jul 2007 14:10:25 +0100 X-Virus-Checked: Checked by ClamAV on apache.org X-Null-Tag: ebcb0045ccab7050ddeb41051487a3be X-Null-Tag: 9671ba967781e1e5883891871019b18d X-NetKnow-InComing-4.62.2-3-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No X-NetKnow-InComing-4.62.2-3-MailScanner-Information: Please contact the ISP for more information X-NetKnow-InComing-4.62.2-3-MailScanner-From: doctor@doctor.nl2k.ab.ca Apache SpamAssassin 3.2.2 is now available! This is a maintenance release of the 3.2.x branch. Downloads are available from: http://spamassassin.apache.org/downloads.cgi The release file will also be available via CPAN in the near future. md5sum of archive files: 7423a1bca96b932d321882fc6092080b Mail-SpamAssassin-3.2.2.tar.bz2 87b2a8852f125060f781922c3663525f Mail-SpamAssassin-3.2.2.tar.gz 8dd32339bf82591b50c9eb307745c8fa Mail-SpamAssassin-3.2.2.zip sha1sum of archive files: 6dfaa36eb8e500f9315cf2461fbd3229ae92a2c7 Mail-SpamAssassin-3.2.2.tar.bz2 e8ea034fa4f695607af0e596c86c5daf82f234e0 Mail-SpamAssassin-3.2.2.tar.gz e9a9723bb1cbadaded2340ef0aa86a0329f03783 Mail-SpamAssassin-3.2.2.zip The release files also have a .asc accompanying them. The file serves as an external GPG signature for the given release file. The signing key is available via the wwwkeys.pgp.net key server, as well as http://spamassassin.apache.org/released/GPG-SIGNING-KEY The key information is: pub 1024D/265FA05B 2003-06-09 SpamAssassin Signing Key Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24 F6D7 DEE0 1987 265F A05B 3.2.2 is a minor bug-fix release. Summary of changes: - bug 5548: Certain mail input can take a long time to scan with 100% CPU utilisation, due to backtracking in a rule's regexp. 
fix - bugs 5510, 5518, 5529: fix 'make test' when running as root, needed for CPAN - bug 5419: kill -HUP of pidof spamd causes the ps name to change from spamd to perl. fixed - bug 5535: 'make test' errors in Windows caused by nonportable use of getpwuid - bug 5462: multiple DNS records for a host name should allow use of spamd -H for load balancing installs to work - bugs 5509, 5511: fix network lookup timeouts, where lookups were being lost once a timeout was hit; also fix code to match documentation on rbl_timeout's scaling and minimum duration of 1 second; and attempt to collect already-received DNS responses when the timeout is reached; improve related debugging output. Thanks to Mark Martinec - bugs 5412, 5478, 5522: Fix problems using the spamc -x option with certain other options; 'spamc -x -R' always returned 0, instead of the exit code, on error. Bug 5478: in addition, 'spamc -x -e /command' would still run the command, even if errors meant that the filtered text would be unavailable, which contradicted -x. - bug 5445: body eval tests defined in user_rules cause ugly 'Subroutine _eval_tests_type11_prineg400_set3 redefined' warnings - bug 5355: add in new entries for RegistrarBoundaries - bug 5515: libsslspamc.so & libsslspamc.so can not build without -fPIC, but we were picking up the wrong CFLAGS to do this. - bug 5501: zero score for FH_HAS_XID - bug 5449: allow_user_rules causes sa-compile / Rule2XSBody plugin to emit spurious warnings; fix. also, add a new 'user_conf_parsing_end' plugin hook, which is called after the per-user configuration is parsed - bug 5182: update the sa-learn doc to mention that -u is only usable w/ sql - bug 5534: fix harmless-but-ugly C compiler warning in sa-compile -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ----- End forwarded message ----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
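Added example (not part of any list message or of the SpamAssassin project's code): the announcement forwarded above lists md5sum and sha1sum values for each release archive, and this sketch parses them out of the mail text, including the whitespace-flattened and `>`-quoted copies seen in this archive, and checks a downloaded file against every digest listed for it. The function names are assumptions of this example; the digests only detect corruption or a mismatched mirror copy, while authenticity still rests on the `.asc` GPG signature the announcement describes.

```python
#!/usr/bin/env python3
"""Check a downloaded release archive against digests quoted in an announcement mail."""
import hashlib
import hmac
import os
import re
import sys

# Digest lines copied from the 3.2.2 announcement as it appears in this archive
# (line breaks already flattened to spaces by the archiver).
ANNOUNCEMENT = (
    "md5sum of archive files: "
    "7423a1bca96b932d321882fc6092080b Mail-SpamAssassin-3.2.2.tar.bz2 "
    "87b2a8852f125060f781922c3663525f Mail-SpamAssassin-3.2.2.tar.gz "
    "8dd32339bf82591b50c9eb307745c8fa Mail-SpamAssassin-3.2.2.zip "
    "sha1sum of archive files: "
    "6dfaa36eb8e500f9315cf2461fbd3229ae92a2c7 Mail-SpamAssassin-3.2.2.tar.bz2 "
    "e8ea034fa4f695607af0e596c86c5daf82f234e0 Mail-SpamAssassin-3.2.2.tar.gz "
    "e9a9723bb1cbadaded2340ef0aa86a0329f03783 Mail-SpamAssassin-3.2.2.zip"
)

# A digest counts only when it is followed by an archive file name. Mail headers
# such as "X-Null-Tag: <32 hex chars>" also carry hex strings and must be ignored.
DIGEST_RE = re.compile(
    r"\b([0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b\s+"
    r"(\S+\.(?:tar\.gz|tar\.bz2|zip))(?=\s|$)"
)
ALGO_BY_LENGTH = {32: "md5", 40: "sha1"}


def parse_digests(text):
    """Return {filename: {algorithm: hexdigest}} for every digest/name pair in text.

    Quoted copies of the same announcement repeat the same pairs; that is fine.
    Two different values for the same file and algorithm raise ValueError.
    """
    table = {}
    for hexval, name in DIGEST_RE.findall(text):
        algo = ALGO_BY_LENGTH[len(hexval)]
        hexval = hexval.lower()
        entry = table.setdefault(name, {})
        if entry.get(algo, hexval) != hexval:
            raise ValueError(f"conflicting {algo} values listed for {name}")
        entry[algo] = hexval
    return table


def file_digests(path, algorithms):
    """Hash the file once, feeding each chunk to every requested algorithm."""
    hashers = {algo: hashlib.new(algo) for algo in algorithms}
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {algo: hasher.hexdigest() for algo, hasher in hashers.items()}


def verify(path, name, text):
    """Return (ok, problems). Every digest listed for `name` has to match."""
    expected = parse_digests(text).get(name)
    if not expected:
        return False, [f"no digest listed for {name}"]
    actual = file_digests(path, expected)
    problems = [
        f"{algo} mismatch"
        for algo in sorted(expected)
        if not hmac.compare_digest(actual[algo], expected[algo])
    ]
    return not problems, problems


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_release.py <downloaded-archive>")
    archive = sys.argv[1]
    ok, problems = verify(archive, os.path.basename(archive), ANNOUNCEMENT)
    print("OK" if ok else "FAILED: " + "; ".join(problems))
    sys.exit(0 if ok else 1)
```
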
From glenn.steen at gmail.com Wed Jul 25 15:13:27 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jul 25 15:13:30 2007 Subject: install-Clam-0.91.1-SA-3.2.1.tar.gz configure error In-Reply-To: <46A70DDD.D87E.0068.3@aafp.org> References: <46A659AD02000068000D5717@MTA.AAFP.ORG> <223f97700707250053r5c7a032er1169fab581dc23a@mail.gmail.com> <46A70DDD.D87E.0068.3@aafp.org> Message-ID: <223f97700707250713t76f4d4b7yc5759be0c8a62d8e@mail.gmail.com> On 25/07/07, Brad Beckenhauer wrote: > >>> On 7/25/2007 at 2:53 AM, in message > <223f97700707250053r5c7a032er1169fab581dc23a@mail.gmail.com>, "Glenn > Steen" > wrote: > > On 25/07/07, Brad Beckenhauer wrote: > >> Exactly, > >> I think you missed that I made note of just that in the original > >> message. > >> > >> Julian is very good at identifying package dependancies, so I > included > >> the install log so Julian can review it and decide if he wants to > >> include zlib/zlib-devel in his handy Clam-SA installer. > >> > >> thanks > >> Brad > >> > > Brad, I'm pretty certain he will not. As is, such dependencies are > for > > you to fix, not him... And it isn't "Julian" finding this > > discrepancy... it is clamav. Jules doesn't do anything with the > stock > > clamav source package. If you look at Jules' package, it only > contain > > clamav itself and ... perl packages ... > > Hi Glenn, > I'm perfectly fine with the Clam-SA installer not installing the zlib, > my only intent was to point out that the installer failed and I thought > I would post my observations to the MailScanner community. My original > email only posted my observations and the findings, it wasn't asking for > help. Sorry, I must have extrapolated a bit then:-). Zlib (and zlib-devel) have been a problem for a longish time... This is an easy fix, so... Perhaps we thought there was more to your mail than there really was, especially your comment about "Jules deciding what to do"...:) > > Same thing, almost, if you look at the MailScanner package... 
Sure, > > you have some other things too, like tnef, but no libs in sight. > This > > is sane, since those libs would be installed by other measures... It > > would be a nasty thing to handle, not to mention that the clamav > > package handles it nicely... Don't hold your reath waiting for zlib > > and zlib-devel to be included;-). > > > > Then again, perhaps Jules installer should detect errors like that > and > > pause afterwards, demanding some interaction ... Perhaps something > one > > could turn on/off with an option? > > That might even be marginally useful:-):-) > > > I would like to be able to pass a "yes" option to the Clam-SA installer > so the installer can be automated. > yes | ./install.sh But yes, something like that... or like the tar option, whether to bork out on errors or not... Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Wed Jul 25 15:20:00 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jul 25 15:16:14 2007 Subject: [Fwd: ANNOUNCE: Apache SpamAssassin 3.2.2 available] In-Reply-To: <46A74FC7.9090604@coders.co.uk> References: <46A74FC7.9090604@coders.co.uk> Message-ID: <46A75C10.9050007@ecs.soton.ac.uk> A new updated version of my ClamAV+SpamAssassin package is available from download from www.mailscanner.info Come and get it... :-) Jules. Matt Hampton wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Apache SpamAssassin 3.2.2 is now available! This is a maintenance > release of the 3.2.x branch. > > Downloads are available from: > http://spamassassin.apache.org/downloads.cgi > > The release file will also be available via CPAN in the near future. > > md5sum of archive files: > 7423a1bca96b932d321882fc6092080b Mail-SpamAssassin-3.2.2.tar.bz2 > 87b2a8852f125060f781922c3663525f Mail-SpamAssassin-3.2.2.tar.gz > 8dd32339bf82591b50c9eb307745c8fa Mail-SpamAssassin-3.2.2.zip > > sha1sum of archive files: > 6dfaa36eb8e500f9315cf2461fbd3229ae92a2c7 Mail-SpamAssassin-3.2.2.tar.bz2 > e8ea034fa4f695607af0e596c86c5daf82f234e0 Mail-SpamAssassin-3.2.2.tar.gz > e9a9723bb1cbadaded2340ef0aa86a0329f03783 Mail-SpamAssassin-3.2.2.zip > > The release files also have a .asc accompanying them. The file serves > as an external GPG signature for the given release file. The signing > key is available via the wwwkeys.pgp.net key server, as well as > http://spamassassin.apache.org/released/GPG-SIGNING-KEY > > The key information is: > > pub 1024D/265FA05B 2003-06-09 SpamAssassin Signing Key > > Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24 F6D7 DEE0 1987 265F A05B > > > 3.2.2 is a minor bug-fix release. Summary of changes: > > - - bug 5548: Certain mail input can take a long time to scan with 100% CPU > utilisation, due to backtracking in a rule's regexp. 
fix > > - - bugs 5510, 5518, 5529: fix 'make test' when running as root, needed > for CPAN > > - - bug 5419: kill -HUP of pidof spamd causes the ps name to change from > spamd > to perl. fixed > > - - bug 5535: 'make test' errors in Windows caused by nonportable use of > getpwuid > > - - bug 5462: multiple DNS records for a host name should allow use of > spamd -H > for load balancing installs to work > > - - bugs 5509, 5511: fix network lookup timeouts, where lookups were being > lost > once a timeout was hit; also fix code to match documentation on > rbl_timeout's scaling and minimum duration of 1 second; and attempt to > collect already-received DNS responses when the timeout is reached; > improve > related debugging output. Thanks to Mark Martinec > > - - bugs 5412, 5478, 5522: Fix problems using the spamc -x option with > certain > other options; 'spamc -x -R' always returned 0, instead of the exit > code, on > error. Bug 5478: in addition, 'spamc -x -e /command' would still run the > command, even if errors meant that the filtered text would be unavailable, > which contradicted -x. > > - - bug 5445: body eval tests defined in user_rules cause ugly 'Subroutine > _eval_tests_type11_prineg400_set3 redefined' warnings > > - - bug 5355: add in new entries for RegistrarBoundaries > > - - bug 5515: libsslspamc.so & libsslspamc.so can not build without > -fPIC, but > we were picking up the wrong CFLAGS to do this. > > - - bug 5501: zero score for FH_HAS_XID > > - - bug 5449: allow_user_rules causes sa-compile / Rule2XSBody plugin to > emit > spurious warnings; fix. 
also, add a new 'user_conf_parsing_end' plugin > hook, which is called after the per-user configuration is parsed > > - - bug 5182: update the sa-learn doc to mention that -u is only usable > w/ sql > > - - bug 5534: fix harmless-but-ugly C compiler warning in sa-compile > > > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.7 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFGp0/GXzs+uwryHW0RAhrBAKDF8jXakhwQ/nGmNJ8aBLBouUAviQCdHbiu > CDGf6raf6kiC8W4AzI1SQ2s= > =qtRg > -----END PGP SIGNATURE----- > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From maillists at conactive.com Wed Jul 25 15:44:07 2007 
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Jul 25 15:44:09 2007
Subject: BarricadeMX experiences
In-Reply-To: <46A67DAF.60301@mail.wvnet.edu>
References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> <46A67DAF.60301@mail.wvnet.edu>
Message-ID:

Richard Lynch wrote on Tue, 24 Jul 2007 18:31:11 -0400:

> I gave before and after statistics. It was the same hardware and with
> our volume the input is pretty much the same each day. The results
> speak for themselves. What were overloaded servers with huge delays now
> run fine.

But you didn't seem to use any additional tools or measures at MTA level, did you? I'm not saying that BarricadeMX is not good or maybe even exceptionally good, but I'm sure that if you use a well-balanced set of milters, have greylisting, use a well balanced set of RBLs and access.db and then compare with *that* the comparison will be much different. BarricadeMX may still be better, but surely not as much as to what you compared. You cannot compare a BarricadeMX system with a more or less unprotected system. For instance, only about 10 - 15% of our incoming mail is spam because most of the spam is already rejected at MTA level, without BarricadeMX. And viruses almost never make it on the systems, either, because they are rejected on MTA level. May not be as good as BarricadeMX, but good enough, especially for resource usage.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From bbecken at aafp.org Wed Jul 25 15:44:48 2007
From: bbecken at aafp.org (Brad Beckenhauer) Date: Wed Jul 25 15:45:08 2007 Subject: install-Clam-0.91.1-SA-3.2.1.tar.gz configure error In-Reply-To: <223f97700707250713t76f4d4b7yc5759be0c8a62d8e@mail.gmail.com> References: <46A659AD02000068000D5717@MTA.AAFP.ORG> <223f97700707250053r5c7a032er1169fab581dc23a@mail.gmail.com> <46A70DDD.D87E.0068.3@aafp.org> <223f97700707250713t76f4d4b7yc5759be0c8a62d8e@mail.gmail.com> Message-ID: <46A71B85.D87E.0068.3@aafp.org> >>> On 7/25/2007 at 9:13 AM, in message <223f97700707250713t76f4d4b7yc5759be0c8a62d8e@mail.gmail.com>, "Glenn Steen" wrote: > On 25/07/07, Brad Beckenhauer wrote: >> >>> On 7/25/2007 at 2:53 AM, in message >> <223f97700707250053r5c7a032er1169fab581dc23a@mail.gmail.com>, "Glenn >> Steen" >> wrote: >> > On 25/07/07, Brad Beckenhauer wrote: >> >> Exactly, >> >> I think you missed that I made note of just that in the original >> >> message. >> >> >> >> Julian is very good at identifying package dependancies, so I >> included >> >> the install log so Julian can review it and decide if he wants to >> >> include zlib/zlib-devel in his handy Clam-SA installer. >> >> >> >> thanks >> >> Brad >> >> >> > Brad, I'm pretty certain he will not. As is, such dependencies are >> for >> > you to fix, not him... And it isn't "Julian" finding this >> > discrepancy... it is clamav. Jules doesn't do anything with the >> stock >> > clamav source package. If you look at Jules' package, it only >> contain >> > clamav itself and ... perl packages ... >> >> Hi Glenn, >> I'm perfectly fine with the Clam-SA installer not installing the zlib, >> my only intent was to point out that the installer failed and I thought >> I would post my observations to the MailScanner community. My original >> email only posted my observations and the findings, it wasn't asking for >> help. > > Sorry, I must have extrapolated a bit then:-). > Zlib (and zlib-devel) have been a problem for a longish time... This > is an easy fix, so... 
Perhaps we thought there was more to your mail > than there really was, especially your comment about "Jules deciding > what to do"...:) No harm done... My comment about Julian deciding it is that 1) since he supports many O/S flavors (to his credit), I may have tried an install combination previously not considered and posted the results for his review/consideration/decision. I really wasn't thinking about the impact on other O/S's, but perhaps a check/notify/bail for the zlib package would be an good option. > >> > Same thing, almost, if you look at the MailScanner package... Sure, >> > you have some other things too, like tnef, but no libs in sight. >> This >> > is sane, since those libs would be installed by other measures... It >> > would be a nasty thing to handle, not to mention that the clamav >> > package handles it nicely... Don't hold your reath waiting for zlib >> > and zlib-devel to be included;-). >> > >> > Then again, perhaps Jules installer should detect errors like that >> and >> > pause afterwards, demanding some interaction ... Perhaps something >> one >> > could turn on/off with an option? >> > That might even be marginally useful:-):-) >> > >> I would like to be able to pass a "yes" option to the Clam-SA installer >> so the installer can be automated. >> > > yes | ./install.sh > clever :-) > But yes, something like that... or like the tar option, whether to > bork out on errors or not... > I was thinking something like the MailScanner install script for the Clam-SA script ie... install.sh --noprompt > Cheers From rcooper at dwford.com Wed Jul 25 15:52:45 2007 
From: rcooper at dwford.com (Rick Cooper)
Date: Wed Jul 25 15:52:52 2007
Subject: [Fwd: ANNOUNCE: Apache SpamAssassin 3.2.2 available]
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA03CEF3@HC-MBX02.herefordshire.gov.uk>
References: <46A74FC7.9090604@coders.co.uk> <7EF0EE5CB3B263488C8C18823239BEBA03CEF3@HC-MBX02.herefordshire.gov.uk>
Message-ID: <051501c7cecb$76104850$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Randal, Phil
> Sent: Wednesday, July 25, 2007 9:31 AM
> To: MailScanner discussion
> Subject: RE: [Fwd: ANNOUNCE: Apache SpamAssassin 3.2.2 available]
>
> If you can find a mirror carrying it you're cleverer than I am.
>
> As sod's law has it, I've just gone live with two new
> MailScanner boxes
> today.
>
[...]

http://apache.mirror.iphh.net/spamassassin/Mail-SpamAssassin-3.2.2.tar.gz

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From minduni at ti-edu.ch Wed Jul 25 15:54:07 2007
From: minduni at ti-edu.ch (Marco Induni) Date: Wed Jul 25 15:54:08 2007 Subject: Filename rule question In-Reply-To: <223f97700707091232q691a2277i75715cfe09c3be94@mail.gmail.com> References: <468A6663.8010907@ti-edu.ch> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> <468CACEF.30202@ti-edu.ch> <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> <468CDC23.7000500@ti-edu.ch> <223f97700707051316y462cffd5ka6ce8064d614350f@mail.gmail.com> <468E09B6.10605@ti-edu.ch> <223f97700707060540n7c7b022eye5700536d480541c@mail.gmail.com> <4691EC0A.3040209@ti-edu.ch> <223f97700707091232q691a2277i75715cfe09c3be94@mail.gmail.com> Message-ID: <46A7640F.9020803@ti-edu.ch> Hi Glenn I'm back, hope you enjoyed your vacation > Good. . . I'm on vacation too;). > > On 09/07/07, Marco Induni wrote: >> Glenn Steen wrote: >> > On 06/07/07, Marco Induni wrote: >> >> Glenn Steen wrote: >> > (snip) >> >> >> >> >> >> >> >> > To my tired eyes that doesn't look that bad... More's the pity... >> >> Hope now you eyes are better >> > :-) >> > >> >> > Seems you don't install SA and Clamav by way of Jules easy >> package (or >> >> > else a lot more of the optional modules would be there)... Hm... One >> >> > could start installing those, of course, but I don't see them having >> >> > an effect. >> >> In fact, we use uvscan(mcafee) and sometime clamav AV, but they are >> >> installed apart (SA via CPAN / clamav make /make install) >> > Ok. I don't think you need remove/reinstall with Jules package... It >> > does more or less those, and then adds a lot of perl modules to make >> > Mail::ClamAV happy. Would be passing strange if that had any impact on >> > this problem. >> > >> >> > You did say that restoring the default filename/filetype >> >> > rules files and reloading/restarting MailScanner didn't have any >> >> > effect either? Most strange. >> >> Yes, it is so. >> > >> > This make me think there is something seriously wrong here... 
And >> > perhaps not _directly_ related to the rule file used... Unless of >> > course the files aren't readable or something strange like that... >> > Nah, probably not. >> > >> >> > How did you install the MIME::* packages? Via jules installer or via >> >> > distro or CPAN? >> >> Via jules. I've installed the new version a couple of days ago. >> >> >> > You could try reinstall them (force them from CPAN or something), just >> > to see that they build/install OK... I've extracted all the MIME from the Jules rpm and then installed manually (perl Makefile.pl / make / make install) this is the output of all the steps [root MIME-tools-5.420]# perl Makefile.PL Checking for module File::Path (version 1)... ok. Checking for module File::Spec (version 0.6)... ok. Checking for module IO::Stringy (version 1.211)... ok. Checking for module MIME::Base64 (version 3.03)... ok. Checking for module Mail::Field (version 1.05)... ok. Checking for module Mail::Header (version 1.01)... ok. Checking for module Mail::Internet (version 1.0203)... ok. Checking if your kit is complete... 
Looks good Writing Makefile for MIME-tools [root MIME-tools-5.420]# make cp lib/MIME/Decoder/Gzip64.pm blib/lib/MIME/Decoder/Gzip64.pm cp lib/MIME/Body.pm blib/lib/MIME/Body.pm cp lib/MIME/Field/ContDisp.pm blib/lib/MIME/Field/ContDisp.pm cp lib/MIME/Field/ContType.pm blib/lib/MIME/Field/ContType.pm cp lib/MIME/Decoder/NBit.pm blib/lib/MIME/Decoder/NBit.pm cp lib/MIME/Parser/Results.pm blib/lib/MIME/Parser/Results.pm cp lib/MIME/Words.pm blib/lib/MIME/Words.pm cp lib/MIME/Entity.pm blib/lib/MIME/Entity.pm cp lib/MIME/Parser/Filer.pm blib/lib/MIME/Parser/Filer.pm cp lib/MIME/Head.pm blib/lib/MIME/Head.pm cp lib/MIME/Field/ParamVal.pm blib/lib/MIME/Field/ParamVal.pm cp lib/MIME/Decoder/BinHex.pm blib/lib/MIME/Decoder/BinHex.pm cp lib/MIME/Tools.pm blib/lib/MIME/Tools.pm cp lib/MIME/Field/ConTraEnc.pm blib/lib/MIME/Field/ConTraEnc.pm cp lib/MIME/Decoder/Binary.pm blib/lib/MIME/Decoder/Binary.pm cp lib/MIME/Decoder.pm blib/lib/MIME/Decoder.pm cp lib/MIME/Decoder/UU.pm blib/lib/MIME/Decoder/UU.pm cp lib/MIME/Decoder/Base64.pm blib/lib/MIME/Decoder/Base64.pm cp lib/MIME/Decoder/QuotedPrint.pm blib/lib/MIME/Decoder/QuotedPrint.pm cp lib/MIME/WordDecoder.pm blib/lib/MIME/WordDecoder.pm cp lib/MIME/Parser.pm blib/lib/MIME/Parser.pm cp lib/MIME/Parser/Reader.pm blib/lib/MIME/Parser/Reader.pm Manifying blib/man3/MIME::Body.3pm Manifying blib/man3/MIME::Decoder::Gzip64.3pm Manifying blib/man3/MIME::Field::ContDisp.3pm Manifying blib/man3/MIME::Parser::Results.3pm Manifying blib/man3/MIME::Field::ContType.3pm Manifying blib/man3/MIME::Decoder::NBit.3pm Manifying blib/man3/MIME::Entity.3pm Manifying blib/man3/MIME::Head.3pm Manifying blib/man3/MIME::Parser::Filer.3pm Manifying blib/man3/MIME::Words.3pm Manifying blib/man3/MIME::Field::ParamVal.3pm Manifying blib/man3/MIME::Decoder::BinHex.3pm Manifying blib/man3/MIME::Tools.3pm Manifying blib/man3/MIME::Field::ConTraEnc.3pm Manifying blib/man3/MIME::Decoder::Binary.3pm Manifying blib/man3/MIME::Decoder.3pm Manifying 
blib/man3/MIME::Decoder::UU.3pm Manifying blib/man3/MIME::Decoder::QuotedPrint.3pm Manifying blib/man3/MIME::Decoder::Base64.3pm Manifying blib/man3/MIME::WordDecoder.3pm Manifying blib/man3/MIME::Parser::Reader.3pm Manifying blib/man3/MIME::Parser.3pm [root MIME-tools-5.420]# make test PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t t/Body..............ok t/Decoder...........ok t/Entity............ok t/Gauntlet..........ok t/Head..............ok t/Misc..............ok t/Parser............ok t/ParserEncoded.....ok t/ParserPreamble....ok t/Ref...............ok t/WordDecoder.......ok t/Words.............ok All tests successful. Files=12, Tests=239, 4 wallclock secs ( 2.85 cusr + 0.24 csys = 3.09 CPU) [root MIME-tools-5.420]# make install Writing /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MIME-tools/.packlist Appending installation info to /usr/lib/perl5/5.8.0/i386-linux-thread-multi/perllocal.pod Also, I've tried to block the attachment with the Deny Filenames = default.asp directly on the Mailscanner.conf, but I received the mail with the attachment Cheers Marco >> > Apart from this, you don't see any strange log entries in the normal >> > syslog? We really need to get a handle on what is going bonkers here. >> > Cheers >> Glenn, >> I'm on vacation. I will do it all the test starting from 24 of july. >> So I will not bother you for 2 weeks ;-) >> >> Cheers >> Marco >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > -- Marco Induni Universita` della Svizzera italiana Servizi informatici / TI-EDU Galleria 2 CH-6928 Manno (Switzerland) E-mail: minduni@ti-edu.ch Tel: +41 58 666 6656 Fax: +41 58 666 6650 From root at doctor.nl2k.ab.ca Wed Jul 25 15:54:49 2007 
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Wed Jul 25 15:56:06 2007 Subject: [francois.rousseau.tech@gmail.com: Re: ANNOUNCE: Apache SpamAssassin 3.2.2 available] Message-ID: <20070725145448.GA11903@doctor.nl2k.ab.ca> In case there are problems ... ----- Forwarded message from François Rousseau ----- Resent-From: doctor@doctor.nl2k.ab.ca Resent-Date: Wed, 25 Jul 2007 08:27:12 -0600 Resent-Message-ID: <20070725142712.GA16360@doctor.nl2k.ab.ca> Resent-To: "Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem" , mailscanner@lists.mailscanner.info X-Spam-Filter: check_local@doctor.nl2k.ab.ca by digitalanswers.org Mailing-List: contact users-help@spamassassin.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list users@spamassassin.apache.org X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Date: Wed, 25 Jul 2007 10:14:07 -0400 
From: François Rousseau To: users@spamassassin.apache.org Subject: Re: ANNOUNCE: Apache SpamAssassin 3.2.2 available In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA03CEF2@HC-MBX02.herefordshire.gov.uk> X-Virus-Checked: Checked by ClamAV on apache.org X-Null-Tag: a26aef5e4a33effb2e5583f562e3320a X-Null-Tag: 5b4a12e5cabed36dd85f34f4aab90e89 X-NetKnow-InComing-4.62.2-3-MailScanner: Found to be clean, Found to be clean X-Spam-Status: No, No X-NetKnow-InComing-4.62.2-3-MailScanner-Information: Please contact the ISP for more information X-NetKnow-InComing-4.62.2-3-MailScanner-From: doctor@doctor.nl2k.ab.ca try http://www.apache.org/dist/spamassassin/source/Mail-SpamAssassin-3.2.2.tar.gz 2007/7/25, Randal, Phil : >Hmmm, > >Can't find a mirror carrying it, not even apache.org! > >Phil > >-----Original Message----- 
>From: jm@jmason.org [mailto:jm@jmason.org] On Behalf Of Justin Mason >Sent: 25 July 2007 14:10 >To: users@spamassassin.apache.org; dev@spamassassin.apache.org; >announce@spamassassin.apache.org >Subject: ANNOUNCE: Apache SpamAssassin 3.2.2 available > >Apache SpamAssassin 3.2.2 is now available! This is a maintenance >release of the 3.2.x branch. > >Downloads are available from: > http://spamassassin.apache.org/downloads.cgi > >The release file will also be available via CPAN in the near future. > > md5sum of archive files: > 7423a1bca96b932d321882fc6092080b Mail-SpamAssassin-3.2.2.tar.bz2 > 87b2a8852f125060f781922c3663525f Mail-SpamAssassin-3.2.2.tar.gz > 8dd32339bf82591b50c9eb307745c8fa Mail-SpamAssassin-3.2.2.zip > > sha1sum of archive files: > 6dfaa36eb8e500f9315cf2461fbd3229ae92a2c7 >Mail-SpamAssassin-3.2.2.tar.bz2 > e8ea034fa4f695607af0e596c86c5daf82f234e0 >Mail-SpamAssassin-3.2.2.tar.gz > e9a9723bb1cbadaded2340ef0aa86a0329f03783 Mail-SpamAssassin-3.2.2.zip > >The release files also have a .asc accompanying them. The file serves >as an external GPG signature for the given release file. The signing >key is available via the wwwkeys.pgp.net key server, as well as >http://spamassassin.apache.org/released/GPG-SIGNING-KEY > >The key information is: > >pub 1024D/265FA05B 2003-06-09 SpamAssassin Signing Key > > Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24 F6D7 DEE0 1987 265F A05B > > >3.2.2 is a minor bug-fix release. Summary of changes: > >- bug 5548: Certain mail input can take a long time to scan with 100% >CPU > utilisation, due to backtracking in a rule's regexp. fix > >- bugs 5510, 5518, 5529: fix 'make test' when running as root, needed >for CPAN > >- bug 5419: kill -HUP of pidof spamd causes the ps name to change from >spamd > to perl. 
fixed > >- bug 5535: 'make test' errors in Windows caused by nonportable use of > getpwuid > >- bug 5462: multiple DNS records for a host name should allow use of >spamd -H > for load balancing installs to work > >- bugs 5509, 5511: fix network lookup timeouts, where lookups were being >lost > once a timeout was hit; also fix code to match documentation on > rbl_timeout's scaling and minimum duration of 1 second; and attempt to > collect already-received DNS responses when the timeout is reached; >improve > related debugging output. Thanks to Mark Martinec > >- bugs 5412, 5478, 5522: Fix problems using the spamc -x option with >certain > other options; 'spamc -x -R' always returned 0, instead of the exit >code, on > error. Bug 5478: in addition, 'spamc -x -e /command' would still run >the > command, even if errors meant that the filtered text would be >unavailable, > which contradicted -x. > >- bug 5445: body eval tests defined in user_rules cause ugly 'Subroutine > _eval_tests_type11_prineg400_set3 redefined' warnings > >- bug 5355: add in new entries for RegistrarBoundaries > >- bug 5515: libsslspamc.so & libsslspamc.so can not build without -fPIC, >but > we were picking up the wrong CFLAGS to do this. > >- bug 5501: zero score for FH_HAS_XID > >- bug 5449: allow_user_rules causes sa-compile / Rule2XSBody plugin to >emit > spurious warnings; fix. also, add a new 'user_conf_parsing_end' >plugin > hook, which is called after the per-user configuration is parsed > >- bug 5182: update the sa-learn doc to mention that -u is only usable w/ >sql > >- bug 5534: fix harmless-but-ugly C compiler warning in sa-compile > > > -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ----- End forwarded message ----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Wed Jul 25 16:00:24 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Jul 25 16:03:39 2007 Subject: install-Clam-0.91.1-SA-3.2.1.tar.gz configure error In-Reply-To: <46A71B85.D87E.0068.3@aafp.org> References: <46A659AD02000068000D5717@MTA.AAFP.ORG> <223f97700707250053r5c7a032er1169fab581dc23a@mail.gmail.com> <46A70DDD.D87E.0068.3@aafp.org> <223f97700707250713t76f4d4b7yc5759be0c8a62d8e@mail.gmail.com> <46A71B85.D87E.0068.3@aafp.org> Message-ID: <46A76588.6030305@ecs.soton.ac.uk> Just to settle this one. I'm not going to take into account any libraries you may or may not have installed that you may need to install ClamAV or SpamAssassin, with the exception of perl modules. There are loads of libraries it uses, most of which any random system will probably have installed. In your case, you are missing one, I am not going to make the install.sh check for the existence of every single one in an OS-independent way, just so that I can tell you what the ClamAV installation process told you anyway. My installers pause at various important points, to give you a chance to stop the output and read any errors it produced. I don't see that I can reasonably do much more, without making it very OS-specific, which I'm not doing. Sorry guys. Brad Beckenhauer wrote: >>>> On 7/25/2007 at 9:13 AM, in message >>>> > <223f97700707250713t76f4d4b7yc5759be0c8a62d8e@mail.gmail.com>, "Glenn > Steen" > wrote: > >> On 25/07/07, Brad Beckenhauer wrote: >> >>>>>> On 7/25/2007 at 2:53 AM, in message >>>>>> >>> <223f97700707250053r5c7a032er1169fab581dc23a@mail.gmail.com>, >>> > "Glenn > >>> Steen" >>> wrote: >>> >>>> On 25/07/07, Brad Beckenhauer wrote: >>>> >>>>> Exactly, >>>>> I think you missed that I made note of just that in the original >>>>> message. >>>>> >>>>> Julian is very good at identifying package dependancies, so I >>>>> >>> included >>> >>>>> the install log so Julian can review it and decide if he wants >>>>> > to > >>>>> include zlib/zlib-devel in his handy Clam-SA installer. 
>>>>> >>>>> thanks >>>>> Brad >>>>> >>>>> >>>> Brad, I'm pretty certain he will not. As is, such dependencies >>>> > are > >>> for >>> >>>> you to fix, not him... And it isn't "Julian" finding this >>>> discrepancy... it is clamav. Jules doesn't do anything with the >>>> >>> stock >>> >>>> clamav source package. If you look at Jules' package, it only >>>> >>> contain >>> >>>> clamav itself and ... perl packages ... >>>> >>> Hi Glenn, >>> I'm perfectly fine with the Clam-SA installer not installing the >>> > zlib, > >>> my only intent was to point out that the installer failed and I >>> > thought > >>> I would post my observations to the MailScanner community. My >>> > original > >>> email only posted my observations and the findings, it wasn't asking >>> > for > >>> help. >>> >> Sorry, I must have extrapolated a bit then:-). >> Zlib (and zlib-devel) have been a problem for a longish time... This >> is an easy fix, so... Perhaps we thought there was more to your mail >> than there really was, especially your comment about "Jules deciding >> what to do"...:) >> > > No harm done... > My comment about Julian deciding it is that 1) since he supports many > O/S flavors (to his credit), I may have tried an install combination > previously not considered and posted the results for his > review/consideration/decision. I really wasn't thinking about the > impact on other O/S's, but perhaps a check/notify/bail for the zlib > package would be an good option. > > >>>> Same thing, almost, if you look at the MailScanner package... >>>> > Sure, > >>>> you have some other things too, like tnef, but no libs in sight. >>>> >>> This >>> >>>> is sane, since those libs would be installed by other measures... >>>> > It > >>>> would be a nasty thing to handle, not to mention that the clamav >>>> package handles it nicely... Don't hold your reath waiting for >>>> > zlib > >>>> and zlib-devel to be included;-). 
>>>> >>>> Then again, perhaps Jules installer should detect errors like >>>> > that > >>> and >>> >>>> pause afterwards, demanding some interaction ... Perhaps >>>> > something > >>> one >>> >>>> could turn on/off with an option? >>>> That might even be marginally useful:-):-) >>>> >>>> >>> I would like to be able to pass a "yes" option to the Clam-SA >>> > installer > >>> so the installer can be automated. >>> >>> >> >> yes | ./install.sh >> >> > clever :-) > > >> But yes, something like that... or like the tar option, whether to >> bork out on errors or not... >> >> > I was thinking something like the MailScanner install script for the > Clam-SA script > ie... install.sh --noprompt > > >> Cheers >> Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From daniel.maher at ubisoft.com Wed Jul 25 16:04:24 2007 From: daniel.maher at ubisoft.com (Daniel Maher) Date: Wed Jul 25 16:04:32 2007 Subject: Announce: Join the Facebook MailScanner group In-Reply-To: <46A67054.6050100@hostalia.com> Message-ID: <1E293D3FF63A3740B10AD5AAD88535D2058DB7F4@UBIMAIL1.ubisoft.org> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Alvaro Mar?n > Sent: July 24, 2007 5:34 PM > To: MailScanner discussion > Subject: Re: Announce: Join the Facebook MailScanner group > > Hello, > > > And if you aren't on Facebook, why not? > > www.facebook.com > > Good question... I've just registered and joined it :-) > [theory="conspiracy"] http://www.google.ca/search?q=facebook+CIA [/theory] -- _ ?v? Daniel Maher /(_)\ Administrateur Syst?me Unix ^ ^ Unix System Administrator "The most incomprehensible thing about the world is that it is comprehensible." -- Albert Einstein. From martinh at solidstatelogic.com Wed Jul 25 16:10:31 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Jul 25 16:10:42 2007 Subject: Announce: Join the Facebook MailScanner group In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D2058DB7F4@UBIMAIL1.ubisoft.org> Message-ID: <1b22b957fe8e704caf640cd989acc087@solidstatelogic.com> Given lack of data protection legislation in the US I'm always wary about what services I give data to (including google). -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Daniel Maher > Sent: 25 July 2007 16:04 > To: MailScanner discussion > Subject: RE: Announce: Join the Facebook MailScanner group > > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Alvaro Mar?n > > Sent: July 24, 2007 5:34 PM > > To: MailScanner discussion > > Subject: Re: Announce: Join the Facebook MailScanner group > > > > Hello, > > > > > And if you aren't on Facebook, why not? > > > www.facebook.com > > > > Good question... I've just registered and joined it :-) > > > > [theory="conspiracy"] > > http://www.google.ca/search?q=facebook+CIA > > [/theory] > > > -- > _ > ?v? Daniel Maher > /(_)\ Administrateur Syst?me Unix > ^ ^ Unix System Administrator > > "The most incomprehensible thing about the world is that it is > comprehensible." -- Albert Einstein. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From ka at pacific.net Wed Jul 25 16:18:28 2007 From: ka at pacific.net (Ken A) Date: Wed Jul 25 16:18:32 2007 Subject: Announce: Join the Facebook MailScanner group In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D2058DB7F4@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D2058DB7F4@UBIMAIL1.ubisoft.org> Message-ID: <46A769C4.8060606@pacific.net> Daniel Maher wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Alvaro Mar?n >> Sent: July 24, 2007 5:34 PM >> To: MailScanner discussion >> Subject: Re: Announce: Join the Facebook MailScanner group >> >> Hello, >> >>> And if you aren't on Facebook, why not? >>> www.facebook.com >> Good question... I've just registered and joined it :-) >> > > [theory="conspiracy"] > > http://www.google.ca/search?q=facebook+CIA > > [/theory] Ah, all you Orwellian sheep to the slaughter! bwah hah hah... Ken > > -- > _ > ?v? Daniel Maher > /(_)\ Administrateur Syst?me Unix > ^ ^ Unix System Administrator > > "The most incomprehensible thing about the world is that it is comprehensible." -- Albert Einstein. -- Ken Anderson Pacific.Net From sailer at bnl.gov Wed Jul 25 16:23:26 2007 
From: sailer at bnl.gov (Tim Sailer) Date: Wed Jul 25 16:23:33 2007 Subject: Announce: Join the Facebook MailScanner group In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D2058DB7F4@UBIMAIL1.ubisoft.org> References: <46A67054.6050100@hostalia.com> <1E293D3FF63A3740B10AD5AAD88535D2058DB7F4@UBIMAIL1.ubisoft.org> Message-ID: <20070725152326.GC4459@bnl.gov> On Wed, Jul 25, 2007 at 11:04:24AM -0400, Daniel Maher wrote: > [theory="conspiracy"] > > http://www.google.ca/search?q=facebook+CIA > > [/theory] "Google is EvIl". If you have a gmail account, you just fed google that little tid-bit associated with your name. As far as the subject of the search, heh. "No Comment" Tim -- Tim Sailer DoE Intelligence and Counterintelligence - Cyber Division Northeast Regional Counterintelligence Office Brookhaven National Laboratory (631) 344-3001 From Richard.Frovarp at sendit.nodak.edu Wed Jul 25 17:32:06 2007 
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Wed Jul 25 17:32:09 2007 Subject: BarricadeMX experiences In-Reply-To: References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> <46A67DAF.60301@mail.wvnet.edu> Message-ID: <46A77B06.50106@sendit.nodak.edu> Kai Schaetzl wrote: > Richard Lynch wrote on Tue, 24 Jul 2007 18:31:11 -0400: > > >> I gave before and after statistics. It was the same hardware and with >> our volume the input is pretty much the same each day. The results >> speak for themselves. What were overloaded servers with huge delays now >> run fine. >> > > But you didn't seem to use any additional tools or measures at MTA level, > did you? I'm not saying that BarricadeMX is not good or maybe even > exceptionally good, but I'm sure that if you use a well-balanced set of > milters, have greylisting, use a well balanced set of RBLs and access.db > and then compare with *that* the comparison will be much different. > BarricadeMX may still be better, but surely not as much as to what you > compared. You cannot compare a BarricadeMX system with a more or less > unprotected system. For instance, only about 10 - 15% of our incoming mail > is spam because most of the spam is already rejected at MTA level, without > BarricadeMX. And viruses almost never make it on the systems, either, > because they are rejected on MTA level. May not be as good as BarricadeMX, > but good enough, especially for ressource usage. > > Kai > > The OP did say he was running sbl+xbl at the mta and that the numbers in the graphs did not include those rejects which accounted for 50% of the attempts. From Kevin_Miller at ci.juneau.ak.us Wed Jul 25 17:36:12 2007 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Jul 25 17:36:17 2007 Subject: Beta release 4.62.4 In-Reply-To: <1185356800.12234.92.camel@localhost.localdomain> References: <46A61FBB.1030708@ecs.soton.ac.uk> <1185356800.12234.92.camel@localhost.localdomain> Message-ID: ram wrote: > Would you recommend putting a use Spamassassin=yes and blank out all > the cf files except for our policies.cf Be sure to turn off sa-updates... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From ssilva at sgvwater.com Wed Jul 25 17:40:04 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Jul 25 17:40:27 2007 Subject: mailscanner trouble In-Reply-To: <46A62FC9.90500@evi-inc.com> References: <370b533d1822a74495c041c4eb1f76f4@solidstatelogic.com> <46A62FC9.90500@evi-inc.com> Message-ID: Matt Kettler spake the following on 7/24/2007 9:58 AM: > Martin.Hepworth wrote: >> Simon >> >> You're running really really old mailscanner and really really really old spamassassin! >> >> I'd suggest you update both to modern versions first.. > > I'd agree.. however, he's also running a really really really old version of > RedHat ( Redhat 8, circa 2002), which is no longer supported and thus no longer > has security fixes posted. > > He's also running a really old sendmail which is likely full of exploits. > > I know sendmail-8.12.5-7 is vulnerable to at least this remote DoS attack. > http://www.securityfocus.com/bid/8485 > > This version of RedHat also runs perl 5.0005, which would inhibit upgrading to > anything too terribly modern. SpamAssassin ditched 5.0005 support with SA 3.0.0. > 2.6x would be the newest build that would support such an old version of perl. > > While it's a lot of work, really Simon should be completely upgrading his entire > OS. Centos might make a good option as it would be relatively familiar to a > RedHat user and has fairly long-lived release cycles. > > Upgrading a couple tools won't help you when nearly every package on your entire > system is 5 years old and doesn't have any security updates published. > > And probably hardware just as old. Kind of like quitting smoking "after" the doctor tells you that you have 3 months to live! ;-( -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From jan-peter at koopmann.eu Wed Jul 25 17:45:57 2007 
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Wed Jul 25 17:45:12 2007 Subject: BarricadeMX experiences In-Reply-To: References: <11090454.2641185312780535.JavaMail.root@office.splatnix.net><46A67978.6000702@alexb.ch> Message-ID: > since they claim only about 1018 concurrent connections, not likely > to.. Two things: 1. As Steve pointed out they have yet to find/hit the limit. They had well over 2000 concurrent connections. And the claim is 1018 concurrent connections per CPU. 2. The question is why are your concurrent connections so high? One reason would be an enormously busy mail server. The other would be having too long SMTP sessions. The truth will be in between. BMX might even help you shorten the average SMTP session time since it will very quickly discover badly behaving servers and drop the connections without having to go through the SpamAssassin hassle. Why don't you simply try it out? You could do that very easily and get rid of it should you really be the first one to hit a limit in BMX. Regards, JP From ssilva at sgvwater.com Wed Jul 25 17:52:58 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Jul 25 17:53:21 2007 Subject: MailScanner and password protected archives In-Reply-To: References: <46A66091.5030008@ecs.soton.ac.uk> Message-ID: Kai Schaetzl spake the following on 7/25/2007 5:25 AM: > Julian Field wrote on Tue, 24 Jul 2007 21:26:57 +0100: > >> It will be caught, and logged as an "Other infection" if >> Allow Password Protected Archives = no > > Yeah. The point is that there is no way of releasing it as it doesn't get > stored, it's handled like a virus. There is also no notification of the > recipient about this. As I understand if I set "Allow Password Protected > Archives = yes" it will just slip thru unchecked (at least unchecked for > spam, clamav may still find a virus signature) which is not desirable. > There is a good chance that a password protected archive is either spam or > malware, so I want to stop it for good at the gate, but give any recipient > the chance to release "good" password protected archives (their choice) as > there are ones which are not spam or malware. > > Kai > Being a password protected archive, wouldn't it be "their choice" to just open it in the first place if set to "Allow Password Protected Archives = yes"? It seems an unnecessary step if you are still letting the end user release it. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Wed Jul 25 18:02:30 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Jul 25 18:02:51 2007 Subject: [Fwd: ANNOUNCE: Apache SpamAssassin 3.2.2 available] In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA03CEF3@HC-MBX02.herefordshire.gov.uk> References: <46A74FC7.9090604@coders.co.uk> <7EF0EE5CB3B263488C8C18823239BEBA03CEF3@HC-MBX02.herefordshire.gov.uk> Message-ID: Randal, Phil spake the following on 7/25/2007 6:31 AM: > If you can find a mirror carrying it you're cleverer than I am. > > As sod's law has it, I've just gone live with two new MailScanner boxes > today. > You always have the root of the tree; http://www.apache.org/dist/spamassassin/ -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From rich at mail.wvnet.edu Wed Jul 25 18:41:36 2007 
From: rich at mail.wvnet.edu (Richard Lynch) Date: Wed Jul 25 18:41:56 2007 Subject: BarricadeMX experiences In-Reply-To: References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> <46A67DAF.60301@mail.wvnet.edu> Message-ID: <46A78B50.9080803@mail.wvnet.edu> Kai Schaetzl wrote: > Richard Lynch wrote on Tue, 24 Jul 2007 18:31:11 -0400: > > >> I gave before and after statistics. It was the same hardware and with >> our volume the input is pretty much the same each day. The results >> speak for themselves. What were overloaded servers with huge delays now >> run fine. >> > > But you didn't seem to use any additional tools or measures at MTA level, > did you? I'm not saying that BarricadeMX is not good or maybe even > exceptionally good, but I'm sure that if you use a well-balanced set of > milters, have greylisting, use a well balanced set of RBLs and access.db > and then compare with *that* the comparison will be much different. > BarricadeMX may still be better, but surely not as much as to what you > compared. You cannot compare a BarricadeMX system with a more or less > unprotected system. For instance, only about 10 - 15% of our incoming mail > is spam because most of the spam is already rejected at MTA level, without > BarricadeMX. And viruses almost never make it on the systems, either, > because they are rejected on MTA level. May not be as good as BarricadeMX, > but good enough, especially for ressource usage. > > Kai > It was what I said it was -- a before and after picture of my results. Nothing else. I did say that I used sbl-xbl at the MTA. Although I didn't mention it I also ran milter-limit and milter-null. Certainly there are other configurations that would work better than what I was doing but I would bet that many (even most) people run with a setup similar to mine. But that wasn't really the point of my post. I wasn't trying to prove anything. 
I was just showing my experiences -- that's all. If you or anyone else wants to demonstrate other solutions and compare them to BarricadeMX you are of course free to do that. If you want to compare my configuration and posted statistics to something else you can do that too. But please don't say that I was demonstrating something else or implying anything other than what I said in my posts. If you want to do some kind of overall study of various spam/virus solutions and give us your analysis then do it. I'm sure everyone , including me, would find something like that useful. Richard Lynch WVNET -- -------------- next part -------------- A non-text attachment was scrubbed... Name: rich.vcf Type: text/x-vcard Size: 299 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070725/2dbf731a/rich.vcf From hvdkooij at vanderkooij.org Wed Jul 25 18:47:06 2007 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Jul 25 18:47:12 2007 Subject: Request for comments 3 In-Reply-To: <2941525.2611185312713754.JavaMail.root@office.splatnix.net> References: <2941525.2611185312713754.JavaMail.root@office.splatnix.net> Message-ID: On Tue, 24 Jul 2007, UxBoD wrote: > Nope. Just based on the new SA functionality, as Virri should never be released anyway, only other stuff is RBL so that would be subject to others comments. Anyone using ClamAV might have a false positive on a perfectly good message. It is unlikely but definitly not impossible if one uses additional sets that are totally geared towards SPAM instead of MalWare. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From maillists at conactive.com Wed Jul 25 19:13:03 2007 
From: maillists at conactive.com (Kai Schaetzl) Date: Wed Jul 25 19:13:06 2007 Subject: MailScanner and password protected archives In-Reply-To: References: <46A66091.5030008@ecs.soton.ac.uk> Message-ID: Scott Silva wrote on Wed, 25 Jul 2007 09:52:58 -0700: > Being a password protected archive, wouldn't it be "their choice" to just open > it in the first place if set to "Allow Password Protected Archives = yes"? > It seems an unnecessary step if you are still letting the end user release it. Hm, if I get 100 password-protected archives and one of them is not spam/malware I surely prefer to stop them all at the gate and let the one user with the legitimate one release it instead of unnecessarily flooding other mailboxes with password-protected spam/malware. It's the same "their choice" as to let them open spam themselves to decide if it is spam or not. Do we do that? Most of us probably not, we quarantine it. Or did I understand your remark wrong? The problem is that it gets handled as a virus although it may not be a virus (and actually at the moment the chance is high that it is not a virus). Positive virus detection is very secure AFAIS, so *if* a virus is detected it's quite safe to discard it and not store it, as it's almost guaranteed to be correctly detected and no one would want to release it. That's not the case with password-protected archives. There is only a good chance that they are malware or spam, so you would want to store and give the chance to release it. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From ssilva at sgvwater.com Wed Jul 25 20:10:41 2007 
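
The "Allow Password Protected Archives" handling discussed in this thread is possible because a ZIP member's encryption flag sits in plaintext metadata, so a gateway can see it without the password. The following Python code is an added example, not part of any list message and not MailScanner's own code; `gateway_action` and its quarantine-instead-of-discard policy are hypothetical, and the sample archive is constructed.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
FLAG_ENCRYPTED = 0x0001    # general-purpose bit 0: member is encrypted
FLAG_UTF8_NAME = 0x0800    # general-purpose bit 11: file name is UTF-8


def central_directory(data):
    """Yield (entry_offset, flags, local_header_offset, name) per member.

    Only metadata is read; no member is decompressed or decrypted.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP")
    # EOCD: total entries at +10, directory size at +12, directory offset at +16
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("corrupt central directory")
        flags = struct.unpack_from("<H", data, pos + 8)[0]
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        codec = "utf-8" if flags & FLAG_UTF8_NAME else "cp437"
        name = data[pos + 46:pos + 46 + name_len].decode(codec, "replace")
        yield pos, flags, local_off, name
        pos += 46 + name_len + extra_len + comment_len


def encrypted_members(data):
    """Names of members whose encryption flag is set."""
    return [name for _pos, flags, _off, name in central_directory(data)
            if flags & FLAG_ENCRYPTED]


def gateway_action(data, allow_password_protected):
    """Hypothetical policy: hold flagged archives for release, never discard."""
    try:
        locked = encrypted_members(data)
    except (ValueError, struct.error):
        return "deliver", []          # not a ZIP; other checks would apply
    if locked and not allow_password_protected:
        return "quarantine", locked   # stored, so the recipient can release it
    return "deliver", locked


def build_sample(encrypt_names=()):
    """Constructed sample: an ordinary ZIP with the encryption flag set on the
    chosen members. The payload is not really encrypted; only the metadata a
    scanner inspects is changed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "plain text")
        zf.writestr("statement.pdf", "constructed placeholder bytes")
    data = bytearray(buf.getvalue())
    for pos, flags, local_off, name in list(central_directory(bytes(data))):
        if name in encrypt_names:
            struct.pack_into("<H", data, pos + 8, flags | FLAG_ENCRYPTED)
            struct.pack_into("<H", data, local_off + 6, flags | FLAG_ENCRYPTED)
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample(encrypt_names={"statement.pdf"})
    print(gateway_action(sample, allow_password_protected=False))
    print(gateway_action(sample, allow_password_protected=True))
```
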
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Jul 25 20:11:02 2007
Subject: MailScanner and password protected archives
In-Reply-To:
References: <46A66091.5030008@ecs.soton.ac.uk>
Message-ID:

Kai Schaetzl spake the following on 7/25/2007 11:13 AM:
> Scott Silva wrote on Wed, 25 Jul 2007 09:52:58 -0700:
>
>> Being a password protected archive, wouldn't it be "their choice" to just open
>> it in the first place if set to "Allow Password Protected Archives = yes"?
>> It seems an unnecessary step if you are still letting the end user release it.
>
> Hm, if I get 100 password-protected archives and one of them is not spam/malware
> I surely prefer to stop them all at the gate and let the one user with the
> legitimate one release it instead of unnecessarily flooding other mailboxes with
> password-protected spam/malware.
> It's the same "their choice" as to let them open spam themselves to decide if it
> is spam or not. Do we do that? Most of us probably not, we quarantine it.
> Or did I understand your remark wrong?
>
> The problem is that it gets handled as a virus although it may not be a virus
> (and actually at the moment the chance is high that it is not a virus). Positive
> virus detection is very secure AFAIS, so *if* a virus is detected it's quite
> safe to discard it and not store it, as it's almost guaranteed to be correctly
> detected and no one would want to release it.
> That's not the case with password-protected archives. There is only a good
> chance that they are malware or spam, so you would want to store and give the
> chance to release it.
>
> Kai
>

I am not sure if virus scanners can scan in a password-protected archive. That is why they were used for malware last year.

I personally don't allow password-protected archives at our site and none of my users have complained. If they did, I would add a ruleset only allowing it from a specified site to that user.

I would think that if a user gets a password protected zip, they should know it is coming. If the password is in the e-mail with the archive, it is probably a virus/malware. Otherwise, why would you password protect it?

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From uxbod at splatnix.net Wed Jul 25 20:43:58 2007
From: uxbod at splatnix.net (UxBoD)
Date: Wed Jul 25 20:42:03 2007
Subject: Request for comments 3
In-Reply-To:
Message-ID: <18999137.3241185392638511.JavaMail.root@office.splatnix.net>

True Hugo. Valid point hence posing question for comments :)

----- Original Message -----
From: "Hugo van der Kooij"
To: "MailScanner discussion"
Sent: 25 July 2007 18:47:06 o'clock (GMT) Europe/London
Subject: Re: Request for comments 3

On Tue, 24 Jul 2007, UxBoD wrote:

> Nope. Just based on the new SA functionality, as Virri should never be released anyway, only other stuff is RBL so that would be subject to others comments.

Anyone using ClamAV might have a false positive on a perfectly good message. It is unlikely but definitely not impossible if one uses additional sets that are totally geared towards SPAM instead of MalWare.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.
Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ugob at lubik.ca Wed Jul 25 21:12:29 2007
From: ugob at lubik.ca (Ugo Bellavance)
Date: Wed Jul 25 21:12:44 2007
Subject: After uninstall cannot chdir in mqueue.in
Message-ID:

Hi,

I uninstalled MailScanner on one system to make it BarricadeMX + clamd + spamd only.

Now, I get this error in logs... I can't seem to find why sendmail is still looking for mqueue.in.

Jul 25 16:07:37 mailscan sendmail[18905]: NOQUEUE: SYSERR(root): can not chdir(/var/spool/mqueue.in/): No such file or directory

Any idea?

Ugo

From bryan.guest at bmts.com Wed Jul 25 21:47:24 2007
From: bryan.guest at bmts.com (Bryan Guest)
Date: Wed Jul 25 21:47:29 2007
Subject: switching clamavmodule -> clamd
Message-ID: <008f01c7cefd$016dcf90$0b01010a@DGPTBH91>

Hello:

I am looking for a performance gain by switching from clamavmodule to clamd. I have been following the guide in the wiki ( http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd) and I would like to ask a couple of questions.

1) RPM's from Dag Wieers

It seems that the easy install package (IE: install-Clam-0.91.1-SA-3.2.2.tar.gz) may install clamd. If this is the case, why is it recommended to use the rpm's from Dag Wieers?

2) Is clamd install from bundle possible?

Is it foreseeable that MailScanner may just be able to use the clamd compiled and installed with install-Clam-XXX-SA-XXX.tar.gz in the future?

3) Uninstall of source installation necessary?

A note in step 4 of the wiki documentation suggests it is necessary to uninstall the source install using "make uninstall". This makes sense of course, prior to an RPM install. I just wanted to inquire if this is a critical step?

The install-Clam package seems to clean up after itself. So unless I am mistaken, to clean up after this install package, it is necessary to unpack it again, then unpack the ClamAV tarball, run the configure script with --disable-zlib-vcheck) and then do "make uninstall" with the newly created makefile?

4) What if clamd dies?

If clamd should fail, will Mailscanner continue to process mail? Should some monitor program such as supervise be put into place to automagically restart clamd?

5) Will switching to clamd help with botched clamav database updates?

We have been trying to run the 0.9x versions of ClamAV and have been bitten twice by damaged or failed database updates when a major release occurs. Does switching to clamd have any effect on this situation?

Many thanks to Julian Field and everyone on this list for MailScanner and the support it receives. I sincerely appreciate any feedback provided.

Bryan Guest
Bruce Telecom

From bryan.guest at bmts.com Wed Jul 25 21:53:54 2007
From: bryan.guest at bmts.com (Bryan Guest)
Date: Wed Jul 25 21:53:59 2007
Subject: OT: performance smf-sav vs milter-ahead
Message-ID: <00be01c7cefd$e9cb48d0$0b01010a@DGPTBH91>

Hello

With my apologies for the off topic nature of this question, has anyone compared performance between SMF-SAV and Milter-Ahead? If so, is there an appreciable difference when using one or the other in conjunction with MailScanner?

Many thanks to Julian Field and everyone on this list for MailScanner and the support it receives. I sincerely appreciate any feedback provided.

Bryan Guest
Bruce Telecom

From MailScanner at ecs.soton.ac.uk Wed Jul 25 21:59:34 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 25 21:59:54 2007
Subject: switching clamavmodule -> clamd
In-Reply-To: <008f01c7cefd$016dcf90$0b01010a@DGPTBH91>
References: <008f01c7cefd$016dcf90$0b01010a@DGPTBH91>
Message-ID: <46A7B9B6.10201@ecs.soton.ac.uk>

Bryan Guest wrote:
> Hello:
>
> I am looking for a performance gain by switching from clamavmodule to
> clamd. I have been following the guide in the wiki (
> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd)
> and I would like to ask a couple of questions.
>
> 1) RPM's from Dag Wieers
>
> It seems that the easy install package (IE:
> install-Clam-0.91.1-SA-3.2.2.tar.gz) may install clamd. If this is the
> case, why is it recommended to use the rpm's from Dag Wieers?

It gets you the init.d script to run clamd.

>
> 2) Is clamd install from bundle possible?
>
> Is it foreseeable that MailScanner may just be able to use the clamd
> compiled and installed with install-Clam-XXX-SA-XXX.tar.gz in the future?

It can now. Using the RPMs from Dag saves you writing your own init.d script to start and stop clamd.

>
> 3) Uninstall of source installation necessary?
>
> A note in step 4 of the wiki documentation suggests it is necessary to
> uninstall the source install using "make uninstall". This makes sense
> of course, prior to an RPM install. I just wanted to inquire if this
> is a critical step?

Not critical, no. But do make sure your /etc/MailScanner/virus.scanners.conf points to the right installation, as only that one will be kept up to date automatically by MailScanner.

>
> The install-Clam package seems to clean up after itself. So unless I
> am mistaken, to clean up after this install package, it is necessary
> to unpack it again, then unpack the ClamAV tarball, run the configure
> script with --disable-zlib-vcheck) and then do "make uninstall" with
> the newly created makefile?

Correct.

>
> 4) What if clamd dies?
>
> If clamd should fail, will Mailscanner continue to process mail?
> Should some monitor program such as supervise be put into place to
> automagically restart clamd?

I would use a clamd monitor script to keep an eye on it, such as "clamdwatch" (Google for it).

>
> 5) Will switching to clamd help with botched clamav database updates?
>
> We have been trying to run the 0.9x versions of ClamAV and have been
> bitten twice by damaged or failed database updates when a major
> release occurs. Does switching to clamd have any effect on this
> situation?

No.

>
> Many thanks to Julian Field and everyone on this list for MailScanner
> and the support it receives. I sincerely appreciate any feedback
> provided.

Thanks!

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Wed Jul 25 22:05:29 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Jul 25 22:06:48 2007
Subject: OT: performance smf-sav vs milter-ahead
In-Reply-To: <00be01c7cefd$e9cb48d0$0b01010a@DGPTBH91>
References: <00be01c7cefd$e9cb48d0$0b01010a@DGPTBH91>
Message-ID: <46A7BB19.60503@ecs.soton.ac.uk>

Bryan Guest wrote:
> Many thanks to Julian Field and everyone on this list for MailScanner
> and the support it receives. I sincerely appreciate any feedback
> provided.

If anyone is feeling particularly generous right now, there's a book on my Amazon.co.uk wishlist that I would really like :-)

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From rcooper at dwford.com Wed Jul 25 22:17:16 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Wed Jul 25 22:17:19 2007
Subject: switching clamavmodule -> clamd
In-Reply-To: <008f01c7cefd$016dcf90$0b01010a@DGPTBH91>
References: <008f01c7cefd$016dcf90$0b01010a@DGPTBH91>
Message-ID: <05b701c7cf01$2d6c55e0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Bryan Guest
> Sent: Wednesday, July 25, 2007 4:47 PM
> To: mailscanner@lists.mailscanner.info
> Subject: switching clamavmodule -> clamd
>
> Hello:
>
> I am looking for a performance gain by switching from
> clamavmodule to clamd.
> I have been following the guide in the wiki (
> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd)
> and I would like to ask a couple of questions.
>
[...]
>
> 4) What if clamd dies?
>
> If clamd should fail, will Mailscanner continue to process
> mail? Should some
> monitor program such as supervise be put into place to
> automagically restart
> clamd?
>

You should monitor any important (is there another kind?) daemon, so absolutely. That said it's been a very long time since I had an issue with clamd dying, but I still monitor it.

> 5) Will switching to clamd help with botched clamav database updates?
>
> We have been trying to run the 0.9x versions of ClamAV and
> have been bitten
> twice by damaged or failed database updates when a major
> release occurs.
> Does switching to clamd have any effect on this situation?

This I cannot say for sure. FreshClam tests the downloaded updates and doesn't install corrupted dbs, however if you were bitten by the MailScanner monitor of clam db changes just make sure you use the newer, recommended MS clamdb monitor value. When the last major problem occurred with the damaged clamdb I got an email from freshclam stating there was a problem but looking at the update logs the broken db was never actually installed.

BTW: Look at the following options in freshclam.conf:

OnErrorExecute and OnOutdatedExecute

I have a script they call with either (error or olddb) that sends me an email notification of a problem and the nature of the problem.

Rick

From maillists at conactive.com Wed Jul 25 22:17:31 2007
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Jul 25 22:17:34 2007
Subject: MailScanner and password protected archives
In-Reply-To:
References: <46A66091.5030008@ecs.soton.ac.uk>
Message-ID:

Scott Silva wrote on Wed, 25 Jul 2007 12:10:41 -0700:

> I am not sure if virus scanners can scan in a password-protected archive. That
> is why they were used for malware last year.

Yepp. It seems that they usually can, at least this is said about clamav, but the result may not be as reliable. I guess just zipping with different compression ratios will make any signatures useless. So, you cannot rely on that and have to treat every protected archive as possible malware with a significantly high rate of false positives. Which means you cannot treat them as a virus, the false positive rate forbids this.

>
> I personally don't allow password-protected archives at our site and none of
> my users have complained.

Well, I'm providing services for others, it's not feasible that they email me each time before getting such an archive. They get as much protection and as little bothering as possible. And, yes, it happens that legitimate password-protected archives get sent to my clients. That's how I found out that I had to tell them to ask for resending after I put the sender on the "no scan" list.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Wed Jul 25 22:17:32 2007
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Jul 25 22:17:39 2007
Subject: After uninstall cannot chdir in mqueue.in
In-Reply-To:
References:
Message-ID:

Ugo Bellavance wrote on Wed, 25 Jul 2007 16:12:29 -0400:

> Now, I get this error in logs... I can't seem to find why sendmail is
> still looking for mqueue.in.

Sure, that all old sendmail instances have been killed?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From ssilva at sgvwater.com Wed Jul 25 22:32:48 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Jul 25 22:33:08 2007
Subject: switching clamavmodule -> clamd
In-Reply-To: <46A7B9B6.10201@ecs.soton.ac.uk>
References: <008f01c7cefd$016dcf90$0b01010a@DGPTBH91> <46A7B9B6.10201@ecs.soton.ac.uk>
Message-ID:

Julian Field spake the following on 7/25/2007 1:59 PM:
>
>
> Bryan Guest wrote:
>> Hello:
>
>> I am looking for a performance gain by switching from clamavmodule to
>> clamd. I have been following the guide in the wiki (
>> http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:clamav:switch_to_rpm_clamd)
>> and I would like to ask a couple of questions.
>
>> 1) RPM's from Dag Wieers
>
>> It seems that the easy install package (IE:
>> install-Clam-0.91.1-SA-3.2.2.tar.gz) may install clamd. If this is the
>> case, why is it recommended to use the rpm's from Dag Wieers?
> It gets you the init.d script to run clamd.
>> 2) Is clamd install from bundle possible?
>
>> Is it foreseeable that MailScanner may just be able to use the clamd
>> compiled and installed with install-Clam-XXX-SA-XXX.tar.gz in the future?
> It can now. Using the RPMs from Dag saves you writing your own init.d
> script to start and stop clamd.

The clamav tarball has init-scripts for several variations of OS's. Just unpack it somewhere and look at them. The tarball install seems to have a clamd.conf file also, but it is in /usr/local/etc.

I haven't tried to run it yet as I don't have enough volume to make much of a difference, although I got the clamd daemon to run and I could scan stuff with it.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ugob at lubik.ca Wed Jul 25 22:39:21 2007
From: ugob at lubik.ca (Ugo Bellavance)
Date: Wed Jul 25 22:39:38 2007
Subject: After uninstall cannot chdir in mqueue.in
In-Reply-To:
References:
Message-ID:

Kai Schaetzl wrote:
> Ugo Bellavance wrote on Wed, 25 Jul 2007 16:12:29 -0400:
>
>> Now, I get this error in logs... I can't seem to find why sendmail is
>> still looking for mqueue.in.
>
> Sure, that all old sendmail instances have been killed?
>

I've done a 'killall sendmail' and then a 'service sendmail start' before posting... problem is still there.

Ugo

From alex at nkpanama.com Wed Jul 25 22:43:38 2007
From: alex at nkpanama.com (Alex Neuman van der Hans)
Date: Wed Jul 25 22:44:32 2007
Subject: After uninstall cannot chdir in mqueue.in
In-Reply-To:
References:
Message-ID: <46A7C40A.9050606@nkpanama.com>

Ugo Bellavance wrote:
> Kai Schaetzl wrote:
>> Ugo Bellavance wrote on Wed, 25 Jul 2007 16:12:29 -0400:
>>
>>> Now, I get this error in logs... I can't seem to find why sendmail
>>> is still looking for mqueue.in.
>>
>> Sure, that all old sendmail instances have been killed?
>>
>
> I've done a 'killall sendmail' and then a 'service sendmail start'
> before posting... problem is still there.
>
> Ugo
>

Have you tried a "palpatine-like" "wipe them out - all of them!" with killall -9?

From mkettler at evi-inc.com Wed Jul 25 22:45:11 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Jul 25 22:46:47 2007
Subject: After uninstall cannot chdir in mqueue.in
In-Reply-To:
References:
Message-ID: <46A7C467.6010600@evi-inc.com>

Ugo Bellavance wrote:
> Kai Schaetzl wrote:
>> Ugo Bellavance wrote on Wed, 25 Jul 2007 16:12:29 -0400:
>>
>>> Now, I get this error in logs... I can't seem to find why sendmail is
>>> still looking for mqueue.in.
>>
>> Sure, that all old sendmail instances have been killed?
>>
>
> I've done a 'killall sendmail' and then a 'service sendmail start'
> before posting... problem is still there.
>

Interesting.. any chance your sendmail init script, or its sysconfig, has been modified to pass this to sendmail?

grep mqueue.in /etc/init.d/sendmail
grep mqueue.in /etc/sysconfig/sendmail

From doc at maddoc.net Wed Jul 25 22:48:39 2007
From: doc at maddoc.net (Doc Schneider)
Date: Wed Jul 25 22:48:50 2007
Subject: After uninstall cannot chdir in mqueue.in
In-Reply-To:
References:
Message-ID: <46A7C537.30707@maddoc.net>

Ugo Bellavance wrote:
> Kai Schaetzl wrote:
>> Ugo Bellavance wrote on Wed, 25 Jul 2007 16:12:29 -0400:
>>
>>> Now, I get this error in logs... I can't seem to find why sendmail is
>>> still looking for mqueue.in.
>>
>> Sure, that all old sendmail instances have been killed?
>>
>
> I've done a 'killall sendmail' and then a 'service sendmail start'
> before posting... problem is still there.
>
> Ugo
>

in your sendmail.mc

define(`QUEUE_DIR', `/var/spool/mqueue')

and re-make it.

--
-Doc
Lincoln, NE.
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From hvdkooij at vanderkooij.org Wed Jul 25 22:59:45 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Jul 25 22:59:51 2007
Subject: MailScanner and password protected archives
In-Reply-To:
References: <46A66091.5030008@ecs.soton.ac.uk>
Message-ID:

On Wed, 25 Jul 2007, Scott Silva wrote:

> I am not sure if virus scanners can scan in a password-protected archive. That
> is why they were used for malware last year.

I am not exactly sure how they do it. But some of the password protected ZIP files I have are listed as infected.

From the scanner logs I took just the details on 1 sample of such a file.

* Avast: 2F8029F68AE25B84F6A51F30A68DF8F1.270849.win32/smiissm.exe [scan error: Archive is password protected]
* Avira: 2F8029F68AE25B84F6A51F30A68DF8F1.270849.win32 <<< Is the Trojan horse TR/Dldr.Delf.HC.25
* BitDefender: 2F8029F68AE25B84F6A51F30A68DF8F1.270849.win32 infected: Trojan.Downloader.Delf.HC
* DrWeb: 2F8029F68AE25B84F6A51F30A68DF8F1.270849.win32/smiissm.exe infected with Trojan.DownLoader.1567
* Kaspersky: 2F8029F68AE25B84F6A51F30A68DF8F1.270849.win32/smiissm.exe INFECTED Trojan-Downloader.Win32.Delf.hc
* VBA32: 2F8029F68AE25B84F6A51F30A68DF8F1.270849.win32:\smiissm.exe : password protected - unable to scan

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.
Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From ssilva at sgvwater.com Wed Jul 25 23:03:16 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Jul 25 23:03:34 2007
Subject: MailScanner and password protected archives
In-Reply-To:
References: <46A66091.5030008@ecs.soton.ac.uk>
Message-ID:

Kai Schaetzl spake the following on 7/25/2007 2:17 PM:
> Scott Silva wrote on Wed, 25 Jul 2007 12:10:41 -0700:
>
>> I am not sure if virus scanners can scan in a password-protected archive. That
>> is why they were used for malware last year.
>
> Yepp. It seems that they usually can, at least this is said about clamav, but
> the result may not be as reliable. I guess just zipping with different
> compression ratios will make any signatures useless. So, you cannot rely on that
> and have to treat every protected archive as possible malware with a
> significantly high rate of false positives. Which means you cannot treat them as
> a virus, the false positive rate forbids this.
>
>> I personally don't allow password-protected archives at our site and none of
>> my users have complained.
>
> Well, I'm providing services for others, it's not feasible that they email me
> each time before getting such an archive. They get as much protection and as
> little bothering as possible. And, yes, it happens that legitimate
> password-protected archives get sent to my clients. That's how I found out that
> I had to tell them to ask for resending after I put the sender on the "no scan"
> list.
>
>
> Kai
>

I keep forgetting that many of you run hosting facilities. The list seems to slip into informal mode so often.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From donald.dawson at bakerbotts.com Wed Jul 25 23:12:49 2007
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Wed Jul 25 23:12:56 2007
Subject: FW: score=0 problem: SpamAssassin (not cached, score=0, required 5, autolearn=)
Message-ID:

I have noticed that some spam has been creeping in. We have 4 inbound MX servers, but only has is experiencing this problem.

We are running SpamAssassin version 3.2.0, Perl version 5.8.3, and MailScanner version 4.59.4.

Here are the counts of 'is not spam' and 'is spam' with 'score=0,' (should not happen):

fgrep "score=0," /var/log/maillog | grep 'is not spam' | wc -l -- 649
fgrep "score=0," /var/log/maillog | grep 'is spam' | wc -l -- 311

SpamAssassin is not showing any errors, and '/usr/bin/spamassassin -D -p /etc/MailScanner/spam.assassin.prefs.conf --lint' does not show errors.

There are files in /dev/shm/ (.spamassassin*) that are being created, and some are being left in that directory. Here is an example of a file that has been left on this ramdisk fs:

# grep l6PJ1iYV029369 /var/log/maillog
Jul 25 14:01:51 houmx05 milter-greylist: l6PJ1iYV029369: skipping greylist because this is the default action, (from==kimharrison2@srs.bis.na.blackberry.com>, rcpt=, addr=smtp02.bis.na.blackberry.com[216.9.248.49])
Jul 25 14:01:51 houmx05 sendmail[29369]: l6PJ1iYV029369: from=, size=654, class=0, nrcpts=1, msgid=<2074773001-1185390040-cardhu_decombobulator_blackberry.rim.net-1101465393-@bxe017.bisx.prod.on.blac, proto=ESMTP, daemon=MTA, relay=smtp02.bis.na.blackberry.com [216.9.248.49]
Jul 25 14:01:51 houmx05 sendmail[29369]: l6PJ1iYV029369: Milter add: header: X-Null-Tag: 3a576a56bd3b913802bbc7fd4c9f07ad
Jul 25 14:01:51 houmx05 sendmail[29369]: l6PJ1iYV029369: Milter add: header: X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-3.0rc3 (houmx05.bakerbotts.com [204.194.98.17]); Wed, 25 Jul 2007 14:01:51 -0500 (CDT)
Jul 25 14:01:51 houmx05 sendmail[29369]: l6PJ1iYV029369: to=, delay=00:00:00, mailer=esmtp, pri=30654, stat=queued
Jul 25 14:01:53 houmx05 MailScanner[6850]: Message l6PJ1iYV029369 from 216.9.248.49 (srs0=r44+k6=mx=tmo.blackberry.net=kimharrison2@srs.bis.na.blackberry.com) to bakerbotts.com is not spam, SpamAssassin (not cached, score=0, required 5, autolearn=)
Jul 25 14:01:56 houmx05 sendmail[29452]: l6PJ1iYV029369: to=, delay=00:00:05, xdelay=00:00:00, mailer=esmtp, pri=120654, relay=housweep01.bakerbotts.net. [10.20.254.236], dsn=2.0.0, stat=Sent (Message received OK)

# l .spamassassin29421Mvfyimtmp
-rw------- 1 root root 1307 Jul 25 14:01 .spamassassin29421Mvfyimtmp
Wed Jul 25 14:12:06 CDT 2007

I'm wondering if it is a possible problem with the /dev/shm ram disk. Can spamassassin be pointed to use another directory?

I would appreciate any help you can provide.

Thanks,
Donald

Donald Dawson
Security Administrator
Baker Botts L.L.P.
713-229-2183

From glenn.steen at gmail.com Wed Jul 25 23:13:57 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Jul 25 23:13:59 2007
Subject: After uninstall cannot chdir in mqueue.in
In-Reply-To: <46A7C40A.9050606@nkpanama.com>
References: <46A7C40A.9050606@nkpanama.com>
Message-ID: <223f97700707251513j17a8a935pfb2b9118b420719d@mail.gmail.com>

On 25/07/07, Alex Neuman van der Hans wrote:
> Ugo Bellavance wrote:
> > Kai Schaetzl wrote:
> >> Ugo Bellavance wrote on Wed, 25 Jul 2007 16:12:29 -0400:
> >>
> >>> Now, I get this error in logs... I can't seem to find why sendmail
> >>> is still looking for mqueue.in.
> >>
> >> Sure, that all old sendmail instances have been killed?
> >>
> >
> > I've done a 'killall sendmail' and then a 'service sendmail start'
> > before posting... problem is still there.
> >
> > Ugo
> >
>
> Have you tried a "palpatine-like" "wipe them out - all of them!" with
> killall -9? this is a *bad thing to do but you do it anyway from time to time*> > - :-)

I'm sure Ugo is capable of typing a good enough ps command to know if they all died....

Did you remember to "chkconfig MailScanner off"? And "scoured" all sendmail configs for anything containing "mqueue.in"?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Jul 25 23:30:46 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Jul 25 23:30:48 2007 Subject: FW: score=0 problem: SpamAssassin (not cached, score=0, required 5, autolearn=) In-Reply-To: References: Message-ID: <223f97700707251530v4f57ae56i16e58cf22fb3043f@mail.gmail.com> On 26/07/07, donald.dawson@bakerbotts.com wrote: > > > > I have noticed that some spam has been creeping in. We have 4 inbound MX > servers, but only has is experiencing this problem. > > We are running SpamAssassin version 3.2.0, Perl version 5.8.3, and > MailScanner version 4.59.4. > > Here are the counts of 'is not spam' and 'is spam' with 'score=0,' (should > not happen): Which one do you mean? score=0 could happen.... and "is spam" too, provided it either was a cached entry, or hit an RBL in MS. > fgrep "score=0," /var/log/maillog | grep 'is not spam' | wc -l -- 649 > fgrep "score=0," /var/log/maillog | grep 'is spam' | wc -l -- 311 > > Spamassasin is not showing any errors, and '/usr/bin/spamassassin -D -p > /etc/MailScanner/spam.assassin.prefs.conf --lint' does not > show errors. > > There are files in /dev/shm/ (.spamassassin*) that are being created, and > some are being left in that directory. 
Here is an example of a file that > has been left on this ramdisk fs: > > # grep l6PJ1iYV029369 /var/log/maillog > Jul 25 14:01:51 houmx05 milter-greylist: l6PJ1iYV029369: skipping greylist > because this is the default action, > (from==kimharrison2@srs.bis.na.blackberry.com>, > rcpt=, > addr=smtp02.bis.na.blackberry.com[216.9.248.49]) > > Jul 25 14:01:51 houmx05 sendmail[29369]: l6PJ1iYV029369: > from=, > size=654, class=0, nrcpts=1, > msgid=<2074773001-1185390040-cardhu_decombobulator_blackberry.rim.net-1101465393-@bxe017.bisx.prod.on.blac, > proto=ESMTP, daemon=MTA, relay=smtp02.bis.na.blackberry.com [216.9.248.49] > > Jul 25 14:01:51 houmx05 sendmail[29369]: l6PJ1iYV029369: Milter add: header: > X-Null-Tag: 3a576a56bd3b913802bbc7fd4c9f07ad > > Jul 25 14:01:51 houmx05 sendmail[29369]: l6PJ1iYV029369: Milter add: header: > X-Greylist: Default is to whitelist mail, not delayed by > milter-greylist-3.0rc3 (houmx05.bakerbotts.com [204.194.98.17]); Wed, 25 Jul > 2007 14:01:51 -0500 (CDT) > > Jul 25 14:01:51 houmx05 sendmail[29369]: l6PJ1iYV029369: > to=, delay=00:00:00, > mailer=esmtp, pri=30654, stat=queued > > Jul 25 14:01:53 houmx05 MailScanner[6850]: Message l6PJ1iYV029369 from > 216.9.248.49 > (srs0=r44+k6=mx=tmo.blackberry.net=kimharrison2@srs.bis.na.blackberry.com) > to bakerbotts.com is not spam, SpamAssassin (not cached, score=0, required > 5, autolearn=) > > Jul 25 14:01:56 houmx05 sendmail[29452]: l6PJ1iYV029369: > to=, delay=00:00:05, > xdelay=00:00:00, mailer=esmtp, pri=120654, relay=housweep01.bakerbotts.net. > [10.20.254.236], dsn=2.0.0, stat=Sent (Message received OK) What did this crackberry message score when you ran SA on it manually? > # l .spamassassin29421Mvfyimtmp > -rw------- 1 root root 1307 Jul 25 14:01 .spamassassin29421Mvfyimtmp > Wed Jul 25 14:12:06 CDT 2007 > > I'm wondering if it is a possible problem with the /dev/shm ram disk. Can > spamassassin be pointed to use another directory? Might be something, yes... 
And the info on what it might be could be present in the logs, your grep isn't that ... perfect:-). Check the lines around that/during that time (minute), possibly pasting a more conclusive excerpt here. Upgrading SA is usually simple, so you could do that too (I have no knowledge that that would help, but it can't hurt (much) either:-). > I would appreciate any help you can provide. > > Thanks, > Donald Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From stork at openenterprise.ca Wed Jul 25 23:54:59 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Wed Jul 25 23:54:58 2007 Subject: Spamhaus' xbl-sbl blacklists Question Message-ID: <46A7D4C3.6050603@openenterprise.ca> How/where can I confirm that I am using the Spamhaus' xbl-sbl blacklists in mailscanner? Thanks -------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070725/7bf81acc/stork.vcf From ssilva at sgvwater.com Thu Jul 26 00:41:09 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Jul 26 00:41:24 2007 Subject: Spamhaus' xbl-sbl blacklists Question In-Reply-To: <46A7D4C3.6050603@openenterprise.ca> References: <46A7D4C3.6050603@openenterprise.ca> Message-ID: Johnny Stork spake the following on 7/25/2007 3:54 PM: > How/where can I confirm that I am using the Spamhaus' xbl-sbl blacklists > in mailscanner? > > Thanks > grep "Spam List =" /etc/MailScanner/MailScanner.conf -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From stork at openenterprise.ca Thu Jul 26 01:00:59 2007 
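For the "score=0" thread above: the two fgrep counts lump together the cases Glenn distinguishes (cached entries, Spam List hits). This added example, which is not part of any post in the thread, splits score=0 verdict lines into those cases and lists the message IDs worth re-running through SpamAssassin by hand. The sample log lines are constructed on the pattern of the MailScanner line quoted above; that Spam List names precede "SpamAssassin (" and rule hits follow "autolearn=" is an assumption about the log layout.

```python
"""Break down MailScanner 'score=0' verdict lines by verdict, cache state and Spam List hit."""
import re
from collections import Counter

# Verdict line layout as quoted in the thread:
#   MailScanner[pid]: Message <id> from <ip> (<sender>) to <domain>
#   is not spam, SpamAssassin (not cached, score=0, required 5, autolearn=)
VERDICT_RE = re.compile(
    r"MailScanner\[\d+\]: Message (?P<msgid>\S+) from (?P<ip>\S+) .*?"
    r" is (?P<verdict>not spam|spam), (?P<report>.*)$"
)
SA_RE = re.compile(r"SpamAssassin \((?P<fields>[^)]*)\)")
SCORE_RE = re.compile(r"score=(-?\d+(?:\.\d+)?)")
AUTOLEARN_RE = re.compile(r"autolearn=([^,]*)")

# Constructed sample lines (addresses and IDs are placeholders).
SAMPLE_LOG = [
    "Jul 25 14:01:51 mx1 sendmail[29369]: l6PAAAAA000001: from=<a@example.com>, size=654",
    "Jul 25 14:01:53 mx1 MailScanner[6850]: Message l6PAAAAA000001 from 192.0.2.10 "
    "(a@example.com) to example.org is not spam, SpamAssassin "
    "(not cached, score=0, required 5, autolearn=)",
    "Jul 25 14:02:10 mx1 MailScanner[6850]: Message l6PAAAAA000002 from 192.0.2.11 "
    "(b@example.com) to example.org is spam, spamhaus-ZEN, SpamAssassin "
    "(not cached, score=0, required 5, autolearn=)",
    "Jul 25 14:02:30 mx1 MailScanner[6851]: Message l6PAAAAA000003 from 192.0.2.12 "
    "(c@example.com) to example.org is spam, SpamAssassin "
    "(cached, score=0, required 5, autolearn=)",
    "Jul 25 14:03:02 mx1 MailScanner[6851]: Message l6PAAAAA000004 from 192.0.2.13 "
    "(d@example.com) to example.org is not spam, SpamAssassin "
    "(not cached, score=2.4, required 5, autolearn=no, HTML_MESSAGE 0.00, RDNS_NONE 2.40)",
    "Jul 25 14:03:40 mx1 MailScanner[6852]: Message l6PAAAAA000006 from 192.0.2.14 "
    "(e@example.com) to example.org is spam, SpamAssassin "
    "(not cached, score=0, required 5, autolearn=)",
]


def parse_verdict(line):
    """Return the parsed verdict as a dict, or None if this is not a verdict line."""
    m = VERDICT_RE.search(line)
    if not m:
        return None
    report = m.group("report")
    sa = SA_RE.search(report)
    if not sa:
        return None
    fields = sa.group("fields")
    score = SCORE_RE.search(fields)
    if not score:
        return None
    autolearn = AUTOLEARN_RE.search(fields)
    # Assumption: anything listed before "SpamAssassin (" is a Spam List that hit.
    spam_lists = [s.strip() for s in report[:sa.start()].split(",") if s.strip()]
    # Assumption: tokens after autolearn= are rule hits ("RULE_NAME 1.20").
    tail = fields[autolearn.end():] if autolearn else ""
    rules = [t.strip() for t in tail.split(",") if t.strip()]
    return {
        "msgid": m.group("msgid"),
        "is_spam": m.group("verdict") == "spam",
        "cached": fields.split(",")[0].strip() == "cached",
        "score": float(score.group(1)),
        "autolearn": autolearn.group(1).strip() if autolearn else "",
        "spam_lists": spam_lists,
        "rules": rules,
    }


def bucket(v):
    """Name the most likely explanation for a zero score."""
    if v["spam_lists"]:
        return "spam-list hit"      # verdict came from a Spam List, not from SA
    if v["cached"]:
        return "cached result"      # SA was not run for this message
    if not v["rules"] and not v["autolearn"]:
        return "no SA evidence"     # SA ran but logged nothing: check by hand
    return "rules sum to zero"


def triage(lines):
    """Count score=0 verdicts per (verdict, bucket) and collect IDs to recheck."""
    counts, recheck = Counter(), []
    for line in lines:
        v = parse_verdict(line)
        if v is None or v["score"] != 0:
            continue
        b = bucket(v)
        counts[("spam" if v["is_spam"] else "not spam", b)] += 1
        if b == "no SA evidence":
            recheck.append(v["msgid"])
    return counts, recheck


if __name__ == "__main__":
    counts, recheck = triage(SAMPLE_LOG)
    for (verdict, why), n in sorted(counts.items()):
        print(f"{n:5d}  {verdict:8s}  {why}")
    print("re-run through SpamAssassin manually:", ", ".join(recheck))
```

To run it over a real log, pass `open("/var/log/maillog")` to `triage()` instead of `SAMPLE_LOG`.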
From: stork at openenterprise.ca (Johnny Stork) Date: Thu Jul 26 01:01:09 2007 Subject: OT: BarricadeMX Help Message-ID: <46A7E43B.4060708@openenterprise.ca> Skipped content of type multipart/alternative From res at ausics.net Thu Jul 26 02:09:32 2007 
From: res at ausics.net (Res) Date: Thu Jul 26 02:09:41 2007 Subject: BarricadeMX experiences In-Reply-To: References: <11090454.2641185312780535.JavaMail.root@office.splatnix.net><46A67978.6000702@alexb.ch> Message-ID: On Wed, 25 Jul 2007, Koopmann, Jan-Peter wrote: >> since they claim only about 1018 concurrent connections, not likely >> to.. > > Two things: > > 1. As Steve pointed out they have yet to find/hit the limit. They had > well over 2000 concurrent connections. And the claim is 1018 concurrent > connections per CPU. Correct, figures I used are from his website. > 2. The question is why are your concurrent connections so high? One > reason would be an enormously busy mail server. Correct, and the load on these servers is minimal. > having too long SMTP sessions. The truth will be in between. BMX might > even help you shorten the average SMTP session time since it will very > quickly discover badly behaving servers and drop the connections without > having to go through the SpamAssassin hassle. 4 RBLs, a couple of sendmail extra checks like badmx, bad helo and of course no dns checks, greet pause, spf milter and another milter which does a few very nice tricks, not much spam gets in in the first place, and MailScanner seems to get 99% of what does. (I say 99% because to think any setup anywhere gets 100% is being just plain naive) as an example, on only one sendmail box for yesterday (courtesy of logwatch)... MailScanner Status: 2904073 messages Scanned by MailScanner 314 Spam messages detected by MailScanner 27 Content Problems found by MailScanner Most acceptable values I think. -- Cheers Res From res at ausics.net Thu Jul 26 02:17:14 2007 
From: res at ausics.net (Res) Date: Thu Jul 26 02:17:22 2007 Subject: OT: performance smf-sav vs milter-ahead In-Reply-To: <00be01c7cefd$e9cb48d0$0b01010a@DGPTBH91> References: <00be01c7cefd$e9cb48d0$0b01010a@DGPTBH91> Message-ID: Bryan, On Wed, 25 Jul 2007, Bryan Guest wrote: > compared performance between SMF-SAV and Milter-Ahead? Performance impact of smf-sav is not noticeable, not used milter ahead as it's commercial, was intending to try it, but since smf-sav does the job so well, never bothered. However, I have not used the check sender option, only recipient, I do intend to trial the sender checks one day when I get time to sit there and watch it for a few hours. > conjunction with MailScanner? Makes no difference, MS has nothing to do with it, that's all about MTA capability. -- Cheers Res From ugob at lubik.ca Thu Jul 26 02:53:01 2007 
From: ugob at lubik.ca (Ugo Bellavance) Date: Thu Jul 26 02:53:27 2007 Subject: After uninstall cannot chdir in mqueue.in In-Reply-To: <223f97700707251513j17a8a935pfb2b9118b420719d@mail.gmail.com> References: <46A7C40A.9050606@nkpanama.com> <223f97700707251513j17a8a935pfb2b9118b420719d@mail.gmail.com> Message-ID: Glenn Steen wrote: > On 25/07/07, Alex Neuman van der Hans wrote: >> Ugo Bellavance wrote: >> > Kai Schaetzl wrote: >> >> Ugo Bellavance wrote on Wed, 25 Jul 2007 16:12:29 -0400: >> >> >> >>> Now, I get this error in logs... I can't seem to find why sendmail >> >>> is still looking for mqueue.in. >> >> >> >> Sure, that all old sendmail instances have been killed? >> >> >> > >> > I've done a 'killall sendmail' and then a 'service sendmail start' >> > before posting... problem is still there. >> > >> > Ugo >> > >> >> Have you tried a "palpatine-like" "wipe them out - all of them!" with >> killall -9? > this is a *bad thing to do but you do it anyway from time to time*> >> > - > :-) > > I'm sure Ugo is capable of typing a good enough ps command to know if > they all died.... Yes. > Did you remeber to "chkconfig MailScanner off"? And I removed the mailscanner rpm, so there is no MailScanner init script anymore. > "scoured" all sendmail configs for anything containging "mqueue.in"? Yes. grep 'mqueue.in' -r /etc/ returns nothing. > > Cheers From stork at openenterprise.ca Thu Jul 26 05:32:34 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Thu Jul 26 05:32:33 2007 Subject: CRM114 Message-ID: <46A823E2.1070903@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070725/7f1833ab/stork.vcf From prandal at herefordshire.gov.uk Thu Jul 26 08:27:17 2007 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Thu Jul 26 08:27:27 2007 Subject: Spamhaus' xbl-sbl blacklists Question In-Reply-To: <46A7D4C3.6050603@openenterprise.ca> References: <46A7D4C3.6050603@openenterprise.ca> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA013580CA@HC-MBX02.herefordshire.gov.uk> If you are using it, be aware that it has been superseded by zen.spamhaus.org. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Johnny Stork > Sent: 25 July 2007 23:55 > To: MailScanner discussion > Subject: Spamhaus' xbl-sbl blacklists Question > > How/where can I confirm that I am using the Spamhaus' xbl-sbl > blacklists > in mailscanner? > > Thanks > From uxbod at splatnix.net Thu Jul 26 08:30:14 2007 From: uxbod at splatnix.net (UxBoD) Date: Thu Jul 26 08:28:02 2007 Subject: CRM114 In-Reply-To: <46A823E2.1070903@openenterprise.ca> Message-ID: <31465241.3301185435014013.JavaMail.root@office.splatnix.net> Looks interesting. If Jules implements the new custom module it could be hooked in that way to learn anything marked as SPAM. Then, if the claimed results are that good, could be used in front of MailScanner perhaps @ MTA level. ----- Original Message ----- From: "Johnny Stork" To: "MailScanner discussion" Sent: Thursday, July 26, 2007 5:32:34 AM (GMT) Europe/London Subject: CRM114 From jan-peter at koopmann.eu Thu Jul 26 08:36:20 2007 
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Thu Jul 26 08:35:33 2007 Subject: BarricadeMX Help In-Reply-To: References: Message-ID: May I kindly suggest contacting FSL at support@fsl.com ? They will most certainly be able to help you! Kind regards, JP From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Johnny Stork Sent: Thursday, July 26, 2007 2:01 AM To: MailScanner discussion Subject: OT: BarricadeMX Help I have been a happy MailScanner user for years and have heard enough good things about BMX that I thought I would give it a try. I already have a running MailScanner system which handles all incoming mail and then forwards everything to an internal Scalix server. I was hoping to get some help installing the demo of BMX in front of my existing MailScanner setup. But after downloading the tarball and checking the docs, I am stuck with the cryptic sections on route-maps etc so I didn't want to bust my running system. I would be grateful if someone could provide some basic steps for installing on my existing MS system. I just don't want to break what is already working fine. I guess it would be best to contact me off list if anyone can help. I would be very grateful -- Johnny Stork Business & Technology Consultant stork@openenterprise.ca From mailadmin at baladia.gov.kw Thu Jul 26 08:11:50 2007 
From: mailadmin at baladia.gov.kw (simon) Date: Thu Jul 26 08:48:31 2007 Subject: query if mailscanner using clamscan Message-ID: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> Dear All, I have recently installed a new sendmail based mail server and installed mailscanner + Jules' package spamassassin + clamAV and have instructed the clamd virus scanning daemon to be used by MailScanner for scanning email when installing the package. I have also installed clamav, clamav-db and clamd from http://dag.wieers.com/rpm/packages/clamav and everything is working OK. I have clamscan installed in /usr/bin but how could I know if mailscanner is really using the clamd daemon and clamscan to scan emails? Appreciate your help regards simon -- Network Administrator From glenn.steen at gmail.com Thu Jul 26 09:27:37 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jul 26 09:27:39 2007 Subject: After uninstall cannot chdir in mqueue.in In-Reply-To: References: <46A7C40A.9050606@nkpanama.com> <223f97700707251513j17a8a935pfb2b9118b420719d@mail.gmail.com> Message-ID: <223f97700707260127s32f51caw559a5957ae3e1323@mail.gmail.com> On 26/07/07, Ugo Bellavance wrote: > Glenn Steen wrote: > > On 25/07/07, Alex Neuman van der Hans wrote: > >> Ugo Bellavance wrote: > >> > Kai Schaetzl wrote: > >> >> Ugo Bellavance wrote on Wed, 25 Jul 2007 16:12:29 -0400: > >> >> > >> >>> Now, I get this error in logs... I can't seem to find why sendmail > >> >>> is still looking for mqueue.in. > >> >> > >> >> Sure, that all old sendmail instances have been killed? > >> >> > >> > > >> > I've done a 'killall sendmail' and then a 'service sendmail start' > >> > before posting... problem is still there. > >> > > >> > Ugo > >> > > >> > >> Have you tried a "palpatine-like" "wipe them out - all of them!" with > >> killall -9? >> this is a *bad thing to do but you do it anyway from time to time*> > >> > > - > > :-) > > > > I'm sure Ugo is capable of typing a good enough ps command to know if > > they all died.... > > Yes. > > > Did you remeber to "chkconfig MailScanner off"? And > > I removed the mailscanner rpm, so there is no MailScanner init script > anymore. > > > "scoured" all sendmail configs for anything containging "mqueue.in"? > > Yes. grep 'mqueue.in' -r /etc/ returns nothing. > > > > > Cheers > Ok. And doing like Doc suggested didn't help either? I'm certainly no Sendmail guru, but doesn't it keep some form of "binary" state files etc around? That might not be in /etc, nor match a simple grep? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Jul 26 09:37:34 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jul 26 09:37:36 2007 Subject: query if mailscanner using clamscan In-Reply-To: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> Message-ID: <223f97700707260137g7340fac3wca18e3e1d2e5eb80@mail.gmail.com> On 26/07/07, simon wrote: > Dear All, > > i have recently installed new sendmail based mail server and installed > mailscanner + jules packge spamassassin + clamAV and have instructed clamd > virus scanning daemon to be used by mailScanner for scanning email when > installing the package. i have also installed clamav, clamav-db and clamd > from http://dag.wieers.com/rpm/packages/clamav > and everythin workin OK. > i have clamscan installed in /usr/bin > > but how could i know if mailscanner is really using clamd daemon n > clamscan to scan emails > > > Appreciate ur help > > > regards > > simon > Send an EICAR through. Look at the logs/reports. Look at http://wiki.mailscanner.info/doku.php?id=documentation:test_troubleshoot:virus and (for an easy way of sending it) http://wiki.mailscanner.info/doku.php?id=documentation:test_troubleshoot:mta:connexion#eicar_test_message Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From uxbod at splatnix.net Thu Jul 26 09:45:11 2007 From: uxbod at splatnix.net (UxBoD) Date: Thu Jul 26 09:42:57 2007 Subject: After uninstall cannot chdir in mqueue.in In-Reply-To: <223f97700707260127s32f51caw559a5957ae3e1323@mail.gmail.com> Message-ID: <6702394.3391185439511068.JavaMail.root@office.splatnix.net> Well you normally change sendmail.m4 and then run a make which compiles it into the sendmail.mc. But all is clear text so should have been found via the grep. ----- Original Message ----- 
From glenn.steen at gmail.com Thu Jul 26 09:58:20 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Jul 26 09:58:23 2007 Subject: After uninstall cannot chdir in mqueue.in In-Reply-To: <6702394.3391185439511068.JavaMail.root@office.splatnix.net> References: <223f97700707260127s32f51caw559a5957ae3e1323@mail.gmail.com> <6702394.3391185439511068.JavaMail.root@office.splatnix.net> Message-ID: <223f97700707260158r68232f9ex3e167e1c72f44350@mail.gmail.com> On 26/07/07, UxBoD wrote: > Well you normally change sendmail.m4 and then run a make which compiles it into the sendmail.mc. But all is clear text so should have been found via the grep. I know Phil, and that is what Doc suggested, more or less. What I was thinking of was some history or state thing ISTR, but ... that shouldn't have this effect. Grasping at straws, as usual:-). We postmix types should just back out from this one and let the Rendmaulers take care of their own;-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From uxbod at splatnix.net Thu Jul 26 10:27:39 2007 
From: uxbod at splatnix.net (UxBoD) Date: Thu Jul 26 10:25:25 2007 Subject: After uninstall cannot chdir in mqueue.in In-Reply-To: <223f97700707260158r68232f9ex3e167e1c72f44350@mail.gmail.com> Message-ID: <17102073.3451185442059957.JavaMail.root@office.splatnix.net> Ugo. Since doing all the stop/restarts is it the same PID that is being reported in your logfile ? If so, do a ps -fp against to see if it shows up. If not then stop/restart syslog and see if the error still gets produced. If it does then potentially your process stack is corrupt and not showing the process. I would imagine it is somebody more simple, and plain obvious than the above though. Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- 
From MailScanner at ecs.soton.ac.uk Thu Jul 26 11:16:52 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 26 11:17:56 2007 Subject: query if mailscanner using clamscan In-Reply-To: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> Message-ID: <46A87494.6060002@ecs.soton.ac.uk> What does you /etc/MailScanner/virus.scanners.conf say for the clam lines? What does the "Virus Scanners = " line in MailScanner.conf say? simon wrote: > Dear All, > > i have recently installed new sendmail based mail server and installed > mailscanner + jules packge spamassassin + clamAV and have instructed clamd > virus scanning daemon to be used by mailScanner for scanning email when > installing the package. i have also installed clamav, clamav-db and clamd > from http://dag.wieers.com/rpm/packages/clamav > and everythin workin OK. > i have clamscan installed in /usr/bin > > but how could i know if mailscanner is really using clamd daemon n > clamscan to scan emails > > > Appreciate ur help > > > regards > > simon > > > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From maillists at conactive.com Thu Jul 26 12:46:17 2007 
From: maillists at conactive.com (Kai Schaetzl) Date: Thu Jul 26 12:46:21 2007 Subject: After uninstall cannot chdir in mqueue.in In-Reply-To: References: Message-ID: Ugo Bellavance wrote on Wed, 25 Jul 2007 17:39:21 -0400: > I've done a 'killall sendmail' and then a 'service sendmail start' > before posting... problem is still there. Hm. Do the other instances startup? Is there a chance a symlink that you created long ago interferes? (f.i. init.d/sendmail pointing to some test version of the MS init script or so). As UxBoD suggested I'd try if a reboot sorts it out. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Thu Jul 26 13:06:34 2007 From: maillists at conactive.com (Kai Schaetzl) Date: Thu Jul 26 13:06:35 2007 Subject: BarricadeMX experiences In-Reply-To: <46A77B06.50106@sendit.nodak.edu> References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> <46A67DAF.60301@mail.wvnet.edu> <46A77B06.50106@sendit.nodak.edu> Message-ID: Richard Frovarp wrote on Wed, 25 Jul 2007 11:32:06 -0500: > The OP did say he was running sbl+xbl at the mta Yes, but that seems to be the only "protection" for the MTA. Looking at our figures Spamhaus rejections (although the single most source of rejections) account for only 20% of our rejections after greylisting (not sure if rejections occur before or after greylisting). For instance I reject almost as much because of bogus HELOs. Which is also part of BarricadeMX. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Thu Jul 26 13:06:34 2007 
From: maillists at conactive.com (Kai Schaetzl) Date: Thu Jul 26 13:06:37 2007 Subject: MailScanner and password protected archives In-Reply-To: <46A66091.5030008@ecs.soton.ac.uk> References: <46A66091.5030008@ecs.soton.ac.uk> Message-ID: So, Jules, what can we do about that? As I said this seems to have been solved partially in 4.60.1 > - -- "clamavmodule" scanner no longer detects password-protected archives > as viruses, allowing them to be easily released in MailWatch. It's also not clear to me if the "Other Infection" message is because of "Allow Password Protected Archives = no" (so set by MS) or because clamav (not clamavmodule) detects password-protected archives as a virus (so set by clamav). One should be able to store and release password-protected archives with Allow Password Protected Archives = no Keep Spam And MCP Archive Clean = Yes because a password-protected archive is not a virus per se. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From rob at techniumcast.com Thu Jul 26 14:02:19 2007 From: rob at techniumcast.com (Rob Shepherd) Date: Thu Jul 26 14:02:24 2007 Subject: disable virus scanning for one user Message-ID: <46A89B5B.6060000@techniumcast.com> Dear Mailscanner users, I have Mailscanner and Sophos. I've attempted to place a ruleset for virus scanning. Virus Scanning = %rules-dir%/my_virus_scanning.rules I'd like to use To: oneuserinparticular@* no To: default yes but it doesn't seem to work. The conf file notes say all matches lead to a scan (scan) plus the example for virus scanning has a default as "No". Is there a way to reach my desired configuration? Any pointers most appreciated. Thanks and kindest regards Rob -- Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd Technium CAST | LL57 4HJ | http://www.techniumcast.com From maillists at conactive.com Thu Jul 26 14:09:39 2007 
From: maillists at conactive.com (Kai Schaetzl) Date: Thu Jul 26 14:09:42 2007 Subject: BarricadeMX experiences In-Reply-To: <46A78B50.9080803@mail.wvnet.edu> References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> <46A67DAF.60301@mail.wvnet.edu> <46A78B50.9080803@mail.wvnet.edu> Message-ID: Reply-To: mailscanner@lists.mailscanner.info Richard Lynch wrote on Wed, 25 Jul 2007 13:41:36 -0400: > If you or anyone else wants to demonstrate other solutions and compare > them to BarricadeMX you are of course free to do that. Uh? I'm merely telling that you compared apples with oranges and not one sort of apples with another. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From MailScanner at ecs.soton.ac.uk Thu Jul 26 14:08:33 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 26 14:09:49 2007 Subject: MailScanner and password protected archives In-Reply-To: References: <46A66091.5030008@ecs.soton.ac.uk> Message-ID: <46A89CD1.1090801@ecs.soton.ac.uk> Kai Schaetzl wrote: > So, Jules, what can we do about that? As I said this seems to have been > solved partially in 4.60.1 > Only the "Allow Password protected archives" setting will have anything to do with this now. Neither ClamAV or clamavmodule will detect them as viruses. > >> - -- "clamavmodule" scanner no longer detects password-protected archives >> as viruses, allowing them to be easily released in MailWatch. >> > > It's also not clear to me if the "Other Infection" message is because of > "Allow Password Protected Archives = no" (so set by MS) or because clamav > (not clamavmodule) detects password-protected archives as a virus (so set by > clamav). > > One should be able to store and release password-protected archives with > > Allow Password Protected Archives = no > Keep Spam And MCP Archive Clean = Yes > > because a password-protected archive is not a virus per se. > > > > Kai > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From martinh at solidstatelogic.com Thu Jul 26 14:13:24 2007 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Jul 26 14:13:29 2007 Subject: disable virus scanning for one user In-Reply-To: <46A89B5B.6060000@techniumcast.com> Message-ID: <5fe525a075faa548a221ab3ea0a7d905@solidstatelogic.com> Rob Last line should be.. FromOrTo: default yes I think.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
From MailScanner at ecs.soton.ac.uk Thu Jul 26 14:13:39 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 26 14:14:50 2007 Subject: disable virus scanning for one user In-Reply-To: <46A89B5B.6060000@techniumcast.com> References: <46A89B5B.6060000@techniumcast.com> Message-ID: <46A89E03.5040203@ecs.soton.ac.uk> Rob Shepherd wrote: > Dear Mailscanner users, > > I have Mailscanner and Sophos. > > I've attempted to place a ruleset for virus scanning. > > Virus Scanning = %rules-dir%/my_virus_scanning.rules > > I'd like to use > > To: oneuserinparticular@* no > To: default yes > > but It doesn't seem to work. Have you done a "service MailScanner reload" after putting the ruleset file in place? And you put your rules in /etc/MailScanner/rules/my_virus_scanning.rules ? Otherwise, it should work. Personally I would advise changing the 2nd line to Fromorto: default yes but that shouldn't make much difference. > The conf file notes say all matches lead to a scan (scan) plus the > example for virus scanning has a default as "No". > > Is there a way to reach my desired configuration? > > any pointers most appreciated. > > Thanks and kindest regards > > Rob Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From maillists at conactive.com Thu Jul 26 14:17:17 2007 
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Jul 26 14:17:19 2007
Subject: disable virus scanning for one user
In-Reply-To: <46A89B5B.6060000@techniumcast.com>
References: <46A89B5B.6060000@techniumcast.com>
Message-ID:

Rob Shepherd wrote on Thu, 26 Jul 2007 14:02:19 +0100:

> but It doesn't seem to work.

make sure it matches the envelope-to, that may differ from the header-to.
Also, this format may cause undesired results: oneuserinparticular@*
as there can be the same username part under different domains but
pointing to different "real" users.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From campbell at cnpapers.com Thu Jul 26 14:24:47 2007
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Jul 26 14:25:09 2007
Subject: Dag's repo
Message-ID: <46A8A09F.60304@cnpapers.com>

I'm having trouble accessing rpms from Dag's site. I can get the
overview and all but when I try the particular rpm, I get connection
errors. I just built a new box and was trying to get the
rpmforge-release rpm.

Is it me or something else (temporary or permanent)? Anyone else having
problems?

Thanks

Steve Campbell

From glenn.steen at gmail.com Thu Jul 26 14:25:20 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Jul 26 14:25:23 2007
Subject: disable virus scanning for one user
In-Reply-To:
References: <46A89B5B.6060000@techniumcast.com>
Message-ID: <223f97700707260625u7608b670s62cdd4ee4a5374b0@mail.gmail.com>

On 26/07/07, Kai Schaetzl wrote:
> Rob Shepherd wrote on Thu, 26 Jul 2007 14:02:19 +0100:
>
> > but It doesn't seem to work.
>
> make sure it matches the envelope-to, that may differ from the header-to.
> Also, this format may cause undesired results: oneuserinparticular@*
> as there can be the same username part under different domains but
> pointing to different "real" users.
>
> Kai
>
... And check that it is correct with

# MailScanner --value=virusscanning --to=someuser@somewhere.com
Looked up internal option name "virusscan"
With sender =
recipient = someuser@somewhere.com
Client IP =
Virus =
Result is "1"
0=No 1=Yes
#

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From rob at techniumcast.com Thu Jul 26 14:26:21 2007
From: rob at techniumcast.com (Rob Shepherd)
Date: Thu Jul 26 14:26:24 2007
Subject: disable virus scanning for one user
In-Reply-To:
References: <46A89B5B.6060000@techniumcast.com>
Message-ID: <46A8A0FD.7080009@techniumcast.com>

Thanks to Martin R, Julian F, Kai S for your responses.

I recreated the rules file and retyped the configuration in
MailScanner.conf, according to what was mentioned and it works.

virtually the same as my original, must have been a typo error. It was
good to have it confirmed though. I wasn't and still am not sure of
the meaning of the notes above 'Virus Scanning'.

But anyhow, problem solved.

thanks again

Rob

--
Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
Technium CAST | LL57 4HJ | http://www.techniumcast.com
rob@techniumcast.com | 01248 675024 | 077988 72480

From maillists at conactive.com Thu Jul 26 14:28:50 2007
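Kai's two caveats in this thread (rules match the envelope recipient, and `oneuserinparticular@*` matches that local part at every domain) can be checked offline with a small model of the ruleset lookup. This is an added example, not MailScanner's code: the first-match evaluation, the `*`-only wildcard handling, the strict parser and the example.org / example.net / example.com addresses are assumptions made for illustration.

```python
"""Simplified model of a MailScanner-style address ruleset (added example).

Assumptions: rules are checked top to bottom and the first match wins,
'*' is the only wildcard, and malformed lines are rejected outright.
"""
import re

DIRECTIONS = ("from:", "to:", "fromorto:", "fromandto:")


def _compile(pattern):
    # Treat '*' as "any run of characters"; everything else is literal.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(f"^{body}$", re.IGNORECASE)


def parse_ruleset(text):
    """Parse 'Direction pattern yes|no' lines into (rules, default)."""
    rules, default = [], None
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {number}: expected 3 fields: {raw!r}")
        direction, pattern, value = (f.lower() for f in fields)
        if direction not in DIRECTIONS:
            raise ValueError(f"line {number}: unknown direction {fields[0]!r}")
        if value not in ("yes", "no"):
            raise ValueError(f"line {number}: value must be yes or no")
        if pattern == "default":
            default = value == "yes"
        else:
            rules.append((direction, _compile(pattern), value == "yes"))
    if default is None:
        raise ValueError("ruleset has no default rule")
    return rules, default


def lookup(ruleset, sender, recipient):
    """Return True if mail for this envelope pair would be virus-scanned."""
    rules, default = ruleset
    for direction, regex, value in rules:
        from_hit = bool(regex.match(sender))
        to_hit = bool(regex.match(recipient))
        hit = {
            "from:": from_hit,
            "to:": to_hit,
            "fromorto:": from_hit or to_hit,
            "fromandto:": from_hit and to_hit,
        }[direction]
        if hit:
            return value
    return default


def unscanned(ruleset, sender, envelope_recipients):
    """List the envelope recipients whose mail would skip virus scanning."""
    return sorted(r for r in envelope_recipients if not lookup(ruleset, sender, r))


# Ruleset as posted in the thread, with the suggested FromOrTo default.
THREAD_RULESET = """\
To:       oneuserinparticular@*  no
FromOrTo: default                yes
"""

# Same intent, pinned to one domain. example.org is a constructed placeholder.
PINNED_RULESET = """\
To:       oneuserinparticular@example.org  no
FromOrTo: default                          yes
"""

# Constructed envelope data: the same local part exists in two domains.
SENDER = "sender@example.com"
RECIPIENTS = [
    "oneuserinparticular@example.org",
    "oneuserinparticular@example.net",
    "someoneelse@example.org",
]

# Constructed message whose header To: differs from its envelope recipient.
MESSAGE = {
    "header_to": "oneuserinparticular@example.org",
    "envelope_to": "someoneelse@example.org",
}


def scanned_for(ruleset, message, sender=SENDER):
    """Decide from the envelope recipient; the header To: is never consulted."""
    return lookup(ruleset, sender, message["envelope_to"])


if __name__ == "__main__":
    for name, text in (("thread", THREAD_RULESET), ("pinned", PINNED_RULESET)):
        rs = parse_ruleset(text)
        print(name, "unscanned:", unscanned(rs, SENDER, RECIPIENTS))
        print(name, "header/envelope mismatch scanned:", scanned_for(rs, MESSAGE))
```

On a live system the authoritative answer remains the `MailScanner --value=virusscanning --to=...` lookup shown in Glenn's reply.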
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Jul 26 14:28:53 2007
Subject: MailScanner and password protected archives
In-Reply-To: <46A89CD1.1090801@ecs.soton.ac.uk>
References: <46A66091.5030008@ecs.soton.ac.uk> <46A89CD1.1090801@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Thu, 26 Jul 2007 14:08:33 +0100:

> Only the "Allow Password protected archives" setting will have anything
> to do with this now. Neither ClamAV or clamavmodule will detect them as
> viruses.

which means that
Keep Spam And MCP Archive Clean = Yes
has not an impact either after 4.60.1 and the protected archive will be
stored in the quarantine?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Thu Jul 26 14:34:35 2007
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Jul 26 14:34:37 2007
Subject: Dag's repo
In-Reply-To: <46A8A09F.60304@cnpapers.com>
References: <46A8A09F.60304@cnpapers.com>
Message-ID:

Steve Campbell wrote on Thu, 26 Jul 2007 09:24:47 -0400:

> I'm having trouble accessing rpms from Dag's site. I can get the
> overview and all but when I try the particular rpm, I get connection
> errors. I just built a new box and was trying to get the
> rpmforge-release rpm.

Do you mean a link on http://dag.wieers.com/rpm/packages/rpmforge-release/
? Yes, there seem to be problems, can't get the one I tested.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From MailScanner at ecs.soton.ac.uk Thu Jul 26 14:36:55 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 26 14:38:30 2007
Subject: disable virus scanning for one user
In-Reply-To: <46A8A0FD.7080009@techniumcast.com>
References: <46A89B5B.6060000@techniumcast.com> <46A8A0FD.7080009@techniumcast.com>
Message-ID: <46A8A377.5010908@ecs.soton.ac.uk>

Rob Shepherd wrote:
> Thanks to Martin R, Julian F, Kai S for your responses.
>
> I recreated the rules file and retyped the configuration in
> MailScanner.conf, according to what was mentioned and it works.
>
> virtually the same as my original, must have been a typo error. It was
> good to have it confirmed though. I wasn't and still am not sure of
> the meaning of the notes above 'Virus Scanning'.

What bit don't you understand about the notes? I would like to make them
easy to understand.

>
> But anyhow, problem solved.
>
> thanks again
>
> Rob
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From stork at openenterprise.ca Thu Jul 26 14:50:54 2007
From: stork at openenterprise.ca (Johnny Stork)
Date: Thu Jul 26 14:51:18 2007
Subject: BarricadeMX Help
In-Reply-To:
References:
Message-ID: <46A8A6BE.4020500@openenterprise.ca>

Skipped content of type multipart/alternative

From campbell at cnpapers.com Thu Jul 26 14:56:50 2007
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Jul 26 14:56:56 2007
Subject: Dag's repo
In-Reply-To:
References: <46A8A09F.60304@cnpapers.com>
Message-ID: <46A8A822.7040204@cnpapers.com>

All better now. Thanks Kai for the posting.

Steve

Kai Schaetzl wrote:
> Steve Campbell wrote on Thu, 26 Jul 2007 09:24:47 -0400:
>
>
>> I'm having trouble accessing rpms from Dag's site. I can get the
>> overview and all but when I try the particular rpm, I get connection
>> errors. I just built a new box and was trying to get the
>> rpmforge-release rpm.
>>
>
> Do you mean a link on http://dag.wieers.com/rpm/packages/rpmforge-release/
> ? Yes, there seem to be problems, can't get the one I tested.
>
> Kai
>
>

From rob at techniumcast.com Thu Jul 26 15:00:54 2007
From: rob at techniumcast.com (Rob Shepherd)
Date: Thu Jul 26 15:00:58 2007
Subject: disable virus scanning for one user
In-Reply-To: <46A8A377.5010908@ecs.soton.ac.uk>
References: <46A89B5B.6060000@techniumcast.com> <46A8A0FD.7080009@techniumcast.com> <46A8A377.5010908@ecs.soton.ac.uk>
Message-ID: <46A8A916.9070907@techniumcast.com>

Julian Field wrote:
> What bit don't you understand about the notes? I would like to make them
> easy to understand.
>
> Jules
>

Thanks Jules, for your motivation.... :)

Here's the text, taken from stable
http://www.mailscanner.info/files/4/tar/MailScanner-install-4.61.7-2.tar.gz

> # Virus Scanning and Vulnerability Testing
> # ----------------------------------------
> #
>
> # Do you want to scan email for viruses?
> # A few people don't have a virus scanner licence and so want to disable
> # all the virus scanning.
> # If you use a ruleset for this setting, then the mail will be scanned if
> # *any* of the rules match (except the default). That way unscanned mail
> # never reaches a user who is having their mail virus-scanned.
> #
> # If you want to be able to switch scanning on/off for different users or
> # different domains, set this to the filename of a ruleset.
> # This can also be the filename of a ruleset.
> Virus Scanning = yes

looking at....

"mail will be scanned if *any* of the rules match (except the default)"

I read this as....

given file syntax....

direction pattern result

result will always be "yes" if direction and pattern positively match.

thus returning... Virus Scanning = "yes" to MailScanner.conf

This has proved not to be the case as I have successfully produced a file
with explicit Virus Scanning = "no" substitutions from rules with the
default => yes.

I didn't take the time to work out what the subsequent statement means
regarding unscanned mail etc...

Cheers

Rob

--
Rob Shepherd BEng PhD | Computer and Network Engineer | CAST Ltd
Technium CAST | LL57 4HJ | http://www.techniumcast.com
rob@techniumcast.com | 01248 675024 | 077988 72480

From ka at pacific.net Thu Jul 26 15:10:13 2007
From: ka at pacific.net (Ken A)
Date: Thu Jul 26 15:10:16 2007
Subject: OT: performance smf-sav vs milter-ahead
In-Reply-To: <00be01c7cefd$e9cb48d0$0b01010a@DGPTBH91>
References: <00be01c7cefd$e9cb48d0$0b01010a@DGPTBH91>
Message-ID: <46A8AB45.5030001@pacific.net>

Bryan Guest wrote:
> Hello
>
> With my apologies for the off topic nature of this question, has anyone
> compared performance between SMF-SAV and Milter-Ahead?
>
> If so, is there an appreciable difference when using one or the other in
> conjunction with MailScanner?
>
> Many thanks to Julian Field and everyone on this list for MailScanner
> and the support it receives. I sincerely appreciate any feedback provided.
>
> Bryan Guest
> Bruce Telecom

smf-sav seems okay, but watch out for:

// if (verify && strcmp(verify, "OK") == 0) return SMFIS_ACCEPT;

..which says "If the client ssl client certificate verifies with an
authority, then skip the milters". That's a bad assumption. I just
commented out the line in the code and recompiled (Yes, I reported it).

I have not looked at how milter-ahead handles this, or how well it
works, though its codebase is certainly more mature and well tested.

Ken

--
Ken Anderson
Pacific.Net

From Richard.Frovarp at sendit.nodak.edu Thu Jul 26 15:39:56 2007
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Thu Jul 26 15:40:00 2007
Subject: BarricadeMX experiences
In-Reply-To:
References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> <46A67DAF.60301@mail.wvnet.edu> <46A77B06.50106@sendit.nodak.edu>
Message-ID: <46A8B23C.6060801@sendit.nodak.edu>

Kai Schaetzl wrote:
> Richard Frovarp wrote on Wed, 25 Jul 2007 11:32:06 -0500:
>
>
>> The OP did say he was running sbl+xbl at the mta
>>
>
> Yes, but that seems to be the only "protection" for the MTA. Looking at
> our figures Spamhaus rejections (although the single most source of
> rejections) account for only 20% of our rejections after greylisting (not
> sure if rejections occur before or after greylisting). For instance I
> reject almost as much because of bogus HELOs. Which is also part of
> BarricadeMX.
>
> Kai
>
>

From my testing it goes:

greet pause
rbls
greylist
bad user

I'm guessing that the bogus HELOs would be around the rbl time.
greylisting doesn't reject until the rcpt to, and it does it before a
valid user check is done against LDAP.

From Richard.Frovarp at sendit.nodak.edu Thu Jul 26 15:41:58 2007
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Thu Jul 26 15:42:00 2007
Subject: switching clamavmodule -> clamd
In-Reply-To: <008f01c7cefd$016dcf90$0b01010a@DGPTBH91>
References: <008f01c7cefd$016dcf90$0b01010a@DGPTBH91>
Message-ID: <46A8B2B6.3070906@sendit.nodak.edu>

Bryan Guest wrote:
> 5) Will switching to clamd help with botched clamav database updates?
>
> We have been trying to run the 0.9x versions of ClamAV and have been
> bitten twice by damaged or failed database updates when a major
> release occurs. Does switching to clamd have any effect on this
> situation?

As others have said, you need to make sure you have the correct value
for Monitors for ClamAV Updates. We have 5 boxes running clamavmodule
and haven't had an issue with any of the updates this year, or ever to
my knowledge.

From mailadmin at baladia.gov.kw Thu Jul 26 15:07:33 2007
From: mailadmin at baladia.gov.kw (simon)
Date: Thu Jul 26 15:44:06 2007
Subject: query if mailscanner using clamscan
In-Reply-To: <46A87494.6060002@ecs.soton.ac.uk>
References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk>
Message-ID: <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw>

Thanks Guys for your quick reply,

Btw i did forget to mention and ask u wht new should be added to
virus.scanners.conf file since after the script was run there is a
/etc/MailScanner/virus.scanners.conf.bak file

here the clam lines for the /etc/MailScanner/virus.scanners.conf

------------------------

clamav /usr/lib/MailScanner/clamav-wrapper /usr
clamd /bin/false /usr
clamavmodule /bin/false /tmp

------------------------------------------
i guess this above file does not reference clamscan if im right..
do let me know if i hav to edit this file.
my clamscan is in /usr/bin
n clamd is in /usr/sbin

and in MailScanner.conf it says

Virus Scanners = auto

i did keep it auto as i will install bitdefender later and would like MS
to search for the installed antivirus software

Appreciate your help

Thanks and regards

simon

> What does your /etc/MailScanner/virus.scanners.conf say for the clam lines?
> What does the "Virus Scanners = " line in MailScanner.conf say?
>
> simon wrote:
>> Dear All,
>>
>> i have recently installed new sendmail based mail server and installed
>> mailscanner + jules package spamassassin + clamAV and have instructed
>> clamd
>> virus scanning daemon to be used by mailScanner for scanning email when
>> installing the package. i have also installed clamav, clamav-db and
>> clamd
>> from http://dag.wieers.com/rpm/packages/clamav
>> and everythin workin OK.
>> i have clamscan installed in /usr/bin
>>
>> but how could i know if mailscanner is really using clamd daemon n
>> clamscan to scan emails
>>
>>
>> Appreciate ur help
>>
>>
>> regards
>>
>> simon
>>
>
> Jules
>

--
Network Administrator

From MailScanner at ecs.soton.ac.uk Thu Jul 26 15:49:27 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 26 15:49:43 2007
Subject: query if mailscanner using clamscan
In-Reply-To: <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw>
References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw>
Message-ID: <46A8B477.60603@ecs.soton.ac.uk>

If you are running the RPM version of clamav then your
virus.scanners.conf file is right, as clamscan is in /usr/bin/clamscan.
Check that 'auto' is picking them up correctly by doing a "MailScanner
--lint".

simon wrote:
> Thanks Guys for your quick reply,
>
> Btw i did forget to mention and ask u wht new should be added to
> virus.scanners.conf file since after the script was run there is a
> /etc/MailScanner/virus.scanners.conf.bak file
>
> here the clam lines for the /etc/MailScanner/virus.scanners.conf
>
> ------------------------
>
> clamav /usr/lib/MailScanner/clamav-wrapper /usr
> clamd /bin/false /usr
> clamavmodule /bin/false /tmp
>
> ------------------------------------------
> i guess this above file does not reference clamscan if im right..
> do let me know if i hav to edit this file.
> my clamscan is in /usr/bin
> n clamd is in /usr/sbin
>
> and in MailScanner.conf it says
>
> Virus Scanners = auto
>
> i did keep it auto as i will install bitdefender later and would like MS
> to search for the installed antivirus software
>
> Appreciate your help
>
> Thanks and regards
>
> simon
>
>> What does your /etc/MailScanner/virus.scanners.conf say for the clam lines?
>> What does the "Virus Scanners = " line in MailScanner.conf say?
>>
>> simon wrote:
>>
>>> Dear All,
>>>
>>> i have recently installed new sendmail based mail server and installed
>>> mailscanner + jules package spamassassin + clamAV and have instructed
>>> clamd
>>> virus scanning daemon to be used by mailScanner for scanning email when
>>> installing the package. i have also installed clamav, clamav-db and
>>> clamd
>>> from http://dag.wieers.com/rpm/packages/clamav
>>> and everythin workin OK.
>>> i have clamscan installed in /usr/bin
>>>
>>> but how could i know if mailscanner is really using clamd daemon n
>>> clamscan to scan emails
>>>
>>>
>>> Appreciate ur help
>>>
>>>
>>> regards
>>>
>>> simon
>>>
>> Jules
>>

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From glenn.steen at gmail.com Thu Jul 26 15:54:23 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Jul 26 15:54:24 2007
Subject: query if mailscanner using clamscan
In-Reply-To: <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw>
References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw>
Message-ID: <223f97700707260754u2871dfe0id2706cc38a8e70f7@mail.gmail.com>

On 26/07/07, simon wrote:
>
>
> Thanks Guys for your quick reply,
>
> Btw i did forget to mention and ask u wht new should be added to
> virus.scanners.conf file since after the script was run there is a
> /etc/MailScanner/virus.scanners.conf.bak file
>
> here the clam lines for the /etc/MailScanner/virus.scanners.conf
>
> ------------------------
>
> clamav /usr/lib/MailScanner/clamav-wrapper /usr
> clamd /bin/false /usr
> clamavmodule /bin/false /tmp
>
> ------------------------------------------
> i guess this above file does not reference clamscan if im right..

No. Since you are running with Dags RPMs, the first one (clamav) is
actually for clamscan... and it is correct. The other ones are for
clamd and clamavmodule respectively, but they need the first one to be
correct for freshclam updates.

> do let me know if i hav to edit this file.
> my clamscan is in /usr/bin
> n clamd is in /usr/sbin

No edits needed, no.

>
> and in MailScanner.conf it says
>
> Virus Scanners = auto

IIRC that would lead to clamavmodule being used. Which is OK. When the
module is being used, you will see no clamav processes, but you'll see
it in the logs.

> i did keep it auto as i will install bitdefender later and would like MS
> to search for the installed antivirus software
>
> Appreciate your help
>
> Thanks and regards
>
> simon
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From steve.freegard at fsl.com Thu Jul 26 16:07:24 2007
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Jul 26 16:07:28 2007
Subject: BarricadeMX experiences
In-Reply-To:
References: <11090454.2641185312780535.JavaMail.root@office.splatnix.net><46A67978.6000702@alexb.ch>
Message-ID: <46A8B8AC.1030104@fsl.com>

Res wrote:
>> Two things:
>>
>> 1. As Steve pointed out they have yet to find/hit the limit. They had
>> well over 2000 concurrent connections. And the claim is 1018 concurrent
>> connections per CPU.
>
> Correct, figures I used are from his website.
>

Yes - as mentioned by Steve earlier - we have yet to find the
limit on the number of concurrent connections that it will handle. I've
hit other limits in the Linux TCP stack first (which required a bit of
kernel tuning via /proc).

We believe in truth in our Marketing materials, so we picked a value
that we knew we could achieve that we had seen on a live system. I
don't personally believe in publishing pie-in-the-sky figures based on
testing in a 'lab' as there is no way to accurately emulate a live SMTP
stream from thousands of clients with varying latency and behaviour.

> 4 RBL's, a couple of sendmail extra checks like badmx, bad helo and of
> course no dns checks, greet pause, spf milter and another milter which
> does a few very nice tricks, not much spam gets in in the first place,
> and MailScanner seems to get 99% of what does. (I say 99% because to
> think any setup anywhere gets 100% is being just plain naive)

Now - who is quoting figures without basis. Have *you* done two
separate tests on the same million or so mails and published the results
like you asked of the original poster?

The reason we decided to go the SMTP proxy route with BarricadeMX
instead of a 'super' milter (e.g. like MIMEdefang) was because the
milter API is too much of a limiting factor as there are things that you
simply cannot do with it.

> as an example, on only one sendmail box for yesterday (courtesy of
> logwatch)...
> MailScanner Status:
> 2904073 messages Scanned by MailScanner
> 314 Spam messages detected by MailScanner
> 27 Content Problems found by MailScanner
>
> Most acceptable values I think.
>

Yes - those figures are OK. It depends on a lot of factors though
doesn't it.

Kind regards,
Steve.

From mailadmin at baladia.gov.kw Thu Jul 26 15:31:45 2007
From: mailadmin at baladia.gov.kw (simon)
Date: Thu Jul 26 16:08:18 2007
Subject: query if mailscanner using clamscan
In-Reply-To: <46A8B477.60603@ecs.soton.ac.uk>
References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk>
Message-ID: <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw>

Thanks again guys for ur immediate reply

here the MailScanner --lint output..

Read 797 hostnames from the phishing whitelist
Checking version numbers...
Version number in MailScanner.conf (4.61.7) is correct.
--------------------------------------------------------------
Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = posix
Creating hardcoded struct_flock subroutine for linux (Linux-type)
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamav
-----------------------------------------------------------------

guess its fine... but it has no reference to clamscan or clamd

regards

simon

> If you are running the RPM version of clamav then your
> virus.scanners.conf file is right, as clamscan is in /usr/bin/clamscan.
> Check that 'auto' is picking them up correctly by doing a "MailScanner
> --lint".
>
> simon wrote:
>> Thanks Guys for your quick reply,
>>
>> Btw i did forget to mention and ask u wht new should be added to
>> virus.scanners.conf file since after the script was run there is a
>> /etc/MailScanner/virus.scanners.conf.bak file
>>
>> here the clam lines for the /etc/MailScanner/virus.scanners.conf
>>
>> ------------------------
>>
>> clamav /usr/lib/MailScanner/clamav-wrapper /usr
>> clamd /bin/false /usr
>> clamavmodule /bin/false /tmp
>>
>> ------------------------------------------
>> i guess this above file does not reference clamscan if im right..
>> do let me know if i hav to edit this file.
>> my clamscan is in /usr/bin
>> n clamd is in /usr/sbin
>>
>> and in MailScanner.conf it says
>>
>> Virus Scanners = auto
>>
>> i did keep it auto as i will install bitdefender later and would like
>> MS
>> to search for the installed antivirus software
>>
>> Appreciate your help
>>
>> Thanks and regards
>>
>> simon
>>
>>> What does your /etc/MailScanner/virus.scanners.conf say for the clam
>>> lines?
>>> What does the "Virus Scanners = " line in MailScanner.conf say?
>>>
>>> simon wrote:
>>>
>>>> Dear All,
>>>>
>>>> i have recently installed new sendmail based mail server and installed
>>>> mailscanner + jules package spamassassin + clamAV and have instructed
>>>> clamd
>>>> virus scanning daemon to be used by mailScanner for scanning email
>>>> when
>>>> installing the package. i have also installed clamav, clamav-db and
>>>> clamd
>>>> from http://dag.wieers.com/rpm/packages/clamav
>>>> and everythin workin OK.
>>>> i have clamscan installed in /usr/bin
>>>>
>>>> but how could i know if mailscanner is really using clamd daemon n
>>>> clamscan to scan emails
>>>>
>>>>
>>>> Appreciate ur help
>>>>
>>>>
>>>> regards
>>>>
>>>> simon
>>>>
>>> Jules
>>>
>
> Jules
>

--
Network Administrator

From gmatt at nerc.ac.uk Thu Jul 26 16:17:15 2007
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Thu Jul 26 16:17:24 2007
Subject: BarricadeMX experiences
In-Reply-To: <46A8B8AC.1030104@fsl.com>
References: <11090454.2641185312780535.JavaMail.root@office.splatnix.net><46A67978.6000702@alexb.ch> <46A8B8AC.1030104@fsl.com>
Message-ID: <46A8BAFB.6060802@nerc.ac.uk>

Steve Freegard wrote:
> We believe in truth in our Marketing materials, so we picked a value
> that we knew we could achieve that we had seen on a live system. I
> don't personally believe in publishing pie-in-the-sky figures based on
> testing in a 'lab' as there is no way to accurately emulate a live SMTP
> stream from thousands of clients with varying latency and behaviour.

um... just stick a promiscuous MTA configuration on the 'net and publish
the MX. You'll soon have thousands of clients of all "colour" limited
only by your bandwidth!

We use a system with a lower priority MX record for "live" testing.

G

--
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

From steve.freegard at fsl.com Thu Jul 26 16:20:49 2007
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Jul 26 16:20:53 2007
Subject: BarricadeMX experiences
In-Reply-To: <46A8B23C.6060801@sendit.nodak.edu>
References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> <46A67DAF.60301@mail.wvnet.edu> <46A77B06.50106@sendit.nodak.edu> <46A8B23C.6060801@sendit.nodak.edu>
Message-ID: <46A8BBD1.7020308@fsl.com>

Richard Frovarp wrote:
> Kai Schaetzl wrote:
>> Richard Frovarp wrote on Wed, 25 Jul 2007 11:32:06 -0500:
>>
>>
>>> The OP did say he was running sbl+xbl at the mta
>>>
>>
>> Yes, but that seems to be the only "protection" for the MTA. Looking
>> at our figures Spamhaus rejections (although the single most source of
>> rejections) account for only 20% of our rejections after greylisting
>> (not sure if rejections occur before or after greylisting). For
>> instance I reject almost as much because of bogus HELOs. Which is also
>> part of BarricadeMX.
>>
>> Kai
>>
>>
>
> From my testing it goes:
>
> greet pause
> rbls
> greylist
> bad user
>
> I'm guessing that the bogus HELOs would be around the rbl time.
> greylisting doesn't reject until the rcpt to, and it does it before a
> valid user check is done against LDAP.

All this sort of stuff will vary massively over each site as there are
lots of variables (e.g. number of domains, average age of the domain,
type of user, user habits etc. etc.) that govern the type of spam each
site will get and thus the types of rejections that are possible. So
what works well for one site won't necessarily work well for the other.

While a couple of people (Res mainly) have noted that you can use
milters, Exim routers or Postfix policy daemons to achieve some of the
common stuff to get rid of spam at the MTA level - the reason we chose
to develop BarricadeMX as an SMTP proxy was because none of these
methods gave us enough control over what we wanted to be able to do.
For example - the milter API does not allow you to instruct Sendmail to rate limit its command responses or give feedback on how many other concurrent connections a given IP address has etc. It also suffers from the fact all the communications have to go via a socket etc.

Here are some typical stats from a running BarricadeMX system, not all of the percentages relate to rejections, some are informational only and some are not enabled - but it gives an idea of the amount of tests that are carried out.

214-2.0.0 smtpf/1.0.146 (runtime)
214-2.0.0 start-time=Wed, 25 Jul 2007 00:03:08 -0400
214-2.0.0 age=125422
214-2.0.0 active-connections=725
214-2.0.0 high-connections=1382 (100.00%)
214-2.0.0 high-connections-per-second=22 (100.00%)
214-2.0.0 high-session-time=4624 (100.00%)
214-2.0.0 total-KB=7153778 (100.00%)
214-2.0.0 CLIENTS=1237908 (100.00%)
214-2.0.0 dropped=1049469 (84.78%)
214-2.0.0 data-354=91549 (7.40%)
214-2.0.0 client-io-error=164995 (13.33%)
214-2.0.0 client-timeout=12933 (1.04%)
214-2.0.0 server-io-error=55353 (4.47%)
214-2.0.0 admin-commands=2 (0.00%)
214-2.0.0 auth-pass=0 (0.00%)
214-2.0.0 auth-fail=0 (0.00%)
214-2.0.0 bogus-helo=857 (0.07%)
214-2.0.0 concurrent=587 (0.05%)
214-2.0.0 connect-bl=82395 (6.66%)
214-2.0.0 connect-lan=0 (0.00%)
214-2.0.0 connect-localhost=5 (0.00%)
214-2.0.0 connect-relay=5 (0.00%)
214-2.0.0 connect-wl=961 (0.08%)
214-2.0.0 dns-bl=416763 (33.67%)
214-2.0.0 dns-gl=24269 (1.96%)
214-2.0.0 dns-wl=0 (0.00%)
214-2.0.0 ehlo-no-helo=29930 (2.42%)
214-2.0.0 helo-claims-us=0 (0.00%)
214-2.0.0 helo-ip-mismatch=33414 (2.70%)
214-2.0.0 helo-schizophrenic=7282 (0.59%)
214-2.0.0 idle-retest-timer=87 (0.01%)
214-2.0.0 rate-client=40199 (3.25%)
214-2.0.0 rate-throttle=8105 (0.65%)
214-2.0.0 client-ip-in-ptr=0 (0.00%)
214-2.0.0 client-ptr-required=311762 (25.18%)
214-2.0.0 client-ptr-required-error=18088 (1.46%)
214-2.0.0 rfc2821-strict-helo=12541 (1.01%)
214-2.0.0 smtp-command-non-ascii=3055 (0.25%)
214-2.0.0 smtp-command-pause=89673 (7.24%)
214-2.0.0 smtp-drop-after=1152 (0.09%)
214-2.0.0 smtp-drop-unknown=452 (0.04%)
214-2.0.0 smtp-enable-esmtp=350765 (28.34%)
214-2.0.0 smtp-greet-pause=195045 (15.76%)
214-2.0.0 smtp-reject-delay=0 (0.00%)
214-2.0.0 uri-bl-helo=1658 (0.13%)
214-2.0.0 uri-bl-ptr=7906 (0.64%)
214-2.0.0 SENDERS=671843 (100.00%)
214-2.0.0 null-sender=68425 (10.18%)
214-2.0.0 call-back-cache=0 (0.00%)
214-2.0.0 call-back-made=0 (0.00%)
214-2.0.0 cli-envelope=0 (0.00%)
214-2.0.0 client-is-mx=64122 (9.54%)
214-2.0.0 grey-continue=6468 (0.96%)
214-2.0.0 grey-tempfail=54954 (8.18%)
214-2.0.0 mail-bl=129 (0.02%)
214-2.0.0 mail-wl=300 (0.04%)
214-2.0.0 mail-parse=1238 (0.18%)
214-2.0.0 require-sender-mx=530 (0.08%)
214-2.0.0 require-sender-mx-error=1138 (0.17%)
214-2.0.0 siq-query-cache=0 (0.00%)
214-2.0.0 siq-query-made=0 (0.00%)
214-2.0.0 siq-score-reject=0 (0.00%)
214-2.0.0 siq-score-tag=0 (0.00%)
214-2.0.0 spf-pass=16970 (2.53%)
214-2.0.0 spf-fail=2678 (0.40%)
214-2.0.0 spf-none=176221 (26.23%)
214-2.0.0 spf-neutral=3591 (0.53%)
214-2.0.0 spf-softfail=8241 (1.23%)
214-2.0.0 spf-perm-error=555 (0.08%)
214-2.0.0 spf-temp-error=7835 (1.17%)
214-2.0.0 uri-bl-mail=19467 (2.90%)
214-2.0.0 RECIPIENTS=201118 (100.00%)
214-2.0.0 rcpt-reject=51545 (25.63%)
214-2.0.0 one-rcpt-per-null=9 (0.00%)
214-2.0.0 rcpt-bl=0 (0.00%)
214-2.0.0 rcpt-wl=49 (0.02%)
214-2.0.0 rcpt-parse=4 (0.00%)
214-2.0.0 MESSAGES=95646 (100.00%)
214-2.0.0 msg-accept=81757 (85.48%)
214-2.0.0 msg-discard=0 (0.00%)
214-2.0.0 msg-drop=331 (0.35%)
214-2.0.0 msg-reject=13497 (14.11%)
214-2.0.0 dsn-sent=216 (0.23%)
214-2.0.0 7bit-headers=0 (0.00%)
214-2.0.0 cli-content=0 (0.00%)
214-2.0.0 infected=0 (0.00%)
214-2.0.0 junk-mail=0 (0.00%)
214-2.0.0 line-length=0 (0.00%)
214-2.0.0 message-limit=0 (0.00%)
214-2.0.0 message-size=0 (0.00%)
214-2.0.0 ret-pass=0 (0.00%)
214-2.0.0 ret-fail=0 (0.00%)
214-2.0.0 ret-ttl=0 (0.00%)
214-2.0.0 strict-dot=0 (0.00%)
214-2.0.0 uri-bl=13475 (14.09%)
214-2.0.0 uri-max-limit=0 (0.00%)
214-2.0.0 uri-max-test=3685 (3.85%)
214 2.0.0 End.

I can also tell you that no one who tries this will get the same results - there are simply too many factors. What I can tell you is that no MTA or MTA plug-in can do some of these tests as they simply are not able to (the only thing that might come close is qpsmtpd) and it will significantly reduce the amount of messages input to your MTA and to MailScanner to allow it to scale better on the same amount of hardware as that was its original design goal.

Kind regards,
Steve.

From MailScanner at ecs.soton.ac.uk Thu Jul 26 16:23:20 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 26 16:23:34 2007 Subject: query if mailscanner using clamscan In-Reply-To: <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> Message-ID: <46A8BC68.1020901@ecs.soton.ac.uk>

In which case 'auto' will only use 'clamav'. To find 'clamavmodule' you must have the module installed. To find 'clamd' the daemon must be running, and the Clamd-specific MailScanner.conf options must be set correctly.

simon wrote:
> Thanks again guys for ur immediate reply
>
> here the MailScanner --lint output..
>
> Read 797 hostnames from the phishing whitelist
> Checking version numbers...
> Version number in MailScanner.conf (4.61.7) is correct.
> --------------------------------------------------------------
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temporary working directory is
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> Using locktype = posix
> Creating hardcoded struct_flock subroutine for linux (Linux-type)
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamav
>
> -----------------------------------------------------------------
>
> guess it's fine... but it has no reference to clamscan or clamd
>
> regards
>
> simon
>
>> If you are running the RPM version of clamav then your
>> virus.scanners.conf file is right, as clamscan is in /usr/bin/clamscan.
>> Check that 'auto' is picking them up correctly by doing a "MailScanner
>> --lint".
>>
>> simon wrote:
>>
>>> Thanks Guys for your quick reply,
>>>
>>> Btw i did forget to mention and ask u what new should be added to
>>> virus.scanners.conf file since after the script was run there is a
>>> /etc/MailScanner/virus.scanners.conf.bak file
>>>
>>> here the clam lines for the /etc/MailScanner/virus.scanners.conf
>>>
>>> ------------------------
>>>
>>> clamav /usr/lib/MailScanner/clamav-wrapper /usr
>>> clamd /bin/false /usr
>>> clamavmodule /bin/false /tmp
>>>
>>> ------------------------------------------
>>> i guess this above file does not reference clamscan if im right..
>>> do let me know if i have to edit this file.
>>> my clamscan is in /usr/bin
>>> n clamd is in /usr/sbin
>>>
>>> and in MailScanner.conf it says
>>>
>>> Virus Scanners = auto
>>>
>>> i did keep it auto as i will install bitdefender later and would like
>>> MS to search for the installed antivirus software
>>>
>>> Appreciate your help
>>>
>>> Thanks and regards
>>>
>>> simon
>>>
>>>> What does your /etc/MailScanner/virus.scanners.conf say for the clam
>>>> lines?
>>>> What does the "Virus Scanners = " line in MailScanner.conf say?
>>>>
>>>> simon wrote:
>>>>
>>>>> Dear All,
>>>>>
>>>>> i have recently installed new sendmail based mail server and installed
>>>>> mailscanner + jules package spamassassin + clamAV and have instructed
>>>>> clamd virus scanning daemon to be used by mailScanner for scanning email
>>>>> when installing the package. i have also installed clamav, clamav-db and
>>>>> clamd from http://dag.wieers.com/rpm/packages/clamav
>>>>> and everything working OK.
>>>>> i have clamscan installed in /usr/bin
>>>>>
>>>>> but how could i know if mailscanner is really using clamd daemon n
>>>>> clamscan to scan emails
>>>>>
>>>>> Appreciate ur help
>>>>>
>>>>> regards
>>>>>
>>>>> simon
>>>>>
>>>> Jules
>>>>
>> Jules
>>

Jules

From ugob at lubik.ca Thu Jul 26 16:27:48 2007
From: ugob at lubik.ca (Ugo Bellavance) Date: Thu Jul 26 16:28:15 2007 Subject: BarricadeMX experiences In-Reply-To: <46A67DAF.60301@mail.wvnet.edu> References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> <46A67DAF.60301@mail.wvnet.edu> Message-ID: Richard Lynch wrote: > > I gave before and after statistics. It was the same hardware and with > our volume the input is pretty much the same each day. The results > speak for themselves. What were overloaded servers with huge delays now > run fine. The fact that MailScanner gets fewer messages isn't really > the point other than it improves performance. Steve is correct, it's > not for everybody. If your message load is small you probably don't > need it. You can tell BarricadeMX to use spamd and clamd. I just migrated a small site that was a MailScanner setup with SpamAssassin + Clamd to a setup with BarricadeMX + spamd + clamd. It seems to be running perfectly. All spam detected by BarricadeMX (smtpf) is rejected at the SMTP transaction. Same for viruses. For spamd, I set the score to reject at 10, so everything that gets a score of 10 or more is rejected at the MTA. No more quarantine to manage, false positives always get a notification... I cannot talk about load because it was minimal before. Ugo From ugob at lubik.ca Thu Jul 26 16:32:14 2007 
From: ugob at lubik.ca (Ugo Bellavance) Date: Thu Jul 26 16:35:04 2007 Subject: BarricadeMX experiences In-Reply-To: References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> <46A67DAF.60301@mail.wvnet.edu> Message-ID:

Kai Schaetzl wrote:
> Richard Lynch wrote on Tue, 24 Jul 2007 18:31:11 -0400:
>
>> I gave before and after statistics. It was the same hardware and with
>> our volume the input is pretty much the same each day. The results
>> speak for themselves. What were overloaded servers with huge delays now
>> run fine.
>
> But you didn't seem to use any additional tools or measures at MTA level,
> did you? I'm not saying that BarricadeMX is not good or maybe even
> exceptionally good, but I'm sure that if you use a well-balanced set of
> milters, have greylisting, use a well balanced set of RBLs and access.db
> and then compare with *that* the comparison will be much different.
> BarricadeMX may still be better, but surely not as much as to what you
> compared. You cannot compare a BarricadeMX system with a more or less
> unprotected system. For instance, only about 10 - 15% of our incoming mail
> is spam because most of the spam is already rejected at MTA level, without
> BarricadeMX. And viruses almost never make it on the systems, either,
> because they are rejected on MTA level. May not be as good as BarricadeMX,
> but good enough, especially for resource usage.

I've seen a few sites that were running milter-link, milter-ahead, greylisting, zen.spamhaus.org at MTA level, and still saw a lot of benefit on the resource usage. Spam catching improvement was not as good, but on 3 or 4 systems that were running constantly at load about 12X # of CPUs, they are now running around 3-4X # of CPUs.

From Carl.Andrews at crackerbarrel.com Thu Jul 26 16:36:54 2007
From: Carl.Andrews at crackerbarrel.com (Andrews Carl 455) Date: Thu Jul 26 16:36:13 2007 Subject: Spamassassin Greeting Card Question In-Reply-To: <200707261527.l6QFRLNd022959@smtpgw1.crackerbarrel.com> Message-ID: <113A0DFC086C984AB9EFDF6B8614F075017D327C@exchange03.CBOCS.com>

Anyone have a spamassassin rule for the "You've received a greeting/ecard ..." spams? I have this but it is not working:

Thanks for any help,
Carl

GreetingCard.cf:

header CBGREET99 Subject =~ /You've received a greeting card from a school-mate/i
score CBGREET99 99
describe CBGREET99 Greeting Card Spam and Virus.

header CBGREET99 Subject =~ /You've received a greeting ecard from a class mate!/i
score CBGREET99 99
describe CBGREET99 Greeting Card Spam and Virus.

header CBGREET99 Subject =~ /You've received a greeting ecard from a neighbour!/i
score CBGREET99 99
describe CBGREET99 Greeting Card Spam and Virus.

header CBGREET99 Subject =~ /You've received a greeting postcard from a partner!/i
score CBGREET99 99
describe CBGREET99 Greeting Card Spam and Virus.

header CBGREET99 Subject =~ /You've received a greeting postcard from a worshipper!/i
score CBGREET99 99
describe CBGREET99 Greeting Card Spam and Virus.

header CBGREET99 Subject =~ /You've received a postcard from a family member!/i
score CBGREET99 99
describe CBGREET99 Greeting Card Spam and Virus.

header CBGREET99 Subject =~ /You've received a postcard from a neighbour!/i
score CBGREET99 99
describe CBGREET99 Greeting Card Spam and Virus.

header CBGREET99 Subject =~ /You've received a postcard from a worshipper!/i
score CBGREET99 99
describe CBGREET99 Greeting Card Spam and Virus.

header CBGREET99 Subject =~ /You've received an ecard from a colleague!/i
score CBGREET99 99
describe CBGREET99 Greeting Card Spam and Virus.

header CBGREET99 Subject =~ /You've received a greeting ecard from a Worshipper!/i
score CBGREET99 99
describe CBGREET99 Greeting Card Spam and Virus.

header CBGREET99 Subject =~ /You've received a postcard from a Worshipper!/i
score CBGREET99 99
describe CBGREET99 Greeting Card Spam and Virus.

header CBGREET99 Subject =~ /You've received a greeting ecard from a School friend!/i
score CBGREET99 99
describe CBGREET99 Greeting Card Spam and Virus.

From MailScanner at ecs.soton.ac.uk Thu Jul 26 16:42:35 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Jul 26 16:42:49 2007 Subject: Spamassassin Greeting Card Question In-Reply-To: <113A0DFC086C984AB9EFDF6B8614F075017D327C@exchange03.CBOCS.com> References: <113A0DFC086C984AB9EFDF6B8614F075017D327C@exchange03.CBOCS.com> Message-ID: <46A8C0EB.6080006@ecs.soton.ac.uk> Err... your rules have to have different names. You can't give a bunch of rules the same name, or else how does it tell the difference between which rule score (and description) applies to which rule? Andrews Carl 455 wrote: > Anyone have a spamassassin rule for the "You've received a > greeting/ecard ..." spams? I have this but it is not working:
Jules
From campbell at cnpapers.com Thu Jul 26 16:47:03 2007
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Jul 26 16:47:15 2007 Subject: Spamassassin Greeting Card Question In-Reply-To: <113A0DFC086C984AB9EFDF6B8614F075017D327C@exchange03.CBOCS.com> References: <113A0DFC086C984AB9EFDF6B8614F075017D327C@exchange03.CBOCS.com> Message-ID: <46A8C1F7.5030006@cnpapers.com> Andrews Carl 455 wrote: > Anyone have a spamassassin rule for the "You've received a > greeting/ecard ..." spams? I have this but it is not working:
You didn't really name all of the rules the same thing did you? I use a few rules like the ones you have listed but make them less specific. For instance "received a greeting ecard", "received a greeting card" , and also use the KAM.cf ruleset. It's about eliminated the stuff. What you have will only work on whatever the last one is set to, I believe, as you are redefining the rule over and over. Steve Campbell From ms-list at alexb.ch Thu Jul 26 17:01:15 2007 From: ms-list at alexb.ch (Alex Broens) Date: Thu Jul 26 17:01:27 2007 Subject: mcr - In-Reply-To: <113A0DFC086C984AB9EFDF6B8614F075017D327C@exchange03.CBOCS.com> References: <113A0DFC086C984AB9EFDF6B8614F075017D327C@exchange03.CBOCS.com> Message-ID: <46A8C54B.6020906@alexb.ch> On 7/26/2007 5:36 PM, Andrews Carl 455 wrote: > Anyone have a spamassassin rule for the "You've received a > greeting/ecard ..." spams? I have this but it is not working: apart from the repeated rule name, you could reduce it to one rule: header CBGREET99 Subject =~ /^You\'ve received a (?:greeting|card|ecard|postcard|blahcard) from a \w+/ (all in one line) THIS IS UNTESTED!!!! Alex From mkettler at evi-inc.com Thu Jul 26 17:00:40 2007
From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Jul 26 17:02:19 2007 Subject: Spamassassin Greeting Card Question In-Reply-To: <113A0DFC086C984AB9EFDF6B8614F075017D327C@exchange03.CBOCS.com> References: <113A0DFC086C984AB9EFDF6B8614F075017D327C@exchange03.CBOCS.com> Message-ID: <46A8C528.2090404@evi-inc.com>

Andrews Carl 455 wrote:
> Anyone have a spamassassin rule for the "You've received a
> greeting/ecard ..." spams? I have this but it is not working:
>
> Thanks for any help,
> Carl
>
> GreetingCard.cf:

As Julian pointed out, all your rules have the same name, so only the last one exists. All the others will be over-written by each other.

That said, I'm currently using this one rule, which covers pretty much everything I've seen.

(note: beware of line-wraps, there's only 3 lines here)

header L_S_SUBJPOSTCARD Subject =~/\bYou've received a (?:greeting)? (?:e|post)?card from a .{4,20}!/
describe L_S_SUBJPOSTCARD greeting card virus
score L_S_SUBJPOSTCARD 1.5

From ssilva at sgvwater.com Thu Jul 26 17:02:44 2007
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Jul 26 17:02:55 2007 Subject: OT: performance smf-sav vs milter-ahead In-Reply-To: <46A8AB45.5030001@pacific.net> References: <00be01c7cefd$e9cb48d0$0b01010a@DGPTBH91> <46A8AB45.5030001@pacific.net> Message-ID:

Ken A spake the following on 7/26/2007 7:10 AM:
> Bryan Guest wrote:
>> Hello
>>
>> With my apologies for the off topic nature of this question, has
>> anyone compared performance between SMF-SAV and Milter-Ahead?
>>
>> If so, is there an appreciable difference when using one or the other
>> in conjunction with MailScanner?
>>
>> Many thanks to Julian Field and everyone on this list for MailScanner
>> and the support it receives. I sincerely appreciate any feedback
>> provided.
>>
>> Bryan Guest
>> Bruce Telecom
>
> smf-sav seems okay, but watch out for:
>
> // if (verify && strcmp(verify, "OK") == 0) return SMFIS_ACCEPT;
>
> ..which says "If the client ssl client certificate verifies with an
> authority, then skip the milters". That's a bad assumption. I just
> commented out the line in the code and recompiled (Yes, I reported it). I
> have not looked at how milter-ahead handles this, or how well it works,
> though its codebase is certainly more mature and well tested.
>
> Ken
>
>
I agree. Even a spammer can buy a certificate. I have been meaning to give it a shot, but spent so much time getting it going with mimedefang, I didn't want to touch a running system. I will give it a shot when I build the new mailservers probably next month. I also wanted to try the patch for smf-sav to do the recipient verifications first, and not bother with sender verify if the recipient fails.

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From steve.freegard at fsl.com Thu Jul 26 17:05:22 2007
From: steve.freegard at fsl.com (Steve Freegard) Date: Thu Jul 26 17:05:24 2007 Subject: Spamassassin Greeting Card Question In-Reply-To: <46A8C0EB.6080006@ecs.soton.ac.uk> References: <113A0DFC086C984AB9EFDF6B8614F075017D327C@exchange03.CBOCS.com> <46A8C0EB.6080006@ecs.soton.ac.uk> Message-ID: <46A8C642.3010201@fsl.com>

Julian Field wrote:
> Err... your rules have to have different names. You can't give a bunch
> of rules the same name, or else how does it tell the difference between
> which rule score (and description) applies to which rule?

And why don't you condense all these rules into a single rule?

header CBGREET99 Subject =~ /^You've received (?:a|an) (?:greeting){0,1}\s{0,1}(?:e|post){0,1}card from a (?:.+)!$/
score CBGREET99 99
describe CBGREET99 Greeting card spam and virus

Would probably work (untested).

Cheers,
Steve.

From Carl.Andrews at crackerbarrel.com Thu Jul 26 17:07:09 2007
From: Carl.Andrews at crackerbarrel.com (Andrews Carl 455) Date: Thu Jul 26 17:06:29 2007 Subject: Spamassassin Greeting Card Question In-Reply-To: <200707261545.l6QFjRNb024349@smtpgw1.crackerbarrel.com> Message-ID: <113A0DFC086C984AB9EFDF6B8614F075017D3282@exchange03.CBOCS.com>

Oh. No wonder it did not work.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Thursday, July 26, 2007 10:43 AM To: MailScanner discussion Subject: Re: Spamassassin Greeting Card Question Err... your rules have to have different names. You can't give a bunch of rules the same name, or else how does it tell the difference between which rule score (and description) applies to which rule?
Jules
From Carl.Andrews at crackerbarrel.com Thu Jul 26 17:08:51 2007 From: Carl.Andrews at crackerbarrel.com (Andrews Carl 455) Date: Thu Jul 26 17:08:11 2007 Subject: Spamassassin Greeting Card Question In-Reply-To: <200707261549.l6QFnZNl024578@smtpgw1.crackerbarrel.com> Message-ID: <113A0DFC086C984AB9EFDF6B8614F075017D3283@exchange03.CBOCS.com> Yeah, my first attempt at a spamassassin rule - I did not do as well as the spammers :-< KAM.cf - I am going to go find that one. I am using rules_du_jour but do not see that one. Thanks! -----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Campbell Sent: Thursday, July 26, 2007 10:47 AM To: MailScanner discussion Subject: Re: Spamassassin Greeting Card Question Andrews Carl 455 wrote: > Anyone have a spamassassin rule for the "You've received a > greeting/ecard ..." spams? I have this but it is not working:
You didn't really name all of the rules the same thing did you? I use a few rules like the ones you have listed but make them less specific. For instance "received a greeting ecard", "received a greeting card" , and also use the KAM.cf ruleset. It's about eliminated the stuff. What you have will only work on whatever the last one is set to, I believe, as you are redefining the rule over and over. Steve Campbell
From ms-list at alexb.ch Thu Jul 26 17:12:22 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Jul 26 17:12:29 2007
Subject: Spamassassin Greeting Card Question
In-Reply-To: <46A8C528.2090404@evi-inc.com>
References: <113A0DFC086C984AB9EFDF6B8614F075017D327C@exchange03.CBOCS.com> <46A8C528.2090404@evi-inc.com>
Message-ID: <46A8C7E6.4070608@alexb.ch>

On 7/26/2007 6:00 PM, Matt Kettler wrote:
> Andrews Carl 455 wrote:
>> Anyone have a spamassassin rule for the "You've received a
>> greeting/ecard ..." spams? I have this but it is not working:
>>
>> Thanks for any help,
>> Carl
>>
>> GreetingCard.cf:
>
> As Julian pointed out, all your rules have the same name, so only the last one
> exists. All the others will be over-written by each other.
>
> That said, I'm currently using this one rule, which covers pretty much
> everything I've seen.
>
> (note: beware of line-wraps, there's only 3 lines here)
>
> header L_S_SUBJPOSTCARD Subject =~/\bYou've received a (?:greeting)?
> (?:e|post)?card from a .{4,20}!/
> describe L_S_SUBJPOSTCARD greeting card virus
> score L_S_SUBJPOSTCARD 1.5

or reduce it to?

body ECARD_BLAH /^SEEING YOUR CARD$/

Alex

From ssilva at sgvwater.com Thu Jul 26 17:16:02 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Jul 26 17:16:18 2007
Subject: Spamassassin Greeting Card Question
In-Reply-To: <113A0DFC086C984AB9EFDF6B8614F075017D3283@exchange03.CBOCS.com>
References: <200707261549.l6QFnZNl024578@smtpgw1.crackerbarrel.com> <113A0DFC086C984AB9EFDF6B8614F075017D3283@exchange03.CBOCS.com>
Message-ID:

Andrews Carl 455 spake the following on 7/26/2007 9:08 AM:
> Yeah, my first attempt at a spamassassin rule - I did not do as well as
> the spammers :-<
> KAM.cf - I am going to go find that one. I am using rules_du_jour but do
> not see that one.
>
> Thanks!

Search the archives. Julian posted a howto to enable the sa-update method to replace rulesdujour. It has a script to get the kam.cf file.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From Richard.Frovarp at sendit.nodak.edu Thu Jul 26 17:32:05 2007
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Thu Jul 26 17:32:08 2007
Subject: BarricadeMX experiences
In-Reply-To: <46A8BBD1.7020308@fsl.com>
References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> <46A67DAF.60301@mail.wvnet.edu> <46A77B06.50106@sendit.nodak.edu> <46A8B23C.6060801@sendit.nodak.edu> <46A8BBD1.7020308@fsl.com>
Message-ID: <46A8CC85.6090203@sendit.nodak.edu>

Steve Freegard wrote:
> Richard Frovarp wrote:
>> Kai Schaetzl wrote:
>>> Richard Frovarp wrote on Wed, 25 Jul 2007 11:32:06 -0500:
>>>
>>>
>>>> The OP did say he was running sbl+xbl at the mta
>>>>
>>>
>>> Yes, but that seems to be the only "protection" for the MTA. Looking
>>> at our figures Spamhaus rejections (although the single most source
>>> of rejections) account for only 20% of our rejections after
>>> greylisting (not sure if rejections occur before or after
>>> greylisting). For instance I reject almost as much because of bogus
>>> HELOs. Which is also part of BarricadeMX.
>>>
>>> Kai
>>>
>>>
>>
>> From my testing it goes:
>>
>> greet pause
>> rbls
>> greylist
>> bad user
>>
>> I'm guessing that the bogus HELOs would be around the rbl time.
>> greylisting doesn't reject until the rcpt to, and it does it before a
>> valid user check is done against LDAP.
>
>
> All this sort of stuff will vary massively over each site as there are
> lots of variables (e.g. number of domains, average age of the domain,
> type of user, user habits etc. etc.) that govern the type of spam each
> site will get and thus the types of rejections that are possible. So
> what works well for one site won't necessarily work well for the other.

I'm sorry, that is the order that the tests are applied when using milter-greylist against sendmail, not effectiveness. Sorry I forgot to mention that. So from my setup anything that fails the sendmail greet pause won't even be checked by the RBLs, since it's already been rejected.
The one unfortunate thing you'll see in that ordering is as mail has to get past the greylisting before valid user is checked. However, at my site we don't get many invalid user attempts, at least not many that make it past the earlier layers.

From hmkash at arl.army.mil Thu Jul 26 18:00:43 2007
From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD))
Date: Thu Jul 26 17:59:02 2007
Subject: Beta release 4.62.4 (UNCLASSIFIED)
In-Reply-To: <46A61FBB.1030708@ecs.soton.ac.uk>
References: <46A61FBB.1030708@ecs.soton.ac.uk>
Message-ID: <88991ECEE371C644986F0C8837C207B70173B2F3@ARLABML01.DS.ARL.ARMY.MIL>

Classification: UNCLASSIFIED
Caveats: NONE

> 4 Improved Clamd parser to handle Sane Security ClamAV signature databases
> which detect spam and so on from the contents of the headers, and hence
> find infections without attachment filenames. Thanks to various people for
> help with this, you know who you are :-)

Would this be similar to the following problem reported with McAfee? If so, can it be fixed as well?

http://lists.mailscanner.info/pipermail/mailscanner/2006-October/066261.html
http://lists.mailscanner.info/pipermail/mailscanner/2007-February/070615.html

Thanks,
Howard

Classification: UNCLASSIFIED
Caveats: NONE

From MailScanner at ecs.soton.ac.uk Thu Jul 26 18:21:00 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 26 18:21:40 2007
Subject: Beta release 4.62.4 (UNCLASSIFIED)
In-Reply-To: <88991ECEE371C644986F0C8837C207B70173B2F3@ARLABML01.DS.ARL.ARMY.MIL>
References: <46A61FBB.1030708@ecs.soton.ac.uk> <88991ECEE371C644986F0C8837C207B70173B2F3@ARLABML01.DS.ARL.ARMY.MIL>
Message-ID: <46A8D7FC.2070904@ecs.soton.ac.uk>

Fixed. This will be in the next release (4.62.6).

Kash, Howard (Civ, ARL/CISD) wrote:
> Classification: UNCLASSIFIED
> Caveats: NONE
>
>
>
>> 4 Improved Clamd parser to handle Sane Security ClamAV signature
>>
> databases
>
>> which detect spam and so on from the contents of the headers, and
>>
> hence
>
>> find infections without attachment filenames. Thanks to various
>>
> people for
>
>> help with this, you know who you are :-)
>>
>
> Would this be similar to the following problem reported with McAfee? If
> so, can it be fixed as well?
>
> http://lists.mailscanner.info/pipermail/mailscanner/2006-October/066261.
> html
> http://lists.mailscanner.info/pipermail/mailscanner/2007-February/070615
> .html
>
>
> Thanks,
> Howard
> Classification: UNCLASSIFIED
> Caveats: NONE
>
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From dgottsc at emory.edu Thu Jul 26 18:25:09 2007
From: dgottsc at emory.edu (Gottschalk, David)
Date: Thu Jul 26 18:25:55 2007
Subject: Password protect
In-Reply-To: <46A4F5DC.1010603@yeticomputers.com>
References: <223f97700707200721g710f6846ga8807d99caea5f7d@mail.gmail.com> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3D3E@RDPEXCH2.Eu.Emory.Edu> <46A4F4E6.3060305@yeticomputers.com> <46A4F5DC.1010603@yeticomputers.com>
Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E9ECF5B@RDPEXCH2.Eu.Emory.Edu>

Well, I've tried these options, and can't get anything to work.

ClamAV or BitDefender (the two virus engines I'm using) aren't catching the password encrypted archives as a virus, so I think that is why those two options won't work. I have the MailScanner option "Allow Password-Protected Archives" to no.

Anyone have any other ideas? I really need this to work.

Thanks.

David Gottschalk

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick Chadderdon Sent: Monday, July 23, 2007 2:39 PM To: MailScanner discussion Subject: Re: Password protect And, to add to my own reply, also look at "Non-Forging Viruses". Combining those two lines, you should be able to achieve what you're after. Rick Rick Chadderdon wrote: > Gottschalk, David wrote: > >> Anyone know if its possible to send a bounce back to the sender if a password protected archive is quarantined? >> >> The "Notify Senders Of Blocked Filenames Or Filetypes" and "Notify Senders Of Other Blocked Content" don't seem to do anything with regards to encrypted archives. >> > Check the "Silent Viruses" line in MailScanner.conf. If it contains > "All-Viruses" or "Zip-Password", it won't notify the sender. The > comments above the line explain the options well. > > Rick > -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Thu Jul 26 18:32:44 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 26 18:33:18 2007
Subject: Release 4.62.6 beta
Message-ID: <46A8DABC.1010900@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks!

I have just released 4.62.6 which includes the new "custom(parameter)" spam action. This calls a function in /usr/lib/MailScanner/MailScanner/CustomFunctions/CustomAction.pm which you can tailor to do anything you like with a message. You can have multiple "custom()" actions listed, and each will be called in turn. Put different parameters in these actions, and you can do any combination of things you want.

This version also includes a fix for the McAfee problem just mentioned on the mailing list.

Download as usual from www.mailscanner.info.

The full Change Log is this:

* New Features and Improvements *
1 Improved non-Linux installer.
1 Improved Linux installer.
1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this.
1 Upgraded MIME::Base64 to 3.07.
1 Improved error reporting for clamd permissions problems. Thanks Rick.
2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and /usr/sbin/update_spamassassin. For a good use of this, see
  http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
  and search for "HOWTO" in the Subject: line of the MailScanner-discussion list archive. This process replaces RulesDuJour entirely.
  Another good ruleset to add to your setup is
  http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
  To download this automatically every night, fetch
  http://www.mailscanner.info/files/4/KAM.cf.sh
  and put it in /etc/cron.daily and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh").
3 Added "Known Web Bug Servers" so you can blacklist images from known servers of web bug services.
3 Added functionality of "milter-null" to MailScanner so you no longer need to run this separately. It is called "Watermarking" and there is a whole section for the settings in MailScanner.conf.
  They are
    Add Watermark = yes
    Skip Spam Checks If Watermark Valid = yes
    Watermark Header = MailScanner-%org-name%-Watermark:
    Watermark Lifetime = 432000 # in seconds, = 5 days
    Watermark Secret = SET-THIS-TO-A-SECRET!
  Also added Digest::MD5 to the required list of Perl modules, this is needed for the watermarking code.
3 Added optional image to the clean message signature. You can also use this to add an arbitrary image attachment to any message, if you so wish. The main point is to be able to have graphical HTML signatures on messages. The settings are
    Attach Image To Signature = no
    Attach Image To HTML Message Only = yes
    Signature Image Filename = %report-dir%/sig.jpg
    Signature Image Filename = signature.jpg
4 Added support for Kaspersky kav4fs. Set virus.scanners.conf entry to point to /opt/kaspersky.
4 Changed default value to "Max SpamAssassin Size = 100k" as modern PDF spams are getting quite large, and PDFInfo.pm doesn't work with cropped messages.
4 Improved Clamd parser to handle Sane Security ClamAV signature databases which detect spam and so on from the contents of the headers, and hence find infections without attachment filenames. Thanks to various people for help with this, you know who you are :-)
4 Improved upgrade_MailScanner_conf so that it checks that the 'Monitors for ClamAV Updates' setting looks for inc and cvd files. Problems have recently been suffered by many due to the value of this setting being out of date. It doesn't automatically re-write their setting in case they have installed ClamAV somewhere odd and have customised it.
4 Changed 'Monitors for Sophos Updates' setting default value to point to appropriate file for Sophos version 5 and upwards, and have added check in upgrade_MailScanner_conf to ensure their setting now points to a new location. It prints a warning if sophos-av does not appear in the path.
4 Added configuration setting "SpamAssassin Rule Actions".
  This setting is very powerful and can be used to implement many things that MCP can do, without having the processing overhead of MCP. The documentation for it is in the MailScanner.conf file. Its power is limited by your imagination :-) Start combining it with rulesets and you can take (or _not_ take) any combination of actions dependent on any bit of content in the message or its headers. You could try out new SA tests by storing in quarantine every message that matches a new particular SpamAssassin rule (or meta-rule for creating more complex expressions).
5 Added "custom" spam action, which takes a parameter. This is passed into the CustomAction function in CustomAction.pm in the CustomFunctions directory. This can be used to implement anything your heart desires, depending on the contents of a message.

* Fixes *
2-2 Fixed error in RPM installer.
2-3 Fixed error in update_spamassassin.
3-2 The watermarking code should do something now :-)
3-3 Rewrote the watermarking docs so they reflect the truth.
4 --lint now reads all the Custom Functions properly.
4 Bug in auto-zip fixed where attachments could be deleted without being added to zip. Thanks to Matt Hampton.
4 Bug with '-' in HTML attribute names confusing phishing net fixed. Thanks to John Wilcock.
5 Fixed 2 bugs in MSRBL clamav-signature handler. Thanks to UxBoD.
6 Fixed bug from October 2006 involving McAfee finding infections in headers.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGqNq9EfZZRxQVtlQRAjhpAJ4z1I6MP1z3D2ywOuK4MBYDZUp/4ACgvW21
4ygQK+XELqQnbu1l8BDg67s=
=K/V+
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Thu Jul 26 18:45:36 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 26 18:46:03 2007
Subject: Password protect
In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E9ECF5B@RDPEXCH2.Eu.Emory.Edu>
References: <223f97700707200721g710f6846ga8807d99caea5f7d@mail.gmail.com> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3D3E@RDPEXCH2.Eu.Emory.Edu> <46A4F4E6.3060305@yeticomputers.com> <46A4F5DC.1010603@yeticomputers.com> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E9ECF5B@RDPEXCH2.Eu.Emory.Edu>
Message-ID: <46A8DDC0.3050300@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

With
    Notify Senders Of Other Blocked Content = yes
    Notify Senders = yes
    Non-Forging Viruses = Zip-Password
    Allow Password-Protected Archives = no
then I think it should notify senders of password-protected zip archives.

Gottschalk, David wrote:
> Well, I've tried these options, and can't get anything to work.
>
> ClamAV or BitDefender (the two virus engines I'm using) aren't catching the password encrypted archives as a virus, so I think that is why those two options won't work. I have the MailScanner option "Allow Password-Protected Archives" to no.
>
> Anyone have any other ideas? I really need this to work.
>
> Thanks.
>
> David Gottschalk
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick Chadderdon > Sent: Monday, July 23, 2007 2:39 PM > To: MailScanner discussion > Subject: Re: Password protect > > And, to add to my own reply, also look at "Non-Forging Viruses". > Combining those two lines, you should be able to achieve what you're after. > > Rick > > Rick Chadderdon wrote: > >> Gottschalk, David wrote: >> >> >>> Anyone know if its possible to send a bounce back to the sender if a password protected archive is quarantined? >>> >>> The "Notify Senders Of Blocked Filenames Or Filetypes" and "Notify Senders Of Other Blocked Content" don't seem to do anything with regards to encrypted archives. >>> >>> >> Check the "Silent Viruses" line in MailScanner.conf. If it contains >> "All-Viruses" or "Zip-Password", it won't notify the sender. The >> comments above the line explain the options well. >> >> Rick >> >> > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGqN3BEfZZRxQVtlQRAodZAJ4+eTz5vhEVPDjHRP6h+6zw5qTNaQCg4xy/ 0wszO8+WNj/dpfvmp8PJW8M= =1hYZ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From mkettler at evi-inc.com Thu Jul 26 19:43:30 2007 
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Jul 26 19:45:19 2007
Subject: Spamassassin Greeting Card Question
In-Reply-To: <46A8C7E6.4070608@alexb.ch>
References: <113A0DFC086C984AB9EFDF6B8614F075017D327C@exchange03.CBOCS.com> <46A8C528.2090404@evi-inc.com> <46A8C7E6.4070608@alexb.ch>
Message-ID: <46A8EB52.8000508@evi-inc.com>

Alex Broens wrote:
>> That said, I'm currently using this one rule, which covers pretty much
>> everything I've seen.
>>
>> (note: beware of line-wraps, there's only 3 lines here)
>>
>> header L_S_SUBJPOSTCARD Subject =~/\bYou've received a (?:greeting)?
>> (?:e|post)?card from a .{4,20}!/
>> describe L_S_SUBJPOSTCARD greeting card virus
>> score L_S_SUBJPOSTCARD 1.5
>
> or reduce it to?
>
> body ECARD_BLAH /^SEEING YOUR CARD$/

That would work too.. Although I'm not sure why.. body rules should be run with linewraps stripped, so that shouldn't match. However, it does work properly, and also matches if a linewrap is inserted between the words. Hmm, wonder how SA does that..

However, there would be benefit to using both with moderate scores, as it would be more mutation resistant that way. They're both looking at different features of the email.

As an added plus, doing both makes the autolearner more likely to kick in. The autolearner needs at least 3.0 of header and 3.0 of body rules in order to learn spam. Biasing both categories up is a good thing..

To that end, I just added 3 body rules:

body L_S_BODY_CARD1 /^SEEING YOUR CARD$/
score L_S_BODY_CARD1 1.0
body L_S_BODY_CARD2 /See your card as often as you wish during the next/
score L_S_BODY_CARD2 1.0
body L_S_BODY_CARD3 /We hope you enjoy your awesome card/
score L_S_BODY_CARD3 1.0

From uxbod at splatnix.net Thu Jul 26 20:28:48 2007
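The duplicate-name problem and the header/body score split discussed in the greeting-card messages above, as an added example (not code from any poster in this thread or from SpamAssassin itself): a small Python model of a .cf file in which a later definition of a rule name replaces the earlier one. The rule name EX_SUBJ_CARD and its pattern, the function names and the sample message are assumptions made for this example, and body lines are matched one at a time as a simplification.

```python
import re

# Constructed sample: three of the same-named rules from the GreetingCard.cf in the thread.
SAME_NAME_CF = r"""
header CBGREET99 Subject =~ /You've received a greeting card from a school-mate/i
score CBGREET99 99
describe CBGREET99 Greeting Card Spam and Virus.
header CBGREET99 Subject =~ /You've received a postcard from a neighbour!/i
score CBGREET99 99
describe CBGREET99 Greeting Card Spam and Virus.
header CBGREET99 Subject =~ /You've received a greeting ecard from a School friend!/i
score CBGREET99 99
describe CBGREET99 Greeting Card Spam and Virus.
"""

# Constructed rule set: EX_SUBJ_CARD is a hypothetical name and pattern written for
# this example; the two body rules are ones posted in the thread.
SPLIT_CF = r"""
header EX_SUBJ_CARD Subject =~ /\bYou've received an? (?:greeting )?(?:e|post)?card from a .{4,20}!/
describe EX_SUBJ_CARD greeting card subject
score EX_SUBJ_CARD 1.5
body L_S_BODY_CARD1 /^SEEING YOUR CARD$/
score L_S_BODY_CARD1 1.0
body L_S_BODY_CARD3 /We hope you enjoy your awesome card/
score L_S_BODY_CARD3 1.0
"""

# header NAME Header =~ /regex/flags   or   body NAME /regex/flags
RULE_RE = re.compile(r"^(header|body)\s+(\w+)\s+(?:(\S+)\s*=~\s*)?/(.*)/([a-z]*)$")


def load_rules(cf_text):
    """Parse header/body/score lines. A later definition of a name replaces the
    earlier one, as the replies in the thread describe. Returns (rules, redefined)."""
    rules, scores, redefined = {}, {}, {}
    for line in (raw.strip() for raw in cf_text.splitlines()):
        m = RULE_RE.match(line)
        if m:
            kind, name, header, pattern, flags = m.groups()
            if name in rules:
                redefined[name] = redefined.get(name, 0) + 1
            rules[name] = {
                "kind": kind,
                "header": header,
                "regex": re.compile(pattern, re.IGNORECASE if "i" in flags else 0),
            }
        elif line.startswith("score "):
            parts = line.split()
            scores[parts[1]] = float(parts[2])
    for name, rule in rules.items():
        rule["score"] = scores.get(name, 1.0)  # 1.0 is SpamAssassin's default score
    return rules, redefined


def evaluate(rules, headers, body_lines):
    """Return (sorted hit names, points per rule type) for one message.
    Simplification: each body line is tested on its own; SpamAssassin's real
    body rendering is more involved."""
    hits, points = [], {"header": 0.0, "body": 0.0}
    for name, rule in rules.items():
        if rule["kind"] == "header":
            matched = rule["regex"].search(headers.get(rule["header"], ""))
        else:
            matched = any(rule["regex"].search(text) for text in body_lines)
        if matched:
            hits.append(name)
            points[rule["kind"]] += rule["score"]
    return sorted(hits), points


def lint(cf_text):
    """List rule names that are defined more than once."""
    _, redefined = load_rules(cf_text)
    return [f"{name}: defined {count + 1} times, only the last is active"
            for name, count in sorted(redefined.items())]


if __name__ == "__main__":
    # Constructed sample message.
    headers = {"Subject": "You've received a postcard from a neighbour!"}
    body = ["SEEING YOUR CARD", "We hope you enjoy your awesome card"]
    print(lint(SAME_NAME_CF))
    print(evaluate(load_rules(SAME_NAME_CF)[0], headers, body))
    print(evaluate(load_rules(SPLIT_CF)[0], headers, body))
```

The per-type totals are the figures to compare with the 3.0 header and 3.0 body points that the message above says the autolearner needs.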
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 26 20:26:23 2007
Subject: Beta release 4.62.4 (UNCLASSIFIED)
In-Reply-To: <88991ECEE371C644986F0C8837C207B70173B2F3@ARLABML01.DS.ARL.ARMY.MIL>
Message-ID: <1166261.4081185478128555.JavaMail.root@office.splatnix.net>

Can you check your logfile and see what is being reported. If you can, please post an example and I will check the code. It should be very easy though.

----- Original Message -----
From: "Howard Kash (Civ, ARL/CISD)"
To: "MailScanner discussion"
Sent: 26 July 2007 18:00:43 o'clock (GMT) Europe/London
Subject: RE: Beta release 4.62.4 (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: NONE

> 4 Improved Clamd parser to handle Sane Security ClamAV signature databases
> which detect spam and so on from the contents of the headers, and hence
> find infections without attachment filenames. Thanks to various people for
> help with this, you know who you are :-)

Would this be similar to the following problem reported with McAfee? If so, can it be fixed as well?

http://lists.mailscanner.info/pipermail/mailscanner/2006-October/066261.html
http://lists.mailscanner.info/pipermail/mailscanner/2007-February/070615.html

Thanks,
Howard

Classification: UNCLASSIFIED
Caveats: NONE

From uxbod at splatnix.net Thu Jul 26 20:32:00 2007
From: uxbod at splatnix.net (UxBoD) Date: Thu Jul 26 20:29:34 2007 Subject: Spamassassin Greeting Card Question In-Reply-To: <113A0DFC086C984AB9EFDF6B8614F075017D3283@exchange03.CBOCS.com> Message-ID: <28217545.4111185478320892.JavaMail.root@office.splatnix.net> http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf It has successfully blocked all eCards so far. Though I am sure they will alter it soon! ----- Original Message ----- From: "Andrews Carl 455" To: "MailScanner discussion" Sent: 26 July 2007 17:08:51 o'clock (GMT) Europe/London Subject: RE: Spamassassin Greeting Card Question Yeah, my first attempt at a spamassassin rule - I did not do as well as the spammers :-< KAM.cf - I am going to go find that one. I am using rules_du_jour but do not see that one. Thanks! -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Campbell Sent: Thursday, July 26, 2007 10:47 AM To: MailScanner discussion Subject: Re: Spamassassin Greeting Card Question Andrews Carl 455 wrote: > Anyone have a spamassassin rule for the "You've received a > greeting/ecard ..." spams? I have this but it is not working: > > Thanks for any help, > Carl > > GreetingCard.cf: > > header CBGREET99 Subject =~ /You've received a greeting card from a > school-mate/i > score CBGREET99 99 > describe CBGREET99 Greeting Card Spam and Virus. > > header CBGREET99 Subject =~ /You've received a greeting ecard from a > class mate!/i > score CBGREET99 99 > describe CBGREET99 Greeting Card Spam and Virus. > > header CBGREET99 Subject =~ /You've received a greeting ecard from a > neighbour!/i > score CBGREET99 99 > describe CBGREET99 Greeting Card Spam and Virus. > > header CBGREET99 Subject =~ /You've received a greeting postcard from > a partner!/i > score CBGREET99 99 > describe CBGREET99 Greeting Card Spam and Virus. > > header CBGREET99 Subject =~ /You've received a greeting postcard from > a worshipper!/i > score CBGREET99 99 > describe CBGREET99 Greeting Card Spam and Virus. > > header CBGREET99 Subject =~ /You've received a postcard from a family > member!/i > score CBGREET99 99 > describe CBGREET99 Greeting Card Spam and Virus. > > header CBGREET99 Subject =~ /You've received a postcard from a > neighbour!/i > score CBGREET99 99 > describe CBGREET99 Greeting Card Spam and Virus. > > header CBGREET99 Subject =~ /You've received a postcard from a > worshipper!/i > score CBGREET99 99 > describe CBGREET99 Greeting Card Spam and Virus. > > header CBGREET99 Subject =~ /You've received an ecard from a > colleague!/i > score CBGREET99 99 > describe CBGREET99 Greeting Card Spam and Virus. 
> > header CBGREET99 Subject =~ /You've received a greeting ecard from a > Worshipper!/i > score CBGREET99 99 > describe CBGREET99 Greeting Card Spam and Virus. > > header CBGREET99 Subject =~ /You've received a postcard from a > Worshipper!/i > score CBGREET99 99 > describe CBGREET99 Greeting Card Spam and Virus. > > header CBGREET99 Subject =~ /You've received a greeting ecard from a > School friend!/i > score CBGREET99 99 > describe CBGREET99 Greeting Card Spam and Virus. > You didn't really name all of the rules the same thing did you? I use a few rules like the ones you have listed but make them less specific. For instance "received a greeting ecard", "received a greeting card" , and also use the KAM.cf ruleset. It's about eliminated the stuff. What you have will only work on whatever the last one is set to, I believe, as you are redefining the rule over and over. Steve Campbell -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From doc at maddoc.net Thu Jul 26 20:35:36 2007 
From: doc at maddoc.net (Doc Schneider)
Date: Thu Jul 26 20:35:46 2007
Subject: Grreting card scams
Message-ID: <46A8F788.2060601@maddoc.net>

All the ones I've been getting are all being caught with ClamAV. I get thousands of them per day too!

Just my 2 cents.

--
-Doc
Lincoln, NE.
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From Carl.Andrews at crackerbarrel.com Thu Jul 26 20:46:35 2007
From: Carl.Andrews at crackerbarrel.com (Andrews Carl 455)
Date: Thu Jul 26 20:46:56 2007
Subject: Spamassassin Greeting Card Question
In-Reply-To: <200707261617.l6QGHhNd026869@smtpgw1.crackerbarrel.com>
Message-ID: <113A0DFC086C984AB9EFDF6B8614F075017D328E@exchange03.CBOCS.com>

Thanks everyone! I still do not have my rule working, but the KAM is catching them now. I also did not realize that rules_du_jour and sa-update were getting the same rules and causing me to scan using the same rules multiple times.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva Sent: Thursday, July 26, 2007 11:16 AM To: mailscanner@lists.mailscanner.info Subject: Re: Spamassassin Greeting Card Question Andrews Carl 455 spake the following on 7/26/2007 9:08 AM: > Yeah, my first attempt at a spamassassin rule - I did not do as well > as the spammers :-< KAM.cf - I am going to go find that one. I am > using rules_du_jour but do not see that one. > > Thanks! Search the archives. Julian posted a howto to enable the sa-update method to replace rulesdujour. It has a script to get the kam.cf file. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From uxbod at splatnix.net Thu Jul 26 20:52:25 2007 From: uxbod at splatnix.net (UxBoD) Date: Thu Jul 26 20:49:56 2007 Subject: BarricadeMX experiences In-Reply-To: <46A8CC85.6090203@sendit.nodak.edu> Message-ID: <23098803.4141185479545743.JavaMail.root@office.splatnix.net> BarricadeMX (SMTPF) uses a logic engine. Unless FSL release the logic code nobody will work out what it is doing. Best way is to try it yourself, as it does work very well. Sorry, but this thread seems to be going on and on, for something that is a commercial product, and nothing really to do with MailScanner. Just my 2p worth ;) ----- Original Message ----- 
From: "Richard Frovarp" To: "MailScanner discussion" Sent: 26 July 2007 17:32:05 o'clock (GMT) Europe/London Subject: Re: BarricadeMX experiences Steve Freegard wrote: > Richard Frovarp wrote: >> Kai Schaetzl wrote: >>> Richard Frovarp wrote on Wed, 25 Jul 2007 11:32:06 -0500: >>> >>> >>>> The OP did say he was running sbl+xbl at the mta >>>> >>> >>> Yes, but that seems to be the only "protection" for the MTA. Looking >>> at our figures Spamhaus rejections (although the single most source >>> of rejections) account for only 20% of our rejections after >>> greylisting (not sure if rejections occur before or after >>> greylisting). For instance I reject almost as much because of bogus >>> HELOs. Which is also part of BarricadeMX. >>> >>> Kai >>> >>> >> >> From my testing it goes: >> >> greet pause >> rbls >> greylist >> bad user >> >> I'm guessing that the bogus HELOs would be around the rbl time. >> greylisting doesn't reject until the rcpt to, and it does it before a >> valid user check is done against LDAP. > > > All this sort of stuff will vary massively over each site as there are > lots of variables (e.g. number of domains, average age of the domain, > type of user, user habits etc. etc.) that govern the type of spam each > site will get and thus the types of rejections that are possible. So > what works well for one site won't necessarily work well for the other. I'm sorry, that is the order that the tests are applied when using milter-greylist against sendmail, not effectiveness. Sorry I forgot to mention that. So from my setup anything that fails the sendmail greet pause won't even be checked by the RBLs, since it's already been rejected. The one unfortunate thing you'll see in that ordering is as mail has to get past the greylisting before valid user is checked. However, at my site we don't get many invalid user attempts, at least not many that make it past the earlier layers. 

From uxbod at splatnix.net Thu Jul 26 20:54:32 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 26 20:52:04 2007
Subject: BarricadeMX experiences
In-Reply-To: <46A8BBD1.7020308@fsl.com>
Message-ID: <10806190.4171185479672572.JavaMail.root@office.splatnix.net>

Any reported FPs Steve ?

----- Original Message -----
From: "Steve Freegard"
To: "MailScanner discussion"
Sent: 26 July 2007 16:20:49 o'clock (GMT) Europe/London
Subject: Re: BarricadeMX experiences

Richard Frovarp wrote:
> Kai Schaetzl wrote:
>> Richard Frovarp wrote on Wed, 25 Jul 2007 11:32:06 -0500:
>>
>>> The OP did say he was running sbl+xbl at the mta
>>
>> Yes, but that seems to be the only "protection" for the MTA. Looking
>> at our figures Spamhaus rejections (although the single most source of
>> rejections) account for only 20% of our rejections after greylisting
>> (not sure if rejections occur before or after greylisting). For
>> instance I reject almost as much because of bogus HELOs. Which is also
>> part of BarricadeMX.
>>
>> Kai
>
> From my testing it goes:
>
> greet pause
> rbls
> greylist
> bad user
>
> I'm guessing that the bogus HELOs would be around the rbl time.
> greylisting doesn't reject until the rcpt to, and it does it before a
> valid user check is done against LDAP.

All this sort of stuff will vary massively over each site as there are lots of variables (e.g. number of domains, average age of the domain, type of user, user habits etc. etc.) that govern the type of spam each site will get and thus the types of rejections that are possible. So what works well for one site won't necessarily work well for the other.

While a couple of people (Res mainly) have noted that you can use milters, Exim routers or Postfix policy daemons to achieve some of the common stuff to get rid of spam at the MTA level - the reason we chose to develop BarricadeMX as an SMTP proxy was because none of these methods gave us enough control over what we wanted to be able to do.

For example - the milter API does not allow you to instruct Sendmail to rate limit its command responses or give feedback on how many other concurrent connections a given IP address has etc. it also suffers from the fact all the communications have to go via a socket etc.

Here are some typical stats from a running BarricadeMX system, not all of the percentages relate to rejections, some are informational only and some are not enabled - but it gives an idea of the amount of tests that are carried out.

214-2.0.0 smtpf/1.0.146 (runtime)
214-2.0.0 start-time=Wed, 25 Jul 2007 00:03:08 -0400
214-2.0.0 age=125422
214-2.0.0 active-connections=725
214-2.0.0 high-connections=1382 (100.00%)
214-2.0.0 high-connections-per-second=22 (100.00%)
214-2.0.0 high-session-time=4624 (100.00%)
214-2.0.0 total-KB=7153778 (100.00%)
214-2.0.0 CLIENTS=1237908 (100.00%)
214-2.0.0 dropped=1049469 (84.78%)
214-2.0.0 data-354=91549 (7.40%)
214-2.0.0 client-io-error=164995 (13.33%)
214-2.0.0 client-timeout=12933 (1.04%)
214-2.0.0 server-io-error=55353 (4.47%)
214-2.0.0 admin-commands=2 (0.00%)
214-2.0.0 auth-pass=0 (0.00%)
214-2.0.0 auth-fail=0 (0.00%)
214-2.0.0 bogus-helo=857 (0.07%)
214-2.0.0 concurrent=587 (0.05%)
214-2.0.0 connect-bl=82395 (6.66%)
214-2.0.0 connect-lan=0 (0.00%)
214-2.0.0 connect-localhost=5 (0.00%)
214-2.0.0 connect-relay=5 (0.00%)
214-2.0.0 connect-wl=961 (0.08%)
214-2.0.0 dns-bl=416763 (33.67%)
214-2.0.0 dns-gl=24269 (1.96%)
214-2.0.0 dns-wl=0 (0.00%)
214-2.0.0 ehlo-no-helo=29930 (2.42%)
214-2.0.0 helo-claims-us=0 (0.00%)
214-2.0.0 helo-ip-mismatch=33414 (2.70%)
214-2.0.0 helo-schizophrenic=7282 (0.59%)
214-2.0.0 idle-retest-timer=87 (0.01%)
214-2.0.0 rate-client=40199 (3.25%)
214-2.0.0 rate-throttle=8105 (0.65%)
214-2.0.0 client-ip-in-ptr=0 (0.00%)
214-2.0.0 client-ptr-required=311762 (25.18%)
214-2.0.0 client-ptr-required-error=18088 (1.46%)
214-2.0.0 rfc2821-strict-helo=12541 (1.01%)
214-2.0.0 smtp-command-non-ascii=3055 (0.25%)
214-2.0.0 smtp-command-pause=89673 (7.24%)
214-2.0.0 smtp-drop-after=1152 (0.09%)
214-2.0.0 smtp-drop-unknown=452 (0.04%)
214-2.0.0 smtp-enable-esmtp=350765 (28.34%)
214-2.0.0 smtp-greet-pause=195045 (15.76%)
214-2.0.0 smtp-reject-delay=0 (0.00%)
214-2.0.0 uri-bl-helo=1658 (0.13%)
214-2.0.0 uri-bl-ptr=7906 (0.64%)
214-2.0.0 SENDERS=671843 (100.00%)
214-2.0.0 null-sender=68425 (10.18%)
214-2.0.0 call-back-cache=0 (0.00%)
214-2.0.0 call-back-made=0 (0.00%)
214-2.0.0 cli-envelope=0 (0.00%)
214-2.0.0 client-is-mx=64122 (9.54%)
214-2.0.0 grey-continue=6468 (0.96%)
214-2.0.0 grey-tempfail=54954 (8.18%)
214-2.0.0 mail-bl=129 (0.02%)
214-2.0.0 mail-wl=300 (0.04%)
214-2.0.0 mail-parse=1238 (0.18%)
214-2.0.0 require-sender-mx=530 (0.08%)
214-2.0.0 require-sender-mx-error=1138 (0.17%)
214-2.0.0 siq-query-cache=0 (0.00%)
214-2.0.0 siq-query-made=0 (0.00%)
214-2.0.0 siq-score-reject=0 (0.00%)
214-2.0.0 siq-score-tag=0 (0.00%)
214-2.0.0 spf-pass=16970 (2.53%)
214-2.0.0 spf-fail=2678 (0.40%)
214-2.0.0 spf-none=176221 (26.23%)
214-2.0.0 spf-neutral=3591 (0.53%)
214-2.0.0 spf-softfail=8241 (1.23%)
214-2.0.0 spf-perm-error=555 (0.08%)
214-2.0.0 spf-temp-error=7835 (1.17%)
214-2.0.0 uri-bl-mail=19467 (2.90%)
214-2.0.0 RECIPIENTS=201118 (100.00%)
214-2.0.0 rcpt-reject=51545 (25.63%)
214-2.0.0 one-rcpt-per-null=9 (0.00%)
214-2.0.0 rcpt-bl=0 (0.00%)
214-2.0.0 rcpt-wl=49 (0.02%)
214-2.0.0 rcpt-parse=4 (0.00%)
214-2.0.0 MESSAGES=95646 (100.00%)
214-2.0.0 msg-accept=81757 (85.48%)
214-2.0.0 msg-discard=0 (0.00%)
214-2.0.0 msg-drop=331 (0.35%)
214-2.0.0 msg-reject=13497 (14.11%)
214-2.0.0 dsn-sent=216 (0.23%)
214-2.0.0 7bit-headers=0 (0.00%)
214-2.0.0 cli-content=0 (0.00%)
214-2.0.0 infected=0 (0.00%)
214-2.0.0 junk-mail=0 (0.00%)
214-2.0.0 line-length=0 (0.00%)
214-2.0.0 message-limit=0 (0.00%)
214-2.0.0 message-size=0 (0.00%)
214-2.0.0 ret-pass=0 (0.00%)
214-2.0.0 ret-fail=0 (0.00%)
214-2.0.0 ret-ttl=0 (0.00%)
214-2.0.0 strict-dot=0 (0.00%)
214-2.0.0 uri-bl=13475 (14.09%)
214-2.0.0 uri-max-limit=0 (0.00%)
214-2.0.0 uri-max-test=3685 (3.85%)
214 2.0.0 End.

I can also tell you that no one who tries this will get the same results - there are simply too many factors.

What I can tell you is that no MTA or MTA plug-in can do some of these tests as they simply are not able to (the only thing that might come close is qpsmtpd) and it will significantly reduce the amount of messages input to your MTA and to MailScanner to allow it to scale better on the same amount of hardware as that was its original design goal.

Kind regards,
Steve.

From uxbod at splatnix.net Thu Jul 26 20:56:17 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 26 20:53:49 2007
Subject: Grreting card scams
In-Reply-To: <46A8F788.2060601@maddoc.net>
Message-ID: <15610735.4201185479777536.JavaMail.root@office.splatnix.net>

Really? I use latest release and signatures and they don't get hit by ClamAV. KAM.cf gets them all for me. Odd.

----- Original Message -----
From: "Doc Schneider"
To: "MailScanner discussion"
Sent: 26 July 2007 20:35:36 o'clock (GMT) Europe/London
Subject: Grreting card scams

All the ones I've been getting are all being caught with ClamAV.

I get thousands of them per day too!

Just my 2 cents.

--
-Doc
Lincoln, NE.
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From mkettler at evi-inc.com Thu Jul 26 20:58:21 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Jul 26 20:59:56 2007
Subject: Grreting card scams
In-Reply-To: <46A8F788.2060601@maddoc.net>
References: <46A8F788.2060601@maddoc.net>
Message-ID: <46A8FCDD.7070303@evi-inc.com>

Doc Schneider wrote:
> All the ones I've been getting are all being caught with ClamAV.
>
> I get thousands of them per day too!
>
> Just my 2 cents.

Are you using something like the sanesecurity add-on signatures?

I'm using stock clamav 0.91.1 and it hasn't caught a single one.

From uxbod at splatnix.net Thu Jul 26 21:02:49 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 26 21:00:19 2007
Subject: Spamassassin Greeting Card Question
In-Reply-To: <113A0DFC086C984AB9EFDF6B8614F075017D328E@exchange03.CBOCS.com>
Message-ID: <16748090.4231185480169415.JavaMail.root@office.splatnix.net>

clean your rules up, and if on SA.3.2 then also run sa-compile.

----- Original Message -----
From: "Andrews Carl 455"
To: "MailScanner discussion"
Sent: 26 July 2007 20:46:35 o'clock (GMT) Europe/London
Subject: RE: Spamassassin Greeting Card Question

Thanks everyone! I still do not have my rule working, but the KAM is catching them now. I also did not realize that rules_du_jour and sa-update were getting the same rules and causing me to scan using the same rules multiple times.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Thursday, July 26, 2007 11:16 AM
To: mailscanner@lists.mailscanner.info
Subject: Re: Spamassassin Greeting Card Question

Andrews Carl 455 spake the following on 7/26/2007 9:08 AM:
> Yeah, my first attempt at a spamassassin rule - I did not do as well
> as the spammers :-< KAM.cf - I am going to go find that one. I am
> using rules_du_jour but do not see that one.
>
> Thanks!

Search the archives. Julian posted a howto to enable the sa-update method to replace rulesdujour. It has a script to get the kam.cf file.

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From doc at maddoc.net Thu Jul 26 21:04:01 2007
From: doc at maddoc.net (Doc Schneider)
Date: Thu Jul 26 21:04:12 2007
Subject: Grreting card scams
In-Reply-To: <46A8FCDD.7070303@evi-inc.com>
References: <46A8F788.2060601@maddoc.net> <46A8FCDD.7070303@evi-inc.com>
Message-ID: <46A8FE31.8080908@maddoc.net>

Matt Kettler wrote:
> Doc Schneider wrote:
>> All the ones I've been getting are all being caught with ClamAV.
>>
>> I get thousands of them per day too!
>>
>> Just my 2 cents.
>
> Are you using something like the sanesecurity add-on signatures?
>
> I'm using stock clamav 0.91.1 and it hasn't caught a single one.

Nope, nothing added. I'm just using stock clamav 0.91.1

Email.Phishing.RB-1222 and numbers around that are what are catching them.

--
-Doc
Lincoln, NE.
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From uxbod at splatnix.net Thu Jul 26 21:10:31 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 26 21:08:04 2007
Subject: Grreting card scams
In-Reply-To: <46A8FE31.8080908@maddoc.net>
Message-ID: <17023707.4291185480631581.JavaMail.root@office.splatnix.net>

Hmmm. That is in my signatures :-

mailhub opt # sigtool --list | grep RB-1222
Email.Phishing.RB-1222

but no hits. Will check again, but sure everything has been KAM, even at work where we get 10k+ a day of these.

----- Original Message -----
From: "Doc Schneider"
To: "MailScanner discussion"
Sent: 26 July 2007 21:04:01 o'clock (GMT) Europe/London
Subject: Re: Grreting card scams

Matt Kettler wrote:
> Doc Schneider wrote:
>> All the ones I've been getting are all being caught with ClamAV.
>>
>> I get thousands of them per day too!
>>
>> Just my 2 cents.
>
> Are you using something like the sanesecurity add-on signatures?
>
> I'm using stock clamav 0.91.1 and it hasn't caught a single one.

Nope, nothing added. I'm just using stock clamav 0.91.1

Email.Phishing.RB-1222 and numbers around that are what are catching them.

--
-Doc
Lincoln, NE.
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From r.berber at computer.org Thu Jul 26 21:25:00 2007
From: r.berber at computer.org (René Berber)
Date: Thu Jul 26 21:25:11 2007
Subject: Grreting card scams
In-Reply-To: <17023707.4291185480631581.JavaMail.root@office.splatnix.net>
References: <46A8FE31.8080908@maddoc.net> <17023707.4291185480631581.JavaMail.root@office.splatnix.net>
Message-ID:

UxBoD wrote:
> Hmmm. That is in my signatures :-
>
> mailhub opt # sigtool --list | grep RB-1222
> Email.Phishing.RB-1222
>
> but no hits. Will check again, but sure everything has been KAM, even at work where we get 10k+ a day of these.

Is the option disabled in clamd.conf?

PhishingSignatures yes
PhishingScanURLs yes

It used to be disabled on older versions than 0.91.x
--
René Berber

From doc at maddoc.net Thu Jul 26 21:25:40 2007
From: doc at maddoc.net (Doc Schneider)
Date: Thu Jul 26 21:25:54 2007
Subject: Grreting card scams
In-Reply-To: <17023707.4291185480631581.JavaMail.root@office.splatnix.net>
References: <17023707.4291185480631581.JavaMail.root@office.splatnix.net>
Message-ID: <46A90344.1050607@maddoc.net>

UxBoD wrote:
> Hmmm. That is in my signatures :-
>
> mailhub opt # sigtool --list | grep RB-1222
> Email.Phishing.RB-1222
>
> but no hits. Will check again, but sure everything has been KAM, even at work where we get 10k+ a day of these.

Weird, I just checked on my MailScanner server and the greeting card ones aren't being marked by ClamAV, although my other servers running clamav-milter and clamdscan--via /etc/procmailrc--catch them. Time to do some debugging to figure out why MailScanner isn't doing it with ClamAV.

> ----- Original Message -----
> From: "Doc Schneider"
> To: "MailScanner discussion"
> Sent: 26 July 2007 21:04:01 o'clock (GMT) Europe/London
> Subject: Re: Grreting card scams
>
> Matt Kettler wrote:
>> Doc Schneider wrote:
>>> All the ones I've been getting are all being caught with ClamAV.
>>>
>>> I get thousands of them per day too!
>>>
>>> Just my 2 cents.
>> Are you using something like the sanesecurity add-on signatures?
>
>> I'm using stock clamav 0.91.1 and it hasn't caught a single one.
>
> Nope, nothing added. I'm just using stock clamav 0.91.1
>
> Email.Phishing.RB-1222 and numbers around that are what are catching them.
>

--
-Doc
Lincoln, NE.
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From uxbod at splatnix.net Thu Jul 26 21:32:01 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 26 21:29:34 2007
Subject: Grreting card scams
In-Reply-To:
Message-ID: <18371235.4381185481921172.JavaMail.root@office.splatnix.net>

Enabled by default, but I have set to yes in case of a bug. Good spot.

----- Original Message -----
From: "René Berber"
To: mailscanner@lists.mailscanner.info
Sent: 26 July 2007 21:25:00 o'clock (GMT) Europe/London
Subject: Re: Grreting card scams

UxBoD wrote:
> Hmmm. That is in my signatures :-
>
> mailhub opt # sigtool --list | grep RB-1222
> Email.Phishing.RB-1222
>
> but no hits. Will check again, but sure everything has been KAM, even at work where we get 10k+ a day of these.

Is the option disabled in clamd.conf?

PhishingSignatures yes
PhishingScanURLs yes

It used to be disabled on older versions than 0.91.x
--
René Berber

From steve.freegard at fsl.com Thu Jul 26 21:52:45 2007
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Jul 26 21:52:52 2007
Subject: BarricadeMX experiences
In-Reply-To: <10806190.4171185479672572.JavaMail.root@office.splatnix.net>
References: <46A8BBD1.7020308@fsl.com> <10806190.4171185479672572.JavaMail.root@office.splatnix.net>
Message-ID: <46A9099D.3060100@fsl.com>

UxBoD wrote:
> Any reported FPs Steve ?

Yes - of course. We recommend a set of tests and configuration that we've done the most testing with and each user can add or remove tests as they see fit. Most existing sites have a handful of whitelist entries and no site is exactly the same.

Some SMTP servers are terminally broken as are some sites' configuration (DNS etc.) - it depends on your definition of a false-positive in some cases too. Anyway as everything is done at the SMTP level then these are quickly caught as the sender knows that delivery was unsuccessful via a DSN generated by their mail system.

We've got a number of safeguards around some tests to help reduce or eliminate false positives. Our greylisting functions for example are completely different to all the other existing implementations and has far less problems than with traditional greylisting - ours copes nicely with clustered or NFS mounted spools where the sending system is potentially different on each retry (for example you don't need to exempt Hotmail/Yahoo/Gmail as they will pass greylisting and become auto-whitelisted).

Kind regards,
Steve.

From mkettler at evi-inc.com Thu Jul 26 22:01:44 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Jul 26 22:03:24 2007
Subject: Grreting card scams
In-Reply-To: <46A90344.1050607@maddoc.net>
References: <17023707.4291185480631581.JavaMail.root@office.splatnix.net> <46A90344.1050607@maddoc.net>
Message-ID: <46A90BB8.3050803@evi-inc.com>

Doc Schneider wrote:
> UxBoD wrote:
>> Hmmm. That is in my signatures :-
>
>> mailhub opt # sigtool --list | grep RB-1222
>> Email.Phishing.RB-1222
>
>> but no hits. Will check again, but sure everything has been KAM, even at work where we get 10k+ a day of these.
>
> Weird, I just checked on my MailScanner server and the greeting card
> ones aren't being marked by ClamAV, although my other servers running
> clamav-milter and clamdscan--via /etc/procmailrc--catch them. Time to do
> some debugging to figure out why MailScanner isn't doing it with ClamAV.

Ditto.

I figure it's because my MS isn't exactly current. (4.58.9)

Also, I'm using "clamav" not "clamavmodule" or "clamd" as my virus scanner mode (yes, I know this is slow, but my version doesn't do clamd, and clamavmodule eats too much memory atm)

From uxbod at splatnix.net Thu Jul 26 22:11:50 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 26 22:09:19 2007
Subject: Grreting card scams
In-Reply-To: <46A90BB8.3050803@evi-inc.com>
Message-ID: <26023224.4501185484310230.JavaMail.root@office.splatnix.net>

Then if one of those emails has been quarantined as SPAM, what happens if you run clamscan against the quarantined file?

----- Original Message -----
From: "Matt Kettler"
To: "MailScanner discussion"
Sent: 26 July 2007 22:01:44 o'clock (GMT) Europe/London
Subject: Re: Grreting card scams

Doc Schneider wrote:
> UxBoD wrote:
>> Hmmm. That is in my signatures :-
>
>> mailhub opt # sigtool --list | grep RB-1222
>> Email.Phishing.RB-1222
>
>> but no hits. Will check again, but sure everything has been KAM, even at work where we get 10k+ a day of these.
>
> Weird, I just checked on my MailScanner server and the greeting card
> ones aren't being marked by ClamAV, although my other servers running
> clamav-milter and clamdscan--via /etc/procmailrc--catch them. Time to do
> some debugging to figure out why MailScanner isn't doing it with ClamAV.

Ditto.

I figure it's because my MS isn't exactly current. (4.58.9)

Also, I'm using "clamav" not "clamavmodule" or "clamd" as my virus scanner mode (yes, I know this is slow, but my version doesn't do clamd, and clamavmodule eats too much memory atm)

From doc at maddoc.net Thu Jul 26 22:11:07 2007
From: doc at maddoc.net (Doc Schneider)
Date: Thu Jul 26 22:11:17 2007
Subject: Grreting card scams
In-Reply-To: <46A90BB8.3050803@evi-inc.com>
References: <17023707.4291185480631581.JavaMail.root@office.splatnix.net> <46A90344.1050607@maddoc.net> <46A90BB8.3050803@evi-inc.com>
Message-ID: <46A90DEB.1000808@maddoc.net>

Matt Kettler wrote:
> Doc Schneider wrote:
>> UxBoD wrote:
>>> Hmmm. That is in my signatures :-
>>> mailhub opt # sigtool --list | grep RB-1222
>>> Email.Phishing.RB-1222
>>> but no hits. Will check again, but sure everything has been KAM, even at work where we get 10k+ a day of these.
>> Weird, I just checked on my MailScanner server and the greeting card
>> ones aren't being marked by ClamAV, although my other servers running
>> clamav-milter and clamdscan--via /etc/procmailrc--catch them. Time to do
>> some debugging to figure out why MailScanner isn't doing it with ClamAV.
>
> Ditto.
>
> I figure it's because my MS isn't exactly current. (4.58.9)
>
> Also, I'm using "clamav" not "clamavmodule" or "clamd" as my virus scanner mode
> (yes, I know this is slow, but my version doesn't do clamd, and clamavmodule
> eats too much memory atm)
>

I'm running the latest Stable. 4.61.7 using clamavmodule. I've never had any memory issues using the module so just leave it.

Guess it is time to dust off my Ninja skills and get to whacking on it. HAR!

--
-Doc
Lincoln, NE.
http://www.genealogyforyou.com/
http://www.cairnproductions.com/

From itdept at fractalweb.com Thu Jul 26 22:11:39 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Thu Jul 26 22:12:03 2007
Subject: CRM114
In-Reply-To: <46A823E2.1070903@openenterprise.ca>
References: <46A823E2.1070903@openenterprise.ca>
Message-ID: <46A90E0B.4060001@fractalweb.com>

Johnny Stork wrote:
> Are there any plans to implement CRM114 into MailScanner?

Johnny,

Up until you mentioned it, I had never even heard of CRM114. After doing a bit of reading, this thing looks like bayes on steroids. Have you had any experience with it?

Chris

From uxbod at splatnix.net Thu Jul 26 22:20:49 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 26 22:18:18 2007
Subject: CRM114
In-Reply-To: <46A90E0B.4060001@fractalweb.com>
Message-ID: <23952952.4591185484849210.JavaMail.root@office.splatnix.net>

As said before, if Jules implements the customcode function the message could be passed through CRM114. Then using the dictionary tests could be done to compare against Bayes. I do agree though it does look very slick.

----- Original Message -----
From: "Chris Yuzik"
To: "MailScanner discussion"
Sent: 26 July 2007 22:11:39 o'clock (GMT) Europe/London
Subject: Re: CRM114

Johnny Stork wrote:
> Are there any plans to implement CRM114 into MailScanner?

Johnny,

Up until you mentioned it, I had never even heard of CRM114. After doing a bit of reading, this thing looks like bayes on steroids. Have you had any experience with it?

Chris

From MailScanner at ecs.soton.ac.uk Thu Jul 26 22:27:05 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 26 22:27:49 2007
Subject: CRM114
In-Reply-To: <23952952.4591185484849210.JavaMail.root@office.splatnix.net>
References: <23952952.4591185484849210.JavaMail.root@office.splatnix.net>
Message-ID: <46A911A9.3070907@ecs.soton.ac.uk>

There's already a plugin socket for a Custom Spam Scanner, unless I'm very much mistaken. So if someone wants to implement it, fire away. It's not top of my list.

UxBoD wrote:
> As said before, if Jules implements the customcode function the message could be passed through CRM114. Then using the dictionary tests could be done to compare against Bayes. I do agree though it does look very slick.
> ----- Original Message -----
> From: "Chris Yuzik"
> To: "MailScanner discussion"
> Sent: 26 July 2007 22:11:39 o'clock (GMT) Europe/London
> Subject: Re: CRM114
>
> Johnny Stork wrote:
>
>> Are there any plans to implement CRM114 into MailScanner?
>>
>
> Johnny,
>
> Up until you mentioned it, I had never even heard of CRM114. After doing
> a bit of reading, this thing looks like bayes on steroids. Have you had
> any experience with it?
>
> Chris
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

For all your IT requirements visit www.transtec.co.uk

From mailadmin at baladia.gov.kw Thu Jul 26 21:52:50 2007
From: mailadmin at baladia.gov.kw (simon)
Date: Thu Jul 26 22:29:20 2007
Subject: query if mailscanner using clamscan
In-Reply-To: <46A8BC68.1020901@ecs.soton.ac.uk>
References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> <46A8BC68.1020901@ecs.soton.ac.uk>
Message-ID: <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw>

Dear All,

Thanks once again julian..

btw i removed virus scanning =auto from my MailScanner.conf file and now i have

virus scanning = clamav clamd

so that i would like mailscanner to clamscan every incommin n outgoin mail message.

but now when i restart mailscanner i see in maillogs

Cannot find Socket (/tmp/clamd) Exiting!

if i say service clamd status

clamd (pid 1779) is running...

so clamd daemon is running

really appreciate ur help

Thanks and Regards

simon

> In which case 'auto' will only use 'clamav'. To find 'clamavmodule' you
> must have the module installed. To find 'clamd' the daemon must be
> running, and the Clamd-specific MailScanner.conf options must be set
> correctly.
>
> simon wrote:
>> Thanks again guys for ur immediate reply
>>
>> here the MailScanner --lint output..
>>
>> Read 797 hostnames from the phishing whitelist
>> Checking version numbers...
>> Version number in MailScanner.conf (4.61.7) is correct.
>> --------------------------------------------------------------
>> Checking for SpamAssassin errors (if you use it)...
>> SpamAssassin temporary working directory is
>> /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> SpamAssassin temp dir =
>> /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> Using SpamAssassin results cache
>> Connected to SpamAssassin cache database
>> SpamAssassin reported no errors.
>> Using locktype = posix
>> Creating hardcoded struct_flock subroutine for linux (Linux-type)
>> MailScanner.conf says "Virus Scanners = auto"
>> Found these virus scanners installed: clamav
>>
>> -----------------------------------------------------------------
>>
>> guess it's fine... but it has no reference to clamscan or clamd
>>
>> regards
>>
>> simon
>>
>>> If you are running the RPM version of clamav then your
>>> virus.scanners.conf file is right, as clamscan is in /usr/bin/clamscan.
>>> Check that 'auto' is picking them up correctly by doing a "MailScanner
>>> --lint".
>>>
>>> simon wrote:
>>>
>>>> Thanks Guys for your quick reply,
>>>>
>>>> Btw i did forget to mention and ask u wht new should be added to
>>>> virus.scanners.conf file since after the script was run there is a
>>>> /etc/MailScanner/virus.scanners.conf.bak file
>>>>
>>>> here the clam lines for the /etc/MailScanner/virus.scanners.conf
>>>>
>>>> ------------------------
>>>>
>>>> clamav /usr/lib/MailScanner/clamav-wrapper /usr
>>>> clamd /bin/false /usr
>>>> clamavmodule /bin/false /tmp
>>>>
>>>> ------------------------------------------
>>>> i guess this above file does not reference clamscan if im right..
>>>> do let me know if i hav to edit this file.
>>>> my clamscan is in /usr/bin
>>>> n clamd is in /usr/sbin
>>>>
>>>> and in MailScanner.conf it says
>>>>
>>>> Virus Scanners = auto
>>>>
>>>> i did keep it auto as i will install bitdefender later and would like MS
>>>> to search for the installed antivirus software
>>>>
>>>> Appreciate your help
>>>>
>>>> Thanks and regards
>>>>
>>>> simon
>>>>
>>>>> What does your /etc/MailScanner/virus.scanners.conf say for the clam
>>>>> lines?
>>>>> What does the "Virus Scanners = " line in MailScanner.conf say?
>>>>> >>>>> simon wrote: >>>>> >>>>> >>>>>> Dear All, >>>>>> >>>>>> i have recently installed new sendmail based mail server and >>>>>> installed >>>>>> mailscanner + jules packge spamassassin + clamAV and have instructed >>>>>> clamd >>>>>> virus scanning daemon to be used by mailScanner for scanning email >>>>>> when >>>>>> installing the package. i have also installed clamav, clamav-db and >>>>>> clamd >>>>>> from http://dag.wieers.com/rpm/packages/clamav >>>>>> and everythin workin OK. >>>>>> i have clamscan installed in /usr/bin >>>>>> >>>>>> but how could i know if mailscanner is really using clamd daemon n >>>>>> clamscan to scan emails >>>>>> >>>>>> >>>>>> Appreciate ur help >>>>>> >>>>>> >>>>>> regards >>>>>> >>>>>> simon >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>> Jules >>>>> >>>>> -- >>>>> Julian Field MEng CITP >>>>> www.MailScanner.info >>>>> Buy the MailScanner book at www.MailScanner.info/store >>>>> >>>>> Need help customising MailScanner? >>>>> Contact me! >>>>> Need help fixing or optimising your systems? >>>>> Contact me! >>>>> Need help getting you started solving new requirements from your >>>>> boss? >>>>> Contact me! >>>>> >>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>>> >>>>> >>>>> -- >>>>> This message has been scanned for viruses and >>>>> dangerous content by MailScanner, and is >>>>> believed to be clean. >>>>> For all your IT requirements visit www.transtec.co.uk >>>>> >>>>> -- >>>>> MailScanner mailing list >>>>> mailscanner@lists.mailscanner.info >>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>> >>>>> Before posting, read http://wiki.mailscanner.info/posting >>>>> >>>>> Support MailScanner development - buy the book off the website! >>>>> >>>>> >>>>> >>>> >>>> >>> Jules >>> >>> -- >>> Julian Field MEng CITP >>> www.MailScanner.info >>> Buy the MailScanner book at www.MailScanner.info/store >>> >>> Need help customising MailScanner? >>> Contact me! 
>>> Need help fixing or optimising your systems? >>> Contact me! >>> Need help getting you started solving new requirements from your boss? >>> Contact me! >>> >>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>> >>> >>> -- >>> This message has been scanned for viruses and >>> dangerous content by MailScanner, and is >>> believed to be clean. >>> For all your IT requirements visit www.transtec.co.uk >>> >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >>> >>> >> >> >> > > Jules > > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Network Administrator From mkettler at evi-inc.com Thu Jul 26 22:30:11 2007 
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Jul 26 22:31:51 2007
Subject: Grreting card scams
In-Reply-To: <26023224.4501185484310230.JavaMail.root@office.splatnix.net>
References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net>
Message-ID: <46A91263.7070804@evi-inc.com>

UxBoD wrote:
> Then if one of those emails has been quarantined as SPAM, what happens if you run clamscan against the quarantined file?

I don't quarantine spam. I tag only.

However, If I copy one of the messages back onto the server and scan it with
clamscan, clamscan does detect it as a virus.

However, none of them have ever been detected as a virus while going through
MailScanner. Ever. (I just searched all my postmaster notices from MailScanner
and the word "You've" doesn't appear in any of them, which would be part of the
subject-line quite.).

Note that my MailScanner setup does detect phishing signatures.

ie:
Report: ClamAV: msg-9454-234.html contains HTML.Phishing.Pay-36
Report: ClamAV: msg-17765-74.html contains Email.Phishing.RB-1260

But there are no Email.Phishing.RB-1222's in there anywhere.

From uxbod at splatnix.net Thu Jul 26 22:42:48 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 26 22:40:16 2007
Subject: CRM114
In-Reply-To: <46A911A9.3070907@ecs.soton.ac.uk>
Message-ID: <28020962.4651185486168402.JavaMail.root@office.splatnix.net>

Always up for a challenge :) Want to learn more about MailScanner anyway. Thanks Jules.

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: 26 July 2007 22:27:05 o'clock (GMT) Europe/London
Subject: Re: CRM114

There's already a plugin socket for a Custom Spam Scanner, unless I'm
very much mistaken. So if someone wants to implement it, fire away. It's
not top of my list.

UxBoD wrote:
> As said before, if Jules implements the customcode function the message could be passed through CRM114. Then using the dictionary tests could be done to compare against Bayes. I do agree though it does look very slick.
> ----- Original Message -----
> From: "Chris Yuzik"
> To: "MailScanner discussion"
> Sent: 26 July 2007 22:11:39 o'clock (GMT) Europe/London
> Subject: Re: CRM114
>
> Johnny Stork wrote:
>
>> Are there any plans to implement CRM114 into MailScanner?
>>
>
> Johnny,
>
> Up until you mentioned it, I had never even heard of CRM114. After doing
> a bit of reading, this thing looks like bayes on steroids. Have you had
> any experience with it?
>
> Chris
>

Jules

From uxbod at splatnix.net Thu Jul 26 22:44:23 2007
From: uxbod at splatnix.net (UxBoD)
Date: Thu Jul 26 22:41:52 2007
Subject: query if mailscanner using clamscan
In-Reply-To: <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw>
Message-ID: <10035446.4681185486263178.JavaMail.root@office.splatnix.net>

what is the socket set to in clamd.conf ? make sure that it maps to what is in MailScanner.conf. Either will be in /tmp or /var/run I believe.

From MailScanner at ecs.soton.ac.uk Thu Jul 26 22:42:42 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Jul 26 22:43:12 2007
Subject: query if mailscanner using clamscan
In-Reply-To: <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw>
References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> <46A8BC68.1020901@ecs.soton.ac.uk> <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw>
Message-ID: <46A91552.5060809@ecs.soton.ac.uk>

simon wrote:
> Dear All,
>
> Thanks once again Julian..
> BTW I removed virus scanning =auto from my MailScanner.conf file and now I
> have virus scanning = clamav clamd so that I would like MailScanner to
> clamscan every incoming and outgoing mail message.
> But now when I restart MailScanner I see in maillogs
>
For starters there is no point specifying clamav and clamd as you will
just be scanning everything twice with the same virus scanner!
> Cannot find Socket (/tmp/clamd) Exiting!
>
> If I say service clamd status
>
> clamd (pid 1779) is running...
>
> so clamd daemon is running
>
> Really appreciate your help
>
Check to see if the socket /tmp/clamd actually exists, and compare the
clamd-specific settings in MailScanner.conf with those in clamd.conf.
>
> Thanks and Regards
>
> simon

Jules

From res at ausics.net Thu Jul 26 22:44:24 2007
From: res at ausics.net (Res)
Date: Thu Jul 26 22:44:38 2007
Subject: BarricadeMX experiences
In-Reply-To: <46A8B8AC.1030104@fsl.com>
References: <11090454.2641185312780535.JavaMail.root@office.splatnix.net><46A67978.6000702@alexb.ch> <46A8B8AC.1030104@fsl.com>
Message-ID:

On Thu, 26 Jul 2007, Steve Freegard wrote:

> Now - who is quoting figures without basis. Have *you* done two separate
> tests on the same million or so mails and published the results like you
> asked of the original poster?

Since the OP essentially spammed this list (it is after all MailScanner
list, not BMX list, how long do you think anyone would last here if they
conducted a conversation advertising MIMEDefang), he sprouted figures I
simply showed that I don't need to goto commercial apps to have a tight
network, it's one of the reasons we got rid of that sophos implementation
a few years back, and more recently ironport.

Using milters, feeding the same crud into it over a week, MailScanner
still came out ahead, it beats MIMEDefang only in efficiency of handling
large continual concurrent connections.

--
Cheers
Res

From rcooper at dwford.com Thu Jul 26 22:46:50 2007
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Jul 26 22:46:58 2007
Subject: query if mailscanner using clamscan
In-Reply-To: <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw>
References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw><46A87494.6060002@ecs.soton.ac.uk><1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw><46A8B477.60603@ecs.soton.ac.uk><1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw><46A8BC68.1020901@ecs.soton.ac.uk> <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw>
Message-ID: <080e01c7cfce$7ad572d0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of simon
> Sent: Thursday, July 26, 2007 4:53 PM
> To: MailScanner discussion
> Subject: Re: query if mailscanner using clamscan
>
> Dear All,
>
> Thanks once again Julian..
> BTW I removed virus scanning =auto from my MailScanner.conf
> file and now I have virus scanning = clamav clamd so that I would like
> MailScanner to clamscan every incoming and outgoing mail message.
> But now when I restart MailScanner I see in maillogs
>
> Cannot find Socket (/tmp/clamd) Exiting!
>
> If I say service clamd status
>
> clamd (pid 1779) is running...
>
> so clamd daemon is running
>
> Really appreciate your help
>
[...]

Look in your clamd.conf and see where it's placing the socket, if it's using
UNIX sockets at all. It's not /tmp/clamd. You can also change the clamd
settings to use 127.0.0.1 if you are not using UNIX sockets, but it appears
you have not matched your MailScanner settings to your actual clamd settings

Rick

From rcooper at dwford.com Thu Jul 26 22:49:36 2007
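Added example, not part of any post in this thread: the check that Julian Field's and Rick Cooper's replies above describe (compare the clamd settings in MailScanner.conf with clamd.conf, then see whether the socket exists), written as a shell script. The option names "Clamd Socket", "Clamd Port" and "Virus Scanners", the clamd.conf directives LocalSocket and TCPSocket, and the sample socket path are assumptions; the thread does not spell them out, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check that MailScanner and clamd agree
# on where the clamd endpoint is. Option and directive names are assumptions.

# Value of "Key = value" from a MailScanner.conf-style file. The key match is
# case-insensitive here; if the key repeats, the last value is printed.
ms_option() {  # ms_option <file> <option name>
    awk -v want="$2" '
        /^[ \t]*#/ || !/=/ { next }
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(want)) found = val
        }
        END { print found }' "$1"
}

# First value of a whitespace-separated "Directive value" line in clamd.conf.
clamd_option() {  # clamd_option <file> <directive>
    awk -v want="$2" '/^[ \t]*#/ { next } $1 == want { print $2; exit }' "$1"
}

# Exit status: 0 endpoints agree, 1 settings differ, 2 socket file missing,
# 3 clamd.conf defines no endpoint at all.
check_clamd_endpoint() {  # check_clamd_endpoint <MailScanner.conf> <clamd.conf>
    ms_sock=$(ms_option "$1" "Clamd Socket")
    ms_port=$(ms_option "$1" "Clamd Port")
    cd_sock=$(clamd_option "$2" LocalSocket)
    cd_port=$(clamd_option "$2" TCPSocket)

    if [ -n "$cd_sock" ]; then
        if [ "$ms_sock" != "$cd_sock" ]; then
            echo "MISMATCH: MailScanner looks for '$ms_sock', clamd creates '$cd_sock'"
            return 1
        fi
        if [ ! -S "$cd_sock" ]; then
            echo "MISSING: both files name '$cd_sock' but no socket exists there"
            return 2
        fi
        echo "OK: unix socket $cd_sock"
        return 0
    fi
    if [ -n "$cd_port" ]; then
        # clamd listens on TCP only: MailScanner needs an address, not a path.
        case $ms_sock in
            ''|/*)
                echo "MISMATCH: MailScanner looks for '$ms_sock', clamd listens on TCP port $cd_port only"
                return 1 ;;
        esac
        if [ "$ms_port" != "$cd_port" ]; then
            echo "MISMATCH: MailScanner port '$ms_port', clamd TCPSocket '$cd_port'"
            return 1
        fi
        echo "OK: tcp $ms_sock:$cd_port"
        return 0
    fi
    echo "NOENDPOINT: clamd.conf sets neither LocalSocket nor TCPSocket"
    return 3
}

# True when "Virus Scanners" lists both clamav and clamd (same engine twice).
scans_twice() {  # scans_twice <MailScanner.conf>
    list=" $(ms_option "$1" "Virus Scanners") "
    case $list in *" clamav "*) ;; *) return 1 ;; esac
    case $list in *" clamd "*) return 0 ;; esac
    return 1
}

# Constructed sample files reproducing the situation reported in the thread:
# MailScanner points at /tmp/clamd while clamd creates its socket elsewhere.
demo_dir=$(mktemp -d)
printf '%s\n' 'Virus Scanners = clamav clamd' 'Clamd Socket = /tmp/clamd' \
    'Clamd Port = 3310' > "$demo_dir/MailScanner.conf"
printf '%s\n' '# constructed clamd.conf' \
    'LocalSocket /var/run/clamav/clamd.sock' > "$demo_dir/clamd.conf"
check_clamd_endpoint "$demo_dir/MailScanner.conf" "$demo_dir/clamd.conf" \
    || echo "(exit status $?)"
if scans_twice "$demo_dir/MailScanner.conf"; then
    echo "WARNING: clamav and clamd are both listed in Virus Scanners"
fi
rm -rf "$demo_dir"
```
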
From: rcooper at dwford.com (Rick Cooper)
Date: Thu Jul 26 22:49:43 2007
Subject: Grreting card scams
In-Reply-To: <46A91263.7070804@evi-inc.com>
References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net> <46A91263.7070804@evi-inc.com>
Message-ID: <080f01c7cfce$ddd7aba0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Matt Kettler
> Sent: Thursday, July 26, 2007 5:30 PM
> To: MailScanner discussion
> Subject: Re: Grreting card scams
>
> UxBoD wrote:
> > Then if one of those emails has been quarantined as SPAM,
> > what happens if you run clamscan against the quarantined file?
>
> I don't quarantine spam. I tag only.
>
> However, If I copy one of the messages back onto the server
> and scan it with clamscan, clamscan does detect it as a virus.
>
> However, none of them have ever been detected as a virus
> while going through MailScanner. Ever. (I just searched all my
> postmaster notices from MailScanner and the word "You've" doesn't
> appear in any of them, which would be part of the
> subject-line quite.).
>
> Note that my MailScanner setup does detect phishing signatures.
>
> ie:
> Report: ClamAV: msg-9454-234.html contains HTML.Phishing.Pay-36
> Report: ClamAV: msg-17765-74.html contains Email.Phishing.RB-1260
>
> But there are no Email.Phishing.RB-1222's in there anywhere.
>

What do you get if you run

sigtool --list-sigs|grep Email.Phishing.RB-1222

Perhaps something amiss with the clamdb updates? Accidental dupe installs?

Rick

From mkettler at evi-inc.com Thu Jul 26 23:23:11 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Jul 26 23:24:33 2007
Subject: Grreting card scams
In-Reply-To: <080f01c7cfce$ddd7aba0$0301a8c0@SAHOMELT>
References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net> <46A91263.7070804@evi-inc.com> <080f01c7cfce$ddd7aba0$0301a8c0@SAHOMELT>
Message-ID: <46A91ECF.8040807@evi-inc.com>

Rick Cooper wrote:
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On
> > Behalf Of Matt Kettler
> >
> > However, If I copy one of the messages back onto the server
> > and scan it with
> > clamscan, clamscan does detect it as a virus.
> >
> > However, none of them have ever been detected as a virus
> > while going through
> > MailScanner. Ever. (I just searched all my postmaster
> > notices from MailScanner
> > and the word "You've" doesn't appear in any of them, which
> > would be part of the
> > subject-line quite.).
> >
> > Note that my MailScanner setup does detect phishing signatures.
> >
> > ie:
> > Report: ClamAV: msg-9454-234.html contains HTML.Phishing.Pay-36
> > Report: ClamAV: msg-17765-74.html contains Email.Phishing.RB-1260
> >
> > But there are no Email.Phishing.RB-1222's in there anywhere.
> >
>
> What do you get if you run
>
> sigtool --list-sigs|grep Email.Phishing.RB-1222
>
> Perhaps something amiss with the clamdb updates? Accidental dupe installs?
>
> Rick

Given that running clamscan on the email file outside of MailScanner detects it
as a virus, I've already conclusively proven clamav has the signature and it
works properly.

One observation, though, the specific test messages I used detected as 1221 not
1222, but they're all related.

ecardspam1.eml: Email.Phishing.RB-1221 FOUND
ecardspam2.eml: Email.Phishing.RB-1221 FOUND
ecardspam3.eml: Email.Phishing.RB-1221 FOUND

However, if you insist:
# sigtool --list-sigs|grep Email.Phishing.RB-1222
Email.Phishing.RB-1222

Yes, it's there. Yes, clamscan can use it, and clamscan properly detects the
messages as viruses when executed manually. No, clamav via MailScanner cannot
detect it.

From glenn.steen at gmail.com Thu Jul 26 23:42:44 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Jul 26 23:42:45 2007
Subject: Grreting card scams
In-Reply-To: <46A91ECF.8040807@evi-inc.com>
References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net> <46A91263.7070804@evi-inc.com> <080f01c7cfce$ddd7aba0$0301a8c0@SAHOMELT> <46A91ECF.8040807@evi-inc.com>
Message-ID: <223f97700707261542u5256ba81s30ce53bdc5ae7149@mail.gmail.com>

On 27/07/07, Matt Kettler wrote:
> Rick Cooper wrote:
>
> > > -----Original Message-----
> > > From: mailscanner-bounces@lists.mailscanner.info
> > > [mailto:mailscanner-bounces@lists.mailscanner.info] On
> > > Behalf Of Matt Kettler
> > >
> > > However, If I copy one of the messages back onto the server
> > > and scan it with
> > > clamscan, clamscan does detect it as a virus.
> > >
> > > However, none of them have ever been detected as a virus
> > > while going through
> > > MailScanner. Ever. (I just searched all my postmaster
> > > notices from MailScanner
> > > and the word "You've" doesn't appear in any of them, which
> > > would be part of the
> > > subject-line quite.).
> > >
> > > Note that my MailScanner setup does detect phishing signatures.
> > >
> > > ie:
> > > Report: ClamAV: msg-9454-234.html contains HTML.Phishing.Pay-36
> > > Report: ClamAV: msg-17765-74.html contains Email.Phishing.RB-1260
> > >
> > > But there are no Email.Phishing.RB-1222's in there anywhere.
> > >
> >
> > What do you get if you run
> >
> > sigtool --list-sigs|grep Email.Phishing.RB-1222
> >
> > Perhaps something amiss with the clamdb updates? Accidental dupe installs?
> >
> > Rick
>
> Given that running clamscan on the email file outside of MailScanner detects it
> as a virus, I've already conclusively proven clamav has the signature and it
> works properly.
>
> One observation, though, the specific test messages I used detected as 1221 not
> 1222, but they're all related.
>
> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
>
> However, if you insist:
> # sigtool --list-sigs|grep Email.Phishing.RB-1222
> Email.Phishing.RB-1222
>
> Yes, it's there. Yes, clamscan can use it, and clamscan properly detects the
> messages as viruses when executed manually. No, clamav via MailScanner cannot
> detect it.
>
Could this perhaps have anything to do with how clam gets fed the
message in MailScanner....? If I'm not completely senile (always a
possibility:-), MS doesn't feed it the complete message, hence some
newstyle sigs will never (be able to) trigger.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From doc at maddoc.net Thu Jul 26 23:51:06 2007
From: doc at maddoc.net (Doc Schneider)
Date: Thu Jul 26 23:51:16 2007
Subject: Grreting card scams
In-Reply-To: <223f97700707261542u5256ba81s30ce53bdc5ae7149@mail.gmail.com>
References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net> <46A91263.7070804@evi-inc.com> <080f01c7cfce$ddd7aba0$0301a8c0@SAHOMELT> <46A91ECF.8040807@evi-inc.com> <223f97700707261542u5256ba81s30ce53bdc5ae7149@mail.gmail.com>
Message-ID: <46A9255A.10307@maddoc.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Glenn Steen wrote:
> On 27/07/07, Matt Kettler wrote:
>> Rick Cooper wrote:
>>
>> > > -----Original Message-----
>> > > From: mailscanner-bounces@lists.mailscanner.info >> > > [mailto:mailscanner-bounces@lists.mailscanner.info] On >> > > Behalf Of Matt Kettler >> > > >> > > However, If I copy one of the messages back onto the server >> > > and scan it with >> > > clamscan, clamscan does detect it as a virus. >> > > >> > > However, none of them have ever been detected as a virus >> > > while going through >> > > MailScanner. Ever. (I just searched all my postmaster >> > > notices from MailScanner >> > > and the word "You've" doesn't appear in any of them, which >> > > would be part of the >> > > subject-line quite.). >> > > >> > > Note that my MailScanner setup does detect phishing signatures. >> > > >> > > ie: >> > > Report: ClamAV: msg-9454-234.html contains HTML.Phishing.Pay-36 >> > > Report: ClamAV: msg-17765-74.html contains >> Email.Phishing.RB-1260 >> > > >> > > But there are no Email.Phishing.RB-1222's in there anywhere. >> > > >> > >> > What do you get if you run >> > >> > sigtool --list-sigs|grep Email.Phishing.RB-1222 >> > >> > Perhaps something amiss with the clamdb updates? Accidental dupe >> installs? >> > >> > Rick >> >> Given that running clamscan on the email file outside of MailScanner >> detects it >> as a virus, I've already conclusively proven clamav has the signature >> and it >> works properly. >> >> One observation, though, the specific test messages I used detected as >> 1221 not >> 1222, but they're all related. >> >> ecardspam1.eml: Email.Phishing.RB-1221 FOUND >> ecardspam2.eml: Email.Phishing.RB-1221 FOUND >> ecardspam3.eml: Email.Phishing.RB-1221 FOUND >> >> However, if you insist: >> # sigtool --list-sigs|grep Email.Phishing.RB-1222 >> Email.Phishing.RB-1222 >> >> Yes, it's there. Yes, clamscan can use it, and clamscan properly >> detects the >> messages as viruses when executed manually. No, clamav via MailScanner >> cannot >> detect it. >> > Could this perhaps have anything to do with how clam gets fed the > message in MailScanner....? 
If I'm not completely senile (always a > possibility:-), MS doesn't feed it the complete message, hence some > newstyle sigs will never (be able to) trigger. > > Cheers This makes sense... or else we know Jules has been into the "Guiness(sic)" again! HAR! - -- - -Doc Lincoln, NE. http://www.genealogyforyou.com/ http://www.cairnproductions.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFGqSVaqOEeBwEpgcsRAtp1AJsFDG1AQYOI5Foxfy5rNrD06ZDy2wCZAfMF WQCbBM2nqqKrHxIu3aNi+Ks= =bX2c -----END PGP SIGNATURE----- From mailadmin at baladia.gov.kw Fri Jul 27 07:41:53 2007 
From: mailadmin at baladia.gov.kw (simon)
Date: Fri Jul 27 08:18:19 2007
Subject: query if mailscanner using clamscan
In-Reply-To: <46A91552.5060809@ecs.soton.ac.uk>
References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw>
	<46A87494.6060002@ecs.soton.ac.uk>
	<1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw>
	<46A8B477.60603@ecs.soton.ac.uk>
	<1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw>
	<46A8BC68.1020901@ecs.soton.ac.uk>
	<2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw>
	<46A91552.5060809@ecs.soton.ac.uk>
Message-ID: <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw>

Thanks Julian and guys

there was a path mismatch in my MailScanner.conf and clamd.conf file..
it's OK now .. works fine
really do appreciate

but as julian says i don't need 2 .. i mean clamav n clamd as it's gonna
scan 2 times with the same virus scanner..

btw all these queries i have been writing is

I ONLY WANT MY INCOMING AND OUTGOING MAILS TO BE SCANNED BY THE CLAMD DAEMON

as per jules SA+clamav script the script says
...............................................
'If you want to use MailScanners support for Clamd (virus-scanning'
echo 'daemon) then I recommend you cancel this script now (press Ctrl-C)'
echo 'and install the RPMs for clamav, clamav-db and clamd from'
echo ' http://dag.wieers.com/rpm/packages/clamav'
echo 'Then re-run this script and tell me that clamscan is installed in'
echo '/usr/bin. This will set up your virus.scanners.conf file for you.'
.....................................................

now i have installed as per the instructions and see that clamscan is in
/usr/bin

my MailScanner.conf file has the following settings
----------------------------------------------------------
i tried
Virus Scanners = auto
and also
Virus Scanners = clamav clamd
-------------------------------------------------------------

my virus.scanners.conf settings for clam*
------------------------------------------------------
clamav          /usr/lib/MailScanner/clamav-wrapper     /usr/local
clamd           /bin/false                              /usr/local
clamavmodule    /bin/false                              /tmp
.....................................................................

Now how do i know if MailScanner support for Clamd (virus-scanning daemon )
is actually working .. which logs will tell me that

in mailScanner.conf the setting
VirusScanners =auto is fine
or i have to say
VirusScanners= clamav clamd

right now having either in my MailScanner.conf file the maillog logs is the
same

does the below line of my logs mean that MailScanner is using clamd ( the
virus scanning daemon )
--------------
Jul 27 09:40:16 kmdnstest MailScanner[7454]: Virus and Content Scanning: Starting
------------------------------------

appreciate your help pls

here below is my maillog : pls ignore the recipients
----------------------------------------------------------
Jul 27 09:40:01 kmdnstest sendmail[7463]: l6R6e05H007463: to=guy20034u@yahoo.com, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=30048, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (l6R6e12k007465 Message accepted for delivery)
Jul 27 09:40:04 kmdnstest MailScanner[7454]: New Batch: Scanning 1 messages, 817 bytes
Jul 27 09:40:16 kmdnstest MailScanner[7454]: Virus and Content Scanning: Starting
Jul 27 09:40:34 kmdnstest MailScanner[7454]: Uninfected: Delivered 1 messages
Jul 27 09:40:43 kmdnstest sendmail[7481]: l6R6e12k007465: to=, ctladdr= (0/0), delay=00:00:42, xdelay=00:00:08, mailer=esmtp, pri=120347, relay=f.mx.mail.yahoo.com.
[68.142.202.247], dsn=2.0.0, stat=Sent (ok dirdel)
-----------------------------------------------------------------

Thanks in advance

Regards

simon

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> simon wrote:
>> Dear All,
>>
>> Thanks once again julian..
>> btw i removed virus scanning =auto from my MailScanner.conf file and now i
>> have virus scanning = clamav clamd so that i would like mailscanner to
>> clamscan every incoming n outgoing mail message.
>> but now when i restart mailscanner i see in maillogs
>>
> For starters there is no point specifying clamav and clamd as you will
> just be scanning everything twice with the same virus scanner!
>
>> Cannot find Socket (/tmp/clamd) Exiting!
>>
>> if i say service clamd status
>>
>> clamd (pid 1779) is running...
>>
>> so clamd daemon is running
>>
>> really appreciate ur help
>>
> Check to see if the socket /tmp/clamd actually exists, and compare the
> clamd-specific settings in MailScanner.conf with those in clamd.conf.
>
>>
>> Thanks and Regards
>>
>> simon
>>
>>> In which case 'auto' will only use 'clamav'. To find 'clamavmodule' you
>>> must have the module installed. To find 'clamd' the daemon must be
>>> running, and the Clamd-specific MailScanner.conf options must be set
>>> correctly.
>>>
>>> simon wrote:
>>>
>>>> Thanks again guys for ur immediate reply
>>>>
>>>> here the MailScanner --lint output..
>>>>
>>>> Read 797 hostnames from the phishing whitelist
>>>> Checking version numbers...
>>>> Version number in MailScanner.conf (4.61.7) is correct.
>>>> --------------------------------------------------------------
>>>> Checking for SpamAssassin errors (if you use it)...
>>>> SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
>>>> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
>>>> Using SpamAssassin results cache
>>>> Connected to SpamAssassin cache database
>>>> SpamAssassin reported no errors.
>>>> Using locktype = posix
>>>> Creating hardcoded struct_flock subroutine for linux (Linux-type)
>>>> MailScanner.conf says "Virus Scanners = auto"
>>>> Found these virus scanners installed: clamav
>>>>
>>>> -----------------------------------------------------------------
>>>>
>>>> guess its fine... but it has no reference to clamscan or clamd
>>>>
>>>> regards
>>>>
>>>> simon
>>>>
>>>>> If you are running the RPM version of clamav then your
>>>>> virus.scanners.conf file is right, as clamscan is in
>>>>> /usr/bin/clamscan.
>>>>> Check that 'auto' is picking them up correctly by doing a
>>>>> "MailScanner --lint".
>>>>>
>>>>> simon wrote:
>>>>>
>>>>>> Thanks Guys for you quick reply,
>>>>>>
>>>>>> Btw i did forget to mention and ask u what new should be added to
>>>>>> virus.scanners.conf file since after the script was run there is a
>>>>>> /etc/MailScanner/virus.scanners.conf.bak file
>>>>>>
>>>>>> here the clam lines for the /etc/MailScanner/virus.scanners.conf
>>>>>>
>>>>>> ------------------------
>>>>>>
>>>>>> clamav          /usr/lib/MailScanner/clamav-wrapper     /usr
>>>>>> clamd           /bin/false                              /usr
>>>>>> clamavmodule    /bin/false                              /tmp
>>>>>>
>>>>>> ------------------------------------------
>>>>>> i guess this above file does not reference clamscan if im right..
>>>>>> do let me know if i have to edit this file.
>>>>>> my clamscan is is /usr/bin
>>>>>> n clamd is in /usr/sbin
>>>>>>
>>>>>> and in MailScanner.conf it says
>>>>>>
>>>>>> Virus Scanners = auto
>>>>>>
>>>>>> i did keep it auto as i will install bitdefender later and would
>>>>>> like MS to search for the installed antivirus software
>>>>>>
>>>>>> Appreciate your help
>>>>>>
>>>>>> Thanks and regards
>>>>>>
>>>>>> simon
>>>>>>
>>>>>>> What does your /etc/MailScanner/virus.scanners.conf say for the clam
>>>>>>> lines?
>>>>>>> What does the "Virus Scanners = " line in MailScanner.conf say?
>>>>>>>
>>>>>>> simon wrote:
>>>>>>>
>>>>>>>> Dear All,
>>>>>>>>
>>>>>>>> i have recently installed new sendmail based mail server and
>>>>>>>> installed mailscanner + jules package spamassassin + clamAV and have
>>>>>>>> instructed clamd virus scanning daemon to be used by mailScanner for
>>>>>>>> scanning email when installing the package. i have also installed
>>>>>>>> clamav, clamav-db and clamd
>>>>>>>> from http://dag.wieers.com/rpm/packages/clamav
>>>>>>>> and everything working OK.
>>>>>>>> i have clamscan installed in /usr/bin
>>>>>>>>
>>>>>>>> but how could i know if mailscanner is really using clamd daemon n
>>>>>>>> clamscan to scan emails
>>>>>>>>
>>>>>>>> Appreciate ur help
>>>>>>>>
>>>>>>>> regards
>>>>>>>>
>>>>>>>> simon
>>>>>>>>
>>>>>>> Jules
>>>>>>>
>>>>>>> --
>>>>>>> Julian Field MEng CITP
>>>>>>> www.MailScanner.info
>>>>>>> Buy the MailScanner book at www.MailScanner.info/store
>>>>>>>
>>>>>>> Need help customising MailScanner?
>>>>>>> Contact me!
>>>>>>> Need help fixing or optimising your systems?
>>>>>>> Contact me!
>>>>>>> Need help getting you started solving new requirements from your boss?
>>>>>>> Contact me!
>>>>>>>
>>>>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>>>>
>>>>>>> --
>>>>>>> This message has been scanned for viruses and
>>>>>>> dangerous content by MailScanner, and is
>>>>>>> believed to be clean.
>>>>>>> For all your IT requirements visit www.transtec.co.uk
>>>>>>>
>>>>>>> --
>>>>>>> MailScanner mailing list
>>>>>>> mailscanner@lists.mailscanner.info
>>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>>
>>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>>
>>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>>
>>>>>>
>>>>> Jules
>>>>>
>>>>> --
>>>>> Julian Field MEng CITP
>>>>> www.MailScanner.info
>>>>> Buy the MailScanner book at www.MailScanner.info/store
>>>>>
>>>>> Need help customising MailScanner?
>>>>> Contact me!
>>>>> Need help fixing or optimising your systems?
>>>>> Contact me!
>>>>> Need help getting you started solving new requirements from your boss?
>>>>> Contact me!
>>>>>
>>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>>>
>>>>> --
>>>>> This message has been scanned for viruses and
>>>>> dangerous content by MailScanner, and is
>>>>> believed to be clean.
>>>>> For all your IT requirements visit www.transtec.co.uk
>>>>>
>>>>> --
>>>>> MailScanner mailing list
>>>>> mailscanner@lists.mailscanner.info
>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>
>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>
>>>>> Support MailScanner development - buy the book off the website!
>>>>>
>>>>
>>> Jules
>>>
>>> --
>>> Julian Field MEng CITP
>>> www.MailScanner.info
>>> Buy the MailScanner book at www.MailScanner.info/store
>>>
>>> Need help customising MailScanner?
>>> Contact me!
>>> Need help fixing or optimising your systems?
>>> Contact me!
>>> Need help getting you started solving new requirements from your boss?
>>> Contact me!
>>>
>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>>> For all your IT requirements visit www.transtec.co.uk
>>>
>>> --
>>> MailScanner mailing list
>>> mailscanner@lists.mailscanner.info
>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>> Before posting, read http://wiki.mailscanner.info/posting
>>>
>>> Support MailScanner development - buy the book off the website!
>>>
>>
>
> Jules
>
> - --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.6.2 (Build 2014)
> Charset: ISO-8859-1
>
> wj8DBQFGqRVTEfZZRxQVtlQRAkkrAKCqECvP3FSpi8+QPFa/H1HIHsmujQCfQYzM
> ksCe+s24DfHgPgwPBEa07ok=
> =GiIT
> -----END PGP SIGNATURE-----
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> For all your IT requirements visit www.transtec.co.uk
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
Network Administrator

From martinh at solidstatelogic.com Fri Jul 27 08:26:57 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Jul 27 08:27:13 2007
Subject: Grreting card scams
In-Reply-To: <46A9255A.10307@maddoc.net>
Message-ID: <0f2128a6b1153845b39435c7f8a065a4@solidstatelogic.com>

Following SA hits are typical on my system for these emails..

score=24.878   5 required   autolearn=spam

 5.40  BAYES_99                   Bayesian spam probability is 99 to 100%
 5.00  BOTNET                     Relay might be a spambot or virusbot
 0.77  DIGEST_MULTIPLE            Message hits more than one network digest check
 0.67  FH_HOST_EQ_D_D_D_D         Host starts with d-d-d-d
 0.98  HOST_EQ_CPE
 0.31  HOST_MISMATCH_COM
 4.00  NORMAL_HTTP_TO_IP          Uses a dotted-decimal IP address in URL
 3.70  PYZOR_CHECK                Listed in Pyzor (http://pyzor.sf.net/)
 0.50  RAZOR2_CF_RANGE_51_100     Razor2 gives confidence level above 50%
 1.50  RAZOR2_CF_RANGE_E8_51_100  Razor2 gives engine 8 confidence level above 50%
 0.50  RAZOR2_CHECK               Listed in Razor2 (http://razor.sf.net/)
 1.56  RCVD_IN_BL_SPAMCOP_NET     Received via a relay in bl.spamcop.net

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Doc Schneider
> Sent: 26 July 2007 23:51
> To: MailScanner discussion
> Subject: Re: Grreting card scams
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Glenn Steen wrote:
> > On 27/07/07, Matt Kettler wrote:
> >> Rick Cooper wrote:
> >>
> >> > > -----Original Message-----
> >> > > From: mailscanner-bounces@lists.mailscanner.info
> >> > > [mailto:mailscanner-bounces@lists.mailscanner.info] On
> >> > > Behalf Of Matt Kettler
> >> > >
> >> > > However, If I copy one of the messages back onto the server
> >> > > and scan it with clamscan, clamscan does detect it as a virus.
> >> > >
> >> > > However, none of them have ever been detected as a virus
> >> > > while going through MailScanner. Ever. (I just searched all my
> >> > > postmaster notices from MailScanner and the word "You've" doesn't
> >> > > appear in any of them, which would be part of the subject-line
> >> > > quite.).
> >> > >
> >> > > Note that my MailScanner setup does detect phishing signatures.
> >> > >
> >> > > ie:
> >> > > Report: ClamAV: msg-9454-234.html contains HTML.Phishing.Pay-36
> >> > > Report: ClamAV: msg-17765-74.html contains Email.Phishing.RB-1260
> >> > >
> >> > > But there are no Email.Phishing.RB-1222's in there anywhere.
> >> > >
> >> >
> >> > What do you get if you run
> >> >
> >> > sigtool --list-sigs|grep Email.Phishing.RB-1222
> >> >
> >> > Perhaps something amiss with the clamdb updates? Accidental dupe installs?
> >> >
> >> > Rick
> >>
> >> Given that running clamscan on the email file outside of MailScanner
> >> detects it as a virus, I've already conclusively proven clamav has the
> >> signature and it works properly.
> >>
> >> One observation, though, the specific test messages I used detected as
> >> 1221 not 1222, but they're all related.
> >>
> >> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
> >> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
> >> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
> >>
> >> However, if you insist:
> >> # sigtool --list-sigs|grep Email.Phishing.RB-1222
> >> Email.Phishing.RB-1222
> >>
> >> Yes, it's there. Yes, clamscan can use it, and clamscan properly
> >> detects the messages as viruses when executed manually. No, clamav via
> >> MailScanner cannot detect it.
> >>
> > Could this perhaps have anything to do with how clam gets fed the
> > message in MailScanner....? If I'm not completely senile (always a
> > possibility:-), MS doesn't feed it the complete message, hence some
> > newstyle sigs will never (be able to) trigger.
> >
> > Cheers
>
> This makes sense... or else we know Jules has been into the
> "Guiness(sic)" again! HAR!
>
> - --
> - -Doc
> Lincoln, NE.
> http://www.genealogyforyou.com/
> http://www.cairnproductions.com/
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org
>
> iD8DBQFGqSVaqOEeBwEpgcsRAtp1AJsFDG1AQYOI5Foxfy5rNrD06ZDy2wCZAfMF
> WQCbBM2nqqKrHxIu3aNi+Ks=
> =bX2c
> -----END PGP SIGNATURE-----
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

**********************************************************************

Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error
you must take no action based on them, nor must you copy or show them
to anyone. Please advise the sender by replying to this e-mail
immediately and then delete the original from your computer.

Opinion : Any opinions expressed in this e-mail are entirely those of
the author and unless specifically stated to the contrary, are not
necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure
communications medium and can be subject to data corruption. We advise
that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom

**********************************************************************

From uxbod at splatnix.net Fri Jul 27 08:39:59 2007
From: uxbod at splatnix.net (UxBoD)
Date: Fri Jul 27 08:37:22 2007
Subject: query if mailscanner using clamscan
In-Reply-To: <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw>
Message-ID: <12184506.4741185521999162.JavaMail.root@office.splatnix.net>

Simon,

Looks like ClamAV is installed twice. Please check for clamdscan in
/usr/local/sbin and /usr/sbin. I guess it will be in both places. The RPM
will install to /usr and Jules package will install to /usr/local. Decide
which one you wish to use and remove the other.

Once that has been done set virus.scanners.conf to where the directory for
clamd is, which would be either /usr or /usr/local.

Set the VirusScanners = clamd in MailScanner.conf

Ensure that the socket is being created in the same place that
MailScanner.conf is set to use.

Remember! if you switch from RPM to Jules package, or vice versa, the
socket path will change. Please consult either /etc/clamd.conf or
/usr/local/etc/clamd.conf.

Hope this makes sense?

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "simon" To: "MailScanner discussion" Sent: Friday, July 27, 2007 7:41:53 AM (GMT) Europe/London Subject: Re: query if mailscanner using clamscan Thanks Julian and guys there was a path mismatch in my MailScanner.conf and clamd.conf file.. its Ok now .. works fine really do appreciate but as julian says i dont need 2 .. i mean clamav n clamd as its gonna scan 2 times with the same virus scanner.. btw all this queries i have been writing is I ONLY WANT MY INCOMING AND OUTGOIN MAILS TO BE SCANNED BY THE CLAMD DAEMON as per jules SA+clamav script the script says ............................................... 'If you want to use MailScanners support for Clamd (virus-scanning' echo 'daemon) then I recommend you cancel this script now (press Ctrl-C)' echo 'and install the RPMs for clamav, clamav-db and clamd from' echo ' http://dag.wieers.com/rpm/packages/clamav' echo 'Then re-run this script and tell me that clamscan is installed in' echo '/usr/bin. This will set up your virus.scanners.conf file for you.' ..................................................... now i have installed as per the instructions and see that clamscan is in /usr/bin my MailScanner.conf file has the following settings ---------------------------------------------------------- i tried Virus Scanners = auto and also Virus Scanners = clamav clamd ------------------------------------------------------------- my virus.scanners.conf settings for clam* ------------------------------------------------------ clamav /usr/lib/MailScanner/clamav-wrapper /usr/local clamd /bin/false /usr/local clamavmodule /bin/false /tmp ..................................................................... Now how do i know if MailScanner support for Clamd (virus-scanning daemon ) is actually working .. 
which logs will tell me tht in mailScanner.conf the setting VirusScanners =auto is fine or i have to say VirusScanners= clamav clamd right now having either in my MailScanner.conf file the maillog logs is the same does the below line of my logs mean that MailScanner is using clamd ( the virus scanning daemon ) -------------- Jul 27 09:40:16 kmdnstest MailScanner[7454]: Virus and Content Scanning: Starting ------------------------------------ apprecite your help pls here below is my maillog : pls ignore the receipents ---------------------------------------------------------- Jul 27 09:40:01 kmdnstest sendmail[7463]: l6R6e05H007463: to=guy20034u@yahoo.com, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=30048, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (l6R6e12k007465 Message accepted for delivery) Jul 27 09:40:04 kmdnstest MailScanner[7454]: New Batch: Scanning 1 messages, 817 bytes Jul 27 09:40:16 kmdnstest MailScanner[7454]: Virus and Content Scanning: Starting Jul 27 09:40:34 kmdnstest MailScanner[7454]: Uninfected: Delivered 1 messages Jul 27 09:40:43 kmdnstest sendmail[7481]: l6R6e12k007465: to=, ctladdr= (0/0), delay=00:00:42, xdelay=00:00:08, mailer=esmtp, pri=120347, relay=f.mx.mail.yahoo.com. [68.142.202.247], dsn=2.0.0, stat=Sent (ok dirdel) ----------------------------------------------------------------- Thnaks in advance Regards simon > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > simon wrote: >> Dear All, >> >> Thanks once again julian.. >> btw i removed virus scanning =auto from my MailScanner.conf file and now >> i >> have virus scanning = clamav clamd so that i would like mailscanner to >> clamscan every incommin n outgoin mail message. >> but now when i restart mailscanner i see in maillogs >> > For starters there is no point specifying clamav and clamd as you will > just be scanning everything twice with the same virus scanner! > >> Cannot find Socket (/tmp/clamd) Exiting! 
>> >> if i say service clamd status >> >> clamd (pid 1779) is running... >> >> so clamd daemon is running >> >> really apprecite ur help >> > Check to see if the socket /tmp/clamd actually exists, and compare the > clamd-specific settings in MailScanner.conf with those in clamd.conf. > >> >> Thanks and Regards >> >> simon >> >> >> >> >> >>> In which case 'auto' will only use 'clamav'. To find 'clamavmodule' you >>> must have the module installed. To find 'clamd' the daemon must be >>> running, and the Clamd-specific MailScanner.conf options must be set >>> correctly. >>> >>> simon wrote: >>> >>>> Thanks agin guys for ur immediate reply >>>> >>>> here the MailScanner --lint output.. >>>> >>>> Read 797 hostnames from the phishing whitelist >>>> Checking version numbers... >>>> Version number in MailScanner.conf (4.61.7) is correct. >>>> -------------------------------------------------------------- >>>> Checking for SpamAssassin errors (if you use it)... >>>> SpamAssassin temporary working directory is >>>> /var/spool/MailScanner/incoming/SpamAssassin-Temp >>>> SpamAssassin temp dir = >>>> /var/spool/MailScanner/incoming/SpamAssassin-Temp >>>> Using SpamAssassin results cache >>>> Connected to SpamAssassin cache database >>>> SpamAssassin reported no errors. >>>> Using locktype = posix >>>> Creating hardcoded struct_flock subroutine for linux (Linux-type) >>>> MailScanner.conf says "Virus Scanners = auto" >>>> Found these virus scanners installed: clamav >>>> >>>> >>>> ----------------------------------------------------------------- >>>> >>>> gues sits fine... but it has no reference to clamscan or clamd >>>> >>>> >>>> regards >>>> >>>> simon >>>> >>>> >>>> >>>>> If you are running the RPM version of clamav then your >>>>> virus.scanners.conf file is right, as clamscan is in >>>>> /usr/bin/clamscan. >>>>> Check that 'auto' is picking them up correctly by doing a >>>>> "MailScanner >>>>> --lint". 
>>>>> >>>>> simon wrote: >>>>> >>>>> >>>>>> Thanks Guys for you quick reply, >>>>>> >>>>>> Btw i did forget to mention and ask u wht new should be added to >>>>>> virus.scanners.conf file since after the script was run there is a >>>>>> /etc/MailScanner/virus.scanners.conf.bak file >>>>>> >>>>>> here the clam lines for the /etc/MailScanner/virus.scanners.conf >>>>>> >>>>>> ------------------------ >>>>>> >>>>>> clamav /usr/lib/MailScanner/clamav-wrapper /usr >>>>>> clamd /bin/false /usr >>>>>> clamavmodule /bin/false /tmp >>>>>> >>>>>> ------------------------------------------ >>>>>> i guess this above file does not reference clamscan if im right.. >>>>>> do let me know if i hav to edit this file. >>>>>> my clamscan is is /usr/bin >>>>>> n clamd is in /usr/sbin >>>>>> >>>>>> and in MailScanner.conf it says >>>>>> >>>>>> Virus Scanners = auto >>>>>> >>>>>> i did keep it auto as i will install bitdefender latter and would >>>>>> like >>>>>> MS >>>>>> to search for the installed antivirus software >>>>>> >>>>>> Appreciate your help >>>>>> >>>>>> Thanks and regards >>>>>> >>>>>> simon >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>> What does you /etc/MailScanner/virus.scanners.conf say for the clam >>>>>>> lines? >>>>>>> What does the "Virus Scanners = " line in MailScanner.conf say? >>>>>>> >>>>>>> simon wrote: >>>>>>> >>>>>>> >>>>>>> >>>>>>>> Dear All, >>>>>>>> >>>>>>>> i have recently installed new sendmail based mail server and >>>>>>>> installed >>>>>>>> mailscanner + jules packge spamassassin + clamAV and have >>>>>>>> instructed >>>>>>>> clamd >>>>>>>> virus scanning daemon to be used by mailScanner for scanning email >>>>>>>> when >>>>>>>> installing the package. i have also installed clamav, clamav-db >>>>>>>> and >>>>>>>> clamd >>>>>>>> from http://dag.wieers.com/rpm/packages/clamav >>>>>>>> and everythin workin OK. 
>>>>>>>> i have clamscan installed in /usr/bin >>>>>>>> >>>>>>>> but how could i know if mailscanner is really using clamd daemon n >>>>>>>> clamscan to scan emails >>>>>>>> >>>>>>>> >>>>>>>> Appreciate ur help >>>>>>>> >>>>>>>> >>>>>>>> regards >>>>>>>> >>>>>>>> simon >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> Jules >>>>>>> >>>>>>> -- >>>>>>> Julian Field MEng CITP >>>>>>> www.MailScanner.info >>>>>>> Buy the MailScanner book at www.MailScanner.info/store >>>>>>> >>>>>>> Need help customising MailScanner? >>>>>>> Contact me! >>>>>>> Need help fixing or optimising your systems? >>>>>>> Contact me! >>>>>>> Need help getting you started solving new requirements from your >>>>>>> boss? >>>>>>> Contact me! >>>>>>> >>>>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> This message has been scanned for viruses and >>>>>>> dangerous content by MailScanner, and is >>>>>>> believed to be clean. >>>>>>> For all your IT requirements visit www.transtec.co.uk >>>>>>> >>>>>>> -- >>>>>>> MailScanner mailing list >>>>>>> mailscanner@lists.mailscanner.info >>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>>>>>> >>>>>>> Before posting, read http://wiki.mailscanner.info/posting >>>>>>> >>>>>>> Support MailScanner development - buy the book off the website! >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>> Jules >>>>> >>>>> -- >>>>> Julian Field MEng CITP >>>>> www.MailScanner.info >>>>> Buy the MailScanner book at www.MailScanner.info/store >>>>> >>>>> Need help customising MailScanner? >>>>> Contact me! >>>>> Need help fixing or optimising your systems? >>>>> Contact me! >>>>> Need help getting you started solving new requirements from your >>>>> boss? >>>>> Contact me! 
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > For all your IT requirements visit www.transtec.co.uk > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.6.2 (Build 2014) > Charset: ISO-8859-1 > > wj8DBQFGqRVTEfZZRxQVtlQRAkkrAKCqECvP3FSpi8+QPFa/H1HIHsmujQCfQYzM > ksCe+s24DfHgPgwPBEa07ok= > =GiIT > -----END PGP SIGNATURE----- > -- Network Administrator
From uxbod at splatnix.net Fri Jul 27 08:41:48 2007
From: uxbod at splatnix.net (UxBoD)
Date: Fri Jul 27 08:39:03 2007
Subject: Grreting card scams
In-Reply-To: <0f2128a6b1153845b39435c7f8a065a4@solidstatelogic.com>
Message-ID: <11969838.4771185522108304.JavaMail.root@office.splatnix.net>

Mine :-

cached not
score=17.504
10 required
12.00 KAM_CARD Trojan or Virus Payload from fake ecard notice
0.00 NORMAL_HTTP_TO_IP Uses a dotted-decimal IP address in URL
1.80 RCVD_IN_DSBL Received via a relay in list.dsbl.org
1.71 RCVD_IN_NJABL_DUL
0.00 RCVD_IN_PBL Received via a relay in Spamhaus PBL
1.99 RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Martin.Hepworth"
To: "MailScanner discussion"
Sent: Friday, July 27, 2007 8:26:57 AM (GMT) Europe/London
Subject: RE: Grreting card scams

Following SA hits are typical on my system for these emails..

score=24.878
5 required
autolearn=spam
5.40 BAYES_99 Bayesian spam probability is 99 to 100%
5.00 BOTNET Relay might be a spambot or virusbot
0.77 DIGEST_MULTIPLE Message hits more than one network digest check
0.67 FH_HOST_EQ_D_D_D_D Host starts with d-d-d-d
0.98 HOST_EQ_CPE
0.31 HOST_MISMATCH_COM
4.00 NORMAL_HTTP_TO_IP Uses a dotted-decimal IP address in URL
3.70 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
0.50 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
1.50 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50%
0.50 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
1.56 RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Doc Schneider > Sent: 26 July 2007 23:51 > To: MailScanner discussion > Subject: Re: Grreting card scams > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Glenn Steen wrote: > > On 27/07/07, Matt Kettler wrote: > >> Rick Cooper wrote: > >> > >> > > -----Original Message----- 
> >> > > From: mailscanner-bounces@lists.mailscanner.info > >> > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > >> > > Behalf Of Matt Kettler > >> > > > >> > > However, If I copy one of the messages back onto the server > >> > > and scan it with > >> > > clamscan, clamscan does detect it as a virus. > >> > > > >> > > However, none of them have ever been detected as a virus > >> > > while going through > >> > > MailScanner. Ever. (I just searched all my postmaster > >> > > notices from MailScanner > >> > > and the word "You've" doesn't appear in any of them, which > >> > > would be part of the > >> > > subject-line quite.). > >> > > > >> > > Note that my MailScanner setup does detect phishing signatures. > >> > > > >> > > ie: > >> > > Report: ClamAV: msg-9454-234.html contains HTML.Phishing.Pay- > 36 > >> > > Report: ClamAV: msg-17765-74.html contains > >> Email.Phishing.RB-1260 > >> > > > >> > > But there are no Email.Phishing.RB-1222's in there anywhere. > >> > > > >> > > >> > What do you get if you run > >> > > >> > sigtool --list-sigs|grep Email.Phishing.RB-1222 > >> > > >> > Perhaps something amiss with the clamdb updates? Accidental dupe > >> installs? > >> > > >> > Rick > >> > >> Given that running clamscan on the email file outside of MailScanner > >> detects it > >> as a virus, I've already conclusively proven clamav has the signature > >> and it > >> works properly. > >> > >> One observation, though, the specific test messages I used detected as > >> 1221 not > >> 1222, but they're all related. > >> > >> ecardspam1.eml: Email.Phishing.RB-1221 FOUND > >> ecardspam2.eml: Email.Phishing.RB-1221 FOUND > >> ecardspam3.eml: Email.Phishing.RB-1221 FOUND > >> > >> However, if you insist: > >> # sigtool --list-sigs|grep Email.Phishing.RB-1222 > >> Email.Phishing.RB-1222 > >> > >> Yes, it's there. Yes, clamscan can use it, and clamscan properly > >> detects the > >> messages as viruses when executed manually. 
No, clamav via MailScanner > >> cannot > >> detect it. > >> > > Could this perhaps have anything to do with how clam gets fed the > > message in MailScanner....? If I'm not completely senile (always a > > possibility:-), MS doesn't feed it the complete message, hence some > > newstyle sigs will never (be able to) trigger. > > > > Cheers > > This makes sense... or else we know Jules has been into the > "Guiness(sic)" again! HAR! > > - -- > - -Doc > Lincoln, NE. > http://www.genealogyforyou.com/ > http://www.cairnproductions.com/ > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.5 (GNU/Linux) > Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org > > iD8DBQFGqSVaqOEeBwEpgcsRAtp1AJsFDG1AQYOI5Foxfy5rNrD06ZDy2wCZAfMF > WQCbBM2nqqKrHxIu3aNi+Ks= > =bX2c > -----END PGP SIGNATURE----- > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. 
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom **********************************************************************
From glenn.steen at gmail.com Fri Jul 27 08:47:15 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 27 08:47:17 2007
Subject: query if mailscanner using clamscan
In-Reply-To: <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw>
References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> <46A8BC68.1020901@ecs.soton.ac.uk> <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw> <46A91552.5060809@ecs.soton.ac.uk> <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw>
Message-ID: <223f97700707270047q350fac70n95878b33cab3563d@mail.gmail.com>

On 27/07/07, simon wrote:
> Thanks Julian and guys
>
> there was a path mismatch in my MailScanner.conf and clamd.conf file..
> its Ok now .. works fine
> really do appreciate
> but as julian says i dont need 2 .. i mean clamav n clamd as its gonna
> scan 2 times with the same virus scanner..
>
> btw all this queries i have been writing is
>
> I ONLY WANT MY INCOMING AND OUTGOING MAILS TO BE SCANNED BY THE CLAMD
> DAEMON as per jules SA+clamav script
> the script says
>
> ...............................................
> 'If you want to use MailScanners support for Clamd (virus-scanning'
> echo 'daemon) then I recommend you cancel this script now (press Ctrl-C)'
> echo 'and install the RPMs for clamav, clamav-db and clamd from'
> echo ' http://dag.wieers.com/rpm/packages/clamav'
> echo 'Then re-run this script and tell me that clamscan is installed in'
> echo '/usr/bin. This will set up your virus.scanners.conf file for you.'
> .....................................................
>
> now i have installed as per the instructions and see that
> clamscan is in /usr/bin
>
> my MailScanner.conf file has the following settings
> ----------------------------------------------------------
> i tried Virus Scanners = auto
> and also Virus Scanners = clamav clamd
> -------------------------------------------------------------
>
> my virus.scanners.conf settings for clam*
> ------------------------------------------------------
> clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
> clamd /bin/false /usr/local
> clamavmodule /bin/false /tmp
> .....................................................................
>
> Now how do i know if MailScanner support for Clamd (virus-scanning daemon )
> is actually working .. which logs will tell me tht
>
> in mailScanner.conf
> the setting VirusScanners =auto is fine or i have to say
> VirusScanners= clamav clamd
> right now having either in my MailScanner.conf file the maillog logs is
> the same

Simon, you've been shown how to determine what the "auto" setting will use... Just do a
MailScanner --lint
and look at the last lines ... The scanner(s) found will be the scanners used.
If you want to be specific, you should detail
Virus Scanners = clamd
OR
Virus Scanners = clamavmodule
OR
Virus Scanners = clamav
... Where the first one gives you Clamd support, the second ClamAVModule and the last clamscan ... Clear?

> does the below line of my logs mean that MailScanner is using clamd ( the
> virus scanning daemon )
> --------------
>
> Jul 27 09:40:16 kmdnstest MailScanner[7454]: Virus and Content Scanning:
> Starting

No, it means it is trying to scan the message with all available "commercial" AV scanners. Send an EICAR through and look on the log entries for that specific message. The maillog is where these things are at, so there is where you need look.

> ------------------------------------
>
> appreciate your help pls
>
> here below is my maillog : pls ignore the recipients
> ----------------------------------------------------------
>
> Jul 27 09:40:01 kmdnstest sendmail[7463]: l6R6e05H007463:
> to=guy20034u@yahoo.com, ctladdr=root (0/0), delay=00:00:01,
> xdelay=00:00:00, mailer=relay, pri=30048, relay=[127.0.0.1] [127.0.0.1],
> dsn=2.0.0, stat=Sent (l6R6e12k007465 Message accepted for delivery)
> Jul 27 09:40:04 kmdnstest MailScanner[7454]: New Batch: Scanning 1
> messages, 817 bytes
> Jul 27 09:40:16 kmdnstest MailScanner[7454]: Virus and Content Scanning:
> Starting
> Jul 27 09:40:34 kmdnstest MailScanner[7454]: Uninfected: Delivered 1 messages
> Jul 27 09:40:43 kmdnstest sendmail[7481]: l6R6e12k007465:
> to=, ctladdr= (0/0),
> delay=00:00:42, xdelay=00:00:08, mailer=esmtp, pri=120347,
> relay=f.mx.mail.yahoo.com. [68.142.202.247], dsn=2.0.0, stat=Sent (ok
> dirdel)
> -----------------------------------------------------------------

These log entries are inconclusive, since we don't know whether there was a virus in that message or not. Use an EICAR (as I already showed you how) and you'll see... If it looks like this, then something is up;-).

> Thanks in advance
>

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From martinh at solidstatelogic.com Fri Jul 27 08:50:07 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Jul 27 08:50:11 2007
Subject: Grreting card scams
In-Reply-To: <11969838.4771185522108304.JavaMail.root@office.splatnix.net>
Message-ID:

Hmm I don't the DUL RBL's on SA as I they give FP's for us....we have a lot of customers/dealers etc that run their connections over DUL so I turn these off..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of UxBoD
> Sent: 27 July 2007 08:42
> To: MailScanner discussion
> Subject: Re: Grreting card scams
>
> Mine :-
>
> cached not
> score=17.504
> 10 required
> 12.00 KAM_CARD Trojan or Virus Payload from fake ecard notice
> 0.00 NORMAL_HTTP_TO_IP Uses a dotted-decimal IP address in URL
> 1.80 RCVD_IN_DSBL Received via a relay in list.dsbl.org
> 1.71 RCVD_IN_NJABL_DUL
> 0.00 RCVD_IN_PBL Received via a relay in Spamhaus PBL
> 1.99 RCVD_IN_SORBS_DUL SORBS: sent directly from dynamic IP address

From glenn.steen at gmail.com Fri Jul 27 09:02:22 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 27 09:02:23 2007
Subject: Grreting card scams
In-Reply-To:
References: <11969838.4771185522108304.JavaMail.root@office.splatnix.net>
Message-ID: <223f97700707270102m4232a751p9ac58ef32d667a5b@mail.gmail.com>

On 27/07/07, Martin.Hepworth wrote:
> Hmm I don't the DUL RBL's on SA as I they give FP's for us....we have a lot of customers/dealers etc that run their connections over DUL so I turn these off..
>

Phil&Martin,
That SA can (and with the right rules will) catch these feels like a bit of a side issue here, doesn't it? (Although I do like what you show there...:)

The fact that a whole bunch of clam sigs are simply missed by use of MailScanner is, IMO, where we should focus. The question is if there is anything we (or rather Jules) can do about it... Making clam a special case, where the header/body separation is ... undone, at least for the stage of passing it into the scanner... could be one thing.

Some of you boast that you have quite a few such messages, could you try splitting one into header and body part and see what clamscan says about the individual parts? Just to determine that the theory is correct...:)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From uxbod at splatnix.net Fri Jul 27 09:37:50 2007
From: uxbod at splatnix.net (UxBoD)
Date: Fri Jul 27 09:35:05 2007
Subject: Grreting card scams
In-Reply-To: <223f97700707270102m4232a751p9ac58ef32d667a5b@mail.gmail.com>
Message-ID: <9690934.4801185525470092.JavaMail.root@office.splatnix.net>

Once I get the production Oracle database back online :( I will take a look see.
From uxbod at splatnix.net Fri Jul 27 10:20:18 2007
From: uxbod at splatnix.net (UxBoD)
Date: Fri Jul 27 10:17:42 2007
Subject: Grreting card scams
In-Reply-To: <223f97700707270102m4232a751p9ac58ef32d667a5b@mail.gmail.com>
Message-ID: <14517533.4831185528018245.JavaMail.root@office.splatnix.net>

Okay, have done some testing. For the signature to trigger it has to have a source file that contains the message body, and the following headers :-

MIME-Version: 1.0
Content-Type: text/plain;

otherwise it reports the file as being okay.

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
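The split-and-scan test proposed and reported in the two messages above, as an added shell example (not code from the thread or from MailScanner): it writes the full message, the headers alone, the body alone, and the body behind only its MIME-Version and Content-Type headers, then runs clamscan over all four. The function names, output file names and the sample message are constructed for illustration.

```shell
#!/bin/sh
# Added example: names, paths and the sample message are constructed.

# write_sample FILE: a harmless constructed message for trying the split offline.
write_sample() {
    printf '%s\n' \
        'Received: from mail.example.org by mx.example.net; Fri, 27 Jul 2007 08:00:00 +0100' \
        'From: sender@example.org' \
        'To: user@example.net' \
        'Subject: constructed test message' \
        'MIME-Version: 1.0' \
        'Content-Type: text/plain;' \
        ' charset="us-ascii"' \
        'X-Mailer: constructed-sample' \
        '' \
        'Hello,' \
        '' \
        'This is a constructed test body.' > "$1"
}

# split_variants MSG OUTDIR: write the four files to compare.
#   full.eml     the message exactly as given
#   headers.txt  everything before the first empty line
#   body.txt     everything after the first empty line
#   minimal.eml  body preceded only by MIME-Version and Content-Type
split_variants() {
    msg=$1
    out=$2
    [ -r "$msg" ] || { echo "cannot read $msg" >&2; return 1; }
    mkdir -p "$out" || return 1
    cp "$msg" "$out/full.eml" || return 1

    # A line that is empty (optionally just a CR) ends the header block.
    awk '{ l = $0; sub(/\r$/, "", l) } l == "" { exit } { print }' \
        "$msg" > "$out/headers.txt"
    awk 'inbody { print; next }
         { l = $0; sub(/\r$/, "", l); if (l == "") inbody = 1 }' \
        "$msg" > "$out/body.txt"

    {
        # Keep the two header fields plus their folded continuation lines.
        awk '/^[ \t]/ { if (keep) print; next }
             { keep = (tolower($0) ~ /^(mime-version|content-type):/)
               if (keep) print }' "$out/headers.txt"
        echo
        cat "$out/body.txt"
    } > "$out/minimal.eml"
}

# scan_variants OUTDIR: one clamscan run over all four files.
# clamscan exits 0 when nothing matched, 1 when a signature matched, 2 on error.
scan_variants() {
    dir=$1
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "SKIPPED: clamscan not installed"
        return 0
    fi
    rc=0
    clamscan --no-summary "$dir/full.eml" "$dir/headers.txt" \
        "$dir/body.txt" "$dir/minimal.eml" || rc=$?
    [ "$rc" -le 1 ] || echo "clamscan reported an error (exit $rc)" >&2
    return 0
}

# Usage: sh split_scan.sh message.eml [outdir]
if [ "$#" -ge 1 ]; then
    out=${2:-./clam-variants}
    split_variants "$1" "$out" && scan_variants "$out"
fi
```

Comparing the per-file result lines shows which parts of the message a given signature needs in the scanned file.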
From glenn.steen at gmail.com Fri Jul 27 10:50:40 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 27 10:50:41 2007
Subject: Grreting card scams
In-Reply-To: <14517533.4831185528018245.JavaMail.root@office.splatnix.net>
References: <223f97700707270102m4232a751p9ac58ef32d667a5b@mail.gmail.com> <14517533.4831185528018245.JavaMail.root@office.splatnix.net>
Message-ID: <223f97700707270250m353539b4o61121eb05384a1ac@mail.gmail.com>

On 27/07/07, UxBoD wrote:
> Okay, have done some testing. For the signature to trigger it has to have a source file that contains the message body, and the following headers :-
>
> MIME-Version: 1.0
> Content-Type: text/plain;
>
> otherwise it reports the file as being okay.

Kind of what I thought... It doesn't understand that it is a mail it
is handling.:-(

Jules, how would you like to play this one?
I suspect that whatever we do might end up being ... less than
elegant... Unless you have some inspiration...:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Fri Jul 27 11:47:31 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 27 11:47:55 2007
Subject: Grreting card scams
In-Reply-To: <223f97700707270250m353539b4o61121eb05384a1ac@mail.gmail.com>
References: <223f97700707270102m4232a751p9ac58ef32d667a5b@mail.gmail.com> <14517533.4831185528018245.JavaMail.root@office.splatnix.net> <223f97700707270250m353539b4o61121eb05384a1ac@mail.gmail.com>
Message-ID: <46A9CD43.2090806@ecs.soton.ac.uk>

Glenn Steen wrote:
> On 27/07/07, UxBoD wrote:
>
>> Okay, have done some testing. For the signature to trigger it has to have a source file that contains the message body, and the following headers :-
>>
>> MIME-Version: 1.0
>> Content-Type: text/plain;
>>
>> otherwise it reports the file as being okay.
>>
>
> Kind of what I thought... It doesn't understand that it is a mail it
> is handling.:-(
>
> Jules, how would you like to play this one?
> I suspect that whatever we do might end up being ... less than
> elegant... Unless you have some inspiration...:-)
>

Yuck. I would have to copy the entire message into the scanning directory as well and alter every single parser to look out for it. Nasty job.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From gmatt at nerc.ac.uk Fri Jul 27 11:54:56 2007
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Fri Jul 27 11:55:19 2007
Subject: Grreting card scams
In-Reply-To: <223f97700707270250m353539b4o61121eb05384a1ac@mail.gmail.com>
References: <223f97700707270102m4232a751p9ac58ef32d667a5b@mail.gmail.com>
 <14517533.4831185528018245.JavaMail.root@office.splatnix.net>
 <223f97700707270250m353539b4o61121eb05384a1ac@mail.gmail.com>
Message-ID: <46A9CF00.70606@nerc.ac.uk>

Glenn Steen wrote:
> On 27/07/07, UxBoD wrote:
>> Okay, have done some testing. For the signature to trigger it has
>> to have a source file that contains the message body, and the
>> following headers :-
>>
>> MIME-Version: 1.0 Content-Type: text/plain;
>>
>> otherwise it reports the file as being okay.
>
> Kind of what I thought... It doesn't understand that it is a mail it
> is handling.:-(
>
> Jules, how would you like to play this one? I suspect that whatever
> we do might end up being ... less than elegant... Unless you have
> some inspiration...:-)

surely if clam doesn't catch it when called by MS then you should catch
it with SA instead. Clam already muddies the waters between spam and
viruses, why go to any trouble to catch this when there is an adequate
solution (using KAM.cf)?

GREG

>
> Cheers

--
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

From uxbod at splatnix.net Fri Jul 27 11:59:16 2007
From: uxbod at splatnix.net (UxBoD)
Date: Fri Jul 27 11:56:58 2007
Subject: Grreting card scams
In-Reply-To: <223f97700707270250m353539b4o61121eb05384a1ac@mail.gmail.com>
Message-ID: <7229133.4861185533956423.JavaMail.root@office.splatnix.net>

Okay, had a look at the code and it should be fairly easy to sort out. What I was thinking was something along the lines of the WriteHeaderFile subroutine in Message.pm that would create a new file without any attachments called .message, and this would then get scanned by the batch process. This would then trigger the signature. Okay it would take long to process each message as instead of .head + N attachments, it would have an extra one to do. Just need to find out the bit of code which strips the attachments off.

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Glenn Steen"
To: "MailScanner discussion"
Sent: Friday, July 27, 2007 10:50:40 AM (GMT) Europe/London
Subject: Re: Grreting card scams

On 27/07/07, UxBoD wrote:
> Okay, have done some testing. For the signature to trigger it has to have a source file that contains the message body, and the following headers :-
>
> MIME-Version: 1.0
> Content-Type: text/plain;
>
> otherwise it reports the file as being okay.

Kind of what I thought... It doesn't understand that it is a mail it
is handling.:-(

Jules, how would you like to play this one?
I suspect that whatever we do might end up being ... less than
elegant... Unless you have some inspiration...:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ms-list at alexb.ch Fri Jul 27 11:58:39 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Jul 27 11:58:47 2007
Subject: Grreting card scams
In-Reply-To: <46A9CD43.2090806@ecs.soton.ac.uk>
References: <223f97700707270102m4232a751p9ac58ef32d667a5b@mail.gmail.com>
 <14517533.4831185528018245.JavaMail.root@office.splatnix.net>
 <223f97700707270250m353539b4o61121eb05384a1ac@mail.gmail.com>
 <46A9CD43.2090806@ecs.soton.ac.uk>
Message-ID: <46A9CFDF.9020005@alexb.ch>

On 7/27/2007 12:47 PM, Julian Field wrote:
>
>
> Glenn Steen wrote:
>> On 27/07/07, UxBoD wrote:
>>
>>> Okay, have done some testing. For the signature to trigger it has to
>>> have a source file that contains the message body, and the following
>>> headers :-
>>>
>>> MIME-Version: 1.0
>>> Content-Type: text/plain;
>>>
>>> otherwise it reports the file as being okay.
>>>
>>
>> Kind of what I thought... It doesn't understand that it is a mail it
>> is handling.:-(
>>
>> Jules, how would you like to play this one?
>> I suspect that whatever we do might end up being ... less than
>> elegant... Unless you have some inspiration...:-)
>>
> Yuck.
> I would have to copy the entire message into the scanning directory as
> well and alter every single parser to look out for it. Nasty job.

Wouldn't the ClamAV SA plugin catch these?
for those using clamd it's trivial to implement.

maybe that plugin could be hacked to use the clam module instead.

Alex

From glenn.steen at gmail.com Fri Jul 27 12:22:49 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 27 12:22:51 2007
Subject: Grreting card scams
In-Reply-To: <46A9CD43.2090806@ecs.soton.ac.uk>
References: <223f97700707270102m4232a751p9ac58ef32d667a5b@mail.gmail.com>
 <14517533.4831185528018245.JavaMail.root@office.splatnix.net>
 <223f97700707270250m353539b4o61121eb05384a1ac@mail.gmail.com>
 <46A9CD43.2090806@ecs.soton.ac.uk>
Message-ID: <223f97700707270422o4b14295doa26906ec2ad74e6f@mail.gmail.com>

On 27/07/07, Julian Field wrote:
>
>
> Glenn Steen wrote:
> > On 27/07/07, UxBoD wrote:
> >
> >> Okay, have done some testing. For the signature to trigger it has to have a source file that contains the message body, and the following headers :-
> >>
> >> MIME-Version: 1.0
> >> Content-Type: text/plain;
> >>
> >> otherwise it reports the file as being okay.
> >>
> >
> > Kind of what I thought... It doesn't understand that it is a mail it
> > is handling.:-(
> >
> > Jules, how would you like to play this one?
> > I suspect that whatever we do might end up being ... less than
> > elegant... Unless you have some inspiration...:-)
> >
> Yuck.
> I would have to copy the entire message into the scanning directory as
> well and alter every single parser to look out for it. Nasty job.
>
Agreed, not nice at all. But we miss out on some sigs here, and could
well be set (if the mumblings I've heard here and there are true) to
miss out on quite a few more. So perhaps there would be reason in
doing something about it, even if it is ... icky.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Jul 27 12:25:09 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 27 12:25:10 2007
Subject: Grreting card scams
In-Reply-To: <46A9CF00.70606@nerc.ac.uk>
References: <223f97700707270102m4232a751p9ac58ef32d667a5b@mail.gmail.com>
 <14517533.4831185528018245.JavaMail.root@office.splatnix.net>
 <223f97700707270250m353539b4o61121eb05384a1ac@mail.gmail.com>
 <46A9CF00.70606@nerc.ac.uk>
Message-ID: <223f97700707270425u4738ddcexdadc2008556b5728@mail.gmail.com>

On 27/07/07, Greg Matthews wrote:
> Glenn Steen wrote:
> > On 27/07/07, UxBoD wrote:
> >> Okay, have done some testing. For the signature to trigger it has
> >> to have a source file that contains the message body, and the
> >> following headers :-
> >>
> >> MIME-Version: 1.0 Content-Type: text/plain;
> >>
> >> otherwise it reports the file as being okay.
> >
> > Kind of what I thought... It doesn't understand that it is a mail it
> > is handling.:-(
> >
> > Jules, how would you like to play this one? I suspect that whatever
> > we do might end up being ... less than elegant... Unless you have
> > some inspiration...:-)
>
> surely if clam doesn't catch it when called by MS then you should catch
> it with SA instead. Clam already muddies the waters between spam and
> viruses, why go to any trouble to catch this when there is an adequate
> solution (using KAM.cf)?
>
AFAICS I catch them all with SA _without_ KAM.cf...;)
So yes, this might not be a big problem, for now. But as someone
mentioned (somewhere:-) this will be an increased problem over time...
So I'm not sure we can just ignore it.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Jul 27 12:26:43 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 27 12:26:45 2007
Subject: Grreting card scams
In-Reply-To: <7229133.4861185533956423.JavaMail.root@office.splatnix.net>
References: <223f97700707270250m353539b4o61121eb05384a1ac@mail.gmail.com>
 <7229133.4861185533956423.JavaMail.root@office.splatnix.net>
Message-ID: <223f97700707270426r2bb3641exc0da6565b71a6ac6@mail.gmail.com>

On 27/07/07, UxBoD wrote:
> Okay, had a look at the code and it should be fairly easy to sort out. What I was thinking was something along the lines of the WriteHeaderFile subroutine in Message.pm that would create a new file without any attachments called .message, and this would then get scanned by the batch process. This would then trigger the signature. Okay it would take long to process each message as instead of .head + N attachments, it would have an extra one to do. Just need to find out the bit of code which strips the attachments off.
>
> Regards,
>
Yes... But this is "clam-centric", wouldn't we need handle things for
all AVs too? To avoid silly "double detections"?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Jul 27 12:28:22 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 27 12:28:23 2007
Subject: Grreting card scams
In-Reply-To: <46A9CFDF.9020005@alexb.ch>
References: <223f97700707270102m4232a751p9ac58ef32d667a5b@mail.gmail.com>
 <14517533.4831185528018245.JavaMail.root@office.splatnix.net>
 <223f97700707270250m353539b4o61121eb05384a1ac@mail.gmail.com>
 <46A9CD43.2090806@ecs.soton.ac.uk>
 <46A9CFDF.9020005@alexb.ch>
Message-ID: <223f97700707270428q3ac6edd9l3970c6a771956e68@mail.gmail.com>

On 27/07/07, Alex Broens wrote:
> On 7/27/2007 12:47 PM, Julian Field wrote:
> >
> >
> > Glenn Steen wrote:
> >> On 27/07/07, UxBoD wrote:
> >>
> >>> Okay, have done some testing. For the signature to trigger it has to
> >>> have a source file that contains the message body, and the following
> >>> headers :-
> >>>
> >>> MIME-Version: 1.0
> >>> Content-Type: text/plain;
> >>>
> >>> otherwise it reports the file as being okay.
> >>>
> >>
> >> Kind of what I thought... It doesn't understand that it is a mail it
> >> is handling.:-(
> >>
> >> Jules, how would you like to play this one?
> >> I suspect that whatever we do might end up being ... less than
> >> elegant... Unless you have some inspiration...:-)
> >>
> > Yuck.
> > I would have to copy the entire message into the scanning directory as
> > well and alter every single parser to look out for it. Nasty job.
>
> Wouldn't the ClamAV SA plugin catch these?
> for those using clamd it's trivial to implement.
>
> maybe that plugin could be hacked to use the clam module instead.
>
> Alex
>
You've got a link to share on that one Alex (yeah, I'm exceptionally
lazy today... It's Friday afternoon (here), after all:-)?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From uxbod at splatnix.net Fri Jul 27 12:44:31 2007
From: uxbod at splatnix.net (UxBoD)
Date: Fri Jul 27 12:41:43 2007
Subject: Grreting card scams
In-Reply-To: <46A9CD43.2090806@ecs.soton.ac.uk>
Message-ID: <25779385.4891185536670995.JavaMail.root@office.splatnix.net>

Hmmm, it's only ProcessClamAVOutput and ClamAVModule that needs to change isn't it Jules?

An alternative would be to write the file into the subdirectory and it would be scanned correctly by ClamAV, ClamAVmodule and ClamD, from what I can see as it would be treated as a separate file.

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Friday, July 27, 2007 11:47:31 AM (GMT) Europe/London
Subject: Re: Grreting card scams

Glenn Steen wrote:
> On 27/07/07, UxBoD wrote:
>
>> Okay, have done some testing. For the signature to trigger it has to have a source file that contains the message body, and the following headers :-
>>
>> MIME-Version: 1.0
>> Content-Type: text/plain;
>>
>> otherwise it reports the file as being okay.
>>
>
> Kind of what I thought... It doesn't understand that it is a mail it
> is handling.:-(
>
> Jules, how would you like to play this one?
> I suspect that whatever we do might end up being ... less than
> elegant... Unless you have some inspiration...:-)
>
Yuck.
I would have to copy the entire message into the scanning directory as
well and alter every single parser to look out for it. Nasty job.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From ms-list at alexb.ch Fri Jul 27 12:42:12 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Jul 27 12:42:22 2007
Subject: Grreting card scams
In-Reply-To: <223f97700707270428q3ac6edd9l3970c6a771956e68@mail.gmail.com>
References: <223f97700707270102m4232a751p9ac58ef32d667a5b@mail.gmail.com>
 <14517533.4831185528018245.JavaMail.root@office.splatnix.net>
 <223f97700707270250m353539b4o61121eb05384a1ac@mail.gmail.com>
 <46A9CD43.2090806@ecs.soton.ac.uk>
 <46A9CFDF.9020005@alexb.ch>
 <223f97700707270428q3ac6edd9l3970c6a771956e68@mail.gmail.com>
Message-ID: <46A9DA14.7090303@alexb.ch>

On 7/27/2007 1:28 PM, Glenn Steen wrote:
> On 27/07/07, Alex Broens wrote:
>> On 7/27/2007 12:47 PM, Julian Field wrote:
>>>
>>> Glenn Steen wrote:
>>>> On 27/07/07, UxBoD wrote:
>>>>
>>>>> Okay, have done some testing. For the signature to trigger it has to
>>>>> have a source file that contains the message body, and the following
>>>>> headers :-
>>>>>
>>>>> MIME-Version: 1.0
>>>>> Content-Type: text/plain;
>>>>>
>>>>> otherwise it reports the file as being okay.
>>>>>
>>>> Kind of what I thought... It doesn't understand that it is a mail it
>>>> is handling.:-(
>>>>
>>>> Jules, how would you like to play this one?
>>>> I suspect that whatever we do might end up being ... less than
>>>> elegant... Unless you have some inspiration...:-)
>>>>
>>> Yuck.
>>> I would have to copy the entire message into the scanning directory as
>>> well and alter every single parser to look out for it. Nasty job.
>> Wouldn't the ClamAV SA plugin catch these?
>> for those using clamd it's trivial to implement.
>>
>> maybe that plugin could be hacked to use the clam module instead.
>>
>> Alex
>>
> You've got a link to share on that one Alex (yeah, I'm exceptionally
> lazy today... It's Friday afternoon (here), after all:-)?

It's Friday afternoon here as well (CH) :-)

http://wiki.apache.org/spamassassin/ClamAVPlugin

keep us posted...

Alex

From uxbod at splatnix.net Fri Jul 27 12:48:19 2007
From: uxbod at splatnix.net (UxBoD)
Date: Fri Jul 27 12:45:33 2007
Subject: Grreting card scams
In-Reply-To: <223f97700707270426r2bb3641exc0da6565b71a6ac6@mail.gmail.com>
Message-ID: <27663966.4921185536899544.JavaMail.root@office.splatnix.net>

You could say that Glenn, but who knows how each AV company would implement the changes for this type of virii detection. If the company changes the results message in any way ie. FOUND becomes DETECTED then that AVs parser would need to change.

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Glenn Steen"
To: "MailScanner discussion"
Sent: Friday, July 27, 2007 12:26:43 PM (GMT) Europe/London
Subject: Re: Grreting card scams

On 27/07/07, UxBoD wrote:
> Okay, had a look at the code and it should be fairly easy to sort out. What I was thinking was something along the lines of the WriteHeaderFile subroutine in Message.pm that would create a new file without any attachments called .message, and this would then get scanned by the batch process. This would then trigger the signature. Okay it would take long to process each message as instead of .head + N attachments, it would have an extra one to do. Just need to find out the bit of code which strips the attachments off.
>
> Regards,
>
Yes... But this is "clam-centric", wouldn't we need handle things for
all AVs too? To avoid silly "double detections"?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From prandal at herefordshire.gov.uk Fri Jul 27 12:45:29 2007
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Jul 27 12:45:43 2007
Subject: Release 4.62.6 beta
In-Reply-To: <46A8DABC.1010900@ecs.soton.ac.uk>
References: <46A8DABC.1010900@ecs.soton.ac.uk>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA01358300@HC-MBX02.herefordshire.gov.uk>

"4 Improved upgrade_MailScanner_conf so that it checks that the 'Monitors for ClamAV Updates' setting looks for inc and cvd files. Problems have recently been suffered by many due to the value of this setting being out of date. It doesn't automatically re-write their setting in case they have installed ClamAV somewhere odd and have customised it.
4 Changed 'Monitors for Sophos Updates' setting default value to point to appropriate file for Sophos version 5 and upwards, and have added check in upgrade_MailScanner_conf to ensure their setting now points to a new location. It prints a warning if sophos-av does not appear in the path"

Works fine in upgrade_MailScanner_conf but breaks in upgrade_languages_conf, always reporting both.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
> Sent: 26 July 2007 18:33
> To: MailScanner discussion; MailScanner beta testers
> Subject: Release 4.62.6 beta
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi folks!
>
> I have just released 4.62.6 which includes the new "custom(parameter)"
> spam action. This calls a function in
> /usr/lib/MailScanner/MailScanner/CustomFunctions/CustomAction.pm which
> you can tailor to do anything you like with a message. You can have
> multiple "custom()" actions listed, and each will be called in turn. Put
> different parameters in these actions, and you can do any combination of
> things you want.
>
> This version also includes a fix for the McAfee problem just mentioned
> on the mailing list.
>
> Download as usual from www.mailscanner.info.
>
> The full Change Log is this:
>
> * New Features and Improvements *
> 1 Improved non-Linux installer.
> 1 Improved Linux installer.
> 1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this.
> 1 Upgraded MIME::Base64 to 3.07.
> 1 Improved error reporting for clamd permissions problems. Thanks Rick.
> 2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and
>   /usr/sbin/update_spamassassin. For a good use of this, see
>   http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt and search
>   for "HOWTO" in the Subject: line of the MailScanner-discussion list archive.
>   This process replaces RulesDuJour entirely.
>   Another good ruleset to add to your setup is
>   http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
>   To download this automatically every night, fetch
>   http://www.mailscanner.info/files/4/KAM.cf.sh and put it in /etc/cron.daily
>   and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh").
> 3 Added "Known Web Bug Servers" so you can blacklist images from known servers
>   of web bug services.
> 3 Added functionality of "milter-null" to MailScanner so you no longer need to
>   run this separately. It is called "Watermarking" and there is a whole
>   section for the settings in MailScanner.conf. They are
>     Add Watermark = yes
>     Skip Spam Checks If Watermark Valid = yes
>     Watermark Header = MailScanner-%org-name%-Watermark:
>     Watermark Lifetime = 432000 # in seconds, = 5 days
>     Watermark Secret = SET-THIS-TO-A-SECRET!
>   Also added Digest::MD5 to the required list of Perl modules, this is needed
>   for the watermarking code.
> 3 Added optional image to the clean message signature. You can also use this
>   to add an arbitrary image attachment to any message, if you so wish. The
>   main point is to be able to have graphical HTML signatures on messages.
>   The settings are
>     Attach Image To Signature = no
>     Attach Image To HTML Message Only = yes
>     Signature Image Filename = %report-dir%/sig.jpg
>     Signature Image Filename = signature.jpg
> 4 Added support for Kaspersky kav4fs. Set virus.scanners.conf entry to
>   point to /opt/kaspersky.
> 4 Changed default value to "Max SpamAssassin Size = 100k" as modern PDF spams
>   are getting quite large, and PDFInfo.pm doesn't work with cropped messages.
> 4 Improved Clamd parser to handle Sane Security ClamAV signature databases
>   which detect spam and so on from the contents of the headers, and hence
>   find infections without attachment filenames. Thanks to various people for
>   help with this, you know who you are :-)
> 4 Improved upgrade_MailScanner_conf so that it checks that the 'Monitors for
>   ClamAV Updates' setting looks for inc and cvd files. Problems have recently
>   been suffered by many due to the value of this setting being out of date.
>   It doesn't automatically re-write their setting in case they have installed
>   ClamAV somewhere odd and have customised it.
> 4 Changed 'Monitors for Sophos Updates' setting default value to point to
>   appropriate file for Sophos version 5 and upwards, and have added check
>   in upgrade_MailScanner_conf to ensure their setting now points to a new
>   location. It prints a warning if sophos-av does not appear in the path.
> 4 Added configuration setting "SpamAssassin Rule Actions". This setting is
>   very powerful and can be used to implement many things that MCP can do,
>   without having the processing overhead of MCP. The documentation for it is
>   in the MailScanner.conf file. Its power is limited by your imagination :-)
>   Start combining it with rulesets and you can take (or _not_ take) any
>   combination of actions dependent on any bit of content in the message or its
>   headers. You could try out new SA tests by storing in quarantine every
>   message that matches a new particular SpamAssassin rule (or meta-rule for
>   creating more complex expressions).
> 5 Added "custom" spam action, which takes a parameter. This is passed into the
>   CustomAction function in CustomAction.pm in the CustomFunctions directory.
>   This can be used to implement anything your heart desires, depending on the
>   contents of a message.
>
> * Fixes *
> 2-2 Fixed error in RPM installer.
> 2-3 Fixed error in update_spamassassin.
> 3-2 The watermarking code should do something now :-)
> 3-3 Rewrote the watermarking docs so they reflect the truth.
> 4 --lint now reads all the Custom Functions properly.
> 4 Bug in auto-zip fixed where attachments could be deleted without being
>   added to zip. Thanks to Matt Hampton.
> 4 Bug with '-' in HTML attribute names confusing phishing net fixed. Thanks
>   to John Wilcock.
> 5 Fixed 2 bugs in MSRBL clamav-signature handler. Thanks to UxBoD.
> 6 Fixed bug from October 2006 involving McAfee finding infections in headers.
>
>
> Jules
>
> - --
> Julian Field MEng CITP
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> For all your IT requirements visit www.transtec.co.uk
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.6.2 (Build 2014)
> Charset: ISO-8859-1
>
> wj8DBQFGqNq9EfZZRxQVtlQRAjhpAJ4z1I6MP1z3D2ywOuK4MBYDZUp/4ACgvW21
> 4ygQK+XELqQnbu1l8BDg67s=
> =K/V+
> -----END PGP SIGNATURE-----
>

From uxbod at splatnix.net Fri Jul 27 13:00:56 2007
From: uxbod at splatnix.net (UxBoD)
Date: Fri Jul 27 12:58:14 2007
Subject: Grreting card scams
In-Reply-To: <46A9DA14.7090303@alexb.ch>
Message-ID: <29724744.4951185537656961.JavaMail.root@office.splatnix.net>

The plugin looks good, but would also mean the message is scanned twice. Also would require the new code Jules has written for setting the message as Virus when the SA ruleset is hit.

Double edged sword really as both incur a time/processing overhead IMHO.

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Alex Broens"
To: "MailScanner discussion"
Sent: Friday, July 27, 2007 12:42:12 PM (GMT) Europe/London
Subject: Re: Grreting card scams

On 7/27/2007 1:28 PM, Glenn Steen wrote:
> On 27/07/07, Alex Broens wrote:
>> On 7/27/2007 12:47 PM, Julian Field wrote:
>>>
>>> Glenn Steen wrote:
>>>> On 27/07/07, UxBoD wrote:
>>>>
>>>>> Okay, have done some testing. For the signature to trigger it has to
>>>>> have a source file that contains the message body, and the following
>>>>> headers :-
>>>>>
>>>>> MIME-Version: 1.0
>>>>> Content-Type: text/plain;
>>>>>
>>>>> otherwise it reports the file as being okay.
>>>>>
>>>> Kind of what I thought... It doesn't understand that it is a mail it
>>>> is handling.:-(
>>>>
>>>> Jules, how would you like to play this one?
>>>> I suspect that whatever we do might end up being ... less than
>>>> elegant... Unless you have some inspiration...:-)
>>>>
>>> Yuck.
>>> I would have to copy the entire message into the scanning directory as
>>> well and alter every single parser to look out for it. Nasty job.
>> Wouldn't the ClamAV SA plugin catch these?
>> for those using clamd it's trivial to implement.
>>
>> maybe that plugin could be hacked to use the clam module instead.
>>
>> Alex
>>
> You've got a link to share on that one Alex (yeah, I'm exceptionally
> lazy today... It's Friday afternoon (here), after all:-)?

It's Friday afternoon here as well (CH) :-)

http://wiki.apache.org/spamassassin/ClamAVPlugin

keep us posted...

Alex
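An added sketch (Python, not MailScanner's own Perl code) of the two pieces debated in this thread: writing the attachment-free whole-message file UxBoD proposes, and attributing scanner report lines so that a hit on that file is reported against the message and the same signature is not counted twice. The `.message` name comes from the thread; the directory layout, sample message, report lines and signature names are constructed assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

WHOLE_MESSAGE_NAME = ".message"  # file name proposed in the thread

# Constructed sample: one text body plus one attachment.
SAMPLE = b"""\
From: sender@example.com
To: user@example.org
Subject: Greeting card for you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

A friend sent you a card. Open the attachment to view it.
--b1
Content-Type: application/octet-stream; name="card.exe"
Content-Disposition: attachment; filename="card.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""

# Constructed report lines in clamscan's "<path>: <signature> FOUND" form.
# Assumed layout: <batch dir>/<message id>/<file>; signature names are made up.
REPORT = [
    "/scan/batch/ABC123/.message: Constructed.Phish.Sample FOUND",
    "/scan/batch/ABC123/card.exe: Constructed.Trojan.Sample FOUND",
    "/scan/batch/DEF456/.message: Constructed.Worm.Sample FOUND",
    "/scan/batch/DEF456/e-card.zip: Constructed.Worm.Sample FOUND",
    "/scan/batch/GHI789/notes.txt: OK",
    "----------- SCAN SUMMARY -----------",
]

FOUND_RE = re.compile(r"^(?P<path>/.+): (?P<sig>\S+) FOUND$")


def build_message_file(raw: bytes) -> bytes:
    """Return selected headers plus the text parts only, as one text/plain message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    texts = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() == "attachment":
            continue
        if part.get_content_maintype() == "text":
            texts.append(part.get_content())
    out = EmailMessage(policy=policy.default)
    for name in ("From", "To", "Subject"):
        if msg[name] is not None:
            out[name] = str(msg[name])
    # set_content() emits Content-Type: text/plain and MIME-Version: 1.0,
    # the two headers the thread says the signature needs to see.
    out.set_content("\n".join(texts))
    return out.as_bytes()


def attribute_hits(lines):
    """Map report lines to {message id: {signature: where it was found}}."""
    hits = {}
    for line in lines:
        m = FOUND_RE.match(line.strip())
        if m is None:
            continue  # "OK" lines, summaries and anything unrecognised
        path = PurePosixPath(m["path"])
        msg_id, name = path.parent.name, path.name
        where = "whole message" if name == WHOLE_MESSAGE_NAME else name
        per_msg = hits.setdefault(msg_id, {})
        # Same signature on .message and on a part: report once, keep the part.
        if m["sig"] not in per_msg or per_msg[m["sig"]] == "whole message":
            per_msg[m["sig"]] = where
    return hits


if __name__ == "__main__":
    print(build_message_file(SAMPLE).decode())
    print(attribute_hits(REPORT))
```

The regular expression is tied to the literal `FOUND` keyword, which is the fragility raised in the thread: a scanner that changes its result wording needs its parser changed too.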
From maillists at conactive.com Fri Jul 27 13:04:51 2007
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jul 27 13:04:54 2007
Subject: BarricadeMX experiences
In-Reply-To:
References: <46A553ED.3020505@mail.wvnet.edu>
 <46A5F3D0.5070500@mail.wvnet.edu>
 <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com>
 <46A67DAF.60301@mail.wvnet.edu>
Message-ID:

Ugo Bellavance wrote on Thu, 26 Jul 2007 11:32:14 -0400:

> I've seen a few sites that were running milter-link, milter-ahead,
> greylisting, zen.spamhaus.org at MTA level, and still saw a lot of
> benefit on the resource usage.

I surely would expect that, otherwise it wouldn't make sense to use it. As BarricadeMX seems to be a combination of the snertsoft milters and some other techniques in one piece of software there *should* be better resource usage *and* better protection. My point was that the original poster compared that with an almost unprotected system and was very impressed. He *should* be very impressed, if not the system wouldn't be worth much. My point is not against BarricadeMX at all, I'm confident it works very good and is worth the money.

A point I didn't mention is that I think that you still need MailScanner and a quarantine. My point-of-view is that users should be bothered with as few spam as possible. You can't achieve that with blocking all high scoring spam (although I have to admit that most detected spam is high scoring). There's always a "middle range" where the false positive rate is too high to just reject them - and I really would not want to just tag them and send on. Not to mention the other things that MailScanner can do.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From glenn.steen at gmail.com Fri Jul 27 13:13:27 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 27 13:13:28 2007
Subject: Grreting card scams
In-Reply-To: <29724744.4951185537656961.JavaMail.root@office.splatnix.net>
References: <46A9DA14.7090303@alexb.ch>
 <29724744.4951185537656961.JavaMail.root@office.splatnix.net>
Message-ID: <223f97700707270513g6bc43bb1n11d4c8f14baca462@mail.gmail.com>

On 27/07/07, UxBoD wrote:
> The plugin looks good, but would also mean the message is scanned twice. Also would require the new code Jules has written for setting the message as Virus when the SA ruleset is hit.
>
> Double edged sword really as both incur a time/processing overhead IMHO.
>
> Regards,
>
If you go this way it'd likely mean that you'd lift ClamAV out of MS
and just use the SA plugin... Which would kind of stand things on
their head:). And yes, it'd need the new features to be meaningful (so
that you could still handle viruses as viruses, not spam).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ms-list at alexb.ch Fri Jul 27 13:14:04 2007
From: ms-list at alexb.ch (Alex Broens) Date: Fri Jul 27 13:14:13 2007 Subject: Grreting card scams In-Reply-To: <29724744.4951185537656961.JavaMail.root@office.splatnix.net> References: <29724744.4951185537656961.JavaMail.root@office.splatnix.net> Message-ID: <46A9E18C.2050303@alexb.ch> On 7/27/2007 2:00 PM, UxBoD wrote: > The plugin looks good, but would also mean the message is scanned twice. Also would require the new code Jules has written for setting the message as Virus when the SA ruleset is hit. > > Double edged sword really as both incur a time/processing overhead IMHO. Hoping not to start a philosophy war: you *could* set MS to *only* use your *Highly respected Commercial AV* and the plugin to use the Clam plugin. *Highly respected Commercial AV* will kill the msg after Clam plugin tagged as infected. (did I get my MS flow right?) so what's left over in Quarantine is phishes and possibly new viri tagged with Clam's generic sigs, tagged as spam, (which comes in handy to report to *Highly respected Commercial AV*'s dev team :-) lots of ways to do stuff... Alex > Regards, > > --[ UxBoD ]-- > // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B > // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B > // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net > > ----- Original Message ----- 
> From: "Alex Broens" > To: "MailScanner discussion" > Sent: Friday, July 27, 2007 12:42:12 PM (GMT) Europe/London > Subject: Re: Grreting card scams > > On 7/27/2007 1:28 PM, Glenn Steen wrote: >> On 27/07/07, Alex Broens wrote: >>> On 7/27/2007 12:47 PM, Julian Field wrote: >>>> Glenn Steen wrote: >>>>> On 27/07/07, UxBoD wrote: >>>>> >>>>>> Okay, have done some testing. For the signature to trigger it has to >>>>>> have a source file that contains the message body, and the following >>>>>> headers :- >>>>>> >>>>>> MIME-Version: 1.0 >>>>>> Content-Type: text/plain; >>>>>> >>>>>> otherwise it reports the file as being okay. >>>>>> >>>>> Kind of what I thought... It doesn't understand that it is a mail it >>>>> is handling.:-( >>>>> >>>>> Jules, how would you like to play this one? >>>>> I suspect that whatever we do might end up being ... less than >>>>> elegant... Unless you have some inspiration...:-) >>>>> >>>> Yuck. >>>> I would have to copy the entire message into the scanning directory as >>>> well and alter every single parser to look out for it. Nasty job. >>> Wouldn't the ClamAV SA plugin catch these? >>> for those using clamd its trivial to implement. >>> >>> maybe that plugin could be hacked to use the clam module instead. >>> >>> Alex >>> >> You've got a link to share on that one Alex (yeah, I'm exceptionally >> lazy today... It's Firday afternoon (here), after all:-)? > > Its Friday afternoon here as well (CH) :-) > > http://wiki.apache.org/spamassassin/ClamAVPlugin > > keep us posted... > > Alex > From jlcostinha at halla.pt Fri Jul 27 13:14:55 2007 
From: jlcostinha at halla.pt (Jorge Costinha) Date: Fri Jul 27 13:15:12 2007 Subject: test and install a custum ruleset into SA Message-ID: <46A9E1BF.4090306@halla.pt> Regarding the custom ruleset KAM: is just having KAM.cf in /etc/mail/spamassassin enough for SA to use the ruleset? I have it, and now I am looking for a way to track the effects of this ruleset. Any advice on how to accomplish this? Thanks in advance. Jorge From glenn.steen at gmail.com Fri Jul 27 13:22:43 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Jul 27 13:22:44 2007 Subject: Grreting card scams In-Reply-To: <46A9E18C.2050303@alexb.ch> References: <29724744.4951185537656961.JavaMail.root@office.splatnix.net> <46A9E18C.2050303@alexb.ch> Message-ID: <223f97700707270522p6a4d4ffbk70bc49b81ba9b13@mail.gmail.com> On 27/07/07, Alex Broens wrote: > On 7/27/2007 2:00 PM, UxBoD wrote: > > The plugin looks good, but would also mean the message is scanned twice. Also would require the new code Jules has written for setting the message as Virus when the SA ruleset is hit. > > > > Double edged sword really as both incur a time/processing overhead IMHO. > > Hoping not to start a philosophy war: > > you *could* set MS to *only* use your *Highly respected Commercial AV* > and the plugin to use the Clam plugin. > > *Highly respected Commercial AV* will kill the msg after Clam plugin > tagged as infected. > (did I get my MS flow right?) > > so what's left over in Quarantine is phishes and possibly new viri > tagged with Clam's generic sigs, tagged as spam, (which comes in handy > to report to *Highly respected Commercial AV*'s dev team :-) > > > lots of ways to do stuff... > > Alex > Yes, you got it right:-). And with the new features, depending on exactly where in the process they're applied, the *HRCAV*s might not even see them. Upside on this approach is that there would be a way to get the sigs to work without having to alter MailScanner core (source/concepts) behavior ... sort of. Jules will be happy:-). If I find time away from my DBs today, and that very much overdue update to the network topology chart the PHB has been moaning about, I might try this on today. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Jul 27 13:31:08 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Jul 27 13:31:10 2007 Subject: test and install a custum ruleset into SA In-Reply-To: <46A9E1BF.4090306@halla.pt> References: <46A9E1BF.4090306@halla.pt> Message-ID: <223f97700707270531v7f54eff4if5c9f9aea1b6986@mail.gmail.com> On 27/07/07, Jorge Costinha wrote: > regarding custom ruleset KAM. > > by just have KAM.cf in /etc/mail/spamassassin is enough for SA use the > ruleset? > > i have it and now i am looking for a way to track the effects of this > ruleset, any advice on how to accomplish this? > > thanks in advance. > Jorge > > This is one of the areas where MailWatch really shines... One just applies some sane filters on the report page, and presto... there it is:-). You'd probably want to look at limiting to the last couple of days, and see if SpamReport contains the KAM_ string ... Simple as that. If you always include the spamassassin report, you'll see where it hit on ham (or seeming ham... call it SHAM:-D:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From prandal at herefordshire.gov.uk Fri Jul 27 13:38:04 2007 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Fri Jul 27 13:38:18 2007 Subject: Envelope From Header inconsistencies Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0135831B@HC-MBX02.herefordshire.gov.uk> There's a slight inconsistency in MailScanner's config files regarding the Envelope From Header.

MailScanner.conf.rpmnew:Envelope From Header = X-%org-name%-MailScanner-From:
spam.assassin.prefs.conf.rpmnew:envelope_sender_header X-MailScanner-From

That's not going to work correctly out of the box. Is this inconsistency something that MailScanner --lint could catch in future? Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK From maillists at conactive.com Fri Jul 27 13:58:55 2007 
From: maillists at conactive.com (Kai Schaetzl) Date: Fri Jul 27 13:58:59 2007 Subject: test and install a custum ruleset into SA In-Reply-To: <46A9E1BF.4090306@halla.pt> References: <46A9E1BF.4090306@halla.pt> Message-ID: Jorge Costinha wrote on Fri, 27 Jul 2007 13:14:55 +0100: > by just have KAM.cf in /etc/mail/spamassassin is enough for SA use the > ruleset? You have to restart/reload MS. > i have it and now i am looking for a way to track the effects of this > ruleset, any advice on how to accomplish this? spamassassin < message.in > message.out Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From uxbod at splatnix.net Fri Jul 27 14:09:34 2007 From: uxbod at splatnix.net (UxBoD) Date: Fri Jul 27 14:06:48 2007 Subject: Grreting card scams In-Reply-To: <223f97700707270522p6a4d4ffbk70bc49b81ba9b13@mail.gmail.com> Message-ID: <31831537.4981185541774530.JavaMail.root@office.splatnix.net> And so endeth Open Source Virus Scanners ! Remember, not everyone can afford or even wish to use a commercial virus scanner. Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- 
From: "Glenn Steen" To: "MailScanner discussion" Sent: Friday, July 27, 2007 1:22:43 PM (GMT) Europe/London Subject: Re: Grreting card scams On 27/07/07, Alex Broens wrote: > On 7/27/2007 2:00 PM, UxBoD wrote: > > The plugin looks good, but would also mean the message is scanned twice. Also would require the new code Jules has written for setting the message as Virus when the SA ruleset is hit. > > > > Double edged sword really as both incur a time/processing overhead IMHO. > > Hoping not to start a philosophy war: > > you *could* set MS to *only* use your *Highly respected Commercial AV* > and the plugin to use the Clam plugin. > > *Highly respected Commercial AV* will kill the msg after Clam plugin > tagged as infected. > (did I get my MS flow right?) > > so what's left over in Quarantine is phishes and possibly new viri > tagged with Clam's generic sigs, tagged as spam, (which comes in handy > to report to *Highly respected Commercial AV*'s dev team :-) > > > lots of ways to do stuff... > > Alex > Yes, you got it right:-). And with the new features, depending on exactly where in the process they're applied, the *HRCAV*s might not even see them. Upside on this approach is that there would eb a way to get the sigs to work without having to alter MailScanner core (source/concepts) behavior ... sort of. Jules will be happy:-). If I find time away from my DBs today, and that very much overdue update to thenetwork topology chart the PHB has been moaning about, I might try this on today. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From uxbod at splatnix.net Fri Jul 27 14:15:41 2007 From: uxbod at splatnix.net (UxBoD) Date: Fri Jul 27 14:12:52 2007 Subject: test and install a custum ruleset into SA In-Reply-To: <223f97700707270531v7f54eff4if5c9f9aea1b6986@mail.gmail.com> Message-ID: <29528605.5011185542141758.JavaMail.root@office.splatnix.net>

mysql> select count(*) from maillog where spamreport like '%KAM_CARD%' and isspam = 1;
+----------+
| count(*) |
+----------+
|     1340 |
+----------+
1 row in set (0.28 sec)

mysql> select count(*) from maillog where spamreport like '%KAM_CARD%' and isspam = 0;
+----------+
| count(*) |
+----------+
|        0 |
+----------+
1 row in set (0.25 sec)

Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- 
From: "Glenn Steen" To: "MailScanner discussion" Sent: Friday, July 27, 2007 1:31:08 PM (GMT) Europe/London Subject: Re: test and install a custum ruleset into SA On 27/07/07, Jorge Costinha wrote: > regarding custom ruleset KAM. > > by just have KAM.cf in /etc/mail/spamassassin is enough for SA use the > ruleset? > > i have it and now i am looking for a way to track the effects of this > ruleset, any advice on how to accomplish this? > > thanks in advance. > Jorge > > This is one of the areas where MailWatch really shines... One just apply some sane filters on the report page, and presto... there it is:-). You'd probably want to look at limiting to the last couple of days, and see if SpamReport contains the KAM_ string ... Simple as that. If you always include the spamassassin report, you'll see where it hit on ham (or seeming ham... call it SHAM:-D:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ms-list at alexb.ch Fri Jul 27 14:15:54 2007 
From: ms-list at alexb.ch (Alex Broens) Date: Fri Jul 27 14:15:59 2007 Subject: Grreting card scams In-Reply-To: <31831537.4981185541774530.JavaMail.root@office.splatnix.net> References: <31831537.4981185541774530.JavaMail.root@office.splatnix.net> Message-ID: <46A9F00A.8080007@alexb.ch> On 7/27/2007 3:09 PM, UxBoD wrote: > And so endeth Open Source Virus Scanners ! Remember, not everyone can > afford or even wish to use a commercial virus scanner. So true... so what happens if one uses the Clam plugin with MCP? (never used MCP) Alex > > --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc > | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 > B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // > Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net > > ----- Original Message ----- 
From: "Glenn Steen" > To: "MailScanner discussion" > Sent: Friday, July 27, 2007 > 1:22:43 PM (GMT) Europe/London Subject: Re: Grreting card scams > > On 27/07/07, Alex Broens wrote: >> On 7/27/2007 2:00 PM, UxBoD wrote: >>> The plugin looks good, but would also mean the message is scanned >>> twice. Also would require the new code Jules has written for >>> setting the message as Virus when the SA ruleset is hit. >>> >>> Double edged sword really as both incur a time/processing >>> overhead IMHO. >> Hoping not to start a philosophy war: >> >> you *could* set MS to *only* use your *Highly respected Commercial >> AV* and the plugin to use the Clam plugin. >> >> *Highly respected Commercial AV* will kill the msg after Clam >> plugin tagged as infected. (did I get my MS flow right?) >> >> so what's left over in Quarantine is phishes and possibly new viri >> tagged with Clam's generic sigs, tagged as spam, (which comes in >> handy to report to *Highly respected Commercial AV*'s dev team :-) >> >> >> lots of ways to do stuff... >> >> Alex >> > Yes, you got it right:-). And with the new features, depending on > exactly where in the process they're applied, the *HRCAV*s might not > even see them. Upside on this approach is that there would eb a way > to get the sigs to work without having to alter MailScanner core > (source/concepts) behavior ... sort of. Jules will be happy:-). > > If I find time away from my DBs today, and that very much overdue > update to thenetwork topology chart the PHB has been moaning about, I > might try this on today. > > Cheers From ms-list at alexb.ch Fri Jul 27 14:19:17 2007 
From: ms-list at alexb.ch (Alex Broens) Date: Fri Jul 27 14:19:24 2007 Subject: test and install a custum ruleset into SA In-Reply-To: <29528605.5011185542141758.JavaMail.root@office.splatnix.net> References: <29528605.5011185542141758.JavaMail.root@office.splatnix.net> Message-ID: <46A9F0D5.3010000@alexb.ch>

one box:

Pfix body rule:
cat /var/log/maillog | grep 'SEEING YOUR CARD' | wc -l
1118

SA
cat /var/log/maillog | grep 'ECARD_SIG' | wc -l
1

On 7/27/2007 3:15 PM, UxBoD wrote:
> mysql> select count(*) from maillog where spamreport like '%KAM_CARD%' and isspam = 1;
> +----------+
> | count(*) |
> +----------+
> |     1340 |
> +----------+
> 1 row in set (0.28 sec)
>
> mysql> select count(*) from maillog where spamreport like '%KAM_CARD%' and isspam = 0;
> +----------+
> | count(*) |
> +----------+
> |        0 |
> +----------+
> 1 row in set (0.25 sec)
>
>
> Regards,
>
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
>
> ----- Original Message ----- 
> From: "Glenn Steen" > To: "MailScanner discussion" > Sent: Friday, July 27, 2007 1:31:08 PM (GMT) Europe/London > Subject: Re: test and install a custum ruleset into SA > > On 27/07/07, Jorge Costinha wrote: >> regarding custom ruleset KAM. >> >> by just have KAM.cf in /etc/mail/spamassassin is enough for SA use the >> ruleset? >> >> i have it and now i am looking for a way to track the effects of this >> ruleset, any advice on how to accomplish this? >> >> thanks in advance. >> Jorge >> >> > This is one of the areas where MailWatch really shines... One just > apply some sane filters on the report page, and presto... there it > is:-). You'd probably want to look at limiting to the last couple of > days, and see if SpamReport contains the KAM_ string ... Simple as > that. If you always include the spamassassin report, you'll see where > it hit on ham (or seeming ham... call it SHAM:-D:-) > > Cheers From rich at mail.wvnet.edu Fri Jul 27 14:20:16 2007 
From: rich at mail.wvnet.edu (Richard Lynch) Date: Fri Jul 27 14:20:20 2007 Subject: BarricadeMX experiences In-Reply-To: References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> <46A67DAF.60301@mail.wvnet.edu> Message-ID: <46A9F110.3030803@mail.wvnet.edu> Kai Schaetzl wrote: > Ugo Bellavance wrote on Thu, 26 Jul 2007 11:32:14 -0400: > > >> I've seen a few sites that were running milter-link, milter-ahead, >> greylisting, zen.spamhaus.org at MTA level, and still saw a lot of >> benefit on the resource usage. >> > > I surely would expect that, otherwise it wouldn't make sense to use it. As > BarricadeMX seems to be a combination of the snertsoft milters and some > other techniques in one piece of software there *should* be better > ressource usage *and* better protection. My point was that the original > poster compared that with an almost unprotected system and was very > impressed. He *should* be very impressed, if not the system wouldn't be > worth much. My point is not against BarricadeMX at all, I'm confident it > works very good and is worth the money. > A point I didn't mention is that I think that you still need MailScanner > and a quarantine. My point-of-view is that users should be bothered with > as few spam as possible. You can't achieve that with blocking all high > scoring spam (although I have to admit that most detected spam is high > scoring). There's always a "middle range" where the false positive rate is > too high to just reject them - and I really would not want to just tag > them and send on. Not to mention the other things that MailScanner can do. > > Kai > > For the record, I agree. I wasn't advocating not continuing to use MailScanner. I would never do that. I was merely pointing out the effectiveness and performance of BarricadeMX. I was also not commenting one way or the other on the benefits of using other techniques in front of MailScanner. 
Certainly there are effective ways of doing that. And, my systems were not all that unprotected! I did use RBLs at the MTA and milter-limit and milter-null plus MailScanner/SA. It was detecting about 90% of the total inbound messages as spam. I did have a big problem with overloaded systems however. When that happens there are only two possible ways of dealing with it -- more hardware or more software (or both). I chose software -- BarricadeMX. I think it was a good choice for me. And lastly, I wasn't spamming the list at all. The product was first announced on this list by the list's owner. That's how I found out about it. Giving a report on implementation of a product that was announced here is certainly within the purview of this group. More information about effective anti-spam techniques in combination with MS is good, right? Richard Lynch WVNET -- From res at ausics.net Fri Jul 27 14:25:53 2007 From: res at ausics.net (Res) Date: Fri Jul 27 14:26:02 2007 Subject: BarricadeMX experiences In-Reply-To: <46A9F110.3030803@mail.wvnet.edu> References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> <46A67DAF.60301@mail.wvnet.edu> <46A9F110.3030803@mail.wvnet.edu> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message On Fri, 27 Jul 2007, Richard Lynch wrote: > And lastly, I wasn't spamming the list at all. The product was first well, ain't that typical, spammers never think what they do is spamming, by its very definition you did exactly that, intentionally or otherwise, it doesn't matter, the end result is the same. -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGqfJhsWhAmSIQh7MRAl8sAJwJbbNVvvjjMT2ExYPcBM94uX0cmQCgq8gV rWgNiFFxGIv+OoP4doE2C7c= =DzsU -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Fri Jul 27 14:29:26 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 27 14:29:47 2007 Subject: Release 4.62.6 beta In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA01358300@HC-MBX02.herefordshire.gov.uk> References: <46A8DABC.1010900@ecs.soton.ac.uk> <7EF0EE5CB3B263488C8C18823239BEBA01358300@HC-MBX02.herefordshire.gov.uk> Message-ID: <46A9F336.4040708@ecs.soton.ac.uk> Randal, Phil wrote: > "4 Improved upgrade_MailScanner_conf so that it checks that the > 'Monitors for > ClamAV Updates' setting looks for inc and cvd files. Problems have > recently > been suffered by many due to the value of this setting being out of > date. > It doesn't automatically re-write their setting in case they have > installed > ClamAV somewhere odd and have customised it. > 4 Changed 'Monitors for Sophos Updates' setting default value to point > to > appropriate file for Sophos version 5 and upwards, and have added > check > in upgrade_MailScanner_conf to ensure their setting now points to a > new > location. It prints a warning if sophos-av does not appear in the > path" > > Works fine in upgrade_MailScanner_conf but breaks in > upgrade_languages_conf, always reporting both. > Thanks for that. Fixed now. > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Julian Field >> Sent: 26 July 2007 18:33 >> To: MailScanner discussion; MailScanner beta testers >> Subject: Release 4.62.6 beta >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Hi folks! >> >> I have just released 4.62.6 which includes the new >> "custom(parameter)" >> spam action. This calls a function in >> /usr/lib/MailScanner/MailScanner/CustomFunctions/CustomAction. >> pm which >> you can tailor to do anything you like with a message. You can have >> multiple "custom()" actions listed, and each will be called >> in turn. Put >> different parameters in these actions, and you can do any >> combination of >> things you want. >> >> This version also includes a fix for the McAfee problem just >> mentioned >> on the mailing list. >> >> Download as usual from www.mailscanner.info. >> >> The full Change Log is this: >> >> * New Features and Improvements * >> 1 Improved non-Linux installer. >> 1 Improved Linux installer. >> 1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this. >> 1 Upgraded MIME::Base64 to 3.07. >> 1 Improved error reporting for clamd permissions problems. >> Thanks Rick. >> 2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and >> /usr/sbin/update_spamassassin. For a good use of this, see >> >> http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.tx >> t and search >> for "HOWTO" in the Subject: line of the MailScanner-discussion list >> archive. >> This process replaces RulesDuJour entirely. >> Another good ruleset to add to your setup is >> http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf >> To download this automatically every night, fetch >> http://www.mailscanner.info/files/4/KAM.cf.sh and put it in >> /etc/cron.daily >> and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh"). 
>> 3 Added "Known Web Bug Servers" so you can blacklist images >> from known >> servers >> of web bug services. >> 3 Added functionality of "milter-null" to MailScanner so you >> no longer >> need to >> run this separately. It is called "Watermarking" and there >> is a whole >> section for the settings in MailScanner.conf. They are >> Add Watermark = yes >> Skip Spam Checks If Watermark Valid = yes >> Watermark Header = MailScanner-%org-name%-Watermark: >> Watermark Lifetime = 432000 # in seconds, = 5 days >> Watermark Secret = SET-THIS-TO-A-SECRET! >> Also added Digest::MD5 to the required list of Perl >> modules, this is >> needed >> for the watermarking code. >> 3 Added optional image to the clean message signature. You >> can also use this >> to add an arbitrary image attachment to any message, if you >> so wish. The >> main point is to be able to have graphical HTML signatures >> on messages. >> The settings are >> Attach Image To Signature = no >> Attach Image To HTML Message Only = yes >> Signature Image Filename = %report-dir%/sig.jpg >> Signature Image Filename = signature.jpg >> 4 Added support for Kaspersky kav4fs. Set virus.scanners.conf entry to >> point to /opt/kaspersky. >> 4 Changed default value to "Max SpamAssassin Size = 100k" as >> modern PDF >> spams >> are getting quite large, and PDFInfo.pm doesn't work with cropped >> messages. >> 4 Improved Clamd parser to handle Sane Security ClamAV >> signature databases >> which detect spam and so on from the contents of the >> headers, and hence >> find infections without attachment filenames. Thanks to >> various people for >> help with this, you know who you are :-) >> 4 Improved upgrade_MailScanner_conf so that it checks that >> the 'Monitors for >> ClamAV Updates' setting looks for inc and cvd files. Problems have >> recently >> been suffered by many due to the value of this setting >> being out of date. 
>> It doesn't automatically re-write their setting in case they have >> installed >> ClamAV somewhere odd and have customised it. >> 4 Changed 'Monitors for Sophos Updates' setting default value >> to point to >> appropriate file for Sophos version 5 and upwards, and have >> added check >> in upgrade_MailScanner_conf to ensure their setting now >> points to a new >> location. It prints a warning if sophos-av does not appear >> in the path. >> 4 Added configuration setting "SpamAssassin Rule Actions". >> This setting is >> very powerful and can be used to implement many things that >> MCP can do, >> without having the processing overhead of MCP. The >> documentation for it is >> in the MailScanner.conf file. Its power is limited by your >> imagination :-) >> Start combining it with rulesets and you can take (or _not_ >> take) any >> combination of actions dependent on any bit of content in >> the message >> or its >> headers. You could try out new SA tests by storing in >> quarantine every >> message that matches a new particular SpamAssassin rule (or >> meta-rule for >> creating more complex expressions). >> 5 Added "custom" spam action, which takes a parameter. This is passed >> into the >> CustomAction function in CustomAction.pm in the >> CustomFunctions directory. >> This can be used to implement anything your heart desires, >> depending >> on the >> contents of a message. >> >> * Fixes * >> 2-2 Fixed error in RPM installer. >> 2-3 Fixed error in update_spamassassin. >> 3-2 The watermarking code should do something now :-) >> 3-3 Rewrote the watermarking docs so they reflect the truth. >> 4 --lint now reads all the Custom Functions properly. >> 4 Bug in auto-zip fixed where attachments could be deleted >> without being >> added to zip. Thanks to Matt Hampton. >> 4 Bug with '-' in HTML attribute names confusing phishing >> net fixed. >> Thanks >> to John Wilcock. >> 5 Fixed 2 bugs in MSRBL clamav-signature handler. Thanks to UxBoD. 
>> 6 Fixed bug from October 2006 involving McAfee finding >> infections in >> headers. >> >> >> Jules >> >> - -- >> Julian Field MEng CITP >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> MailScanner customisation, or any advanced system administration help? >> Contact me at Jules@Jules.FM >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> For all your IT requirements visit www.transtec.co.uk >> >> >> -----BEGIN PGP SIGNATURE----- >> Version: PGP Desktop 9.6.2 (Build 2014) >> Charset: ISO-8859-1 >> >> wj8DBQFGqNq9EfZZRxQVtlQRAjhpAJ4z1I6MP1z3D2ywOuK4MBYDZUp/4ACgvW21 >> 4ygQK+XELqQnbu1l8BDg67s= >> =K/V+ >> -----END PGP SIGNATURE----- >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> For all your IT requirements visit www.transtec.co.uk >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Fri Jul 27 14:33:23 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 27 14:33:45 2007 Subject: Envelope From Header inconsistencies In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA0135831B@HC-MBX02.herefordshire.gov.uk> References: <7EF0EE5CB3B263488C8C18823239BEBA0135831B@HC-MBX02.herefordshire.gov.uk> Message-ID: <46A9F423.3020701@ecs.soton.ac.uk> Randal, Phil wrote: > There's a slight inconsistency in MailScanner's config files regarding > the Envelope From Header. > > MailScanner.conf.rpmnew:Envelope From Header = > X-%org-name%-MailScanner-From: > > spam.assassin.prefs.conf.rpmnew:envelope_sender_header > X-MailScanner-From > > That's not going to work correctly out of the box. > Yes, you need to customise the spam.assassin.prefs.conf file to get the envelope_sender_header correct. I can't easily customise it for you. > Is this inconsistency something that MailScanner --lint could catch in > future? > Yes, it could. I'll take a look at doing that. > Cheers, > > Phil > -- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Fri Jul 27 14:45:30 2007 
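The consistency check discussed in the "Envelope From Header inconsistencies" thread above, sketched as an added example that is not part of the original messages and not MailScanner's --lint code. SpamAssassin only finds the envelope sender if envelope_sender_header names the header MailScanner actually writes, so the check expands %org-name% and compares the two. The key normalisation, the whole-line comment handling, the function names and the org name "example" are assumptions; the two settings are the ones quoted in the thread.

```python
import re

VAR_REF = re.compile(r"%([\w-]+)%")

# Constructed sample input: only the settings relevant to this check.
MS_CONF = """\
# MailScanner.conf (constructed excerpt)
%org-name% = example
Envelope From Header = X-%org-name%-MailScanner-From:
"""
SA_PREFS_STOCK = "envelope_sender_header X-MailScanner-From\n"
SA_PREFS_FIXED = "envelope_sender_header X-example-MailScanner-From\n"


def parse_mailscanner_conf(text):
    """Split MailScanner.conf text into (settings, variables).

    Assumption: keys are matched case-insensitively with whitespace
    collapsed, and only whole-line '#' comments are skipped.
    """
    settings, variables = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        var = VAR_REF.fullmatch(key)
        if var:  # a definition such as "%org-name% = example"
            variables[var.group(1).lower()] = value
        else:
            settings[" ".join(key.lower().split())] = value
    return settings, variables


def expand(value, variables):
    """Substitute %name% references; unknown names are left in place."""
    return VAR_REF.sub(
        lambda m: variables.get(m.group(1).lower(), m.group(0)), value)


def sa_envelope_headers(text):
    """Return every header name given to envelope_sender_header."""
    names = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0].lower() == "envelope_sender_header":
            names.append(fields[1].rstrip(":"))
    return names


def check_envelope_header(ms_conf_text, sa_prefs_text):
    """Return a list of findings; an empty list means the files agree."""
    settings, variables = parse_mailscanner_conf(ms_conf_text)
    raw = settings.get("envelope from header")
    if raw is None:
        return ["MailScanner.conf: 'Envelope From Header' is not set"]
    expanded = expand(raw, variables)
    if VAR_REF.search(expanded):
        return ["MailScanner.conf: unresolved variable in %r" % expanded]
    # MailScanner's value carries the trailing colon, SpamAssassin's does not.
    ms_name = expanded.strip().rstrip(":")
    sa_names = sa_envelope_headers(sa_prefs_text)
    if not sa_names:
        return ["spam.assassin.prefs.conf: envelope_sender_header is not set"]
    # Header field names compare case-insensitively.
    return [
        "MailScanner writes %r but SpamAssassin reads %r" % (ms_name, name)
        for name in sa_names
        if name.lower() != ms_name.lower()
    ]


if __name__ == "__main__":
    for label, prefs in (("stock", SA_PREFS_STOCK), ("fixed", SA_PREFS_FIXED)):
        print(label, check_envelope_header(MS_CONF, prefs) or "consistent")
```
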
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 27 14:45:47 2007 Subject: BarricadeMX experiences In-Reply-To: References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> <46A67DAF.60301@mail.wvnet.edu> <46A9F110.3030803@mail.wvnet.edu> Message-ID: <46A9F6FA.2010409@ecs.soton.ac.uk> Res wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > NotDashEscaped: You need GnuPG to verify this message > > On Fri, 27 Jul 2007, Richard Lynch wrote: > >> And lastly, I wasn't spamming the list at all. The product was first > > well, aint that typical, spammers never think what they do is > spamming, by its very defination you did exactly that, intentionally > or otherwise, it doesnt matter, the end result is the same. It's my list, and as far as I'm concerned he wasn't spamming the list. He even had the nice manners to ask my permission first before posting his experiences. And I have no problem with people publishing their experiences of using a product in which I have an interest :-) But please remember that the OP was not publishing a comprehensive or objective review of the product. He was publishing his subjective experiences of it, and it shouldn't be taken as being any more than that. If you want to write an objective review, go ahead; but don't criticise him for not doing so. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From dave.list at pixelhammer.com Fri Jul 27 14:47:40 2007 
From: dave.list at pixelhammer.com (DAve) Date: Fri Jul 27 14:49:22 2007 Subject: BarricadeMX experiences In-Reply-To: References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> <46A67DAF.60301@mail.wvnet.edu> <46A9F110.3030803@mail.wvnet.edu> Message-ID: <46A9F77C.9000107@pixelhammer.com> Res wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > NotDashEscaped: You need GnuPG to verify this message > > On Fri, 27 Jul 2007, Richard Lynch wrote: > >> And lastly, I wasn't spamming the list at all. The product was first > > well, aint that typical, spammers never think what they do is spamming, > by its very defination you did exactly that, intentionally or otherwise, > it doesnt matter, the end result is the same. > > The longer this thread continues the less chance anyone will bother to report performance stats, techniques, or third party add ons to the list again. I doubt I would do so now. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From uxbod at splatnix.net Fri Jul 27 15:06:13 2007 From: uxbod at splatnix.net (UxBoD) Date: Fri Jul 27 15:03:25 2007 Subject: BarricadeMX experiences In-Reply-To: <46A9F77C.9000107@pixelhammer.com> Message-ID: <16765962.5041185545173697.JavaMail.root@office.splatnix.net> Jules, why not create a mailscanner-ot list ;) Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- 
From: "DAve" To: "MailScanner discussion" Sent: Friday, July 27, 2007 2:47:40 PM (GMT) Europe/London Subject: Re: BarricadeMX experiences Res wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > NotDashEscaped: You need GnuPG to verify this message > > On Fri, 27 Jul 2007, Richard Lynch wrote: > >> And lastly, I wasn't spamming the list at all. The product was first > > well, aint that typical, spammers never think what they do is spamming, > by its very defination you did exactly that, intentionally or otherwise, > it doesnt matter, the end result is the same. > > The longer this thread continues the less chance anyone will bother to report performance stats, techniques, or third party add ons to the list again. I doubt I would do so now. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ryanw at falsehope.com Fri Jul 27 15:11:30 2007 
From: ryanw at falsehope.com (Ryan Weaver) Date: Fri Jul 27 15:11:43 2007 Subject: MailScanner, ClamAV, and Sanesecurity References: <004f01c7a927$af2a6b80$0d7f4280$@com> <1181255740.23153.24.camel@csmdv.axint.net> Message-ID: <000001c7d058$08bef420$1a3cdc60$@com> Ryan Weaver Wrote on Monday, June 11, 2007 11:42 AM > Chris Stone Wrote on Thursday, June 07, 2007 5:36 PM > > > > On Thu, 2007-06-07 at 12:17 -0500, Ryan Weaver wrote: > > > I've started using the Sanesecurity signatures that have been mentioned on > > > the list. I also use Vispan for its reporting and blocking features. > > > > > > The problem I have run into is that in the maillog, when the Sanesecurity > > > signatures are matched the following is the output: > > > > > > Jun 7 12:07:30 c01 MailScanner[7634]: Infected message > > > l57H05nK007460.header came from > > > Jun 7 12:07:30 c01 MailScanner[7634]: Infected message > > > l57H19sG007620.header came from > > > > Not picked up by MailWatch.pm and shown as viruses in MailWatch either. > > I only note it though for the Email.Hdr.Sanesecurity* signatures - all > > the rest report just fine, just not these - e.g.: > > > > Jun 7 16:32:49 smtp1 MailScanner[5919]: /var/spool/MailScanner/incoming/5919/./l57MWISF012136.header: Email.Hdr.Sanesecurity.07012400 FOUND > > Jun 7 16:32:50 smtp1 MailScanner[5919]: Virus Scanning: ClamAV found 1 infections > > Jun 7 16:32:51 smtp1 MailScanner[5919]: Infected message l57MWISF012136.header came from > > Jun 7 16:32:51 smtp1 MailScanner[5919]: Virus Scanning: Found 1 viruses > > Jun 7 16:32:51 smtp1 MailScanner[5919]: Logging message l57MWISF012136 to SQL > > Jun 7 16:32:51 smtp1 MailScanner[6700]: l57MWISF012136: Logged to MailWatch SQL > > > > And even though MailWatch is logged as adding to SQL, when I look in the > > database table, the message is not logged....... > > Anyone have any ideas about this ?? > > Thanks, > Ryan Any movement on this front? 
Thanks, Ryan From jlcostinha at halla.pt Fri Jul 27 15:13:12 2007 From: jlcostinha at halla.pt (Jorge Costinha) Date: Fri Jul 27 15:13:31 2007 Subject: test and install a custum ruleset into SA In-Reply-To: <29528605.5011185542141758.JavaMail.root@office.splatnix.net> References: <29528605.5011185542141758.JavaMail.root@office.splatnix.net> Message-ID: <46A9FD78.8060701@halla.pt> clever! thanks. UxBoD wrote: > mysql> select count(*) from maillog where spamreport like '%KAM_CARD%' and isspam = 1; > +----------+ > | count(*) | > +----------+ > | 1340 | > +----------+ > 1 row in set (0.28 sec) > > mysql> select count(*) from maillog where spamreport like '%KAM_CARD%' and isspam = 0; > +----------+ > | count(*) | > +----------+ > | 0 | > +----------+ > 1 row in set (0.25 sec) > > > Regards, > > --[ UxBoD ]-- > // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B > // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B > // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net > > ----- Original Message ----- 
> From: "Glenn Steen" > To: "MailScanner discussion" > Sent: Friday, July 27, 2007 1:31:08 PM (GMT) Europe/London > Subject: Re: test and install a custum ruleset into SA > > On 27/07/07, Jorge Costinha wrote: > >> regarding custom ruleset KAM. >> >> by just have KAM.cf in /etc/mail/spamassassin is enough for SA use the >> ruleset? >> >> i have it and now i am looking for a way to track the effects of this >> ruleset, any advice on how to accomplish this? >> >> thanks in advance. >> Jorge >> >> >> > This is one of the areas where MailWatch really shines... One just > apply some sane filters on the report page, and presto... there it > is:-). You'd probably want to look at limiting to the last couple of > days, and see if SpamReport contains the KAM_ string ... Simple as > that. If you always include the spamassassin report, you'll see where > it hit on ham (or seeming ham... call it SHAM:-D:-) > > Cheers > From mkettler at evi-inc.com Fri Jul 27 15:15:11 2007 
From: mkettler at evi-inc.com (Matt Kettler) Date: Fri Jul 27 15:16:05 2007 Subject: Grreting card scams In-Reply-To: <223f97700707261542u5256ba81s30ce53bdc5ae7149@mail.gmail.com> References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net> <46A91263.7070804@evi-inc.com> <080f01c7cfce$ddd7aba0$0301a8c0@SAHOMELT> <46A91ECF.8040807@evi-inc.com> <223f97700707261542u5256ba81s30ce53bdc5ae7149@mail.gmail.com> Message-ID: <46A9FDEF.4040309@evi-inc.com> Glenn Steen wrote: > On 27/07/07, Matt Kettler wrote: >> Rick Cooper wrote: >> >> Given that running clamscan on the email file outside of MailScanner >> detects it >> as a virus, I've already conclusively proven clamav has the signature >> and it >> works properly. >> >> One observation, though, the specific test messages I used detected as >> 1221 not >> 1222, but they're all related. >> >> ecardspam1.eml: Email.Phishing.RB-1221 FOUND >> ecardspam2.eml: Email.Phishing.RB-1221 FOUND >> ecardspam3.eml: Email.Phishing.RB-1221 FOUND >> >> However, if you insist: >> # sigtool --list-sigs|grep Email.Phishing.RB-1222 >> Email.Phishing.RB-1222 >> >> Yes, it's there. Yes, clamscan can use it, and clamscan properly >> detects the >> messages as viruses when executed manually. No, clamav via MailScanner >> cannot >> detect it. >> > Could this perhaps have anything to do with how clam gets fed the > message in MailScanner....? If I'm not completely senile (always a > possibility:-), MS doesn't feed it the complete message, hence some > newstyle sigs will never (be able to) trigger. That goes back to my original statement that I felt that the difference had to do with the fact that my MailScanner isn't up-to-date. I'm quite convinced that this is a MailScanner interfacing issue, as it is quite clear clamav is working properly outside MS. (Note: Personally I don't have a problem with this "issue", I was merely joining in and commenting on it hoping my observations could help others who do have problems with it.) 
From Richard.Frovarp at sendit.nodak.edu Fri Jul 27 15:21:45 2007 From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Fri Jul 27 15:21:48 2007 Subject: Spamassassin Greeting Card Question In-Reply-To: <113A0DFC086C984AB9EFDF6B8614F075017D328E@exchange03.CBOCS.com> References: <113A0DFC086C984AB9EFDF6B8614F075017D328E@exchange03.CBOCS.com> Message-ID: <46A9FF79.6000103@sendit.nodak.edu> Andrews Carl 455 wrote: > Thanks everyone! > > I still do not have my rule working, but the KAM is catching them now. I > also did not realize that rules_du_jour and sa-update were getting the > same rules and causing me to scan using the same rules multiple times. > Actually this doesn't happen. SA can only have one rule for each name. Anything in /etc/mail/spamassassin was overriding anything loaded earlier, like those from sa-update. So make sure you remove the rules from /etc/mail/spamassassin if you aren't using RDJ anymore. SA 3.2 will even go so far as to remove rules with duplicate regexs but different names. It would do that at load time, which is when a MailScanner child starts. From dave.list at pixelhammer.com Fri Jul 27 15:21:13 2007 
From: dave.list at pixelhammer.com (DAve) Date: Fri Jul 27 15:22:53 2007 Subject: BarricadeMX experiences In-Reply-To: <16765962.5041185545173697.JavaMail.root@office.splatnix.net> References: <16765962.5041185545173697.JavaMail.root@office.splatnix.net> Message-ID: <46A9FF59.1030807@pixelhammer.com> UxBoD wrote: > Jules, > > why not create a mailscanner-ot list ;) Someone would complain if you posted MS info there, because it would be on topic. No wait, if it is MS info then it is off topic, for the MS off topic list. But that IS off topic, and off topic is on topic for the off topic list, right? Hold on here, the MS off topic list would have posts that are off topic on the MS list be on topic for the off topic list, and posts on topic for the off topic list would be off topic for the on topic list. So which list would this post go on? Yea, it's been one of those weeks. DAve > > Regards, > > --[ UxBoD ]-- > // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B > // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B > // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net > > ----- Original Message ----- 
> From: "DAve" > To: "MailScanner discussion" > Sent: Friday, July 27, 2007 2:47:40 PM (GMT) Europe/London > Subject: Re: BarricadeMX experiences > > Res wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> NotDashEscaped: You need GnuPG to verify this message >> >> On Fri, 27 Jul 2007, Richard Lynch wrote: >> >>> And lastly, I wasn't spamming the list at all. The product was first >> well, aint that typical, spammers never think what they do is spamming, >> by its very defination you did exactly that, intentionally or otherwise, >> it doesnt matter, the end result is the same. >> >> > The longer this thread continues the less chance anyone will bother to > report performance stats, techniques, or third party add ons to the list > again. > > I doubt I would do so now. > > DAve > -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From Richard.Frovarp at sendit.nodak.edu Fri Jul 27 15:24:31 2007 
From: Richard.Frovarp at sendit.nodak.edu (Richard Frovarp) Date: Fri Jul 27 15:24:34 2007 Subject: Grreting card scams In-Reply-To: <46A9FDEF.4040309@evi-inc.com> References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net> <46A91263.7070804@evi-inc.com> <080f01c7cfce$ddd7aba0$0301a8c0@SAHOMELT> <46A91ECF.8040807@evi-inc.com> <223f97700707261542u5256ba81s30ce53bdc5ae7149@mail.gmail.com> <46A9FDEF.4040309@evi-inc.com> Message-ID: <46AA001F.8090406@sendit.nodak.edu> Matt Kettler wrote: > Glenn Steen wrote: > >> On 27/07/07, Matt Kettler wrote: >> >>> Rick Cooper wrote: >>> >>> Given that running clamscan on the email file outside of MailScanner >>> detects it >>> as a virus, I've already conclusively proven clamav has the signature >>> and it >>> works properly. >>> >>> One observation, though, the specific test messages I used detected as >>> 1221 not >>> 1222, but they're all related. >>> >>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND >>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND >>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND >>> >>> However, if you insist: >>> # sigtool --list-sigs|grep Email.Phishing.RB-1222 >>> Email.Phishing.RB-1222 >>> >>> Yes, it's there. Yes, clamscan can use it, and clamscan properly >>> detects the >>> messages as viruses when executed manually. No, clamav via MailScanner >>> cannot >>> detect it. >>> >>> >> Could this perhaps have anything to do with how clam gets fed the >> message in MailScanner....? If I'm not completely senile (always a >> possibility:-), MS doesn't feed it the complete message, hence some >> newstyle sigs will never (be able to) trigger. >> > > That goes back to my original statement that I felt that the difference had to > do with the fact that my MailScanner isn't up-to-date. > > I'm quite convinced that this is a MailScanner interfacing issue, as it is quite > clear clamav is working properly outside MS. 
> > (Note: Personally I don't have a problem with this "issue", I was merely joining > in and commenting on it hoping my observations could help others who do have > problems with it.) > > > > I don't have that one tripping either. I figure it is due to the fact that I stop a lot at the MTA and delete high scoring spam so they never even reach clam. From gmatt at nerc.ac.uk Fri Jul 27 15:32:40 2007 From: gmatt at nerc.ac.uk (Greg Matthews) Date: Fri Jul 27 15:32:48 2007 Subject: mailscanner.cf Message-ID: <46AA0208.3010003@nerc.ac.uk> I've just found a problem with the symbolic link /etc/mail/spamassassin/mailscanner.cf The problem is that the .cf files are parsed in alphabetical order so if you set a score in mailscanner.cf it may get reset by subsequent .cf files. This is not merely academic, I stumbled on this whilst trying to adjust the scores in pdfinfo.cf used by a lot of people recently to help with the pdf attachment spam. The "correct" way to do this is to use a line like: score GMD_PDF_ENCRYPTED 1.0 in /etc/MailScanner/spam.assassin.prefs.conf which is linked to by /etc/mail/spamassassin/mailscanner.cf The workaround was to rename the symbolic link zz-mailscanner.cf but this will not survive an upgrade (presumably). Any chance this link could be renamed permanently? Or suggest a different solution? GREG -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. From MailScanner at ecs.soton.ac.uk Fri Jul 27 15:42:08 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 27 15:42:31 2007 Subject: Grreting card scams In-Reply-To: <46AA001F.8090406@sendit.nodak.edu> References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net> <46A91263.7070804@evi-inc.com> <080f01c7cfce$ddd7aba0$0301a8c0@SAHOMELT> <46A91ECF.8040807@evi-inc.com> <223f97700707261542u5256ba81s30ce53bdc5ae7149@mail.gmail.com> <46A9FDEF.4040309@evi-inc.com> <46AA001F.8090406@sendit.nodak.edu> Message-ID: <46AA0440.4090601@ecs.soton.ac.uk> Richard Frovarp wrote: > Matt Kettler wrote: >> Glenn Steen wrote: >> >>> On 27/07/07, Matt Kettler wrote: >>> >>>> Rick Cooper wrote: >>>> >>>> Given that running clamscan on the email file outside of MailScanner >>>> detects it >>>> as a virus, I've already conclusively proven clamav has the signature >>>> and it >>>> works properly. >>>> >>>> One observation, though, the specific test messages I used detected as >>>> 1221 not >>>> 1222, but they're all related. >>>> >>>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND >>>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND >>>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND >>>> >>>> However, if you insist: >>>> # sigtool --list-sigs|grep Email.Phishing.RB-1222 >>>> Email.Phishing.RB-1222 >>>> >>>> Yes, it's there. Yes, clamscan can use it, and clamscan properly >>>> detects the >>>> messages as viruses when executed manually. No, clamav via MailScanner >>>> cannot >>>> detect it. >>>> >>>> >>> Could this perhaps have anything to do with how clam gets fed the >>> message in MailScanner....? If I'm not completely senile (always a >>> possibility:-), MS doesn't feed it the complete message, hence some >>> newstyle sigs will never (be able to) trigger. >>> >> >> That goes back to my original statement that I felt that the >> difference had to >> do with the fact that my MailScanner isn't up-to-date. 
>> >> I'm quite convinced that this is a MailScanner interfacing issue, as >> it is quite >> clear clamav is working properly outside MS. >> >> (Note: Personally I don't have a problem with this "issue", I was >> merely joining >> in and commenting on it hoping my observations could help others who >> do have >> problems with it.) >> >> >> >> > I don't have that one tripping either. I figure it is due to the fact > that I stop a lot at the MTA and delete high scoring spam so they > never even reach clam. I have now written support for passing entire messages to the ClamAV scanners. There is a new setting called "Reliably Detect Spam With ClamAV" which is "no" by default as it has a speed impact. It has no effect when the ClamAV scanners are not being used. I'll release a new beta shortly. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From maillists at conactive.com Fri Jul 27 15:43:42 2007 
From: maillists at conactive.com (Kai Schaetzl) Date: Fri Jul 27 15:43:47 2007 Subject: BarricadeMX experiences In-Reply-To: <46A9F110.3030803@mail.wvnet.edu> References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> <46A67DAF.60301@mail.wvnet.edu> <46A9F110.3030803@mail.wvnet.edu> Message-ID: Richard Lynch wrote on Fri, 27 Jul 2007 09:20:16 -0400: > And lastly, I wasn't spamming the list at all. I never implied that, I think you refer to something else. As I understand the main difference for you is the drop in resource usage. That's very valuable and I can logically follow that. Other topic: there is a problem with all of your replies as they get threaded incorrectly. Checking your references and in-reply-to header lines I see that your software is rewriting all referenced message-ids: > This is *very very very* wrong. Looking thru the list I think it is definitely the BarricadeMX milter-null like functionality that is doing this. Since I don't use the original milter-null I don't know if milter-null has the same bug. Can the BarricadeMX people please fix this bug? Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From MailScanner at ecs.soton.ac.uk Fri Jul 27 15:43:55 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 27 15:44:30 2007 Subject: MailScanner, ClamAV, and Sanesecurity In-Reply-To: <000001c7d058$08bef420$1a3cdc60$@com> References: <004f01c7a927$af2a6b80$0d7f4280$@com> <1181255740.23153.24.camel@csmdv.axint.net> <000001c7d058$08bef420$1a3cdc60$@com> Message-ID: <46AA04AB.3010602@ecs.soton.ac.uk> Ryan Weaver wrote: > Ryan Weaver Wrote on Monday, June 11, 2007 11:42 AM > >> Chris Stone Wrote on Thursday, June 07, 2007 5:36 PM >> >>> On Thu, 2007-06-07 at 12:17 -0500, Ryan Weaver wrote: >>> >>>> I've started using the Sanesecurity signatures that have been >>>> > mentioned on > >>>> the list. I also use Vispan for its reporting and blocking features. >>>> >>>> The problem I have run into is that in the maillog, when the >>>> > Sanesecurity > >>>> signatures are matched the following is the output: >>>> >>>> Jun 7 12:07:30 c01 MailScanner[7634]: Infected message >>>> l57H05nK007460.header came from >>>> Jun 7 12:07:30 c01 MailScanner[7634]: Infected message >>>> l57H19sG007620.header came from >>>> >>> Not picked up by MailWatch.pm and shown as viruses in MailWatch either. 
>>> I only note it though for the Email.Hdr.Sanesecurity* signatures - all >>> the rest report just fine, just not these - e.g.: >>> >>> Jun 7 16:32:49 smtp1 MailScanner[5919]: >>> > /var/spool/MailScanner/incoming/5919/./l57MWISF012136.header: > Email.Hdr.Sanesecurity.07012400 FOUND > >>> Jun 7 16:32:50 smtp1 MailScanner[5919]: Virus Scanning: ClamAV found 1 >>> > infections > >>> Jun 7 16:32:51 smtp1 MailScanner[5919]: Infected message >>> > l57MWISF012136.header came from > >>> Jun 7 16:32:51 smtp1 MailScanner[5919]: Virus Scanning: Found 1 viruses >>> Jun 7 16:32:51 smtp1 MailScanner[5919]: Logging message l57MWISF012136 >>> > to SQL > >>> Jun 7 16:32:51 smtp1 MailScanner[6700]: l57MWISF012136: Logged to >>> > MailWatch SQL > >>> And even though MailWatch is logged as adding to SQL, when I look in the >>> database table, the message is not logged....... >>> >> Anyone have any ideas about this ?? >> >> Thanks, >> Ryan >> > > Any movement on this front? > You may find this is fixed in the next beta, I have changed quite a lot of the clamav "infection" detection, so that the sanesecurity signatures can work reliably. > Thanks, > Ryan > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From ms-list at alexb.ch Fri Jul 27 15:49:07 2007 
From: ms-list at alexb.ch (Alex Broens) Date: Fri Jul 27 15:49:13 2007 Subject: mailscanner.cf In-Reply-To: <46AA0208.3010003@nerc.ac.uk> References: <46AA0208.3010003@nerc.ac.uk> Message-ID: <46AA05E3.2090006@alexb.ch> On 7/27/2007 4:32 PM, Greg Matthews wrote: > I've just found a problem with the symbolic link > /etc/mail/spamassassin/mailscanner.cf > > The problem is that the .cf files are parsed in alphabetical order so if > you set a score in mailscanner.cf it may get reset by subsequent .cf > files. This is not merely academic, I stumbled on this whilst trying to > adjust the scores in pdfinfo.cf used by a lot of people recently to help > with the pdf attachment spam. The "correct" way to do this is to use a > line like: > > score GMD_PDF_ENCRYPTED 1.0 > > in /etc/MailScanner/spam.assassin.prefs.conf which is linked to by > /etc/mail/spamassassin/mailscanner.cf > > The workaround was to rename the symbolic link zz-mailscanner.cf but > this will not survive an upgrade (presumably). > > Any chance this link could be renamed permanently? Or suggest a > different solution? no need to use links: a plain /etc/mail/spamassassin/zzzzzmy_scores.cf for example, would be the last file parsed so any rule or score in there will never be overridden by other files unless you place one even later down the chain. h2h Alex From maillists at conactive.com Fri Jul 27 15:50:19 2007 
From: maillists at conactive.com (Kai Schaetzl) Date: Fri Jul 27 15:50:22 2007 Subject: mailscanner.cf In-Reply-To: <46AA0208.3010003@nerc.ac.uk> References: <46AA0208.3010003@nerc.ac.uk> Message-ID: Greg Matthews wrote on Fri, 27 Jul 2007 15:32:40 +0100: > Any chance this link could be renamed permanently? Or suggest a > different solution? The correct solution is to use your own scores and rules files and only edit pre-existing values in mailscanner.cf. Do not *add* any custom stuff here. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From ms-list at alexb.ch Fri Jul 27 15:52:11 2007 
From: ms-list at alexb.ch (Alex Broens) Date: Fri Jul 27 15:52:19 2007 Subject: Grreting card scams In-Reply-To: <46AA0440.4090601@ecs.soton.ac.uk> References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net> <46A91263.7070804@evi-inc.com> <080f01c7cfce$ddd7aba0$0301a8c0@SAHOMELT> <46A91ECF.8040807@evi-inc.com> <223f97700707261542u5256ba81s30ce53bdc5ae7149@mail.gmail.com> <46A9FDEF.4040309@evi-inc.com> <46AA001F.8090406@sendit.nodak.edu> <46AA0440.4090601@ecs.soton.ac.uk> Message-ID: <46AA069B.3080906@alexb.ch> On 7/27/2007 4:42 PM, Julian Field wrote: > > > Richard Frovarp wrote: >> Matt Kettler wrote: >>> Glenn Steen wrote: >>> >>>> On 27/07/07, Matt Kettler wrote: >>>> >>>>> Rick Cooper wrote: >>>>> >>>>> Given that running clamscan on the email file outside of MailScanner >>>>> detects it >>>>> as a virus, I've already conclusively proven clamav has the signature >>>>> and it >>>>> works properly. >>>>> >>>>> One observation, though, the specific test messages I used detected as >>>>> 1221 not >>>>> 1222, but they're all related. >>>>> >>>>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND >>>>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND >>>>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND >>>>> >>>>> However, if you insist: >>>>> # sigtool --list-sigs|grep Email.Phishing.RB-1222 >>>>> Email.Phishing.RB-1222 >>>>> >>>>> Yes, it's there. Yes, clamscan can use it, and clamscan properly >>>>> detects the >>>>> messages as viruses when executed manually. No, clamav via MailScanner >>>>> cannot >>>>> detect it. >>>>> >>>>> >>>> Could this perhaps have anything to do with how clam gets fed the >>>> message in MailScanner....? If I'm not completely senile (always a >>>> possibility:-), MS doesn't feed it the complete message, hence some >>>> newstyle sigs will never (be able to) trigger. >>>> >>> >>> That goes back to my original statement that I felt that the >>> difference had to >>> do with the fact that my MailScanner isn't up-to-date. 
>>> >>> I'm quite convinced that this is a MailScanner interfacing issue, as >>> it is quite >>> clear clamav is working properly outside MS. >>> >>> (Note: Personally I don't have a problem with this "issue", I was >>> merely joining >>> in and commenting on it hoping my observations could help others who >>> do have >>> problems with it.) >>> >>> >>> >>> >> I don't have that one tripping either. I figure it is due to the fact >> that I stop a lot at the MTA and delete high scoring spam so they >> never even reach clam. > I have now written support for passing entire messages to the ClamAV > scanners. There is a new setting called "Reliably Detect Spam With > ClamAV" which is "no" by default as it has a speed impact. It has no > effect when the ClamAV scanners are not being used. > > I'll release a new beta shortly. Jules "Reliably Detect Spam With ClamAV" is misleading. It's not really spam it's detecting, it could be anything. Something like "ClamAV Raw Message Parsing" may be more appropriate, though that's not nice either. Alex From glenn.steen at gmail.com Fri Jul 27 15:54:33 2007 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 27 15:54:34 2007
Subject: Grreting card scams
In-Reply-To: <46AA0440.4090601@ecs.soton.ac.uk>
References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net> <46A91263.7070804@evi-inc.com> <080f01c7cfce$ddd7aba0$0301a8c0@SAHOMELT> <46A91ECF.8040807@evi-inc.com> <223f97700707261542u5256ba81s30ce53bdc5ae7149@mail.gmail.com> <46A9FDEF.4040309@evi-inc.com> <46AA001F.8090406@sendit.nodak.edu> <46AA0440.4090601@ecs.soton.ac.uk>
Message-ID: <223f97700707270754h17c71aeew98ba7778f3712773@mail.gmail.com>

On 27/07/07, Julian Field wrote:
>
>
> Richard Frovarp wrote:
> > Matt Kettler wrote:
> >> Glenn Steen wrote:
> >>
> >>> On 27/07/07, Matt Kettler wrote:
> >>>
> >>>> Rick Cooper wrote:
> >>>>
> >>>> Given that running clamscan on the email file outside of MailScanner
> >>>> detects it
> >>>> as a virus, I've already conclusively proven clamav has the signature
> >>>> and it
> >>>> works properly.
> >>>>
> >>>> One observation, though, the specific test messages I used detected as
> >>>> 1221 not
> >>>> 1222, but they're all related.
> >>>>
> >>>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
> >>>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
> >>>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
> >>>>
> >>>> However, if you insist:
> >>>> # sigtool --list-sigs|grep Email.Phishing.RB-1222
> >>>> Email.Phishing.RB-1222
> >>>>
> >>>> Yes, it's there. Yes, clamscan can use it, and clamscan properly
> >>>> detects the
> >>>> messages as viruses when executed manually. No, clamav via MailScanner
> >>>> cannot
> >>>> detect it.
> >>>>
> >>>>
> >>> Could this perhaps have anything to do with how clam gets fed the
> >>> message in MailScanner....? If I'm not completely senile (always a
> >>> possibility:-), MS doesn't feed it the complete message, hence some
> >>> newstyle sigs will never (be able to) trigger.
> >>>
> >>
> >> That goes back to my original statement that I felt that the
> >> difference had to
> >> do with the fact that my MailScanner isn't up-to-date.
> >>
> >> I'm quite convinced that this is a MailScanner interfacing issue, as
> >> it is quite
> >> clear clamav is working properly outside MS.
> >>
> >> (Note: Personally I don't have a problem with this "issue", I was
> >> merely joining
> >> in and commenting on it hoping my observations could help others who
> >> do have
> >> problems with it.)
> >>
> >>
> >>
> >>
> > I don't have that one tripping either. I figure it is due to the fact
> > that I stop a lot at the MTA and delete high scoring spam so they
> > never even reach clam.
> I have now written support for passing entire messages to the ClamAV
> scanners. There is a new setting called "Reliably Detect Spam With
> ClamAV" which is "no" by default as it has a speed impact. It has no
> effect when the ClamAV scanners are not being used.
>
> I'll release a new beta shortly.
>
> Jules

You know what Jules... You're an absolute wonder!:)
Was that a book you had on your list, or is it gone already?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Jul 27 15:58:45 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 27 15:58:48 2007
Subject: mailscanner.cf
In-Reply-To: <46AA0208.3010003@nerc.ac.uk>
References: <46AA0208.3010003@nerc.ac.uk>
Message-ID: <223f97700707270758l172a34abvc8e4db0c56eb3e61@mail.gmail.com>

On 27/07/07, Greg Matthews wrote:
> I've just found a problem with the symbolic link
> /etc/mail/spamassassin/mailscanner.cf
>
> The problem is that the .cf files are parsed in alphabetical order so if
> you set a score in mailscanner.cf it may get reset by subsequent .cf
> files. This is not merely academic, I stumbled on this whilst trying to
> adjust the scores in pdfinfo.cf used by a lot of people recently to help
> with the pdf attachment spam. The "correct" way to do this is to use a
> line like:
>
> score GMD_PDF_ENCRYPTED 1.0
>
> in /etc/MailScanner/spam.assassin.prefs.conf which is linked to by
> /etc/mail/spamassassin/mailscanner.cf
>
> The workaround was to rename the symbolic link zz-mailscanner.cf but
> this will not survive an upgrade (presumably).
>
> Any chance this link could be renamed permanently? Or suggest a
> different solution?
>
> GREG

As you say Greg, this is indeed a limitation of the SA "config system"... And a small interference with the MS installer.
What I'd do would be to have the zz-mailscanner.cf link point to mailscanner.cf ... Should work without too much problem (a slight inefficiency, but you should be able to live with that;-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From MailScanner at ecs.soton.ac.uk Fri Jul 27 16:04:06 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 27 16:04:20 2007
Subject: Grreting card scams
In-Reply-To: <223f97700707270754h17c71aeew98ba7778f3712773@mail.gmail.com>
References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net> <46A91263.7070804@evi-inc.com> <080f01c7cfce$ddd7aba0$0301a8c0@SAHOMELT> <46A91ECF.8040807@evi-inc.com> <223f97700707261542u5256ba81s30ce53bdc5ae7149@mail.gmail.com> <46A9FDEF.4040309@evi-inc.com> <46AA001F.8090406@sendit.nodak.edu> <46AA0440.4090601@ecs.soton.ac.uk> <223f97700707270754h17c71aeew98ba7778f3712773@mail.gmail.com>
Message-ID: <46AA0966.5090901@ecs.soton.ac.uk>

Glenn Steen wrote:
> On 27/07/07, Julian Field wrote:
>
>> Richard Frovarp wrote:
>>
>>> Matt Kettler wrote:
>>>
>>>> Glenn Steen wrote:
>>>>
>>>>
>>>>> On 27/07/07, Matt Kettler wrote:
>>>>>
>>>>>
>>>>>> Rick Cooper wrote:
>>>>>>
>>>>>> Given that running clamscan on the email file outside of MailScanner
>>>>>> detects it
>>>>>> as a virus, I've already conclusively proven clamav has the signature
>>>>>> and it
>>>>>> works properly.
>>>>>>
>>>>>> One observation, though, the specific test messages I used detected as
>>>>>> 1221 not
>>>>>> 1222, but they're all related.
>>>>>>
>>>>>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
>>>>>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
>>>>>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
>>>>>>
>>>>>> However, if you insist:
>>>>>> # sigtool --list-sigs|grep Email.Phishing.RB-1222
>>>>>> Email.Phishing.RB-1222
>>>>>>
>>>>>> Yes, it's there. Yes, clamscan can use it, and clamscan properly
>>>>>> detects the
>>>>>> messages as viruses when executed manually. No, clamav via MailScanner
>>>>>> cannot
>>>>>> detect it.
>>>>>>
>>>>>>
>>>>>>
>>>>> Could this perhaps have anything to do with how clam gets fed the
>>>>> message in MailScanner....? If I'm not completely senile (always a
>>>>> possibility:-), MS doesn't feed it the complete message, hence some
>>>>> newstyle sigs will never (be able to) trigger.
>>>>>
>>>>>
>>>> That goes back to my original statement that I felt that the
>>>> difference had to
>>>> do with the fact that my MailScanner isn't up-to-date.
>>>>
>>>> I'm quite convinced that this is a MailScanner interfacing issue, as
>>>> it is quite
>>>> clear clamav is working properly outside MS.
>>>>
>>>> (Note: Personally I don't have a problem with this "issue", I was
>>>> merely joining
>>>> in and commenting on it hoping my observations could help others who
>>>> do have
>>>> problems with it.)
>>>>
>>>>
>>>>
>>>>
>>>>
>>> I don't have that one tripping either. I figure it is due to the fact
>>> that I stop a lot at the MTA and delete high scoring spam so they
>>> never even reach clam.
>>>
>> I have now written support for passing entire messages to the ClamAV
>> scanners. There is a new setting called "Reliably Detect Spam With
>> ClamAV" which is "no" by default as it has a speed impact. It has no
>> effect when the ClamAV scanners are not being used.
>>
>> I'll release a new beta shortly.
>>
>> Jules
>>
> You know what Jules... You're an absolute wonder!:)
> Was that a book you had on your list, or is it gone already?
>
The book is still there...

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

From glenn.steen at gmail.com Fri Jul 27 16:09:19 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 27 16:09:21 2007
Subject: BarricadeMX experiences
In-Reply-To: <46A9FF59.1030807@pixelhammer.com>
References: <16765962.5041185545173697.JavaMail.root@office.splatnix.net> <46A9FF59.1030807@pixelhammer.com>
Message-ID: <223f97700707270809u3b0317aaxcb45662eb03ad99a@mail.gmail.com>

On 27/07/07, DAve wrote:
> UxBoD wrote:
> > Jules,
> >
> > why not create a mailscanner-ot list ;)
>
> Someone would complain if you posted MS info there, because it would be
> on topic. No wait, if it is MS info then it is off topic, for the MS off
> topic list. But that IS off topic, and off topic is on topic for the off
> topic list, right?
>
> Hold on here, the MS off topic list would have posts that are off topic
> on the MS list be on topic for the off topic list, and posts on topic
> for the off topic list would be off topic for the on topic list.
>
> So which list would this post go on? Yea, it's been one of those weeks.
>
> DAve
>
Obviously... Talk about "Friday afternoon syndrome"...:-D
Oh BTW, this is off-topic wrt most anything in any list:P

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Jul 27 16:11:28 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 27 16:11:30 2007
Subject: Grreting card scams
In-Reply-To: <46AA0966.5090901@ecs.soton.ac.uk>
References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net> <46A91263.7070804@evi-inc.com> <080f01c7cfce$ddd7aba0$0301a8c0@SAHOMELT> <46A91ECF.8040807@evi-inc.com> <223f97700707261542u5256ba81s30ce53bdc5ae7149@mail.gmail.com> <46A9FDEF.4040309@evi-inc.com> <46AA001F.8090406@sendit.nodak.edu> <46AA0440.4090601@ecs.soton.ac.uk> <223f97700707270754h17c71aeew98ba7778f3712773@mail.gmail.com> <46AA0966.5090901@ecs.soton.ac.uk>
Message-ID: <223f97700707270811i1a41c089neec9026c61e49465@mail.gmail.com>

On 27/07/07, Julian Field wrote:
>
>
> Glenn Steen wrote:
> > On 27/07/07, Julian Field wrote:
> >
> >> Richard Frovarp wrote:
> >>
> >>> Matt Kettler wrote:
> >>>
> >>>> Glenn Steen wrote:
> >>>>
> >>>>
> >>>>> On 27/07/07, Matt Kettler wrote:
> >>>>>
> >>>>>
> >>>>>> Rick Cooper wrote:
> >>>>>>
> >>>>>> Given that running clamscan on the email file outside of MailScanner
> >>>>>> detects it
> >>>>>> as a virus, I've already conclusively proven clamav has the signature
> >>>>>> and it
> >>>>>> works properly.
> >>>>>>
> >>>>>> One observation, though, the specific test messages I used detected as
> >>>>>> 1221 not
> >>>>>> 1222, but they're all related.
> >>>>>>
> >>>>>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
> >>>>>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
> >>>>>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
> >>>>>>
> >>>>>> However, if you insist:
> >>>>>> # sigtool --list-sigs|grep Email.Phishing.RB-1222
> >>>>>> Email.Phishing.RB-1222
> >>>>>>
> >>>>>> Yes, it's there. Yes, clamscan can use it, and clamscan properly
> >>>>>> detects the
> >>>>>> messages as viruses when executed manually. No, clamav via MailScanner
> >>>>>> cannot
> >>>>>> detect it.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>> Could this perhaps have anything to do with how clam gets fed the
> >>>>> message in MailScanner....? If I'm not completely senile (always a
> >>>>> possibility:-), MS doesn't feed it the complete message, hence some
> >>>>> newstyle sigs will never (be able to) trigger.
> >>>>>
> >>>>>
> >>>> That goes back to my original statement that I felt that the
> >>>> difference had to
> >>>> do with the fact that my MailScanner isn't up-to-date.
> >>>>
> >>>> I'm quite convinced that this is a MailScanner interfacing issue, as
> >>>> it is quite
> >>>> clear clamav is working properly outside MS.
> >>>>
> >>>> (Note: Personally I don't have a problem with this "issue", I was
> >>>> merely joining
> >>>> in and commenting on it hoping my observations could help others who
> >>>> do have
> >>>> problems with it.)
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>> I don't have that one tripping either. I figure it is due to the fact
> >>> that I stop a lot at the MTA and delete high scoring spam so they
> >>> never even reach clam.
> >>>
> >> I have now written support for passing entire messages to the ClamAV
> >> scanners. There is a new setting called "Reliably Detect Spam With
> >> ClamAV" which is "no" by default as it has a speed impact. It has no
> >> effect when the ClamAV scanners are not being used.
> >>
> >> I'll release a new beta shortly.
> >>
> >> Jules
> >>
> > You know what Jules... You're an absolute wonder!:)
> > Was that a book you had on your list, or is it gone already?
> >
> The book is still there...
>
I'll see what I can do about that ... later tonight...

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From dgottsc at emory.edu Fri Jul 27 16:15:49 2007
From: dgottsc at emory.edu (Gottschalk, David)
Date: Fri Jul 27 16:15:57 2007
Subject: Password protect
In-Reply-To: <46A8DDC0.3050300@ecs.soton.ac.uk>
References: <223f97700707200721g710f6846ga8807d99caea5f7d@mail.gmail.com> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E3B3D3E@RDPEXCH2.Eu.Emory.Edu> <46A4F4E6.3060305@yeticomputers.com> <46A4F5DC.1010603@yeticomputers.com> <8D2EFA3D9FD29C45BCEC3B532F0E2308412E9ECF5B@RDPEXCH2.Eu.Emory.Edu> <46A8DDC0.3050300@ecs.soton.ac.uk>
Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E9ED2C4@RDPEXCH2.Eu.Emory.Edu>

That did it. Thanks so much!

David Gottschalk

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Thursday, July 26, 2007 1:46 PM
To: MailScanner discussion
Subject: Re: Password protect

With
Notify Senders Of Other Blocked Content = yes
Notify Senders = yes
Non-Forging Viruses = Zip-Password
Allow Password-Protected Archives = no
then I think it should notify senders of password-protected zip archives.

Gottschalk, David wrote:
> Well, I've tried these options, and can't get anything to work.
>
> ClamAV or BitDefender (the two virus engines I'm using) aren't catching the password encrypted archives as a virus, so I think that is why those two options won't work. I have the MailScanner option "Allow Password-Protected Archives" to no.
>
> Anyone have any other ideas? I really need this to work.
>
> Thanks.
>
> David Gottschalk
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rick
> Chadderdon
> Sent: Monday, July 23, 2007 2:39 PM
> To: MailScanner discussion
> Subject: Re: Password protect
>
> And, to add to my own reply, also look at "Non-Forging Viruses".
> Combining those two lines, you should be able to achieve what you're after.
>
> Rick
>
> Rick Chadderdon wrote:
>
>> Gottschalk, David wrote:
>>
>>
>>> Anyone know if it's possible to send a bounce back to the sender if a password protected archive is quarantined?
>>>
>>> The "Notify Senders Of Blocked Filenames Or Filetypes" and "Notify Senders Of Other Blocked Content" don't seem to do anything with regards to encrypted archives.
>>>
>>>
>> Check the "Silent Viruses" line in MailScanner.conf. If it contains
>> "All-Viruses" or "Zip-Password", it won't notify the sender. The
>> comments above the line explain the options well.
>>
>> Rick
>>
>>
>

Jules

From MailScanner at ecs.soton.ac.uk Fri Jul 27 16:21:52 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 27 16:22:05 2007
Subject: Grreting card scams
In-Reply-To: <223f97700707270811i1a41c089neec9026c61e49465@mail.gmail.com>
References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net> <46A91263.7070804@evi-inc.com> <080f01c7cfce$ddd7aba0$0301a8c0@SAHOMELT> <46A91ECF.8040807@evi-inc.com> <223f97700707261542u5256ba81s30ce53bdc5ae7149@mail.gmail.com> <46A9FDEF.4040309@evi-inc.com> <46AA001F.8090406@sendit.nodak.edu> <46AA0440.4090601@ecs.soton.ac.uk> <223f97700707270754h17c71aeew98ba7778f3712773@mail.gmail.com> <46AA0966.5090901@ecs.soton.ac.uk> <223f97700707270811i1a41c089neec9026c61e49465@mail.gmail.com>
Message-ID: <46AA0D90.8020109@ecs.soton.ac.uk>

Glenn Steen wrote:
> On 27/07/07, Julian Field wrote:
>
>> Glenn Steen wrote:
>>
>>> On 27/07/07, Julian Field wrote:
>>>
>>>
>>>> Richard Frovarp wrote:
>>>>
>>>>
>>>>> Matt Kettler wrote:
>>>>>
>>>>>
>>>>>> Glenn Steen wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On 27/07/07, Matt Kettler wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Rick Cooper wrote:
>>>>>>>>
>>>>>>>> Given that running clamscan on the email file outside of MailScanner
>>>>>>>> detects it
>>>>>>>> as a virus, I've already conclusively proven clamav has the signature
>>>>>>>> and it
>>>>>>>> works properly.
>>>>>>>>
>>>>>>>> One observation, though, the specific test messages I used detected as
>>>>>>>> 1221 not
>>>>>>>> 1222, but they're all related.
>>>>>>>>
>>>>>>>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
>>>>>>>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
>>>>>>>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
>>>>>>>>
>>>>>>>> However, if you insist:
>>>>>>>> # sigtool --list-sigs|grep Email.Phishing.RB-1222
>>>>>>>> Email.Phishing.RB-1222
>>>>>>>>
>>>>>>>> Yes, it's there. Yes, clamscan can use it, and clamscan properly
>>>>>>>> detects the
>>>>>>>> messages as viruses when executed manually. No, clamav via MailScanner
>>>>>>>> cannot
>>>>>>>> detect it.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Could this perhaps have anything to do with how clam gets fed the
>>>>>>> message in MailScanner....? If I'm not completely senile (always a
>>>>>>> possibility:-), MS doesn't feed it the complete message, hence some
>>>>>>> newstyle sigs will never (be able to) trigger.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> That goes back to my original statement that I felt that the
>>>>>> difference had to
>>>>>> do with the fact that my MailScanner isn't up-to-date.
>>>>>>
>>>>>> I'm quite convinced that this is a MailScanner interfacing issue, as
>>>>>> it is quite
>>>>>> clear clamav is working properly outside MS.
>>>>>>
>>>>>> (Note: Personally I don't have a problem with this "issue", I was
>>>>>> merely joining
>>>>>> in and commenting on it hoping my observations could help others who
>>>>>> do have
>>>>>> problems with it.)
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> I don't have that one tripping either. I figure it is due to the fact
>>>>> that I stop a lot at the MTA and delete high scoring spam so they
>>>>> never even reach clam.
>>>>>
>>>>>
>>>> I have now written support for passing entire messages to the ClamAV
>>>> scanners. There is a new setting called "Reliably Detect Spam With
>>>> ClamAV" which is "no" by default as it has a speed impact. It has no
>>>> effect when the ClamAV scanners are not being used.
>>>>
>>>> I'll release a new beta shortly.
>>>>
>>>> Jules
>>>>
>>>>
>>> You know what Jules... You're an absolute wonder!:)
>>> Was that a book you had on your list, or is it gone already?
>>>
>>>
>> The book is still there...
>>
>>
> I'll see what I can do about that ... later tonight...
>
Thank you!

Jules

From gmatt at nerc.ac.uk Fri Jul 27 16:30:54 2007
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Fri Jul 27 16:31:13 2007
Subject: mailscanner.cf
In-Reply-To:
References: <46AA0208.3010003@nerc.ac.uk>
Message-ID: <46AA0FAE.8090100@nerc.ac.uk>

Kai Schaetzl wrote:
> Greg Matthews wrote on Fri, 27 Jul 2007 15:32:40 +0100:
>
>> Any chance this link could be renamed permanently? Or suggest a
>> different solution?
>
> The correct solution is to use your own scores and rules files and only
> edit pre-existing values in mailscanner.cf. Do not *add* any custom stuff
> here.

forgive me if I'm wrong but I am under the impression that there are already score adjustments in this file as shipped with MailScanner... bogus-virus-warnings for instance, I myself already have slightly customised Bayes scores. Having custom score adjustments in different places is daft and more work to maintain. Why not rename the file as suggested and then all customisations will be read after other rulesets.

Glenn's suggestion to create a second link would certainly work and survive an upgrade but it is... inelegant, resulting in the custom .cf file getting read twice. At the moment it's probably the best solution unless Jules renames the link.

GREG

>
> Kai
>

--
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

From MailScanner at ecs.soton.ac.uk Fri Jul 27 16:36:25 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 27 16:36:41 2007
Subject: mailscanner.cf
In-Reply-To: <46AA0FAE.8090100@nerc.ac.uk>
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk>
Message-ID: <46AA10F9.3050604@ecs.soton.ac.uk>

Greg Matthews wrote:
> Kai Schaetzl wrote:
>> Greg Matthews wrote on Fri, 27 Jul 2007 15:32:40 +0100:
>>
>>> Any chance this link could be renamed permanently? Or suggest a
>>> different solution?
>>
>> The correct solution is to use your own scores and rules files and
>> only edit pre-existing values in mailscanner.cf. Do not *add* any
>> custom stuff here.
>
> forgive me if I'm wrong but I am under the impression that there are
> already score adjustments in this file as shipped with MailScanner...
> bogus-virus-warnings for instance, I myself already have slightly
> customised Bayes scores. Having custom score adjustments in different
> places is daft and more work to maintain. Why not rename the file as
> suggested and then all customisations will be read after other rulesets.
>
> Glenn's suggestion to create a second link would certainly work and
> survive an upgrade but it is... inelegant, resulting in the custom .cf
> file getting read twice. At the moment it's probably the best solution
> unless Jules renames the link.
Would anyone object to me renaming it to zzzMailScanner.cf ?
>
> GREG
>
>>
>> Kai
>>
>
>
Jules

From dave.list at pixelhammer.com Fri Jul 27 16:40:26 2007
From: dave.list at pixelhammer.com (DAve)
Date: Fri Jul 27 16:42:14 2007
Subject: BarricadeMX experiences
In-Reply-To: <223f97700707270809u3b0317aaxcb45662eb03ad99a@mail.gmail.com>
References: <16765962.5041185545173697.JavaMail.root@office.splatnix.net> <46A9FF59.1030807@pixelhammer.com> <223f97700707270809u3b0317aaxcb45662eb03ad99a@mail.gmail.com>
Message-ID: <46AA11EA.4070600@pixelhammer.com>

Glenn Steen wrote:
> On 27/07/07, DAve wrote:
>> UxBoD wrote:
>>> Jules,
>>>
>>> why not create a mailscanner-ot list ;)
>> Someone would complain if you posted MS info there, because it would be
>> on topic. No wait, if it is MS info then it is off topic, for the MS off
>> topic list. But that IS off topic, and off topic is on topic for the off
>> topic list, right?
>>
>> Hold on here, the MS off topic list would have posts that are off topic
>> on the MS list be on topic for the off topic list, and posts on topic
>> for the off topic list would be off topic for the on topic list.
>>
>> So which list would this post go on? Yea, it's been one of those weeks.
>>
>> DAve
>>
> Obviously... Talk about "Friday afternoon syndrome"...:-D
> Oh BTW, this is off-topic wrt most anything in any list:P
>
> Cheers

It is Friday, finally Friday, God bless Friday 8^)

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans?

Maybe they forgot who made that choice possible.

From itdept at fractalweb.com Fri Jul 27 17:21:12 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Fri Jul 27 17:21:38 2007
Subject: mailscanner.cf
In-Reply-To: <46AA10F9.3050604@ecs.soton.ac.uk>
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk>
Message-ID: <46AA1B78.4030702@fractalweb.com>

Julian Field wrote:
> Would anyone object to me renaming it to zzzMailScanner.cf ?

Jules,

I'm fine with that. I suppose there'd have to be something in the docs about the name change and a note to remove the original MailScanner.cf file, especially for upgraders.

Chris

From maillists at conactive.com Fri Jul 27 17:29:34 2007
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jul 27 17:29:38 2007
Subject: mailscanner.cf
In-Reply-To: <46AA0FAE.8090100@nerc.ac.uk>
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk>
Message-ID:

Greg Matthews wrote on Fri, 27 Jul 2007 16:30:54 +0100:

> forgive me if I'm wrong but I am under the impression that there are
> already score adjustments in this file as shipped with MailScanner

That's correct. Still you should maintain your own files if you *add* to that. After all, that's what the method of parsing the whole directory is for.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From ms-list at alexb.ch Fri Jul 27 17:36:03 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Jul 27 17:36:10 2007
Subject: mailscanner.cf
In-Reply-To: <46AA10F9.3050604@ecs.soton.ac.uk>
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk>
Message-ID: <46AA1EF3.9030300@alexb.ch>

On 7/27/2007 5:36 PM, Julian Field wrote:
>
>
> Greg Matthews wrote:
>> Kai Schaetzl wrote:
>>> Greg Matthews wrote on Fri, 27 Jul 2007 15:32:40 +0100:
>>>
>>>> Any chance this link could be renamed permanently? Or suggest a
>>>> different solution?
>>>
>>> The correct solution is to use your own scores and rules files and
>>> only edit pre-existing values in mailscanner.cf. Do not *add* any
>>> custom stuff here.
>>
>> forgive me if I'm wrong but I am under the impression that there are
>> already score adjustments in this file as shipped with MailScanner...
>> bogus-virus-warnings for instance, I myself already have slightly
>> customised Bayes scores. Having custom score adjustments in different
>> places is daft and more work to maintain. Why not rename the file as
>> suggested and then all customisations will be read after other rulesets.
>>
>> Glenn's suggestion to create a second link would certainly work and
>> survive an upgrade but it is... inelegant, resulting in the custom .cf
>> file getting read twice. At the moment it's probably the best solution
>> unless Jules renames the link.
> Would anyone object to me renaming it to zzzMailScanner.cf ?

on April 1, no problem :-))))

IMO, MailScanner.cf is no problem as it is - it even comes after SA's default local.cf which makes sense for the default system.

If ppl want to change scores after MailScanner.cf and/or local.cf they can use their own zz_top.cf

Alex

From uxbod at splatnix.net Fri Jul 27 17:53:26 2007
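The read-order problem discussed in the mailscanner.cf thread, as an added sketch (not code from MailScanner, SpamAssassin or any poster): it reports which `score` lines set through the MailScanner link lose to a later .cf file, and which link names make one file get parsed twice. It assumes .cf files are read in plain sorted file-name order, as the thread describes; the temporary directory layout, the pdfinfo.cf score of 2.5 and all function names are constructed for illustration.

```python
import os
import re
import tempfile

# First numeric value after "score RULE"; SpamAssassin also accepts up to four
# per-mode values on one line, which this sketch ignores.
SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(-?\d+(?:\.\d+)?)")


def read_order(sa_dir):
    """*.cf names in sorted order, the read order the thread describes."""
    return sorted(n for n in os.listdir(sa_dir) if n.endswith(".cf"))


def score_history(sa_dir):
    """Map rule -> [(file name, score), ...] in read order, following symlinks."""
    history = {}
    for name in read_order(sa_dir):
        with open(os.path.join(sa_dir, name), encoding="utf-8") as fh:
            for line in fh:
                match = SCORE_RE.match(line.split("#", 1)[0])
                if match:
                    history.setdefault(match.group(1), []).append(
                        (name, float(match.group(2))))
    return history


def overridden(sa_dir, local_name):
    """Rules scored via local_name whose effective score comes from a later file.

    Returns {rule: (score wanted, file that won, score in effect)}.
    """
    lost = {}
    for rule, entries in score_history(sa_dir).items():
        wanted = [score for name, score in entries if name == local_name]
        winner, effective = entries[-1]
        if wanted and winner != local_name:
            lost[rule] = (wanted[-1], winner, effective)
    return lost


def read_twice(sa_dir):
    """Groups of *.cf names that resolve to one real file (parsed more than once)."""
    targets = {}
    for name in read_order(sa_dir):
        real = os.path.realpath(os.path.join(sa_dir, name))
        targets.setdefault(real, []).append(name)
    return [names for names in targets.values() if len(names) > 1]


def build_demo(link_names):
    """Create a constructed layout in a temp dir; return the SpamAssassin rules dir.

    link_names: symlink names to create in the rules dir. The first points at the
    prefs file, each later one at the first link (the second-link suggestion).
    """
    root = tempfile.mkdtemp(prefix="sa-order-")
    ms_dir = os.path.join(root, "MailScanner")
    sa_dir = os.path.join(root, "spamassassin")
    os.makedirs(ms_dir)
    os.makedirs(sa_dir)
    prefs = os.path.join(ms_dir, "spam.assassin.prefs.conf")
    with open(prefs, "w", encoding="utf-8") as fh:
        fh.write("score GMD_PDF_ENCRYPTED 1.0   # the admin's adjustment\n")
    with open(os.path.join(sa_dir, "local.cf"), "w", encoding="utf-8") as fh:
        fh.write("required_score 5\n")
    with open(os.path.join(sa_dir, "pdfinfo.cf"), "w", encoding="utf-8") as fh:
        fh.write("score GMD_PDF_ENCRYPTED 2.5   # constructed value\n")
    os.symlink(prefs, os.path.join(sa_dir, link_names[0]))
    for extra in link_names[1:]:
        os.symlink(link_names[0], os.path.join(sa_dir, extra))
    return sa_dir


if __name__ == "__main__":
    for links in (["mailscanner.cf"], ["zzzMailScanner.cf"],
                  ["mailscanner.cf", "zz-mailscanner.cf"]):
        sa_dir = build_demo(links)
        print(links, read_order(sa_dir))
        print("  overridden:", overridden(sa_dir, links[-1]))
        print("  read twice:", read_twice(sa_dir))
```

Pointing `overridden()` at a real rules directory before and after an upgrade shows whether a renamed or recreated link has put local score adjustments back behind a third-party rules file.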
From: uxbod at splatnix.net (UxBoD)
Date: Fri Jul 27 17:50:31 2007
Subject: Grreting card scams
In-Reply-To: <46AA0440.4090601@ecs.soton.ac.uk>
Message-ID: <12704071.5101185555206678.JavaMail.root@office.splatnix.net>

You're the man :D

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: 27 July 2007 15:42:08 o'clock (GMT) Europe/London
Subject: Re: Grreting card scams

Richard Frovarp wrote:
> Matt Kettler wrote:
>> Glenn Steen wrote:
>>
>>> On 27/07/07, Matt Kettler wrote:
>>>
>>>> Rick Cooper wrote:
>>>>
>>>> Given that running clamscan on the email file outside of MailScanner
>>>> detects it
>>>> as a virus, I've already conclusively proven clamav has the signature
>>>> and it
>>>> works properly.
>>>>
>>>> One observation, though, the specific test messages I used detected as
>>>> 1221 not
>>>> 1222, but they're all related.
>>>>
>>>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
>>>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
>>>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
>>>>
>>>> However, if you insist:
>>>> # sigtool --list-sigs|grep Email.Phishing.RB-1222
>>>> Email.Phishing.RB-1222
>>>>
>>>> Yes, it's there. Yes, clamscan can use it, and clamscan properly
>>>> detects the
>>>> messages as viruses when executed manually. No, clamav via MailScanner
>>>> cannot
>>>> detect it.
>>>>
>>>>
>>> Could this perhaps have anything to do with how clam gets fed the
>>> message in MailScanner....? If I'm not completely senile (always a
>>> possibility:-), MS doesn't feed it the complete message, hence some
>>> newstyle sigs will never (be able to) trigger.
>>>
>>
>> That goes back to my original statement that I felt that the
>> difference had to
>> do with the fact that my MailScanner isn't up-to-date.
>>
>> I'm quite convinced that this is a MailScanner interfacing issue, as
>> it is quite
>> clear clamav is working properly outside MS.
>>
>> (Note: Personally I don't have a problem with this "issue", I was
>> merely joining
>> in and commenting on it hoping my observations could help others who
>> do have
>> problems with it.)
>>
>>
>>
>>
> I don't have that one tripping either. I figure it is due to the fact
> that I stop a lot at the MTA and delete high scoring spam so they
> never even reach clam.
I have now written support for passing entire messages to the ClamAV scanners. There is a new setting called "Reliably Detect Spam With ClamAV" which is "no" by default as it has a speed impact. It has no effect when the ClamAV scanners are not being used.

I'll release a new beta shortly.

Jules

From uxbod at splatnix.net Fri Jul 27 17:54:19 2007
From: uxbod at splatnix.net (UxBoD) Date: Fri Jul 27 17:51:23 2007 Subject: Grreting card scams In-Reply-To: <223f97700707270811i1a41c089neec9026c61e49465@mail.gmail.com> Message-ID: <24797434.5131185555259775.JavaMail.root@office.splatnix.net> Snap. Unless Glenn buys them all ;) Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- 
From: "Glenn Steen"
To: "MailScanner discussion"
Sent: 27 July 2007 16:11:28 o'clock (GMT) Europe/London
Subject: Re: Grreting card scams

On 27/07/07, Julian Field wrote:
>
>
> Glenn Steen wrote:
> > On 27/07/07, Julian Field wrote:
> >
> >> Richard Frovarp wrote:
> >>
> >>> Matt Kettler wrote:
> >>>
> >>>> Glenn Steen wrote:
> >>>>
> >>>>
> >>>>> On 27/07/07, Matt Kettler wrote:
> >>>>>
> >>>>>
> >>>>>> Rick Cooper wrote:
> >>>>>>
> >>>>>> Given that running clamscan on the email file outside of MailScanner
> >>>>>> detects it
> >>>>>> as a virus, I've already conclusively proven clamav has the signature
> >>>>>> and it
> >>>>>> works properly.
> >>>>>>
> >>>>>> One observation, though, the specific test messages I used detected as
> >>>>>> 1221 not
> >>>>>> 1222, but they're all related.
> >>>>>>
> >>>>>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
> >>>>>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
> >>>>>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
> >>>>>>
> >>>>>> However, if you insist:
> >>>>>> # sigtool --list-sigs|grep Email.Phishing.RB-1222
> >>>>>> Email.Phishing.RB-1222
> >>>>>>
> >>>>>> Yes, it's there. Yes, clamscan can use it, and clamscan properly
> >>>>>> detects the
> >>>>>> messages as viruses when executed manually. No, clamav via MailScanner
> >>>>>> cannot
> >>>>>> detect it.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>> Could this perhaps have anything to do with how clam gets fed the
> >>>>> message in MailScanner....? If I'm not completely senile (always a
> >>>>> possibility:-), MS doesn't feed it the complete message, hence some
> >>>>> newstyle sigs will never (be able to) trigger.
> >>>>>
> >>>>>
> >>>> That goes back to my original statement that I felt that the
> >>>> difference had to
> >>>> do with the fact that my MailScanner isn't up-to-date.
> >>>>
> >>>> I'm quite convinced that this is a MailScanner interfacing issue, as
> >>>> it is quite
> >>>> clear clamav is working properly outside MS.
> >>>>
> >>>> (Note: Personally I don't have a problem with this "issue", I was
> >>>> merely joining
> >>>> in and commenting on it hoping my observations could help others who
> >>>> do have
> >>>> problems with it.)
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>> I don't have that one tripping either. I figure it is due to the fact
> >>> that I stop a lot at the MTA and delete high scoring spam so they
> >>> never even reach clam.
> >>>
> >> I have now written support for passing entire messages to the ClamAV
> >> scanners. There is a new setting called "Reliably Detect Spam With
> >> ClamAV" which is "no" by default as it has a speed impact. It has no
> >> effect when the ClamAV scanners are not being used.
> >>
> >> I'll release a new beta shortly.
> >>
> >> Jules
> >>
> > You know what Jules... You're an absolute wonder!:)
> > Was that a book you had on your list, or is it gone already?
> >
> The book is still there...
>
I'll see what I can do about that ... later tonight...

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From uxbod at splatnix.net Fri Jul 27 17:54:58 2007
From: uxbod at splatnix.net (UxBoD)
Date: Fri Jul 27 17:52:02 2007
Subject: Grreting card scams
In-Reply-To: <46AA069B.3080906@alexb.ch>
Message-ID: <26697843.5161185555298829.JavaMail.root@office.splatnix.net>

ClamAV Full Message Scan:

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Alex Broens"
To: "MailScanner discussion"
Sent: 27 July 2007 15:52:11 o'clock (GMT) Europe/London
Subject: Re: Grreting card scams

On 7/27/2007 4:42 PM, Julian Field wrote:
>
>
> Richard Frovarp wrote:
>> Matt Kettler wrote:
>>> Glenn Steen wrote:
>>>
>>>> On 27/07/07, Matt Kettler wrote:
>>>>
>>>>> Rick Cooper wrote:
>>>>>
>>>>> Given that running clamscan on the email file outside of MailScanner
>>>>> detects it
>>>>> as a virus, I've already conclusively proven clamav has the signature
>>>>> and it
>>>>> works properly.
>>>>>
>>>>> One observation, though, the specific test messages I used detected as
>>>>> 1221 not
>>>>> 1222, but they're all related.
>>>>>
>>>>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
>>>>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
>>>>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
>>>>>
>>>>> However, if you insist:
>>>>> # sigtool --list-sigs|grep Email.Phishing.RB-1222
>>>>> Email.Phishing.RB-1222
>>>>>
>>>>> Yes, it's there. Yes, clamscan can use it, and clamscan properly
>>>>> detects the
>>>>> messages as viruses when executed manually. No, clamav via MailScanner
>>>>> cannot
>>>>> detect it.
>>>>>
>>>>>
>>>> Could this perhaps have anything to do with how clam gets fed the
>>>> message in MailScanner....? If I'm not completely senile (always a
>>>> possibility:-), MS doesn't feed it the complete message, hence some
>>>> newstyle sigs will never (be able to) trigger.
>>>>
>>>
>>> That goes back to my original statement that I felt that the
>>> difference had to
>>> do with the fact that my MailScanner isn't up-to-date.
>>>
>>> I'm quite convinced that this is a MailScanner interfacing issue, as
>>> it is quite
>>> clear clamav is working properly outside MS.
>>>
>>> (Note: Personally I don't have a problem with this "issue", I was
>>> merely joining
>>> in and commenting on it hoping my observations could help others who
>>> do have
>>> problems with it.)
>>>
>>>
>>>
>>>
>> I don't have that one tripping either. I figure it is due to the fact
>> that I stop a lot at the MTA and delete high scoring spam so they
>> never even reach clam.
> I have now written support for passing entire messages to the ClamAV
> scanners. There is a new setting called "Reliably Detect Spam With
> ClamAV" which is "no" by default as it has a speed impact. It has no
> effect when the ClamAV scanners are not being used.
>
> I'll release a new beta shortly.

Jules

"Reliably Detect Spam With ClamAV" is misleading.

it's not really spam it's detecting, it could be anything.

something like "ClamAV Raw Message Parsing" may be more appropriate tho
that's not nice either.

Alex

From dave.list at pixelhammer.com Fri Jul 27 17:59:00 2007
From: dave.list at pixelhammer.com (DAve)
Date: Fri Jul 27 18:00:40 2007
Subject: mailscanner.cf
In-Reply-To: <46AA10F9.3050604@ecs.soton.ac.uk>
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk>
Message-ID: <46AA2454.1090100@pixelhammer.com>

Julian Field wrote:
>
>
> Greg Matthews wrote:
>> Kai Schaetzl wrote:
>>> Greg Matthews wrote on Fri, 27 Jul 2007 15:32:40 +0100:
>>>
>>>> Any chance this link could be renamed permanently? Or suggest a
>>>> different solution?
>>>
>>> The correct solution is to use your own scores and rules files and
>>> only edit pre-existing values in mailscanner.cf. Do not *add* any
>>> custom stuff here.
>>
>> forgive me if I'm wrong but I am under the impression that there are
>> already score adjustments in this file as shipped with MailScanner...
>> bogus-virus-warnings for instance, I myself already have slightly
>> customised Bayes scores. Having custom score adjustments in different
>> places is daft and more work to maintain. Why not rename the file as
>> suggested and then all customisations will be read after other rulesets.
>>
>> Glenn's suggestion to create a second link would certainly work and
>> survive an upgrade but it is... inelegant, resulting in the custom .cf
>> file getting read twice. At the moment it's probably the best solution
>> unless Jules renames the link.
> Would anyone object to me renaming it to zzzMailScanner.cf ?

We already have a last used cf file that all our local rules go into so
they override SA and MS scoring. That is also the only file we edit
except to remove unneeded plugins in the *.pre files.

I guess I could name our file zzzzzzz_really_last.cf.

DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.

From Kevin_Miller at ci.juneau.ak.us Fri Jul 27 18:02:06 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Jul 27 18:02:17 2007
Subject: mailscanner.cf
In-Reply-To: <46AA10F9.3050604@ecs.soton.ac.uk>
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote:

> Would anyone object to me renaming it to zzzMailScanner.cf ?

Well, yes, but only for esthetic reasons.

But I'm puzzled as to why one would need to. If it's a parsing problem,
then put any customizations in local.cf (or make a Custom.cf if case
matters) both of which should kick off before MailScanner.cf.

Not much difference between editing MailScanner.cf and Custom.cf in my
mind. But maybe I'm just missing something...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From ms-list at alexb.ch Fri Jul 27 18:29:04 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Jul 27 18:29:11 2007
Subject: mailscanner.cf
In-Reply-To:
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk>
Message-ID: <46AA2B60.4070306@alexb.ch>

On 7/27/2007 7:02 PM, Kevin Miller wrote:
> Julian Field wrote:
>
>> Would anyone object to me renaming it to zzzMailScanner.cf ?
>
> Well, yes, but only for esthetic reasons.
>
> But I'm puzzled as to why one would need to. If it's a parsing problem,
> then put any customizations in local.cf (or make a Custom.cf if case
> matters) both of which should kick off before MailScanner.cf.
>
> Not much difference between editing MailScanner.cf and Custom.cf in my
> mind. But maybe I'm just missing something...

afaik, if you create a meta in local.cf with rules in MailScanner.cf it
won't hit - SA rule files get parsed in alphabetic order so last rule
should be in last file, alphabetically.

Matt K. will correct me if I'm off-clue

Alex

From Kevin_Miller at ci.juneau.ak.us Fri Jul 27 19:12:34 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Jul 27 19:12:43 2007
Subject: mailscanner.cf
In-Reply-To: <46AA2B60.4070306@alexb.ch>
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA2B60.4070306@alexb.ch>
Message-ID:

Alex Broens wrote:
>
> afaik, if you create a meta in local.cf with rules in MailScanner.cf
> it won't hit - SA rule files get parsed in alphabetic order so last
> rule should be in last file, alphabetically.

I've never quite understood the metas, but to be honest I've never
looked into them so that's not surprising.

That said, what I was getting at, is put any local customizations in
local.cf which should get parsed before MailScanner.cf (unless case is
an issue in which instance a capital M may collate before lowercase l.
I can't remember w/o looking at an ASCII table). If M comes before l,
then create a Custom.cf which will parse before MailScanner.cf.

I.e., it should be pretty easy for MailScanner.cf to come last, and as
long as you don't put anything in it that clobbers whatever is in
Custom.cf or local.cf (whichever is needful) then you're golden.

I know there's some adjustments in MailScanner.cf but the advantage of
using a local/Custom ruleset and not putting additional ones in
MailScanner is that in an upgrade you don't have to update the file. I
just took a look at my MailScanner.cf and most of it is commented out,
except for a few MS specific things. That makes sense to me - put MS
related stuff there, and SA customizations elsewhere and don't duplicate
rulesets in multiple places - then there's no issue.

But that's what works for me...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From maillists at conactive.com Fri Jul 27 19:25:59 2007
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jul 27 19:26:02 2007
Subject: mailscanner.cf
In-Reply-To:
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk>
Message-ID:

Kevin Miller wrote on Fri, 27 Jul 2007 09:02:06 -0800:

> If it's a parsing problem,
> then put any customizations in local.cf (or make a Custom.cf if case
> matters) both of which should kick off before MailScanner.cf.

That's exactly the problem if it concerns scores. If you set a score in
local.cf that is set in MailScanner.cf the latter overrides the former.
You may not want that.

Thinking this over I don't quite understand, though, why MailScanner.conf
needs to come last (or almost last). The shipping MailScanner.conf should
contain only scores that affect the *shipping* SA rules and these are not
in this directory! (except for local.cf which is definitely before M)

It should not contain scores for any third-party rules as not anybody has
them.

And the same is true for your own rules. If anybody puts his own rules in
there he just fell in that trap. As I said: put your own rules/scores in
your own file, obviously higher than M and all is well. There is
absolutely no need to rename MailScanner.cf. People putting their own
scores there simply do it wrong.

(btw: is there already an install option to avoid creation of the symlink
at all? If not I would like to see that.)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Jul 27 19:31:12 2007
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Jul 27 19:31:14 2007
Subject: mailscanner.cf
In-Reply-To:
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA2B60.4070306@alexb.ch>
Message-ID:

Kevin Miller wrote on Fri, 27 Jul 2007 10:12:34 -0800:

> I know there's some adjustments in MailScanner.cf but the advantage of
> using a local/Custom ruleset and not putting additional ones in
> MailScanner is that in an upgrade you don't have to update the file. I
> just took a look at my MailScanner.cf and most of it is commented out,
> except for a few MS specific things. That makes sense to me - put MS
> related stuff there, and SA customizations elsewhere and don't duplicate
> rulesets in multiple places - then there's no issue.

Exactly.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From Kevin_Miller at ci.juneau.ak.us Fri Jul 27 19:34:19 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Jul 27 19:34:24 2007
Subject: mailscanner.cf
In-Reply-To:
References: <46AA0208.3010003@nerc.ac.uk><46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk>
Message-ID:

Kai Schaetzl wrote:
> That's exactly the problem if it concerns scores. If you set a score
> in local.cf that is set in MailScanner.cf the latter overrides the
> former. You may not want that.

Right - I took that approach, because the OP wanted MailScanner.cf to
run last. But maybe someone else wants it first or in the middle, so
zzzMailScanner.cf isn't a universal fix all. As you and I both more or
less said, put your own rules in their own space and don't duplicate
them in multiple files and there's no problem...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500

From MailScanner at ecs.soton.ac.uk Fri Jul 27 19:34:07 2007
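
[Added example, not part of any poster's message and not MailScanner or SpamAssassin code.] The read-order and score-override behaviour debated in this thread, modelled on a constructed directory. It assumes the *.cf files are read in plain byte-wise sorted order and that the last "score" line read for a rule is the one that stands; the rule names, the scores and the file zz_site.cf are made up.

```python
import re

# "score RULE 1.5" or the four-value form "score RULE 1 2 3 4"; a trailing
# "# comment" is allowed. Anything else in a .cf file is ignored here.
_NUM = r"-?\d+(?:\.\d+)?"
SCORE_RE = re.compile(
    rf"^\s*score\s+(\S+)\s+({_NUM}(?:\s+{_NUM}){{0,3}})\s*(?:#.*)?$"
)


def read_order(filenames):
    """Order in which the *.cf files are assumed to be read: plain byte-wise
    sort, so every uppercase letter sorts before every lowercase one."""
    cf = [name for name in filenames if name.endswith(".cf")]
    return sorted(cf, key=lambda name: name.encode("utf-8"))


def score_history(files):
    """files maps file name -> file text. Returns rule -> [(file, score), ...]
    in read order, so the last entry is the one left standing."""
    history = {}
    for name in read_order(files):
        for line in files[name].splitlines():
            match = SCORE_RE.match(line)
            if match:
                value = " ".join(match.group(2).split())
                history.setdefault(match.group(1), []).append((name, value))
    return history


def effective(files):
    """rule -> (winning file, score, files whose score line was overridden)."""
    return {
        rule: (entries[-1][0], entries[-1][1], [f for f, _ in entries[:-1]])
        for rule, entries in score_history(files).items()
    }


def renamed(files, old, new):
    """Copy of the directory with one file renamed; contents untouched."""
    copy = dict(files)
    copy[new] = copy.pop(old)
    return copy


# Constructed directory contents (rule names and scores are made up).
SITE = {
    "local.cf": "score DEMO_RULE_A 3.0\nscore DEMO_RULE_B 0.5\n",
    "mailscanner.cf": "score DEMO_RULE_A 1.0\nscore DEMO_RULE_C 0 0 2.5 2.5\n",
    "zz_site.cf": "score DEMO_RULE_C 4.0  # site override\n",
    "init.pre": "# not a .cf file, never considered\n",
}

if __name__ == "__main__":
    layouts = {
        "as shipped": SITE,
        "link renamed": renamed(SITE, "mailscanner.cf", "zzzMailScanner.cf"),
    }
    layouts["site file renamed too"] = renamed(
        layouts["link renamed"], "zz_site.cf", "zzzzzzz_really_last.cf"
    )
    for label, files in layouts.items():
        print(f"{label}: {' -> '.join(read_order(files))}")
        for rule, (winner, value, shadowed) in sorted(effective(files).items()):
            note = f" (overrides {', '.join(shadowed)})" if shadowed else ""
            print(f"  {rule} = {value} from {winner}{note}")
```

Under the byte-wise assumption a capital-M MailScanner.cf would be read before local.cf, while the lowercase mailscanner.cf link is read after it; renaming the link to zzzMailScanner.cf moves it past zz_site.cf, so the site override of DEMO_RULE_C stops applying until the site file is renamed as well.
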
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 27 19:34:32 2007
Subject: mailscanner.cf
In-Reply-To: <46AA1B78.4030702@fractalweb.com>
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA1B78.4030702@fractalweb.com>
Message-ID: <46AA3A9F.2070805@ecs.soton.ac.uk>

Chris Yuzik wrote:
> Julian Field wrote:
>> Would anyone object to me renaming it to zzzMailScanner.cf ?
>
> Jules,
>
> I'm fine with that. I suppose there'd have to be something in the docs
> about the name change and a note to remove the original MailScanner.cf
> file, especially for upgraders.
I'll try to make the RPM file remove the old link and replace it with
the new one.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Fri Jul 27 19:57:32 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 27 19:57:53 2007
Subject: mailscanner.cf
In-Reply-To:
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk>
Message-ID: <46AA401C.9050707@ecs.soton.ac.uk>

Kai Schaetzl wrote:
> Kevin Miller wrote on Fri, 27 Jul 2007 09:02:06 -0800:
>
>
>> If it's a parsing problem,
>> then put any customizations in local.cf (or make a Custom.cf if case
>> matters) both of which should kick off before MailScanner.cf.
>>
>
> That's exactly the problem if it concerns scores. If you set a score in
> local.cf that is set in MailScanner.cf the latter overrides the former.
> You may not want that.
>
> Thinking this over I don't quite understand, though, why MailScanner.conf
> needs to come last (or almost last). The shipping MailScanner.conf should
> contain only scores that affect the *shipping* SA rules and these are not
> in this directory! (except for local.cf which is definitely before M)
>
> It should not contain scores for any third-party rules as not anybody has
> them.
>
> And the same is true for your own rules. If anybody puts his own rules in
> there he just fell in that trap. As I said: put your own rules/scores in
> your own file, obviously higher than M and all is well. There is
> absolutely no need to rename MailScanner.cf. People putting their own
> scores there simply do it wrong.
>
> (btw: is there already an install option to avoid creation of the symlink
> at all? If not I would like to see that.)
>
Yes, you spell it
rm -f /etc/mail/spamassassin/mailscanner.cf
:-)

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

For all your IT requirements visit www.transtec.co.uk

From hvdkooij at vanderkooij.org Fri Jul 27 20:19:42 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Jul 27 20:19:49 2007
Subject: BarricadeMX experiences
In-Reply-To: <46A9FF59.1030807@pixelhammer.com>
References: <16765962.5041185545173697.JavaMail.root@office.splatnix.net> <46A9FF59.1030807@pixelhammer.com>
Message-ID:

On Fri, 27 Jul 2007, DAve wrote:

> Someone would complain if you posted MS info there, because it would be on
> topic. No wait, if it is MS info then it is off topic, for the MS off topic
> list. But that IS off topic, and off topic is on topic for the off topic
> list, right?
>
> Hold on here, the MS off topic list would have posts that are off topic on
> the MS list be on topic for the off topic list, and posts on topic for the
> off topic list would be off topic for the on topic list.
>
> So which list would this post go on? Yea, it's been one of those weeks.

Someone call a medic. We have a coffee OD here.

(Yep, I am definitely NOT calling for a doctor ;-)

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From ms-list at alexb.ch Fri Jul 27 20:21:27 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Fri Jul 27 20:21:34 2007
Subject: mailscanner.cf
In-Reply-To: <46AA401C.9050707@ecs.soton.ac.uk>
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA401C.9050707@ecs.soton.ac.uk>
Message-ID: <46AA45B7.5070409@alexb.ch>

On 7/27/2007 8:57 PM, Julian Field wrote:
>
>
>
> Kai Schaetzl wrote:
>> Kevin Miller wrote on Fri, 27 Jul 2007 09:02:06 -0800:
>>
>>
>>> If it's a parsing problem,
>>> then put any customizations in local.cf (or make a Custom.cf if case
>>> matters) both of which should kick off before MailScanner.cf.
>>>
>> That's exactly the problem if it concerns scores. If you set a score in
>> local.cf that is set in MailScanner.cf the latter overrides the former.
>> You may not want that.
>>
>> Thinking this over I don't quite understand, though, why MailScanner.conf
>> needs to come last (or almost last). The shipping MailScanner.conf should
>> contain only scores that affect the *shipping* SA rules and these are not
>> in this directory! (except for local.cf which is definitely before M)
>>
>> It should not contain scores for any third-party rules as not anybody has
>> them.
>>
>> And the same is true for your own rules. If anybody puts his own rules in
>> there he just fell in that trap. As I said: put your own rules/scores in
>> your own file, obviously higher than M and all is well. There is
>> absolutely no need to rename MailScanner.cf. People putting their own
>> scores there simply do it wrong.
>>
>> (btw: is there already an install option to avoid creation of the symlink
>> at all? If not I would like to see that.)
>>
> Yes, you spell it
> rm -f /etc/mail/spamassassin/mailscanner.cf
> :-)

and that will be replaced with what? zzzMailScanner.cf?

Alex

From hvdkooij at vanderkooij.org Fri Jul 27 20:25:20 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Jul 27 20:25:26 2007
Subject: CRM114
In-Reply-To: <28020962.4651185486168402.JavaMail.root@office.splatnix.net>
References: <28020962.4651185486168402.JavaMail.root@office.splatnix.net>
Message-ID:

On Thu, 26 Jul 2007, UxBoD wrote:

> Always up for a challenge :) Want to learn more about MailScanner
> anyway. Thanks Jules.

If you are really trying to compete with Jules you should be done by
Monday. ;-)

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From MailScanner at ecs.soton.ac.uk Fri Jul 27 20:29:15 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Jul 27 20:29:38 2007
Subject: CRM114
In-Reply-To:
References: <28020962.4651185486168402.JavaMail.root@office.splatnix.net>
Message-ID: <46AA478B.1030807@ecs.soton.ac.uk>

Hugo van der Kooij wrote:
> On Thu, 26 Jul 2007, UxBoD wrote:
>
>> Always up for a challenge :) Want to learn more about MailScanner
>> anyway. Thanks Jules.
>
> If you are really trying to compete with Jules you should be done by
> Monday. ;-)
Oh, you want it documented and stress-tested as well?
After all, I've got the whole weekend :-)
>
> Hugo.
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

For all your IT requirements visit www.transtec.co.uk

From glenn.steen at gmail.com Fri Jul 27 20:35:44 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 27 20:35:48 2007
Subject: Grreting card scams
In-Reply-To: <46AA0D90.8020109@ecs.soton.ac.uk>
References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net>
	<46A91ECF.8040807@evi-inc.com>
	<223f97700707261542u5256ba81s30ce53bdc5ae7149@mail.gmail.com>
	<46A9FDEF.4040309@evi-inc.com>
	<46AA001F.8090406@sendit.nodak.edu>
	<46AA0440.4090601@ecs.soton.ac.uk>
	<223f97700707270754h17c71aeew98ba7778f3712773@mail.gmail.com>
	<46AA0966.5090901@ecs.soton.ac.uk>
	<223f97700707270811i1a41c089neec9026c61e49465@mail.gmail.com>
	<46AA0D90.8020109@ecs.soton.ac.uk>
Message-ID: <223f97700707271235r30340c18x5ca75d96367eaf17@mail.gmail.com>

On 27/07/07, Julian Field wrote:
>
>
> Glenn Steen wrote:
> > On 27/07/07, Julian Field wrote:
> >
> >> Glenn Steen wrote:
> >>
> >>> On 27/07/07, Julian Field wrote:
(snip)
> >>>> I have now written support for passing entire messages to the ClamAV
> >>>> scanners. There is a new setting called "Reliably Detect Spam With
> >>>> ClamAV" which is "no" by default as it has a speed impact. It has no
> >>>> effect when the ClamAV scanners are not being used.
> >>>>
> >>>> I'll release a new beta shortly.
> >>>>
> >>>> Jules
> >>>>
> >>>>
> >>> You know what Jules... You're an absolute wonder!:)
> >>> Was that a book you had on your list, or is it gone already?
> >>>
> >>>
> >> The book is still there...
> >>
> >>
> > I'll see what I can do about that ... later tonight...
> >
> Thank you!
>
> Jules
>
Should be delivered to you on Tuesday or Wednesday... Yeah, I "cheaped
out" on the delivery option:-)
I hope that Field Guide comes in handy:)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Jul 27 20:37:16 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Jul 27 20:37:18 2007
Subject: Grreting card scams
In-Reply-To: <26697843.5161185555298829.JavaMail.root@office.splatnix.net>
References: <46AA069B.3080906@alexb.ch> <26697843.5161185555298829.JavaMail.root@office.splatnix.net>
Message-ID: <223f97700707271237m3802b6a2v48be1ec3fac6b2bb@mail.gmail.com>

On 27/07/07, UxBoD wrote:
> ClamAV Full Message Scan:
>
> Regards,
This one isn't half bad, provided one has a really good explanation
comment....:)

> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
>
> ----- Original Message -----
> From: "Alex Broens"
> To: "MailScanner discussion"
> Sent: 27 July 2007 15:52:11 o'clock (GMT) Europe/London
> Subject: Re: Grreting card scams
>
> On 7/27/2007 4:42 PM, Julian Field wrote:
> >
> >
> > Richard Frovarp wrote:
> >> Matt Kettler wrote:
> >>> Glenn Steen wrote:
> >>>
> >>>> On 27/07/07, Matt Kettler wrote:
> >>>>
> >>>>> Rick Cooper wrote:
> >>>>>
> >>>>> Given that running clamscan on the email file outside of MailScanner
> >>>>> detects it
> >>>>> as a virus, I've already conclusively proven clamav has the signature
> >>>>> and it
> >>>>> works properly.
> >>>>>
> >>>>> One observation, though, the specific test messages I used detected as
> >>>>> 1221 not
> >>>>> 1222, but they're all related.
> >>>>>
> >>>>> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
> >>>>> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
> >>>>> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
> >>>>>
> >>>>> However, if you insist:
> >>>>> # sigtool --list-sigs|grep Email.Phishing.RB-1222
> >>>>> Email.Phishing.RB-1222
> >>>>>
> >>>>> Yes, it's there. Yes, clamscan can use it, and clamscan properly
> >>>>> detects the
> >>>>> messages as viruses when executed manually. No, clamav via MailScanner
> >>>>> cannot
> >>>>> detect it.
> >>>>>
> >>>>>
> >>>> Could this perhaps have anything to do with how clam gets fed the
> >>>> message in MailScanner....? If I'm not completely senile (always a
> >>>> possibility:-), MS doesn't feed it the complete message, hence some
> >>>> newstyle sigs will never (be able to) trigger.
> >>>>
> >>>
> >>> That goes back to my original statement that I felt that the
> >>> difference had to
> >>> do with the fact that my MailScanner isn't up-to-date.
> >>>
> >>> I'm quite convinced that this is a MailScanner interfacing issue, as
> >>> it is quite
> >>> clear clamav is working properly outside MS.
> >>>
> >>> (Note: Personally I don't have a problem with this "issue", I was
> >>> merely joining
> >>> in and commenting on it hoping my observations could help others who
> >>> do have
> >>> problems with it.)
> >>>
> >>>
> >>>
> >>>
> >> I don't have that one tripping either. I figure it is due to the fact
> >> that I stop a lot at the MTA and delete high scoring spam so they
> >> never even reach clam.
> > I have now written support for passing entire messages to the ClamAV
> > scanners. There is a new setting called "Reliably Detect Spam With
> > ClamAV" which is "no" by default as it has a speed impact. It has no
> > effect when the ClamAV scanners are not being used.
> >
> > I'll release a new beta shortly.
>
> Jules
> "Reliably Detect Spam With ClamAV" is misleading.
>
> it's not really spam it's detecting, it could be anything.
>
> something like "ClamAV Raw Message Parsing" may be more appropriate tho
> that's not nice either.
>
> Alex
>
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Jul 27 20:42:26 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Jul 27 20:42:27 2007 Subject: mailscanner.cf In-Reply-To: <46AA1EF3.9030300@alexb.ch> References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA1EF3.9030300@alexb.ch> Message-ID: <223f97700707271242u2bebd7aftde842103ec238ef4@mail.gmail.com> On 27/07/07, Alex Broens wrote: > On 7/27/2007 5:36 PM, Julian Field wrote: > > > > > > Greg Matthews wrote: > >> Kai Schaetzl wrote: > >>> Greg Matthews wrote on Fri, 27 Jul 2007 15:32:40 +0100: > >>> > >>>> Any chance this link could be renamed permanently? Or suggest a > >>>> different solution? > >>> > >>> The correct solution is to use your own scores and rules files and > >>> only edit pre-existing values in mailscanner.cf. Do not *add* any > >>> custom stuff here. > >> > >> forgive me if I'm wrong but I am under the impression that there are > >> already score adjustments in this file as shipped with MailScanner... > >> bogus-virus-warnings for instance, I myself already have slightly > >> customised Bayes scores. Having custom score adjustments in different > >> places is daft and more work to maintain. Why not rename the file as > >> suggested and then all customisations will be read after other rulesets. > >> > >> Glenn's suggestion to create a second link would certainly work and > >> survive an upgrade but it is... inelegant, resulting in the custom .cf > >> file getting read twice. At the moment it's probably the best solution > >> unless Jules renames the link. > > Would anyone object to me renaming it to zzzMailScanner.cf ? > > on April 1, no problem :-)))) > > IMO, MailScanner.cf is no problem as it is - it even comes after SA's > default local.cf which makes sense for the default system. > > if ppl want to change scores after MailScanner.cf and or local.cf they > can use their own zz_top.cf > > Alex > Got a Beard Alex?:-) Anyway, the namechange would be fine, if it wasn't for the ... humoristic ...
effect...:-) The upgrade process would take care of it, of course (is it the clam+SA package that does that?! I forget...) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Jul 27 20:43:59 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Jul 27 20:44:00 2007 Subject: mailscanner.cf In-Reply-To: <46AA0FAE.8090100@nerc.ac.uk> References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> Message-ID: <223f97700707271243x2450d937y9ccb11e00d9b8468@mail.gmail.com> On 27/07/07, Greg Matthews wrote: (snip) > Glenn's suggestion to create a second link would certainly work and > survive an upgrade but it is... inelegant, resulting in the custom .cf > file getting read twice. At the moment it's probably the best solution > unless Jules renames the link. Never claimed it'd be elegant, just that it'd work;-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Jul 27 20:46:55 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Jul 27 20:46:57 2007 Subject: CRM114 In-Reply-To: <46AA478B.1030807@ecs.soton.ac.uk> References: <28020962.4651185486168402.JavaMail.root@office.splatnix.net> <46AA478B.1030807@ecs.soton.ac.uk> Message-ID: <223f97700707271246k7fe8cd52w1f8c08dad8cc8c4@mail.gmail.com> On 27/07/07, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Hugo van der Kooij wrote: > > On Thu, 26 Jul 2007, UxBoD wrote: > > > >> Always up for a challenge :) Want to learn more about MailScanner > >> anyway. Thanks Jules. > > > > If you are really trying to compete with Jules you should be done by > > monday. ;-) > Oh, you want it documented and stress-tested as well? After all, I've > got the whole weekend :-) No Jules, you should practice the fine art of relaxing... Try doing nothing for a while, much harder than it sounds;-). -- -- Glenn a.k.a. Mother Hen email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Fri Jul 27 20:48:40 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 27 20:49:02 2007 Subject: Grreting card scams In-Reply-To: <223f97700707271235r30340c18x5ca75d96367eaf17@mail.gmail.com> References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net> <46A91ECF.8040807@evi-inc.com> <223f97700707261542u5256ba81s30ce53bdc5ae7149@mail.gmail.com> <46A9FDEF.4040309@evi-inc.com> <46AA001F.8090406@sendit.nodak.edu> <46AA0440.4090601@ecs.soton.ac.uk> <223f97700707270754h17c71aeew98ba7778f3712773@mail.gmail.com> <46AA0966.5090901@ecs.soton.ac.uk> <223f97700707270811i1a41c089neec9026c61e49465@mail.gmail.com> <46AA0D90.8020109@ecs.soton.ac.uk> <223f97700707271235r30340c18x5ca75d96367eaf17@mail.gmail.com> Message-ID: <46AA4C18.9060501@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > On 27/07/07, Julian Field wrote: > >> Glenn Steen wrote: >> >>> On 27/07/07, Julian Field wrote: >>> >>> >>>> Glenn Steen wrote: >>>> >>>> >>>>> On 27/07/07, Julian Field wrote: >>>>> > (snip) > >>>>>> I have now written support for passing entire messages to the ClamAV >>>>>> scanners. There is a new setting called "Reliably Detect Spam With >>>>>> ClamAV" which is "no" by default as it has a speed impact. It has no >>>>>> effect when the ClamAV scanners are not being used. >>>>>> >>>>>> I'll release a new beta shortly. >>>>>> >>>>>> Jules >>>>>> >>>>>> >>>>>> >>>>> You know what Jules... You're an absolute wonder!:) >>>>> Was that a book you had on your list, or is it gone already? >>>>> >>>>> >>>>> >>>> The book is still there... >>>> >>>> >>>> >>> I'll see what I can do about that ... later tonight... >>> >>> >> Thank you! >> >> Jules >> >> > Should be delivered to you on Tuesday or Wednesday... Yeah, I"cheaped > out" on the delivery option:-) > > I hope that Field Guide comes in handy:) > You're a star, sir! There are a few things the camera can do that I'm not quite sure about. After all, what does ADI flash metering do for you on a good day? 
Thanks a lot, Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGqkwYEfZZRxQVtlQRAtv2AKCbI18zyuLVGsuhr52e0JO46TjEFgCgpJVb M9QHACT85APK+eHDzlJ7pDE= =WwVh -----END PGP SIGNATURE----- From MailScanner at ecs.soton.ac.uk Fri Jul 27 21:13:08 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 27 21:13:29 2007 Subject: CRM114 In-Reply-To: <223f97700707271246k7fe8cd52w1f8c08dad8cc8c4@mail.gmail.com> References: <28020962.4651185486168402.JavaMail.root@office.splatnix.net> <46AA478B.1030807@ecs.soton.ac.uk> <223f97700707271246k7fe8cd52w1f8c08dad8cc8c4@mail.gmail.com> Message-ID: <46AA51D4.5010207@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > On 27/07/07, Julian Field wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> Hugo van der Kooij wrote: >> >>> On Thu, 26 Jul 2007, UxBoD wrote: >>> >>> >>>> Always up for a challenge :) Want to learn more about MailScanner >>>> anyway. Thanks Jules. >>>> >>> If you are really trying to compete with Jules you should be done by >>> monday. ;-) >>> >> Oh, you want it documented and stress-tested as well? After all, I've >> got the whole weekend :-) >> > > No Jules, you should practice the fine art of relaxing... Try doing > nothing for a while, much harder than it sounds;-). > Do nothing? Isn't that, well, kinda boring? I'm not very good at that (not that you would notice). On a totally OT, I just got a mail from Logitech tech support telling me they have finally managed to get my Harmony 785 Remote control working with EyeTV so I can navigate the menus and program guide at a decent speed. It was stuck working about 1.3 seconds per button press, and they have fixed it so it works nice and quickly. It beat their first and second line tech support people, it took the database guys 2 attempts to fix it, but they managed it in the end. So I can finally pension off my old Sony programmable remote. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGqlHVEfZZRxQVtlQRAjhaAJ422ejfHbv9stcL/VukGjtcce6KdwCg4fEz 8EWgjBBrXOvPtNKEIgW2XKw= =sqaG -----END PGP SIGNATURE----- From campbell at cnpapers.com Fri Jul 27 21:29:58 2007 From: campbell at cnpapers.com (Steve Campbell) Date: Fri Jul 27 21:30:07 2007 Subject: OT - Quck DNS MX question. Message-ID: <46AA55C6.2020008@cnpapers.com> We host a few different outside domains for people as a courtesy. They are usually on older servers, don't require much maintenance, stuff like that. I did have one of them misconfigured, or at least it was that way maybe when I took it over, having an IP instead of a host name with a reverse pointer for the MX record. A local ISP ran a report on dnsstuff.com reporting all of this terrible stuff in big red boxes and sent it to the office of the company owning the domain. They said they couldn't connect to the domain to send mail. Now I have run into this before, usually because of the reverse record, but mail seems to have always gone through to the domain. What kind of SMTP doesn't send mail to such a receiving server? Is that part of how sendmail works also? I believe it was always Exchange that complained. I always thought it was up to the receiving server to decide on the mail transaction. It sort of POed me the way they threw the scare tactics at these guys at this little company. Thanks Steve Campbell From rickt at rickt.org Fri Jul 27 21:45:02 2007
From: rickt at rickt.org (Rick Tait) Date: Fri Jul 27 21:45:06 2007 Subject: OT - Quck DNS MX question. In-Reply-To: <46AA55C6.2020008@cnpapers.com> References: <46AA55C6.2020008@cnpapers.com> Message-ID: <798375e00707271345v400d7474v8ebe7833c30ab6a2@mail.gmail.com> Agreed. The scare tactics were unnecessary. But these sort of issues are kind of like religion (the vi vs. emacs one I mean). Some people are all like, "ooooh you must ALWAYS because if you don't the wrath of Postel's ghost shall strike thee down from above", whereas in reality things like this *are* (you're correct) usually handled by the receiving side. Some MTAs have their own quirks just by design, or through an admin's temperament/policy thrust down from above; some require PTRs, or are fascist about HELO vs. EHLO formatting or they block vs. warn on SPF records, just like some admins are fascist about how they get their knickers in a twist about a whole lotta nothing and then broadcast their diatribe to as many people as they can to try and make their bosses think they're doing a bang-up job. -RMT. On 7/27/07, Steve Campbell wrote: > I always thought it was up to the receiving server to decide on the mail > transaction. It sort of POed me the way they threw the scare tactics at > these guys at this little company. > > Thanks > > Steve Campbell > -- Vescere bracis meis. From dave.list at pixelhammer.com Fri Jul 27 21:52:43 2007
From: dave.list at pixelhammer.com (DAve) Date: Fri Jul 27 21:54:24 2007 Subject: OT - Quck DNS MX question. In-Reply-To: <46AA55C6.2020008@cnpapers.com> References: <46AA55C6.2020008@cnpapers.com> Message-ID: <46AA5B1B.2050509@pixelhammer.com> Steve Campbell wrote: > We host a few different outside domains for people as a courtesy. They > are usually on older servers, don't require much maintenance, stuff like > that. > > I did have one of them misconfigured, or at least it was that way maybe > when I took it over, having an IP instead of a host name with a reverse > pointer for the MX record. > > A local ISP ran a report on dnsstuff.com reporting all of this terrible > stuff in big red boxes and sent it to the office of the company owning > the domain. They said they couldn't connect to the domain to send mail. Ask for a copy of the email headers. If they cannot provide them, ala not reproducible, remind your client of the storm window salesmen who used to make sales calls in the evening and use a light meter to show how "your windows are leaking energy!". > > Now I have run into this before, usually because of the reverse record, > but mail seems to have always gone through to the domain. What kind of > SMTP doesn't send mail to such a receiving server? Is that part of how > sendmail works also? I believe it was always Exchange that complained. I've used Postfix, Sendmail, Qmail, and anyone remember EIMS? Never had a mail server refuse to send if a MX lookup succeeded, and port 25 answered. > > I always thought it was up to the receiving server to decide on the mail > transaction. It sort of POed me the way they threw the scare tactics at > these guys at this little company. Yea, we got a few of those, one who convinces our clients to drop us for email and then installs Exchange on the client's location. Funny thing, they use us to scrub their own incoming mail through our MS install.
DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From ssilva at sgvwater.com Fri Jul 27 22:02:34 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Fri Jul 27 22:02:52 2007 Subject: mailscanner.cf In-Reply-To: <46AA3A9F.2070805@ecs.soton.ac.uk> References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA1B78.4030702@fractalweb.com> <46AA3A9F.2070805@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 7/27/2007 11:34 AM: > > > Chris Yuzik wrote: >> Julian Field wrote: >>> Would anyone object to me renaming it to zzzMailScanner.cf ? >> Jules, > >> I'm fine with that. I suppose there'd have to be something in the docs >> about the name change and a note to remove the original MailScanner.cf >> file, especially for upgraders. > I'll try to make the RPM file remove the old link and replace it with > the new one. > > Jules > You might want to test if it is actually a link, and not a file, if that is possible with rpm. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From campbell at cnpapers.com Fri Jul 27 22:12:58 2007 
From: campbell at cnpapers.com (Steve Campbell) Date: Fri Jul 27 22:13:07 2007 Subject: OT - Quck DNS MX question. In-Reply-To: <798375e00707271345v400d7474v8ebe7833c30ab6a2@mail.gmail.com> References: <46AA55C6.2020008@cnpapers.com> <798375e00707271345v400d7474v8ebe7833c30ab6a2@mail.gmail.com> Message-ID: <46AA5FDA.30708@cnpapers.com> Nicely put. Steve Rick Tait wrote: > Agreed. The scare tactics were unnecessary. But these sort of issues > are kind of like religion (the vi vs. emacs one I mean). Some people > are all like, "ooooh you must ALWAYS because if you > don't the wrath of Postel's ghost shall strike thee down from above", > whereas in reality things like this *are* (you're correct) usually > handled by the receiving side. Some MTAs have their own quirks just > by design, or through an admin's temperament/policy thrust down from > above; some require PTRs, or are fascist about HELO vs. EHLO > formatting or they block vs. warn on SPF records, just like some > admins are fascist about how they get their knickers in a twist about > a whole lotta nothing and then broadcast their diatribe to as many > people as they can to try and make their bosses think they're doing a > bang-up job. > > > > -RMT. > > On 7/27/07, *Steve Campbell* > wrote: > > I always thought it was up to the receiving server to decide on > the mail > transaction. It sort of POed me the way they threw the scare > tactics at > these guys at this little company. > > Thanks > > Steve Campbell > > > > -- Vescere bracis meis. From MailScanner at ecs.soton.ac.uk Fri Jul 27 22:26:11 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 27 22:27:19 2007 Subject: mailscanner.cf In-Reply-To: References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA1B78.4030702@fractalweb.com> <46AA3A9F.2070805@ecs.soton.ac.uk> Message-ID: <46AA62F3.5050909@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Scott Silva wrote: > Julian Field spake the following on 7/27/2007 11:34 AM: > >> Chris Yuzik wrote: >> >>> Julian Field wrote: >>> >>>> Would anyone object to me renaming it to zzzMailScanner.cf ? >>>> >>> Jules, >>> >>> I'm fine with that. I suppose there'd have to be something in the docs >>> about the name change and a note to remove the original MailScanner.cf >>> file, especially for upgraders. >>> >> I'll try to make the RPM file remove the old link and replace it with >> the new one. >> >> Jules >> >> > You might want to test if it is actually a link, and not a file, if that is > possible with rpm. > Don't worry, I was going to do that anyway. But having read more comments from other people, it's not actually going to make much difference to most people what I call it, so I'm just going to leave it alone. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGqmL0EfZZRxQVtlQRAlctAKDytcfxZsWEj4u3E7OZy0FoLx/p5gCghQhq vR3k1fU2wtn/OTIM7snQjjk= =3aMP -----END PGP SIGNATURE----- From glenn.steen at gmail.com Fri Jul 27 22:27:27 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Jul 27 22:27:29 2007 Subject: mailscanner.cf In-Reply-To: References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA1B78.4030702@fractalweb.com> <46AA3A9F.2070805@ecs.soton.ac.uk> Message-ID: <223f97700707271427v10702b66xc9d9d5d0d790aae8@mail.gmail.com> On 27/07/07, Scott Silva wrote: > Julian Field spake the following on 7/27/2007 11:34 AM: > > > > > > Chris Yuzik wrote: > >> Julian Field wrote: > >>> Would anyone object to me renaming it to zzzMailScanner.cf ? > >> Jules, > > > >> I'm fine with that. I suppose there'd have to be something in the docs > >> about the name change and a note to remove the original MailScanner.cf > >> file, especially for upgraders. > > I'll try to make the RPM file remove the old link and replace it with > > the new one. > > > > Jules > > > You might want to test if it is actually a link, and not a file, if that is > possible with rpm. Or skip it altogether. The more I think on it, the better I like the zz_top.cf suggestion(s). The clueless masses don't care either way, it'll just work mostly anyway... And the cluefull ones demanding this change could well just adjust their strategy. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Jul 27 22:37:34 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Jul 27 22:37:35 2007 Subject: Grreting card scams In-Reply-To: <46AA4C18.9060501@ecs.soton.ac.uk> References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net> <46A9FDEF.4040309@evi-inc.com> <46AA001F.8090406@sendit.nodak.edu> <46AA0440.4090601@ecs.soton.ac.uk> <223f97700707270754h17c71aeew98ba7778f3712773@mail.gmail.com> <46AA0966.5090901@ecs.soton.ac.uk> <223f97700707270811i1a41c089neec9026c61e49465@mail.gmail.com> <46AA0D90.8020109@ecs.soton.ac.uk> <223f97700707271235r30340c18x5ca75d96367eaf17@mail.gmail.com> <46AA4C18.9060501@ecs.soton.ac.uk> Message-ID: <223f97700707271437p7fe180e0m2c63c84b6fbb14ef@mail.gmail.com> On 27/07/07, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Glenn Steen wrote: > > On 27/07/07, Julian Field wrote: > > > >> Glenn Steen wrote: > >> > >>> On 27/07/07, Julian Field wrote: > >>> > >>> > >>>> Glenn Steen wrote: > >>>> > >>>> > >>>>> On 27/07/07, Julian Field wrote: > >>>>> > > (snip) > > > >>>>>> I have now written support for passing entire messages to the ClamAV > >>>>>> scanners. There is a new setting called "Reliably Detect Spam With > >>>>>> ClamAV" which is "no" by default as it has a speed impact. It has no > >>>>>> effect when the ClamAV scanners are not being used. > >>>>>> > >>>>>> I'll release a new beta shortly. > >>>>>> > >>>>>> Jules > >>>>>> > >>>>>> > >>>>>> > >>>>> You know what Jules... You're an absolute wonder!:) > >>>>> Was that a book you had on your list, or is it gone already? > >>>>> > >>>>> > >>>>> > >>>> The book is still there... > >>>> > >>>> > >>>> > >>> I'll see what I can do about that ... later tonight... > >>> > >>> > >> Thank you! > >> > >> Jules > >> > >> > > Should be delivered to you on Tuesday or Wednesday... Yeah, I"cheaped > > out" on the delivery option:-) > > > > I hope that Field Guide comes in handy:) > > > You're a star, sir! 
> There are a few things the camera can do that I'm not quite sure about. > After all, what does ADI flash metering do for you on a good day? Isn't that for timing the flash in a "multi-photo-grab" thing? Can't say I'm much of a camera guru (either!) but that ... sounds familiar:-). > Thanks a lot, Hope it answers that question for you:-). > Jules > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ms-list at alexb.ch Fri Jul 27 22:38:16 2007 
From: ms-list at alexb.ch (Alex Broens) Date: Fri Jul 27 22:38:22 2007 Subject: mailscanner.cf In-Reply-To: <46AA62F3.5050909@ecs.soton.ac.uk> References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA1B78.4030702@fractalweb.com> <46AA3A9F.2070805@ecs.soton.ac.uk> <46AA62F3.5050909@ecs.soton.ac.uk> Message-ID: <46AA65C8.50504@alexb.ch> On 7/27/2007 11:26 PM, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Scott Silva wrote: >> Julian Field spake the following on 7/27/2007 11:34 AM: >> >>> Chris Yuzik wrote: >>> >>>> Julian Field wrote: >>>> >>>>> Would anyone object to me renaming it to zzzMailScanner.cf ? >>>>> >>>> Jules, >>>> >>>> I'm fine with that. I suppose there'd have to be something in the docs >>>> about the name change and a note to remove the original MailScanner.cf >>>> file, especially for upgraders. >>>> >>> I'll try to make the RPM file remove the old link and replace it with >>> the new one. >>> >>> Jules >>> >>> >> You might want to test if it is actually a link, and not a file, if that is >> possible with rpm. >> > Don't worry, I was going to do that anyway. > But having read more comments from other people, it's not actually going > to make much difference to most people what I call it, so I'm just going > to leave it alone. I applaud that decision and would even consider suggesting you use local.cf for new setups and do away with spam.assassin.prefs.conf altogether & write your defaults into local.cf (it's designed for stuff like this) If you need to add a parameter to local.cf, it's easily appendable, commented out and add a comment in changelog so ppl are not surprised by new config options which *could* cause side effects and instructing to enable if needed my 2 SA-Addict cents (just invented a new currency) Alex From glenn.steen at gmail.com Fri Jul 27 22:43:34 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Jul 27 22:43:36 2007 Subject: CRM114 In-Reply-To: <46AA51D4.5010207@ecs.soton.ac.uk> References: <28020962.4651185486168402.JavaMail.root@office.splatnix.net> <46AA478B.1030807@ecs.soton.ac.uk> <223f97700707271246k7fe8cd52w1f8c08dad8cc8c4@mail.gmail.com> <46AA51D4.5010207@ecs.soton.ac.uk> Message-ID: <223f97700707271443v4de0961dx240b88514c0b448@mail.gmail.com> On 27/07/07, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Glenn Steen wrote: > > On 27/07/07, Julian Field wrote: > > > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> > >> > >> Hugo van der Kooij wrote: > >> > >>> On Thu, 26 Jul 2007, UxBoD wrote: > >>> > >>> > >>>> Always up for a challenge :) Want to learn more about MailScanner > >>>> anyway. Thanks Jules. > >>>> > >>> If you are really trying to compete with Jules you should be done by > >>> monday. ;-) > >>> > >> Oh, you want it documented and stress-tested as well? After all, I've > >> got the whole weekend :-) > >> > > > > No Jules, you should practice the fine art of relaxing... Try doing > > nothing for a while, much harder than it sounds;-). > > > Do nothing? Isn't that, well, kinda boring? I'm not very good at that > (not that you would notice). Yep, boring as h*ll... That is why it is hard:-). > On a totally OT, I just got a mail from Logitech tech support telling me > they have finally managed to get my Harmony 785 Remote control working > with EyeTV so I can navigate the menus and program guide at a decent > speed. It was stuck working about 1.3 seconds per button press, and they > have fixed it so it works nice and quickly. It beat their first and > second line tech support people, it took the database guys 2 attempts to > fix it, but they managed it in the end. So I can finally pension off my > old Sony programmable remote. > > Jules > Is it as easy to program as advertised? I've got a really nice (old-style) Philips .... 
programmed to perfection, controlling everything... Until the kids spilled some form of fluid into it, and repeatedly dropped it on the floor... Still works some of the time, but ... I might be shopping for a new one:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From res at ausics.net Fri Jul 27 22:48:41 2007 From: res at ausics.net (Res) Date: Fri Jul 27 22:48:49 2007 Subject: BarricadeMX experiences In-Reply-To: <46A9F77C.9000107@pixelhammer.com> References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> <46A67DAF.60301@mail.wvnet.edu> <46A9F110.3030803@mail.wvnet.edu> <46A9F77C.9000107@pixelhammer.com> Message-ID: On Fri, 27 Jul 2007, DAve wrote: >> > The longer this thread continues the less chance anyone will bother to report > performance stats, techniques, or third party add ons to the list again. > > I doubt I would do so now. Add-ons and techniques belong on the wiki, I have for several years provided Qmail support for MailScanner, but you wouldn't know that because you don't see me spamming the list saying so, only on a couple of occasions where someone has asked I have referred them to the site, either via list or private email. I am however considering withdrawing that support, an alternative will however remain with the more restrictive proprietary openprotect method which I think they have recently updated, so I deem their good product active and therefore if I choose to move from MailScanner back to MIMEDefang its no loss to the Qmail community. I also won't announce its removal, it along with me will just silently piss off :) From MailScanner at ecs.soton.ac.uk Fri Jul 27 22:54:40 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Jul 27 22:55:02 2007 Subject: CRM114 In-Reply-To: <223f97700707271443v4de0961dx240b88514c0b448@mail.gmail.com> References: <28020962.4651185486168402.JavaMail.root@office.splatnix.net> <46AA478B.1030807@ecs.soton.ac.uk> <223f97700707271246k7fe8cd52w1f8c08dad8cc8c4@mail.gmail.com> <46AA51D4.5010207@ecs.soton.ac.uk> <223f97700707271443v4de0961dx240b88514c0b448@mail.gmail.com> Message-ID: <46AA69A0.7090208@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Glenn Steen wrote: > On 27/07/07, Julian Field wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> Glenn Steen wrote: >> >>> On 27/07/07, Julian Field wrote: >>> >>> >>>> -----BEGIN PGP SIGNED MESSAGE----- >>>> Hash: SHA1 >>>> >>>> >>>> >>>> Hugo van der Kooij wrote: >>>> >>>> >>>>> On Thu, 26 Jul 2007, UxBoD wrote: >>>>> >>>>> >>>>> >>>>>> Always up for a challenge :) Want to learn more about MailScanner >>>>>> anyway. Thanks Jules. >>>>>> >>>>>> >>>>> If you are really trying to compete with Jules you should be done by >>>>> monday. ;-) >>>>> >>>>> >>>> Oh, you want it documented and stress-tested as well? After all, I've >>>> got the whole weekend :-) >>>> >>>> >>> No Jules, you should practice the fine art of relaxing... Try doing >>> nothing for a while, much harder than it sounds;-). >>> >>> >> Do nothing? Isn't that, well, kinda boring? I'm not very good at that >> (not that you would notice). >> > Yep, boring as h*ll... That is why it is hard:-). > > >> On a totally OT, I just got a mail from Logitech tech support telling me >> they have finally managed to get my Harmony 785 Remote control working >> with EyeTV so I can navigate the menus and program guide at a decent >> speed. It was stuck working about 1.3 seconds per button press, and they >> have fixed it so it works nice and quickly. 
It beat their first and >> second line tech support people, it took the database guys 2 attempts to >> fix it, but they managed it in the end. So I can finally pension off my >> old Sony programmable remote. >> >> Jules >> >> > Is it as easy to program as advertised? I've got a really nice > (old-style) Philips .... programmed to perfection, controlling > everything... Until the kids spilled some form of fluid into it, and > repeatedly dropped it on the floor... Still works some of the time, > but ... I might be shopping for a new one:-). > It will take you an hour or two to program it. And make sure you start off with the latest software available from their website, I would ignore the CD that comes with it. If you need a replacement anyway, then they're good. I haven't really had mine working long enough to tell you if I really like it or not. The first one I got died within 36 hours of unpacking it, I didn't even get the setup finished completely before it died. Then I had to jump through the tech support hoops to get them to send me another one. Then I couldn't get my EyeTV software working with it properly, and had to get their back-room database guys to produce a fix for that. It's only been working properly for about 3 hours now. Not really long enough to say much. Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGqmmhEfZZRxQVtlQRApUUAKC/CsUK364DplGlyPZXtF487SPtrgCff0wr 0eAPlFj++V6YDVeg82MgfnM= =2SPj -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
For all your IT requirements visit www.transtec.co.uk From glenn.steen at gmail.com Fri Jul 27 23:09:30 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Jul 27 23:09:32 2007 Subject: BarricadeMX experiences In-Reply-To: References: <46A553ED.3020505@mail.wvnet.edu> <46A67DAF.60301@mail.wvnet.edu> <46A9F110.3030803@mail.wvnet.edu> <46A9F77C.9000107@pixelhammer.com> Message-ID: <223f97700707271509r3f9b2b89n77ed842fb7138060@mail.gmail.com> On 27/07/07, Res wrote: > On Fri, 27 Jul 2007, DAve wrote: > > >> > > The longer this thread continues the less chance anyone will bother to report > > performance stats, techniques, or third party add ons to the list again. > > > > I doubt I would do so now. > > Add-ons and techniques belong on the wiki, I have for several years > provided Qmail support for MailScanner, but you wouldn't know that > because you don't see me spamming the list saying so, only on a couple of > occasions where someone has asked I have referred them to the site, either > via list or private email. > > I am however considering withdrawing that support, an alternative will > however remain with the more restrictive proprietary openprotect method > which I think they have recently updated, so I deem their good product > active and therefore if I choose to move from MailScanner back to MIMEDefang > it's no loss to the Qmail community. I also won't announce its removal, It > along with me will just silently piss off :) So we'd lose the Evil Bunny to MIMEDefang....? C'mon Noel, why would you do that? All I've read from you is that you are actually (deep down, in a hidden corner somewhere...) really satisfied with MS... Right? -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From itdept at fractalweb.com Fri Jul 27 23:26:07 2007 
From: itdept at fractalweb.com (Chris Yuzik) Date: Fri Jul 27 23:26:35 2007 Subject: CRM114 In-Reply-To: <223f97700707271443v4de0961dx240b88514c0b448@mail.gmail.com> References: <28020962.4651185486168402.JavaMail.root@office.splatnix.net> <46AA478B.1030807@ecs.soton.ac.uk> <223f97700707271246k7fe8cd52w1f8c08dad8cc8c4@mail.gmail.com> <46AA51D4.5010207@ecs.soton.ac.uk> <223f97700707271443v4de0961dx240b88514c0b448@mail.gmail.com> Message-ID: <46AA70FF.3060000@fractalweb.com> Glenn Steen wrote: > Is it as easy to program as advertised? I've got a really nice > (old-style) Philips .... programmed to perfection, controlling > everything... Until the kids spilled some form of fluid into it, and > repeatedly dropped it on the floor... Still works some of the time, > but ... I might be shopping for a new one:-). Glenn, In my experience, NOTHING beats the Logitech Harmony remotes for value and ease-of-use. I've insisted that my inlaws get on because they wouldn't likely even be able to use their home theater I put together without one. We have a very complicated setup, and even our babysitters can handle the system with the Logitech. Costco carries them, btw. Go get one! Chris From mogens at fumlersoft.dk Fri Jul 27 23:40:11 2007 
From: mogens at fumlersoft.dk (Mogens Melander) Date: Fri Jul 27 23:38:31 2007 Subject: BarricadeMX experiences In-Reply-To: References: <46A553ED.3020505@mail.wvnet.edu> <46A5F3D0.5070500@mail.wvnet.edu> <23ee01c7ce3c$89dcff70$9d96fe50$@swaney@fsl.com> <46A67DAF.60301@mail.wvnet.edu> <46A9F110.3030803@mail.wvnet.edu> Message-ID: <3435.90.184.16.67.1185576011.squirrel@mail.fumlersoft.dk> On Fri, July 27, 2007 15:25, Res wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > NotDashEscaped: You need GnuPG to verify this message > > On Fri, 27 Jul 2007, Richard Lynch wrote: > >> And lastly, I wasn't spamming the list at all. The product was first > > well, ain't that typical, spammers never think what they do is spamming, by > its very definition you did exactly that, intentionally or otherwise, it > doesn't matter, the end result is the same. Actually, I don't see it as spam, it seems to morph into something with similarities towards worm infection ;^) -- Later Mogens Melander +45 40 85 71 38 +66 870 133 224 From mogens at fumlersoft.dk Fri Jul 27 23:52:01 2007 
From: mogens at fumlersoft.dk (Mogens Melander) Date: Fri Jul 27 23:50:21 2007 Subject: BarricadeMX experiences In-Reply-To: <46A9FF59.1030807@pixelhammer.com> References: <16765962.5041185545173697.JavaMail.root@office.splatnix.net> <46A9FF59.1030807@pixelhammer.com> Message-ID: <3452.90.184.16.67.1185576721.squirrel@mail.fumlersoft.dk> On Fri, July 27, 2007 16:21, DAve wrote: > UxBoD wrote: >> Jules, >> >> why not create a mailscanner-ot list ;) > > Someone would complain if you posted MS info there, because it would be > on topic. No wait, if it is MS info then it is off topic, for the MS off > topic list. But that IS off topic, and off topic is on topic for the off > topic list, right? > > Hold on here, the MS off topic list would have posts that are off topic > on the MS list be on topic for the off topic list, and posts on topic > for the off topic list would be off topic for the on topic list. > > So which list would this post go on? Yea, it's been one of those weeks. Yo, Dave, where can I get some of whatever you've been drinking 8^) From glenn.steen at gmail.com Fri Jul 27 23:52:23 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Jul 27 23:52:25 2007 Subject: CRM114 In-Reply-To: <46AA70FF.3060000@fractalweb.com> References: <28020962.4651185486168402.JavaMail.root@office.splatnix.net> <46AA478B.1030807@ecs.soton.ac.uk> <223f97700707271246k7fe8cd52w1f8c08dad8cc8c4@mail.gmail.com> <46AA51D4.5010207@ecs.soton.ac.uk> <223f97700707271443v4de0961dx240b88514c0b448@mail.gmail.com> <46AA70FF.3060000@fractalweb.com> Message-ID: <223f97700707271552n540115bbv6bcf29bd25d18b08@mail.gmail.com> On 28/07/07, Chris Yuzik wrote: > Glenn Steen wrote: > > Is it as easy to program as advertised? I've got a really nice > > (old-style) Philips .... programmed to perfection, controlling > > everything... Until the kids spilled some form of fluid into it, and > > repeatedly dropped it on the floor... Still works some of the time, > > but ... I might be shopping for a new one:-). > > Glenn, > > In my experience, NOTHING beats the Logitech Harmony remotes for value > and ease-of-use. I've insisted that my inlaws get on because they > wouldn't likely even be able to use their home theater I put together > without one. We have a very complicated setup, and even our babysitters > can handle the system with the Logitech. > > Costco carries them, btw. Go get one! > > Chris One semi-disgruntled customer (Jules) and one very happy.... I might just do that Chris;) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Fri Jul 27 23:57:40 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Jul 27 23:58:06 2007 Subject: Grreting card scams In-Reply-To: <223f97700707271437p7fe180e0m2c63c84b6fbb14ef@mail.gmail.com> References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net> <46A9FDEF.4040309@evi-inc.com> <46AA001F.8090406@sendit.nodak.edu> <46AA0440.4090601@ecs.soton.ac.uk> <223f97700707270754h17c71aeew98ba7778f3712773@mail.gmail.com> <46AA0966.5090901@ecs.soton.ac.uk> <223f97700707270811i1a41c089neec9026c61e49465@mail.gmail.com> <46AA0D90.8020109@ecs.soton.ac.uk> <223f97700707271235r30340c18x5ca75d96367eaf17@mail.gmail.com> <46AA4C18.9060501@ecs.soton.ac.uk> <223f97700707271437p7fe180e0m2c63c84b6fbb14ef@mail.gmail.com> Message-ID: Glenn Steen spake the following on 7/27/2007 2:37 PM: > On 27/07/07, Julian Field wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> Glenn Steen wrote: >>> On 27/07/07, Julian Field wrote: >>> >>>> Glenn Steen wrote: >>>> >>>>> On 27/07/07, Julian Field wrote: >>>>> >>>>> >>>>>> Glenn Steen wrote: >>>>>> >>>>>> >>>>>>> On 27/07/07, Julian Field wrote: >>>>>>> >>> (snip) >>> >>>>>>>> I have now written support for passing entire messages to the ClamAV >>>>>>>> scanners. There is a new setting called "Reliably Detect Spam With >>>>>>>> ClamAV" which is "no" by default as it has a speed impact. It has no >>>>>>>> effect when the ClamAV scanners are not being used. >>>>>>>> >>>>>>>> I'll release a new beta shortly. >>>>>>>> >>>>>>>> Jules >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> You know what Jules... You're an absolute wonder!:) >>>>>>> Was that a book you had on your list, or is it gone already? >>>>>>> >>>>>>> >>>>>>> >>>>>> The book is still there... >>>>>> >>>>>> >>>>>> >>>>> I'll see what I can do about that ... later tonight... >>>>> >>>>> >>>> Thank you! >>>> >>>> Jules >>>> >>>> >>> Should be delivered to you on Tuesday or Wednesday... 
Yeah, I"cheaped >>> out" on the delivery option:-) >>> >>> I hope that Field Guide comes in handy:) >>> >> You're a star, sir! >> There are a few things the camera can do that I'm not quite sure about. >> After all, what does ADI flash metering do for you on a good day? > > Isn't that for timing the flash in a "multi-photo-grab" thing? Can't > say I'm much of a camera guru (either!) but that ... sounds > familiar:-). > >> Thanks a lot, > Hope it answers that question for you:-). > >> Jules >> > Cheers ADI flash metering is supposed to meter the exposure even with real poor backgrounds like shiny white or dull flat dark. It seems to meter in zones and do some math for the exposure. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Sat Jul 28 00:04:12 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Sat Jul 28 00:04:30 2007 Subject: mailscanner.cf In-Reply-To: <46AA62F3.5050909@ecs.soton.ac.uk> References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA1B78.4030702@fractalweb.com> <46AA3A9F.2070805@ecs.soton.ac.uk> <46AA62F3.5050909@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 7/27/2007 2:26 PM: > > > Scott Silva wrote: >> Julian Field spake the following on 7/27/2007 11:34 AM: > >>> Chris Yuzik wrote: >>> >>>> Julian Field wrote: >>>> >>>>> Would anyone object to me renaming it to zzzMailScanner.cf ? >>>>> >>>> Jules, >>>> >>>> I'm fine with that. I suppose there'd have to be something in the docs >>>> about the name change and a note to remove the original MailScanner.cf >>>> file, especially for upgraders. >>>> >>> I'll try to make the RPM file remove the old link and replace it with >>> the new one. >>> >>> Jules >>> >>> >> You might want to test if it is actually a link, and not a file, if that is >> possible with rpm. > > Don't worry, I was going to do that anyway. > But having read more comments from other people, it's not actually going > to make much difference to most people what I call it, so I'm just going > to leave it alone. > > Jules > It is a very advanced use of MailScanner. I guess if someone is that advanced, they can fix it any way they want. Leaving it alone still achieves your original goal -- to have MailScanner be fully functioning for a beginner right out of "the box". -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From glenn.steen at gmail.com Sat Jul 28 00:19:52 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Jul 28 00:19:54 2007 Subject: Grreting card scams In-Reply-To: References: <26023224.4501185484310230.JavaMail.root@office.splatnix.net> <46AA0440.4090601@ecs.soton.ac.uk> <223f97700707270754h17c71aeew98ba7778f3712773@mail.gmail.com> <46AA0966.5090901@ecs.soton.ac.uk> <223f97700707270811i1a41c089neec9026c61e49465@mail.gmail.com> <46AA0D90.8020109@ecs.soton.ac.uk> <223f97700707271235r30340c18x5ca75d96367eaf17@mail.gmail.com> <46AA4C18.9060501@ecs.soton.ac.uk> <223f97700707271437p7fe180e0m2c63c84b6fbb14ef@mail.gmail.com> Message-ID: <223f97700707271619t6a37c8ceoe17c512097d6aee2@mail.gmail.com> On 28/07/07, Scott Silva wrote: > Glenn Steen spake the following on 7/27/2007 2:37 PM: > > On 27/07/07, Julian Field wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- > >> Hash: SHA1 > >> > >> > >> > >> Glenn Steen wrote: > >>> On 27/07/07, Julian Field wrote: > >>> > >>>> Glenn Steen wrote: > >>>> > >>>>> On 27/07/07, Julian Field wrote: > >>>>> > >>>>> > >>>>>> Glenn Steen wrote: > >>>>>> > >>>>>> > >>>>>>> On 27/07/07, Julian Field wrote: > >>>>>>> > >>> (snip) > >>> > >>>>>>>> I have now written support for passing entire messages to the ClamAV > >>>>>>>> scanners. There is a new setting called "Reliably Detect Spam With > >>>>>>>> ClamAV" which is "no" by default as it has a speed impact. It has no > >>>>>>>> effect when the ClamAV scanners are not being used. > >>>>>>>> > >>>>>>>> I'll release a new beta shortly. > >>>>>>>> > >>>>>>>> Jules > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>> You know what Jules... You're an absolute wonder!:) > >>>>>>> Was that a book you had on your list, or is it gone already? > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>> The book is still there... > >>>>>> > >>>>>> > >>>>>> > >>>>> I'll see what I can do about that ... later tonight... > >>>>> > >>>>> > >>>> Thank you! > >>>> > >>>> Jules > >>>> > >>>> > >>> Should be delivered to you on Tuesday or Wednesday... 
Yeah, I"cheaped > >>> out" on the delivery option:-) > >>> > >>> I hope that Field Guide comes in handy:) > >>> > >> You're a star, sir! > >> There are a few things the camera can do that I'm not quite sure about. > >> After all, what does ADI flash metering do for you on a good day? > > > > Isn't that for timing the flash in a "multi-photo-grab" thing? Can't > > say I'm much of a camera guru (either!) but that ... sounds > > familiar:-). > > > >> Thanks a lot, > > Hope it answers that question for you:-). > > > >> Jules > >> > > Cheers > ADI flash metering is supposed to meter the exposure even with real poor > backgrounds like shiny white or dull flat dark. It seems to meter in zones and > do some math for the exposure. > ... not only good with a pipe wrench.... Cheers mate-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From campbell at cnpapers.com Sat Jul 28 02:17:34 2007 
From: campbell at cnpapers.com (Steve Campbell) Date: Sat Jul 28 02:17:50 2007 Subject: OT - Quck DNS MX question. In-Reply-To: <46AA5B1B.2050509@pixelhammer.com> References: <46AA55C6.2020008@cnpapers.com> <46AA5B1B.2050509@pixelhammer.com> Message-ID: <1185585454.46aa992ee72e4@perdition.cnpapers.net> Quoting DAve : > Steve Campbell wrote: > > We host a few different outside domains for people as a courtesy. They > > are usually on older servers, don't require much maintenance, stuff like > > that. > > > > I did have one of them misconfigured, or at least it was that way maybe > > when I took it over, having an IP instead of a host name with a reverse > > pointer for the MX record. > > > > A local ISP ran a report on dnsstuff.com reporting all of this terrible > > stuff in big red boxes and sent it to the office of the company owning > > the domain. They said they couldn't connect to the domain to send mail. > > Ask for a copy of the email headers. If they cannot provide them, ala > not reproducible, remind your client of the storm window salesmen who > used to make sales calls in the evening and use a light meter to show > how "your windows are leaking energy!". > > > > > Now I have ran into this before, ususally because of the reverse record, > > but mail seems to have always went through to the domain. What kind of > > SMTP doesn't send mail to such a receiving server? Is that part of how > > sendmail works also? I believe it was always Exchange that complained. > > I've used Postfix, Sendmail, Qmail, and anyone remember EIMS? Never had > a mail server refuse to send if a MX lookup succeeded, and port 25 answered. > > > > > I always thought it was up to the receiving server to decide on the mail > > transaction. It sort of POed me the way they threw the scare tactics at > > these guys at this little company. > > Yea, we got a few of those, one who convinces our client's to drop us > for email and then installs Exchange on the client's location. 
Funny > thing, they use us scrub their own incoming mail through our MS install. The thing is - I really wouldn't mind them leaving. I bend over backwards for them teaching them how to use their Outlook, and the like. We have another client who has done that very same thing with Exchange and their system. They got some hotshot rookie Exchange admin to install Exchange on their system, taking out what they used to have. There was a definite need for something on site, but I'm not sure Exchange was the best solution. Anyway, he wanted us to continue being their MX and even hubbing their mailboxes. He then set up something like fetchmail to retrieve the mail and put it in their local mailboxes. That way, they got the benefit of our MS/Clam/SA etc. It's all fine except when his fetchmail-whatever script doesn't work, or they get a new employee. They keep calling me about the problems and I have to keep telling them over and over that I don't do that part anymore. Oh well. Thanks for the reply. Steve > > DAve > > -- ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/ From rickt at rickt.org Sat Jul 28 03:07:13 2007 
From: rickt at rickt.org (Rick Tait) Date: Sat Jul 28 03:07:17 2007 Subject: OT - Quck DNS MX question. In-Reply-To: <1185585454.46aa992ee72e4@perdition.cnpapers.net> References: <46AA55C6.2020008@cnpapers.com> <46AA5B1B.2050509@pixelhammer.com> <1185585454.46aa992ee72e4@perdition.cnpapers.net> Message-ID: <798375e00707271907k2d94ffdbxf04da71f89190604@mail.gmail.com> On 7/27/07, Steve Campbell wrote: > > > They got some hotshot rookie Exchange admin to install Exchange on their > system, > taking out what they used to have. There was a definite need for something > on > site, but I'm not sure Exchange was the best solution. Anyway, he wanted > us to > continue being their MX and even hubbing their mailboxes. He then set up > something like fetchmail to retrieve the mail and put it in their local > mailboxes. That way, they got the benefit of our MS/Clam/SA etc. It's all > fine > except when his fetchmail-whatever script doesn't work, or they get a new > employee. They keep calling me about the problems and I have to keep > telling > them over and over that I don't do that part anymore. Wow!!! They're getting a sweet deal... What's with the store, store, store, store-n-forward though? What's wrong with the usual behaviour of you being /bastion/ MX and then immediately relay via postfix transport map (etc, sorry dont know what you run) right away? Then you don't have to worry about storing all their stuff (sucks that you have to do that, as an admin its just one more thing you could care less about but have to keep an eye on). And of course they still get the bennies of the MS/Clam/SA. Plus it ain't your problem Jack if they get mailbombed or DoS'd and its their filesystems not yours that fill up. Why should you be paying for their disk? I was doing something similar (free) for a friend/ex-colleague for a long time and I just eventually got pissed off enough about it to do something. 
He was a bit of a crazy type A guy so rather than just tell him to sling his hook I basically made some crap up (which may or may not be true but I guess probably is) about my not wanting to be potentially liable under various tech laws for having stored his company emails on my own servers, and would rather it be a quick anti-spam/anti-virus scan and then I whizz it off immediately to his end delivery MTA (Exchange 2000). I mentioned my server being public and his being private and I think his own paranoia just kicked in and he quickly arranged his own end such that I was simply his first-hit relay and his stuff was no longer being stored on my "public" servers. -RMT. -- Vescere bracis meis. From glenn.steen at gmail.com Sat Jul 28 10:21:55 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Jul 28 10:21:57 2007 Subject: OT - Quck DNS MX question. In-Reply-To: <798375e00707271907k2d94ffdbxf04da71f89190604@mail.gmail.com> References: <46AA55C6.2020008@cnpapers.com> <46AA5B1B.2050509@pixelhammer.com> <1185585454.46aa992ee72e4@perdition.cnpapers.net> <798375e00707271907k2d94ffdbxf04da71f89190604@mail.gmail.com> Message-ID: <223f97700707280221l41413e70i1dc317635ea619a4@mail.gmail.com> On 28/07/07, Rick Tait wrote: > On 7/27/07, Steve Campbell wrote: > > > > They got some hotshot rookie Exchange admin to install Exchange on their > system, > > taking out what they used to have. There was a definite need for something > on > > site, but I'm not sure Exchange was the best solution. Anyway, he wanted > us to > > continue being their MX and even hubbing their mailboxes. He then set up > > something like fetchmail to retrieve the mail and put it in their local > > mailboxes. That way, they got the benefit of our MS/Clam/SA etc. It's all > fine > > except when his fetchmail-whatever script doesn't work, or they get a new > > employee. They keep calling me about the problems and I have to keep > telling > > them over and over that I don't do that part anymore. > > Wow!!! They're getting a sweet deal... What's with the store, store, store, > store-n-forward though? What's wrong with the usual behaviour of you being > /bastion/ MX and then immediately relay via postfix transport map (etc, > sorry dont know what you run) right away? Then you don't have to worry about > storing all their stuff (sucks that you have to do that, as an admin its > just one more thing you could care less about but have to keep an eye on). > And of course they still get the bennies of the MS/Clam/SA. Plus it ain't > your problem Jack if they get mailbombed or DoS'd and its their filesystems > not yours that fill up. Why should you be paying for their disk? Steve runs a Rendmaul shop. Basically agree though.... 
Unless there is significant money involved, why do that...:-) > I was doing something similar (free) for a friend/ex-colleague for a long > time and I just eventually got pissed off enough about it to do something. > He was a bit of a crazy type A guy so rather than just tell him to sling his > hook I basically made some crap up (which may or may not be true but I guess > probably is) about my not wanting to be potentially liable under various > tech laws for having stored his company emails on my own servers, and would > rather it be a quick anti-spam/anti-virus scan and then I whizz it off > immediately to his end delivery MTA (Exchange 2000). I mentioned my server > being public and his being private and I think his own paranoia just kicked > in and he quickly arranged his own end such that I was simply his first-hit > relay and his stuff was no longer being stored on my "public" servers. > :-) You'd better hope he doesn't read this public forum then.... those type As can be vicious;-) > > -RMT. > > > -- Vescere bracis meis. Not that hungry, so I'll pass.... Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From jayesha_shinde at yahoo.com Sat Jul 28 10:28:13 2007 
From: jayesha_shinde at yahoo.com (jayesh shinde) Date: Sat Jul 28 10:28:16 2007 Subject: Inbound mails increase, MS get slow Message-ID: <802541.38957.qm@web54407.mail.yahoo.com> Dear All, I have the following 2 queries: 1) I have an email server with "Fc2 + sendmail (sendmail-8.12.11-4.6) + MailScanner + mailwatch + f-prot + spamassassin-3.1.7-1 + DCC + razor + pyzor + SpamAssassin rulesets" which is acting as the MX server, and it delivers non-spam emails to the other server where the POP email IDs are present. I am getting around 45,000+ mails daily on this MX server (most of them are spam). For the last 1-2 weeks I have been getting lots of spam emails on the MX server. Sometimes my inbound queue gets very high, i.e. up to 12,000. Because of this all the emails are processed very slowly. I observed that the emails which are in the inbound queue do not get scanned immediately, but the mails which come in after these inbound emails do get scanned immediately. I found one option in the MailScanner.conf file, i.e. Max Normal Queue Size = 800. I changed this value to Max Normal Queue Size = 22000 and restarted MailScanner. But my problem was not solved by this. Can anybody please guide me on what the correct settings should be in the MailScanner.conf file for this busy server, so that even if inbound emails increase, MS processing does not get slow? 2) The MS mailing list "search tab" is not working; has the MS mailing list search site changed? I am looking for this at http://dir.gmane.org/gmane.mail.virus.mailscanner Please guide me on the above. Thanks & Regards Jayesh Shinde From mailadmin at baladia.gov.kw Sat Jul 28 10:34:16 2007 
From: mailadmin at baladia.gov.kw (simon) Date: Sat Jul 28 11:10:29 2007 Subject: query if mailscanner using clamscan In-Reply-To: <223f97700707270047q350fac70n95878b33cab3563d@mail.gmail.com> References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> <46A8BC68.1020901@ecs.soton.ac.uk> <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw> <46A91552.5060809@ecs.soton.ac.uk> <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw> <223f97700707270047q350fac70n95878b33cab3563d@mail.gmail.com> Message-ID: <40337.62.150.152.60.1185615256.squirrel@webmail.baladia.gov.kw> Dear ALL Really appreciate you guys for all the earlier advise n help been so prompt by the way i still hav doubt about my query regarding mailscanner using clamscan probably was not able to explain myself properly n clearly. sorry for tht let me be more precise. as per jules SA+CLAM AV script which says if MAilScanner support for clamd (virus scanning daemon ) is required then i do hav to download following rpm from dag wiers.. i have followed all the steps required as per the script and also as per the replies recived from my earlier postings just wanaa know if my settings below confirm that MailScanner is using clamav and also support for clamd now her below r my settings mailscanner.lint Read 797 hostnames from the phishing whitelist Checking version numbers... Version number in MailScanner.conf (4.61.7) is correct. Checking for SpamAssassin errors (if you use it)... SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. 
Using locktype = posix Creating hardcoded struct_flock subroutine for linux (Linux-type) MailScanner.conf says "Virus Scanners = clamav clamd clamavmodule" Found these virus scanners installed: clamavmodule, clamd -------------------------------------------------------------------- in MailScanner.conf Virus Scanners = clamav clamd clamavmodule ------------------------------------------------- virusscanners.conf file clamav /usr/lib/MailScanner/clamav-wrapper /usr/local clamd /usr/lib/MailScanner/clamd-wrapper /usr/local clamavmodule /bin/false /tmp ------------------------------------------------------------------ are the above settings Ok or do I need to do any changes really do appreciate your help regards simon From uxbod at splatnix.net Sat Jul 28 12:12:05 2007 From: uxbod at splatnix.net (UxBoD) Date: Sat Jul 28 12:08:44 2007 Subject: Inbound mails increase, MS get slow In-Reply-To: <802541.38957.qm@web54407.mail.yahoo.com> Message-ID: <32540375.5191185621125078.JavaMail.root@office.splatnix.net> How many CPUs are in the server? How much memory does it have? What rulesets are you using with SA? What RBLs are you using with MS? All these elements could slow down mail delivery dependent on how your server is set up. Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- 
From: "jayesh shinde" To: mailscanner@lists.mailscanner.info Sent: 28 July 2007 10:28:13 o'clock (GMT) Europe/London Subject: Inbound mails increase, MS get slow -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From MailScanner at ecs.soton.ac.uk Sat Jul 28 12:12:47 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Jul 28 12:13:11 2007 Subject: query if mailscanner using clamscan In-Reply-To: <40337.62.150.152.60.1185615256.squirrel@webmail.baladia.gov.kw> References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> <46A8BC68.1020901@ecs.soton.ac.uk> <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw> <46A91552.5060809@ecs.soton.ac.uk> <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw> <223f97700707270047q350fac70n95878b33cab3563d@mail.gmail.com> <40337.62.150.152.60.1185615256.squirrel@webmail.baladia.gov.kw> Message-ID: <46AB24AF.7060804@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 simon wrote: > Dear ALL > > Really appreciate you guys for all the earlier advise n help > been so prompt > > by the way i still hav doubt about my query regarding mailscanner using > clamscan > > probably was not able to explain myself properly n clearly. sorry for tht > > let me be more precise. > > as per jules SA+CLAM AV script which says if MAilScanner support for clamd > (virus scanning daemon ) is required then i do hav to download following > rpm from dag wiers.. > > i have followed all the steps required as per the script and also as per > the replies recived from my earlier postings > just wanaa know if my settings below confirm that MailScanner is using > clamav and also support for clamd > > now her below r my settings > > > mailscanner.lint > > Read 797 hostnames from the phishing whitelist > Checking version numbers... > Version number in MailScanner.conf (4.61.7) is correct. > > Checking for SpamAssassin errors (if you use it)... 
> SpamAssassin temporary working directory is > /var/spool/MailScanner/incoming/SpamAssassin-Temp > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp > Using SpamAssassin results cache > Connected to SpamAssassin cache database > SpamAssassin reported no errors. > Using locktype = posix > Creating hardcoded struct_flock subroutine for linux (Linux-type) > MailScanner.conf says "Virus Scanners = clamav clamd clamavmodule" > That means you are scanning each message 3 times with the same scanner! That's silly. Just set it to Virus Scanners = clamd. The MailScanner --lint output confirms that your clamd settings are probably right, as it can talk to the daemon. So just set Virus Scanners = clamd and you'll be okay. > Found these virus scanners installed: clamavmodule, clamd > -------------------------------------------------------------------- > > in MailScanner.conf > > Virus Scanners = clamav clamd clamavmodule > ------------------------------------------------- > virusscanners.conf file > > clamav /usr/lib/MailScanner/clamav-wrapper /usr/local > clamd /usr/lib/MailScanner/clamd-wrapper /usr/local > clamavmodule /bin/false /tmp > ------------------------------------------------------------------ > are the above settings Ok or do I need to do any changes > > really do appreciate your help > > > regards > > simon > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGqySxEfZZRxQVtlQRAv+VAJ4hAYi0raFL1eu/rHls/pnz5wGfIACgvOgh WYygLVze6g4O0ri32M2BAOI= =Y5Un -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From maillists at conactive.com Sat Jul 28 12:31:28 2007 From: maillists at conactive.com (Kai Schaetzl) Date: Sat Jul 28 12:31:32 2007 Subject: query if mailscanner using clamscan In-Reply-To: <40337.62.150.152.60.1185615256.squirrel@webmail.baladia.gov.kw> References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> <46A8BC68.1020901@ecs.soton.ac.uk> <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw> <46A91552.5060809@ecs.soton.ac.uk> <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw> <40337.62.150.152.60.1185615256.squirrel@webmail.baladia.gov.kw> Message-ID: Reply-To: mailscanner@lists.mailscanner.info X-Rcpt-To: Simon wrote on Sat, 28 Jul 2007 13:34:16 +0400 (ADT): > MailScanner.conf says "Virus Scanners = clamav clamd clamavmodule" why? Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Sat Jul 28 12:31:28 2007
From: maillists at conactive.com (Kai Schaetzl) Date: Sat Jul 28 12:31:35 2007 Subject: Inbound mails increase, MS get slow In-Reply-To: <802541.38957.qm@web54407.mail.yahoo.com> References: <802541.38957.qm@web54407.mail.yahoo.com> Message-ID: Jayesh shinde wrote on Sat, 28 Jul 2007 02:28:13 -0700 (PDT): > Can anybody plz guide what should be the correct setting should i do in MailScanner.conf file for this busy server, so that even if inbound emails get increase MS process should not get slow. You want to reduce what actually gets scanned by MailScanner. Most of us reject about 80-90% of the spam because of technical criteria right at the MTA, with RBLs and with several milters and with some sendmail options. You also want to make sure that you don't accept mail for non-existing mailboxes. All of this gets discussed on this list regularly, just search back. You can also use BarricadeMX for this, there have just been discussions about it here. As for your question about gmane.org, you should direct it to the people that drive gmane.org. gmane.org just aggregates this list, this list is not affiliated with them. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From hvdkooij at vanderkooij.org Sat Jul 28 12:34:01 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Jul 28 12:34:13 2007 Subject: query if mailscanner using clamscan In-Reply-To: <46AB24AF.7060804@ecs.soton.ac.uk> References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> <46A8BC68.1020901@ecs.soton.ac.uk> <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw> <46A91552.5060809@ecs.soton.ac.uk> <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw> <223f97700707270047q350fac70n95878b33cab3563d@mail.gmail.com> <40337.62.150.152.60.1185615256.squirrel@webmail.baladia.gov.kw> <46AB24AF.7060804@ecs.soton.ac.uk> Message-ID: On Sat, 28 Jul 2007, Julian Field wrote: >> Checking for SpamAssassin errors (if you use it)... >> SpamAssassin temporary working directory is >> /var/spool/MailScanner/incoming/SpamAssassin-Temp >> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp >> Using SpamAssassin results cache >> Connected to SpamAssassin cache database >> SpamAssassin reported no errors. >> Using locktype = posix >> Creating hardcoded struct_flock subroutine for linux (Linux-type) >> MailScanner.conf says "Virus Scanners = clamav clamd clamavmodule" >> > That means you are scanning each message 3 times with the same scanner! > That's silly. Just set it to Virus Scanners = clamd. The MailScanner > - --lint output confirms that your clamd settings are probably right, as > it can talk to the daemon. So just set Virus Scanners = clamd and you'll > be okay. How about adding some logic inside MailScanner to see which of these CLAMAV options are available and then choose to use only one? Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. 
Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From MailScanner at ecs.soton.ac.uk Sat Jul 28 13:14:07 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Jul 28 13:15:28 2007 Subject: query if mailscanner using clamscan In-Reply-To: References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> <46A8BC68.1020901@ecs.soton.ac.uk> <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw> <46A91552.5060809@ecs.soton.ac.uk> <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw> <223f97700707270047q350fac70n95878b33cab3563d@mail.gmail.com> <40337.62.150.152.60.1185615256.squirrel@webmail.baladia.gov.kw> <46AB24AF.7060804@ecs.soton.ac.uk> Message-ID: <46AB330F.2080204@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hugo van der Kooij wrote: > On Sat, 28 Jul 2007, Julian Field wrote: > >>> Checking for SpamAssassin errors (if you use it)... >>> SpamAssassin temporary working directory is >>> /var/spool/MailScanner/incoming/SpamAssassin-Temp >>> SpamAssassin temp dir = >>> /var/spool/MailScanner/incoming/SpamAssassin-Temp >>> Using SpamAssassin results cache >>> Connected to SpamAssassin cache database >>> SpamAssassin reported no errors. >>> Using locktype = posix >>> Creating hardcoded struct_flock subroutine for linux (Linux-type) >>> MailScanner.conf says "Virus Scanners = clamav clamd clamavmodule" >>> >> That means you are scanning each message 3 times with the same scanner! >> That's silly. Just set it to Virus Scanners = clamd. The MailScanner >> - --lint output confirms that your clamd settings are probably right, as >> it can talk to the daemon. So just set Virus Scanners = clamd and you'll >> be okay. > > How about adding some logic inside MailScanner to see which of these > CLAMAV options are available and then choose to use only one? I don't want to second-guess what clamav scanner you might want to use. 
Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGqzMQEfZZRxQVtlQRAhBtAJ9mSIGwsicjHdH7fbc1YNf/erQFtgCePvPA NwJoxyTBXVT8vxkW2r+ojZA= =upLf -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From campbell at cnpapers.com Sat Jul 28 13:52:28 2007 
From: campbell at cnpapers.com (Steve Campbell) Date: Sat Jul 28 13:52:47 2007 Subject: OT - Quck DNS MX question. In-Reply-To: <223f97700707280221l41413e70i1dc317635ea619a4@mail.gmail.com> References: <46AA55C6.2020008@cnpapers.com> <46AA5B1B.2050509@pixelhammer.com> <1185585454.46aa992ee72e4@perdition.cnpapers.net> <798375e00707271907k2d94ffdbxf04da71f89190604@mail.gmail.com> <223f97700707280221l41413e70i1dc317635ea619a4@mail.gmail.com> Message-ID: <1185627148.46ab3c0cd5038@perdition.cnpapers.net> Quoting Glenn Steen : > On 28/07/07, Rick Tait wrote: > > On 7/27/07, Steve Campbell wrote: > > > > > > They got some hotshot rookie Exchange admin to install Exchange on their > > system, > > > taking out what they used to have. There was a definite need for > something > > on > > > site, but I'm not sure Exchange was the best solution. Anyway, he wanted > > us to > > > continue being their MX and even hubbing their mailboxes. He then set up > > > something like fetchmail to retrieve the mail and put it in their local > > > mailboxes. That way, they got the benefit of our MS/Clam/SA etc. It's > all > > fine > > > except when his fetchmail-whatever script doesn't work, or they get a > new > > > employee. They keep calling me about the problems and I have to keep > > telling > > > them over and over that I don't do that part anymore. > > > > Wow!!! They're getting a sweet deal... What's with the store, store, > store, > > store-n-forward though? What's wrong with the usual behaviour of you being > > /bastion/ MX and then immediately relay via postfix transport map (etc, > > sorry dont know what you run) right away? Then you don't have to worry > about > > storing all their stuff (sucks that you have to do that, as an admin its > > just one more thing you could care less about but have to keep an eye on). > > And of course they still get the bennies of the MS/Clam/SA. 
Plus it ain't > > your problem Jack if they get mailbombed or DoS'd and its their > filesystems > > not yours that fill up. Why should you be paying for their disk? > Steve runs a Rendmaul shop. Basically agree though.... Unless there is > significant moneay involved, why do that...:-) The world revolves around the mighty penny and lowly marketing departments. Don't know if I mentioned it before or not, but I work for a few newspapers. Our marketing department will set up any type of scheme an advertiser requests if we can just get them to commit to a contract. Well, guess what the advertiser wanted. Originally, we were just their MX/POP server. It was no big deal as there were only a few accounts on a dedicated RH 7.3 server. If it filled up, it was their loss. Then came the new offer of having their own server, and all the rest of the deal. Instead of saying goodbye, marketing allowed them to do pretty much whatever their new admin wanted, just to keep the pennies flowing. And of course, I don't cost my company anything more to run their server or not to run it. Hey, I just work there and the money isn't all that great either!! Steve > > > I was doing something similar (free) for a friend/ex-colleague for a long > > time and I just eventually got pissed off enough about it to do something. > > He was a bit of a crazy type A guy so rather than just tell him to sling > his > > hook I basically made some crap up (which may or may not be true but I > guess > > probably is) about my not wanting to be potentially liable under various > > tech laws for having stored his company emails on my own servers, and > would > > rather it be a quick anti-spam/anti-virus scan and then I whizz it off > > immediately to his end delivery MTA (Exchange 2000). 
I mentioned my server > > being public and his being private and I think his own paranoia just > kicked > > in and he quickly arranged his own end such that I was simply his > first-hit > > relay and his stuff was no longer being stored on my "public" servers. > > > :-) You'd better hope he doesn't read this public forum then.... those > type As can be vicious;-) > > > > -RMT. > > > > > > -- Vescere bracis meis. > Not that hungry, so I'll pass.... > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/ From stork at openenterprise.ca Sat Jul 28 16:56:57 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Sat Jul 28 16:58:14 2007 Subject: CRM114 In-Reply-To: <46A90E0B.4060001@fractalweb.com> References: <46A823E2.1070903@openenterprise.ca> <46A90E0B.4060001@fractalweb.com> Message-ID: <46AB6749.60600@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070728/8dcafb34/stork.vcf From MailScanner at ecs.soton.ac.uk Sat Jul 28 17:59:23 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Jul 28 17:59:43 2007 Subject: CRM114 In-Reply-To: <46AA478B.1030807@ecs.soton.ac.uk> References: <28020962.4651185486168402.JavaMail.root@office.splatnix.net> <46AA478B.1030807@ecs.soton.ac.uk> Message-ID: <46AB75EB.50903@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: > * PGP Signed: 07/27/07 at 20:29:16 > > > > Hugo van der Kooij wrote: >> On Thu, 26 Jul 2007, UxBoD wrote: >> >>> Always up for a challenge :) Want to learn more about MailScanner >>> anyway. Thanks Jules. >> >> If you are really trying to compete with Jules you should be done by >> monday. ;-) > Oh, you want it documented and stress-tested as well? After all, I've > got the whole weekend :-) There's a SpamAssassin CRM114 plugin already. Look up http://mschuette.name/files/crm114.pm http://mschuette.name/files/crm114.cf Does somebody fancy trying it out? Told you it wouldn't take long :-) Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGq3XsEfZZRxQVtlQRAocUAKCYixVEY9OO58tN4pAtmAWvuEkPzACg6rXj smmHbgIzIY0XW39ySzSglaQ= =Q/Ec -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From hvdkooij at vanderkooij.org Sat Jul 28 19:56:57 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Jul 28 19:57:04 2007 Subject: query if mailscanner using clamscan In-Reply-To: <46AB330F.2080204@ecs.soton.ac.uk> References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> <46A8BC68.1020901@ecs.soton.ac.uk> <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw> <46A91552.5060809@ecs.soton.ac.uk> <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw> <223f97700707270047q350fac70n95878b33cab3563d@mail.gmail.com> <40337.62.150.152.60.1185615256.squirrel@webmail.baladia.gov.kw> <46AB24AF.7060804@ecs.soton.ac.uk> <46AB330F.2080204@ecs.soton.ac.uk> Message-ID: On Sat, 28 Jul 2007, Julian Field wrote: > Hugo van der Kooij wrote: >> On Sat, 28 Jul 2007, Julian Field wrote: >> >>>> Checking for SpamAssassin errors (if you use it)... >>>> SpamAssassin temporary working directory is >>>> /var/spool/MailScanner/incoming/SpamAssassin-Temp >>>> SpamAssassin temp dir = >>>> /var/spool/MailScanner/incoming/SpamAssassin-Temp >>>> Using SpamAssassin results cache >>>> Connected to SpamAssassin cache database >>>> SpamAssassin reported no errors. >>>> Using locktype = posix >>>> Creating hardcoded struct_flock subroutine for linux (Linux-type) >>>> MailScanner.conf says "Virus Scanners = clamav clamd clamavmodule" >>>> >>> That means you are scanning each message 3 times with the same scanner! >>> That's silly. Just set it to Virus Scanners = clamd. The MailScanner >>> - --lint output confirms that your clamd settings are probably right, as >>> it can talk to the daemon. So just set Virus Scanners = clamd and you'll >>> be okay. >> >> How about adding some logic inside MailScanner to see which of these >> CLAMAV options are available and then choose to use only one? 
> I don't want to second-guess what clamav scanner you might want to use. Isn't using all of them as much second guessing? How does one call it if you do it thrice? triple guessing? Detecting that overlapping options are available should at least be noted. Whether it needs to be fixed automagically or lead to a halt until fixed is negotiable. But just letting it go is not right in my view. Throwing in a warning about triplicity usage is a minimal change I suggest. (Yeah, I know. It is just one man with one opinion. I just happen to voice it rather loudly from time to time if I feel another view is not correct.) Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From MailScanner at ecs.soton.ac.uk Sat Jul 28 20:17:49 2007
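The check discussed in this thread, as an added example (not MailScanner code and not written by any poster): it reads the two `--lint` lines quoted above and reports when `Virus Scanners` names more than one ClamAV front end, and when a configured scanner is missing from the "Found these virus scanners installed" line. The function name, the result layout and the treatment of the three names as one family are assumptions.

```python
import re

# The three ClamAV front ends named in the thread.
CLAMAV_VARIANTS = ("clamav", "clamd", "clamavmodule")

CONFIGURED = re.compile(r'MailScanner\.conf says "Virus Scanners\s*=\s*([^"]*)"')
INSTALLED = re.compile(r"Found these virus scanners installed:\s*(.*)$")

# Lines of the --lint output quoted in the thread, mail quote markers included.
SAMPLE_LINT = """\
> Creating hardcoded struct_flock subroutine for linux (Linux-type)
> MailScanner.conf says "Virus Scanners = clamav clamd clamavmodule"
> Found these virus scanners installed: clamavmodule, clamd
"""


def review_lint(text):
    """Return what the lint output says about the virus scanner setup."""
    configured, installed = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()      # tolerate quoted mail text
        m = CONFIGURED.search(line)
        if m:
            configured = m.group(1).lower().split()
        m = INSTALLED.search(line)
        if m:
            installed = [s.strip().lower() for s in m.group(1).split(",") if s.strip()]

    clam = [s for s in configured if s in CLAMAV_VARIANTS]
    missing = [] if installed is None else [s for s in configured if s not in installed]
    messages = []
    if len(clam) > 1:
        # Every entry is a separate scan pass by the same engine and signatures.
        messages.append(
            "Virus Scanners lists %d ClamAV front ends (%s): each message is "
            "scanned once per entry. Keep one, e.g. \"Virus Scanners = clamd\"."
            % (len(clam), ", ".join(clam))
        )
    if missing:
        # Configured but absent from the installed list reported by --lint.
        messages.append(
            "Configured but not reported as installed: %s." % ", ".join(missing)
        )
    return {
        "configured": configured,
        "clamav_variants": clam,
        "redundant": len(clam) > 1,
        "not_found_installed": missing,
        "messages": messages,
    }


if __name__ == "__main__":
    for msg in review_lint(SAMPLE_LINT)["messages"]:
        print("WARNING:", msg)
```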
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Jul 28 20:18:25 2007
Subject: Release 4.62.7 beta
Message-ID: <46AB965D.60704@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have just released another beta, 4.62.7. Download as usual from www.mailscanner.info.

- -- The ability to skip spam checks if there is a valid watermark has returned. If you have more than 1 MX with MailScanner on it, this can be used to avoid doing multiple sets of spam checks. It will do it on the first MailScanner the message hits, and skip them on subsequent MailScanners.

- -- "ClamAV Full Message Scan = yes" will make ClamAV get the full message as 1 file, so all the ClamAV 'type 4' signatures which spot spam will always work reliably. This will help you a lot if you are using the sanesecurity signatures or any others like it. If you're not using this, I strongly recommend it as it will help a lot with your spam detection.

As the Change Log is now so enormous, there will be a stable release at the start of August. But please do still test this release for me! I rely on your help for this, please don't let me down.

The full Change Log for this version is now this:

* New Features and Improvements *
1 Improved non-Linux installer.
1 Improved Linux installer.
1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this.
1 Upgraded MIME::Base64 to 3.07.
1 Improved error reporting for clamd permissions problems. Thanks Rick.
2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and /usr/sbin/update_spamassassin. For a good use of this, see http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt and search for "HOWTO" in the Subject: line of the MailScanner-discussion list archive. This process replaces RulesDuJour entirely. Another good ruleset to add to your setup is http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf To download this automatically every night, fetch http://www.mailscanner.info/files/4/KAM.cf.sh and put it in /etc/cron.daily and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh").
3 Added "Known Web Bug Servers" so you can blacklist images from known servers of web bug services.
3 Added functionality of "milter-null" to MailScanner so you no longer need to run this separately. It is called "Watermarking" and there is a whole section for the settings in MailScanner.conf. They are
    Add Watermark = yes
    Skip Spam Checks If Watermark Valid = yes
    Watermark Header = MailScanner-%org-name%-Watermark:
    Watermark Lifetime = 432000 # in seconds, = 5 days
    Watermark Secret = SET-THIS-TO-A-SECRET!
  Also added Digest::MD5 to the required list of Perl modules, this is needed for the watermarking code.
3 Added optional image to the clean message signature. You can also use this to add an arbitrary image attachment to any message, if you so wish. The main point is to be able to have graphical HTML signatures on messages. The settings are
    Attach Image To Signature = no
    Attach Image To HTML Message Only = yes
    Signature Image Filename = %report-dir%/sig.jpg
    Signature Image Filename = signature.jpg
4 Added support for Kaspersky kav4fs. Set virus.scanners.conf entry to point to /opt/kaspersky.
4 Changed default value to "Max SpamAssassin Size = 100k" as modern PDF spams are getting quite large, and PDFInfo.pm doesn't work with cropped messages.
4 Improved Clamd parser to handle Sane Security ClamAV signature databases which detect spam and so on from the contents of the headers, and hence find infections without attachment filenames. Thanks to various people for help with this, you know who you are :-)
4 Improved upgrade_MailScanner_conf so that it checks that the 'Monitors for ClamAV Updates' setting looks for inc and cvd files. Problems have recently been suffered by many due to the value of this setting being out of date. It doesn't automatically re-write their setting in case they have installed ClamAV somewhere odd and have customised it.
4 Changed 'Monitors for Sophos Updates' setting default value to point to appropriate file for Sophos version 5 and upwards, and have added check in upgrade_MailScanner_conf to ensure their setting now points to a new location. It prints a warning if sophos-av does not appear in the path.
4 Added configuration setting "SpamAssassin Rule Actions". This setting is very powerful and can be used to implement many things that MCP can do, without having the processing overhead of MCP. The documentation for it is in the MailScanner.conf file. Its power is limited by your imagination :-) Start combining it with rulesets and you can take (or _not_ take) any combination of actions dependent on any bit of content in the message or its headers. You could try out new SA tests by storing in quarantine every message that matches a new particular SpamAssassin rule (or meta-rule for creating more complex expressions).
5 Added "custom" spam action, which takes a parameter. This is passed into the CustomAction function in CustomAction.pm in the CustomFunctions directory. This can be used to implement anything your heart desires, depending on the contents of a message.
7 When clamav, clamavmodule or clamd parsers are being used and new setting "ClamAV Full Message Scan" is set to "yes", pass each of the entire messages to ClamAV as well as the attachments so that the signatures that detect spam can work reliably. This is set to "no" by default as it has a speed impact.
7 The watermark options have been tweaked and renamed a bit, and one new feature has been added. "upgrade_MailScanner_conf" will show you the renames and the new feature is designed to save resources on sites with more than 1 MailScanner. Currently, if you have a message delivered to a secondary MX (with MailScanner) which relays mail to the primary MX (also with MailScanner) for delivery to users' mailboxes, the spam checks will be done twice; this is a waste of resources. The new setting "Check Watermarks To Skip Spam Checks = yes" will remove this waste by skipping the spam checks on the primary MX as the secondary has already done them.

* Fixes *
2-2 Fixed error in RPM installer.
2-3 Fixed error in update_spamassassin.
3-2 The watermarking code should do something now :-)
3-3 Rewrote the watermarking docs so they reflect the truth.
4 --lint now reads all the Custom Functions properly.
4 Bug in auto-zip fixed where attachments could be deleted without being added to zip. Thanks to Matt Hampton.
4 Bug with '-' in HTML attribute names confusing phishing net fixed. Thanks to John Wilcock.
5 Fixed 2 bugs in MSRBL clamav-signature handler. Thanks to UxBoD.
6 Fixed bug from October 2006 involving McAfee finding infections in headers.
7 Fixed bug when unpacking TNEF files with external decoder.
7 Fixed 'monitor files' check in upgrade_MailScanner_conf so it doesn't check inadvertently when doing an upgrade_languages_conf.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGq5ZeEfZZRxQVtlQRAhuGAJ9yRrrL8XOYf4Q7LT4CBV+AcGtcYQCghKhd
ml+GerQHlzQWtue03N4r4X4=
=o/5z
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

For all your IT requirements visit www.transtec.co.uk

From v at vladville.com Sat Jul 28 21:19:51 2007
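An added sketch of how a keyed, expiring watermark of the kind the changelog describes can be issued on one MX and checked on the next before spam checks are skipped; it is not MailScanner's code and not from the post. Assumptions: the header value layout `<expiry>:<hex tag>`, the fields covered by the tag, the header name with `%org-name%` filled in as "example", and HMAC-SHA256 (the changelog says only that MailScanner's own code needs Digest::MD5).

```python
import hashlib
import hmac

WATERMARK_LIFETIME = 432000                     # seconds (5 days), value from the changelog
PLACEHOLDER_SECRET = b"SET-THIS-TO-A-SECRET!"   # shipped placeholder from the changelog
HEADER_NAME = "MailScanner-example-Watermark"   # constructed: %org-name% = "example"
HEX_DIGITS = set("0123456789abcdef")


def _tag(secret, expiry, message_id, sender):
    """Keyed digest over the expiry and the message identity (assumed fields)."""
    data = "\n".join((str(expiry), message_id, sender)).encode("utf-8")
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def make_watermark(secret, message_id, sender, now, lifetime=WATERMARK_LIFETIME):
    """Header value added by the first scanner the message passes through."""
    expiry = int(now) + lifetime
    return "%d:%s" % (expiry, _tag(secret, expiry, message_id, sender))


def check_watermark(secret, value, message_id, sender, now):
    """Classify a received value as 'valid', 'expired', 'forged' or 'malformed'."""
    expiry_text, sep, tag = value.strip().partition(":")
    # The header is attacker-controlled input: bound and validate it first.
    if not sep or not (0 < len(expiry_text) <= 12):
        return "malformed"
    if not (expiry_text.isascii() and expiry_text.isdigit()):
        return "malformed"
    if len(tag) != 64 or not set(tag) <= HEX_DIGITS:
        return "malformed"
    expiry = int(expiry_text)
    # Verify the tag before consulting the clock, so an edited expiry is
    # reported as forged; compare in constant time.
    if not hmac.compare_digest(_tag(secret, expiry, message_id, sender), tag):
        return "forged"
    return "expired" if int(now) > expiry else "valid"


def skip_spam_checks(secret, headers, message_id, sender, now):
    """True only if an upstream scanner's watermark verifies with our secret.

    headers maps a header name to the list of values seen for it.
    """
    if secret == PLACEHOLDER_SECRET:
        return False    # a secret everyone knows authenticates nothing
    values = headers.get(HEADER_NAME, [])
    if len(values) != 1:
        return False    # absent, or more than one copy present
    return check_watermark(secret, values[0], message_id, sender, now) == "valid"


if __name__ == "__main__":
    key = b"constructed-demo-secret"            # constructed sample value
    wm = make_watermark(key, "<1@mx2.example.org>", "user@example.org", 1185650000)
    print(HEADER_NAME + ":", wm)
    print(check_watermark(key, wm, "<1@mx2.example.org>", "user@example.org", 1185653600))
```

Every MX that should honour the watermark has to share the same secret, and leaving it at the placeholder means anyone can mint a header that skips the spam checks.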
From: v at vladville.com (Vlad Mazek) Date: Sat Jul 28 21:19:54 2007 Subject: sendmail split queues and MailScanner Message-ID: A while back someone wrote about the sendmail implementation with split quarantines where one was processing mail that got one more more RBL hits and the other one processed the mail that wasn't on blacklists at all; figuring that it would speed up the delivery of non-spam and still not risk rejection of legitimate mail sent by servers that could have ended up on an RBL for a number of reasons. I cannot track down who wrote up the original post but has anyone implemented / used this in production and has anyone put together any documentation on how to get this up and running? -Vlad -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070728/b3914b74/attachment.html From matt at coders.co.uk Sat Jul 28 21:33:40 2007 From: matt at coders.co.uk (Matt Hampton) Date: Sat Jul 28 21:31:36 2007 Subject: sendmail split queues and MailScanner In-Reply-To: References: Message-ID: <46ABA824.70403@coders.co.uk> Vlad Mazek wrote: > A while back someone wrote about the sendmail implementation with split > quarantines where one was processing mail that got one more more RBL > hits and the other one processed the mail that wasn't on blacklists at > all; figuring that it would speed up the delivery of non-spam and still > not risk rejection of legitimate mail sent by servers that could have > ended up on an RBL for a number of reasons. That was me. However it was based on the assumption that MailScanner can prioritize one queue over another which it can't at present. It is on my long list to look at again after the baby is born (due this week :-) ) matt From v at vladville.com Sat Jul 28 21:52:43 2007 
From: v at vladville.com (Vlad Mazek) Date: Sat Jul 28 21:52:46 2007 Subject: sendmail split queues and MailScanner In-Reply-To: <46ABA824.70403@coders.co.uk> References: <46ABA824.70403@coders.co.uk> Message-ID: Congratulations! On 7/28/07, Matt Hampton wrote: > > Vlad Mazek wrote: > > A while back someone wrote about the sendmail implementation with split > > quarantines where one was processing mail that got one more more RBL > > hits and the other one processed the mail that wasn't on blacklists at > > all; figuring that it would speed up the delivery of non-spam and still > > not risk rejection of legitimate mail sent by servers that could have > > ended up on an RBL for a number of reasons. > > That was me. However it was based on the assumption that MailScanner > can prioritize one queue over another which it can't at present. > > It is on my long list to look at again after the baby is born (due this > week :-) ) > > matt > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- -Vlad -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070728/27dd51e2/attachment.html From r.berber at computer.org Sat Jul 28 22:27:00 2007 
From: r.berber at computer.org (René Berber) Date: Sat Jul 28 22:27:17 2007 Subject: query if mailscanner using clamscan In-Reply-To: References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> <46A8BC68.1020901@ecs.soton.ac.uk> <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw> <46A91552.5060809@ecs.soton.ac.uk> <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw> <223f97700707270047q350fac70n95878b33cab3563d@mail.gmail.com> <40337.62.150.152.60.1185615256.squirrel@webmail.baladia.gov.kw> <46AB24AF.7060804@ecs.soton.ac.uk> <46AB330F.2080204@ecs.soton.ac.uk> Message-ID: Hugo van der Kooij wrote: [snip] >>> How about adding some logic inside MailScanner to see which of these >>> CLAMAV options are available and then choose to use only one? >> I don't want to second-guess what clamav scanner you might want to use. > > Isn't using all of them as much second guessing? How does one call it if > you do it thrice? triple guessing? There was no guessing in the first place, the user specified that he wanted to use all 3, nothing to guess. > Detecting that overlapping options are available should at least be > noted. Whether it needs to be fixed automagically or lead to a halt > until fixed is negotiable. There's no overlapping, each clam option is different: they need different things installed and configured, even if those are subsets of the same complete package. > But just letting it go is not right in my view. Throwing in a warning > about triplicity usage is a minimal change I suggest. > > (Yeah, I know. It is just one man with one opinion. I just happen to > voice it rather loudly from time to time if I feel another view is not > correct.) Think before you shoot. -- René
Berber From uxbod at splatnix.net Sat Jul 28 23:15:48 2007 From: uxbod at splatnix.net (UxBoD) Date: Sat Jul 28 23:12:12 2007 Subject: CRM114 In-Reply-To: <46AB75EB.50903@ecs.soton.ac.uk> Message-ID: <2020080.5311185660948721.JavaMail.root@office.splatnix.net> Will give it a go tomorrow. Just had Champagne and Dover sole, so not in the best frame to do anything now Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- 
From: "Julian Field" To: "MailScanner discussion" Sent: 28 July 2007 17:59:23 o'clock (GMT) Europe/London Subject: Re: CRM114 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: > * PGP Signed: 07/27/07 at 20:29:16 > > > > Hugo van der Kooij wrote: >> On Thu, 26 Jul 2007, UxBoD wrote: >> >>> Always up for a challenge :) Want to learn more about MailScanner >>> anyway. Thanks Jules. >> >> If you are really trying to compete with Jules you should be done by >> monday. ;-) > Oh, you want it documented and stress-tested as well? After all, I've > got the whole weekend :-) There's a SpamAssassin CRM114 plugin already. Look up http://mschuette.name/files/crm114.pm http://mschuette.name/files/crm114.cf Does somebody fancy trying it out? Told you it wouldn't take long :-) Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGq3XsEfZZRxQVtlQRAocUAKCYixVEY9OO58tN4pAtmAWvuEkPzACg6rXj smmHbgIzIY0XW39ySzSglaQ= =Q/Ec -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From glenn.steen at gmail.com Sat Jul 28 23:35:48 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Jul 28 23:35:50 2007 Subject: CRM114 In-Reply-To: <2020080.5311185660948721.JavaMail.root@office.splatnix.net> References: <46AB75EB.50903@ecs.soton.ac.uk> <2020080.5311185660948721.JavaMail.root@office.splatnix.net> Message-ID: <223f97700707281535j2d392288jfb153243a74584d2@mail.gmail.com> On 29/07/07, UxBoD wrote: > Will give it a go tomorrow. Just had Champagne and Dover sole, so not in the best frame to do anything now > -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Jul 28 23:38:23 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Jul 28 23:38:29 2007 Subject: CRM114 In-Reply-To: <223f97700707281535j2d392288jfb153243a74584d2@mail.gmail.com> References: <46AB75EB.50903@ecs.soton.ac.uk> <2020080.5311185660948721.JavaMail.root@office.splatnix.net> <223f97700707281535j2d392288jfb153243a74584d2@mail.gmail.com> Message-ID: <223f97700707281538s35daec1ege101bbca97cc5bc4@mail.gmail.com> On 29/07/07, Glenn Steen wrote: > On 29/07/07, UxBoD wrote: > > Will give it a go tomorrow. Just had Champagne and Dover sole, so not in the best frame to do anything now > > (was going to say the following, accidentally slipped (is there any other way?) and hit send.... SIgh.) Tempting... Both what you drank there, and being censored.....:-) BTW, I find my best thinking is done under the influence... Just can't remember it later on:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Jul 28 23:42:57 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Jul 28 23:42:59 2007 Subject: sendmail split queues and MailScanner In-Reply-To: <46ABA824.70403@coders.co.uk> References: <46ABA824.70403@coders.co.uk> Message-ID: <223f97700707281542j484d8bf9w18234f5432ac1b7e@mail.gmail.com> On 28/07/07, Matt Hampton wrote: > Vlad Mazek wrote: > > A while back someone wrote about the sendmail implementation with split > > quarantines where one was processing mail that got one more more RBL > > hits and the other one processed the mail that wasn't on blacklists at > > all; figuring that it would speed up the delivery of non-spam and still > > not risk rejection of legitimate mail sent by servers that could have > > ended up on an RBL for a number of reasons. > > That was me. However it was based on the assumption that MailScanner > can prioritize one queue over another which it can't at present. > > It is on my long list to look at again after the baby is born (due this > week :-) ) > > matt First one? Then you can settle in... might be ... *any* time... literally:-) Anyway, congrats! Always exciting that... Being part of the whole thing is still the highpoints of my life, so far. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From hvdkooij at vanderkooij.org Sun Jul 29 00:46:29 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Jul 29 00:46:39 2007 Subject: query if mailscanner using clamscan In-Reply-To: References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> <46A8BC68.1020901@ecs.soton.ac.uk> <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw> <46A91552.5060809@ecs.soton.ac.uk> <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw> <223f97700707270047q350fac70n95878b33cab3563d@mail.gmail.com> <40337.62.150.152.60.1185615256.squirrel@webmail.baladia.gov.kw> <46AB24AF.7060804@ecs.soton.ac.uk> <46AB330F.2080204@ecs.soton.ac.uk> Message-ID: On Sat, 28 Jul 2007, Ren? Berber wrote: > Hugo van der Kooij wrote: > [snip] >>>> How about adding some logic inside MailScanner to see which of these >>>> CLAMAV options are available and then choose to use only one? >>> I don't want to second-guess what clamav scanner you might want to use. >> >> Isn't using all of them as much second guessing? How does one call it if >> you do it thrice? tripple guessing? > > There was no guessing on the first place, the user specified that he wanted to > use all 3, nothing to guess. My interpretation of that original bit of config is that it was using auto mode: "and in MailScanner.conf it says Virus Scanners = auto" Is there another interpretation of that section possible? So for those cases MS is selecting all of the availables ones. On my scanner test machine it is set to auto as it only handles a handfull of messages per day but the number of scanners used is increasing. At present it reports: I have found bitdefender f-prot avastd drweb clamavmodule clamd avast mcafee norman antivir scanners installed, and will use them all by default. Preferably MS would avoid using duplicate scanners. 
And perhaps also detect broken scanners. In this case Norman dies a horrible death on anything but Centos 4. On my Centos 5 and FC 4 machines it will not run but crash with some inexplicable crash which Norman is yet to fix after it was reported nearly 2 years ago. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From r.berber at computer.org Sun Jul 29 01:30:52 2007 
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=) Date: Sun Jul 29 01:31:17 2007 Subject: query if mailscanner using clamscan In-Reply-To: References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> <46A8BC68.1020901@ecs.soton.ac.uk> <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw> <46A91552.5060809@ecs.soton.ac.uk> <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw> <223f97700707270047q350fac70n95878b33cab3563d@mail.gmail.com> <40337.62.150.152.60.1185615256.squirrel@webmail.baladia.gov.kw> <46AB24AF.7060804@ecs.soton.ac.uk> <46AB330F.2080204@ecs.soton.ac.uk> Message-ID: Hugo van der Kooij wrote: > On Sat, 28 Jul 2007, Ren? Berber wrote: > >> Hugo van der Kooij wrote: [snip] >>>>> How about adding some logic inside MailScanner to see which of these >>>>> CLAMAV options are available and then choose to use only one? >>>> I don't want to second-guess what clamav scanner you might want to use. >>>> >>> >>> Isn't using all of them as much second guessing? How does one call it if >>> you do it thrice? tripple guessing? >> >> There was no guessing on the first place, the user specified that he wanted >> to use all 3, nothing to guess. > > My interpretation of that original bit of config is that it was using auto > mode: No it wasn't, in fact its the second time Julian has told the OP to not use multiple clamav scans. > "and in MailScanner.conf it says Virus Scanners = auto" Where did you get that? From this message http://permalink.gmane.org/gmane.mail.virus.mailscanner/55372, which is the one Julian was responding to, the OP says: "in MailScanner.conf Virus Scanners = clamav clamd clamavmodule " > Is there another interpretation of that section possible? 
> > So for those cases MS is selecting all of the availables ones. On my scanner > test machine it is set to auto as it only handles a handfull of messages per > day but the number of scanners used is increasing. > > At present it reports: I have found bitdefender f-prot avastd drweb > clamavmodule clamd avast mcafee norman antivir scanners installed, and will > use them all by default. > > Preferably MS would avoid using duplicate scanners. And perhaps also detect > broken scanners. > > In this case Norman dies a horrible death on anything but Centos 4. On my > Centos 5 and FC 4 machines it will not run but crash with some unexplicable > crash which Norman is yet to fix after it was reported nearly 2 years ago. I understand the confusion, the report or the interpretation is probably wrong, I think MS defaults to using clamavmodule when more than one clam option is available. -- Ren? Berber From MailScanner at ecs.soton.ac.uk Sun Jul 29 11:39:27 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jul 29 11:40:01 2007 Subject: CRM114 In-Reply-To: <223f97700707281538s35daec1ege101bbca97cc5bc4@mail.gmail.com> References: <46AB75EB.50903@ecs.soton.ac.uk> <2020080.5311185660948721.JavaMail.root@office.splatnix.net> <223f97700707281535j2d392288jfb153243a74584d2@mail.gmail.com> <223f97700707281538s35daec1ege101bbca97cc5bc4@mail.gmail.com> Message-ID: <46AC6E5F.60908@ecs.soton.ac.uk> Glenn Steen wrote: > On 29/07/07, Glenn Steen wrote: > >> On 29/07/07, UxBoD wrote: >> >>> Will give it a go tomorrow. Just had Champagne and Dover sole, so not in the best frame to do anything now >>> >>> > (was going to say the following, accidentally slipped (is there any > other way?) and hit send.... SIgh.) > Tempting... Both what you drank there, and being censored.....:-) > BTW, I find my best thinking is done under the influence... Just can't > remember it later on:-). > Not remembering it later on is why invented subversion. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Sun Jul 29 12:01:23 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jul 29 12:02:15 2007 Subject: query if mailscanner using clamscan In-Reply-To: References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> <46A8BC68.1020901@ecs.soton.ac.uk> <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw> <46A91552.5060809@ecs.soton.ac.uk> <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw> <223f97700707270047q350fac70n95878b33cab3563d@mail.gmail.com> <40337.62.150.152.60.1185615256.squirrel@webmail.baladia.gov.kw> <46AB24AF.7060804@ecs.soton.ac.uk> <46AB330F.2080204@ecs.soton.ac.uk> Message-ID: <46AC7383.1010904@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hugo, You have your wish. 4.62.7-2 will detect multiple clam scanners installed and will use the most sensible one, when you specify "Virus Scanners = auto". The scanners actually used will be in the maillog. Please download it and give it a try. I can't see a way to easily test to see if a scanner is broken, sorry. Jules. Hugo van der Kooij wrote: > On Sat, 28 Jul 2007, Ren? Berber wrote: > >> Hugo van der Kooij wrote: >> [snip] >>>>> How about adding some logic inside MailScanner to see which of these >>>>> CLAMAV options are available and then choose to use only one? >>>> I don't want to second-guess what clamav scanner you might want to >>>> use. >>> >>> Isn't using all of them as much second guessing? How does one call >>> it if >>> you do it thrice? tripple guessing? >> >> There was no guessing on the first place, the user specified that he >> wanted to >> use all 3, nothing to guess. 
> > My interpretation of that original bit of config is that it was using > auto mode: > > "and in MailScanner.conf it says > Virus Scanners = auto" > > Is there another interpretation of that section possible? > > So for those cases MS is selecting all of the availables ones. On my > scanner test machine it is set to auto as it only handles a handfull > of messages per day but the number of scanners used is increasing. > > At present it reports: > I have found bitdefender f-prot avastd drweb clamavmodule clamd avast > mcafee norman antivir scanners installed, and will use them all by > default. > > Preferably MS would avoid using duplicate scanners. And perhaps also > detect broken scanners. > > In this case Norman dies a horrible death on anything but Centos 4. On > my Centos 5 and FC 4 machines it will not run but crash with some > unexplicable crash which Norman is yet to fix after it was reported > nearly 2 years ago. > > Hugo. > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGrHOFEfZZRxQVtlQRArXkAJ4+tL8DsZvVtlAgojP53SUd0fn4UACcDg1J QKWY+E4eMRyB/8fmSlFeU0U= =krRR -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From uxbod at splatnix.net Sun Jul 29 12:31:25 2007 
From: uxbod at splatnix.net (UxBoD) Date: Sun Jul 29 12:27:26 2007 Subject: CRM114 In-Reply-To: <46AC6E5F.60908@ecs.soton.ac.uk> Message-ID: <19623251.5491185708685494.JavaMail.root@office.splatnix.net> Well I have installed it, so lets see what happens ;) Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- 
From: "Julian Field" To: "MailScanner discussion" Sent: 29 July 2007 11:39:27 o'clock (GMT) Europe/London Subject: Re: CRM114 Glenn Steen wrote: > On 29/07/07, Glenn Steen wrote: > >> On 29/07/07, UxBoD wrote: >> >>> Will give it a go tomorrow. Just had Champagne and Dover sole, so not in the best frame to do anything now >>> >>> > (was going to say the following, accidentally slipped (is there any > other way?) and hit send.... SIgh.) > Tempting... Both what you drank there, and being censored.....:-) > BTW, I find my best thinking is done under the influence... Just can't > remember it later on:-). > Not remembering it later on is why invented subversion. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk From hvdkooij at vanderkooij.org Sun Jul 29 13:54:19 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Jul 29 13:54:30 2007 Subject: query if mailscanner using clamscan In-Reply-To: <46AC7383.1010904@ecs.soton.ac.uk> References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> <46A8BC68.1020901@ecs.soton.ac.uk> <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw> <46A91552.5060809@ecs.soton.ac.uk> <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw> <223f97700707270047q350fac70n95878b33cab3563d@mail.gmail.com> <40337.62.150.152.60.1185615256.squirrel@webmail.baladia.gov.kw> <46AB24AF.7060804@ecs.soton.ac.uk> <46AB330F.2080204@ecs.soton.ac.uk> <46AC7383.1010904@ecs.soton.ac.uk> Message-ID: On Sun, 29 Jul 2007, Julian Field wrote: > You have your wish. 4.62.7-2 will detect multiple clam scanners > installed and will use the most sensible one, when you specify "Virus > Scanners = auto". The scanners actually used will be in the maillog. > > Please download it and give it a try. > > I can't see a way to easily test to see if a scanner is broken, sorry. I was afraid of that. I can not think of a simple test scenario either. Perhaps if the error condition is clear enough in the log I can think of a trigger within logwatch and report on it. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From MailScanner at ecs.soton.ac.uk Sun Jul 29 15:19:35 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jul 29 15:20:43 2007 Subject: query if mailscanner using clamscan In-Reply-To: References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> <46A8BC68.1020901@ecs.soton.ac.uk> <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw> <46A91552.5060809@ecs.soton.ac.uk> <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw> <223f97700707270047q350fac70n95878b33cab3563d@mail.gmail.com> <40337.62.150.152.60.1185615256.squirrel@webmail.baladia.gov.kw> <46AB24AF.7060804@ecs.soton.ac.uk> <46AB330F.2080204@ecs.soton.ac.uk> <46AC7383.1010904@ecs.soton.ac.uk> Message-ID: <46ACA1F7.7060805@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hugo van der Kooij wrote: > On Sun, 29 Jul 2007, Julian Field wrote: > >> You have your wish. 4.62.7-2 will detect multiple clam scanners >> installed and will use the most sensible one, when you specify "Virus >> Scanners = auto". The scanners actually used will be in the maillog. >> >> Please download it and give it a try. >> >> I can't see a way to easily test to see if a scanner is broken, sorry. > > I was afraid of that. I can not think of a simple test scenario either. The only thing I can think of is to ship with a copy of Eicar. Copy the Eicar file into the MailScanner/incoming/ directory, where message-id is a number I make up (1 would do). Call the installed scanners and check that they all return a valid virus report containing a report on the file and nothing else (no error messages or anything like that). So it's quite possible to do. I just think that it will be some work to write, and I'm not 100% convinced it is really worth the bother. As far as I can remember, I think you are the only person to ever ask for this. 
Maybe one day. > > Perhaps if the error condition is clear enough in the log I can think > of a trigger within logwatch and report on it. I have never used logwatch myself, but was quite pleased to see it had direct MailScanner support within it. Always nice to see that someone thinks my work is useful enough for some other people to write support for it into their own utilities. :-) Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGrKH4EfZZRxQVtlQRAvoWAJ9gSEoAGlJDgL56MUfLTtrd2eezFACfbq/9 33XsqtOci3Ue1ALiEaSUYrU= =o7N3 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From doc at maddoc.net Sun Jul 29 19:03:56 2007 
From: doc at maddoc.net (Doc Schneider) Date: Sun Jul 29 19:04:07 2007 Subject: Release 4.62.7 beta In-Reply-To: <46AB965D.60704@ecs.soton.ac.uk> References: <46AB965D.60704@ecs.soton.ac.uk> Message-ID: <46ACD68C.2030103@maddoc.net> Julian Field wrote: > I have just released another beta, 4.62.7. > Download as usual from www.mailscanner.info. > -- "ClamAV Full Message Scan = yes" will make ClamAV get the full > message as 1 file, so all the ClamAV 'type 4' signatures which spot spam > will always work reliably. This will help you a lot if you are using the > sanesecurity signatures or any others like it. If you're not using this, > I strongly recommend it as it will help a lot with your spam detection. This is working great now! And is detecting those e-card scams. ClamAV Module: message was infected: Email.Phishing.RB-1216 Good job Jules. -- -Doc Lincoln, NE. http://www.genealogyforyou.com/ http://www.cairnproductions.com/ From denis at croombs.org Sun Jul 29 19:05:07 2007 
From: denis at croombs.org (Denis Croombs) Date: Sun Jul 29 19:09:29 2007 Subject: Release 4.62.7 beta In-Reply-To: <46AB965D.60704@ecs.soton.ac.uk> Message-ID: <200707291809.l6TI9MhC009267@mail.deniscroombs.org> > I have just released another beta, 4.62.7. > Download as usual from www.mailscanner.info. > > - -- The ability to skip spam checks if there is a valid > watermark has returned. If you have more than 1 MX with > MailScanner on it, this can be used to avoid doing multiple > sets of spam checks. It will do it on the first MailScanner > the message hits, and skip them on subsequent MailScanners. > > - -- "ClamAV Full Message Scan = yes" will make ClamAV get > the full message as 1 file, so all the ClamAV 'type 4' > signatures which spot spam will always work reliably. This > will help you a lot if you are using the sanesecurity > signatures or any others like it. If you're not using this, I > strongly recommend it as it will help a lot with your spam detection. > > As the Change Log is now so enormous, there will be a stable > release at the start of August. But please do still test this > release for me! I rely on your help for this, please don't > let me down. > > The full Change Log for this version is now this: > > * New Features and Improvements * > 1 Improved non-Linux installer. > 1 Improved Linux installer. > 1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this. > 1 Upgraded MIME::Base64 to 3.07. > 1 Improved error reporting for clamd permissions problems. > Thanks Rick. > 2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and > /usr/sbin/update_spamassassin. For a good use of this, see > > http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.tx t and search > for "HOWTO" in the Subject: line of the > MailScanner-discussion list archive. > This process replaces RulesDuJour entirely. 
> Another good ruleset to add to your setup is > http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf > To download this automatically every night, fetch > http://www.mailscanner.info/files/4/KAM.cf.sh and put it in > /etc/cron.daily > and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh"). > 3 Added "Known Web Bug Servers" so you can blacklist images > from known servers > of web bug services. > 3 Added functionality of "milter-null" to MailScanner so you > no longer need to > run this separately. It is called "Watermarking" and there > is a whole > section for the settings in MailScanner.conf. They are > Add Watermark = yes > Skip Spam Checks If Watermark Valid = yes > Watermark Header = MailScanner-%org-name%-Watermark: > Watermark Lifetime = 432000 # in seconds, = 5 days > Watermark Secret = SET-THIS-TO-A-SECRET! > Also added Digest::MD5 to the required list of Perl > modules, this is needed > for the watermarking code. > 3 Added optional image to the clean message signature. You > can also use this > to add an arbitrary image attachment to any message, if you > so wish. The > main point is to be able to have graphical HTML signatures > on messages. > The settings are > Attach Image To Signature = no > Attach Image To HTML Message Only = yes > Signature Image Filename = %report-dir%/sig.jpg > Signature Image Filename = signature.jpg > 4 Added support for Kaspersky kav4fs. Set virus.scanners.conf entry to > point to /opt/kaspersky. > 4 Changed default value to "Max SpamAssassin Size = 100k" as > modern PDF spams > are getting quite large, and PDFInfo.pm doesn't work with > cropped messages. > 4 Improved Clamd parser to handle Sane Security ClamAV > signature databases > which detect spam and so on from the contents of the > headers, and hence > find infections without attachment filenames. 
Thanks to > various people for > help with this, you know who you are :-) > 4 Improved upgrade_MailScanner_conf so that it checks that > the 'Monitors for > ClamAV Updates' setting looks for inc and cvd files. > Problems have recently > been suffered by many due to the value of this setting > being out of date. > It doesn't automatically re-write their setting in case > they have installed > ClamAV somewhere odd and have customised it. > 4 Changed 'Monitors for Sophos Updates' setting default value > to point to > appropriate file for Sophos version 5 and upwards, and have > added check > in upgrade_MailScanner_conf to ensure their setting now > points to a new > location. It prints a warning if sophos-av does not appear > in the path. > 4 Added configuration setting "SpamAssassin Rule Actions". > This setting is > very powerful and can be used to implement many things that > MCP can do, > without having the processing overhead of MCP. The > documentation for it is > in the MailScanner.conf file. Its power is limited by your > imagination :-) > Start combining it with rulesets and you can take (or _not_ > take) any > combination of actions dependent on any bit of content in > the message or its > headers. You could try out new SA tests by storing in > quarantine every > message that matches a new particular SpamAssassin rule (or > meta-rule for > creating more complex expressions). > 5 Added "custom" spam action, which takes a parameter. This > is passed into the > CustomAction function in CustomAction.pm in the > CustomFunctions directory. > This can be used to implement anything your heart desires, > depending on the > contents of a message. > 7 When clamav, clamavmodule or clamd parsers are being used > and new setting > "ClamAV Full Message Scan" is set to "yes", pass each of the entire > messages to ClamAV as well as the attachments so that the > signatures that > detect spam can work reliably. This is set to "no" be > default as it has a > speed impact. 
> 7 The watermark options have been tweaked and renamed a bit, > and one new > feature has been added. "upgrade_MailScanner_conf" will > show you the renames > and the new feature is designed to save resources on sites > with more than > 1 MailScanner. Currently, if you have a message delivered > to a secondary MX > (with MailScanner) which relays mail to the primary MX (also with > MailScanner) for delivery to users' mailboxes, the spam > checks will be > done twice; this is a waste of resources. The new setting > "Check Watermarks > To Skip Spam Checks = yes" will remove this waste by > skipping the spam > checks on the primary MX as the secondary has already done them. > > * Fixes * > 2-2 Fixed error in RPM installer. > 2-3 Fixed error in update_spamassassin. > 3-2 The watermarking code should do something now :-) > 3-3 Rewrote the watermarking docs so they reflect the truth. > 4 --lint now reads all the Custom Functions properly. > 4 Bug in auto-zip fixed where attachments could be deleted > without being > added to zip. Thanks to Matt Hampton. > 4 Bug with '-' in HTML attribute names confusing phishing > net fixed. > Thanks > to John Wilcock. > 5 Fixed 2 bugs in MSRBL clamav-signature handler. Thanks to UxBoD. > 6 Fixed bug from October 2006 involving McAfee finding > infections in > headers. > 7 Fixed bug when unpacking TNEF files with external decoder. > 7 Fixed 'monitor files' check in upgrade_MailScanner_conf so it > doesn't check > inadvertently when doing an upgrade_languages_conf. > > Jules > Working 100% OK here. Regards Denis From MailScanner at ecs.soton.ac.uk Sun Jul 29 19:30:48 2007 
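The watermarking entries in the change log quoted above name a header, a lifetime of 432000 seconds and a shared secret, and say that a valid watermark lets a later MailScanner skip spam checks the first one already ran. The sketch below is an added example, not MailScanner's code: the `expiry-hexdigest` value format, the choice to cover the Message-ID, HMAC-SHA256 in place of the Digest::MD5 module the change log lists, the org name `example` and every function name are assumptions.

```python
import hashlib
import hmac
import time
from email import message_from_string

# Setting values quoted in the change log; "example" stands in for %org-name%.
WATERMARK_HEADER = "MailScanner-example-Watermark"
WATERMARK_LIFETIME = 432000                  # seconds = 5 days
WATERMARK_SECRET = b"SET-THIS-TO-A-SECRET!"  # shipped placeholder, must be replaced

# Constructed sample message, not taken from the list.
SAMPLE = (
    "From: sender@example.org\n"
    "To: user@example.net\n"
    "Message-ID: <constructed-1@example.org>\n"
    "Subject: watermark test\n"
    "\n"
    "body text\n"
)


def _tag(secret, expiry, message_id):
    # Assumption: the keyed hash covers the expiry time and the Message-ID.
    data = f"{expiry}:{message_id}".encode("utf-8")
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def make_watermark(secret, message_id, now=None, lifetime=WATERMARK_LIFETIME):
    """Build the header value 'expiry-hexdigest' (assumed format)."""
    expiry = int(time.time() if now is None else now) + lifetime
    return f"{expiry}-{_tag(secret, expiry, message_id)}"


def check_watermark(secret, message_id, value, now=None):
    """Classify one header value as 'valid', 'expired', 'forged' or 'malformed'."""
    now = int(time.time() if now is None else now)
    expiry_text, sep, digest = value.strip().partition("-")
    if not sep or not digest or not (expiry_text.isascii() and expiry_text.isdigit()):
        return "malformed"
    expected = _tag(secret, int(expiry_text), message_id)
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(expected.encode(), digest.encode("utf-8", "replace")):
        return "forged"
    if int(expiry_text) < now:
        return "expired"
    return "valid"


def stamp(raw_message, secret, now=None):
    """First MailScanner on the path: prepend the watermark header."""
    message_id = message_from_string(raw_message).get("Message-ID", "")
    value = make_watermark(secret, message_id, now)
    return f"{WATERMARK_HEADER}: {value}\n{raw_message}"


def skip_spam_checks(raw_message, secret, now=None):
    """Later MailScanner: skip only when exactly one watermark is present and valid.

    Zero headers means the message was never checked upstream; more than one
    means something on the path added its own, so the message is scanned.
    """
    msg = message_from_string(raw_message)
    values = msg.get_all(WATERMARK_HEADER) or []
    message_id = msg.get("Message-ID", "")
    if len(values) != 1 or not message_id:
        return False
    return check_watermark(secret, message_id, values[0], now) == "valid"


if __name__ == "__main__":
    t0 = 1185736761  # fixed clock so the run is repeatable
    relayed = stamp(SAMPLE, WATERMARK_SECRET, t0)
    print("unstamped  ->", skip_spam_checks(SAMPLE, WATERMARK_SECRET, t0))
    print("relayed    ->", skip_spam_checks(relayed, WATERMARK_SECRET, t0 + 60))
    print("after 5d   ->", skip_spam_checks(relayed, WATERMARK_SECRET,
                                            t0 + WATERMARK_LIFETIME + 1))
    print("bad secret ->", skip_spam_checks(relayed, b"wrong", t0 + 60))
```

In this sketch the tag covers only the Message-ID and the expiry, so the lifetime is what bounds how long a copied header stays acceptable; leaving the secret at its shipped placeholder makes every watermark forgeable.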
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sun Jul 29 19:31:13 2007 Subject: query if mailscanner using clamscan In-Reply-To: References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A87494.6060002@ecs.soton.ac.uk> <1597.62.150.152.226.1185458853.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> <46A8BC68.1020901@ecs.soton.ac.uk> <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw> <46A91552.5060809@ecs.soton.ac.uk> <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw> <223f97700707270047q350fac70n95878b33cab3563d@mail.gmail.com> <40337.62.150.152.60.1185615256.squirrel@webmail.baladia.gov.kw> <46AB24AF.7060804@ecs.soton.ac.uk> <46AB330F.2080204@ecs.soton.ac.uk> <46AC7383.1010904@ecs.soton.ac.uk> Message-ID: <46ACDCD8.8030502@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hugo, You should be a happy man :-) "MailScanner --lint" now scans an actual email message containing Eicar with every installed virus scanner and reports the results. Any that didn't find it are obviously not configured correctly. I said it wasn't simple, I never said I couldn't do it ;-) Best regards, Jules. Hugo van der Kooij wrote: > On Sun, 29 Jul 2007, Julian Field wrote: > >> You have your wish. 4.62.7-2 will detect multiple clam scanners >> installed and will use the most sensible one, when you specify "Virus >> Scanners = auto". The scanners actually used will be in the maillog. >> >> Please download it and give it a try. >> >> I can't see a way to easily test to see if a scanner is broken, sorry. > > I was afraid of that. I can not think of a simple test scenario either. > > Perhaps if the error condition is clear enough in the log I can think > of a trigger within logwatch and report on it. > > Hugo. 
> Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGrNzZEfZZRxQVtlQRAuxTAJ90VEtYlPkoEAIRod1+DIlFsYKPIgCgmwYS 8Yt35IX44uW2q8Gk08To4x8= =A2n1 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From uxbod at splatnix.net Sun Jul 29 20:19:21 2007 From: uxbod at splatnix.net (UxBoD) Date: Sun Jul 29 20:15:55 2007 Subject: query if mailscanner using clamscan In-Reply-To: <46ACDCD8.8030502@ecs.soton.ac.uk> Message-ID: <17976414.5641185736761405.JavaMail.root@office.splatnix.net> Jules, Do you ever turn off your PC @ the weekend ? ;) Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- 
From: "Julian Field" To: "MailScanner discussion" Sent: 29 July 2007 19:30:48 o'clock (GMT) Europe/London Subject: Re: query if mailscanner using clamscan -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hugo, You should be a happy man :-) "MailScanner --lint" now scans an actual email message containing Eicar with every installed virus scanner and reports the results. Any that didn't find it are obviously not configured correctly. I said it wasn't simple, I never said I couldn't do it ;-) Best regards, Jules. Hugo van der Kooij wrote: > On Sun, 29 Jul 2007, Julian Field wrote: > >> You have your wish. 4.62.7-2 will detect multiple clam scanners >> installed and will use the most sensible one, when you specify "Virus >> Scanners = auto". The scanners actually used will be in the maillog. >> >> Please download it and give it a try. >> >> I can't see a way to easily test to see if a scanner is broken, sorry. > > I was afraid of that. I can not think of a simple test scenario either. > > Perhaps if the error condition is clear enough in the log I can think > of a trigger within logwatch and report on it. > > Hugo. > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGrNzZEfZZRxQVtlQRAuxTAJ90VEtYlPkoEAIRod1+DIlFsYKPIgCgmwYS 8Yt35IX44uW2q8Gk08To4x8= =A2n1 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From r.berber at computer.org Mon Jul 30 02:09:31 2007 From: r.berber at computer.org (René Berber) Date: Mon Jul 30 02:09:52 2007 Subject: Patch for languages.conf in spanish Message-ID: Hi, Thought this may be useful, I updated the strings that are still in English in the above mentioned file for the current beta. --- MailScanner-4.62.7/etc/reports/es/languages.conf-orig 2007-07-30 01:07:28.437500000 +0000 +++ MailScanner-4.62.7/etc/reports/es/languages.conf 2007-07-30 01:08:19.250000000 +0000 @@ -69,7 +69,7 @@ MCPblacklisted = MCP-Blacklisted MCPwhitelisted = MCP-Whitelisted MCPsadisabled = MCP disabled -MCPsanoheaders = MCP Message had no headers +MCPsanoheaders = MCP mensaje sin encabezados MCPsatimedout = MCP timed out # Used in passworded-archives checks UnreadableArchive = El mensaje contiene un anexo comprimido que no se puede leer @@ -87,7 +87,7 @@ PossibleFraudEnd =
NumericLinkWarning = MailScanner le advierte: los links numericos son comunmente utilizados en actividades maliciosas: # Used in "From:" header of many reports -PostmasterName = Alerce +PostmasterName = Postmaster GSDisabled = El Analizador de Mensajes no deseados a medida fue deshabilitado debido a fallas repetidas # Used in simple filename allow/deny rules (not filename.rules.conf) FoundBlockedFilename = Se detecto un nombre de archivo bloqueado @@ -96,7 +96,7 @@ cached = almacenado notcached = no almacenado # Used when testing message size against Max Spam Check Size -skippedastoobig = not spam (too large) +skippedastoobig = no es spam (demasiado grande) # Used in the watermarking spam report watermarked = watermarked -NoticeSizeInfected = Attachment detected outside size limits +NoticeSizeInfected = Adjunto detectado fuera de limites de tama?o -- Ren? Berber From rgills at intratechsystems.com Mon Jul 30 02:32:04 2007 
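Review bot: In the last hunk the new NoticeSizeInfected value arrives as "fuera de limites de tama?o": the ñ did not survive being mailed inline, so applying the patch as posted would put a literal "?" into the Spanish report text. Please resend it as an attachment, or in the encoding the rest of es/languages.conf already uses. In the @@ -87,7 +87,7 @@ hunk, PostmasterName changes from "Alerce" to "Postmaster"; that is not one of the strings "still in English" the message describes, and the comment above it says the value is used in the "From:" header of many reports, so the reason for that change should be stated. The unchanged context also still carries English values (MCPsadisabled = MCP disabled, MCPsatimedout = MCP timed out, watermarked = watermarked); either translate them in the same patch or say that they are left on purpose.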
From: rgills at intratechsystems.com (Rob Gills) Date: Mon Jul 30 02:37:00 2007 Subject: log message MailScanner: waiting for children to die In-Reply-To: <463829EE.7080009@filmakademie.de> References: <463829EE.7080009@filmakademie.de> Message-ID:

G'day All,

This is not a problem posting, just want to share something that I discovered while setting up a new system last week. Perhaps it will assist someone else one day.

I administer quite a number of email systems, and have been using the MailScanner/Sendmail/Mailwatch combination for a long time. When I set up a replacement server for a hardware upgrade, I, of course, use copy and paste to get all the config files whipped into shape, duplicating the retiring server configuration where applicable.

During the course of building a replacement server recently, I installed MailScanner and the ClamAV/Spamassassin package, and tested the install, everything was perfect. I then installed Mailwatch and the problem started. MailScanner would start at boot and then within two minutes kill and restart continuously. Mail would be processed thru the server, but as a result of the constant MailScanner restarting, mail would process slowly. The following line would appear repeatedly in the messages log file:

MailScanner: waiting for children to die: Process did not exit cleanly, returned 255 with signal 0

I knew that Spamassassin was running clean, so I tried MailScanner --debug, and also checked all the version info with MailScanner -v. All the version info seemed ok. The debug run would spit out what seemed to be an erroneous message, sometimes the first message below, sometimes the second message below:

Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 1.
Can't use an undefined value as an ARRAY reference at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 223

It turned out that the error that I made was to have inadvertently pasted &MailWatchLogging on TWO lines in MailScanner.conf as follows:

Always Looked Up Last = &MailWatchLogging
Always Looked Up Last After Batch = &MailWatchLogging

As soon as I commented out the 'Always Looked Up Last After Batch = &MailWatchLogging' line......the system works flawlessly. I just wanted to share this in case it helps someone someday.

Kudos to Julian for the fantastic contribution that you make to email administrators' sanity!! Kudos to all who contribute here by answering posts and assisting with resolutions!!

Cheers, Rob Gills Ontario, Canada

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Götz Reinicke Sent: May 2, 2007 2:05 AM To: mailscanner@lists.mailscanner.info Subject: log message MailScanner: waiting for children to die

Hi, we recently upgraded our mailserver from Red Hat Enterprise Linux 4 to RHEL 5. We use the latest release of mailscanner and sendmail-8.13.8. Everything is up and running very well, except that I get the following message lots of times:

MailScanner: waiting for children to die: Process did not exit cleanly, returned 255 with signal 0

I'm using our "old" configuration from RHEL4 which worked without the message for a couple of years. Any ideas or tips?

Best regards Götz Reinicke

-- Götz Reinicke IT Coordinator Tel. +49 7141 969 420 Fax +49 7141 969 55 420 E-Mail goetz.reinicke@filmakademie.de Filmakademie Baden-Württemberg GmbH Mathildenstr. 20 71638 Ludwigsburg www.filmakademie.de Registered at Amtsgericht Stuttgart, HRB 205016 Chairman of the Supervisory Board: Dr. Christoph Palmer, MdL, former Minister Managing Director: Prof. Thomas Schadt

From hvdkooij at vanderkooij.org Mon Jul 30 06:38:57 2007
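Rob Gills's fix above came down to one custom function (&MailWatchLogging) pasted onto two settings in MailScanner.conf. The following is an added example, not MailScanner or MailWatch code: a small Python check that flags any &CustomFunction bound to more than one setting so it can be reviewed before a restart. The sample configurations are constructed, the function names are hypothetical, and comparing setting names without regard to case and spacing is an assumption.

```python
"""Flag a MailScanner custom function that is bound to more than one setting."""
import re
import sys
from collections import defaultdict

# Constructed excerpt reproducing the two lines quoted in the post.
SAMPLE_BROKEN = """\
# MailScanner.conf excerpt (constructed for this example)
Max Children = 5
Virus Scanners = auto
Always Looked Up Last = &MailWatchLogging
Always Looked Up Last After Batch = &MailWatchLogging
"""

# The same excerpt after the fix described in the post:
# the "After Batch" line is commented out.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "Always Looked Up Last After Batch",
    "#Always Looked Up Last After Batch",
)

SETTING_RE = re.compile(r"^\s*([^#=]+?)\s*=\s*(.*?)\s*$")
CUSTOM_FN_RE = re.compile(r"^&(\w+)")


def setting_key(name):
    """Normalise a setting name (assumption: case and spacing do not matter)."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def custom_function_bindings(conf_text):
    """Map each &CustomFunction to the (line number, setting) pairs using it."""
    bindings = defaultdict(list)
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):
            continue  # commented-out settings are inactive
        match = SETTING_RE.match(raw)
        if not match:
            continue
        setting, value = match.groups()
        fn = CUSTOM_FN_RE.match(value)
        if fn:
            bindings[fn.group(1)].append((lineno, setting))
    return dict(bindings)


def duplicate_hooks(conf_text):
    """Return only the functions that are bound to two or more distinct settings."""
    dupes = {}
    for fn, uses in custom_function_bindings(conf_text).items():
        if len({setting_key(setting) for _, setting in uses}) > 1:
            dupes[fn] = uses
    return dupes


def report(conf_text):
    """Human-readable findings, one list entry per output line."""
    lines = []
    for fn, uses in sorted(duplicate_hooks(conf_text).items()):
        lines.append(f"&{fn} is bound to {len(uses)} settings:")
        lines.extend(f"  line {lineno}: {setting}" for lineno, setting in uses)
    return lines


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the broken sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            text = handle.read()
    else:
        text = SAMPLE_BROKEN
    findings = report(text)
    print("\n".join(findings) if findings else "no custom function is bound twice")
    sys.exit(1 if findings else 0)
```

A non-zero exit status makes the check usable as a gate in a deployment script that copies configuration from a retiring server.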
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Jul 30 06:39:07 2007 Subject: query if mailscanner using clamscan In-Reply-To: <46ACDCD8.8030502@ecs.soton.ac.uk> References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46A8B477.60603@ecs.soton.ac.uk> <1872.62.150.152.226.1185460305.squirrel@webmail.baladia.gov.kw> <46A8BC68.1020901@ecs.soton.ac.uk> <2038.62.150.152.226.1185483170.squirrel@webmail.baladia.gov.kw> <46A91552.5060809@ecs.soton.ac.uk> <1734.62.150.152.226.1185518513.squirrel@webmail.baladia.gov.kw> <223f97700707270047q350fac70n95878b33cab3563d@mail.gmail.com> <40337.62.150.152.60.1185615256.squirrel@webmail.baladia.gov.kw> <46AB24AF.7060804@ecs.soton.ac.uk> <46AB330F.2080204@ecs.soton.ac.uk> <46AC7383.1010904@ecs.soton.ac.uk> <46ACDCD8.8030502@ecs.soton.ac.uk> Message-ID:

On Sun, 29 Jul 2007, Julian Field wrote:
> You should be a happy man :-)
>
> "MailScanner --lint" now scans an actual email message containing Eicar
> with every installed virus scanner and reports the results. Any that
> didn't find it are obviously not configured correctly.
>
> I said it wasn't simple, I never said I couldn't do it ;-)

I am happy MS wise. But I have been fighting all weekend with a laptop to make it understand Linux. So far only OpenSuSE is able to activate the network card. Both Centos and Mandriva did not make it. So I will burn a Fedora 7 DVD and try that one tonight. (OpenSuSE is a bit too much GUI config for my taste.) After that I will give the new beta a shot.

Hugo.

PS: Windows is not an option. This is an actual laptop without getting Windows pushed along with it.

-- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.)

From jayesha_shinde at yahoo.com Mon Jul 30 07:58:52 2007
From: jayesha_shinde at yahoo.com (jayesh shinde) Date: Mon Jul 30 07:58:55 2007 Subject: Inbound mails increase, MS get slow Message-ID: <490363.66576.qm@web54408.mail.yahoo.com>

Hi;

> How many CPUs are in the server ? How much memory does it have ? What
> rulesets are you using with SA ? What RBLs are you using with MS ? All
> these elements could slow down mail delivery dependent on how your
> server is set up.

Thanks for your reply. Here is the info for the above: one CPU, Pentium(R) 4 CPU 3.00GHz, 2GB RAM. I am using SA rules from www.rulesemporium.com. With MS I am using SBL+XBL.

For my above problem I increased the max children from 5 to 10 in MS as "Max Children = 10". Then I stopped scanning of email through SA in MS for 2 hours. After the above 2 changes my problem was solved and the whole queue got cleared. I am guessing that my problem is related to SA only. Any suggestion for me on this, UxBoD?

Thanks & Regards Jayesh Shinde

-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070729/994502d3/attachment.html

From uxbod at splatnix.net Mon Jul 30 08:37:06 2007 From: uxbod at splatnix.net (UxBoD) Date: Mon Jul 30 08:33:39 2007 Subject: Inbound mails increase, MS get slow In-Reply-To: <490363.66576.qm@web54408.mail.yahoo.com> Message-ID: <8248938.5701185781026942.JavaMail.root@office.splatnix.net>

Hi, I would change XBL+SBL to be spamhaus-ZEN, as I believe they are now merged together. May also be useful to post a lint output so we can see what is happening.

Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "jayesh shinde" To: mailscanner@lists.mailscanner.info Sent: Monday, July 30, 2007 7:58:52 AM (GMT) Europe/London Subject: Re: Inbound mails increase, MS get slow

From uxbod at splatnix.net Mon Jul 30 09:56:33 2007 From: uxbod at splatnix.net (UxBoD) Date: Mon Jul 30 09:53:07 2007 Subject: Release 4.62.7 beta In-Reply-To: <46ACD68C.2030103@maddoc.net> Message-ID: <6959088.5791185785793474.JavaMail.root@office.splatnix.net>

Jules, installed the RPM @ work and get the following error :-

Not a SCALAR reference at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 1331.

There is an extra $ on the line :-

chown $global::MS->{work}->{uid}, $$global::MS->{work}->{gid}, $filename

Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Doc Schneider" To: "MailScanner discussion" Sent: Sunday, July 29, 2007 7:03:56 PM (GMT) Europe/London Subject: Re: Release 4.62.7 beta -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Julian Field wrote: > I have just released another beta, 4.62.7. > Download as usual from www.mailscanner.info. > -- "ClamAV Full Message Scan = yes" will make ClamAV get the full > message as 1 file, so all the ClamAV 'type 4' signatures which spot spam > will always work reliably. This will help you a lot if you are using the > sanesecurity signatures or any others like it. If you're not using this, > I strongly recommend it as it will help a lot with your spam detection. This is working great now! And is detecting those e-card scam. ClamAV Module: message was infected: Email.Phishing.RB-1216 Good job Jules. - -- - -Doc Lincoln, NE. http://www.genealogyforyou.com/ http://www.cairnproductions.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org iD8DBQFGrNaLqOEeBwEpgcsRAs7jAJ9X40KE4TG0Dk6uSRX3reoy1tw+WwCgkCrP oj5Oi5jRuWoCUQPKvTvzFbQ= =gvD+ -----END PGP SIGNATURE----- -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From minduni at ti-edu.ch Mon Jul 30 10:07:13 2007 
From: minduni at ti-edu.ch (Marco Induni) Date: Mon Jul 30 10:07:15 2007 Subject: Filename rule question In-Reply-To: <223f97700707091232q691a2277i75715cfe09c3be94@mail.gmail.com> References: <468A6663.8010907@ti-edu.ch> <468BC099.7060508@ti-edu.ch> <223f97700707041520j5e8be73bt17235c459ec441c5@mail.gmail.com> <468CACEF.30202@ti-edu.ch> <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> <468CDC23.7000500@ti-edu.ch> <223f97700707051316y462cffd5ka6ce8064d614350f@mail.gmail.com> <468E09B6.10605@ti-edu.ch> <223f97700707060540n7c7b022eye5700536d480541c@mail.gmail.com> <4691EC0A.3040209@ti-edu.ch> <223f97700707091232q691a2277i75715cfe09c3be94@mail.gmail.com> Message-ID: <46ADAA41.6030501@ti-edu.ch> Hi Glenn, any news about my email ? Thank you ------------------------------------ Hi Glenn I'm back, hpo you enjoyed your vacation > Good. . . I'm on vacation too;). > > On 09/07/07, Marco Induni wrote: >> Glenn Steen wrote: >> > On 06/07/07, Marco Induni wrote: >> >> Glenn Steen wrote: >> > (snip) >> >> >> >> >> >> >> >> > To my tired eyes that doesn't look that bad... More's the pity... >> >> Hope now you eyes are better >> > :-) >> > >> >> > Seems you don't install SA and Clamav by way of Jules easy >> package (or >> >> > else a lot more of the optional modules would be there)... Hm... One >> >> > could start installing those, of course, but I don't see them having >> >> > an effect. >> >> In fact, we use uvscan(mcafee) and sometime clamav AV, but they are >> >> installed apart (SA via CPAN / clamav make /make install) >> > Ok. I don't think you need remove/reinstall with Jules package... It >> > does more or less those, and then adds a lot of perl modules to make >> > Mail::ClamAV happy. Would be passing strange if that had any impact on >> > this problem. >> > >> >> > You did say that restoring the default filename/filetype >> >> > rules files and reloading/restarting MailScanner didn't have any >> >> > effect either? Most strange. >> >> Yes, it is so. 
>> > >> > This make me think there is something seriously wrong here... And >> > perhaps not _directly_ related to the rule file used... Unless of >> > course the files aren't readable or something strange like that... >> > Nah, probably not. >> > >> >> > How did you install the MIME::* packages? Via jules installer or via >> >> > distro or CPAN? >> >> Via jules. I've installed the new version a couple of days ago. >> >> >> > You could try reinstall them (force them from CPAN or something), just >> > to see that they build/install OK... I've extracted all the MIME from the Jules rpm and then installed manually (perl Makefile.pl / make / make install) this is the output of all the steps [root MIME-tools-5.420]# perl Makefile.PL Checking for module File::Path (version 1)... ok. Checking for module File::Spec (version 0.6)... ok. Checking for module IO::Stringy (version 1.211)... ok. Checking for module MIME::Base64 (version 3.03)... ok. Checking for module Mail::Field (version 1.05)... ok. Checking for module Mail::Header (version 1.01)... ok. Checking for module Mail::Internet (version 1.0203)... ok. Checking if your kit is complete... 
Looks good Writing Makefile for MIME-tools [root MIME-tools-5.420]# make cp lib/MIME/Decoder/Gzip64.pm blib/lib/MIME/Decoder/Gzip64.pm cp lib/MIME/Body.pm blib/lib/MIME/Body.pm cp lib/MIME/Field/ContDisp.pm blib/lib/MIME/Field/ContDisp.pm cp lib/MIME/Field/ContType.pm blib/lib/MIME/Field/ContType.pm cp lib/MIME/Decoder/NBit.pm blib/lib/MIME/Decoder/NBit.pm cp lib/MIME/Parser/Results.pm blib/lib/MIME/Parser/Results.pm cp lib/MIME/Words.pm blib/lib/MIME/Words.pm cp lib/MIME/Entity.pm blib/lib/MIME/Entity.pm cp lib/MIME/Parser/Filer.pm blib/lib/MIME/Parser/Filer.pm cp lib/MIME/Head.pm blib/lib/MIME/Head.pm cp lib/MIME/Field/ParamVal.pm blib/lib/MIME/Field/ParamVal.pm cp lib/MIME/Decoder/BinHex.pm blib/lib/MIME/Decoder/BinHex.pm cp lib/MIME/Tools.pm blib/lib/MIME/Tools.pm cp lib/MIME/Field/ConTraEnc.pm blib/lib/MIME/Field/ConTraEnc.pm cp lib/MIME/Decoder/Binary.pm blib/lib/MIME/Decoder/Binary.pm cp lib/MIME/Decoder.pm blib/lib/MIME/Decoder.pm cp lib/MIME/Decoder/UU.pm blib/lib/MIME/Decoder/UU.pm cp lib/MIME/Decoder/Base64.pm blib/lib/MIME/Decoder/Base64.pm cp lib/MIME/Decoder/QuotedPrint.pm blib/lib/MIME/Decoder/QuotedPrint.pm cp lib/MIME/WordDecoder.pm blib/lib/MIME/WordDecoder.pm cp lib/MIME/Parser.pm blib/lib/MIME/Parser.pm cp lib/MIME/Parser/Reader.pm blib/lib/MIME/Parser/Reader.pm Manifying blib/man3/MIME::Body.3pm Manifying blib/man3/MIME::Decoder::Gzip64.3pm Manifying blib/man3/MIME::Field::ContDisp.3pm Manifying blib/man3/MIME::Parser::Results.3pm Manifying blib/man3/MIME::Field::ContType.3pm Manifying blib/man3/MIME::Decoder::NBit.3pm Manifying blib/man3/MIME::Entity.3pm Manifying blib/man3/MIME::Head.3pm Manifying blib/man3/MIME::Parser::Filer.3pm Manifying blib/man3/MIME::Words.3pm Manifying blib/man3/MIME::Field::ParamVal.3pm Manifying blib/man3/MIME::Decoder::BinHex.3pm Manifying blib/man3/MIME::Tools.3pm Manifying blib/man3/MIME::Field::ConTraEnc.3pm Manifying blib/man3/MIME::Decoder::Binary.3pm Manifying blib/man3/MIME::Decoder.3pm Manifying 
blib/man3/MIME::Decoder::UU.3pm Manifying blib/man3/MIME::Decoder::QuotedPrint.3pm Manifying blib/man3/MIME::Decoder::Base64.3pm Manifying blib/man3/MIME::WordDecoder.3pm Manifying blib/man3/MIME::Parser::Reader.3pm Manifying blib/man3/MIME::Parser.3pm [root MIME-tools-5.420]# make test PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t t/Body..............ok t/Decoder...........ok t/Entity............ok t/Gauntlet..........ok t/Head..............ok t/Misc..............ok t/Parser............ok t/ParserEncoded.....ok t/ParserPreamble....ok t/Ref...............ok t/WordDecoder.......ok t/Words.............ok All tests successful. Files=12, Tests=239, 4 wallclock secs ( 2.85 cusr + 0.24 csys = 3.09 CPU) [root MIME-tools-5.420]# make install Writing /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MIME-tools/.packlist Appending installation info to /usr/lib/perl5/5.8.0/i386-linux-thread-multi/perllocal.pod Also, I've tried to block the attachment with the Deny Filenames = default.asp directly on the Mailscanner.conf, but I received the mail with the attachment Cheers Marco >> > Apart from this, you don't see any strange log entries in the normal >> > syslog? We really need to get a handle on what is going bonkers here. >> > Cheers >> Glenn, >> I'm on vacation. I will do it all the test starting from 24 of july. >> So I will not bother you for 2 weeks ;-) >> >> Cheers >> Marco >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > -- Marco Induni Universita` della Svizzera italiana Servizi informatici / TI-EDU Galleria 2 CH-6928 Manno (Switzerland) E-mail: minduni@ti-edu.ch Tel: +41 58 666 6656 Fax: +41 58 666 6650 From matt at coders.co.uk Mon Jul 30 10:25:20 2007 
From: matt at coders.co.uk (Matt Hampton) Date: Mon Jul 30 10:22:46 2007 Subject: CRM114 In-Reply-To: <19623251.5491185708685494.JavaMail.root@office.splatnix.net> References: <19623251.5491185708685494.JavaMail.root@office.splatnix.net> Message-ID: <46ADAE80.3030603@coders.co.uk> UxBoD wrote: > Well I have installed it, so lets see what happens ;) Probably just me - but where did you get it from - all of the links in the wiki are dead. matt From uxbod at splatnix.net Mon Jul 30 10:35:59 2007 From: uxbod at splatnix.net (UxBoD) Date: Mon Jul 30 10:32:22 2007 Subject: CRM114 In-Reply-To: <46ADAE80.3030603@coders.co.uk> Message-ID: <674211.5821185788159882.JavaMail.root@office.splatnix.net> emerge crm :) or use the RPM from rpmfind.net Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- From: "Matt Hampton" To: "MailScanner discussion" Sent: Monday, July 30, 2007 10:25:20 AM (GMT) Europe/London Subject: Re: CRM114 UxBoD wrote: > Well I have installed it, so lets see what happens ;) Probably just me - but where did you get it from - all of the links in the wiki are dead. matt -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From uxbod at splatnix.net Mon Jul 30 10:46:00 2007 
From: uxbod at splatnix.net (UxBoD) Date: Mon Jul 30 10:42:24 2007 Subject: CRM114 In-Reply-To: <46ADAE80.3030603@coders.co.uk> Message-ID: <23817080.5851185788760395.JavaMail.root@office.splatnix.net>

Have had it running on the works mail stream for about 10 minutes and the results are looking pretty good :)

cached not score=34.425 10 required autolearn=spam
 3.00  BAYES_95                Bayesian spam probability is 95 to 99%
 7.36  CRM114_CHECK
 0.00  FH_HELO_EQ_D_D_D_D      Helo is d-d-d-d
 1.85  FM_SEX_HELODDDD         Sex words + helo = dddd
 1.40  HELO_DYNAMIC_DHCP       Relay HELO'd using suspicious hostname (DHCP)
 2.43  HELO_DYNAMIC_IPADDR     Relay HELO'd using suspicious hostname (IP addr 1)
 1.96  RCVD_IN_BL_SPAMCOP_NET  Received via a relay in bl.spamcop.net
 0.96  RCVD_IN_DSBL            Received via a relay in list.dsbl.org
 0.62  RCVD_IN_SORBS_WEB       SORBS: sender is a abuseable web server
 3.03  RCVD_IN_XBL             Received via a relay in Spamhaus XBL
 0.10  RDNS_DYNAMIC            Delivered to trusted network by host with dynamic-looking rDNS
 1.67  SARE_OBFU_PART_ORG      obfusciation of word containing org
 1.00  SARE_SUB_PORN_WORD11    Adult spammer words
 3.00  URIBL_BLACK             Contains an URL listed in the URIBL blacklist
 1.50  URIBL_JP_SURBL          Contains an URL listed in the JP SURBL blocklist
 1.50  URIBL_OB_SURBL          Contains an URL listed in the OB SURBL blocklist
 1.08  URIBL_RHS_DOB           Contains an URI of a new domain (Day Old Bread)
 0.47  URIBL_SC_SURBL          Contains an URL listed in the SC SURBL blocklist
 1.50  URIBL_WS_SURBL          Contains an URL listed in the WS SURBL blocklist

Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Matt Hampton" To: "MailScanner discussion" Sent: Monday, July 30, 2007 10:25:20 AM (GMT) Europe/London Subject: Re: CRM114 UxBoD wrote: > Well I have installed it, so lets see what happens ;) Probably just me - but where did you get it from - all of the links in the wiki are dead. matt -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Mon Jul 30 11:37:44 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Jul 30 11:37:45 2007 Subject: Filename rule question In-Reply-To: <46ADAA41.6030501@ti-edu.ch> References: <468A6663.8010907@ti-edu.ch> <468CACEF.30202@ti-edu.ch> <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> <468CDC23.7000500@ti-edu.ch> <223f97700707051316y462cffd5ka6ce8064d614350f@mail.gmail.com> <468E09B6.10605@ti-edu.ch> <223f97700707060540n7c7b022eye5700536d480541c@mail.gmail.com> <4691EC0A.3040209@ti-edu.ch> <223f97700707091232q691a2277i75715cfe09c3be94@mail.gmail.com> <46ADAA41.6030501@ti-edu.ch> Message-ID: <223f97700707300337gb9c8a8l55e517a09e4afab4@mail.gmail.com> On 30/07/07, Marco Induni wrote: > Hi Glenn, any news about my email ? > > Thank you Hi Marco, sorry I didn't get back to you sooner... Been a somewhat hectic return from vacation...:). (snip) That all looked pretty good, unfortunately. I've been thinking that you might have changed some limits to ... unreasonable values... What do you have for Maximum Message Size Maximum Attachment Size Minimum Attachment Size in MailScanner.conf? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Mon Jul 30 11:50:04 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 30 11:51:12 2007 Subject: Release 4.62.7 beta In-Reply-To: <6959088.5791185785793474.JavaMail.root@office.splatnix.net> References: <6959088.5791185785793474.JavaMail.root@office.splatnix.net> Message-ID: <46ADC25C.3070005@ecs.soton.ac.uk> Thanks. Fixed. I'll update the beta before the USA start trying it. UxBoD wrote: > Jules, > > installed the RPM @ work and get the following error :- > > Not a SCALAR reference at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 1331. > > There is a extra $ on the line :- > > chown $global::MS->{work}->{uid}, $$global::MS->{work}->{gid}, $filename > > > Regards, > > --[ UxBoD ]-- > // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B > // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B > // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net > > ----- Original Message ----- 
> From: "Doc Schneider" > To: "MailScanner discussion" > Sent: Sunday, July 29, 2007 7:03:56 PM (GMT) Europe/London > Subject: Re: Release 4.62.7 beta > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Julian Field wrote: > >> I have just released another beta, 4.62.7. >> Download as usual from www.mailscanner.info. >> > > >> -- "ClamAV Full Message Scan = yes" will make ClamAV get the full >> message as 1 file, so all the ClamAV 'type 4' signatures which spot spam >> will always work reliably. This will help you a lot if you are using the >> sanesecurity signatures or any others like it. If you're not using this, >> I strongly recommend it as it will help a lot with your spam detection. >> > > This is working great now! And is detecting those e-card scam. > > ClamAV Module: message was infected: Email.Phishing.RB-1216 > > Good job Jules. > > - -- > - -Doc > Lincoln, NE. > http://www.genealogyforyou.com/ > http://www.cairnproductions.com/ > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.5 (GNU/Linux) > Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org > > iD8DBQFGrNaLqOEeBwEpgcsRAs7jAJ9X40KE4TG0Dk6uSRX3reoy1tw+WwCgkCrP > oj5Oi5jRuWoCUQPKvTvzFbQ= > =gvD+ > -----END PGP SIGNATURE----- > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Mon Jul 30 11:56:56 2007 
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 30 11:57:17 2007
Subject: Release beta 4.62.8
Message-ID: <46ADC3F8.2060101@ecs.soton.ac.uk>

I have just released another new beta, due to a typo in the code in the
previous one.

-- As well as fixing that error, you should now find that
   "MailScanner --lint" does rather more than it used to. It now checks
   that your installed virus scanners actually successfully detect a virus.
-- "Virus Scanners = auto" now handles multiple different types of
   installation of ClamAV and will use clamd in preference, else
   clamavmodule, else clamav.

Download as usual from www.mailscanner.info.

The full Change Log is now this (enormous!)

* New Features and Improvements *
1 Improved non-Linux installer.
1 Improved Linux installer.
1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this.
1 Upgraded MIME::Base64 to 3.07.
1 Improved error reporting for clamd permissions problems. Thanks Rick.
2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and
  /usr/sbin/update_spamassassin. For a good use of this, see
  http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
  and search for "HOWTO" in the Subject: line of the MailScanner-discussion
  list archive. This process replaces RulesDuJour entirely.
  Another good ruleset to add to your setup is
  http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
  To download this automatically every night, fetch
  http://www.mailscanner.info/files/4/KAM.cf.sh
  and put it in /etc/cron.daily and make it executable
  (type "chmod +x /etc/cron.daily/KAM.cf.sh").
3 Added "Known Web Bug Servers" so you can blacklist images from known
  servers of web bug services.
3 Added functionality of "milter-null" to MailScanner so you no longer need
  to run this separately. It is called "Watermarking" and there is a whole
  section for the settings in MailScanner.conf. They are
      Add Watermark = yes
      Skip Spam Checks If Watermark Valid = yes
      Watermark Header = MailScanner-%org-name%-Watermark:
      Watermark Lifetime = 432000 # in seconds, = 5 days
      Watermark Secret = SET-THIS-TO-A-SECRET!
  Also added Digest::MD5 to the required list of Perl modules, this is
  needed for the watermarking code.
3 Added optional image to the clean message signature. You can also use
  this to add an arbitrary image attachment to any message, if you so wish.
  The main point is to be able to have graphical HTML signatures on
  messages. The settings are
      Attach Image To Signature = no
      Attach Image To HTML Message Only = yes
      Signature Image Filename = %report-dir%/sig.jpg
      Signature Image Filename = signature.jpg
4 Added support for Kaspersky kav4fs. Set virus.scanners.conf entry to
  point to /opt/kaspersky.
4 Changed default value to "Max SpamAssassin Size = 100k" as modern PDF
  spams are getting quite large, and PDFInfo.pm doesn't work with cropped
  messages.
4 Improved Clamd parser to handle Sane Security ClamAV signature databases
  which detect spam and so on from the contents of the headers, and hence
  find infections without attachment filenames. Thanks to various people
  for help with this, you know who you are :-)
4 Improved upgrade_MailScanner_conf so that it checks that the 'Monitors
  for ClamAV Updates' setting looks for inc and cvd files. Problems have
  recently been suffered by many due to the value of this setting being out
  of date. It doesn't automatically re-write their setting in case they
  have installed ClamAV somewhere odd and have customised it.
4 Changed 'Monitors for Sophos Updates' setting default value to point to
  appropriate file for Sophos version 5 and upwards, and have added check
  in upgrade_MailScanner_conf to ensure their setting now points to a new
  location. It prints a warning if sophos-av does not appear in the path.
4 Added configuration setting "SpamAssassin Rule Actions". This setting is
  very powerful and can be used to implement many things that MCP can do,
  without having the processing overhead of MCP. The documentation for it
  is in the MailScanner.conf file. Its power is limited by your
  imagination :-) Start combining it with rulesets and you can take (or
  _not_ take) any combination of actions dependent on any bit of content in
  the message or its headers. You could try out new SA tests by storing in
  quarantine every message that matches a new particular SpamAssassin rule
  (or meta-rule for creating more complex expressions).
5 Added "custom" spam action, which takes a parameter. This is passed into
  the CustomAction function in CustomAction.pm in the CustomFunctions
  directory. This can be used to implement anything your heart desires,
  depending on the contents of a message.
7 When clamav, clamavmodule or clamd parsers are being used and new setting
  "ClamAV Full Message Scan" is set to "yes", pass each of the entire
  messages to ClamAV as well as the attachments so that the signatures that
  detect spam can work reliably. This is set to "no" by default as it has a
  speed impact.
7 The watermark options have been tweaked and renamed a bit, and one new
  feature has been added. "upgrade_MailScanner_conf" will show you the
  renames and the new feature is designed to save resources on sites with
  more than 1 MailScanner. Currently, if you have a message delivered to a
  secondary MX (with MailScanner) which relays mail to the primary MX (also
  with MailScanner) for delivery to users' mailboxes, the spam checks will
  be done twice; this is a waste of resources. The new setting
  "Check Watermarks To Skip Spam Checks = yes" will remove this waste by
  skipping the spam checks on the primary MX as the secondary has already
  done them.
7 "Virus Scanners = auto" will detect multiple types of ClamAV installed
  and tend towards the most useful one. It will use clamd else clamavmodule
  else clamav. This helps if you have all 3 installed, which is quite
  likely.
8 Greatly improved "MailScanner --lint". It now actually tests every virus
  scanner that you have installed, and checks that they can successfully
  scan a message containing the Eicar test-virus pattern. It reports the
  results from each scanner and warns you about checking any that are not
  reported.

* Fixes *
2-2 Fixed error in RPM installer.
2-3 Fixed error in update_spamassassin.
3-2 The watermarking code should do something now :-)
3-3 Rewrote the watermarking docs so they reflect the truth.
4 --lint now reads all the Custom Functions properly.
4 Bug in auto-zip fixed where attachments could be deleted without being
  added to zip. Thanks to Matt Hampton.
4 Bug with '-' in HTML attribute names confusing phishing net fixed.
  Thanks to John Wilcock.
5 Fixed 2 bugs in MSRBL clamav-signature handler. Thanks to UxBoD.
6 Fixed bug from October 2006 involving McAfee finding infections in
  headers.
7 Fixed bug when unpacking TNEF files with external decoder.
7 Fixed 'monitor files' check in upgrade_MailScanner_conf so it doesn't
  check inadvertently when doing an upgrade_languages_conf.
7-3 Fixed bug in full message file creation in scanning dir as permissions
  were wrong.

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From maillists at conactive.com Mon Jul 30 12:31:13 2007
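[Added example, not part of any list message and not MailScanner's code.] The watermark settings in the release notes above (a secret, a header and a lifetime of 432000 seconds) describe a keyed, expiring stamp that a gateway can later demand from null-sender mail. The sketch below shows that idea with HMAC-SHA256 substituted for the Digest::MD5-based scheme, whose construction the page does not give; the org name, secret, function names and result strings are assumptions.

```python
"""Illustrative keyed, expiring mail watermark (an assumed scheme, not MailScanner's)."""
import email
import hashlib
import hmac
import time

# Header name follows "MailScanner-%org-name%-Watermark:" with a made-up org name.
WATERMARK_HEADER = "MailScanner-ExampleOrg-Watermark"
WATERMARK_LIFETIME = 432000                       # seconds, = 5 days (from the release notes)
WATERMARK_SECRET = b"constructed-sample-secret"   # constructed value, never reuse


def _mac(secret, expiry, message_id):
    """Keyed digest over the expiry time and the Message-ID it protects."""
    data = f"{expiry}:{message_id}".encode("utf-8")
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def make_watermark(message_id, now=None, secret=WATERMARK_SECRET,
                   lifetime=WATERMARK_LIFETIME):
    """Return the header value '<expiry>@<mac>' for a message being stamped."""
    issued = int(time.time() if now is None else now)
    expiry = issued + lifetime
    return f"{expiry}@{_mac(secret, expiry, message_id)}"


def check_watermark(value, message_id, now=None, secret=WATERMARK_SECRET):
    """Return 'valid', 'expired', 'forged' or 'malformed'."""
    expiry_text, sep, mac = value.strip().partition("@")
    if not sep or not expiry_text.isdigit():
        return "malformed"
    expiry = int(expiry_text)
    expected = _mac(secret, expiry, message_id)
    # Constant-time comparison, so the check does not leak how much matched.
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("utf-8")):
        return "forged"
    current = int(time.time() if now is None else now)
    return "valid" if current <= expiry else "expired"


def check_null_sender_message(envelope_sender, returned_headers, now=None,
                              secret=WATERMARK_SECRET):
    """Judge a bounce-style message by the original headers it quotes.

    returned_headers is the text of the original message's headers as carried
    inside the notification; it is empty when the notification quotes none.
    """
    if envelope_sender not in ("", "<>"):
        return "not-null-sender"
    original = email.message_from_string(returned_headers)
    value = original.get(WATERMARK_HEADER)
    message_id = original.get("Message-ID")
    if value is None or message_id is None:
        return "no-watermark"
    return check_watermark(value, message_id.strip(), now=now, secret=secret)


if __name__ == "__main__":
    # Constructed sample: stamp a message, then see it come back in a bounce.
    stamp = make_watermark("<sample-1@example.org>", now=1_000_000)
    quoted = (f"Message-ID: <sample-1@example.org>\n"
              f"{WATERMARK_HEADER}: {stamp}\nSubject: hello\n\n")
    print(check_null_sender_message("<>", quoted, now=1_000_100))   # in lifetime
    print(check_null_sender_message("<>", quoted, now=1_500_000))   # too old
    print(check_null_sender_message("<>", "", now=1_000_100))       # nothing quoted
```

A notification that carries none of the original headers can only ever return "no-watermark", so any policy built on this check needs a decision for that case.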
From: maillists at conactive.com (Kai Schaetzl) Date: Mon Jul 30 12:31:16 2007 Subject: Release 4.62.7 beta In-Reply-To: <200707291809.l6TI9MhC009267@mail.deniscroombs.org> References: <200707291809.l6TI9MhC009267@mail.deniscroombs.org> Message-ID: Denis Croombs wrote on Sun, 29 Jul 2007 19:05:07 +0100: > Working 100% OK here. Sorry, Dennis, that I take out your posting, there are others, but it just hit my threshold of "Wow, was that really necessary?". Is it really necessary that people have to scroll down for years just to find you added one line? I find it surprising that quite a few people on this list talk about best practices of running a mail server but don't exercise best practices of mail writing and replying. Folks, please dedicate a second to the thought if you really need to quote just *everything* before hitting "OK" or "Send". Thanks. Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From maillists at conactive.com Mon Jul 30 12:59:36 2007 From: maillists at conactive.com (Kai Schaetzl) Date: Mon Jul 30 12:59:37 2007 Subject: CRM114 In-Reply-To: <23817080.5851185788760395.JavaMail.root@office.splatnix.net> References: <23817080.5851185788760395.JavaMail.root@office.splatnix.net> Message-ID: In what way is this "pretty good"? Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From prandal at herefordshire.gov.uk Mon Jul 30 13:00:21 2007 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Mon Jul 30 13:00:33 2007 Subject: Envelope From Header inconsistencies In-Reply-To: <46A9F423.3020701@ecs.soton.ac.uk> References: <7EF0EE5CB3B263488C8C18823239BEBA0135831B@HC-MBX02.herefordshire.gov.uk> <46A9F423.3020701@ecs.soton.ac.uk> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA013584A1@HC-MBX02.herefordshire.gov.uk> That would be great. It's an easily overlooked misconfig which would prevent spamassassin's SPF checking from working. The things you find when you lock yourself away in a quiet room for a few days and sanity-check everything without having to deal with the phone ringing every 10 minutes :-) Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: 27 July 2007 14:33 > To: MailScanner discussion > Subject: Re: Envelope From Header inconsistencies > > > > Randal, Phil wrote: > > There's a slight inconsistency in MailScanner's config > files regarding > > the Envelope From Header. > > > > MailScanner.conf.rpmnew:Envelope From Header = > > X-%org-name%-MailScanner-From: > > > > spam.assassin.prefs.conf.rpmnew:envelope_sender_header > > X-MailScanner-From > > > > That's not going to work correctly out of the box. > > > Yes, you need to customise the spam.assassin.prefs.conf file > to get the > envelope_sender_header correct. I can't easily customise it for you. > > Is this inconsistency something that MailScanner --lint > could catch in > > future? > > > Yes, it could. I'll take a look at doing that. > > > Cheers, > > > > Phil > > -- > > Phil Randal > > Network Engineer > > Herefordshire Council > > Hereford, UK > > > > Jules > > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From res at ausics.net Mon Jul 30 13:03:54 2007 
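[Added example, not part of any list message and not the check that went into "MailScanner --lint".] The mismatch quoted above, where MailScanner.conf writes X-%org-name%-MailScanner-From: while spam.assassin.prefs.conf tells SpamAssassin to read X-MailScanner-From, can be caught by comparing the two files. The sketch assumes that "%org-name% = value" lines define the variable, that setting names are matched case-insensitively, and uses constructed sample files; the function names are hypothetical.

```python
"""Compare MailScanner's 'Envelope From Header' with SpamAssassin's envelope_sender_header."""
import re

_VAR = re.compile(r"%([A-Za-z0-9_-]+)%")


def parse_mailscanner_conf(text):
    """Return {setting name: value} with %variables% expanded.

    Assumption: 'Name = value' lines, '#' starts a comment, and a line such as
    '%org-name% = ExampleOrg' defines a variable used by later values.
    """
    settings, variables = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        var = _VAR.fullmatch(key)
        if var:
            variables[var.group(1).lower()] = value
        else:
            settings[" ".join(key.lower().split())] = value

    def expand(value):
        # Unknown variables are left in place so the caller can report them.
        return _VAR.sub(lambda m: variables.get(m.group(1).lower(), m.group(0)), value)

    return {key: expand(value) for key, value in settings.items()}


def sa_envelope_sender_header(text):
    """Return the header named by envelope_sender_header (last one wins), or None."""
    found = None
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0].lower() == "envelope_sender_header":
            found = fields[1]
    return found


def lint_envelope_header(ms_conf_text, sa_prefs_text):
    """Return (ok, message) describing whether both files name the same header."""
    ms_value = parse_mailscanner_conf(ms_conf_text).get("envelope from header")
    sa_value = sa_envelope_sender_header(sa_prefs_text)
    if ms_value is None:
        return False, "MailScanner.conf: 'Envelope From Header' is not set"
    if sa_value is None:
        return False, "spam.assassin.prefs.conf: envelope_sender_header is not set"
    ms_name = ms_value.rstrip(":").strip()   # MailScanner's value carries the colon
    sa_name = sa_value.rstrip(":")
    if "%" in ms_name:
        return False, f"MailScanner.conf: unexpanded variable in '{ms_name}'"
    if ms_name.lower() != sa_name.lower():   # header names are case-insensitive
        return False, (f"mismatch: MailScanner writes '{ms_name}' but "
                       f"SpamAssassin reads '{sa_name}'")
    return True, f"both files use '{ms_name}'"


# Constructed sample files; the org name is made up.
SAMPLE_MS_CONF = """\
%org-name% = ExampleOrg
Envelope From Header = X-%org-name%-MailScanner-From:
"""
SAMPLE_SA_DEFAULT = "envelope_sender_header X-MailScanner-From\n"
SAMPLE_SA_FIXED = "envelope_sender_header X-ExampleOrg-MailScanner-From\n"

if __name__ == "__main__":
    print(lint_envelope_header(SAMPLE_MS_CONF, SAMPLE_SA_DEFAULT))
    print(lint_envelope_header(SAMPLE_MS_CONF, SAMPLE_SA_FIXED))
```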
From: res at ausics.net (Res) Date: Mon Jul 30 13:04:04 2007 Subject: Release 4.62.7 beta In-Reply-To: References: <200707291809.l6TI9MhC009267@mail.deniscroombs.org> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NotDashEscaped: You need GnuPG to verify this message On Mon, 30 Jul 2007, Kai Schaetzl wrote: > hardly a rant Kai, I agree... > Is it really necessary that people have to scroll down for years just to > find you added one line? I find it surprising that quite a few people on > this list talk about best practices of running a mail server but don't > exercise best practices of mail writing and replying. well put, but we'll be ridiculed, but the "we'll do what we want when we want but you cant" selft appointed in-crew -- Cheers Res -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGrdOqsWhAmSIQh7MRAndQAJ4u2Km0YKtrsMsTJjOuNWC6Yuvh3wCfVoNB qftspmJbTmfzsSKg+32LGTU= =maP4 -----END PGP SIGNATURE----- From uxbod at splatnix.net Mon Jul 30 13:13:18 2007 From: uxbod at splatnix.net (UxBoD) Date: Mon Jul 30 13:09:41 2007 Subject: CRM114 In-Reply-To: Message-ID: <27485834.6091185797598436.JavaMail.root@office.splatnix.net> Hi Kai, So far no FPs from using CRM114 in combination with SA. Now it has been running for a couple of hours and has learnt 5000 documents our overall SPAM detection rate has increased from 91% too 98%. So IMHO thanks to the kind person who raised the question of its use with MS in the first place. Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- 
From: "Kai Schaetzl" To: mailscanner@lists.mailscanner.info Sent: Monday, July 30, 2007 12:59:36 PM (GMT) Europe/London Subject: Re: CRM114 > In what way is this "pretty good"? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From prandal at herefordshire.gov.uk Mon Jul 30 13:17:02 2007 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Mon Jul 30 13:17:30 2007 Subject: CRM114 In-Reply-To: <27485834.6091185797598436.JavaMail.root@office.splatnix.net> References: <27485834.6091185797598436.JavaMail.root@office.splatnix.net> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA013584AC@HC-MBX02.herefordshire.gov.uk> Would anyone care to put a CRM114 howto in the MailScanner Wiki? Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD > Sent: 30 July 2007 13:13 > To: MailScanner discussion > Subject: Re: CRM114 > > Hi Kai, > > So far no FPs from using CRM114 in combination with SA. Now > it has been running for a couple of hours and has learnt 5000 > documents our overall SPAM detection rate has increased from > 91% too 98%. So IMHO thanks to the kind person who raised > the question of its use with MS in the first place. > > Regards, > > --[ UxBoD ]-- > // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg > --import" > // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B > // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B > // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net > > ----- Original Message ----- 
> From: "Kai Schaetzl" > To: mailscanner@lists.mailscanner.info > Sent: Monday, July 30, 2007 12:59:36 PM (GMT) Europe/London > Subject: Re: CRM114 > > > In what way is this "pretty good"? > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From prandal at herefordshire.gov.uk Mon Jul 30 13:28:19 2007 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Mon Jul 30 13:28:44 2007 Subject: Watermarking quirks still in 4.62.8 Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA013584B1@HC-MBX02.herefordshire.gov.uk> A couple of issues with watermarking: 1: Read receipts are getting blocked ("spam(no null-header or sender address)") 2: If I send an email from outside to a non-existent email address here, the bounce message from our Exchange server gets blocked. I've worked around this using a ruleset, but shouldn't MailScanner be letting through bounces originating from the internal network (or RFC1918 addresses) anyhow? Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK From matt at coders.co.uk Mon Jul 30 13:38:18 2007 
From: matt at coders.co.uk (Matt Hampton) Date: Mon Jul 30 13:35:57 2007 Subject: Watermarking quirks still in 4.62.8 In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA013584B1@HC-MBX02.herefordshire.gov.uk> References: <7EF0EE5CB3B263488C8C18823239BEBA013584B1@HC-MBX02.herefordshire.gov.uk> Message-ID: <46ADDBBA.3080701@coders.co.uk> Randal, Phil wrote: > A couple of issues with watermarking: > > 1: Read receipts are getting blocked ("spam(no null-header or sender > address)") Read receipts from where to where (or is this all). > > 2: If I send an email from outside to a non-existent email address here, > the bounce message from our Exchange server gets blocked. I've worked > around this using a ruleset, but shouldn't MailScanner be letting > through bounces originating from the internal network (or RFC1918 > addresses) anyhow? It should work in this case as the Watermark will be added on the incoming message and the bounce should be containing the Watermark in the headers on the way out. Is it possible for you to put up an example of a bounce on web page somewhere so I can look at it? regards Matt From paul.hutchings at mira.co.uk Mon Jul 30 14:06:43 2007 
From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Mon Jul 30 14:06:47 2007 Subject: Location of signature? Message-ID: From what I've read in the docs I think I know the answer to this one but here goes.. Is there any way to specify where in an email to insert the signature/disclaimer? I ask because if an email is finally being forwarded outside of the company, the signature will appear at the very end of the email rather than after the senders message. Can't see it being possible because after all, how would it "know" where the latest addition to the message ends, but I may as well check for sure. Cheers, Paul Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378 Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -- MIRA Ltd Watling Street, Nuneaton, Warwickshire, CV10 0TU, England. Registered in England and Wales No. 402570 VAT Registration GB 114 5409 96 The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited. From prandal at herefordshire.gov.uk Mon Jul 30 14:05:21 2007 
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Mon Jul 30 14:08:33 2007
Subject: Watermarking quirks still in 4.62.8
In-Reply-To: <46ADDBBA.3080701@coders.co.uk>
References: <7EF0EE5CB3B263488C8C18823239BEBA013584B1@HC-MBX02.herefordshire.gov.uk> <46ADDBBA.3080701@coders.co.uk>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA013584C5@HC-MBX02.herefordshire.gov.uk>

Oops, my bad. Double-checked and can't reproduce the bounce problem.

Note to myself: Make sure all MailScanner boxes are configured identically!

An internal user sends an email to the outside world requesting a
read-receipt. Recipient's Outlook generates a read-receipt which gets
blocked by MailScanner. The original email's headers are not included in
the receipt message, so there is no watermark to check.

Sanitised read receipt below:

Subject: Read: xxxxx
Date: Mon, 30 Jul 2007 12:54:18 +0100
MIME-Version: 1.0
Content-Type: multipart/report; boundary="----=_NextPart_000_0025_01C7D2A8.BE212390"; report-type=disposition-notification
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
Thread-Index: AcfKzQ0n7j/g6jVpSo6RfWZRbz2L0gDFrJygACqgSvABBFFGYAAAL41L
In-Reply-To: AAAAALxmnSrmiFpFjRWg8ttEtPck1iMA
Message-Id: <20070730115101.368B748B8A@raq2.kc3.net>
X-Virus-Scanned: by amavisd-new at localhost
X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-3.0 (mx0.herefordshire.gov.uk [172.29.97.109]); Mon, 30 Jul 2007 12:54:35 +0100 (BST)

This is a multi-part message in MIME format.

------=_NextPart_000_0025_01C7D2A8.BE212390
Content-Type: multipart/alternative; boundary="----=_NextPart_001_0026_01C7D2A8.BE212390"

------=_NextPart_001_0026_01C7D2A8.BE212390
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Your message

    To:  someone@out.there
    Subject:  FW: xxxxxx
    Sent:  30/07/2007 12:50

was read on 30/07/2007 12:53.

------=_NextPart_001_0026_01C7D2A8.BE212390 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Read: Heritage Open Days

Your message

    To:  someone@out.there
    Subject:  FW: xxxxxxxx
    Sent:  30/07/2007 12:50

was read on 30/07/2007 12:53.

------=_NextPart_001_0026_01C7D2A8.BE212390-- ------=_NextPart_000_0025_01C7D2A8.BE212390 Content-Type: message/disposition-notification Content-Transfer-Encoding: 7bit Reporting-UA: D71QML1J; Microsoft Office Outlook, Build 11.0.6353 Final-Recipient: rfc822;someone@out.there Original-Message-ID: AAAAALxmnSrmiFpFjRWg8ttEtPck1iMA Disposition: manual-action/MDN-sent-automatically; displayed ------=_NextPart_000_0025_01C7D2A8.BE212390-- Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Matt Hampton > Sent: 30 July 2007 13:38 > To: MailScanner discussion > Subject: Re: Watermarking quirks still in 4.62.8 > > Randal, Phil wrote: > > A couple of issues with watermarking: > > > > 1: Read receipts are getting blocked ("spam(no null-header or sender > > address)") > > Read receipts from where to where (or is this all). > > > > > 2: If I send an email from outside to a non-existent email > address here, > > the bounce message from our Exchange server gets blocked. > I've worked > > around this using a ruleset, but shouldn't MailScanner be letting > > through bounces originating from the internal network (or RFC1918 > > addresses) anyhow? > > It should work in this case as the Watermark will be added on the > incoming message and the bounce should be containing the Watermark in > the headers on the way out. > > > Is it possible for you to put up an example of a bounce on web page > somewhere so I can look at it? > > regards > > Matt > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> From MailScanner at ecs.soton.ac.uk Mon Jul 30 14:29:26 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 30 14:29:41 2007 Subject: Envelope From Header inconsistencies In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA013584A1@HC-MBX02.herefordshire.gov.uk> References: <7EF0EE5CB3B263488C8C18823239BEBA0135831B@HC-MBX02.herefordshire.gov.uk> <46A9F423.3020701@ecs.soton.ac.uk> <7EF0EE5CB3B263488C8C18823239BEBA013584A1@HC-MBX02.herefordshire.gov.uk> Message-ID: <46ADE7B6.7090103@ecs.soton.ac.uk> I have just added a check to MailScanner --lint to check these settings match. Randal, Phil wrote: > That would be great. > > It's an easily overlooked misconfig which would prevent spamassassin's > SPF checking from working. > > The things you find when you lock yourself away in a quiet room for a > few days and sanity-check everything without having to deal with the > phone ringing every 10 minutes :-) > > Cheers, > > Phil > > -- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Julian Field >> Sent: 27 July 2007 14:33 >> To: MailScanner discussion >> Subject: Re: Envelope From Header inconsistencies >> >> >> >> Randal, Phil wrote: >> >>> There's a slight inconsistency in MailScanner's config >>> >> files regarding >> >>> the Envelope From Header. >>> >>> MailScanner.conf.rpmnew:Envelope From Header = >>> X-%org-name%-MailScanner-From: >>> >>> spam.assassin.prefs.conf.rpmnew:envelope_sender_header >>> X-MailScanner-From >>> >>> That's not going to work correctly out of the box. >>> >>> >> Yes, you need to customise the spam.assassin.prefs.conf file >> to get the >> envelope_sender_header correct. I can't easily customise it for you. >> >>> Is this inconsistency something that MailScanner --lint >>> >> could catch in >> >>> future? >>> >>> >> Yes, it could. 
I'll take a look at doing that. >> >> >>> Cheers, >>> >>> Phil >>> -- >>> Phil Randal >>> Network Engineer >>> Herefordshire Council >>> Hereford, UK >>> >>> >> Jules >> >> -- >> Julian Field MEng CITP >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> Need help customising MailScanner? >> Contact me! >> Need help fixing or optimising your systems? >> Contact me! >> Need help getting you started solving new requirements from your boss? >> Contact me! >> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 >> >> >> -- >> This message has been scanned for viruses and >> dangerous content by MailScanner, and is >> believed to be clean. >> For all your IT requirements visit www.transtec.co.uk >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Mon Jul 30 14:30:23 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 30 14:30:42 2007 Subject: Location of signature? In-Reply-To: References: Message-ID: <46ADE7EF.60107@ecs.soton.ac.uk> You're quite right, it can't be done. It can only be added at the end of the message. Paul Hutchings wrote: > From what I've read in the docs I think I know the answer to this one > but here goes.. 
> > Is there any way to specify where in an email to insert the > signature/disclaimer? I ask because if an email is finally being > forwarded outside of the company, the signature will appear at the very > end of the email rather than after the senders message. > > Can't see it being possible because after all, how would it "know" where > the latest addition to the message ends, but I may as well check for > sure. > > Cheers, > Paul > > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378 > Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From stork at openenterprise.ca Mon Jul 30 14:43:41 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Mon Jul 30 14:43:45 2007 Subject: CRM114 In-Reply-To: <27485834.6091185797598436.JavaMail.root@office.splatnix.net> References: <27485834.6091185797598436.JavaMail.root@office.splatnix.net> Message-ID: <46ADEB0D.7030207@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... 
Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070730/727e28ad/stork.vcf From MailScanner at ecs.soton.ac.uk Mon Jul 30 14:53:35 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 30 14:53:55 2007 Subject: CRM114 In-Reply-To: <46ADEB0D.7030207@openenterprise.ca> References: <27485834.6091185797598436.JavaMail.root@office.splatnix.net> <46ADEB0D.7030207@openenterprise.ca> Message-ID: <46ADED5F.70002@ecs.soton.ac.uk> Basically, install http://mschuette.name/files/crm114.pm in /usr/lib/perl5/site_perl/5.*/Mail/SpamAssassin/Plugin/ and http://mschuette.name/files/crm114.cf in /etc/mail/spamassassin. In v320.pre add a loadplugin line for crm114: loadplugin Mail::SpamAssassin::Plugin::crm114 Then restart MailScanner. Johnny Stork wrote: > Well this sure sounds like great news (I posted the first > question)....I am looking forward to running it myself. Maybe some > quick steps to getting it installed could be posted? > > UxBoD wrote: >> Hi Kai, >> >> So far no FPs from using CRM114 in combination with SA. Now it has been running for a couple of hours and has learnt 5000 documents our overall SPAM detection rate has increased from 91% too 98%. So IMHO thanks to the kind person who raised the question of its use with MS in the first place. >> >> Regards, >> >> --[ UxBoD ]-- >> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" >> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B >> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B >> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net >> >> ----- Original Message ----- >> From: "Kai Schaetzl" >> To: mailscanner@lists.mailscanner.info >> Sent: Monday, July 30, 2007 12:59:36 PM (GMT) Europe/London >> Subject: Re: CRM114 >> >> >>> In what way is this "pretty good"? 
>>> >> >> >> > > -- > *Johnny Stork* > Business & Technology Consultant > stork@openenterprise.ca > > ______________________________________________ > *Open Enterprise Solutions* > /"Empowering Business With Open Solutions"/ > http://www.openenterprise.ca > > *Dreamscape Media* > /"Multimedia, Photography and VR Panorama's"/ > http://www.dreamscapemedia.ca > > *Open Source News* > /"Global Open Source and Technology News"/ > http://www.opensourcenews.ca Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From stork at openenterprise.ca Mon Jul 30 14:58:48 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Mon Jul 30 14:58:53 2007 Subject: CRM114 In-Reply-To: <46ADED5F.70002@ecs.soton.ac.uk> References: <27485834.6091185797598436.JavaMail.root@office.splatnix.net> <46ADEB0D.7030207@openenterprise.ca> <46ADED5F.70002@ecs.soton.ac.uk> Message-ID: <46ADEE98.1020706@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070730/0e2158db/stork.vcf From uxbod at splatnix.net Mon Jul 30 15:18:59 2007 From: uxbod at splatnix.net (UxBoD) Date: Mon Jul 30 15:15:36 2007 Subject: CRM114 In-Reply-To: <46ADED5F.70002@ecs.soton.ac.uk> Message-ID: <8384902.6331185805139308.JavaMail.root@office.splatnix.net> The plugin is automatically loaded via the .cf. 
The way I set it up was :-

1) Install CRM software
2) Create /etc/mail/spamassassin/crm114
3) cd /etc/mail/spamassassin/crm114
4) cssutil -b -r spam.css
5) cssutil -b -r nonspam.css
6) Modified mailfilter.cf with local settings
7) Same permissions on directory and files to same user that MailScanner runs as
8) Installed crm114.pm and crm114.cf
9) Modified crm114.cf to local settings
10) spamassassin -D --lint > /tmp/crm.test 2>&1 (as user in point 7) and check that all is okay
11) Restart MailScanner
12) After a few minutes check documents are being loaded ie. cssutil -b -r /etc/mail/spamassassin/crm114/spam.css with something like :-

[root@bianchi crm114]# cssutil -r -b spam.css

 Sparse spectra file spam.css statistics:

 Total available buckets : 1048577
 Total buckets in use : 108553
 Total in-use zero-count buckets : 0
 Total buckets with value >= max : 0
 Total hashed datums in file : 126637
 Documents learned : 3223
 Features learned : 126638
 Average datums per bucket : 1.17
 Maximum length of overflow chain : 7
 Average length of overflow chain : 1.18
 Average packing density : 0.10

13) If using MailWatch create a report filter with "sareport contains CRM", and see how it is scoring emails
14) Sit back, relax, and enjoy :)

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Monday, July 30, 2007 2:53:35 PM (GMT) Europe/London
Subject: Re: CRM114

Basically, install http://mschuette.name/files/crm114.pm in
/usr/lib/perl5/site_perl/5.*/Mail/SpamAssassin/Plugin/ and
http://mschuette.name/files/crm114.cf in /etc/mail/spamassassin.

In v320.pre add a loadplugin line for crm114:

loadplugin Mail::SpamAssassin::Plugin::crm114

Then restart MailScanner.

Johnny Stork wrote:
> Well this sure sounds like great news (I posted the first
> question)....I am looking forward to running it myself. Maybe some
> quick steps to getting it installed could be posted?
>
> UxBoD wrote:
>> Hi Kai,
>>
>> So far no FPs from using CRM114 in combination with SA. Now it has been running for a couple of hours and has learnt 5000 documents our overall SPAM detection rate has increased from 91% to 98%. So IMHO thanks to the kind person who raised the question of its use with MS in the first place.
>>
>> Regards,
>>
>> --[ UxBoD ]--
>>
>> ----- Original Message -----
>> From: "Kai Schaetzl"
>> To: mailscanner@lists.mailscanner.info
>> Sent: Monday, July 30, 2007 12:59:36 PM (GMT) Europe/London
>> Subject: Re: CRM114
>>
>>> In what way is this "pretty good"?

Jules
From ms-list at alexb.ch Mon Jul 30 15:28:23 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Jul 30 15:28:31 2007
Subject: CRM114
In-Reply-To: <8384902.6331185805139308.JavaMail.root@office.splatnix.net>
References: <8384902.6331185805139308.JavaMail.root@office.splatnix.net>
Message-ID: <46ADF587.8050908@alexb.ch>

On 7/30/2007 4:18 PM, UxBoD wrote:
> The plugin is automatically loaded via the .cf.
>

If anyone finds working Centos 4.x RPMs (or successfully installed from sources) pls post your results/method/whatever

thx

Alex

From matt at coders.co.uk Mon Jul 30 15:44:04 2007
From: matt at coders.co.uk (Matt Hampton)
Date: Mon Jul 30 15:41:22 2007
Subject: CRM114
In-Reply-To: <46ADF587.8050908@alexb.ch>
References: <8384902.6331185805139308.JavaMail.root@office.splatnix.net> <46ADF587.8050908@alexb.ch>
Message-ID: <46ADF934.3020404@coders.co.uk>

Alex Broens wrote:
> On 7/30/2007 4:18 PM, UxBoD wrote:
>> The plugin is automatically loaded via the .cf.
>>
>
> If anyone finds working Centos 4.x RPMs (or successfully installed from
> sources) pls post your results/method/whatever

Download the source RPMS

ftp://fr.rpmfind.net/linux/fedora/extras/development/SRPMS/crm114-0-0.4.20070301.fc7.src.rpm
ftp://fr.rpmfind.net/linux/fedora/extras/development/SRPMS/tre-0.7.5-1.fc7.src.rpm

From maillists at conactive.com Mon Jul 30 16:00:11 2007
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Jul 30 16:00:15 2007
Subject: Watermarking quirks still in 4.62.8
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA013584C5@HC-MBX02.herefordshire.gov.uk>
References: <7EF0EE5CB3B263488C8C18823239BEBA013584B1@HC-MBX02.herefordshire.gov.uk> <46ADDBBA.3080701@coders.co.uk> <7EF0EE5CB3B263488C8C18823239BEBA013584C5@HC-MBX02.herefordshire.gov.uk>
Message-ID:

Phil Randal wrote on Mon, 30 Jul 2007 14:05:21 +0100:

> In-Reply-To: AAAAALxmnSrmiFpFjRWg8ttEtPck1iMA

This could be used in identifying it as a response. (I guess that "structure" is because of your sanitation and you got a "good" MID there back?)

In general I find that quite a few DSNs don't list important or any parts of the mail or mail header, especially not headers that are uncommon. So, these will all be blocked. But it doesn't happen that often that mail to your frequent mail contact bounces, so you will rarely notice it. The read-receipt is a good example where you notice it quicker ;-)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Mon Jul 30 16:25:25 2007
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Jul 30 16:25:28 2007
Subject: CRM114
In-Reply-To: <27485834.6091185797598436.JavaMail.root@office.splatnix.net>
References: <27485834.6091185797598436.JavaMail.root@office.splatnix.net>
Message-ID:

UxBoD wrote on Mon, 30 Jul 2007 13:13:18 +0100 (BST):

> So far no FPs from using CRM114 in combination with SA.
> Now it has been running for a couple of hours and has learnt 5000 documents our overall SPAM detection rate has increased from 91% to 98%. So IMHO thanks to the kind person who raised the question of its use with MS in the first place.

Thanks. I can't deduce that from your original comment.

> our overall SPAM detection rate has increased from 91% to 98%.

Well, I'm sure you could achieve this with setting your score to the default of 5, too. Setting CRM114 to a score of 7.36 boosts any message lower than 2.64 over the threshold. That is somewhat scary in my eyes. Or do I misunderstand? How does it compare to Bayes and how did you train it? (I suppose you have to train it, from their documentation.)

Kai

From mkercher at nfsmith.com Mon Jul 30 16:28:52 2007
From: mkercher at nfsmith.com (Mike Kercher)
Date: Mon Jul 30 16:28:56 2007
Subject: CRM114
In-Reply-To: <8384902.6331185805139308.JavaMail.root@office.splatnix.net>
References: <46ADED5F.70002@ecs.soton.ac.uk> <8384902.6331185805139308.JavaMail.root@office.splatnix.net>
Message-ID: <441247027D4F274EB760A5F6E1ED9C7E020E50@houpex02.nfsmith.info>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
Sent: Monday, July 30, 2007 9:19 AM
To: MailScanner discussion
Subject: Re: CRM114

The plugin is automatically loaded via the .cf.
The way I set it up was :-

1) Install CRM software
2) Create /etc/mail/spamassassin/crm114
3) cd /etc/mail/spamassassin/crm114
4) cssutil -b -r spam.css
5) cssutil -b -r nonspam.css
6) Modified mailfilter.cf with local settings
7) Same permissions on directory and files to same user that MailScanner runs as
8) Installed crm114.pm and crm114.cf
9) Modified crm114.cf to local settings
10) spamassassin -D --lint > /tmp/crm.test 2>&1 (as user in point 7) and check that all is okay
11) Restart MailScanner
12) After a few minutes check documents are being loaded ie. cssutil -b -r /etc/mail/spamassassin/crm114/spam.css with something like :-

[root@bianchi crm114]# cssutil -r -b spam.css

Sparse spectra file spam.css statistics:

Total available buckets          : 1048577
Total buckets in use             : 108553
Total in-use zero-count buckets  : 0
Total buckets with value >= max  : 0
Total hashed datums in file      : 126637
Documents learned                : 3223
Features learned                 : 126638
Average datums per bucket        : 1.17
Maximum length of overflow chain : 7
Average length of overflow chain : 1.18
Average packing density          : 0.10

13) If using MailWatch create a report filter with "sareport contains CRM", and see how it is scoring emails
14) Sit back, relax, and enjoy :)

Regards,

--[ UxBoD ]--

I tried installing this and got errors in my --lint:

[19709] dbg: plugin: loading Mail::SpamAssassin::Plugin::crm114 from @INC
[19709] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::crm114: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::crm114" at (eval 133) line 1

What did I miss?
Mike

From maillists at conactive.com Mon Jul 30 16:30:15 2007
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Jul 30 16:30:17 2007
Subject: mailscanner.cf
In-Reply-To: <46AA45B7.5070409@alexb.ch>
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA401C.9050707@ecs.soton.ac.uk> <46AA45B7.5070409@alexb.ch>
Message-ID:

Alex Broens wrote on Fri, 27 Jul 2007 21:21:27 +0200:

> and that will be replaced with what?
>
> zzzMailScanner.cf?

You misunderstood Jules', ahm, "humorous" remark, there won't be any name change. Some people run their own SA settings, for instance in local.cf. And the automatic addition of this symlink is a nuisance as it adds completely unwanted or doubled settings to Spamassassin in this case. A setup option to avoid its creation would be enjoyable.

Kai

From martinh at solidstatelogic.com Mon Jul 30 16:30:46 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Jul 30 16:30:47 2007
Subject: MS 4.62.8 beta and read receipts
Message-ID: <544001786ab4ed449ff07be7357024ff@solidstatelogic.com>

Matt

I got a funny as well - the MS box returned a read receipt for some reason..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.
Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From MailScanner at ecs.soton.ac.uk Mon Jul 30 16:38:11 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 30 16:38:29 2007
Subject: mailscanner.cf
In-Reply-To:
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA401C.9050707@ecs.soton.ac.uk> <46AA45B7.5070409@alexb.ch>
Message-ID: <46AE05E3.3010004@ecs.soton.ac.uk>

Kai Schaetzl wrote:
> Alex Broens wrote on Fri, 27 Jul 2007 21:21:27 +0200:
>
>> and that will be replaced with what?
>>
>> zzzMailScanner.cf?
>
> You misunderstood Jules', ahm, "humorous" remark, there won't be any name
> change. Some people run their own SA settings, for instance in local.cf.
> And the automatic addition of this symlink is a nuisance as it adds
> completely unwanted or doubled settings to Spamassassin in this case. A
> setup option to avoid its creation would be enjoyable.

I'm going to leave it as is. It is suitable for most beginners, and the advanced ones among you do all sorts of weird things anyway, so it doesn't make any difference to you what I do.

I'm certainly not going to put in some install.sh-time question as to whether the link should be put in or not. 99% of users won't understand the question, and the other 1% can delete the symlink if they want to.
Jules

From ms-list at alexb.ch Mon Jul 30 16:40:39 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Jul 30 16:40:46 2007
Subject: CRM114
In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020E50@houpex02.nfsmith.info>
References: <46ADED5F.70002@ecs.soton.ac.uk> <8384902.6331185805139308.JavaMail.root@office.splatnix.net> <441247027D4F274EB760A5F6E1ED9C7E020E50@houpex02.nfsmith.info>
Message-ID: <46AE0677.7070205@alexb.ch>

On 7/30/2007 5:28 PM, Mike Kercher wrote:
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
> Sent: Monday, July 30, 2007 9:19 AM
> To: MailScanner discussion
> Subject: Re: CRM114
>
> The plugin is automatically loaded via the .cf.
>
> The way I set it up was :-
>
> 1) Install CRM software
> 2) Create /etc/mail/spamassassin/crm114
> 3) cd /etc/mail/spamassassin/crm114
> 4) cssutil -b -r spam.css
> 5) cssutil -b -r nonspam.css
> 6) Modified mailfilter.cf with local settings
> 7) Same permissions on directory and files to same user that MailScanner
> runs as
> 8) Installed crm114.pm and crm114.cf
> 9) Modified crm114.cf to local settings
> 10) spamassassin -D --lint > /tmp/crm.test 2>&1 (as user in point 7) and
> check that all is okay
> 11) Restart MailScanner
> 12) After a few minutes check documents are being loaded ie.
> cssutil -b -r /etc/mail/spamassassin/crm114/spam.css with something like :-
>
> [root@bianchi crm114]# cssutil -r -b spam.css
>
> Sparse spectra file spam.css statistics:
>
> Total available buckets          : 1048577
> Total buckets in use             : 108553
> Total in-use zero-count buckets  : 0
> Total buckets with value >= max  : 0
> Total hashed datums in file      : 126637
> Documents learned                : 3223
> Features learned                 : 126638
> Average datums per bucket        : 1.17
> Maximum length of overflow chain : 7
> Average length of overflow chain : 1.18
> Average packing density          : 0.10
>
> 13) If using MailWatch create a report filter with "sareport contains
> CRM", and see how it is scoring emails
> 14) Sit back, relax, and enjoy :)
>
> Regards,
>
> --[ UxBoD ]--
>
> I tried installing this and got errors in my --lint:
>
> [19709] dbg: plugin: loading Mail::SpamAssassin::Plugin::crm114 from @INC
> [19709] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::crm114: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::crm114" at (eval 133) line 1
>
> What did I miss?

edit crm114.cf, line 33

    loadplugin crm114 /etc/mail/spamassassin/crm114.pm

your next hurdle will be line 47

    crm114_command /usr/bin/crm -u /etc/mail/spamassassin/crm114 mailreaver.crm

UxBod doesn't get my direct mails so I'm asking here (tho it's sorta off-topic - sorry)

would you be so kind and mail me/us your mailfilter.cf or whatever you're using?
or add to Wiki

thx

Alex

From ms-list at alexb.ch Mon Jul 30 16:42:26 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Mon Jul 30 16:42:32 2007
Subject: mailscanner.cf
In-Reply-To: <46AE05E3.3010004@ecs.soton.ac.uk>
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA401C.9050707@ecs.soton.ac.uk> <46AA45B7.5070409@alexb.ch> <46AE05E3.3010004@ecs.soton.ac.uk>
Message-ID: <46AE06E2.8050800@alexb.ch>

On 7/30/2007 5:38 PM, Julian Field wrote:
> Kai Schaetzl wrote:
>> Alex Broens wrote on Fri, 27 Jul 2007 21:21:27 +0200:
>>
>>> and that will be replaced with what?
>>>
>>> zzzMailScanner.cf?
> I'm going to leave it as is. It is suitable for most beginners, and the
> advanced ones among you do all sorts of weird things anyway, so it
> doesn't make any difference to you what I do.
>
> I'm certainly not going to put in some install.sh-time question as to
> whether the link should be put in or not. 99% of users won't understand
> the question, and the other 1% can delete the symlink if they want to.

now it's clear - thanks a lot

Alex

From a.peacock at chime.ucl.ac.uk Mon Jul 30 16:42:58 2007
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Mon Jul 30 16:43:02 2007
Subject: mailscanner.cf
In-Reply-To: <46AE05E3.3010004@ecs.soton.ac.uk>
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA401C.9050707@ecs.soton.ac.uk> <46AA45B7.5070409@alexb.ch> <46AE05E3.3010004@ecs.soton.ac.uk>
Message-ID: <46AE0702.7070708@chime.ucl.ac.uk>

Hi Julian,

Julian Field wrote:
> Kai Schaetzl wrote:
>> Alex Broens wrote on Fri, 27 Jul 2007 21:21:27 +0200:
>>
>>> and that will be replaced with what?
>>>
>>> zzzMailScanner.cf?
>>>
>>
>> You misunderstood Jules', ahm, "humorous" remark, there won't be any
>> name change. Some people run their own SA settings, for instance in
>> local.cf.
>> And the automatic addition of this symlink is a nuisance as
>> it adds completely unwanted or doubled settings to Spamassassin in
>> this case. A setup option to avoid its creation would be enjoyable.
>>
> I'm going to leave it as is. It is suitable for most beginners, and the
> advanced ones among you do all sorts of weird things anyway, so it
> doesn't make any difference to you what I do.
>
> I'm certainly not going to put in some install.sh-time question as to
> whether the link should be put in or not. 99% of users won't understand
> the question, and the other 1% can delete the symlink if they want to.

I agree entirely with this approach. I was too busy last week to chip in to the original discussion.

The symlink works well for making sure things work as expected for people who don't want to bother with the details. People who understand, or do things differently tend to know what to do anyway.

If someone is starting to tweak the setting to the point where the order of processing of .cf files is important then they need to understand the relationship and can manually move the link file if needed.

--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"A CAT scan should take less time than a PET scan. For a CAT scan, they're only looking for one thing, whereas a PET scan could result in a lot of things." - Carl Princi, 2002/07/19

From matt at coders.co.uk Mon Jul 30 16:46:52 2007
From: matt at coders.co.uk (Matt Hampton)
Date: Mon Jul 30 16:44:08 2007
Subject: MS 4.62.8 beta and read receipts
In-Reply-To: <544001786ab4ed449ff07be7357024ff@solidstatelogic.com>
References: <544001786ab4ed449ff07be7357024ff@solidstatelogic.com>
Message-ID: <46AE07EC.20207@coders.co.uk>

Martin.Hepworth wrote:
> Matt
>
> I got a funny as well - the MS box returned a read receipt for some reason..
>

Hmmm

I have just tested this on milter-null and I get the same........
Don't see how we can fix this without getting into the realms of the patent....

Any suggestions welcome

matt

From ssilva at sgvwater.com Mon Jul 30 16:44:56 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Jul 30 16:45:24 2007
Subject: mailscanner.cf
In-Reply-To:
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA401C.9050707@ecs.soton.ac.uk> <46AA45B7.5070409@alexb.ch>
Message-ID:

Kai Schaetzl spake the following on 7/30/2007 8:30 AM:
> Alex Broens wrote on Fri, 27 Jul 2007 21:21:27 +0200:
>
>> and that will be replaced with what?
>>
>> zzzMailScanner.cf?
>
> You misunderstood Jules', ahm, "humorous" remark, there won't be any name
> change. Some people run their own SA settings, for instance in local.cf.
> And the automatic addition of this symlink is a nuisance as it adds
> completely unwanted or doubled settings to Spamassassin in this case. A
> setup option to avoid its creation would be enjoyable.
>
> Kai
>

If you make your own symlink pointing to a blank file, will Julian's scripts overwrite it?

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From uxbod at splatnix.net Mon Jul 30 16:50:12 2007
From: uxbod at splatnix.net (UxBoD)
Date: Mon Jul 30 16:46:55 2007
Subject: CRM114
In-Reply-To:
Message-ID: <26987733.6481185810612044.JavaMail.root@office.splatnix.net>

We raised our SA score from 5 to 12 as it was far too aggressive. The 7.36 score is dynamically created by CRM based on the content within the CSS, so a HAM could (and I have seen) have a score of -40.

With respect to the training there is an option in the plugin that if SA scores an email as either HAM/SPAM then the message will be learnt by CRM in the same manner. So in essence they are truly working together.
Regards,

--[ UxBoD ]--

----- Original Message -----
From: "Kai Schaetzl"
To: mailscanner@lists.mailscanner.info
Sent: Monday, July 30, 2007 4:25:25 PM (GMT) Europe/London
Subject: Re: CRM114

UxBoD wrote on Mon, 30 Jul 2007 13:13:18 +0100 (BST):

> So far no FPs from using CRM114 in combination with SA. Now it has been running for a couple of hours and has learnt 5000 documents our overall SPAM detection rate has increased from 91% to 98%. So IMHO thanks to the kind person who raised the question of its use with MS in the first place.

Thanks. I can't deduce that from your original comment.

> our overall SPAM detection rate has increased from 91% to 98%.

Well, I'm sure you could achieve this with setting your score to the default of 5, too. Setting CRM114 to a score of 7.36 boosts any message lower than 2.64 over the threshold. That is somewhat scary in my eyes. Or do I misunderstand? How does it compare to Bayes and how did you train it? (I suppose you have to train it, from their documentation.)

Kai
From uxbod at splatnix.net Mon Jul 30 16:51:45 2007
From: uxbod at splatnix.net (UxBoD)
Date: Mon Jul 30 16:47:55 2007
Subject: CRM114
In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020E50@houpex02.nfsmith.info>
Message-ID: <6328591.6511185810705210.JavaMail.root@office.splatnix.net>

> What did I miss?

Where did you put the crm114.pm file ? SA is unable to find it.

Regards,

--[ UxBoD ]--

From ssilva at sgvwater.com Mon Jul 30 16:48:51 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Jul 30 16:50:12 2007
Subject: OT - Quck DNS MX question.
In-Reply-To: <223f97700707280221l41413e70i1dc317635ea619a4@mail.gmail.com>
References: <46AA55C6.2020008@cnpapers.com> <46AA5B1B.2050509@pixelhammer.com> <1185585454.46aa992ee72e4@perdition.cnpapers.net> <798375e00707271907k2d94ffdbxf04da71f89190604@mail.gmail.com> <223f97700707280221l41413e70i1dc317635ea619a4@mail.gmail.com>
Message-ID:

Glenn Steen spake the following on 7/28/2007 2:21 AM:
<>
>>
> :-) You'd better hope he doesn't read this public forum then.... those
> type As can be vicious;-)
>> -RMT.
>>
>>
>> -- Vescere bracis meis.
> Not that hungry, so I'll pass....
>
> Cheers

Quidquid latine dictum sit, altum sonatur!
From MailScanner at ecs.soton.ac.uk Mon Jul 30 16:52:04 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 30 16:53:00 2007
Subject: mailscanner.cf
In-Reply-To:
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA401C.9050707@ecs.soton.ac.uk> <46AA45B7.5070409@alexb.ch>
Message-ID: <46AE0924.9060508@ecs.soton.ac.uk>

Scott Silva wrote:
> Kai Schaetzl spake the following on 7/30/2007 8:30 AM:
>
>> Alex Broens wrote on Fri, 27 Jul 2007 21:21:27 +0200:
>>
>>> and that will be replaced with what?
>>>
>>> zzzMailScanner.cf?
>>>
>> You misunderstood Jules', ahm, "humorous" remark, there won't be any name
>> change. Some people run their own SA settings, for instance in local.cf.
>> And the automatic addition of this symlink is a nuisance as it adds
>> completely unwanted or doubled settings to Spamassassin in this case. A
>> setup option to avoid its creation would be enjoyable.
>>
>> Kai
>>
> If you make your own symlink pointing to a blank file, will Julian's scripts
> overwrite it?
>

It does this:

    ln -s -f /etc/MailScanner/spam.assassin.prefs.conf ${SADIR}/mailscanner.cf

But if spam.assassin.prefs.conf is modified (or is empty, of course) then it won't overwrite the file when it upgrades. So you can make spam.assassin.prefs.conf empty and put all your settings in some other file. Then the mailscanner.cf will always link to an empty file.

Jules
From mkercher at nfsmith.com Mon Jul 30 16:54:48 2007
From: mkercher at nfsmith.com (Mike Kercher)
Date: Mon Jul 30 16:54:51 2007
Subject: CRM114
In-Reply-To: <6328591.6511185810705210.JavaMail.root@office.splatnix.net>
References: <441247027D4F274EB760A5F6E1ED9C7E020E50@houpex02.nfsmith.info> <6328591.6511185810705210.JavaMail.root@office.splatnix.net>
Message-ID: <441247027D4F274EB760A5F6E1ED9C7E020E54@houpex02.nfsmith.info>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
Sent: Monday, July 30, 2007 10:52 AM
To: MailScanner discussion
Subject: Re: CRM114

> What did I miss?

Where did you put the crm114.pm file ? SA is unable to find it.

Regards,

--[ UxBoD ]--

I put it under the site_perl path Jules specified. I fixed that in my crm114.cf and also modified the crm114_command to

    crm114_command /usr/bin/crm /usr/share/crm114/mailreaver.crm

Still getting errors in the spamassassin -D --lint like:

[25986] dbg: crm114: crm114_command run ERROR: mailreaver.crm broke. Here's the error\: ERROR: /usr/bin/crm: *ERROR* Can't CALL the nonexistent label: :load_cf_file: Sorry, but this program is very sick and probably should be killed off. This happened at line 125 of file /usr/share/crm114/mailreaver.crm

And

[25986] dbg: plugin: loading Mail::SpamAssassin::Plugin::crm114 from @INC
[25986] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::crm114: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::crm114" at (eval 133) line 1.
Mike

From ka at pacific.net Mon Jul 30 16:59:21 2007
From: ka at pacific.net (Ken A)
Date: Mon Jul 30 16:59:27 2007
Subject: MS 4.62.8 beta and read receipts
In-Reply-To: <46AE07EC.20207@coders.co.uk>
References: <544001786ab4ed449ff07be7357024ff@solidstatelogic.com> <46AE07EC.20207@coders.co.uk>
Message-ID: <46AE0AD9.1040007@pacific.net>

Matt Hampton wrote:
> Martin.Hepworth wrote:
>> Matt
>>
>> I got a funny as well - the MS box returned a read receipt for some reason..
>>
>
> Hmmm
>
> I have justed tested this on milter-null and I get the same........
>
> Don't see how we can fix this without getting into the realms of the
> patent....
>
> Any suggestions welcome
>
> matt
>

    define(`confPRIVACY_FLAGS', `noetrn,goaway,restrictqrun,noreceipts')dnl

? Then again, I'm not really sure what you are talking about here, especially as it has to do with the 'patent', since that is a somewhat nebulous thing around here. :-)

Ken

--
Ken Anderson
Pacific.Net

From uxbod at splatnix.net Mon Jul 30 17:01:38 2007
From: uxbod at splatnix.net (UxBoD)
Date: Mon Jul 30 16:59:34 2007
Subject: CRM114
In-Reply-To: <46AE0677.7070205@alexb.ch>
Message-ID: <19019092.6541185811298754.JavaMail.root@office.splatnix.net>

I do and I replied :)

I only changed a couple of things in mailfilter.cf :-

    :spw: //
    :log_to_allmail.txt: /no/
    :rewrites_enabled: /no/

Regards,

--[ UxBoD ]--
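The manual checks in steps 10 and 12 of the setup list, and the two --lint failures reported in the thread, can be scripted. The following is an added example, not code from any poster or from the CRM114, SpamAssassin or MailScanner projects; the function names are hypothetical and the second cssutil snapshot is constructed.

```shell
#!/bin/sh
# Added example: not part of CRM114, SpamAssassin or MailScanner.
# Live use, with the commands given in the thread:
#   spamassassin -D --lint 2>&1 | lint_failures
#   cssutil -b -r /etc/mail/spamassassin/crm114/spam.css | css_stat "Documents learned"

# Lint output built from the errors quoted in the thread (line breaks assumed).
sample_lint() {
cat <<'EOF'
[25986] dbg: plugin: loading Mail::SpamAssassin::Plugin::crm114 from @INC
[25986] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::crm114: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::crm114" at (eval 133) line 1.
[25986] dbg: crm114: crm114_command run ERROR: mailreaver.crm broke. Here's the error\: ERROR: /usr/bin/crm: *ERROR* Can't CALL the nonexistent label: :load_cf_file:
EOF
}

# cssutil statistics as posted in the thread.
sample_css_before() {
cat <<'EOF'
Sparse spectra file spam.css statistics:

Total available buckets          : 1048577
Total buckets in use             : 108553
Total in-use zero-count buckets  : 0
Total buckets with value >= max  : 0
Total hashed datums in file      : 126637
Documents learned                : 3223
Features learned                 : 126638
Average datums per bucket        : 1.17
Maximum length of overflow chain : 7
Average length of overflow chain : 1.18
Average packing density          : 0.10
EOF
}

# Constructed later snapshot (values invented for this example).
sample_css_after() {
cat <<'EOF'
Total available buckets          : 1048577
Total buckets in use             : 161200
Documents learned                : 5000
EOF
}

# Step 10: print each lint line showing the plugin failed to load or the
# crm command failed, prefixed with a short reason tag.
lint_failures() {
    awk '
        /warn: plugin: failed to create instance of plugin .*crm114/ { print "PLUGIN_LOAD: " $0; next }
        /crm114.*ERROR|\*ERROR\*/                                    { print "CRM_RUN: " $0 }
    '
}

lint_failure_count() { lint_failures | awk 'END { print NR }'; }

# Step 12: print the value of one field from cssutil output read on stdin.
# $1 is the label exactly as cssutil prints it, e.g. "Documents learned".
css_stat() {
    awk -F':' -v want="$1" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == want && !seen { val = $NF; gsub(/[ \t]/, "", val); print val; seen = 1 }
    '
}

# Whole-number percentage of hash buckets in use (cssutil output on stdin).
bucket_use_pct() {
    awk -F':' '
        /Total available buckets/ { avail = $2 + 0 }
        /Total buckets in use/    { used  = $2 + 0 }
        END { if (avail > 0) printf "%d\n", used * 100 / avail; else exit 2 }
    '
}

# Compare two cssutil dumps taken some minutes apart ($1 earlier, $2 later).
# Prints the growth in "Documents learned"; fails when nothing was learned.
docs_learned_delta() {
    before=$(printf '%s\n' "$1" | css_stat "Documents learned")
    after=$(printf '%s\n' "$2" | css_stat "Documents learned")
    [ -n "$before" ] && [ -n "$after" ] || { echo "unparsable"; return 2; }
    echo $((after - before))
    [ "$after" -gt "$before" ]
}

# Demo on the embedded samples.
echo "lint failures: $(sample_lint | lint_failure_count)"
sample_lint | lint_failures | cut -c1-100
echo "bucket use: $(sample_css_before | bucket_use_pct)%"
echo "learned since last check: $(docs_learned_delta "$(sample_css_before)" "$(sample_css_after)")"
```

Run the live commands as the user MailScanner runs as (step 7), since a lint run as root can succeed where the MailScanner user cannot read the crm114 directory.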
From uxbod at splatnix.net Mon Jul 30 17:05:28 2007
From: uxbod at splatnix.net (UxBoD)
Date: Mon Jul 30 17:01:49 2007
Subject: CRM114
In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020E54@houpex02.nfsmith.info>
Message-ID: <12149935.6571185811528805.JavaMail.root@office.splatnix.net>

It will be looking for the mailfilter.cf in the same directory. If it helps this is what is in my /etc/mail/spamassassin/crm114 :-

[root@bianchi ~]# ls -l /etc/mail/spamassassin/crm114
total 50400
-rw-r--r-- 1 postfix root  1053690 Jul 30 05:32 allmail.txt
-rwxr-xr-x 1 postfix root    17415 Jul 30 05:57 mailfilter.cf
-rwxr-xr-x 1 postfix root    44537 Jul 30 05:11 mailfilter.crm
-rw-r--r-- 1 postfix root    14511 Jul 30 05:11 maillib.crm
-rwxr-xr-x 1 postfix root    22740 Jul 30 05:11 mailreaver.crm
-rwxr-xr-x 1 postfix root    37621 Jul 30 05:11 mailtrainer.crm
-rw-r--r-- 1 postfix root 25165848 Jul 30 12:02 nonspam.css
-rw-r--r-- 1 postfix root        0 Jul 30 05:14 priolist.mfp
drwxr-xr-x 8 postfix root     4096 Jul 30 05:23 reaver_cache
-rw-r--r-- 1 postfix root        0 Jul 30 05:23 rewrites.mfp
-rw-r--r-- 1 postfix root 25165848 Jul 30 12:02 spam.css

Regards,

--[ UxBoD ]--

From glenn.steen at gmail.com Mon Jul 30 17:09:08 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Jul 30 17:09:10 2007
Subject: OT - Quck DNS MX question.
In-Reply-To:
References: <46AA55C6.2020008@cnpapers.com> <46AA5B1B.2050509@pixelhammer.com> <1185585454.46aa992ee72e4@perdition.cnpapers.net> <798375e00707271907k2d94ffdbxf04da71f89190604@mail.gmail.com> <223f97700707280221l41413e70i1dc317635ea619a4@mail.gmail.com>
Message-ID: <223f97700707300909w2a572ffcg796c4daa2123a054@mail.gmail.com>

On 30/07/07, Scott Silva wrote:
> Glenn Steen spake the following on 7/28/2007 2:21 AM:
> <>
> >>
> > :-) You'd better hope he doesn't read this public forum then.... those
> > type As can be vicious;-)
> >> -RMT.
> >>
> >>
> >> -- Vescere bracis meis.
> > Not that hungry, so I'll pass....
> >
> > Cheers
> Quidquid latine dictum sit, altum sonatur!
>
Quite true:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ssilva at sgvwater.com Mon Jul 30 17:13:51 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Jul 30 17:14:23 2007
Subject: Inbound mails increase, MS get slow
In-Reply-To: <802541.38957.qm@web54407.mail.yahoo.com>
References: <802541.38957.qm@web54407.mail.yahoo.com>
Message-ID:

jayesh shinde spake the following on 7/28/2007 2:28 AM:
> Dear All ,
> I have the following 2 queries :--
> 1)
> I have Email server with "Fc2 +sendmail(sendmail-8.12.11-4.6)
> + MailScanner + mailwatch+ f-prot + spamassassin-3.1.7-1+
> DCC+razor+pyzor+SpamAssassin rulesets " which is acting as MX server
> and it is deliver nonspam emails to other server where pop email id
> are present.I am getting daily around 45,000+ mails on this MX
> server.(most of them are spams)
>
> Now from 1-2 weeks i am getting lots spam emails on the MX
> server. Some time my inbound is gets very high i.e upto 12,000 .Because
> of this all the email are process very slowly, I observed that the
> emails which are in inbound queue are not get scan immediately, but the
> mails which are came after this inbound emails are get scan immediately.
> I found one option in MailScanner.conf file i.e Max Normal Queue > Size = 800 > I change this value as Max Normal Queue Size = 22000 and restart the > Mailscanner. > But my problem is not get solved by this. > Can any boudy plz guide what should be the correct setting should i > do in MailScanner.conf file for this buzy server,so that even if inbound > emails get increase MS proccess should not get slow. > > 2) > The MS mailing list "search tab" is not working; is the MS mailing > search site is change for search tab ? I looking for this in > http://dir.gmane.org/gmane.mail.virus.mailscanner > > Plz guid me for the above If you would consider upgrading to a newer Fedora version, sendmail (8.13) has a new feature called "greet-pause" that can help with some of the spam load. FC2 is somewhat outdated, and sendmail 8.12 has some nasty security vulnerabilities. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From martinh at solidstatelogic.com Mon Jul 30 17:18:49 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Mon Jul 30 17:19:02 2007 Subject: MS 4.62.8 beta and read receipts In-Reply-To: <46AE07EC.20207@coders.co.uk> Message-ID: <03f23d93216f114581a85b97f0c1b9f5@solidstatelogic.com> Matt I'll turn off the watermarking for a bit then... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Matt Hampton > Sent: 30 July 2007 16:47 > To: MailScanner discussion > Subject: Re: MS 4.62.8 beta and read receipts > > Martin.Hepworth wrote: > > Matt > > > > I got a funny as well - the MS box returned a read receipt for some > reason.. > > > > Hmmm > > I have justed tested this on milter-null and I get the same........ > > Don't see how we can fix this without getting into the realms of the > patent.... 
> > Any suggestions welcome > > matt > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From ssilva at sgvwater.com Mon Jul 30 17:20:39 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jul 30 17:20:57 2007 Subject: Release 4.62.7 beta In-Reply-To: References: <200707291809.l6TI9MhC009267@mail.deniscroombs.org> Message-ID: Res spake the following on 7/30/2007 5:03 AM: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > NotDashEscaped: You need GnuPG to verify this message > > On Mon, 30 Jul 2007, Kai Schaetzl wrote: > >> > > hardly a rant Kai, I agree... > >> Is it really necessary that people have to scroll down for years just to >> find you added one line? I find it surprising that quite a few people on >> this list talk about best practices of running a mail server but don't >> exercise best practices of mail writing and replying. > > well put, but we'll be ridiculed, but the "we'll do what we want when we > want but you cant" selft appointed in-crew > > "Don't top post", "Don't fullquote", "Eat your vegetables" ... It is like being 10 years old again! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From ssilva at sgvwater.com Mon Jul 30 17:23:40 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Jul 30 17:25:05 2007
Subject: sendmail split queues and MailScanner
In-Reply-To: <46ABA824.70403@coders.co.uk>
References: <46ABA824.70403@coders.co.uk>
Message-ID:

Matt Hampton spake the following on 7/28/2007 1:33 PM:
> Vlad Mazek wrote:
>> A while back someone wrote about the sendmail implementation with split
>> quarantines where one was processing mail that got one or more RBL
>> hits and the other one processed the mail that wasn't on blacklists at
>> all; figuring that it would speed up the delivery of non-spam and still
>> not risk rejection of legitimate mail sent by servers that could have
>> ended up on an RBL for a number of reasons.
>
> That was me. However it was based on the assumption that MailScanner
> can prioritize one queue over another which it can't at present.
>
> It is on my long list to look at again after the baby is born (due this
> week :-) )
>
> matt

The list just gets longer after they are born!!! Congrats!

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Mon Jul 30 17:27:19 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Jul 30 17:30:15 2007
Subject: Release beta 4.62.8
In-Reply-To: <46ADC3F8.2060101@ecs.soton.ac.uk>
References: <46ADC3F8.2060101@ecs.soton.ac.uk>
Message-ID:

Julian Field spake the following on 7/30/2007 3:56 AM:
> I have just released another new beta, due to a typo in the code in the
> previous one.
> -- As well as fixing that error, you should now find that "MailScanner
> --lint" does rather more than it used to. It now checks that your
> installed virus scanners actually successfully detect a virus.
> -- "Virus Scanners = auto" now handles multiple different types of
> installation of ClamAV and will use clamd in preference, else
> clamavmodule, else clamav.
>
You must be feeling better. The volume of code and the new ideas are
flowing abundantly!

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Mon Jul 30 17:32:27 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Jul 30 17:35:05 2007
Subject: Watermarking quirks still in 4.62.8
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA013584B1@HC-MBX02.herefordshire.gov.uk>
References: <7EF0EE5CB3B263488C8C18823239BEBA013584B1@HC-MBX02.herefordshire.gov.uk>
Message-ID:

Randal, Phil spake the following on 7/30/2007 5:28 AM:
> A couple of issues with watermarking:
>
> 1: Read receipts are getting blocked ("spam(no null-header or sender
> address)")
>
> 2: If I send an email from outside to a non-existent email address here,
> the bounce message from our Exchange server gets blocked. I've worked
> around this using a ruleset, but shouldn't MailScanner be letting
> through bounces originating from the internal network (or RFC1918
> addresses) anyhow?
>
You really need to have the first point of contact in your network do the
checks for non-existing users. Otherwise you risk Joe Jobbing the rest of
the world. It is much better to drop the connection with an error than to
bounce something back to a possibly forged address.

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!

From MailScanner at ecs.soton.ac.uk Mon Jul 30 17:35:15 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 30 17:35:39 2007
Subject: Release beta 4.62.8
In-Reply-To:
References: <46ADC3F8.2060101@ecs.soton.ac.uk>
Message-ID: <46AE1343.6050805@ecs.soton.ac.uk>

Scott Silva wrote:
> Julian Field spake the following on 7/30/2007 3:56 AM:
>
>> I have just released another new beta, due to a typo in the code in the
>> previous one.
>> -- As well as fixing that error, you should now find that "MailScanner
>> --lint" does rather more than it used to. It now checks that your
>> installed virus scanners actually successfully detect a virus.
>> -- "Virus Scanners = auto" now handles multiple different types of
>> installation of ClamAV and will use clamd in preference, else
>> clamavmodule, else clamav.
>>
>>
> You must be feeling better. The volume of code and the new ideas are flowing
> abundantly!
>
That's true actually. Must be a good sign that I am getting better.
The volume of code this month is unbelievable. 11 new configuration
settings, for starters, mostly linked to new ideas (some of which are
mine for once!).

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From MailScanner at ecs.soton.ac.uk Mon Jul 30 17:45:21 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 30 17:45:47 2007
Subject: Release beta 4.62.8
In-Reply-To: <46AE1343.6050805@ecs.soton.ac.uk>
References: <46ADC3F8.2060101@ecs.soton.ac.uk> <46AE1343.6050805@ecs.soton.ac.uk>
Message-ID: <46AE15A1.1010509@ecs.soton.ac.uk>

Known Web Bug Servers
Add Watermark = yes
Skip Spam Checks If Watermark Valid = yes
Watermark Header = MailScanner-%org-name%-Watermark:
Watermark Lifetime = 432000 # in seconds, = 5 days
Watermark Secret = SET-THIS-TO-A-SECRET!
Attach Image To Signature = no
Attach Image To HTML Message Only = yes
Signature Image Filename = %report-dir%/sig.jpg
Signature Image Filename = signature.jpg
SpamAssassin Rule Actions
ClamAV Full Message Scan
Check Watermarks To Skip Spam Checks = yes

I correct myself, that's 13 new settings this month!
And there's a new spam action "custom()" as well.

We have just gone over 300 settings in MailScanner.conf.

Julian Field wrote:
> Scott Silva wrote:
>> Julian Field spake the following on 7/30/2007 3:56 AM:
>>
>>> I have just released another new beta, due to a typo in the code in the
>>> previous one.
>>> -- As well as fixing that error, you should now find that "MailScanner
>>> --lint" does rather more than it used to. It now checks that your
>>> installed virus scanners actually successfully detect a virus.
>>> -- "Virus Scanners = auto" now handles multiple different types of
>>> installation of ClamAV and will use clamd in preference, else
>>> clamavmodule, else clamav.
>>>
>>>
>> You must be feeling better. The volume of code and the new ideas are
>> flowing
>> abundantly!
>>
> That's true actually. Must be a good sign that I am getting better.
> The volume of code this month is unbelievable. 11 new configuration
> settings, for starters, mostly linked to new ideas (some of which are
> mine for once!).
>
> Jules
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

From maillists at conactive.com Mon Jul 30 17:59:52 2007
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Jul 30 17:59:55 2007
Subject: mailscanner.cf
In-Reply-To:
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA401C.9050707@ecs.soton.ac.uk> <46AA45B7.5070409@alexb.ch>
Message-ID:

Scott Silva wrote on Mon, 30 Jul 2007 08:44:56 -0700:

> If you make your own symlink pointing to a blank file, will Julian's scripts
> overwrite it?

I think I can put a read-only blank file (not a symlink) there. I think
ln -s barks about this and won't remove it.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Mon Jul 30 17:59:52 2007
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Jul 30 17:59:59 2007
Subject: CRM114
In-Reply-To: <26987733.6481185810612044.JavaMail.root@office.splatnix.net>
References: <26987733.6481185810612044.JavaMail.root@office.splatnix.net>
Message-ID:

UxBoD wrote on Mon, 30 Jul 2007 16:50:12 +0100 (BST):

> We raised our SA score from 5 to 12 as it was far too aggressive. The 7.36 score is
> dynamically created by CRM based on the content within the CSS, so a HAM could (and I have
> seen) have a score of -40.

Ah, I see. I was already wondering if it is applying scores based on weight
as the 7.36 didn't look like something a human would put in.

> With respect to the training there is an option in the plugin that if SA scores an email as
> either HAM/SPAM then the message will be learnt by CRM in the same manner. So in essence
> they are truly working together.

So, you didn't have to train it before use?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Mon Jul 30 17:59:52 2007
From: maillists at conactive.com (Kai Schaetzl)
Date: Mon Jul 30 18:00:01 2007
Subject: mailscanner.cf
In-Reply-To: <46AE05E3.3010004@ecs.soton.ac.uk>
References: <46AA0208.3010003@nerc.ac.uk> <46AA0FAE.8090100@nerc.ac.uk> <46AA10F9.3050604@ecs.soton.ac.uk> <46AA401C.9050707@ecs.soton.ac.uk> <46AA45B7.5070409@alexb.ch> <46AE05E3.3010004@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Mon, 30 Jul 2007 16:38:11 +0100:

> I'm going to leave it as is. It is suitable for most beginners, and the
> advanced ones among you do all sorts of weird things anyway, so it
> doesn't make any difference to you what I do.

Well, I asked because you add or offer to add a lot of stuff I personally
wouldn't bother to add. ;-) A simple command-line switch would do ... But
that's probably not feasible with an rpm, only with an unpacked install.sh.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From shuttlebox at gmail.com Mon Jul 30 18:09:50 2007
From: shuttlebox at gmail.com (shuttlebox)
Date: Mon Jul 30 18:09:53 2007
Subject: query if mailscanner using clamscan
In-Reply-To: <46ACA1F7.7060805@ecs.soton.ac.uk>
References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46AB24AF.7060804@ecs.soton.ac.uk> <46AB330F.2080204@ecs.soton.ac.uk> <46AC7383.1010904@ecs.soton.ac.uk> <46ACA1F7.7060805@ecs.soton.ac.uk>
Message-ID: <625385e30707301009y3b9ae26cm6297d170b34bcd2d@mail.gmail.com>

On 7/29/07, Julian Field wrote:
> The only thing I can think of is to ship with a copy of Eicar.

Please don't ship Eicar with MailScanner. That will make many of us
not able to download MailScanner since http-scanning will detect a
virus in it. The ClamAV module used to contain Eicar so it could be
used during make test and it stopped me from downloading it. I got the
author to stop shipping Eicar and I hope you do too.

Just let us get Eicar ourselves. If it's present in the correct
location it will be used for the lint, otherwise not.

--
/peter

From donald.dawson at bakerbotts.com Mon Jul 30 18:43:49 2007
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Mon Jul 30 18:47:32 2007
Subject: MailScanner/Spamassassin slow after version upgrade
Message-ID:

Skipped content of type multipart/alternative
-------------- next part --------------
"/var/lib/spamassassin/3.002002/70_sare_uri2_cf_sare_sa-update_dostech_net/200510050800.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/70_sare_uri2_cf_sare_sa-update_dostech_net/200510050800.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/70_sare_whitelist_cf_sare_sa-update_dostech_net/200605160300.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/70_sare_whitelist_cf_sare_sa-update_dostech_net/200605160300.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/70_sare_whitelist_cf_sare_sa-update_dostech_net/200605160300.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/70_sare_whitelist_rcvd_cf_sare_sa-update_dostech_net/200605160300.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/70_sare_whitelist_rcvd_cf_sare_sa-update_dostech_net/200605160300.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/70_sare_whitelist_rcvd_cf_sare_sa-update_dostech_net/200605160300.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/70_sare_whitelist_spf_cf_sare_sa-update_dostech_net/200608271034.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/70_sare_whitelist_spf_cf_sare_sa-update_dostech_net/200608271034.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/70_sare_whitelist_spf_cf_sare_sa-update_dostech_net/200608271034.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/72_sare_bml_post25x_cf_sare_sa-update_dostech_net/200705210700.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/72_sare_bml_post25x_cf_sare_sa-update_dostech_net/200705210700.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/72_sare_bml_post25x_cf_sare_sa-update_dostech_net/200705210700.cf [2493] dbg: config: fixed relative path: 
/var/lib/spamassassin/3.002002/72_sare_redirect_post3_0_0_cf_sare_sa-update_dostech_net/200605160300.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/72_sare_redirect_post3_0_0_cf_sare_sa-update_dostech_net/200605160300.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/72_sare_redirect_post3_0_0_cf_sare_sa-update_dostech_net/200605160300.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/88_fvgt_headers_cf_sare_sa-update_dostech_net/200701020900.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/88_fvgt_headers_cf_sare_sa-update_dostech_net/200701020900.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/88_fvgt_headers_cf_sare_sa-update_dostech_net/200701020900.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/99_fvgt_tripwire_cf_sare_sa-update_dostech_net/200506020000.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/99_fvgt_tripwire_cf_sare_sa-update_dostech_net/200506020000.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/99_fvgt_tripwire_cf_sare_sa-update_dostech_net/200506020000.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/99_sare_fraud_post25x_cf_sare_sa-update_dostech_net/200506020000.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/99_sare_fraud_post25x_cf_sare_sa-update_dostech_net/200506020000.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/99_sare_fraud_post25x_cf_sare_sa-update_dostech_net/200506020000.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/10_default_prefs.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/10_default_prefs.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/10_default_prefs.cf [2493] dbg: config: fixed relative path: 
/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_advance_fee.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_advance_fee.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_advance_fee.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_body_tests.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_body_tests.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_body_tests.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_compensate.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_compensate.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_compensate.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_dnsbl_tests.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_dnsbl_tests.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_dnsbl_tests.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_drugs.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_drugs.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_drugs.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_dynrdns.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_dynrdns.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_dynrdns.cf [2493] dbg: config: fixed relative path: 
/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_fake_helo_tests.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_fake_helo_tests.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_fake_helo_tests.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_head_tests.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_head_tests.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_head_tests.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_html_tests.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_html_tests.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_html_tests.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_imageinfo.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_imageinfo.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_imageinfo.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_meta_tests.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_meta_tests.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_meta_tests.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_net_tests.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_net_tests.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_net_tests.cf [2493] dbg: 
config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_phrases.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_phrases.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_phrases.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_porn.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_porn.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_porn.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_ratware.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_ratware.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_ratware.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_uri_tests.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_uri_tests.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_uri_tests.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_vbounce.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/20_vbounce.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/20_vbounce.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/23_bayes.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/23_bayes.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/23_bayes.cf [2493] dbg: config: fixed relative path: 
/var/lib/spamassassin/3.002002/updates_spamassassin_org/25_accessdb.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/25_accessdb.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_accessdb.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_antivirus.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/25_antivirus.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_antivirus.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_asn.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/25_asn.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_asn.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_dcc.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/25_dcc.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_dcc.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_dkim.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/25_dkim.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_dkim.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_domainkeys.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/25_domainkeys.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_domainkeys.cf [2493] dbg: config: fixed relative path: 
/var/lib/spamassassin/3.002002/updates_spamassassin_org/25_hashcash.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/25_hashcash.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_hashcash.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_pyzor.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/25_pyzor.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_pyzor.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_razor2.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/25_razor2.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_razor2.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_replace.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/25_replace.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_replace.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_spf.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/25_spf.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_spf.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_textcat.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/25_textcat.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_textcat.cf [2493] dbg: config: fixed relative path: 
/var/lib/spamassassin/3.002002/updates_spamassassin_org/25_uribl.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/25_uribl.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/25_uribl.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_de.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_de.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_de.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_fr.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_fr.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_fr.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_it.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_it.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_it.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_nl.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_nl.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_nl.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_pl.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_pl.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_pl.cf [2493] dbg: config: fixed relative path: 
/var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_pt_br.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_pt_br.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/30_text_pt_br.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/50_scores.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/50_scores.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/50_scores.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/60_awl.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/60_awl.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/60_awl.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/60_shortcircuit.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/60_shortcircuit.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/60_shortcircuit.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/60_whitelist.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/60_whitelist.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/60_whitelist.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/60_whitelist_dk.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/60_whitelist_dk.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/60_whitelist_dk.cf [2493] dbg: config: fixed relative path: 
/var/lib/spamassassin/3.002002/updates_spamassassin_org/60_whitelist_dkim.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/60_whitelist_dkim.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/60_whitelist_dkim.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/60_whitelist_spf.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/60_whitelist_spf.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/60_whitelist_spf.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/60_whitelist_subject.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/60_whitelist_subject.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/60_whitelist_subject.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/72_active.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/72_active.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/72_active.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/72_scores.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/72_scores.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/72_scores.cf [2493] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/updates_spamassassin_org/80_additional.cf [2493] dbg: config: using "/var/lib/spamassassin/3.002002/updates_spamassassin_org/80_additional.cf" for included file [2493] dbg: config: read file /var/lib/spamassassin/3.002002/updates_spamassassin_org/80_additional.cf [2493] 
dbg: config: fixed relative path: /etc/mail/spamassassin/Botnet.pm [2493] dbg: plugin: loading Mail::SpamAssassin::Plugin::Botnet from /etc/mail/spamassassin/Botnet.pm [2493] dbg: Botnet: version 0.7 [2493] dbg: plugin: Mail::SpamAssassin::Plugin::Botnet=HASH(0xa1ca75c) implements 'parse_config', priority 0 [2493] dbg: Botnet: setting botnet_pass_auth to 0 [2493] dbg: Botnet: setting botnet_pass_trusted to public [2493] dbg: Botnet: adding ^127\.0\.0\.1$ to botnet_skip_ip [2493] dbg: Botnet: adding ^10\..*$ to botnet_skip_ip [2493] dbg: Botnet: adding ^172\.1[6789]\..*$ to botnet_skip_ip [2493] dbg: Botnet: adding ^172\.2[0-9]\..*$ to botnet_skip_ip [2493] dbg: Botnet: adding ^172\.3[01]\..*$ to botnet_skip_ip [2493] dbg: Botnet: adding ^192\.168\..*$ to botnet_skip_ip [2493] dbg: Botnet: adding ^128\.223\.98\.16$ to botnet_pass_ip [2493] dbg: Botnet: adding (\.|\A)amazon\.com$ to botnet_pass_domains [2493] dbg: Botnet: adding (\.|\A)apple\.com$ to botnet_pass_domains [2493] dbg: Botnet: adding (\.|\A)ebay\.com$ to botnet_pass_domains [2493] dbg: Botnet: adding (\b|\d)(a|s|d(yn)?)?dsl(\b|\d) to botnet_clientwords [2493] dbg: Botnet: adding (\b|\d)cable(\b|\d) to botnet_clientwords [2493] dbg: Botnet: adding (\b|\d)catv(\b|\d) to botnet_clientwords [2493] dbg: Botnet: adding (\b|\d)ddns(\b|\d) to botnet_clientwords [2493] dbg: Botnet: adding (\b|\d)dhcp(\b|\d) to botnet_clientwords [2493] dbg: Botnet: adding (\b|\d)dial(-?up)?(\b|\d) to botnet_clientwords [2493] dbg: Botnet: adding (\b|\d)dip(\b|\d) to botnet_clientwords [2493] dbg: Botnet: adding (\b|\d)docsis(\b|\d) to botnet_clientwords [2493] dbg: Botnet: adding (\b|\d)dyn(amic)?(ip)?(\b|\d) to botnet_clientwords [2493] dbg: Botnet: adding (\b|\d)modem(\b|\d) to botnet_clientwords [2493] dbg: Botnet: adding (\b|\d)ppp(\b|\d) to botnet_clientwords [2493] dbg: Botnet: adding (\b|\d)res(net|ident(ial)?)?(\b|\d) to botnet_clientwords [2493] dbg: Botnet: adding (\b|\d)client(\b|\d) to botnet_clientwords [2493] dbg: 
Botnet: adding (\b|\d)fixed(\b|\d) to botnet_clientwords [2493] dbg: Botnet: adding (\b|\d)ip(\b|\d) to botnet_clientwords [2493] dbg: Botnet: adding (\b|\d)pool(\b|\d) to botnet_clientwords [2493] dbg: Botnet: adding (\b|\d)static(\b|\d) to botnet_clientwords [2493] dbg: Botnet: adding (\b|\d)user(\b|\d) to botnet_clientwords [2493] dbg: Botnet: adding (\b|\d)mail(\b|\d) to botnet_serverwords [2493] dbg: Botnet: adding (\b|\d)mta(\b|\d) to botnet_serverwords [2493] dbg: Botnet: adding (\b|\d)mx(\b|\d) to botnet_serverwords [2493] dbg: Botnet: adding (\b|\d)relay(\b|\d) to botnet_serverwords [2493] dbg: Botnet: adding (\b|\d)smtp(\b|\d) to botnet_serverwords [2493] dbg: Botnet: adding (\b|\d)exch(ange)?(\b|\d) to botnet_serverwords [2493] warn: netset: cannot include 204.194.96.0/21 as it has already been included [2493] warn: netset: cannot include 69.7.179.66/32 as it has already been included [2493] warn: netset: cannot include 10.0.0.0/8 as it has already been included [2493] dbg: rules: __XM_OL_22B61 merged duplicates: __XM_OL_A842E [2493] dbg: rules: PREVENT_NONDELIVERY merged duplicates: SARE_HEAD_HDR_PREVNDR [2493] dbg: rules: __SARE_HEAD_HDR_IDKEY merged duplicates: SARE_HEAD_HDR_XIDKEY [2493] dbg: rules: __XM_OL_07794 merged duplicates: __XM_OL_25340 __XM_OL_3857F __XM_OL_4F240 __XM_OL_58CB5 __XM_OL_6554A __XM_OL_812FF __XM_OL_C65FA __XM_OL_CF0C0 __XM_OL_F475E __XM_OL_F6D01 [2493] dbg: rules: __HTML_IMG_ONLY merged duplicates: __IMG_ONLY [2493] dbg: rules: FU_UKGEOCITIES merged duplicates: __SARE_SPEC_XX2GEOCIT [2493] dbg: rules: FB_FAKE_NUMBERS merged duplicates: SARE_OBFU_NUMBERS [2493] dbg: rules: FH_MSGID_01C67 merged duplicates: __MSGID_VGA [2493] dbg: rules: __KAM_GOODAOL merged duplicates: __SARE_FROM_GOODAOL [2493] dbg: rules: FS_NEW_SOFT_UPLOAD merged duplicates: HS_SUBJ_NEW_SOFTWARE [2493] dbg: rules: __XM_OL_5E7ED merged duplicates: __XM_OL_D03AB [2493] dbg: rules: SARE_SUB_2UNDERSCORES merged duplicates: SARE_SUB_6_FIG_INC SARE_SUB_ACCT_UPD 
SARE_SUB_ACTION_OB SARE_SUB_ADV_DB SARE_SUB_ADV_SEARCH SARE_SUB_AGING SARE_SUB_ALL_LEAD SARE_SUB_AM_MED_DICT SARE_SUB_ASSIST SARE_SUB_AS_LOW_AS SARE_SUB_BETTER_DEAL SARE_SUB_BETTER_OB2 SARE_SUB_BIGGER SARE_SUB_BIGGER_OB SARE_SUB_BOOST SARE_SUB_BOOST_OB SARE_SUB_BREAKTHRU SARE_SUB_BREAKTHRU_OB SARE_SUB_BULK_EMAIL SARE_SUB_BUY_CHEAP SARE_SUB_BUY_OB SARE_SUB_BUY_OB1 SARE_SUB_CALL_NOW SARE_SUB_CARD_BILLED SARE_SUB_CARTRIDGE_OB SARE_SUB_CAR_INSURANCE SARE_SUB_CASINO_OB SARE_SUB_CHANGE_LIFE SARE_SUB_CHARGE_OB SARE_SUB_CHEAP_OB SARE_SUB_COMM_MAILERS SARE_SUB_CONFIDENTIAL SARE_SUB_CONFID_OB SARE_SUB_CONSULTATION SARE_SUB_CONSULTN_OB SARE_SUB_CURRENT_NEWS SARE_SUB_DBL_MEDICTN SARE_SUB_DBL_PHARM SARE_SUB_DEBT SARE_SUB_DEBTS_COURT SARE_SUB_DOLLARS SARE_SUB_DOWNLOAD_OB SARE_SUB_EBAY_OB SARE_SUB_EXCL_OB SARE_SUB_EXPIRED SARE_SUB_FORECLOSURE SARE_SUB_FOREVER SARE_SUB_FOR_WOMEN SARE_SUB_FREE_SAMPLE SARE_SUB_GAPPY_3 SARE_SUB_GAPPY_4 SARE_SUB_GAPPY_5 SARE_SUB_GAPPY_6 SARE_SUB_GAPPY_7 SARE_SUB_GAPPY_8 SARE_SUB_GROW_BUSINESS SARE_SUB_HARD_OB SARE_SUB_HOMEOWNER_OB SARE_SUB_INCHES SARE_SUB_INC_ONLINE SARE_SUB_INEXPEN SARE_SUB_INKJET SARE_SUB_INKJET_OB SARE_SUB_INVESTMENTS SARE_SUB_INVESTORS SARE_SUB_JOB SARE_SUB_LEAD_PUNCT SARE_SUB_LINES_CREDIT SARE_SUB_LONG_SUBJ_140 SARE_SUB_LONG_SUBJ_170 SARE_SUB_LOSE_OB SARE_SUB_LOTS_PUNC_21 SARE_SUB_LOTS_PUNC_26 SARE_SUB_MED_USE SARE_SUB_MENS_HEALTH SARE_SUB_MINUTES SARE_SUB_MISC_1 SARE_SUB_MORTGAGE SARE_SUB_MORTGAGE_OB SARE_SUB_MOVE_OB SARE_SUB_MSGSUB SARE_SUB_NEXT_DOOR SARE_SUB_NOW_TIME SARE_SUB_ONLINE_OB SARE_SUB_ORIG_SOFT_OB SARE_SUB_PAREN_NUM2 SARE_SUB_PASSION_OB SARE_SUB_PENIS_OB SARE_SUB_PERFECTLY SARE_SUB_PHOTOS_OB SARE_SUB_PHYSICIAN SARE_SUB_PHYSICIAN_OB SARE_SUB_PLEASE_OB SARE_SUB_PORN_WORD10 SARE_SUB_PRINTER_OB SARE_SUB_PROVEN_OB SARE_SUB_RAND_UC SARE_SUB_REAL_OB SARE_SUB_SEXY SARE_SUB_SION_OB SARE_SUB_STRETCH_MARK SARE_SUB_STRONG SARE_SUB_STRONG_OB SARE_SUB_TAXES SARE_SUB_TION_OB SARE_SUB_TONER SARE_SUB_TONER_OB SARE_SUB_VIDEO_OB 
priority: 1000
[2493] dbg: rules: running one_line_body tests; score so far=3.79
[2493] dbg: rules: compiled one_line_body tests
[2493] dbg: rules: running head tests; score so far=3.79
[2493] dbg: rules: compiled head tests
[2493] dbg: rules: running body tests; score so far=3.79
[2493] dbg: rules: compiled body tests
[2493] dbg: rules: running uri tests; score so far=3.79
[2493] dbg: rules: compiled uri tests
[2493] dbg: rules: running rawbody tests; score so far=3.79
[2493] dbg: rules: compiled rawbody tests
[2493] dbg: rules: running full tests; score so far=3.79
[2493] dbg: rules: compiled full tests
[2493] dbg: rules: running meta tests; score so far=3.79
[2493] dbg: rules: compiled meta tests
[2493] dbg: check: is spam? score=3.79 required=5
[2493] dbg: check: tests=BAYES_40,MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS
[2493] dbg: check: subtests=__BOTNET_NOTRUST,__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__SARE_WHITELIST_FLAG,__TVD_BODY,__UNUSABLE_MSGID

From MailScanner at ecs.soton.ac.uk Mon Jul 30 19:01:28 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 30 19:01:58 2007
Subject: query if mailscanner using clamscan
In-Reply-To: <625385e30707301009y3b9ae26cm6297d170b34bcd2d@mail.gmail.com>
References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46AB24AF.7060804@ecs.soton.ac.uk> <46AB330F.2080204@ecs.soton.ac.uk> <46AC7383.1010904@ecs.soton.ac.uk> <46ACA1F7.7060805@ecs.soton.ac.uk> <625385e30707301009y3b9ae26cm6297d170b34bcd2d@mail.gmail.com>
Message-ID: <46AE2778.4030804@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

shuttlebox wrote:
> On 7/29/07, Julian Field wrote:
>
>> The only thing I can think of is to ship with a copy of Eicar.
>>
>
> Please don't ship Eicar with MailScanner. That will make many of us
> not able to download MailScanner since http-scanning will detect a
> virus in it.
>
> The ClamAV module used to contain Eicar so it could be used during
> make test and it stopped me from downloading it. I got the author to
> stop shipping Eicar and I hope you do too. Just let us get Eicar
> ourselves. If it's present in the correct location it will be used for
> the lint, otherwise not.
>
I have tried scanning the file with ClamAV and F-Prot and neither of them find it, I've hidden it well enough. It was one of my greatest concerns too. Try downloading it before complaining, you might well find you don't have a problem.

It's in the latest beta. Try downloading it and tell me what happens.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGrid5EfZZRxQVtlQRAl4zAKCX0zrhYtm7uxg2UlhNuLJQj2M1rwCg15K1
w/Y3HizF4JX1QlIQ35ZE8TM=
=ArpV
-----END PGP SIGNATURE-----

From dgottsc at emory.edu Mon Jul 30 19:01:52 2007
From: dgottsc at emory.edu (Gottschalk, David)
Date: Mon Jul 30 19:02:07 2007
Subject: MailScanner/Spamassassin slow after version upgrade
In-Reply-To:
References:
Message-ID: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E9ED815@RDPEXCH2.Eu.Emory.Edu>

How many children are you running?

Are you running a caching DNS server for SA lookups?

What does 'MailScanner --debug -debug-sa' look like?

One thing that made a difference for me was upping my children from 5 to 10. Also lowering my "Max Unsafe Messages Per Scan" to 10, and my "Max Unscanned Messages Per Scan" to 10 helped speed things up as well.

Hope that helps.
David Gottschalk

________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of donald.dawson@bakerbotts.com
Sent: Monday, July 30, 2007 1:44 PM
To: mailscanner@lists.mailscanner.info
Subject: MailScanner/Spamassassin slow after version upgrade

The time it takes to process an email has doubled since Friday (7/26/07) when I upgraded to MS 4.62.6 and SA 3.2.2. It was around 3.5 seconds, and now it is averaging 7 seconds.

We use DCC and razor2 - no pyzor.

Jul 30 12:36:35 houmx05 MailScanner[21682]: Batch (30 messages) processed in 187.50 seconds
Jul 30 12:37:06 houmx05 MailScanner[21662]: Batch (16 messages) processed in 105.59 seconds
Jul 30 12:37:24 houmx05 MailScanner[21727]: Batch (30 messages) processed in 196.20 seconds
Jul 30 12:37:28 houmx05 MailScanner[21776]: Batch (30 messages) processed in 211.89 seconds
Jul 30 12:37:38 houmx05 MailScanner[21793]: Batch (30 messages) processed in 223.64 seconds

sar -u shows idle CPU time:
12:00:01 AM CPU %user %nice %system %iowait %idle
Average: all 10.49 0.00 4.99 1.00 83.51

# uptime is normal
12:38:30 up 5 days, 25 min, 1 user, load average: 0.81, 0.79, 0.83

I have implemented sa-compile using re2c expecting to get a performance boost.

'MailScanner --lint' doesn't show any errors, except noting that we have clamav processing turned off (output attached).

<>
I have included output from spamassassin's lint command.

/etc/mail/spamassassin contents:
bakerbotts.cf - custom local rule file
Botnet.cf
Botnet.pm
init.pre
init.pre.pre-v310
KAM.cf
local.cf
mailscanner.cf
pdfinfo.cf
sare-sa-update-channels.txt
sa-update-keys
v310.pre
v312.pre
v320.pre

contents of sare-sa-update-channels.txt used by update_spamassassin:

updates.spamassassin.org
70_sare_adult.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_genlsubj1.cf.sare.sa-update.dostech.net
70_sare_genlsubj2.cf.sare.sa-update.dostech.net
70_sare_header.cf.sare.sa-update.dostech.net
70_sare_highrisk.cf.sare.sa-update.dostech.net
70_sare_html.cf.sare.sa-update.dostech.net
70_sare_obfu.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_uri1.cf.sare.sa-update.dostech.net
70_sare_uri2.cf.sare.sa-update.dostech.net
70_sare_whitelist.cf.sare.sa-update.dostech.net
70_sare_whitelist_rcvd.cf.sare.sa-update.dostech.net
70_sare_whitelist_spf.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
88_FVGT_headers.cf.sare.sa-update.dostech.net
99_FVGT_Tripwire.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net

Any ideas would be greatly appreciated.

Thanks,
Donald

Donald Dawson
Security Administrator
Baker Botts L.L.P.
713-229-2183
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070730/0fdd5b30/attachment.html

From MailScanner at ecs.soton.ac.uk Mon Jul 30 19:03:01 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 30 19:03:30 2007
Subject: MailScanner/Spamassassin slow after version upgrade
In-Reply-To:
References:
Message-ID: <46AE27D5.3040305@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What version were you running before?
Are you sure it's nothing else that has changed since the weekend?

donald.dawson@bakerbotts.com wrote:
>
> The time it takes to process an email has doubled since Friday
> (7/26/07) when I upgraded to MS 4.62.6 and SA 3.2.2. It was around
> 3.5 seconds, and now it is averaging 7 seconds.
>
> We use DCC and razor2 - no pyzor.
>
> Jul 30 12:36:35 houmx05 MailScanner[21682]: Batch (30 messages)
> processed in 187.50 seconds
> Jul 30 12:37:06 houmx05 MailScanner[21662]: Batch (16 messages)
> processed in 105.59 seconds
> Jul 30 12:37:24 houmx05 MailScanner[21727]: Batch (30 messages)
> processed in 196.20 seconds
> Jul 30 12:37:28 houmx05 MailScanner[21776]: Batch (30 messages)
> processed in 211.89 seconds
> Jul 30 12:37:38 houmx05 MailScanner[21793]: Batch (30 messages)
> processed in 223.64 seconds
>
> sar -u shows idle CPU time:
> 12:00:01 AM CPU %user %nice %system %iowait %idle
> Average: all 10.49 0.00 4.99 1.00 83.51
>
> # uptime is normal
> 12:38:30 up 5 days, 25 min, 1 user, load average: 0.81, 0.79, 0.83
>
> I have implemented sa-compile using re2c expecting to get a
> performance boost.
>
> 'MailScanner --lint' doesn't show any errors, except noting that we
> have clamav processing turned off (output attached).
>
> <>
> I have included output from spamassassin's lint command.
>
> /etc/mail/spamassassin contents:
> bakerbotts.cf - custom local rule file
> Botnet.cf
> Botnet.pm
> init.pre
> init.pre.pre-v310
> KAM.cf
> local.cf
> mailscanner.cf
> pdfinfo.cf
> sare-sa-update-channels.txt
> sa-update-keys
> v310.pre
> v312.pre
> v320.pre
>
> contents of sare-sa-update-channels.txt used by update_spamassassin:
>
> updates.spamassassin.org
> 70_sare_adult.cf.sare.sa-update.dostech.net
> 70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
> 70_sare_evilnum0.cf.sare.sa-update.dostech.net
> 70_sare_genlsubj0.cf.sare.sa-update.dostech.net
> 70_sare_genlsubj1.cf.sare.sa-update.dostech.net
> 70_sare_genlsubj2.cf.sare.sa-update.dostech.net
> 70_sare_header.cf.sare.sa-update.dostech.net
> 70_sare_highrisk.cf.sare.sa-update.dostech.net
> 70_sare_html.cf.sare.sa-update.dostech.net
> 70_sare_obfu.cf.sare.sa-update.dostech.net
> 70_sare_oem.cf.sare.sa-update.dostech.net
> 70_sare_random.cf.sare.sa-update.dostech.net
> 70_sare_specific.cf.sare.sa-update.dostech.net
> 70_sare_spoof.cf.sare.sa-update.dostech.net
> 70_sare_stocks.cf.sare.sa-update.dostech.net
> 70_sare_unsub.cf.sare.sa-update.dostech.net
> 70_sare_uri0.cf.sare.sa-update.dostech.net
> 70_sare_uri1.cf.sare.sa-update.dostech.net
> 70_sare_uri2.cf.sare.sa-update.dostech.net
> 70_sare_whitelist.cf.sare.sa-update.dostech.net
> 70_sare_whitelist_rcvd.cf.sare.sa-update.dostech.net
> 70_sare_whitelist_spf.cf.sare.sa-update.dostech.net
> 72_sare_bml_post25x.cf.sare.sa-update.dostech.net
> 72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
> 88_FVGT_headers.cf.sare.sa-update.dostech.net
> 99_FVGT_Tripwire.cf.sare.sa-update.dostech.net
> 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
>
> Any ideas would be greatly appreciated.
>
> Thanks,
> Donald
>
> Donald Dawson
> Security Administrator
> Baker Botts L.L.P.
> 713-229-2183
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGrifWEfZZRxQVtlQRAkCVAKCodhgF9y3OF0H62hdZeu/wblrQiwCgsBEE
PezwqCVH4PdyoQJbJhECVaA=
=wEnB
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Mon Jul 30 19:09:45 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 30 19:10:27 2007
Subject: MailScanner/Spamassassin slow after version upgrade
In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E9ED815@RDPEXCH2.Eu.Emory.Edu>
References: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E9ED815@RDPEXCH2.Eu.Emory.Edu>
Message-ID: <46AE2969.9040107@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Also, what new settings did it add when you did the upgrade_MailScanner_conf?
Are any of those options on when you would prefer them to be off?
The new code should only ever look up new config options, and not execute new code if you don't have them switched on.

Also, how easy is it for you to downgrade again? upgrade_MailScanner_conf will happily downgrade as well as upgrade.

Gottschalk, David wrote:
> How many children are you running?
>
> Are you running a caching DNS server for SA lookups?
>
> What does 'MailScanner --debug -debug-sa' look like?
>
> One thing that made a difference for me was upping my children from 5
> to 10. Also lowering my "Max Unsafe Messages Per Scan" to 10, and my
> "Max Unscanned Messages Per Scan" to 10 helped speed things up as well.
>
> Hope that helps.
>
> David Gottschalk
>
> ------------------------------------------------------------------------
> *From:* mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of
> *donald.dawson@bakerbotts.com
> *Sent:* Monday, July 30, 2007 1:44 PM
> *To:* mailscanner@lists.mailscanner.info
> *Subject:* MailScanner/Spamassassin slow after version upgrade
>
> The time it takes to process an email has doubled since Friday
> (7/26/07) when I upgraded to MS 4.62.6 and SA 3.2.2. It was around
> 3.5 seconds, and now it is averaging 7 seconds.
>
> We use DCC and razor2 - no pyzor.
>
> Jul 30 12:36:35 houmx05 MailScanner[21682]: Batch (30 messages)
> processed in 187.50 seconds
> Jul 30 12:37:06 houmx05 MailScanner[21662]: Batch (16 messages)
> processed in 105.59 seconds
> Jul 30 12:37:24 houmx05 MailScanner[21727]: Batch (30 messages)
> processed in 196.20 seconds
> Jul 30 12:37:28 houmx05 MailScanner[21776]: Batch (30 messages)
> processed in 211.89 seconds
> Jul 30 12:37:38 houmx05 MailScanner[21793]: Batch (30 messages)
> processed in 223.64 seconds
>
> sar -u shows idle CPU time:
> 12:00:01 AM CPU %user %nice %system %iowait %idle
> Average: all 10.49 0.00 4.99 1.00 83.51
>
> # uptime is normal
> 12:38:30 up 5 days, 25 min, 1 user, load average: 0.81, 0.79, 0.83
>
> I have implemented sa-compile using re2c expecting to get a
> performance boost.
>
> 'MailScanner --lint' doesn't show any errors, except noting that we
> have clamav processing turned off (output attached).
>
> <>
> I have included output from spamassassin's lint command.
>
> /etc/mail/spamassassin contents:
> bakerbotts.cf - custom local rule file
> Botnet.cf
> Botnet.pm
> init.pre
> init.pre.pre-v310
> KAM.cf
> local.cf
> mailscanner.cf
> pdfinfo.cf
> sare-sa-update-channels.txt
> sa-update-keys
> v310.pre
> v312.pre
> v320.pre
>
> contents of sare-sa-update-channels.txt used by update_spamassassin:
>
> updates.spamassassin.org
> 70_sare_adult.cf.sare.sa-update.dostech.net
> 70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
> 70_sare_evilnum0.cf.sare.sa-update.dostech.net
> 70_sare_genlsubj0.cf.sare.sa-update.dostech.net
> 70_sare_genlsubj1.cf.sare.sa-update.dostech.net
> 70_sare_genlsubj2.cf.sare.sa-update.dostech.net
> 70_sare_header.cf.sare.sa-update.dostech.net
> 70_sare_highrisk.cf.sare.sa-update.dostech.net
> 70_sare_html.cf.sare.sa-update.dostech.net
> 70_sare_obfu.cf.sare.sa-update.dostech.net
> 70_sare_oem.cf.sare.sa-update.dostech.net
> 70_sare_random.cf.sare.sa-update.dostech.net
> 70_sare_specific.cf.sare.sa-update.dostech.net
> 70_sare_spoof.cf.sare.sa-update.dostech.net
> 70_sare_stocks.cf.sare.sa-update.dostech.net
> 70_sare_unsub.cf.sare.sa-update.dostech.net
> 70_sare_uri0.cf.sare.sa-update.dostech.net
> 70_sare_uri1.cf.sare.sa-update.dostech.net
> 70_sare_uri2.cf.sare.sa-update.dostech.net
> 70_sare_whitelist.cf.sare.sa-update.dostech.net
> 70_sare_whitelist_rcvd.cf.sare.sa-update.dostech.net
> 70_sare_whitelist_spf.cf.sare.sa-update.dostech.net
> 72_sare_bml_post25x.cf.sare.sa-update.dostech.net
> 72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
> 88_FVGT_headers.cf.sare.sa-update.dostech.net
> 99_FVGT_Tripwire.cf.sare.sa-update.dostech.net
> 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
>
> Any ideas would be greatly appreciated.
>
> Thanks,
> Donald
>
> Donald Dawson
> Security Administrator
> Baker Botts L.L.P.
> 713-229-2183
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From uxbod at splatnix.net Mon Jul 30 19:25:26 2007
From: uxbod at splatnix.net (UxBoD)
Date: Mon Jul 30 19:21:35 2007
Subject: CRM114
In-Reply-To:
Message-ID: <16273999.6601185819926012.JavaMail.root@office.splatnix.net>

> So, you didn't have to train it before use?

Nope, as we are allowing the plugin to control the learning using what SA decided as being SPAM or HAM. Though you can train it beforehand using SPAM or HAM that you already have.

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Kai Schaetzl"
To: mailscanner@lists.mailscanner.info
Sent: Monday, July 30, 2007 5:59:52 PM (GMT) Europe/London
Subject: Re: CRM114

UxBoD wrote on Mon, 30 Jul 2007 16:50:12 +0100 (BST):

> We raised our SA score from 5 to 12 as it was far too aggressive. The 7.36 score is
> dynamically created by CRM based on the content within the CSS, so a HAM could (and I have
> seen) have a score of -40.

Ah, I see.
I was already wondering if it is applying scores based on weight as the 7.36 didn't look like something a human would put in.

> With respect to the training there is an option in the plugin that if SA scores an email as
> either HAM/SPAM then the message will be learnt by CRM in the same manner. So in essence
> they are truly working together.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From mkercher at nfsmith.com Mon Jul 30 19:22:39 2007
From: mkercher at nfsmith.com (Mike Kercher)
Date: Mon Jul 30 19:22:43 2007
Subject: CRM114
In-Reply-To: <12149935.6571185811528805.JavaMail.root@office.splatnix.net>
References: <441247027D4F274EB760A5F6E1ED9C7E020E54@houpex02.nfsmith.info>
 <12149935.6571185811528805.JavaMail.root@office.splatnix.net>
Message-ID: <441247027D4F274EB760A5F6E1ED9C7E020E58@houpex02.nfsmith.info>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
Sent: Monday, July 30, 2007 11:05 AM
To: MailScanner discussion
Subject: Re: CRM114

It will be looking for the mailfilter.cf in the same directory.
if it helps this is what is in my /etc/mail/spamassassin/crm114 :-

[root@bianchi ~]# ls -l /etc/mail/spamassassin/crm114
total 50400
-rw-r--r-- 1 postfix root  1053690 Jul 30 05:32 allmail.txt
-rwxr-xr-x 1 postfix root    17415 Jul 30 05:57 mailfilter.cf
-rwxr-xr-x 1 postfix root    44537 Jul 30 05:11 mailfilter.crm
-rw-r--r-- 1 postfix root    14511 Jul 30 05:11 maillib.crm
-rwxr-xr-x 1 postfix root    22740 Jul 30 05:11 mailreaver.crm
-rwxr-xr-x 1 postfix root    37621 Jul 30 05:11 mailtrainer.crm
-rw-r--r-- 1 postfix root 25165848 Jul 30 12:02 nonspam.css
-rw-r--r-- 1 postfix root        0 Jul 30 05:14 priolist.mfp
drwxr-xr-x 8 postfix root     4096 Jul 30 05:23 reaver_cache
-rw-r--r-- 1 postfix root        0 Jul 30 05:23 rewrites.mfp
-rw-r--r-- 1 postfix root 25165848 Jul 30 12:02 spam.css

Regards,

--[ UxBoD ]--

OK...I got CRM working with SA, but it's not scoring anything at all. All of my log entries have something like this:

Jul 30 13:18:13 HOUPMS01 MailScanner[31354]: Message l6UIHuwr010077 from 208.79.167.21 (secretsrevealed@ghv.affairthrust.com) to domain.com is spam, SpamAssassin (not cached, score=22.517, required 6.1, autolearn=spam, BAYES_99 3.50, CRM114_CHECK -0.00, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.00, HTML_IMAGE_ONLY_04 2.04, HTML_MESSAGE 0.00, HTML_MIME_NO_HTML_TAG 0.10, HTML_SHORT_LINK_IMG_1 0.00, KAM_ADVERT2 0.55, MIME_HTML_ONLY 1.46, PYZOR_CHECK 3.70, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, SPF_HELO_PASS -0.00, URIBL_BLACK 5.00)

From MailScanner at ecs.soton.ac.uk Mon Jul 30 19:22:58 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 30 19:23:27 2007
Subject: query if mailscanner using clamscan
In-Reply-To: <625385e30707301009y3b9ae26cm6297d170b34bcd2d@mail.gmail.com>
References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw>
 <46AB24AF.7060804@ecs.soton.ac.uk> <46AB330F.2080204@ecs.soton.ac.uk>
 <46AC7383.1010904@ecs.soton.ac.uk> <46ACA1F7.7060805@ecs.soton.ac.uk>
 <625385e30707301009y3b9ae26cm6297d170b34bcd2d@mail.gmail.com>
Message-ID: <46AE2C82.6010606@ecs.soton.ac.uk>

shuttlebox wrote:
> On 7/29/07, Julian Field wrote:
>
>> The only thing I can think of is to ship with a copy of Eicar.
>>
>
> Please don't ship Eicar with MailScanner. That will make many of us
> not able to download MailScanner since http-scanning will detect a
> virus in it.
>

I have just had 2 people test this, as I didn't think it would be a problem. And it's not. Please don't jump to conclusions until you have some evidence to back it up :-)

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From uxbod at splatnix.net Mon Jul 30 19:31:03 2007
From: uxbod at splatnix.net (UxBoD)
Date: Mon Jul 30 19:27:11 2007
Subject: CRM114
In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020E58@houpex02.nfsmith.info>
Message-ID: <9217031.6631185820263023.JavaMail.root@office.splatnix.net>

What does cssutil -b -r spam.css show? Are the timestamps being updated on the files as well? If you could send a list of the directory as well?
Regards,

--[ UxBoD ]--

OK...I got CRM working with SA, but it's not scoring anything at all. All of my log entries have something like this:

Jul 30 13:18:13 HOUPMS01 MailScanner[31354]: Message l6UIHuwr010077 from 208.79.167.21 (secretsrevealed@ghv.affairthrust.com) to domain.com is spam, SpamAssassin (not cached, score=22.517, required 6.1, autolearn=spam, BAYES_99 3.50, CRM114_CHECK -0.00, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.00, HTML_IMAGE_ONLY_04 2.04, HTML_MESSAGE 0.00, HTML_MIME_NO_HTML_TAG 0.10, HTML_SHORT_LINK_IMG_1 0.00, KAM_ADVERT2 0.55, MIME_HTML_ONLY 1.46, PYZOR_CHECK 3.70, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, SPF_HELO_PASS -0.00, URIBL_BLACK 5.00)

From donald.dawson at bakerbotts.com Mon Jul 30 19:35:24 2007 From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com) Date: Mon Jul 30 19:35:53 2007 Subject: MailScanner/Spamassassin slow after version upgrade In-Reply-To: <46AE2969.9040107@ecs.soton.ac.uk> Message-ID: Here are the differences between the old and new conf file: # diff MailScanner.conf old/MailScanner.conf.07262007 < Zip Attachments = no < Attachments Zip Filename = MessageAttachments.zip < Attachments Min Total Size To Zip = 100k < Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml < Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd > Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd < Clamd Port = 3310 < Clamd Socket = /tmp/clamd < Clamd Lock File = # /var/lock/subsys/clamd < Clamd Use Threads = no < Known Web Bug Servers = msgtag.com < Signature Image Filename = %report-dir%/sig.jpg < Signature Image Filename = signature.jpg < Attach Image To Signature = no < Attach Image To HTML Message Only = yes < Spam List = # spamhaus-ZEN # You can un-comment this to enable them > Spam List = SBL+XBL < Ignore Spam Whitelist If Recipients Exceed = 40 > Ignore Spam Whitelist If Recipients Exceed = 75 < Add Watermark = yes < Check Watermarks = yes < Treat Invalid Watermarks as Spam = spam < Watermark Secret = %org-name%-Secretfrog < Watermark Lifetime = 604800 < Watermark Header = X-%org-name%-MailScanner-Watermark: < Max SpamAssassin Size = 100k > Max SpamAssassin Size = 90k < Max SpamAssassin Timeouts = 10 > Max SpamAssassin Timeouts = 20 < SpamAssassin Rule Actions = < SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp < MailScanner Version Number = 4.62.6 > MailScanner Version Number = 4.59.4 I could downgrade, but I am reticent to do so. What I may do is work on another mail server and upgrade in pieces. 1) Upgrade MS, but not SA. 
2) turn off watermarking at first
3) leave rule sets the same, then implement changes one by one
4) sa-compile after the other tests
5) upgrade SA

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Monday, July 30, 2007 1:10 PM
To: MailScanner discussion
Subject: Re: MailScanner/Spamassassin slow after version upgrade

Also, what new settings did it add when you did the upgrade_MailScanner_conf? Are any of those options on when you would prefer them to be off? The new code should only ever look up new config options, and not execute new code if you don't have them switched on. Also, how easy is it for you to downgrade again? upgrade_MailScanner_conf will happily downgrade as well as upgrade.

Gottschalk, David wrote:
> How many children are you running?
>
> Are you running a caching DNS server for SA lookups?
>
> what does 'MailScanner --debug -debug-sa' look like?
>
> One thing that made a difference for me was upping my children from 5
> to 10. Also lowering my "Max Unsafe Messages Per Scan" to 10, and my
> "Max Unscanned Messages Per Scan" to 10 helped speed things up as well.
>
> Hope that helps.
>
> David Gottschalk
>
> ------------------------------------------------------------------------
> *From:* mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of
> *donald.dawson@bakerbotts.com
> *Sent:* Monday, July 30, 2007 1:44 PM
> *To:* mailscanner@lists.mailscanner.info
> *Subject:* MailScanner/Spamassassin slow after version upgrade
>
> The time it takes to process an email has doubled since Friday
> (7/26/07) when I upgraded to MS 4.62.6 and SA 3.2.2. It was around
> 3.5 seconds, and now it is averaging 7 seconds.
>
> We use DCC and razor2 - no pyzor.
> > Jul 30 12:36:35 houmx05 MailScanner[21682]: Batch (30 messages) > processed in 187.50 seconds > Jul 30 12:37:06 houmx05 MailScanner[21662]: Batch (16 messages) > processed in 105.59 seconds > Jul 30 12:37:24 houmx05 MailScanner[21727]: Batch (30 messages) > processed in 196.20 seconds > Jul 30 12:37:28 houmx05 MailScanner[21776]: Batch (30 messages) > processed in 211.89 seconds > Jul 30 12:37:38 houmx05 MailScanner[21793]: Batch (30 messages) > processed in 223.64 seconds > > sar -u shows idle CPU time: > 12:00:01 AM CPU %user %nice %system %iowait %idle > Average: all 10.49 0.00 4.99 1.00 83.51 > > # uptime is normal > 12:38:30 up 5 days, 25 min, 1 user, load average: 0.81, 0.79, 0.83 > > I have implemented sa-compile using re2c expecting to get a > performance boost. > > 'MailScanner --lint' doesn't show any errors, except noting that we > have clamav processing turned off (output attached). > > <> > I have included output from spamassassin's lint command. > > /etc/mail/spamassassin contents: > bakerbotts.cf - custom local rule file > Botnet.cf > Botnet.pm > init.pre > init.pre.pre-v310 > KAM.cf > local.cf > mailscanner.cf > pdfinfo.cf > sare-sa-update-channels.txt > sa-update-keys > v310.pre > v312.pre > v320.pre > > contents of sare-sa-update-channels.txt used by update_spamassassin: > > updates.spamassassin.org > 70_sare_adult.cf.sare.sa-update.dostech.net > 70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net > 70_sare_evilnum0.cf.sare.sa-update.dostech.net > 70_sare_genlsubj0.cf.sare.sa-update.dostech.net > 70_sare_genlsubj1.cf.sare.sa-update.dostech.net > 70_sare_genlsubj2.cf.sare.sa-update.dostech.net > 70_sare_header.cf.sare.sa-update.dostech.net > 70_sare_highrisk.cf.sare.sa-update.dostech.net > 70_sare_html.cf.sare.sa-update.dostech.net > 70_sare_obfu.cf.sare.sa-update.dostech.net > 70_sare_oem.cf.sare.sa-update.dostech.net > 70_sare_random.cf.sare.sa-update.dostech.net > 70_sare_specific.cf.sare.sa-update.dostech.net > 
70_sare_spoof.cf.sare.sa-update.dostech.net
> 70_sare_stocks.cf.sare.sa-update.dostech.net
> 70_sare_unsub.cf.sare.sa-update.dostech.net
> 70_sare_uri0.cf.sare.sa-update.dostech.net
> 70_sare_uri1.cf.sare.sa-update.dostech.net
> 70_sare_uri2.cf.sare.sa-update.dostech.net
> 70_sare_whitelist.cf.sare.sa-update.dostech.net
> 70_sare_whitelist_rcvd.cf.sare.sa-update.dostech.net
> 70_sare_whitelist_spf.cf.sare.sa-update.dostech.net
> 72_sare_bml_post25x.cf.sare.sa-update.dostech.net
> 72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
> 88_FVGT_headers.cf.sare.sa-update.dostech.net
> 99_FVGT_Tripwire.cf.sare.sa-update.dostech.net
> 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
>
> Any ideas would be greatly appreciated.
>
> Thanks,
> Donald
>
> Donald Dawson
> Security Administrator
> Baker Botts L.L.P.
> 713-229-2183
>

Jules

--
Julian Field MEng CITP
www.MailScanner.info

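Added example (not written by anyone in this thread): a Python script that turns the MailScanner "Batch (N messages) processed in S seconds" syslog lines quoted above into per-message timings and compares them with the 3.5-second pre-upgrade figure given in the original report. The function names and the 1.5x alert factor are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Batch summaries copied from the thread; the last line is constructed
# to show that unrelated syslog entries are skipped.
SAMPLE_LOG = """\
Jul 30 12:36:35 houmx05 MailScanner[21682]: Batch (30 messages) processed in 187.50 seconds
Jul 30 12:37:06 houmx05 MailScanner[21662]: Batch (16 messages) processed in 105.59 seconds
Jul 30 12:37:24 houmx05 MailScanner[21727]: Batch (30 messages) processed in 196.20 seconds
Jul 30 12:37:28 houmx05 MailScanner[21776]: Batch (30 messages) processed in 211.89 seconds
Jul 30 12:37:38 houmx05 MailScanner[21793]: Batch (30 messages) processed in 223.64 seconds
Jul 30 12:37:40 houmx05 sendmail[21801]: constructed unrelated line
"""

BATCH_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s"
    r"MailScanner\[(?P<pid>\d+)\]:\sBatch \((?P<count>\d+) messages?\)\s"
    r"processed in (?P<secs>\d+(?:\.\d+)?) seconds"
)


class Batch(NamedTuple):
    stamp: str
    host: str
    pid: int       # PID of the MailScanner child that handled the batch
    count: int     # messages in the batch
    seconds: float # wall-clock time for the whole batch

    @property
    def per_message(self) -> float:
        return self.seconds / self.count


def parse_batches(log_text):
    """Return one Batch per MailScanner batch-summary line, ignoring the rest."""
    batches = []
    for line in log_text.splitlines():
        m = BATCH_RE.match(line)
        if not m or int(m["count"]) == 0:
            continue  # not a batch summary, or an empty batch
        batches.append(Batch(m["stamp"], m["host"], int(m["pid"]),
                             int(m["count"]), float(m["secs"])))
    return batches


def summarize(batches, baseline_secs=3.5, alert_factor=1.5):
    """Message-weighted mean time per message, compared with a baseline.

    baseline_secs is the pre-upgrade figure from the thread; alert_factor
    is an assumed threshold, not a MailScanner setting.
    """
    if not batches:
        raise ValueError("no batch lines found")
    total_msgs = sum(b.count for b in batches)
    total_secs = sum(b.seconds for b in batches)
    mean = total_secs / total_msgs
    slowest = max(batches, key=lambda b: b.per_message)
    return {
        "messages": total_msgs,
        "mean_secs_per_message": round(mean, 2),
        "slowdown_vs_baseline": round(mean / baseline_secs, 2),
        "slowest_pid": slowest.pid,
        "regressed": mean >= baseline_secs * alert_factor,
    }


if __name__ == "__main__":
    for b in parse_batches(SAMPLE_LOG):
        print(f"{b.stamp} pid={b.pid} {b.per_message:.2f} s/msg")
    print(summarize(parse_batches(SAMPLE_LOG)))
```
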
From mkercher at nfsmith.com Mon Jul 30 19:36:08 2007
From: mkercher at nfsmith.com (Mike Kercher)
Date: Mon Jul 30 19:36:10 2007
Subject: CRM114
In-Reply-To: <9217031.6631185820263023.JavaMail.root@office.splatnix.net>
References: <441247027D4F274EB760A5F6E1ED9C7E020E58@houpex02.nfsmith.info>
 <9217031.6631185820263023.JavaMail.root@office.splatnix.net>
Message-ID: <441247027D4F274EB760A5F6E1ED9C7E020E59@houpex02.nfsmith.info>

Sparse spectra file spam.css statistics:

Total available buckets          : 1048577
Total buckets in use             : 0
Total in-use zero-count buckets  : 0
Total buckets with value >= max  : 0
Total hashed datums in file      : 0
Documents learned                : 1
Features learned                 : 1
Average datums per bucket        : 0.00
Maximum length of overflow chain : 0
Average length of overflow chain : 0.00
Average packing density          : 0.00

The timestamp is the same as when I created them this morning.

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
Sent: Monday, July 30, 2007 1:31 PM
To: MailScanner discussion
Subject: Re: CRM114

What does cssutil -b -r spam.css show? Are the timestamps being updated on the files as well? If you could send a list of the directory as well?

Regards,

--[ UxBoD ]--

OK...I got CRM working with SA, but it's not scoring anything at all.
All of my log entries have something like this:

Jul 30 13:18:13 HOUPMS01 MailScanner[31354]: Message l6UIHuwr010077 from 208.79.167.21 (secretsrevealed@ghv.affairthrust.com) to domain.com is spam, SpamAssassin (not cached, score=22.517, required 6.1, autolearn=spam, BAYES_99 3.50, CRM114_CHECK -0.00, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.00, HTML_IMAGE_ONLY_04 2.04, HTML_MESSAGE 0.00, HTML_MIME_NO_HTML_TAG 0.10, HTML_SHORT_LINK_IMG_1 0.00, KAM_ADVERT2 0.55, MIME_HTML_ONLY 1.46, PYZOR_CHECK 3.70, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, SPF_HELO_PASS -0.00, URIBL_BLACK 5.00)

From donald.dawson at bakerbotts.com Mon Jul 30 19:38:04 2007
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Mon Jul 30 19:38:28 2007
Subject: MailScanner/Spamassassin slow after version upgrade
In-Reply-To: <8D2EFA3D9FD29C45BCEC3B532F0E2308412E9ED815@RDPEXCH2.Eu.Emory.Edu>
Message-ID:

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sa-debug.z-pfile
Type: application/octet-stream
Size: 17771 bytes
Desc: sa-debug.z-pfile
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070730/d33a008d/sa-debug-0001.obj

From jan-peter at koopmann.eu Mon Jul 30 19:41:08 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Mon Jul 30 19:40:16 2007
Subject: CRM114
In-Reply-To:
References:
Message-ID:

Hi,

> > So, you didn't have to train it before use?
>
> Nope, as we are allowing the plugin to control the learning using what SA
> decided as being SPAM or HAM. Though you can train it beforehand
> using SPAM or HAM that you already have.
>
> Regards,

How do you achieve this? Is this the default setting? I remember having seen some autolearn setting in the .cf that was accompanied with a WARNING. :-)

Regards,
JP

From uxbod at splatnix.net Mon Jul 30 19:44:57 2007
From: uxbod at splatnix.net (UxBoD)
Date: Mon Jul 30 19:41:06 2007
Subject: CRM114
In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020E59@houpex02.nfsmith.info>
Message-ID: <22273059.6721185821097215.JavaMail.root@office.splatnix.net>

Okay, within the crm114.cf did you set the option for it to autolearn based on whether SA believes it is SPAM or HAM? If not then you have to feed in the mail outside of SA.
Regards,

--[ UxBoD ]--

----- Original Message -----
From: "Mike Kercher"
To: "MailScanner discussion"
Sent: Monday, July 30, 2007 7:36:08 PM (GMT) Europe/London
Subject: RE: CRM114

Sparse spectra file spam.css statistics:

Total available buckets          : 1048577
Total buckets in use             : 0
Total in-use zero-count buckets  : 0
Total buckets with value >= max  : 0
Total hashed datums in file      : 0
Documents learned                : 1
Features learned                 : 1
Average datums per bucket        : 0.00
Maximum length of overflow chain : 0
Average length of overflow chain : 0.00
Average packing density          : 0.00

The timestamp is the same as when I created them this morning.

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
Sent: Monday, July 30, 2007 1:31 PM
To: MailScanner discussion
Subject: Re: CRM114

What does cssutil -b -r spam.css show? Are the timestamps being updated on the files as well? If you could send a list of the directory as well?

Regards,

--[ UxBoD ]--

OK...I got CRM working with SA, but it's not scoring anything at all.
All of my log entries have something like this:

Jul 30 13:18:13 HOUPMS01 MailScanner[31354]: Message l6UIHuwr010077 from 208.79.167.21 (secretsrevealed@ghv.affairthrust.com) to domain.com is spam, SpamAssassin (not cached, score=22.517, required 6.1, autolearn=spam, BAYES_99 3.50, CRM114_CHECK -0.00, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.00, HTML_IMAGE_ONLY_04 2.04, HTML_MESSAGE 0.00, HTML_MIME_NO_HTML_TAG 0.10, HTML_SHORT_LINK_IMG_1 0.00, KAM_ADVERT2 0.55, MIME_HTML_ONLY 1.46, PYZOR_CHECK 3.70, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, SPF_HELO_PASS -0.00, URIBL_BLACK 5.00)

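Added example (not code from the thread or from the CRM114 plugin): a Python check that reads the two diagnostics exchanged above, the cssutil report for spam.css and the MailScanner log line, and reports whether the classifier file holds any learned features and whether CRM114_CHECK contributed to the SpamAssassin score. Function names are assumptions; the sample inputs are copied from the thread with their line layout reconstructed.

```python
import re

# cssutil output as posted in the thread (line breaks reconstructed).
CSSUTIL_REPORT = """\
Sparse spectra file spam.css statistics:
Total available buckets          : 1048577
Total buckets in use             : 0
Total in-use zero-count buckets  : 0
Total buckets with value >= max  : 0
Total hashed datums in file      : 0
Documents learned                : 1
Features learned                 : 1
Average datums per bucket        : 0.00
Maximum length of overflow chain : 0
Average length of overflow chain : 0.00
Average packing density          : 0.00
"""

# MailScanner log line as posted in the thread.
LOG_LINE = (
    "Jul 30 13:18:13 HOUPMS01 MailScanner[31354]: Message l6UIHuwr010077 from "
    "208.79.167.21 (secretsrevealed@ghv.affairthrust.com) to domain.com is spam, "
    "SpamAssassin (not cached, score=22.517, required 6.1, autolearn=spam, "
    "BAYES_99 3.50, CRM114_CHECK -0.00, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.00, "
    "HTML_IMAGE_ONLY_04 2.04, HTML_MESSAGE 0.00, HTML_MIME_NO_HTML_TAG 0.10, "
    "HTML_SHORT_LINK_IMG_1 0.00, KAM_ADVERT2 0.55, MIME_HTML_ONLY 1.46, "
    "PYZOR_CHECK 3.70, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, "
    "RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, SPF_HELO_PASS -0.00, "
    "URIBL_BLACK 5.00)"
)

RULE_RE = re.compile(r"^([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)$")


def parse_cssutil(report):
    """Map each 'name : number' line of a cssutil report to a float."""
    stats = {}
    for line in report.splitlines():
        key, sep, value = line.rpartition(":")
        if not sep:
            continue
        try:
            stats[key.strip()] = float(value)
        except ValueError:
            continue  # header line or non-numeric value
    return stats


def css_is_empty(stats):
    """True when the .css file has no buckets in use and no hashed datums."""
    return (stats.get("Total buckets in use") == 0
            and stats.get("Total hashed datums in file") == 0)


def parse_sa_report(log_line):
    """Extract total score, threshold and per-rule scores from the log line."""
    m = re.search(r"SpamAssassin \((.*)\)\s*$", log_line)
    if not m:
        raise ValueError("no SpamAssassin report in line")
    report = {"score": None, "required": None, "rules": {}}
    for item in m.group(1).split(", "):
        if item.startswith("score="):
            report["score"] = float(item[len("score="):])
        elif item.startswith("required "):
            report["required"] = float(item.split()[1])
        else:
            rule = RULE_RE.match(item)  # skips "not cached", "autolearn=..."
            if rule:
                report["rules"][rule.group(1)] = float(rule.group(2))
    return report


def diagnose(cssutil_report, log_line, rule="CRM114_CHECK"):
    """Combine both diagnostics into one result for the named rule."""
    stats = parse_cssutil(cssutil_report)
    sa = parse_sa_report(log_line)
    rule_score = sa["rules"].get(rule)
    return {
        "css_empty": css_is_empty(stats),
        "rule_hit": rule_score is not None,
        "rule_score": rule_score,
        "rule_contributes": bool(rule_score),  # -0.00 counts as no contribution
        "rules_sum_matches_total":
            abs(sum(sa["rules"].values()) - sa["score"]) < 0.05,
    }


if __name__ == "__main__":
    print(diagnose(CSSUTIL_REPORT, LOG_LINE))
```
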
From uxbod at splatnix.net Mon Jul 30 19:46:43 2007
From: uxbod at splatnix.net (UxBoD)
Date: Mon Jul 30 19:42:52 2007
Subject: MailScanner/Spamassassin slow after version upgrade
In-Reply-To:
Message-ID: <11409629.6751185821203403.JavaMail.root@office.splatnix.net>

How long does it take if you feed a message manually through SA? i.e.

spamassassin -D < spam.eml

Regards,

--[ UxBoD ]--

From Carl.Andrews at crackerbarrel.com Mon Jul 30 19:43:44 2007
From: Carl.Andrews at crackerbarrel.com (Andrews Carl 455)
Date: Mon Jul 30 19:43:50 2007
Subject: query if mailscanner using clamscan
In-Reply-To: <200707301808.l6UI7x0o027888@smtpgw1.crackerbarrel.com>
Message-ID: <113A0DFC086C984AB9EFDF6B8614F075017D3312@exchange03.CBOCS.com>

FYI - I just downloaded the beta - 4.62.8-1 - through a Bluecoat/SV running Kaspersky with no problems.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Monday, July 30, 2007 1:01 PM
To: MailScanner discussion
Subject: Re: query if mailscanner using clamscan

shuttlebox wrote:
> On 7/29/07, Julian Field wrote:
>
>> The only thing I can think of is to ship with a copy of Eicar.
>>
>
> Please don't ship Eicar with MailScanner. That will make many of us
> not able to download MailScanner since http-scanning will detect a
> virus in it.
>
> The ClamAV module used to contain Eicar so it could be used during
> make test and it stopped me from downloading it. I got the author to
> stop shipping Eicar and I hope you do too.
> Just let us get Eicar
> ourselves. If it's present in the correct location it will be used for
> the lint, otherwise not.
>

I have tried scanning the file with ClamAV and F-Prot and neither of them find it, I've hidden it well enough. It was one of my greatest concerns too. Try downloading it before complaining, you might well find you don't have a problem. It's in the latest beta. Try downloading it and tell me what happens.

Jules

--
Julian Field MEng CITP
www.MailScanner.info

From mkercher at nfsmith.com Mon Jul 30 19:48:37 2007
From: mkercher at nfsmith.com (Mike Kercher)
Date: Mon Jul 30 19:48:40 2007
Subject: CRM114
In-Reply-To: <22273059.6721185821097215.JavaMail.root@office.splatnix.net>
References: <441247027D4F274EB760A5F6E1ED9C7E020E59@houpex02.nfsmith.info>
 <22273059.6721185821097215.JavaMail.root@office.splatnix.net>
Message-ID: <441247027D4F274EB760A5F6E1ED9C7E020E5A@houpex02.nfsmith.info>

That was probably the culprit. Changed that and the timestamp changed upon restarting MS. I DIDN'T change that because:

# should CRM114 be trained by SA-autolearn?
# If enabled, then SA's autolearn also calls the CRM114 plugin.
#
# This is different from :automatic_training: in CRM114's mailfilter.cf
# because SA's score is influenced by several different factors while
# CRM114 has to rely on its own classification.
# But anyway: Only activate this if you know what you're doing!
# default: 0
#crm114_autolearn 0

I didn't know what I was doing :)

Thanks!

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
Sent: Monday, July 30, 2007 1:45 PM
To: MailScanner discussion
Subject: Re: CRM114

Okay, within the crm114.cf did you set the option for it to autolearn based on whether SA believes it is SPAM or HAM? If not then you have to feed in the mail outside of SA.

Regards,

--[ UxBoD ]--

----- Original Message -----
From: "Mike Kercher"
To: "MailScanner discussion"
Sent: Monday, July 30, 2007 7:36:08 PM (GMT) Europe/London
Subject: RE: CRM114

Sparse spectra file spam.css statistics:

Total available buckets          : 1048577
Total buckets in use             : 0
Total in-use zero-count buckets  : 0
Total buckets with value >= max  : 0
Total hashed datums in file      : 0
Documents learned                : 1
Features learned                 : 1
Average datums per bucket        : 0.00
Maximum length of overflow chain : 0
Average length of overflow chain : 0.00
Average packing density          : 0.00

The timestamp is the same as when I created them this morning.

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
Sent: Monday, July 30, 2007 1:31 PM
To: MailScanner discussion
Subject: Re: CRM114

What does cssutil -b -r spam.css show?
Are the timestamps being updated on the files as well? If you could send a list of the directory as well?

Regards,

--[ UxBoD ]--

OK...I got CRM working with SA, but it's not scoring anything at all. All of my log entries have something like this:

Jul 30 13:18:13 HOUPMS01 MailScanner[31354]: Message l6UIHuwr010077 from 208.79.167.21 (secretsrevealed@ghv.affairthrust.com) to domain.com is spam, SpamAssassin (not cached, score=22.517, required 6.1, autolearn=spam, BAYES_99 3.50, CRM114_CHECK -0.00, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.00, HTML_IMAGE_ONLY_04 2.04, HTML_MESSAGE 0.00, HTML_MIME_NO_HTML_TAG 0.10, HTML_SHORT_LINK_IMG_1 0.00, KAM_ADVERT2 0.55, MIME_HTML_ONLY 1.46, PYZOR_CHECK 3.70, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, SPF_HELO_PASS -0.00, URIBL_BLACK 5.00)

From MailScanner at ecs.soton.ac.uk Mon Jul 30 19:49:18 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 30 19:49:54 2007
Subject: MailScanner/Spamassassin slow after version upgrade
In-Reply-To:
References:
Message-ID: <46AE32AE.8000808@ecs.soton.ac.uk>

donald.dawson@bakerbotts.com wrote:
> Max Children = 7
> We have a caching DNS server running (named)
> Max Unsafe Messages Per Scan = 30
> Max Unscanned Messages Per Scan = 30
> I've attached output from the debug command.
>
> I did change the mix of rule sets - dropped several and added a few.
>
> I noticed the incoming emails were creating
> .spamassassin26705z2e3egtmp files (example) in /dev/shm, a ram disk,
> but they are now being created in
> /var/spool/MailScanner/incoming/SpamAssassin-Temp (part of normal
> mounted file system).

Mount /var/spool/MailScanner/incoming with tmpfs for starters, or else change

SpamAssassin Temporary Dir = /dev/shm

You really should mount ..../incoming with tmpfs as that will make a significant speed improvement. It's 100% safe.

>
> dd
>
> -----Original Message-----
> *From:* mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of
> *Gottschalk, David
> *Sent:* Monday, July 30, 2007 1:02 PM
> *To:* MailScanner discussion
> *Subject:* RE: MailScanner/Spamassassin slow after version upgrade
>
> How many children are you running?
>
> Are you running a caching DNS server for SA lookups?
>
> what does 'MailScanner --debug -debug-sa' look like?
> > One thing that made a difference for me was uping my children from > 5 to 10. Also lowering my "Max Unsafe Messages Per Scan" to 10, > and my "Max Unscanned Messages Per Scan" to 10 helped speed things > up as well. > > Hope that helps. > > David Gottschalk > > ------------------------------------------------------------------------ > *From:* mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of > *donald.dawson@bakerbotts.com > *Sent:* Monday, July 30, 2007 1:44 PM > *To:* mailscanner@lists.mailscanner.info > *Subject:* MailScanner/Spamassassin slow after version upgrade > > The time it takes to process an email has doubled since Friday > (7/26/07) when I upgraded to MS 4.62.6 and SA 3.2.2. It was > around 3.5 seconds, and now it is averaging 7 seconds. > > We use DCC and razor2 - no pyzor. > > Jul 30 12:36:35 houmx05 MailScanner[21682]: Batch (30 messages) > processed in 187.50 seconds > Jul 30 12:37:06 houmx05 MailScanner[21662]: Batch (16 messages) > processed in 105.59 seconds > Jul 30 12:37:24 houmx05 MailScanner[21727]: Batch (30 messages) > processed in 196.20 seconds > Jul 30 12:37:28 houmx05 MailScanner[21776]: Batch (30 messages) > processed in 211.89 seconds > Jul 30 12:37:38 houmx05 MailScanner[21793]: Batch (30 messages) > processed in 223.64 seconds > > sar -u shows idle CPU time: > 12:00:01 AM CPU %user %nice %system %iowait %idle > Average: all 10.49 0.00 4.99 1.00 > 83.51 > > # uptime is normal > 12:38:30 up 5 days, 25 min, 1 user, load average: 0.81, 0.79, 0.83 > > I have implemented sa-compile using re2c expecting to get a > performance boost. > > 'MailScanner --lint' doesn't show any errors, except noting that > we have clamav processing turned off (output attached). > > <> > I have included output from spamassassin's lint command. 
> > /etc/mail/spamassassin contents: > bakerbotts.cf - custom local rule file > Botnet.cf > Botnet.pm > init.pre > init.pre.pre-v310 > KAM.cf > local.cf > mailscanner.cf > pdfinfo.cf > sare-sa-update-channels.txt > sa-update-keys > v310.pre > v312.pre > v320.pre > > contents of sare-sa-update-channels.txt used by update_spamassassin: > > updates.spamassassin.org > 70_sare_adult.cf.sare.sa-update.dostech.net > 70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net > 70_sare_evilnum0.cf.sare.sa-update.dostech.net > 70_sare_genlsubj0.cf.sare.sa-update.dostech.net > 70_sare_genlsubj1.cf.sare.sa-update.dostech.net > 70_sare_genlsubj2.cf.sare.sa-update.dostech.net > 70_sare_header.cf.sare.sa-update.dostech.net > 70_sare_highrisk.cf.sare.sa-update.dostech.net > 70_sare_html.cf.sare.sa-update.dostech.net > 70_sare_obfu.cf.sare.sa-update.dostech.net > 70_sare_oem.cf.sare.sa-update.dostech.net > 70_sare_random.cf.sare.sa-update.dostech.net > 70_sare_specific.cf.sare.sa-update.dostech.net > 70_sare_spoof.cf.sare.sa-update.dostech.net > 70_sare_stocks.cf.sare.sa-update.dostech.net > 70_sare_unsub.cf.sare.sa-update.dostech.net > 70_sare_uri0.cf.sare.sa-update.dostech.net > 70_sare_uri1.cf.sare.sa-update.dostech.net > 70_sare_uri2.cf.sare.sa-update.dostech.net > 70_sare_whitelist.cf.sare.sa-update.dostech.net > 70_sare_whitelist_rcvd.cf.sare.sa-update.dostech.net > 70_sare_whitelist_spf.cf.sare.sa-update.dostech.net > 72_sare_bml_post25x.cf.sare.sa-update.dostech.net > 72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net > 88_FVGT_headers.cf.sare.sa-update.dostech.net > 99_FVGT_Tripwire.cf.sare.sa-update.dostech.net > 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net > > Any ideas would be greatly appreciated. > > Thanks, > Donald > > Donald Dawson > Security Administrator > Baker Botts L.L.P. 
> 713-229-2183 > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGrjKvEfZZRxQVtlQRAhztAKCIMUCFRg8YWlo65DmcJFp7wcvfsQCg1POp NgfZUbbDKEVyPXhgKLjPfhU= =eKvZ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Mon Jul 30 19:50:54 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 30 19:51:30 2007 Subject: MailScanner/Spamassassin slow after version upgrade In-Reply-To: References: Message-ID: <46AE330E.7030004@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Also, currently to disable watermarking, set *all* the watermarking options to no. Not just "Add Watermark". That problem will hopefully go away by the time I release it as stable. 
donald.dawson@bakerbotts.com wrote: > Here are the differences between the old and new conf file: > > # diff MailScanner.conf old/MailScanner.conf.07262007 > < Zip Attachments = no > < Attachments Zip Filename = MessageAttachments.zip > < Attachments Min Total Size To Zip = 100k > < Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg > .mpe .mpeg .mp3 .rpm .htm .html .eml > < Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* > /usr/local/share/clamav/*.cvd > >> Monitors for ClamAV Updates = /usr/local/share/clamav/*.cvd >> > < Clamd Port = 3310 > < Clamd Socket = /tmp/clamd > < Clamd Lock File = # /var/lock/subsys/clamd > < Clamd Use Threads = no > < Known Web Bug Servers = msgtag.com > < Signature Image Filename = %report-dir%/sig.jpg > < Signature Image Filename = signature.jpg > < Attach Image To Signature = no > < Attach Image To HTML Message Only = yes > < Spam List = # spamhaus-ZEN # You can un-comment this to enable them > >> Spam List = SBL+XBL >> > < Ignore Spam Whitelist If Recipients Exceed = 40 > >> Ignore Spam Whitelist If Recipients Exceed = 75 >> > < Add Watermark = yes > < Check Watermarks = yes > < Treat Invalid Watermarks as Spam = spam > < Watermark Secret = %org-name%-Secretfrog > < Watermark Lifetime = 604800 > < Watermark Header = X-%org-name%-MailScanner-Watermark: > < Max SpamAssassin Size = 100k > >> Max SpamAssassin Size = 90k >> > < Max SpamAssassin Timeouts = 10 > >> Max SpamAssassin Timeouts = 20 >> > < SpamAssassin Rule Actions = > < SpamAssassin Temporary Dir = > /var/spool/MailScanner/incoming/SpamAssassin-Temp > < MailScanner Version Number = 4.62.6 > >> MailScanner Version Number = 4.59.4 >> > > I could downgrade, but I am reticent to do so. > > What I may do is work on another mail server and upgrade in pieces. > > 1) Upgrade MS, but not SA. 
> 2) turn off watermarking at first > 3) leave rule sets the same, then implement changes one by one > 4) sa-compile after the other tests > 5) upgrade SA > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: Monday, July 30, 2007 1:10 PM > To: MailScanner discussion > Subject: Re: MailScanner/Spamassassin slow after version upgrade > > > > * PGP Bad Signature, Signed by an unverified key: 07/30/07 at 19:09:46 > > Also, what new settings did it add when you did the > upgrade_MailScanner_conf? > Are any of those options on when you would prefer them to be off? > The new code should only ever look up new config options, and not > execute new code if you don't have them switched on. > > Also, how easy is it for you to downgrade again? > upgrade_MailScanner_conf will happily downgrade as well as upgrade. > > Gottschalk, David wrote: > >> How many children are you running? >> >> Are you running a caching DNS server for SA lookups? >> >> what does 'MailScanner --debug -debug-sa' look like? >> >> One thing that made a difference for me was uping my children from 5 >> to 10. Also lowering my "Max Unsafe Messages Per Scan" to 10, and my >> "Max Unscanned Messages Per Scan" to 10 helped speed things up as >> > well. > >> >> Hope that helps. >> >> David Gottschalk >> >> >> > ------------------------------------------------------------------------ > >> *From:* mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of >> *donald.dawson@bakerbotts.com >> *Sent:* Monday, July 30, 2007 1:44 PM >> *To:* mailscanner@lists.mailscanner.info >> *Subject:* MailScanner/Spamassassin slow after version upgrade >> >> The time it takes to process an email has doubled since Friday >> (7/26/07) when I upgraded to MS 4.62.6 and SA 3.2.2. It was around >> 3.5 seconds, and now it is averaging 7 seconds. 
>> >> We use DCC and razor2 - no pyzor. >> >> Jul 30 12:36:35 houmx05 MailScanner[21682]: Batch (30 messages) >> processed in 187.50 seconds >> Jul 30 12:37:06 houmx05 MailScanner[21662]: Batch (16 messages) >> processed in 105.59 seconds >> Jul 30 12:37:24 houmx05 MailScanner[21727]: Batch (30 messages) >> processed in 196.20 seconds >> Jul 30 12:37:28 houmx05 MailScanner[21776]: Batch (30 messages) >> processed in 211.89 seconds >> Jul 30 12:37:38 houmx05 MailScanner[21793]: Batch (30 messages) >> processed in 223.64 seconds >> >> sar -u shows idle CPU time: >> 12:00:01 AM CPU %user %nice %system %iowait %idle >> Average: all 10.49 0.00 4.99 1.00 >> > 83.51 > >> # uptime is normal >> 12:38:30 up 5 days, 25 min, 1 user, load average: 0.81, 0.79, 0.83 >> >> I have implemented sa-compile using re2c expecting to get a >> performance boost. >> >> 'MailScanner --lint' doesn't show any errors, except noting that we >> have clamav processing turned off (output attached). >> >> <> >> I have included output from spamassassin's lint command. 
>> >> /etc/mail/spamassassin contents: >> bakerbotts.cf - custom local rule file >> Botnet.cf >> Botnet.pm >> init.pre >> init.pre.pre-v310 >> KAM.cf >> local.cf >> mailscanner.cf >> pdfinfo.cf >> sare-sa-update-channels.txt >> sa-update-keys >> v310.pre >> v312.pre >> v320.pre >> >> contents of sare-sa-update-channels.txt used by update_spamassassin: >> >> updates.spamassassin.org >> 70_sare_adult.cf.sare.sa-update.dostech.net >> 70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net >> 70_sare_evilnum0.cf.sare.sa-update.dostech.net >> 70_sare_genlsubj0.cf.sare.sa-update.dostech.net >> 70_sare_genlsubj1.cf.sare.sa-update.dostech.net >> 70_sare_genlsubj2.cf.sare.sa-update.dostech.net >> 70_sare_header.cf.sare.sa-update.dostech.net >> 70_sare_highrisk.cf.sare.sa-update.dostech.net >> 70_sare_html.cf.sare.sa-update.dostech.net >> 70_sare_obfu.cf.sare.sa-update.dostech.net >> 70_sare_oem.cf.sare.sa-update.dostech.net >> 70_sare_random.cf.sare.sa-update.dostech.net >> 70_sare_specific.cf.sare.sa-update.dostech.net >> 70_sare_spoof.cf.sare.sa-update.dostech.net >> 70_sare_stocks.cf.sare.sa-update.dostech.net >> 70_sare_unsub.cf.sare.sa-update.dostech.net >> 70_sare_uri0.cf.sare.sa-update.dostech.net >> 70_sare_uri1.cf.sare.sa-update.dostech.net >> 70_sare_uri2.cf.sare.sa-update.dostech.net >> 70_sare_whitelist.cf.sare.sa-update.dostech.net >> 70_sare_whitelist_rcvd.cf.sare.sa-update.dostech.net >> 70_sare_whitelist_spf.cf.sare.sa-update.dostech.net >> 72_sare_bml_post25x.cf.sare.sa-update.dostech.net >> 72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net >> 88_FVGT_headers.cf.sare.sa-update.dostech.net >> 99_FVGT_Tripwire.cf.sare.sa-update.dostech.net >> 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net >> >> Any ideas would be greatly appreciated. >> >> Thanks, >> Donald >> >> Donald Dawson >> Security Administrator >> Baker Botts L.L.P. 
>> 713-229-2183 >> >> > > Jules > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGrjMPEfZZRxQVtlQRAn8TAKC/LeeqyN22LViGl8q3qn6uwyWKMACg7MiB vgyIaHs+LOFMsjwfFyV8C6k= =T7lo -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From uxbod at splatnix.net Mon Jul 30 20:00:57 2007 From: uxbod at splatnix.net (UxBoD) Date: Mon Jul 30 19:57:05 2007 Subject: CRM114 In-Reply-To: Message-ID: <15274597.6811185822057467.JavaMail.root@office.splatnix.net> > WARNING Yes, because if your SA is not tuned correctly then CRM would be populated with rubbish data ;) Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Mon Jul 30 19:59:24 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 30 19:59:49 2007 Subject: query if mailscanner using clamscan In-Reply-To: <113A0DFC086C984AB9EFDF6B8614F075017D3312@exchange03.CBOCS.com> References: <113A0DFC086C984AB9EFDF6B8614F075017D3312@exchange03.CBOCS.com> Message-ID: <46AE350C.9000809@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Thought it would. Thanks for confirming that. Cheers, Jules. 
Andrews Carl 455 wrote: > FYI - I just downloaded the beta - 4.62.8-1 - through a Bluecoat/SV > running Kaspersky with no problems. > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: Monday, July 30, 2007 1:01 PM > To: MailScanner discussion > Subject: Re: query if mailscanner using clamscan > > > > * PGP Bad Signature, Signed by an unverified key: 07/30/07 at 19:01:29 > > > > shuttlebox wrote: > >> On 7/29/07, Julian Field wrote: >> >> >>> The only thing I can think of is to ship with a copy of Eicar. >>> >>> >> Please don't ship Eicar with MailScanner. That will make many of us >> not able to download MailScanner since http-scanning will detect a >> virus in it. >> >> The ClamAV module used to contain Eicar so it could be used during >> make test and it stopped me from downloading it. I got the author to >> stop shipping Eicar and I hope you do too. Just let us get Eicar >> ourselves. If it's present in the correct location it will be used for >> the lint, otherwise not. >> >> > I have tried scanning the file with ClamAV and F-Prot and neither of > them find it, I've hidden it well enough. It was one of my greatest > concerns too. Try downloading it before complaining, you might well find > you don't have a problem. > > It's in the latest beta. Try downloading it and tell me what happens. > > Jules > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGrjUNEfZZRxQVtlQRAiAnAKCOmLZ0Yf07tLc3FghQhkoHbHG3+gCgyQcT hZV1rpx/zkudYGnOsmb0J9w= =KXeb -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From rich at mail.wvnet.edu Mon Jul 30 20:18:09 2007 From: rich at mail.wvnet.edu (Richard Lynch) Date: Mon Jul 30 20:18:16 2007 Subject: Release beta 4.62.8 In-Reply-To: References: Message-ID: <46AE3971.2030401@mail.wvnet.edu> Julian Field wrote: > I have just released another new beta, due to a typo in the code in > the previous one. > -- As well as fixing that error, you should now find that "MailScanner > --lint" does rather more than it used to. It now checks that your > installed virus scanners actually successfully detect a virus. I have never been able to get "MailScanner --lint" to work. I get... [root@otis ~]# MailScanner --lint Cannot open config file --lint, No such file or directory at /usr/lib/MailScanner/MailScanner/Config.pm line 656. Compilation failed in require at /usr/sbin/MailScanner line 69. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 69. Looks like it's trying to find a config file called "--lint". This is on a RHEL4 system. What am I doing wrong? 
Richard Lynch WVNET -- From donald.dawson at bakerbotts.com Mon Jul 30 20:21:02 2007 From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com) Date: Mon Jul 30 20:21:12 2007 Subject: MailScanner/Spamassassin slow after version upgrade In-Reply-To: <11409629.6751185821203403.JavaMail.root@office.splatnix.net> Message-ID: about 8 seconds -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD Sent: Monday, July 30, 2007 1:47 PM To: MailScanner discussion Subject: Re: MailScanner/Spamassassin slow after version upgrade How long does it take if you feed a message manually through SA ? ie. spamassassin -D < spam.eml Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- A non-text attachment was scrubbed... Name: spam-d.z-p Type: application/octet-stream Size: 12072 bytes Desc: spam-d.z-p Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070730/e777c00f/spam-d.obj From raymond at prolocation.net Mon Jul 30 20:21:17 2007 From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Mon Jul 30 20:21:15 2007 Subject: {Spam?} MailScanner/Spamassassin slow after version upgrade In-Reply-To: References: Message-ID: Hi! > The time it takes to process an email has doubled since Friday (7/26/07) > when I upgraded to MS 4.62.6 and SA 3.2.2. 
It was around 3.5 seconds, > and now it is averaging 7 seconds. > > We use DCC and razor2 - no pyzor. > > Jul 30 12:36:35 houmx05 MailScanner[21682]: Batch (30 messages) > processed in 187.50 seconds > Jul 30 12:37:06 houmx05 MailScanner[21662]: Batch (16 messages) > processed in 105.59 seconds > Jul 30 12:37:24 houmx05 MailScanner[21727]: Batch (30 messages) > processed in 196.20 seconds > Jul 30 12:37:28 houmx05 MailScanner[21776]: Batch (30 messages) > processed in 211.89 seconds > Jul 30 12:37:38 houmx05 MailScanner[21793]: Batch (30 messages) > processed in 223.64 seconds This is extremely slow if i may say. Are you running on a 286 ? :) > Any ideas would be greatly appreciated. DNS issues ? Bye, Raymond. From MailScanner at ecs.soton.ac.uk Mon Jul 30 20:21:23 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 30 20:21:57 2007 Subject: CRM114 In-Reply-To: <15274597.6811185822057467.JavaMail.root@office.splatnix.net> References: <15274597.6811185822057467.JavaMail.root@office.splatnix.net> Message-ID: <46AE3A33.4050504@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Can someone write up installing crm114 as a HOWTO on the mailscanner wiki please? UxBoD wrote: >> WARNING >> > > Yes, because if your SA is not tuned correctly then CRM would be populated with rubbish data ;) > > Regards, > > --[ UxBoD ]-- > // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B > // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B > // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: UTF-8 wj8DBQFGrjo0EfZZRxQVtlQRAlKXAJ9lhd+SrrsfXqJBMAIOsH6y9JUeUgCgniMk FdBT9IcnOfUmmMaNHokpwrE= =h9c0 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From donald.dawson at bakerbotts.com Mon Jul 30 20:22:26 2007 From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com) Date: Mon Jul 30 20:22:35 2007 Subject: MailScanner/Spamassassin slow after version upgrade In-Reply-To: <46AE32AE.8000808@ecs.soton.ac.uk> Message-ID: thanks - already have it mounted as tempfs (/var/spool/MailScanner/incoming). I've attached another sa-debug -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Monday, July 30, 2007 1:49 PM To: MailScanner discussion Subject: Re: MailScanner/Spamassassin slow after version upgrade -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 donald.dawson@bakerbotts.com wrote: > Max Children = 7 > We have a caching DNS server running (named) > Max Unsafe Messages Per Scan = 30 > Max Unscanned Messages Per Scan = 30 > I've attached output from the debug command. > > I did change the mix of rule sets - dropped several and added a few. > > I noticed the incoming emails were creating > .spamassassin26705z2e3egtmp files (example) in /dev/shm, a ram disk, > but they are now being created in > /var/spool/MailScanner/incoming/SpamAssassin-Temp (part of normal > mounted file system). 
Mount /var/spool/MailScanner/incoming with tmpfs for starters, or else change SpamAssassin Temporary Dir = /dev/shm You really should mount ..../incoming with tmpfs as that will make a significant speed improvement. It's 100% safe. > > dd > > -----Original Message----- > *From:* mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of > *Gottschalk, David > *Sent:* Monday, July 30, 2007 1:02 PM > *To:* MailScanner discussion > *Subject:* RE: MailScanner/Spamassassin slow after version upgrade > > How many children are you running? > > Are you running a caching DNS server for SA lookups? > > what does 'MailScanner --debug -debug-sa' look like? > > One thing that made a difference for me was uping my children from > 5 to 10. Also lowering my "Max Unsafe Messages Per Scan" to 10, > and my "Max Unscanned Messages Per Scan" to 10 helped speed things > up as well. > > Hope that helps. > > David Gottschalk > > ------------------------------------------------------------------------ > *From:* mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of > *donald.dawson@bakerbotts.com > *Sent:* Monday, July 30, 2007 1:44 PM > *To:* mailscanner@lists.mailscanner.info > *Subject:* MailScanner/Spamassassin slow after version upgrade > > The time it takes to process an email has doubled since Friday > (7/26/07) when I upgraded to MS 4.62.6 and SA 3.2.2. It was > around 3.5 seconds, and now it is averaging 7 seconds. > > We use DCC and razor2 - no pyzor. 
> > Jul 30 12:36:35 houmx05 MailScanner[21682]: Batch (30 messages) > processed in 187.50 seconds > Jul 30 12:37:06 houmx05 MailScanner[21662]: Batch (16 messages) > processed in 105.59 seconds > Jul 30 12:37:24 houmx05 MailScanner[21727]: Batch (30 messages) > processed in 196.20 seconds > Jul 30 12:37:28 houmx05 MailScanner[21776]: Batch (30 messages) > processed in 211.89 seconds > Jul 30 12:37:38 houmx05 MailScanner[21793]: Batch (30 messages) > processed in 223.64 seconds > > sar -u shows idle CPU time: > 12:00:01 AM CPU %user %nice %system %iowait %idle > Average: all 10.49 0.00 4.99 1.00 > 83.51 > > # uptime is normal > 12:38:30 up 5 days, 25 min, 1 user, load average: 0.81, 0.79, 0.83 > > I have implemented sa-compile using re2c expecting to get a > performance boost. > > 'MailScanner --lint' doesn't show any errors, except noting that > we have clamav processing turned off (output attached). > > <> > I have included output from spamassassin's lint command. > > /etc/mail/spamassassin contents: > bakerbotts.cf - custom local rule file > Botnet.cf > Botnet.pm > init.pre > init.pre.pre-v310 > KAM.cf > local.cf > mailscanner.cf > pdfinfo.cf > sare-sa-update-channels.txt > sa-update-keys > v310.pre > v312.pre > v320.pre > > contents of sare-sa-update-channels.txt used by update_spamassassin: > > updates.spamassassin.org > 70_sare_adult.cf.sare.sa-update.dostech.net > 70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net > 70_sare_evilnum0.cf.sare.sa-update.dostech.net > 70_sare_genlsubj0.cf.sare.sa-update.dostech.net > 70_sare_genlsubj1.cf.sare.sa-update.dostech.net > 70_sare_genlsubj2.cf.sare.sa-update.dostech.net > 70_sare_header.cf.sare.sa-update.dostech.net > 70_sare_highrisk.cf.sare.sa-update.dostech.net > 70_sare_html.cf.sare.sa-update.dostech.net > 70_sare_obfu.cf.sare.sa-update.dostech.net > 70_sare_oem.cf.sare.sa-update.dostech.net > 70_sare_random.cf.sare.sa-update.dostech.net > 70_sare_specific.cf.sare.sa-update.dostech.net > 
70_sare_spoof.cf.sare.sa-update.dostech.net > 70_sare_stocks.cf.sare.sa-update.dostech.net > 70_sare_unsub.cf.sare.sa-update.dostech.net > 70_sare_uri0.cf.sare.sa-update.dostech.net > 70_sare_uri1.cf.sare.sa-update.dostech.net > 70_sare_uri2.cf.sare.sa-update.dostech.net > 70_sare_whitelist.cf.sare.sa-update.dostech.net > 70_sare_whitelist_rcvd.cf.sare.sa-update.dostech.net > 70_sare_whitelist_spf.cf.sare.sa-update.dostech.net > 72_sare_bml_post25x.cf.sare.sa-update.dostech.net > 72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net > 88_FVGT_headers.cf.sare.sa-update.dostech.net > 99_FVGT_Tripwire.cf.sare.sa-update.dostech.net > 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net > > Any ideas would be greatly appreciated. > > Thanks, > Donald > > Donald Dawson > Security Administrator > Baker Botts L.L.P. > 713-229-2183 > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGrjKvEfZZRxQVtlQRAhztAKCIMUCFRg8YWlo65DmcJFp7wcvfsQCg1POp NgfZUbbDKEVyPXhgKLjPfhU= =eKvZ -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: ms_debug2.z-p Type: application/octet-stream Size: 12838 bytes Desc: ms_debug2.z-p Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070730/740a40c8/ms_debug2-0001.obj From uxbod at splatnix.net Mon Jul 30 20:37:41 2007 From: uxbod at splatnix.net (UxBoD) Date: Mon Jul 30 20:33:49 2007 Subject: CRM114 In-Reply-To: <46AE3A33.4050504@ecs.soton.ac.uk> Message-ID: <13428375.6841185824261665.JavaMail.root@office.splatnix.net> If no other takers will do it Jules (as long as somebody can correctly my english ;)) Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- From: "Julian Field" To: "MailScanner discussion" Sent: Monday, July 30, 2007 8:21:23 PM (GMT) Europe/London Subject: Re: CRM114 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Can someone write up installing crm114 as a HOWTO on the mailscanner wiki please? UxBoD wrote: >> WARNING >> > > Yes, because if your SA is not tuned correctly then CRM would be populated with rubbish data ;) > > Regards, > > --[ UxBoD ]-- > // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B > // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B > // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: UTF-8 wj8DBQFGrjo0EfZZRxQVtlQRAlKXAJ9lhd+SrrsfXqJBMAIOsH6y9JUeUgCgniMk FdBT9IcnOfUmmMaNHokpwrE= =h9c0 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From r.berber at computer.org Mon Jul 30 20:39:08 2007 From: r.berber at computer.org (René Berber) Date: Mon Jul 30 20:39:26 2007 Subject: Watermarking quirks still in 4.62.8 In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA013584B1@HC-MBX02.herefordshire.gov.uk> References: <7EF0EE5CB3B263488C8C18823239BEBA013584B1@HC-MBX02.herefordshire.gov.uk> Message-ID: Randal, Phil wrote: > A couple of issues with watermarking: > > 1: Read receipts are getting blocked ("spam(no null-header or sender > address)") No problem in my setup (sendmail). How are you guys testing the watermark functionality? I see the added header, and "Forwarding 1 unscanned messages" in the log, is that the only clue that it worked as expected? -- René Berber
From ssilva at sgvwater.com Mon Jul 30 20:41:59 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Jul 30 20:42:10 2007 Subject: query if mailscanner using clamscan In-Reply-To: <46AE2778.4030804@ecs.soton.ac.uk> References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46AB24AF.7060804@ecs.soton.ac.uk> <46AB330F.2080204@ecs.soton.ac.uk> <46AC7383.1010904@ecs.soton.ac.uk> <46ACA1F7.7060805@ecs.soton.ac.uk> <625385e30707301009y3b9ae26cm6297d170b34bcd2d@mail.gmail.com> <46AE2778.4030804@ecs.soton.ac.uk> Message-ID: Julian Field spake the following on 7/30/2007 11:01 AM: > > > shuttlebox wrote: >> On 7/29/07, Julian Field wrote: > >>> The only thing I can think of is to ship with a copy of Eicar. >>> >> Please don't ship Eicar with MailScanner. That will make many of us >> not able to download MailScanner since http-scanning will detect a >> virus in it. > >> The ClamAV module used to contain Eicar so it could be used during >> make test and it stopped me from downloading it. I got the author to >> stop shipping Eicar and I hope you do too. Just let us get Eicar >> ourselves. If it's present in the correct location it will be used for >> the lint, otherwise not. > > I have tried scanning the file with ClamAV and F-Prot and neither of > them find it, I've hidden it well enough. It was one of my greatest > concerns too. Try downloading it before complaining, you might well find > you don't have a problem. > > It's in the latest beta. Try downloading it and tell me what happens. > > Jules > McAfee doesn't catch it either. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!
From mkercher at nfsmith.com Mon Jul 30 20:42:59 2007
From: mkercher at nfsmith.com (Mike Kercher)
Date: Mon Jul 30 20:43:03 2007
Subject: CRM114
In-Reply-To: <13428375.6841185824261665.JavaMail.root@office.splatnix.net>
References: <46AE3A33.4050504@ecs.soton.ac.uk> <13428375.6841185824261665.JavaMail.root@office.splatnix.net>
Message-ID: <441247027D4F274EB760A5F6E1ED9C7E020E5E@houpex02.nfsmith.info>

Your English is better than my !

Mike

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
Sent: Monday, July 30, 2007 2:38 PM
To: MailScanner discussion
Subject: Re: CRM114

If no other takers will do it Jules (as long as somebody can correctly my english ;))

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Julian Field"
To: "MailScanner discussion"
Sent: Monday, July 30, 2007 8:21:23 PM (GMT) Europe/London
Subject: Re: CRM114

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can someone write up installing crm114 as a HOWTO on the mailscanner wiki please?

UxBoD wrote:
>> WARNING
>>
>
> Yes, because if your SA is not tuned correctly then CRM would be
> populated with rubbish data ;)
>
> Regards,
>
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B //
> Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869
> 2749 SIP Phone: uxbod@sip.splatnix.net
>
>
Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: UTF-8

wj8DBQFGrjo0EfZZRxQVtlQRAlKXAJ9lhd+SrrsfXqJBMAIOsH6y9JUeUgCgniMk
FdBT9IcnOfUmmMaNHokpwrE=
=h9c0
-----END PGP SIGNATURE-----

From ssilva at sgvwater.com Mon Jul 30 20:44:20 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Jul 30 20:45:08 2007
Subject: Release beta 4.62.8
In-Reply-To: <46AE3971.2030401@mail.wvnet.edu>
References: <46AE3971.2030401@mail.wvnet.edu>
Message-ID:

Richard Lynch spake the following on 7/30/2007 12:18 PM:
> Julian Field wrote:
>> I have just released another new beta, due to a typo in the code in
>> the previous one.
>> -- As well as fixing that error, you should now find that "MailScanner
>> --lint" does rather more than it used to. It now checks that your
>> installed virus scanners actually successfully detect a virus.
> I have never been able to get "MailScanner --lint" to work. I get...
>
> [root@otis ~]# MailScanner --lint
> Cannot open config file --lint, No such file or directory at
> /usr/lib/MailScanner/MailScanner/Config.pm line 656.
> Compilation failed in require at /usr/sbin/MailScanner line 69.
> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 69.
>
>
> Looks like it's trying to find a config file called "--lint". This is
> on a RHEL4 system.
>
> What am I doing wrong?
>
What version are you running?

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From uxbod at splatnix.net Mon Jul 30 20:55:00 2007
From: uxbod at splatnix.net (UxBoD)
Date: Mon Jul 30 20:51:05 2007
Subject: CRM114
In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020E5E@houpex02.nfsmith.info>
Message-ID: <1063931.6871185825300392.JavaMail.root@office.splatnix.net>

If anybody had any errors when installing CRM114, and found a workaround, could they let me know off-list and I will compile it all together. Not used a WiKi before, but first time for anything. Not sure if there is a way we could put some statistics on there as well?

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From MailScanner at ecs.soton.ac.uk Mon Jul 30 21:16:30 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 30 21:16:55 2007
Subject: Release beta 4.62.8
In-Reply-To: <46AE3971.2030401@mail.wvnet.edu>
References: <46AE3971.2030401@mail.wvnet.edu>
Message-ID: <46AE471E.90003@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Richard Lynch wrote:
> Julian Field wrote:
>> I have just released another new beta, due to a typo in the code in
>> the previous one.
>> -- As well as fixing that error, you should now find that
>> "MailScanner --lint" does rather more than it used to. It now checks
>> that your installed virus scanners actually successfully detect a virus.
> I have never been able to get "MailScanner --lint" to work. I get...
>
> [root@otis ~]# MailScanner --lint
> Cannot open config file --lint, No such file or directory at
> /usr/lib/MailScanner/MailScanner/Config.pm line 656.
> Compilation failed in require at /usr/sbin/MailScanner line 69.
> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 69.
>
>
> Looks like it's trying to find a config file called "--lint". This is
> on a RHEL4 system.
>
> What am I doing wrong?

Update your copy of Getopt::Long and try again. It calls GetOptions which should pull out the options and leave your command-line blank.

>
> Richard Lynch
> WVNET
>
Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGrkcfEfZZRxQVtlQRAohxAJsGITmrP44ZVh2LUQiRP66hFRmiqgCfZvjA
WywIARRgJhrelrkAeZuStVo=
=lgoY
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Mon Jul 30 21:18:07 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 30 21:18:33 2007
Subject: Release beta 4.62.8
In-Reply-To: <46AE3971.2030401@mail.wvnet.edu>
References: <46AE3971.2030401@mail.wvnet.edu>
Message-ID: <46AE477F.5020206@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've got Getopt::Long version 2.35.
perl -MGetopt::Long -e 'print $Getopt::Long::VERSION;'
will tell you the version number.

(Sorry for top-posting, but it saves you lots of scrolling :)

Richard Lynch wrote:
> Julian Field wrote:
>> I have just released another new beta, due to a typo in the code in
>> the previous one.
>> -- As well as fixing that error, you should now find that
>> "MailScanner --lint" does rather more than it used to. It now checks
>> that your installed virus scanners actually successfully detect a virus.
> I have never been able to get "MailScanner --lint" to work. I get...
>
> [root@otis ~]# MailScanner --lint
> Cannot open config file --lint, No such file or directory at
> /usr/lib/MailScanner/MailScanner/Config.pm line 656.
> Compilation failed in require at /usr/sbin/MailScanner line 69.
> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 69.
>
>
> Looks like it's trying to find a config file called "--lint". This is
> on a RHEL4 system.
>
> What am I doing wrong?
>
> Richard Lynch
> WVNET
>
Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGrkeAEfZZRxQVtlQRAoJsAJ9c4QaDOoWdBMR5VcPs6E4xqU6CBQCg3LTx
1DXnodDEIoUoSZqIVD4azn4=
=5a5V
-----END PGP SIGNATURE-----

For all your IT requirements visit www.transtec.co.uk From MailScanner at ecs.soton.ac.uk Mon Jul 30 21:19:30 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Jul 30 21:20:06 2007 Subject: MailScanner/Spamassassin slow after version upgrade In-Reply-To: References: Message-ID: <46AE47D2.1020508@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Just checking, but you do mean tmpfs and not tempfs don't you? donald.dawson@bakerbotts.com wrote: > thanks - already have it mounted as tempfs > (/var/spool/MailScanner/incoming). > > I've attached another sa-debug > > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: Monday, July 30, 2007 1:49 PM > To: MailScanner discussion > Subject: Re: MailScanner/Spamassassin slow after version upgrade > > > > * PGP Bad Signature, Signed by an unverified key: 07/30/07 at 19:49:19 > > > > donald.dawson@bakerbotts.com wrote: > >> Max Children = 7 >> We have a caching DNS server running (named) >> Max Unsafe Messages Per Scan = 30 >> Max Unscanned Messages Per Scan = 30 >> I've attached output from the debug command. >> >> I did change the mix of rule sets - dropped several and added a few. >> >> I noticed the incoming emails were creating >> .spamassassin26705z2e3egtmp files (example) in /dev/shm, a ram disk, >> but they are now being created in >> /var/spool/MailScanner/incoming/SpamAssassin-Temp (part of normal >> mounted file system). >> > Mount /var/spool/MailScanner/incoming with tmpfs for starters, or else > change > SpamAssassin Temporary Dir = /dev/shm > You really should mount ..../incoming with tmpfs as that will make a > significant speed improvement. It's 100% safe. 
> > >> >> dd >> >> -----Original Message----- >> *From:* mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of >> *Gottschalk, David >> *Sent:* Monday, July 30, 2007 1:02 PM >> *To:* MailScanner discussion >> *Subject:* RE: MailScanner/Spamassassin slow after version upgrade >> >> How many children are you running? >> >> Are you running a caching DNS server for SA lookups? >> >> what does 'MailScanner --debug -debug-sa' look like? >> >> One thing that made a difference for me was uping my children from >> 5 to 10. Also lowering my "Max Unsafe Messages Per Scan" to 10, >> and my "Max Unscanned Messages Per Scan" to 10 helped speed things >> up as well. >> >> Hope that helps. >> >> David Gottschalk >> >> >> > ------------------------------------------------------------------------ > >> *From:* mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of >> *donald.dawson@bakerbotts.com >> *Sent:* Monday, July 30, 2007 1:44 PM >> *To:* mailscanner@lists.mailscanner.info >> *Subject:* MailScanner/Spamassassin slow after version upgrade >> >> The time it takes to process an email has doubled since Friday >> (7/26/07) when I upgraded to MS 4.62.6 and SA 3.2.2. It was >> around 3.5 seconds, and now it is averaging 7 seconds. >> >> We use DCC and razor2 - no pyzor. 
>> >> Jul 30 12:36:35 houmx05 MailScanner[21682]: Batch (30 messages) >> processed in 187.50 seconds >> Jul 30 12:37:06 houmx05 MailScanner[21662]: Batch (16 messages) >> processed in 105.59 seconds >> Jul 30 12:37:24 houmx05 MailScanner[21727]: Batch (30 messages) >> processed in 196.20 seconds >> Jul 30 12:37:28 houmx05 MailScanner[21776]: Batch (30 messages) >> processed in 211.89 seconds >> Jul 30 12:37:38 houmx05 MailScanner[21793]: Batch (30 messages) >> processed in 223.64 seconds >> >> sar -u shows idle CPU time: >> 12:00:01 AM CPU %user %nice %system %iowait %idle >> Average: all 10.49 0.00 4.99 1.00 >> 83.51 >> >> # uptime is normal >> 12:38:30 up 5 days, 25 min, 1 user, load average: 0.81, 0.79, >> > 0.83 > >> I have implemented sa-compile using re2c expecting to get a >> performance boost. >> >> 'MailScanner --lint' doesn't show any errors, except noting that >> we have clamav processing turned off (output attached). >> >> <> >> I have included output from spamassassin's lint command. 
>> >> /etc/mail/spamassassin contents: >> bakerbotts.cf - custom local rule file >> Botnet.cf >> Botnet.pm >> init.pre >> init.pre.pre-v310 >> KAM.cf >> local.cf >> mailscanner.cf >> pdfinfo.cf >> sare-sa-update-channels.txt >> sa-update-keys >> v310.pre >> v312.pre >> v320.pre >> >> contents of sare-sa-update-channels.txt used by >> > update_spamassassin: > >> updates.spamassassin.org >> 70_sare_adult.cf.sare.sa-update.dostech.net >> 70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net >> 70_sare_evilnum0.cf.sare.sa-update.dostech.net >> 70_sare_genlsubj0.cf.sare.sa-update.dostech.net >> 70_sare_genlsubj1.cf.sare.sa-update.dostech.net >> 70_sare_genlsubj2.cf.sare.sa-update.dostech.net >> 70_sare_header.cf.sare.sa-update.dostech.net >> 70_sare_highrisk.cf.sare.sa-update.dostech.net >> 70_sare_html.cf.sare.sa-update.dostech.net >> 70_sare_obfu.cf.sare.sa-update.dostech.net >> 70_sare_oem.cf.sare.sa-update.dostech.net >> 70_sare_random.cf.sare.sa-update.dostech.net >> 70_sare_specific.cf.sare.sa-update.dostech.net >> 70_sare_spoof.cf.sare.sa-update.dostech.net >> 70_sare_stocks.cf.sare.sa-update.dostech.net >> 70_sare_unsub.cf.sare.sa-update.dostech.net >> 70_sare_uri0.cf.sare.sa-update.dostech.net >> 70_sare_uri1.cf.sare.sa-update.dostech.net >> 70_sare_uri2.cf.sare.sa-update.dostech.net >> 70_sare_whitelist.cf.sare.sa-update.dostech.net >> 70_sare_whitelist_rcvd.cf.sare.sa-update.dostech.net >> 70_sare_whitelist_spf.cf.sare.sa-update.dostech.net >> 72_sare_bml_post25x.cf.sare.sa-update.dostech.net >> 72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net >> 88_FVGT_headers.cf.sare.sa-update.dostech.net >> 99_FVGT_Tripwire.cf.sare.sa-update.dostech.net >> 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net >> >> Any ideas would be greatly appreciated. >> >> Thanks, >> Donald >> >> Donald Dawson >> Security Administrator >> Baker Botts L.L.P. 
>> 713-229-2183
>>
>>
>
> Jules
>
>
Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGrkfTEfZZRxQVtlQRAsccAKCBHMfOvn/hm86LPQiHdJyzPveqKwCgmWgA
TZJSk9IQSOBE/K13QRf00z0=
=3Y6G
-----END PGP SIGNATURE-----

From uxbod at splatnix.net Mon Jul 30 21:33:12 2007
From: uxbod at splatnix.net (UxBoD)
Date: Mon Jul 30 21:29:19 2007
Subject: Potential use for custom SPAM action ?
Message-ID: <26544701.6961185827592662.JavaMail.root@office.splatnix.net>

Have been thinking what I could use this for and have this idea. Using the idea from http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:rbls:all:your_own_onemore&s=rbl how about if a certain SA score is achieved then it would write into a MySQL table the IP, time, delta seconds since last seen and count. If count > n times then write into the RBL the IP.

What do you think ?

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From donald.dawson at bakerbotts.com Mon Jul 30 21:31:01 2007 From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com) Date: Mon Jul 30 21:31:30 2007 Subject: MailScanner/Spamassassin slow after version upgrade In-Reply-To: <46AE47D2.1020508@ecs.soton.ac.uk> Message-ID: yes, sorry -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: Monday, July 30, 2007 3:20 PM To: MailScanner discussion Subject: Re: MailScanner/Spamassassin slow after version upgrade -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Just checking, but you do mean tmpfs and not tempfs don't you? donald.dawson@bakerbotts.com wrote: > thanks - already have it mounted as tempfs > (/var/spool/MailScanner/incoming). > > I've attached another sa-debug > > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian > Field > Sent: Monday, July 30, 2007 1:49 PM > To: MailScanner discussion > Subject: Re: MailScanner/Spamassassin slow after version upgrade > > > > * PGP Bad Signature, Signed by an unverified key: 07/30/07 at 19:49:19 > > > > donald.dawson@bakerbotts.com wrote: > >> Max Children = 7 >> We have a caching DNS server running (named) >> Max Unsafe Messages Per Scan = 30 >> Max Unscanned Messages Per Scan = 30 >> I've attached output from the debug command. >> >> I did change the mix of rule sets - dropped several and added a few. >> >> I noticed the incoming emails were creating >> .spamassassin26705z2e3egtmp files (example) in /dev/shm, a ram disk, >> but they are now being created in >> /var/spool/MailScanner/incoming/SpamAssassin-Temp (part of normal >> mounted file system). 
>> > Mount /var/spool/MailScanner/incoming with tmpfs for starters, or else > change > SpamAssassin Temporary Dir = /dev/shm > You really should mount ..../incoming with tmpfs as that will make a > significant speed improvement. It's 100% safe. > > >> >> dd >> >> -----Original Message----- >> *From:* mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of >> *Gottschalk, David >> *Sent:* Monday, July 30, 2007 1:02 PM >> *To:* MailScanner discussion >> *Subject:* RE: MailScanner/Spamassassin slow after version upgrade >> >> How many children are you running? >> >> Are you running a caching DNS server for SA lookups? >> >> what does 'MailScanner --debug -debug-sa' look like? >> >> One thing that made a difference for me was uping my children from >> 5 to 10. Also lowering my "Max Unsafe Messages Per Scan" to 10, >> and my "Max Unscanned Messages Per Scan" to 10 helped speed things >> up as well. >> >> Hope that helps. >> >> David Gottschalk >> >> >> > ------------------------------------------------------------------------ > >> *From:* mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of >> *donald.dawson@bakerbotts.com >> *Sent:* Monday, July 30, 2007 1:44 PM >> *To:* mailscanner@lists.mailscanner.info >> *Subject:* MailScanner/Spamassassin slow after version upgrade >> >> The time it takes to process an email has doubled since Friday >> (7/26/07) when I upgraded to MS 4.62.6 and SA 3.2.2. It was >> around 3.5 seconds, and now it is averaging 7 seconds. >> >> We use DCC and razor2 - no pyzor. 
>> >> Jul 30 12:36:35 houmx05 MailScanner[21682]: Batch (30 messages) >> processed in 187.50 seconds >> Jul 30 12:37:06 houmx05 MailScanner[21662]: Batch (16 messages) >> processed in 105.59 seconds >> Jul 30 12:37:24 houmx05 MailScanner[21727]: Batch (30 messages) >> processed in 196.20 seconds >> Jul 30 12:37:28 houmx05 MailScanner[21776]: Batch (30 messages) >> processed in 211.89 seconds >> Jul 30 12:37:38 houmx05 MailScanner[21793]: Batch (30 messages) >> processed in 223.64 seconds >> >> sar -u shows idle CPU time: >> 12:00:01 AM CPU %user %nice %system %iowait %idle >> Average: all 10.49 0.00 4.99 1.00 >> 83.51 >> >> # uptime is normal >> 12:38:30 up 5 days, 25 min, 1 user, load average: 0.81, 0.79, >> > 0.83 > >> I have implemented sa-compile using re2c expecting to get a >> performance boost. >> >> 'MailScanner --lint' doesn't show any errors, except noting that >> we have clamav processing turned off (output attached). >> >> <> >> I have included output from spamassassin's lint command. 
>> >> /etc/mail/spamassassin contents: >> bakerbotts.cf - custom local rule file >> Botnet.cf >> Botnet.pm >> init.pre >> init.pre.pre-v310 >> KAM.cf >> local.cf >> mailscanner.cf >> pdfinfo.cf >> sare-sa-update-channels.txt >> sa-update-keys >> v310.pre >> v312.pre >> v320.pre >> >> contents of sare-sa-update-channels.txt used by >> > update_spamassassin: > >> updates.spamassassin.org >> 70_sare_adult.cf.sare.sa-update.dostech.net >> 70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net >> 70_sare_evilnum0.cf.sare.sa-update.dostech.net >> 70_sare_genlsubj0.cf.sare.sa-update.dostech.net >> 70_sare_genlsubj1.cf.sare.sa-update.dostech.net >> 70_sare_genlsubj2.cf.sare.sa-update.dostech.net >> 70_sare_header.cf.sare.sa-update.dostech.net >> 70_sare_highrisk.cf.sare.sa-update.dostech.net >> 70_sare_html.cf.sare.sa-update.dostech.net >> 70_sare_obfu.cf.sare.sa-update.dostech.net >> 70_sare_oem.cf.sare.sa-update.dostech.net >> 70_sare_random.cf.sare.sa-update.dostech.net >> 70_sare_specific.cf.sare.sa-update.dostech.net >> 70_sare_spoof.cf.sare.sa-update.dostech.net >> 70_sare_stocks.cf.sare.sa-update.dostech.net >> 70_sare_unsub.cf.sare.sa-update.dostech.net >> 70_sare_uri0.cf.sare.sa-update.dostech.net >> 70_sare_uri1.cf.sare.sa-update.dostech.net >> 70_sare_uri2.cf.sare.sa-update.dostech.net >> 70_sare_whitelist.cf.sare.sa-update.dostech.net >> 70_sare_whitelist_rcvd.cf.sare.sa-update.dostech.net >> 70_sare_whitelist_spf.cf.sare.sa-update.dostech.net >> 72_sare_bml_post25x.cf.sare.sa-update.dostech.net >> 72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net >> 88_FVGT_headers.cf.sare.sa-update.dostech.net >> 99_FVGT_Tripwire.cf.sare.sa-update.dostech.net >> 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net >> >> Any ideas would be greatly appreciated. >> >> Thanks, >> Donald >> >> Donald Dawson >> Security Administrator >> Baker Botts L.L.P. 
>> 713-229-2183
>>
>>
>
> Jules
>
>
Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGrkfTEfZZRxQVtlQRAsccAKCBHMfOvn/hm86LPQiHdJyzPveqKwCgmWgA
TZJSk9IQSOBE/K13QRf00z0=
=3Y6G
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Mon Jul 30 21:36:37 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 30 21:37:07 2007
Subject: MailScanner/Spamassassin slow after version upgrade
In-Reply-To:
References:
Message-ID: <46AE4BD5.7030903@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In which case the SA temp files will be running fast like they were when they were in /dev/shm. They are in tmpfs which is what /dev/shm is.

donald.dawson@bakerbotts.com wrote:
> yes, sorry
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian
> Field
> Sent: Monday, July 30, 2007 3:20 PM
> To: MailScanner discussion
> Subject: Re: MailScanner/Spamassassin slow after version upgrade
>
>
>
> * PGP Bad Signature, Signed by an unverified key: 07/30/07 at 21:19:31
>
> Just checking, but you do mean tmpfs and not tempfs don't you?
> > donald.dawson@bakerbotts.com wrote: > >> thanks - already have it mounted as tempfs >> (/var/spool/MailScanner/incoming). >> >> I've attached another sa-debug >> >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >> > Julian > >> Field >> Sent: Monday, July 30, 2007 1:49 PM >> To: MailScanner discussion >> Subject: Re: MailScanner/Spamassassin slow after version upgrade >> >> >> >> >>> Old Bad Signature, Signed by an unverified key: 07/30/07 at 19:49:19 >>> >> >> donald.dawson@bakerbotts.com wrote: >> >> >>> Max Children = 7 >>> We have a caching DNS server running (named) >>> Max Unsafe Messages Per Scan = 30 >>> Max Unscanned Messages Per Scan = 30 >>> I've attached output from the debug command. >>> >>> I did change the mix of rule sets - dropped several and added a few. >>> >>> I noticed the incoming emails were creating >>> .spamassassin26705z2e3egtmp files (example) in /dev/shm, a ram disk, >>> but they are now being created in >>> /var/spool/MailScanner/incoming/SpamAssassin-Temp (part of normal >>> mounted file system). >>> >>> >> Mount /var/spool/MailScanner/incoming with tmpfs for starters, or else >> > > >> change >> SpamAssassin Temporary Dir = /dev/shm >> You really should mount ..../incoming with tmpfs as that will make a >> significant speed improvement. It's 100% safe. >> >> >> >>> >>> dd >>> >>> -----Original Message----- >>> *From:* mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of >>> *Gottschalk, David >>> *Sent:* Monday, July 30, 2007 1:02 PM >>> *To:* MailScanner discussion >>> *Subject:* RE: MailScanner/Spamassassin slow after version >>> > upgrade > >>> How many children are you running? >>> >>> Are you running a caching DNS server for SA lookups? >>> >>> what does 'MailScanner --debug -debug-sa' look like? 
>>> >>> One thing that made a difference for me was uping my children >>> > from > >>> 5 to 10. Also lowering my "Max Unsafe Messages Per Scan" to 10, >>> and my "Max Unscanned Messages Per Scan" to 10 helped speed >>> > things > >>> up as well. >>> >>> Hope that helps. >>> >>> David Gottschalk >>> >>> >>> >>> > ------------------------------------------------------------------------ > >> >> >>> *From:* mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] *On Behalf Of >>> *donald.dawson@bakerbotts.com >>> *Sent:* Monday, July 30, 2007 1:44 PM >>> *To:* mailscanner@lists.mailscanner.info >>> *Subject:* MailScanner/Spamassassin slow after version upgrade >>> >>> The time it takes to process an email has doubled since Friday >>> (7/26/07) when I upgraded to MS 4.62.6 and SA 3.2.2. It was >>> around 3.5 seconds, and now it is averaging 7 seconds. >>> >>> We use DCC and razor2 - no pyzor. >>> >>> Jul 30 12:36:35 houmx05 MailScanner[21682]: Batch (30 messages) >>> processed in 187.50 seconds >>> Jul 30 12:37:06 houmx05 MailScanner[21662]: Batch (16 messages) >>> processed in 105.59 seconds >>> Jul 30 12:37:24 houmx05 MailScanner[21727]: Batch (30 messages) >>> processed in 196.20 seconds >>> Jul 30 12:37:28 houmx05 MailScanner[21776]: Batch (30 messages) >>> processed in 211.89 seconds >>> Jul 30 12:37:38 houmx05 MailScanner[21793]: Batch (30 messages) >>> processed in 223.64 seconds >>> >>> sar -u shows idle CPU time: >>> 12:00:01 AM CPU %user %nice %system %iowait %idle >>> Average: all 10.49 0.00 4.99 1.00 >>> 83.51 >>> >>> # uptime is normal >>> 12:38:30 up 5 days, 25 min, 1 user, load average: 0.81, 0.79, >>> >>> >> 0.83 >> >> >>> I have implemented sa-compile using re2c expecting to get a >>> performance boost. >>> >>> 'MailScanner --lint' doesn't show any errors, except noting that >>> we have clamav processing turned off (output attached). >>> >>> <> >>> I have included output from spamassassin's lint command. 
>>> >>> /etc/mail/spamassassin contents: >>> bakerbotts.cf - custom local rule file >>> Botnet.cf >>> Botnet.pm >>> init.pre >>> init.pre.pre-v310 >>> KAM.cf >>> local.cf >>> mailscanner.cf >>> pdfinfo.cf >>> sare-sa-update-channels.txt >>> sa-update-keys >>> v310.pre >>> v312.pre >>> v320.pre >>> >>> contents of sare-sa-update-channels.txt used by >>> >>> >> update_spamassassin: >> >> >>> updates.spamassassin.org >>> 70_sare_adult.cf.sare.sa-update.dostech.net >>> 70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net >>> 70_sare_evilnum0.cf.sare.sa-update.dostech.net >>> 70_sare_genlsubj0.cf.sare.sa-update.dostech.net >>> 70_sare_genlsubj1.cf.sare.sa-update.dostech.net >>> 70_sare_genlsubj2.cf.sare.sa-update.dostech.net >>> 70_sare_header.cf.sare.sa-update.dostech.net >>> 70_sare_highrisk.cf.sare.sa-update.dostech.net >>> 70_sare_html.cf.sare.sa-update.dostech.net >>> 70_sare_obfu.cf.sare.sa-update.dostech.net >>> 70_sare_oem.cf.sare.sa-update.dostech.net >>> 70_sare_random.cf.sare.sa-update.dostech.net >>> 70_sare_specific.cf.sare.sa-update.dostech.net >>> 70_sare_spoof.cf.sare.sa-update.dostech.net >>> 70_sare_stocks.cf.sare.sa-update.dostech.net >>> 70_sare_unsub.cf.sare.sa-update.dostech.net >>> 70_sare_uri0.cf.sare.sa-update.dostech.net >>> 70_sare_uri1.cf.sare.sa-update.dostech.net >>> 70_sare_uri2.cf.sare.sa-update.dostech.net >>> 70_sare_whitelist.cf.sare.sa-update.dostech.net >>> 70_sare_whitelist_rcvd.cf.sare.sa-update.dostech.net >>> 70_sare_whitelist_spf.cf.sare.sa-update.dostech.net >>> 72_sare_bml_post25x.cf.sare.sa-update.dostech.net >>> 72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net >>> 88_FVGT_headers.cf.sare.sa-update.dostech.net >>> 99_FVGT_Tripwire.cf.sare.sa-update.dostech.net >>> 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net >>> >>> Any ideas would be greatly appreciated. >>> >>> Thanks, >>> Donald >>> >>> Donald Dawson >>> Security Administrator >>> Baker Botts L.L.P. 
>>> 713-229-2183
>>>
>>>
>>>
>> Jules
>>
>>
>>
>
> Jules
>
>
Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGrkvWEfZZRxQVtlQRAktRAKD4BcLNtZjfGtEUfLmddw+ucn2kOQCfVxSz
tjknqcYSuxAUzfu0YsMDyKs=
=/A7n
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Mon Jul 30 21:37:41 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Jul 30 21:38:26 2007
Subject: Potential use for custom SPAM action ?
In-Reply-To: <26544701.6961185827592662.JavaMail.root@office.splatnix.net>
References: <26544701.6961185827592662.JavaMail.root@office.splatnix.net>
Message-ID: <46AE4C15.8060006@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sure, that should work. DIY RBL :-)

UxBoD wrote:
> Have been thinking what I could use this for and have this idea. Using the idea from http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:rbls:all:your_own_onemore&s=rbl how about if a certain SA score is achieved then it would write into a MySQL table the IP, time, delta seconds since last seen and count. If count > n times then write into the RBL the IP.
>
> What do you think ?
> > Regards, > > --[ UxBoD ]-- > // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B > // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B > // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net > > > Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: UTF-8 wj8DBQFGrkwWEfZZRxQVtlQRAhfmAJwJYVFeDyfsvh4ouhlRsEOqj+9KhQCbBvSm fVqEgTkaLkOCUdZN5OHq8GA= =pFhX -----END PGP SIGNATURE----- From uxbod at splatnix.net Mon Jul 30 21:56:54 2007 From: uxbod at splatnix.net (UxBoD) Date: Mon Jul 30 21:53:02 2007 Subject: MailScanner/Spamassassin slow after version upgrade In-Reply-To: <46AE4BD5.7030903@ecs.soton.ac.uk> Message-ID: <25612254.6991185829014455.JavaMail.root@office.splatnix.net> If feeling adventurous then you could try running MailScanner in debug mode using strace. Then have a look through the output to see where the most time is being used. Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
From ka at pacific.net Mon Jul 30 21:53:46 2007 From: ka at pacific.net (Ken A) Date: Mon Jul 30 21:53:51 2007 Subject: Potential use for custom SPAM action ? In-Reply-To: <26544701.6961185827592662.JavaMail.root@office.splatnix.net> References: <26544701.6961185827592662.JavaMail.root@office.splatnix.net> Message-ID: <46AE4FDA.4070606@pacific.net> UxBoD wrote: > Have been thinking what I could use this for and have this idea. > Using the idea from http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:rbls:all:your_own_onemore&s=rbl how about if a certain SA score is achieved then it would write into a MySQL table the IP, time, delta seconds since last seen and count. If count > n times then write into the RBL the IP. > > What do you think ? > Simple is Good! But there are always those IPs that are shared and deliver lots of mail(at least there are here!), so be sure to build some whitelisting ability - by cidr blocks is best. Or, instead of output to an rbl, you could generate iptables (DROP) rules to cost the spammer a bit more. Might be nice to have an option for either rbldnsd or iptables formatted output. :-) Ken > Regards, > > --[ UxBoD ]-- > // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B > // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B > // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net > > -- Ken Anderson Pacific.Net From uxbod at splatnix.net Mon Jul 30 22:08:13 2007 From: uxbod at splatnix.net (UxBoD) Date: Mon Jul 30 22:04:18 2007 Subject: Potential use for custom SPAM action ? In-Reply-To: <46AE4FDA.4070606@pacific.net> Message-ID: <25375072.7021185829693378.JavaMail.root@office.splatnix.net> Hmmm, Very true Ken. As we have the sareport then perhaps check whether the IP address appears on other RBLs that the admin has defined. If it does, and it matches the MailScanner.conf setting "Spam Lists To Reach High Score" then commit the IP. 
Hopefully that would be safer. Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- From: "Ken A" To: "MailScanner discussion" Sent: Monday, July 30, 2007 9:53:46 PM (GMT) Europe/London Subject: Re: Potential use for custom SPAM action ? UxBoD wrote: > Have been thinking what I could use this for and have this idea. > Using the idea from http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:rbls:all:your_own_onemore&s=rbl how about if a certain SA score is achieved then it would write into a MySQL table the IP, time, delta seconds since last seen and count. If count > n times then write into the RBL the IP. > > What do you think ? > Simple is Good! But there are always those IPs that are shared and deliver lots of mail(at least there are here!), so be sure to build some whitelisting ability - by cidr blocks is best. Or, instead of output to an rbl, you could generate iptables (DROP) rules to cost the spammer a bit more. Might be nice to have an option for either rbldnsd or iptables formatted output. :-) Ken > Regards, > > --[ UxBoD ]-- > // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" > // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B > // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B > // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net > > -- Ken Anderson Pacific.Net
From dhawal at netmagicsolutions.com Mon Jul 30 22:08:04 2007 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Mon Jul 30 22:08:31 2007 Subject: {Spam?} Potential use for custom SPAM action ? In-Reply-To: <26544701.6961185827592662.JavaMail.root@office.splatnix.net> References: <26544701.6961185827592662.JavaMail.root@office.splatnix.net> Message-ID: <022401c7d2ed$b99facc0$2cdf0640$@com>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD
> Sent: Monday, July 30, 2007 1:33 PM
> To: MailScanner discussion
> Subject: {Spam?} Potential use for custom SPAM action ?
>
> Have been thinking what I could use this for and have this idea. Using
> the idea from
> http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:rbls:all:your_own_onemore&s=rbl
> how about if a certain SA score is achieved
> then it would write into a MySQL table the IP, time, delta seconds
> since last seen and count. If count > n times then write into the RBL
> the IP.

The data already exists in mysql (maybe not the count, been too long since I did this).. To achieve what you want, simply modify some values in your spam.sec

This line defines your required score for pattern matching.
pattern=Message (\S+) from (\S+) (\S+) to (\S+) is spam, SpamAssassin .*cached, score=(\S+), required 5

The "9" out here is your high scoring spam value
context= =( scalar($5) > 9 )

The time span in seconds in a shifting window.
window=60

The number of times a pattern matches in the above time span
thresh=3

Let me know if you need more answers (and make sure to whitelist as Ken mentioned)

- dhawal
From dave.list at pixelhammer.com Mon Jul 30 22:29:27 2007 From: dave.list at pixelhammer.com (DAve) Date: Mon Jul 30 22:31:25 2007 Subject: Potential use for custom SPAM action ?
In-Reply-To: <26544701.6961185827592662.JavaMail.root@office.splatnix.net> References: <26544701.6961185827592662.JavaMail.root@office.splatnix.net> Message-ID: <46AE5837.7040400@pixelhammer.com> UxBoD wrote: > Have been thinking what I could use this for and have this idea. Using the idea from http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:rbls:all:your_own_onemore&s=rbl how about if a certain SA score is achieved then it would write into a MySQL table the IP, time, delta seconds since last seen and count. If count > n times then write into the RBL the IP. > > What do you think ? > > Regards, > I am intrigued by the idea. My next big project, after our move to load balanced services is completed, is a private RBL. We want to feed it via MS+MailWatch. The idea is to blacklist an IP that sends spam over a defined threshold (activity level, score, etc), return a hard fail to the smtp connection with a URL to the evidence. A cron job runs through the MailWatch logs and populates a SQL db. The SQL db is queried and evidence messages pulled from quarantine and redacted. Sendmail does the blocking via a private RBL server. The IP comes from the maillogs. The threshold comes from the MS spam score. The evidence comes from MailWatch. I can see where the custom spam action could make this easier. I had been doing that manually for years; the largest our accessdbs got were several thousand IPs, many entire blocks. I eventually dropped them all just to see who came back. It was becoming too much work to maintain manually. We had no complaints from clients, most IPs were wanadoo, tiscali, comcast, etc. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
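The counter discussed in this thread, as an added example that is not code from any poster or from MailScanner: it uses the log pattern, score > 9, window=60 and thresh=3 from the SEC settings posted above, keeps the proposed IP / last seen / delta / count row in a dict instead of MySQL, applies a CIDR whitelist, and emits rbldnsd-style or iptables output. The epoch-prefixed log lines, the whitelist network, the listing text and all function names are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Log pattern and thresholds as posted in the thread's SEC settings.
SPAM_LINE = re.compile(
    r"Message (\S+) from (\S+) (\S+) to (\S+) is spam, "
    r"SpamAssassin .*cached, score=(\S+), required 5"
)
HIGH_SCORE = 9.0  # context= =( scalar($5) > 9 )
WINDOW = 60       # window=60, seconds in a shifting window
THRESH = 3        # thresh=3, matches needed inside the window

# Constructed whitelist of shared relays (documentation address space).
WHITELIST = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample: (epoch seconds, relay field, SpamAssassin score).
_SAMPLE = [
    (1185829000, "203.0.113.7", "14.2"),
    (1185829005, "198.51.100.25", "12.0"),
    (1185829010, "192.0.2.44", "10.1"),
    (1185829020, "203.0.113.7", "11.0"),
    (1185829025, "198.51.100.25", "15.3"),
    (1185829030, "192.0.2.44", "6.1"),     # spam, but not high scoring
    (1185829040, "198.51.100.25", "9.8"),
    (1185829045, "192.0.2.44", "13.7"),
    (1185829050, "203.0.113.7", "9.5"),
    (1185829055, "unknown", "20.0"),       # relay field is not an address
    (1185829200, "203.0.113.99", "16.0"),  # three hits, but 100 s apart
    (1185829300, "203.0.113.99", "18.0"),
    (1185829400, "203.0.113.99", "17.5"),
]
_LINE = ("%d Message id%02d from %s (x@example.net) to example.org is spam, "
         "SpamAssassin (not cached, score=%s, required 5)")
SAMPLE_LOG = "\n".join(_LINE % (t, n, ip, s) for n, (t, ip, s) in enumerate(_SAMPLE))


def parse_hits(log_text):
    """Return (timestamp, ip, score) for every line matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        stamp, _, rest = line.partition(" ")
        m = SPAM_LINE.search(rest)
        if not m or not stamp.isdigit():
            continue
        try:
            # Validate before use: this value ends up in firewall commands.
            ip = str(ipaddress.ip_address(m.group(2)))
            score = float(m.group(5))
        except ValueError:
            continue
        hits.append((int(stamp), ip, score))
    return hits


def is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def find_offenders(hits):
    """Return (IPs to list, per-IP table of last_seen / delta / count)."""
    recent = defaultdict(deque)  # ip -> high-score timestamps inside the window
    table, listed = {}, []
    for ts, ip, score in sorted(hits, key=lambda h: h[0]):
        if score <= HIGH_SCORE:
            continue
        prev = table.get(ip)
        table[ip] = {
            "last_seen": ts,
            "delta": ts - prev["last_seen"] if prev else None,
            "count": prev["count"] + 1 if prev else 1,
        }
        window = recent[ip]
        window.append(ts)
        while ts - window[0] >= WINDOW:  # expire hits outside the window
            window.popleft()
        if len(window) >= THRESH and ip not in listed and not is_whitelisted(ip):
            listed.append(ip)
    return listed, table


def to_rbldnsd(listed):
    """ip4set-style data: default value, whitelist exclusions, then entries."""
    lines = [":127.0.0.2:Listed by local high-score spam counter"]
    lines += ["!%s" % net for net in WHITELIST]
    return "\n".join(lines + listed)


def to_iptables(listed):
    """One DROP rule for SMTP per listed IPv4 address."""
    return ["iptables -A INPUT -s %s -p tcp --dport 25 -j DROP" % ip
            for ip in listed if ipaddress.ip_address(ip).version == 4]


if __name__ == "__main__":
    offenders, rows = find_offenders(parse_hits(SAMPLE_LOG))
    print(to_rbldnsd(offenders))
    print("\n".join(to_iptables(offenders)))
```

The whitelisted relay and the slow sender both reach a total count of 3 in the table, which is why listing is decided on the in-window count plus the whitelist rather than on the running total.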
From matt at coders.co.uk Mon Jul 30 22:40:47 2007 From: matt at coders.co.uk (Matt Hampton) Date: Mon Jul 30 22:38:28 2007 Subject: MS 4.62.8 beta and read receipts In-Reply-To: <03f23d93216f114581a85b97f0c1b9f5@solidstatelogic.com> References: <03f23d93216f114581a85b97f0c1b9f5@solidstatelogic.com> Message-ID: <46AE5ADF.8010207@coders.co.uk> Martin.Hepworth wrote: >>> I got a funny as well - the MS box returned a read receipt for some >> reason.. >> Hmmm >> >> I have just tested this on milter-null and I get the same........ >> >> Don't see how we can fix this without getting into the realms of the >> patent.... >> >> Any suggestions welcome Martin If you are able to generate a few more of these and you can send me the queue files for both the message and the read receipt I think I have just spotted something I can use. Anyway - off to bed..... matt From res at ausics.net Mon Jul 30 22:31:25 2007 From: res at ausics.net (Res) Date: Mon Jul 30 23:29:17 2007 Subject: query if mailscanner using clamscan In-Reply-To: <46AE2C82.6010606@ecs.soton.ac.uk> References: <2605.62.150.152.226.1185433910.squirrel@webmail.baladia.gov.kw> <46AB24AF.7060804@ecs.soton.ac.uk> <46AB330F.2080204@ecs.soton.ac.uk> <46AC7383.1010904@ecs.soton.ac.uk> <46ACA1F7.7060805@ecs.soton.ac.uk> <625385e30707301009y3b9ae26cm6297d170b34bcd2d@mail.gmail.com> <46AE2C82.6010606@ecs.soton.ac.uk> Message-ID: On Mon, 30 Jul 2007, Julian Field wrote: > shuttlebox wrote: >> On 7/29/07, Julian Field wrote: >> >>> The only thing I can think of is to ship with a copy of Eicar. >>> >> >> Please don't ship Eicar with MailScanner. That will make many of us >> not able to download MailScanner since http-scanning will detect a >> virus in it. >> > I have just had 2 people test this, as I didn't think it would be a > problem. And it's not. Please don't jump to conclusions until you have > some evidence to back it up :-) > Just a suggestion, how about making MailScanner available via ftp and/or rsync?
That way anyone who is/may/might_be affected by any policies or proxies or other interception techniques, will not have to worry. -- Cheers Res From itdept at fractalweb.com Tue Jul 31 00:32:57 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Tue Jul 31 00:33:43 2007 Subject: CRM114 In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020E5A@houpex02.nfsmith.info> References: <441247027D4F274EB760A5F6E1ED9C7E020E59@houpex02.nfsmith.info> <22273059.6721185821097215.JavaMail.root@office.splatnix.net> <441247027D4F274EB760A5F6E1ED9C7E020E5A@houpex02.nfsmith.info> Message-ID: <46AE7529.9030502@fractalweb.com> Slight problem with crm114 plugin. I get the following message when I do a "spamassassin --lint -D": [24625] dbg: plugin: loading Mail::SpamAssassin::Plugin::crm114 from @INC [24625] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::crm114: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::crm114" at (eval 131) line 1. Also, from what I can see so far, there are no changes to either of the .css files. Haven't seen any headers yet. I must be doing something wrong. From mike at vesol.com Tue Jul 31 01:20:42 2007 From: mike at vesol.com (Mike Kercher) Date: Tue Jul 31 01:21:58 2007 Subject: CRM114 In-Reply-To: <46AE7529.9030502@fractalweb.com> References: <441247027D4F274EB760A5F6E1ED9C7E020E59@houpex02.nfsmith.info> <22273059.6721185821097215.JavaMail.root@office.splatnix.net><441247027D4F274EB760A5F6E1ED9C7E020E5A@houpex02.nfsmith.info> <46AE7529.9030502@fractalweb.com> Message-ID: <6115482898C59848B35DB9D491C9A28E04BAA1@srv1.home.middlefinger.net> Go back a few steps in this thread. The solution is there. One thing was to follow UxBod's instructions instead of Julian's. If you follow Julian's AND UxBod's, you will see errors like this. 
Mike > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Chris Yuzik > Sent: Monday, July 30, 2007 6:33 PM > To: MailScanner discussion > Subject: Re: CRM114 > > Slight problem with crm114 plugin. I get the following > message when I do a "spamassassin --lint -D": > > [24625] dbg: plugin: loading > Mail::SpamAssassin::Plugin::crm114 from @INC [24625] warn: > plugin: failed to create instance of plugin > Mail::SpamAssassin::Plugin::crm114: Can't locate object > method "new" via package "Mail::SpamAssassin::Plugin::crm114" > at (eval 131) line 1. > > Also, from what I can see so far, there are no changes to > either of the .css files. Haven't seen any headers yet. I > must be doing something wrong. > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From itdept at fractalweb.com Tue Jul 31 01:25:43 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Tue Jul 31 01:26:30 2007 Subject: CRM114 In-Reply-To: <6115482898C59848B35DB9D491C9A28E04BAA1@srv1.home.middlefinger.net> References: <441247027D4F274EB760A5F6E1ED9C7E020E59@houpex02.nfsmith.info> <22273059.6721185821097215.JavaMail.root@office.splatnix.net><441247027D4F274EB760A5F6E1ED9C7E020E5A@houpex02.nfsmith.info> <46AE7529.9030502@fractalweb.com> <6115482898C59848B35DB9D491C9A28E04BAA1@srv1.home.middlefinger.net> Message-ID: <46AE8187.3090803@fractalweb.com> Mike Kercher wrote: > Go back a few steps in this thread. The solution is there. > > One thing was to follow UxBod's instructions instead of Julian's. If > you follow Julian's AND UxBod's, you will see errors like this. Mike, I suppose I followed both UxBod's and Julian's instructions. I'll go back and only follow UxBod's. 
Do I have to go all the way back and start drinking Champagne? ;-) Chris From mike at vesol.com Tue Jul 31 01:30:23 2007 From: mike at vesol.com (Mike Kercher) Date: Tue Jul 31 01:31:39 2007 Subject: CRM114 In-Reply-To: <46AE8187.3090803@fractalweb.com> References: <441247027D4F274EB760A5F6E1ED9C7E020E59@houpex02.nfsmith.info> <22273059.6721185821097215.JavaMail.root@office.splatnix.net><441247027D4F274EB760A5F6E1ED9C7E020E5A@houpex02.nfsmith.info> <46AE7529.9030502@fractalweb.com><6115482898C59848B35DB9D491C9A28E04BAA1@srv1.home.middlefinger.net> <46AE8187.3090803@fractalweb.com> Message-ID: <6115482898C59848B35DB9D491C9A28E04BAA2@srv1.home.middlefinger.net> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Chris Yuzik > Sent: Monday, July 30, 2007 7:26 PM > To: MailScanner discussion > Subject: Re: CRM114 > > Mike Kercher wrote: > > Go back a few steps in this thread. The solution is there. > > > > One thing was to follow UxBod's instructions instead of > Julian's. If > > you follow Julian's AND UxBod's, you will see errors like this. > > Mike, > > I suppose I followed both UxBod's and Julian's instructions. > I'll go back and only follow UxBod's. > > Do I have to go all the way back and start drinking Champagne? ;-) > > Chris It does help numb the pain! 
:) Mike From itdept at fractalweb.com Tue Jul 31 01:50:42 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Tue Jul 31 01:51:29 2007 Subject: CRM114 In-Reply-To: <6115482898C59848B35DB9D491C9A28E04BAA2@srv1.home.middlefinger.net> References: <441247027D4F274EB760A5F6E1ED9C7E020E59@houpex02.nfsmith.info> <22273059.6721185821097215.JavaMail.root@office.splatnix.net><441247027D4F274EB760A5F6E1ED9C7E020E5A@houpex02.nfsmith.info> <46AE7529.9030502@fractalweb.com><6115482898C59848B35DB9D491C9A28E04BAA1@srv1.home.middlefinger.net> <46AE8187.3090803@fractalweb.com> <6115482898C59848B35DB9D491C9A28E04BAA2@srv1.home.middlefinger.net> Message-ID: <46AE8762.400@fractalweb.com> Mike Kercher wrote: > It does help numb the pain! :) Mike, I need something to numb the pain; this has been one seriously painful install, and so far, still no joy. I've gone back and followed UxBod's instructions, but I must have missed something or perhaps done something extra that I wasn't supposed to do. 1. CRM114 seems to be installed okay: # crm -v This is CRM114, version 20070723-BlameTheInterns (TRE 0.7.5 (LGPL)) Copyright 2001-2006 William S. Yerazunis This software is licensed under the GPL with ABSOLUTELY NO WARRANTY 2. Am I supposed to be loading the plugin via an entry in v320.pre? Like so? loadplugin Mail::SpamAssassin::Plugin::crm114 If I do load the module, I get the error in spamassassin --lint as below. # spamassassin --lint [12894] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::crm114: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::crm114" at (eval 131) line 1. 3. 
FWIW, here's my crm114 dir contents: # pwd /etc/mail/spamassassin/crm114 # ls -lh total 25M -rw-r--r-- 1 root root 4.7K Jul 30 17:37 crm114.cf -rw-r--r-- 1 root root 18K Jul 30 17:29 mailfilter.cf -rw-r--r-- 1 root root 44K Jul 30 16:18 mailfilter.crm -rw-r--r-- 1 root root 15K Jul 30 16:19 maillib.crm -rw-r--r-- 1 root root 23K Jul 30 16:18 mailreaver.crm -rw-r--r-- 1 root root 37K Jul 30 16:18 mailtrainer.crm -rw-r--r-- 1 root root 13M Jul 30 15:57 nonspam.css -rw-r--r-- 1 root root 0 Jul 30 15:57 priolist.mfp -rw-r--r-- 1 root root 0 Jul 30 16:09 rewrites.mfp -rw-r--r-- 1 root root 13M Jul 30 15:57 spam.css Help! Cheers, Chris From mike at vesol.com Tue Jul 31 01:52:59 2007 From: mike at vesol.com (Mike Kercher) Date: Tue Jul 31 01:54:15 2007 Subject: CRM114 In-Reply-To: <46AE8762.400@fractalweb.com> References: <441247027D4F274EB760A5F6E1ED9C7E020E59@houpex02.nfsmith.info> <22273059.6721185821097215.JavaMail.root@office.splatnix.net><441247027D4F274EB760A5F6E1ED9C7E020E5A@houpex02.nfsmith.info> <46AE7529.9030502@fractalweb.com><6115482898C59848B35DB9D491C9A28E04BAA1@srv1.home.middlefinger.net> <46AE8187.3090803@fractalweb.com><6115482898C59848B35DB9D491C9A28E04BAA2@srv1.home.middlefinger.net> <46AE8762.400@fractalweb.com> Message-ID: <6115482898C59848B35DB9D491C9A28E04BAA3@srv1.home.middlefinger.net> 2. NO The crm114.cf loads the plugin. I put the crm114.cf in /etc/mail/spamassassin Mike > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Chris Yuzik > Sent: Monday, July 30, 2007 7:51 PM > To: MailScanner discussion > Subject: Re: CRM114 > > Mike Kercher wrote: > > It does help numb the pain! :) > > Mike, > > I need something to numb the pain; this has been one > seriously painful install, and so far, still no joy. I've > gone back and followed UxBod's instructions, but I must have > missed something or perhaps done something extra that I > wasn't supposed to do. 
> > 1. CRM114 seems to be installed okay: > # crm -v > This is CRM114, version 20070723-BlameTheInterns (TRE 0.7.5 (LGPL)) > Copyright 2001-2006 William S. Yerazunis > This software is licensed under the GPL with ABSOLUTELY NO WARRANTY > > 2. Am I supposed to be loading the plugin via an entry in > v320.pre? Like so? > loadplugin Mail::SpamAssassin::Plugin::crm114 > > If I do load the module, I get the error in spamassassin > --lint as below. > # spamassassin --lint > [12894] warn: plugin: failed to create instance of plugin > Mail::SpamAssassin::Plugin::crm114: Can't locate object > method "new" via package "Mail::SpamAssassin::Plugin::crm114" > at (eval 131) line 1. > > 3. FWIW, here's my crm114 dir contents: > > # pwd > /etc/mail/spamassassin/crm114 > > # ls -lh > total 25M > -rw-r--r-- 1 root root 4.7K Jul 30 17:37 crm114.cf > -rw-r--r-- 1 root root 18K Jul 30 17:29 mailfilter.cf > -rw-r--r-- 1 root root 44K Jul 30 16:18 mailfilter.crm > -rw-r--r-- 1 root root 15K Jul 30 16:19 maillib.crm > -rw-r--r-- 1 root root 23K Jul 30 16:18 mailreaver.crm > -rw-r--r-- 1 root root 37K Jul 30 16:18 mailtrainer.crm > -rw-r--r-- 1 root root 13M Jul 30 15:57 nonspam.css > -rw-r--r-- 1 root root 0 Jul 30 15:57 priolist.mfp > -rw-r--r-- 1 root root 0 Jul 30 16:09 rewrites.mfp > -rw-r--r-- 1 root root 13M Jul 30 15:57 spam.css > > Help! > > Cheers, > Chris > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> From itdept at fractalweb.com Tue Jul 31 02:23:10 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Tue Jul 31 02:23:59 2007 Subject: CRM114 In-Reply-To: <6115482898C59848B35DB9D491C9A28E04BAA3@srv1.home.middlefinger.net> References: <441247027D4F274EB760A5F6E1ED9C7E020E59@houpex02.nfsmith.info> <22273059.6721185821097215.JavaMail.root@office.splatnix.net><441247027D4F274EB760A5F6E1ED9C7E020E5A@houpex02.nfsmith.info> <46AE7529.9030502@fractalweb.com><6115482898C59848B35DB9D491C9A28E04BAA1@srv1.home.middlefinger.net> <46AE8187.3090803@fractalweb.com><6115482898C59848B35DB9D491C9A28E04BAA2@srv1.home.middlefinger.net> <46AE8762.400@fractalweb.com> <6115482898C59848B35DB9D491C9A28E04BAA3@srv1.home.middlefinger.net> Message-ID: <46AE8EFE.8010706@fractalweb.com> Mike Kercher wrote: > 2. NO > > The crm114.cf loads the plugin. I put the crm114.cf in > /etc/mail/spamassassin Mike, Thanks for your help. I've moved crm114.cf to /etc/mail/spamassassin, restarted MailScanner, did the spamassassin --lint (which now returns nothing, so that's progress). Although I am now seeing the "CRM114_CHECK" in the spam report, I'm not seeing any changes to spam.css and nonspam.css. Likely one more file to tweak? 
Chris From mike at vesol.com Tue Jul 31 02:30:00 2007 From: mike at vesol.com (Mike Kercher) Date: Tue Jul 31 02:31:17 2007 Subject: CRM114 In-Reply-To: <46AE8EFE.8010706@fractalweb.com> References: <441247027D4F274EB760A5F6E1ED9C7E020E59@houpex02.nfsmith.info> <22273059.6721185821097215.JavaMail.root@office.splatnix.net><441247027D4F274EB760A5F6E1ED9C7E020E5A@houpex02.nfsmith.info> <46AE7529.9030502@fractalweb.com><6115482898C59848B35DB9D491C9A28E04BAA1@srv1.home.middlefinger.net> <46AE8187.3090803@fractalweb.com><6115482898C59848B35DB9D491C9A28E04BAA2@srv1.home.middlefinger.net> <46AE8762.400@fractalweb.com><6115482898C59848B35DB9D491C9A28E04BAA3@srv1.home.middlefinger.net> <46AE8EFE.8010706@fractalweb.com> Message-ID: <6115482898C59848B35DB9D491C9A28E04BAA4@srv1.home.middlefinger.net> You need to modify crm114.cf: # should CRM114 be trained by SA-autolearn? # If enabled, then SA's autolearn also calls the CRM114 plugin. # # This is different from :automatic_training: in CRM114's mailfilter.cf # because SA's score is influenced by several different factors while # CRM114 has to rely on its own classification. # But anyway: Only activate this if you know what you're doing! # default: 0 crm114_autolearn 1 Mike > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Chris Yuzik > Sent: Monday, July 30, 2007 8:23 PM > To: MailScanner discussion > Subject: Re: CRM114 > > Mike Kercher wrote: > > 2. NO > > > > The crm114.cf loads the plugin. I put the crm114.cf in > > /etc/mail/spamassassin > > Mike, > > Thanks for your help. I've moved crm114.cf to > /etc/mail/spamassassin, restarted MailScanner, did the > spamassassin --lint (which now returns nothing, so that's progress). > > Although I am now seeing the "CRM114_CHECK" in the spam > report, I'm not seeing any changes to spam.css and > nonspam.css. Likely one more file to tweak? 
> > Chris > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From itdept at fractalweb.com Tue Jul 31 02:34:39 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Tue Jul 31 02:35:24 2007 Subject: CRM114 In-Reply-To: <6115482898C59848B35DB9D491C9A28E04BAA4@srv1.home.middlefinger.net> References: <441247027D4F274EB760A5F6E1ED9C7E020E59@houpex02.nfsmith.info> <22273059.6721185821097215.JavaMail.root@office.splatnix.net><441247027D4F274EB760A5F6E1ED9C7E020E5A@houpex02.nfsmith.info> <46AE7529.9030502@fractalweb.com><6115482898C59848B35DB9D491C9A28E04BAA1@srv1.home.middlefinger.net> <46AE8187.3090803@fractalweb.com><6115482898C59848B35DB9D491C9A28E04BAA2@srv1.home.middlefinger.net> <46AE8762.400@fractalweb.com><6115482898C59848B35DB9D491C9A28E04BAA3@srv1.home.middlefinger.net> <46AE8EFE.8010706@fractalweb.com> <6115482898C59848B35DB9D491C9A28E04BAA4@srv1.home.middlefinger.net> Message-ID: <46AE91AF.1090903@fractalweb.com> Mike Kercher wrote: > You need to modify crm114.cf: > > # should CRM114 be trained by SA-autolearn? > # If enabled, then SA's autolearn also calls the CRM114 plugin. > # > # This is different from :automatic_training: in CRM114's mailfilter.cf > # because SA's score is influenced by several different factors while # > CRM114 has to rely on its own classification. > # But anyway: Only activate this if you know what you're doing! 
> # default: 0 > crm114_autolearn 1 Mike, I think I have that already: # grep -v '^#' /etc/mail/spamassassin/crm114.cf loadplugin crm114 /usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/Plugin/crm114.pm full CRM114_CHECK eval:check_crm() priority CRM114_CHECK 899 crm114_command /usr/bin/crm -u /etc/mail/spamassassin/crm114/ mailreaver.crm add_header all CRM114-Status _CRM114STATUS_ ( _CRM114SCORE_ ) crm114_dynscore 1 crm114_learn 1 crm114_autolearn 1 Still no change to the timestamps of any of the .css files. Chris From mike at vesol.com Tue Jul 31 03:28:07 2007 From: mike at vesol.com (Mike Kercher) Date: Tue Jul 31 03:29:23 2007 Subject: CRM114 In-Reply-To: <46AE91AF.1090903@fractalweb.com> References: <441247027D4F274EB760A5F6E1ED9C7E020E59@houpex02.nfsmith.info> <22273059.6721185821097215.JavaMail.root@office.splatnix.net><441247027D4F274EB760A5F6E1ED9C7E020E5A@houpex02.nfsmith.info> <46AE7529.9030502@fractalweb.com><6115482898C59848B35DB9D491C9A28E04BAA1@srv1.home.middlefinger.net> <46AE8187.3090803@fractalweb.com><6115482898C59848B35DB9D491C9A28E04BAA2@srv1.home.middlefinger.net> <46AE8762.400@fractalweb.com><6115482898C59848B35DB9D491C9A28E04BAA3@srv1.home.middlefinger.net> <46AE8EFE.8010706@fractalweb.com><6115482898C59848B35DB9D491C9A28E04BAA4@srv1.home.middlefinger.net> <46AE91AF.1090903@fractalweb.com> Message-ID: <6115482898C59848B35DB9D491C9A28E04BAA5@srv1.home.middlefinger.net> I put the .pm in the same directory as the .cf /etc/mail/spamassassin > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Chris Yuzik > Sent: Monday, July 30, 2007 8:35 PM > To: MailScanner discussion > Subject: Re: CRM114 > > Mike Kercher wrote: > > You need to modify crm114.cf: > > > > # should CRM114 be trained by SA-autolearn? > > # If enabled, then SA's autolearn also calls the CRM114 plugin. 
> > # > > # This is different from :automatic_training: in CRM114's > > mailfilter.cf # because SA's score is influenced by several > different > > factors while # > > CRM114 has to rely on its own classification. > > # But anyway: Only activate this if you know what you're doing! > > # default: 0 > > crm114_autolearn 1 > > Mike, > > I think I have that already: > > # grep -v '^#' /etc/mail/spamassassin/crm114.cf loadplugin > crm114 > /usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/Plugin/crm114.pm > full CRM114_CHECK eval:check_crm() > priority CRM114_CHECK 899 > crm114_command /usr/bin/crm -u /etc/mail/spamassassin/crm114/ > mailreaver.crm add_header all CRM114-Status _CRM114STATUS_ ( > _CRM114SCORE_ ) crm114_dynscore 1 crm114_learn 1 crm114_autolearn 1 > > Still no change to the timestamps of any of the .css files. > > Chris > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From stork at openenterprise.ca Tue Jul 31 06:10:36 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 06:10:40 2007 Subject: CRM114 - Problems with install In-Reply-To: <8384902.6331185805139308.JavaMail.root@office.splatnix.net> References: <8384902.6331185805139308.JavaMail.root@office.splatnix.net> Message-ID: <46AEC44C.6000500@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... 
Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070730/c8e53554/stork.vcf From stork at openenterprise.ca Tue Jul 31 06:20:03 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 06:20:06 2007 Subject: {Disarmed} Re: CRM114 - Problems with install In-Reply-To: <46AEC44C.6000500@openenterprise.ca> References: <8384902.6331185805139308.JavaMail.root@office.splatnix.net> <46AEC44C.6000500@openenterprise.ca> Message-ID: <46AEC683.9050707@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070730/8cba3399/stork-0001.vcf From stork at openenterprise.ca Tue Jul 31 06:35:52 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 06:35:52 2007 Subject: CRM114 - Problems with install In-Reply-To: <46AEC683.9050707@openenterprise.ca> References: <8384902.6331185805139308.JavaMail.root@office.splatnix.net> <46AEC44C.6000500@openenterprise.ca> <46AEC683.9050707@openenterprise.ca> Message-ID: <46AECA38.2030004@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... 
Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070730/4f2e650a/stork.vcf From ms-list at alexb.ch Tue Jul 31 06:52:13 2007 From: ms-list at alexb.ch (Alex Broens) Date: Tue Jul 31 06:52:20 2007 Subject: CRM114 - Problems with install In-Reply-To: <46AECA38.2030004@openenterprise.ca> References: <8384902.6331185805139308.JavaMail.root@office.splatnix.net> <46AEC44C.6000500@openenterprise.ca> <46AEC683.9050707@openenterprise.ca> <46AECA38.2030004@openenterprise.ca> Message-ID: <46AECE0D.5040402@alexb.ch> On 7/31/2007 7:35 AM, Johnny Stork wrote: > I also seem to be missing some files? Chris Yuzik shows these files... > > > # ls -lh > total 25M > -rw-r--r-- 1 root root 4.7K Jul 30 17:37 crm114.cf > -rw-r--r-- 1 root root 18K Jul 30 17:29 mailfilter.cf > -rw-r--r-- 1 root root 44K Jul 30 16:18 mailfilter.crm > -rw-r--r-- 1 root root 15K Jul 30 16:19 maillib.crm > -rw-r--r-- 1 root root 23K Jul 30 16:18 mailreaver.crm > -rw-r--r-- 1 root root 37K Jul 30 16:18 mailtrainer.crm > -rw-r--r-- 1 root root 13M Jul 30 15:57 nonspam.css > -rw-r--r-- 1 root root 0 Jul 30 15:57 priolist.mfp > -rw-r--r-- 1 root root 0 Jul 30 16:09 rewrites.mfp > -rw-r--r-- 1 root root 13M Jul 30 15:57 spam.css > > I have these?? (my crm114.cf is in /etc/mail/spamassassin > > > ls -la /etc/mail/spamassassin/crm114 > total 24752 > drwxr-xr-x 2 root root 4096 Jul 30 22:25 . > drwxr-xr-x 6 root root 4096 Jul 30 21:42 .. 
> -rwxr-xr-x 1 root root 44537 Jul 30 22:25 mailfilter.crm > -rwxr-xr-x 1 root root 14511 Jul 30 22:25 maillib.crm > -rwxr-xr-x 1 root root 22740 Jul 30 22:25 mailreaver.crm > -rwxr-xr-x 1 root root 37621 Jul 30 22:25 mailtrainer.crm > -rw-r--r-- 1 root root 12582924 Jul 30 21:27 nonspam.css > -rw-r--r-- 1 root root 12582924 Jul 30 21:26 spam.css add those extra files if you still see: [24354] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::crm114: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::crm114" at (eval 78) line 1. see if the loadplugin command in crm114.cf is pointing to the right file/path does that help? Alex From stork at openenterprise.ca Tue Jul 31 07:02:43 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 07:02:47 2007 Subject: CRM114 - Problems with install In-Reply-To: <46AECE0D.5040402@alexb.ch> References: <8384902.6331185805139308.JavaMail.root@office.splatnix.net> <46AEC44C.6000500@openenterprise.ca> <46AEC683.9050707@openenterprise.ca> <46AECA38.2030004@openenterprise.ca> <46AECE0D.5040402@alexb.ch> Message-ID: <46AED083.8000607@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... 
Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070730/db54e165/stork.vcf From ms-list at alexb.ch Tue Jul 31 07:21:13 2007 From: ms-list at alexb.ch (Alex Broens) Date: Tue Jul 31 07:21:21 2007 Subject: CRM114 - Problems with install In-Reply-To: <46AED083.8000607@openenterprise.ca> References: <8384902.6331185805139308.JavaMail.root@office.splatnix.net> <46AEC44C.6000500@openenterprise.ca> <46AEC683.9050707@openenterprise.ca> <46AECA38.2030004@openenterprise.ca> <46AECE0D.5040402@alexb.ch> <46AED083.8000607@openenterprise.ca> Message-ID: <46AED4D9.6040303@alexb.ch> On 7/31/2007 8:02 AM, Johnny Stork wrote: > Where do I "add those extra files" from? Or do I just create them as > empty files? samples are in /usr/share/doc/crm114-0/mailfilter.cf depending on setup/OS they may be someplace different try: locate *.mfp locate mailfilter.cf etc (see below for your own list of missing files) > > The loadplugin directive in crm114.cf shows "loadplugin crm114 > crm114.pm" and crm114.pm is also in the same location as crm114.cf > (/etc/mail/spamassassin) then edit that line to show to the full path: loadplugin crm114 /etc/mail/spamassassin/crm114.pm > > Alex Broens wrote: >> On 7/31/2007 7:35 AM, Johnny Stork wrote: >>> I also seem to be missing some files? Chris Yuzik shows these files... 
>>> >>> >>> # ls -lh >>> total 25M >>> -rw-r--r-- 1 root root 4.7K Jul 30 17:37 crm114.cf >>> -rw-r--r-- 1 root root 18K Jul 30 17:29 mailfilter.cf >>> -rw-r--r-- 1 root root 44K Jul 30 16:18 mailfilter.crm >>> -rw-r--r-- 1 root root 15K Jul 30 16:19 maillib.crm >>> -rw-r--r-- 1 root root 23K Jul 30 16:18 mailreaver.crm >>> -rw-r--r-- 1 root root 37K Jul 30 16:18 mailtrainer.crm >>> -rw-r--r-- 1 root root 13M Jul 30 15:57 nonspam.css >>> -rw-r--r-- 1 root root 0 Jul 30 15:57 priolist.mfp >>> -rw-r--r-- 1 root root 0 Jul 30 16:09 rewrites.mfp >>> -rw-r--r-- 1 root root 13M Jul 30 15:57 spam.css >>> >>> I have these?? (my crm114.cf is in /etc/mail/spamassassin >>> >>> >>> ls -la /etc/mail/spamassassin/crm114 >>> total 24752 >>> drwxr-xr-x 2 root root 4096 Jul 30 22:25 . >>> drwxr-xr-x 6 root root 4096 Jul 30 21:42 .. >>> -rwxr-xr-x 1 root root 44537 Jul 30 22:25 mailfilter.crm >>> -rwxr-xr-x 1 root root 14511 Jul 30 22:25 maillib.crm >>> -rwxr-xr-x 1 root root 22740 Jul 30 22:25 mailreaver.crm >>> -rwxr-xr-x 1 root root 37621 Jul 30 22:25 mailtrainer.crm >>> -rw-r--r-- 1 root root 12582924 Jul 30 21:27 nonspam.css >>> -rw-r--r-- 1 root root 12582924 Jul 30 21:26 spam.css >> >> >> add those extra files >> >> if you still see: >> >> [24354] warn: plugin: failed to create instance of plugin >> Mail::SpamAssassin::Plugin::crm114: Can't locate object method "new" >> via package "Mail::SpamAssassin::Plugin::crm114" at (eval 78) line 1. >> >> >> see if the loadplugin command in crm114.cf is pointing to the right >> file/path >> >> does that help? 
>> >> Alex >> >> >> > From stork at openenterprise.ca Tue Jul 31 07:28:32 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 07:28:40 2007 Subject: CRM114 - Problems with install In-Reply-To: <46AED4D9.6040303@alexb.ch> References: <8384902.6331185805139308.JavaMail.root@office.splatnix.net> <46AEC44C.6000500@openenterprise.ca> <46AEC683.9050707@openenterprise.ca> <46AECA38.2030004@openenterprise.ca> <46AECE0D.5040402@alexb.ch> <46AED083.8000607@openenterprise.ca> <46AED4D9.6040303@alexb.ch> Message-ID: <46AED690.2090003@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070730/20956a42/stork.vcf From ms-list at alexb.ch Tue Jul 31 07:34:31 2007 From: ms-list at alexb.ch (Alex Broens) Date: Tue Jul 31 07:34:39 2007 Subject: CRM114 - Problems with install In-Reply-To: <46AED690.2090003@openenterprise.ca> References: <8384902.6331185805139308.JavaMail.root@office.splatnix.net> <46AEC44C.6000500@openenterprise.ca> <46AEC683.9050707@openenterprise.ca> <46AECA38.2030004@openenterprise.ca> <46AECE0D.5040402@alexb.ch> <46AED083.8000607@openenterprise.ca> <46AED4D9.6040303@alexb.ch> <46AED690.2090003@openenterprise.ca> Message-ID: <46AED7F7.70605@alexb.ch> On 7/31/2007 8:28 AM, Johnny Stork wrote: > I did finally locate the /usr/share/doc/crm114-0/mailfilter.cf and I > just used the priolist example with cp > /usr/share/doc/crm114-0/priolist.mfp.example > /etc/mail/spamassassin/crm114/priolist.mfp > > But I dont seem to have rewrites.mfp? on my test box: [axb@ms1 crm114]# locate rewrites.* /usr/src/redhat/BUILD/crm114-20070301-BlameBaltar.no-TRE.src/rewrites.mfp > > > Alex Broens wrote: >> On 7/31/2007 8:02 AM, Johnny Stork wrote: >>> Where do I "add those extra files" from? Or do I just create them as >>> empty files? 
>> >> samples are in >> /usr/share/doc/crm114-0/mailfilter.cf >> >> depending on setup/OS they may be someplace different >> >> try: >> >> locate *.mfp >> locate mailfilter.cf >> etc >> >> (see below for your own list of missing files) >> >>> >>> The loadplugin directive in crm114.cf shows "loadplugin crm114 >>> crm114.pm" and crm114.pm is also in the same location as crm114.cf >>> (/etc/mail/spamassassin) >> >> then edit that line to show to the full path: >> >> loadplugin crm114 /etc/mail/spamassassin/crm114.pm >> >> >> >>> >>> Alex Broens wrote: >>>> On 7/31/2007 7:35 AM, Johnny Stork wrote: >>>>> I also seem to be missing some files? Chris Yuzik shows these files... >>>>> >>>>> >>>>> # ls -lh >>>>> total 25M >>>>> -rw-r--r-- 1 root root 4.7K Jul 30 17:37 crm114.cf >>>>> -rw-r--r-- 1 root root 18K Jul 30 17:29 mailfilter.cf >>>>> -rw-r--r-- 1 root root 44K Jul 30 16:18 mailfilter.crm >>>>> -rw-r--r-- 1 root root 15K Jul 30 16:19 maillib.crm >>>>> -rw-r--r-- 1 root root 23K Jul 30 16:18 mailreaver.crm >>>>> -rw-r--r-- 1 root root 37K Jul 30 16:18 mailtrainer.crm >>>>> -rw-r--r-- 1 root root 13M Jul 30 15:57 nonspam.css >>>>> -rw-r--r-- 1 root root 0 Jul 30 15:57 priolist.mfp >>>>> -rw-r--r-- 1 root root 0 Jul 30 16:09 rewrites.mfp >>>>> -rw-r--r-- 1 root root 13M Jul 30 15:57 spam.css >>>>> >>>>> I have these?? (my crm114.cf is in /etc/mail/spamassassin >>>>> >>>>> >>>>> ls -la /etc/mail/spamassassin/crm114 >>>>> total 24752 >>>>> drwxr-xr-x 2 root root 4096 Jul 30 22:25 . >>>>> drwxr-xr-x 6 root root 4096 Jul 30 21:42 .. 
>>>>> -rwxr-xr-x 1 root root 44537 Jul 30 22:25 mailfilter.crm >>>>> -rwxr-xr-x 1 root root 14511 Jul 30 22:25 maillib.crm >>>>> -rwxr-xr-x 1 root root 22740 Jul 30 22:25 mailreaver.crm >>>>> -rwxr-xr-x 1 root root 37621 Jul 30 22:25 mailtrainer.crm >>>>> -rw-r--r-- 1 root root 12582924 Jul 30 21:27 nonspam.css >>>>> -rw-r--r-- 1 root root 12582924 Jul 30 21:26 spam.css >>>> >>>> >>>> add those extra files >>>> >>>> if you still see: >>>> >>>> [24354] warn: plugin: failed to create instance of plugin >>>> Mail::SpamAssassin::Plugin::crm114: Can't locate object method "new" >>>> via package "Mail::SpamAssassin::Plugin::crm114" at (eval 78) line 1. >>>> >>>> >>>> see if the loadplugin command in crm114.cf is pointing to the right >>>> file/path >>>> >>>> does that help? >>>> >>>> Alex >>>> >>>> >>>> >>> >> >> > From stork at openenterprise.ca Tue Jul 31 07:48:16 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 07:48:28 2007 Subject: CRM114 - Problems with install In-Reply-To: <46AED7F7.70605@alexb.ch> References: <8384902.6331185805139308.JavaMail.root@office.splatnix.net> <46AEC44C.6000500@openenterprise.ca> <46AEC683.9050707@openenterprise.ca> <46AECA38.2030004@openenterprise.ca> <46AECE0D.5040402@alexb.ch> <46AED083.8000607@openenterprise.ca> <46AED4D9.6040303@alexb.ch> <46AED690.2090003@openenterprise.ca> <46AED7F7.70605@alexb.ch> Message-ID: <46AEDB30.7040406@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... 
Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070730/c28a4237/stork-0001.vcf From stork at openenterprise.ca Tue Jul 31 08:04:53 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 08:05:07 2007 Subject: CRM114 - Problems with install In-Reply-To: <46AEDB30.7040406@openenterprise.ca> References: <8384902.6331185805139308.JavaMail.root@office.splatnix.net> <46AEC44C.6000500@openenterprise.ca> <46AEC683.9050707@openenterprise.ca> <46AECA38.2030004@openenterprise.ca> <46AECE0D.5040402@alexb.ch> <46AED083.8000607@openenterprise.ca> <46AED4D9.6040303@alexb.ch> <46AED690.2090003@openenterprise.ca> <46AED7F7.70605@alexb.ch> <46AEDB30.7040406@openenterprise.ca> Message-ID: <46AEDF15.4060202@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/d6664413/stork.vcf From brent.addis at pronet.co.nz Tue Jul 31 08:32:42 2007 From: brent.addis at pronet.co.nz (Brent Addis) Date: Tue Jul 31 08:33:17 2007 Subject: image content scanning Message-ID: <7EF1F27F7292534D82933F70AB6996CC25CE23@pro-ak-exch01.hosted.pronet.net.nz> ? Hi, Has anyone found anything useful for looking at porn images in email, not just from a spam perspective, but from a general content perspective. Something that checks skin tone for example. I am not really concerned how many cpu cycles that this sort of thing consumes. Is there a plugin for spamassassin or mailscanner that isn't widely known about that will do this? Thanks, Brent -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/285298a9/attachment.html

From martinh at solidstatelogic.com Tue Jul 31 08:39:44 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Jul 31 08:39:48 2007
Subject: MS 4.62.8 beta and read receipts
In-Reply-To: <46AE5ADF.8010207@coders.co.uk>
Message-ID:

Matt

I can, I run Exim if that's not a problem....let me know

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Matt Hampton
> Sent: 30 July 2007 22:41
> To: MailScanner discussion
> Subject: Re: MS 4.62.8 beta and read receipts
>
> Martin.Hepworth wrote:
>
> >>> I got a funny as well - the MS box returned a read receipt for some
> >> reason..
> >> Hmmm
> >>
> >> I have just tested this on milter-null and I get the same........
> >>
> >> Don't see how we can fix this without getting into the realms of the
> >> patent....
> >>
> >> Any suggestions welcome
>
> Martin
>
> If you are able to generate a few more of these and you can send me the
> queue files for both the message and the read receipt I think I have just
> spotted something I can use.
>
> Anyway - off to bed.....
>
> matt
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

**********************************************************************

Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us.

Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales (Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom

**********************************************************************

From alvaro at hostalia.com Tue Jul 31 08:46:39 2007
From: alvaro at hostalia.com (=?UTF-8?B?QWx2YXJvIE1hcsOtbg==?=)
Date: Tue Jul 31 08:46:52 2007
Subject: Potential use for custom SPAM action ?
In-Reply-To: <46AE5837.7040400@pixelhammer.com>
References: <26544701.6961185827592662.JavaMail.root@office.splatnix.net> <46AE5837.7040400@pixelhammer.com>
Message-ID: <46AEE8DF.1070201@hostalia.com>

Hello,

I've a CustomFunction that checks if $message->{ishigh} is "1" and saves the IP of that spam message in an archive with a timestamp. Then, in a cronjob, I check those archives and the IP that appears X times in X time, is added to a blacklist.
Easy :)

Regards,
--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From matt at coders.co.uk Tue Jul 31 08:49:49 2007
From: matt at coders.co.uk (Matt Hampton)
Date: Tue Jul 31 08:48:23 2007
Subject: CRM114 - Problems with install
In-Reply-To: <46AEDF15.4060202@openenterprise.ca>
References: <8384902.6331185805139308.JavaMail.root@office.splatnix.net> <46AEC44C.6000500@openenterprise.ca> <46AEC683.9050707@openenterprise.ca> <46AECA38.2030004@openenterprise.ca> <46AECE0D.5040402@alexb.ch> <46AED083.8000607@openenterprise.ca> <46AED4D9.6040303@alexb.ch> <46AED690.2090003@openenterprise.ca> <46AED7F7.70605@alexb.ch> <46AEDB30.7040406@openenterprise.ca> <46AEDF15.4060202@openenterprise.ca>
Message-ID: <46AEE99D.9050205@coders.co.uk>

Johnny Stork wrote:
> Wow, even worse now. This must be the most messed up and confusing
> install ever with inaccurate docs, files that don't exist etc. The how-to
> indicates
> I will just have to wait for complete and accurate instructions from somewhere.

Below is my take on it (CENTOS4.4)

UxBoD - any joy with the Wiki yet or shall I cut and paste this in?
matt

1) Install CRM software

   Use the rpms from
   ftp://fr.rpmfind.net/linux/fedora/extras/development/SRPMS/crm114-0-0.4.20070301.fc7.src.rpm
   ftp://fr.rpmfind.net/linux/fedora/extras/development/SRPMS/tre-0.7.5-1.fc7.src.rpm

   rpmbuild --rebuild crm114-0-0.4.20070301.fc7.src.rpm
   rpmbuild --rebuild tre-0.7.5-1.fc7.src.rpm

   rpm -ivh /usr/src/redhat/RPMS/i386/tre-0.7.5-1.i386.rpm \
       /usr/src/redhat/RPMS/i386/tre-devel-0.7.5-1.i386.rpm \
       /usr/src/redhat/RPMS/i386/crm114-0-0.4.20070301.i386.rpm

2) Create /etc/mail/spamassassin/crm114 (now referred to as $PREFIX)

3) cd $PREFIX

4) cssutil -b -r spam.css

5) cssutil -b -r nonspam.css

   touch blacklist.mfp whitelist.mfp

   copy all .crm from source examples to $PREFIX (haven't worked out which one is necessary)

6) Modified mailfilter.cf with local settings

   Change
   :spw: /DEFAULT-PASSWORD/
   to
   :spw: /SOMETHING-SECRET/

7) Same permissions on directory and files to same user that MailScanner runs as

8) Installed crm114.pm and crm114.cf

9) Modified crm114.cf to local settings

   loadplugin crm114 /etc/mail/spamassassin/crm114.pm
   crm114_learn 1
   crm114_autolearn 1
   crm114_dynscore_factor -0.01     < to begin with whilst testing
   crm114_command /usr/bin/crm -u $PREFIX mailreaver.crm

10) spamassassin -D --lint > /tmp/crm.test 2>&1 (as user in point 7) and check that all is okay

11) Restart MailScanner

12) After a few minutes check documents are being loaded ie.

   cssutil -b -r /etc/mail/spamassassin/crm114/spam.css

   with something like :-

From matt at coders.co.uk Tue Jul 31 08:51:11 2007
From: matt at coders.co.uk (Matt Hampton)
Date: Tue Jul 31 08:48:35 2007
Subject: MS 4.62.8 beta and read receipts
In-Reply-To:
References:
Message-ID: <46AEE9EF.9080206@coders.co.uk>

Martin.Hepworth wrote:
> Matt
>
> I can, I run Exim if that's not a problem....let me know
>

The more the merrier!
matt

From uxbod at splatnix.net Tue Jul 31 08:56:33 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 31 08:52:22 2007
Subject: CRM114 - Problems with install
In-Reply-To: <46AEDF15.4060202@openenterprise.ca>
Message-ID: <2312568.7081185868593139.JavaMail.root@office.splatnix.net>

Johnny,

Sorry you are having so many problems :(

Just download the binary from here http://rpmfind.net/linux/rpm2html/search.php?query=crm114&submit=Search+...&system=&arch=i386

Once installed follow my previous instructions. For simplicity put the .pm and .cf in your site rules directory ie. /etc/mail/spamassassin

Create the crm114 under /etc/mail/spamassassin. Create the .css files. Modify mailfilter.cf. Modify crm114.cf to local settings, and switch on autolearn in this file, otherwise you will need a mechanism for the messages to be learnt.

Don't give up hope.

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From uxbod at splatnix.net Tue Jul 31 09:05:14 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 31 09:01:07 2007
Subject: Potential use for custom SPAM action ?
In-Reply-To: <46AEE8DF.1070201@hostalia.com>
Message-ID: <1394419.7111185869114192.JavaMail.root@office.splatnix.net>

Some good ideas coming out, and I do like DAve's idea about the URL for checking. MailWatch DB has all the details, but was thinking about storing the message ID as well in the RBL DB. That would make it easier to then cross reference against the MailWatch DB, both from an end-user and admin perspective.

Also, When deciding which IPs should be entered into the RBL set a watermark, and work out the average score from 'n' messages and compare that.
Rationale for that is the potential for a FP which could skew the figures. At least taking an average would flatten the score out a little.

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Alvaro Marín"
To: "MailScanner discussion"
Sent: Tuesday, July 31, 2007 8:46:39 AM (GMT) Europe/London
Subject: Re: Potential use for custom SPAM action ?

Hello,

I've a CustomFunction that checks if $message->{ishigh} is "1" and saves the IP of that spam message in an archive with a timestamp. Then, in a cronjob, I check those archives and the IP that appears X times in X time, is added to a blacklist.

Easy :)

Regards,
--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From martinh at solidstatelogic.com Tue Jul 31 09:04:42 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Jul 31 09:04:47 2007
Subject: MS 4.62.8 beta and read receipts
In-Reply-To: <46AEE9EF.9080206@coders.co.uk>
Message-ID:

Matt

I sent you a pastebin link off list of this..

For the mean time I've disabled watermarking..
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Matt Hampton
> Sent: 31 July 2007 08:51
> To: MailScanner discussion
> Subject: Re: MS 4.62.8 beta and read receipts
>
> Martin.Hepworth wrote:
> > Matt
> >
> > I can, I run Exim if that's not a problem....let me know
> >
> The more the merrier!
>
> matt
From uxbod at splatnix.net Tue Jul 31 09:13:59 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 31 09:09:51 2007
Subject: CRM114 - Problems with install
In-Reply-To: <46AEE99D.9050205@coders.co.uk>
Message-ID: <6712818.7171185869639368.JavaMail.root@office.splatnix.net>

Hi Matt,

Please feel free :) Only just got into the office anyway. I will update with the Gentoo instructions. The necessary .crm's are :-

mailfilter.crm maillib.crm mailreaver.crm mailtrainer.crm

also, rewrites.mfp can be a blank file. It will not learn as good, but will reduce the CPU overhead.

If the .pm is in the same directory as the .cf then you do not need to change the load_plugin line as it takes the path as relative.

Also check that the MIME decoder :-

:mime_decoder: /base64 -d/

and :cache_dupe_command: /\/bin\/ln/

have been set correctly in mailfilter.cf

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Matt Hampton"
To: "MailScanner discussion"
Sent: Tuesday, July 31, 2007 8:49:49 AM (GMT) Europe/London
Subject: Re: CRM114 - Problems with install

Johnny Stork wrote:
> Wow, even worse now. This must be the most messed up and confusing
> install ever with innacurate docs, files that dont exist etc. The how-to
> indicates
> I will just have to wait for complete and accurate instructions from somewhere.

Below is my take on it (CENTOS4.4)

UxBoD - any joy with the Wiki yet or shall I cut and paste this in?
matt

1) Install CRM software

   Use the rpms from
   ftp://fr.rpmfind.net/linux/fedora/extras/development/SRPMS/crm114-0-0.4.20070301.fc7.src.rpm
   ftp://fr.rpmfind.net/linux/fedora/extras/development/SRPMS/tre-0.7.5-1.fc7.src.rpm

   rpmbuild --rebuild crm114-0-0.4.20070301.fc7.src.rpm
   rpmbuild --rebuild tre-0.7.5-1.fc7.src.rpm

   rpm -ivh /usr/src/redhat/RPMS/i386/tre-0.7.5-1.i386.rpm \
       /usr/src/redhat/RPMS/i386/tre-devel-0.7.5-1.i386.rpm \
       /usr/src/redhat/RPMS/i386/crm114-0-0.4.20070301.i386.rpm

2) Create /etc/mail/spamassassin/crm114 (now referred to as $PREFIX)

3) cd $PREFIX

4) cssutil -b -r spam.css

5) cssutil -b -r nonspam.css

   touch blacklist.mfp whitelist.mfp

   copy all .crm from source examples to $PREFIX (haven't worked out which one is necessary)

6) Modified mailfilter.cf with local settings

   Change
   :spw: /DEFAULT-PASSWORD/
   to
   :spw: /SOMETHING-SECRET/

7) Same permissions on directory and files to same user that MailScanner runs as

8) Installed crm114.pm and crm114.cf

9) Modified crm114.cf to local settings

   loadplugin crm114 /etc/mail/spamassassin/crm114.pm
   crm114_learn 1
   crm114_autolearn 1
   crm114_dynscore_factor -0.01     < to begin with whilst testing
   crm114_command /usr/bin/crm -u $PREFIX mailreaver.crm

10) spamassassin -D --lint > /tmp/crm.test 2>&1 (as user in point 7) and check that all is okay

11) Restart MailScanner

12) After a few minutes check documents are being loaded ie.

   cssutil -b -r /etc/mail/spamassassin/crm114/spam.css

   with something like :-
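Added example, not part of any poster's message: a shell check of the CRM114 data directory against the install steps and file list quoted above (the required .crm and .css files, the ownership from step 7, the :spw: default from step 6, and the two mailfilter.cf settings UxBoD names). The function names, their arguments and the sample directory are assumptions made for illustration; the ":key: /value/" line format is taken from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example: audit a CRM114 data directory against the steps in the thread.
# Function names are hypothetical; file names and keys are the thread's own.

# Print the value of a ":key: /value/" line in mailfilter.cf (format as quoted
# in the thread), or nothing if the key is absent.
mf_value() {  # usage: mf_value FILE KEY
    sed -n "s|^[[:space:]]*:$2:[[:space:]]*/\(.*\)/[[:space:]]*\$|\1|p" "$1" | head -n 1
}

# Numeric owner of a path, read from POSIX "ls -n" output.
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# usage: check_crm114_install DIR [USER_OR_UID]
# Prints one finding per line; the exit status is the number of findings.
check_crm114_install() {
    dir=$1
    want=${2:-}
    findings=0
    case $want in
        '') ;;                                   # no owner given: skip that check
        *[!0-9]*) want=$(id -u "$want") || return 255 ;;
    esac
    report() { echo "$1"; findings=$((findings + 1)); }

    # Files the thread lists as required; these must exist and be non-empty.
    for f in mailfilter.crm maillib.crm mailreaver.crm mailtrainer.crm \
             spam.css nonspam.css mailfilter.cf; do
        [ -s "$dir/$f" ] || report "MISSING_OR_EMPTY $f"
    done
    # rewrites.mfp "can be a blank file", so only its existence is tested.
    [ -e "$dir/rewrites.mfp" ] || report "MISSING rewrites.mfp"

    # Step 7: directory and files belong to the user MailScanner runs as.
    if [ -n "$want" ]; then
        for p in "$dir" "$dir"/*; do
            [ -e "$p" ] || continue
            [ "$(owner_uid "$p")" = "$want" ] || report "WRONG_OWNER $p"
        done
    fi

    # Step 6 and UxBoD's follow-up: settings inside mailfilter.cf.
    cf=$dir/mailfilter.cf
    if [ -f "$cf" ]; then
        spw=$(mf_value "$cf" spw)
        [ -n "$spw" ] || report "UNSET spw"
        [ "$spw" != "DEFAULT-PASSWORD" ] || report "DEFAULT_PASSWORD spw"
        for key in mime_decoder cache_dupe_command; do
            [ -n "$(mf_value "$cf" "$key")" ] || report "UNSET $key"
        done
    fi
    return "$findings"
}

# Constructed sample: a directory laid out as in the thread, with the shipped
# default password still in place, for trying the check without a real install.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    for f in mailfilter.crm maillib.crm mailreaver.crm mailtrainer.crm \
             spam.css nonspam.css; do
        echo placeholder > "$d/$f"
    done
    : > "$d/rewrites.mfp"
    cat > "$d/mailfilter.cf" <<'EOF'
:spw: /DEFAULT-PASSWORD/
:mime_decoder: /base64 -d/
:cache_dupe_command: /\/bin\/ln/
EOF
    echo "$d"
}

# Run against a real directory when arguments are given, e.g.
#   sh check.sh /etc/mail/spamassassin/crm114 USER
[ $# -eq 0 ] || check_crm114_install "$@"
```

Run it as root or as the MailScanner user before step 10, so a missing file or the unchanged :spw: value shows up before spamassassin --lint does.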
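Added example, not code from the list: one way to write the cron-side check from the "Potential use for custom SPAM action ?" thread earlier in this archive, combining Alvaro Marín's count of high-scoring hits per IP inside a time window with UxBoD's average-score watermark. The log format (epoch, IPv4 address, score and ishigh flag on each line), the function names and the sample data are assumptions; the CustomFunction that would write such a log is not shown.

```shell
#!/bin/sh
# Added example: pick blacklist candidates from a per-message log.
# Assumed log line format (hypothetical): "<epoch> <ipv4> <score> <ishigh>"

# usage: blacklist_candidates LOG NOW WINDOW MIN_HITS WATERMARK
# Prints "<ip> <high hits> <average score>" for every IP that, within the last
# WINDOW seconds before NOW, had at least MIN_HITS high-scoring messages AND
# whose average score over all its messages in the window is >= WATERMARK.
blacklist_candidates() {
    awk -v now="$2" -v win="$3" -v min="$4" -v mark="$5" '
        # Skip comments and malformed lines instead of feeding them onward.
        NF != 4 || $1 ~ /^#/ { next }
        $2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        # Keep only entries inside the time window.
        $1 + 0 < now - win || $1 + 0 > now { next }
        {
            seen[$2]++              # every scanned message from this IP
            total[$2] += $3         # sum of scores, for the average
            if ($4 == 1) high[$2]++ # messages MailScanner flagged as high
        }
        END {
            for (ip in seen)
                if (high[ip] >= min && total[ip] / seen[ip] >= mark)
                    printf "%s %d %.2f\n", ip, high[ip], total[ip] / seen[ip]
        }
    ' "$1" | sort
}

# Constructed sample log (documentation address ranges, made-up scores):
#  192.0.2.10    sends only high-scoring spam
#  198.51.100.7  mostly clean mail plus two high hits (the false-positive case)
#  203.0.113.5   one old hit outside a one-hour window, one recent hit
sample_log() {
    cat <<'EOF'
# epoch ip score ishigh
7000 192.0.2.10 22.5 1
9000 192.0.2.10 25.0 1
7000 198.51.100.7 12.0 1
7200 198.51.100.7 1.0 0
7400 198.51.100.7 1.0 0
7600 198.51.100.7 12.0 1
7800 198.51.100.7 1.0 0
8000 198.51.100.7 1.0 0
1000 203.0.113.5 30.0 1
9500 203.0.113.5 30.0 1
9600 garbage 99.0 1
EOF
}

# Run against a real log when arguments are given, e.g.
#   sh candidates.sh /path/to/log "$(date +%s)" 3600 2 10
[ $# -eq 0 ] || blacklist_candidates "$@"
```

With a watermark of 10 the mixed sender 198.51.100.7 stays off the list even though it has two high hits, which is the skew UxBoD's averaging is meant to absorb.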
From ms-list at alexb.ch Tue Jul 31 09:16:25 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Jul 31 09:16:32 2007
Subject: CRM114 - Problems with install
In-Reply-To: <6712818.7171185869639368.JavaMail.root@office.splatnix.net>
References: <6712818.7171185869639368.JavaMail.root@office.splatnix.net>
Message-ID: <46AEEFD9.3040501@alexb.ch>

On 7/31/2007 10:13 AM, UxBoD wrote:
> Hi Matt,
>
> Please feel free :) Only just got into the office anyway. I will update with the Gentoo instructions. The necessary .crm's are :-
>
> mailfilter.crm maillib.crm mailreaver.crm mailtrainer.crm
>
> also, rewrites.mfp can be a blank file. It will not learn as good, but will reduce the CPU overhead.
>
> If the .pm is in the same directory as the .cf then you do not need to change the load_plugin line as it takes the path as relative.
>
> Also check that the MIME decoder :-
>
> :mime_decoder: /base64 -d/
>
> and :cache_dupe_command: /\/bin\/ln/
>
> have been set correctly in mailfilter.cf

Suggestion: unless you want to fill up your drive:

/etc/mail/spamassassin/crm114/mailfilter.cf

change:
:log_to_allmail.txt: /yes/
to
:log_to_allmail.txt: /no/

Alex

From prandal at herefordshire.gov.uk Tue Jul 31 10:19:14 2007
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Jul 31 10:19:45 2007
Subject: Watermarking quirks still in 4.62.8
In-Reply-To:
References: <7EF0EE5CB3B263488C8C18823239BEBA013584B1@HC-MBX02.herefordshire.gov.uk>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA01358598@HC-MBX02.herefordshire.gov.uk>

Hang on,

A legitimate email is accidentally sent to the wrong email address because of a simple typo. It should be bounced back.

Spam we deal with in other ways.
Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Scott Silva > Sent: 30 July 2007 17:32 > To: mailscanner@lists.mailscanner.info > Subject: Re: Watermarking quirks still in 4.62.8 > > Randal, Phil spake the following on 7/30/2007 5:28 AM: > > A couple of issues with watermarking: > > > > 1: Read receipts are getting blocked ("spam(no null-header or sender > > address)") > > > > 2: If I send an email from outside to a non-existent email > address here, > > the bounce message from our Exchange server gets blocked. > I've worked > > around this using a ruleset, but shouldn't MailScanner be letting > > through bounces originating from the internal network (or RFC1918 > > addresses) anyhow? > > > You really need to have the first point of contact in your > network do the > checks for non-existing users. Otherwise you risk Joe Jobbing > the rest of the > world. It is much better to drop the connection with an error > than to bounce > something back to a possibly forged address. > > -- > > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From prandal at herefordshire.gov.uk Tue Jul 31 10:21:54 2007 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Tue Jul 31 10:22:05 2007 Subject: MailScanner/Spamassassin slow after version upgrade In-Reply-To: References: Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA01358599@HC-MBX02.herefordshire.gov.uk> You left out a few key facts. What did you upgrade from? (MailScanner and SA versions). And most importantly, which OS and Perl versions? 
Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of donald.dawson@bakerbotts.com Sent: 30 July 2007 18:44 To: mailscanner@lists.mailscanner.info Subject: MailScanner/Spamassassin slow after version upgrade The time it takes to process an email has doubled since Friday (7/26/07) when I upgraded to MS 4.62.6 and SA 3.2.2. It was around 3.5 seconds, and now it is averaging 7 seconds. We use DCC and razor2 - no pyzor. Jul 30 12:36:35 houmx05 MailScanner[21682]: Batch (30 messages) processed in 187.50 seconds Jul 30 12:37:06 houmx05 MailScanner[21662]: Batch (16 messages) processed in 105.59 seconds Jul 30 12:37:24 houmx05 MailScanner[21727]: Batch (30 messages) processed in 196.20 seconds Jul 30 12:37:28 houmx05 MailScanner[21776]: Batch (30 messages) processed in 211.89 seconds Jul 30 12:37:38 houmx05 MailScanner[21793]: Batch (30 messages) processed in 223.64 seconds sar -u shows idle CPU time: 12:00:01 AM CPU %user %nice %system %iowait %idle Average: all 10.49 0.00 4.99 1.00 83.51 # uptime is normal 12:38:30 up 5 days, 25 min, 1 user, load average: 0.81, 0.79, 0.83 I have implemented sa-compile using re2c expecting to get a performance boost. 'MailScanner --lint' doesn't show any errors, except noting that we have clamav processing turned off (output attached). <> I have included output from spamassassin's lint command. 
/etc/mail/spamassassin contents: bakerbotts.cf - custom local rule file Botnet.cf Botnet.pm init.pre init.pre.pre-v310 KAM.cf local.cf mailscanner.cf pdfinfo.cf sare-sa-update-channels.txt sa-update-keys v310.pre v312.pre v320.pre contents of sare-sa-update-channels.txt used by update_spamassassin: updates.spamassassin.org 70_sare_adult.cf.sare.sa-update.dostech.net 70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net 70_sare_evilnum0.cf.sare.sa-update.dostech.net 70_sare_genlsubj0.cf.sare.sa-update.dostech.net 70_sare_genlsubj1.cf.sare.sa-update.dostech.net 70_sare_genlsubj2.cf.sare.sa-update.dostech.net 70_sare_header.cf.sare.sa-update.dostech.net 70_sare_highrisk.cf.sare.sa-update.dostech.net 70_sare_html.cf.sare.sa-update.dostech.net 70_sare_obfu.cf.sare.sa-update.dostech.net 70_sare_oem.cf.sare.sa-update.dostech.net 70_sare_random.cf.sare.sa-update.dostech.net 70_sare_specific.cf.sare.sa-update.dostech.net 70_sare_spoof.cf.sare.sa-update.dostech.net 70_sare_stocks.cf.sare.sa-update.dostech.net 70_sare_unsub.cf.sare.sa-update.dostech.net 70_sare_uri0.cf.sare.sa-update.dostech.net 70_sare_uri1.cf.sare.sa-update.dostech.net 70_sare_uri2.cf.sare.sa-update.dostech.net 70_sare_whitelist.cf.sare.sa-update.dostech.net 70_sare_whitelist_rcvd.cf.sare.sa-update.dostech.net 70_sare_whitelist_spf.cf.sare.sa-update.dostech.net 72_sare_bml_post25x.cf.sare.sa-update.dostech.net 72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net 88_FVGT_headers.cf.sare.sa-update.dostech.net 99_FVGT_Tripwire.cf.sare.sa-update.dostech.net 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net Any ideas would be greatly appreciated. Thanks, Donald Donald Dawson Security Administrator Baker Botts L.L.P. 713-229-2183 -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/bf597489/attachment.html

From brent.addis at pronet.co.nz Tue Jul 31 10:27:39 2007
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Tue Jul 31 10:30:15 2007
Subject: Watermarking quirks still in 4.62.8
References: <7EF0EE5CB3B263488C8C18823239BEBA013584B1@HC-MBX02.herefordshire.gov.uk> <7EF0EE5CB3B263488C8C18823239BEBA01358598@HC-MBX02.herefordshire.gov.uk>
Message-ID: <7EF1F27F7292534D82933F70AB6996CC25CE27@pro-ak-exch01.hosted.pronet.net.nz>

No, it shouldn't be bounced back. The MTA should stop it and report an error to the receiving end, in the same data connection. Bounces are so 90's.

Maybe you have never been joe-jobbed?

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Randal, Phil
Sent: Tue 7/31/2007 9:19 PM
To: MailScanner discussion
Subject: RE: Watermarking quirks still in 4.62.8

Hang on,

A legitimate email is accidentally sent to the wrong email address because of a simple typo. It should be bounced back.

Spam we deal with in other ways.

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Scott Silva
> Sent: 30 July 2007 17:32
> To: mailscanner@lists.mailscanner.info
> Subject: Re: Watermarking quirks still in 4.62.8
>
> Randal, Phil spake the following on 7/30/2007 5:28 AM:
> > A couple of issues with watermarking:
> >
> > 1: Read receipts are getting blocked ("spam(no null-header or sender
> > address)")
> >
> > 2: If I send an email from outside to a non-existent email
> address here,
> > the bounce message from our Exchange server gets blocked.
> I've worked
> > around this using a ruleset, but shouldn't MailScanner be letting
> > through bounces originating from the internal network (or RFC1918
> > addresses) anyhow?
> >
> You really need to have the first point of contact in your
> network do the
> checks for non-existing users. Otherwise you risk Joe Jobbing
> the rest of the
> world. It is much better to drop the connection with an error
> than to bounce
> something back to a possibly forged address.
>
> --
>
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From glenn.steen at gmail.com Tue Jul 31 12:01:46 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 31 12:01:48 2007
Subject: image content scanning
In-Reply-To: <7EF1F27F7292534D82933F70AB6996CC25CE23@pro-ak-exch01.hosted.pronet.net.nz>
References: <7EF1F27F7292534D82933F70AB6996CC25CE23@pro-ak-exch01.hosted.pronet.net.nz>
Message-ID: <223f97700707310401s646f4eddg27b5187e65429a3e@mail.gmail.com>

On 31/07/07, Brent Addis wrote:
>
> Hi,
>
> Has anyone found anything useful for looking at porn images in email, not
> just from a spam perspective, but from a general content perspective.
> Something that checks skin tone for example. I am not really concerned how
> many cpu cycles that this sort of thing consumes.
Is there a plugin for > spamassassin or mailscanner that isn't widely known about that will do this? > > Thanks, > > Brent You already use ImageInfo (http://www.rulesemporium.com/plugins.htm), I presume? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From campbell at cnpapers.com Tue Jul 31 13:41:02 2007 From: campbell at cnpapers.com (Steve Campbell) Date: Tue Jul 31 13:41:20 2007 Subject: CRM114 version specifics? Message-ID: <46AF2DDE.7010605@cnpapers.com> The turtle Steve, who seems to always be behind in updates, here. Is all of this CRM114 stuff version specific or will it run under recent/any versions of SA? Now for a little soapboxing: I see a small problem brewing with these init.pre, v300.pre, v310.pre, etc files where people are told to add things to this specific one, or that specific one, when some of these don't exist and for the most part, it doesn't matter which one you append to. I don't have v320.pre because I haven't installed it yet. Might it not be a better idea to suggest people add things to the latest *.pre they have? Should there be an update_pre script somewhere that moves things from a current .pre to the new .pre when installing upgrades? I don't think it really matters as SA will just report duplicates or something, but there could come a time when it does matter. Alright - done for now. Steve From binaryflow at gmail.com Tue Jul 31 13:43:32 2007 From: binaryflow at gmail.com (Douglas Ward) Date: Tue Jul 31 13:43:34 2007 Subject: Sanesecurity not blocking messages Message-ID: We have a properly functioning MailScanner server that I have recently downloaded the sanesecurity definitions to. I am hoping that it will reject the message the same way it does if there is a virus detection. I have downloaded the update script and verified that the signature files are in the same location as the main clamav databases. 
I assume it is ok to have the following directory structure:

[root@mailscanner MailScanner]# ls -lah /usr/local/share/clamav/
total 4.4M
drwxrwxr-x 4 clamav clamav 1.0K Jul 31 08:30 ./
drwxr-xr-x 5 root root 1.0K Jul 3 17:09 ../
drwxr-xr-x 2 clamav clamav 1.0K Jul 31 06:05 daily.inc/
drwxr-xr-x 2 clamav clamav 1.0K Jul 20 13:07 main.inc/
-rw------- 1 clamav clamav 1.4K Jul 31 08:30 mirrors.dat
-rw-r--r-- 1 clamav clamav 514K Jul 31 07:50 MSRBL-Images.hdb
-rw-r--r-- 1 clamav clamav 224K Jul 31 05:15 MSRBL-SPAM.ndb
-rw-rw-r-- 1 clamav clamav 1.1M Jul 31 08:07 phish.ndb
-rw-rw-r-- 1 clamav clamav 182K Jul 31 03:19 phish.ndb.gz
-rw-rw-r-- 1 clamav clamav 1.1M Jul 31 08:07 phish.old
-rw-rw-r-- 1 clamav clamav 596K Jul 31 08:07 scam.ndb
-rw-rw-r-- 1 clamav clamav 120K Jul 31 03:20 scam.ndb.gz
-rw-rw-r-- 1 clamav clamav 596K Jul 31 08:07 scam.old

This is what I am seeing in the log:

Jul 31 08:11:22 mailscanner MailScanner[12975]: Message C8DEF122D.8ACFF from 192.168.x.x (user@gmail.com) to nccumc.org is not spam, SpamAssassin (not cached, score=-0.909, required 6, AWL -0.53, BAYES_00 -2.60, HTML_MESSAGE 0.00, TVD_SPACE_RATIO 2.22)
Jul 31 08:11:23 mailscanner MailScanner[12975]: /var/spool/MailScanner/incoming/12975/./C8DEF122D.8ACFF/phish_sigtest.txt: Html.Phishing.Sanesecurity.TestSig FOUND
Jul 31 08:11:25 mailscanner MailScanner[12975]: Infected message C8DEF122D.8ACFF came from 192.168.10.25
Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks: Allowing C8DEF122D.8ACFF msg-12975-4.txt
Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks: Allowing C8DEF122D.8ACFF phish_sigtest.txt
Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks: Allowing C8DEF122D.8ACFF msg-12975-5.html (no rule matched)
Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks: Allowing C8DEF122D.8ACFF msg-12975-4.txt
Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks: Allowing C8DEF122D.8ACFF msg-12975-5.html
Jul 31 08:11:25 mailscanner
MailScanner[12975]: Filetype Checks: Allowing C8DEF122D.8ACFF phish_sigtest.txt
Jul 31 08:11:25 mailscanner MailScanner[12975]: Logging message C8DEF122D.8ACFF to SQL
Jul 31 08:11:25 mailscanner MailScanner[12900]: C8DEF122D.8ACFF: Logged to MailWatch SQL

MailScanner dutifully sends the message on. It is flagged as a phishing scam but no action is taken. Is there something I need to change in MailScanner? It would appear that sanesecurity is doing its job but the message still slips through. My apologies if this is not MailScanner related. I searched google, the clamav site, the sanesecurity site and the MailScanner list archives extensively before writing. I appreciate any help you could offer. Thank you.

From MailScanner at ecs.soton.ac.uk Tue Jul 31 13:55:47 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 31 13:57:02 2007
Subject: {Disarmed} Sanesecurity not blocking messages
In-Reply-To:
References:
Message-ID: <46AF3153.1030207@ecs.soton.ac.uk>

But did it actually claim to deliver it?

Douglas Ward wrote:
> We have a properly functioning MailScanner server that I have recently
> downloaded the sanesecurity definitions to. I am hoping that it will
> reject the message the same way it does if there is a virus
> detection. I have downloaded the update script and verified that the
> signature files are in the same location as the main clamav
> databases.
I assume it is ok to have the following directory structure: > > [root@mailscanner MailScanner]# ls -lah /usr/local/share/clamav/ > total 4.4M > drwxrwxr-x 4 clamav clamav 1.0K Jul 31 08:30 ./ > drwxr-xr-x 5 root root 1.0K Jul 3 17:09 ../ > drwxr-xr-x 2 clamav clamav 1.0K Jul 31 06:05 daily.inc/ > drwxr-xr-x 2 clamav clamav 1.0K Jul 20 13:07 main.inc/ > -rw------- 1 clamav clamav 1.4K Jul 31 08:30 mirrors.dat > -rw-r--r-- 1 clamav clamav 514K Jul 31 07:50 MSRBL-Images.hdb > -rw-r--r-- 1 clamav clamav 224K Jul 31 05:15 MSRBL-SPAM.ndb > -rw-rw-r-- 1 clamav clamav 1.1M Jul 31 08:07 phish.ndb > -rw-rw-r-- 1 clamav clamav 182K Jul 31 03:19 phish.ndb.gz > -rw-rw-r-- 1 clamav clamav 1.1M Jul 31 08:07 phish.old > -rw-rw-r-- 1 clamav clamav 596K Jul 31 08:07 scam.ndb > -rw-rw-r-- 1 clamav clamav 120K Jul 31 03:20 scam.ndb.gz > -rw-rw-r-- 1 clamav clamav 596K Jul 31 08:07 scam.old > > > This is what I am seeing in the log: > > Jul 31 08:11:22 mailscanner MailScanner[12975]: Message > C8DEF122D.8ACFF from 192.168.x.x (user@gmail.com > ) to nccumc.org is not > spam, SpamAssassin (not cached, score=-0.909, required 6, AWL -0.53, > BAYES_00 -2.60 , HTML_MESSAGE 0.00, TVD_SPACE_RATIO 2.22) > Jul 31 08:11:23 mailscanner MailScanner[12975]: > /var/spool/MailScanner/incoming/12975/./C8DEF122D.8ACFF/phish_sigtest.txt: > Html.Phishing.Sanesecurity.TestSig FOUND > Jul 31 08:11:25 mailscanner MailScanner[12975]: Infected message > C8DEF122D.8ACFF came from > Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks: > Allowing C8DEF122D.8ACFF msg-12975-4.txt > Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks: > Allowing C8DEF122D.8ACFF phish_sigtest.txt > Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks: > Allowing C8DEF122D.8ACFF msg-12975-5.html (no rule matched) > Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks: > Allowing C8DEF122D.8ACFF msg-12975-4.txt > Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks: > Allowing 
C8DEF122D.8ACFF msg-12975-5.html > Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks: > Allowing C8DEF122D.8ACFF phish_sigtest.txt > Jul 31 08:11:25 mailscanner MailScanner[12975]: Logging message > C8DEF122D.8ACFF to SQL > Jul 31 08:11:25 mailscanner MailScanner[12900]: C8DEF122D.8ACFF: > Logged to MailWatch SQL > > MailScanner dutifully sends the message on. It is flagged as a > phishing scam but no action is taken. Is there something I need to > change in MailScanner? It would appear that sanesecurity is doing its > job but the message still slips through. My apologies if this is not > MailScanner related. I searched google, the clamav site, the > sansecurity site and the MailScanner list archives extensively before > writing. I appreciate any help you could offer. Thank you. Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From ms-list at alexb.ch Tue Jul 31 14:01:30 2007 From: ms-list at alexb.ch (Alex Broens) Date: Tue Jul 31 14:01:37 2007 Subject: CRM114 version specifics? In-Reply-To: <46AF2DDE.7010605@cnpapers.com> References: <46AF2DDE.7010605@cnpapers.com> Message-ID: <46AF32AA.80201@alexb.ch> On 7/31/2007 2:41 PM, Steve Campbell wrote: > The turtle Steve, who seems to always be behind in updates, here. > > Is all of this CRM114 stuff version specific or will it run under > recent/any versions of SA? 
> > Now for a little soapboxing: > > I see a small problem brewing with these init.pre, v300.pre, v310.pre, > etc files where people are told to add things to this specific one, or > that specific one, when some of these don't exist and for the most part, > it doesn't matter which one you append to. I don't have v320.pre because > I haven't installed it yet. Might it not be a better idea to suggest > people add things to the latest *.pre they have? Should there be an > update_pre script somewhere that moves things from a current .pre to the > new .pre when installing upgrades? I don't think it really matters as SA > will just report duplicates or something, but there could come a time > when it does matter. To be safe, always use your own files for your custom stuff so the logical step would be to add your custom plugins load commands to something like a "myplugins.pre" file. A SA setup/update won't touch that file and you can stop worrying. Alex From dward at nccumc.org Tue Jul 31 14:04:11 2007 From: dward at nccumc.org (Douglas Ward) Date: Tue Jul 31 14:04:18 2007 Subject: {Disarmed} Sanesecurity not blocking messages In-Reply-To: <46AF3153.1030207@ecs.soton.ac.uk> References: <46AF3153.1030207@ecs.soton.ac.uk> Message-ID: It did deliver it. The message listed below was something I sent to me from me as a test message. On 7/31/07, Julian Field wrote: > > But did it actually claim to deliver it? > > Douglas Ward wrote: > > We have a properly functioning MailScanner server that I have recently > > downloaded the sanesecurity definitions to. I am hoping that it will > > reject the message the same way it does if there is a virus > > detection. I have downloaded the update script and verified that the > > signature files are in the same location as the main clamav > > databases. 
I assume it is ok to have the following directory structure: > > > > [root@mailscanner MailScanner]# ls -lah /usr/local/share/clamav/ > > total 4.4M > > drwxrwxr-x 4 clamav clamav 1.0K Jul 31 08:30 ./ > > drwxr-xr-x 5 root root 1.0K Jul 3 17:09 ../ > > drwxr-xr-x 2 clamav clamav 1.0K Jul 31 06:05 daily.inc/ > > drwxr-xr-x 2 clamav clamav 1.0K Jul 20 13:07 main.inc/ > > -rw------- 1 clamav clamav 1.4K Jul 31 08:30 mirrors.dat > > -rw-r--r-- 1 clamav clamav 514K Jul 31 07:50 MSRBL-Images.hdb > > -rw-r--r-- 1 clamav clamav 224K Jul 31 05:15 MSRBL-SPAM.ndb > > -rw-rw-r-- 1 clamav clamav 1.1M Jul 31 08:07 phish.ndb > > -rw-rw-r-- 1 clamav clamav 182K Jul 31 03:19 phish.ndb.gz > > -rw-rw-r-- 1 clamav clamav 1.1M Jul 31 08:07 phish.old > > -rw-rw-r-- 1 clamav clamav 596K Jul 31 08:07 scam.ndb > > -rw-rw-r-- 1 clamav clamav 120K Jul 31 03:20 scam.ndb.gz > > -rw-rw-r-- 1 clamav clamav 596K Jul 31 08:07 scam.old > > > > > > This is what I am seeing in the log: > > > > Jul 31 08:11:22 mailscanner MailScanner[12975]: Message > > C8DEF122D.8ACFF from 192.168.x.x (user@gmail.com > > ) to nccumc.org is not > > spam, SpamAssassin (not cached, score=-0.909, required 6, AWL -0.53, > > BAYES_00 -2.60 , HTML_MESSAGE 0.00, TVD_SPACE_RATIO 2.22) > > Jul 31 08:11:23 mailscanner MailScanner[12975]: > > > /var/spool/MailScanner/incoming/12975/./C8DEF122D.8ACFF/phish_sigtest.txt: > > Html.Phishing.Sanesecurity.TestSig FOUND > > Jul 31 08:11:25 mailscanner MailScanner[12975]: Infected message > > C8DEF122D.8ACFF came from > > Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks: > > Allowing C8DEF122D.8ACFF msg-12975-4.txt > > Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks: > > Allowing C8DEF122D.8ACFF phish_sigtest.txt > > Jul 31 08:11:25 mailscanner MailScanner[12975]: Filename Checks: > > Allowing C8DEF122D.8ACFF msg-12975-5.html (no rule matched) > > Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks: > > Allowing C8DEF122D.8ACFF msg-12975-4.txt > 
> Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks: > > Allowing C8DEF122D.8ACFF msg-12975-5.html > > Jul 31 08:11:25 mailscanner MailScanner[12975]: Filetype Checks: > > Allowing C8DEF122D.8ACFF phish_sigtest.txt > > Jul 31 08:11:25 mailscanner MailScanner[12975]: Logging message > > C8DEF122D.8ACFF to SQL > > Jul 31 08:11:25 mailscanner MailScanner[12900]: C8DEF122D.8ACFF: > > Logged to MailWatch SQL > > > > MailScanner dutifully sends the message on. It is flagged as a > > phishing scam but no action is taken. Is there something I need to > > change in MailScanner? It would appear that sanesecurity is doing its > > job but the message still slips through. My apologies if this is not > > MailScanner related. I searched google, the clamav site, the > > sansecurity site and the MailScanner list archives extensively before > > writing. I appreciate any help you could offer. Thank you. > > Jules > > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/8539fc4a/attachment.html From campbell at cnpapers.com Tue Jul 31 14:16:47 2007 From: campbell at cnpapers.com (Steve Campbell) Date: Tue Jul 31 14:16:56 2007 Subject: CRM114 version specifics? In-Reply-To: <46AF32AA.80201@alexb.ch> References: <46AF2DDE.7010605@cnpapers.com> <46AF32AA.80201@alexb.ch> Message-ID: <46AF363F.6030604@cnpapers.com> Thanks Alex, I wasn't aware that .pre files were scanned for and loaded similar to the way .cf files are. Steve Alex Broens wrote: > On 7/31/2007 2:41 PM, Steve Campbell wrote: >> The turtle Steve, who seems to always be behind in updates, here. >> >> Is all of this CRM114 stuff version specific or will it run under >> recent/any versions of SA? >> >> Now for a little soapboxing: >> >> I see a small problem brewing with these init.pre, v300.pre, >> v310.pre, etc files where people are told to add things to this >> specific one, or that specific one, when some of these don't exist >> and for the most part, it doesn't matter which one you append to. I >> don't have v320.pre because I haven't installed it yet. Might it not >> be a better idea to suggest people add things to the latest *.pre >> they have? Should there be an update_pre script somewhere that moves >> things from a current .pre to the new .pre when installing upgrades? >> I don't think it really matters as SA will just report duplicates or >> something, but there could come a time when it does matter. > > To be safe, always use your own files for your custom stuff so the > logical step would be to add your custom plugins load commands to > something like a "myplugins.pre" file. > > A SA setup/update won't touch that file and you can stop worrying. 
>
>
> Alex
>

From carl at theholidayclub.com Tue Jul 31 14:18:38 2007
From: carl at theholidayclub.com (Carl Werner)
Date: Tue Jul 31 14:19:14 2007
Subject: Spamasassin
Message-ID: <99935896826149E1BD0B0EF0AB6DDA9C@thccwerner>

Hi there,

My MailScanner email gateway suddenly started having spamassassin constantly timing out and then not processing any mail.

Spamassassin -lint -D gives the following, which seems to be the problem (this is only an excerpt as there are a lot of similar lines):

[3450] warn: "my" variable $l masks earlier declaration in same scope at /etc/mail/spamassassin/70_sare_html1.cf, rule SARE_HTML_URI_LHOST31, line 14.
[3450] warn: "my" variable $l masks earlier declaration in same scope at /etc/mail/spamassassin/70_zmi_german.cf, rule ZMIde_URIPORN8, line 14.
[3450] warn: "my" variable $l masks earlier declaration in same scope at /etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf, rule SARE_URI_EQUALS, line 14.
[3450] warn: "my" variable $l masks earlier declaration in same scope at /etc/mail/spamassassin/70_sare_spoof.cf, rule __URI_WESTERN, line 14.
[3450] warn: "my" variable $l masks earlier declaration in same scope at /etc/mail/spamassassin/70_sare_spoof.cf, rule __URI_IS_IP, line 14.
[3450] warn: "my" variable $l masks earlier declaration in same scope at /etc/mail/spamassassin/70_zmi_german.cf, rule ZMIde_URIPORN5, line 14.
[3450] warn: "my" variable $l masks earlier declaration in same scope at /etc/mail/spamassassin/70_sare_uri1.cf, rule SARE_URI_ITEM, line 14.
[3450] warn: "my" variable $l masks earlier declaration in same scope at /etc/mail/spamassassin/70_zmi_german.cf, rule __ZMIde_URIVALORADE, line 14.
[3450] warn: "my" variable $l masks earlier declaration in same scope at /etc/mail/spamassassin/70_sare_unsub.cf, rule SARE_UNSUB39, line 14.
[3450] warn: "my" variable $l masks earlier declaration in same scope at /etc/mail/spamassassin/70_sare_uri1.cf, rule SARE_URI_ANUMA, line 14.
[3450] warn: "my" variable $l masks earlier declaration in same scope at /etc/mail/spamassassin/70_sare_uri0.cf, rule SARE_URI_SEABOURN, line 14.
[3450] warn: "my" variable $l masks earlier declaration in same scope at /var/lib/spamassassin/3.002001/updates_spamassassin_org/20_uri_tests.cf, rule URI_NOVOWEL, line 14.
[3450] warn: "my" variable $l masks earlier declaration in same scope at /etc/mail/spamassassin/70_sare_spoof.cf, rule __URI_2CO, line 14.
[3450] warn: "my" variable $l masks earlier declaration in same scope at /etc/mail/spamassassin/70_zmi_german.cf, rule ZMIde_FREEWORLDCCURI, line 14.
[3450] warn: "my" variable $l masks earlier declaration in same scope at /etc/mail/spamassassin/70_sare_specific.cf, rule __SARE_SPEC_PROLEO4, line 14.
[3450] warn: "my" variable $l masks earlier declaration in same scope at /var/lib/spamassassin/3.002001/updates_spamassassin_org/72_active.cf, rule __DOS_HAS_ANY_URI, line 14.

I'm using spamassassin 3.2.1 with rulesdujour. Any help will be greatly appreciated.

Thanks

Carl

From glenn.steen at gmail.com Tue Jul 31 14:50:11 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 31 14:50:14 2007
Subject: {Disarmed} Sanesecurity not blocking messages
In-Reply-To:
References: <46AF3153.1030207@ecs.soton.ac.uk>
Message-ID: <223f97700707310650s6cb32c17ye7683a281e422c3f@mail.gmail.com>

On 31/07/07, Douglas Ward wrote:
> It did deliver it. The message listed below was something I sent to me from
> me as a test message.
>
>
> On 7/31/07, Julian Field < MailScanner@ecs.soton.ac.uk> wrote:
> > But did it actually claim to deliver it?
> >
> > Douglas Ward wrote:
> > > We have a properly functioning MailScanner server that I have recently
> > > downloaded the sanesecurity definitions to.
I am hoping that it will > > > reject the message the same way it does if there is a virus > > > detection. I have downloaded the update script and verified that the > > > signature files are in the same location as the main clamav > > > databases. I assume it is ok to have the following directory structure: > > > > > > [root@mailscanner MailScanner]# ls -lah /usr/local/share/clamav/ > > > total 4.4M (snip) Hi Doug, What version of MailScanner and ClamAV are you running? What way do you call clamav (clamscan (clamav), clamavmodule or clamd ... Probably clamscan, but it doesn't hurt to ask:-)? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Tue Jul 31 14:55:41 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jul 31 14:55:43 2007 Subject: CRM114 version specifics? In-Reply-To: <46AF32AA.80201@alexb.ch> References: <46AF2DDE.7010605@cnpapers.com> <46AF32AA.80201@alexb.ch> Message-ID: <223f97700707310655n115acce2h3df50e985758ffcb@mail.gmail.com> On 31/07/07, Alex Broens wrote: > On 7/31/2007 2:41 PM, Steve Campbell wrote: > > The turtle Steve, who seems to always be behind in updates, here. > > > > Is all of this CRM114 stuff version specific or will it run under > > recent/any versions of SA? > > > > Now for a little soapboxing: > > > > I see a small problem brewing with these init.pre, v300.pre, v310.pre, > > etc files where people are told to add things to this specific one, or > > that specific one, when some of these don't exist and for the most part, > > it doesn't matter which one you append to. I don't have v320.pre because > > I haven't installed it yet. Might it not be a better idea to suggest > > people add things to the latest *.pre they have? Should there be an > > update_pre script somewhere that moves things from a current .pre to the > > new .pre when installing upgrades? 
I don't think it really matters as SA
> > will just report duplicates or something, but there could come a time
> > when it does matter.
>
> To be safe, always use your own files for your custom stuff so the
> logical step would be to add your custom plugins load commands to
> something like a "myplugins.pre" file.
>
> A SA setup/update won't touch that file and you can stop worrying.
>
Actually, the "plethora" of .pre files is to facilitate safe upgrades (and downgrades)... Each is meant to only hold stuff that is specific to the version where it is introduced (and later versions, of course)... At least assuming IUC;-). Matt K will slap us silly if we get it wrong:-D.
But having your own for that too is safe and probably even a good idea.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Tue Jul 31 15:00:41 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Jul 31 15:00:43 2007
Subject: Spamasassin
In-Reply-To: <99935896826149E1BD0B0EF0AB6DDA9C@thccwerner>
References: <99935896826149E1BD0B0EF0AB6DDA9C@thccwerner>
Message-ID: <223f97700707310700m5f64c478sc7a320e157e89486@mail.gmail.com>

On 31/07/07, Carl Werner wrote:
>
>
>
>
> Hi there,
>
>
>
> My MailScanner email gateway suddenly started having spamassassin constantly
> timing out and then not processing any mail.
>
> Spamassassin -lint -D gives the following, which seems to be the problem (this
> is only an excerpt as there are a lot of similar lines):
>
>
>
> [3450] warn: "my" variable $l masks earlier declaration in same scope at
> /etc/mail/spamassassin/70_sare_html1.cf, rule
> SARE_HTML_URI_LHOST31, line 14.
>
> [3450] warn: "my" variable $l masks earlier declaration in same scope at
> /etc/mail/spamassassin/70_zmi_german.cf, rule
> ZMIde_URIPORN8, line 14.
> > [3450] warn: "my" variable $l masks earlier declaration in same scope at > /etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf, rule > SARE_URI_EQUALS, line 14. > > [3450] warn: "my" variable $l masks earlier declaration in same scope at > /etc/mail/spamassassin/70_sare_spoof.cf, rule > __URI_WESTERN, line 14. > > [3450] warn: "my" variable $l masks earlier declaration in same scope at > /etc/mail/spamassassin/70_sare_spoof.cf, rule __URI_IS_IP, > line 14. > > [3450] warn: "my" variable $l masks earlier declaration in same scope at > /etc/mail/spamassassin/70_zmi_german.cf, rule > ZMIde_URIPORN5, line 14. > > [3450] warn: "my" variable $l masks earlier declaration in same scope at > /etc/mail/spamassassin/70_sare_uri1.cf, rule SARE_URI_ITEM, > line 14. > > [3450] warn: "my" variable $l masks earlier declaration in same scope at > /etc/mail/spamassassin/70_zmi_german.cf, rule > __ZMIde_URIVALORADE, line 14. > > [3450] warn: "my" variable $l masks earlier declaration in same scope at > /etc/mail/spamassassin/70_sare_unsub.cf, rule SARE_UNSUB39, > line 14. > > [3450] warn: "my" variable $l masks earlier declaration in same scope at > /etc/mail/spamassassin/70_sare_uri1.cf, rule > SARE_URI_ANUMA, line 14. > > [3450] warn: "my" variable $l masks earlier declaration in same scope at > /etc/mail/spamassassin/70_sare_uri0.cf, rule > SARE_URI_SEABOURN, line 14. > > [3450] warn: "my" variable $l masks earlier declaration in same scope at > /var/lib/spamassassin/3.002001/updates_spamassassin_org/20_uri_tests.cf, > rule URI_NOVOWEL, line 14. > > [3450] warn: "my" variable $l masks earlier declaration in same scope at > /etc/mail/spamassassin/70_sare_spoof.cf, rule __URI_2CO, > line 14. > > [3450] warn: "my" variable $l masks earlier declaration in same scope at > /etc/mail/spamassassin/70_zmi_german.cf, rule > ZMIde_FREEWORLDCCURI, line 14. 
>
> [3450] warn: "my" variable $l masks earlier declaration in same scope at
> /etc/mail/spamassassin/70_sare_specific.cf, rule
> __SARE_SPEC_PROLEO4, line 14.
>
> [3450] warn: "my" variable $l masks earlier declaration in same scope at
> /var/lib/spamassassin/3.002001/updates_spamassassin_org/72_active.cf,
> rule __DOS_HAS_ANY_URI, line 14.
>
>
>
> I'm using spamassassin 3.2.1 with rulesdujour. Any help will be greatly
> appreciated.
>
Did you try removing the SARE rules and re-get them? Same results?
Also, there seems to be a shift away from rulesdujour to sa-update for SARE... you might search the list archives (pretty recent) or even the wiki (ISTR someone (Jules perhaps) adding an article on how to set up sa-update to get them).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mkettler at evi-inc.com Tue Jul 31 15:12:57 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Tue Jul 31 15:13:44 2007
Subject: CRM114 version specifics?
In-Reply-To: <223f97700707310655n115acce2h3df50e985758ffcb@mail.gmail.com>
References: <46AF2DDE.7010605@cnpapers.com> <46AF32AA.80201@alexb.ch> <223f97700707310655n115acce2h3df50e985758ffcb@mail.gmail.com>
Message-ID: <46AF4369.7080808@evi-inc.com>

Glenn Steen wrote:
> On 31/07/07, Alex Broens wrote:
>> On 7/31/2007 2:41 PM, Steve Campbell wrote:
>>> The turtle Steve, who seems to always be behind in updates, here.
>>>
>>> Is all of this CRM114 stuff version specific or will it run under
>>> recent/any versions of SA?
>>>
>>> Now for a little soapboxing:
>>>
>>> I see a small problem brewing with these init.pre, v300.pre, v310.pre,
>>> etc files where people are told to add things to this specific one, or
>>> that specific one, when some of these don't exist and for the most part,
>>> it doesn't matter which one you append to. I don't have v320.pre because
>>> I haven't installed it yet.
Might it not be a better idea to suggest >>> people add things to the latest *.pre they have? Should there be an >>> update_pre script somewhere that moves things from a current .pre to the >>> new .pre when installing upgrades? I don't think it really matters as SA >>> will just report duplicates or something, but there could come a time >>> when it does matter. >> To be safe, always use your own files for your custom stuff so the >> logical step would be to add your custom plugins load commands to >> something like a "myplugins.pre" file. >> >> A SA setup/update won't touch that file and you can stop worrying. >> > Actually, the "plethora" of .pre files is to facilitate safe upgrades > (and downgrades)... Each is meant to only hold stuff that is specific > the version where it is introduced (and later versions, of course)... > At least assuming IUC;-). Matt K will slap us silly if we get it > wrong:-D. > But having your own for that too is safe and probably even a good idea. I agree.. when adding on my own plugins, I create a separate .pre file, OR, sometimes, I include the loadplugin in the .cf file for the plugin. Many add-on plugins do this by default, and it is safe as long as the plugin isn't referenced by any rules that might be parsed before the loadplugin command. This is true for all add-on plugins, unless it is trying to replace one of the ones that comes with SA (a "standard" plugin, and I know of none that do this at present) The primary reason the standard plugins that come with SA are in .pre files is that /etc/mail/spamassassin/*.pre gets loaded before the default rules (ie: /usr/share/spamassassin/* or /var/lib/spamassassin//updates_spamassassin_org.cf). Rules in the default set actually check for the various standard plugins, but that only works if the plugin is loaded first. (otherwise the check fails and the rules get skipped). Thus, the .pre files are needed so the plugins get loaded first. 
However, an add-on plugin won't be referenced by the standard rules, only the ones that come with the plugin. In general As long as the loadplugin occurs before any of the rules that use it, you're fine. From dward at nccumc.org Tue Jul 31 15:16:12 2007 From: dward at nccumc.org (Douglas Ward) Date: Tue Jul 31 15:16:17 2007 Subject: {Disarmed} Sanesecurity not blocking messages In-Reply-To: <223f97700707310650s6cb32c17ye7683a281e422c3f@mail.gmail.com> References: <46AF3153.1030207@ecs.soton.ac.uk> <223f97700707310650s6cb32c17ye7683a281e422c3f@mail.gmail.com> Message-ID: On 7/31/07, Glenn Steen wrote: > > On 31/07/07, Douglas Ward wrote: > > It did deliver it. The message listed below was something I sent to me > from > > me as a test message. > > > > > > On 7/31/07, Julian Field < MailScanner@ecs.soton.ac.uk> wrote: > > > But did it actually claim to deliver it? > > > > > > Douglas Ward wrote: > > > > We have a properly functioning MailScanner server that I have > recently > > > > downloaded the sanesecurity definitions to. I am hoping that it > will > > > > reject the message the same way it does if there is a virus > > > > detection. I have downloaded the update script and verified that > the > > > > signature files are in the same location as the main clamav > > > > databases. I assume it is ok to have the following directory > structure: > > > > > > > > [root@mailscanner MailScanner]# ls -lah /usr/local/share/clamav/ > > > > total 4.4M > (snip) > > Hi Doug, > > What version of MailScanner and ClamAV are you running? What way do > you call clamav (clamscan (clamav), clamavmodule or clamd ... Probably > clamscan, but it doesn't hurt to ask:-)? 
> > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > My apologies, I should have included this in the post: Mandriva 2007.1 server MailScanner-4.61.7-2 (installed through ./install.sh) clamav-0.91.1 (compiled from source) - running clamav-wrapper (not clamd) SpamAssassin-3.2.1 (compiled from source) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/90d85696/attachment.html From Chris.Russell at knowledgeit.co.uk Tue Jul 31 15:23:07 2007 From: Chris.Russell at knowledgeit.co.uk (Chris Russell) Date: Tue Jul 31 15:23:13 2007 Subject: Sanesecurity not blocking messages In-Reply-To: References: <46AF3153.1030207@ecs.soton.ac.uk><223f97700707310650s6cb32c17ye7683a281e422c3f@mail.gmail.com> Message-ID: <1638CDD827D51E4D8E9B2741290E1C9101093AF0@wkits02.knowledgeit.co.uk> > It did deliver it. The message listed below was something I sent to me from > me as a test message. Could it be that this is being marked as silent virus ? what do you have set for the delivery of silent viruses ? Thanks Chris The contents of this e-mail may be privileged and are confidential. It may not be disclosed to or used by anyone other than the addressee(s), nor copied in any way. Any views or opinions presented are solely those of the author and do not necessarily represent those of Knowledge Limited. If received in error, please advise the sender, then delete it from your system. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/73a3f130/attachment.html From dward at nccumc.org Tue Jul 31 15:28:31 2007 From: dward at nccumc.org (Douglas Ward) Date: Tue Jul 31 15:28:35 2007 Subject: Sanesecurity not blocking messages In-Reply-To: <1638CDD827D51E4D8E9B2741290E1C9101093AF0@wkits02.knowledgeit.co.uk> References: <46AF3153.1030207@ecs.soton.ac.uk> <223f97700707310650s6cb32c17ye7683a281e422c3f@mail.gmail.com> <1638CDD827D51E4D8E9B2741290E1C9101093AF0@wkits02.knowledgeit.co.uk> Message-ID: It is being tagged as a silent virus. Here is my setting in MailScanner.conf: Silent Viruses = HTML-IFrame All-Viruses Still Deliver Silent Viruses = no On 7/31/07, Chris Russell wrote: > > > It did deliver it. The message listed below was something I sent to me > from > > me as a test message. > > Could it be that this is being marked as silent virus ? what do you have > set for the delivery of silent viruses ? > > Thanks > > Chris > > The contents of this e-mail may be privileged and are confidential. > It may not be disclosed to or used by anyone other than the addressee(s), > nor copied in any way. Any views or opinions presented are solely those of > the author and do not necessarily represent those of Knowledge Limited. > > If received in error, please advise the sender, then delete it from your > system. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/291ba9c3/attachment.html From MailScanner at ecs.soton.ac.uk Tue Jul 31 15:33:10 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jul 31 15:34:14 2007 Subject: Sanesecurity not blocking messages In-Reply-To: References: <46AF3153.1030207@ecs.soton.ac.uk> <223f97700707310650s6cb32c17ye7683a281e422c3f@mail.gmail.com> <1638CDD827D51E4D8E9B2741290E1C9101093AF0@wkits02.knowledgeit.co.uk> Message-ID: <46AF4826.8070700@ecs.soton.ac.uk> Can you put a copy of the file on a website somewhere so I can test it please? Douglas Ward wrote: > It is being tagged as a silent virus. Here is my setting in > MailScanner.conf: > > Silent Viruses = HTML-IFrame All-Viruses > Still Deliver Silent Viruses = no > > > On 7/31/07, * Chris Russell* > wrote: > > > It did deliver it. The message listed below was something I > sent to me from > > me as a test message. > > Could it be that this is being marked as silent virus ? what do > you have set for the delivery of silent viruses ? > > Thanks > > Chris > > The contents of this e-mail may be privileged and are confidential. > It may not be disclosed to or used by anyone other than the > addressee(s), nor copied in any way. Any views or opinions > presented are solely those of the author and do not necessarily > represent those of Knowledge Limited. > > If received in error, please advise the sender, then delete it > from your system. > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > Jules -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! 
Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From uxbod at splatnix.net Tue Jul 31 15:39:50 2007 From: uxbod at splatnix.net (UxBoD) Date: Tue Jul 31 15:35:37 2007 Subject: CRM114 version specifics? In-Reply-To: <46AF4369.7080808@evi-inc.com> Message-ID: <15145954.8091185892790821.JavaMail.root@office.splatnix.net> Hence why the loadplugin is in crm114.cf :) Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Tue Jul 31 15:38:53 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Jul 31 15:38:55 2007 Subject: CRM114 version specifics? In-Reply-To: <46AF4369.7080808@evi-inc.com> References: <46AF2DDE.7010605@cnpapers.com> <46AF32AA.80201@alexb.ch> <223f97700707310655n115acce2h3df50e985758ffcb@mail.gmail.com> <46AF4369.7080808@evi-inc.com> Message-ID: <223f97700707310738y68c860f4l268b05ba887d1c4c@mail.gmail.com> On 31/07/07, Matt Kettler wrote: > Glenn Steen wrote: > > On 31/07/07, Alex Broens wrote: > >> On 7/31/2007 2:41 PM, Steve Campbell wrote: > >>> The turtle Steve, who seems to always be behind in updates, here. > >>> > >>> Is all of this CRM114 stuff version specific or will it run under > >>> recent/any versions of SA? 
> >>> > >>> Now for a little soapboxing: > >>> > >>> I see a small problem brewing with these init.pre, v300.pre, v310.pre, > >>> etc files where people are told to add things to this specific one, or > >>> that specific one, when some of these don't exist and for the most part, > >>> it doesn't matter which one you append to. I don't have v320.pre because > >>> I haven't installed it yet. Might it not be a better idea to suggest > >>> people add things to the latest *.pre they have? Should there be an > >>> update_pre script somewhere that moves things from a current .pre to the > >>> new .pre when installing upgrades? I don't think it really matters as SA > >>> will just report duplicates or something, but there could come a time > >>> when it does matter. > >> To be safe, always use your own files for your custom stuff so the > >> logical step would be to add your custom plugins load commands to > >> something like a "myplugins.pre" file. > >> > >> A SA setup/update won't touch that file and you can stop worrying. > >> > > Actually, the "plethora" of .pre files is to facilitate safe upgrades > > (and downgrades)... Each is meant to only hold stuff that is specific > > the version where it is introduced (and later versions, of course)... > > At least assuming IUC;-). Matt K will slap us silly if we get it > > wrong:-D. > > But having your own for that too is safe and probably even a good idea. > > I agree.. when adding on my own plugins, I create a separate .pre file, > > OR, sometimes, I include the loadplugin in the .cf file for the plugin. Many > add-on plugins do this by default, and it is safe as long as the plugin isn't > referenced by any rules that might be parsed before the loadplugin command. 
This > is true for all add-on plugins, unless it is trying to replace one of the ones > that comes with SA (a "standard" plugin, and I know of none that do this at present) > > The primary reason the standard plugins that come with SA are in .pre files is > that /etc/mail/spamassassin/*.pre gets loaded before the default rules (ie: > /usr/share/spamassassin/* or > /var/lib/spamassassin//updates_spamassassin_org.cf). > > Rules in the default set actually check for the various standard plugins, but > that only works if the plugin is loaded first. (otherwise the check fails and > the rules get skipped). Thus, the .pre files are needed so the plugins get > loaded first. > > However, an add-on plugin won't be referenced by the standard rules, only the > ones that come with the plugin. > > In general As long as the loadplugin occurs before any of the rules that use it, > you're fine. > Thanks Matt for the explanation. Always a pleasure. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From dward at nccumc.org Tue Jul 31 15:42:21 2007 From: dward at nccumc.org (Douglas Ward) Date: Tue Jul 31 15:42:30 2007 Subject: Sanesecurity not blocking messages In-Reply-To: <46AF4826.8070700@ecs.soton.ac.uk> References: <46AF3153.1030207@ecs.soton.ac.uk> <223f97700707310650s6cb32c17ye7683a281e422c3f@mail.gmail.com> <1638CDD827D51E4D8E9B2741290E1C9101093AF0@wkits02.knowledgeit.co.uk> <46AF4826.8070700@ecs.soton.ac.uk> Message-ID: http://www.sanesecurity.co.uk/clamav/scam_sigtest.txt http://www.sanesecurity.co.uk/clamav/phish_sigtest.txt On 7/31/07, Julian Field wrote: > > Can you put a copy of the file on a website somewhere so I can test it > please? > > Douglas Ward wrote: > > It is being tagged as a silent virus. 
Here is my setting in > > MailScanner.conf: > > > > Silent Viruses = HTML-IFrame All-Viruses > > Still Deliver Silent Viruses = no > > > > > > On 7/31/07, * Chris Russell* > > wrote: > > > > > It did deliver it. The message listed below was something I > > sent to me from > > > me as a test message. > > > > Could it be that this is being marked as silent virus ? what do > > you have set for the delivery of silent viruses ? > > > > Thanks > > > > Chris > > > > The contents of this e-mail may be privileged and are confidential. > > It may not be disclosed to or used by anyone other than the > > addressee(s), nor copied in any way. Any views or opinions > > presented are solely those of the author and do not necessarily > > represent those of Knowledge Limited. > > > > If received in error, please advise the sender, then delete it > > from your system. > > > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > > Jules > > -- > Julian Field MEng CITP > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > For all your IT requirements visit www.transtec.co.uk > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/967e14f2/attachment.html From ms-list at alexb.ch Tue Jul 31 15:44:24 2007 From: ms-list at alexb.ch (Alex Broens) Date: Tue Jul 31 15:44:32 2007 Subject: CRM114 version specifics? In-Reply-To: <15145954.8091185892790821.JavaMail.root@office.splatnix.net> References: <15145954.8091185892790821.JavaMail.root@office.splatnix.net> Message-ID: <46AF4AC8.3070403@alexb.ch> On 7/31/2007 4:39 PM, UxBoD wrote: > Hence why the loadplugin is in crm114.cf :) > which isn't really wise coz if you add the CRM114 rule to a meta rule, you'd have to place the rule in a .cf file starting with d_blah.cf. To have plugin rules readily available to your whole custom SA rule set, using a .pre file saves you time figuring out why a meta isn't hitting. (been there) - hence, good practice: use your myplugins.pre :-) Alex From campbell at cnpapers.com Tue Jul 31 15:48:13 2007 From: campbell at cnpapers.com (Steve Campbell) Date: Tue Jul 31 15:48:20 2007 Subject: CRM114 version specifics? In-Reply-To: <46AF4369.7080808@evi-inc.com> References: <46AF2DDE.7010605@cnpapers.com> <46AF32AA.80201@alexb.ch> <223f97700707310655n115acce2h3df50e985758ffcb@mail.gmail.com> <46AF4369.7080808@evi-inc.com> Message-ID: <46AF4BAD.3000809@cnpapers.com> Thanks all for the info. Now, what about version specifics. Will CRM114 run with older versions of SA? Is it pretty generic or real specific? It's been around for a long time, as I read it, but wasn't used specifically with SA, so I wonder if it will run with my 3.0.1 SA. Steve says thanks Matt Kettler wrote: > Glenn Steen wrote: > >> On 31/07/07, Alex Broens wrote: >> >>> On 7/31/2007 2:41 PM, Steve Campbell wrote: >>> >>>> The turtle Steve, who seems to always be behind in updates, here. >>>> >>>> Is all of this CRM114 stuff version specific or will it run under >>>> recent/any versions of SA? 
>>>> >>>> Now for a little soapboxing: >>>> >>>> I see a small problem brewing with these init.pre, v300.pre, v310.pre, >>>> etc files where people are told to add things to this specific one, or >>>> that specific one, when some of these don't exist and for the most part, >>>> it doesn't matter which one you append to. I don't have v320.pre because >>>> I haven't installed it yet. Might it not be a better idea to suggest >>>> people add things to the latest *.pre they have? Should there be an >>>> update_pre script somewhere that moves things from a current .pre to the >>>> new .pre when installing upgrades? I don't think it really matters as SA >>>> will just report duplicates or something, but there could come a time >>>> when it does matter. >>>> >>> To be safe, always use your own files for your custom stuff so the >>> logical step would be to add your custom plugins load commands to >>> something like a "myplugins.pre" file. >>> >>> A SA setup/update won't touch that file and you can stop worrying. >>> >>> >> Actually, the "plethora" of .pre files is to facilitate safe upgrades >> (and downgrades)... Each is meant to only hold stuff that is specific >> the version where it is introduced (and later versions, of course)... >> At least assuming IUC;-). Matt K will slap us silly if we get it >> wrong:-D. >> But having your own for that too is safe and probably even a good idea. >> > > I agree.. when adding on my own plugins, I create a separate .pre file, > > OR, sometimes, I include the loadplugin in the .cf file for the plugin. Many > add-on plugins do this by default, and it is safe as long as the plugin isn't > referenced by any rules that might be parsed before the loadplugin command. 
This > is true for all add-on plugins, unless it is trying to replace one of the ones > that comes with SA (a "standard" plugin, and I know of none that do this at present) > > The primary reason the standard plugins that come with SA are in .pre files is > that /etc/mail/spamassassin/*.pre gets loaded before the default rules (ie: > /usr/share/spamassassin/* or > /var/lib/spamassassin//updates_spamassassin_org.cf). > > Rules in the default set actually check for the various standard plugins, but > that only works if the plugin is loaded first. (otherwise the check fails and > the rules get skipped). Thus, the .pre files are needed so the plugins get > loaded first. > > However, an add-on plugin won't be referenced by the standard rules, only the > ones that come with the plugin. > > In general As long as the loadplugin occurs before any of the rules that use it, > you're fine. > > > > > > > > From stork at openenterprise.ca Tue Jul 31 15:48:30 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 15:48:37 2007 Subject: CRM114 - Problems with install In-Reply-To: <46AEE99D.9050205@coders.co.uk> References: <8384902.6331185805139308.JavaMail.root@office.splatnix.net> <46AEC44C.6000500@openenterprise.ca> <46AEC683.9050707@openenterprise.ca> <46AECA38.2030004@openenterprise.ca> <46AECE0D.5040402@alexb.ch> <46AED083.8000607@openenterprise.ca> <46AED4D9.6040303@alexb.ch> <46AED690.2090003@openenterprise.ca> <46AED7F7.70605@alexb.ch> <46AEDB30.7040406@openenterprise.ca> <46AEDF15.4060202@openenterprise.ca> <46AEE99D.9050205@coders.co.uk> Message-ID: <46AF4BBE.50401@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... 
Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/e8dcaa1d/stork.vcf From donald.dawson at bakerbotts.com Tue Jul 31 15:48:40 2007 From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com) Date: Tue Jul 31 15:48:49 2007 Subject: MailScanner/Spamassassin slow after version upgrade In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA01358599@HC-MBX02.herefordshire.gov.uk> Message-ID: -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil Sent: Tuesday, July 31, 2007 4:22 AM To: MailScanner discussion Subject: RE: MailScanner/Spamassassin slow after version upgrade You left out a few key facts. What did you upgrade from? (MailScanner and SA versions). And most importantly, which OS and Perl versions? Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK I upgraded from MS 4.59.4 and SA 3.2.0. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/de52bf33/attachment.html From mkettler at evi-inc.com Tue Jul 31 15:48:57 2007 From: mkettler at evi-inc.com (Matt Kettler) Date: Tue Jul 31 15:49:43 2007 Subject: CRM114 version specifics? In-Reply-To: <46AF4AC8.3070403@alexb.ch> References: <15145954.8091185892790821.JavaMail.root@office.splatnix.net> <46AF4AC8.3070403@alexb.ch> Message-ID: <46AF4BD9.4030305@evi-inc.com> Alex Broens wrote: > On 7/31/2007 4:39 PM, UxBoD wrote: >> Hence why the loadplugin is in crm114.cf :) >> > > which isn't really wise coz if you add the CRM114 rule to a meta rule, > you'd have to place the rule in a .cf file starting with d_blah.cf. If it's a meta rule, the loading of the plugin is irrelevant. The only thing that matters is if the RULE exists. 
The rule doesn't exist until crm114.cf is parsed, even if the plugin is loaded earlier. Therefore, you'll *always* have to put it in d_blah.cf, even if the loadplugin is in foobar.pre. From donald.dawson at bakerbotts.com Tue Jul 31 15:50:34 2007 From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com) Date: Tue Jul 31 15:50:44 2007 Subject: MailScanner/Spamassassin slow after version upgrade In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA01358599@HC-MBX02.herefordshire.gov.uk> Message-ID: -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Randal, Phil Sent: Tuesday, July 31, 2007 4:22 AM To: MailScanner discussion Subject: RE: MailScanner/Spamassassin slow after version upgrade You left out a few key facts. What did you upgrade from? (MailScanner and SA versions). And most importantly, which OS and Perl versions? Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK I upgraded from MS 4.59.4 to 4.62.6 and SA from 3.2.0 to 3.2.2. Linux houmx05.bakerbotts.com 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004 i686 i686 i386 GNU/Linux This is Fedora Core release 3 (Heidelberg) This is Perl version 5.008005 (5.8.5) dd -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/1b5b5c0f/attachment.html From stork at openenterprise.ca Tue Jul 31 15:51:29 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 15:51:32 2007 Subject: CRM114 - Problems with install In-Reply-To: <2312568.7081185868593139.JavaMail.root@office.splatnix.net> References: <2312568.7081185868593139.JavaMail.root@office.splatnix.net> Message-ID: <46AF4C71.40406@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... 
Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/e088c253/stork.vcf From mkettler at evi-inc.com Tue Jul 31 16:00:52 2007 From: mkettler at evi-inc.com (Matt Kettler) Date: Tue Jul 31 16:01:38 2007 Subject: CRM114 version specifics? In-Reply-To: <46AF4BAD.3000809@cnpapers.com> References: <46AF2DDE.7010605@cnpapers.com> <46AF32AA.80201@alexb.ch> <223f97700707310655n115acce2h3df50e985758ffcb@mail.gmail.com> <46AF4369.7080808@evi-inc.com> <46AF4BAD.3000809@cnpapers.com> Message-ID: <46AF4EA4.6080609@evi-inc.com> Steve Campbell wrote: > Thanks all for the info. > > Now, what about version specifics. Will CRM114 run with older versions > of SA? Is it pretty generic or real specific? It's been around for a > long time, as I read it, but wasn't used specifically with SA, so I > wonder if it will run with my 3.0.1 SA. You should be worried about upgrading before adding CRM114. Unless your 3.0.1 is vendor-patched, you've got numerous security vulnerabilities, mostly DoS attacks that exploit cases where the message parsing can be made to burn lots of CPU by feeding it malformed messages. http://wiki.apache.org/spamassassin/Security Known to affect 3.0.1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2447 (note: 2006-2447 requires spamd, so irrelevant to MailScanner) Might affect you (never verified against such an old version): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3351 From ms-list at alexb.ch Tue Jul 31 16:01:35 2007 From: ms-list at alexb.ch (Alex Broens) Date: Tue Jul 31 16:01:45 2007 Subject: CRM114 version specifics? 
In-Reply-To: <46AF4BD9.4030305@evi-inc.com>
References: <15145954.8091185892790821.JavaMail.root@office.splatnix.net> <46AF4AC8.3070403@alexb.ch> <46AF4BD9.4030305@evi-inc.com>
Message-ID: <46AF4ECF.6030602@alexb.ch>

On 7/31/2007 4:48 PM, Matt Kettler wrote:
> Alex Broens wrote:
>> On 7/31/2007 4:39 PM, UxBoD wrote:
>>> Hence why the loadplugin is in crm114.cf :)
>>>
>> which isn't really wise coz if you add the CRM114 rule to a meta rule,
>> you'd have to place the rule in a .cf file starting with d_blah.cf.
>
>
> If it's a meta rule, the loading of the plugin is irrelevant. The only thing
> that matters is if the RULE exists. The rule doesn't exist until crm114.cf is
> parsed, even if the plugin is loaded earlier.
>
> Therefore, you'll *always* have to put it in d_blah.cf, even if the loadplugin
> is in foobar.pre.

you're soooooooooo right... got it totally mixed up

thx

Alex

From mkercher at nfsmith.com Tue Jul 31 16:04:07 2007
From: mkercher at nfsmith.com (Mike Kercher)
Date: Tue Jul 31 16:04:13 2007
Subject: CRM114 Installation on Centos 4
Message-ID: <441247027D4F274EB760A5F6E1ED9C7E020E79@houpex02.nfsmith.info>

Here are the steps I used to install CRM114 on Centos 4:

yum install tre tre-devel
wget ftp://fr.rpmfind.net/linux/fedora/extras/development/SRPMS/crm114-0-0.4.20070301.fc7.src.rpm
rpmbuild --rebuild crm114-0-0.4.20070301.fc7.src.rpm
rpm -Uvh /usr/src/redhat/RPMS/i386/crm114-0-0.4.20070301.i386.rpm
cd /etc/mail/spamassassin/
wget http://mschuette.name/files/crm114.pm
wget http://mschuette.name/files/crm114.cf
vi crm114.cf
    # commandline to execute CRM114
    # default: crm -u ~/.crm114 mailreaver.crm
    crm114_command /usr/bin/crm -u /etc/mail/spamassassin/crm114 mailreaver.crm

    # should CRM114 be trained by SA-autolearn?
    # If enabled, then SA's autolearn also calls the CRM114 plugin.
    #
    # This is different from :automatic_training: in CRM114's mailfilter.cf
    # because SA's score is influenced by several different factors while
    # CRM114 has to rely on its own classification.
    # But anyway: Only activate this if you know what you're doing!
    # default: 0
    crm114_autolearn 1

mkdir crm114
cd crm114
cssutil -b -r spam.css
cssutil -b -r nonspam.css
cp /usr/share/doc/crm114-0/mailfilter.cf .
cp /usr/share/crm114/*.crm .
touch blacklist.mfp
touch whitelist.mfp
touch rewrites.mfp
cp /usr/share/doc/crm114-0/priolist.mfp.example priolist.mfp
vi mailfilter.cf
    :spw: /YOUR_PASSWORD/
    :rewrites_enabled: /no/
    :log_to_allmail.txt: /no/
cd ..
spamassassin -D --lint > /tmp/crm.test 2>&1
vi /tmp/crm.test
service MailScanner restart

From campbell at cnpapers.com Tue Jul 31 16:18:06 2007
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Jul 31 16:18:45 2007
Subject: CRM114 version specifics?
In-Reply-To: <46AF4EA4.6080609@evi-inc.com>
References: <46AF2DDE.7010605@cnpapers.com> <46AF32AA.80201@alexb.ch> <223f97700707310655n115acce2h3df50e985758ffcb@mail.gmail.com> <46AF4369.7080808@evi-inc.com> <46AF4BAD.3000809@cnpapers.com> <46AF4EA4.6080609@evi-inc.com>
Message-ID: <46AF52AE.6080400@cnpapers.com>

You are correct here Matt, but just shutting down things for a few
minutes makes the phones ring with angry execs at the end of the line.
You probably know the rest of the story. Until I can upgrade, I add what
I can to the lot.

Thanks though,

Steve

Matt Kettler wrote:
> Steve Campbell wrote:
>
>> Thanks all for the info.
>>
>> Now, what about version specifics. Will CRM114 run with older versions
>> of SA? Is it pretty generic or real specific? It's been around for a
>> long time, as I read it, but wasn't used specifically with SA, so I
>> wonder if it will run with my 3.0.1 SA.
>>
>
> You should be worried about upgrading before adding CRM114.
>
> Unless your 3.0.1 is vendor-patched, you've got numerous security
> vulnerabilities, mostly DoS attacks that exploit cases where the message parsing
> can be made to burn lots of CPU by feeding it malformed messages.
>
> http://wiki.apache.org/spamassassin/Security
>
>
> Known to affect 3.0.1:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1266
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2447
> (note: 2006-2447 requires spamd, so irrelevant to MailScanner)
>
> Might affect you (never verified against such an old version):
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3351
>
>

From uxbod at splatnix.net Tue Jul 31 16:26:28 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 31 16:23:17 2007
Subject: OT: DNS Question
Message-ID: <7490667.8121185895588633.JavaMail.root@office.splatnix.net>

Hi,

I am attempting to set up our own RBL (that bit has gone fine) but on the
DNS servers I need to define a subdomain. I have in our db.example.com
the following :-

$TTL 172800 ; 2 days
$ORIGIN example.com.
@       IN SOA  ns1.example.com. root.ns1.example.com. (
                2007073108 ; serial
                900        ; refresh (15 minutes)
                300        ; retry (5 minutes)
                604800     ; expire (1 week)
                2592000    ; minimum (4 weeks 2 days)
                )
        NS      ns1
        NS      ns2
        MX      5 mail
...
...
$ORIGIN dnsrbl.example.com.
        IN NS   rblserver.example.com.

If I do a dig against example.com I get back ns1 and ns2. But if I do a
dig against dnsrbl.example.com I get nothing. What is wrong with my
syntax ?

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
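
How a master-file parser assigns owner names around a $ORIGIN change like the one in the zone quoted above, following RFC 1035 section 5.1: a blank owner field repeats the previous record's owner, and "@" stands for the current origin. This is an added example, not part of the original post; the "mail" A record, its address and all function names are constructed, and the parser covers only the syntax used here.

```python
"""Owner-name resolution in a DNS master file (RFC 1035 section 5.1)."""

# Record types whose rdata carries a domain name, and the index of that field.
NAME_RDATA = {"NS": 0, "CNAME": 0, "PTR": 0, "MX": 1}


def absolute(name, origin):
    """Qualify a name: "@" is the origin, a trailing dot means already absolute."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Drop ';' comments and join records continued inside parentheses.

    Simplification: a ';' inside a quoted TXT string is not handled.
    """
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        depth += line.count("(") - line.count(")")
        buf += line.replace("(", " ").replace(")", " ")
        if depth == 0:
            if buf.strip():
                yield buf
            buf = ""
        else:
            buf += " "


def parse_zone(text, origin):
    """Return [(owner, rtype, rdata)] with every owner name made absolute."""
    owner, records = None, []
    for line in logical_lines(text):
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            # Changes the origin only; the "current owner" is left untouched.
            origin = absolute(fields[1], origin)
            continue
        if fields[0].startswith("$"):      # $TTL etc. are not needed here
            continue
        if not line[0].isspace():          # owner field present in column 1
            owner = absolute(fields.pop(0), origin)
        elif owner is None:
            raise ValueError("blank owner field before any owner was stated")
        # An optional TTL and class may precede the type, in either order.
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in NAME_RDATA:
            i = NAME_RDATA[rtype]
            rdata[i] = absolute(rdata[i], origin)
        records.append((owner, rtype, " ".join(rdata)))
    return records


def ns_for(records, name):
    """NS targets published at exactly this owner name."""
    return sorted(rd for own, rt, rd in records if own == name and rt == "NS")


# Constructed zone text: same shape as the posted snippet, with one
# placeholder record standing in for the elided "..." lines.
ZONE_HEAD = """\
$TTL 172800 ; 2 days
$ORIGIN example.com.
@       IN SOA  ns1.example.com. root.ns1.example.com. (
                2007073108 ; serial
                900 300 604800 2592000 )
        NS      ns1
        NS      ns2
        MX      5 mail
mail    IN A    192.0.2.25
"""
# Three ways of writing the delegation record.
BLANK_OWNER = ZONE_HEAD + "$ORIGIN dnsrbl.example.com.\n        IN NS   rblserver.example.com.\n"
AT_OWNER = ZONE_HEAD + "$ORIGIN dnsrbl.example.com.\n@       IN NS   rblserver.example.com.\n"
PARENT_FORM = ZONE_HEAD + "dnsrbl  IN NS   rblserver.example.com.\n"

if __name__ == "__main__":
    for label, text in (("blank owner", BLANK_OWNER),
                        ("@ owner", AT_OWNER),
                        ("relative owner, no $ORIGIN", PARENT_FORM)):
        recs = parse_zone(text, "example.com.")
        print(f"{label}:")
        for own, rt, rd in recs:
            if rt == "NS":
                print(f"  {own:22} NS {rd}")
```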
From rob at robhq.com Tue Jul 31 16:28:03 2007 From: rob at robhq.com (Rob Freeman) Date: Tue Jul 31 16:28:06 2007 Subject: zip only spam Message-ID: I see instead of using pdf spam, they have switched to zip spam. I have a rule to block the pdf only spam, but when I changed it to zip, it is not working: # ZIP only spam full ZIP_ONLY_SPAM /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/zip\;.{1,40}name\=.{1,40}\.zip.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.zip/is describe ZIP_ONLY_SPAM ZIP only Message, no text in message body score ZIP_ONLY_SPAM 6.0 I am unable to block zip files as we have customers who send them to us. What are other people doing to prevent this latest spam attack? Thanks in advance Rob -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/29d60067/attachment.html From stork at openenterprise.ca Tue Jul 31 16:28:45 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 16:28:51 2007 Subject: CRM114 - Problems with install In-Reply-To: <46AEEFD9.3040501@alexb.ch> References: <6712818.7171185869639368.JavaMail.root@office.splatnix.net> <46AEEFD9.3040501@alexb.ch> Message-ID: <46AF552D.3010503@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/f0e8e9c0/stork.vcf From itdept at fractalweb.com Tue Jul 31 16:29:18 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Tue Jul 31 16:30:27 2007 Subject: CRM114 Installation on Centos 4 In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020E79@houpex02.nfsmith.info> References: <441247027D4F274EB760A5F6E1ED9C7E020E79@houpex02.nfsmith.info> Message-ID: <46AF554E.6020308@fractalweb.com> Mike, You're a genius! 
I wiped out everything I had done yesterday and followed your instructions to the letter and everything is working flawlessly on my Centos 4.x system. The nonspam.css and spam.css files are being updated, and messages are being learned. Wonderful.

I'm sure many others will benefit from your great howto. Any chance you can post the Centos/RHEL instructions to the wiki somewhere?

Thanks,
Chris

Mike Kercher wrote:
> Here are the steps I used to install CRM114 on Centos 4:
>
> yum install tre tre-devel
> wget ftp://fr.rpmfind.net/linux/fedora/extras/development/SRPMS/crm114-0-0.4.20070301.fc7.src.rpm
> rpmbuild --rebuild crm114-0-0.4.20070301.fc7.src.rpm
> rpm -Uvh /usr/src/redhat/RPMS/i386/crm114-0-0.4.20070301.i386.rpm
> cd /etc/mail/spamassassin/
> wget http://mschuette.name/files/crm114.pm
> wget http://mschuette.name/files/crm114.cf
> vi crm114.cf
>     # commandline to execute CRM114
>     # default: crm -u ~/.crm114 mailreaver.crm
>     crm114_command /usr/bin/crm -u /etc/mail/spamassassin/crm114 mailreaver.crm
>
>     # should CRM114 be trained by SA-autolearn?
>     # If enabled, then SA's autolearn also calls the CRM114 plugin.
>     #
>     # This is different from :automatic_training: in CRM114's mailfilter.cf
>     # because SA's score is influenced by several different factors while
>     # CRM114 has to rely on its own classification.
>     # But anyway: Only activate this if you know what you're doing!
>     # default: 0
>     crm114_autolearn 1
>
> mkdir crm114
> cd crm114
> cssutil -b -r spam.css
> cssutil -b -r nonspam.css
> cp /usr/share/doc/crm114-0/mailfilter.cf .
> cp /usr/share/crm114/*.crm .
> touch blacklist.mfp
> touch whitelist.mfp
> touch rewrites.mfp
> cp /usr/share/doc/crm114-0/priolist.mfp.example priolist.mfp
> vi mailfilter.cf
>     :spw: /YOUR_PASSWORD/
>     :rewrites_enabled: /no/
>     :log_to_allmail.txt: /no/
> cd ..
> spamassassin -D --lint > /tmp/crm.test 2>&1
> vi /tmp/crm.test
> service MailScanner restart

From itdept at fractalweb.com Tue Jul 31 16:35:56 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Tue Jul 31 16:36:47 2007
Subject: CRM114 version specifics?
In-Reply-To: <46AF52AE.6080400@cnpapers.com>
References: <46AF2DDE.7010605@cnpapers.com> <46AF32AA.80201@alexb.ch> <223f97700707310655n115acce2h3df50e985758ffcb@mail.gmail.com> <46AF4369.7080808@evi-inc.com> <46AF4BAD.3000809@cnpapers.com> <46AF4EA4.6080609@evi-inc.com> <46AF52AE.6080400@cnpapers.com>
Message-ID: <46AF56DC.6020004@fractalweb.com>

Steve Campbell wrote:
> You are correct here Matt, but just shutting down things for a few
> minutes make the phones ring with angry execs at the end of the line.
>
> You probably know the rest of the story. Until I can upgrade, I add what
> I can to the lot.

Steve,

I'm in a similar situation to you. Phones ring immediately if anything goes down, even for a couple of minutes. That said, I keep our systems very patched and very much up-to-date.

I'm not sure what distro you're on, but I've done upgrades to Spamassassin on a busy Wednesday afternoon on our production machine (after first testing the upgrade on a test box to make sure it works properly) without anything more than a couple of seconds of downtime. That's about as long as it takes for a "service MailScanner restart" command to take. We're on Centos 4.x and keep everything updated using the yum command.

Think how much down time you could have if one of these well-known and well-published vulnerabilities gets exploited and unleashed to your server.

My $0.02 worth.
Chris From uxbod at splatnix.net Tue Jul 31 16:49:29 2007 From: uxbod at splatnix.net (UxBoD) Date: Tue Jul 31 16:46:20 2007 Subject: CRM114 - Problems with install In-Reply-To: <46AF552D.3010503@openenterprise.ca> Message-ID: <3573023.8151185896969303.JavaMail.root@office.splatnix.net> Sounds like you have put the crm114.pm in both /etc/mail/spamassassin and /etc/mail/spamassassin/crm114. Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- From: "Johnny Stork" To: "MailScanner discussion" Sent: Tuesday, July 31, 2007 4:28:45 PM (GMT) Europe/London Subject: Re: CRM114 - Problems with install -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From stork at openenterprise.ca Tue Jul 31 16:47:33 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 16:47:40 2007 Subject: CRM114 - Problems with install - Lint Errors In-Reply-To: <46AF552D.3010503@openenterprise.ca> References: <6712818.7171185869639368.JavaMail.root@office.splatnix.net> <46AEEFD9.3040501@alexb.ch> <46AF552D.3010503@openenterprise.ca> Message-ID: <46AF5995.6060302@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... 
Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/9d1cb8d0/stork.vcf From stork at openenterprise.ca Tue Jul 31 16:56:08 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 16:56:11 2007 Subject: CRM114 - Problems with install In-Reply-To: <3573023.8151185896969303.JavaMail.root@office.splatnix.net> References: <3573023.8151185896969303.JavaMail.root@office.splatnix.net> Message-ID: <46AF5B98.8070702@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/30521cfb/stork.vcf From uxbod at splatnix.net Tue Jul 31 17:01:50 2007 From: uxbod at splatnix.net (UxBoD) Date: Tue Jul 31 16:58:20 2007 Subject: CRM114 - Problems with install - Lint Errors In-Reply-To: <46AF5995.6060302@openenterprise.ca> Message-ID: <15026663.8181185897710507.JavaMail.root@office.splatnix.net> Johnny, I would recommend moving the crm114.pm and crm114.cf out of /etc/mail/spamassassin/crm114 into /etc/mail/spamassassin. Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- From: "Johnny Stork" To: "MailScanner discussion" Sent: Tuesday, July 31, 2007 4:47:33 PM (GMT) Europe/London Subject: Re: CRM114 - Problems with install - Lint Errors -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mkercher at nfsmith.com Tue Jul 31 17:08:42 2007 From: mkercher at nfsmith.com (Mike Kercher) Date: Tue Jul 31 17:08:47 2007 Subject: CRM114 Installation on Centos 4 In-Reply-To: <46AF554E.6020308@fractalweb.com> References: <441247027D4F274EB760A5F6E1ED9C7E020E79@houpex02.nfsmith.info> <46AF554E.6020308@fractalweb.com> Message-ID: <441247027D4F274EB760A5F6E1ED9C7E020E7F@houpex02.nfsmith.info> I have added this to the wiki: http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamass assin:plugins:crm114 The formatting is all FUBAR is someone wants to go clean it up. I'm a wiki n00b. Mike -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Chris Yuzik Sent: Tuesday, July 31, 2007 10:29 AM To: MailScanner discussion Subject: Re: CRM114 Installation on Centos 4 Mike, You're a genius! I wiped out everything I had done yesterday and followed your instructions to the letter and everything is working flawlessly on my Centos 4.x system. The nonspam.css and spam.css files are being updated, and messages are being learned. Wonderful. I'm sure many others will benefit from your great howto. Any chance you can post the Centos/RHEL instructions to the wiki somewhere? Thanks, Chris Mike Kercher wrote: > Here are the steps I used to install CRM114 on Centos 4: > > yum install tre tre-devel > wget > ftp://fr.rpmfind.net/linux/fedora/extras/development/SRPMS/crm114-0-0.4. 
> 20070301.fc7.src.rpm > rpmbuild --rebuild crm114-0-0.4.20070301.fc7.src.rpm rpm -Uvh > /usr/src/redhat/RPMS/i386/crm114-0-0.4.20070301.i386.rpm > cd /etc/mail/spamassassin/ > wget http://mschuette.name/files/crm114.pm > wget http://mschuette.name/files/crm114.cf > vi crm114.cf > # commandline to execute CRM114 > # default: crm -u ~/.crm114 mailreaver.crm > crm114_command /usr/bin/crm -u /etc/mail/spamassassin/crm114 > mailreaver.crm > > # should CRM114 be trained by SA-autolearn? > # If enabled, then SA's autolearn also calls the CRM114 plugin. > # > # This is different from :automatic_training: in CRM114's > mailfilter.cf > # because SA's score is influenced by several different factors while > # CRM114 has to rely on its own classification. > # But anyway: Only activate this if you know what you're doing! > # default: 0 > crm114_autolearn 1 > > mkdir crm114 > cd crm114 > cssutil -b -r spam.css > cssutil -b -r nonspam.css > cp /usr/share/doc/crm114-0/mailfilter.cf . > cp /usr/share/crm114/*.crm . > touch blacklist.mfp > touch whitelist.mfp > touch rewrites.mfp > cp /usr/share/doc/crm114-0/priolist.mfp.example priolist.mfp vi > mailfilter.cf > :spw: /YOUR_PASSWORD/ > :rewrites_enabled: /no/ > :log_to_allmail.txt: /no/ > cd .. > spamassassin -D --lint > /tmp/crm.test 2>&1 vi /tmp/crm.test service > MailScanner restart -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From Kevin_Miller at ci.juneau.ak.us Tue Jul 31 17:15:45 2007 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Jul 31 17:16:03 2007 Subject: DNS Question In-Reply-To: <7490667.8121185895588633.JavaMail.root@office.splatnix.net> References: <7490667.8121185895588633.JavaMail.root@office.splatnix.net> Message-ID: UxBoD wrote: > Hi, > > I am attempting to setup our own RBL (that bit has gone fine) but on > the DNS servers I need to define a subdomain. I have in out > db.example.com the following :- > > $TTL 172800 ; 2 days > $ORIGIN example.com. > @ IN SOA ns1.example.com. > root.ns1.example.com. ( 2007073108 ; > serial 900 ; refresh (15 > minutes) 300 ; retry (5 > minutes) 604800 ; expire (1 week) > 2592000 ; minimum (4 weeks 2 days) > ) > NS ns1 > NS ns2 > > MX 5 mail > > ... ... > > > $ORIGIN dnsrbl.example.com. > IN NS rblserver.example.com. > > If I do a dig against example.com I get back ns1 and ns2. But if I > do a dig against dnsrbl.example.com I get nothing. > > What is wrong with my syntax ? > > Regards, It's been ages since I played with DNS so I'm pretty fuzzy, but do you actually have a host named rblserver.example.com? Don't know that it needs to be a separate box from your main dns, but it needs an a record at the least. You don't show enough of your configuration to know - "All the A records" is a bit vague... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From uxbod at splatnix.net Tue Jul 31 17:24:07 2007 From: uxbod at splatnix.net (UxBoD) Date: Tue Jul 31 17:19:45 2007 Subject: OT: DNS Question [RESOLVED] In-Reply-To: <7490667.8121185895588633.JavaMail.root@office.splatnix.net> Message-ID: <20703168.8211185899047640.JavaMail.root@office.splatnix.net> Didn't add the glue record! DOH!!! 
Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From brose at med.wayne.edu Tue Jul 31 17:20:07 2007 From: brose at med.wayne.edu (Rose, Bobby) Date: Tue Jul 31 17:20:14 2007 Subject: CRM114 - Problems with install In-Reply-To: <46AF5B98.8070702@openenterprise.ca> References: <3573023.8151185896969303.JavaMail.root@office.splatnix.net> <46AF5B98.8070702@openenterprise.ca> Message-ID: <8F2A53954C22554EB75D9643FCCE0C6B0472D3DA@MED-CORE03-MS1.med.wayne.edu> I followed UxBoD's instructions and it worked fine however I found that using the BlametheInterns distro which has the lastest date would result in mailreaver errors so I tried the BlameBaltar dated in March and it worked fine. BlameBaltar is the link listed on the website but is a broken link but if you go to http://crm114.sourceforge.net/tarballs/ you can download it from the exposed dir. ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Johnny Stork Sent: Tuesday, July 31, 2007 11:56 AM To: MailScanner discussion Subject: Re: CRM114 - Problems with install I went through and removed crm114.pm from /etc/mail/spamassassin and all the locations suggested first by Julian in /usr/lib/perl5..... so it is now only in /etc/mail/spamassassin/crm114/ But I still get those lint parse errors and the maillib.crm errors in the last post UxBoD wrote: Sounds like you have put the crm114.pm in both /etc/mail/spamassassin and /etc/mail/spamassassin/crm114. 
Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- From: "Johnny Stork" To: "MailScanner discussion" Sent: Tuesday, July 31, 2007 4:28:45 PM (GMT) Europe/London Subject: Re: CRM114 - Problems with install -- Johnny Stork Business & Technology Consultant stork@openenterprise.ca -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/7af3f980/attachment.html From stork at openenterprise.ca Tue Jul 31 17:23:59 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 17:24:04 2007 Subject: CRM114 - Problems with install - Lint Errors In-Reply-To: <15026663.8181185897710507.JavaMail.root@office.splatnix.net> References: <15026663.8181185897710507.JavaMail.root@office.splatnix.net> Message-ID: <46AF621F.6070405@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/74c07cd1/stork.vcf From uxbod at splatnix.net Tue Jul 31 17:35:08 2007 From: uxbod at splatnix.net (UxBoD) Date: Tue Jul 31 17:30:53 2007 Subject: CRM114 - Problems with install - Lint Errors In-Reply-To: <46AF621F.6070405@openenterprise.ca> Message-ID: <2105581.8241185899708573.JavaMail.root@office.splatnix.net> Okay. 
So within crm114.cf do you have the line :-

crm114_command /usr/bin/crm -u /etc/mail/spamassassin/crm114 mailreaver.crm

and have you put the necessary files into the crm114 directory like :-

-rwxr-xr-x 1 postfix root 17415 Jul 30 05:57 mailfilter.cf
-rwxr-xr-x 1 postfix root 44537 Jul 30 05:11 mailfilter.crm
-rw-r--r-- 1 postfix root 14511 Jul 30 05:11 maillib.crm
-rwxr-xr-x 1 postfix root 22740 Jul 30 05:11 mailreaver.crm
-rwxr-xr-x 1 postfix root 37621 Jul 30 05:11 mailtrainer.crm
-rw-r--r-- 1 postfix root 0 Jul 30 05:14 priolist.mfp
drwxr-xr-x 8 postfix root 4096 Jul 30 05:23 reaver_cache
-rw-r--r-- 1 postfix root 0 Jul 30 05:23 rewrites.mfp

I have excluded spam.css and nonspam.css from the above.

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- Original Message -----
From: "Johnny Stork"
To: "MailScanner discussion"
Sent: Tuesday, July 31, 2007 5:23:59 PM (GMT) Europe/London
Subject: Re: CRM114 - Problems with install - Lint Errors

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
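
The delegation problem in the "OT: DNS Question" thread above, which its author resolved by adding the missing glue record, can be caught before a zone is loaded. This is an added example, not code from any poster: a minimal master-file reader (it handles only $ORIGIN, comments, parenthesised records and inherited owner names) that reports in-zone NS targets with no address record. The function names are hypothetical, and the sample zones and their 192.0.2.x addresses are constructed, modelled on the zone in the thread.

```python
def absolute(name, origin):
    """Expand a relative name (or '@') against the current origin."""
    if name == "@":
        return origin
    return (name if name.endswith(".") else f"{name}.{origin}").lower()


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples from simple master-file text."""
    records, owner, logical, depth = [], None, "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments first
        if depth == 0 and not line.strip():
            continue
        # Inside parentheses a record continues across physical lines.
        logical = f"{logical} {line.strip()}" if depth else line
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue
        entry, logical = logical.replace("(", " ").replace(")", " "), ""
        if entry.startswith("$"):
            parts = entry.split()
            if parts[0].upper() == "$ORIGIN":
                origin = absolute(parts[1], origin)
            continue                                 # $TTL etc. are ignored
        fields = entry.split()
        if not fields:
            continue
        # A line that starts with whitespace keeps the last stated owner.
        if not entry[0].isspace():
            owner = absolute(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                            # skip TTL and class
        if owner is None or not fields:
            continue
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "MX", "CNAME") and rdata:
            rdata[-1] = absolute(rdata[-1], origin)  # target name is last field
        records.append((owner, rtype, rdata))
    return records


def missing_ns_addresses(text, zone):
    """List (delegated name, NS target) pairs whose in-zone target has no A/AAAA."""
    zone = zone.lower()
    records = parse_zone(text, zone)
    have_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    missing = []
    for owner, rtype, rdata in records:
        if rtype != "NS" or not rdata:
            continue
        target = rdata[-1]
        in_zone = target == zone or target.endswith("." + zone)
        if in_zone and target not in have_addr:
            missing.append((owner, target))
    return missing


# Constructed sample: the delegation exists, the name server's address does not.
BROKEN_ZONE = """\
$TTL 172800 ; 2 days
$ORIGIN example.com.
@ IN SOA ns1.example.com. root.ns1.example.com. (
        2007073108 ; serial
        900        ; refresh (15 minutes)
        300        ; retry (5 minutes)
        604800     ; expire (1 week)
        2592000    ; minimum (4 weeks 2 days)
        )
        NS ns1
        NS ns2
        MX 5 mail
ns1     IN A 192.0.2.1
ns2     IN A 192.0.2.2
mail    IN A 192.0.2.25
dnsrbl  IN NS rblserver.example.com.
"""
# Constructed fix: add the address record for the delegated zone's server.
FIXED_ZONE = BROKEN_ZONE + "rblserver IN A 192.0.2.53\n"

if __name__ == "__main__":
    for label, zone_text in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, missing_ns_addresses(zone_text, "example.com."))
```

NS targets outside the zone are not checked, since their addresses live in someone else's zone.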
From stork at openenterprise.ca Tue Jul 31 17:35:38 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 17:35:42 2007 Subject: CRM114 - Problems with install In-Reply-To: <8F2A53954C22554EB75D9643FCCE0C6B0472D3DA@MED-CORE03-MS1.med.wayne.edu> References: <3573023.8151185896969303.JavaMail.root@office.splatnix.net> <46AF5B98.8070702@openenterprise.ca> <8F2A53954C22554EB75D9643FCCE0C6B0472D3DA@MED-CORE03-MS1.med.wayne.edu> Message-ID: <46AF64DA.4080105@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/9b0239d0/stork.vcf From stork at openenterprise.ca Tue Jul 31 17:43:25 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 17:43:28 2007 Subject: CRM114 - Problems with install - Lint Errors In-Reply-To: <2105581.8241185899708573.JavaMail.root@office.splatnix.net> References: <2105581.8241185899708573.JavaMail.root@office.splatnix.net> Message-ID: <46AF66AD.5050906@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/3fce7904/stork.vcf From stork at openenterprise.ca Tue Jul 31 17:45:43 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 17:45:43 2007 Subject: CRM114 - Problems with install - Lint Errors In-Reply-To: <2105581.8241185899708573.JavaMail.root@office.splatnix.net> References: <2105581.8241185899708573.JavaMail.root@office.splatnix.net> Message-ID: <46AF6737.8050509@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... 
Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/b568f0dd/stork-0001.vcf From hmkash at arl.army.mil Tue Jul 31 17:55:44 2007 From: hmkash at arl.army.mil (Kash, Howard (Civ, ARL/CISD)) Date: Tue Jul 31 17:53:56 2007 Subject: CRM114 - Problems with install (UNCLASSIFIED) In-Reply-To: <8F2A53954C22554EB75D9643FCCE0C6B0472D3DA@MED-CORE03-MS1.med.wayne.edu> References: <3573023.8151185896969303.JavaMail.root@office.splatnix.net><46AF5B98.8070702@openenterprise.ca> <8F2A53954C22554EB75D9643FCCE0C6B0472D3DA@MED-CORE03-MS1.med.wayne.edu> Message-ID: <88991ECEE371C644986F0C8837C207B70173B30C@ARLABML01.DS.ARL.ARMY.MIL> Classification: UNCLASSIFIED Caveats: NONE Here's the fix for the BlameTheInterns release if you get the "Too many close parenthesis" error: http://sourceforge.net/mailarchive/message.php?msg_id=20070722185714.643 0%40gmx.net Howard -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rose, Bobby Sent: Tuesday, July 31, 2007 12:20 PM To: MailScanner discussion Subject: RE: CRM114 - Problems with install I followed UxBoD's instructions and it worked fine however I found that using the BlametheInterns distro which has the lastest date would result in mailreaver errors so I tried the BlameBaltar dated in March and it worked fine. BlameBaltar is the link listed on the website but is a broken link but if you go to http://crm114.sourceforge.net/tarballs/ you can download it from the exposed dir. 
________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Johnny Stork Sent: Tuesday, July 31, 2007 11:56 AM To: MailScanner discussion Subject: Re: CRM114 - Problems with install I went through and removed crm114.pm from /etc/mail/spamassassin and all the locations suggested first by Julian in /usr/lib/perl5..... so it is now only in /etc/mail/spamassassin/crm114/ But I still get those lint parse errors and the maillib.crm errors in the last post UxBoD wrote: Sounds like you have put the crm114.pm in both /etc/mail/spamassassin and /etc/mail/spamassassin/crm114. Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- From: "Johnny Stork" To: "MailScanner discussion" Sent: Tuesday, July 31, 2007 4:28:45 PM (GMT) Europe/London Subject: Re: CRM114 - Problems with install -- Johnny Stork Business & Technology Consultant stork@openenterprise.ca Classification: UNCLASSIFIED Caveats: NONE From ssilva at sgvwater.com Tue Jul 31 17:57:54 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Jul 31 17:58:10 2007 Subject: CRM114 In-Reply-To: <46AE8187.3090803@fractalweb.com> References: <441247027D4F274EB760A5F6E1ED9C7E020E59@houpex02.nfsmith.info> <22273059.6721185821097215.JavaMail.root@office.splatnix.net><441247027D4F274EB760A5F6E1ED9C7E020E5A@houpex02.nfsmith.info> <46AE7529.9030502@fractalweb.com> <6115482898C59848B35DB9D491C9A28E04BAA1@srv1.home.middlefinger.net> <46AE8187.3090803@fractalweb.com> Message-ID: Chris Yuzik spake the following on 7/30/2007 5:25 PM: > Mike Kercher wrote: >> Go back a few steps in this thread. The solution is there. >> >> One thing was to follow UxBod's instructions instead of Julian's. 
If >> you follow Julian's AND UxBod's, you will see errors like this. > > Mike, > > I suppose I followed both UxBod's and Julian's instructions. I'll go > back and only follow UxBod's. > > Do I have to go all the way back and start drinking Champagne? ;-) > > Chris Oh, you stopped drinking? You have to start over. ;-P -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From stork at openenterprise.ca Tue Jul 31 18:02:28 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 18:02:33 2007 Subject: CRM114 - Problems with install - Almost There In-Reply-To: <46AF6737.8050509@openenterprise.ca> References: <2105581.8241185899708573.JavaMail.root@office.splatnix.net> <46AF6737.8050509@openenterprise.ca> Message-ID: <46AF6B24.8040103@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/0a558022/stork.vcf From steinkel at pa.net Tue Jul 31 18:03:36 2007 From: steinkel at pa.net (Leland J. Steinke) Date: Tue Jul 31 18:03:43 2007 Subject: zip only spam In-Reply-To: References: Message-ID: <46AF6B68.1040706@pa.net> Rob Freeman wrote: > I see instead of using pdf spam, they have switched to zip spam. I have > a rule to block the pdf only spam, but when I changed it to zip, it is > not working: > > # ZIP only spam > full ZIP_ONLY_SPAM > /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/zip\;.{1,40}name\=.{1,40}\.zip.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.zip/is s/zip/octet-stream/ Also, these are RAR files. I updated my filetype.rules.conf to block 'em, after jacking up the spam score to get the sending IPs blocked as well. 
Good luck, Leland From mkettler at evi-inc.com Tue Jul 31 18:17:19 2007 From: mkettler at evi-inc.com (Matt Kettler) Date: Tue Jul 31 18:19:28 2007 Subject: zip only spam In-Reply-To: <46AF6B68.1040706@pa.net> References: <46AF6B68.1040706@pa.net> Message-ID: <46AF6E9F.2080502@evi-inc.com> Leland J. Steinke wrote: > Rob Freeman wrote: >> I see instead of using pdf spam, they have switched to zip spam. I >> have a rule to block the pdf only spam, but when I changed it to zip, >> it is not working: >> >> # ZIP only spam >> full ZIP_ONLY_SPAM >> /encoding\:\s+7bit(\n?)+[\-0-9]+.{1,40}type\:\s+application\/zip\;.{1,40}name\=.{1,40}\.zip.{1,50}disposition\:\s+inline\;.{1,40}filename\=.{1,40}\.zip/is > > > s/zip/octet-stream/ > > Also, these are RAR files. I updated my filetype.rules.conf to block > 'em, after jacking up the spam score to get the sending IPs blocked as > well. I'm blocking them in filename.rules.conf, the zipfile names are the same generic ones used by the old Beagle/Bagel worms.. The rules I had in place forever ago appear to be covering it just fine. 
deny ^msg\.zip$ Beagle.H worm Beagle.H worm
deny ^moreinfo\.zip$ Beagle.H worm Beagle.H worm
deny ^attachedfile\.zip$ Beagle.H worm Beagle.H worm
deny ^TextDocument\.zip$ Beagle.H worm Beagle.H worm
deny ^Readme\.zip$ Beagle.H worm Beagle.H worm
deny ^Msginfo\.zip$ Beagle.H worm Beagle.H worm
deny ^Document\.zip$ Beagle.H worm Beagle.H worm
deny ^Info\.zip$ Beagle.H worm Beagle.H worm
deny ^Attacheddocument\.zip$ Beagle.H worm Beagle.H worm
deny ^Text\.zip$ Beagle.H worm Beagle.H worm
deny ^TextFile\.zip$ Beagle.H worm Beagle.H worm
deny ^Letter\.zip$ Beagle.H worm Beagle.H worm
deny ^MoreInfo\.zip$ Beagle.H worm Beagle.H worm
deny ^Message\.zip$ Beagle.H worm Beagle.H worm
deny ^Attach\.zip$ Beagle.K worm Beagle.K worm
deny ^Information\.zip$ Beagle.K worm Beagle.K worm

Also, spamassassin is tearing them up, mostly on RBLs:

X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=10.811, required 5,
        BAYES_99 3.50, INFO_GREYLIST_DELAYED 0.40,
        RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_SORBS_WEB 1.46, RCVD_IN_XBL 3.90)

X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=12.311, required 5,
        BAYES_99 3.50, DCC_CHECK 1.50, INFO_GREYLIST_DELAYED 0.40,
        RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_SORBS_WEB 1.46, RCVD_IN_XBL 3.90)

(note: INFO_GREYLIST_DELAYED is a local rule, and points out the message was delayed by my milter-greylist config)

From jwoltz at gmail.com Tue Jul 31 18:22:54 2007
From: jwoltz at gmail.com (JC Woltz)
Date: Tue Jul 31 18:22:58 2007
Subject: OT: DNS Question
In-Reply-To: <7490667.8121185895588633.JavaMail.root@office.splatnix.net>
References: <7490667.8121185895588633.JavaMail.root@office.splatnix.net>
Message-ID:

On 7/31/07, UxBoD wrote:
>
> Hi,
>
> I am attempting to setup our own RBL (that bit has gone fine) but on the
> DNS servers I need to define a subdomain. I have in our db.example.com the following :-
>
> $TTL 172800 ; 2 days
> $ORIGIN example.com.
> @ IN SOA ns1.example.com. root.ns1.example.com. (
> 2007073108 ; serial
> 900 ; refresh (15 minutes)
> 300 ; retry (5 minutes)
> 604800 ; expire (1 week)
> 2592000 ; minimum (4 weeks 2 days)
> )
> NS ns1
> NS ns2
>
> MX 5 mail
>
> ... ...
>
>
> $ORIGIN dnsrbl.example.com.
> IN NS rblserver.example.com.
>
> If I do a dig against example.com I get back ns1 and ns2. But if I do a
> dig against dnsrbl.example.com I get nothing.
>
> What is wrong with my syntax ?

UxBoD,

You might need some glue in dnsrbl.example.com for rblserver.example.com, or move everything into your example.com domain. What if you try something like:

$TTL 172800 ; 2 days
$ORIGIN example.com.
@ IN SOA ns1.example.com. root.ns1.example.com. (
        2007073108 ; serial
        900 ; refresh (15 minutes)
        300 ; retry (5 minutes)
        604800 ; expire (1 week)
        2592000 ; minimum (4 weeks 2 days)
        )
        NS ns1
        NS ns2

        MX 5 mail

rblserver IN A 10.10.1.1
dnsrbl IN NS rblserver.example.com.

JC

Regards,
>
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/97064830/attachment.html

From ssilva at sgvwater.com Tue Jul 31 19:01:53 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Jul 31 19:02:15 2007
Subject: CRM114 Installation on Centos 4
In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020E7F@houpex02.nfsmith.info>
References: <441247027D4F274EB760A5F6E1ED9C7E020E79@houpex02.nfsmith.info>
    <46AF554E.6020308@fractalweb.com>
    <441247027D4F274EB760A5F6E1ED9C7E020E7F@houpex02.nfsmith.info>
Message-ID:

Mike Kercher spake the following on 7/31/2007 9:08 AM:
> I have added this to the wiki:
>
> http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:plugins:crm114
>
> The formatting is all FUBAR if someone wants to go clean it up.  I'm a
> wiki n00b.
>
> Mike

Did a little cleanup. See if you are happy with it.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mkercher at nfsmith.com Tue Jul 31 19:10:47 2007
From: mkercher at nfsmith.com (Mike Kercher)
Date: Tue Jul 31 19:10:51 2007
Subject: CRM114 Installation on Centos 4
In-Reply-To:
References: <441247027D4F274EB760A5F6E1ED9C7E020E79@houpex02.nfsmith.info>
    <46AF554E.6020308@fractalweb.com>
    <441247027D4F274EB760A5F6E1ED9C7E020E7F@houpex02.nfsmith.info>
Message-ID: <441247027D4F274EB760A5F6E1ED9C7E020E89@houpex02.nfsmith.info>

Looks MUCH better!

Thanks!

Mike

From uxbod at splatnix.net Tue Jul 31 20:04:09 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 31 19:59:46 2007
Subject: CRM114 - Problems with install - Almost There
In-Reply-To: <46AF6B24.8040103@openenterprise.ca>
Message-ID: <16720961.8331185908649200.JavaMail.root@office.splatnix.net>

What version of SA are you running ? Would you run a spamassassin -D --lint and post the result pls.

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
From stork at openenterprise.ca Tue Jul 31 20:17:19 2007
From: stork at openenterprise.ca (Johnny Stork)
Date: Tue Jul 31 20:17:37 2007
Subject: {Disarmed} Re: CRM114 - Problems with install - Almost There
In-Reply-To: <16720961.8331185908649200.JavaMail.root@office.splatnix.net>
References: <16720961.8331185908649200.JavaMail.root@office.splatnix.net>
Message-ID: <46AF8ABF.7030006@openenterprise.ca>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stork.vcf
Type: text/x-vcard
Size: 330 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/510b532a/stork-0001.vcf

From mkercher at nfsmith.com Tue Jul 31 20:31:00 2007
From: mkercher at nfsmith.com (Mike Kercher)
Date: Tue Jul 31 20:31:04 2007
Subject: CRM114 Installation on Centos 4
In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020E89@houpex02.nfsmith.info>
References: <441247027D4F274EB760A5F6E1ED9C7E020E79@houpex02.nfsmith.info>
    <46AF554E.6020308@fractalweb.com>
    <441247027D4F274EB760A5F6E1ED9C7E020E7F@houpex02.nfsmith.info>
    <441247027D4F274EB760A5F6E1ED9C7E020E89@houpex02.nfsmith.info>
Message-ID: <441247027D4F274EB760A5F6E1ED9C7E020E8A@houpex02.nfsmith.info>

I just installed CRM114 on another box following these instructions and had it running in under 5 minutes.

Mike

From theodrake at comcast.net Tue Jul 31 20:35:54 2007
From: theodrake at comcast.net (Ed Bruce)
Date: Tue Jul 31 20:36:00 2007
Subject: {Disarmed} Re: CRM114 - Problems with install - Almost There
In-Reply-To: <46AF8ABF.7030006@openenterprise.ca>
References: <16720961.8331185908649200.JavaMail.root@office.splatnix.net>
    <46AF8ABF.7030006@openenterprise.ca>
Message-ID: <46AF8F1A.2040508@comcast.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

420] dbg: config: read file /etc/mail/spamassassin/mailfilter.cf
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I believe you don't want this file in this directory.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGr48XpdNaP9x3McgRArW2AJ4vADkapB0MBF0k97ZlpiwMGswUOACguJDm
erXqpmQcUjBCV/TkrZJnTwQ=
=Kx2h
-----END PGP SIGNATURE-----

From info at acousticsounds.com Tue Jul 31 20:40:08 2007
From: info at acousticsounds.com (Ron)
Date: Tue Jul 31 20:39:58 2007
Subject: image content scanning
In-Reply-To: <223f97700707310401s646f4eddg27b5187e65429a3e@mail.gmail.com>
References: <7EF1F27F7292534D82933F70AB6996CC25CE23@pro-ak-exch01.hosted.pronet.net.nz>
    <223f97700707310401s646f4eddg27b5187e65429a3e@mail.gmail.com>
Message-ID: <46AF9018.2090507@acousticsounds.com>

An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/5d289b8f/attachment.html

From ssilva at sgvwater.com Tue Jul 31 20:44:02 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Jul 31 20:44:20 2007
Subject: CRM114 Installation on Centos 4
In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020E89@houpex02.nfsmith.info>
References: <441247027D4F274EB760A5F6E1ED9C7E020E79@houpex02.nfsmith.info>
    <46AF554E.6020308@fractalweb.com>
    <441247027D4F274EB760A5F6E1ED9C7E020E7F@houpex02.nfsmith.info>
    <441247027D4F274EB760A5F6E1ED9C7E020E89@houpex02.nfsmith.info>
Message-ID:

Mike Kercher spake the following on 7/31/2007 11:10 AM:
> Looks MUCH better!
>
> Thanks!
>
> Mike

I don't get the last "vi /tmp/crm.test" at the end of the doc. What purpose does it serve?

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From uxbod at splatnix.net Tue Jul 31 20:52:43 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 31 20:48:11 2007
Subject: {Disarmed} Re: CRM114 - Problems with install - Almost There
In-Reply-To: <46AF8F1A.2040508@comcast.net>
Message-ID: <27938274.8361185911563784.JavaMail.root@office.splatnix.net>

Darn, ya beat me to it :) SA is attempting to parse CRMs config file. Great spot Ed.
Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From uxbod at splatnix.net Tue Jul 31 21:03:15 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 31 20:58:42 2007
Subject: CRM114 Installation on Centos 4
In-Reply-To:
Message-ID: <19245889.8391185912195350.JavaMail.root@office.splatnix.net>

To check the SA debug for warns etc.
Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

From mkercher at nfsmith.com Tue Jul 31 20:59:07 2007
From: mkercher at nfsmith.com (Mike Kercher)
Date: Tue Jul 31 20:59:11 2007
Subject: CRM114 Installation on Centos 4
In-Reply-To:
References: <441247027D4F274EB760A5F6E1ED9C7E020E79@houpex02.nfsmith.info>
    <46AF554E.6020308@fractalweb.com>
    <441247027D4F274EB760A5F6E1ED9C7E020E7F@houpex02.nfsmith.info>
    <441247027D4F274EB760A5F6E1ED9C7E020E89@houpex02.nfsmith.info>
Message-ID: <441247027D4F274EB760A5F6E1ED9C7E020E8C@houpex02.nfsmith.info>

Just to look at the output of the spamassassin -D --lint to look for any errors.
Mike

From uxbod at splatnix.net Tue Jul 31 21:06:00 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 31 21:01:44 2007
Subject: CRM114 Installation on Centos 4
In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020E8A@houpex02.nfsmith.info>
Message-ID: <25934599.8421185912360760.JavaMail.root@office.splatnix.net>

Mike, did you have to set the permissions on the reaper_cache, or is your umask set in such a way that the user MS runs under is able to write to that directory ?

Regards,

--[ UxBoD ]--
// PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
// Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
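
Added example, not part of any list message and not MailScanner, SpamAssassin or CRM114 code: a Python check for the diagnosis made in this thread, that SpamAssassin reads CRM114's mailfilter.cf from its site rules directory and then fails to parse it. It reads `spamassassin -D --lint` debug output, flags the misplaced file, and redacts the :spw: value before the output is posted to a list. The sample log is constructed on the pattern of the lines quoted in the thread; FOREIGN_CF, SECRET_KEYS and the function names are assumptions of this example.

```python
import re

# Constructed sample, modelled on the `spamassassin -D --lint` lines quoted in
# this thread. The secret is a placeholder, not a value from the thread.
SAMPLE = """\
[420] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
[420] dbg: config: read file /etc/mail/spamassassin/init.pre
[420] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[420] dbg: config: read file /etc/mail/spamassassin/crm114.cf
[420] dbg: config: read file /etc/mail/spamassassin/local.cf
[420] dbg: config: read file /etc/mail/spamassassin/mailfilter.cf
[420] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
[420] dbg: config: using "/root/.spamassassin/user_prefs" for user prefs file
[420] dbg: config: read file /root/.spamassassin/user_prefs
[420] dbg: plugin: loading crm114 from /etc/mail/spamassassin/crm114.pm
[420] warn: config: failed to parse line, skipping: :spw: /EXAMPLE-SECRET/
[420] warn: config: failed to parse line, skipping: :do_base64: /yes/
[420] warn: config: failed to parse line, skipping: :mime_decoder: /base64 -d/
"""

# Assumptions of this example: file names that belong to CRM114 rather than
# SpamAssassin, and CRM114 variables whose values must not be published.
FOREIGN_CF = {"mailfilter.cf"}
SECRET_KEYS = {"spw"}

ENTRY = re.compile(r"^\[(\d+)\] (dbg|info|warn|error): (.*)$")
SITE_DIR = re.compile(r'^config: using "([^"]+)" for site rules dir$')
READ_FILE = re.compile(r"^config: read file (\S+)$")
SKIPPED = re.compile(r"^config: failed to parse line, skipping: (.*)$")
CRM_VAR = re.compile(r"^:(\w+):\s*/(.*)/$")  # CRM114 style ":name: /value/"


def parse_lint(text):
    """Collect the site-rules files read and the config lines that were skipped."""
    report = {"site_dir": None, "site_files": [], "skipped": []}
    for raw in text.splitlines():
        entry = ENTRY.match(raw.rstrip())
        if not entry:
            continue  # wrapped or non-log line
        level, msg = entry.group(2), entry.group(3)
        site = SITE_DIR.match(msg)
        read = READ_FILE.match(msg)
        skipped = SKIPPED.match(msg)
        if site:
            report["site_dir"] = site.group(1).rstrip("/")
        elif read and report["site_dir"]:
            # Only files under the site rules dir count; user_prefs does not.
            if read.group(1).startswith(report["site_dir"] + "/"):
                report["site_files"].append(read.group(1))
        elif skipped and level == "warn":
            report["skipped"].append(skipped.group(1))
    return report


def diagnose(report, foreign_names=FOREIGN_CF):
    """Tie CRM114-style skipped lines to a non-SpamAssassin .cf in the site dir."""
    crm_lines = [line for line in report["skipped"] if CRM_VAR.match(line)]
    suspects = [p for p in report["site_files"]
                if p.rsplit("/", 1)[-1] in foreign_names]
    return {"crm114_style_lines": len(crm_lines),
            "suspect_files": suspects if crm_lines else []}


def redact(text, secret_keys=SECRET_KEYS):
    """Return the log with values of secret CRM114 variables replaced."""
    out = []
    for raw in text.splitlines():
        line = raw.rstrip()
        entry = ENTRY.match(line)
        skipped = SKIPPED.match(entry.group(3)) if entry else None
        var = CRM_VAR.match(skipped.group(1)) if skipped else None
        if var and var.group(1) in secret_keys:
            prefix = line[: len(line) - len(skipped.group(1))]
            line = f"{prefix}:{var.group(1)}: /[REDACTED]/"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(diagnose(parse_lint(SAMPLE)))
    print(redact(SAMPLE))
```
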
From mkercher at nfsmith.com Tue Jul 31 21:07:34 2007
From: mkercher at nfsmith.com (Mike Kercher)
Date: Tue Jul 31 21:07:37 2007
Subject: CRM114 Installation on Centos 4
In-Reply-To: <25934599.8421185912360760.JavaMail.root@office.splatnix.net>
References: <441247027D4F274EB760A5F6E1ED9C7E020E8A@houpex02.nfsmith.info>
    <25934599.8421185912360760.JavaMail.root@office.splatnix.net>
Message-ID: <441247027D4F274EB760A5F6E1ED9C7E020E8E@houpex02.nfsmith.info>

I didn't have to change any permissions. I'm running sendmail which runs as the root user.

Mike
From prandal at herefordshire.gov.uk Tue Jul 31 21:22:01 2007
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Tue Jul 31 21:22:07 2007
Subject: CRM114 Installation on Centos 4
In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020E8E@houpex02.nfsmith.info>
References: <441247027D4F274EB760A5F6E1ED9C7E020E8A@houpex02.nfsmith.info>
    <25934599.8421185912360760.JavaMail.root@office.splatnix.net>
    <441247027D4F274EB760A5F6E1ED9C7E020E8E@houpex02.nfsmith.info>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA03CEF5@HC-MBX02.herefordshire.gov.uk>

On CentOS 5 x64 I had to

chmod +x *.crm

To get it to work.

I've added that step into the Wiki.

Cheers,

Phil
From brose at med.wayne.edu Tue Jul 31 21:27:58 2007
From: brose at med.wayne.edu (Rose, Bobby)
Date: Tue Jul 31 21:28:10 2007
Subject: {Disarmed} Re: CRM114 - Problems with install - Almost There
In-Reply-To: <46AF8ABF.7030006@openenterprise.ca>
References: <16720961.8331185908649200.JavaMail.root@office.splatnix.net>
    <46AF8ABF.7030006@openenterprise.ca>
Message-ID: <8F2A53954C22554EB75D9643FCCE0C6B0472D3E1@MED-CORE03-MS1.med.wayne.edu>

FYI your CRM spw was exposed in the debug so you'll want to change that now.

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Johnny Stork
Sent: Tuesday, July 31, 2007 3:17 PM
To: MailScanner discussion
Subject: {Disarmed} Re: CRM114 - Problems with install - Almost There

Thanks again...here's the output.

root@gateway:~# spamassassin -D --lint
[420] dbg: logger: adding facilities: all
[420] dbg: logger: logging level is DBG
[420] dbg: generic: SpamAssassin version 3.1.7
[420] dbg: config: score set 0 chosen.
[420] dbg: util: running in taint mode? yes
[420] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH
[420] dbg: util: PATH included '/usr/kerberos/sbin', keeping
[420] dbg: util: PATH included '/usr/kerberos/bin', keeping
[420] dbg: util: PATH included '/usr/local/sbin', keeping
[420] dbg: util: PATH included '/usr/local/bin', keeping
[420] dbg: util: PATH included '/sbin', keeping
[420] dbg: util: PATH included '/bin', keeping
[420] dbg: util: PATH included '/usr/sbin', keeping
[420] dbg: util: PATH included '/usr/bin', keeping
[420] dbg: util: PATH included '/usr/X11R6/bin', keeping
[420] dbg: util: PATH included '/root/bin', which doesn't exist, dropping
[420] dbg: util: final PATH set to: /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbi n:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
[420] dbg: message: ---- MIME PARSER START ----
[420] dbg: message: main message type: text/plain
[420] dbg: message: parsing normal part
[420] dbg: message: added part, type: text/plain
[420] dbg: message: ---- MIME PARSER END ----
[420] dbg: dns: is Net::DNS::Resolver available? yes
[420] dbg: dns: Net::DNS version: 0.59
[420] dbg: diag: perl platform: 5.008008 linux
[420] dbg: diag: module installed: Digest::SHA1, version 2.10
[420] dbg: diag: module installed: Time::HiRes, version 1.86
[420] dbg: diag: module installed: DBI, version 1.50
[420] dbg: diag: module installed: Getopt::Long, version 2.35
[420] dbg: diag: module installed: LWP::UserAgent, version 2.033
[420] dbg: diag: module installed: HTTP::Date, version 1.47
[420] dbg: diag: module installed: Archive::Tar, version 1.29
[420] dbg: diag: module installed: IO::Zlib, version 1.04
[420] dbg: diag: module installed: HTML::Parser, version 3.54
[420] dbg: diag: module installed: MIME::Base64, version 3.07
[420] dbg: diag: module installed: DB_File, version 1.814
[420] dbg: diag: module installed: Net::DNS, version 0.59
[420] dbg: diag: module installed: Net::SMTP, version 2.29
[420] dbg: diag: module installed: Mail::SPF::Query, version 1.999001
[420] dbg: diag: module installed: IP::Country::Fast, version 604.001
[420] dbg: diag: module installed: Razor2::Client::Agent, version 2.77
[420] dbg: diag: module installed: Net::Ident, version 1.20
[420] dbg: diag: module installed: IO::Socket::INET6, version 2.51
[420] dbg: diag: module installed: IO::Socket::SSL, version 0.97
[420] dbg: ignore: using a test message to lint rules
[420] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
[420] dbg: config: read file /etc/mail/spamassassin/init.pre
[420] dbg: config: read file /etc/mail/spamassassin/v310.pre
[420] dbg: config: read file /etc/mail/spamassassin/v312.pre
[420] dbg: config: using "/usr/share/spamassassin" for sys rules pre files
[420] dbg: config: using "/usr/share/spamassassin" for default rules dir
[420] dbg: config: read file /usr/share/spamassassin/10_misc.cf
[420] dbg: config: read file /usr/share/spamassassin/20_advance_fee.cf
[420] dbg: config: read file /usr/share/spamassassin/20_anti_ratware.cf
[420] dbg: config: read file /usr/share/spamassassin/20_body_tests.cf
[420] dbg: config: read file /usr/share/spamassassin/20_compensate.cf
[420] dbg: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
[420] dbg: config: read file /usr/share/spamassassin/20_drugs.cf
[420] dbg: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
[420] dbg: config: read file /usr/share/spamassassin/20_head_tests.cf
[420] dbg: config: read file /usr/share/spamassassin/20_html_tests.cf
[420] dbg: config: read file /usr/share/spamassassin/20_meta_tests.cf
[420] dbg: config: read file /usr/share/spamassassin/20_net_tests.cf
[420] dbg: config: read file /usr/share/spamassassin/20_phrases.cf
[420] dbg: config: read file /usr/share/spamassassin/20_porn.cf
[420] dbg: config: read file /usr/share/spamassassin/20_ratware.cf
[420] dbg: config: read file /usr/share/spamassassin/20_uri_tests.cf
[420] dbg: config: read file /usr/share/spamassassin/23_bayes.cf
[420] dbg: config: read file /usr/share/spamassassin/25_accessdb.cf
[420] dbg: config: read file /usr/share/spamassassin/25_antivirus.cf
[420] dbg: config: read file /usr/share/spamassassin/25_body_tests_es.cf
[420] dbg: config: read file /usr/share/spamassassin/25_body_tests_pl.cf
[420] dbg: config: read file /usr/share/spamassassin/25_dcc.cf
[420] dbg: config: read file /usr/share/spamassassin/25_dkim.cf
[420] dbg: config: read file /usr/share/spamassassin/25_domainkeys.cf
[420] dbg: config: read file /usr/share/spamassassin/25_hashcash.cf
[420] dbg: config: read file /usr/share/spamassassin/25_pyzor.cf
[420] dbg: config: read file /usr/share/spamassassin/25_razor2.cf
[420] dbg: config: read file /usr/share/spamassassin/25_replace.cf
[420] dbg: config: read file /usr/share/spamassassin/25_spf.cf
[420] dbg: config: read file /usr/share/spamassassin/25_textcat.cf
[420] dbg: config: read file /usr/share/spamassassin/25_uribl.cf
[420] dbg: config: read file /usr/share/spamassassin/30_text_de.cf
[420] dbg: config: read file /usr/share/spamassassin/30_text_fr.cf
[420] dbg: config: read file /usr/share/spamassassin/30_text_it.cf
[420] dbg: config: read file /usr/share/spamassassin/30_text_nl.cf
[420] dbg: config: read file /usr/share/spamassassin/30_text_pl.cf
[420] dbg: config: read file /usr/share/spamassassin/30_text_pt_br.cf
[420] dbg: config: read file /usr/share/spamassassin/50_scores.cf
[420] dbg: config: read file /usr/share/spamassassin/60_awl.cf
[420] dbg: config: read file /usr/share/spamassassin/60_whitelist.cf
[420] dbg: config: read file /usr/share/spamassassin/60_whitelist_dk.cf
[420] dbg: config: read file /usr/share/spamassassin/60_whitelist_dkim.cf
[420] dbg: config: read file /usr/share/spamassassin/60_whitelist_spf.cf
[420] dbg: config: read file /usr/share/spamassassin/60_whitelist_subject.cf
[420] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_adult.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_bayes_poison_nxm.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_evilnum2.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_genlsubj0.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_genlsubj1.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_genlsubj2.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_genlsubj3.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_obfu.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_oem.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_random.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_specific.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_spoof.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_stocks.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_unsub.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_uri0.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_uri1.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_uri3.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_whitelist_rcvd.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sare_whitelist_spf.cf
[420] dbg: config: read file /etc/mail/spamassassin/70_sc_top200.cf
[420] dbg: config: read file /etc/mail/spamassassin/72_sare_bml_post25x.cf
[420] dbg: config: read file /etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf
[420] dbg: config: read file /etc/mail/spamassassin/99_sare_fraud_post25x.cf
[420] dbg: config: read file /etc/mail/spamassassin/bogus-virus-warnings.cf
[420] dbg: config: read file /etc/mail/spamassassin/crm114.cf
[420] dbg: config: read file /etc/mail/spamassassin/local.cf
[420] dbg: config: read file /etc/mail/spamassassin/mailfilter.cf
[420] dbg: config: read file /etc/mail/spamassassin/mailscanner.cf
[420] dbg: config: using "/root/.spamassassin/user_prefs" for user prefs file
[420] dbg: config: read file /root/.spamassassin/user_prefs
[420] dbg: plugin: loading Mail::SpamAssassin::Plugin::DomainKeys from @INC
[420] dbg: plugin: registered Mail::SpamAssassin::Plugin::DomainKeys=HASH(0xa5c5e6c)
[420] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
[420] dbg: dcc: local tests only, disabling DCC
[420] dbg: plugin: registered Mail::SpamAssassin::Plugin::DCC=HASH(0xa603830)
[420] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
[420] dbg: pyzor: local tests only, disabling Pyzor
[420] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0xa61e898)
[420] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
[420] dbg: reporter: local tests only, disabling SpamCop
[420] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0xa639a8c)
[420] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC
[420] dbg: plugin: registered Mail::SpamAssassin::Plugin::AWL=HASH(0xa658970)
[420] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC
[420] dbg: plugin: registered Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0xa5cc8f4)
[420] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC
[420] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0xa5cd368)
[420] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC
[420] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0xa5ce04c)
[420] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC
[420] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xa5cf0d8)
[420] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry from @INC
[420] dbg: plugin: registered Mail::SpamAssassin::Plugin::RelayCountry=HASH(0xa5cfa50)
[420] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
[420] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0xa5d2210)
[420] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
[420] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa6ec240)
[420] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[420] dbg: razor2: local tests only, skipping Razor
[420] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0xa6f2c90)
[420] dbg: config: adding redirector regex: /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i
[420] dbg: config: adding redirector regex: /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i
[420] dbg: config: adding redirector regex: /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i
[420] dbg: config: adding redirector regex: /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i
[420] dbg: config: adding redirector regex: /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i
[420] dbg: config: adding redirector regex: m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&#])'i
[420] dbg: config: adding redirector regex: m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i
[420] dbg: config: adding redirector regex: m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&#])'i
[420] dbg: config: adding redirector regex: m'^MailScanner has detected a possible fraud attempt from "http:" claiming to be http:/*(?:\w+\.)?google(?:\.\w{2,3 }){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&#])'i
[420] dbg: config: adding redirector regex: m'^MailScanner has detected a possible fraud attempt from "http:" claiming to be http:/*(?:\w+\.)?google(?:\.\w{2,3 }){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])site:(.*?)(?:$|%20| [\s+&#])'i
[420] dbg: config: adding redirector regex: m'^MailScanner has detected a possible fraud attempt from "http:" claiming to be http:/*(?:\w+\.)?google(?:\.\w{2,3 }){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$| %22|["\s+&#])'i
[420] dbg: config: adding redirector regex: m'^MailScanner has detected a possible fraud attempt from "http:" claiming to be http:/*(?:\w+\.)?google(?:\.\w{2,3 }){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&#])'i
[420] dbg: plugin: loading crm114 from /etc/mail/spamassassin/crm114.pm
[420] dbg: plugin: registered crm114=HASH(0xa665a24)
[420] warn: config: failed to parse line, skipping: :spw: /LinuxRocks/
[420] warn: config: failed to parse line, skipping: :verbose_startup: //
[420] warn: config: failed to parse line, skipping: :do_base64: /yes/
[420] warn: config: failed to parse line, skipping: :mime_decoder: /base64 -d/
[420] warn: config: failed to parse line, skipping: :cache_dupe_command: /\/bin\/ln/
[420] warn: config: failed to parse line, skipping: :general_fails_to: //
[420] warn: config: failed to parse line, skipping: :rejected_mail_exit_code: /0/
[420] warn: config: failed to parse line, skipping: :accepted_mail_exit_code: /0/
[420] warn: config: failed to parse line, skipping: :unsure_mail_exit_code: /0/
[420] warn: config: failed to parse line, skipping: :program_fault_exit_code: /1/
[420] warn: config: failed to parse
line, skipping: :add_headers: /yes/ [420] warn: config: failed to parse line, skipping: :add_verbose_stats: /yes/ [420] warn: config: failed to parse line, skipping: :add_mailtrainer_report: /yes/ [420] warn: config: failed to parse line, skipping: :add_extra_stuff: /no/ [420] warn: config: failed to parse line, skipping: :spam_flag_subject_string: /ADV:/ [420] warn: config: failed to parse line, skipping: :good_flag_subject_string: // [420] warn: config: failed to parse line, skipping: :unsure_flag_subject_string: /UNS:/ [420] warn: config: failed to parse line, skipping: :confirm_flag_subject_string: /TCF:/ [420] warn: config: failed to parse line, skipping: :rewrites_enabled: /yes/ [420] warn: config: failed to parse line, skipping: :log_to_allmail.txt: /yes/ [420] warn: config: failed to parse line, skipping: :log_all_mail_to_file: // [420] warn: config: failed to parse line, skipping: :text_cache: /reaver_cache/ [420] warn: config: failed to parse line, skipping: :trainer_invoke_command: /.\/mailtrainer.crm/ [420] warn: config: failed to parse line, skipping: :trainer_randomizer_command: /.\/shuffle.crm/ [420] warn: config: failed to parse line, skipping: :trainer_randomizer_command: /.\/crm114_tre shuffle.crm/ [420] warn: config: failed to parse line, skipping: :log_rejections: /yes/ [420] warn: config: failed to parse line, skipping: :log_rejections_to_file: // [420] warn: config: failed to parse line, skipping: :inoculations_enabled: /no/ [420] warn: config: failed to parse line, skipping: :decision_length: /16000/ [420] warn: config: failed to parse line, skipping: :expand_urls: /no/ [420] warn: config: failed to parse line, skipping: :url_fetch_cmd: /wget -T 30 -O - / [420] warn: config: failed to parse line, skipping: :url_trim_cmd: / head -c 16000 / [420] warn: config: failed to parse line, skipping: :clf: /osb unique microgroom/ [420] warn: config: failed to parse line, skipping: :thick_threshold: /10.0/ [420] warn: config: failed to parse line, 
skipping: :lcr: /[[:graph:]]+/ [420] warn: config: failed to parse line, skipping: :undo_interruptus: /no/ [420] warn: config: failed to parse line, skipping: :automatic_training: /no/ [420] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0xa5cf0d8) implements 'finish_parsing_end' [420] dbg: replacetags: replacing tags [420] dbg: replacetags: done replacing tags [420] dbg: bayes: tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_toks [420] dbg: bayes: tie-ing to DB file R/O /etc/MailScanner/bayes/bayes_seen [420] dbg: bayes: found bayes db version 3 [420] dbg: bayes: DB journal sync: last sync: 1185906307 [420] dbg: config: score set 2 chosen. [420] dbg: message: ---- MIME PARSER START ---- [420] dbg: message: main message type: text/plain [420] dbg: message: parsing normal part [420] dbg: message: added part, type: text/plain [420] dbg: message: ---- MIME PARSER END ---- [420] dbg: dns: is DNS available? 0 [420] dbg: metadata: X-Spam-Relays-Trusted: [420] dbg: metadata: X-Spam-Relays-Untrusted: [420] dbg: metadata: X-Spam-Relays-Internal: [420] dbg: metadata: X-Spam-Relays-External: [420] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0xa5cfa50) implements 'extract_metadata' [420] dbg: metadata: X-Relay-Countries: [420] dbg: message: no encoding detected [420] dbg: plugin: Mail::SpamAssassin::Plugin::RelayCountry=HASH(0xa5cfa50) implements 'parsed_metadata' [420] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa6ec240) implements 'parsed_metadata' [420] dbg: rules: local tests only, ignoring RBL eval [420] dbg: check: running tests for priority: 0 [420] dbg: rules: running header regexp tests; score so far=0 [420] dbg: rules: ran header rule __HAS_MSGID ======> got hit: "<" [420] dbg: rules: ran header rule __SARE_WHITELIST_FLAG ======> got hit: "i" [420] dbg: rules: ran header rule __SANE_MSGID ======> got hit: "<1185909357@lint_rules> [420] dbg: rules: " [420] dbg: rules: ran header rule __MSGID_OK_HOST ======> got hit: 
"@lint_rules>" [420] dbg: rules: ran header rule __MSGID_OK_DIGITS ======> got hit: "1185909357" [420] dbg: eval: all '*From' addrs: ignore@compiling.spamassassin.taint.org [420] dbg: eval: all '*To' addrs: [420] dbg: rules: ran eval rule NO_RELAYS ======> got hit [420] dbg: rules: ran eval rule __UNUSABLE_MSGID ======> got hit [420] dbg: rules: running body-text per-line regexp tests; score so far=-0.001 [420] dbg: rules: ran body rule __NONEMPTY_BODY ======> got hit: "I" [420] dbg: uri: running uri tests; score so far=-0.001 [420] dbg: bayes: DB journal sync: last sync: 1185906307 [420] dbg: bayes: corpus size: nspam = 29339, nham = 72699 [420] dbg: bayes: score = 0.510471515312524 [420] dbg: bayes: DB journal sync: last sync: 1185906307 [420] dbg: bayes: untie-ing [420] dbg: bayes: untie-ing db_toks [420] dbg: bayes: untie-ing db_seen [420] dbg: rules: ran eval rule BAYES_50 ======> got hit [420] dbg: rules: running raw-body-text per-line regexp tests; score so far=0 [420] dbg: rules: running full-text regexp tests; score so far=0 [420] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa6ec240) implements 'check_tick' [420] dbg: check: running tests for priority: 500 [420] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa6ec240) implements 'check_post_dnsbl' [420] dbg: rules: running meta tests; score so far=0 [420] info: rules: meta test SARE_SUB_ACCEPT_CCARDS has undefined dependency '__SARE_SUB_FROM_PAYPAL' [420] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT' [420] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT' [420] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY' [420] info: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined dependency 'VIRUS_WARNING_MYDOOM4' [420] info: rules: meta test SARE_OBFU_CIALIS has undefined dependency 'SARE_OBFU_CIALIS2' [420] info: rules: meta test FP_MIXED_PORN3 has undefined dependency 'FP_PENETRATION' [420] 
dbg: rules: running header regexp tests; score so far=2.157 [420] dbg: rules: running body-text per-line regexp tests; score so far=2.157 [420] dbg: uri: running uri tests; score so far=2.157 [420] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.157 [420] dbg: rules: running full-text regexp tests; score so far=2.157 [420] dbg: check: running tests for priority: 899 [420] dbg: rules: running meta tests; score so far=2.157 [420] dbg: rules: running header regexp tests; score so far=2.157 [420] dbg: rules: running body-text per-line regexp tests; score so far=2.157 [420] dbg: uri: running uri tests; score so far=2.157 [420] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.157 [420] dbg: rules: running full-text regexp tests; score so far=2.157 [420] dbg: crm114: call_crm() called, action: check [420] dbg: info: entering helper-app run mode [420] dbg: crm114: crm114_command run [420] dbg: crm114: found version 20070301-BlameBaltar ( 0.6.8 ) MR-BD9991E2 [420] dbg: crm114: found CacheID sfid-20070731_121600_556583_C0E4263D [420] dbg: crm114: found status UNSURE and score 0.00 [420] dbg: crm114: found Notice Please train this message. [420] dbg: info: leaving helper-app run mode [420] dbg: crm114: call_crm returns (UNSURE, 0.00) [420] dbg: crm114: score is 0.0000, translated to SA score: -0.0000, linear factor was -0.0100 [420] dbg: check: running tests for priority: 1000 [420] dbg: rules: running meta tests; score so far=2.157 [420] dbg: rules: running header regexp tests; score so far=2.157 [420] dbg: rules: running body-text per-line regexp tests; score so far=2.157 [420] dbg: uri: running uri tests; score so far=2.157 [420] dbg: rules: running raw-body-text per-line regexp tests; score so far=2.157 [420] dbg: rules: running full-text regexp tests; score so far=2.157 [420] dbg: check: is spam? 
score=2.157 required=5 [420] dbg: check: tests=BAYES_50,CRM114_CHECK,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS,TO_CC_ NONE [420] dbg: check: subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__NONEMPTY_BODY,_ _SANE_MSGID,__SARE_WHITELIST_FLAG,__UNUSABLE_MSGID [420] warn: lint: 37 issues detected, please rerun with debug enabled for more information UxBoD wrote: What version of SA are you running ? Would you run a spamassassin -D --lint and post the result pls. Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- From: "Johnny Stork" To: "MailScanner discussion" Sent: Tuesday, July 31, 2007 6:02:28 PM (GMT) Europe/London Subject: Re: CRM114 - Problems with install - Almost There -- Johnny Stork Business & Technology Consultant stork@openenterprise.ca ______________________________________________ Open Enterprise Solutions "Empowering Business With Open Solutions" http://www.openenterprise.ca Dreamscape Media "Multimedia, Photography and VR Panorama's" http://www.dreamscapemedia.ca Open Source News "Global Open Source and Technology News" http://www.opensourcenews.ca -- This message has been scanned for viruses and dangerous content by MailScanner , and is believed to be clean. Check out Open Enterprise Solutions for your own powerful open-source Virus/Spam/Content detection solutions and mail gateway. -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/af01c3db/attachment.html From uxbod at splatnix.net Tue Jul 31 21:36:23 2007 From: uxbod at splatnix.net (UxBoD) Date: Tue Jul 31 21:31:53 2007 Subject: CRM114 Installation on Centos 4 In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020E8E@houpex02.nfsmith.info> Message-ID: <8819172.8481185914183040.JavaMail.root@office.splatnix.net> Are okay :) Will add to the wiki tomorrow then to safe if running as non-root then set permissions accordingly. Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- From: "Mike Kercher" To: "MailScanner discussion" Sent: Tuesday, July 31, 2007 9:07:34 PM (GMT) Europe/London Subject: RE: CRM114 Installation on Centos 4 I didn't have to change any permissions. I'm running sendmail which runs as the root user. Mike -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of UxBoD Sent: Tuesday, July 31, 2007 3:06 PM To: MailScanner discussion Subject: Re: CRM114 Installation on Centos 4 Mike, did you have to set the permissions on the reaper_cache, or is your umask set in such a way that the user MS runs under is able to write to that directory ? 
Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- From: "Mike Kercher" To: "MailScanner discussion" Sent: Tuesday, July 31, 2007 8:31:00 PM (GMT) Europe/London Subject: RE: CRM114 Installation on Centos 4 I just installed CRM114 on another box following these instructions and had it running in under 5 minutes. Mike -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Mike Kercher Sent: Tuesday, July 31, 2007 1:11 PM To: MailScanner discussion Subject: RE: CRM114 Installation on Centos 4 Looks MUCH better! Thanks! Mike -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva Sent: Tuesday, July 31, 2007 1:02 PM To: mailscanner@lists.mailscanner.info Subject: Re: CRM114 Installation on Centos 4 Mike Kercher spake the following on 7/31/2007 9:08 AM: > I have added this to the wiki: > > http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spama > ss > assin:plugins:crm114 > > The formatting is all FUBAR is someone wants to go clean it up. I'm a > wiki n00b. > > Mike Did a little cleanup. See if you are happy with it. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From stork at openenterprise.ca Tue Jul 31 21:34:13 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 21:34:31 2007 Subject: {Disarmed} Re: CRM114 - Problems with install - Almost There In-Reply-To: <27938274.8361185911563784.JavaMail.root@office.splatnix.net> References: <27938274.8361185911563784.JavaMail.root@office.splatnix.net> Message-ID: <46AF9CC5.2040707@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... 
Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/8f168ef9/stork.vcf From stork at openenterprise.ca Tue Jul 31 21:35:26 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 21:35:43 2007 Subject: {Disarmed} Re: CRM114 - Problems with install - Almost There In-Reply-To: <8F2A53954C22554EB75D9643FCCE0C6B0472D3E1@MED-CORE03-MS1.med.wayne.edu> References: <16720961.8331185908649200.JavaMail.root@office.splatnix.net> <46AF8ABF.7030006@openenterprise.ca> <8F2A53954C22554EB75D9643FCCE0C6B0472D3E1@MED-CORE03-MS1.med.wayne.edu> Message-ID: <46AF9D0E.5050205@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/327eb547/stork.vcf From mkercher at nfsmith.com Tue Jul 31 21:37:37 2007 From: mkercher at nfsmith.com (Mike Kercher) Date: Tue Jul 31 21:37:41 2007 Subject: {Disarmed} Re: CRM114 - Problems with install - Almost There In-Reply-To: <46AF9CC5.2040707@openenterprise.ca> References: <27938274.8361185911563784.JavaMail.root@office.splatnix.net> <46AF9CC5.2040707@openenterprise.ca> Message-ID: <441247027D4F274EB760A5F6E1ED9C7E020E8F@houpex02.nfsmith.info> Did you turn autolearn on in mailfilter.cf? Have a look at the new wiki entry. Mike ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Johnny Stork Sent: Tuesday, July 31, 2007 3:34 PM To: MailScanner discussion Subject: Re: {Disarmed} Re: CRM114 - Problems with install - Almost There Thank you both (Ed and UxBod), removed mailfilter.cf from /etc/mail/spamassassin/ and the parse errors are gone. CRM seems to be running now but should I not start seeing something with this?? 
Sparse spectra file /etc/mail/spamassassin/crm114/spam.css statistics: Total available buckets : 1048577 Total buckets in use : 0 Total in-use zero-count buckets : 0 Total buckets with value >= max : 0 Total hashed datums in file : 0 Documents learned : 1 Features learned : 1 Average datums per bucket : 0.00 Maximum length of overflow chain : 0 Average length of overflow chain : 0.00 Average packing density : 0.00 And maybe something in each messages header? UxBoD wrote: Darn, ya beat me to it :) SA is attempting to parse CRMs config file. Great spot Ed. Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- From: "Ed Bruce" To: "MailScanner discussion" Sent: Tuesday, July 31, 2007 8:35:54 PM (GMT) Europe/London Subject: Re: {Disarmed} Re: CRM114 - Problems with install - Almost There -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 420] dbg: config: read file /etc/mail/spamassassin/mailfilter.cf ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ I believe you don't want this file in this directory. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Cygwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGr48XpdNaP9x3McgRArW2AJ4vADkapB0MBF0k97ZlpiwMGswUOACguJDm erXqpmQcUjBCV/TkrZJnTwQ= =Kx2h -----END PGP SIGNATURE----- -- Johnny Stork Business & Technology Consultant stork@openenterprise.ca ______________________________________________ Open Enterprise Solutions "Empowering Business With Open Solutions" http://www.openenterprise.ca Dreamscape Media "Multimedia, Photography and VR Panorama's" http://www.dreamscapemedia.ca Open Source News "Global Open Source and Technology News" http://www.opensourcenews.ca -- This message has been scanned for viruses and dangerous content by MailScanner , and is believed to be clean. Check out Open Enterprise Solutions for your own powerful open-source Virus/Spam/Content detection solutions and mail gateway. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/f0d402bb/attachment.html From prandal at herefordshire.gov.uk Tue Jul 31 21:40:46 2007 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Tue Jul 31 21:40:56 2007 Subject: {Disarmed} Re: CRM114 - Problems with install - Almost There In-Reply-To: <46AF9CC5.2040707@openenterprise.ca> References: <27938274.8361185911563784.JavaMail.root@office.splatnix.net> <46AF9CC5.2040707@openenterprise.ca> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA03CEF6@HC-MBX02.herefordshire.gov.uk> You should be seeing "CRM114_CHECK" in your spam report. Check that /etc/mail/spamassassin/crm114/*.crm are flagged as executable. 
Phil ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Johnny Stork Sent: 31 July 2007 21:34 To: MailScanner discussion Subject: Re: {Disarmed} Re: CRM114 - Problems with install - Almost There Thank you both (Ed and UxBod), removed mailfilter.cf from /etc/mail/spamassassin/ and the parse errors are gone. CRM seems to be running now but should I not start seeing something with this?? Sparse spectra file /etc/mail/spamassassin/crm114/spam.css statistics: Total available buckets : 1048577 Total buckets in use : 0 Total in-use zero-count buckets : 0 Total buckets with value >= max : 0 Total hashed datums in file : 0 Documents learned : 1 Features learned : 1 Average datums per bucket : 0.00 Maximum length of overflow chain : 0 Average length of overflow chain : 0.00 Average packing density : 0.00 And maybe something in each messages header? UxBoD wrote: Darn, ya beat me to it :) SA is attempting to parse CRMs config file. Great spot Ed. Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- From: "Ed Bruce" To: "MailScanner discussion" Sent: Tuesday, July 31, 2007 8:35:54 PM (GMT) Europe/London Subject: Re: {Disarmed} Re: CRM114 - Problems with install - Almost There -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 420] dbg: config: read file /etc/mail/spamassassin/mailfilter.cf ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ I believe you don't want this file in this directory. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Cygwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGr48XpdNaP9x3McgRArW2AJ4vADkapB0MBF0k97ZlpiwMGswUOACguJDm erXqpmQcUjBCV/TkrZJnTwQ= =Kx2h -----END PGP SIGNATURE----- -- Johnny Stork Business & Technology Consultant stork@openenterprise.ca ______________________________________________ Open Enterprise Solutions "Empowering Business With Open Solutions" http://www.openenterprise.ca Dreamscape Media "Multimedia, Photography and VR Panorama's" http://www.dreamscapemedia.ca Open Source News "Global Open Source and Technology News" http://www.opensourcenews.ca -- This message has been scanned for viruses and dangerous content by MailScanner , and is believed to be clean. Check out Open Enterprise Solutions for your own powerful open-source Virus/Spam/Content detection solutions and mail gateway. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/885351bf/attachment-0001.html From jase at sensis.com Tue Jul 31 21:44:51 2007 From: jase at sensis.com (Desai, Jason) Date: Tue Jul 31 21:45:19 2007 Subject: {Disarmed} Re: CRM114 - Problems with install - Almost There In-Reply-To: <46AF9CC5.2040707@openenterprise.ca> Message-ID: <1951DC816E1A9F469307B05FA183F4389DC9D7@corpatsmail1.corp.sensis.com> What MTA are you running? You may need to change the owner of /etc/mail/spamassassin/crm114 and /etc/mail/spamassassin/crm114/* to be the user that you are running your MTA as. For me, I did a chown -R Debian-exim.Debian-exim /etc/mail/spamassassin/crm114 and that got things working. 
Jase

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Johnny Stork
> Sent: Tuesday, July 31, 2007 4:34 PM
> To: MailScanner discussion
> Subject: Re: {Disarmed} Re: CRM114 - Problems with install -
> Almost There
>
> Thank you both (Ed and UxBod), removed mailfilter.cf from
> /etc/mail/spamassassin/ and the parse errors are gone. CRM
> seems to be running now but should I not start seeing
> something with this??
>
> Sparse spectra file /etc/mail/spamassassin/crm114/spam.css
> statistics:
>
> Total available buckets : 1048577
> Total buckets in use : 0
> Total in-use zero-count buckets : 0
> Total buckets with value >= max : 0
> Total hashed datums in file : 0
> Documents learned : 1
> Features learned : 1
> Average datums per bucket : 0.00
> Maximum length of overflow chain : 0
> Average length of overflow chain : 0.00
> Average packing density : 0.00
>
>
> And maybe something in each messages header?
>

From uxbod at splatnix.net Tue Jul 31 21:53:07 2007
From: uxbod at splatnix.net (UxBoD)
Date: Tue Jul 31 21:48:36 2007
Subject: {Disarmed} Re: CRM114 - Problems with install - Almost There
In-Reply-To: <46AF9CC5.2040707@openenterprise.ca>
Message-ID: <1081714.8511185915187154.JavaMail.root@office.splatnix.net>

Have you restarted MailScanner ? Have you definitely updated crm114.cf to autolearn from SA ? Are the permissions on the .css files writable by the user that MailScanner is running under ?
Regards, --[ UxBoD ]-- // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- Original Message ----- From: "Johnny Stork" To: "MailScanner discussion" Sent: Tuesday, July 31, 2007 9:34:13 PM (GMT) Europe/London Subject: Re: {Disarmed} Re: CRM114 - Problems with install - Almost There From stork at openenterprise.ca Tue Jul 31 21:52:24 2007 From: stork at openenterprise.ca (Johnny Stork) Date: Tue Jul 31 21:52:47 2007 Subject: {Disarmed} Re: CRM114 - Problems with install - Almost There In-Reply-To: <441247027D4F274EB760A5F6E1ED9C7E020E8F@houpex02.nfsmith.info> References: <27938274.8361185911563784.JavaMail.root@office.splatnix.net> <46AF9CC5.2040707@openenterprise.ca> <441247027D4F274EB760A5F6E1ED9C7E020E8F@houpex02.nfsmith.info> Message-ID: <46AFA108.1020806@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/f602528d/stork.vcf From MailScanner at ecs.soton.ac.uk Tue Jul 31 22:01:36 2007 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Jul 31 22:02:22 2007 Subject: MailScanner ANNOUNCE: Version 4.62.9 released Message-ID: <46AFA330.7010206@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have just released a new version of MailScanner, 4.62.9. 
I don't normally bother releasing a new version for August, as it's normally very quiet and it isn't worth it. However, this year July has been absolutely hectic and the list of new features and changes this month is enormous! So here goes for the highlights: - --- New "Known Web Bug Servers" setting to list sites you know host web-bug services, so you can blacklist all images from their servers. The default value lists the main offender. - --- New "watermarking" functionality. 2 uses for this: firstly to provide the same functionality as milter-null, so you don't have to install that if, for example, you use Exim and so can't use it, or if you don't want to install another piece of software on your system. Also, you can use it to create a trust relationship between your MailScanner servers so that the spam scanning only has to be done once on any message, on the first server it hits and not on subsequent ones. - --- New "ClamAV Full Message Scan" setting, and improvements to the ClamAV parser so that the SANESecurity phishing- and spam-detection signatures can be reliably used. Note this new setting is disabled by default, as it has a slight speed impact. - --- New "SpamAssassin Rule Actions" setting so that any SpamAssassin rule firing can trigger any action on a message, including the... - --- New "custom()" spam action which allows you to do absolutely anything based on any property of a message. Immensely powerful, just get your thinking caps on. :-) - --- Major improvements to "MailScanner --lint". This now checks more, and actually tries scanning a real virus-infected message (don't worry, it's totally harmless!) to show you the reports from your virus scanners to check they are all actually working. - --- HTML clean message signature can contain an image, so you can have graphical sigs on your email messages with the image embedded in the message so the recipient always sees it. 
- --- Improvements to handling of "Virus Scanners = auto" with multiple ClamAV methods installed (ie. clamav, clamavmodule and clamd).
- --- Improvements to upgrade_MailScanner_conf.

That's not everything, that's just the important bits!

Download as usual from www.mailscanner.info.

The full Change Log is this:

* New Features and Improvements *
1 Improved non-Linux installer.
1 Improved Linux installer.
1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this.
1 Upgraded MIME::Base64 to 3.07.
1 Improved error reporting for clamd permissions problems. Thanks Rick.
2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and /usr/sbin/update_spamassassin. For a good use of this, see
    http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
  and search for "HOWTO" in the Subject: line of the MailScanner-discussion list archive. This process replaces RulesDuJour entirely.
  Another good ruleset to add to your setup is
    http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
  To download this automatically every night, fetch
    http://www.mailscanner.info/files/4/KAM.cf.sh
  and put it in /etc/cron.daily and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh").
3 Added "Known Web Bug Servers" so you can blacklist images from known servers of web bug services.
3 Added functionality of "milter-null" to MailScanner so you no longer need to run this separately. It is called "Watermarking" and there is a whole section for the settings in MailScanner.conf. They are
    Add Watermark = yes
    Skip Spam Checks If Watermark Valid = yes
    Watermark Header = MailScanner-%org-name%-Watermark:
    Watermark Lifetime = 432000 # in seconds, = 5 days
    Watermark Secret = SET-THIS-TO-A-SECRET!
  Also added Digest::MD5 to the required list of Perl modules, this is needed for the watermarking code.
3 Added optional image to the clean message signature. You can also use this to add an arbitrary image attachment to any message, if you so wish.
  The main point is to be able to have graphical HTML signatures on messages. The settings are
    Attach Image To Signature = no
    Attach Image To HTML Message Only = yes
    Signature Image Filename = %report-dir%/sig.jpg
    Signature Image Filename = signature.jpg
4 Added support for Kaspersky kav4fs. Set virus.scanners.conf entry to point to /opt/kaspersky.
4 Changed default value to "Max SpamAssassin Size = 100k" as modern PDF spams are getting quite large, and PDFInfo.pm doesn't work with cropped messages.
4 Improved Clamd parser to handle Sane Security ClamAV signature databases which detect spam and so on from the contents of the headers, and hence find infections without attachment filenames. Thanks to various people for help with this, you know who you are :-)
4 Improved upgrade_MailScanner_conf so that it checks that the 'Monitors for ClamAV Updates' setting looks for inc and cvd files. Problems have recently been suffered by many due to the value of this setting being out of date. It doesn't automatically re-write their setting in case they have installed ClamAV somewhere odd and have customised it.
4 Changed 'Monitors for Sophos Updates' setting default value to point to appropriate file for Sophos version 5 and upwards, and have added check in upgrade_MailScanner_conf to ensure their setting now points to a new location. It prints a warning if sophos-av does not appear in the path.
4 Added configuration setting "SpamAssassin Rule Actions". This setting is very powerful and can be used to implement many things that MCP can do, without having the processing overhead of MCP. The documentation for it is in the MailScanner.conf file. Its power is limited by your imagination :-) Start combining it with rulesets and you can take (or _not_ take) any combination of actions dependent on any bit of content in the message or its headers.
  You could try out new SA tests by storing in quarantine every message that matches a new particular SpamAssassin rule (or meta-rule for creating more complex expressions).
5 Added "custom" spam action, which takes a parameter. This is passed into the CustomAction function in CustomAction.pm in the CustomFunctions directory. This can be used to implement anything your heart desires, depending on the contents of a message.
7 When clamav, clamavmodule or clamd parsers are being used and new setting "ClamAV Full Message Scan" is set to "yes", pass each of the entire messages to ClamAV as well as the attachments so that the signatures that detect spam can work reliably. This is set to "no" by default as it has a speed impact.
7 The watermark options have been tweaked and renamed a bit, and one new feature has been added. "upgrade_MailScanner_conf" will show you the renames and the new feature is designed to save resources on sites with more than 1 MailScanner. Currently, if you have a message delivered to a secondary MX (with MailScanner) which relays mail to the primary MX (also with MailScanner) for delivery to users' mailboxes, the spam checks will be done twice; this is a waste of resources. The new setting "Check Watermarks To Skip Spam Checks = yes" will remove this waste by skipping the spam checks on the primary MX as the secondary has already done them.
7 "Virus Scanners = auto" will detect multiple types of ClamAV installed and tend towards the most useful one. It will use clamd else clamavmodule else clamav. This helps if you have all 3 installed, which is quite likely.
8 Greatly improved "MailScanner --lint". It now actually tests every virus scanner that you have installed, and checks that they can successfully scan a message containing the Eicar test-virus pattern. It reports the results from each scanner and warns you about checking any that are not reported.
9 Added check to "MailScanner --lint" to check envelope_sender_header in spam.assassin.prefs.conf is correct and matches MailScanner.conf.
9 Added new setting "Use Watermarking = yes" to give overall control of all watermarking features.

* Fixes *
2-2 Fixed error in RPM installer.
2-3 Fixed error in update_spamassassin.
3-2 The watermarking code should do something now :-)
3-3 Rewrote the watermarking docs so they reflect the truth.
4 --lint now reads all the Custom Functions properly.
4 Bug in auto-zip fixed where attachments could be deleted without being added to zip. Thanks to Matt Hampton.
4 Bug with '-' in HTML attribute names confusing phishing net fixed. Thanks to John Wilcock.
5 Fixed 2 bugs in MSRBL clamav-signature handler. Thanks to UxBoD.
6 Fixed bug from October 2006 involving McAfee finding infections in headers.
7 Fixed bug when unpacking TNEF files with external decoder.
7 Fixed 'monitor files' check in upgrade_MailScanner_conf so it doesn't check inadvertently when doing an upgrade_languages_conf.
7-3 Fixed bug in full message file creation in scanning dir as permissions were wrong.
9 Added use POSIX to top of MessageBatch.pm so WNOHANG is defined.

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGr6MxEfZZRxQVtlQRAvyFAKDXxb2x96bxiV+oQgYhMYrnhzUw5gCfXI1m
hEfYtogRPhdHzVFDEaLY688=
=nqu3
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
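
The watermark settings in the announcement above (a shared secret, a lifetime in seconds and a dedicated header) describe a keyed, expiring tag that a site can later recognise as its own. The sketch below is an added example, not MailScanner's code: the header value layout, the binding to the envelope sender, the function names and the use of HMAC-SHA256 instead of the Digest::MD5 the change log mentions are all assumptions.

```python
import hashlib
import hmac
import re
import time

WATERMARK_LIFETIME = 432000  # seconds (5 days), the "Watermark Lifetime" value quoted above
EXAMPLE_SECRET = b"constructed-secret-for-this-example"  # constructed; use a random per-site value

# Assumed header value layout for this example: "<expiry-epoch> <hex HMAC-SHA256>"
_VALUE_RE = re.compile(r"(\d{1,12}) ([0-9a-f]{64})", re.ASCII)


def _tag(secret, sender, expiry):
    """Keyed tag over the envelope sender and the expiry time."""
    msg = "{}\n{}".format(sender.strip().lower(), expiry).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_watermark(sender, secret, now=None, lifetime=WATERMARK_LIFETIME):
    """Value for the watermark header added to mail accepted from `sender`."""
    now = int(time.time() if now is None else now)
    expiry = now + lifetime
    return "{} {}".format(expiry, _tag(secret, sender, expiry))


def check_watermark(value, sender, secret, now=None):
    """Return (ok, reason); reason is valid, missing, malformed, bad-tag or expired."""
    if value is None:
        return (False, "missing")
    m = _VALUE_RE.fullmatch(value.strip())
    if m is None:
        return (False, "malformed")
    expiry, tag = int(m.group(1)), m.group(2)
    # Check the tag first so a forged or edited expiry is never trusted.
    if not hmac.compare_digest(tag, _tag(secret, sender, expiry)):
        return (False, "bad-tag")
    now = int(time.time() if now is None else now)
    if now > expiry:
        return (False, "expired")
    return (True, "valid")


def handle_inbound(envelope_from, envelope_to, watermark, secret, now=None):
    """Decision for one message on a server that shares `secret`.

    `watermark` is the header value found in the message or, for a bounce,
    in the returned copy of the original headers (None if absent).
    """
    if envelope_from == "":
        # Null sender: a delivery status notification. A genuine bounce carries
        # the watermark this site put on the original, issued for the address
        # the bounce is now addressed to.
        ok, reason = check_watermark(watermark, envelope_to, secret, now)
        return "accept-bounce" if ok else "reject-bounce:" + reason
    # Relayed mail: a valid watermark means a trusted peer already scanned it.
    ok, reason = check_watermark(watermark, envelope_from, secret, now)
    return "skip-spam-checks" if ok else "full-scan:" + reason


if __name__ == "__main__":
    t0 = 1185915696  # constructed timestamp
    wm = make_watermark("alice@example.org", EXAMPLE_SECRET, now=t0)
    print(handle_inbound("alice@example.org", "bob@example.net", wm, EXAMPLE_SECRET, now=t0 + 60))
    print(handle_inbound("", "alice@example.org", None, EXAMPLE_SECRET, now=t0 + 60))
    print(handle_inbound("", "alice@example.org", wm, EXAMPLE_SECRET, now=t0 + WATERMARK_LIFETIME + 1))
```

Because the tag in this sketch covers only the sender and the expiry, a header value seen once stays valid for that sender until it expires, which is why the lifetime is bounded and the secret must not be left at a shipped default.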

From support.mailscanner at stuttgart.mhz.de Fri Jul 20 09:20:30 2007
From: support.mailscanner at stuttgart.mhz.de (Support)
Date: Tue Jul 31 22:09:30 2007
Subject: Password protected file
Message-ID:

Hello,

I want that Password protected and encrypted files are going to quarantine. What do I have to change in the config? I need help!!!

Regards
David

From brent.addis at pronet.co.nz Tue Jul 31 22:09:38 2007
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Tue Jul 31 22:10:41 2007
Subject: image content scanning
References: <7EF1F27F7292534D82933F70AB6996CC25CE23@pro-ak-exch01.hosted.pronet.net.nz> <223f97700707310401s646f4eddg27b5187e65429a3e@mail.gmail.com>
Message-ID: <7EF1F27F7292534D82933F70AB6996CC25CE2C@pro-ak-exch01.hosted.pronet.net.nz>

yeah I do, it's pretty average at what we need. It does catch some, but not some of the more hardcore stuff.

________________________________

From: mailscanner-bounces@lists.mailscanner.info on behalf of Glenn Steen
Sent: Tue 31/07/2007 11:01 p.m.
To: MailScanner discussion
Subject: Re: image content scanning

On 31/07/07, Brent Addis wrote:
>
> Hi,
>
> Has anyone found anything useful for looking at porn images in email, not
> just from a spam perspective, but from a general content perspective.
> Something that checks skin tone for example. I am not really concerned how
> many cpu cycles that this sort of thing consumes. Is there a plugin for
> spamassassin or mailscanner that isn't widely known about that will do this?
>
> Thanks,
>
> Brent

You already use ImageInfo (http://www.rulesemporium.com/plugins.htm), I presume?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/ms-tnef
Size: 4483 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070801/2eb9d6ce/attachment.bin

From ms-list at alexb.ch Tue Jul 31 22:12:40 2007
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Jul 31 22:12:46 2007
Subject: CRM114 Installation on Centos 4
In-Reply-To: <8819172.8481185914183040.JavaMail.root@office.splatnix.net>
References: <8819172.8481185914183040.JavaMail.root@office.splatnix.net>
Message-ID: <46AFA5C8.30100@alexb.ch>

Note for Wiki unless someone has a better answer/idea/suggestion:

Apparently there's no provision to limit the size of

/etc/mail/spamassassin/crm114/reaver_cache's contents.

Running on a *very* low traffic test box, the directory has grown to 59MB in less than 24 hrs.

If you do *not* intend to perform manual re-training to correct ham /spam detection, it may be wise to set:

/etc/mail/spamassassin/crm114/mailfilter.cf

:text_cache: /reaver_cache/

to

:text_cache: //

This will disable msg caching of all your mail traffic
(keeping a copy of all ham/spam could also be against corp. policy)

Disabling "reaver_cache" may speed up CRM114 processing by avoiding the extra msg write operations to "reaver_cache" categories.

Alex

From vanhorn at whidbey.com Tue Jul 31 22:15:28 2007
From: vanhorn at whidbey.com (G. Armour Van Horn)
Date: Tue Jul 31 22:14:39 2007
Subject: filename *and* user test
Message-ID: <46AFA670.8000806@whidbey.com>

One user on one of my servers has a lot of valid files being blocked from one specific client. Specifically, the sender can't seem to avoid putting a whole string of spaces in their filenames. For the moment, I've simply allowed excessive whitespace, but I don't really like that. Is there a way to allow exception to this rule for a specific destination address?

Van

--
----------------------------------------------------------
Sign up now for Quotes of the Day, a handful of
quotations on a theme delivered every morning.
Enlightenment! Daily, for free!
mailto:twisted@whidbey.com?subject=Subscribe_QOTD

For photography, web design, hosting, and maintenance,
visit Van's home page: http://www.domainvanhorn.com/van/
-----------------------------------------------------------

From minduni at ti-edu.ch Tue Jul 31 22:15:05 2007
From: minduni at ti-edu.ch (Marco Induni)
Date: Tue Jul 31 22:15:08 2007
Subject: Filename rule question
In-Reply-To: <223f97700707300337gb9c8a8l55e517a09e4afab4@mail.gmail.com>
References: <468A6663.8010907@ti-edu.ch> <468CACEF.30202@ti-edu.ch> <223f97700707050349y696668ccu92b618343da7d77b@mail.gmail.com> <468CDC23.7000500@ti-edu.ch> <223f97700707051316y462cffd5ka6ce8064d614350f@mail.gmail.com> <468E09B6.10605@ti-edu.ch> <223f97700707060540n7c7b022eye5700536d480541c@mail.gmail.com> <4691EC0A.3040209@ti-edu.ch> <223f97700707091232q691a2277i75715cfe09c3be94@mail.gmail.com> <46ADAA41.6030501@ti-edu.ch> <223f97700707300337gb9c8a8l55e517a09e4afab4@mail.gmail.com>
Message-ID: <46AFA659.3090206@ti-edu.ch>

Glenn Steen wrote:
> On 30/07/07, Marco Induni wrote:
>> Hi Glenn, any news about my email ?
>>
>> Thank you
>
> Hi Marco, sorry I didn't get back to you sooner... Been a somewhat
> hectic return from vacation...:).

No problem

>
>
> (snip)
> That all looked pretty good, unfortunately.
>
> I've been thinking that you might have changed some limits to ...
> unreasonable values...
> What do you have for
> Maximum Message Size
> Maximum Attachment Size
> Minimum Attachment Size
> in MailScanner.conf?
>

Maximum Message Size = 0
Maximum Attachment Size = -1
Minimum Attachment Size = -1

Last hope ? Hope not ;-)

Cheers
Marco

> Cheers

--
Marco Induni
Universita` della Svizzera italiana
Servizi informatici / TI-EDU
Galleria 2
CH-6928 Manno (Switzerland)
E-mail: minduni@ti-edu.ch
Tel: +41 58 666 6656
Fax: +41 58 666 6650

From shuttlebox at gmail.com Tue Jul 31 22:27:05 2007
From: shuttlebox at gmail.com (shuttlebox)
Date: Tue Jul 31 22:27:09 2007
Subject: filename *and* user test
In-Reply-To: <46AFA670.8000806@whidbey.com>
References: <46AFA670.8000806@whidbey.com>
Message-ID: <625385e30707311427w3d09a669le4725f2784a4f90e@mail.gmail.com>

On 7/31/07, G. Armour Van Horn wrote:
> One user on one of my servers has a lot of valid files being blocked
> from one specific client. Specifically, the sender can't seem to avoid
> putting a whole string of spaces in their filenames. For the moment,
> I've simply allowed excessive whitespace, but I don't really like that.
> Is there a way to allow exception to this rule for a specific
> destination address?

Look here:
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading

--
/peter

From donald.dawson at bakerbotts.com Tue Jul 31 22:27:45 2007
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Tue Jul 31 22:27:50 2007
Subject: MailScanner ANNOUNCE: Version 4.62.9 released
In-Reply-To: <46AFA330.7010206@ecs.soton.ac.uk>
Message-ID:

Is this the stable August release, or will there be a 4.63 shortly?

From stork at openenterprise.ca Tue Jul 31 22:30:45 2007
From: stork at openenterprise.ca (Johnny Stork)
Date: Tue Jul 31 22:31:10 2007
Subject: {Disarmed} Re: CRM114 - Problems with install - Almost There
In-Reply-To: <1081714.8511185915187154.JavaMail.root@office.splatnix.net>
References: <1081714.8511185915187154.JavaMail.root@office.splatnix.net>
Message-ID: <46AFAA05.3020101@openenterprise.ca>

Yes, but I have both settings shown below in crm114.cf

crm114_learn 1
crm114_autolearn 1

MailScanner has been restarted, I set all files to be world writable to test, and MailScanner runs as root.

The only location that seems to be getting written to is the reaver_cache, content in known_good, known_bad, texts etc is getting written

root@gateway:~# ls -la /etc/mail/spamassassin/crm114/reaver_cache/
total 48
drwx------ 8 root root 4096 Jul 31 09:41 .
drwxr-xr-x 3 root root 4096 Jul 31 09:41 ..
drwx------ 2 root root 4096 Jul 31 09:41 empty
drwx------ 2 root root 4096 Jul 31 14:19 known_good
drwx------ 2 root root 4096 Jul 31 13:22 known_spam
drwx------ 2 root root 4096 Jul 31 14:19 prob_good
drwx------ 2 root root 4096 Jul 31 09:41 prob_spam
drwx------ 2 root root 20480 Jul 31 14:26 texts

UxBoD wrote:
> Have you restarted MailScanner ? Have you definitely updated crm114.cf to autolearn from SA ? Are the permissions on the .css files writable by the user that MailScanner is running under ?
>
> Regards,
>
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
>
> ----- Original Message -----
> From: "Johnny Stork"
> To: "MailScanner discussion"
> Sent: Tuesday, July 31, 2007 9:34:13 PM (GMT) Europe/London
> Subject: Re: {Disarmed} Re: CRM114 - Problems with install - Almost There
>
>

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. Check out Open Enterprise Solutions for your own powerful open-source Virus/Spam/Content detection solutions and mail gateway.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/7a05319e/stork.vcf From prandal at herefordshire.gov.uk Tue Jul 31 22:33:24 2007 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Tue Jul 31 22:33:35 2007 Subject: {Disarmed} Re: CRM114 - Problems with install - Almost There In-Reply-To: <46AFAA05.3020101@openenterprise.ca> References: <1081714.8511185915187154.JavaMail.root@office.splatnix.net> <46AFAA05.3020101@openenterprise.ca> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA03CEF7@HC-MBX02.herefordshire.gov.uk> What does the ls -l of /etc/mail/spamassassin/crm114 show? Phil -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Johnny Stork Sent: 31 July 2007 22:31 To: MailScanner discussion Subject: Re: {Disarmed} Re: CRM114 - Problems with install - Almost There Yes, but I have both settings shown below in crm114.cf crm114_learn 1 crm114_autolearn 1 MailScanner has been restarted, I set all files to be world writable to test, and MailScanner runs as root. The only location that seems to be getting written to is the reaver_cache, content in known_good, known_bad, texts etc is getting written root@gateway:~# ls -la /etc/mail/spamassassin/crm114/reaver_cache/ total 48 drwx------ 8 root root 4096 Jul 31 09:41 . drwxr-xr-x 3 root root 4096 Jul 31 09:41 .. drwx------ 2 root root 4096 Jul 31 09:41 empty drwx------ 2 root root 4096 Jul 31 14:19 known_good drwx------ 2 root root 4096 Jul 31 13:22 known_spam drwx------ 2 root root 4096 Jul 31 14:19 prob_good drwx------ 2 root root 4096 Jul 31 09:41 prob_spam drwx------ 2 root root 20480 Jul 31 14:26 texts UxBoD wrote: > Have you restarted MailScanner ? Have you definately updated crm114.cf to autolearn from SA ? Are the permissions on the .css files writable by the user that MailScanner is running under ? 
>
> Regards,
>
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
>
> ----- Original Message -----
> From: "Johnny Stork"
> To: "MailScanner discussion"
> Sent: Tuesday, July 31, 2007 9:34:13 PM (GMT) Europe/London
> Subject: Re: {Disarmed} Re: CRM114 - Problems with install - Almost There
>
>

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean. Check out Open Enterprise
Solutions for your own powerful open-source Virus/Spam/Content
detection solutions and mail gateway.

From mike at vesol.com Tue Jul 31 22:34:39 2007
From: mike at vesol.com (Mike Kercher)
Date: Tue Jul 31 22:36:00 2007
Subject: {Disarmed} Re: CRM114 - Problems with install - Almost There
In-Reply-To: <46AFAA05.3020101@openenterprise.ca>
References: <1081714.8511185915187154.JavaMail.root@office.splatnix.net>
 <46AFAA05.3020101@openenterprise.ca>
Message-ID: <6115482898C59848B35DB9D491C9A28E04BAA7@srv1.home.middlefinger.net>

The file size of your .css files is not going to change. Bear that in mind.

Mike

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Johnny Stork
> Sent: Tuesday, July 31, 2007 4:31 PM
> To: MailScanner discussion
> Subject: Re: {Disarmed} Re: CRM114 - Problems with install - Almost There
>
> Yes, but I have both settings shown below in crm114.cf
>
> crm114_learn 1
> crm114_autolearn 1
>
> MailScanner has been restarted, I set all files to be world
> writable to test, and MailScanner runs as root.
>
> The only location that seems to be getting written to is the
> reaver_cache, content in known_good, known_bad, texts etc is
> getting written
>
> root@gateway:~# ls -la /etc/mail/spamassassin/crm114/reaver_cache/
> total 48
> drwx------ 8 root root  4096 Jul 31 09:41 .
> drwxr-xr-x 3 root root  4096 Jul 31 09:41 ..
> drwx------ 2 root root  4096 Jul 31 09:41 empty
> drwx------ 2 root root  4096 Jul 31 14:19 known_good
> drwx------ 2 root root  4096 Jul 31 13:22 known_spam
> drwx------ 2 root root  4096 Jul 31 14:19 prob_good
> drwx------ 2 root root  4096 Jul 31 09:41 prob_spam
> drwx------ 2 root root 20480 Jul 31 14:26 texts
>
>
> UxBoD wrote:
> > Have you restarted MailScanner? Have you definitely updated
> > crm114.cf to autolearn from SA? Are the permissions on the .css
> > files writable by the user that MailScanner is running under?
> >
> > Regards,
> >
> > --[ UxBoD ]--
> > // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> > // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
> > // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> > // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
> >
> > ----- Original Message -----
> > From: "Johnny Stork"
> > To: "MailScanner discussion"
> > Sent: Tuesday, July 31, 2007 9:34:13 PM (GMT) Europe/London
> > Subject: Re: {Disarmed} Re: CRM114 - Problems with install - Almost There
> >
> >
>
> --
> This message has been scanned for viruses and dangerous
> content by MailScanner, and is believed to be clean. Check
> out Open Enterprise Solutions for your own powerful
> open-source Virus/Spam/Content detection solutions and mail gateway.
>
>

From mike at vesol.com Tue Jul 31 22:35:26 2007
From: mike at vesol.com (Mike Kercher)
Date: Tue Jul 31 22:36:44 2007
Subject: CRM114 Installation on Centos 4
In-Reply-To: <46AFA5C8.30100@alexb.ch>
References: <8819172.8481185914183040.JavaMail.root@office.splatnix.net>
 <46AFA5C8.30100@alexb.ch>
Message-ID: <6115482898C59848B35DB9D491C9A28E04BAA8@srv1.home.middlefinger.net>

Good idea!

Mike

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Broens
> Sent: Tuesday, July 31, 2007 4:13 PM
> To: MailScanner discussion
> Subject: Re: CRM114 Installation on Centos 4
>
> Note for Wiki unless someone has a better answer/idea/suggestion:
>
> Apparently there's no provision to limit the size of
>
> /etc/mail/spamassassin/crm114/reaver_cache's contents.
>
> Running on a *very* low traffic test box, the directory has
> grown to 59MB in less than 24 hrs.
>
> If you do *not* intend to perform manual re-training to
> correct ham/spam detection, it may be wise to set:
>
> /etc/mail/spamassassin/crm114/mailfilter.cf
>
> :text_cache: /reaver_cache/
>
> to
>
> :text_cache: //
>
> This will disable msg caching of all your mail traffic
> (keeping a copy of all ham/spam could also be against corp. policy)
>
> Disabling "reaver_cache" may speed up CRM114 processing by
> avoiding the extra msg write operations to "reaver_cache" categories.
>
> Alex
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
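
Added example (not from the thread, and not CRM114 or MailScanner code): a read-only audit of the reaver_cache tree discussed above, reporting per-category size, how much is older than a retention window, and any entry whose mode grants group or other access, since the cache holds full copies of mail. The category names come from the `ls -la` listing in the thread; the function names, the 7-day window, the hard-link handling and the sample tree are assumptions.

```python
import os
import stat
import tempfile
import time

# Category directories exactly as they appear in the thread's `ls -la` listing.
CATEGORIES = ("empty", "known_good", "known_spam", "prob_good", "prob_spam", "texts")


def audit_cache(root, max_age_days=7, now=None):
    """Read-only summary of a reaver_cache tree: size, age and permissions."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    report = {"categories": {}, "total_bytes": 0, "stale_files": [], "loose_perms": []}
    seen = set()  # (device, inode) pairs, so hard-linked copies are counted once

    for name in CATEGORIES:
        cat_dir = os.path.join(root, name)
        if not os.path.isdir(cat_dir):
            continue
        # The listing shows drwx------; any group/other bit exposes stored mail.
        if stat.S_IMODE(os.lstat(cat_dir).st_mode) & 0o077:
            report["loose_perms"].append(cat_dir)
        files = size = 0
        with os.scandir(cat_dir) as entries:
            for entry in entries:
                st = entry.stat(follow_symlinks=False)
                if stat.S_ISDIR(st.st_mode):
                    continue
                files += 1
                size += st.st_size
                if (st.st_dev, st.st_ino) not in seen:
                    seen.add((st.st_dev, st.st_ino))
                    report["total_bytes"] += st.st_size
                if not stat.S_ISLNK(st.st_mode) and stat.S_IMODE(st.st_mode) & 0o077:
                    report["loose_perms"].append(entry.path)
                if st.st_mtime < cutoff:
                    report["stale_files"].append(entry.path)
        report["categories"][name] = {"files": files, "bytes": size}
    return report


def build_sample_cache(root, now):
    """Constructed sample tree (no real mail) used to demonstrate audit_cache."""
    for name in CATEGORIES:
        os.mkdir(os.path.join(root, name), 0o700)
    fresh = os.path.join(root, "texts", "msg-fresh")
    old = os.path.join(root, "texts", "msg-old")
    for path, body in ((fresh, b"x" * 100), (old, b"y" * 300)):
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, 0o600)
    os.utime(fresh, (now, now))
    os.utime(old, (now - 30 * 86400, now - 30 * 86400))
    # Assumption: a category entry is a hard link to the copy under texts/.
    os.link(old, os.path.join(root, "known_spam", "msg-old"))
    # Mimics the "world writable to test" step that was never reverted.
    os.chmod(fresh, 0o666)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        t = time.time()
        rep = audit_cache(build_sample_cache(tmp, t), max_age_days=7, now=t)
        print("total bytes on disk:", rep["total_bytes"])
        for cat, info in rep["categories"].items():
            print(f"{cat:12s} files={info['files']} bytes={info['bytes']}")
        print("older than 7 days:", len(rep["stale_files"]))
        print("group/other access:", rep["loose_perms"])
```

Run against the real path from cron, the `stale_files` list is what a retention job would act on, and a non-empty `loose_perms` list means stored mail is readable or writable beyond the owning account.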

From res at ausics.net Tue Jul 31 22:49:02 2007
From: res at ausics.net (Res)
Date: Tue Jul 31 22:49:11 2007
Subject: MailScanner ANNOUNCE: Version 4.62.9 released
In-Reply-To:
References:
Message-ID:

On Tue, 31 Jul 2007, donald.dawson@bakerbotts.com wrote:

> Is this the stable August release, or will there be a 4.63 shortly?

This is a stable release. In fact I agree it could be confusing, and
perhaps the numbering scheme should be revised? Let us say for example,
4.63 for this major, and 4.64b(1|2|3+) for betas of next version, then
its stable would be simply 4.64, falling into line with 99% of the
software numbering schemes in use would be more beneficial and less
confusing to new MailScanner users.

--
Cheers
Res

From MailScanner at ecs.soton.ac.uk Tue Jul 31 22:49:56 2007
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Jul 31 22:50:33 2007
Subject: MailScanner ANNOUNCE: Version 4.62.9 released
In-Reply-To:
References:
Message-ID: <46AFAE84.6090602@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It's the stable August release. I just decided to release a few hours early.

donald.dawson@bakerbotts.com wrote:
> Is this the stable August release, or will there be a 4.63 shortly?
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
> Sent: Tuesday, July 31, 2007 4:02 PM
> To: MailScanner discussion; MailScanner-Announce mailing list list
> Subject: MailScanner ANNOUNCE: Version 4.62.9 released
>
> * PGP Bad Signature, Signed by an unverified key: 07/31/07 at 22:01:37
>
> I have just released a new version of MailScanner, 4.62.9. I don't
> normally bother releasing a new version for August, as it's normally
> very quiet and it isn't worth it. However, this year July has been
> absolutely hectic and the list of new features and changes this month is
> enormous!
>
> So here goes for the highlights:
>
> --- New "Known Web Bug Servers" setting to list sites you know host
> web-bug services, so you can blacklist all images from their servers.
> The default value lists the main offender.
> --- New "watermarking" functionality. 2 uses for this: firstly to
> provide the same functionality as milter-null, so you don't have to
> install that if, for example, you use Exim and so can't use it, or if
> you don't want to install another piece of software on your system.
> Also, you can use it to create a trust relationship between your
> MailScanner servers so that the spam scanning only has to be done once
> on any message, on the first server it hits and not on subsequent ones.
> --- New "ClamAV Full Message Scan" setting, and improvements to the
> ClamAV parser so that the SANESecurity phishing- and spam-detection
> signatures can be reliably used. Note this new setting is disabled by
> default, as it has a slight speed impact.
> --- New "SpamAssassin Rule Actions" setting so that any SpamAssassin
> rule firing can trigger any action on a message, including the...
> --- New "custom()" spam action which allows you to do absolutely
> anything based on any property of a message. Immensely powerful, just
> get your thinking caps on. :-)
> --- Major improvements to "MailScanner --lint". This now checks more,
> and actually tries scanning a real virus-infected message (don't worry,
> it's totally harmless!) to show you the reports from your virus scanners
> to check they are all actually working.
> --- HTML clean message signature can contain an image, so you can have
> graphical sigs on your email messages with the image embedded in the
> message so the recipient always sees it.
> --- Improvements to handling of "Virus Scanners = auto" with multiple
> ClamAV methods installed (ie. clamav, clamavmodule and clamd).
> --- Improvements to upgrade_MailScanner_conf.
>
> That's not everything, that's just the important bits!
>
> Download as usual from www.mailscanner.info.
>
> The full Change Log is this:
> * New Features and Improvements *
> 1 Improved non-Linux installer.
> 1 Improved Linux installer.
> 1 Updated OpenBSD installation guide. Thanks to Jeremy Evans for this.
> 1 Upgraded MIME::Base64 to 3.07.
> 1 Improved error reporting for clamd permissions problems. Thanks Rick.
> 2 Added SAUPDATEARGS to /etc/sysconfig/MailScanner and
>   /usr/sbin/update_spamassassin. For a good use of this, see
>   http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt and search
>   for "HOWTO" in the Subject: line of the MailScanner-discussion list archive.
>   This process replaces RulesDuJour entirely.
>   Another good ruleset to add to your setup is
>   http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
>   To download this automatically every night, fetch
>   http://www.mailscanner.info/files/4/KAM.cf.sh and put it in /etc/cron.daily
>   and make it executable (type "chmod +x /etc/cron.daily/KAM.cf.sh").
> 3 Added "Known Web Bug Servers" so you can blacklist images from known servers
>   of web bug services.
> 3 Added functionality of "milter-null" to MailScanner so you no longer need to
>   run this separately. It is called "Watermarking" and there is a whole
>   section for the settings in MailScanner.conf. They are
>     Add Watermark = yes
>     Skip Spam Checks If Watermark Valid = yes
>     Watermark Header = MailScanner-%org-name%-Watermark:
>     Watermark Lifetime = 432000 # in seconds, = 5 days
>     Watermark Secret = SET-THIS-TO-A-SECRET!
>   Also added Digest::MD5 to the required list of Perl modules, this is needed
>   for the watermarking code.
> 3 Added optional image to the clean message signature. You can also use this
>   to add an arbitrary image attachment to any message, if you so wish. The
>   main point is to be able to have graphical HTML signatures on messages.
>   The settings are
>     Attach Image To Signature = no
>     Attach Image To HTML Message Only = yes
>     Signature Image Filename = %report-dir%/sig.jpg
>     Signature Image Filename = signature.jpg
> 4 Added support for Kaspersky kav4fs. Set virus.scanners.conf entry to
>   point to /opt/kaspersky.
> 4 Changed default value to "Max SpamAssassin Size = 100k" as modern PDF spams
>   are getting quite large, and PDFInfo.pm doesn't work with cropped messages.
> 4 Improved Clamd parser to handle Sane Security ClamAV signature databases
>   which detect spam and so on from the contents of the headers, and hence
>   find infections without attachment filenames. Thanks to various people for
>   help with this, you know who you are :-)
> 4 Improved upgrade_MailScanner_conf so that it checks that the 'Monitors for
>   ClamAV Updates' setting looks for inc and cvd files. Problems have recently
>   been suffered by many due to the value of this setting being out of date.
>   It doesn't automatically re-write their setting in case they have installed
>   ClamAV somewhere odd and have customised it.
> 4 Changed 'Monitors for Sophos Updates' setting default value to point to
>   appropriate file for Sophos version 5 and upwards, and have added check
>   in upgrade_MailScanner_conf to ensure their setting now points to a new
>   location. It prints a warning if sophos-av does not appear in the path.
> 4 Added configuration setting "SpamAssassin Rule Actions". This setting is
>   very powerful and can be used to implement many things that MCP can do,
>   without having the processing overhead of MCP. The documentation for it is
>   in the MailScanner.conf file. Its power is limited by your imagination :-)
>   Start combining it with rulesets and you can take (or _not_ take) any
>   combination of actions dependent on any bit of content in the message or its
>   headers. You could try out new SA tests by storing in quarantine every
>   message that matches a new particular SpamAssassin rule (or meta-rule for
>   creating more complex expressions).
> 5 Added "custom" spam action, which takes a parameter. This is passed into the
>   CustomAction function in CustomAction.pm in the CustomFunctions directory.
>   This can be used to implement anything your heart desires, depending on the
>   contents of a message.
> 7 When clamav, clamavmodule or clamd parsers are being used and new setting
>   "ClamAV Full Message Scan" is set to "yes", pass each of the entire
>   messages to ClamAV as well as the attachments so that the signatures that
>   detect spam can work reliably. This is set to "no" by default as it has a
>   speed impact.
> 7 The watermark options have been tweaked and renamed a bit, and one new
>   feature has been added. "upgrade_MailScanner_conf" will show you the renames
>   and the new feature is designed to save resources on sites with more than
>   1 MailScanner. Currently, if you have a message delivered to a secondary MX
>   (with MailScanner) which relays mail to the primary MX (also with
>   MailScanner) for delivery to users' mailboxes, the spam checks will be
>   done twice; this is a waste of resources. The new setting "Check Watermarks
>   To Skip Spam Checks = yes" will remove this waste by skipping the spam
>   checks on the primary MX as the secondary has already done them.
> 7 "Virus Scanners = auto" will detect multiple types of ClamAV installed and
>   tend towards the most useful one. It will use clamd else clamavmodule else
>   clamav. This helps if you have all 3 installed, which is quite likely.
> 8 Greatly improved "MailScanner --lint". It now actually tests every virus
>   scanner that you have installed, and checks that they can successfully scan
>   a message containing the Eicar test-virus pattern. It reports the results
>   from each scanner and warns you about checking any that are not reported.
> 9 Added check to "MailScanner --lint" to check envelope_sender_header in
>   spam.assassin.prefs.conf is correct and matches MailScanner.conf.
> 9 Added new setting "Use Watermarking = yes" to give overall control of all
>   watermarking features.
>
> * Fixes *
> 2-2 Fixed error in RPM installer.
> 2-3 Fixed error in update_spamassassin.
> 3-2 The watermarking code should do something now :-)
> 3-3 Rewrote the watermarking docs so they reflect the truth.
> 4 --lint now reads all the Custom Functions properly.
> 4 Bug in auto-zip fixed where attachments could be deleted without being
>   added to zip. Thanks to Matt Hampton.
> 4 Bug with '-' in HTML attribute names confusing phishing net fixed. Thanks
>   to John Wilcock.
> 5 Fixed 2 bugs in MSRBL clamav-signature handler. Thanks to UxBoD.
> 6 Fixed bug from October 2006 involving McAfee finding infections in headers.
> 7 Fixed bug when unpacking TNEF files with external decoder.
> 7 Fixed 'monitor files' check in upgrade_MailScanner_conf so it doesn't check
>   inadvertently when doing an upgrade_languages_conf.
> 7-3 Fixed bug in full message file creation in scanning dir as permissions
>   were wrong.
> 9 Added use POSIX to top of MessageBatch.pm so WNOHANG is defined.
>
> Jules
>

Jules

- --
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

For all your IT requirements visit www.transtec.co.uk

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.2 (Build 2014)
Charset: ISO-8859-1

wj8DBQFGr66FEfZZRxQVtlQRAmzyAKCQf5GlbHUG1qGubOVpltJvmtuRSwCfWgpq
tB+kbG00sSyczsivEGOGsTI=
=CR5m
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
For all your IT requirements visit www.transtec.co.uk

From stork at openenterprise.ca Tue Jul 31 22:53:06 2007
From: stork at openenterprise.ca (Johnny Stork)
Date: Tue Jul 31 22:53:35 2007
Subject: {Disarmed} Re: CRM114 - Problems with install - Almost There
In-Reply-To: <6115482898C59848B35DB9D491C9A28E04BAA7@srv1.home.middlefinger.net>
References: <1081714.8511185915187154.JavaMail.root@office.splatnix.net>
 <46AFAA05.3020101@openenterprise.ca>
 <6115482898C59848B35DB9D491C9A28E04BAA7@srv1.home.middlefinger.net>
Message-ID: <46AFAF42.2030606@openenterprise.ca>

Skipped content of type multipart/alternative
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stork.vcf
Type: text/x-vcard
Size: 330 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070731/60242c10/stork.vcf

From donald.dawson at bakerbotts.com Tue Jul 31 23:05:02 2007
From: donald.dawson at bakerbotts.com (donald.dawson@bakerbotts.com)
Date: Tue Jul 31 23:05:12 2007
Subject: MailScanner ANNOUNCE: Version 4.62.9 released
In-Reply-To: <46AFAE84.6090602@ecs.soton.ac.uk>
Message-ID:

thanks!

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Tuesday, July 31, 2007 4:50 PM
To: MailScanner discussion
Subject: Re: MailScanner ANNOUNCE: Version 4.62.9 released

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It's the stable August release. I just decided to release a few hours early.

donald.dawson@bakerbotts.com wrote:
> Is this the stable August release, or will there be a 4.63 shortly?
Jules - -- Julian Field MEng CITP www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 For all your IT requirements visit www.transtec.co.uk -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.6.2 (Build 2014) Charset: ISO-8859-1 wj8DBQFGr66FEfZZRxQVtlQRAmzyAKCQf5GlbHUG1qGubOVpltJvmtuRSwCfWgpq tB+kbG00sSyczsivEGOGsTI= =CR5m -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website!
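
Added sketch (not MailScanner's code and not its header format): how a watermark built from a shared secret and a lifetime, as in the `Watermark Secret` and `Watermark Lifetime = 432000` settings of the 4.62.9 announcement, can be issued by one server and checked by another before spam checks are skipped. The token layout, the binding to the envelope sender, the function names and the use of HMAC-SHA256 in place of the Digest::MD5 module the changelog mentions are all assumptions.

```python
import hashlib
import hmac
import time

LIFETIME = 432000  # seconds (5 days), the value shown in the announcement
PLACEHOLDER_SECRET = b"SET-THIS-TO-A-SECRET!"  # shipped default, never trust it


def _mac(secret: bytes, expiry: int, sender: str) -> str:
    # Hypothetical layout: MAC over "<expiry-hex>|<lowercased sender>".
    msg = f"{expiry:x}|{sender.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_watermark(secret: bytes, sender: str, now: int, lifetime: int = LIFETIME) -> str:
    """Return '<expiry-hex>-<mac>' binding the envelope sender to an expiry time."""
    expiry = now + lifetime
    return f"{expiry:x}-{_mac(secret, expiry, sender)}"


def check_watermark(secret: bytes, sender: str, value: str, now: int) -> str:
    """Classify a received watermark: 'valid', 'expired', 'forged' or 'malformed'."""
    expiry_hex, sep, mac = value.strip().partition("-")
    if not sep:
        return "malformed"
    try:
        expiry = int(expiry_hex, 16)
    except ValueError:
        return "malformed"
    expected = _mac(secret, expiry, sender)
    # Constant-time comparison; the MAC is checked before the expiry so that an
    # edited expiry field is reported as forged rather than accepted.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return "forged"
    if now > expiry:
        return "expired"
    return "valid"


def skip_spam_checks(secret, sender, headers, header_name, now):
    """Decide whether spam checks may be skipped; any doubt means scan anyway."""
    wanted = header_name.rstrip(":").lower()
    values = [v for k, v in headers if k.rstrip(":").lower() == wanted]
    if len(values) != 1:              # header missing or present more than once
        return False
    if secret == PLACEHOLDER_SECRET:  # unchanged default is known to everyone
        return False
    return check_watermark(secret, sender, values[0], now) == "valid"


if __name__ == "__main__":
    secret = b"constructed-example-secret"   # constructed value
    header = "MailScanner-example-Watermark:"  # constructed org name
    issued = int(time.time())
    wm = make_watermark(secret, "user@example.org", issued)
    print(header, wm)
    print(check_watermark(secret, "user@example.org", wm, issued + 60))
    print(check_watermark(secret, "user@example.org", wm, issued + LIFETIME + 1))
    print(skip_spam_checks(secret, "user@example.org", [(header, wm)], header, issued + 60))
```

Because a valid watermark switches spam scanning off, the secret has the same value to a spammer as a whitelist entry, which is why the sketch refuses the shipped placeholder and treats duplicate headers as untrusted.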