From Kevin_Miller at ci.juneau.ak.us Thu Mar 1 00:06:28 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Feb 28 23:11:51 2007
Subject: Image spam
In-Reply-To: <45E60854.3010402@fractalweb.com>
References: <45E5C5B1.9080208@fractalweb.com> <45E5CD22.3050206@lexairinc.com> <45E5DEE0.4090802@fractalweb.com> <022b01c75b76$977738f0$c665aad0$@swaney@fsl.com> <45E5E754.6060004@fractalweb.com><024301c75b8a$8b082610$a1187230$@swaney@fsl.com> <45E60854.3010402@fractalweb.com>
Message-ID:

Chris Yuzik wrote:
> Stephen Swaney wrote:
>>> How long of a GreetPause are you using?
>>>
>>>
>>
>> 650 ms on our service bureau for a long time now and never one
>> complaint.
>>
> Steve,
>
> And do you have any stats on just how effective the greet_pause is? Is
> it blocking 5% of spam? More?
>
> Chris

Can't speak for Steve, but when I finally did it here I saw about a
30-40% decrease in the number of messages accepted by sendmail. Had to
add a couple of servers to the access file, but only a couple. The rest
were zombies as nearly as I can tell. It's a simple addition with a
huge impact as far as I'm concerned...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From itdept at fractalweb.com Thu Mar 1 00:37:02 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Wed Feb 28 23:44:02 2007
Subject: Image spam
In-Reply-To:
References: <45E5C5B1.9080208@fractalweb.com> <45E5CD22.3050206@lexairinc.com> <45E5DEE0.4090802@fractalweb.com> <022b01c75b76$977738f0$c665aad0$@swaney@fsl.com> <45E5E754.6060004@fractalweb.com><024301c75b8a$8b082610$a1187230$@swaney@fsl.com> <45E60854.3010402@fractalweb.com>
Message-ID: <45E6121E.4040709@fractalweb.com>

Kevin Miller wrote:
>
> Can't speak for Steve, but when I finally did it here I saw about a
> 30-40% decrease in the number of messages accepted by sendmail. Had to
> add a couple of servers to the access file, but only a couple. The rest
> were zombies as nearly as I can tell. It's a simple addition with a
> huge impact as far as I'm concerned...
>
Kevin,

Wow. 30+% is HUGE! Can't wait to get that going here.

Thanks,
Chris

From ka at pacific.net Thu Mar 1 00:43:39 2007
From: ka at pacific.net (Ken A)
Date: Wed Feb 28 23:45:17 2007
Subject: URIBL FP-- better example
In-Reply-To: <45E5E8D6.80403@chapman.edu>
References: <45E5E8D6.80403@chapman.edu>
Message-ID: <45E613AB.9060504@pacific.net>

heh..
host auth.info.multi.uribl.com
auth.info.multi.uribl.com has address 127.0.0.2

That's funny.
blacklisted syslog config!

Ken A.
Pacific.Net

Jay Chandler wrote:
> Here's a better example-- I checked all the URLs I could find by hand...
>
>
> -------- Original Message --------
>
>
> Return-Path:
> X-Original-To: redacted@chapman.edu
> Delivered-To: redacted@chapman.edu
> Received: from smtp2.mathworks.com (smtp2.mathworks.com [144.212.95.218])
>     by spacecowboy.chapman.edu (Postfix) with ESMTP id 1E5F15C13F;
>     Wed, 28 Feb 2007 10:56:08 -0800 (PST)
> Received: from mail-vif.mathworks.com (fred-ce0.mathworks.com
>     [144.212.95.18])
>     by smtp2.mathworks.com (8.13.8/8.12.11) with ESMTP id
>     l1SInvOG009769;
>     Wed, 28 Feb 2007 13:52:10 -0500 (EST)
> Received: from fred-ce0.mathworks.com (mail-vif [144.212.95.101])
>     by mail-vif.mathworks.com (8.11.7/8.11.7) with ESMTP id
>     l1SIeXd09937;
>     Wed, 28 Feb 2007 13:40:33 -0500 (EST)
> Received: (from majordom@localhost)
>     by fred-ce0.mathworks.com (8.11.7/8.11.6) id l1SIeX709933;
>     Wed, 28 Feb 2007 13:40:33 -0500 (EST)
> X-Authentication-Warning: fred.mathworks.com: majordom set sender to
>     owner-toasters@mathworks.com using -f
> Received: from smtp.mathworks.com (ginger [144.212.95.28])
>     by mail-vif.mathworks.com (8.11.7/8.11.7) with ESMTP id l1SIeQd09821
>     for ; Wed, 28 Feb 2007 13:40:26 -0500 (EST)
> Received: from mx2.netapp.com (mx2.netapp.com [216.240.18.37])
>     by smtp.mathworks.com (8.13.8/8.12.11) with SMTP id l1SIeO8o006090
>     for ; Wed, 28 Feb 2007 13:40:25 -0500 (EST)
> Received: from smtp2.corp.netapp.com ([10.57.159.114])
>     by mx2.netapp.com with ESMTP; 28 Feb 2007 10:37:10 -0800
> X-IronPort-AV: i="4.14,231,1170662400"; d="scan'208";
>     a="37155937:sNHT30089311"
> Received: from
svlexc02.hq.netapp.com (svlexc02.corp.netapp.com
>     [10.57.157.136])
>     by smtp2.corp.netapp.com (8.13.1/8.13.1/NTAP-1.6) with ESMTP id
>     l1SIb9PL008173;
>     Wed, 28 Feb 2007 10:37:09 -0800 (PST)
> Received: from SACEXMV01.hq.netapp.com ([10.99.190.107]) by
>     svlexc02.hq.netapp.com with Microsoft SMTPSVC(5.0.2195.6713);
>     Wed, 28 Feb 2007 10:38:17 -0800
> x-mimeole: Produced By Microsoft Exchange V6.5
> Content-class: urn:content-classes:message
> MIME-Version: 1.0
> Content-Type: text/plain;
>     charset="us-ascii"
> Date: Wed, 28 Feb 2007 10:37:08 -0800
> Message-ID:
>
> In-Reply-To:
> <33A166465FC5A042A53EDA8EB7681610014FD74D@satladmdlmb37.delta.rl.delta.com>
> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: autosupport stops
> functioning Thread-Index:
> AcdadAYGFBWHqExdTu+usTKdpoxkzwAL57RAAC4/reAAAgU/QA==
> References:
> <33A166465FC5A042A53EDA8EB7681610014FD74D@satladmdlmb37.delta.rl.delta.com>
> From: "Learmonth, Peter"
> To: "Bender, Marilee" ,
> X-OriginalArrivalTime: 28 Feb 2007 18:38:17.0279 (UTC)
>     FILETIME=[9CBDC4F0:01C75B67]
> X-Greylist: Delayed for 00:03:14 by milter-greylist-2.0.2
>     (smtp.mathworks.com [144.212.95.12]); Wed, 28 Feb 2007 13:40:25 -0500 (EST)
> X-PMX-Version: 4.7.1.128075, Antispam-Engine: 2.5.0.283055, Antispam-Data:
>     2007.2.28.100436
> X-PerlMx-Spam: Gauge=IIIIIII, Probability=7%, Report='__C230066_P5 0, __CT
>     0, __CTE 0, __CTYPE_CHARSET_QUOTED 0, __CT_TEXT_PLAIN 0, __HAS_MSGID 0,
>     __IMS_MSGID 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __SANE_MSGID 0'
> Content-Transfer-Encoding: 8bit
> X-MIME-Autoconverted: from quoted-printable to 8bit by
>     mail-vif.mathworks.com id l1SIeUd09880
> Sender: owner-toasters@mathworks.com
> Precedence: bulk
> X-Chapman-MailScanner-Information: Please contact the ISP for more
>     information
> X-Chapman-MailScanner: Found to be clean
> X-Chapman-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=6.7,
>     required 6, BAYES_50 0.10, J_CHICKENPOX_21 0.60, URIBL_BLACK 6.00)
> X-Chapman-MailScanner-SpamScore: ssssss
> X-Chapman-MailScanner-From: owner-toasters@mathworks.com
> Subject: *****SPAM***** RE: autosupport stops functioning
> X-Spam-Status: Yes
>
>
> -----Original Message-----
> From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On
> Behalf Of Learmonth, Peter
> Sent: Wednesday, February 28, 2007 10:37 AM
> To: Bender, Marilee; toasters@mathworks.com
> Subject: *****SPAM***** RE: autosupport stops functioning
>
> Hi There
> I realize some of you may know this, but just in case...
>
> Asup to NetApp, as of around 6.4 or 6.5, has the option of sending to
> NetApp via HTTP or HTTPS. This was implemented because of issues Mike
> Sphar mentioned (SMTP relays not being configured to allow the filer to
> send to netapp.com or the config changing). Unless you block HTTP out
> of your datacenter, you should really use this transport. If you block
> direct HTTP, but have a proxy, there's an option for that too.
>
> autosupport.support.enable on
> autosupport.support.proxy
> autosupport.support.to autosupport@netapp.com <<<< Only used
> for SMTP
> autosupport.support.transport https
> autosupport.support.url
> support.netapp.com/asupprod/post/1.0/postAsup
> (url is hard-coded)
>
> HTTPS is the default for new installs. Systems that have been installed
> since before this option existed, or have been upgraded from an install
> that predates this may still be set to their original SMTP settings. I
> don't know off top of my head if any ONTAP upgrades change this at all.
>
> HTTP does not have the same message size limits that SMTP usually does.
>
> These options must be set from the CLI (console or telnet/SSH), since
> they're not exposed in FilerView.
>
> If you want to check if asup is working at all, when you might not be
> getting messages, ask support or your SE to check for asups at our end.
> The filer also syslogs errors encountered by asup, by default in
> /etc/messages and on the console, if connected when the problem occurs.
>
> The other reason I bring this up is that even if your filer is not under
> support, NetApp will still receive the asup messages.
We just won't
> open or act on cases automatically if there is no support in place. The
> messages are still useful in many ways, including if you ever decide to
> reactivate support, we have history we can use to help you. Also, if
> you want to upgrade (add-on or head swap), your NetApp SE can give you
> advice based on the asup info.
>
> Share and enjoy!
>
> Peter
>
> -----Original Message-----
> From: Bender, Marilee [mailto:Marilee.Bender@delta.com] Sent: Wednesday,
> February 28, 2007 9:26 AM
> To: toasters@mathworks.com
> Subject: FW: autosupport stops functioning
> We had this issue too. I agree with the post below that it could be
> message size. However, if it's just past asups that were too large
> because of the messages file (or one of the other attachments), you can
> set the autosupport.content size to minimal to delete all the queued
> asups, then "doit" to generate one without the attachments to see if you
> receive it, then put the content back to complete. It cleared the issue
> on one of our NearStores....the other one appears to have a "corrupt"
> character in the data chunk as viewed from the smtp server logs.
>
> -----Original Message-----
> From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com]
> On Behalf Of Sphar, Mike
> Sent: Tuesday, February 27, 2007 2:19 PM
> To: toasters@mathworks.com
> Subject: RE: autosupport stops functioning
> I don't think this is the same problem as the one originally posted, but
> we once had a similar problem here where autosupport messages stopped
> being received by netapp because our mail gateway was rejecting all
> messages larger than a certain size. We didn't even know they were
> bouncing (we weren't getting the bounces) until one of the mail admins
> finally said something about it.
>
>
> --
> Michael W. Sphar - IS&T - Lead Systems Administrator SMBU Engineering
> Support Services, BMC Software
>
>
> -----Original Message-----
> From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com]
> On Behalf Of Stephen C. Losen
> Sent: Tuesday, February 27, 2007 6:55 AM
> To: Leeds, Daniel
> Cc: toasters@mathworks.com
> Subject: Re: autosupport stops functioning
>>
>> anyone else have this happen?
>>
>> suddenly one of our filers stops generating autosupport messages.
> both autosupport.enable and autosupport.support.enable are on. if
> i generate a test email with the autosupport.doit option nothing
> happens.
> not even a failed message, the console just sits there as if i never
> generated one.
>>
>> needless to say neither netapp or our email server gets anything from
> this filer and nothing hits the console about generating any
> autosupport
> emails.
>>
>>
>
> One of our filers stopped sending weekly autosupports because
> the /etc/messages file was huge (170MB). It gets sent to netapp
> as part of the autosupport. I got an automatic email
> from Netapp support telling me that they hadn't received an
> autosupport for two weeks. Buried in my huge /etc/messages
> file was an error indicating that autosupport had failed, but
> no reason why.
>
> This particular filer holds our home directories and gets a lot of
> CIFS logins, which we want to log. We have enabled CIFS login
> tracing, which is very verbose.
>
> I used /etc/syslog.conf to divert the CIFS auth messages to another
> file:
>
> *.warning;auth.none /dev/console
> *.info;auth.none /etc/messages
> auth.info /etc/cifs_auth_log
>
> I rotate the cifs_auth_log with a cron job because I think ONTAP
> will only rotate /etc/messages.
>
> Now /etc/messages only grows to about 200K and autosupport is working
> again.
>
>
> Steve Losen scl@virginia.edu phone: 434-924-0640
>
> University of Virginia ITC Unix Support
>
>

From mkettler at evi-inc.com Thu Mar 1 01:07:58 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Mar 1 00:13:40 2007
Subject: URIBL FP-- better example
In-Reply-To: <45E613AB.9060504@pacific.net>
References: <45E5E8D6.80403@chapman.edu> <45E613AB.9060504@pacific.net>
Message-ID: <45E6195E.1000202@evi-inc.com>

Ken A wrote:
> heh..
> host auth.info.multi.uribl.com
> auth.info.multi.uribl.com has address 127.0.0.2
>
> That's funny.
> blacklisted syslog config!

It's also a registered domain, albeit with no NS records atm.

Domain Name:AUTH.INFO
Created On:20-Sep-2001 12:39:43 UTC
Last Updated On:21-Aug-2005 04:05:10 UTC
Registrant Name:Masato Kajimoto

Strangely it got listed in URIBL black on 2006-11-09 09:08:11 GMT, but I can
find no signs of any spam anywhere using this domain.

Perhaps it had a server back in November and someone hijacked it..

From ka at pacific.net Thu Mar 1 01:34:32 2007
From: ka at pacific.net (Ken A)
Date: Thu Mar 1 00:36:18 2007
Subject: URIBL FP-- better example
In-Reply-To: <45E6195E.1000202@evi-inc.com>
References: <45E5E8D6.80403@chapman.edu> <45E613AB.9060504@pacific.net> <45E6195E.1000202@evi-inc.com>
Message-ID: <45E61F98.7080504@pacific.net>

There should probably be some exceptions to the uri parser in SA,
assuming this is SA we are talking about. Now if it had a https?:// in
front of it, that would be different, but this was just plain text. I
wouldn't blame this on uribl.com.

Ken A
Pacific.Net

( p.s. I put some spaces in the domain in question below to get around
filters, and to hopefully avoid that lame auto-responding anti-spam
system... )

Matt Kettler wrote:
> Ken A wrote:
>> heh..
>> host auth .info.multi.uribl.com
>> auth. info.multi.uribl.com has address 127.0.0.2
>>
>> That's funny.
>> blacklisted syslog config!
>
> It's also a registered domain, albeit with no NS records atm.
>
> Domain Name:AUTH. INFO
> Created On:20-Sep-2001 12:39:43 UTC
> Last Updated On:21-Aug-2005 04:05:10 UTC
> Registrant Name:Masato Kajimoto
>
>
> Strangely it got listed in URIBL black on 2006-11-09 09:08:11 GMT, but I can
> find no signs of any spam anywhere using this domain.
>
> Perhaps it had a server back in November and someone hijacked it..

From mkettler at evi-inc.com Thu Mar 1 01:39:38 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Mar 1 00:45:14 2007
Subject: URIBL FP-- better example
In-Reply-To: <45E61F98.7080504@pacific.net>
References: <45E5E8D6.80403@chapman.edu> <45E613AB.9060504@pacific.net> <45E6195E.1000202@evi-inc.com> <45E61F98.7080504@pacific.net>
Message-ID: <45E620CA.6080208@evi-inc.com>

Ken A wrote:
> There should probably be some exceptions to the uri parser in SA,
> assuming this is SA we are talking about.

True. but you can do this pretty easily in SA. No need to hack the parser.

uridnsbl_skip_domain auth.info

> ( p.s. I put some spaces in the domain in question below to get around
> filters, and to hopefully avoid that lame auto-responding anti-spam
> system... )

Which one?

(I rarely see these, as I blacklist such servers immediately to make sure they
never DoS my server with their malicious misconfiguration.)

From ssilva at sgvwater.com Thu Mar 1 01:50:41 2007
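
The false positive in this thread, reproduced offline as an added example (it is not code from the list or from SpamAssassin). A simplified hostname matcher stands in for SpamAssassin's URI parser, the resolver is a constructed table holding only the answer Ken quoted, and the skip list plays the role of uridnsbl_skip_domain; all function names are hypothetical.

```python
import re

# Simplified stand-in for a schemeless-hostname heuristic. This is NOT
# SpamAssassin's parser; the TLD list is a small constructed subset.
HOST_RE = re.compile(
    r"(?<![\w.@-])"                              # not inside a longer token
    r"((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+"    # one or more labels
    r"(?:com|net|org|info))"                     # ending in a known TLD
    r"(?![\w-])",
    re.IGNORECASE,
)

URIBL_ZONE = "multi.uribl.com"
# Last-octet bit values, as used by SpamAssassin's stock URIBL_* rules.
URIBL_BITS = {2: "black", 4: "grey", 8: "red"}

# Constructed sample: plain-text lines taken from the flagged message body.
SAMPLE_BODY = """\
autosupport.support.url support.netapp.com/asupprod/post/1.0/postAsup
*.warning;auth.none /dev/console
*.info;auth.none /etc/messages
auth.info /etc/cifs_auth_log
"""

# Offline resolver table holding only the answer quoted in the thread.
RECORDED_ANSWERS = {"auth.info.multi.uribl.com": "127.0.0.2"}


def candidate_domains(text):
    """Return registered domains (last two labels) seen in text, in order."""
    seen = []
    for match in HOST_RE.finditer(text):
        domain = ".".join(match.group(1).lower().split(".")[-2:])
        if domain not in seen:
            seen.append(domain)
    return seen


def decode_answer(addr):
    """Map a DNSBL A record to list names; ignore anything outside 127.0.0.x."""
    if not addr or not addr.startswith("127.0.0."):
        return []
    last = int(addr.rsplit(".", 1)[1])
    return [name for bit, name in sorted(URIBL_BITS.items()) if last & bit]


def scan(text, resolver, skip_domains=()):
    """Look up each candidate domain; return {domain: [lists]} for listed ones."""
    skip = {d.lower() for d in skip_domains}
    hits = {}
    for domain in candidate_domains(text):
        if domain in skip:  # same effect as uridnsbl_skip_domain
            continue
        lists = decode_answer(resolver(f"{domain}.{URIBL_ZONE}"))
        if lists:
            hits[domain] = lists
    return hits


if __name__ == "__main__":
    print(candidate_domains(SAMPLE_BODY))
    print(scan(SAMPLE_BODY, RECORDED_ANSWERS.get))
    print(scan(SAMPLE_BODY, RECORDED_ANSWERS.get, skip_domains=["auth.info"]))
```
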
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Mar 1 00:56:21 2007
Subject: Image spam
In-Reply-To:
References: <45E5C5B1.9080208@fractalweb.com> <45E5CD22.3050206@lexairinc.com> <45E5DEE0.4090802@fractalweb.com> <022b01c75b76$977738f0$c665aad0$@swaney@fsl.com> <45E5E754.6060004@fractalweb.com> <45E5EDD9.6000900@nkpanama.com>
Message-ID:

Hugo van der Kooij spake the following on 2/28/2007 1:21 PM:
> On Wed, 28 Feb 2007, Alex Neuman van der Hans wrote:
>
>> Hugo van der Kooij wrote:
>>> Well. Snert in Dutch is either:
>>>
>>> - A thick pee soup. In orde to qualify one must be able to stick a
>>> sppon
>>> in and it should not fall sideway immediatly. It is closely
>>> related to
>>> skating outdoor. (But global warming disabled that feature here.)
>> My ancestors were Dutch - but I don't recall them having anything
>> closely resembling "pee soup" or any other dish which calls for "pee"
>> as an ingredient ... ;-)
>
> s/pee/pea (Sometimes there is a odd mismatch between mind and fingers
> resulting is funny typo's.)
>
> See also: http://en.wikipedia.org/wiki/Pea_soup
>
> Hugo.
>
It sure didn't sound very appetizing!

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ka at pacific.net Thu Mar 1 02:01:41 2007
From: ka at pacific.net (Ken A)
Date: Thu Mar 1 01:04:05 2007
Subject: URIBL FP-- better example
In-Reply-To: <45E620CA.6080208@evi-inc.com>
References: <45E5E8D6.80403@chapman.edu> <45E613AB.9060504@pacific.net> <45E6195E.1000202@evi-inc.com> <45E61F98.7080504@pacific.net> <45E620CA.6080208@evi-inc.com>
Message-ID: <45E625F5.8090000@pacific.net>

Matt Kettler wrote:
> Ken A wrote:
>> There should probably be some exceptions to the uri parser in SA,
>> assuming this is SA we are talking about.
>
> True. but you can do this pretty easily in SA. No need to hack the parser.
>
> uridnsbl_skip_domain auth.info

Thanks! I didn't know that existed.

>
>> ( p.s. I put some spaces in the domain in question below to get around
>> filters, and to hopefully avoid that lame auto-responding anti-spam
>> system... )
>
> Which one?
>

Received: from DMZen-MTA by mail.macpuarsa.es
    with Novell_GroupWise; Thu, 01 Mar 2007 00:44:07 +0100
Message-Id:
X-Mailer: Novell GroupWise Internet Agent 6.5.6
Date: Thu, 01 Mar 2007 00:43:47 +0100
From: "MANUEL CANSECO GARCIA"
Sender: Postmaster@macpuarsa.es
Reply-To: MCG@mpsistemas.es
Errors-To: Postmaster@macpuarsa.es
To: "Ken A"
Subject: Re: *****POSIBLE SPAM***** Re: URIBL FP-- better example
Mime-Version: 1.0

It was in Spanish, so I'm not really sure what it said, but I don't
really care either. :-\

Ken

> (I rarely see these, as I blacklist such servers immediately to make sure they
> never DoS my server with their malicious misconfiguration.)
>
>

From michael at dilworth.net Thu Mar 1 02:00:52 2007
From: michael at dilworth.net (Michael R. Dilworth)
Date: Thu Mar 1 01:06:33 2007
Subject: Julian Field in hospital
In-Reply-To:
Message-ID: <146d01c75b9d$0f895500$5713cc40@OCEANII>

> Boy was I depressed when I read the gmane thread. I've always thought
> that Jules was a hero for writing MailScanner, but he has moved into
> superhero status now -- doing amazing things in impossible circumstances.
> The rest of us would be happy just to tie our shoes if we had to put
> up with such pain and massive painkiller pills. How does Jules write
> such great code?
>
> My hat is off to you and my prayers are with you.
>
> Jeff Earickson
> Colby College
>

Seconded, words fail me, prayers don't.

(Add Santa Cruz,ca to the list...)

From itdept at fractalweb.com Thu Mar 1 06:24:36 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Thu Mar 1 05:31:14 2007
Subject: RBLs - in MailScanner, SpamAssassin, or right in Sendmail?
Message-ID: <45E66394.40309@fractalweb.com>

Hi Everyone,

Putting some final spit and polish on the new server before beginning
to move users over to it in the next few days.

As I'm editing and tweaking countless lines of .conf files, the
thought came to me *gasp* that there just might be a better way to do
things than the way I've always done them.

So. Best practice. RBLs in MailScanner.conf? Or better in SpamAssassin?
Or better yet in Sendmail.mc? Obviously I want the magical sweet spot
where I block 100.0000% of spam, with 0.000000% false positives. ;-)

Furthermore, which RBLs should I use? Others? Not some of these? I was
considering:
1) Spamhaus-Zen?
2) Spamcop.net
3) NJABL
4) safe.dnsbl.sorbs.net

Thanks,
Chris

From ka at pacific.net Thu Mar 1 07:26:04 2007
From: ka at pacific.net (Ken)
Date: Thu Mar 1 06:31:42 2007
Subject: RBLs - in MailScanner, SpamAssassin, or right in Sendmail?
In-Reply-To: <45E66394.40309@fractalweb.com>
References: <45E66394.40309@fractalweb.com>
Message-ID: <45E671FC.3050007@pacific.net>

Chris Yuzik wrote:
> Hi Everyone,
>
> Putting some final spit and polish on the new server before beginning
> to move users over to it in the next few days.
>
> As I'm editing and tweaking countless lines of .conf files, the
> thought came to me *gasp* that there just might be a better way to do
> things than the way I've always done them.
>
> So. Best practice.

depends on your userbase, your management's thinking on email (that is a
pita)

> RBLs in MailScanner.conf?

not usually....

> Or better in SpamAssassin?

more often this is the recommended way - give them a weight.

> Or better yet in Sendmail.mc? Obviously I want the magical sweet spot
> where I block 100.0000% of spam, with 0.000000% false positives. ;-)
>

Amen. Maybe Zen? Maybe Surbl? I'd say at least SBL. Opinions on this get
religious, so just test in SA and if something hits 100% for YOU, then
put it into something that blocks at sendmail, be it a milter or
whatever.

> Furthermore, which RBLs should I use? Others? Not some of these? I was
> considering:
> 1) Spamhaus-Zen?

Absolutely

> 2) Spamcop.net

Yes, in SA

> 3) NJABL

Some parts, I think are in Zen, but yes also in SA

> 4) safe.dnsbl.sorbs.net

dunno.

> Thanks,
> Chris

Just my $.02, from some experience with ~300k emails a day at a rural
ISP. ymmv.

Ken A
Pacific.Net

From hvdkooij at vanderkooij.org Thu Mar 1 07:55:50 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Mar 1 07:01:26 2007
Subject: RBLs - in MailScanner, SpamAssassin, or right in Sendmail?
In-Reply-To: <45E66394.40309@fractalweb.com>
References: <45E66394.40309@fractalweb.com>
Message-ID:

On Wed, 28 Feb 2007, Chris Yuzik wrote:

> So. Best practice. RBLs in MailScanner.conf? Or better in SpamAssassin? Or
> better yet in Sendmail.mc? Obviously I want the magical sweet spot where I
> block 100.0000% of spam, with 0.000000% false positives. ;-)
>
> Furthermore, which RBLs should I use? Others? Not some of these? I was
> considering:
> 1) Spamhaus-Zen?
> 2) Spamcop.net
> 3) NJABL
> 4) safe.dnsbl.sorbs.net

SORBS is sure gonna kill your 0% false positives record.

Hugo.

--
hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From mikechoo at opensos.net Thu Mar 1 08:41:05 2007
From: mikechoo at opensos.net (Michael Choo)
Date: Thu Mar 1 07:47:00 2007
Subject: Besides clamav what other AV for MS
In-Reply-To:
References:
Message-ID: <31999662-0FD0-423C-A271-D2060F978B3D@opensos.net>

On 01 Mar 2007, at 12:22 AM, Kevin Miller wrote:

> Truth be told however, I see very few viruses hitting my MailScanner
> box. I reject an awful lot of emails at the MTA via greet-pause and
> recipient/sender checking. I suspect that many of what would be virus
> laden messages are thus squelched before they're allowed anywhere near
> my mail servers. That shouldn't be construed as a suggestion that
> anybody slacken their AV profile - I'm just curious to know what
> sort of
> virus hit rate others see...

I run several MailScanner boxes.

With Greet-pause & sender checking, I get about 0.002% to 0.15%
With Greet-pause but without sender checking, I get about the same 0.001%

I guess most of it got stopped at Greet pause? or rather, virus
infected mails are not so common nowadays. Phishing on the other hand.

cheers
-Mike

--
Michael Choo
ACTC, APP 2006

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070301/bf771d52/attachment.html

From res at ausics.net Thu Mar 1 09:16:33 2007
From: res at ausics.net (Res)
Date: Thu Mar 1 08:22:21 2007
Subject: RBLs - in MailScanner, SpamAssassin, or right in Sendmail?
In-Reply-To: <45E66394.40309@fractalweb.com>
References: <45E66394.40309@fractalweb.com>
Message-ID:

On Wed, 28 Feb 2007, Chris Yuzik wrote:

> So. Best practice. RBLs in MailScanner.conf? Or better in SpamAssassin? Or
> better yet in Sendmail.mc? Obviously I want the magical sweet spot where I

In Sendmail, why accept all that extra trash, just to dump it later.

> block 100.0000% of spam, with 0.000000% false positives. ;-)

You will never get that, no matter what you use, RBL's S.A, anything.

Hope you're using 8.14.0, and enable:

FEATURE(`require_rdns')dnl
FEATURE(`block_bad_helo')dnl

...As a side note on bad_helo, you will need delay_checks enabled as well
or the feature won't work at all... (the docs are modified for this for
next release and something else I added to them which escapes me)

......Oh yeah, that's it :) don't rely on the access file for bypassing
bad_helo checks (for your winblows users who connect saying HELO
home.computer), you need the IP ranges in the /etc/mail/relay-domains
file.

> 1) Spamhaus-Zen?

Yes, highest hit count

> 2) Spamcop.net

Yes, catches a lot of overflow

> 3) NJABL

These guys used to be good, but in recent years the hit rate is very low,
you could do without it, but it won't hurt to use combined.njabl, however
since zen takes the DUL it's double lookup

> 4) safe.dnsbl.sorbs.net

Yes, catches even more overflow

I just use dnsbl.sorbs.net, aggressive, yes, they are non forgiving, ie:
where near all other 'wussy' RBLs not dare block hotmail or yahoo or gmail
(even though these three still count for just over 50% of the spammers) SORBS
will, still worth using though, in processing over a
million emails a day we never saw more than a dozen complaints a month.

--
Cheers
Res

"We can be Heroes, just for one day" - Davey (Jones) Bowie

From glenn.steen at gmail.com Thu Mar 1 09:52:27 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Mar 1 08:58:03 2007
Subject: clamav and mailscanner
In-Reply-To: <31180.209.104.55.7.1172698169.squirrel@mail.ziff.net>
References: <0e5c1b86ea5f784cbbe5cc5739a4766d@solidstatelogic.com> <4106.209.104.55.7.1172525095.squirrel@mail.ziff.net> <1172648388.21763.0.camel@miyagip.ziff.net.> <26942.209.104.55.7.1172685554.squirrel@mail.ziff.net> <223f97700702281106m3e6fdf70sef8c2701a725bc18@mail.gmail.com> <22107.209.104.55.7.1172690830.squirrel@mail.ziff.net> <59E4A3A1069C2640959AD0F7518C48122F08A0@FLN1.fln.local> <31180.209.104.55.7.1172698169.squirrel@mail.ziff.net>
Message-ID: <223f97700703010052k12a6aafci4d113687b791dc0c@mail.gmail.com>

On 28/02/07, Zivago Lee wrote:
> > Could be selinux . I hate that thing. It can be disabled/enabled until
> > reboot, or completely.
>
> I hate selinux too. :) Definitely disabled here, too...
>
Well... After changing it again yesterday, did it "anti-magically"
return to 0700 during the night?

There are things you could try I suppose, like running a manual
freshclam (after changing the permissions) as root and see whether
that resets them (rather doubt that:-), and check through any cron
scripts that might be involved (the freshclam one would be the first
to read through:).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From res at ausics.net Thu Mar 1 10:00:16 2007
From: res at ausics.net (Res)
Date: Thu Mar 1 09:06:04 2007
Subject: RBLs - in MailScanner, SpamAssassin, or right in Sendmail?
In-Reply-To:
References: <45E66394.40309@fractalweb.com>
Message-ID:

My my, damn typos, I need to get some sleep..

On Thu, 1 Mar 2007, Res wrote:

> (even though these three still count for just over 50% of the spammers) SORBS
> will, still worth using though, in processing over a
> million emails a day we never saw more than a dozen complaints a month.
>

Just to clarify this, that's a dozen all told, with SORBS, spamcop and
spamhaus combined.

Nite!

--
Cheers
Res

"We can be Heroes, just for one day" - Davey (Jones) Bowie

From garry at glendown.de Thu Mar 1 11:01:14 2007
From: garry at glendown.de (Garry Glendown)
Date: Thu Mar 1 10:06:00 2007
Subject: Julian Field in hospital
In-Reply-To: <20070226163637.GC29278@login.ecs.soton.ac.uk>
References: <20070226163637.GC29278@login.ecs.soton.ac.uk>
Message-ID: <45E6A46A.1080707@glendown.de>

Best wishes for quick recovery (as good as it can get at least, read
through the "short" description Julian gave ... :( )!!!

-garry

From tenderby at mailwash.com.au Thu Mar 1 11:10:49 2007
From: tenderby at mailwash.com.au (Tony Enderby)
Date: Thu Mar 1 10:16:43 2007
Subject: Clamav 0.90
Message-ID: <45E6A6A9.9080905@mailwash.com.au>

Apologies to the list if this has been answered earlier.

Just wondering if the mailscanner auto signature update scripts are
working with the new diff scheme
that clamav 0.90 is using and if not is there a workaround available?

Thanks in advance.

Tony.

-----------------------------------------------------------------------------------
Scanned by MailWash Australia - http://www.mailwash.com.au
-----------------------------------------------------------------------------------

From glenn.steen at gmail.com Thu Mar 1 11:29:26 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Mar 1 10:35:04 2007
Subject: Clamav 0.90
In-Reply-To: <45E6A6A9.9080905@mailwash.com.au>
References: <45E6A6A9.9080905@mailwash.com.au>
Message-ID: <223f97700703010229h48ae03eib40f2cd217e797d@mail.gmail.com>

On 01/03/07, Tony Enderby wrote:
> Apologies to the list if this has been answered earlier.
>
> Just wondering if the mailscanner auto signature update scripts are
> working with the new diff scheme
> that clamav 0.90 is using and if not is there a workaround available?
>
> Thanks in advance.
>
> Tony.

The autoupdate for clam is a wrapper around freshclam, more or less,
so it _should_ work OK.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Mar 1 11:33:40 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Mar 1 10:39:13 2007
Subject: Clamav 0.90
In-Reply-To: <223f97700703010229h48ae03eib40f2cd217e797d@mail.gmail.com>
References: <45E6A6A9.9080905@mailwash.com.au> <223f97700703010229h48ae03eib40f2cd217e797d@mail.gmail.com>
Message-ID: <223f97700703010233pb2d06b5ia753bf2388970a67@mail.gmail.com>

On 01/03/07, Glenn Steen wrote:
> On 01/03/07, Tony Enderby wrote:
> > Apologies to the list if this has been answered earlier.
> >
> > Just wondering if the mailscanner auto signature update scripts are
> > working with the new diff scheme
> > that clamav 0.90 is using and if not is there a workaround available?
> >
> > Thanks in advance.
> >
> > Tony.
>
> The autoupdate for clam is a wrapper around freshclam, more or less,
> so it _should_ work OK.
>
... if you use clamavmodule, you might want to add the new
"incremental" thingies to the watched files (in MailScanner.conf)...
Search the "recent past" list archive, there was some post about it.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Howard at harper-adams.ac.uk Thu Mar 1 11:33:44 2007
From: Howard at harper-adams.ac.uk (Howard Robinson)
Date: Thu Mar 1 10:40:13 2007
Subject: Fwd: Moving Quarantine DONE
Message-ID:

Dear list

On the 27th I posted this query which Glenn Steen kindly replied to.

"I would like to move the whole quarantine directory to another
partition to make better use of disk space and reduce the chance of
running out of disk space on the /var partition which is getting fairly
full.
Am I right in adopting the following? Is it that simple?
1) stop mailscanner
2) copy quarantine to its new location.
3) alter MailScanner.conf so it points to the new location.
4) restart MailScanner.
"

His answer and now mine is yes it is that simple and by moving to the
new quarantine directory and using

cp /var/spool/MailScanner/quarantine/. . -prv

All files rights etc were copied over and Mailscanner and MailWatch are
both now using the new location.

Thanks

Regards

Howard Robinson,
(Senior Technical Development Officer),
Harper Adams University College,
Edgmond,
Newport,
Shropshire ,
TF10 8NB.
Tel. Direct 01952 815253
Tel. Switch Board 01952 820280
Fax 01952 814783
Email hrobinson@harper-adams.ac.uk
Web www.harper-adams.ac.uk

-------------- next part --------------
An embedded message was scrubbed...
From: "Howard Robinson"
Subject: Moving Quarantine
Date: Tue, 27 Feb 2007 09:51:29 +0000
Size: 1174
Url: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070301/0cf37d05/attachment.mht

From tenderby at mailwash.com.au Thu Mar 1 11:42:53 2007
From: tenderby at mailwash.com.au (Tony Enderby) Date: Thu Mar 1 10:48:44 2007 Subject: Clamav 0.90 In-Reply-To: <223f97700703010233pb2d06b5ia753bf2388970a67@mail.gmail.com> References: <45E6A6A9.9080905@mailwash.com.au> <223f97700703010229h48ae03eib40f2cd217e797d@mail.gmail.com> <223f97700703010233pb2d06b5ia753bf2388970a67@mail.gmail.com> Message-ID: <45E6AE2D.7030700@mailwash.com.au> Cheers Glenn. Will check it out. Glenn Steen wrote: > On 01/03/07, Glenn Steen wrote: >> On 01/03/07, Tony Enderby wrote: >> > Apologies to the list if this has been answered earlier. >> > >> > Just wondering if the mailscanner auto signature update scripts are >> > working with the new diff scheme >> > that clamav 0.90 is using and if not is there a workaround available? >> > >> > Thanks in advance. >> > >> > Tony. >> >> The autoupdate for clam is a wrapper around freshclam, more or less, >> so it _should_ work OK. >> > ... if you use clamavmodule, you might want to add the new > "incremental" thingies to the watched files (in MailScanner.conf)... > Search the "recent past" list archive, there was some post about it. > -- Kind Regards, Tony Enderby. Technical Director - MailWash Australia. Premium Anti-Spam / Anti Virus / Identity theft protection. http://www.mailwash.com.au ----------------------------------------------------------------------------------- Scanned by MailWash Australia - http://www.mailwash.com.au ----------------------------------------------------------------------------------- From prandal at herefordshire.gov.uk Thu Mar 1 12:26:41 2007 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Thu Mar 1 11:32:31 2007 Subject: Clamav 0.90 Message-ID: <79755AA4E018084793EE618A2731F24C02B421@HC-MBX01.herefordshire.gov.uk> The file to watch is /usr/local/share/clamav/daily.inc/daily.info Check to see where your daily.info directory is and adjust accordingly. Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Tony Enderby > Sent: 01 March 2007 10:43 > To: MailScanner discussion > Subject: Re: Clamav 0.90 > > Cheers Glenn. > > Will check it out. > > Glenn Steen wrote: > > On 01/03/07, Glenn Steen wrote: > >> On 01/03/07, Tony Enderby wrote: > >> > Apologies to the list if this has been answered earlier. > >> > > >> > Just wondering if the mailscanner auto signature update > scripts are > >> > working with the new diff scheme > >> > that clamav 0.90 is using and if not is there a > workaround available? > >> > > >> > Thanks in advance. > >> > > >> > Tony. > >> > >> The autoupdate for clam is a wrapper around freshclam, > more or less, > >> so it _should_ work OK. > >> > > ... if you use clamavmodule, you might want to add the new > > "incremental" thingies to the watched files (in MailScanner.conf)... > > Search the "recent past" list archive, there was some post about it. > > > > -- > Kind Regards, > > Tony Enderby. > > Technical Director - MailWash Australia. > Premium Anti-Spam / Anti Virus / Identity theft protection. > http://www.mailwash.com.au > > > -------------------------------------------------------------- > --------------------- > Scanned by MailWash Australia - http://www.mailwash.com.au > -------------------------------------------------------------- > --------------------- > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From prandal at herefordshire.gov.uk Thu Mar 1 12:32:20 2007 
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Thu Mar 1 11:38:07 2007
Subject: RBLs - in MailScanner, SpamAssassin, or right in Sendmail?
Message-ID: <79755AA4E018084793EE618A2731F24C02B429@HC-MBX01.herefordshire.gov.uk>

Read spamhaus's terms of use for zen (can't give you the url because www.spamhaus.org is temporarily unavailable) - if you're a high-volume site you're supposed to subscribe.

Alternatively use cbl.abuseat.org (incorporated in zen) at the MTA level.

I've seen too many false positives with spamcop to be able to use it at the MTA level.

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Chris Yuzik
> Sent: 01 March 2007 05:25
> To: MailScanner discussion
> Subject: RBLs - in MailScanner, SpamAssassin, or right in Sendmail?
>
> Hi Everyone,
>
> Putting some final spit and polish on the new server before beginning to
> move users over to it in the next few days.
>
> As I'm editing and tweaking countless lines of .conf files, the thought
> came to me *gasp* that there just might be a better way to do things
> than the way I've always done them.
>
> So. Best practice. RBLs in MailScanner.conf? Or better in SpamAssassin?
> Or better yet in Sendmail.mc? Obviously I want the magical sweet spot
> where I block 100.0000% of spam, with 0.000000% false positives. ;-)
>
> Furthermore, which RBLs should I use? Others? Not some of these? I was
> considering:
> 1) Spamhaus-Zen?
> 2) Spamcop.net
> 3) NJABL
> 4) safe.dnsbl.sorbs.net
>
> Thanks,
> Chris

From campbell at cnpapers.com Thu Mar 1 15:18:22 2007
From: campbell at cnpapers.com (Steve Campbell)
Date: Thu Mar 1 14:24:30 2007
Subject: Julian Field in hospital
References: <20070226163637.GC29278@login.ecs.soton.ac.uk>
Message-ID: <01ad01c75c0c$78552f40$0705000a@ddf5dw71>

After discussing a few issues off-list with Mr. Julian Field, I discovered that he is truly a very warm and generous individual. I can only hope that he recovers quickly as the world is always in need of his presence and influence.

I really like the postcard thing. They are such a forgotten means of communication that can be personalized, held and kept forever.

Get well soon from West Virginia, USA.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Tim Chown"
To:
Sent: Monday, February 26, 2007 11:36 AM
Subject: Julian Field in hospital

> Hi,
>
> I work with Jules at the University of Southampton and sadly we have
> to report that he was admitted to hospital on Friday having been
> found collapsed at home.
>
> He's currently in a critical condition in hospital, but is stable.
>
> Obviously there will not be any mailscanner development or maintenance
> by Jules for the immediate future, but we hope everyone on this list
> will join us in wishing him all the best towards a full recovery.
>
> We'll let the list know of significant changes in his condition, and
> in due course where get well messages or cards can be sent.
>
> If someone here has permissions to post the message on to the mailscanner
> announce list, please do so.
>
> --
> Tim

From Jim at jameswest.com Thu Mar 1 17:43:19 2007
From: Jim at jameswest.com (Jim West) Date: Thu Mar 1 16:49:24 2007 Subject: Julian Field in hospital In-Reply-To: References: <20070226163637.GC29278@login.ecs.soton.ac.uk> <20070227224833.GC6003@login.ecs.soton.ac.uk> Message-ID: <7.0.1.0.2.20070301094218.05689008@jameswest.com> >Get well soon! Our thoughts are with you from Colorado. - Jim West From sboone at pyrontechnologies.com Thu Mar 1 17:52:45 2007 From: sboone at pyrontechnologies.com (Steve Boone) Date: Thu Mar 1 17:00:03 2007 Subject: Julian Field in hospital References: <20070226163637.GC29278@login.ecs.soton.ac.uk> Message-ID: Hope you get well soon Julian! All of our thoughts and prayers are with you from Missoula, Montana, US. Best wishes for a speedy recovery and we look forward to hearing from you on the list again soon! Sincerely, Steven Boone System Engineer Pyron Technologies Inc. sboone@pyrontechnologies.com -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tim Chown
Sent: Monday, February 26, 2007 9:37 AM
To: mailscanner@lists.mailscanner.info
Subject: Julian Field in hospital

Hi,

I work with Jules at the University of Southampton and sadly we have to report that he was admitted to hospital on Friday having been found collapsed at home.

He's currently in a critical condition in hospital, but is stable.

Obviously there will not be any mailscanner development or maintenance by Jules for the immediate future, but we hope everyone on this list will join us in wishing him all the best towards a full recovery.

We'll let the list know of significant changes in his condition, and in due course where get well messages or cards can be sent.

If someone here has permissions to post the message on to the mailscanner announce list, please do so.

--
Tim

From tjc at ecs.soton.ac.uk Thu Mar 1 18:26:38 2007
From: tjc at ecs.soton.ac.uk (Tim Chown)
Date: Thu Mar 1 17:32:44 2007
Subject: Julian Field in hospital
In-Reply-To: <45E59A97.6010506@coders.co.uk>
References: <45E58D82.8060409@coders.co.uk> <45E595A8.30308@pixelhammer.com> <45E59A97.6010506@coders.co.uk>
Message-ID: <20070301172638.GB702@login.ecs.soton.ac.uk>

Hi all,

Today's update is that Jules had a 'minor' operation midday to stem some more bleeding, but this was deemed a qualified success (in that a minor complication arose that was dealt with).

He's now back in the ICU under watch.

--
Tim

From z at ziff.net Thu Mar 1 19:11:08 2007
From: z at ziff.net (Zivago Lee)
Date: Thu Mar 1 18:17:00 2007
Subject: clamav and mailscanner
In-Reply-To: <223f97700703010052k12a6aafci4d113687b791dc0c@mail.gmail.com>
References: <0e5c1b86ea5f784cbbe5cc5739a4766d@solidstatelogic.com> <4106.209.104.55.7.1172525095.squirrel@mail.ziff.net> <1172648388.21763.0.camel@miyagip.ziff.net.> <26942.209.104.55.7.1172685554.squirrel@mail.ziff.net> <223f97700702281106m3e6fdf70sef8c2701a725bc18@mail.gmail.com> <22107.209.104.55.7.1172690830.squirrel@mail.ziff.net> <59E4A3A1069C2640959AD0F7518C48122F08A0@FLN1.fln.local> <31180.209.104.55.7.1172698169.squirrel@mail.ziff.net> <223f97700703010052k12a6aafci4d113687b791dc0c@mail.gmail.com>
Message-ID: <32765.209.104.55.7.1172772668.squirrel@mail.ziff.net>

> Well... After changing it again yesterday, did it "anti-magically"
> return to 0700 during the night?
> There are things you could try I suppose, like running a manual
> freshclam (after changing the permissions) as root and see whether
> that resets them (rather doubt that:-), and check through any cron
> scripts that might be involved (the freshclam one would be the first
> to read through:).

Actually, yes it did. I was just on the clamav-users list and here is an email from the Tomasz:

====
On Thu, 01 Mar 2007 11:09:49 -0500
Craig Green wrote:

> The failure happens when the perms on the daily.inc directory
> mysteriously become 700 and thus deny group reads. Since the vast

Thanks for the good report, the problem is now fixed in SVN.

--
   oo    .....         Tomasz Kojm
  (\/)\.........       http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._     0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\        Thu Mar 1 17:47:37 CET 2007
====

I guess I will turn off the freshclam daemon for the time being and just manually do it every day.

Thanks,
Zivago

--
Zivago Lee
z@ziff.net

From glenn.steen at gmail.com Thu Mar 1 19:35:53 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 1 18:41:44 2007 Subject: clamav and mailscanner In-Reply-To: <32765.209.104.55.7.1172772668.squirrel@mail.ziff.net> References: <0e5c1b86ea5f784cbbe5cc5739a4766d@solidstatelogic.com> <1172648388.21763.0.camel@miyagip.ziff.net.> <26942.209.104.55.7.1172685554.squirrel@mail.ziff.net> <223f97700702281106m3e6fdf70sef8c2701a725bc18@mail.gmail.com> <22107.209.104.55.7.1172690830.squirrel@mail.ziff.net> <59E4A3A1069C2640959AD0F7518C48122F08A0@FLN1.fln.local> <31180.209.104.55.7.1172698169.squirrel@mail.ziff.net> <223f97700703010052k12a6aafci4d113687b791dc0c@mail.gmail.com> <32765.209.104.55.7.1172772668.squirrel@mail.ziff.net> Message-ID: <223f97700703011035j7ab50fdcm89968d7b87dec08@mail.gmail.com> On 01/03/07, Zivago Lee wrote: > > Well... After changing it again yesterday, did it "anti-magically" > > return to 0700 during the night? > > There are things you could try I suppose, like running a manual > > freshclam (after changing the permissions) as root and see whether > > that resets them (rather doubt that:-), and check through any cron > > scripts that might be involved (the freshclam one would be the first > > to read through:). > > Actually, yes it did. I was just on the clamav-users list and here is an > email from the Tomasz: > > ==== > On Thu, 01 Mar 2007 11:09:49 -0500 > Craig Green wrote: > > > The failure happens when the perms on the daily.inc directory > > mysteriously become 700 and thus deny group reads. Since the vast > > Thanks for the good report, the problem is now fixed in SVN. > > -- > oo ..... Tomasz Kojm > (\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg > \..........._ 0DCA5A08407D5288279DB43454822DC8985A444B > //\ /\ Thu Mar 1 17:47:37 CET 2007 > ==== > > I guess I will turn off the freshclam daemon for the timebeing and just > manually do it everyday. > > Thanks, > Zivago > Thanks for the update Zivago. 
As a stopgap you _could_ enhance the autoupdate script to reset the perms, but that might be run as postfix too... which might not work that well:-). Or just gut it out till they produce an update. As it is rather big change going to .90, I'd guess that we'll see a new one rather sooner than later (that always being the trend with any software version X.0:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From z at ziff.net Thu Mar 1 20:02:46 2007
From: z at ziff.net (Zivago Lee) Date: Thu Mar 1 19:08:30 2007 Subject: clamav and mailscanner In-Reply-To: <223f97700703011035j7ab50fdcm89968d7b87dec08@mail.gmail.com> References: <0e5c1b86ea5f784cbbe5cc5739a4766d@solidstatelogic.com> <1172648388.21763.0.camel@miyagip.ziff.net.> <26942.209.104.55.7.1172685554.squirrel@mail.ziff.net> <223f97700702281106m3e6fdf70sef8c2701a725bc18@mail.gmail.com> <22107.209.104.55.7.1172690830.squirrel@mail.ziff.net> <59E4A3A1069C2640959AD0F7518C48122F08A0@FLN1.fln.local> <31180.209.104.55.7.1172698169.squirrel@mail.ziff.net> <223f97700703010052k12a6aafci4d113687b791dc0c@mail.gmail.com> <32765.209.104.55.7.1172772668.squirrel@mail.ziff.net> <223f97700703011035j7ab50fdcm89968d7b87dec08@mail.gmail.com> Message-ID: <10257.209.104.55.7.1172775766.squirrel@mail.ziff.net> > On 01/03/07, Zivago Lee wrote: >> > Well... After changing it again yesterday, did it "anti-magically" >> > return to 0700 during the night? >> > There are things you could try I suppose, like running a manual >> > freshclam (after changing the permissions) as root and see whether >> > that resets them (rather doubt that:-), and check through any cron >> > scripts that might be involved (the freshclam one would be the first >> > to read through:). >> >> Actually, yes it did. I was just on the clamav-users list and here is >> an >> email from the Tomasz: >> >> ==== >> On Thu, 01 Mar 2007 11:09:49 -0500 >> Craig Green wrote: >> >> > The failure happens when the perms on the daily.inc directory >> > mysteriously become 700 and thus deny group reads. Since the vast >> >> Thanks for the good report, the problem is now fixed in SVN. >> >> -- >> oo ..... Tomasz Kojm >> (\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg >> \..........._ 0DCA5A08407D5288279DB43454822DC8985A444B >> //\ /\ Thu Mar 1 17:47:37 CET 2007 >> ==== >> >> I guess I will turn off the freshclam daemon for the timebeing and just >> manually do it everyday. >> > Thanks for the update Zivago. 
As a stopgap you _could_ enhance the
> autoupdate script to reset the perms, but that might be run as postfix
> too... which might not work that well:-).
> Or just gut it out till they produce an update. As it is rather big
> change going to .90, I'd guess that we'll see a new one rather sooner
> than later (that always being the trend with any software version
> X.0:-).

I was looking at the freshclam.conf, I saw this:

#OnUpdateExecute command

Maybe I could have it chmod 755 the dir after it does an update.

--
Zivago Lee
z@ziff.net

From itdept at fractalweb.com Thu Mar 1 20:14:14 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Thu Mar 1 19:20:31 2007
Subject: implementing SPF, which milter?
Message-ID: <45E72606.2090004@fractalweb.com>

I understand that I need a milter to implement SPF (we use Sendmail). Anyone have any recommendations?

From Kevin_Miller at ci.juneau.ak.us Thu Mar 1 20:21:40 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Mar 1 19:27:07 2007
Subject: implementing SPF, which milter?
In-Reply-To: <45E72606.2090004@fractalweb.com>
References: <45E72606.2090004@fractalweb.com>
Message-ID:

Chris Yuzik wrote:
> I understand that I need a milter to implement SPF (we use Sendmail).
> Anyone have any recommendations?

You don't strictly need it - spamassassin will score based on spf. But it's good to have one. I'm not yet running SPF on my MTA (need to get to that!) but have been using the smf-sav milter and have been happy with it. There's an smf-spf milter too. Might give that one a try - that's what I'll install when I get some time...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From itdept at fractalweb.com Thu Mar 1 20:40:19 2007
From: itdept at fractalweb.com (Chris Yuzik) Date: Thu Mar 1 19:47:04 2007 Subject: implementing SPF, which milter? In-Reply-To: References: <45E72606.2090004@fractalweb.com> Message-ID: <45E72C23.1030600@fractalweb.com> Kevin Miller wrote: > You don't strictly need it - spamassassin will score based on spf. But > it's good to have one. I'm not yet running SPF on my MTA (need to get > to that!) but have been using the smf-sav milter and have been happy > with it. There's an smf-spf milter too. Might give that one a try - > that's what I'll install when I get some time... > Kevin, Thanks for the quick response. I wasn't aware that spamassassin will score based on spf; any idea what version this started with? I suppose it would be better to run SMF-SPF, thereby putting less load on MailScanner (and friends). Thanks, Chris From mkettler at evi-inc.com Thu Mar 1 20:48:03 2007 
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Mar 1 19:53:48 2007
Subject: implementing SPF, which milter?
In-Reply-To: <45E72C23.1030600@fractalweb.com>
References: <45E72606.2090004@fractalweb.com> <45E72C23.1030600@fractalweb.com>
Message-ID: <45E72DF3.8010200@evi-inc.com>

Chris Yuzik wrote:
> Kevin Miller wrote:
>> You don't strictly need it - spamassassin will score based on spf. But
>> it's good to have one. I'm not yet running SPF on my MTA (need to get
>> to that!) but have been using the smf-sav milter and have been happy
>> with it. There's an smf-spf milter too. Might give that one a try -
>> that's what I'll install when I get some time...
>>
> Kevin,
>
> Thanks for the quick response. I wasn't aware that spamassassin will
> score based on spf; any idea what version this started with?

SPF support debuted in version 3.0.0

You may need to modify init.pre to load the SPF plugin.

You also need to install Mail::SPF::Query and Net::DNS >= 0.34, otherwise SA won't use SPF.

> I suppose it would be better to run SMF-SPF, thereby putting less load
> on MailScanner (and friends).

This is true.

From glenn.steen at gmail.com Thu Mar 1 21:36:11 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 1 20:42:07 2007 Subject: clamav and mailscanner In-Reply-To: <10257.209.104.55.7.1172775766.squirrel@mail.ziff.net> References: <0e5c1b86ea5f784cbbe5cc5739a4766d@solidstatelogic.com> <26942.209.104.55.7.1172685554.squirrel@mail.ziff.net> <223f97700702281106m3e6fdf70sef8c2701a725bc18@mail.gmail.com> <22107.209.104.55.7.1172690830.squirrel@mail.ziff.net> <59E4A3A1069C2640959AD0F7518C48122F08A0@FLN1.fln.local> <31180.209.104.55.7.1172698169.squirrel@mail.ziff.net> <223f97700703010052k12a6aafci4d113687b791dc0c@mail.gmail.com> <32765.209.104.55.7.1172772668.squirrel@mail.ziff.net> <223f97700703011035j7ab50fdcm89968d7b87dec08@mail.gmail.com> <10257.209.104.55.7.1172775766.squirrel@mail.ziff.net> Message-ID: <223f97700703011236l2e93048cx1c6f66edc534255f@mail.gmail.com> On 01/03/07, Zivago Lee wrote: > > > On 01/03/07, Zivago Lee wrote: (snip) > > Thanks for the update Zivago. As a stopgap you _could_ enhace the > > autoupdate script to reset the perms, but that might be run as postfix > > too... which might not work that well:-). > > Or just gut it out till they produce an update. As it is rather big > > change going to .90, I'd guess that we'll see a new one rather soner > > than later (that always being the trend with any software version > > X.0:-). > > I was looking at the freshclam.conf, I saw this: > > #OnUpdateExecute command > > Maybe I could have it chmod 755 the dir after it does an update. Definitely worth trying. Let us know how it goes. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Thu Mar 1 21:43:15 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Mar 1 20:49:08 2007 Subject: clamav and mailscanner In-Reply-To: <223f97700703011236l2e93048cx1c6f66edc534255f@mail.gmail.com> References: <0e5c1b86ea5f784cbbe5cc5739a4766d@solidstatelogic.com> <26942.209.104.55.7.1172685554.squirrel@mail.ziff.net> <223f97700702281106m3e6fdf70sef8c2701a725bc18@mail.gmail.com> <22107.209.104.55.7.1172690830.squirrel@mail.ziff.net> <59E4A3A1069C2640959AD0F7518C48122F08A0@FLN1.fln.local> <31180.209.104.55.7.1172698169.squirrel@mail.ziff.net> <223f97700703010052k12a6aafci4d113687b791dc0c@mail.gmail.com> <32765.209.104.55.7.1172772668.squirrel@mail.ziff.net> <223f97700703011035j7ab50fdcm89968d7b87dec08@mail.gmail.com> <10257.209.104.55.7.1172775766.squirrel@mail.ziff.net> <223f97700703011236l2e93048cx1c6f66edc534255f@mail.gmail.com> Message-ID: Glenn Steen spake the following on 3/1/2007 12:36 PM: > On 01/03/07, Zivago Lee wrote: >> >> > On 01/03/07, Zivago Lee wrote: > (snip) >> > Thanks for the update Zivago. As a stopgap you _could_ enhace the >> > autoupdate script to reset the perms, but that might be run as postfix >> > too... which might not work that well:-). >> > Or just gut it out till they produce an update. As it is rather big >> > change going to .90, I'd guess that we'll see a new one rather soner >> > than later (that always being the trend with any software version >> > X.0:-). >> >> I was looking at the freshclam.conf, I saw this: >> >> #OnUpdateExecute command >> >> Maybe I could have it chmod 755 the dir after it does an update. > Definitely worth trying. Let us know how it goes. > > Cheers Is that only a problem with postfix installs? I have had it running for over a week and my daily.inc dir is still 755. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From glenn.steen at gmail.com Thu Mar 1 22:14:44 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 1 21:20:54 2007 Subject: clamav and mailscanner In-Reply-To: References: <0e5c1b86ea5f784cbbe5cc5739a4766d@solidstatelogic.com> <22107.209.104.55.7.1172690830.squirrel@mail.ziff.net> <59E4A3A1069C2640959AD0F7518C48122F08A0@FLN1.fln.local> <31180.209.104.55.7.1172698169.squirrel@mail.ziff.net> <223f97700703010052k12a6aafci4d113687b791dc0c@mail.gmail.com> <32765.209.104.55.7.1172772668.squirrel@mail.ziff.net> <223f97700703011035j7ab50fdcm89968d7b87dec08@mail.gmail.com> <10257.209.104.55.7.1172775766.squirrel@mail.ziff.net> <223f97700703011236l2e93048cx1c6f66edc534255f@mail.gmail.com> Message-ID: <223f97700703011314o1b76e8cdlc30990551b0e6181@mail.gmail.com> On 01/03/07, Scott Silva wrote: > Glenn Steen spake the following on 3/1/2007 12:36 PM: > > On 01/03/07, Zivago Lee wrote: > >> > >> > On 01/03/07, Zivago Lee wrote: > > (snip) > >> > Thanks for the update Zivago. As a stopgap you _could_ enhace the > >> > autoupdate script to reset the perms, but that might be run as postfix > >> > too... which might not work that well:-). > >> > Or just gut it out till they produce an update. As it is rather big > >> > change going to .90, I'd guess that we'll see a new one rather soner > >> > than later (that always being the trend with any software version > >> > X.0:-). > >> > >> I was looking at the freshclam.conf, I saw this: > >> > >> #OnUpdateExecute command > >> > >> Maybe I could have it chmod 755 the dir after it does an update. > > Definitely worth trying. Let us know how it goes. > > > > Cheers > Is that only a problem with postfix installs? > I have had it running for over a week and my daily.inc dir is still 755. Any MTA running as something other than root, more or less meaning PF, yes:-) I've been holding off a bit (lack time for major, or even minor, changes ATM), but I suppose I'll have to move up sooner or later ... 
perhaps tomorrow:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From res at ausics.net Thu Mar 1 22:22:37 2007
From: res at ausics.net (Res)
Date: Thu Mar 1 21:28:32 2007
Subject: implementing SPF, which milter?
In-Reply-To: <45E72606.2090004@fractalweb.com>
References: <45E72606.2090004@fractalweb.com>
Message-ID:

On Thu, 1 Mar 2007, Chris Yuzik wrote:

> I understand that I need a milter to implement SPF (we use Sendmail). Anyone
> have any recommendations?

smf-spf

>

--
Cheers
Res

"We can be Heroes, just for one day" - Davey (Jones) Bowie

From jfagan at firstlightnetworks.com Thu Mar 1 22:46:37 2007
From: jfagan at firstlightnetworks.com (James Fagan)
Date: Thu Mar 1 21:50:53 2007
Subject: implementing SPF, which milter?
In-Reply-To:
References: <45E72606.2090004@fractalweb.com>
Message-ID: <59E4A3A1069C2640959AD0F7518C48122F08AC@FLN1.fln.local>

> On Thu, 1 Mar 2007, Chris Yuzik wrote:
>
> > I understand that I need a milter to implement SPF (we use Sendmail).
> > Anyone have any recommendations?
>
> smf-spf
>

I used this for a while. The reason I stopped using this milter is that SO many systems have invalid spf records and some other weird shared IP hosting that made it more trouble than it was worth and this was nearly impossible to explain to our customers. Yes, there is a whitelist you can implement, but I don't want to have to add domains a day to this file.

I love the idea of spf, but I don't think there are enough correctly configured domains to warrant its use. I would continue to let spamassassin catch them for you.

Of course your experience may be different than mine.

Good Luck!

James

From res at ausics.net Thu Mar 1 22:50:55 2007
From: res at ausics.net (Res)
Date: Thu Mar 1 21:56:47 2007
Subject: implementing SPF, which milter?
In-Reply-To: <59E4A3A1069C2640959AD0F7518C48122F08AC@FLN1.fln.local>
References: <45E72606.2090004@fractalweb.com> <59E4A3A1069C2640959AD0F7518C48122F08AC@FLN1.fln.local>
Message-ID:

On Thu, 1 Mar 2007, James Fagan wrote:

>> On Thu, 1 Mar 2007, Chris Yuzik wrote:
>>
>>> I understand that I need a milter to implement SPF (we use Sendmail).
>>> Anyone have any recommendations?
>>
>> smf-spf
>>
>
> I used this for a while. The reason I stopped using this milter is that
> SO many systems have invalid spf records and some other weird shared IP
> hosting
> That made it more trouble than it was worth and this was nearly
> impossible to explain to our customers. Yes, there is a whitelist you
> can implement, but I don't want to have to add domains a day to this
> file.

Keeping them blocked is an incentive for them to fix the spf dns records.

Just like I'm not going to whitelist a mail server because some twit doesn't know how to configure DNS, or whitelist some server because they can't stop their spammers who keep getting them into RBL's.

The more that enforce it, the better chance there is of THEM getting off their lazy butt and fixing THEIR problem. If they have no clue, offer to fix it for them, at a nice cost of course :)

--
Cheers
Res

"We can be Heroes, just for one day" - Davey (Jones) Bowie

From alex at nkpanama.com Thu Mar 1 22:55:03 2007
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Mar 1 22:01:20 2007 Subject: Julian Field in hospital In-Reply-To: <20070301172638.GB702@login.ecs.soton.ac.uk> References: <45E58D82.8060409@coders.co.uk> <45E595A8.30308@pixelhammer.com> <45E59A97.6010506@coders.co.uk> <20070301172638.GB702@login.ecs.soton.ac.uk> Message-ID: <45E74BB7.2070107@nkpanama.com> Tim Chown wrote: > Hi all, > > Today's update is that Jules had a 'minor' operation midday to stem some > more bleeding, but this was deemed a qualified success (in that a minor > complication arose that was dealt with). > > He's now back in the ICU under watch. > > Thanks for the update... Let's hope this is the last complication he gets to suffer through - and that he gets back on his feet soon. From z at ziff.net Thu Mar 1 22:55:56 2007 
From: z at ziff.net (Zivago Lee) Date: Thu Mar 1 22:01:35 2007 Subject: clamav and mailscanner In-Reply-To: <223f97700703011236l2e93048cx1c6f66edc534255f@mail.gmail.com> References: <0e5c1b86ea5f784cbbe5cc5739a4766d@solidstatelogic.com> <26942.209.104.55.7.1172685554.squirrel@mail.ziff.net> <223f97700702281106m3e6fdf70sef8c2701a725bc18@mail.gmail.com> <22107.209.104.55.7.1172690830.squirrel@mail.ziff.net> <59E4A3A1069C2640959AD0F7518C48122F08A0@FLN1.fln.local> <31180.209.104.55.7.1172698169.squirrel@mail.ziff.net> <223f97700703010052k12a6aafci4d113687b791dc0c@mail.gmail.com> <32765.209.104.55.7.1172772668.squirrel@mail.ziff.net> <223f97700703011035j7ab50fdcm89968d7b87dec08@mail.gmail.com> <10257.209.104.55.7.1172775766.squirrel@mail.ziff.net> <223f97700703011236l2e93048cx1c6f66edc534255f@mail.gmail.com> Message-ID: <18419.209.104.55.7.1172786156.squirrel@mail.ziff.net> > On 01/03/07, Zivago Lee wrote: >> >> > On 01/03/07, Zivago Lee wrote: > (snip) >> > Thanks for the update Zivago. As a stopgap you _could_ enhace the >> > autoupdate script to reset the perms, but that might be run as postfix >> > too... which might not work that well:-). >> > Or just gut it out till they produce an update. As it is rather big >> > change going to .90, I'd guess that we'll see a new one rather soner >> > than later (that always being the trend with any software version >> > X.0:-). >> >> I was looking at the freshclam.conf, I saw this: >> >> #OnUpdateExecute command >> >> Maybe I could have it chmod 755 the dir after it does an update. > Definitely worth trying. Let us know how it goes. Someone else on the clamav-users list is using it successfully so I'll be using that until the fix gets pushed out as a real release. -- Zivago Lee z@ziff.net From am.lists at gmail.com Thu Mar 1 23:14:33 2007 
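The OnUpdateExecute stopgap discussed in the "clamav and mailscanner" thread, written out as an added example; it is not code from any list post, from ClamAV or from MailScanner. The script path in the docstring is hypothetical, the default database path is the one Phil Randal quotes, and the hook only works when it runs as the owner of the directories, which is the caveat Glenn raises about scripts running as postfix.

```python
#!/usr/bin/env python3
"""Post-update hook for freshclam: restore read access to ClamAV's *.inc directories.

Assumed wiring in freshclam.conf (the script path is hypothetical):
    OnUpdateExecute /usr/local/sbin/fix_clamav_inc_perms.py /usr/local/share/clamav
"""
import os
import stat
import sys

WANTED_MODE = 0o755   # the mode proposed in the thread
NEEDED_BITS = 0o055   # group and other need read + search to load signatures


def inc_dirs(db_root):
    """Return the real *.inc directories (daily.inc, main.inc) directly under db_root."""
    found = []
    for name in sorted(os.listdir(db_root)):
        path = os.path.join(db_root, name)
        # lstat, not stat: a symlink named *.inc is skipped, so the chmod below
        # can never be redirected to a directory outside the database root.
        if name.endswith(".inc") and stat.S_ISDIR(os.lstat(path).st_mode):
            found.append(path)
    return found


def fix_inc_perms(db_root, wanted=WANTED_MODE):
    """Reset every *.inc directory that group or other cannot read and search.

    Returns a list of (path, old_mode, new_mode) for the directories changed.
    Raises PermissionError when the caller does not own a directory.
    """
    changed = []
    for path in inc_dirs(db_root):
        old = stat.S_IMODE(os.lstat(path).st_mode)
        if (old & NEEDED_BITS) != NEEDED_BITS:
            os.chmod(path, wanted)
            changed.append((path, old, wanted))
    return changed


def main(argv):
    db_root = argv[1] if len(argv) > 1 else "/usr/local/share/clamav"
    if not os.path.isdir(db_root):
        print(f"{db_root}: not a directory", file=sys.stderr)
        return 2
    # One line per repaired directory, so the reset shows up in freshclam's log.
    for path, old, new in fix_inc_perms(db_root):
        print(f"{path}: mode {old:04o} -> {new:04o}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Directories that are already readable (0755, 0775) are left alone, so a non-empty result is itself a record that the 0700 reset happened again.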
From: am.lists at gmail.com (am.lists) Date: Thu Mar 1 22:20:15 2007 Subject: "Intention Analysis" Message-ID: <25a66d840703011414w638fd0ck62f128b3e2c4946b@mail.gmail.com> This is something that the Barracuda says it has. But googling for "intention analysis" doesn't turn up much. Is this a marketing thing, or do the Barracuda folks have something that they've made that is proprietary and an actual edge over running MailScanner? Angelo From martinh at solidstatelogic.com Thu Mar 1 23:20:03 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Mar 1 22:25:57 2007 Subject: "Intention Analysis" In-Reply-To: <25a66d840703011414w638fd0ck62f128b3e2c4946b@mail.gmail.com> Message-ID: <4fef926b21a1f044adb233915cb32c1b@solidstatelogic.com> Sounds like more marketing drivel from Barracuda - they're very good at this. Like all the crap about blocking image spam... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of am.lists
> Sent: 01 March 2007 22:15
> To: MailScanner discussion
> Subject: "Intention Analysis"
>
> This is something that the Barracuda says it has. But googling for
> "intention analysis" doesn't turn up much.
>
> Is this a marketing thing, or do the Barracuda folks have something
> that they've made that is proprietary and an actual edge over running
> MailScanner?
>
> Angelo

From matt at coders.co.uk Thu Mar 1 23:21:12 2007
From: matt at coders.co.uk (Matt Hampton)
Date: Thu Mar 1 22:26:52 2007
Subject: "Intention Analysis"
In-Reply-To: <25a66d840703011414w638fd0ck62f128b3e2c4946b@mail.gmail.com>
References: <25a66d840703011414w638fd0ck62f128b3e2c4946b@mail.gmail.com>
Message-ID: <45E751D8.6060808@coders.co.uk>

am.lists wrote:
> This is something that the Barracuda says it has. But googling for
> "intention analysis" doesn't turn up much.
>
> Is this a marketing thing, or do the Barracuda folks have something
> that they've made that is proprietary and an actual edge over running
> MailScanner?
>
> Angelo

Ummm. This seems to be little more than look for a url in the message, if it is in a black list tag the message as spam.

SpamAssassin can already do this using surbl.org black list.

(Personally I do it using milter-link)

It would be a nice feature of MailScanner actually.

matt

From hvdkooij at vanderkooij.org Thu Mar 1 23:26:00 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Thu Mar 1 22:31:43 2007
Subject: "Intention Analysis"
In-Reply-To: <25a66d840703011414w638fd0ck62f128b3e2c4946b@mail.gmail.com>
References: <25a66d840703011414w638fd0ck62f128b3e2c4946b@mail.gmail.com>
Message-ID:

On Thu, 1 Mar 2007, am.lists wrote:

> This is something that the Barracuda says it has. But googling for
> "intention analysis" doesn't turn up much.
>
> Is this a marketing thing, or do the Barracuda folks have something
> that they've made that is proprietary and an actual edge over running
> MailScanner?

I am restricted in my statements in this matter as I have actual access to them for support activities. So I will not go in details here!

Intention analysis is a feature not present in MailScanner/SpamAssassin at the moment.

Having said that I do not have a Barracuda at home but I do run MailScanner. With MailWatch added I have the main functionality for the rest of the family added.

Hugo.

--
hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From mkettler at evi-inc.com Thu Mar 1 23:39:47 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Thu Mar 1 22:45:29 2007
Subject: "Intention Analysis"
In-Reply-To: <45E751D8.6060808@coders.co.uk>
References: <25a66d840703011414w638fd0ck62f128b3e2c4946b@mail.gmail.com> <45E751D8.6060808@coders.co.uk>
Message-ID: <45E75633.2000906@evi-inc.com>

Matt Hampton wrote:
> am.lists wrote:
>> This is something that the Barracuda says it has. But googling for
>> "intention analysis" doesn't turn up much.
>>
>> Is this a marketing thing, or do the Barracuda folks have something
>> that they've made that is proprietary and an actual edge over running
>> MailScanner?
>>
>> Angelo
>
> Ummm. This seems to be little more than look for a url in the message,
> if it is in a black list tag the message as spam.
>
> SpamAssassin can already do this using surbl.org black list.
>
> (Personally I do it using milter-link)
>
> It would be a nice feature of MailScanner actually.

Actually, I think it's not blacklist based. Personally, it sounds like a collection of rules that look for general directives to the end user like "Click here" "check out stock symbol xyz" "please validate your account".

Note they use a URL as an example, but later in the description they use more general terms about finding an action they're trying to get you to take..

It really sounds to me like a marketing label for a particular group of body-text rules.

Some SpamAssassin rules that jump out at me as "intention analysis".

HTML_LINK_OPT_OUT
HTML_LINK_PUSH_HERE
REMOVE_BEFORE_LINK
CLICK_BELOW_CAPS
CLICK_TO_REMOVE_1
EXCUSE_REMOVE
STRONG_BUY
STOCK_ALERT
MORTGAGE_PITCH
CONSOLIDATE_DEBT
REFINANCE_YOUR_HOME
REFINANCE_NOW
FREE_SAMPLE
REPLICA_WATCH

Now, they might be doing something more complex, like doing a little natural language processing, then checking that against a set list of "spam actions". They might process out a wide variety of phrases to result in just "buy watch", and text compare that..
Something like a simplified version of the concept presented here:

http://www.research.ibm.com/journal/sj/404/nasukawa.html

Could be used as a form of preprocessor before applying spam rules.

From Jeff.Mills at versacold.com.au Fri Mar 2 00:11:49 2007
From: Jeff.Mills at versacold.com.au (Jeff Mills)
Date: Thu Mar 1 23:17:31 2007
Subject: Strange Missing Mail
References: <59759.194.70.180.170.1172577687.squirrel@www.technologytiger.net>
Message-ID:

This problem is still happening. Had a couple more today.

>
> I doubt it as Postfix won't have split the queue file so the
> message will have either gone missing or been delivered. What
> is there in the logs? Can you post a log excerpt for the
> relevant message? (Postfix also logs number of recipients :) )

Mar 2 09:21:31 proxy2 postfix/qmgr[6368]: CABEE2B06D9: from=, size=289109, nrcpt=1 (queue active)
Mar 2 09:21:31 proxy2 postfix/qmgr[6368]: CABEE2B06D9: to=, relay=none, delay=2.9, delays=2.9/0.01/0/0, dsn=4.3.2, status=def

So postfix sees only one recipient.
The headers still show three though:

From: "Some, User"
To: "Some, User2 \(Aus.\)" ,
 ,
 "Some, User4"

The only user to get the message was the user without a real name attached.

So I guess the problem is obviously not MailScanner, because postfix is only seeing one recipient.
I have found out today that this is happening from more than one source company, so I doubt it's a problem with the source server, although they are both probably exchange.

From gerard at seibercom.net Fri Mar 2 00:28:52 2007
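Added example, not part of any list member's post: a small diagnostic for the situation in the "Strange Missing Mail" report above. It reads `nrcpt` and `to=` from Postfix log lines, which reflect the envelope recipients, and lists addresses that appear only in the To:/Cc: headers. The log and message below are constructed (the archive scrubbed the real addresses), and the `example.org`/`example.com` addresses and function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample data modelled on the excerpt in the thread.
SAMPLE_LOG = """\
Mar  2 09:21:31 proxy2 postfix/qmgr[6368]: CABEE2B06D9: from=<sender@example.org>, size=289109, nrcpt=1 (queue active)
Mar  2 09:21:34 proxy2 postfix/smtp[6402]: CABEE2B06D9: to=<user3@example.com>, relay=none, delay=2.9, delays=2.9/0.01/0/0, dsn=4.3.2, status=deferred (constructed)
"""

SAMPLE_MESSAGE = r'''From: "Some, User" <sender@example.org>
To: "Some, User2 \(Aus.\)" <user2@example.com>,
 <user3@example.com>,
 "Some, User4" <user4@example.com>
Subject: constructed test message

body
'''

# Short hexadecimal queue IDs are assumed (the Postfix default).
LOG_RE = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)


def envelope_from_log(log_text):
    """Map queue ID -> {'nrcpt': int or None, 'to': set of envelope recipients}."""
    queues = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        entry = queues.setdefault(m["qid"], {"nrcpt": None, "to": set()})
        count = re.search(r"\bnrcpt=(\d+)", m["rest"])
        if count:
            entry["nrcpt"] = int(count.group(1))
        rcpt = re.search(r"\bto=<([^>]*)>", m["rest"])  # \b skips orig_to=
        if rcpt:
            entry["to"].add(rcpt.group(1).lower())
    return queues


def header_recipients(raw_message):
    """Addresses named in To:/Cc:, parsed so commas inside quoted names are safe."""
    msg = message_from_string(raw_message)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return sorted({addr.lower() for _name, addr in getaddresses(fields) if addr})


def audit(log_text, raw_message, queue_id):
    """Compare what the MTA was asked to deliver with what the headers claim."""
    env = envelope_from_log(log_text).get(queue_id, {"nrcpt": None, "to": set()})
    return {
        "nrcpt": env["nrcpt"],
        "envelope_to": sorted(env["to"]),
        # In the headers but never presented as an envelope recipient:
        "header_only": [a for a in header_recipients(raw_message)
                        if a not in env["to"]],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, SAMPLE_MESSAGE, "CABEE2B06D9"))
```

A non-empty `header_only` list with a matching low `nrcpt` means the missing recipients were never handed to this server as envelope recipients, so the place to look is the hop before it.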
From: gerard at seibercom.net (Gerard Seibert)
Date: Thu Mar 1 23:34:12 2007
Subject: Strange Missing Mail
In-Reply-To:
References: <59759.194.70.180.170.1172577687.squirrel@www.technologytiger.net>
Message-ID: <20070301182623.3FCB.GERARD@seibercom.net>

On Thursday March 01, 2007 at 06:11:49 (PM) Jeff Mills wrote:

> Mar 2 09:21:31 proxy2 postfix/qmgr[6368]: CABEE2B06D9:
> from=, size=289109, nrcpt=1 (queue active)
> Mar 2 09:21:31 proxy2 postfix/qmgr[6368]: CABEE2B06D9:
> to=, relay=none, delay=2.9,
> delays=2.9/0.01/0/0, dsn=4.3.2, status=def
>
> So postfix sees only one recipient.
> The headers still show three though:
>
> From: "Some, User"
> To: "Some, User2 \(Aus.\)" ,
> ,
> "Some, User4"
>
> The only user to get the message was the user without a real name
> attached.

Have you tried posting this on the Postfix forum? You might be better served with this problem there since it appears to be related to Postfix. Also, what version of Postfix are you employing?

--
Gerard

Bumper snicker: To err is human, to forgive divine. Neither is Marine Corps policy

From ssilva at sgvwater.com Fri Mar 2 00:26:40 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Mar 1 23:53:57 2007
Subject: implementing SPF, which milter?
In-Reply-To: <59E4A3A1069C2640959AD0F7518C48122F08AC@FLN1.fln.local>
References: <45E72606.2090004@fractalweb.com> <59E4A3A1069C2640959AD0F7518C48122F08AC@FLN1.fln.local>
Message-ID:

James Fagan spake the following on 3/1/2007 1:46 PM:
>> On Thu, 1 Mar 2007, Chris Yuzik wrote:
>>
>>> I understand that I need a milter to implement SPF (we use Sendmail). Anyone
>>> have any recommendations?
>> smf-spf
>>
>
> I used this for a while. The reason I stopped using this milter is that
> SO many systems have invalid spf records and some other weird shared IP
> hosting
> That made it more trouble than it was worth and this was nearly
> impossible to explain to our customers. Yes, there is a whitelist you
> can implement, but I don't want to have to add domains a day to this
> file.
>
> I love the idea of spf, but I don't think there are enough correctly
> configured domains to warrant its use. I would continue to let
> spamassassin catch them for you. Of course your experience may be
> different than mine.
>
> Good Luck!
>
> James

And too many wildcarded SPF records out there!

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From mikechoo at opensos.net Fri Mar 2 02:19:13 2007
From: mikechoo at opensos.net (Michael Choo)
Date: Fri Mar 2 01:25:04 2007
Subject: implementing SPF, which milter?
In-Reply-To: <59E4A3A1069C2640959AD0F7518C48122F08AC@FLN1.fln.local>
References: <45E72606.2090004@fractalweb.com> <59E4A3A1069C2640959AD0F7518C48122F08AC@FLN1.fln.local>
Message-ID: <3194DA77-0B1D-4B82-B730-1A2C775790D6@opensos.net>

On 02 Mar 2007, at 5:46 AM, James Fagan wrote:

>> On Thu, 1 Mar 2007, Chris Yuzik wrote:
>>
>>> I understand that I need a milter to implement SPF (we use Sendmail). Anyone
>>> have any recommendations?
>>
>> smf-spf
>>

I use spamilter

> I used this for a while. The reason I stopped using this milter is that
> SO many systems have invalid spf records and some other weird shared IP
> hosting
> That made it more trouble than it was worth and this was nearly
> impossible to explain to our customers. Yes, there is a whitelist you
> can implement, but I don't want to have to add domains a day to this
> file.
>
> I love the idea of spf, but I don't think there are enough correctly
> configured domains to warrant its use. I would continue to let
> spamassassin catch them for you. Of course your experience may be
> different than mine.

I had to disable SPF for one of our customers as they had users travelling in Europe and Middle East and were forced to use the ISP's SMTP server.
Anyone in Europe can verify or explain?

--
Michael Choo
ACTC, APP 2006

From brent.addis at pronet.co.nz Fri Mar 2 03:05:21 2007
From: brent.addis at pronet.co.nz (Brent Addis)
Date: Fri Mar 2 02:11:20 2007
Subject: quarantined non-spam attachments
Message-ID: <45E78661.2050508@pronet.co.nz>

Hi.

We currently store mail in quarantine for a few users, for a set period of days. This includes non spam. Some of these clients have messages numbering in the thousands. Now, obviously releasing all of these messages with mailwatch is a bit difficult (Being that it releases one at a time).

Is there an easily scriptable way of either, sending these messages to the client, in such a way that they can actually see attachments and use them, or copying out the attachment, which I can put into a directory for the client to access. Sending standard text as attachments is easy enough, however the attached files also come through as text, which is less than helpful for things such as word documents.

I currently have a script that runs through all the quarantine directories, copies needed messages into a directory, and either mails them off, or lets the client access them via ftp/smb/webdav

Having mailscanner email messages to an email address does not really work in this situation.

Any ideas, or software that may be able to help?

--

From am.lists at gmail.com Fri Mar 2 04:00:58 2007
From: am.lists at gmail.com (am.lists)
Date: Fri Mar 2 03:06:39 2007
Subject: "Intention Analysis"
In-Reply-To:
References: <25a66d840703011414w638fd0ck62f128b3e2c4946b@mail.gmail.com>
Message-ID: <25a66d840703011900t1eb7fda5qa8ebb19aadf72623@mail.gmail.com>

On 3/1/07, Hugo van der Kooij wrote:
> I am restricted in my statements in this matter as I have actual access
> to them for support activities. So I will not go in details here!

Hugo,

Usually, having access to support <> being under an NDA. If you're not under NDA, then by all means, please share. If you are under NDA, please share off-list. :-) Just kidding, of course.

> Having said that I do not have a Barracuda at home but I do run
> MailScanner. With MailWatch added I have the main functionality for the
> rest of the family added.

Are you saying that minus the Barracuda, but with MS/MW, your opinion is that you have equivalent (or near-equivalent) functionality?

Regards,
Angelo

From am.lists at gmail.com Fri Mar 2 04:05:45 2007
From: am.lists at gmail.com (am.lists)
Date: Fri Mar 2 03:11:23 2007
Subject: Domain Keys
In-Reply-To: <25a66d840702280601j2c8620a4j9118b3e0682c14ee@mail.gmail.com>
References: <25a66d840702280601j2c8620a4j9118b3e0682c14ee@mail.gmail.com>
Message-ID: <25a66d840703011905x2bb86d97vf8eb246465df335b@mail.gmail.com>

On 2/28/07, am. lists wrote:
> If you're using them, are you giving hefty rewards for pass/verify or
> just penalties for failing?
>
> I currently am in "pilot" mode on DK, so my scores are +/- 0.001 for
> the tests, but I'm seeing stuff that should be spam showing up with
> the potential of being rewarded for being a legitimate company and
> knowing how to put a DK signature on mails.
>
> Has anyone else had any experience on this? I guess it sorta comes
> back to what we want our policy to be on this sort of thing.
>
> Angelo
>

... anyone?

From lars+lister.mailscanner at adventuras.no Fri Mar 2 04:07:46 2007
From: lars+lister.mailscanner at adventuras.no (Lars Kristiansen)
Date: Fri Mar 2 03:15:04 2007
Subject: implementing SPF, which milter?
In-Reply-To: <3194DA77-0B1D-4B82-B730-1A2C775790D6@opensos.net>
References: <45E72606.2090004@fractalweb.com> <59E4A3A1069C2640959AD0F7518C48122F08AC@FLN1.fln.local> <3194DA77-0B1D-4B82-B730-1A2C775790D6@opensos.net>
Message-ID: <45E79502.4010201@adventuras.no>

> I had to disable SPF for one of our customers as they had users
> travelling in europe and middle east and were forced to use the ISP's
> SMTP server.
> Anyone in Europe can verify or explain?

Hi!

Some providers block port 25 as a way to fight spam from botnets within.
You might think of port 25 as for communications between mailservers.
Port 587 is the correct port for mail submission from clients.
This is best solved by configuring your mailservers for mail submission for authenticated clients on port 587.

Regards, from Lars

And all the best to Julian.

>
> --
> Michael Choo
> ACTC, APP 2006
>
>

From itdept at fractalweb.com Fri Mar 2 05:08:43 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Fri Mar 2 04:16:35 2007
Subject: implementing SPF, which milter?
In-Reply-To: <3194DA77-0B1D-4B82-B730-1A2C775790D6@opensos.net>
References: <45E72606.2090004@fractalweb.com> <59E4A3A1069C2640959AD0F7518C48122F08AC@FLN1.fln.local> <3194DA77-0B1D-4B82-B730-1A2C775790D6@opensos.net>
Message-ID: <45E7A34B.8090807@fractalweb.com>

Michael Choo wrote:
> I had to disable SPF for one of our customers as they had users
> travelling in europe and middle east and were forced to use the ISP's
> SMTP server.
> Anyone in Europe can verify or explain?

Michael,

Here in Canada, a number of ISPs (for example, Telus), including cable and DSL, block outbound access on port 25. They do seem to allow outbound access on port 587 though. Additionally, with some fancy footwork with iptables, you can configure a port-forward from some unused port to port 25 which we do as a backup just in case port 587 isn't available either.

Chris

From mikechoo at opensos.net Fri Mar 2 07:35:58 2007
From: mikechoo at opensos.net (Michael Choo)
Date: Fri Mar 2 06:41:56 2007
Subject: implementing SPF, which milter?
In-Reply-To: <45E7A34B.8090807@fractalweb.com>
References: <45E72606.2090004@fractalweb.com> <59E4A3A1069C2640959AD0F7518C48122F08AC@FLN1.fln.local> <3194DA77-0B1D-4B82-B730-1A2C775790D6@opensos.net> <45E7A34B.8090807@fractalweb.com>
Message-ID:

Thanks. However the users that travel and are affected are senior management with no clue.
The only thing they can do is raise lots of fuss about mails being rejected by their clients.

I think I'll try the port 587 solution and see how that goes.

cheers
-Mike

On 02 Mar 2007, at 12:08 PM, Chris Yuzik wrote:

> Michael Choo wrote:
>> I had to disable SPF for one of our customers as they had users
>> travelling in europe and middle east and were forced to use the
>> ISP's SMTP server.
>> Anyone in Europe can verify or explain?
> Michael,
>
> Here in Canada, a number of ISPs (for example, Telus), including
> cable and DSL, block outbound access on port 25. They do seem to
> allow outbound access on port 587 though. Additionally, with some
> fancy footwork with iptables, you can configure a port-forward from
> some unused port to port 25 which we do as a backup just in case
> port 587 isn't available either.
>
> Chris

--
Michael Choo
ACTC, APP 2006

From hvdkooij at vanderkooij.org Fri Mar 2 07:52:34 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Mar 2 06:58:15 2007
Subject: "Intention Analysis"
In-Reply-To: <25a66d840703011900t1eb7fda5qa8ebb19aadf72623@mail.gmail.com>
References: <25a66d840703011414w638fd0ck62f128b3e2c4946b@mail.gmail.com> <25a66d840703011900t1eb7fda5qa8ebb19aadf72623@mail.gmail.com>
Message-ID:

On Thu, 1 Mar 2007, am.lists wrote:

> On 3/1/07, Hugo van der Kooij wrote:
>> I am restricted in my statements in this matter as I have actual access
>> to them for support activities. So I will not go in details here!
>
> Usually, having access to support <> being under an NDA. If you're not
> under NDA, then by all means, please share. If you are under NDA,
> please share off-list. :-) Just kidding, of course.

Most of it is under NDA. But at times there seems to be conflict between NDA and GPL in my view.

>> Having said that I do not have a Barracuda at home but I do run
>> MailScanner. With MailWatch added I have the main functionality for the
>> rest of the family added.
>
> Are you saying that minus the Barracuda, but with MS/MW, your opinion
> is that you have equivalent (or near-equivalent) functionality?

The Barracuda solution is fine for those networks whose admins find clicking on the right spots in exchange is a challenge. It has a decent set of tools and it is actively maintained so at present I find it is the best boxed solution you can find with a reasonably good track record.

If you really know what you are doing and have the time to babysit your own solution then building your own solution with proper defense in depth is likely to do at least slightly better. Mainly because you are investing significant time to optimize for your own network and users.

If you happen to have the right people on an IT staff the homebrew solution is the best in all likelihood. Given the fact that the average company does not have the required skill levels they need to fall back to a vendor to do the job for them.

Hugo.

--
hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From hvdkooij at vanderkooij.org Fri Mar 2 08:13:14 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Mar 2 07:19:01 2007
Subject: implementing SPF, which milter?
In-Reply-To:
References: <45E72606.2090004@fractalweb.com> <59E4A3A1069C2640959AD0F7518C48122F08AC@FLN1.fln.local> <3194DA77-0B1D-4B82-B730-1A2C775790D6@opensos.net> <45E7A34B.8090807@fractalweb.com>
Message-ID:

On Fri, 2 Mar 2007, Michael Choo wrote:

> thanks. However the users that travel and are affected are senior management
> with no clue.
> the only thing they can do is raise lots of fuss about mails being rejected
> by their clients.
>
> I think i'll try the port 587 solution and see how that goes.

Pardon me. But if they send message directly to clients and they get rejected their admins should get a smack on the head for not building a proper infrastructure.

These people, like everyone else in the company, should deliver their mail through the company network. They should be given VPN access to their own office so they can do this sort of thing the right way.

However solutions like this come with a price tag and sometimes the same persons who do not wish to pay for a proper infrastructure are the most profound in spitting their anger for getting the results of a poor infrastructure.

Just tell them internet is like a battlefield. (Well it is in fact.) So if they go out without proper protection they are likely to get themselves in a fix out there.

As usual admins are the people who get stuck between a rock and a hard place in these discussions.

Hugo.

--
hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From tenderby at mailwash.com.au Fri Mar 2 08:23:09 2007
From: tenderby at mailwash.com.au (Tony Enderby)
Date: Fri Mar 2 07:29:02 2007
Subject: Clamav 0.90
In-Reply-To: <79755AA4E018084793EE618A2731F24C02B421@HC-MBX01.herefordshire.gov.uk>
References: <79755AA4E018084793EE618A2731F24C02B421@HC-MBX01.herefordshire.gov.uk>
Message-ID: <45E7D0DD.7090401@mailwash.com.au>

Just wondering if multiple file extensions can be included on this line?

I am running some third party signature databases that use a different extension to the original clam distributions.

Tony.

Randal, Phil wrote:
> The file to watch is /usr/local/share/clamav/daily.inc/daily.info
>
> Check to see where your daily.info directory is and adjust accordingly.
>
> Cheers,
>
> Phil
>
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
>> Of Tony Enderby
>> Sent: 01 March 2007 10:43
>> To: MailScanner discussion
>> Subject: Re: Clamav 0.90
>>
>> Cheers Glenn.
>>
>> Will check it out.
>>
>> Glenn Steen wrote:
>>> On 01/03/07, Glenn Steen wrote:
>>>> On 01/03/07, Tony Enderby wrote:
>>>>> Apologies to the list if this has been answered earlier.
>>>>>
>>>>> Just wondering if the mailscanner auto signature update scripts are
>>>>> working with the new diff scheme
>>>>> that clamav 0.90 is using and if not is there a workaround available?
>>>>>
>>>>> Thanks in advance.
>>>>>
>>>>> Tony.
>>>> The autoupdate for clam is a wrapper around freshclam, more or less,
>>>> so it _should_ work OK.
>>> ... if you use clamavmodule, you might want to add the new
>>> "incremental" thingies to the watched files (in MailScanner.conf)...
>>> Search the "recent past" list archive, there was some post about it.
>>
>> --
>> Kind Regards,
>>
>> Tony Enderby.
>>
>> Technical Director - MailWash Australia.
>> Premium Anti-Spam / Anti Virus / Identity theft protection.
>> http://www.mailwash.com.au

From glenn.steen at gmail.com Fri Mar 2 09:35:00 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Mar 2 08:40:48 2007
Subject: quarantined non-spam attachments
In-Reply-To: <45E78661.2050508@pronet.co.nz>
References: <45E78661.2050508@pronet.co.nz>
Message-ID: <223f97700703020035w6706b53bieaaad7b1ad86dc19@mail.gmail.com>

On 02/03/07, Brent Addis wrote:
> Hi.
>
> We currently store mail in quarantine for a few users, for a set period
> of days. this includes non spam. Some of these clients have messages
> numbering in the thousands. Now, obviously releasing all of these
> messages with mailwatch is a bit difficult (Being that it releases one
> at a time).
>
> Is there an easily scriptable way of either, sending these messages to
> the client, in such a way that they can actually see attachments and use
> them, or copying out the attachment, which I can put into a directory
> for the client to access. Sending standard text as attachments is easy
> enough, however the attached files also come through as text, which is
> less than helpful for things such as word documents.
>
> I currently have a script that runs through all the quarantine
> directories, copies needed messages into a directory, and either mails
> them off, or lets the client access them via ftp/smb/webdav
>
> Having mailscanner email messages to an email address does not really
> work in this situation.
>
> any ideas, or software that may be able to help?

The Message Operations page will let you release them 50/page. You find that on the reports page, so it is simple to limit to one customer or other.

Scripting should be equally simple: Get the IDs out of the maillog table with an appropriate SQL statement (look at the MW code for ideas), use that and the sendmail command with the envelope recipient on the actual message file for that ID (it just contains the RFC822 message, including all attachments) and you should be fine.

Or am I missing what you are trying to do here? Why would you do this type of "bulk releasing"?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Mar 2 09:40:57 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Mar 2 08:46:35 2007
Subject: "Intention Analysis"
In-Reply-To:
References: <25a66d840703011414w638fd0ck62f128b3e2c4946b@mail.gmail.com> <25a66d840703011900t1eb7fda5qa8ebb19aadf72623@mail.gmail.com>
Message-ID: <223f97700703020040r2492749fx551f3c481d08ac7f@mail.gmail.com>

On 02/03/07, Hugo van der Kooij wrote:
> On Thu, 1 Mar 2007, am.lists wrote:
>
> > On 3/1/07, Hugo van der Kooij wrote:
> >> I am restricted in my statements in this matter as I have actual access
> >> to them for support activities. So I will not go in details here!
> >
> > Usually, having access to support <> being under an NDA. If you're not
> > under NDA, then by all means, please share. If you are under NDA,
> > please share off-list. :-) Just kidding, of course.
>
> Most of it is under NDA. But at times there seems to be conflict between
> NDA and GPL in my view.
>
> >> Having said that I do not have a Barracuda at home but I do run
> >> MailScanner. With MailWatch added I have the main functionality for the
> >> rest of the family added.
> >
> > Are you saying that minus the Barracuda, but with MS/MW, your opinion
> > is that you have equivalent (or near-equivalent) functionality?
>
> The Barracuda solution is fine for those networks whose admins find
> clicking on the right spots in exchange is a challenge. It has a decent
> set of tools and it is actively maintained so at present I find it is the
> best boxed solution you can find with a reasonably good track record.
>

Hm, have you compared this in-depth with DefenderMX (which is available in an appliance as well as not:)? DefenderMX is the commercial variant of MailScanner/MailWatch sold by FSL, if you haven't heard of it.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Mar 2 09:51:16 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Mar 2 08:56:55 2007
Subject: implementing SPF, which milter?
In-Reply-To:
References: <45E72606.2090004@fractalweb.com> <59E4A3A1069C2640959AD0F7518C48122F08AC@FLN1.fln.local> <3194DA77-0B1D-4B82-B730-1A2C775790D6@opensos.net> <45E7A34B.8090807@fractalweb.com>
Message-ID: <223f97700703020051n17847fa3qbefc5145e1b9b0b0@mail.gmail.com>

On 02/03/07, Hugo van der Kooij wrote:
> On Fri, 2 Mar 2007, Michael Choo wrote:
>
> > thanks. However the users that travel and are affected are senior management
> > with no clue.
> > the only thing they can do is raise lots of fuss about mails being rejected
> > by their clients.
> >
> > I think i'll try the port 587 solution and see how that goes.
>
> Pardon me. But if they send message directly to clients and they get
> rejected their admins should get a smack on the head for not building a
> proper infrastructure.
>
> These people, like everyone else in the company, should deliver their mail
> through the company network. They should be given VPN access to their own
> office so they can do this sort of things the right way.

Arhum, this isn't technology. It is policy. Different companies/organizations will have very different policies, depending on need.
Not that I really disagree;-). Personally I see to it that mail is only accessible via some form of VPN. But that is based on our policy;-).

> However solutions like this come with a price tag and sometimes the same
> persons who do not wish to pay for a proper infrastructure are the most
> profound in spitting their anger for getting the results of a poor
> infrastructure.

If they're cheap, there actually is a very workable solution for SSL-VPN, namely SSL-Explorer (http://www.3sp.com). It'll give either RAT-access, or some form of proxied webmail access (we use it for OWA... And we actually bought an enterprise license too, to get at the enhanced authentication methods (RADIUS mainly))

> Just tell them internet is like a battlefield. (Well it is in fact.) So if
> they go out without proper protection they are likely to get themselves in
> a fix out there.

Oh yes.

> As usual admins are the people who get stuck between a rock and a hard
> place in these discussions.

:-). See it as an opportunity to ask for more money in next periods budget;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Mar 2 09:56:25 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Mar 2 09:02:05 2007
Subject: Clamav 0.90
In-Reply-To: <45E7D0DD.7090401@mailwash.com.au>
References: <79755AA4E018084793EE618A2731F24C02B421@HC-MBX01.herefordshire.gov.uk> <45E7D0DD.7090401@mailwash.com.au>
Message-ID: <223f97700703020056v3a415e2co33b1b1e8de8881b1@mail.gmail.com>

On 02/03/07, Tony Enderby wrote:
> Just wondering if multiple file extensions can be included on this line?
>
> I am running some third party signature databases that use a different
> extension to the original clam distributions.
>
> Tony.
>

Yes. This is from Phils original message in the "SpamAssassin 3.1.8" thread:

---
Monitors for ClamAV Updates = /usr/local/share/clamav/daily.inc/daily.info /usr/local/share/clamav/*.?db
---

As I understand it he is using this to monitor the sanesecurity updates as well as the "official" ones.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From arturs at netvision.net.il Fri Mar 2 10:00:04 2007
From: arturs at netvision.net.il (Arthur Sherman) Date: Fri Mar 2 09:07:04 2007 Subject: implementing SPF, which milter? In-Reply-To: <3194DA77-0B1D-4B82-B730-1A2C775790D6@opensos.net> Message-ID: <00c601c75ca9$2b3c77c0$0dfb1bac@lapxp> An ISP SMTP could be whitelisted. Also, your travelling customers could use Webmail, thus eliminating the need to involve third party mail server at all. I feel, guys, that this "either 100% or 0%" approach is doubtful. It is just another filter. I use it mostly so that well-configured mailers (hopefully, mine is among these :) with SPF checks enabled would drop SPAM impersonating my clients' domains. If that mailer didn't check it out and let SPAM in - his bad! my good... ;) Best, -- Arthur Sherman +972-52-4878851 CPTeam _____
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Michael Choo Sent: Friday, March 02, 2007 3:19 AM To: MailScanner discussion Subject: Re: implementing SPF, which milter? On 02 Mar 2007, at 5:46 AM, James Fagan wrote: On Thu, 1 Mar 2007, Chris Yuzik wrote: I understand that I need a milter to implement SPF (we use Sendmail). Anyone have any recommendations? smf-spf I use spamilter I used this for a while. The reason I stopped using this milter is that SO many systems have invalid spf records and some other weird shared IP hosting. That made it more trouble than it was worth and this was nearly impossible to explain to our customers. Yes, there is a whitelist you can implement, but I don't want to have to add domains a day to this file. I love the idea of spf, but I don't think there are enough correctly configured domains to warrant its use. I would continue to let spamassassin catch them for you. Of course your experience may be different than mine. I had to disable SPF for one of our customers as they had users travelling in europe and middle east and were forced to use the ISP's SMTP server. Anyone in Europe can verify or explain? -- Michael Choo ACTC, APP 2006 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070302/8ebfdf74/attachment.html From arturs at netvision.net.il Fri Mar 2 10:05:21 2007
From: arturs at netvision.net.il (Arthur Sherman) Date: Fri Mar 2 09:12:19 2007 Subject: OT: implementing SMF-SPF milter? In-Reply-To: <45E79502.4010201@adventuras.no> Message-ID: <00cc01c75ca9$e80664b0$0dfb1bac@lapxp> Hi, I have a problem installing the milter. Actually, I could not even install the libSPF2 library (on CentOS-4.4@x86) - it failed on 'make check'. Obviously, I sent the bug report to the dev, but the letter returned with 'user unknown'. Could anyone here share his/her/their experience in this installation? Thanks! Best, -- Arthur Sherman +972-52-4878851 CPTeam From tenderby at mailwash.com.au Fri Mar 2 10:50:09 2007
From: tenderby at mailwash.com.au (Tony Enderby) Date: Fri Mar 2 09:56:07 2007 Subject: Clamav 0.90 In-Reply-To: <223f97700703020056v3a415e2co33b1b1e8de8881b1@mail.gmail.com> References: <79755AA4E018084793EE618A2731F24C02B421@HC-MBX01.herefordshire.gov.uk> <45E7D0DD.7090401@mailwash.com.au> <223f97700703020056v3a415e2co33b1b1e8de8881b1@mail.gmail.com> Message-ID: <45E7F351.4090005@mailwash.com.au> Thanks again Glenn, If you're ever in Oz, it's my shout. Tony. Glenn Steen wrote: > On 02/03/07, Tony Enderby wrote: >> Just wondering if multiple file extensions can be included on this line? >> >> I am running some third party signature databases that use a different >> extension to the original clam distributions. >> >> Tony. >> > Yes. This is from Phils original message in the "SpamAssassin 3.1.8" > thread: > --- > Monitors for ClamAV Updates = > /usr/local/share/clamav/daily.inc/daily.info > /usr/local/share/clamav/*.?db > --- > As I understand it he is using this to monitor the sanesecurity > updates as well as the "official" ones. > > Cheers -- Kind Regards, Tony Enderby. Technical Director - MailWash Australia. Premium Anti-Spam / Anti Virus / Identity theft protection. http://www.mailwash.com.au ----------------------------------------------------------------------------------- Scanned by MailWash Australia - http://www.mailwash.com.au ----------------------------------------------------------------------------------- From tenderby at mailwash.com.au Fri Mar 2 11:27:23 2007 
From: tenderby at mailwash.com.au (Tony Enderby) Date: Fri Mar 2 10:33:39 2007 Subject: Consolidated spammy countries rbl Message-ID: <45E7FC0B.9010807@mailwash.com.au> If anyone is interested, I have a test rbldnsd zone running that I would like to make available to this list at spammy_countries.sme-secure.com The ISO country codes included in this zone are listed below so if you would like to add it to your spam.lists.conf or your SA config make sure you do not need to receive email from these countries. The IP data is a direct feed from the singular country zones at countries.nerd.dk consolidated into the one zone. To test before implementing simply run the following command from a shell and you should get 127.0.0.2 as the record for the ip address. host 32.33.12.62.spammy_countries.sme-secure.com Please send me a message on the list if you decide to use this zone so I can keep a close eye on the machines serving the zone to ensure availability. - Tony. ae ar br ca cl cn de eg fr hk il in jp kr ma my ng nl pe pl ru sg th tr tw ua uy za From paul.maddox at office-shadow.com Fri Mar 2 12:19:37 2007
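The test in the message above relies on the DNSBL naming convention: the address is written with its octets reversed in front of the zone (so the test name corresponds to 62.12.33.32), and a listing comes back as a 127.0.0.x record. The Python below is an added example, not code from the list or from rbldnsd; the function names, the injectable resolver and the constructed sample answers are assumptions, and the IPv6 branch goes beyond the IPv4 case in the post.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live here


def dnsbl_query_name(ip, zone):
    """Return the name to look up: reversed address labels, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        # IPv6: one label per hex nibble of the fully expanded address.
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone.strip(".")


def system_resolver(name):
    """A records for name via the OS resolver; [] when nothing resolves."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        # NXDOMAIN and resolver failures both land here (fail open).
        return []


def check_dnsbl(ip, zone, resolve=system_resolver):
    """Classify ip against zone as listed / not-listed / invalid-answer."""
    answers = resolve(dnsbl_query_name(ip, zone))
    codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_NET]
    if codes:
        return "listed", codes
    if answers:
        # A non-127/8 answer means a wildcard, parked or hijacked zone,
        # not a listing; never reject mail on it.
        return "invalid-answer", answers
    return "not-listed", []


# Constructed sample data standing in for DNS, so the example runs offline.
ZONE = "spammy_countries.sme-secure.com"
SAMPLE_DNS = {
    "32.33.12.62." + ZONE: ["127.0.0.2"],      # the test name from the post
    "10.113.0.203." + ZONE: ["198.51.100.7"],  # constructed bogus answer
}


def sample_resolver(name):
    """Offline stand-in for DNS backed by SAMPLE_DNS (hypothetical helper)."""
    return SAMPLE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("62.12.33.32", "203.0.113.10", "192.0.2.1"):
        print(ip, check_dnsbl(ip, ZONE, resolve=sample_resolver))
```

Calling check_dnsbl without the resolve argument uses the operating system resolver, which is the same lookup the host command in the post performs.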
From: paul.maddox at office-shadow.com (Paul Maddox) Date: Fri Mar 2 11:26:34 2007 Subject: Spam score/reports in quarantined messages Message-ID: <605EEBB34D9E14438D3B4164FE220989255126@mail.sidlow.office-shadow.com> Hi, I would like to have the spam related headers (eg: MailScanner-SpamCheck) added into the headers of quarantined emails. Currently if an email is considered not to be spam and successfully delivered these headers are present in the emails but after an hour of searching through the various MailScanner configuration files I cannot seem to find how to get MailScanner to add these headers into spam emails before they are quarantined. Is this normal MailScanner behaviour? Is there an option I'm missing? Is there a hack to get around this? Thanks, Paul -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070302/5064ce16/attachment.html From glenn.steen at gmail.com Fri Mar 2 12:42:59 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Mar 2 11:48:38 2007 Subject: Spam score/reports in quarantined messages In-Reply-To: <605EEBB34D9E14438D3B4164FE220989255126@mail.sidlow.office-shadow.com> References: <605EEBB34D9E14438D3B4164FE220989255126@mail.sidlow.office-shadow.com> Message-ID: <223f97700703020342l7a818c6difa99d83197741353@mail.gmail.com> On 02/03/07, Paul Maddox wrote: > > Hi, > > I would like to have the spam related headers (eg: MailScanner-SpamCheck) > added into the headers of quarantined emails. > > Currently if an email is considered not to be spam and successfully > delivered these headers are present in the emails but after an hour of > searching through the various MailScanner configuration files I cannot seem > to find how to get MailScanner to add these headers into spam emails before > they are quarantined. > > Is this normal MailScanner behaviour? Is there an option I'm missing? Is > there a hack to get around this? > Hi Paul, This is perfectly normal... MailScanner will put the more or less unchanged message into the quarantine. This is by design. There is no option to change this, all you can do is choose if you'd like to store the queue file or the RFC822 message file in the quarantine. Either rely on your log or, better yet, implement MailWatch (http://mailwatch.sf.net) ... the latter will make all this information readily available in a nice web-UI, with nice report/search functions. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From prandal at herefordshire.gov.uk Fri Mar 2 13:28:25 2007
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Fri Mar 2 12:35:40 2007 Subject: ClamAV 0.90.1 is out Message-ID: <79755AA4E018084793EE618A2731F24C1223F3@HC-MBX01.herefordshire.gov.uk> I dropped it into the perl-tar subdirectory of install-ClamSA. This patch to install.sh is needed - ldconfig needs running unconditionally: --- install.sh.old 2007-03-02 12:26:48.000000000 +0000 +++ install.sh 2007-03-02 12:26:17.000000000 +0000 @@ -1,6 +1,6 @@ #!/bin/sh -CLAMAVVERSION=0.90 +CLAMAVVERSION=0.90.1 export CLAMAVVERSION LDSOCONF=/etc/ld.so.conf CLAMETC=/usr/local/etc @@ -232,8 +232,8 @@ echo the ClamAV library can be found by the clamavmodule and echo clamav virus scanners. echo /usr/local/lib >> $LDSOCONF - /sbin/ldconfig fi + /sbin/ldconfig sleep 2 else echo You may need to add /usr/local/lib to the directories searched Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK From am.lists at gmail.com Fri Mar 2 13:40:06 2007 
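Review bot: in the second hunk (@@ -232,8 +232,8 @@) the relocated /sbin/ldconfig now runs after the inner "fi", but it still sits inside the outer branch that ends at "else", so on the path that prints "You may need to add /usr/local/lib to the directories searched" the linker cache is never refreshed. If "unconditionally" is meant literally, move the call below the outer conditional, or add a comment saying why the else path does not need it. The call's exit status is also ignored before "sleep 2"; a failed ldconfig would leave the clamavmodule and clamav scanners unable to find the new library with no message, so check the status and print an error.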
From: am.lists at gmail.com (am.lists) Date: Fri Mar 2 12:45:46 2007 Subject: "Intention Analysis" In-Reply-To: References: <25a66d840703011414w638fd0ck62f128b3e2c4946b@mail.gmail.com> <25a66d840703011900t1eb7fda5qa8ebb19aadf72623@mail.gmail.com> Message-ID: <25a66d840703020440h1583864bx89a1d23ad4dbf816@mail.gmail.com> On 3/2/07, Hugo van der Kooij wrote: > On Thu, 1 Mar 2007, am.lists wrote: > > > On 3/1/07, Hugo van der Kooij wrote: > >> I am restricted in my statements in this matter as I have actual access > >> to them for support activities. So I will not go in details here! > > > > Usually, having access to support <> being under an NDA. If you're not > > under NDA, then by all means, please share. If you are under NDA, > > please share off-list. :-) Just kidding, of course. > > Most of it is under NDA. But at times there seems to be conflict between > NDA and GPL in my view. > > >> Having said that I do not have a Barracuda at home but I do run > >> MailScanner. With MailWatch added I have the main functionality for the > >> rest of the family added. > > > > Are you saying that minus the Barracuda, but with MS/MW, your opinion > > is that you have equivalent (or near-equivalent) functionality? > > The Barracuda solution is fine for those networks whose admins find > clicking on the right spots in exchange is a challenge. It has a decent > set of tools and it is actively maintained so at present I find it is the > best boxed solution you can find with a reasonably good track record. > > If you really know what you are doing and have the time to babysit your > own solution then building your own solution with proper defense in depth > is likely to do at least slightly better. Mainly because you are investing > significant time to optimize for your own network and users. > > If you happen to have the right people on an IT staff the homebrew > solution is the best in all likelihood.
Given the fact that the average > company does not have the required skill levels they need to fall back to > a vendor to do the job for them. > > Hugo. > Hugo, This was a very fair, informative, and insightful response. I truly appreciate it. Thanks again. Angelo From martinh at solidstatelogic.com Fri Mar 2 13:44:08 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Fri Mar 2 12:49:59 2007 Subject: ClamAV 0.90.1 is out In-Reply-To: <79755AA4E018084793EE618A2731F24C1223F3@HC-MBX01.herefordshire.gov.uk> Message-ID: <79842d7f929ac646b51746e414b52cff@solidstatelogic.com> Phil Wonderful, anyone summarised the changelog into something readable....ie what's changed in a nutshell. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Randal, Phil > Sent: 02 March 2007 12:28 > To: MailScanner (mailscanner@lists.mailscanner.info) > Subject: ClamAV 0.90.1 is out > > I dropped it into the perl-tar subdirectory of install-ClamSA. > > This patch to install.sh is needed - ldconfig needs running > unconditionally: > > --- install.sh.old 2007-03-02 12:26:48.000000000 +0000 > +++ install.sh 2007-03-02 12:26:17.000000000 +0000 > @@ -1,6 +1,6 @@ > #!/bin/sh > > -CLAMAVVERSION=0.90 > +CLAMAVVERSION=0.90.1 > export CLAMAVVERSION > LDSOCONF=/etc/ld.so.conf > CLAMETC=/usr/local/etc 
> @@ -232,8 +232,8 @@ > echo the ClamAV library can be found by the clamavmodule and > echo clamav virus scanners. > echo /usr/local/lib >> $LDSOCONF > - /sbin/ldconfig > fi > + /sbin/ldconfig > sleep 2 > else > echo You may need to add /usr/local/lib to the directories searched > > Cheers, > > Phil > > -- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From prandal at herefordshire.gov.uk Fri Mar 2 14:03:10 2007 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Fri Mar 2 13:09:11 2007 Subject: ClamAV 0.90.1 is out Message-ID: <79755AA4E018084793EE618A2731F24C1223F9@HC-MBX01.herefordshire.gov.uk> Improved RAR, tar, zip, and PDF handling, permissions fix in freshclam, several memory leaks fixed in libclamav, and a load more: ----------------------------------------------------------------------- This release includes various bugfixes and code enhancements. Please see ChangeLog for complete list of changes. Important note: please run 'ldconfig' after installing this version. Changes: Fri Mar 2 02:02:31 CET 2007 (tk) --------------------------------- * 0.90.1 (released with JS and PST code removed) Fri Mar 2 01:44:10 CET 2007 (tk) --------------------------------- * shared/output.c: revert patch for bb#360 (didn't work properly when mprintf() was called from logg()) Thu Mar 1 22:12:22 CET 2007 (tk) --------------------------------- * clamd/server-th.c: make more attempts when cl_load returns CL_ELOCKDB Thu Mar 1 18:50:01 GMT 2007 (njh) ---------------------------------- * libclamav/blob.h: NAME_MAX is now in others.h Thu Mar 1 17:42:07 CET 2007 (tk) --------------------------------- * shared/misc: dircopy: use 0755 permissions for new directories (fixes possible permission problems with backup directories in freshclam) Thu Mar 1 17:23:31 CET 2007 (tk) --------------------------------- * libclamav/lockdb.c: fix handling of read locks Thu Mar 1 16:21:48 CET 2007 (tk) --------------------------------- * shared/output.c: fix handling of special characters in mprintf (bb#360) Thu Mar 1 14:56:44 GMT 2007 (njh) ---------------------------------- * libclamav/mbox.c: Fix bug 358 Thu Mar 1 14:25:12 GMT 2007 (njh) ---------------------------------- * libclamav/pdf.c: Fix compilation error on machines without mmap() Thu Mar 1 11:24:40 GMT 2007 (trog) ----------------------------------- * libclamav/unrar/unrar.c, unrarvm.c: better fix for bb#350 Thu Mar 1 11:43:07 CET 2007 (tk) 
--------------------------------- * libclamav/unrar/unrar.c: skip all files inside multi-volume solid archives (but still scan their metadata) Thu Mar 1 09:10:04 GMT 2007 (njh) ---------------------------------- * libclamav/pdf.c: Try with both real and calculated Length fields, since the Length object can't always be trusted Improved backing out of unhandled formats (e.g. Predictor for images and embedded fonts) Thu Mar 1 02:36:40 CET 2007 (tk) --------------------------------- * libclamav/unrar/unrar.c: improve handling of multi-volume archives: do not report CL_ESUPPORT, instead scan all complete files and do full metadata scan Wed Feb 28 23:40:04 CET 2007 (tk) --------------------------------- * libclamav/others.h: update NAME_MAX block and add workaround for HP-UX (bb#367) Wed Feb 28 21:55:22 CET 2007 (tk) --------------------------------- * libclamav/unrar/unrar.c: fix leak in cli_unrar_extract_next_prepare (bb#352) Patch from Edwin Wed Feb 28 21:48:59 CET 2007 (tk) --------------------------------- * libclamav/unrar/unrar.c: fix rarvm memory leak (bb#350), patch from Edwin Wed Feb 28 16:22:08 CET 2007 (tk) --------------------------------- * libclamav/filetypes.c: comment out dead code (see bb#373), spotted by "alex" <alex77*vip.sina.com> Wed Feb 28 02:17:39 CET 2007 (tk) --------------------------------- * shared: merge win32 patches from NJH Wed Feb 28 01:48:27 CET 2007 (tk) --------------------------------- * drop shared/memory.[ch] Wed Feb 28 01:14:19 CET 2007 (tk) --------------------------------- * libclamav: minor cleanup (bb#247) Tue Feb 27 23:25:46 CET 2007 (acab) ----------------------------------- * libclamav/petite.c: invalid read in valgrind (bb#369) Mon Feb 26 20:16:14 CET 2007 (acab) ----------------------------------- * libclamav/pe.c: minor cleanup (bb#247) Sun Feb 25 20:50:54 CET 2007 (tk) --------------------------------- * libclamav/scanners.c: fix small memory leak (bb#359) Sun Feb 25 17:00:31 CET 2007 (acab) 
----------------------------------- * libclamav/pe.c: fix leaks on upack return (bb#351) Sun Feb 25 14:40:10 CET 2007 (tk) --------------------------------- * libclamav/unzip.c: fix memory leak when extracting stored files Sun Feb 25 12:18:42 CET 2007 (tk) --------------------------------- * libclamav/readdb.c,lockdb.c: merge win32 patches from NJH Sun Feb 25 01:58:55 CET 2007 (tk) --------------------------------- * clamscan: merge win32 patches from NJH Sat Feb 24 22:47:28 GMT 2007 (njh) ---------------------------------- * libclamav/pdf.c: Remove warning on FreeBSD4.11 Sat Feb 24 19:40:01 CET 2007 (tk) --------------------------------- * clamscan, clamdscan, clamconf: compile with CL_NOTHREADS defined Sat Feb 24 17:47:54 CET 2007 (tk) --------------------------------- * libclamav: fix memory leaks in db handling code Sat Feb 24 11:44:34 GMT 2007 (njh) ---------------------------------- * libclamav/mbox.c: Fix confusion when recursing to multipart/related Sat Feb 24 02:32:57 CET 2007 (tk) --------------------------------- * configure, libclamav: add support for HP-UX 11.11 with native compiler (bb#180), thanks to Edwin Fri Feb 23 21:42:08 CET 2007 (tk) --------------------------------- * configure: use -pthread also for FreeBSD 6.x Fri Feb 23 20:22:20 GMT 2007 (njh) ---------------------------------- * libclamav/untar.c: Added extra functionality (bug 269) - based on patches from Andy Fiddaman clamav * fiddaman.net Fri Feb 23 19:22:43 GMT 2007 (njh) ---------------------------------- * clamav-milter/clamav-milter.c: Fix compilation error on Solaris (bug 347) Fri Feb 23 18:19:43 CET 2007 (tk) --------------------------------- * clamd/scanner.c: fix compilation error on Solaris (bb#341) Fri Feb 23 15:37:40 GMT 2007 (njh) ---------------------------------- * libclamav/mbox.c: Handle wide characters on Windows Thu Feb 22 18:40:20 GMT 2007 (njh) ---------------------------------- * libclamav/tnef.c: Remove warning messages Thu Feb 22 19:03:50 CET 2007 (tk) 
--------------------------------- * freshclam: merge win32 patches from NJH Thu Feb 22 18:12:53 CET 2007 (tk) --------------------------------- * clamd/clamd.c: print some more information in Foreground mode (bb#317) Thu Feb 22 17:16:54 CET 2007 (tk) --------------------------------- * shared/misc.c: drop rmdirs() and use cli_rmdirs() instead Thu Feb 22 16:51:33 CET 2007 (tk) --------------------------------- * libclamav: new scan setting CL_SCAN_PDF * clamd: new option ScanPDF (default: no) * clamscan: new switch --no-pdf (PDF scanning enabled by default) * docs: update Thu Feb 22 15:32:33 GMT 2007 (njh) ---------------------------------- * libclamav: s/sanitiseFilename/cli_sanitise_filename/, patch from trog Changed some strdup to cli_strdup Thu Feb 22 15:43:33 CET 2007 (acab) ----------------------------------- * clamd: handle signals while polling in select mode Thu Feb 22 14:57:10 GMT 2007 (njh) ---------------------------------- * clamav-milter/clamav-milter.c: Fix typo Thu Feb 22 13:28:00 CET 2007 (tk) --------------------------------- * shared/misc.c: daemonize: don't re-utilize descriptor 0 Thu Feb 22 10:31:23 CET 2007 (acab) ----------------------------------- * clamd: handle signals while polling the sockets in the main loop (bb#320) Thu Feb 22 09:00:31 GMT 2007 (njh) ---------------------------------- * clamav-milter/clamav-milter.c: Better recovery when a remote clamd goes down Wed Feb 21 20:40:49 GMT 2007 (njh) ---------------------------------- * libclamav/message.c: Better warning message, bug 311 Wed Feb 21 20:07:00 GMT 2007 (njh) ---------------------------------- * libclamav/pst.c: Include upstream patches * libclamav/mbox.c: Fix bug 326, reported by Edvin Wed Feb 21 19:10:42 GMT 2007 (njh) ---------------------------------- * clamav-milter/clamav-milter.c: Use logg() functions instead of syslog. Needed for code tidy, and also possibly fixes bug 332. 
Wed Feb 21 17:26:00 CET 2007 (edwin) ------------------------------------ * libclamav/entconv.c: don't cache iconv_open() failures. (bb #329) Tue Feb 20 21:11:29 CET 2007 (tk) --------------------------------- * configure: fix compilation errors on FreeBSD (bb#306) Tue Feb 20 20:51:57 CET 2007 (tk) --------------------------------- * configure: add support for osf/tru64 Tue Feb 20 20:19:04 CET 2007 (tk) --------------------------------- * clamd: merge multiscan() with dirscan() (also closes bb#302) Tue Feb 20 16:43:27 CET 2007 (tk) --------------------------------- * libclamav/others.c: increase f-level to activate RTF extractor Tue Feb 20 15:59:12 CET 2007 (tk) --------------------------------- * clamd, clamconf: merge win32 patches from NJH Tue Feb 20 11:53:47 GMT 2007 (trog) ----------------------------------- * libclamav/unrar: allow for sparc aligned access requirements (bb#304) Mon Feb 19 18:28:52 CET 2007 (tk) --------------------------------- * libclamav/sis.c: improve debug messages Sun Feb 18 21:26:26 CET 2007 (acab) ----------------------------------- * libclamav/pe.c: improved broken detection - closes bb#305 Sun Feb 18 21:23:12 CET 2007 (tk) --------------------------------- * libclamav/lockdb.c: win32 fix (bb#255) Sun Feb 18 16:42:45 CET 2007 (edwin) ------------------------------------ * libclamav/phish_*.c, regex_list.c: Remove obsolete $Log$ keyword. Sun Feb 18 15:32:45 CET 2007 (tk) --------------------------------- * libclamav/filetypes.c: add more tags to HTML rule set (bb#218) Sun Feb 18 15:03:37 CET 2007 (tk) --------------------------------- * libclamav/unzip.c: handle some deflate64 compressed files Sat Feb 17 11:20:17 CET 2007 (edwin) ------------------------------------ * libclamav/entconv.c: Don't normalize buffer shorter than 2 bytes. Sat Feb 17 11:20:17 CET 2007 (edwin) ------------------------------------ * libclamav/rtf.c: Fix possible memory leak, and add more sanity checks. 
Sat Feb 17 02:34:17 CET 2007 (acab) ----------------------------------- * libclamav/rtf.c: Don't spin on on cli_readn (bb#312) - patch from Edvin Sat Feb 17 01:31:45 CET 2007 (acab) ----------------------------------- * libclamav/regex_list.c: Close #303 - patch from Edvin Fri Feb 16 12:29:51 GMT 2007 (njh) ---------------------------------- * libclamav/clamav-milter.c: Added support for sendmail 8.14, bug 267, patch from Andy Fiddaman <clam fiddaman.net> Thu Feb 15 16:34:48 CET 2007 (tk) --------------------------------- * libclamav/rtf.c: add more sanity checks (Edwin) Thu Feb 15 16:18:53 CET 2007 (tk) --------------------------------- * freshclam/manager.c: fix warning message (bb#292) Thu Feb 15 12:27:22 GMT 2007 (njh) ---------------------------------- * libclamav/mbox.c: Fixed bugs in the handling of boundary lines Improved handling of the warning messages associated with recursion limits Fixed handling of OK_ATTACHMENTS_NOT_SAVED in some larger files Wed Feb 14 13:15:25 CET 2007 (tk) --------------------------------- * libclamav/entconv.c: fix incorrect use of isspace() in experimental code Tue Feb 13 22:34:40 CET 2007 (tk) --------------------------------- * libclamav: fix some debug messages Tue Feb 13 19:48:22 GMT 2007 (njh) ---------------------------------- * libclamav/mbox.c: Fix BeOS link error Tue Feb 13 19:24:49 GMT 2007 (njh) ---------------------------------- * libclamav/phishcheck.c: Fix warning message, patch from Edvin Tue Feb 13 19:04:35 GMT 2007 (njh) ---------------------------------- * libclamav/mbox.c,phishcheck.c: Fix compilation errors on BeOS -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Martin.Hepworth > Sent: 02 March 2007 12:44 > To: MailScanner discussion > Subject: RE: ClamAV 0.90.1 is out > > Phil > > Wonderful, anyone summarised the changelog into something > readable....ie > what's changed in a nutshell. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Randal, Phil > > Sent: 02 March 2007 12:28 > > To: MailScanner (mailscanner@lists.mailscanner.info) > > Subject: ClamAV 0.90.1 is out > > > > I dropped it into the perl-tar subdirectory of install-ClamSA. > > > > This patch to install.sh is needed - ldconfig needs running > > unconditionally: > > > > --- install.sh.old 2007-03-02 12:26:48.000000000 +0000 > > +++ install.sh 2007-03-02 12:26:17.000000000 +0000 > > @@ -1,6 +1,6 @@ > > #!/bin/sh > > > > -CLAMAVVERSION=0.90 > > +CLAMAVVERSION=0.90.1 > > export CLAMAVVERSION > > LDSOCONF=/etc/ld.so.conf > > CLAMETC=/usr/local/etc 
> > @@ -232,8 +232,8 @@ > > echo the ClamAV library can be found by the clamavmodule and > > echo clamav virus scanners. > > echo /usr/local/lib >> $LDSOCONF > > - /sbin/ldconfig > > fi > > + /sbin/ldconfig > > sleep 2 > > else > > echo You may need to add /usr/local/lib to the > directories searched > > > > Cheers, > > > > Phil > > > > -- > > Phil Randal > > Network Engineer > > Herefordshire Council > > Hereford, UK >
From sandrews at andrewscompanies.com Fri Mar 2 15:27:17 2007 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Fri Mar 2 14:32:56 2007 Subject: Consolidated spammy countries rbl References: <45E7FC0B.9010807@mailwash.com.au> Message-ID: <1964AAFBC212F742958F9275BF63DBB04B02D3@winchester.andrewscompanies.com> I'm gonna give it a run today. What's your plan for this? Are you thinking about releasing what you've got on this so folks could implement on their own? Steve -----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tony Enderby Sent: Friday, March 02, 2007 5:27 AM To: MailScanner discussion Subject: Consolidated spammy countries rbl If anyone is interested, I have a test rbldnsd zone running that I would like to make available to this list at spammy_countries.sme-secure.com The ISO country codes included in this zone are listed below so if you would like to add it to your spam.lists.conf or your SA config make sure you do not need to receive email from these countries. The IP data is a direct feed from the singular country zones at countries.nerd.dk consolidated into the one zone. To test before implementing simply run the following command from a shell and you should get 127.0.0.2 as the record for the ip address. host 32.33.12.62.spammy_countries.sme-secure.com Please send me a message on the list if you decide to use this zone so I can keep a close eye on the machines serving the zone to ensure availability. - Tony. ae ar br ca cl cn de eg fr hk il in jp kr ma my ng nl pe pl ru sg th tr tw ua uy za From campbell at cnpapers.com Fri Mar 2 15:28:35 2007 From: campbell at cnpapers.com (Steve Campbell) Date: Fri Mar 2 14:34:32 2007 Subject: quarantined non-spam attachments References: <45E78661.2050508@pronet.co.nz> <223f97700703020035w6706b53bieaaad7b1ad86dc19@mail.gmail.com> Message-ID: <00c101c75cd7$0ffde510$0705000a@ddf5dw71> ----- Original Message -----
From: "Glenn Steen"
To: "MailScanner discussion"
Sent: Friday, March 02, 2007 3:35 AM
Subject: Re: quarantined non-spam attachments

> On 02/03/07, Brent Addis wrote:
>> Hi.
>>
>> We currently store mail in quarantine for a few users, for a set period
>> of days. this includes non spam. Some of these clients have messages
>> numbering in the thousands. Now, obviously releasing all of these
>> messages with mailwatch is a bit difficult (Being that it releases one
>> at a time).
>>
>> Is there an easily scriptable way of either, sending these messages to
>> the client, in such a way that they can actually see attachments and use
>> them, or copying out the attachment, which I can put into a directory
>> for the client to access. Sending standard text as attachments is easy
>> enough, however the attached files also come through as text, which is
>> less than helpful for things such as word documents.
>>
>> I currently have a script that runs through all the quarantine
>> directories, copies needed messages into a directory, and either mails
>> them off, or lets the client access them via ftp/smb/webdav
>>
>> Having mailscanner email messages to an email address does not really
>> work in this situation.
>>
>> any ideas, or software that may be able to help?
>
> The Message Operations page will let you release them 50/page. You
> find that on the reports page, so it is simple to limit to one
> customer or other.

Sorry to interject into this thread, but I only see where I can set these as Spam, Ham, or Forget these in Bayes or Clear the flags. All of this is with a "Learn" button. I do not see where I can release any of these. Could you explain a little please?

Thanks

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

From glenn.steen at gmail.com Fri Mar 2 16:01:13 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Mar 2 15:06:53 2007
Subject: quarantined non-spam attachments
In-Reply-To: <00c101c75cd7$0ffde510$0705000a@ddf5dw71>
References: <45E78661.2050508@pronet.co.nz> <223f97700703020035w6706b53bieaaad7b1ad86dc19@mail.gmail.com> <00c101c75cd7$0ffde510$0705000a@ddf5dw71>
Message-ID: <223f97700703020701p5a0963d9xc64bf986a8115b44@mail.gmail.com>

On 02/03/07, Steve Campbell wrote:
>
> ----- Original Message -----
> From: "Glenn Steen"
> To: "MailScanner discussion"
> Sent: Friday, March 02, 2007 3:35 AM
> Subject: Re: quarantined non-spam attachments
>
>
> > On 02/03/07, Brent Addis wrote:
> >> Hi.
> >>
> >> We currently store mail in quarantine for a few users, for a set period
> >> of days. this includes non spam. Some of these clients have messages
> >> numbering in the thousands. Now, obviously releasing all of these
> >> messages with mailwatch is a bit difficult (Being that it releases one
> >> at a time).
> >>
> >> Is there an easily scriptable way of either, sending these messages to
> >> the client, in such a way that they can actually see attachments and use
> >> them, or copying out the attachment, which I can put into a directory
> >> for the client to access. Sending standard text as attachments is easy
> >> enough, however the attached files also come through as text, which is
> >> less than helpful for things such as word documents.
> >>
> >> I currently have a script that runs through all the quarantine
> >> directories, copies needed messages into a directory, and either mails
> >> them off, or lets the client access them via ftp/smb/webdav
> >>
> >> Having mailscanner email messages to an email address does not really
> >> work in this situation.
> >>
> >> any ideas, or software that may be able to help?
> >
> > The Message Operations page will let you release them 50/page. You
> > find that on the reports page, so it is simple to limit to one
> > customer or other.
>
> Sorry to interject into this thread, but I only see where I can set these as
> Spam, Ham, or Forget these in Bayes or Clear the flags. All of this is with
> a "Learn" button. I do not see where I can release any of these. Could you
> explain a little please?
>

Right you are, my bad. I was looking at my rather ... non-standard... MessageOps. Sorry. Not sure I can produce a usable patch from this.
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From gianluca.simoni at cstnet.it Fri Mar 2 16:08:41 2007
From: gianluca.simoni at cstnet.it (Gianluca Simoni)
Date: Fri Mar 2 15:14:27 2007
Subject: KickMessage failed as couldn't write to /var/spool/postfix/public/qmgr
Message-ID: <20070302150902.15A212EC9A@flick.local>

Hi,

I've installed MailScanner-4.58.9 and I'm running Postfix 2.3.7. All is running but I've this error in the log:

"KickMessage failed as couldn't write to /var/spool/postfix/public/qmgr, No such device address "

I've read in the mailing list archive about a problem of Postfix.pm and function KickMessage but I think it regards an old MailScanner version.

This is the permission on the directory:

root@flick:/var/spool/postfix/public> ls -lrt
total 8
drwxr-xr-x 21 root postfix 4096 Mar 1 16:42 ..
srw-rw-rw- 1 postfix postfix 0 Mar 1 17:55 showq
srw-rw-rw- 1 postfix postfix 0 Mar 1 17:55 qmgr
srw-rw-rw- 1 postfix postfix 0 Mar 1 17:55 pickup
srw-rw-rw- 1 postfix postfix 0 Mar 1 17:55 flush
srw-rw-rw- 1 postfix postfix 0 Mar 1 17:55 cleanup
drwx--x--- 2 postfix postdrop 4096 Mar 1 17:55

and the setting in MailScanner.conf:

#####################################################
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix
#####################################################

This is the output of MailScanner --lint

root@flick:/opt/MailScanner/bin> ./MailScanner --lint
Read 764 hostnames from the phishing whitelist
Checking version numbers...
Version number in MailScanner.conf (4.58.9) is correct.
MailScanner setting GID to (51)
MailScanner setting UID to (51)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = flock
MailScanner.conf says "Virus Scanners = clamav"
Found these virus scanners installed: clamavmodule

Can anyone help me?
Thanks,
Gianluca

From am.lists at gmail.com Fri Mar 2 17:12:56 2007
From: am.lists at gmail.com (am.lists)
Date: Fri Mar 2 16:18:36 2007
Subject: quarantined non-spam attachments
In-Reply-To: <223f97700703020701p5a0963d9xc64bf986a8115b44@mail.gmail.com>
References: <45E78661.2050508@pronet.co.nz> <223f97700703020035w6706b53bieaaad7b1ad86dc19@mail.gmail.com> <00c101c75cd7$0ffde510$0705000a@ddf5dw71> <223f97700703020701p5a0963d9xc64bf986a8115b44@mail.gmail.com>
Message-ID: <25a66d840703020812p58fe8fe6k55c09a2a879542d3@mail.gmail.com>

Brent,

Glenn is referring to the "multiple release" mod. It allows you to bulk-release messages.

The instructions on how to do this are available here:

http://mailwatch.sourceforge.net/doku.php?id=mailwatch:tipandtricks:multirelease

Angelo

From glenn.steen at gmail.com Fri Mar 2 17:55:44 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Mar 2 17:01:24 2007
Subject: quarantined non-spam attachments
In-Reply-To: <25a66d840703020812p58fe8fe6k55c09a2a879542d3@mail.gmail.com>
References: <45E78661.2050508@pronet.co.nz> <223f97700703020035w6706b53bieaaad7b1ad86dc19@mail.gmail.com> <00c101c75cd7$0ffde510$0705000a@ddf5dw71> <223f97700703020701p5a0963d9xc64bf986a8115b44@mail.gmail.com> <25a66d840703020812p58fe8fe6k55c09a2a879542d3@mail.gmail.com>
Message-ID: <223f97700703020855n23df992cu92cf7fdbbde5ee81@mail.gmail.com>

On 02/03/07, am.lists wrote:
> Brent,
>
> Glenn is referring to the "multiple release" mod. It allows you to
> bulk-release messages.
>
> The instructions on how to do this are available here:
>
> http://mailwatch.sourceforge.net/doku.php?id=mailwatch:tipandtricks:multirelease
>
> Angelo

Thanks Angelo, I had completely forgotten _where_ I got that mod:-). Combined with the usual "quarantined > 0" oneline patch (the Dahwal patch;) to rep_message_ops.php one does indeed get the effect I mentioned in the original message. Sigh, I have to start making better notes:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From gdoris at rogers.com Fri Mar 2 20:30:58 2007
From: gdoris at rogers.com (Gerry Doris)
Date: Fri Mar 2 19:36:40 2007
Subject: ClamAV 0.90.1 is out
In-Reply-To: <79755AA4E018084793EE618A2731F24C1223F3@HC-MBX01.herefordshire.gov.uk>
References: <79755AA4E018084793EE618A2731F24C1223F3@HC-MBX01.herefordshire.gov.uk>
Message-ID: <45E87B72.60804@rogers.com>

Randal, Phil wrote:
> I dropped it into the perl-tar subdirectory of install-ClamSA.
>
> This patch to install.sh is needed - ldconfig needs running
> unconditionally:
>
> --- install.sh.old 2007-03-02 12:26:48.000000000 +0000 > +++ install.sh 2007-03-02 12:26:17.000000000 +0000
> @@ -1,6 +1,6 @@ > #!/bin/sh > > -CLAMAVVERSION=0.90 > +CLAMAVVERSION=0.90.1 > export CLAMAVVERSION > LDSOCONF=/etc/ld.so.conf > CLAMETC=/usr/local/etc > @@ -232,8 +232,8 @@ > echo the ClamAV library can be found by the clamavmodule and > echo clamav virus scanners. > echo /usr/local/lib >> $LDSOCONF > - /sbin/ldconfig > fi > + /sbin/ldconfig > sleep 2 > else > echo You may need to add /usr/local/lib to the directories searched
>
> Cheers,
>
> Phil
>
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK

I'm sorry but I've lost track of what's been going on with ClamAV. I know there was a problem with version 0.90 and clamavmodule. Is that now fixed with 0.90.1 and the patch you provided?

From rgreen at trayerproducts.com Fri Mar 2 20:31:04 2007
From: rgreen at trayerproducts.com (Rodney Green)
Date: Fri Mar 2 19:36:44 2007
Subject: Julian Field in hospital
In-Reply-To: <45E74BB7.2070107@nkpanama.com>
References: <45E58D82.8060409@coders.co.uk> <45E595A8.30308@pixelhammer.com> <45E59A97.6010506@coders.co.uk> <20070301172638.GB702@login.ecs.soton.ac.uk> <45E74BB7.2070107@nkpanama.com>
Message-ID: <31e7748d0703021131g4882e323k8810aea64225576f@mail.gmail.com>

Any updates on Julian today?

From dominian at slackadelic.com Fri Mar 2 20:41:46 2007
From: dominian at slackadelic.com (Matt Hayes)
Date: Fri Mar 2 19:47:31 2007
Subject: Julian Field in hospital
In-Reply-To: <31e7748d0703021131g4882e323k8810aea64225576f@mail.gmail.com>
References: <45E58D82.8060409@coders.co.uk> <45E595A8.30308@pixelhammer.com> <45E59A97.6010506@coders.co.uk> <20070301172638.GB702@login.ecs.soton.ac.uk> <45E74BB7.2070107@nkpanama.com> <31e7748d0703021131g4882e323k8810aea64225576f@mail.gmail.com>
Message-ID: <45E87DFA.2050801@slackadelic.com>

Not that I'm aware of. Although in IRC we found that an issue with the website has caused it to be "unavailable" for now. Maybe they are linked ;)

-Matt

Rodney Green wrote:
> Any updates on Julian today?

From z at ziff.net Fri Mar 2 20:47:11 2007
From: z at ziff.net (Zivago Lee)
Date: Fri Mar 2 19:53:03 2007
Subject: ClamAV 0.90.1 is out
In-Reply-To: <45E87B72.60804@rogers.com>
References: <79755AA4E018084793EE618A2731F24C1223F3@HC-MBX01.herefordshire.gov.uk> <45E87B72.60804@rogers.com>
Message-ID: <2558.209.104.55.7.1172864831.squirrel@mail.ziff.net>

> Randal, Phil wrote:
>> I dropped it into the perl-tar subdirectory of install-ClamSA.
>>
>> This patch to install.sh is needed - ldconfig needs running
>> unconditionally:
>>
>> --- install.sh.old 2007-03-02 12:26:48.000000000 +0000 >> +++ install.sh 2007-03-02 12:26:17.000000000 +0000 >> @@ -1,6 +1,6 @@ >> #!/bin/sh >> >> -CLAMAVVERSION=0.90 >> +CLAMAVVERSION=0.90.1 >> export CLAMAVVERSION >> LDSOCONF=/etc/ld.so.conf >> CLAMETC=/usr/local/etc
>> @@ -232,8 +232,8 @@ >> echo the ClamAV library can be found by the clamavmodule and >> echo clamav virus scanners. >> echo /usr/local/lib >> $LDSOCONF >> - /sbin/ldconfig >> fi >> + /sbin/ldconfig >> sleep 2 >> else >> echo You may need to add /usr/local/lib to the directories searched
>>
>> Cheers,
>>
>> Phil
>>
>> --
>> Phil Randal
>> Network Engineer
>> Herefordshire Council
>> Hereford, UK
>
> I'm sorry but I've lost track of what's been going on with ClamAV. I
> know there was a problem with version 0.90 and clamavmodule. Is that
> now fixed with 0.90.1 and the patch you provided?

The problem between 0.90 and the clamavmodule is fixed by getting the latest version of the Mail::ClamAV (0.20, I believe). 0.90.1 fixes a few other issues, one where it makes the daily.inc directory with 700 permissions unnecessarily every time it updates.

--
Zivago Lee
z@ziff.net

From michele at blacknight.ie Fri Mar 2 20:54:44 2007
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Fri Mar 2 20:00:30 2007
Subject: Julian Field in hospital
In-Reply-To: <45E87DFA.2050801@slackadelic.com>
References: <45E58D82.8060409@coders.co.uk> <45E595A8.30308@pixelhammer.com> <45E59A97.6010506@coders.co.uk> <20070301172638.GB702@login.ecs.soton.ac.uk> <45E74BB7.2070107@nkpanama.com> <31e7748d0703021131g4882e323k8810aea64225576f@mail.gmail.com> <45E87DFA.2050801@slackadelic.com>
Message-ID: <45E88104.4020404@blacknight.ie>

Matt Hayes wrote:
> Not that I'm aware of. Although in IRC we found that an issue with the
> website has caused it to be "unavailable" for now. Maybe they are
> linked ;)

The site should be working fine!

/me grumbles loudly

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
UK: 0870 163 0607
Fax. +353 (0) 59 9164239

From jonbjorn at mbl.is Fri Mar 2 21:21:11 2007
From: jonbjorn at mbl.is (Jon Bjorn Njalsson)
Date: Fri Mar 2 20:26:55 2007
Subject: disable spamcheck for a user
Message-ID: <22366.85.197.196.95.1172866871.squirrel@postur.mbl.is>

Hi all.

First of all, Julian, best wishes for quick recovery from Iceland.

Second

I run a mailserver for few domains, have one user who wants all spam in his inbox, how can I disable spamscan for that user ?

regards
Jon

From michele at blacknight.ie Fri Mar 2 21:31:07 2007
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Fri Mar 2 20:36:56 2007
Subject: disable spamcheck for a user
In-Reply-To: <22366.85.197.196.95.1172866871.squirrel@postur.mbl.is>
References: <22366.85.197.196.95.1172866871.squirrel@postur.mbl.is>
Message-ID: <45E8898B.5020701@blacknight.ie>

Jon Bjorn Njalsson wrote:
> I run a mailserver for few domains, have one user who wants all spam in
> his inbox, how can I disable spamscan for that user ?

Using a ruleset :)

You'd basically want to change your spamchecking to a ruleset and then turn the default setting to on with a specific rule for your "special" user's email address(es)

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
UK: 0870 163 0607
Fax. +353 (0) 59 9164239

From Denis.Beauchemin at USherbrooke.ca Fri Mar 2 21:46:17 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Mar 2 20:52:05 2007
Subject: disable spamcheck for a user
In-Reply-To: <45E8898B.5020701@blacknight.ie>
References: <22366.85.197.196.95.1172866871.squirrel@postur.mbl.is> <45E8898B.5020701@blacknight.ie>
Message-ID: <45E88D19.90201@USherbrooke.ca>

Michele Neylon :: Blacknight wrote:
> Jon Bjorn Njalsson wrote:
> > I run a mailserver for few domains, have one user who wants all spam in
> >> his inbox, how can I disable spamscan for that user ?
>>
>
> Using a ruleset :)
>
> You'd basically want to change your spamchecking to a ruleset and then
> turn the default setting to on with a specific rule for your "special"
> user's email address(es)
>
> Regards
>
> Michele
>
>
>

Don't forget that you'll need to split each incoming message to individual recipients if you don't want any annoying side effects...

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From prandal at herefordshire.gov.uk Fri Mar 2 22:03:16 2007
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Fri Mar 2 21:09:04 2007
Subject: ClamAV 0.90.1 is out
Message-ID: <79755AA4E018084793EE618A2731F24C03A5EF@HC-MBX01.herefordshire.gov.uk>

> I'm sorry but I've lost track of what's been going on
> with ClamAV. I know there was a problem with version
> 0.90 and clamavmodule. Is that now fixed with 0.90.1
> and the patch you provided?

No, my additional instructions were an adjunct to my post of 27th February to this list (Subject was "Re: Spamassassin 3.1.8").

Cheers,

Phil

From hvdkooij at vanderkooij.org Fri Mar 2 22:03:59 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Mar 2 21:09:43 2007
Subject: "Intention Analysis"
In-Reply-To: <223f97700703020040r2492749fx551f3c481d08ac7f@mail.gmail.com>
References: <25a66d840703011414w638fd0ck62f128b3e2c4946b@mail.gmail.com> <25a66d840703011900t1eb7fda5qa8ebb19aadf72623@mail.gmail.com> <223f97700703020040r2492749fx551f3c481d08ac7f@mail.gmail.com>
Message-ID:

On Fri, 2 Mar 2007, Glenn Steen wrote:
> On 02/03/07, Hugo van der Kooij wrote:
>>
>> The Barracuda solution is fine for those networks whose admins find
>> clicking on the right spots in exchange is a challenge. It has a decent
>> set of tools and it is actively maintained so at present I find it is the
>> best boxed solution you can find with a reasonably good track record.
>>
> Hm, have you compared this in-depth with DefenderMX (which is
> available in an appliance as well as not:)? DefenderMX is the
> commercial variant of MailScanner/MailWatch sold by FSL, if you
> haven't heard of it.

I have not tested it head to head against DefenderMX. We have some AV manufacturers who think they understand SPAM and ..... (Well let me suffice to say you don't want to maintain their anti-spam configuration.)

I will give it a thought next week with our Product Manager. It is one thing to write up marketing papers it is another to see how the actual implementation holds out in a field trial.

Hugo.

--
hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From tjc at ecs.soton.ac.uk Fri Mar 2 22:14:49 2007
From: tjc at ecs.soton.ac.uk (Tim Chown)
Date: Fri Mar 2 21:20:47 2007
Subject: Julian Field in hospital
In-Reply-To: <31e7748d0703021131g4882e323k8810aea64225576f@mail.gmail.com>
References: <45E58D82.8060409@coders.co.uk> <45E595A8.30308@pixelhammer.com> <45E59A97.6010506@coders.co.uk> <20070301172638.GB702@login.ecs.soton.ac.uk> <45E74BB7.2070107@nkpanama.com> <31e7748d0703021131g4882e323k8810aea64225576f@mail.gmail.com>
Message-ID: <20070302211449.GC2418@login.ecs.soton.ac.uk>

On Fri, Mar 02, 2007 at 02:31:04PM -0500, Rodney Green wrote:
> Any updates on Julian today?

His dad said that he had a good night on Thursday and looked much better in general this morning. The next step is bringing him round from under the drugs... they are likely to try today or tomorrow.

So the last two days have been as good as we could have hoped :)

--
Tim

From dyioulos at firstbhph.com Fri Mar 2 22:24:04 2007
From: dyioulos at firstbhph.com (Dimitri Yioulos)
Date: Fri Mar 2 21:29:57 2007
Subject: Julian Field in hospital
In-Reply-To: <20070302211449.GC2418@login.ecs.soton.ac.uk>
References: <45E58D82.8060409@coders.co.uk> <31e7748d0703021131g4882e323k8810aea64225576f@mail.gmail.com> <20070302211449.GC2418@login.ecs.soton.ac.uk>
Message-ID: <200703021624.05820.dyioulos@firstbhph.com>

On Friday 02 March 2007 4:14 pm, Tim Chown wrote:
> On Fri, Mar 02, 2007 at 02:31:04PM -0500, Rodney Green wrote:
> > Any updates on Julian today?
>
> His dad said that he had a good night on Thursday and looked much better
> in general this morning. The next step is bringing him round from
> under the drugs... they are likely to try today or tomorrow.
>
> So the last two days have been as good as we could have hoped :)
>
> --
> Tim

Thanks for the update, Tim. All the thoughts and prayers, and Julian's tenacity, seem to be working.

Dimitri

From TGFurnish at herffjones.com Fri Mar 2 22:52:40 2007
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Fri Mar 2 21:59:14 2007
Subject: message is spam because it was sent from mailscanner...
Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC94D@inex3.herffjones.hj-int>

Ok, not a problem, just a bit of irony to share.

I was just asked to break down why a particular message was marked as spam, and one of the highly scored rules that triggered turned out to be INFO_TLD ("contains a URL in the INFO top-level domain"). What URL was it? Why http://www.mailscanner.info, of course. It was in the standard MS footer. So in effect someone else's use of mailscanner contributed to my mailscanner tagging their mail as spam.

Again, not a problem, no need to tell me how to fix it, just a bit of irony to share for a Friday afternoon. :-)

--
Trever Furnish, tgfurnish@herffjones.com
Herff Jones, Inc. Unix / Network Administrator
Phone: 317.612.3519
Any sufficiently advanced technology is indistinguishable from Unix.

From mkettler at evi-inc.com Fri Mar 2 23:43:35 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Mar 2 22:49:19 2007
Subject: message is spam because it was sent from mailscanner...
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC94D@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC94D@inex3.herffjones.hj-int>
Message-ID: <45E8A897.6050808@evi-inc.com>

Perhaps you should update your SA rules.

The current set of rules from sa-update has had INFO_TLD removed..

Furnish, Trever G wrote:
> Ok, not a problem, just a bit of irony to share.
>
> I was just asked to break down why a particular message was marked as
> spam, and one of the highly scored rules that triggered turned out to be
> INFO_TLD ("contains a URL in the INFO top-level domain"). What URL was
> it? Why http://www.mailscanner.info, of course. It was in the standard
> MS footer. So in effect someone else's use of mailscanner contributed
> to my mailscanner tagging their mail as spam.
>
> Again, not a problem, no need to tell me how to fix it, just a bit of
> irony to share for a Friday afternoon. :-)
>

From mkettler at evi-inc.com Sat Mar 3 00:00:36 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Mar 2 23:06:27 2007
Subject: message is spam because it was sent from mailscanner...
In-Reply-To: <45E8A897.6050808@evi-inc.com>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC94D@inex3.herffjones.hj-int> <45E8A897.6050808@evi-inc.com>
Message-ID: <45E8AC94.9080409@evi-inc.com>

Matt Kettler wrote:
> Perhaps you should update your SA rules.
>
> The current set of rules from sa-update has had INFO_TLD removed..
>

For further reference, this appears to have happened somewhere between update 487253 published 12/15/2006, and 488380, published 12/19/2006.

Note that even though SpamAssassin 3.1.8 was published after this change, it still contains more-or-less the original 3.1.0 ruleset, with only the more serious bugfixes in it.

From ssilva at sgvwater.com Sat Mar 3 00:13:45 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Mar 2 23:19:48 2007
Subject: message is spam because it was sent from mailscanner...
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D0302BAC94D@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D0302BAC94D@inex3.herffjones.hj-int>
Message-ID:

Furnish, Trever G spake the following on 3/2/2007 1:52 PM:
> Ok, not a problem, just a bit of irony to share.
>
> I was just asked to break down why a particular message was marked as
> spam, and one of the highly scored rules that triggered turned out to be
> INFO_TLD ("contains a URL in the INFO top-level domain"). What URL was
> it? Why http://www.mailscanner.info, of course. It was in the standard
> MS footer. So in effect someone else's use of mailscanner contributed
> to my mailscanner tagging their mail as spam.
>
> Again, not a problem, no need to tell me how to fix it, just a bit of
> irony to share for a Friday afternoon. :-)

Maybe that is why mailscanner caused swapping! ;-P

I couldn't resist!

/hangs head in shame

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From mgt at stellarcore.net Sat Mar 3 01:30:48 2007
From: mgt at stellarcore.net (Mike Tremaine)
Date: Sat Mar 3 00:36:34 2007
Subject: Julian Field in hospital
In-Reply-To: <200703022131.l22LVEvJ005233@safir.blacknight.ie>
References: <200703022131.l22LVEvJ005233@safir.blacknight.ie>
Message-ID: <45E8C1B8.9030203@stellarcore.net>

> On Fri, Mar 02, 2007 at 02:31:04PM -0500, Rodney Green wrote:
>> > Any updates on Julian today?
>
> His dad said that he had a good night on Thursday and looked much better
> in general this morning. The next step is bringing him round from
> under the drugs... they are likely to try today or tomorrow.
>
> So the last two days have been as good as we could have hoped :)
>
> -- Tim

This is great to hear! I've been on pins and needles waiting to hear some good news. Best wishes Julian from San Diego, Ca....

-Mike

From am.lists at gmail.com Sat Mar 3 01:48:09 2007
From: am.lists at gmail.com (am.lists)
Date: Sat Mar 3 00:53:51 2007
Subject: SOT: Image Spam: Stocks
Message-ID: <25a66d840703021648g12324c5cq9b16f527f16eed1f@mail.gmail.com>

Has anyone ever looked at the tickers that are spammed out in those image spam stock scams?

Just curious. I occasionally look them up to see if the "big news" ever comes, or if the stocks that are mentioned ever move. I bet it would be interesting to track them.

I looked one up recently (the speculative one regarding fruit) and that stock seems to be completely stagnant.

Being the case, at least with this one, I have to wonder how it is that the spammers feel this is worth spending their botnets' bandwidth on? No money seems to be trading hands on these issues, so no one is really making money, only wasting it.

Angelo

From gerard at seibercom.net Sat Mar 3 02:09:18 2007
From: gerard at seibercom.net (Gerard Seibert)
Date: Sat Mar 3 01:15:04 2007
Subject: SOT: Image Spam: Stocks
In-Reply-To: <25a66d840703021648g12324c5cq9b16f527f16eed1f@mail.gmail.com>
References: <25a66d840703021648g12324c5cq9b16f527f16eed1f@mail.gmail.com>
Message-ID: <20070302200918.662b150f@localhost>

On Fri, 2 Mar 2007 19:48:09 -0500
"am.lists" wrote:
> Has anyone ever looked at the tickers that are spammed out in those
> image spam stock scams?
>
> Just curious. I occasionally look them up to see if the "big news"
> ever comes, or if the stocks that are mentioned ever move. I bet it
> would be interesting to track them.
>
> I looked one up recently (the speculative one regarding fruit) and
> that stock seems to be completely stagnant.
>
> Being the case, at least with this one, I have to wonder how it is
> that the spammers feel this is worth spending their botnets' bandwidth
> on? No money seems to be trading hands on these issues, so no one is
> really making money, only wasting it.

There was an article in the NY Times awhile ago regarding this STOCK SPAM phenomena. It seems that the perpetrators of these schemes actually do make razor thin profits since they buy in before the stock is recommended to potential buyers via SPAM.

--
Gerard

Hacker's Law: The belief that enhanced understanding will necessarily stir a nation to action is one of mankind's oldest illusions.

From res at ausics.net Sat Mar 3 02:09:45 2007
From: res at ausics.net (Res)
Date: Sat Mar 3 01:15:54 2007
Subject: Julian Field in hospital
In-Reply-To: <45E88104.4020404@blacknight.ie>
References: <45E58D82.8060409@coders.co.uk> <45E595A8.30308@pixelhammer.com> <45E59A97.6010506@coders.co.uk> <20070301172638.GB702@login.ecs.soton.ac.uk> <45E74BB7.2070107@nkpanama.com> <31e7748d0703021131g4882e323k8810aea64225576f@mail.gmail.com> <45E87DFA.2050801@slackadelic.com> <45E88104.4020404@blacknight.ie>
Message-ID:

On Fri, 2 Mar 2007, Michele Neylon :: Blacknight wrote:
> Matt Hayes wrote:
>> Not that I'm aware of. Although in IRC we found that an issue with the
>> website has caused it to be "unavailable" for now. Maybe they are
>> linked ;)
>
> The site should be working fine!
>
> /me grumbles loudly

It certainly works, but it is rather slow, those on low speed links may perceive this as "not working", takes almost 20 seconds to load all images on gigabit.

--
Cheers
Res

"We can be Heroes, just for one day" - Davey (Jones) Bowie

From michele at blacknight.ie Sat Mar 3 02:29:09 2007
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Sat Mar 3 01:35:01 2007
Subject: Julian Field in hospital
In-Reply-To:
References: <45E58D82.8060409@coders.co.uk> <45E595A8.30308@pixelhammer.com> <45E59A97.6010506@coders.co.uk> <20070301172638.GB702@login.ecs.soton.ac.uk> <45E74BB7.2070107@nkpanama.com> <31e7748d0703021131g4882e323k8810aea64225576f@mail.gmail.com> <45E87DFA.2050801@slackadelic.com> <45E88104.4020404@blacknight.ie>
Message-ID: <45E8CF65.70604@blacknight.ie>

Res wrote:
> It certainly works, but it is rather slow, those on low speed links may
> perceive this as "not working", takes almost 20 seconds to load all
> images on gigabit.

We'll be looking into moving it back to Dublin next week, but we had to move it from where it was in a hurry :)

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
UK: 0870 163 0607
Fax. +353 (0) 59 9164239

From spamtrap71892316634 at anime.net Sat Mar 3 02:40:55 2007
From: spamtrap71892316634 at anime.net (Dan Hollis)
Date: Sat Mar 3 01:46:38 2007
Subject: SOT: Image Spam: Stocks
In-Reply-To: <20070302200918.662b150f@localhost>
References: <25a66d840703021648g12324c5cq9b16f527f16eed1f@mail.gmail.com> <20070302200918.662b150f@localhost>
Message-ID:

On Fri, 2 Mar 2007, Gerard Seibert wrote:
> On Fri, 2 Mar 2007 19:48:09 -0500
> "am.lists" wrote:
>> Being the case, at least with this one, I have to wonder how it is
>> that the spammers feel this is worth spending their botnets' bandwidth
>> on? No money seems to be trading hands on these issues, so no one is
>> really making money, only wasting it.
> There was an article in the NY Times awhile ago regarding this STOCK
> SPAM phenomena. It seems that the perpetrators of these schemes actually
> do make razor thin profits since they buy in before the stock is
> recommended to potential buyers via SPAM.

Wouldn't that make them easy to track and prosecute for pump&dump?

-Dan

From res at ausics.net Sat Mar 3 02:46:24 2007
From: res at ausics.net (Res)
Date: Sat Mar 3 01:52:31 2007
Subject: Julian Field in hospital
In-Reply-To: <45E8CF65.70604@blacknight.ie>
References: <45E58D82.8060409@coders.co.uk> <45E595A8.30308@pixelhammer.com> <45E59A97.6010506@coders.co.uk> <20070301172638.GB702@login.ecs.soton.ac.uk> <45E74BB7.2070107@nkpanama.com> <31e7748d0703021131g4882e323k8810aea64225576f@mail.gmail.com> <45E87DFA.2050801@slackadelic.com> <45E88104.4020404@blacknight.ie> <45E8CF65.70604@blacknight.ie>
Message-ID:

On Sat, 3 Mar 2007, Michele Neylon :: Blacknight wrote:
> Res wrote:
>> It certainly works, but it is rather slow, those on low speed links may
>> perceive this as "not working", takes almost 20 seconds to load all
>> images on gigabit.
> We'll be looking into moving it back to Dublin next week, but we had to
> move it from where it was in a hurry :)

This is excellent news, maybe someone who frequents IRC can advise those on it if they see anyone having issues. It's been a few years since I've used any IRC, used to mostly use (read: lived on) undernet back when I had no life :P I should fire up xchat again one day and see who and what's around...

--
Cheers
Res

"We can be Heroes, just for one day" - Davey (Jones) Bowie

From michele at blacknight.ie Sat Mar 3 02:53:28 2007
From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Sat Mar 3 01:59:18 2007 Subject: Julian Field in hospital In-Reply-To: References: <45E58D82.8060409@coders.co.uk> <45E595A8.30308@pixelhammer.com> <45E59A97.6010506@coders.co.uk> <20070301172638.GB702@login.ecs.soton.ac.uk> <45E74BB7.2070107@nkpanama.com> <31e7748d0703021131g4882e323k8810aea64225576f@mail.gmail.com> <45E87DFA.2050801@slackadelic.com> <45E88104.4020404@blacknight.ie> <45E8CF65.70604@blacknight.ie> Message-ID: <45E8D518.3090309@blacknight.ie> Res wrote: > On Sat, 3 Mar 2007, Michele Neylon :: Blacknight wrote: > >> Res wrote: >>> It certainly works, but it is rather slow, those on low speed links may >>> perceive this as "not working", takes almost 20 seconds to load all >>> images on gigabit. >> We'll be looking into moving it back to Dublin next week, but we had to >> move it from where it was in a hurry :) > > This is excellent news, maybe someone who frequents IRC can advise those > on it if they see anyone having issues. It's been a few years since I've > used any IRC, used to mostly use (read: lived on) undernet back when I > had no life :P I should fire up xchat again one day and see who and > what's around... > > Well I said looking and I was vague and non-committal about it.. so don't get too excited about it :) -- Mr Michele Neylon Blacknight Solutions Hosting & Colocation, Brand Protection http://www.blacknight.ie/ http://blog.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 UK: 0870 163 0607 Fax. +353 (0) 59 9164239 From res at ausics.net Sat Mar 3 03:03:51 2007 
From: res at ausics.net (Res) Date: Sat Mar 3 02:09:59 2007 Subject: Julian Field in hospital In-Reply-To: <45E8D518.3090309@blacknight.ie> References: <45E58D82.8060409@coders.co.uk> <45E595A8.30308@pixelhammer.com> <45E59A97.6010506@coders.co.uk> <20070301172638.GB702@login.ecs.soton.ac.uk> <45E74BB7.2070107@nkpanama.com> <31e7748d0703021131g4882e323k8810aea64225576f@mail.gmail.com> <45E87DFA.2050801@slackadelic.com> <45E88104.4020404@blacknight.ie> <45E8CF65.70604@blacknight.ie> <45E8D518.3090309@blacknight.ie> Message-ID: On Sat, 3 Mar 2007, Michele Neylon :: Blacknight wrote: > Well I said looking and I was vague and non-committal about it.. so don't > get too excited about it :) hehe it gives them hope tho :) -- Cheers Res "comp.mail.sendmail nntp-email gateway @ http://ecartis.ausics.net" From am.lists at gmail.com Sat Mar 3 04:05:48 2007 
From: am.lists at gmail.com (am.lists) Date: Sat Mar 3 03:11:29 2007 Subject: SOT: Image Spam: Stocks In-Reply-To: References: <25a66d840703021648g12324c5cq9b16f527f16eed1f@mail.gmail.com> <20070302200918.662b150f@localhost> Message-ID: <25a66d840703021905o7284a53eoefab973cf11d9735@mail.gmail.com> On 3/2/07, Dan Hollis wrote: > On Fri, 2 Mar 2007, Gerard Seibert wrote: > > On Fri, 2 Mar 2007 19:48:09 -0500 > > "am.lists" wrote: > >> Being the case, at least with this one, I have to wonder how it is > >> that the spammers feel this is worth spending their botnets' bandwidth > Wouldn't that make them easy to track and prosecute for pump&dump? > > -Dan Let's see... I'm not a lawyer, nor an expert on SEC matters, but from what I can tell, most of the tickers go to over the counter (OTC) or other off-the-wall markets that might not be subject to the same trade regulations as a NASDAQ or NYSE-traded issue. That might make them subject to a different book of rules. Even so, I would think the trades should be trackable. I just think of the money, time, and effort that has gone into the systems that distribute this stuff. For one, the combination of plain text, then the obfuscated/bogus html tags, and now, the inline gifs with dynamically generated text (ok, so ImageMagick isn't exactly rocket science) and now the skewed text... they really are a formidable and somewhat sophisticated foe. Actually, now that I'm reading what I'm typing, I'm wondering if there might be some common signature to a gif or other output from the dynamic text, aside from scanning it through OCR software. Sort of like how you can ascertain that a PDF was saved by a certain version of Acrobat or something. I know GIF specifies GIF87, 89, and 89a... has anyone come across something common? Just thinking that there should be a way to add one more rule/check that might help our cause. Angelo From itdept at fractalweb.com Sat Mar 3 06:52:05 2007 
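Angelo's question above, whether generated GIFs share a signature that can be checked without OCR, can be explored by fingerprinting file structure instead of pixels. This is an added example, not code from the list or from MailScanner; the sample files are constructed, and the premise that one generator emits a stable block layout is an assumption to verify against real captures.

```python
import hashlib
import struct

EXT_NAMES = {0x01: "plaintext", 0xF9: "gce", 0xFE: "comment", 0xFF: "application"}


def _read_sub_blocks(data, pos):
    """Read a chain of GIF data sub-blocks; return (chunks, offset after terminator)."""
    chunks = []
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return chunks, pos
        if pos + size > len(data):
            raise ValueError("sub-block runs past end of file")
        chunks.append(data[pos:pos + size])
        pos += size


def gif_fingerprint(data):
    """Walk the GIF block structure and summarise what the encoder wrote."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    # Low three bits of the packed byte give the global colour table size.
    gct_entries = 2 << (packed & 0x07) if packed & 0x80 else 0
    pos = 13 + 3 * gct_entries
    layout, comments, apps, frames = [], [], [], []
    trailer_seen = False
    while pos < len(data):
        tag = data[pos]
        pos += 1
        if tag == 0x3B:                      # trailer
            trailer_seen = True
            break
        if tag == 0x21:                      # extension block
            if pos >= len(data):
                raise ValueError("truncated extension")
            label = data[pos]
            chunks, pos = _read_sub_blocks(data, pos + 1)
            layout.append(EXT_NAMES.get(label, "ext%02x" % label))
            if label == 0xFE:
                comments.append(b"".join(chunks).decode("latin-1"))
            elif label == 0xFF and chunks:
                apps.append(chunks[0].decode("latin-1"))
        elif tag == 0x2C:                    # image descriptor
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            _, _, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if ipacked & 0x80:               # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                         # LZW minimum code size
            _, pos = _read_sub_blocks(data, pos)
            frames.append((w, h))
            layout.append("image")
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (tag, pos - 1))
    # The shape ignores pixel data and comment text, so per-message
    # randomisation of the picture does not change it.
    shape = "|".join([data[:6].decode("ascii"), "gct=%d" % gct_entries] + layout)
    return {
        "version": data[:6].decode("ascii"),
        "screen": (width, height),
        "gct_entries": gct_entries,
        "layout": layout,
        "comments": comments,
        "applications": apps,
        "frames": frames,
        "trailer": trailer_seen,
        "trailing_bytes": len(data) - pos,
        "shape_id": hashlib.sha1(shape.encode("ascii")).hexdigest()[:12],
    }


def build_sample_gif(version=b"GIF89a", comment=b"", pixels=b"\x4c\x01", junk=b""):
    """Constructed 1x1 test image; not taken from any real message."""
    out = version + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # 2-entry colour table
    out += b"\x00\x00\x00\xff\xff\xff"
    if comment:
        out += b"\x21\xfe" + bytes([len(comment)]) + comment + b"\x00"
    out += b"\x21\xf9\x04\x00\x00\x00\x00\x00"                # graphic control ext
    out += b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    out += b"\x02" + bytes([len(pixels)]) + pixels + b"\x00"
    return out + b"\x3b" + junk


if __name__ == "__main__":
    for sample in (build_sample_gif(comment=b"made by tool A"),
                   build_sample_gif(comment=b"different text!", pixels=b"\x44\x01")):
        fp = gif_fingerprint(sample)
        print(fp["shape_id"], fp["layout"], fp["comments"])
```

Fields such as `comments`, `applications` and `shape_id` are candidates for a rule only after they have been compared across a corpus of known spam and known legitimate images.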
From: itdept at fractalweb.com (Chris Yuzik) Date: Sat Mar 3 05:58:19 2007 Subject: SOT: Image Spam: Stocks In-Reply-To: <25a66d840703021648g12324c5cq9b16f527f16eed1f@mail.gmail.com> References: <25a66d840703021648g12324c5cq9b16f527f16eed1f@mail.gmail.com> Message-ID: <45E90D05.9000202@fractalweb.com> am.lists wrote: > Has anyone ever looked at the tickers that are spammed out in those > image spam stock scams? > > Just curious. I occasionally look them up to see if the "big news" > ever comes, or if the stocks that are mentioned ever move. I bet it > would be interesting to track them. > > I looked one up recently (the speculative one regarding fruit) and > that stock seems to be completely stagnant. > > Being the case, at least with this one, I have to wonder how it is > that the spammers feel this is worth spending their botnets' bandwidth > on? No money seems to be trading hands on these issues, so no one is > really making money, only wasting it. > > Angelo Angelo, Here you go: www.spamstocktracker.com Chris From james at mindman.com.tw Sat Mar 3 07:38:48 2007 From: james at mindman.com.tw (James C.C. Chien) Date: Sat Mar 3 06:44:40 2007 Subject: Julian Field in hospital In-Reply-To: <20070302211449.GC2418@login.ecs.soton.ac.uk> Message-ID: Thanks for Tim's update. Best wishes from Taipei, Taiwan. Get well soon ! James C.H. Chien -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tim Chown Sent: Saturday, March 03, 2007 5:15 AM To: MailScanner discussion Subject: Re: Julian Field in hospital On Fri, Mar 02, 2007 at 02:31:04PM -0500, Rodney Green wrote: > Any updates on Julian today? His dad said that he had a good night on Thursday and looked much better in general this morning. The next step is bringing him round from under the drugs... they are likely to try today or tomorrow. So the last two days have been as good as we could have hoped :) -- Tim -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From itdept at fractalweb.com Sat Mar 3 08:56:49 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Sat Mar 3 08:03:07 2007 Subject: implementing SPF, which milter? In-Reply-To: References: <45E72606.2090004@fractalweb.com> <59E4A3A1069C2640959AD0F7518C48122F08AC@FLN1.fln.local> <3194DA77-0B1D-4B82-B730-1A2C775790D6@opensos.net> <45E7A34B.8090807@fractalweb.com> Message-ID: <45E92A41.1000509@fractalweb.com> Michael Choo wrote: > thanks. However the users that travel and are affected are senior > management with no clue. > the only thing they can do is raise lots of fuss about mails being > rejected by their clients. > > I think i'll try the port 587 solution and see how that goes. > Mike, We have tons of very non-technical "no clue" road-warriors; port 587 seems to do the trick, and btw, WE set it up for them. We don't want to leave anything up for mistakes by non-technical people, so obviously, I recommend that you set it up for them. Cheers, Chris From brent.addis at pronet.co.nz Sat Mar 3 09:51:41 2007 
From: brent.addis at pronet.co.nz (Brent Addis) Date: Sat Mar 3 08:57:51 2007 Subject: quarantined non-spam attachments In-Reply-To: <25a66d840703020812p58fe8fe6k55c09a2a879542d3@mail.gmail.com> References: <45E78661.2050508@pronet.co.nz> <223f97700703020035w6706b53bieaaad7b1ad86dc19@mail.gmail.com> <00c101c75cd7$0ffde510$0705000a@ddf5dw71> <223f97700703020701p5a0963d9xc64bf986a8115b44@mail.gmail.com> <25a66d840703020812p58fe8fe6k55c09a2a879542d3@mail.gmail.com> Message-ID: <45E9371D.3000600@pronet.co.nz> Ah rightyo, I was a little confused what Glenn was talking about ;) Thanks guys! am.lists wrote: > Brent, > > Glenn is referring to the "multiple release" mod. It allows you to > bulk-release messages. > > The instructions on how to do this is available here: > > http://mailwatch.sourceforge.net/doku.php?id=mailwatch:tipandtricks:multirelease > > > Angelo -- From tenderby at mailwash.com.au Sat Mar 3 13:15:29 2007 From: tenderby at mailwash.com.au (Tony Enderby) Date: Sat Mar 3 12:22:21 2007 Subject: Consolidated spammy countries rbl In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04B02D3@winchester.andrewscompanies.com> Message-ID: I'd be happy to provide the zone if you'd like to implement it locally. I will not have time to rig something up until mid next week though. Tony. On 3/2/2007, "sandrews@andrewscompanies.com" wrote: >I'm gonna give it a run today. > >What's your plan for this? Are you thinking about releasing what you've >got on this so folks could implement on their own? > >Steve > >-----Original Message----- 
>From: mailscanner-bounces@lists.mailscanner.info >[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tony >Enderby >Sent: Friday, March 02, 2007 5:27 AM >To: MailScanner discussion >Subject: Consolidated spammy countries rbl > >If anyone is interested, I have a test rbldnsd zone running that I would >like to make available to this list at > >spammy_countries.sme-secure.com > >The ISO country codes included in this zone are listed below so if you >would like to add it to your spam.lists.conf or your SA config make sure >you do not need to receive email from these countries. >The IP data is a direct feed from the singular country zones at >countries.nerd.dk consolidated into the one zone. > >To test before implementing simply run the following command from a >shell and you should get 127.0.0.2 as the record for the ip address. > >host 32.33.12.62.spammy_countries.sme-secure.com > >Please send me a message on the list if you decide to use this zone so I >can keep a close eye on the machines serving the zone to ensure >availability. - Tony. > >ae >ar >br >ca >cl >cn >de >eg >fr >hk >il >in >jp >kr >ma >my >ng >nl >pe >pl >ru >sg >th >tr >tw >ua >uy >za > >Scanned by MailWash Australia - http://www.mailwash.com.au 
From hvdkooij at vanderkooij.org Sat Mar 3 13:39:58 2007 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Mar 3 12:45:46 2007 Subject: Consolidated spammy countries rbl In-Reply-To: References: Message-ID: On Sat, 3 Mar 2007, Tony Enderby wrote: > > I'd be happy to provide the zone if you'd like to implement it locally. > I will not have time to rig something up until mid next week though. Why not use geoIP to map IP info to countries? (Like MailWatch does for example.) Hugo. -- hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From hvdkooij at vanderkooij.org Sat Mar 3 13:57:21 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Mar 3 13:03:10 2007 Subject: Consolidated spammy countries rbl In-Reply-To: <45E7FC0B.9010807@mailwash.com.au> References: <45E7FC0B.9010807@mailwash.com.au> Message-ID: On Fri, 2 Mar 2007, Tony Enderby wrote: > If anyone is interested, I have a test rbldnsd zone running that I would like > to make available > to this list at > > spammy_countries.sme-secure.com .... > ae > ar > br > ca > cl > cn > de > eg > fr > hk > il > in > jp > kr > ma > my > ng > nl > pe > pl > ru > sg > th > tr > tw > ua > uy > za Is there any reason to warrant this list? To call it arbitrary is being way too gentle. In fact the whole concept of listing IP blocks just because they happen to be in one country or another is definitely flawed by design. Why didn't you list the number 1 spam sending country? The USA outranks everyone when it comes to sending spam/virus junk: [US] United States: 1269 [KR] Korea, Republic of: 922 [CN] China: 705 [RO] Romania: 369 [BR] Brazil: 353 [PL] Poland: 344 [ES] Spain: 280 [FR] France: 274 [DE] Germany: 234 [TH] Thailand: 228 [IN] India: 227 [TW] Taiwan: 213 All of these had over 200 spam/virus related connections blocked in a week's time. Hugo. -- hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From sandrews at andrewscompanies.com Sat Mar 3 15:00:47 2007 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Sat Mar 3 14:06:32 2007 Subject: Consolidated spammy countries rbl References: Message-ID: <1964AAFBC212F742958F9275BF63DBB04B02E2@winchester.andrewscompanies.com> That'd be great; thanks. I've always wondered how these things work and reviewing your work would be a great exercise for me; not to mention, it'd take the load off of your servers. Thanks, Steve -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tony Enderby Sent: Saturday, March 03, 2007 7:15 AM To: mailscanner@lists.mailscanner.info Subject: RE: Consolidated spammy countries rbl I'd be happy to provide the zone if you'd like to implement it locally. I will not have time to rig something up until mid next week though. Tony. On 3/2/2007, "sandrews@andrewscompanies.com" wrote: >I'm gonna give it a run today. > >What's your plan for this? Are you thinking about releasing what >you've got on this so folks could implement on their own? > >Steve From sandrews at andrewscompanies.com Sat Mar 3 15:18:42 2007 
From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Sat Mar 3 14:24:28 2007 Subject: Consolidated spammy countries rbl References: <45E7FC0B.9010807@mailwash.com.au> Message-ID: <1964AAFBC212F742958F9275BF63DBB04A0B67@winchester.andrewscompanies.com> I think it's a reasonable list but probably isn't applicable to everyone here. That's one of the reasons I asked that he release his code so we can implement locally and adjust the inclusion/exclusion of countries as we see fit. For the majority of my clients in the US, this list is worthwhile for them, but again, YMMV. If you've got clients that are ok with blocking everything from the US, that would be reasonable too for them. The whole notion that any server should accept mail from any other place and pass it along, although part of the original plan, is long since gone. You, yourself have a hall of shame of poorly run networks. Is blocking them flawed by design? I dunno, I hate the way SORBS acts in that you get penalized if you happen to be hosted close to poorly run networks when they block ranges, but I guess the only thing I don't like about it is the perceived extortion to get unblocked. More and more I'm of the opinion that the sheer fact I accept your mail (not you specifically, but anyone) is a privilege that may be revoked at any time. I'm not militant enough to block everything and then only accept upon request and application, but that day is coming for all of us. 80% of all email on the internet is junk and that's just freaking ridiculous. Steve From hvdkooij at vanderkooij.org Sat Mar 3 15:48:49 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sat Mar 3 14:54:37 2007 Subject: Consolidated spammy countries rbl In-Reply-To: <1964AAFBC212F742958F9275BF63DBB04A0B67@winchester.andrewscompanies.com> References: <45E7FC0B.9010807@mailwash.com.au> <1964AAFBC212F742958F9275BF63DBB04A0B67@winchester.andrewscompanies.com> Message-ID: On Sat, 3 Mar 2007, sandrews@andrewscompanies.com wrote: > I think it's a reasonable list but probably isn't applicable to everyone > here. That's one of the reasons I asked that he release his code so we > can implement locally and adjust the inclusion/exclusion of countries as > we see fit. > > For the majority of my clients in the US, this list is worthwhile for > them, but again, YMMV. If you've got clients that are ok with blocking > everything from the US, that would be reasonable too for them. The > whole notion that any server should accept mail from any other place and > pass it along, although part of the original plan, is long since gone. > > You, yourself have a hall of shame of poorly run networks. Is blocking > them flawed by design? I dunno, I hate the way SORBS acts in that you > get penalized if you happen to be hosted close to poorly run networks > when they block ranges, but I guess the only thing I don't like about it > is the perceived extortion to get unblocked. More and more I'm of the > opinion that the sheer fact I accept your mail (not you specifically, > but anyone) is a privilege that may be revoked at any time. I'm not > militant enough to block everything and then only accept upon request > and application, but that day is coming for all of us. 80% of all email > on the internet is junk and that's just freaking ridiculous. Blocking based on assigned network blocks is much more accurate. In the few listed instances it is rather clear the owner of the netblock is not taking any action at all against problems on their network. Country boundaries are not relevant on internet. IP delegations are. 
And they are my blocking actions. You can see they are present and why. But I do not publish them on some RBL list. But publishing countries in a DNS blacklist for public usage in this totally random yes/no style is flawed by design at best. In case of the Netherlands we have quite a bit of detection points that alert any Dutch ISP as soon as we notice odd behaviours from any Dutch ISP network. Hugo. -- hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From sandrews at andrewscompanies.com Sat Mar 3 16:33:38 2007 From: sandrews at andrewscompanies.com (sandrews@andrewscompanies.com) Date: Sat Mar 3 15:39:24 2007 Subject: Consolidated spammy countries rbl References: <45E7FC0B.9010807@mailwash.com.au><1964AAFBC212F742958F9275BF63DBB04A0B67@winchester.andrewscompanies.com> Message-ID: <1964AAFBC212F742958F9275BF63DBB04A0B68@winchester.andrewscompanies.com> I think we'll have to agree to disagree here. I do see your point, from an ISP perspective you are probably correct. If my upstream provider wants to block those networks at the firewall I'm completely fine with that...down at the customer level, if my clients see no reason to accept mail from X Y Z countries, that's a useful tool for them to further cut spam. We're just talking about an RBL here that increases score on a message. This solution tells my mailscanner that messages from X Y Z countries should be more suspicious. I've got multiple RBL checks and if they hit on 2, I call it spam. This country list is one of them. If your mail is clean, it'll get through anyway. Steve 
From ka at pacific.net Sat Mar 3 19:05:16 2007 From: ka at pacific.net (Ken) Date: Sat Mar 3 18:11:03 2007 Subject: Consolidated spammy countries rbl In-Reply-To: References: Message-ID: <45E9B8DC.1070606@pacific.net> Hugo van der Kooij wrote: > On Sat, 3 Mar 2007, Tony Enderby wrote: > >> >> I'd be happy to provide the zone if you'd like to implement it locally. >> I will not have time to rig something up until mid next week though. > > Why not use geoIP to map IP info to countries? (Like MailWatch does > for example.) Or the RelayCountry SA plugin which uses IP::Country::Fast so is faster than a dns lookup. How is this different than zz.countries.nerd.dk? Is it just a smaller zone, with a "spam country" prejudice? One thing that is nice about listing _all_ countries in a zone, is that you can make yourself less of a DoS target by saying things like "We don't block spam" on your website. A lot of dnsrbls have gone under in the past. Look out! ;-) Ken A. Pacific.Net > > Hugo. > From itdept at fractalweb.com Sat Mar 3 23:03:04 2007 
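The test lookup Tony describes and the "hit on 2" rule Steve describes, worked through offline. This is an added example, not code from the list, rbldnsd or MailScanner; the second list name and all zone entries are constructed (documentation address ranges), and only the first zone name and the 127.0.0.2 answer come from the thread.

```python
import ipaddress
import socket

COUNTRY_ZONE = "spammy_countries.sme-secure.com"   # zone name from the thread
SECOND_ZONE = "dnsbl.example.invalid"              # hypothetical second list


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone, as a DNSBL client does."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def ip_from_query_name(qname, zone):
    """Recover the address a DNSBL query name is asking about."""
    suffix = "." + zone.rstrip(".")
    if not qname.endswith(suffix):
        raise ValueError("query is not under zone %s" % zone)
    octets = qname[:-len(suffix)].split(".")
    if len(octets) != 4:
        raise ValueError("expected four reversed octets in %r" % qname)
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


class LocalZone:
    """In-memory stand-in for a served zone: CIDR block -> A record value."""

    def __init__(self, name, entries):
        self.name = name
        self.entries = [(ipaddress.ip_network(cidr), answer) for cidr, answer in entries]

    def resolve(self, qname):
        ip = ipaddress.IPv4Address(ip_from_query_name(qname, self.name))
        matches = [(net, answer) for net, answer in self.entries if ip in net]
        if not matches:
            return None                               # NXDOMAIN: not listed
        return max(matches, key=lambda m: m[0].prefixlen)[1]   # most specific block


def live_resolve(qname):
    """Real DNS lookup, equivalent to the `host` test; None when not listed."""
    try:
        return socket.gethostbyname(qname)
    except socket.gaierror:
        return None


def classify(ip, lists, threshold=2):
    """Query every list; call the sender spam only when `threshold` lists agree."""
    hits = []
    for zone, resolve in lists:
        answer = resolve(dnsbl_query_name(ip, zone))
        # Only answers inside 127.0.0.0/8 mean "listed"; anything else
        # (for example a wildcard or parked domain) must not count as a hit.
        if answer is not None and answer.startswith("127."):
            hits.append((zone, answer))
    return {"ip": ip, "hits": hits, "spam": len(hits) >= threshold}


# Constructed zone data for the offline run.
_country = LocalZone(COUNTRY_ZONE, [("198.51.100.0/24", "127.0.0.2"),
                                    ("203.0.113.0/24", "127.0.0.2")])
_second = LocalZone(SECOND_ZONE, [("203.0.113.25/32", "127.0.0.2")])
LISTS = [(COUNTRY_ZONE, _country.resolve), (SECOND_ZONE, _second.resolve)]

if __name__ == "__main__":
    print(dnsbl_query_name("62.12.33.32", COUNTRY_ZONE))
    for addr in ("203.0.113.25", "198.51.100.7", "192.0.2.10"):
        print(classify(addr, LISTS))
```

Passing `live_resolve` in place of a `LocalZone.resolve` runs the same policy against real lists.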
From: itdept at fractalweb.com (Chris Yuzik) Date: Sat Mar 3 22:09:09 2007 Subject: OT: strange sendmail issue Message-ID: <45E9F098.50508@fractalweb.com> Hi everyone, I'm having a rather strange sendmail issue. A couple of people cannot send email using our development server, while most other people can without problems. This seems to be more of an issue with their systems as opposed to their email client, but I'm not certain of this. We've tested on Outlook 2007, Vista Windows Mail, and Thunderbird. All have a different way of saying, "no such luck, buddy" (paraphrasing slightly) but more often something like "None of the authentication methods supported by this client are supported by your server" or similar. When MOST people connect, after their mail client issues the "EHLO xxx", there is something that looks exactly like this: 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN 250-STARTTLS 250-DELIVERBY 250 HELP But when some users connect and after their machine issues the "EHLO xxx", they only get this: 250 ENHANCEDSTATUSCODES After which, their mail client promptly generates an error and it's all over. We've confirmed the same behaviour from Telnet as well. I thought it might have been related to unsigned-certificates on the server or something, but I don't think so. Anyone have any ideas how to troubleshoot something like this? Thanks, Chris From res at ausics.net Sat Mar 3 23:53:50 2007 
From: res at ausics.net (Res) Date: Sat Mar 3 23:00:07 2007 Subject: Consolidated spammy countries rbl In-Reply-To: References: Message-ID: On Sat, 3 Mar 2007, Hugo van der Kooij wrote: > On Sat, 3 Mar 2007, Tony Enderby wrote: > >> >> I'd be happy to provide the zone if you'd like to implement it locally. >> I will not have time to rig something up until mid next week though. > > Why not use geoIP to map IP info to countries? (Like MailWatch does for > example.) Because it's highly UNreliable putting many people in other countries up to 10K miles away :) -- Cheers Res "comp.mail.sendmail nntp-email gateway @ http://ecartis.ausics.net" From res at ausics.net Sun Mar 4 00:01:20 2007 
From: res at ausics.net (Res) Date: Sat Mar 3 23:07:39 2007 Subject: OT: strange sendmail issue In-Reply-To: <45E9F098.50508@fractalweb.com> References: <45E9F098.50508@fractalweb.com> Message-ID: this question is more suited to comp.mail.sendmail if you have no access to nntp, there is an nntp-email gateway for the group On Sat, 3 Mar 2007, Chris Yuzik wrote: > Hi everyone, > > I'm having a rather strange sendmail issue. A couple of people cannot send > email using our development server, while most other people can without > problems. This seems to be more of an issue with their systems as opposed to > their email client, but I'm not certain of this. We've tested on Outlook > 2007, Vista Windows Mail, and Thunderbird. All have a different way of > saying, "no such luck, buddy" (paraphrasing slightly) but more often > something like "None of the authentication methods supported by this client > are supported by your server" or similar. > > When MOST people connect, after their mail client issues the "EHLO xxx", > there is something that looks exactly like this: > > 250-ENHANCEDSTATUSCODES > 250-PIPELINING > 250-8BITMIME > 250-SIZE > 250-DSN > 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN > 250-STARTTLS > 250-DELIVERBY > 250 HELP > > > But when some users connect and after their machine issues the "EHLO xxx", > they only get this: > > 250 ENHANCEDSTATUSCODES > > > After which, their mail client promptly generates an error and it's all over. > > We've confirmed the same behaviour from Telnet as well. > > I thought it might have been related to unsigned-certificates on the server > or something, but I don't think so. > > Anyone have any ideas how to troubleshoot something like this? > > Thanks, > Chris > > -- Cheers Res From hvdkooij at vanderkooij.org Sun Mar 4 00:17:01 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Mar 3 23:22:55 2007
Subject: Consolidated spammy countries rbl
In-Reply-To:
References:
Message-ID:

On Sun, 4 Mar 2007, Res wrote:

> On Sat, 3 Mar 2007, Hugo van der Kooij wrote:
>
>> On Sat, 3 Mar 2007, Tony Enderby wrote:
>>
>> > I'd be happy to provide the zone if you'd like to implement it locally.
>> > I will not have time to rig something up until mid next week though.
>>
>> Why not use geoIP to map IP info to countries? (Like MailWatch does for
>> example.)
>
> Because it's highly UNreliable putting many people in other countries up to
> 10K miles away :)

And that is based on a current database? Because I update the monthly free
ones from maxmind and they do pretty well if you match hostnames and whois
info against their results these days.

There is also another free GeoIP perl module out there which is rather
inaccurate. So I would have to guess you were probably working with the
wrong type.

I just happened to have tested them both in my own perl scripts I use for
generating weekly overviews.

Hugo.

--
hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From r.berber at computer.org Sun Mar 4 01:14:49 2007
From: r.berber at computer.org (René Berber)
Date: Sun Mar 4 00:20:55 2007
Subject: OT: strange sendmail issue
In-Reply-To: <45E9F098.50508@fractalweb.com>
References: <45E9F098.50508@fractalweb.com>
Message-ID:

Chris Yuzik wrote:

[snip]
> When MOST people connect, after their mail client issues the "EHLO xxx",
> there is something that looks exactly like this:
>
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
> 250-STARTTLS
> 250-DELIVERBY
> 250 HELP
>
>
> But when some users connect and after their machine issues the "EHLO
> xxx", they only get this:
>
> 250 ENHANCEDSTATUSCODES

That means they are "blacklisted", I've done it with tcp-wrappers (added the
guilty party to /etc/hosts.deny) but perhaps there are other ways to
blacklist clients (access database is another good place).

--
René Berber

From tenderby at mailwash.com.au Sun Mar 4 01:26:09 2007
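Added example, not part of the original messages: a Python parser for the two EHLO replies quoted in the thread above, which reports the extensions a restricted client no longer sees. The function names and the `skip_greeting` flag are assumptions of this example, and the sample replies are constructed from the quoted excerpts.

```python
import re

# One SMTP reply line: a 3-digit code, then "-" (more lines follow) or
# " " (last line of the reply), then free text.
_REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

# Constructed from the two responses quoted in the thread.
FULL_REPLY = """\
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
"""
RESTRICTED_REPLY = "250 ENHANCEDSTATUSCODES\n"


def parse_ehlo_reply(text, skip_greeting=False):
    """Return (code, {KEYWORD: [PARAMS]}) for one multi-line EHLO reply.

    Set skip_greeting=True for a full capture whose first line is the
    server greeting; the excerpts in the thread start at the extensions.
    """
    code = None
    entries = []
    complete = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if complete:
            raise ValueError("text after the final reply line: %r" % line)
        match = _REPLY_LINE.match(line)
        if match is None:
            raise ValueError("not an SMTP reply line: %r" % line)
        if code is None:
            code = match.group(1)
        elif match.group(1) != code:
            raise ValueError("reply code changed inside one reply: %r" % line)
        entries.append(match.group(3) or "")
        # Anything other than "-" after the code ends the reply.
        complete = match.group(2) != "-"
    if not complete:
        raise ValueError("reply is truncated: no final '<code><space>' line")
    if skip_greeting:
        entries = entries[1:]
    extensions = {}
    for entry in entries:
        words = entry.split()
        if words:
            extensions[words[0].upper()] = [w.upper() for w in words[1:]]
    return int(code), extensions


def compare_offers(baseline, observed):
    """List what `observed` lacks relative to `baseline`, with likely impact."""
    missing = sorted(set(baseline) - set(observed))
    findings = []
    if "AUTH" in missing:
        findings.append("AUTH not offered: a client that must authenticate "
                        "has no mechanism to choose from")
    if "STARTTLS" in missing:
        findings.append("STARTTLS not offered: the session cannot be "
                        "upgraded to TLS")
    if missing and len(observed) <= 1:
        findings.append("nearly empty offer: check per-client restrictions "
                        "(tcp-wrappers, access database) as suggested in "
                        "the reply above")
    return {"missing": missing, "findings": findings}


if __name__ == "__main__":
    _, full = parse_ehlo_reply(FULL_REPLY)
    _, restricted = parse_ehlo_reply(RESTRICTED_REPLY)
    report = compare_offers(full, restricted)
    print("missing:", ", ".join(report["missing"]))
    for finding in report["findings"]:
        print("-", finding)
```

Capturing the reply once from a working client and once from an affected one, then comparing the two, shows whether the difference is made by the server before authentication is ever attempted.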
From: tenderby at mailwash.com.au (Tony Enderby)
Date: Sun Mar 4 00:32:15 2007
Subject: Consolidated spammy countries rbl
In-Reply-To:
References: <45E7FC0B.9010807@mailwash.com.au> <1964AAFBC212F742958F9275BF63DBB04A0B67@winchester.andrewscompanies.com>
Message-ID: <45EA1221.5050105@mailwash.com.au>

Hugo,

I should have prefaced my original post about this zone with the fact that I
put it together based on the current geographic flow of email that my clients
receive. It certainly isn't for everyone, nor does it intelligently discern.

The point about including the US zone is very valid as you noted, it ranks
amongst the top countries of spam origin. The networks I service however
receive a significant amount of email from the US and although a percentage
of it is Spam, the majority of it is legitimate. Most of the other countries
in the zone however send nothing but Spam to my networks and my client base
have no desire to receive email from these locations either.

I have been using this for quite a while and when going back through the
list posts I noticed there were some individuals who were interested in
blocking by country. I only posted it because of this and to save folks who
wanted to do it the need to include individual zones provided by
countries.nerd.dk

Tony.

Hugo van der Kooij wrote:
> On Sat, 3 Mar 2007, sandrews@andrewscompanies.com wrote:
>
>> I think it's a reasonable list but probably isn't applicable to everyone
>> here. That's one of the reasons I asked that he release his code so we
>> can implement locally and adjust the inclusion/exclusion of countries as
>> we see fit.
>>
>> For the majority of my clients in the US, this list is worthwhile for
>> them, but again, YMMV. If you've got clients that are ok with blocking
>> everything from the US, that would be reasonable too for them. The
>> whole notion that any server should accept mail from any other place and
>> pass it along, although part of the original plan, is long since gone.
>>
>> You, yourself have a hall of shame of poorly run networks. Is blocking
>> them flawed by design? I dunno, I hate the way SORBS acts in that you
>> get penalized if you happen to be hosted close to poorly run networks
>> when they block ranges, but I guess the only thing I don't like about it
>> is the perceived extortion to get unblocked. More and more I'm of the
>> opinion that the sheer fact I accept your mail (not you specifically,
>> but anyone) is a privilege that may be revoked at any time. I'm not
>> militant enough to block everything and then only accept upon request
>> and application, but that day is coming for all of us. 80% of all email
>> on the internet is junk and that's just freaking ridiculous.
>
> Blocking based on assigned network blocks is much more accurate. In
> the few listed instances it is rather clear the owner of the netblock
> is not taking any action at all against problems on their network.
>
> Country boundaries are not relevant on internet. IP delegations are.
>
> And they are my blocking actions. You can see they are present and
> why. But I do not publish them on some RBL list.
>
> But publishing countries in a DNS blacklist for public usage in this
> totally random yes/no style is flawed by design at best.
>
> In case of the Netherlands we have quite a bit of detection points
> that alert any Dutch ISP as soon as we notice odd behaviours from any
> Dutch ISP network.
>
> Hugo.
>

--
Kind Regards,

Tony Enderby.
Technical Director - MailWash Australia.
Premium Anti-Spam / Anti Virus / Identity theft protection.
http://www.mailwash.com.au

-----------------------------------------------------------------------------------
Scanned by MailWash Australia - http://www.mailwash.com.au
-----------------------------------------------------------------------------------

From res at ausics.net Sun Mar 4 02:10:29 2007
From: res at ausics.net (Res)
Date: Sun Mar 4 01:16:47 2007
Subject: Consolidated spammy countries rbl
In-Reply-To:
References:
Message-ID:

On Sun, 4 Mar 2007, Hugo van der Kooij wrote:

> On Sun, 4 Mar 2007, Res wrote:
>
>> On Sat, 3 Mar 2007, Hugo van der Kooij wrote:
>>
>>> On Sat, 3 Mar 2007, Tony Enderby wrote:
>>>
>>> > I'd be happy to provide the zone if you'd like to implement it locally.
>>> > I will not have time to rig something up until mid next week though.
>>>
>>> Why not use geoIP to map IP info to countries? (Like MailWatch does for
>>> example.)
>>
>> Because it's highly UNreliable putting many people in other countries up to
>> 10K miles away :)
>
> And that is based on a current database?

AFAIK correct. I use nothing that involves geoip, it's what other sites use
that shows wrong.

--
Cheers
Res

From res at ausics.net Sun Mar 4 02:17:00 2007
From: res at ausics.net (Res)
Date: Sun Mar 4 01:23:17 2007
Subject: Consolidated spammy countries rbl
In-Reply-To: <45EA1221.5050105@mailwash.com.au>
References: <45E7FC0B.9010807@mailwash.com.au> <1964AAFBC212F742958F9275BF63DBB04A0B67@winchester.andrewscompanies.com> <45EA1221.5050105@mailwash.com.au>
Message-ID:

On Sun, 4 Mar 2007, Tony Enderby wrote:

> The point about including the US zone is very valid as you noted, it ranks
> amongst the top countries of
> spam origin. The networks I service however receive a significant amount of
> email from the US and although
> a percentage of it is Spam, the majority of it is legitimate. Most of the

I guess he doesn't depend on getting flash notices from Sun, corporate deals
from HP or security alerts from Foundry, Cisco and Juniper :)

I noted .ca ? I've never seen spam from Canada, ever, they seem to be the
most friendliest people on the planet.

--
Cheers
Res

From hvdkooij at vanderkooij.org Sun Mar 4 08:36:50 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Mar 4 07:42:41 2007
Subject: Consolidated spammy countries rbl
In-Reply-To: <45EA1221.5050105@mailwash.com.au>
References: <45E7FC0B.9010807@mailwash.com.au> <1964AAFBC212F742958F9275BF63DBB04A0B67@winchester.andrewscompanies.com> <45EA1221.5050105@mailwash.com.au>
Message-ID:

On Sun, 4 Mar 2007, Tony Enderby wrote:

> Hugo,
>
> I should have prefaced my original post about this zone with the fact that I
> put it together
> based on the current geographic flow of email that my clients receive. It
> certainly isn't for everyone, nor
> does it intelligently discern.
>
> The point about including the US zone is very valid as you noted, it ranks
> amongst the top countries of
> spam origin. The networks I service however receive a significant amount of
> email from the US and although
> a percentage of it is Spam, the majority of it is legitimate. Most of the
> other countries in the zone however send
> nothing but Spam to my networks and my client base have no desire to receive
> email from these locations either.
>
> I have been using this for quite a while and when going back through the
> list posts I noticed there were some individuals
> who were interested in blocking by country. I only posted it because of this
> and to save folks who wanted to do it the need
> to include individual zones provided by countries.nerd.dk

And that is your flaw. Whatever fits your traffic pattern will not match
someone else's. So show them the trick to build their own list but do not
publish yours as RBL.

Hugo.

--
hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From hvdkooij at vanderkooij.org Sun Mar 4 08:53:29 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Mar 4 07:59:21 2007
Subject: Consolidated spammy countries rbl
In-Reply-To:
References: <45E7FC0B.9010807@mailwash.com.au> <1964AAFBC212F742958F9275BF63DBB04A0B67@winchester.andrewscompanies.com> <45EA1221.5050105@mailwash.com.au>
Message-ID:

On Sun, 4 Mar 2007, Res wrote:

> On Sun, 4 Mar 2007, Tony Enderby wrote:
>
>> The point about including the US zone is very valid as you noted, it ranks
>> amongst the top countries of
>> spam origin. The networks I service however receive a significant amount
>> of email from the US and although
>> a percentage of it is Spam, the majority of it is legitimate. Most of the
>
> I guess he doesn't depend on getting flash notices from Sun, corporate deals
> from HP or security alerts from Foundry, Cisco and Juniper :)

Well I don't blacklist on country. I just keep track per country.

> I noted .ca ? I've never seen spam from Canada, ever, they seem to be the
> most friendliest people on the planet.

I beg to differ here. While not as bad as the US they have their share of
incidents. You may not have noticed them based on the domain name as
various carriers work in both US and CA.

But they made the list the past week:

[US] United States: 1321
[IT] Italy: 1051
[CN] China: 814
[KR] Korea, Republic of: 672
[PL] Poland: 381
[DE] Germany: 333
[ES] Spain: 256
[FR] France: 249
[RU] Russian Federation: 249
[BR] Brazil: 228
[GB] United Kingdom: 215
[IN] India: 187
[TR] Turkey: 151
[GR] Greece: 142
[IL] Israel: 125
[JP] Japan: 123
[RO] Romania: 123
[TW] Taiwan: 116
[CA] Canada: 114
[MX] Mexico: 108

That puts them right smack in the middle group of spam as usual.

The high ranking networks:

195.46.1: 132 GR Greece
220.160.164: 59 CN China
158.38.152: 41 NO Norway
200.1.105: 32 TT Trinidad and Tobago
218.24.41: 27 CN China
59.45.103: 26 CN China
193.252.22: 24 FR France
212.254.75: 20 CH Switzerland

Greece is mainly 1 PC on 1 specific network which is rather persistent.

Hugo.

--
hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From res at ausics.net Sun Mar 4 11:46:35 2007
From: res at ausics.net (Res)
Date: Sun Mar 4 10:53:01 2007
Subject: Consolidated spammy countries rbl
In-Reply-To:
References: <45E7FC0B.9010807@mailwash.com.au> <1964AAFBC212F742958F9275BF63DBB04A0B67@winchester.andrewscompanies.com> <45EA1221.5050105@mailwash.com.au>
Message-ID:

Hugo, would you allow any email into your network if you did not just score
them ?

Sorry but that list is just plain B.S, and you won't find many serious
networks using it, it will create too much drama for the CSR's who have to
field the complaints from end users.

But, different parts of the world get attacked from different countries,
the highest in order here for instance are

tw
kr
cn

then on a lesser scale of around the same level are
br, it, wanadoo.fr/nl and casema.nl and from the US the likes of roadrunner,
verizon and comcast.

So should I block all of nl as well because I get spam from 2 ISP's there? I
don't think so, and I'm rather well known for being anal retentive when it
comes to dealing with spammers and their ISP's.

The biggest issue with tw/kr/cn is most likely language barrier, they don't
act upon English speaking spam complaints because they probably understand
English as much as we do their language.

3 US ISP's out of god knows how many, does not warrant including US, not in
the asia/pacific rim anyway.

On Sun, 4 Mar 2007, Hugo van der Kooij wrote:

> On Sun, 4 Mar 2007, Res wrote:
>
>> On Sun, 4 Mar 2007, Tony Enderby wrote:
>>
>>> The point about including the US zone is very valid as you noted, it
>>> ranks
>>> amongst the top countries of
>>> spam origin. The networks I service however receive a significant amount
>>> of email from the US and although
>>> a percentage of it is Spam, the majority of it is legitimate. Most of the
>>
>> I guess he doesn't depend on getting flash notices from Sun, corporate
>> deals from HP or security alerts from Foundry, Cisco and Juniper :)
>
> Well I don't blacklist on country. I just keep track per country.
>
>> I noted .ca ? I've never seen spam from Canada, ever, they seem to be the
>> most friendliest people on the planet.
>
> I beg to differ here. While not as bad as the US they have their share of
> incidents. You may not have noticed them based on the domain name as
> various carriers work in both US and CA.
>
> But they made the list the past week:
>
> [US] United States: 1321
> [IT] Italy: 1051
> [CN] China: 814
> [KR] Korea, Republic of: 672
> [PL] Poland: 381
> [DE] Germany: 333
> [ES] Spain: 256
> [FR] France: 249
> [RU] Russian Federation: 249
> [BR] Brazil: 228
> [GB] United Kingdom: 215
> [IN] India: 187
> [TR] Turkey: 151
> [GR] Greece: 142
> [IL] Israel: 125
> [JP] Japan: 123
> [RO] Romania: 123
> [TW] Taiwan: 116
> [CA] Canada: 114
> [MX] Mexico: 108
>
> That puts them right smack in the middle group of spam as usual.
>
> The high ranking networks:
>
> 195.46.1: 132 GR Greece
> 220.160.164: 59 CN China
> 158.38.152: 41 NO Norway
> 200.1.105: 32 TT Trinidad and Tobago
> 218.24.41: 27 CN China
> 59.45.103: 26 CN China
> 193.252.22: 24 FR France
> 212.254.75: 20 CH Switzerland
>
> Greece is mainly 1 PC on 1 specific network which is rather persistent.
>
> Hugo.
>
>

--
Cheers
Res

From tenderby at mailwash.com.au Sun Mar 4 12:52:04 2007
From: tenderby at mailwash.com.au (Tony Enderby)
Date: Sun Mar 4 11:58:49 2007
Subject: Consolidated spammy countries rbl
In-Reply-To:
References: <45E7FC0B.9010807@mailwash.com.au> <1964AAFBC212F742958F9275BF63DBB04A0B67@winchester.andrewscompanies.com> <45EA1221.5050105@mailwash.com.au>
Message-ID: <45EAB2E4.8020102@mailwash.com.au>

Hi Again,

I perceive it's only a flaw if it's advertised to do something that it
doesn't. I indicated in my original post that if you received email from any
of the countries in the zone it would not be wise to use it. I'm also well
aware of the philosophical debate as well as the technical one for why
blocking a whole country is not a good idea but in my case it works well.

The US zone as I mentioned in my last post was not included because there's
a measurable percentage of email that is legitimate. If there's a measurable
percentage no matter how small, the relevant country blocks are omitted from
the zone. Each country included in the zone has sent a significant amount of
Spam to my networks over the past year with zero legitimate email content.

It's a big, dumb blanket approach but why even receive email and then
process it from (insert country here) if you don't need to.

Tony.

Hugo van der Kooij wrote:
> On Sun, 4 Mar 2007, Tony Enderby wrote:
>
>> Hugo,
>>
>> I should have prefaced my original post about this zone with the fact
>> that I put it together
>> based on the current geographic flow of email that my clients
>> receive. It certainly isn't for everyone, nor
>> does it intelligently discern.
>>
>> The point about including the US zone is very valid as you noted, it
>> ranks amongst the top countries of
>> spam origin. The networks I service however receive a significant
>> amount of email from the US and although
>> a percentage of it is Spam, the majority of it is legitimate. Most of
>> the other countries in the zone however send
>> nothing but Spam to my networks and my client base have no desire to
>> receive email from these locations either.
>>
>> I have been using this for quite a while and when going back
>> through the list posts I noticed there were some individuals
>> who were interested in blocking by country. I only posted it because
>> of this and to save folks who wanted to do it the need
>> to include individual zones provided by countries.nerd.dk
>
> And that is your flaw. Whatever fits your traffic pattern will not
> match someone else's. So show them the trick to build their own list
> but do not publish yours as RBL.
>
> Hugo.
>

--
Kind Regards,

Tony Enderby.
Technical Director - MailWash Australia.
Premium Anti-Spam / Anti Virus / Identity theft protection.
http://www.mailwash.com.au

-----------------------------------------------------------------------------------
Scanned by MailWash Australia - http://www.mailwash.com.au
-----------------------------------------------------------------------------------

From hvdkooij at vanderkooij.org Sun Mar 4 13:05:40 2007
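Added example, not part of the original messages: the inclusion rule described in the thread above (list a source only when it sent a significant amount of spam and zero legitimate mail), applied per country and per /24 network, then checked against a second site's traffic. All records, the placeholder country codes XA/XB/XC, the `min_spam` threshold and the function names are constructed for this example; the country code is assumed to come from whatever lookup the site already trusts.

```python
import ipaddress
from collections import defaultdict

# Constructed records: (client IP, country code, verdict). Addresses are from
# documentation and private ranges; the country codes are placeholders.
SITE_A = [
    ("192.0.2.10", "XA", "spam"), ("192.0.2.11", "XA", "spam"),
    ("192.0.2.12", "XA", "spam"),
    ("198.51.100.5", "XB", "spam"), ("198.51.100.6", "XB", "spam"),
    ("198.51.100.7", "XB", "spam"),
    ("203.0.113.7", "XB", "ham"),
    ("10.20.30.4", "XC", "ham"), ("10.20.30.5", "XC", "ham"),
]
SITE_B = [
    ("192.0.2.10", "XA", "spam"),
    ("10.9.8.7", "XA", "ham"), ("10.9.8.8", "XA", "ham"),
    ("198.51.100.5", "XB", "spam"),
]


def by_country(ip, country):
    """Grouping key: the country code recorded for the client."""
    return country


def by_net24(ip, country):
    """Grouping key: the /24 network containing the client address."""
    return str(ipaddress.ip_network("%s/24" % ip, strict=False))


def tally(records, key):
    """Count spam and ham per grouping key."""
    counts = defaultdict(lambda: {"spam": 0, "ham": 0})
    for ip, country, verdict in records:
        counts[key(ip, country)][verdict] += 1
    return dict(counts)


def block_candidates(counts, min_spam):
    """Keys with at least min_spam spam messages and no legitimate mail."""
    return sorted(k for k, c in counts.items()
                  if c["spam"] >= min_spam and c["ham"] == 0)


def impact(records, blocked, key):
    """Messages in `records` that a block list on `key` would reject."""
    blocked = set(blocked)
    hit = {"spam": 0, "ham": 0}
    for ip, country, verdict in records:
        if key(ip, country) in blocked:
            hit[verdict] += 1
    return hit


def compare_sites(site_a, site_b, min_spam=3):
    """Build both lists from site A's traffic, then apply them to site B."""
    countries = block_candidates(tally(site_a, by_country), min_spam)
    networks = block_candidates(tally(site_a, by_net24), min_spam)
    return {
        "countries": countries,
        "networks": networks,
        "site_b_by_country": impact(site_b, countries, by_country),
        "site_b_by_network": impact(site_b, networks, by_net24),
    }


if __name__ == "__main__":
    for name, value in compare_sites(SITE_A, SITE_B).items():
        print(name, value)
```

On this constructed data the country list built at site A rejects legitimate mail at site B, while the /24 list built from the same traffic does not; real traffic has to be measured the same way before either list is used.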
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Mar 4 12:11:34 2007
Subject: Building a log gathering agent
Message-ID:

Hi,

I am attempting to build a more concise overview of infections based on
MailScanner logs. The first stage is to write an agent to gather the logs.

I wrote one that can understand ClamAV, F-Prot and McAfee output as far as
I could test it on my logs.

If you are willing to assist me I would appreciate it if you can get the
perl script from: http://hugo.vanderkooij.org/email/stats/maillog-virus.pl

You need the following perl modules:

File::Basename;
Getopt::Std;
Parse::Syslog;
Time::Local;

(Centos users should be able to get all of them through `yum install`
commands. But I will not document it at this time.)

Please run it against 1 of your logfiles and store the output. If you get
anything other than an overview of the number of hits on scanners I would
very much appreciate it if you could send me the output file along with a
filtered output of your logfile by email so I can anticipate other scanners
and other detection strings.

For example:

./maillog-virus.pl -l /var/log/maillog.1 > /tmp/hvdkooij-output
grep "Viruses marked as silent" /var/log/maillog.1 > /tmp/hvdkooij-syslog
tar -czf /tmp/hvdkooij.tar.gz /tmp/hvdkooij-output /tmp/hvdkooij-syslog

If you use your own initials instead of mine I can keep them separated more
easily.

I will try to update the script based on your feedback the upcoming week.

Thanks,
Hugo.

--
hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From hvdkooij at vanderkooij.org Sun Mar 4 13:32:11 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Mar 4 12:38:06 2007
Subject: Consolidated spammy countries rbl
In-Reply-To:
References: <45E7FC0B.9010807@mailwash.com.au> <1964AAFBC212F742958F9275BF63DBB04A0B67@winchester.andrewscompanies.com> <45EA1221.5050105@mailwash.com.au>
Message-ID:

On Sun, 4 Mar 2007, Res wrote:

> But, different parts of the world get attacked from different countries,
> the highest in order here for instance are
>
> tw
> kr
> cn
>
> then on a lesser scale of around the same level are
> br, it, wanadoo.fr/nl and casema.nl and from the US the likes of roadrunner,
> verizon and comcast.
>
> So should I block all of nl as well because I get spam from 2 ISP's there? I
> don't think so, and I'm rather well known for being anal retentive when it
> comes to dealing with spammers and their ISP's.

Pardon me. But I wasn't writing in Dutch. Was I?

I was being rather clear one should NOT use country lists in my opinion but
your response now seems to suggest I am all in favor.

Among the blocking entries in my postfix config is a number of header checks
on character sets no one is able to read here. So I lose a lot of Russian
and Korean spam that way.

As far as complaints go. If the ISP at hand is not acting you can contact
the CERT team which covers the area.

Hugo.

--
hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From tenderby at mailwash.com.au Sun Mar 4 15:25:13 2007
From: tenderby at mailwash.com.au (Tony Enderby)
Date: Sun Mar 4 14:32:22 2007
Subject: Wow, Av engine accelerator hardware.
In-Reply-To:
References: <45E7FC0B.9010807@mailwash.com.au> <1964AAFBC212F742958F9275BF63DBB04A0B67@winchester.andrewscompanies.com> <45EA1221.5050105@mailwash.com.au>
Message-ID: <45EAD6C9.90702@mailwash.com.au>

They've done it with Graphics, Audio and Physics, and now AV ??

Apparently ClamAV 0.90 supports these .. has anyone used them?

http://www.sensorynetworks.com/Products/Acceleration/

Tony.

-----------------------------------------------------------------------------------
Scanned by MailWash Australia - http://www.mailwash.com.au
-----------------------------------------------------------------------------------

From itdept at fractalweb.com Sun Mar 4 23:14:17 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Sun Mar 4 22:20:31 2007
Subject: test - please ignore
Message-ID: <45EB44B9.9030000@fractalweb.com>

Sorry, just making sure I can still receive messages from the list; since
moving servers the list has been silent.

From arturs at netvision.net.il Mon Mar 5 02:50:37 2007
From: arturs at netvision.net.il (Arthur Sherman)
Date: Mon Mar 5 01:57:55 2007
Subject: After upgrade, MailScanner --debug-sa --lint' says it sees SA as 3.1.7 instead of 3.1.8
Message-ID: <02a501c75ec8$abcfc920$0dfb1bac@lapxp>

Hi,

I just upgraded MailScanner to 4.58.9 and SpamAssassin to 3.1.8 on
CentOS-4.4.x86. Re-edited configs, ran sa-update...

Running 'MailScanner --debug-sa --lint' says it sees SA as 3.1.7 instead of
3.1.8, and refuses to test *.cf files. Something like this:

---
config: configuration file "/usr/share/spamassassin/20_uri_tests.cf" requires version 3.001008 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345.
---

What old configs have I left??
Rpm says I have only one SA in the system - 3.1.8
Maybe MS takes it from some cache or else?
Or am I in wrong direction? :)

Attached output from the command.

Looking for your insight.

Best,

--
Arthur Sherman
+972-52-4878851
http://www.cpt.co.il/

-------------- next part --------------
[root@ns1 spamassassin]# MailScanner --debug-sa --lint
Read 764 hostnames from the phishing whitelist
Checking version numbers...
Version number in MailScanner.conf (4.58.9) is correct.
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
config: configuration file "/usr/share/spamassassin/20_advance_fee.cf" requires version 3.001008 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: configuration file "/usr/share/spamassassin/20_body_tests.cf" requires version 3.001008 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: configuration file "/usr/share/spamassassin/20_compensate.cf" requires version 3.001008 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: configuration file "/usr/share/spamassassin/20_dnsbl_tests.cf" requires version 3.001008 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: configuration file "/usr/share/spamassassin/20_drugs.cf" requires version 3.001008 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: configuration file "/usr/share/spamassassin/20_fake_helo_tests.cf" requires version 3.001008 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: configuration file "/usr/share/spamassassin/20_head_tests.cf" requires version 3.001008 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: configuration file "/usr/share/spamassassin/20_html_tests.cf" requires version 3.001008 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: configuration file "/usr/share/spamassassin/20_meta_tests.cf" requires version 3.001008 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: configuration file "/usr/share/spamassassin/20_net_tests.cf" requires version 3.001008 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: configuration file "/usr/share/spamassassin/20_phrases.cf" requires version 3.001008 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: configuration file "/usr/share/spamassassin/20_porn.cf" requires version 3.001008 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: configuration file "/usr/share/spamassassin/20_uri_tests.cf" requires version 3.001008 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: configuration file "/usr/share/spamassassin/23_bayes.cf" requires version 3.001008 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: warning: score set for non-existent rule HTML_CHARSET_FARAWAY config: warning: score set for non-existent rule FORGED_MSGID_YAHOO config: warning: score set for non-existent rule CONFIDENTIAL_ORDER config: warning: score set for non-existent rule MANY_EXCLAMATIONS config: warning: score set for non-existent rule SUSPICIOUS_RECIPS config: warning: score set for non-existent rule HTML_SHORT_LENGTH config: warning: score set for non-existent rule RCVD_DOUBLE_IP_LOOSE config: warning: score set for non-existent rule FROM_ALL_NUMS config: warning: score set for non-existent rule DOMAIN_4U2 config: warning: score set for non-existent rule EXTRA_CASH config: warning: score set for non-existent rule HIGH_CODEPAGE_URI config: warning: score set for non-existent rule RCVD_IN_BL_SPAMCOP_NET config: warning: score set for non-existent rule SEE_FOR_YOURSELF config: warning: score set for non-existent rule HABEAS_ACCREDITED_SOI config: warning: score set for non-existent rule HTML_FONT_FACE_BAD config: warning: score set for non-existent rule DNS_FROM_RFC_BOGUSMX config: warning: score set for non-existent rule SPOOF_COM2COM config: warning: score set for non-existent rule SOMETHING_FOR_ADULTS config: warning: score set for non-existent rule HIDE_WIN_STATUS config: warning: score set for non-existent rule DATE_SPAMWARE_Y2K config: warning: score set for non-existent rule URI_UPPER_LOWER config: warning: score set for non-existent rule HTML_BADTAG_50_60 config: warning: score set for non-existent rule RCVD_IN_MAPS_RSS config: warning: score set for non-existent rule HTML_FONT_TINY config: warning: score set for non-existent rule MISSING_MIME_HB_SEP config: warning: score set for non-existent rule RCVD_ILLEGAL_IP config: warning: score set for non-existent rule MONEY_BACK config: warning: score set for non-existent rule MISSING_DATE config: warning: score set for non-existent rule SUBJ_GUARANTEED config: warning: score set for non-existent rule HTML_SHOUTING4 config: 
warning: score set for non-existent rule HTML_BADTAG_20_30 config: warning: score set for non-existent rule OFFSHORE_SCAM config: warning: score set for non-existent rule DIGEST_MULTIPLE config: warning: score set for non-existent rule MIME_BOUND_DIGITS_15 config: warning: score set for non-existent rule NO_MEDICAL config: warning: score set for non-existent rule URG_BIZ config: warning: score set for non-existent rule REPLY_TO_EMPTY config: warning: score set for non-existent rule RCVD_IN_SORBS_BLOCK config: warning: score set for non-existent rule URI_OFFERS config: warning: score set for non-existent rule HTML_OBFUSCATE_60_70 config: warning: score set for non-existent rule URI_SCHEME_MIXED_CASE config: warning: score set for non-existent rule SUBJECT_DRUG_GAP_VA config: warning: score set for non-existent rule BANG_OPRAH config: warning: score set for non-existent rule HTTP_ESCAPED_HOST config: warning: score set for non-existent rule DEEP_DISC_MEDS config: warning: score set for non-existent rule TO_TXT config: warning: score set for non-existent rule MIME_BASE64_NO_NAME config: warning: score set for non-existent rule DRUGS_ERECTILE_OBFU config: warning: score set for non-existent rule HTML_30_40 config: warning: score set for non-existent rule DRUGS_SMEAR1 config: warning: score set for non-existent rule HTML_OBFUSCATE_90_100 config: warning: score set for non-existent rule LIVE_PORN config: warning: score set for non-existent rule INVALID_TZ_EST config: warning: score set for non-existent rule SUBJ_HAS_UNIQ_ID config: warning: score set for non-existent rule UPPERCASE_25_50 config: warning: score set for non-existent rule HIDDEN_CHARGES config: warning: score set for non-existent rule URI_UNSUBSCRIBE config: warning: score set for non-existent rule HTML_COMMENT_SHORT config: warning: score set for non-existent rule RCVD_IN_MAPS_RBL config: warning: score set for non-existent rule HTML_SHORT_LINK_IMG_2 config: warning: score set for non-existent rule 
EXCUSE_12 config: warning: score set for non-existent rule BLANK_LINES_90_100 config: warning: score set for non-existent rule RCVD_IN_SORBS_SOCKS config: warning: score set for non-existent rule HG_HORMONE config: warning: score set for non-existent rule MSGID_SPAM_ALPHA_NUM config: warning: score set for non-existent rule HTML_LINK_OPT_OUT config: warning: score set for non-existent rule HTML_TITLE_EMPTY config: warning: score set for non-existent rule BLANK_LINES_70_80 config: warning: score set for non-existent rule MILLION_USD config: warning: score set for non-existent rule HTML_IMAGE_ONLY_16 config: warning: score set for non-existent rule MISSING_HEADERS config: warning: score set for non-existent rule ROUND_THE_WORLD config: warning: score set for non-existent rule SUBJ_YOUR_OWN config: warning: score set for non-existent rule MIME_BAD_ISO_CHARSET config: warning: score set for non-existent rule X_MAILER_SPAM config: warning: score set for non-existent rule MIME_HEADER_CTYPE_ONLY config: warning: score set for non-existent rule DRUG_ED_GENERIC config: warning: score set for non-existent rule MSGID_DOLLARS_RANDOM config: warning: score set for non-existent rule SUBJ_YOUR_DEBT config: warning: score set for non-existent rule HTML_OBFUSCATE_30_40 config: warning: score set for non-existent rule REMOVE_POSTAL config: warning: score set for non-existent rule URI_NOVOWEL config: warning: score set for non-existent rule RCVD_IN_SORBS_DUL config: warning: score set for non-existent rule DRUGS_DIET_OBFU config: warning: score set for non-existent rule HTML_SHOUTING3 config: warning: score set for non-existent rule NO_PRESCRIPTION config: warning: score set for non-existent rule HTTPS_IP_MISMATCH config: warning: score set for non-existent rule EXCUSE_6 config: warning: score set for non-existent rule EMAIL_ROT13 config: warning: score set for non-existent rule SUBJECT_DRUG_GAP_C config: warning: score set for non-existent rule HTML_BACKHAIR_8 config: warning: score 
set for non-existent rule RCVD_AM_PM config: warning: score set for non-existent rule BODY_ENHANCEMENT config: warning: score set for non-existent rule HTML_IMAGE_RATIO_04 config: warning: score set for non-existent rule HTML_FONT_SIZE_NONE config: warning: score set for non-existent rule DNS_FROM_SECURITYSAGE config: warning: score set for non-existent rule HTTP_77 config: warning: score set for non-existent rule HTML_NONELEMENT_20_30 config: warning: score set for non-existent rule HTML_MESSAGE config: warning: score set for non-existent rule DIET_2 config: warning: score set for non-existent rule GET_PAID config: warning: score set for non-existent rule FROM_AND_TO_SAME config: warning: score set for non-existent rule ORG_MIME_TOOLS config: warning: score set for non-existent rule INVALID_MSGID config: warning: score set for non-existent rule CHARSET_FARAWAY_HEADER config: warning: score set for non-existent rule RCVD_IN_DSBL config: warning: score set for non-existent rule BAYES_99 config: warning: score set for non-existent rule SUBJECT_EXCESS_QP config: warning: score set for non-existent rule FROM_EXCESS_BASE64 config: warning: score set for non-existent rule RCVD_BY_IP config: warning: score set for non-existent rule URI_HEX config: warning: score set for non-existent rule SENT_IN_COMPLIANCE config: warning: score set for non-existent rule HTML_BADTAG_90_100 config: warning: score set for non-existent rule HTML_TAG_BALANCE_BODY config: warning: score set for non-existent rule HTML_BADTAG_00_10 config: warning: score set for non-existent rule HELO_DYNAMIC_DHCP config: warning: score set for non-existent rule X_IP config: warning: score set for non-existent rule MEET_SINGLES config: warning: score set for non-existent rule HTML_COMMENT_SAVED_URL config: warning: score set for non-existent rule HTTP_EXCESSIVE_ESCAPES config: warning: score set for non-existent rule FORGED_AOL_RCVD config: warning: score set for non-existent rule HTML_EXTRA_CLOSE config: 
warning: score set for non-existent rule FORGED_HOTMAIL_RCVD2 config: warning: score set for non-existent rule SUBJ_CONSONANTS config: warning: score set for non-existent rule INFO_TLD config: warning: score set for non-existent rule ADVANCE_FEE_2 config: warning: score set for non-existent rule FIN_FREE config: warning: score set for non-existent rule CHINA_HEADER config: warning: score set for non-existent rule HTML_TITLE_SUBJ_DIFF config: warning: score set for non-existent rule DRUGS_ANXIETY_EREC config: warning: score set for non-existent rule RCVD_DOUBLE_IP_SPAM config: warning: score set for non-existent rule FROM_HAS_ULINE_NUMS config: warning: score set for non-existent rule FAKE_HELO_YAHOO_CA config: warning: score set for non-existent rule CUM_SHOT config: warning: score set for non-existent rule ACT_NOW_CAPS config: warning: score set for non-existent rule HTML_IMAGE_ONLY_08 config: warning: score set for non-existent rule DRUG_ED_COMBO config: warning: score set for non-existent rule SUBJECT_DRUG_GAP_L config: warning: score set for non-existent rule BIZ_TLD config: warning: score set for non-existent rule RCVD_IN_NJABL_CGI config: warning: score set for non-existent rule BAD_ENC_HEADER config: warning: score set for non-existent rule HTML_NONELEMENT_70_80 config: warning: score set for non-existent rule MALE_ENHANCE config: warning: score set for non-existent rule FORWARD_LOOKING config: warning: score set for non-existent rule REFINANCE_NOW config: warning: score set for non-existent rule EARN_PER_WEEK config: warning: score set for non-existent rule URI_NO_WWW_INFO_CGI config: warning: score set for non-existent rule HELO_DYNAMIC_OOL config: warning: score set for non-existent rule FREE_ACCESS config: warning: score set for non-existent rule HOT_NASTY config: warning: score set for non-existent rule ALL_NATURAL config: warning: score set for non-existent rule FROM_ILLEGAL_CHARS config: warning: score set for non-existent rule HTML_NONELEMENT_80_90 
config: warning: score set for non-existent rule DNS_FROM_RFC_ABUSE config: warning: score set for non-existent rule HELO_DYNAMIC_VTR config: warning: score set for non-existent rule FORGED_MSGID_AOL config: warning: score set for non-existent rule HTML_00_10 config: warning: score set for non-existent rule STRONG_BUY config: warning: score set for non-existent rule ML_MARKETING config: warning: score set for non-existent rule PORN_URL_MISC config: warning: score set for non-existent rule HTML_TITLE_LONG config: warning: score set for non-existent rule BANG_MORE config: warning: score set for non-existent rule TO_CC_NONE config: warning: score set for non-existent rule SUBJECT_DRUG_GAP_P config: warning: score set for non-existent rule OPTING_OUT_CAPS config: warning: score set for non-existent rule MARKETING_PARTNERS config: warning: score set for non-existent rule DATE_IN_FUTURE_03_06 config: warning: score set for non-existent rule DEAR_FRIEND config: warning: score set for non-existent rule HTML_FONT_INVISIBLE config: warning: score set for non-existent rule RCVD_IN_WHOIS_INVALID config: warning: score set for non-existent rule HTML_90_100 config: warning: score set for non-existent rule RCVD_IN_MAPS_NML config: warning: score set for non-existent rule NA_DOLLARS config: warning: score set for non-existent rule LOW_PRICE config: warning: score set for non-existent rule HTML_SHOUTING7 config: warning: score set for non-existent rule FROM_LOCAL_HEX config: warning: score set for non-existent rule RCVD_IN_NJABL_DUL config: warning: score set for non-existent rule HTML_TAG_EXIST_MARQUEE config: warning: score set for non-existent rule BANG_GUAR config: warning: score set for non-existent rule SUBJ_FOR_ONLY config: warning: score set for non-existent rule MIME_HTML_ONLY_MULTI config: warning: score set for non-existent rule BAYES_95 config: warning: score set for non-existent rule RCVD_IN_WHOIS_HIJACKED config: warning: score set for non-existent rule HABEAS_CHECKED 
config: warning: score set for non-existent rule FORGED_MUA_MOZILLA config: warning: score set for non-existent rule EXCUSE_23 config: warning: score set for non-existent rule MSGID_SHORT config: warning: score set for non-existent rule DAV_NON_HOTMAIL config: warning: score set for non-existent rule ENTITY_DEC_ALPHANUM config: warning: score set for non-existent rule NOT_ADVISOR config: warning: score set for non-existent rule X_PRIORITY_HIGH config: warning: score set for non-existent rule HTML_80_90 config: warning: score set for non-existent rule HTML_FONT_SIZE_TINY config: warning: score set for non-existent rule SUBJ_ILLEGAL_CHARS config: warning: score set for non-existent rule DRUG_ED_SILD config: warning: score set for non-existent rule RCVD_IN_XBL config: warning: score set for non-existent rule HABEAS_ACCREDITED_COI config: warning: score set for non-existent rule ONLINE_PHARMACY config: warning: score set for non-existent rule YAHOO_RD_REDIR config: warning: score set for non-existent rule HTML_BADTAG_10_20 config: warning: score set for non-existent rule UNDISC_RECIPS config: warning: score set for non-existent rule JOIN_MILLIONS config: warning: score set for non-existent rule RCVD_IN_SORBS_HTTP config: warning: score set for non-existent rule DATE_IN_FUTURE_48_96 config: warning: score set for non-existent rule X_MSMAIL_PRIORITY_HIGH config: warning: score set for non-existent rule MSGID_OUTLOOK_INVALID config: warning: score set for non-existent rule QUALIFY_FOR_THIS config: warning: score set for non-existent rule WHY_PAY_MORE config: warning: score set for non-existent rule DRUGS_ERECTILE config: warning: score set for non-existent rule DRUGS_ANXIETY_OBFU config: warning: score set for non-existent rule GAPPY_SUBJECT config: warning: score set for non-existent rule URI_IS_POUND config: warning: score set for non-existent rule UPPERCASE_75_100 config: warning: score set for non-existent rule MULTI_FORGED config: warning: score set for non-existent 
rule HAIR_LOSS config: warning: score set for non-existent rule SPOOF_COM2OTH config: warning: score set for non-existent rule MICRO_CAP_WARNING config: warning: score set for non-existent rule MAILTO_TO_REMOVE config: warning: score set for non-existent rule __RCVD_IN_SORBS config: warning: score set for non-existent rule HTML_FONT_LOW_CONTRAST config: warning: score set for non-existent rule FREE_PREVIEW config: warning: score set for non-existent rule HTML_OBFUSCATE_40_50 config: warning: score set for non-existent rule LOCALPART_IN_SUBJECT config: warning: score set for non-existent rule HELO_DYNAMIC_TELIA config: warning: score set for non-existent rule ALL_TRUSTED config: warning: score set for non-existent rule HTML_IMAGE_ONLY_04 config: warning: score set for non-existent rule BAYES_20 config: warning: score set for non-existent rule HELO_DYNAMIC_CHELLO_NL config: warning: score set for non-existent rule MSGID_YAHOO_CAPS config: warning: score set for non-existent rule DRUG_ED_CAPS config: warning: score set for non-existent rule NO_RELAYS config: warning: score set for non-existent rule MIME_BOUND_RKFINDY config: warning: score set for non-existent rule DATE_IN_FUTURE_12_24 config: warning: score set for non-existent rule HTML_OBFUSCATE_80_90 config: warning: score set for non-existent rule MPART_ALT_DIFF_COUNT config: warning: score set for non-existent rule SUBJECT_DRUG_GAP_S config: warning: score set for non-existent rule AMAZING_STUFF config: warning: score set for non-existent rule BEST_PORN config: warning: score set for non-existent rule HTML_SHORT_LINK_IMG_1 config: warning: score set for non-existent rule MSGID_SPAM_LETTERS config: warning: score set for non-existent rule BAYES_00 config: warning: score set for non-existent rule TO_NO_USER config: warning: score set for non-existent rule RECEIVE_OFFER config: warning: score set for non-existent rule UNCLAIMED_MONEY config: warning: score set for non-existent rule STOCK_ALERT config: warning: 
score set for non-existent rule HELO_DYNAMIC_ADELPHIA config: warning: score set for non-existent rule WEIRD_QUOTING config: warning: score set for non-existent rule TRACKER_ID config: warning: score set for non-existent rule DATE_IN_PAST_24_48 config: warning: score set for non-existent rule BARGAIN_URL config: warning: score set for non-existent rule EXCUSE_REMOVE config: warning: score set for non-existent rule HEAD_ILLEGAL_CHARS config: warning: score set for non-existent rule SUBJECT_NOVOWEL config: warning: score set for non-existent rule UNPARSEABLE_RELAY config: warning: score set for non-existent rule BAYES_05 config: warning: score set for non-existent rule DOMAIN_RATIO config: warning: score set for non-existent rule HELO_DYNAMIC_VELOX config: warning: score set for non-existent rule NO_DNS_FOR_FROM config: warning: score set for non-existent rule NO_REAL_NAME config: warning: score set for non-existent rule FROM_BLANK_NAME config: warning: score set for non-existent rule HELO_DYNAMIC_HEXIP config: warning: score set for non-existent rule NO_FORMS config: warning: score set for non-existent rule HTML_BADTAG_30_40 config: warning: score set for non-existent rule HARDCORE_PORN config: warning: score set for non-existent rule MORE_SEX config: warning: score set for non-existent rule WHY_WAIT config: warning: score set for non-existent rule INVALID_DATE_TZ_ABSURD config: warning: score set for non-existent rule TO_EMPTY config: warning: score set for non-existent rule INVALID_DATE config: warning: score set for non-existent rule PRICES_ARE_AFFORDABLE config: warning: score set for non-existent rule RCVD_IN_IADB_VOUCHED config: warning: score set for non-existent rule SPOOF_NET2COM config: warning: score set for non-existent rule HTML_40_50 config: warning: score set for non-existent rule HTML_IMAGE_ONLY_12 config: warning: score set for non-existent rule HTML_TEXT_AFTER_HTML config: warning: score set for non-existent rule RISK_FREE config: warning: score 
set for non-existent rule DATE_IN_PAST_48_96 config: warning: score set for non-existent rule HTML_MISSING_CTYPE config: warning: score set for non-existent rule SUBJ_DOLLARS config: warning: score set for non-existent rule HTML_FONT_SIZE_LARGE config: warning: score set for non-existent rule WITH_LC_SMTP config: warning: score set for non-existent rule PORN_URL_SLUT config: warning: score set for non-existent rule PREST_NON_ACCREDITED config: warning: score set for non-existent rule HTML_SHOUTING6 config: warning: score set for non-existent rule DNS_FROM_RFC_WHOIS config: warning: score set for non-existent rule COMPETE config: warning: score set for non-existent rule INTERRUPTUS config: warning: score set for non-existent rule HTML_TAG_BALANCE_HEAD config: warning: score set for non-existent rule CHARSET_FARAWAY config: warning: score set for non-existent rule IMPOTENCE config: warning: score set for non-existent rule FROM_STARTS_WITH_NUMS config: warning: score set for non-existent rule HTML_60_70 config: warning: score set for non-existent rule HTML_SHORT_COMMENT config: warning: score set for non-existent rule MSGID_DOLLARS config: warning: score set for non-existent rule MIME_BOUND_MANY_HEX config: warning: score set for non-existent rule MSGID_FROM_MTA_HEADER config: warning: score set for non-existent rule FROM_DOMAIN_NOVOWEL config: warning: score set for non-existent rule HTML_IMAGE_RATIO_08 config: warning: score set for non-existent rule HTML_20_30 config: warning: score set for non-existent rule RCVD_IN_NJABL_RELAY config: warning: score set for non-existent rule BLANK_LINES_80_90 config: warning: score set for non-existent rule HTML_IMAGE_RATIO_02 config: warning: score set for non-existent rule US_DOLLARS_3 config: warning: score set for non-existent rule BE_BOSS config: warning: score set for non-existent rule FORGED_YAHOO_RCVD config: warning: score set for non-existent rule FREE_QUOTE_INSTANT config: warning: score set for non-existent rule 
RCVD_IN_SORBS_MISC config: warning: score set for non-existent rule HELO_DYNAMIC_SPLIT_IP config: warning: score set for non-existent rule INVESTMENT_EXPERT config: warning: score set for non-existent rule FRAGMENTED_MESSAGE config: warning: score set for non-existent rule WEIRD_PORT config: warning: score set for non-existent rule HELO_DYNAMIC_IPADDR config: warning: score set for non-existent rule MIME_MISSING_BOUNDARY config: warning: score set for non-existent rule INVALID_TZ_CST config: warning: score set for non-existent rule HTML_BADTAG_60_70 config: warning: score set for non-existent rule ADVANCE_FEE_1 config: warning: score set for non-existent rule REPLICA_WATCH config: warning: score set for non-existent rule HTML_EVENT_UNSAFE config: warning: score set for non-existent rule SPOOF_OURI config: warning: score set for non-existent rule RCVD_IN_SORBS_SMTP config: warning: score set for non-existent rule X_MIME_AUTOCONVERTED config: warning: score set for non-existent rule CLICK_BELOW_CAPS config: warning: score set for non-existent rule HTML_IMAGE_ONLY_32 config: warning: score set for non-existent rule MAILTO_SUBJ_REMOVE config: warning: score set for non-existent rule NORMAL_HTTP_TO_IP config: warning: score set for non-existent rule RCVD_IN_MAPS_DUL config: warning: score set for non-existent rule EXCUSE_4 config: warning: score set for non-existent rule HTML_ATTR_UNIQUE config: warning: score set for non-existent rule PORN_15 config: warning: score set for non-existent rule HELO_DYNAMIC_CHELLO_NO config: warning: score set for non-existent rule DATE_IN_FUTURE_96_XX config: warning: score set for non-existent rule JS_FROMCHARCODE config: warning: score set for non-existent rule SUBJECT_DRUG_GAP_X config: warning: score set for non-existent rule FORGED_MSGID_MSN config: warning: score set for non-existent rule FORGED_RCVD_HELO config: warning: score set for non-existent rule HTML_IMAGE_ONLY_28 config: warning: score set for non-existent rule 
HTML_ATTR_BAD config: warning: score set for non-existent rule BAYES_60 config: warning: score set for non-existent rule EMPTY_MESSAGE config: warning: score set for non-existent rule DIET_1 config: warning: score set for non-existent rule URI_DIGITS config: warning: score set for non-existent rule HELO_DYNAMIC_HCC config: warning: score set for non-existent rule NONEXISTENT_CHARSET config: warning: score set for non-existent rule RCVD_HELO_IP_MISMATCH config: warning: score set for non-existent rule LOTS_OF_STUFF config: warning: score set for non-existent rule HTML_BACKHAIR_4 config: warning: score set for non-existent rule DATE_IN_FUTURE_06_12 config: warning: score set for non-existent rule HELO_DYNAMIC_ROGERS config: warning: score set for non-existent rule RCVD_IN_WHOIS_BOGONS config: warning: score set for non-existent rule HTML_NONELEMENT_30_40 config: warning: score set for non-existent rule MORTGAGE_RATES config: warning: score set for non-existent rule __RFC_IGNORANT_ENVFROM config: warning: score set for non-existent rule FRONTPAGE config: warning: score set for non-existent rule FAKE_HELO_MAIL_COM config: warning: score set for non-existent rule EM_ROLEX config: warning: score set for non-existent rule HTML_TINY_FONT config: warning: score set for non-existent rule BAYES_40 config: warning: score set for non-existent rule DRUGS_MUSCLE config: warning: score set for non-existent rule NO_RDNS_DOTCOM_HELO config: warning: score set for non-existent rule YOU_CAN_SEARCH config: warning: score set for non-existent rule DATE_IN_PAST_12_24 config: warning: score set for non-existent rule FAKE_HELO_EXCITE config: warning: score set for non-existent rule BODY_ENHANCEMENT2 config: warning: score set for non-existent rule HTTP_CTRL_CHARS_HOST config: warning: score set for non-existent rule HTML_BADTAG_70_80 config: warning: score set for non-existent rule MSGID_SPAM_ZEROES config: warning: score set for non-existent rule YAHOO_DRS_REDIR config: warning: score set 
for non-existent rule X_ORIG_IP_NOT_IPV4 config: warning: score set for non-existent rule AS_SEEN_ON config: warning: score set for non-existent rule BAD_CREDIT config: warning: score set for non-existent rule FORGED_JUNO_RCVD config: warning: score set for non-existent rule PRIORITY_NO_NAME config: warning: score set for non-existent rule LONGWORDS config: warning: score set for non-existent rule RCVD_FAKE_HELO_DOTCOM config: warning: score set for non-existent rule FAKE_OUTBLAZE_RCVD config: warning: score set for non-existent rule HTML_SHORT_CENTER config: warning: score set for non-existent rule RCVD_IN_NJABL_MULTI config: warning: score set for non-existent rule DNS_FROM_RFC_POST config: warning: score set for non-existent rule RUDE_HTML config: warning: score set for non-existent rule HELO_DYNAMIC_IPADDR2 config: warning: score set for non-existent rule HELO_DYNAMIC_YAHOOBB config: warning: score set for non-existent rule DRUG_DOSAGE config: warning: score set for non-existent rule FORGED_MSGID_HOTMAIL config: warning: score set for non-existent rule FORGED_HOTMAIL_RCVD config: warning: score set for non-existent rule HELO_DYNAMIC_ATTBI config: warning: score set for non-existent rule HTML_NONELEMENT_60_70 config: warning: score set for non-existent rule DRUGS_DIET config: warning: score set for non-existent rule HTML_NONELEMENT_00_10 config: warning: score set for non-existent rule MSGID_SPAM_CAPS config: warning: score set for non-existent rule ADDR_NUMS_AT_BIGSITE config: warning: score set for non-existent rule GUARANTEED_100_PERCENT config: warning: score set for non-existent rule UNRESOLVED_TEMPLATE config: warning: score set for non-existent rule DISGUISE_PORN_MUNDANE config: warning: score set for non-existent rule NUMERIC_HTTP_ADDR config: warning: score set for non-existent rule X_LIBRARY config: warning: score set for non-existent rule PORN_URL_SEX config: warning: score set for non-existent rule X_PRIORITY_CC config: warning: score set for 
non-existent rule UNCLOSED_BRACKET config: warning: score set for non-existent rule HTML_TEXT_AFTER_BODY config: warning: score set for non-existent rule DNS_FROM_AHBL_RHSBL config: warning: score set for non-existent rule GTUBE config: warning: score set for non-existent rule MIME_BOUND_DD_DIGITS config: warning: score set for non-existent rule REMOVE_BEFORE_LINK config: warning: score set for non-existent rule HTML_TAG_EXIST_TBODY config: warning: score set for non-existent rule REFINANCE_YOUR_HOME config: warning: score set for non-existent rule DATE_IN_PAST_03_06 config: warning: score set for non-existent rule HTML_NONELEMENT_10_20 config: warning: score set for non-existent rule SUBJ_AS_SEEN config: warning: score set for non-existent rule NO_COST config: warning: score set for non-existent rule FREE_PORN config: warning: score set for non-existent rule USERPASS config: warning: score set for non-existent rule MIME_BOUND_NEXTPART config: warning: score set for non-existent rule MIME_BASE64_BLANKS config: warning: score set for non-existent rule HTML_EMBEDS config: warning: score set for non-existent rule VIA_GAP_GRA config: warning: score set for non-existent rule MORTGAGE_PITCH config: warning: score set for non-existent rule MIME_HTML_MOSTLY config: warning: score set for non-existent rule FORGED_MSGID_EXCITE config: warning: score set for non-existent rule FREE_SAMPLE config: warning: score set for non-existent rule FROM_EXCESS_QP config: warning: score set for non-existent rule HELO_DYNAMIC_NTL config: warning: score set for non-existent rule REVERSE_AGING config: warning: score set for non-existent rule MSGID_LONG config: warning: score set for non-existent rule FORGED_GW05_RCVD config: warning: score set for non-existent rule RCVD_NUMERIC_HELO config: warning: score set for non-existent rule WRINKLES config: warning: score set for non-existent rule DRUGS_SLEEP config: warning: score set for non-existent rule SUBJ_2_NUM_PARENS config: warning: score set 
for non-existent rule BANG_EXERCISE
config: warning: score set for non-existent rule SORTED_RECIPS
config: warning: score set for non-existent rule RCVD_IN_BSP_OTHER
config: warning: score set for non-existent rule FROM_HAS_MIXED_NUMS
config: warning: score set for non-existent rule DATE_IN_PAST_96_XX
config: warning: score set for non-existent rule FORGED_EUDORAMAIL_RCVD
config: warning: score set for non-existent rule HTML_NONELEMENT_40_50
config: warning: score set for non-existent rule FAKED_UNDISC_RECIPS
config: warning: score set for non-existent rule MSGID_FROM_MTA_HOTMAIL
config: warning: score set for non-existent rule DATE_IN_PAST_06_12
config: warning: score set for non-existent rule BAYES_80
config: warning: score set for non-existent rule HTML_OBFUSCATE_05_10
config: warning: score set for non-existent rule HEADER_COUNT_CTYPE
config: warning: score set for non-existent rule URI_NO_WWW_BIZ_CGI
config: warning: score set for non-existent rule EXTRA_MPART_TYPE
config: warning: score set for non-existent rule HTML_50_60
config: warning: score set for non-existent rule SUBJECT_SEXUAL
config: warning: score set for non-existent rule NO_OBLIGATION
config: warning: score set for non-existent rule EXCUSE_10
config: warning: score set for non-existent rule IP_LINK_PLUS
config: warning: score set for non-existent rule NO_RECEIVED
config: warning: score set for non-existent rule KOREAN_UCE_SUBJECT
config: warning: score set for non-existent rule SUBJ_BUY
config: warning: score set for non-existent rule MSGID_FROM_MTA_ID
config: warning: score set for non-existent rule TO_RECIP_MARKER
config: warning: score set for non-existent rule INVESTMENT_ADVICE
config: warning: score set for non-existent rule MISSING_HB_SEP
config: warning: score set for non-existent rule FROM_NONSENDING_DOMAIN
config: warning: score set for non-existent rule HTML_NONELEMENT_90_100
config: warning: score set for non-existent rule ADDRESS_IN_SUBJECT
config: warning: score set for non-existent rule ADVANCE_FEE_4
config: warning: score set for non-existent rule EXCUSE_24
config: warning: score set for non-existent rule FAKE_HELO_LYCOS
config: warning: score set for non-existent rule RCVD_IN_NJABL_PROXY
[8041] info: rules: meta test REPTO_QUOTE_YAHOO has undefined dependency '__FROM_YAHOO_COM'
[8041] info: rules: meta test REPTO_QUOTE_YAHOO has undefined dependency '__AT_YAHOO_MSGID'
[8041] info: rules: meta test __SARE_HEAD_FALSE has undefined dependency '__FROM_AOL_COM'
[8041] info: rules: meta test __SARE_HEAD_FALSE has undefined dependency '__FROM_AOL_COM'
[8041] info: rules: meta test RATWARE_OUTLOOK_NONAME has undefined dependency '__MSGID_DOLLARS_OK'
[8041] info: rules: meta test RATWARE_OUTLOOK_NONAME has undefined dependency '__HAS_X_MAILER'
[8041] info: rules: meta test HEBREWSPAM_33 has undefined dependency 'HEBREW_SPAM_30'
[8041] info: rules: meta test SARE_SPEC_PROLEO_M2a has dependency 'MIME_QP_LONG_LINE' with a zero score
[8041] info: rules: meta test HEBREWSPAM_33H has undefined dependency 'HEBREW_SPAM_3H'
[8041] info: rules: meta test RATWARE_MS_HASH has undefined dependency '__MSGID_DOLLARS_OK'
[8041] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_XMAIL_SUSP2'
[8041] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_HEAD_XAUTH_WARN'
[8041] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT'
[8041] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT'
[8041] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY'
[8041] info: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined dependency 'VIRUS_WARNING_MYDOOM4'
[8041] info: rules: meta test __SARE_SUB_FALSE has undefined dependency '__FROM_AOL_COM'
[8041] info: rules: meta test __SARE_SUB_FALSE has undefined dependency '__FROM_AOL_COM'
[8041] info: rules: meta test REPTO_QUOTE_MSN has undefined dependency '__FROM_MSN_COM'
[8041] info: rules: meta test REPTO_QUOTE_MSN has undefined dependency '__AT_MSN_MSGID'
SpamAssassin reported an error.
Using locktype = posix
Creating hardcoded struct_flock subroutine for linux (Linux-type)
MailScanner.conf says "Virus Scanners = f-prot"
Found these virus scanners installed: f-prot, clamav
[root@ns1 spamassassin]#

From febrianto at sioenasia.com Mon Mar 5 03:33:36 2007
From: febrianto at sioenasia.com (Budi Febrianto)
Date: Mon Mar 5 02:34:28 2007
Subject: OOT: Problem with upgrading clamav from 0.90 to 0.90.1
Message-ID:

Dear Gurus,
In the weekend I try to upgrade clamav from 0.90 to 0.90.1.
No error in compiling and installing but when I try to run clamav or
freshclam, it gives an error like this.
"error while loading shared libraries: libclamav.so.2: cannot open shared
object file: No such file or directory"

So I revert back to clamav 0.90, and runs ok. When I tried to upgrade again
this morning, it still gives me an error. Something I did wrong?

Best Regards

From azher at niit.edu.pk Mon Mar 5 04:21:12 2007
From: azher at niit.edu.pk (Azher Amin)
Date: Mon Mar 5 03:21:14 2007
Subject: OOT: Problem with upgrading clamav from 0.90 to 0.90.1
In-Reply-To:
References:
Message-ID: <4603469C.6030108@niit.edu.pk>

I got the same error. Try running ldconfig after your clamav make install.

-Azher

Budi Febrianto wrote:

>Dear Gurus,
>In the weekend I try to upgrade clamav from 0.90 to 0.90.1.
>No error in compiling and installing but when I try to run clamav or
>freshclam, it gives an error like this.
>"error while loading shared libraries: libclamav.so.2: cannot open shared
>object file: No such file or directory"
>
>So I revert back to clamav 0.90, and runs ok. When I tried to upgrade again
>this morning, it still gives me an error. Something I did wrong?
>
>Best Regards
>
>
>

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From febrianto at sioenasia.com Mon Mar 5 04:40:25 2007
From: febrianto at sioenasia.com (Budi Febrianto)
Date: Mon Mar 5 03:41:17 2007
Subject: OOT: Problem with upgrading clamav from 0.90 to 0.90.1
In-Reply-To: <4603469C.6030108@niit.edu.pk>
Message-ID:

It works. Many thanks.

mailscanner-bounces@lists.mailscanner.info wrote on 03-23-2007 10:16:44 AM:

> I got the same error. Try running ldconfig after your clamav make install.
>
> -Azher
>
> Budi Febrianto wrote:
>
> >Dear Gurus,
> >In the weekend I try to upgrade clamav from 0.90 to 0.90.1.
> >No error in compiling and installing but when I try to run clamav or
> >freshclam, it gives an error like this.
> >"error while loading shared libraries: libclamav.so.2: cannot open shared
> >object file: No such file or directory"

From raymond at prolocation.net Mon Mar 5 09:34:38 2007
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Mon Mar 5 08:40:29 2007
Subject: OOT: Problem with upgrading clamav from 0.90 to 0.90.1
In-Reply-To:
References:
Message-ID:

Hi!

> In the weekend I try to upgrade clamav from 0.90 to 0.90.1.
> No error in compiling and installing but when I try to run clamav or
> freshclam, it gives an error like this.
> "error while loading shared libraries: libclamav.so.2: cannot open shared
> object file: No such file or directory"
>
> So I revert back to clamav 0.90, and runs ok. When I tried to upgrade again
> this morning, it still gives me an error. Something I did wrong?

You didn't run ldconfig after compiling.

Bye,
Raymond.

From febrianto at sioenasia.com Mon Mar 5 09:54:01 2007
From: febrianto at sioenasia.com (Budi Febrianto)
Date: Mon Mar 5 08:54:57 2007
Subject: OOT: Problem with upgrading clamav from 0.90 to 0.90.1
In-Reply-To:
Message-ID:

> > So I revert back to clamav 0.90, and runs ok. When I tried to upgrade again
> > this morning, it still gives me an error. Something I did wrong?
>
> You didn't run ldconfig after compiling.
>
> Bye,
> Raymond.
> --

My mistake. Almost a year, upgrading clamav without a problem, makes me over self confidence so I just skip the README file.

From martinh at solidstatelogic.com Mon Mar 5 09:50:59 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Mar 5 08:57:04 2007
Subject: Wow, Av engine accelerator hardware.
In-Reply-To: <45EAD6C9.90702@mailwash.com.au>
Message-ID: <5f5d0f4b1809d942a7c12bffeb531ee3@solidstatelogic.com>

Given the fact that spam scanning is way slower than AV scanning I'd be more interested in something that helped SA....;-)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tony Enderby
> Sent: 04 March 2007 14:25
> To: MailScanner discussion
> Subject: Wow, Av engine accelerator hardware.
>
> They've done it with Graphics, Audio and Physics, and now AV ??
>
> Apparently ClamAV 0.90 supports these .. has anyone used them?
>
> http://www.sensorynetworks.com/Products/Acceleration/
>
> Tony.
>
> -----------------------------------------------------------------------------------
> Scanned by MailWash Australia - http://www.mailwash.com.au
> -----------------------------------------------------------------------------------
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From itdept at fractalweb.com Mon Mar 5 10:52:28 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Mon Mar 5 09:58:43 2007
Subject: dealing with dictionary attacks
Message-ID: <45EBE85C.90507@fractalweb.com>

We're beginning to really try to harden our external mail server. MailScanner is generally doing great.

As I watch my maillog data flow up my screen, I'm seeing tons of "... User unknown" messages and many of them are coming from a handful of IP addresses. Obviously, I would like the server's bandwidth and cpu cycles to be used for more productive things than dealing with what is (likely) a zombie machine running through a list of possible accounts at our domain.

Is there a trustworthy milter that will say, for example, "15 bad email addresses to our server within an hour and bang...the sender is blacklisted for say 36 hours"?

Thanks

From uxbod at splatnix.net Mon Mar 5 11:10:03 2007
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Mon Mar 5 10:15:58 2007
Subject: dealing with dictionary attacks
In-Reply-To: <45EBE85C.90507@fractalweb.com>
References: <45EBE85C.90507@fractalweb.com>
Message-ID: <20070305101003.5da114cd@uxbod.splatnix.net>

On Mon, 05 Mar 2007 01:52:28 -0800
Chris Yuzik wrote:

> We're beginning to really try to harden our external mail server.
> MailScanner is generally doing great.
>
> As I watch my maillog data flow up my screen, I'm seeing tons of "...
> User unknown" messages and many of them are coming from a handful of IP
> addresses. Obviously, I would like the server's bandwidth and cpu cycles
> to be used for more productive things than dealing with what is (likely)
> a zombie machine running through a list of possible accounts at our domain.
>
> Is there a trustworthy milter that will say, for example, "15 bad email
> addresses to our server within an hour and bang...the sender is
> blacklisted for say 36 hours"?
>
> Thanks

http://policyd.sourceforge.net

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// SIP:uxbod@sip.splatnix.net
// Phone:+44 845 869 2749

From dhawal at netmagicsolutions.com Mon Mar 5 11:20:48 2007
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Mon Mar 5 10:26:54 2007
Subject: dealing with dictionary attacks
In-Reply-To: <20070305101003.5da114cd@uxbod.splatnix.net>
References: <45EBE85C.90507@fractalweb.com> <20070305101003.5da114cd@uxbod.splatnix.net>
Message-ID: <45EBEF00.4070803@netmagicsolutions.com>

--[ UxBoD ]-- wrote:
> On Mon, 05 Mar 2007 01:52:28 -0800
> Chris Yuzik wrote:
>
>> We're beginning to really try to harden our external mail server.
>> MailScanner is generally doing great.
>>
>> As I watch my maillog data flow up my screen, I'm seeing tons of "...
>> User unknown" messages and many of them are coming from a handful of IP
>> addresses. Obviously, I would like the server's bandwidth and cpu cycles
>> to be used for more productive things than dealing with what is (likely)
>> a zombie machine running through a list of possible accounts at our domain.
>>
>> Is there a trustworthy milter that will say, for example, "15 bad email
>> addresses to our server within an hour and bang...the sender is
>> blacklisted for say 36 hours"?
>>
>> Thanks
> http://policyd.sourceforge.net

You do not need a policy server for this.. simply use smtpd_hard_error_limit.. however from the OP's mail it looks like he is a sendmail user..

Now for the OP:
Did you even google for "your_mta dictionary attack" before asking the list? for sendmail here are the first and second links from google.
http://www.technoids.org/dossed.html#3.2
http://notbrainsurgery.livejournal.com/23066.html

From uxbod at splatnix.net Mon Mar 5 11:36:13 2007
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Mon Mar 5 10:42:20 2007
Subject: dealing with dictionary attacks
In-Reply-To: <45EBEF00.4070803@netmagicsolutions.com>
References: <45EBE85C.90507@fractalweb.com> <20070305101003.5da114cd@uxbod.splatnix.net> <45EBEF00.4070803@netmagicsolutions.com>
Message-ID: <20070305103613.12529976@uxbod.splatnix.net>

On Mon, 05 Mar 2007 15:50:48 +0530
Dhawal Doshy wrote:

> --[ UxBoD ]-- wrote:
> > On Mon, 05 Mar 2007 01:52:28 -0800
> > Chris Yuzik wrote:
> >
> >> We're beginning to really try to harden our external mail server.
> >> MailScanner is generally doing great.
> >>
> >> As I watch my maillog data flow up my screen, I'm seeing tons of "...
> >> User unknown" messages and many of them are coming from a handful of IP
> >> addresses. Obviously, I would like the server's bandwidth and cpu cycles
> >> to be used for more productive things than dealing with what is (likely)
> >> a zombie machine running through a list of possible accounts at our domain.
> >>
> >> Is there a trustworthy milter that will say, for example, "15 bad email
> >> addresses to our server within an hour and bang...the sender is
> >> blacklisted for say 36 hours"?
> >>
> >> Thanks
> > http://policyd.sourceforge.net
>
> You do not need a policy server for this.. simply use
> smtpd_hard_error_limit.. however from the OP's mail it looks like he is
> a sendmail user..
>
> Now for the OP:
> Did you even google for "your_mta dictionary attack" before asking the
> list? for sendmail here are the first and second links from google.
> http://www.technoids.org/dossed.html#3.2
> http://notbrainsurgery.livejournal.com/23066.html

Dhawal,

I agree that smtp_hard_error_limit could be used, but the OP is asking about blocking the remote MTA for a period of time.
Yes, it does look like the OP is using Sendmail so Policyd would not work anyway ;)

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// SIP:uxbod@sip.splatnix.net

From itdept at fractalweb.com Mon Mar 5 11:38:10 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Mon Mar 5 10:44:26 2007
Subject: dealing with dictionary attacks
In-Reply-To: <45EBEF00.4070803@netmagicsolutions.com>
References: <45EBE85C.90507@fractalweb.com> <20070305101003.5da114cd@uxbod.splatnix.net> <45EBEF00.4070803@netmagicsolutions.com>
Message-ID: <45EBF312.9020505@fractalweb.com>

Dhawal Doshy wrote:
> You do not need a policy server for this.. simply use
> smtpd_hard_error_limit.. however from the OP's mail it looks like he
> is a sendmail user..

Yes, Sendmail. Sorry, should have mentioned that in my post.

The "smtpd_hard_error_limit" would be a good thing, but not being a sendmail guru, I'm not aware of an equivalent.

> Now for the OP:
> Did you even google for "your_mta dictionary attack" before asking the
> list? for sendmail here are the first and second links from google.
> http://www.technoids.org/dossed.html#3.2
> http://notbrainsurgery.livejournal.com/23066.html

You bet. I've spent the last couple of hours googling this very thing, and already have those sendmail tweaks (and more) going. BUT, I'm still watching machines trying random users at our domains...over and over again. Not 50 per minute or anything, but I would say dozens an hour. It seems to me a good thing to simply put that IP in some sort of a penalty box for a couple of days and not have it bother the server while it's there.

Thanks.

Cheers,
Chris

From dhawal at netmagicsolutions.com Mon Mar 5 11:46:13 2007
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Mon Mar 5 10:52:23 2007
Subject: dealing with dictionary attacks
In-Reply-To: <20070305103613.12529976@uxbod.splatnix.net>
References: <45EBE85C.90507@fractalweb.com> <20070305101003.5da114cd@uxbod.splatnix.net> <45EBEF00.4070803@netmagicsolutions.com> <20070305103613.12529976@uxbod.splatnix.net>
Message-ID: <45EBF4F5.5010904@netmagicsolutions.com>

--[ UxBoD ]-- wrote:
> On Mon, 05 Mar 2007 15:50:48 +0530
> Dhawal Doshy wrote:
>
>> --[ UxBoD ]-- wrote:
>>> On Mon, 05 Mar 2007 01:52:28 -0800
>>> Chris Yuzik wrote:
>>>
>>>> We're beginning to really try to harden our external mail server.
>>>> MailScanner is generally doing great.
>>>>
>>>> As I watch my maillog data flow up my screen, I'm seeing tons of "...
>>>> User unknown" messages and many of them are coming from a handful of IP
>>>> addresses. Obviously, I would like the server's bandwidth and cpu cycles
>>>> to be used for more productive things than dealing with what is (likely)
>>>> a zombie machine running through a list of possible accounts at our domain.
>>>>
>>>> Is there a trustworthy milter that will say, for example, "15 bad email
>>>> addresses to our server within an hour and bang...the sender is
>>>> blacklisted for say 36 hours"?
>>>>
>>>> Thanks
>>> http://policyd.sourceforge.net
>> You do not need a policy server for this.. simply use
>> smtpd_hard_error_limit.. however from the OP's mail it looks like he is
>> a sendmail user..
>>
>> Now for the OP:
>> Did you even google for "your_mta dictionary attack" before asking the
>> list? for sendmail here are the first and second links from google.
>> http://www.technoids.org/dossed.html#3.2
>> http://notbrainsurgery.livejournal.com/23066.html
> Dhawal,
>
> I agree that smtp_hard_error_limit could be used, but the OP is asking about blocking the remote MTA for a period of time.
> Yes, it does look like the OP is using Sendmail so Policyd would not work anyway ;)

oops, as usual i love to be trigger happy..

SEC/Swatch can be used for something like this, example:
http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:rbls:all:your_own_onemore

You can eliminate the database and rbldnsd and start appending "IP:Deny #Timestamp" to /etc/mail/access (in the correct format for sendmail) and write another cron script to clean up older entries based on the timestamp.

From norbert.schmidt at interactivedata.com Mon Mar 5 11:52:40 2007
From: norbert.schmidt at interactivedata.com (Norbert Schmidt)
Date: Mon Mar 5 10:59:35 2007
Subject: Norbert Schmidt is out of the office.
Message-ID:

I will be out of the office starting 05.03.2007 and will not return until 08.03.2007.

I'll answer to your mail, when I get back. If it is an urgent problem, please contact joerg.weiskirch@interactivedata.com
I will answer your mail after my return...

From res at ausics.net Mon Mar 5 12:17:49 2007
From: res at ausics.net (Res)
Date: Mon Mar 5 11:24:29 2007
Subject: dealing with dictionary attacks
In-Reply-To: <45EBF312.9020505@fractalweb.com>
References: <45EBE85C.90507@fractalweb.com> <20070305101003.5da114cd@uxbod.splatnix.net> <45EBEF00.4070803@netmagicsolutions.com> <45EBF312.9020505@fractalweb.com>
Message-ID:

I've not seen a post on the sendmail list/newsgroup
The appropriate place for NON mailscanner info is the MTA of choices list/newsgroup

On Mon, 5 Mar 2007, Chris Yuzik wrote:

> Dhawal Doshy wrote:
>> You do not need a policy server for this.. simply use
>> smtpd_hard_error_limit.. however from the OP's mail it looks like he is a
>> sendmail user..
> Yes, Sendmail. Sorry, should have mentioned that in my post.
>
> The "smtpd_hard_error_limit" would be a good thing, but not being a sendmail
> guru, I'm not aware of an equivalent.
>> Now for the OP:
>> Did you even google for "your_mta dictionary attack" before asking the
>> list? for sendmail here are the first and second links from google.
>> http://www.technoids.org/dossed.html#3.2
>> http://notbrainsurgery.livejournal.com/23066.html
> You bet. I've spent the last couple of hours googling this very thing, and
> already have those sendmail tweaks (and more) going. BUT, I'm still watching
> machines trying random users at our domains...over and over again. Not 50 per
> minute or anything, but I would say dozens an hour. It seems to me a good
> thing to simply put that IP in some sort of a penalty box for a couple of
> days and not have it bother the server while it's there.
>
> Thanks.
>
> Cheers,
> Chris
>

--
Cheers
Res

"If I lay here, If I just lay here, would you lay with me and just forget the world?"

From res at ausics.net Mon Mar 5 12:19:23 2007
From: res at ausics.net (Res)
Date: Mon Mar 5 11:25:56 2007
Subject: Norbert Schmidt is out of the office.
In-Reply-To:
References:
Message-ID:

That's cool I'll be sure to ensure you have a lot of bounce messages in your inbox for when you get back :)

*shakes head*

On Mon, 5 Mar 2007, Norbert Schmidt wrote:

>
>
> I will be out of the office starting 05.03.2007 and will not return until
> 08.03.2007.
>
> I'll answer to your mail, when I get back. If it is an urgent problem,
> please contact joerg.weiskirch@interactivedata.com
> I will answer your mail after my return...
>

--
Cheers
Res

"If I lay here, If I just lay here, would you lay with me and just forget the world?"

From davor at oscecro.org Mon Mar 5 12:24:48 2007
From: davor at oscecro.org (davor)
Date: Mon Mar 5 11:31:59 2007
Subject: dealing with dictionary attacks
Message-ID: <000001c75f18$e2cf9fe0$3d01220a@ITU4>

Why don't you give a try to http://www.ossec.net/
Ossec is doing block with IPTABLES

Regards
davor

>>> Dhawal Doshy 3/5/2007 11:46 AM >>>
--[ UxBoD ]-- wrote:
> On Mon, 05 Mar 2007 15:50:48 +0530
> Dhawal Doshy wrote:
>
>> --[ UxBoD ]-- wrote:
>>> On Mon, 05 Mar 2007 01:52:28 -0800
>>> Chris Yuzik wrote:
>>>
>>>> We're beginning to really try to harden our external mail server.
>>>> MailScanner is generally doing great.
>>>>
>>>> As I watch my maillog data flow up my screen, I'm seeing tons of "...
>>>> User unknown" messages and many of them are coming from a handful of IP
>>>> addresses. Obviously, I would like the server's bandwidth and cpu cycles
>>>> to be used for more productive things than dealing with what is (likely)
>>>> a zombie machine running through a list of possible accounts at our domain.
>>>>
>>>> Is there a trustworthy milter that will say, for example, "15 bad email
>>>> addresses to our server within an hour and bang...the sender is
>>>> blacklisted for say 36 hours"?
>>>>
>>>> Thanks
>>> http://policyd.sourceforge.net
>> You do not need a policy server for this.. simply use
>> smtpd_hard_error_limit.. however from the OP's mail it looks like he is
>> a sendmail user..
>>
>> Now for the OP:
>> Did you even google for "your_mta dictionary attack" before asking the
>> list? for sendmail here are the first and second links from google.
>> http://www.technoids.org/dossed.html#3.2
>> http://notbrainsurgery.livejournal.com/23066.html
> Dhawal,
>
> I agree that smtp_hard_error_limit could be used, but the OP is asking about blocking the remote MTA for a period of time.
> Yes, it does look like the OP is using Sendmail so Policyd would not work anyway ;)

oops, as usual i love to be trigger happy..

SEC/Swatch can be used for something like this, example:
http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:rbls:all:your_own_onemore

You can eliminate the database and rbldnsd and start appending "IP:Deny #Timestamp" to /etc/mail/access (in the correct format for sendmail) and write another cron script to clean up older entries based on the timestamp.

From gerard at seibercom.net Mon Mar 5 12:42:49 2007
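
The penalty box asked for in the "dealing with dictionary attacks" thread above (Chris Yuzik's "15 bad email addresses ... within an hour", then a 36-hour block, using Dhawal Doshy's idea of timestamped entries in /etc/mail/access that a cron job expires) can be written as follows. This is an added example, not code from any poster or from sendmail; the log-line shape, the "# dictblock expires=" marker line and the Connect: / REJECT entry form are assumptions, and the sample log is constructed.

```python
import calendar
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 15                    # bad recipients ...
WINDOW = 3600                     # ... within one hour
BLOCK_FOR = 36 * 3600             # penalty: 36 hours
MARK = "# dictblock expires="     # hypothetical marker for entries this script owns

# Assumed line shape: syslog timestamp, relay address in brackets, "User unknown".
STAMP_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s")
RELAY_RE = re.compile(r"relay=[^,]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_rejections(lines, year):
    """Yield (epoch_seconds, relay_ip) for every unknown-recipient rejection."""
    for line in lines:
        stamp, relay = STAMP_RE.match(line), RELAY_RE.search(line)
        if "User unknown" not in line or not (stamp and relay):
            continue
        text = f"{year} {' '.join(stamp.group(1).split())}"   # syslog omits the year
        when = datetime.strptime(text, "%Y %b %d %H:%M:%S")
        yield calendar.timegm(when.timetuple()), relay.group(1)


def find_offenders(lines, year, threshold=THRESHOLD, window=WINDOW):
    """Return relays with at least `threshold` rejections inside any sliding window."""
    hits = defaultdict(list)
    for when, ip in parse_rejections(lines, year):
        hits[ip].append(when)
    offenders = set()
    for ip, times in hits.items():
        recent = deque()
        for when in sorted(times):
            recent.append(when)
            while when - recent[0] >= window:
                recent.popleft()
            if len(recent) >= threshold:
                offenders.add(ip)
                break
    return offenders


def key_ip(entry):
    """Left-hand side of an access entry, without the optional Connect: tag."""
    key = entry.split()[0]
    return key[len("Connect:"):] if key.startswith("Connect:") else key


def update_access(access_text, offenders, now, block_for=BLOCK_FOR):
    """Return new access-file text: expired penalty entries dropped, new ones added.

    Entries without a marker line above them belong to the administrator; they are
    kept as-is and their addresses are never given a REJECT by this script.
    """
    kept, listed = [], set()
    lines = access_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        stamp = line[len(MARK):].strip() if line.startswith(MARK) else ""
        if stamp.isdigit() and i + 1 < len(lines) and lines[i + 1].strip():
            if int(stamp) > now:                      # penalty still running
                kept += [line, lines[i + 1]]
                listed.add(key_ip(lines[i + 1]))
            i += 2                                    # an expired pair is skipped
            continue
        if line.strip() and not line.startswith("#"):
            listed.add(key_ip(line))
        kept.append(line)
        i += 1
    for ip in sorted(set(offenders) - listed):
        kept += [f"{MARK}{now + block_for}", f"Connect:{ip}\tREJECT"]
    return "\n".join(kept) + "\n"


def sample_log():
    """Constructed maillog lines (documentation addresses, not real traffic)."""
    def line(minute, ip, n):
        return (f"Mar  5 {minute // 60:02d}:{minute % 60:02d}:00 mx sendmail[4021]: "
                f"l25x{n:04d}: ruleset=check_rcpt, arg1=<guess{n}@example.com>, "
                f"relay=[{ip}], reject=550 5.1.1 <guess{n}@example.com>... User unknown")
    log = [line(60 + 2 * i, "192.0.2.10", i) for i in range(16)]        # 16 in 30 minutes
    log += [line(12 * i, "198.51.100.7", 100 + i) for i in range(15)]   # 15 spread over ~3 hours
    log += [line(5 * i, "203.0.113.5", 200 + i) for i in range(3)]      # a few stray misses
    return log


if __name__ == "__main__":
    now = 1173063600                                   # constructed "current time"
    bad = find_offenders(sample_log(), year=2007)
    print(update_access("Connect:198.51.100.7\tOK\n", bad, now), end="")
    # After writing the result to /etc/mail/access, rebuild the map, e.g.
    #   makemap hash /etc/mail/access < /etc/mail/access
```
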
From: gerard at seibercom.net (Gerard Seibert)
Date: Mon Mar 5 11:48:51 2007
Subject: Norbert Schmidt is out of the office.
In-Reply-To:
References:
Message-ID: <20070305064249.6a635885@localhost>

On Mon, 5 Mar 2007 21:19:23 +1000 (EST) Res wrote:

> That's cool I'll be sure to ensure you have a lot of bounce messages
> in your inbox for when you get back :)
>
> *shakes head*

//rant//

I know that I am just as guilty as you are now; however, responding to these asinine "OOO" messages, as if I really cared if he/she were going to be in their office to begin with, is just a waste of time and bandwidth. If these morons cannot figure out how to configure their MUAs to not send auto replies and/or vacation messages to mailing lists, then they should not be allowed to participate in mail forums until they do learn.

//rant off//

--
Gerard

The attacker must vanquish; the defender need only survive.

From hvdkooij at vanderkooij.org Mon Mar 5 12:44:38 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Mon Mar 5 11:50:34 2007
Subject: Norbert Schmidt is out of the office.
In-Reply-To:
References:
Message-ID:

On Mon, 5 Mar 2007, Norbert Schmidt wrote:

> I will be out of the office starting 05.03.2007 and will not return until
> 08.03.2007.
>
> I'll answer to your mail, when I get back. If it is an urgent problem,
> please contact joerg.weiskirch@interactivedata.com
> I will answer your mail after my return...

Anyone with a SA ruleset to kill these?

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From glenn.steen at gmail.com Mon Mar 5 12:51:51 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Mar 5 11:57:44 2007
Subject: Re: Norbert Schmidt is out of the office.
In-Reply-To:
References:
Message-ID: <223f97700703050351g70bbe3bew31592d8fd97ac9e4@mail.gmail.com>

On 05/03/07, Hugo van der Kooij wrote:
> On Mon, 5 Mar 2007, Norbert Schmidt wrote:
>
> > I will be out of the office starting 05.03.2007 and will not return until
> > 08.03.2007.
> >
> > I'll answer to your mail, when I get back. If it is an urgent problem,
> > please contact joerg.weiskirch@interactivedata.com
> > I will answer your mail after my return...
>
> Anyone with a SA ruleset to kill these?
>
> Hugo.

Unfortunately no, at least I have none. What seems an easy enough thing to do turns into a veritable nightmare since the language/wording changes and most aren't really that discernible in the headers.

In better times, when he's up and about, our friend Jules would handle these by temporarily suspending them from the list... Perhaps Paul or Michele has the right to do so too?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From abitran at omegasystems.cl Mon Mar 5 13:49:05 2007
From: abitran at omegasystems.cl (Alejandro Bitran)
Date: Mon Mar 5 12:55:03 2007
Subject: Julian Field in hospital
Message-ID: <1A2758D93A13E84782FECF528EC675F32E09D9@omegapdc.omegasystems.local>

Be strong Jules!! All my wishes. BH?

Regards,
------------------------------------
Alejandro Bitran B.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tim Chown
Sent: Monday, February 26, 2007 1:37 PM
To: mailscanner@lists.mailscanner.info
Subject: Julian Field in hospital

Hi,

I work with Jules at the University of Southampton and sadly we have to report that he was admitted to hospital on Friday having been found collapsed at home.

He's currently in a critical condition in hospital, but is stable.

Obviously there will not be any mailscanner development or maintenance by Jules for the immediate future, but we hope everyone on this list will join us in wishing him all the best towards a full recovery.

We'll let the list know of significant changes in his condition, and in due course where get well messages or cards can be sent.

If someone here has permissions to post the message on to the mailscanner announce list, please do so.

--
Tim

From rgreen at trayerproducts.com Mon Mar 5 14:28:11 2007
From: rgreen at trayerproducts.com (Rodney Green)
Date: Mon Mar 5 13:34:06 2007
Subject: clamav update advice
Message-ID: <31e7748d0703050528l3ced3f70t5f3102b057472f60@mail.gmail.com>

Hello,

I'm looking at upgrading ClamAV to version 0.90.1; I'm currently running version 0.88.4 which was installed using Julian's install package.
The instructions for 0.90.1 say that I have to uninstall the previous version. I've attempted to run "make uninstall" from the source directory for 0.88.4, but I'm getting a "No rule to make target 'uninstall'" error. How can I uninstall the previous version? Any advice is welcome. :-)

Thanks,
Rod

From arturs at netvision.net.il Mon Mar 5 14:28:00 2007
From: arturs at netvision.net.il (Arthur Sherman)
Date: Mon Mar 5 13:35:18 2007
Subject: Julian Field in hospital
In-Reply-To: <1A2758D93A13E84782FECF528EC675F32E09D9@omegapdc.omegasystems.local>
Message-ID: <034d01c75f2a$1865ac10$0dfb1bac@lapxp>

Fastest recovery!

Best,
--
Arthur Sherman
+972-52-4878851
http://www.cpt.co.il/

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Alejandro Bitran
> Sent: Monday, March 05, 2007 2:49 PM
> To: MailScanner discussion
> Subject: RE: Julian Field in hospital
>
> Be strong Jules!! All my wishes. BH?
>
> Regards,
> ------------------------------------
> Alejandro Bitran B.
>
>
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Tim Chown
> Sent: Monday, February 26, 2007 1:37 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Julian Field in hospital
>
> Hi,
>
> I work with Jules at the University of Southampton and sadly we have
> to report that he was admitted to hospital on Friday having been
> found collapsed at home.
>
> He's currently in a critical condition in hospital, but is stable.
>
> Obviously there will not be any mailscanner development or maintenance
> by Jules for the immediate future, but we hope everyone on this list
> will join us in wishing him all the best towards a full recovery.
>
> We'll let the list know of significant changes in his condition, and
> in due course where get well messages or cards can be sent.
>
> If someone here has permissions to post the message on to the
> mailscanner
> announce list, please do so.
>
> --
> Tim

From am.lists at gmail.com Mon Mar 5 14:31:36 2007
From: am.lists at gmail.com (am.lists) Date: Mon Mar 5 13:37:28 2007 Subject: spam.blacklist.rules Syntax question Message-ID: <25a66d840703050531w75f07214rdad0fe9497fbbe1d@mail.gmail.com> I'm seeing a boatload of spam coming from a particular set of domains. They're pretty slick, but I'm catching them with scoring. I'd just like to not have to score it every time if I already know they're junk coming in. Since I know they're very-well-known and aren't ever likely to send anything legit, I'd like to block their entire domain. Let's say their domain is "mx01.net" -- and their MTA IP is 1.2.3.4 with a reverse lookup of something.mx01.net. In my spam.blacklist.rules, I added: From: .mx01.net yes Thinking that would match. I'm still seeing messages from them that are going through scoring and not just getting stopped at the blacklist. I didn't want to block by IP range in case they move. Would this be better moved to a postfix block instead of where I'm [attempting] to do it? I know this comes back to strategy and there's more than one way to accomplish this. --Angelo From gerard at seibercom.net Mon Mar 5 14:37:36 2007 
From: gerard at seibercom.net (Gerard Seibert) Date: Mon Mar 5 13:43:31 2007 Subject: clamav update advice In-Reply-To: <31e7748d0703050528l3ced3f70t5f3102b057472f60@mail.gmail.com> References: <31e7748d0703050528l3ced3f70t5f3102b057472f60@mail.gmail.com> Message-ID: <20070305083736.58a1cbac@localhost> On Mon, 5 Mar 2007 08:28:11 -0500 "Rodney Green" wrote: > I'm looking at upgrading ClamAV to version 0.90.1; I'm currently > running version 0.88.4 which was installed using Julian's install > package. > The instructions for 0.90.1 says that I have to uninstall the previous > version. I've attempted to run "make uninstall" from the source > directory for 0.88.4, but I'm getting a "No rule to make target > 'uninstall'" error. How can I uninstall the previous version? Any > advice is welcome. :-) What OS are you employing? -- Gerard National security is in your hands - guard it well. From daniel.maher at ubisoft.com Mon Mar 5 14:57:09 2007 
From: daniel.maher at ubisoft.com (Daniel Maher) Date: Mon Mar 5 14:03:03 2007 Subject: Image spam In-Reply-To: <45E6121E.4040709@fractalweb.com> Message-ID: <1E293D3FF63A3740B10AD5AAD88535D204836224@UBIMAIL1.ubisoft.org> > Kevin Miller wrote: > > > > Can't speak for Steve, but when I finally did it here I saw about a > > 30-40% decrease in the number of messages accepted by sendmail. Had to > > add a couple of servers to the access file, but only a couple. The rest > > were zombies as nearly as I can tell. It's a simple addition with a > > huge impact as far as I'm concerned... > > > Kevin, > > Wow. 30+% is HUGE! > > Can't wait to get that going here. Is there a way to implement this functionality (greetpause) on Postfix? Thanks! -- _ °v° Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator Four elements!! From dhawal at netmagicsolutions.com Mon Mar 5 15:27:17 2007 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Mon Mar 5 14:33:27 2007 Subject: Image spam In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D204836224@UBIMAIL1.ubisoft.org> References: <1E293D3FF63A3740B10AD5AAD88535D204836224@UBIMAIL1.ubisoft.org> Message-ID: <45EC28C5.60606@netmagicsolutions.com> Daniel Maher wrote: >> Kevin Miller wrote: >>> Can't speak for Steve, but when I finally did it here I saw about a >>> 30-40% decrease in the number of messages accepted by sendmail. Had to >>> add a couple of servers to the access file, but only a couple. The rest >>> were zombies as nearly as I can tell. It's a simple addition with a >>> huge impact as far as I'm concerned... >>> >> Kevin, >> >> Wow. 30+% is HUGE! >> >> Can't wait to get that going here. > > Is there a way to implement this functionality (greetpause) on Postfix? See sleep under smtpd_client_restrictions, available for postfix > 2.3 http://www.postfix.org/postconf.5.html#smtpd_client_restrictions From Denis.Beauchemin at USherbrooke.ca Mon Mar 5 15:38:48 2007 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Mon Mar 5 14:44:52 2007 Subject: clamav update advice In-Reply-To: <31e7748d0703050528l3ced3f70t5f3102b057472f60@mail.gmail.com> References: <31e7748d0703050528l3ced3f70t5f3102b057472f60@mail.gmail.com> Message-ID: <45EC2B78.8040607@USherbrooke.ca> Rodney Green wrote: > Hello, > I'm looking at upgrading ClamAV to version 0.90.1; I'm currently > running version 0.88.4 which was installed using Julian's install > package. > The instructions for 0.90.1 says that I have to uninstall the previous > version. I've attempted to run "make uninstall" from the source > directory for 0.88.4, but I'm getting a "No rule to make target > 'uninstall'" error. How can I uninstall the previous version? Any > advice is welcome. :-) > > Thanks, > Rod Rodney, I didn't uninstall anything and it works just fine on RHEL4. Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From glenn.steen at gmail.com Mon Mar 5 15:43:36 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Mar 5 14:49:30 2007 Subject: spam.blacklist.rules Syntax question In-Reply-To: <25a66d840703050531w75f07214rdad0fe9497fbbe1d@mail.gmail.com> References: <25a66d840703050531w75f07214rdad0fe9497fbbe1d@mail.gmail.com> Message-ID: <223f97700703050643v529a356x461636a43706ee52@mail.gmail.com> On 05/03/07, am.lists wrote: > I'm seeing a boatload of spam coming from a particular set of domains. > They're pretty slick, but I'm catching them with scoring. I'd just > like to not have to score it every time if I already know they're junk > coming in. If you get several similar, the SA result cache should take care of this. > Since I know they're very-well-known and aren't ever likely to send > anything legit, I'd like to block their entire domain. > > Let's say their domain is "mx01.net" -- and their MTA IP is 1.2.3.4 > with a reverse lookup of something.mx01.net. > > In my spam.blacklist.rules, I added: > > From: .mx01.net yes These aren't really like the ones in PF, place something like From: *@*.mx01.net yes From: *@mx01.net yes > Thinking that would match. I'm still seeing messages from them that > are going through scoring and not just getting stopped at the > blacklist. Are you sure you are reacting on the correct information? Nothing spoofable/spoofed? Envelope information is what it needs be;) > I didn't want to block by IP range in case they move. > > Would this be better moved to a postfix block instead of where I'm > [attempting] to do it? Might be a good idea, saves even more. > I know this comes back to strategy and there's more than one way to > accomplish this. > Oh yes:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From am.lists at gmail.com Mon Mar 5 15:50:20 2007 
From: am.lists at gmail.com (am.lists) Date: Mon Mar 5 14:56:13 2007 Subject: spam.blacklist.rules Syntax question In-Reply-To: <223f97700703050643v529a356x461636a43706ee52@mail.gmail.com> References: <25a66d840703050531w75f07214rdad0fe9497fbbe1d@mail.gmail.com> <223f97700703050643v529a356x461636a43706ee52@mail.gmail.com> Message-ID: <25a66d840703050650u22e3020fof151a96c76f6a075@mail.gmail.com> On 3/5/07, Glenn Steen wrote: > On 05/03/07, am.lists wrote: > > I'm seeing a boatload of spam coming from a particular set of domains. > > They're pretty slick, but I'm catching them with scoring. I'd just > > like to not have to score it every time if I already know they're junk > > coming in. > If you get several similar, the SA result cache should take care of this. > > > Since I know they're very-well-known and aren't ever likely to send > > anything legit, I'd like to block their entire domain. > > > > Let's say their domain is "m01.net" -- and their MTA IP is 1.2.3.4 > > with a reverse lookup of something.mx01.net. > > > > In my spam.blacklist.rules, I added: > > > > From: .m01.net yes > These aren't really like the ones in PF, place something like > From: *@*.m01.net yes 
> From: *@m01.net yes > Thanks for the clarification. > > Thinking that would match. I'm still seeing messages from them that > > are going through scoring and not just getting stopped at the > > blacklist. > Are you sure you are reacting on the correct information? Nothing > spoofable/spoofed? > Envelope information is what it needs be;) Yes. I verified the reverse lookup. I went to the www version of their domain name and it only has a generic unsubscribe page. > > I didn't want to block by IP range in case they move. > > > > Would this be better moved to a postfix block instead of where I'm > > [attempting] to do it? > Might be a good idea, saves even more. The only downside is I don't get the instrumentation of how effective my blocking is if I do it there, right? Thanks.. Angelo (PS: I modified the urls/domains listed because they are getting this thread flagged.) From Q.G.Campbell at newcastle.ac.uk Mon Mar 5 16:05:25 2007 From: Q.G.Campbell at newcastle.ac.uk (Quentin Campbell) Date: Mon Mar 5 15:11:23 2007 Subject: dealing with dictionary attacks In-Reply-To: <45EBE85C.90507@fractalweb.com> References: <45EBE85C.90507@fractalweb.com> Message-ID: <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> >-----Original Message----- 
>From: mailscanner-bounces@lists.mailscanner.info >[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >Of Chris Yuzik >Sent: 05 March 2007 09:52 >To: MailScanner discussion >Subject: dealing with dictionary attacks > [snip] >Is there a trustworthy milter that will say, for example, "15 >bad email addresses to our server within an hour and bang...the sender is >blacklisted for say 36 hours"? > Chris There are a number of MailScanner + Sendmail sites that also use various milters from Snert Soft - see http://www.snert.com/Software/software.html and click on the "Sendmail Milters" page. Quentin --- PHONE: +44 191 222 8209 Information Systems and Services (ISS), Newcastle University, Newcastle upon Tyne, FAX: +44 191 222 8765 United Kingdom, NE1 7RU. ------------------------------------------------------------------ From glenn.steen at gmail.com Mon Mar 5 16:11:12 2007 
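Added example (not code from the thread or from any of the milters or policy daemons named in it): the policy Chris describes, 15 bad recipients within an hour leading to a 36-hour block, written as a sliding-window tracker. The class, the `exempt` list for trusted forwarders and the sample events are assumptions; in production the events would come from the MTA's unknown-recipient rejections.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class BadRcptTracker:
    """Block a client after `limit` rejected recipients inside `window`."""

    def __init__(self, limit=15, window=timedelta(hours=1),
                 penalty=timedelta(hours=36), exempt=()):
        self.limit, self.window, self.penalty = limit, window, penalty
        self.exempt = set(exempt)        # assumed: known forwarders / backup MX
        self.hits = defaultdict(deque)   # ip -> timestamps of recent bad RCPTs
        self.blocked_until = {}          # ip -> end of the penalty period

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            return True
        self.blocked_until.pop(ip, None)  # penalty served, forget it
        return False

    def record_bad_rcpt(self, ip, now):
        """Register one unknown-recipient rejection; True if ip is now blocked."""
        if ip in self.exempt:
            return False
        if self.is_blocked(ip, now):
            return True
        q = self.hits[ip]
        q.append(now)
        while now - q[0] >= self.window:  # slide the window forward
            q.popleft()
        if len(q) >= self.limit:
            self.blocked_until[ip] = now + self.penalty
            del self.hits[ip]
            return True
        return False


def replay(events, tracker):
    """Feed (timestamp, ip) events in time order; return {ip: time first blocked}."""
    first_block = {}
    for ts, ip in sorted(events):
        if tracker.record_bad_rcpt(ip, ts) and ip not in first_block:
            first_block[ip] = ts
    return first_block


# Constructed events using documentation addresses, not real traffic.
T0 = datetime(2007, 3, 5, 9, 0, 0)
SAMPLE_EVENTS = (
    # a sloppy but legitimate sender: 15 typos spread over 61 minutes
    [(T0 + timedelta(minutes=4 * i), "192.0.2.10") for i in range(14)]
    + [(T0 + timedelta(minutes=61), "192.0.2.10")]
    # a dictionary run: 40 guesses, one every 10 seconds
    + [(T0 + timedelta(seconds=10 * i), "203.0.113.66") for i in range(40)]
)

if __name__ == "__main__":
    tracker = BadRcptTracker()
    for ip, when in replay(SAMPLE_EVENTS, tracker).items():
        print(f"{ip} blocked at {when}, until {tracker.blocked_until[ip]}")
```

The slow sender never has 15 rejections inside any one-hour window, so only the burst is blocked; the block lapses by itself once the 36 hours are over.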
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Mar 5 15:17:04 2007 Subject: clamav update advice In-Reply-To: <45EC2B78.8040607@USherbrooke.ca> References: <31e7748d0703050528l3ced3f70t5f3102b057472f60@mail.gmail.com> <45EC2B78.8040607@USherbrooke.ca> Message-ID: <223f97700703050711k65932ca9q415301481690db06@mail.gmail.com> On 05/03/07, Denis Beauchemin wrote: > Rodney Green wrote: > > Hello, > > I'm looking at upgrading ClamAV to version 0.90.1; I'm currently > > running version 0.88.4 which was installed using Julian's install > > package. > > The instructions for 0.90.1 says that I have to uninstall the previous > > version. I've attempted to run "make uninstall" from the source > > directory for 0.88.4, but I'm getting a "No rule to make target > > 'uninstall'" error. How can I uninstall the previous version? Any > > advice is welcome. :-) > > > > Thanks, > > Rod > Rodney, > > I didn't uninstall anything and it works just fine on RHEL4. > > Denis Same here for Mandriva -06/-07. I'm not sure if this is a new addition to the advice, it might've been there for ages, but I suspect it has to do with them bumping up version number for libclamav ... But since you'd need relink/recompile anything depending on this anyway (specifically Mail::ClamAV, I guess) I suppose we really don't _need_ remove anything. Freshclam takes care of changing over from daily.cvd to daily.inc ... To do an "uninstall" you'd need determine what the source package installed by Jules package actually installed. Easiest is usually to do a make -n install and try to decipher what it'd actually try copy where... and then use that info to remove it:-). Usually all you need remove is rm -rf /usr/local/bin/*clam* /usr/local/share/clamav /usr/local/lib/*clam* ... at least with Jules easy-install-package (might be some man-pages that should be cleaned out too:). 
-- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Denis.Beauchemin at USherbrooke.ca Mon Mar 5 16:11:51 2007 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Mon Mar 5 15:17:54 2007 Subject: Building a log gathering agent In-Reply-To: References: Message-ID: <45EC3337.7010905@USherbrooke.ca> Hugo van der Kooij wrote: > Hi, > > I am attempting to build a more concise overview of infections based > on MailScanner logs. > > The first stage is to write an agent to gather the logs. I wrote one > that can understand ClamAV, F-Prot and McAfee output as far as I could > test it on my logs. > > If you are willing to assist me I would appreciate it if you can get > the perl script from: > http://hugo.vanderkooij.org/email/stats/maillog-virus.pl > > You need the following perl modules: > File::Basename; > Getopt::Std; > Parse::Syslog; > Time::Local; > (Centos users should be able to get all of them through `yum install` > commands. But I will not document it at this time.) > > Please run it against 1 of your logfiles and store the output. If you > get anything other than an overview of the number of hits on scanners I > would very appreciate it if you could send me the output file along > with a filtered output of your logfile by email so I can anticipate > other scanners and other detection strings. > > For example: > ./maillog-virus.pl -l /var/log/maillog.1 > /tmp/hvdkooij-output > grep "Viruses marked as silent" > /tmp/hvdkooij-syslog > tar -tzf /tmp/hvdkooij.tar.gz /tmp/hvdkooij-output /tmp/hvdkooij-syslog > > If you use your own initials instead of mine I can keep the separated > more easily. > > I will try to update the script based on your feedback the upcoming week. > > Thanks, > Hugo. > Hi Hugo, It's awfully slow on my 471,455 lines maillog: 3m36.936s; I have a similar script that goes through the same file in 0m0.196s! Besides it doesn't seem to know about "ClamAV Module:" nor "Bitdefender:" (but you didn't mention this one as supported). Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. 
^ ^ T: 819.821.8000x62252 F: 819.821.8045 From glenn.steen at gmail.com Mon Mar 5 16:17:27 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Mar 5 15:23:20 2007 Subject: spam.blacklist.rules Syntax question In-Reply-To: <25a66d840703050650u22e3020fof151a96c76f6a075@mail.gmail.com> References: <25a66d840703050531w75f07214rdad0fe9497fbbe1d@mail.gmail.com> <223f97700703050643v529a356x461636a43706ee52@mail.gmail.com> <25a66d840703050650u22e3020fof151a96c76f6a075@mail.gmail.com> Message-ID: <223f97700703050717r70f4e0cdt16d9dd80ff3b03ed@mail.gmail.com> On 05/03/07, am.lists wrote: (snip) > > > Would this be better moved to a postfix block instead of where I'm > > > [attempting] to do it? > > Might be a good idea, saves even more. > > The only downside is I don't get the instrumentation of how effective > my blocking is if I do it there, right? > Quite true. Blocking later in the processing will give you more information to work with... The question you should perhaps ask yourself is "is it worth it";-). Blacklisting in MailScanner isn't that expensive, unless the blocked/blacklisted messages are relatively huge. Your system, your call:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Mon Mar 5 16:19:47 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Mar 5 15:25:40 2007 Subject: spam.blacklist.rules Syntax question In-Reply-To: <223f97700703050717r70f4e0cdt16d9dd80ff3b03ed@mail.gmail.com> References: <25a66d840703050531w75f07214rdad0fe9497fbbe1d@mail.gmail.com> <223f97700703050643v529a356x461636a43706ee52@mail.gmail.com> <25a66d840703050650u22e3020fof151a96c76f6a075@mail.gmail.com> <223f97700703050717r70f4e0cdt16d9dd80ff3b03ed@mail.gmail.com> Message-ID: <223f97700703050719ub9ff4b8i49deeb2dc2563165@mail.gmail.com> On 05/03/07, Glenn Steen wrote: > On 05/03/07, am.lists wrote: > (snip) > > > > Would this be better moved to a postfix block instead of where I'm > > > > [attempting] to do it? > > > Might be a good idea, saves even more. > > > > The only downside is I don't get the instrumentation of how effective > > my blocking is if I do it there, right? > > > Quite true. Blocking later in the processing will give you more > information to work with... The question you should perhaps ask > yourself is "is it worth it";-). But (unless my memory fails me completely ... I cannot use things like this due to laws/policy... Don't ask) you should still get a fairly informative log entry to the effect that it had been dropped... Unless you use FW rules to do the blocking:) -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From am.lists at gmail.com Mon Mar 5 17:22:41 2007 
From: am.lists at gmail.com (am.lists) Date: Mon Mar 5 16:28:35 2007 Subject: dealing with dictionary attacks In-Reply-To: <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> Message-ID: <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> So does anyone have any advice re: postgrey vs policyd? Policyd seems more inclusive but postgrey still seems effective in my setup. I read the info on the policyd site and it seems "thin" -- and so that scares me a bit. The examples given were in the form of SQL Insert queries. I don't fancy managing my server by sending commands at the mysql> prompt all day. I would like to set up some sort of rate limiting / DoS throttling, and policyd seems capable, but is the management really as archaic as it looks? Angelo From dhawal at netmagicsolutions.com Mon Mar 5 17:42:11 2007 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Mon Mar 5 16:48:22 2007 Subject: dealing with dictionary attacks In-Reply-To: <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> Message-ID: <45EC4863.5070702@netmagicsolutions.com> am.lists wrote: > So does anyone have any advice re: postgrey vs policyd? This question truly belongs to the postfix list.. > Policyd seems more inclusive but postgrey still seems effective in my > setup. postgrey will simply greylist (and/or selectively greylist), policyd can do much more.. > I read the info on the policyd site and it seems "thin" -- and so that > scares me a bit. The examples given were in the form of SQL Insert > queries. I don't fancy managing my server by sending commands at the > mysql> prompt all day. If you want to build a front-end to all the whitelisting and other things, a SQL backend makes it simpler.. also see sqlgrey and sgwi (http://www.vanheusden.com/sgwi/) > I would like to set up some sort of rate limiting / DoS throttling, > and policyd seems capable, but is the management really as archaic as > it looks? no it is not.. but you'd really get better answers on the policyd list OR the postfix list.. i could go on about various other policy servers that do a similar job (apolicy, ppolicyd etc.) but not in this list. From TGFurnish at herffjones.com Mon Mar 5 17:44:38 2007 From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Mon Mar 5 16:50:33 2007 Subject: message is spam because it was sent from mailscanner... In-Reply-To: <45E8AC94.9080409@evi-inc.com> Message-ID: <57573D714A832C43B9D80EAFBDA48D0302BAC961@inex3.herffjones.hj-int> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Matt Kettler > Sent: Friday, March 02, 2007 6:01 PM > To: MailScanner discussion > Subject: Re: message is spam because it was sent from mailscanner... > > > Matt Kettler wrote: > > Perhaps you should update your SA rules. > > > > The current set of rules from sa-update has had INFO_TLD removed.. > > > > For further reference, this appears to have happened > somewhere between update > 487253 published 12/15/2006, and 488380, published 12/19/2006. > > Note that even though SpamAssassin 3.1.8 was published after > this change, it still contains more-or-less the original > 3.1.0 ruleset, with only the more serious bugfixes in it. Hmmm. Thanks for the info. My last rules update was just the rules, updated using sa-update, on February 13th. That was also my *first* use of sa-update -- had been doing full SA rip-out-and-replace upgrades before then -- so I perhaps I missed something. :-( Here are my versions: [root@relay2 sysadm]# spamassassin --version SpamAssassin version 3.1.3 running on Perl version 5.8.0 [root@relay2 sysadm]# sa-update --version sa-update version svn408695 running on Perl version 5.8.0 I'll run another sa-update and then go looking for INFO_TLD. I needed to get in and find X_IP today regardless -- had a few ham hitting that and I'm not finding much info on why the presence of an X-IP header merits such a high score contribution. From am.lists at gmail.com Mon Mar 5 17:47:08 2007 
From: am.lists at gmail.com (am.lists) Date: Mon Mar 5 16:53:00 2007 Subject: dealing with dictionary attacks In-Reply-To: <45EC4863.5070702@netmagicsolutions.com> References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> Message-ID: <25a66d840703050847t714a1612l1fdf502eabeeff15@mail.gmail.com> On 3/5/07, Dhawal Doshy wrote: > no it is not.. but you'd really get better answers on the policyd list > OR the postfix list.. i could go on about various other policy servers > that do a similar job (apolicy, ppolicyd etc.) but not in this list. Thanks Dhawal. I'll ask over there instead. Thanks for the other tips as well. Best, Angelo From cparker at swatgear.com Mon Mar 5 17:58:45 2007 From: cparker at swatgear.com (Chris W. Parker) Date: Mon Mar 5 17:04:38 2007 Subject: Julian Field in hospital Message-ID: <97FD54B5E57A1842AA1A4B232E47611775FF1E@ati-ex-02.ati.local> On Monday, February 26, 2007 8:37 AM Tim Chown <> said: > I work with Jules at the University of Southampton and sadly we have > to report that he was admitted to hospital on Friday having been > found collapsed at home. > > He's currently in a critical condition in hospital, but is stable. Get well soon Julian. From hvdkooij at vanderkooij.org Mon Mar 5 18:04:17 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Mar 5 17:10:17 2007 Subject: spam.blacklist.rules Syntax question In-Reply-To: <223f97700703050719ub9ff4b8i49deeb2dc2563165@mail.gmail.com> References: <25a66d840703050531w75f07214rdad0fe9497fbbe1d@mail.gmail.com> <223f97700703050643v529a356x461636a43706ee52@mail.gmail.com> <25a66d840703050650u22e3020fof151a96c76f6a075@mail.gmail.com> <223f97700703050717r70f4e0cdt16d9dd80ff3b03ed@mail.gmail.com> <223f97700703050719ub9ff4b8i49deeb2dc2563165@mail.gmail.com> Message-ID: On Mon, 5 Mar 2007, Glenn Steen wrote: > On 05/03/07, Glenn Steen wrote: >> On 05/03/07, am.lists wrote: >> (snip) >> > > > Would this be better moved to a postfix block instead of where I'm >> > > > [attempting] to do it? >> > > Might be a good idea, saves even more. >> > >> > The only downside is I don't get the instrumentation of how effective >> > my blocking is if I do it there, right? >> > >> Quite true. Blocking later in the processing will give you more >> information to work with... The question you should perhaps ask >> yourself is "is it worth it";-). > But (unless my memory fails me completely ... I cannot use things like > this due to laws/policy... Don't ask) you should still get a fairly > informative log entry to the effect that it had been dropped... Unless > you use FW rules to do the blocking:) I do delay the postfix blocking actions until I have: - foreign IP - helo - sender - recipient That will give enough information in the log like: Mar 5 17:59:53 faramir postfix/smtpd[24556]: NOQUEUE: reject: RCPT from g207070.upc-g.chello.nl[80.57.207.70]: 554 : Client host rejected: Dynamic (Cable, Dialup or DSL) network access denied; Use a smarthost instead (http://en.wikipedia.org/wiki/Smart_host); from= to= proto=ESMTP helo= For postfix you need in main.conf: # Delay reject until we know enough smtpd_delay_reject = yes Hugo. 
-- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From hvdkooij at vanderkooij.org Mon Mar 5 18:33:49 2007 
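Added example (not from the thread, and not Postfix or MailScanner code): a tally of Postfix `NOQUEUE: reject` entries like the one Hugo quotes, which recovers the blocking statistics Angelo expected to lose by moving the block to the MTA. The sample lines are constructed; the angle-bracketed values the archive stripped from the quoted entry are filled with made-up hosts and addresses.

```python
import re
from collections import Counter

# Constructed sample shaped like the reject entry quoted above; hosts and
# addresses are made up (documentation ranges), this is not real traffic.
SAMPLE_LOG = """\
Mar  5 17:59:51 mx1 postfix/smtpd[24556]: connect from dyn-70.example.net[192.0.2.70]
Mar  5 17:59:53 mx1 postfix/smtpd[24556]: NOQUEUE: reject: RCPT from dyn-70.example.net[192.0.2.70]: 554 <dyn-70.example.net[192.0.2.70]>: Client host rejected: Dynamic network access denied; Use a smarthost instead (http://en.wikipedia.org/wiki/Smart_host); from=<ann@example.org> to=<bob@example.com> proto=ESMTP helo=<dyn-70.example.net>
Mar  5 18:01:10 mx1 postfix/smtpd[24561]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.1.1 <nosuchuser@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<nosuchuser@example.com> proto=SMTP helo=<mail.example.org>
Mar  5 18:02:44 mx1 postfix/smtpd[24570]: NOQUEUE: reject: RCPT from dyn-70.example.net[192.0.2.70]: 554 <dyn-70.example.net[192.0.2.70]>: Client host rejected: Dynamic network access denied; Use a smarthost instead (http://en.wikipedia.org/wiki/Smart_host); from=<ann@example.org> to=<carol@example.com> proto=ESMTP helo=<dyn-70.example.net>
Mar  5 18:05:02 mx1 postfix/smtpd[24588]: NOQUEUE: reject: RCPT from host5.example.org[203.0.113.5]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<x@example.org> to=<carol@example.com> proto=SMTP helo=<localhost>
"""

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>[A-Z]+) from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>[45]\d\d) (?:(?P<dsn>[45]\.\d+\.\d+) )?"
    # Greedy on purpose: the reply text can itself contain ';' and ':' (see the
    # smarthost URL), so the envelope fields are anchored on the LAST '; from=<'.
    r"(?P<text>.*); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=(?P<proto>\S+)(?: helo=<(?P<helo>[^>]*)>)?\s*$"
)
# "<subject>: Client host rejected: detail" -> "Client host rejected"
REASON_RE = re.compile(r"^(?:<[^>]*>: )?(?P<cls>[^:;]+)")


def parse_reject(line):
    """Return a dict for a NOQUEUE reject line, or None for any other line."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    reason = REASON_RE.match(rec["text"])
    rec["reason"] = reason.group("cls").strip() if reason else "unknown"
    return rec


def summarize(lines):
    """Count rejects per restriction class and per client IP."""
    by_reason, by_client = Counter(), Counter()
    for rec in filter(None, map(parse_reject, lines)):
        by_reason[rec["reason"]] += 1
        by_client[rec["ip"]] += 1
    return by_reason, by_client


if __name__ == "__main__":
    reasons, clients = summarize(SAMPLE_LOG.splitlines())
    for reason, count in reasons.most_common():
        print(f"{count:4d}  {reason}")
    for ip, count in clients.most_common(3):
        print(f"{count:4d}  {ip}")
```

The sender, recipient and HELO fields are only present on every reject line because `smtpd_delay_reject = yes` holds the rejection until the RCPT stage, which is the setting Hugo gives.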
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Mar 5 17:39:50 2007 Subject: Building a log gathering agent In-Reply-To: <45EC3337.7010905@USherbrooke.ca> References: <45EC3337.7010905@USherbrooke.ca> Message-ID: On Mon, 5 Mar 2007, Denis Beauchemin wrote: > Hugo van der Kooij wrote: >> Hi, >> >> I am attempting to build a more concise overview of infections based on >> MailScanner logs. >> >> The first stage is to write an agent to gather the logs. I wrote one that >> can understand ClamAV, F-Prot and McAfee output as far as I could test it >> on my logs. >> >> If you are willing to assist me I would appreciate it if you can get the >> perl script from: http://hugo.vanderkooij.org/email/stats/maillog-virus.pl >> >> You need the following perl modules: >> File::Basename; >> Getopt::Std; >> Parse::Syslog; >> Time::Local; >> (Centos users should be able to get all of them through `yum install` >> commands. But I will not document it at this time.) >> >> Please run it against 1 of your logfiles and store the output. If you get >> anything other than an overview of the number of hits on scanners I would >> very appreciate it if you could send me the output file along with a >> filtered output of your logfile by email so I can anticipate other >> scanners and other detection strings. >> >> For example: >> ./maillog-virus.pl -l /var/log/maillog.1 > /tmp/hvdkooij-output >> grep "Viruses marked as silent" > /tmp/hvdkooij-syslog >> tar -tzf /tmp/hvdkooij.tar.gz /tmp/hvdkooij-output /tmp/hvdkooij-syslog >> >> If you use your own initials instead of mine I can keep the separated more >> easily. >> >> I will try to update the script based on your feedback the upcoming week. > > It's awfully slow on my 471,455 lines maillog: 3m36.936s; I have a similar > script that goes through the same file in 0m0.196s! If you prefilter the file with grep it probably is a bit faster. I suspect it is the added syslog parser that is the main killer. 
At present I don't need it to gather the details to learn to parse all those scanners. But later on I want to use the timestamps to build the accuracy into the system. And I don't trust myself (yet) to write a good timestamp parser. > Besides it doesn't seem to know about "ClamAV Module:" nor "Bitdefender:" > (but you didn't mention this one as supported). If you are willing to share a log file you could gzip it and send it off to me. Preferably after the grep shown above. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From fssilva at gmail.com Mon Mar 5 21:44:45 2007 From: fssilva at gmail.com (Fabio Silva) Date: Mon Mar 5 20:50:39 2007 Subject: Problem! Release Message! Message-ID: Hi all, I'm receiving some files attached on mails, files called like this "tst~02.doc" and the mailscanner put this message in quarantine, and if I try to release this message to the user, the message is blocked again.. what can I do to solve it? to release this message??? Regards, -- Fabio S. Silva From hvdkooij at vanderkooij.org Mon Mar 5 21:49:19 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Mar 5 20:55:17 2007 Subject: Building a log gathering agent In-Reply-To: References: <45EC3337.7010905@USherbrooke.ca> Message-ID: On Mon, 5 Mar 2007, Hugo van der Kooij wrote: > On Mon, 5 Mar 2007, Denis Beauchemin wrote: > >> It's awfully slow on my 471,455 lines maillog: 3m36.936s; I have a >> similar script that goes through the same file in 0m0.196s! > > If you prefilter the file with grep it probably is a bit faster. I suspect it > is the added syslog parser that is the main killer. At present I don't need > it to gather the details to learn to parse all those scanners. But later on I > want to use the timestamps to build the accuracy into the system. And I don't > trust myself (yet) to write a good timestamp parser. > >> Besides it doesn't seem to know about "ClamAV Module:" nor "Bitdefender:" >> (but you didn't mention this one as supported). > > If you are willing to share a log file you could gzip it and send it off to > me. Preferably after the grep shown above. There is a new version out which now handles ClamAV module, BitDefender and McAfee in the French version as well. I also dropped the syslog module for now. So it flies instead of crawling. Get it at http://hugo.vanderkooij.org/email/scans/maillog-virus.pl If you got any scanner active not yet listed or doubt it will work for you give this new one a shot. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From hvdkooij at vanderkooij.org Mon Mar 5 21:55:17 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Mar 5 21:01:14 2007 Subject: Problem! Release Message! In-Reply-To: References: Message-ID: On Mon, 5 Mar 2007, Fabio Silva wrote: > Hi all, I'm receiving some files attached on mails, files called like > this "tst~02.doc" and the mailscanner put this message in quarantine, > and if I try to release this message to the user, the message is > blocked again.. > what can I do to solve it? to release this message??? Sounds like a well documented case: http://mailwatch.sourceforge.net/doku.php?id=mailwatch:faq Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From Denis.Beauchemin at USherbrooke.ca Mon Mar 5 22:01:24 2007 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Mon Mar 5 21:07:57 2007 Subject: Building a log gathering agent In-Reply-To: References: <45EC3337.7010905@USherbrooke.ca> Message-ID: <45EC8524.7020106@USherbrooke.ca> Hugo van der Kooij wrote: > On Mon, 5 Mar 2007, Hugo van der Kooij wrote: > > > There is a new version out which now handles ClamAV module, > BitDefender and McAfee in the French version as well. > > I also dropped the syslog module for now. So it flies instead of > crawling. > > Get it at http://hugo.vanderkooij.org/email/scans/maillog-virus.pl > > If you got any scanner active not yet listed or doubt it will work for > you give this new one a shot. > > Hugo. > Hugo, The right URL is: http://hugo.vanderkooij.org/email/stats/maillog-virus.pl The French version of McAfee messages is probably only running at USherbrooke.ca... ;) Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From Denis.Beauchemin at USherbrooke.ca Mon Mar 5 22:12:05 2007 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Mon Mar 5 21:18:08 2007 Subject: Building a log gathering agent In-Reply-To: <45EC8524.7020106@USherbrooke.ca> References: <45EC3337.7010905@USherbrooke.ca> <45EC8524.7020106@USherbrooke.ca> Message-ID: <45EC87A5.40602@USherbrooke.ca> Denis Beauchemin wrote: > Hugo van der Kooij wrote: >> On Mon, 5 Mar 2007, Hugo van der Kooij wrote: >> >> >> There is a new version out which now handles ClamAV module, >> BitDefender and McAfee in the French version as well. >> >> I also dropped the syslog module for now. So it flies instead of >> crawling. >> >> Get it at http://hugo.vanderkooij.org/email/scans/maillog-virus.pl >> >> If you got any scanner active not yet listed or doubt it will work >> for you give this new one a shot. >> >> Hugo. >> > Hugo, > > The right URL is: > http://hugo.vanderkooij.org/email/stats/maillog-virus.pl > > The French version of McAfee messages is probably only running at > USherbrooke.ca... ;) > > Denis > After testing the new version I find it much more interesting! I had the following misinterpreted line: McAfee: /l255g8Ct024133/msg-16689-948.txt/Update-KB7187-x86.zip/UPDATE-KB7187-X86.EXE Found trojan or variant New Malware.n:1 I would also like to be able to call it without the "-l logfile" arguments, such as for: zcat /var/log/old/maillog.20070301.gz | ./maillog-virus.pl or zcat /var/log/old/maillog.20070301.gz | ./maillog-virus.pl -l - but the script just won't let me. Thanks! Denis PS: replying to myself... yes I am thinking about switching to Postfix! ;-) -- _ °v° Denis Beauchemin, analyst /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 
From hvdkooij at vanderkooij.org Mon Mar 5 23:22:54 2007 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Mar 5 22:28:54 2007 Subject: Building a log gathering agent In-Reply-To: <45EC87A5.40602@USherbrooke.ca> References: <45EC3337.7010905@USherbrooke.ca> <45EC8524.7020106@USherbrooke.ca> <45EC87A5.40602@USherbrooke.ca> Message-ID: On Mon, 5 Mar 2007, Denis Beauchemin wrote: > After testing the new version I find it much more interesting! > > I had the following misinterpreted line: > McAfee: > /l255g8Ct024133/msg-16689-948.txt/Update-KB7187-x86.zip/UPDATE-KB7187-X86.EXE > Found trojan or variant New Malware.n:1 > > I would also like to be able to call it without the "-l logfile" arguments, > such as for: > zcat /var/log/old/maillog.20070301.gz | ./maillog-virus.pl > or > zcat /var/log/old/maillog.20070301.gz | ./maillog-virus.pl -l - > but the script just won't let me. It does now accept - as filedescriptor if you fetch a new version or apply this major patch: --- maillog-virus.pl-20070305 2007-03-05 21:32:20.000000000 +0100 +++ maillog-virus.pl 2007-03-05 23:16:46.000000000 +0100 @@ -13,7 +13,7 @@ getopt('l'); if ($opt_l) { $syslogfile = $opt_l; - if (!(-r $syslogfile)) { + if (!(-r $syslogfile) && $syslogfile != "-") { print "\n\tError:\tThe syslog file $syslogfile is not readable!\n\n"; exit; } Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From jjohanns at sewanee.edu Mon Mar 5 23:33:38 2007 
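Review bot: In the changed condition of the maillog-virus.pl hunk, `$syslogfile != "-"` compares strings with Perl's numeric operator `!=`. Both "-" and an ordinary path such as /var/log/maillog evaluate to 0 in numeric context, so the comparison is false for nearly every filename and the "is not readable" error no longer fires when the named log file is missing or unreadable. Use the string operator instead: `if (!(-r $syslogfile) && $syslogfile ne "-") {`. The hunk only relaxes the readability check; whether "-" is then actually read from standard input depends on how the script later opens $syslogfile, which is not visible in these lines.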
From: jjohanns at sewanee.edu (Johannes Johannsson) Date: Mon Mar 5 22:40:24 2007 Subject: Julian Field in hospital In-Reply-To: <20070226163637.GC29278@login.ecs.soton.ac.uk> Message-ID: <013301c75f76$51cda600$941e6198@jjoh2> Best wishes to Julian for a speedy recovery from Sewanee Tennessee. Joi Johannsson > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From tomc at bostonpost.com Tue Mar 6 03:24:41 2007 
From: tomc at bostonpost.com (Thomas A. Cameron) Date: Tue Mar 6 02:31:04 2007 Subject: Skipping users Message-ID: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> I'm not completely sure what the terminology is for what I'm trying to do or what layer would be best to do it on, so I'm mailing the list. I'll start out by saying I'm extremely pleased with MailScanner. The entire suite works extremely well, and in the short time I've been using it I have already seen better results than from any other package I have ever experienced with other packages. Having said all of that, I have a user that believes he doesn't need SPAM protection. He believes he can handle the problem better than any tool. If I had a way to do it, I wouldn't block connections with an RBL either, just to show him what he's in for. But, that's not something I really want to get into. My question is this. How can I tell MailScanner to blindly accept any email destined for several addresses? Would I be better off doing this on the postfix level with a header check that tests positive on every address except his few? I use the SQL whitelist function of MailWatch, so I can't whitelist wildcards for his address. Is it possible to chain rule files & modules for the "is definitely not spam" option? Any suggestions would REALLY be appreciated. This is such a backward idea, I'm not even sure what I would call it. -- Thomas Cameron Phone: 1.603.669.8551 tomc@bostonpost.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From chandler.lists at chapman.edu Tue Mar 6 03:50:29 2007 
From: chandler.lists at chapman.edu (Jay Chandler) Date: Tue Mar 6 02:56:26 2007 Subject: Skipping users In-Reply-To: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> Message-ID: <45ECD6F5.3010306@chapman.edu> Thomas A. Cameron wrote: > I'm not completely sure what the terminology is for what I'm trying to do or what layer would be best to do it on, so I'm mailing the list. > > I'll start out by saying I'm extremely pleased with MailScanner. The entire suite works extremely well, and in the short time I've been using it I have already seen better results than from any other package I have ever experienced with other packages. > > Having said all of that, I have a user that believes he doesn't need SPAM protection. He believes he can handle the problem better than any tool. If I had a way to do it, I wouldn't block connections with an RBL either, just to show him what he's in for. But, that's not something I really want to get into. > > My question is this. How can I tell MailScanner to blindly accept any email destined for several addresses? Would I be better off doing this on the postfix level with a header check that tests positive on every address except his few? I use the SQL whitelist function of MailWatch, so I can't whitelist wildcards for his address. Is it possible to chain rule files & modules for the "is definitely not spam" option? > > Any suggestions would REALLY be appreciated. This is such a backward idea, I'm not even sure what I would call it. > > -- > Thomas Cameron > Phone: 1.603.669.8551 > tomc@bostonpost.com > > > I do this right now for abuse@ here. Simple enough to set up, just put it in spam.whitelist.rules. I'd also do it within your MTA because I'm twisted like that... --Jay From tomc at bostonpost.com Tue Mar 6 04:15:03 2007 
From: tomc at bostonpost.com (Thomas A. Cameron) Date: Tue Mar 6 03:23:15 2007 Subject: Skipping users References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> <45ECD6F5.3010306@chapman.edu> Message-ID: <4DEBDDAFBB23C04BA17EFE3914442113014A9936@exchange.bostonpost.com> Yeah, but by specifying &SQLWhitelist instead of spam.whitelist.rules, I'm not sure I can do that. If I can specify both &SQLWhitelist and spam.whitelist.rules at the same time, then no problem. Is that possible? -- Thomas Cameron Phone: 1.603.669.8551 tomc@bostonpost.com From hvdkooij at vanderkooij.org Tue Mar 6 07:56:29 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Tue Mar 6 07:02:29 2007 Subject: Skipping users In-Reply-To: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> Message-ID: On Mon, 5 Mar 2007, Thomas A. Cameron wrote: > I'm not completely sure what the terminology is for what I'm trying to > do or what layer would be best to do it on, so I'm mailing the list. > > I'll start out by saying I'm extremely pleased with MailScanner. The > entire suite works extremely well, and in the short time I've been > using it I have already seen better results than from any other package > I have ever experienced with other packages. > > Having said all of that, I have a user that believes he doesn't need > SPAM protection. He believes he can handle the problem better than any > tool. If I had a way to do it, I wouldn't block connections with an RBL > either, just to show him what he's in for. But, that's not something I > really want to get into. > My question is this. How can I tell MailScanner to blindly accept any > email destined for several addresses? Would I be better off doing this > on the postfix level with a header check that tests positive on every > address except his few? I use the SQL whitelist function of MailWatch, > so I can't whitelist wildcards for his address. Is it possible to chain > rule files & modules for the "is definitely not spam" option? > Any suggestions would REALLY be appreciated. This is such a backward > idea, I'm not even sure what I would call it. Well if they want all the spam they want. Let them have it. 1. Put some hidden links with a mailto: to their email address online. 2. Exclude every check for that user by white listing them in postfix. 3. Exclude them in your MailScanner with a rule in spam.whitelist.rules like: To: haasje@vanderkooij.org yes I use it for a few addresses but for another reason. (Some addresses are used as bait to educate my bayesian filtering manually.) But if they want it. Let them have it and let them pay for the additional resources like bandwidth and such. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From tgc at statsbiblioteket.dk Tue Mar 6 09:09:13 2007 
From: tgc at statsbiblioteket.dk (Tom G. Christensen) Date: Tue Mar 6 08:15:10 2007 Subject: Building a log gathering agent In-Reply-To: References: Message-ID: <45ED21A9.2060501@statsbiblioteket.dk> Hugo van der Kooij wrote: > Hi, > > I am attempting to build a more concise overview of infections based on > MailScanner logs. > > The first stage is to write an agent to gather the logs. I wrote one > that can understand ClamAV, F-Prot and McAfee output as far as I could > test it on my logs. > > If you are willing to assist me I would appreciate it if you can get the > perl script from: http://hugo.vanderkooij.org/email/stats/maillog-virus.pl > > You need the following perl modules: > File::Basename; > Getopt::Std; > Parse::Syslog; > Time::Local; > (Centos users should be able to get all of them through `yum install` > commands. But I will not document it at this time.) > > Please run it against 1 of your logfiles and store the output. If you > get anything other than an overview of the number of hits on scanners I > would very much appreciate it if you could send me the output file along with > a filtered output of your logfile by email so I can anticipate other > scanners and other detection strings. > > For example: > ./maillog-virus.pl -l /var/log/maillog.1 > /tmp/hvdkooij-output > grep "Viruses marked as silent" > /tmp/hvdkooij-syslog > tar -tzf /tmp/hvdkooij.tar.gz /tmp/hvdkooij-output /tmp/hvdkooij-syslog > > If you use your own initials instead of mine I can keep them separated > more easily. > > I will try to update the script based on your feedback the upcoming week. > I just grabbed the script and ran it on the maillog from my primary MX. I use ClamAV and Etrust for antivirus and the script fails miserably. The output just starts off with lines like this: msg-9239-45.txt contains Email.Img.Gen018.Sanesecurity.06122000 .. 
and ends like this: Scanner hits: Virus hits: : 1226 --- Pretty useless :) Unfortunately I cannot share my logs with you but if there's some specific type of logline you'd like to see I can grab and sanitize a few examples for you. I've also attached the script I use locally to generate some stats. The script is based on something I picked up from this list in 2002 when MailScanner 3.x was current and I've then updated it to work with 4.x and extended it to other stuff I have in my logs (like smf-sav). -tgc -------------- next part -------------- A non-text attachment was scrubbed... Name: mailscannerstatsv4x.pl Type: application/x-perl Size: 7051 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070306/412ba06e/mailscannerstatsv4x.bin From glenn.steen at gmail.com Tue Mar 6 09:51:33 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Mar 6 08:57:30 2007 Subject: Skipping users In-Reply-To: <4DEBDDAFBB23C04BA17EFE3914442113014A9936@exchange.bostonpost.com> References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> <45ECD6F5.3010306@chapman.edu> <4DEBDDAFBB23C04BA17EFE3914442113014A9936@exchange.bostonpost.com> Message-ID: <223f97700703060051s3ff2d49er1a6517958070515e@mail.gmail.com> On 06/03/07, Thomas A. Cameron wrote: > Yeah, but by specifying &SQLWhitelist instead of spam.whitelist.rules, I'm not sure I can do that. If I can specify both &SQLWhitelist and spam.whitelist.rules at the same time, then no problem. Is that possible? > And why wouldn't a specific entry (put there by you, the admin) in the Lists page have the effect you want? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From nats at sscrmnl.edu.ph Tue Mar 6 12:34:13 2007 
From: nats at sscrmnl.edu.ph (Jose Nathaniel Nengasca) Date: Tue Mar 6 11:40:40 2007 Subject: Julian Field in hospital In-Reply-To: <013301c75f76$51cda600$941e6198@jjoh2> Message-ID: <001e01c75fe3$5df487b0$ed7aa7cb@NATS> Best Wishes to Julian! We all hope on behalf of San Sebastian College - Recoletos and the entire Philippines as well, that you gonna have a speedy recovery. Forget momentarily about mailscanner, it's your health which is more important. God Speed! Jose Nathaniel G. Nengasca From tomc at bostonpost.com Tue Mar 6 13:16:54 2007 
From: tomc at bostonpost.com (Thomas A. Cameron) Date: Tue Mar 6 12:25:37 2007 Subject: Skipping users References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com><45ECD6F5.3010306@chapman.edu><4DEBDDAFBB23C04BA17EFE3914442113014A9936@exchange.bostonpost.com> <223f97700703060051s3ff2d49er1a6517958070515e@mail.gmail.com> Message-ID: <4DEBDDAFBB23C04BA17EFE3914442113014A9937@exchange.bostonpost.com> When I tried white-listing the destination address, it told me I had to provide a source address. That was the first thing I tried. -- Thomas Cameron Phone: 1.603.669.8551 tomc@bostonpost.com From glenn.steen at gmail.com Tue Mar 6 13:31:07 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Mar 6 12:37:04 2007 Subject: Skipping users In-Reply-To: <4DEBDDAFBB23C04BA17EFE3914442113014A9937@exchange.bostonpost.com> References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> <45ECD6F5.3010306@chapman.edu> <4DEBDDAFBB23C04BA17EFE3914442113014A9936@exchange.bostonpost.com> <223f97700703060051s3ff2d49er1a6517958070515e@mail.gmail.com> <4DEBDDAFBB23C04BA17EFE3914442113014A9937@exchange.bostonpost.com> Message-ID: <223f97700703060431i543a791bm7973b2948cf12f26@mail.gmail.com> On 06/03/07, Thomas A. Cameron wrote: > When I tried white-listing the destination address, it told me I had to provide a source address. That was the first thing I tried. > And if you set that as "default"? ISTR that this should be interpreted as "the any address":-). Look at http://mailwatch.sourceforge.net/doku.php?id=mailwatch:faq#can_i_use_wildcards_when_using_the_blacklist_whitelist_sqlblackwhitelist ... seem I recalled right:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From tenderby at mailwash.com.au Tue Mar 6 13:30:52 2007 From: tenderby at mailwash.com.au (Tony Enderby) Date: Tue Mar 6 12:37:07 2007 Subject: Animated image spam Message-ID: <45ED5EFC.2020804@mailwash.com.au> Just started receiving some of these today, anyone else seeing this type of thing? http://www.mailwash.com.au/tools/viewpart.gif Tony. ----------------------------------------------------------------------------------- Scanned by MailWash Australia - http://www.mailwash.com.au ----------------------------------------------------------------------------------- From gerard at seibercom.net Tue Mar 6 13:47:45 2007 
From: gerard at seibercom.net (Gerard Seibert) Date: Tue Mar 6 12:53:47 2007 Subject: Animated image spam In-Reply-To: <45ED5EFC.2020804@mailwash.com.au> References: <45ED5EFC.2020804@mailwash.com.au> Message-ID: <20070306074745.1baa4fae@localhost> On Tue, 06 Mar 2007 23:30:52 +1100 Tony Enderby wrote: > Just started receiving some of these today, anyone else seeing this > type of thing? > > http://www.mailwash.com.au/tools/viewpart.gif Only the first few frames are animated. I didn't waste my time getting the exact properties regarding the image. To the best of my knowledge, I have not gotten any lately, but then again I don't waste my time studying them. -- Gerard Suspicion always haunts the guilty mind. William Shakespeare From andoni.auzmendi at robertwalters.com Tue Mar 6 14:02:43 2007 From: andoni.auzmendi at robertwalters.com (Andoni Auzmendi) Date: Tue Mar 6 13:09:09 2007 Subject: Julian Field in hospital Message-ID: <5450254EC7E7B54193C8AEFD904AA363950D35@PAT.internal.robertwalters.com> Jules, All my best wishes and have a prompt recovery. I hope all your health issues get sorted out for the long term too. Andoni ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com ********************************************************************** From tjc at ecs.soton.ac.uk Tue Mar 6 12:00:20 2007 
From: tjc at ecs.soton.ac.uk (Tim Chown) Date: Tue Mar 6 13:50:27 2007 Subject: Good news on Julian Field, and get well cards welcome Message-ID: <20070306110020.GG1829@login.ecs.soton.ac.uk> Hi all, Hopefully not tempting fate by saying there's good news on Julian. Just had a call from his dad at the hospital and he reports that Jules is coming round from under the sedation. They've been lowering the dose over the last three days during which he's had no relapses, and this morning Jules woke slightly and managed to give a thumbs up sign. I saw Jules yesterday afternoon and he was back to a very normal colour, was moving his head and had 'REM'-like eye movement, so was looking then like he was close to coming round. It will clearly be quite a while before Jules is in any position to use a laptop, but the last three days have gone really well, and we'll just need to be patient now as the gently gently recovery continues. His parents are very keen for people to send cards now (please, no flowers!) and we'll handle these through his work address, so, please, feel free to send your 'get well' cards to: Julian Field School of Electronics and Computer Science University of Southampton Highfield Southampton SO17 1BJ United Kingdom I'm sure his parents would also be very proud to see a good response; if you've all used Jules' code it doesn't take much by way of thanks to get a card in the post :) Also, every message here was printed out and every one was read to him while he was under. We hope he'll be looking through them in person soon! -- Tim From tomc at bostonpost.com Tue Mar 6 14:54:35 2007 
From: tomc at bostonpost.com (Thomas A. Cameron) Date: Tue Mar 6 14:00:59 2007 Subject: Skipping users In-Reply-To: <223f97700703060051s3ff2d49er1a6517958070515e@mail.gmail.com> References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> <45ECD6F5.3010306@chapman.edu> <4DEBDDAFBB23C04BA17EFE3914442113014A9936@exchange.bostonpost.com> <223f97700703060051s3ff2d49er1a6517958070515e@mail.gmail.com> Message-ID: <1173189275.30674.0.camel@tomc-ubuntu.bostonpost.com> Thank you. Obviously I was having a dense moment. I searched for whitelist help on the site, but that page did not come up. Where's an SEO when you need one?? :-) Thanks again! Tom On Tue, 2007-03-06 at 09:51 +0100, Glenn Steen wrote: > On 06/03/07, Thomas A. Cameron wrote: > > Yeah, but by specifying &SQLWhitelist instead of spam.whitelist.rules, I'm not sure I can do that. If I can specify both &SQLWhitelist and spam.whitelist.rules at the same time, then no problem. Is that possible? > > > And why wouldn't a specific entry (put there by you, the admin) in the > Lists page have the effect you want? > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se -- Tom Cameron E. tomc@bostonpost.com P. (603) 669-8551 x.6932 C. (603) 315-9262 F. (603) 669-0085 From glenn.steen at gmail.com Tue Mar 6 14:57:28 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Mar 6 14:03:26 2007 Subject: Good news on Julian Field, and get well cards welcome In-Reply-To: <20070306110020.GG1829@login.ecs.soton.ac.uk> References: <20070306110020.GG1829@login.ecs.soton.ac.uk> Message-ID: <223f97700703060557x4dd66c57q25e3ce086cee8eff@mail.gmail.com> On 06/03/07, Tim Chown wrote: > Hi all, > > Hopefully not tempting fate by saying there's good news on Julian. Just > had a call from his dad at the hospital and he reports that Jules is > coming round from under the sedation. They've been lowering the dose > over the last three days during which he's had no relapses, and this > morning Jules woke slightly and managed to give a thumbs up sign. > > I saw Jules yesterday afternoon and he was back to a very normal colour, > was moving his head and had 'REM'-like eye movement, so was looking then > like he was close to coming round. > > It will clearly be quite a while before Jules is in any position to > use a laptop, but the last three days have gone really well, and we'll > just need to be patient now as the gently gently recovery continues. > > His parents are very keen for people to send cards now (please, no flowers!) > and we'll handle these through his work address, so, please, feel free > to send your 'get well' cards to: > > Julian Field > School of Electronics and Computer Science > University of Southampton > Highfield > Southampton SO17 1BJ > United Kingdom > > I'm sure his parents would also be very proud to see a good response; if > you've all used Jules' code it doesn't take much by way of thanks to get > a card in the post :) > > Also, every message here was printed out and every one was read to him while > he was under. We hope he'll be looking through them in person soon! > Tim, Thank you for this encouraging news! You are truly a prince among humans, with the service you provided us, as well as Jules. A postcard will hit the snailmail ASAP! 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From dave.list at pixelhammer.com Tue Mar 6 15:17:44 2007 
From: dave.list at pixelhammer.com (DAve) Date: Tue Mar 6 14:23:50 2007 Subject: Good news on Julian Field, and get well cards welcome In-Reply-To: <20070306110020.GG1829@login.ecs.soton.ac.uk> References: <20070306110020.GG1829@login.ecs.soton.ac.uk> Message-ID: <45ED7808.1010407@pixelhammer.com> Tim Chown wrote: > Hi all, Thank you Tim, your time spent to keep us updated was very very much appreciated. > > Hopefully not tempting fate by saying there's good news on Julian. Just > had a call from his dad at the hospital and he reports that Jules is > coming round from under the sedation. They've been lowering the dose > over the last three days during which he's had no relapses, and this > morning Jules woke slightly and managed to give a thumbs up sign. > > I saw Jules yesterday afternoon and he was back to a very normal colour, > was moving his head and had 'REM'-like eye movement, so was looking then > like he was close to coming round. > > It will clearly be quite a while before Jules is in any position to > use a laptop, but the last three days have gone really well, and we'll > just need to be patient now as the gently gently recovery continues. > > His parents are very keen for people to send cards now (please, no flowers!) > and we'll handle these through his work address, so, please, feel free > to send your 'get well' cards to: > > Julian Field > School of Electronics and Computer Science > University of Southampton > Highfield > Southampton SO17 1BJ > United Kingdom It will be my personal mission to get one out today. DAve > > I'm sure his parents would also be very proud to see a good response; if > you've all used Jules' code it doesn't take much by way of thanks to get > a card in the post :) > > Also, every message here was printed out and every one was read to him while > he was under. We hope he'll be looking through them in person soon! > -- Three years now I've asked Google why they don't have a logo change for Memorial Day. 
Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From Denis.Beauchemin at USherbrooke.ca Tue Mar 6 15:49:31 2007 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Tue Mar 6 14:55:46 2007 Subject: Good news on Julian Field, and get well cards welcome In-Reply-To: <20070306110020.GG1829@login.ecs.soton.ac.uk> References: <20070306110020.GG1829@login.ecs.soton.ac.uk> Message-ID: <45ED7F7B.3030502@USherbrooke.ca> Tim Chown a ?crit : > Hi all, > > Hopefully not tempting fate by saying there's good news on Julian. Just > had a call from his dad at the hospital and he reports that Jules is > coming round from under the sedation. They've been lowering the dose > over the last three days during which he's had no relapses, and this > morning Jules woke slightly and managed to give a thumbs up sign. > > I saw Jules yesterday afternoon and he was back to a very normal colour, > was moving his head and had 'REM'-like eye movement, so was looking then > like he was close to coming round. > > It will clearly be quite a while before Jules is in any position to > use a laptop, but the last three days have gone really well, and we'll > just need to be patient now as the gently gently recovery continues. > > His parents are very keen for people to send cards now (please, no flowers!) > and we'll handle these through his work address, so, please, feel free > to send your 'get well' cards to: > > Julian Field > School of Electronics and Computer Science > University of Southampton > Highfield > Southampton SO17 1BJ > United Kingdom > > I'm sure his parents would also be very proud to see a good response; if > you've all used Jules' code it doesn't take much by way of thanks to get > a card in the post :) > > Also, every message here was printed out and every one was read to him while > he was under. We hope he'll be looking through them in person soon! > > Thanks Tim! I just sent my postcard. Best wishes to you, Julian and his family. Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. 
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From uxbod at splatnix.net Tue Mar 6 16:25:06 2007
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Mar 6 15:31:12 2007
Subject: Good news on Julian Field, and get well cards welcome
In-Reply-To: <20070306110020.GG1829@login.ecs.soton.ac.uk>
References: <20070306110020.GG1829@login.ecs.soton.ac.uk>
Message-ID: <20070306152506.58b396e4@uxbod.splatnix.net>

On Tue, 6 Mar 2007 11:00:20 +0000 Tim Chown wrote:

> Hi all,
>
> Hopefully not tempting fate by saying there's good news on Julian. Just
> had a call from his dad at the hospital and he reports that Jules is
> coming round from under the sedation. They've been lowering the dose
> over the last three days during which he's had no relapses, and this
> morning Jules woke slightly and managed to give a thumbs up sign.
>
> I saw Jules yesterday afternoon and he was back to a very normal colour,
> was moving his head and had 'REM'-like eye movement, so was looking then
> like he was close to coming round.
>
> It will clearly be quite a while before Jules is in any position to
> use a laptop, but the last three days have gone really well, and we'll
> just need to be patient now as the gently gently recovery continues.
>
> His parents are very keen for people to send cards now (please, no flowers!)
> and we'll handle these through his work address, so, please, feel free
> to send your 'get well' cards to:
>
> Julian Field
> School of Electronics and Computer Science
> University of Southampton
> Highfield
> Southampton SO17 1BJ
> United Kingdom
>
> I'm sure his parents would also be very proud to see a good response; if
> you've all used Jules' code it doesn't take much by way of thanks to get
> a card in the post :)
>
> Also, every message here was printed out and every one was read to him while
> he was under. We hope he'll be looking through them in person soon!
>
Hi Tim,

I second, third, fourth and fifth the previous comments and thank you for keeping us posted.
This is very encouraging news, and I wish Julian a very speedy recovery, and best wishes to his parents who must be going through a difficult time.

Card will be despatched tomorrow.

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// SIP:uxbod@sip.splatnix.net
// Phone:+44 845 869 2749

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ssilva at sgvwater.com Tue Mar 6 17:20:38 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Mar 6 16:27:05 2007
Subject: Skipping users
In-Reply-To:
References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com>
Message-ID:

Hugo van der Kooij spake the following on 3/5/2007 10:56 PM:
> On Mon, 5 Mar 2007, Thomas A. Cameron wrote:
>
>> I'm not completely sure what the terminology is for what I'm trying to
>> do or what layer would be best to do it on, so I'm mailing the list.
>>
>> I'll start out by saying I'm extremely pleased with MailScanner. The
>> entire suite works extremely well, and in the short time I've been
>> using it I have already seen better results than from any other
>> package I have ever experienced with other packages.
>>
>> Having said all of that, I have a user that believes he doesn't need
>> SPAM protection. He believes he can handle the problem better than any
>> tool. If I had a way to do it, I wouldn't block connections with an
>> RBL either, just to show him what he's in for. But, that's not
>> something I really want to get into.
>
>> My question is this. How can I tell MailScanner to blindly accept any
>> email destined for several addresses? Would I be better off doing this
>> on the postfix level with a header check that tests positive on every
>> address except his few? I use the SQL whitelist function of MailWatch,
>> so I can't whitelist wildcards for his address. Is it possible to
>> chain rule files & modules for the "is definitely not spam" option?
>
>> Any suggestions would REALLY be appreciated. This is such a backward
>> idea, I'm not even sure what I would call it.
>
> Well if they want all the spam they want. Let them have it.
>
> 1. Put some hidden links with a mailto: to their email address on line.
> 2. Exclude every check for that user by white listing them in postfix.
> 3. Exclude them in your MailScanner with a rule in
>    spam.whitelist.rules like:
>
>    To: haasje@vanderkooij.org yes
>
> I use it for a few addresses but for another reason.
> (Some addresses are
> used as bait to educate my bayesian filtering manually.)
>
> But if they want it. Let them have it and let them pay for the
> additional resources like bandwidth and such.
>
> Hugo.
>
You forgot one;
high scoring spam action = delete forward lame-user@mydomain.com

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From bpumphrey at woodmclaw.com Tue Mar 6 17:46:20 2007
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Tue Mar 6 16:52:28 2007
Subject: Good news on Julian Field, and get well cards welcome
In-Reply-To: <20070306110020.GG1829@login.ecs.soton.ac.uk>
Message-ID: <04D932B0071FE34FA63EBB1977B48D15024FBC41@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tim Chown
> Sent: Tuesday, March 06, 2007 6:00 AM
> To: MailScanner discussion
> Subject: Good news on Julian Field, and get well cards welcome
>
> Hi all,
>
> Hopefully not tempting fate by saying there's good news on Julian. Just
> had a call from his dad at the hospital and he reports that Jules is
> coming round from under the sedation. They've been lowering the dose
> over the last three days during which he's had no relapses, and this
> morning Jules woke slightly and managed to give a thumbs up sign.
>
> I saw Jules yesterday afternoon and he was back to a very normal colour,
> was moving his head and had 'REM'-like eye movement, so was looking then
> like he was close to coming round.
>
> It will clearly be quite a while before Jules is in any position to
> use a laptop, but the last three days have gone really well, and we'll
> just need to be patient now as the gently gently recovery continues.
>
> His parents are very keen for people to send cards now (please, no
> flowers!)
> and we'll handle these through his work address, so, please, feel free
> to send your 'get well' cards to:
>
> Julian Field
> School of Electronics and Computer Science
> University of Southampton
> Highfield
> Southampton SO17 1BJ
> United Kingdom
>
> I'm sure his parents would also be very proud to see a good response; if
> you've all used Jules' code it doesn't take much by way of thanks to get
> a card in the post :)
>
> Also, every message here was printed out and every one was read to him
> while
> he was under. We hope he'll be looking through them in person soon!
>
> --
> Tim
> --

That is awesome news! I am glad to hear that these posts were printed and read to him and I hoped that they brought a smile to his face.
From james at gray.net.au Tue Mar 6 18:07:57 2007 
From: james at gray.net.au (James Gray)
Date: Tue Mar 6 17:14:08 2007
Subject: Good news on Julian Field, and get well cards welcome
In-Reply-To: <20070306110020.GG1829@login.ecs.soton.ac.uk>
References: <20070306110020.GG1829@login.ecs.soton.ac.uk>
Message-ID:

On 06/03/2007, at 10:00 PM, Tim Chown wrote:

> Hopefully not tempting fate by saying there's good news on Julian.
> Just
> had a call from his dad at the hospital and he reports that Jules is
> coming round from under the sedation. They've been lowering the
> dose
> over the last three days during which he's had no relapses, and this
> morning Jules woke slightly and managed to give a thumbs up sign.

This is excellent news! Let's all hope and pray his recovery continues and he is back to health full strength as soon as possible. Not so he can necessarily get back to cutting code, but because Julian is such a top bloke he deserves to feel well.

It's 4am (the life of an admin *sigh*) and I had to check the list to see if there was news about Jules - this has made tonight's system barf all worth it! It also puts into perspective how late-night pages really aren't so bad, compared to Julian's situation. Ah, perspective.

> His parents are very keen for people to send cards now (please, no
> flowers!)
> and we'll handle these through his work address, so, please, feel free
> to send your 'get well' cards to:
>
> Julian Field
> School of Electronics and Computer Science
> University of Southampton
> Highfield
> Southampton SO17 1BJ
> United Kingdom

The news agent on the walk between the train station and the office will be raided and a card sent within a few hours :)

> I'm sure his parents would also be very proud to see a good
> response; if
> you've all used Jules' code it doesn't take much by way of thanks
> to get
> a card in the post :)

His parents may get the shock of their life too - I wonder what sort of "card-alanche" is considered "hazardous" to a person's health??
> Also, every message here was printed out and every one was read to
> him while
> he was under. We hope he'll be looking through them in person soon!

That is extremely comforting to know. Despite being spread all over the globe, it's nice to think we (this list) may have had some part in making his recovery a little less painful or lonely.

Thanks for all the updates Tim. Please pass on my warmest wishes to both Jules and his family.

--
James

From chandler.lists at chapman.edu Tue Mar 6 19:48:25 2007
From: chandler.lists at chapman.edu (Jay Chandler)
Date: Tue Mar 6 18:54:26 2007
Subject: Good news on Julian Field, and get well cards welcome
In-Reply-To: <20070306110020.GG1829@login.ecs.soton.ac.uk>
References: <20070306110020.GG1829@login.ecs.soton.ac.uk>
Message-ID: <45EDB779.40707@chapman.edu>

Tim Chown wrote:
> Also, every message here was printed out and every one was read to him while
> he was under.
>
"Dear List,

I'm having some trouble whitelisting certain user accounts..."

I'm sure he regrets waking up. ;-)

Best wishes to him, I'll get a card out shortly.

--Jay

From ssilva at sgvwater.com Tue Mar 6 20:14:36 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Mar 6 19:21:05 2007
Subject: Good news on Julian Field, and get well cards welcome
In-Reply-To: <45EDB779.40707@chapman.edu>
References: <20070306110020.GG1829@login.ecs.soton.ac.uk> <45EDB779.40707@chapman.edu>
Message-ID:

Jay Chandler spake the following on 3/6/2007 10:48 AM:
> Tim Chown wrote:
>> Also, every message here was printed out and every one was read to him
>> while he was under.
> "Dear List,
>
> I'm having some trouble whitelisting certain user accounts..."
>
> I'm sure he regrets waking up. ;-)
>
> Best wishes to him, I'll get a card out shortly.
>
> --Jay
>
There are plenty of people to help keep the current stable version going while he gets as much rest and relaxation as he needs to get better. And several people have been patching his clam-sa tarball to keep it current while he recuperates!

Here is to the day we hear from Julian as he sips on a nice Merlot while relaxing at home!

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From Denis.Beauchemin at USherbrooke.ca Tue Mar 6 20:33:04 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Tue Mar 6 19:39:17 2007
Subject: Good news on Julian Field, and get well cards welcome
In-Reply-To:
References: <20070306110020.GG1829@login.ecs.soton.ac.uk> <45EDB779.40707@chapman.edu>
Message-ID: <45EDC1F0.3070705@USherbrooke.ca>

Scott Silva wrote:
> Jay Chandler spake the following on 3/6/2007 10:48 AM:
>
> Here is to the day we hear from Julian as he sips on a nice Merlot while
> relaxing at home!
>
>
IIRC Julian prefers Chablis... ;-)

Denis
--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From dnsadmin at 1bigthink.com Tue Mar 6 20:42:35 2007
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com)
Date: Tue Mar 6 19:48:46 2007
Subject: Good news on Julian Field, and get well cards welcome
In-Reply-To:
References: <20070306110020.GG1829@login.ecs.soton.ac.uk> <45EDB779.40707@chapman.edu>
Message-ID: <200703061942.l26Jgogb000679@mxt.1bigthink.com>

At 02:14 PM 3/6/2007, you wrote:
>Jay Chandler spake the following on 3/6/2007 10:48 AM:
> > Tim Chown wrote:
> >> Also, every message here was printed out and every one was read to him
> >> while he was under.
> > "Dear List,
> >
> > I'm having some trouble whitelisting certain user accounts..."
> >
> > I'm sure he regrets waking up. ;-)
> >
> > Best wishes to him, I'll get a card out shortly.
> >
> > --Jay
> >
>There are plenty of people to help keep the current stable version going while
>he gets as much rest and relaxation as he needs to get better. And several
>people have been patching his clam-sa tarball to keep it current while he
>recuperates!
>
>Here is to the day we hear from Julian as he sips on a nice Merlot while
>relaxing at home!

Here! Here!

From steinkel at pa.net Tue Mar 6 20:45:33 2007
From: steinkel at pa.net (Leland J. Steinke)
Date: Tue Mar 6 19:51:43 2007
Subject: MSRBL-Images and Incredimail
Message-ID: <45EDC4DD.8090805@pa.net>

OK, I thought I knew what to do when the MSRBL-Images clamav signature file started blocking Incredimail messages. I added "MSRBL-Images/0-OeW" to the "Non-Forging Viruses" line in MailScanner.conf. If that it worked, I wouldn't be sending this message...

We have a combination of Fedora and CentOS boxes, all running MS 4.56.8 and ClamAV 0.88.7, with a download-check every other hour from http://download.mirror.msrbl.com/MSRBL-Images.hdb. Other relevant MailScanner.conf entries include:

> Silent Viruses = HTML-IFrame All-Viruses
> Still Deliver Silent Viruses = no
> Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ MSRBL-Images/0-OeW

Am I missing anything blatantly obvious?

Thanks,

Leland

From ssilva at sgvwater.com Tue Mar 6 20:52:19 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Mar 6 19:58:37 2007
Subject: MSRBL-Images and Incredimail
In-Reply-To: <45EDC4DD.8090805@pa.net>
References: <45EDC4DD.8090805@pa.net>
Message-ID:

Leland J. Steinke spake the following on 3/6/2007 11:45 AM:
> OK, I thought I knew what to do when the MSRBL-Images clamav signature
> file started blocking Incredimail messages. I added
> "MSRBL-Images/0-OeW" to the "Non-Forging Viruses" line in
> MailScanner.conf. If that it worked, I wouldn't be sending this message...
>
> We have a combination of Fedora and CentOS boxes, all running MS 4.56.8
> and ClamAV 0.88.7, with a download-check every other hour from
> http://download.mirror.msrbl.com/MSRBL-Images.hdb. Other relevant
> MailScanner.conf entries include:
>
>> Silent Viruses = HTML-IFrame All-Viruses
>> Still Deliver Silent Viruses = no
>> Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ MSRBL-Images/0-OeW
>
> Am I missing anything blatantly obvious?
>
Other than incredimail is evil adware.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From steinkel at pa.net Tue Mar 6 20:55:31 2007
From: steinkel at pa.net (Leland J. Steinke)
Date: Tue Mar 6 20:02:12 2007
Subject: MSRBL-Images and Incredimail
In-Reply-To: <45EDC4DD.8090805@pa.net>
References: <45EDC4DD.8090805@pa.net>
Message-ID: <45EDC733.2010409@pa.net>

Leland J. Steinke wrote:
>
> Am I missing anything blatantly obvious?
>
Just after I sent this message, I saw my test message in my inbox. So what I am missing is "patience".

Sorry for the false alarm.

Leland

From ssilva at sgvwater.com Tue Mar 6 21:05:20 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Mar 6 20:16:04 2007
Subject: MSRBL-Images and Incredimail
In-Reply-To: <45EDC733.2010409@pa.net>
References: <45EDC4DD.8090805@pa.net> <45EDC733.2010409@pa.net>
Message-ID:

Leland J. Steinke spake the following on 3/6/2007 11:55 AM:
> Leland J. Steinke wrote:
>>
>> Am I missing anything blatantly obvious?
>>
> Just after I sent this message, I saw my test message in my inbox. So
> what I am missing is "patience".
>
> Sorry for the false alarm.
>
>
> Leland
Patience isn't in the default install for any linux distro. ;-P
It has many hard to resolve dependencies.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From steinkel at pa.net Tue Mar 6 21:12:13 2007
From: steinkel at pa.net (Leland J. Steinke)
Date: Tue Mar 6 20:18:24 2007
Subject: MSRBL-Images and Incredimail
In-Reply-To:
References: <45EDC4DD.8090805@pa.net>
Message-ID: <45EDCB1D.8090203@pa.net>

Scott Silva wrote:
>
> Other than incredimail is evil adware.
>
I can neither confirm nor deny that statement (in a public forum). ;-)

Leland

From res at ausics.net Tue Mar 6 22:08:44 2007
From: res at ausics.net (Res)
Date: Tue Mar 6 21:15:36 2007
Subject: Good news on Julian Field, and get well cards welcome
In-Reply-To: <20070306110020.GG1829@login.ecs.soton.ac.uk>
References: <20070306110020.GG1829@login.ecs.soton.ac.uk>
Message-ID:

On Tue, 6 Mar 2007, Tim Chown wrote:

> Hi all,
>
> Hopefully not tempting fate by saying there's good news on Julian. Just
> had a call from his dad at the hospital and he reports that Jules is
> coming round from under the sedation. They've been lowering the dose
> over the last three days during which he's had no relapses, and this
> morning Jules woke slightly and managed to give a thumbs up sign.

Tim, thanks for the update, this is excellent news!

--
Cheers
Res

"If I lay here, If I just lay here, would you lay with with me and just forget the world?"

From dstraka at caspercollege.edu Tue Mar 6 22:58:51 2007
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Tue Mar 6 22:05:15 2007
Subject: Best way to allow attachments with it5 extension through
Message-ID: <45ED81AC.61A4.0000.0@caspercollege.edu>

I've scoured the MailScanner list archives for an answer and have come up with several answers.
I'm looking for a quick and easy solution to allow attached files with the extension .it5 through.
Right now they're being returned with the following message:

---------------------------
Subject: Warning: E-mail viruses detected

Our e-mail content detector has just been triggered by a message you sent:

One or more of the attachments (land.it5) are on
the list of unacceptable attachments for this site and will not have
been delivered.

Consider renaming the files to avoid this constraint.

The virus detector said this about the message:
Report: Report: MailScanner: No programs allowed (land.it5)

--
MailScanner
Email Virus Scanner
Casper College
www.caspercollege.edu
MailScanner thanks transtec Computers for their support
-----------------------------------

Dan Straka
Systems Coordinator
Casper College
307.268.2399

--
This message has been scanned for viruses and
dangerous content by MailScanner at caspercollege.edu
and is believed to be clean.

From hvdkooij at vanderkooij.org Tue Mar 6 22:59:30 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Mar 6 22:05:38 2007
Subject: Building a log gathering agent
In-Reply-To: <45ED21A9.2060501@statsbiblioteket.dk>
References: <45ED21A9.2060501@statsbiblioteket.dk>
Message-ID:

On Tue, 6 Mar 2007, Tom G. Christensen wrote:

> Hugo van der Kooij wrote:
>> grep "Viruses marked as silent" > /tmp/hvdkooij-syslog
>>
> I just grabbed the script and ran it on the maillog from my primary MX.
> I use ClamAV and Etrust for antivirus and the script fails miserably.
>
> The output just starts of with lines like this:
> msg-9239-45.txt contains Email.Img.Gen018.Sanesecurity.06122000
> ..
> and ends like this:
> Scanner hits:
>
> Virus hits:
> : 1226
> ---
>
> Pretty useless :)
>
> Unfortunately I cannot share my logs with you but if there's some specific
> type of logline you'd like to see I can grab and sanitize a few examples for
> you.

I doubt if there is anything exciting left after you perform the grep as indicated. It only contains filenames.

And a (bit of) sample log would do wonders as it will show me what needs to be parsed.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From hvdkooij at vanderkooij.org Tue Mar 6 23:14:45 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Mar 6 22:20:48 2007
Subject: Best way to allow attachments with it5 extension through
In-Reply-To: <45ED81AC.61A4.0000.0@caspercollege.edu>
References: <45ED81AC.61A4.0000.0@caspercollege.edu>
Message-ID:

On Tue, 6 Mar 2007, Daniel Straka wrote:

> I've scoured the MailScanner list archives for an answer and have come up with several answers.
> I'm looking for a quick and easy solution to allow attached files with the extension .it5 through.
> Right now they're being returned with the following message:
>
> ---------------------------
> Subject: Warning: E-mail viruses detected
>
> Our e-mail content detector has just been triggered by a message you sent:
>
> One or more of the attachments (land.it5) are on
> the list of unacceptable attachments for this site and will not have
> been delivered.

How about editing the list? (filename.rules.conf)

In there you find:
deny \.its$ Dangerous Internet Document Set (according to Microsoft) Dangerous attachment according to Microsoft Q883260

That is. That is what it looked like straight out of the box.

I think you will find a similar rule for your extension.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From res at ausics.net Tue Mar 6 23:23:56 2007
From: res at ausics.net (Res)
Date: Tue Mar 6 22:30:47 2007
Subject: Best way to allow attachments with it5 extension through
In-Reply-To: <45ED81AC.61A4.0000.0@caspercollege.edu>
References: <45ED81AC.61A4.0000.0@caspercollege.edu>
Message-ID:

On Tue, 6 Mar 2007, Daniel Straka wrote:

> I've scoured the MailScanner list archives for an answer and have come up with several answers.
> I'm looking for a quick and easy solution to allow attached files with the extension .it5 through.
> Right now they're being returned with the following message:
>
> ---------------------------
> Subject: Warning: E-mail viruses detected
>
> Our e-mail content detector has just been triggered by a message you sent:
>
> One or more of the attachments (land.it5) are on
> the list of unacceptable attachments for this site and will not have
> been delivered.
>
> Consider renaming the files to avoid this constraint.
>
> The virus detector said this about the message:
> Report: Report: MailScanner: No programs allowed (land.it5)

If Hugo's advice fails, get a copy of this file (by ftp if need be) then run:

file land.it5

and then change the filetype.rules.conf to accommodate.

It sounds like you may have to allow exe in filetype, and then control the allows in filename.rules.conf, it might be enough to allow in filetype without changing filename, often you need to 'allow' in filetype but you can still deny 'exe' in filename.

--
Cheers
Res

"If I lay here, If I just lay here, would you lay with with me and just forget the world?"

From dstraka at caspercollege.edu Tue Mar 6 23:52:32 2007
From: dstraka at caspercollege.edu (Daniel Straka)
Date: Tue Mar 6 22:58:53 2007
Subject: Best way to allow attachments with it5 extension through
In-Reply-To:
References: <45ED81AC.61A4.0000.0@caspercollege.edu>
Message-ID: <45ED8E41.61A4.0000.0@caspercollege.edu>

--

Dan Straka
Systems Coordinator
Casper College
307.268.2399

>>> On 3/6/2007 at 3:14 PM, in message , Hugo van der Kooij wrote:
> On Tue, 6 Mar 2007, Daniel Straka wrote:
>
>> I've scoured the MailScanner list archives for an answer and have come up
> with several answers.
>> I'm looking for a quick and easy solution to allow attached files with the
> extension .it5 through.
>> Right now they're being returned with the following message:
>>
>> ---------------------------
>> Subject: Warning: E-mail viruses detected
>>
>> Our e-mail content detector has just been triggered by a message you sent:
>>
>> One or more of the attachments (land.it5) are on
>> the list of unacceptable attachments for this site and will not have
>> been delivered.
>
> How about editing the list? (filename.rules.conf)
>
> In there you find:
> deny \.its$ Dangerous Internet Document Set (according to
> Microsoft) Dangerous attachment according to Microsoft Q883260
>
> That is. That is what it looked like straight out of the box.
>
> I think you will find a similar rule for your extension.
>
> Hugo.

Thanks Hugo, but
This is a data file for a mapping program and its extension is it5(five) not s. It's not in the default configuration of the (filename.rules.conf) file.
When it's run against the "File" program it's determined to be an executable, so even if I "allowed" it in (filename.rules.conf) I don't think MailScanner will allow it.

From nats at sscrmnl.edu.ph Wed Mar 7 01:12:01 2007
From: nats at sscrmnl.edu.ph (Jose Nathaniel Nengasca)
Date: Wed Mar 7 00:18:27 2007
Subject: Good news on Julian Field, and get well cards welcome
In-Reply-To:
Message-ID: <007001c7604d$3ae6eff0$ed7aa7cb@NATS>

This is great news! The best news that I have read far from the newspapers today. Get well soon Julian.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Res
Sent: Wednesday, March 07, 2007 5:09 AM
To: MailScanner discussion
Subject: Re: Good news on Julian Field, and get well cards welcome

On Tue, 6 Mar 2007, Tim Chown wrote:

> Hi all,
>
> Hopefully not tempting fate by saying there's good news on Julian.
> Just had a call from his dad at the hospital and he reports that Jules is
> coming round from under the sedation. They've been lowering the dose
> over the last three days during which he's had no relapses, and this
> morning Jules woke slightly and managed to give a thumbs up sign.

Tim, thanks for the update, this is excellent news!

--
Cheers
Res

"If I lay here, If I just lay here, would you lay with with me and just forget the world?"

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!

From philippe at beau.nom.fr Wed Mar 7 06:59:27 2007
From: philippe at beau.nom.fr (Philippe BEAU)
Date: Wed Mar 7 06:05:30 2007
Subject: Julian address ?
Message-ID: <45EE54BF.3080801@beau.nom.fr>

Here all,

Can anyone give me Julian's postal address to send him a postcard ?

Best regards & best wishes to Julian

Philippe,

From craig at csfs.co.za Wed Mar 7 07:38:14 2007
From: craig at csfs.co.za (Craig Retief)
Date: Wed Mar 7 06:44:27 2007
Subject: Julian address ?
In-Reply-To: <45EE54BF.3080801@beau.nom.fr>
References: <45EE54BF.3080801@beau.nom.fr>
Message-ID:

Here you go:

Julian Field
School of Electronics and Computer Science
University of Southampton
Highfield
Southampton SO17 1BJ
United Kingdom

-----------------------------------------------------------------------
Here all,

Can anyone give me Julian's postal address to send him a postcard ?

Best regards & best wishes to Julian

Philippe,

From glenn.steen at gmail.com Wed Mar 7 10:38:51 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Mar 7 09:44:52 2007
Subject: Skipping users
In-Reply-To:
References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com>
Message-ID: <223f97700703070138jfbe8494q28757071ae40f893@mail.gmail.com>

On 06/03/07, Scott Silva wrote:
> Hugo van der Kooij spake the following on 3/5/2007 10:56 PM:
> > On Mon, 5 Mar 2007, Thomas A. Cameron wrote:
> >
> >> I'm not completely sure what the terminology is for what I'm trying to
> >> do or what layer would be best to do it on, so I'm mailing the list.
> >>
> >> I'll start out by saying I'm extremely pleased with MailScanner. The
> >> entire suite works extremely well, and in the short time I've been
> >> using it I have already seen better results than from any other
> >> package I have ever experienced with other packages.
> >>
> >> Having said all of that, I have a user that believes he doesn't need
> >> SPAM protection. He believes he can handle the problem better than any
> >> tool. If I had a way to do it, I wouldn't block connections with an
> >> RBL either, just to show him what he's in for. But, that's not
> >> something I really want to get into.
> >
> >> My question is this. How can I tell MailScanner to blindly accept any
> >> email destined for several addresses? Would I be better off doing this
> >> on the postfix level with a header check that tests positive on every
> >> address except his few? I use the SQL whitelist function of MailWatch,
> >> so I can't whitelist wildcards for his address. Is it possible to
> >> chain rule files & modules for the "is definitely not spam" option?
> >
> >> Any suggestions would REALLY be appreciated. This is such a backward
> >> idea, I'm not even sure what I would call it.
> >
> > Well if they want all the spam they want. Let them have it.
> >
> > 1. Put some hidden links with a mailto: to their email address on line.
> > 2. Exclude every check for that user by white listing them in postfix.
> > 3.
> >    Exclude them in your MailScanner with a rule in
> >    spam.whitelist.rules like:
> >
> >    To: haasje@vanderkooij.org yes
> >
> > I use it for a few addresses but for another reason. (Some addresses are
> > used as bait to educate my bayesian filtering manually.)
> >
> > But if they want it. Let them have it and let them pay for the
> > additional resources like bandwidth and such.
> >
> > Hugo.
> >
> You forgot one;
> high scoring spam action = delete forward lame-user@mydomain.com
>
Challenging Res for the "most evil bunny on list" title, are we Scott? :-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Wed Mar 7 10:50:06 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Mar 7 09:56:07 2007 Subject: Best way to allow attachments with it5 extension through In-Reply-To: <45ED8E41.61A4.0000.0@caspercollege.edu> References: <45ED81AC.61A4.0000.0@caspercollege.edu> <45ED8E41.61A4.0000.0@caspercollege.edu> Message-ID: <223f97700703070150v15d5e368j77252378ef1bc756@mail.gmail.com> On 06/03/07, Daniel Straka wrote: > > -- > > Dan Straka > Systems Coordinator > Casper College > 307.268.2399 > > > >>> On 3/6/2007 at 3:14 PM, in message > , Hugo van der > Kooij wrote: > > On Tue, 6 Mar 2007, Daniel Straka wrote: > > > >> I've scoured the MailScanner list archives for an answer and have come up > > with several answers. > >> I'm looking for a quick and easy solution to allow attached files with the > > extension .it5 through. > >> Right now they're being returned with the following message: > >> > >> --------------------------- > >> Subject: Warning: E-mail viruses detected > >> > >> Our e-mail content detector has just been triggered by a message you sent: > >> > >> One or more of the attachments (land.it5) are on > >> the list of unacceptable attachments for this site and will not have > >> been delivered. > > > > How about editing the list? (filename.rules.conf) > > > > In there you find: > > deny \.its$ Dangerous Internet Document Set (according to > > Microsoft) Dangerous attachment according to Microsoft Q883260 > > > > That is. That is what it looked like straight out of the box. > > > > I think you will find a similar rule for your extension. > > > > Hugo. > > Thanks Hugo, but > This is a data file for a mapping program and it's extension is it5(five) not s. It's not in the default configuration of the (filename.rules.conf) file. > When it's run against the "File" program it's determined to be an executable, so even if I "allowed" it in (filename.rules.conf) I don't think MailScanner will allow it. > The problem isn't about names at all, it is about file TYPE;-). 
Run the file command on the offending file and see _why_ it gets labeled as an executable... Permanent solutions might lie in the direction of getting your file command patched, interim solutions might be editing your magic file so that the file command detects it as the correct thing, or at least not as an executable. Or you could make an exception for the sender/recipient combo in MailScanner ... requires a ruleset on the filetype rules setting and an "overload" file as described in the wiki (http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading) ... just remember to do something appropriate for the _filetype_ rules, not filenames;-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From housey at sme-ecom.co.uk Wed Mar 7 13:38:53 2007
From: housey at sme-ecom.co.uk (Paul Houselander)
Date: Wed Mar 7 12:44:57 2007
Subject: Increase in Spam getting through today?
Message-ID:

Hi

Just a quick one, we've had a massive increase in spam getting through today, lots of stock ones, I wondered if anyone else was seeing the same?

They're scoring 0 even though they look very spammy to me.

They're definitely not timing out and I'm still stopping a large amount of spam. I can't figure out if spammers have all of a sudden got very clever at bypassing SpamAssassin or if something is wrong with my filters!

I use SpamAssassin 3.1.7, sa-update, rules_du_jour, fuzzyocr, DCC, Pyzor and Razor and Bayes is enabled.

I've run spamassassin -t -D < message on several of the messages and DCC is firing now (but only DCC), so I know SpamAssassin is being run on the message but no other rules are being hit!

Kind Regards
Paul

From hvdkooij at vanderkooij.org Wed Mar 7 14:17:38 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Wed Mar 7 13:23:42 2007
Subject: Increase in Spam getting through today?
In-Reply-To:
References:
Message-ID:

On Wed, 7 Mar 2007, Paul Houselander wrote:

> Just a quick one, we've had a massive increase in spam getting through today,
> lots of stock ones, I wondered if anyone else was seeing the same?
>
> They're scoring 0 even though they look very spammy to me.
>
> They're definitely not timing out and I'm still stopping a large amount of spam.
> I can't figure out if spammers have all of a sudden got very clever at
> bypassing SpamAssassin or if something is wrong with my filters!
>
> I use SpamAssassin 3.1.7, sa-update, rules_du_jour, fuzzyocr, DCC, Pyzor and
> Razor and Bayes is enabled.
>
> I've run spamassassin -t -D < message on several of the messages and DCC is
> firing now (but only DCC), so I know SpamAssassin is being run on the message
> but no other rules are being hit!

Sounds like your SA database is polluted.

In my experience it is wise to keep a sample set of SPAM and HAM messages at hand. (both just over 200 examples)

Then kill your bayesian database and relearn.

I find that after such an action filtering with SpamAssassin is much more accurate on all messages.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From a.peacock at chime.ucl.ac.uk Wed Mar 7 14:26:21 2007
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Wed Mar 7 13:33:26 2007
Subject: Increase in Spam getting through today?
In-Reply-To:
References:
Message-ID: <45EEBD7D.6090809@chime.ucl.ac.uk>

Hi,

Hugo van der Kooij wrote:
> On Wed, 7 Mar 2007, Paul Houselander wrote:
>
>> Just a quick one, we've had a massive increase in spam getting through
>> today,
>> lots of stock ones, I wondered if anyone else was seeing the same?
>>
>> They're scoring 0 even though they look very spammy to me.
>>
>> They're definitely not timing out and I'm still stopping a large amount of
>> spam.
>> I can't figure out if spammers have all of a sudden got very clever at
>> bypassing SpamAssassin or if something is wrong with my filters!
>>
>> I use SpamAssassin 3.1.7, sa-update, rules_du_jour, fuzzyocr, DCC,
>> Pyzor and
>> Razor and Bayes is enabled.
>>
>> I've run spamassassin -t -D < message on several of the messages and DCC is
>> firing now (but only DCC), so I know SpamAssassin is being run on the
>> message
>> but no other rules are being hit!
>
> Sounds like your SA database is polluted.
>
> In my experience it is wise to keep a sample set of SPAM and HAM
> messages at hand. (both just over 200 examples)
>
> Then kill your bayesian database and relearn.
>
> I find that after such an action filtering with SpamAssassin is much
> more accurate on all messages.

You may be right... But I don't think there is enough evidence in the original problem description to warrant such a drastic action. In my experience Bayes is very stable, I have never had to rebuild the database because it became "polluted".

If the OP can place an example message (with full headers) on a web site where we can get to it, many people here will be able to run that message through their systems.

Also post the output you get from running spamassassin -t -D on the message, someone may be able to spot where things are going wrong.
-- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From tjc at ecs.soton.ac.uk Wed Mar 7 14:54:39 2007 From: tjc at ecs.soton.ac.uk (Tim Chown) Date: Wed Mar 7 14:01:45 2007 Subject: Jules is drinking tea Message-ID: <20070307135439.GA8331@login.ecs.soton.ac.uk> Hi again, Today's news is that Jules is very awake and alert, and is drinking tea. Those who know him well know he gets through a fair few gallons of tea, so this is a good sign :) Also the doctors are wanting to get him out of intensive care as soon as a bed in another ward becomes free, another good sign. Let's hope the recovery continues. It may be hard to keep him offline before long! I'll ramp down the reporting frequency a bit now unless there's anything significant to say. Please do keep cards coming, I'm sure they'll continue to be very well received. Tim From joost at waversveld.nl Wed Mar 7 15:09:14 2007 
From: joost at waversveld.nl (Joost Waversveld) Date: Wed Mar 7 14:16:01 2007 Subject: Jules is drinking tea In-Reply-To: <20070307135439.GA8331@login.ecs.soton.ac.uk> References: <20070307135439.GA8331@login.ecs.soton.ac.uk> Message-ID: <45EEC78A.9000709@waversveld.nl> Tim Chown wrote: > Hi again, > > Today's news is that Jules is very awake and alert, and is drinking tea. > Those who know him well know he gets through a fair few gallons of tea, > so this is a good sign :) > > Also the doctors are wanting to get him out of intensive care as soon as > a bed in another ward becomes free, another good sign. > > That's a very good sign. Very good to hear this!! Right at the moment I read this message the sun starts shining!! > Let's hope the recovery continues. It may be hard to keep him offline > before long! > I hope he takes the time to recover well... At this moment his health is more important then MailScanner... > I'll ramp down the reporting frequency a bit now unless there's anything > significant to say. Please do keep cards coming, I'm sure they'll > continue to be very well received. > > Tim > Thanks Tim for the information :-) From Denis.Beauchemin at USherbrooke.ca Wed Mar 7 15:11:48 2007 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Mar 7 14:18:09 2007
Subject: Jules is drinking tea
In-Reply-To: <20070307135439.GA8331@login.ecs.soton.ac.uk>
References: <20070307135439.GA8331@login.ecs.soton.ac.uk>
Message-ID: <45EEC824.1000202@USherbrooke.ca>

Tim Chown wrote:
> Hi again,
>
> Today's news is that Jules is very awake and alert, and is drinking tea.
> Those who know him well know he gets through a fair few gallons of tea,
> so this is a good sign :)
>
> Also the doctors are wanting to get him out of intensive care as soon as
> a bed in another ward becomes free, another good sign.
>
> Let's hope the recovery continues. It may be hard to keep him offline
> before long!
>
> I'll ramp down the reporting frequency a bit now unless there's anything
> significant to say. Please do keep cards coming, I'm sure they'll
> continue to be very well received.
>
> Tim
>

Thanks Tim!

This is great news! It makes my day start with a big smile!

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From housey at sme-ecom.co.uk Wed Mar 7 15:25:03 2007
From: housey at sme-ecom.co.uk (Paul Houselander)
Date: Wed Mar 7 14:31:10 2007
Subject: Increase in Spam getting through today? {Scanned by Allteks Mailsafe}
In-Reply-To: <45EEBD7D.6090809@chime.ucl.ac.uk>
Message-ID:

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Anthony Peacock
Sent: 07 March 2007 13:26
To: MailScanner discussion
Subject: Re: Increase in Spam getting through today? {Scanned by Allteks Mailsafe}

Hi,

Hugo van der Kooij wrote:
> On Wed, 7 Mar 2007, Paul Houselander wrote:
>
>> Just a quick one, we've had a massive increase in spam getting through
>> today,
>> lots of stock ones, I wondered if anyone else was seeing the same?
>>
>> They're scoring 0 even though they look very spammy to me.
>>
>> They're definitely not timing out and I'm still stopping a large amount of
>> spam.
>> I can't figure out if spammers have all of a sudden got very clever at
>> bypassing SpamAssassin or if something is wrong with my filters!
>>
>> I use SpamAssassin 3.1.7, sa-update, rules_du_jour, fuzzyocr, DCC,
>> Pyzor and
>> Razor and Bayes is enabled.
>>
>> I've run spamassassin -t -D < message on several of the messages and DCC is
>> firing now (but only DCC), so I know SpamAssassin is being run on the
>> message
>> but no other rules are being hit!
>
> Sounds like your SA database is polluted.
>
> In my experience it is wise to keep a sample set of SPAM and HAM
> messages at hand. (both just over 200 examples)
>
> Then kill your bayesian database and relearn.
>
> I find that after such an action filtering with SpamAssassin is much
> more accurate on all messages.

>You may be right... But I don't think there is enough evidence in the
>original problem description to warrant such a drastic action. In my
>experience Bayes is very stable, I have never had to rebuild the
>database because it became "polluted".

>If the OP can place an example message (with full headers) on a web site
>where we can get to it, many people here will be able to run that
>message through their systems.

>Also post the output you get from running spamassassin -t -D on the
>message, someone may be able to spot where things are going wrong.
Hi

Thanks for responding.

Managed to solve the problem, it was a rule I recently added (got off someone on the SpamAssassin mailing list) that was causing a problem

body __HILO_STOCKS1 /(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\Price|Price)[\:\ \t]+\$[\d\ ]+?(.*)(Last|Low|Growth|High|Sale|Price)/i
body __HILO_STOCKS2 /(hotlist|r[e3]cord|publicity|n[e3]ws|invest|incr[e3]as[e3]|[e3]xplosion|exp lotion|pric[e3]|high|pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol)/i
meta HILO_STOCKS ( __HILO_STOCKS1 && __HILO_STOCKS2 )
describe HILO_STOCKS Looks like stocks scam
score HILO_STOCKS 4.0

I ran one of the messages through it with debug enabled and saw the following error:

[28988] dbg: rules: ran body rule SARE_MLB_Stock1 ======> got hit: "Target price:"
Can't find Unicode property definition "r" at /etc/mail/spamassassin/mailscanner.cf, rule __HILO_STOCKS1, line 1.

I've removed the rule now and all is working ok, can you see what's wrong with the rule?

Cheers
Paul

From bryan.guest at bmts.com Wed Mar 7 15:42:24 2007
From: bryan.guest at bmts.com (Bryan Guest)
Date: Wed Mar 7 14:48:29 2007
Subject: request for summary - update clamAV
Message-ID: <000f01c760c6$d20c96e0$0b01010a@DGPTBH91>

Hello:

I apologize, but I have been having a little trouble following along with the steps to use Julian's easy install package but to upgrade to the latest ClamAV.

Could someone who has done this successfully please submit a summary to the list? And if one was posted, and I missed it, shame on me.

Julian, thanks for all your work, and all the best from Ontario, Canada. Get Well Soon!

Bryan Guest

From edwardbruce at sbcglobal.net Wed Mar 7 16:28:27 2007
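The error Paul Houselander's debug run reported for __HILO_STOCKS1 earlier in this thread, Can't find Unicode property definition "r", is Perl's message for a \P (or \p) that is not followed by a property name: \Price is parsed as \Pr plus "ice". The following Python check is an added example, not part of any post or of SpamAssassin; its function names are hypothetical and the two control rules are constructed.

```python
"""Flag \\p / \\P escapes in SpamAssassin rules that Perl cannot resolve."""

# Rule types whose definition ends in a Perl regex.
REGEX_RULE_TYPES = {"body", "rawbody", "full", "uri", "header"}

# One-letter Unicode general categories that may follow \p or \P directly.
ONE_LETTER_PROPERTIES = set("CLMNPSZ")


def find_bad_property_escapes(pattern):
    """Return the \\pX / \\PX sequences in pattern that name no property."""
    bad = []
    i = 0
    while i < len(pattern) - 1:
        if pattern[i] != "\\":
            i += 1
            continue
        if pattern[i + 1] in "pP":
            following = pattern[i + 2:i + 3]  # "" when the pattern ends here
            # \p{Name} is accepted here without validating Name.
            if following != "{" and following not in ONE_LETTER_PROPERTIES:
                bad.append(pattern[i:i + 3])
        # Step over the backslash and the character it escapes, so that
        # "\\P" (escaped backslash, then a literal P) is not misread.
        i += 2
    return bad


def lint_rules(text):
    """Return (line_number, rule_name, escape) for every suspect escape."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.strip().split(None, 2)
        if len(fields) < 3 or fields[0] not in REGEX_RULE_TYPES:
            continue  # comments, blank lines, meta/describe/score lines
        for escape in find_bad_property_escapes(fields[2]):
            findings.append((lineno, fields[1], escape))
    return findings


# Line 2 is the rule quoted in the thread; lines 3-4 are constructed controls
# (a valid property escape and an escaped backslash before a capital P).
SAMPLE_RULES = r"""# sample rule file
body __HILO_STOCKS1 /(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\Price|Price)[\:\ \t]+\$[\d\ ]+?(.*)(Last|Low|Growth|High|Sale|Price)/i
body __CONTROL_PROPERTY /\p{Lu}{3,5}\s+\PL\d+/
body __CONTROL_BACKSLASH /C:\\Program Files/
"""

if __name__ == "__main__":
    for lineno, name, escape in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: rule {name}: unresolvable escape {escape!r}")
```

Running spamassassin --lint after adding rules reports patterns that fail to compile, which covers this case and others.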
From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Wed Mar 7 15:34:30 2007 Subject: dealing with dictionary attacks In-Reply-To: <45EC4863.5070702@netmagicsolutions.com> References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> Message-ID: <45EEDA1B.4010200@sbcglobal.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dhawal Doshy wrote: > am.lists wrote: >> So does anyone have any advice re: postgrey vs policyd? > > This question truly belongs to the postfix list.. > Why is only Postfix discussions being asked to take it off list. I see many topics about sendmail, clamav, and spamassassin. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Cygwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFF7tobpdNaP9x3McgRAhY0AKCJX6ez7ljWzLZDBFdiBlFvfMkIsgCguG3D HeeY9wR4XU505bshd7wyZvI= =GyDW -----END PGP SIGNATURE----- From dean.plant at roke.co.uk Wed Mar 7 16:30:08 2007 
From: dean.plant at roke.co.uk (Plant, Dean) Date: Wed Mar 7 15:36:22 2007 Subject: Small problem after ClamAV upgrade Message-ID: <2181C5F19DD0254692452BFF3EAF1D6802671DF5@rsys005a.comm.ad.roke.co.uk> Firstly, quick thanks to Phil Randal for posting the changes required to make a install-Clam-0.90.1-SA-3.1.8.tar.gz in Julian's absence. Now my problem. After upgrading to Mail-ClamAV-0.20 & ClamAV 0.90.1 I have a small issue with attachments in a mail detected as broken executables. I know I can report these to ClamAV but as I have never (knowingly) had this option turned on would like it turned off. The original mail virus scanned without problem but was quarantined as we don't allow executables. When I try to release the mail from quarantine (Mailwatch) the mail is blocked as ClamAV detects it as a broken executable. It seems like I have the option "--detect-broken" turned on but I am not sure where. Any idea's? In /etc/MailScannner/MailScanner.conf Virus Scanners = clamavmodule A clamscan is fine # clamscan ./* ./backup.exe: OK ./decdisk.exe: OK ./dispefs.exe: OK ./message: OK ./PD 8_01_01.zip: OK Setting --detect-broken shows ClamAV incorrectly detecting the files as broken. 
# clamscan --detect-broken ./* ./backup.exe: Broken.Executable FOUND ./decdisk.exe: Broken.Executable FOUND ./dispefs.exe: Broken.Executable FOUND ./message: Broken.Executable FOUND ./PD 8_01_01.zip: Broken.Executable FOUND Using the MailScanner clamav-wrapper is ok # /usr/lib/MailScanner/clamav-wrapper /usr/local/ /var/spool/MailScanner/quarantine/20070307/l278IMl1006594 /var/spool/MailScanner/quarantine/20070307/l278IMl1006594/message: OK /var/spool/MailScanner/quarantine/20070307/l278IMl1006594/backup.exe: OK /var/spool/MailScanner/quarantine/20070307/l278IMl1006594/decdisk.exe: OK /var/spool/MailScanner/quarantine/20070307/l278IMl1006594/dispefs.exe: OK /var/spool/MailScanner/quarantine/20070307/l278IMl1006594/PD 8_01_01.zip: OK >From /var/log/maillog Mar 7 08:19:16 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/dispefs.exe Mar 7 08:19:16 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/decdisk.exe Mar 7 08:19:16 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/backup.exe Mar 7 08:19:21 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/PD 8_01_01.zip Dean From prandal at herefordshire.gov.uk Wed Mar 7 16:25:06 2007 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Wed Mar 7 15:38:27 2007 Subject: request for summary - update clamAV In-Reply-To: <000f01c760c6$d20c96e0$0b01010a@DGPTBH91> References: <000f01c760c6$d20c96e0$0b01010a@DGPTBH91> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA944D@HC-MBX02.herefordshire.gov.uk> Check the archives for posts from me. Drop the clamav-0.90.1.tar.gz file into the unpacked install-Clam-SA/perl-tar directory. Apply the following patch to install.sh, and then run install.sh: --- install.sh.old 2007-03-02 12:26:48.000000000 +0000 +++ install.sh 2007-03-02 12:26:17.000000000 +0000 
@@ -1,6 +1,6 @@ #!/bin/sh -CLAMAVVERSION=0.88.7 +CLAMAVVERSION=0.90.1 export CLAMAVVERSION LDSOCONF=/etc/ld.so.conf CLAMETC=/usr/local/etc @@ -232,8 +232,8 @@ echo the ClamAV library can be found by the clamavmodule and echo clamav virus scanners. echo /usr/local/lib >> $LDSOCONF - /sbin/ldconfig fi + /sbin/ldconfig sleep 2 else echo You may need to add /usr/local/lib to the directories searched Cheers, Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Bryan Guest > Sent: 07 March 2007 14:42 > To: mailscanner@lists.mailscanner.info > Subject: request for summary - update clamAV > > Hello: > > I apologize, but I have been having a little trouble > following along with > the steps to use Julian's easy install package but to upgrade > to the latest > ClamAV. > > Could someone who has done this successfully please submit a > summary to the > list? And if one was posted, and I missed it, shame on me. > > Julian, thanks for all your work, and all the best from > Ontario, Canada. > Get Well Soon! > > Bryan Guest > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From satya at fsl.com Wed Mar 7 16:52:04 2007 
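Review bot: in the first hunk the new version is still a literal on the CLAMAVVERSION= line, so the next ClamAV release needs another hand edit of install.sh. Since the following line already exports the variable, consider CLAMAVVERSION=${CLAMAVVERSION:-0.90.1} so the version can be supplied from the environment, and have the script stop with a clear message when the matching clamav tarball has not been dropped into perl-tar.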
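Review bot: in the second hunk, /sbin/ldconfig now sits after the fi with no comment saying why it has to run even when /usr/local/lib was not appended to $LDSOCONF. Add a one-line comment above it (the linker cache is rebuilt on every install so the new ClamAV library is found), and while this block is being touched, quote the redirect target in the context line as >> "$LDSOCONF".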
From: satya at fsl.com (SatyaDev Sharma)
Date: Wed Mar 7 15:58:06 2007
Subject: Jules is drinking tea
In-Reply-To: <45EEC824.1000202@USherbrooke.ca>
References: <20070307135439.GA8331@login.ecs.soton.ac.uk> <45EEC824.1000202@USherbrooke.ca>
Message-ID: <8d5fd62c0703070752j3c12ff61y3bff743f5afebc62@mail.gmail.com>

That's really good news! Thanx Tim!!

Many Thanx to GOD, and pray for his fastest recovery.

~Satya

On 3/7/07, Denis Beauchemin wrote:
>
> Tim Chown wrote:
> > Hi again,
> >
> > Today's news is that Jules is very awake and alert, and is drinking tea.
> > Those who know him well know he gets through a fair few gallons of tea,
> > so this is a good sign :)
> >
> > Also the doctors are wanting to get him out of intensive care as soon as
> > a bed in another ward becomes free, another good sign.
> >
> > Let's hope the recovery continues. It may be hard to keep him offline
> > before long!
> >
> > I'll ramp down the reporting frequency a bit now unless there's anything
> > significant to say. Please do keep cards coming, I'm sure they'll
> > continue to be very well received.
> >
> > Tim
> >
> Thanks Tim!
>
> This is great news! It makes my day start with a big smile!
>
> Denis
>
> --
> Denis Beauchemin, analyst
> Université de Sherbrooke, S.T.I.
> T: 819.821.8000x62252 F: 819.821.8045

From ka at pacific.net Wed Mar 7 17:09:59 2007
From: ka at pacific.net (Ken A) Date: Wed Mar 7 16:11:56 2007 Subject: Jules is drinking tea In-Reply-To: <20070307135439.GA8331@login.ecs.soton.ac.uk> References: <20070307135439.GA8331@login.ecs.soton.ac.uk> Message-ID: <45EEE3D7.9080307@pacific.net> Tim Chown wrote: > Hi again, > > Today's news is that Jules is very awake and alert, and is drinking tea. > Those who know him well know he gets through a fair few gallons of tea, > so this is a good sign :) Tim, Wonderful news. Glad to hear he's on the mend! And thank you for keeping us informed. It's appreciated. > Also the doctors are wanting to get him out of intensive care as soon as > a bed in another ward becomes free, another good sign. > > Let's hope the recovery continues. It may be hard to keep him offline > before long! Julian - take the opportunity to rest! Hopefully, you don't get another excuse this good for a long while. :-) Ken A Pacific.Net > I'll ramp down the reporting frequency a bit now unless there's anything > significant to say. Please do keep cards coming, I'm sure they'll > continue to be very well received. > > Tim From Denis.Beauchemin at USherbrooke.ca Wed Mar 7 17:10:16 2007 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Wed Mar 7 16:16:36 2007
Subject: Small problem after ClamAV upgrade
In-Reply-To: <2181C5F19DD0254692452BFF3EAF1D6802671DF5@rsys005a.comm.ad.roke.co.uk>
References: <2181C5F19DD0254692452BFF3EAF1D6802671DF5@rsys005a.comm.ad.roke.co.uk>
Message-ID: <45EEE3E8.5050302@USherbrooke.ca>

Plant, Dean wrote:
> Firstly, quick thanks to Phil Randal for posting the changes required to
> make a install-Clam-0.90.1-SA-3.1.8.tar.gz in Julian's absence.
>
> Now my problem.
>
> After upgrading to Mail-ClamAV-0.20 & ClamAV 0.90.1 I have a small issue
> with attachments in a mail detected as broken executables. I know I can
> report these to ClamAV but as I have never (knowingly) had this option
> turned on would like it turned off.
>
>

Dean,

Look into /usr/lib/MailScanner/MailScanner/SweepViruses.pm for Mail::ClamAV::CL_SCAN_BLOCKBROKEN() and comment it out (it's there twice). I don't think this can be configured by other means. Then restart MS.

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From dean.plant at roke.co.uk Wed Mar 7 17:32:48 2007
From: dean.plant at roke.co.uk (Plant, Dean)
Date: Wed Mar 7 16:38:54 2007
Subject: Small problem after ClamAV upgrade
Message-ID: <2181C5F19DD0254692452BFF3EAF1D6802671DF7@rsys005a.comm.ad.roke.co.uk>

Denis Beauchemin wrote:
> Plant, Dean wrote:
>> Firstly, quick thanks to Phil Randal for posting the changes
>> required to make a install-Clam-0.90.1-SA-3.1.8.tar.gz in Julian's
>> absence.
>>
>> Now my problem.
>>
>> After upgrading to Mail-ClamAV-0.20 & ClamAV 0.90.1 I have a small
>> issue with attachments in a mail detected as broken executables. I
>> know I can report these to ClamAV but as I have never (knowingly)
>> had this option turned on would like it turned off.
>>
>>
> Dean,
>
> Look into /usr/lib/MailScanner/MailScanner/SweepViruses.pm for
> Mail::ClamAV::CL_SCAN_BLOCKBROKEN() and comment it out (it's there
> twice). I don't think this can be configured by other means. Then
> restart MS.
>
> Denis

Thank you. Looks like I have always been detecting broken executables without knowing it and the upgrade was just coincidence.

Dean.

From prandal at herefordshire.gov.uk Wed Mar 7 17:18:21 2007
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Mar 7 16:53:36 2007
Subject: request for summary - update clamAV
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA944D@HC-MBX02.herefordshire.gov.uk>
References: <000f01c760c6$d20c96e0$0b01010a@DGPTBH91> <7EF0EE5CB3B263488C8C18823239BEBA944D@HC-MBX02.herefordshire.gov.uk>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA944F@HC-MBX02.herefordshire.gov.uk>

Oops,

If you're using libclamav and not clamscan you'll need to install Mail::ClamAV from CPAN too.

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Randal, Phil > Sent: 07 March 2007 15:25 > To: MailScanner discussion > Subject: RE: request for summary - update clamAV > > Check the archives for posts from me. > > Drop the clamav-0.90.1.tar.gz file into the unpacked > install-Clam-SA/perl-tar directory. > > Apply the following patch to install.sh, and then run install.sh: > > --- install.sh.old 2007-03-02 12:26:48.000000000 +0000 > +++ install.sh 2007-03-02 12:26:17.000000000 +0000 > @@ -1,6 +1,6 @@ > #!/bin/sh > > -CLAMAVVERSION=0.88.7 > +CLAMAVVERSION=0.90.1 > export CLAMAVVERSION > LDSOCONF=/etc/ld.so.conf > CLAMETC=/usr/local/etc > @@ -232,8 +232,8 @@ > echo the ClamAV library can be found by the clamavmodule and > echo clamav virus scanners. > echo /usr/local/lib >> $LDSOCONF > - /sbin/ldconfig > fi > + /sbin/ldconfig > sleep 2 > else > echo You may need to add /usr/local/lib to the directories searched > > > Cheers, > > Phil > -- > Phil Randal > Network Engineer > Herefordshire Council > Hereford, UK > > > -----Original Message----- 
> > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > > Of Bryan Guest > > Sent: 07 March 2007 14:42 > > To: mailscanner@lists.mailscanner.info > > Subject: request for summary - update clamAV > > > > Hello: > > > > I apologize, but I have been having a little trouble > > following along with > > the steps to use Julian's easy install package but to upgrade > > to the latest > > ClamAV. > > > > Could someone who has done this successfully please submit a > > summary to the > > list? And if one was posted, and I missed it, shame on me. > > > > Julian, thanks for all your work, and all the best from > > Ontario, Canada. > > Get Well Soon! > > > > Bryan Guest > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From martinh at solidstatelogic.com Wed Mar 7 17:46:54 2007 
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Mar 7 16:53:55 2007
Subject: Freds rules from Rulesemporium.com
Message-ID: <8b462f456b0dbc4ab05ddd3e35515ced@solidstatelogic.com>

All

Well after five months some of us on the IRC channel have finally noticed that a lot of Fred's Rules on www.rulesemporium.com/other-rules.htm have moved to one big file.

It's mentioned in the comments on the files, but a lot of us seem to have missed this...so I thought I'd give a heads up to others.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From prandal at herefordshire.gov.uk Wed Mar 7 17:20:13 2007
From: prandal at herefordshire.gov.uk (Randal, Phil)
Date: Wed Mar 7 16:54:51 2007
Subject: Small problem after ClamAV upgrade
In-Reply-To: <2181C5F19DD0254692452BFF3EAF1D6802671DF5@rsys005a.comm.ad.roke.co.uk>
References: <2181C5F19DD0254692452BFF3EAF1D6802671DF5@rsys005a.comm.ad.roke.co.uk>
Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA9450@HC-MBX02.herefordshire.gov.uk>

My bad. I forgot to tell you to install the latest Mail::ClamAV too.

perl -MCPAN -e shell
install Mail::ClamAV
quit
service MailScanner reload

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Plant, Dean
> Sent: 07 March 2007 15:30
> To: MailScanner discussion
> Subject: Small problem after ClamAV upgrade
>
> Firstly, quick thanks to Phil Randal for posting the changes required to
> make an install-Clam-0.90.1-SA-3.1.8.tar.gz in Julian's absence.
>
> Now my problem.
>
> After upgrading to Mail-ClamAV-0.20 & ClamAV 0.90.1 I have a small issue
> with attachments in a mail detected as broken executables. I know I can
> report these to ClamAV but as I have never (knowingly) had this option
> turned on would like it turned off.
>
> The original mail virus scanned without problem but was quarantined as
> we don't allow executables. When I try to release the mail from
> quarantine (Mailwatch) the mail is blocked as ClamAV detects it as a
> broken executable. It seems like I have the option "--detect-broken"
> turned on but I am not sure where. Any ideas?
>
> In /etc/MailScanner/MailScanner.conf
>
> Virus Scanners = clamavmodule
>
> A clamscan is fine
>
> # clamscan ./*
> ./backup.exe: OK
> ./decdisk.exe: OK
> ./dispefs.exe: OK
> ./message: OK
> ./PD 8_01_01.zip: OK
>
> Setting --detect-broken shows ClamAV incorrectly detecting the files as
> broken.
>
> # clamscan --detect-broken ./*
> ./backup.exe: Broken.Executable FOUND
> ./decdisk.exe: Broken.Executable FOUND
> ./dispefs.exe: Broken.Executable FOUND
> ./message: Broken.Executable FOUND
> ./PD 8_01_01.zip: Broken.Executable FOUND
>
> Using the MailScanner clamav-wrapper is ok
>
> # /usr/lib/MailScanner/clamav-wrapper /usr/local/ /var/spool/MailScanner/quarantine/20070307/l278IMl1006594
> /var/spool/MailScanner/quarantine/20070307/l278IMl1006594/message: OK
> /var/spool/MailScanner/quarantine/20070307/l278IMl1006594/backup.exe: OK
> /var/spool/MailScanner/quarantine/20070307/l278IMl1006594/decdisk.exe: OK
> /var/spool/MailScanner/quarantine/20070307/l278IMl1006594/dispefs.exe: OK
> /var/spool/MailScanner/quarantine/20070307/l278IMl1006594/PD 8_01_01.zip: OK
>
> From /var/log/maillog
>
> Mar 7 08:19:16 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/dispefs.exe
> Mar 7 08:19:16 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/decdisk.exe
> Mar 7 08:19:16 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/backup.exe
> Mar 7 08:19:21 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/PD 8_01_01.zip
>
> Dean
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From ssilva at sgvwater.com Wed Mar 7 19:05:43 2007
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Mar 7 18:12:34 2007 Subject: Skipping users In-Reply-To: <223f97700703070138jfbe8494q28757071ae40f893@mail.gmail.com> References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> <223f97700703070138jfbe8494q28757071ae40f893@mail.gmail.com> Message-ID: Glenn Steen spake the following on 3/7/2007 1:38 AM: > On 06/03/07, Scott Silva wrote: >> Hugo van der Kooij spake the following on 3/5/2007 10:56 PM: >> > On Mon, 5 Mar 2007, Thomas A. Cameron wrote: >> > >> >> I'm not completely sure what the terminology is for what I'm trying to >> >> do or what layer would be best to do it on, so I'm mailing the list. >> >> >> >> I'll start out by saying I'm extremely pleased with MailScanner. The >> >> entire suite works extremely well, and in the short time I've been >> >> using it I have already seen better results than from any other >> >> package I have ever experienced with other packages. >> >> >> >> Having said all of that, I have a user that believes he doesn't need >> >> SPAM protection. He believes he can handle the problem better than any >> >> tool. If I had a way to do it, I wouldn't block connections with an >> >> RBL either, just to show him what he's in for. But, that's not >> >> something I really want to get into. >> > >> >> My question is this. How can I tell MailScanner to blindly accept any >> >> email destined for several addresses? Would I be better off doing this >> >> on the postfix level with a header check that tests positive on every >> >> address except his few? I use the SQL whitelist function of MailWatch, >> >> so I can't whitelist wildcards for his address. Is it possible to >> >> chain rule files & modules for the "is definitely not spam" option? >> > >> >> Any suggestions would REALLY be appreciated. This is such a backward >> >> idea, I'm not even sure what I would call it. >> > >> > Well if they want all the spam they want. Let them have it. >> > >> > 1. 
Put some hidden links with a mailto: to they email address on line. >> > 2. Exclude every check for that user by white listing them in postfix. >> > 3. Exclude them in your MailScanner with a rule in >> > spam.whitelist.rules like: >> > >> > To: haasje@vanderkooij.org yes >> > >> > I use it for a few addresses but for another reason. (Some addresses >> are >> > used as bait to educate my bayesian filterin manualy.) >> > >> > But if they want it. Let them have is and let them pay for the >> > additional resources like bandwidth and such. >> > >> > Hugo. >> > >> You forgot one; >> high scoring spam action = delete forward lame-user@mydomain.com >> > Challenging Res for the "most evil bunny on list" title, are we Scott? :-) > > Cheers I have no problem being second! "We're not last! We're not last!!!" Besides, if I wanted to be the "most evil bunny on list" I would have added the same to the low scoring spam options. And then I would put their e-mail address in every newsgroup I could find and also add it to the meta-data of some web sites! MMMUUUUHHHHAaaaaaaaaa!!! And there is also rm -rf /home/lame-user/ /need coffee!!! must calm down! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Wed Mar 7 19:18:33 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Mar 7 18:24:56 2007 Subject: Jules is drinking tea In-Reply-To: <20070307135439.GA8331@login.ecs.soton.ac.uk> References: <20070307135439.GA8331@login.ecs.soton.ac.uk> Message-ID: Tim Chown spake the following on 3/7/2007 5:54 AM: > Hi again, > > Today's news is that Jules is very awake and alert, and is drinking tea. > Those who know him well know he gets through a fair few gallons of tea, > so this is a good sign :) > > Also the doctors are wanting to get him out of intensive care as soon as > a bed in another ward becomes free, another good sign. > > Let's hope the recovery continues. It may be hard to keep him offline > before long! > > I'll ramp down the reporting frequency a bit now unless there's anything > significant to say. Please do keep cards coming, I'm sure they'll > continue to be very well received. > > Tim You just can't keep a good man down!! Speedy recovery Jules! You're probably still feeling knackered, but it will get better! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Wed Mar 7 19:25:35 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Mar 7 18:32:26 2007 Subject: request for summary - update clamAV In-Reply-To: <000f01c760c6$d20c96e0$0b01010a@DGPTBH91> References: <000f01c760c6$d20c96e0$0b01010a@DGPTBH91> Message-ID: Bryan Guest spake the following on 3/7/2007 6:42 AM: > Hello: > > I apologize, but I have been having a little trouble following along > with the steps to use Julian's easy install package but to upgrade to > the latest ClamAV. > > Could someone who has done this successfully please submit a summary to > the list? And if one was posted, and I missed it, shame on me. > > Julian, thanks for all your work, and all the best from Ontario, Canada. > Get Well Soon! > > Bryan Guest http://tinyurl.com/2wox4q Has clam 0.90.1, spamassassin 3.18, and Mail::ClamAV 0.20 -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From hvdkooij at vanderkooij.org Wed Mar 7 20:23:11 2007 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Mar 7 19:29:17 2007 Subject: Skipping users In-Reply-To: References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> <223f97700703070138jfbe8494q28757071ae40f893@mail.gmail.com> Message-ID: On Wed, 7 Mar 2007, Scott Silva wrote: > /need coffee!!! must calm down! I was thinking coffee had another purpose. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From hden at kcbbs.gen.nz Wed Mar 7 20:51:55 2007 
From: hden at kcbbs.gen.nz (Hendrik den Hartog)
Date: Wed Mar 7 19:38:51 2007
Subject: Fake domains - revisiting..
In-Reply-To:
References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> <223f97700703070138jfbe8494q28757071ae40f893@mail.gmail.com>
Message-ID: <20070307195155.GA16668@mew.kcbbs.gen.nz>

Hello

We use MailScanner on our school's firewall.

We have the not uncommon issue with mail entering with fake domain names, that is, mail pretending to come from our domain. (How on earth they glean the email names to use is mind-boggling to me?)

I've read a few historic threads RE: this, but I'm after the current recommended procedure to deal with this issue.

Running CentOS 3.3/sendmail-8.12.11-4

I've added our domain name to sendmail's access database (From:OurDomain.name.com), but suspect this may be a crude option to take - although it seems to work?

Advice, Feedback appreciated...

Cheers!
Dave

From ncanepa at fcen.uba.ar Wed Mar 7 20:35:19 2007
From: ncanepa at fcen.uba.ar (Nicolas Canepa)
Date: Wed Mar 7 19:41:24 2007
Subject: RBL's
Message-ID: <45EF13F7.3050602@fcen.uba.ar>

I need a recommendation on RBL lists to use in MailScanner. MailScanner has been blocking a lot of legitimate mail from hotmail, and I cannot tell people not to receive mail from hotmail, although I'd like to.

txs,

--
*Nicolás Cánepa*
ncanepa@fcen.uba.ar
www.ccc.fcen.uba.ar
*Telephone* - /4576-3382/
*CCC* - /Centro de Comunicación Científica/
*UBA* - /Facultad de Ciencias Exactas y Naturales/

From michele at blacknight.ie Wed Mar 7 20:39:05 2007
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Wed Mar 7 19:45:12 2007
Subject: Fake domains - revisiting..
In-Reply-To: <20070307195155.GA16668@mew.kcbbs.gen.nz>
References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> <223f97700703070138jfbe8494q28757071ae40f893@mail.gmail.com> <20070307195155.GA16668@mew.kcbbs.gen.nz>
Message-ID: <45EF14D9.500@blacknight.ie>

Hendrik den Hartog wrote:
> Hello
>
> We use MailScanner on our school's firewall.
>
> We have the not uncommon issue with mail entering with fake domain names, that is,
> mail pretending to come from our domain. (How on earth they glean the email names to
> use is mind-boggling to me?)
>
> I've read a few historic threads RE: this, but I'm after the current recommended
> procedure to deal with this issue.
>
> Running CentOS 3.3/sendmail-8.12.11-4
>
> I've added our domain name to sendmail's access database (From:OurDomain.name.com), but
> suspect this may be a crude option to take - although it seems to work?
>
> Advice, Feedback appreciated...
>
> Cheers!
> Dave

Dave

Does all mail from your domain come from the same server? i.e. the server in the school OR is it possible that someone could use the domain from outside e.g. at home or wherever?

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
UK: 0870 163 0607
Fax. +353 (0) 59 9164239

From michele at blacknight.ie Wed Mar 7 20:41:18 2007
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Wed Mar 7 19:47:24 2007
Subject: RBL's
In-Reply-To: <45EF13F7.3050602@fcen.uba.ar>
References: <45EF13F7.3050602@fcen.uba.ar>
Message-ID: <45EF155E.1010309@blacknight.ie>

Nicolas Canepa wrote:
> I need a recommendation on RBL lists to use in MailScanner. MailScanner
> has been blocking a lot of legitimate mail from hotmail, and I cannot
> tell people not to receive mail from hotmail, although I'd like to.
>
> txs,
>

Which DNSBLs are you currently using and how are you implementing them? MTA level or within MailScanner?

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
UK: 0870 163 0607
Fax. +353 (0) 59 9164239

From ssilva at sgvwater.com Wed Mar 7 20:48:00 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Mar 7 19:54:23 2007
Subject: Skipping users
In-Reply-To:
References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> <223f97700703070138jfbe8494q28757071ae40f893@mail.gmail.com>
Message-ID:

Hugo van der Kooij spake the following on 3/7/2007 11:23 AM:
> On Wed, 7 Mar 2007, Scott Silva wrote:
>
>> /need coffee!!! must calm down!
>
> I was thinking coffee had another purpose.
>
> Hugo.
>

Getting the coffee gives a much needed break. A few minutes with the newspaper. Maybe a casual conversation with someone that DOESN'T start with "My computer (is|isn't|hasn't|won't) ....."
I'm sure you get the same thing.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ncanepa at fcen.uba.ar Wed Mar 7 20:50:37 2007
From: ncanepa at fcen.uba.ar (Nicolas Canepa)
Date: Wed Mar 7 19:56:43 2007
Subject: RBL's
In-Reply-To: <45EF155E.1010309@blacknight.ie>
References: <45EF13F7.3050602@fcen.uba.ar> <45EF155E.1010309@blacknight.ie>
Message-ID: <45EF178D.5030909@fcen.uba.ar>

Michele Neylon :: Blacknight wrote:
> Nicolas Canepa wrote:
>
>> I need a recommendation on RBL lists to use in MailScanner.
>> MailScanner has been blocking a lot of legitimate mail from hotmail,
>> and I cannot tell people not to receive mail from hotmail, although
>> I'd like to.
>>
>> txs,
>>
> Which DNSBLs are you currently using and how are you implementing
> them? MTA level or within MailScanner?
>

I was using these since yesterday (set in MailScanner.conf):

Spam List = spamhaus.org spamhaus-XBL SORBS-SMTP SORBS-ZOMBIE SORBS-HTTP SORBS-SOCKS SORBS-WEB CBL RSL DSBL BLITZEDALL FABELSOURCES PSBL

And I was using these:

Spam List = spamhaus.org spamhaus-XBL SORBS-DNSBL SORBS-SMTP SORBS-SPAM SORBS-BLOCK SORBS-ZOMBIE SBL+XBL SORBS-DNSBL SORBS-HTTP SORBS-SOCKS SORBS-MISC SORBS-WEB SORBS-DUL SORBS-RHSBL CBL RSL DSBL BLITZEDALL spamcop.net

--
*Nicolás Cánepa*
ncanepa@fcen.uba.ar
www.ccc.fcen.uba.ar
*Telephone* - /4576-3382/
*CCC* - /Centro de Comunicación Científica/
*UBA* - /Facultad de Ciencias Exactas y Naturales/

From hden at kcbbs.gen.nz Wed Mar 7 21:12:11 2007
From: hden at kcbbs.gen.nz (Hendrik den Hartog)
Date: Wed Mar 7 19:59:06 2007
Subject: Fake domains - revisiting..
In-Reply-To: <45EF14D9.500@blacknight.ie>
References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> <223f97700703070138jfbe8494q28757071ae40f893@mail.gmail.com> <20070307195155.GA16668@mew.kcbbs.gen.nz> <45EF14D9.500@blacknight.ie>
Message-ID: <20070307201211.GA16687@mew.kcbbs.gen.nz>

Only access from the 'outside' is via WEB pages, so connecting to the server, or via Outlook RPC over http.

Cheers!
Dave

On Wed, Mar 07, 2007 at 07:39:05PM +0000, Michele Neylon :: Blacknight wrote:
> Hendrik den Hartog wrote:
> >Hello
> >
> >We use MailScanner on our school's firewall.
> >
> >We have the not uncommon issue with mail entering with fake domain names,
> >that is, mail pretending to come from our domain. (How on earth they glean
> >the email names to use is mind-boggling to me?)
> >
> >I've read a few historic threads RE: this, but I'm after the current
> >recommended procedure to deal with this issue.
> >
> >Running CentOS 3.3/sendmail-8.12.11-4
> >
> >I've added our domain name to sendmail's access database
> >(From:OurDomain.name.com), but
> >suspect this may be a crude option to take - although it seems to work?
> >
> >Advice, Feedback appreciated...
> >
> >Cheers!
> >Dave
> Dave
>
> Does all mail from your domain come from the same server? i.e. the server
> in the school OR is it possible that someone could use the domain from
> outside e.g. at home or wherever?
>
> Michele
>
> --
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> http://www.blacknight.ie/
> http://blog.blacknight.ie/
> Tel. 1850 927 280
> Intl. +353 (0) 59 9183072
> UK: 0870 163 0607
> Fax. +353 (0) 59 9164239
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From jfagan at firstlightnetworks.com Wed Mar 7 20:56:22 2007
From: jfagan at firstlightnetworks.com (James Fagan)
Date: Wed Mar 7 20:01:06 2007
Subject: Fake domains - revisiting..
In-Reply-To: <20070307195155.GA16668@mew.kcbbs.gen.nz>
References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com><223f97700703070138jfbe8494q28757071ae40f893@mail.gmail.com> <20070307195155.GA16668@mew.kcbbs.gen.nz>
Message-ID: <59E4A3A1069C2640959AD0F7518C48122F08C3@FLN1.fln.local>

> Subject: Fake domains - revisiting..
>
> Hello
>
> We use MailScanner on our school's firewall.
>
> We have the not uncommon issue with mail entering with fake domain names,
> that is, mail pretending to come from our domain. (How on earth they glean
> the email names to use is mind-boggling to me?)
>
> I've read a few historic threads RE: this, but I'm after the current
> recommended procedure to deal with this issue.
>
> Running CentOS 3.3/sendmail-8.12.11-4
>
> I've added our domain name to sendmail's access database
> (From:OurDomain.name.com), but
> suspect this may be a crude option to take - although it seems to work?
>
> Advice, Feedback appreciated...
>
> Cheers!
> Dave

Dave,

You may want to look into a couple options. For starters if not already, implement zen from spamhaus http://www.spamhaus.org/zen/index.lasso , I believe they have educational pricing if you have enough traffic. That seems to catch a LOT of garbage regardless of the domain name used on the envelope.

Also, look at smf-sav http://smfs.sourceforge.net/smf-sav.html sender address verification.

Another is to use SPF records, you set them up with your DNS then use a milter, smf-spf http://smfs.sourceforge.net/smf-spf.html this will match the domain with the IP from where the connection is made and check if it is the same one(s) listed in your DNS records. This seemed a bit much to manage actually in my experience, but will definitely work.

Good Luck,
James

From michele at blacknight.ie Wed Mar 7 20:56:52 2007
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Wed Mar 7 20:03:04 2007
Subject: RBL's
In-Reply-To: <45EF178D.5030909@fcen.uba.ar>
References: <45EF13F7.3050602@fcen.uba.ar> <45EF155E.1010309@blacknight.ie> <45EF178D.5030909@fcen.uba.ar>
Message-ID: <45EF1904.9040409@blacknight.ie>

Nicolas Canepa wrote:
>
> I was using these since yesterday(set in MailScanner.conf):
> Spam List = spamhaus.org spamhaus-XBL SORBS-SMTP SORBS-ZOMBIE
> SORBS-HTTP SORBS-SOCKS SORBS-WEB CBL RSL DSBL BLITZEDALL FABELSOURCES PSBL
> And I was using these:
> Spam List = spamhaus.org spamhaus-XBL SORBS-DNSBL SORBS-SMTP SORBS-SPAM
> SORBS-BLOCK SORBS-ZOMBIE SBL+XBL SORBS-DNSBL SORBS-HTTP SORBS-SOCKS
> SORBS-MISC SORBS-WEB SORBS-DUL SORBS-RHSBL CBL RSL DSBL BLITZEDALL
> spamcop.net
>
>

I'm not surprised you're having issues

Spamcop, for example, is fine for scoring, but blocking based on it will hurt you.

XBL includes CBL, so there's little point in doubling up on the entries.

spamhaus.org and spamhaus-XBL do not look like correct entries and are probably throwing errors in your logs (you have checked them I hope!)

You should _always_ read the listing criteria for any DNSBL _before_ you start using it. If you are unsure do not use it.

Have a read of:

http://www.mneylon.com/blog/archives/2004/08/07/email-filtering-pragmatism-vs-accuracy/

It's a bit old, but a lot of what I say in it is still true.

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
UK: 0870 163 0607
Fax. +353 (0) 59 9164239

From mkettler at evi-inc.com Wed Mar 7 21:03:09 2007
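The checks raised in Michele Neylon's reply above (doubled-up entries, overlapping lists, names that may not be defined, lists better suited to scoring), applied to the second Spam List setting quoted in the thread. This is an added example, not part of the original messages and not MailScanner code; the spam.lists.conf sample, its placeholder zones, the overlap and review tables, and all function names are constructed assumptions.

```python
import re

# Constructed stand-in for MailScanner's spam.lists.conf (assumed layout:
# "<name> <DNS zone>" per line, "#" starts a comment). Zones are placeholders.
# It deliberately leaves out the two names the reply questions, to show what
# the check reports; it does not settle what the shipped file defines.
SAMPLE_LISTS_CONF = """\
# name         zone
SBL+XBL        sbl-xbl.dnsbl.example.
CBL            cbl.dnsbl.example.
RSL            rsl.dnsbl.example.
DSBL           dsbl.dnsbl.example.
BLITZEDALL     blitzed.dnsbl.example.
spamcop.net    spamcop.dnsbl.example.   # trailing comments are ignored
SORBS-DNSBL    all.sorbs.example.
SORBS-SMTP     smtp.sorbs.example.
SORBS-SPAM     spam.sorbs.example.
SORBS-BLOCK    block.sorbs.example.
SORBS-ZOMBIE   zombie.sorbs.example.
SORBS-HTTP     http.sorbs.example.
SORBS-SOCKS    socks.sorbs.example.
SORBS-MISC     misc.sorbs.example.
SORBS-WEB      web.sorbs.example.
SORBS-DUL      dul.sorbs.example.
SORBS-RHSBL    rhsbl.sorbs.example.
"""

# The second "Spam List" setting quoted in the thread, joined onto one line.
SAMPLE_SETTING = (
    "Spam List = spamhaus.org spamhaus-XBL SORBS-DNSBL SORBS-SMTP SORBS-SPAM "
    "SORBS-BLOCK SORBS-ZOMBIE SBL+XBL SORBS-DNSBL SORBS-HTTP SORBS-SOCKS "
    "SORBS-MISC SORBS-WEB SORBS-DUL SORBS-RHSBL CBL RSL DSBL BLITZEDALL "
    "spamcop.net"
)

# Operator-maintained tables, seeded from the thread. "XBL includes CBL" is
# stated in the reply; reading SBL+XBL as containing XBL is an assumption
# based on its name.
SUPERSETS = {"CBL": {"spamhaus-XBL", "SBL+XBL"}}
REVIEW_BEFORE_BLOCKING = {
    "spamcop.net": "fine for scoring, but blocking on it will hurt",
    "SORBS-DNSBL": "reported in the thread to block hotmail.com mail",
}


def parse_definitions(conf_text):
    """Return {list name: zone} from spam.lists.conf-style text."""
    definitions = {}
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            definitions[fields[0]] = fields[1].rstrip(".")
    return definitions


def parse_setting(setting_line):
    """Return the list names of a 'Spam List = a b c' line, in order."""
    match = re.match(r"\s*Spam\s+List\s*=\s*(.*)$", setting_line, re.IGNORECASE)
    if not match:
        raise ValueError("not a 'Spam List =' setting")
    value = match.group(1).strip()
    if value.startswith(("/", "%")):
        # The value names a ruleset file instead of listing names directly.
        raise ValueError("value is a ruleset file; lint that file's values")
    return value.split()


def lint_spam_list(setting_line, conf_text,
                   supersets=SUPERSETS, review=REVIEW_BEFORE_BLOCKING):
    """Report duplicates, undefined names, overlaps and lists to review.

    Names are compared exactly, which is an assumption about how
    MailScanner matches them against spam.lists.conf.
    """
    definitions = parse_definitions(conf_text)
    unique, duplicates = [], []
    for name in parse_setting(setting_line):
        if name not in unique:
            unique.append(name)
        elif name not in duplicates:
            duplicates.append(name)
    undefined = [n for n in unique if n not in definitions]
    active = [n for n in unique if n in definitions]
    redundant = {}
    for name in active:
        # A list is redundant when a defined list that contains it is also on.
        covering = sorted(supersets.get(name, set()) & set(active))
        if covering:
            redundant[name] = covering
    return {
        "duplicates": duplicates,
        "undefined": undefined,
        "redundant": redundant,
        "review": {n: review[n] for n in active if n in review},
        "kept": [n for n in active if n not in redundant],
    }


if __name__ == "__main__":
    report = lint_spam_list(SAMPLE_SETTING, SAMPLE_LISTS_CONF)
    for key in ("duplicates", "undefined", "redundant", "review"):
        print(f"{key}: {report[key]}")
    print("Spam List = " + " ".join(report["kept"]))
```

Entries reported under "review" stay in the rebuilt line; whether to keep blocking on them is the operator's decision after reading each list's listing criteria.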
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Mar 7 20:09:25 2007
Subject: Increase in Spam getting through today?
In-Reply-To:
References:
Message-ID: <45EF1A7D.3090802@evi-inc.com>

Paul Houselander wrote:
> Hi
>
> Just a quick one, we've had a massive increase in spam getting through today,
> lots of stock ones, I wondered if anyone else was seeing the same?
>
> They're scoring 0 even though they look very spammy to me.
>
> They're definitely not timing out and I'm still stopping a large amount of spam.
> I can't figure out if spammers have all of a sudden got very clever at
> bypassing SpamAssassin or if something is wrong with my filters!
>
> I use SpamAssassin 3.1.7, sa-update, rules_du_jour, fuzzyocr, DCC, Pyzor and
> Razor and Bayes is enabled.
>
> I've run spamassassin -t -D < message on several of the messages and DCC is
> firing now (but only DCC), so I know SpamAssassin is being run on the message
> but no other rules are being hit!

It is possible the messages are exploiting the vulnerability in 3.1.7. Is there a reason you've not upgraded to 3.1.8?

http://spamassassin.apache.org/advisories/cve-2007-0451.txt

Such exploits would probably show up as "spamassassin timed out and was killed" messages from MailScanner.

From ncanepa at fcen.uba.ar Wed Mar 7 21:05:33 2007
From: ncanepa at fcen.uba.ar (Nicolas Canepa)
Date: Wed Mar 7 20:11:38 2007
Subject: RBL's
In-Reply-To: <45EF1904.9040409@blacknight.ie>
References: <45EF13F7.3050602@fcen.uba.ar> <45EF155E.1010309@blacknight.ie> <45EF178D.5030909@fcen.uba.ar> <45EF1904.9040409@blacknight.ie>
Message-ID: <57500.157.92.32.1.1173297933.squirrel@webmail.fcen.uba.ar>

> Nicolas Canepa wrote:
>>
>> I was using these since yesterday(set in MailScanner.conf):
>> Spam List = spamhaus.org spamhaus-XBL SORBS-SMTP SORBS-ZOMBIE
>> SORBS-HTTP SORBS-SOCKS SORBS-WEB CBL RSL DSBL BLITZEDALL FABELSOURCES
>> PSBL
>> And I was using these:
>> Spam List = spamhaus.org spamhaus-XBL SORBS-DNSBL SORBS-SMTP SORBS-SPAM
>> SORBS-BLOCK SORBS-ZOMBIE SBL+XBL SORBS-DNSBL SORBS-HTTP SORBS-SOCKS
>> SORBS-MISC SORBS-WEB SORBS-DUL SORBS-RHSBL CBL RSL DSBL BLITZEDALL
>> spamcop.net
>>
>>
>
> I'm not surprised you're having issues
>
> Spamcop, for example, is fine for scoring, but blocking based on it will
> hurt you.
>
> XBL includes CBL, so there's little point in doubling up on the entries.
>
> spamhaus.org and spamhaus-XBL do not look like correct entries and are
> probably throwing errors in your logs (you have checked them I hope!)
>
> You should _always_ read the listing criteria for any DNSBL _before_ you
> start using it. If you are unsure do not use it.
>
> Have a read of:
>
> http://www.mneylon.com/blog/archives/2004/08/07/email-filtering-pragmatism-vs-accuracy/
>
> It's a bit old, but a lot of what I say in it is still true.
>
>
> Michele
>
> --
> Mr Michele Neylon
> Blacknight Solutions
> Hosting & Colocation, Brand Protection
> http://www.blacknight.ie/
> http://blog.blacknight.ie/
> Tel. 1850 927 280
> Intl. +353 (0) 59 9183072
> UK: 0870 163 0607
> Fax. +353 (0) 59 9164239
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned by the FCEyN AntiSpam server
> and is free of viruses and other dangerous content.
> For enquiries about e-mail, contact ccc@fcen.uba.ar
>
>

Thank you!!

--
Nicolás Cánepa
ncanepa@fcen.uba.ar
CCC - Centro de Comunicaciones Científicas
UBA - Facultad de Ciencias Exactas y Naturales

From bpumphrey at woodmclaw.com Wed Mar 7 21:08:10 2007
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Wed Mar 7 20:14:19 2007
Subject: RBL's
In-Reply-To: <45EF13F7.3050602@fcen.uba.ar>
Message-ID: <04D932B0071FE34FA63EBB1977B48D15024FC0BC@woodenex.woodmaclaw.local>

I turned all mine off because of false positives. Then I started only using SORBS-DNSBL. From reading the post in the list, seemed like people recommended it. A week later after checking on some questions about not getting email, a lot of hotmail.com email was getting blocked because of SORBS-DNSBL.

________________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Nicolas Canepa
Sent: Wednesday, March 07, 2007 2:35 PM
To: mailscanner@lists.mailscanner.info
Subject: RBL's

I need a recommendation on RBL lists to use in MailScanner. MailScanner has been blocking a lot of legitimate mail from hotmail, and I cannot tell people not to receive mail from hotmail, although I'd like to.

txs,

--
Nicolás Cánepa
ncanepa@fcen.uba.ar
www.ccc.fcen.uba.ar
Telephone - 4576-3382
CCC - Centro de Comunicación Científica
UBA - Facultad de Ciencias Exactas y Naturales

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From glenn.steen at gmail.com Wed Mar 7 21:13:48 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Mar 7 20:19:52 2007 Subject: Skipping users In-Reply-To: References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> <223f97700703070138jfbe8494q28757071ae40f893@mail.gmail.com> Message-ID: <223f97700703071213h65380592l46afe3ed78713c10@mail.gmail.com> On 07/03/07, Scott Silva wrote: > Glenn Steen spake the following on 3/7/2007 1:38 AM: > > On 06/03/07, Scott Silva wrote: > >> Hugo van der Kooij spake the following on 3/5/2007 10:56 PM: > >> > On Mon, 5 Mar 2007, Thomas A. Cameron wrote: > >> > > >> >> I'm not completely sure what the terminology is for what I'm trying to > >> >> do or what layer would be best to do it on, so I'm mailing the list. > >> >> > >> >> I'll start out by saying I'm extremely pleased with MailScanner. The > >> >> entire suite works extremely well, and in the short time I've been > >> >> using it I have already seen better results than from any other > >> >> package I have ever experienced with other packages. > >> >> > >> >> Having said all of that, I have a user that believes he doesn't need > >> >> SPAM protection. He believes he can handle the problem better than any > >> >> tool. If I had a way to do it, I wouldn't block connections with an > >> >> RBL either, just to show him what he's in for. But, that's not > >> >> something I really want to get into. > >> > > >> >> My question is this. How can I tell MailScanner to blindly accept any > >> >> email destined for several addresses? Would I be better off doing this > >> >> on the postfix level with a header check that tests positive on every > >> >> address except his few? I use the SQL whitelist function of MailWatch, > >> >> so I can't whitelist wildcards for his address. Is it possible to > >> >> chain rule files & modules for the "is definitely not spam" option? > >> > > >> >> Any suggestions would REALLY be appreciated. This is such a backward > >> >> idea, I'm not even sure what I would call it. 
> >> > > >> > Well if they want all the spam they want. Let them have it. > >> > > >> > 1. Put some hidden links with a mailto: to they email address on line. > >> > 2. Exclude every check for that user by white listing them in postfix. > >> > 3. Exclude them in your MailScanner with a rule in > >> > spam.whitelist.rules like: > >> > > >> > To: haasje@vanderkooij.org yes > >> > > >> > I use it for a few addresses but for another reason. (Some addresses > >> are > >> > used as bait to educate my bayesian filterin manualy.) > >> > > >> > But if they want it. Let them have is and let them pay for the > >> > additional resources like bandwidth and such. > >> > > >> > Hugo. > >> > > >> You forgot one; > >> high scoring spam action = delete forward lame-user@mydomain.com > >> > > Challenging Res for the "most evil bunny on list" title, are we Scott? :-) > > > > Cheers > I have no problem being second! :-) > > "We're not last! We're not last!!!" ... > > Besides, if I wanted to be the "most evil bunny on list" I would have added > the same to the low scoring spam options. And then I would put their e-mail > address in every newsgroup I could find and also add it to the meta-data of > some web sites! MMMUUUUHHHHAaaaaaaaaa!!! > > And there is also rm -rf /home/lame-user/ See, with a little attention to detail you're putting out a real challenge;-):-) > /need coffee!!! must calm down! Black -> Speed, hyertension, mania... Amber -> Calm... Perhaps not during office hours though:-) Cheers friend -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Mar 7 21:15:27 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Mar 7 20:21:31 2007 Subject: Skipping users In-Reply-To: References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> <223f97700703070138jfbe8494q28757071ae40f893@mail.gmail.com> Message-ID: <223f97700703071215k758d0d8dpf332debb33141a1@mail.gmail.com> On 07/03/07, Scott Silva wrote: > Hugo van der Kooij spake the following on 3/7/2007 11:23 AM: > > On Wed, 7 Mar 2007, Scott Silva wrote: > > > >> /need coffee!!! must calm down! > > > > I was thinking coffee had another purpose. > > > > Hugo. > > > Getting the coffee gives a much needed break. A few minutes with the > newspaper. Maybe a casual conversation with someone that DOESN'T start with > "My computer (is|isn't|hasn't|won't) ....." > I'm sure you get the same thing. > Oh yes. Problem is just to stay out of sight from the abovementioned crowd while getting the coffee&newspaper&chat... But you know all about that too:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From gerard at seibercom.net Wed Mar 7 21:20:55 2007 
From: gerard at seibercom.net (Gerard Seibert) Date: Wed Mar 7 20:27:01 2007 Subject: RBL's In-Reply-To: <04D932B0071FE34FA63EBB1977B48D15024FC0BC@woodenex.woodmaclaw.local> References: <45EF13F7.3050602@fcen.uba.ar> <04D932B0071FE34FA63EBB1977B48D15024FC0BC@woodenex.woodmaclaw.local> Message-ID: <20070307152055.14adc557@localhost> On Wed, 7 Mar 2007 15:08:10 -0500 "Billy A. Pumphrey" wrote: > I turned all mine off because of false positives. Then I started > only using SORBS-DNSBL. From reading the post in the list, seemed > like people recommended it. A week later after checking on some > questions about not getting email, a lot of hotmail.com email was > getting blocked because of SORBS-DNSBL. You'll probably get a log of GMail email blocked also; although that may be a blessing. -- Gerard When some people discover the truth, they just can't understand why everybody isn't eager to hear it. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 187 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070307/f6fde31f/signature.bin From campbell at cnpapers.com Wed Mar 7 21:21:02 2007 From: campbell at cnpapers.com (Steve Campbell) Date: Wed Mar 7 20:27:31 2007 Subject: Fake domains - revisiting.. References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com><223f97700703070138jfbe8494q28757071ae40f893@mail.gmail.com> <20070307195155.GA16668@mew.kcbbs.gen.nz> Message-ID: <004101c760f6$208a3be0$0705000a@ddf5dw71> Hendrik/Dave, ----- Original Message ----- 
From: "Hendrik den Hartog"
To: "MailScanner discussion"
Sent: Wednesday, March 07, 2007 2:51 PM
Subject: Fake domains - revisiting..

> Hello
>
> We use MailScanner on our school's firewall.
>
> We have the not uncommon issue with mail entering with fake domain names,
> that is, mail pretending to come from our domain. (How on earth they glean
> the email names to use is mind-boggling to me?)
>
> I've read a few historic threads RE: this, but I'm after the current
> recommended procedure to deal with this issue.
>
> Running CentOS 3.3/sendmail-8.12.11-4
>
> I've added our domain name to sendmail's access database
> (From:OurDomain.name.com), but
> suspect this may be a crude option to take - although it seems to work?

I would take this out and put it back to where you had it. You are already receiving mail from your domain plus the mail from the spoofed 'your domain'.

>
> Advice, Feedback appreciated...

You mentioned later in a post that you use webmail, though http(?). If this is done through your http servers, then you can add this to your access file, but only by IP, not name.

You should also whitelist your MX server by IP in MailScanner/SA, not by name.

If you have an internal network, use that for all communication between MXs, mailservers, mail hub, mail stores, whatever you want to call them.

A lot depends on how you have your network, and mail system, set up. The more you can isolate the outside world, the easier this all becomes to manage. NICs and switches are all very cheap nowadays. Setting up an internal network with multihomed servers is a snap.

HTH

Steve

>
> Cheers!
> Dave
> --

From lhaig at haigmail.com Wed Mar 7 21:24:36 2007
From: lhaig at haigmail.com (Lance Haig) Date: Wed Mar 7 20:30:38 2007 Subject: Jules is drinking tea In-Reply-To: <20070307135439.GA8331@login.ecs.soton.ac.uk> References: <20070307135439.GA8331@login.ecs.soton.ac.uk> Message-ID: <45EF1F84.5000609@haigmail.com> This is wonderful news I am so happy Keep getting better Julian Lance Tim Chown wrote: > Hi again, > > Today's news is that Jules is very awake and alert, and is drinking tea. > Those who know him well know he gets through a fair few gallons of tea, > so this is a good sign :) > > Also the doctors are wanting to get him out of intensive care as soon as > a bed in another ward becomes free, another good sign. > > Let's hope the recovery continues. It may be hard to keep him offline > before long! > > I'll ramp down the reporting frequency a bit now unless there's anything > significant to say. Please do keep cards coming, I'm sure they'll > continue to be very well received. > > Tim > From bpumphrey at woodmclaw.com Wed Mar 7 21:24:37 2007 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Wed Mar 7 20:30:44 2007 Subject: RBL's In-Reply-To: <20070307152055.14adc557@localhost> Message-ID: <04D932B0071FE34FA63EBB1977B48D15024FC0CC@woodenex.woodmaclaw.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Gerard Seibert > Sent: Wednesday, March 07, 2007 3:21 PM > To: MailScanner discussion > Subject: Re: RBL's > > On Wed, 7 Mar 2007 15:08:10 -0500 > "Billy A. Pumphrey" wrote: > > > I turned all mine off because of false positives. Then I started > > only using SORBS-DNSBL. From reading the post in the list, seemed > > like people recommended it. A week later after checking on some > > questions about not getting email, a lot of hotmail.com email was > > getting blocked because of SORBS-DNSBL. > > You'll probably get a log of GMail email blocked also; although that > may be a blessing. > > -- > Gerard > > When some people discover the truth, they just > can't understand why everybody isn't eager to hear it. Indeed, some of those were blocked as well. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Wed Mar 7 21:27:04 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Mar 7 20:33:07 2007 Subject: RBL's In-Reply-To: <45EF178D.5030909@fcen.uba.ar> References: <45EF13F7.3050602@fcen.uba.ar> <45EF155E.1010309@blacknight.ie> <45EF178D.5030909@fcen.uba.ar> Message-ID: <223f97700703071227x6e6add65lb3f71c73d7bff16c@mail.gmail.com>

On 07/03/07, Nicolas Canepa wrote:
>
> Michele Neylon :: Blacknight wrote:
> Nicolas Canepa wrote:
>
> I need a recommendation on RBL lists to use in mailscanner. MailScanner has
> been blocking a lot of legitimate mail from hotmail, and I cannot tell
> people not to receive mail from hotmail, although I'd like to.
>
> txs,
>
> Which DNSBLs are you currently using and how are you implementing them? MTA
> level or within MailScanner?
>
>
>
> I was using these since yesterday(set in MailScanner.conf):
> Spam List = spamhaus.org spamhaus-XBL SORBS-SMTP SORBS-ZOMBIE SORBS-HTTP
> SORBS-SOCKS SORBS-WEB CBL RSL DSBL BLITZEDALL FABELSOURCES PSBL
> And I was using these:
> Spam List = spamhaus.org spamhaus-XBL SORBS-DNSBL SORBS-SMTP SORBS-SPAM
> SORBS-BLOCK SORBS-ZOMBIE SBL+XBL SORBS-DNSBL SORBS-HTTP SORBS-SOCKS
> SORBS-MISC SORBS-WEB SORBS-DUL SORBS-RHSBL CBL RSL DSBL BLITZEDALL
> spamcop.net
>

I don't think Michele or Billy mentions this, but ... you are using way too many in MailScanner to be really healthy for your processing times...

MailScanner will do the lookups serially, one after the other. Far better to defer most to SpamAssassin, which will do them in parallel. Many prefer to do a few (or all) RBLs in the MTA, to be able to handle the refused ones as little as possible. Some, like me, who (for diverse reasons that we won't go into here) can't use them at the MTA level will use one or possibly two in MailScanner and the rest in SA.

Having them all as you do... could spell trouble of another sort than the obvious one you've already seen:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From michele at blacknight.ie Wed Mar 7 21:32:53 2007
From: michele at blacknight.ie (Michele Neylon :: Blacknight) Date: Wed Mar 7 20:39:01 2007 Subject: RBL's In-Reply-To: <223f97700703071227x6e6add65lb3f71c73d7bff16c@mail.gmail.com> References: <45EF13F7.3050602@fcen.uba.ar> <45EF155E.1010309@blacknight.ie> <45EF178D.5030909@fcen.uba.ar> <223f97700703071227x6e6add65lb3f71c73d7bff16c@mail.gmail.com> Message-ID: <45EF2175.9020604@blacknight.ie>

Glenn Steen wrote:
> I don't think Michele or Billy mentions this, but ... you are using
> way too many in MailScanner to be really healthy for your processing
> times...

I was on my best behaviour :) I was tempted to say "eek! that's madness", but I didn't... Oh wait, I just did :)

> MailScanner will do the lookups serially, one after the other. Far
> better to defer most to SpamAssassin, which will do them in parallel.
> Many prefer to do a few (or all) RBLs in the MTA, to be able to handle
> the refused ones as little as possible. Some, like me, who (for
> diverse reasons that we won't go into here) can't use them at the MTA
> level will use one or possibly two in MailScanner and the rest in SA.
>
> Having them all as you do... could spell trouble of another sort than
> the obvious one you've already seen:-)

The other thing worth mentioning, is that you should try to mirror some of them as close to you as possible if you can. Regardless of where the lookup is being done (SA, MTA or MS) the closer the DNSBL is to you the faster the response

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/ http://blog.blacknight.ie/
Tel. 1850 927 280 Intl. +353 (0) 59 9183072 UK: 0870 163 0607 Fax. +353 (0) 59 9164239

From ssilva at sgvwater.com Wed Mar 7 21:46:14 2007
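The serial-versus-parallel point made in the two messages above, as an added example that is not MailScanner or SpamAssassin code: it builds the reversed-octet DNSBL query names and times the same set of lookups done one after another and then concurrently. The zone names are placeholders under `.example`, and the resolver is a stub with an assumed fixed delay so the example runs offline.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor

# Placeholder zones (constructed); a real deployment would list its DNSBL zones here.
ZONES = [f"list{i}.dnsbl.example" for i in range(1, 7)]

# Constructed stub data: only one zone lists the conventional test address 127.0.0.2.
LISTED = {"2.0.0.127.list3.dnsbl.example": "127.0.0.2"}
SIMULATED_RTT = 0.05  # seconds per query; an assumed round-trip time


def stub_resolver(name):
    """Stand-in for a DNS A lookup: waits, then answers or raises like NXDOMAIN."""
    time.sleep(SIMULATED_RTT)
    if name in LISTED:
        return LISTED[name]
    raise socket.gaierror("NXDOMAIN (simulated)")


def dnsbl_query_name(ipv4, zone):
    """192.0.2.10 checked against zone Z is queried as 10.2.0.192.Z."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ipv4!r}")
    return ".".join(reversed(octets)) + "." + zone


def lookup(ipv4, zone, resolver=stub_resolver):
    """Return (zone, listed). No such name means 'not listed'."""
    try:
        answer = resolver(dnsbl_query_name(ipv4, zone))
    except socket.gaierror:
        return zone, False
    # DNSBLs answer inside 127.0.0.0/8; anything else is not a listing.
    return zone, answer.startswith("127.")


def check_serial(ipv4, zones, resolver=stub_resolver):
    """One lookup after the other: total time is the sum of all round trips."""
    return [lookup(ipv4, z, resolver) for z in zones]


def check_parallel(ipv4, zones, resolver=stub_resolver):
    """All lookups in flight at once: total time is about the slowest one."""
    with ThreadPoolExecutor(max_workers=len(zones)) as pool:
        return list(pool.map(lambda z: lookup(ipv4, z, resolver), zones))


def timed(check, ipv4, zones):
    """Run a checker and return (results, elapsed seconds)."""
    start = time.perf_counter()
    result = check(ipv4, zones)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    for check in (check_serial, check_parallel):
        hits, elapsed = timed(check, "127.0.0.2", ZONES)
        listed = [z for z, hit in hits if hit]
        print(f"{check.__name__}: {elapsed:.2f}s, listed in {listed}")
```

With a real resolver the per-query delay also depends on how far away the DNSBL mirror is, which is the point of the mirroring advice in the second message.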
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Mar 7 20:52:48 2007 Subject: Skipping users In-Reply-To: <223f97700703071213h65380592l46afe3ed78713c10@mail.gmail.com> References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> <223f97700703070138jfbe8494q28757071ae40f893@mail.gmail.com> <223f97700703071213h65380592l46afe3ed78713c10@mail.gmail.com> Message-ID: Glenn Steen spake the following on 3/7/2007 12:13 PM: > On 07/03/07, Scott Silva wrote: >> Glenn Steen spake the following on 3/7/2007 1:38 AM: >> > On 06/03/07, Scott Silva wrote: >> >> Hugo van der Kooij spake the following on 3/5/2007 10:56 PM: >> >> > On Mon, 5 Mar 2007, Thomas A. Cameron wrote: >> >> > >> >> >> I'm not completely sure what the terminology is for what I'm >> trying to >> >> >> do or what layer would be best to do it on, so I'm mailing the >> list. >> >> >> >> >> >> I'll start out by saying I'm extremely pleased with MailScanner. >> The >> >> >> entire suite works extremely well, and in the short time I've been >> >> >> using it I have already seen better results than from any other >> >> >> package I have ever experienced with other packages. >> >> >> >> >> >> Having said all of that, I have a user that believes he doesn't >> need >> >> >> SPAM protection. He believes he can handle the problem better >> than any >> >> >> tool. If I had a way to do it, I wouldn't block connections with an >> >> >> RBL either, just to show him what he's in for. But, that's not >> >> >> something I really want to get into. >> >> > >> >> >> My question is this. How can I tell MailScanner to blindly >> accept any >> >> >> email destined for several addresses? Would I be better off >> doing this >> >> >> on the postfix level with a header check that tests positive on >> every >> >> >> address except his few? I use the SQL whitelist function of >> MailWatch, >> >> >> so I can't whitelist wildcards for his address. 
Is it possible to >> >> >> chain rule files & modules for the "is definitely not spam" option? >> >> > >> >> >> Any suggestions would REALLY be appreciated. This is such a >> backward >> >> >> idea, I'm not even sure what I would call it. >> >> > >> >> > Well if they want all the spam they want. Let them have it. >> >> > >> >> > 1. Put some hidden links with a mailto: to they email address on >> line. >> >> > 2. Exclude every check for that user by white listing them in >> postfix. >> >> > 3. Exclude them in your MailScanner with a rule in >> >> > spam.whitelist.rules like: >> >> > >> >> > To: haasje@vanderkooij.org yes >> >> > >> >> > I use it for a few addresses but for another reason. (Some addresses >> >> are >> >> > used as bait to educate my bayesian filterin manualy.) >> >> > >> >> > But if they want it. Let them have is and let them pay for the >> >> > additional resources like bandwidth and such. >> >> > >> >> > Hugo. >> >> > >> >> You forgot one; >> >> high scoring spam action = delete forward lame-user@mydomain.com >> >> >> > Challenging Res for the "most evil bunny on list" title, are we >> Scott? :-) >> > >> > Cheers >> I have no problem being second! > :-) >> >> "We're not last! We're not last!!!" > ... >> >> Besides, if I wanted to be the "most evil bunny on list" I would have >> added >> the same to the low scoring spam options. And then I would put their >> e-mail >> address in every newsgroup I could find and also add it to the >> meta-data of >> some web sites! MMMUUUUHHHHAaaaaaaaaa!!! >> >> And there is also rm -rf /home/lame-user/ > See, with a little attention to detail you're putting out a real > challenge;-):-) > >> /need coffee!!! must calm down! > Black -> Speed, hyertension, mania... > Amber -> Calm... > Perhaps not during office hours though:-) > > Cheers friend That comes after work! BTW.. In American english, amber is a different thing. Not something easily consumed... But I think I know what you are referring to. 
;-P See http://en.wikipedia.org/wiki/Amber -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From dave.list at pixelhammer.com Wed Mar 7 21:52:20 2007 From: dave.list at pixelhammer.com (DAve) Date: Wed Mar 7 20:58:37 2007 Subject: Jules is drinking tea In-Reply-To: <20070307135439.GA8331@login.ecs.soton.ac.uk> References: <20070307135439.GA8331@login.ecs.soton.ac.uk> Message-ID: <45EF2604.6030703@pixelhammer.com> Tim Chown wrote: > Hi again, > > Today's news is that Jules is very awake and alert, and is drinking tea. > Those who know him well know he gets through a fair few gallons of tea, > so this is a good sign :) > > Also the doctors are wanting to get him out of intensive care as soon as > a bed in another ward becomes free, another good sign. > > Let's hope the recovery continues. It may be hard to keep him offline > before long! > > I'll ramp down the reporting frequency a bit now unless there's anything > significant to say. Please do keep cards coming, I'm sure they'll > continue to be very well received. > > Tim Good news! I sent a postcard, a local tourist postcard. It ain't the Jules World Tour, but at least he can see GreenField's famous courthouse in KodaColor if not in person. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From pete at enitech.com.au Wed Mar 7 23:00:32 2007 
From: pete at enitech.com.au (Peter Russell) Date: Wed Mar 7 22:06:45 2007 Subject: Freds rules from Rulesemporium.com In-Reply-To: <8b462f456b0dbc4ab05ddd3e35515ced@solidstatelogic.com> References: <8b462f456b0dbc4ab05ddd3e35515ced@solidstatelogic.com> Message-ID: <45EF3600.80409@enitech.com.au> Thanks for that. Not easy to find any automagic way of updating these? Is it in RDJ and i am just too blind to see? Also it says "SOME RULES REQUIRE THAT YOU HAVE TRUSTED_NETWORKS SET PROPERLY" Where is the best guide for setting this up properly? Seems like something i could slightly wrong and have a big impact. Many thanks Pete Martin.Hepworth wrote: > All > > Well after five months some of us on the IRC channel have finally > noticed that a lot of Fred's Rules on > www.rulesemporium.com/other-rules.htm have moved to one big file. > > It's mentioned in the comments on the files, but a lot of us seem to > have missed this...so I thought I'd give a heads up to others. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 >
From ssilva at sgvwater.com Wed Mar 7 23:13:08 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Mar 7 22:19:17 2007 Subject: Freds rules from Rulesemporium.com In-Reply-To: <45EF3600.80409@enitech.com.au> References: <8b462f456b0dbc4ab05ddd3e35515ced@solidstatelogic.com> <45EF3600.80409@enitech.com.au> Message-ID: Peter Russell spake the following on 3/7/2007 2:00 PM: > Thanks for that. Not easy to find any automagic way of updating these? > Is it in RDJ and i am just too blind to see? > > Also it says > "SOME RULES REQUIRE THAT YOU HAVE TRUSTED_NETWORKS SET PROPERLY" > > Where is the best guide for setting this up properly? Seems like > something i could slightly wrong and have a big impact. > http://wiki.apache.org/spamassassin/TrustPath will help you a lot, but basically, it is just the address ranges that "your" mail should either come from or be relayed from. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From hvdkooij at vanderkooij.org Wed Mar 7 23:28:42 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Mar 7 22:34:53 2007 Subject: Maillog-virus.pl 20070307 Message-ID:

Hi,

I did manage to get the timestamps sorted out a bit. (If someone has a log file of last year they could see if the timestamps are ok on those.) Anything over 11 months old will probably get an inaccurate timestamp.

Download: http://hugo.vanderkooij.org/email/stats/maillog-virus.pl

So I now seem to have a way to get the 3 ingredients I want to collect: timestamp; AV tool; infection name.

The next thing is to write a collector to handle these reports, put them in a database and show some nice statistics about them. That way there is a way to build an insight into current malware activity. At least it could tell what is hot today or what was hot yesterday or last week or ....

And finally it needs to be secured so only participating parties can have their logs analyzed and added to the database so there is at least a reasonable amount of accuracy.

In the end it should resemble the dshield way of doing things by publishing the interchange format so people can write their own collectors.

So please give this script a spin to see if the collecting is nearing accuracy for systems running MailScanner and logging silent viruses including the AV info.

The MailScanner config I use contains:

Virus Scanning = yes
Virus Scanners = clamav f-prot mcafee
Silent Viruses = HTML-IFrame All-Viruses
Log Silent Viruses = yes

(I also wrote a bit to parse BitDefender for now.)

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From glenn.steen at gmail.com Wed Mar 7 23:45:19 2007
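The timestamp caveat in the message above follows from classic syslog lines carrying no year. The following is an added example, not Hugo's maillog-virus.pl: it shows one way to infer the year and emit the three fields he names (timestamp, AV tool, infection name). The message layout after the syslog prefix, the sample lines and every function name are constructed for illustration and are not MailScanner's real log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample. The "Mon DD HH:MM:SS host tag[pid]:" prefix is the classic
# syslog layout (no year); the "<scanner>: <file> infected: <name>" part is a
# hypothetical layout, NOT MailScanner's actual log wording.
SAMPLE_LOG = """\
Dec 30 23:58:11 mx1 MailScanner[2101]: clamav: invoice.zip infected: Worm.Sample.A
Jan  2 00:04:37 mx1 MailScanner[2101]: f-prot: photo.scr infected: W32/Sample.B@mm
Mar  7 21:14:03 mx1 MailScanner[4242]: mcafee: doc.pif infected: W32/Sample.C
Mar  7 21:15:00 mx1 sendmail[4300]: l27LF0xx004300: from=<a@example.org>, size=1204
"""

MONTHS = {name: number for number, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\S+\s+MailScanner\[\d+\]:\s+"
    r"(?P<scanner>[\w-]+):\s+\S+\s+infected:\s+(?P<name>\S+)$"
)


def infer_timestamp(mon, day, hms, now):
    """Attach a year to a year-less syslog timestamp.

    Picks the most recent year that does not put the line in the future
    (one day of slack for clock skew). A line older than about twelve
    months therefore lands in the wrong year; nothing in the line itself
    can prevent that.
    """
    if mon not in MONTHS:
        return None
    hour, minute, second = (int(part) for part in hms.split(":"))
    for year in range(now.year, now.year - 5, -1):
        try:
            ts = datetime(year, MONTHS[mon], int(day), hour, minute, second)
        except ValueError:
            continue  # e.g. Feb 29 in a non-leap year: try an earlier year
        if ts <= now + timedelta(days=1):
            return ts
    return None


def parse_log(text, now=None):
    """Return a list of (ISO timestamp, AV tool, infection name) tuples."""
    now = now or datetime.now()
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # other daemons, or lines that are not infection reports
        ts = infer_timestamp(match["mon"], match["day"], match["time"], now)
        if ts is not None:
            records.append((ts.isoformat(), match["scanner"], match["name"]))
    return records


if __name__ == "__main__":
    # "now" is pinned so the December line visibly falls into the previous year.
    for record in parse_log(SAMPLE_LOG, now=datetime(2007, 3, 7, 23, 0, 0)):
        print(";".join(record))
```

Records in this three-field form could feed the collector the message goes on to describe.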
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Mar 7 22:57:39 2007 Subject: Skipping users In-Reply-To: References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> <223f97700703070138jfbe8494q28757071ae40f893@mail.gmail.com> <223f97700703071213h65380592l46afe3ed78713c10@mail.gmail.com> Message-ID: <223f97700703071445m4fc3cfcaq8e9b0e704a8d31fe@mail.gmail.com> On 07/03/07, Scott Silva wrote: > Glenn Steen spake the following on 3/7/2007 12:13 PM: > > On 07/03/07, Scott Silva wrote: > >> Glenn Steen spake the following on 3/7/2007 1:38 AM: > >> > On 06/03/07, Scott Silva wrote: > >> >> Hugo van der Kooij spake the following on 3/5/2007 10:56 PM: > >> >> > On Mon, 5 Mar 2007, Thomas A. Cameron wrote: > >> >> > > >> >> >> I'm not completely sure what the terminology is for what I'm > >> trying to > >> >> >> do or what layer would be best to do it on, so I'm mailing the > >> list. > >> >> >> > >> >> >> I'll start out by saying I'm extremely pleased with MailScanner. > >> The > >> >> >> entire suite works extremely well, and in the short time I've been > >> >> >> using it I have already seen better results than from any other > >> >> >> package I have ever experienced with other packages. > >> >> >> > >> >> >> Having said all of that, I have a user that believes he doesn't > >> need > >> >> >> SPAM protection. He believes he can handle the problem better > >> than any > >> >> >> tool. If I had a way to do it, I wouldn't block connections with an > >> >> >> RBL either, just to show him what he's in for. But, that's not > >> >> >> something I really want to get into. > >> >> > > >> >> >> My question is this. How can I tell MailScanner to blindly > >> accept any > >> >> >> email destined for several addresses? Would I be better off > >> doing this > >> >> >> on the postfix level with a header check that tests positive on > >> every > >> >> >> address except his few? 
I use the SQL whitelist function of > >> MailWatch, > >> >> >> so I can't whitelist wildcards for his address. Is it possible to > >> >> >> chain rule files & modules for the "is definitely not spam" option? > >> >> > > >> >> >> Any suggestions would REALLY be appreciated. This is such a > >> backward > >> >> >> idea, I'm not even sure what I would call it. > >> >> > > >> >> > Well if they want all the spam they want. Let them have it. > >> >> > > >> >> > 1. Put some hidden links with a mailto: to they email address on > >> line. > >> >> > 2. Exclude every check for that user by white listing them in > >> postfix. > >> >> > 3. Exclude them in your MailScanner with a rule in > >> >> > spam.whitelist.rules like: > >> >> > > >> >> > To: haasje@vanderkooij.org yes > >> >> > > >> >> > I use it for a few addresses but for another reason. (Some addresses > >> >> are > >> >> > used as bait to educate my bayesian filterin manualy.) > >> >> > > >> >> > But if they want it. Let them have is and let them pay for the > >> >> > additional resources like bandwidth and such. > >> >> > > >> >> > Hugo. > >> >> > > >> >> You forgot one; > >> >> high scoring spam action = delete forward lame-user@mydomain.com > >> >> > >> > Challenging Res for the "most evil bunny on list" title, are we > >> Scott? :-) > >> > > >> > Cheers > >> I have no problem being second! > > :-) > >> > >> "We're not last! We're not last!!!" > > ... > >> > >> Besides, if I wanted to be the "most evil bunny on list" I would have > >> added > >> the same to the low scoring spam options. And then I would put their > >> e-mail > >> address in every newsgroup I could find and also add it to the > >> meta-data of > >> some web sites! MMMUUUUHHHHAaaaaaaaaa!!! > >> > >> And there is also rm -rf /home/lame-user/ > > See, with a little attention to detail you're putting out a real > > challenge;-):-) > > > >> /need coffee!!! must calm down! > > Black -> Speed, hyertension, mania... > > Amber -> Calm... 
> > Perhaps not during office hours though:-) > > > > Cheers friend > That comes after work! > BTW.. In American english, amber is a different thing. Not something easily > consumed... But I think I know what you are referring to. ;-P > > See http://en.wikipedia.org/wiki/Amber It is in referral to the color of the drink (same as what named the fossilised resin in the first place, or perhaps the other way around, at least according to http://en.wikipedia.org/wiki/Amber_(color) :-). ... My personal preference is the Single Malt variant... where some, if not all, to my colourblind eyes are indistinguishable (in colour) from the Amber that is oh so very common around here (semi-rock... fossilised resin... No good for drinking, indeed:). Cheers! -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Thu Mar 8 00:29:43 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Mar 7 23:35:36 2007 Subject: Skipping users In-Reply-To: <223f97700703071445m4fc3cfcaq8e9b0e704a8d31fe@mail.gmail.com> References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> <223f97700703070138jfbe8494q28757071ae40f893@mail.gmail.com> <223f97700703071213h65380592l46afe3ed78713c10@mail.gmail.com> <223f97700703071445m4fc3cfcaq8e9b0e704a8d31fe@mail.gmail.com> Message-ID: Glenn Steen spake the following on 3/7/2007 2:45 PM: > On 07/03/07, Scott Silva wrote: >> Glenn Steen spake the following on 3/7/2007 12:13 PM: >> > On 07/03/07, Scott Silva wrote: >> >> Glenn Steen spake the following on 3/7/2007 1:38 AM: >> >> > On 06/03/07, Scott Silva wrote: >> >> >> Hugo van der Kooij spake the following on 3/5/2007 10:56 PM: >> >> >> > On Mon, 5 Mar 2007, Thomas A. Cameron wrote: >> >> >> > >> >> >> >> I'm not completely sure what the terminology is for what I'm >> >> trying to >> >> >> >> do or what layer would be best to do it on, so I'm mailing the >> >> list. >> >> >> >> >> >> >> >> I'll start out by saying I'm extremely pleased with MailScanner. >> >> The >> >> >> >> entire suite works extremely well, and in the short time >> I've been >> >> >> >> using it I have already seen better results than from any other >> >> >> >> package I have ever experienced with other packages. >> >> >> >> >> >> >> >> Having said all of that, I have a user that believes he doesn't >> >> need >> >> >> >> SPAM protection. He believes he can handle the problem better >> >> than any >> >> >> >> tool. If I had a way to do it, I wouldn't block connections >> with an >> >> >> >> RBL either, just to show him what he's in for. But, that's not >> >> >> >> something I really want to get into. >> >> >> > >> >> >> >> My question is this. How can I tell MailScanner to blindly >> >> accept any >> >> >> >> email destined for several addresses? 
Would I be better off >> >> doing this >> >> >> >> on the postfix level with a header check that tests positive on >> >> every >> >> >> >> address except his few? I use the SQL whitelist function of >> >> MailWatch, >> >> >> >> so I can't whitelist wildcards for his address. Is it >> possible to >> >> >> >> chain rule files & modules for the "is definitely not spam" >> option? >> >> >> > >> >> >> >> Any suggestions would REALLY be appreciated. This is such a >> >> backward >> >> >> >> idea, I'm not even sure what I would call it. >> >> >> > >> >> >> > Well if they want all the spam they want. Let them have it. >> >> >> > >> >> >> > 1. Put some hidden links with a mailto: to they email address on >> >> line. >> >> >> > 2. Exclude every check for that user by white listing them in >> >> postfix. >> >> >> > 3. Exclude them in your MailScanner with a rule in >> >> >> > spam.whitelist.rules like: >> >> >> > >> >> >> > To: haasje@vanderkooij.org yes >> >> >> > >> >> >> > I use it for a few addresses but for another reason. (Some >> addresses >> >> >> are >> >> >> > used as bait to educate my bayesian filterin manualy.) >> >> >> > >> >> >> > But if they want it. Let them have is and let them pay for the >> >> >> > additional resources like bandwidth and such. >> >> >> > >> >> >> > Hugo. >> >> >> > >> >> >> You forgot one; >> >> >> high scoring spam action = delete forward lame-user@mydomain.com >> >> >> >> >> > Challenging Res for the "most evil bunny on list" title, are we >> >> Scott? :-) >> >> > >> >> > Cheers >> >> I have no problem being second! >> > :-) >> >> >> >> "We're not last! We're not last!!!" >> > ... >> >> >> >> Besides, if I wanted to be the "most evil bunny on list" I would have >> >> added >> >> the same to the low scoring spam options. And then I would put their >> >> e-mail >> >> address in every newsgroup I could find and also add it to the >> >> meta-data of >> >> some web sites! MMMUUUUHHHHAaaaaaaaaa!!! 
>> >> >> >> And there is also rm -rf /home/lame-user/ >> > See, with a little attention to detail you're putting out a real >> > challenge;-):-) >> > >> >> /need coffee!!! must calm down! >> > Black -> Speed, hyertension, mania... >> > Amber -> Calm... >> > Perhaps not during office hours though:-) >> > >> > Cheers friend >> That comes after work! >> BTW.. In American english, amber is a different thing. Not something >> easily >> consumed... But I think I know what you are referring to. ;-P >> >> See http://en.wikipedia.org/wiki/Amber > It is in referral to the color of the drink (same as what named the > fossilised resin in the first place, or perhaps the other way around, > at least according to http://en.wikipedia.org/wiki/Amber_(color) :-). > ... My personal preference is the Single Malt variant... where some, > if not all, to my colourblind eyes are indistinguishable (in colour) > from the Amber that is oh so very common around here (semi-rock... > fossilised resin... No good for drinking, indeed:). > > Cheers! My American roots aside, I tend to favor a good Bourbon, but will try anything once! But that is more habit and availability then actual preference. But we are straying a little bit again! Cheers!! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From arturs at netvision.net.il Thu Mar 8 01:16:12 2007 
From: arturs at netvision.net.il (Arthur Sherman) Date: Thu Mar 8 00:23:48 2007 Subject: DKIM with MailScanner Message-ID: <062a01c76116$faff5240$0dfb1bac@lapxp> I tried to install DKIM with MailScanner and now it neither signs w/ DKIM nor scans with MailScanner (X-CPTeam-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0,required 4, autolearn=not spam) Everything was fine before. When I run 'MailScanner --debug-sa --lint' it throws me this error: Maybe you could help me with this. TIA -- [root@ns1 ~]# MailScanner --debug-sa --lint Read 764 hostnames from the phishing whitelist Checking version numbers... Version number in MailScanner.conf (4.58.9) is correct. Checking for SpamAssassin errors (if you use it)... Using SpamAssassin results cache Connected to SpamAssassin cache database plugin: failed to parse plugin (from @INC): Can't locate Mail/DKIM.pm in @INC (@INC contains: lib /usr/sbin /usr/sbin/MailScanner /usr/lib/MailScanner /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 
/usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . /usr/lib/MailScanner/5.8.5/i386-linux-thread-multi /usr/lib/MailScanner/5.8.5 /usr/lib/MailScanner/i386-linux-thread-multi /usr/lib/MailScanner/5.8.4 /usr/lib/MailScanner/5.8.3 /usr/lib/MailScanner/5.8.2 /usr/lib/MailScanner/5.8.1 /usr/lib/MailScanner/5.8.0) at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/DKIM.pm line 60. BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/DKIM.pm line 60. Compilation failed in require at (eval 90) line 1. plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::DKIM: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::DKIM" at (eval 91) line 1. config: configuration file "/usr/share/spamassassin/20_advance_fee.cf" requires version 3.001008 of SpamAssassin, but this is code version 3.001007. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345. 
---LAST LINE REPEATS MANY TIMES---
set for non-existent rule HELO_DYNAMIC_HOME_NL config: warning: score set for non-existent rule HTML_CHARSET_FARAWAY config: warning: score set for non-existent rule FORGED_MSGID_YAHOO config: warning: score set for non-existent rule CONFIDENTIAL_ORDER config: warning: score set for non-existent rule MANY_EXCLAMATIONS config: warning: score set for non-existent rule SUSPICIOUS_RECIPS config: warning: score set for non-existent rule HTML_SHORT_LENGTH config: warning: score set for non-existent rule RCVD_DOUBLE_IP_LOOSE config: warning: score set for non-existent rule FROM_ALL_NUMS config: warning: score set for non-existent rule DOMAIN_4U2 config: warning: score set for non-existent rule EXTRA_CASH config: warning: score set for non-existent rule HIGH_CODEPAGE_URI config: warning: score set for non-existent rule RCVD_IN_BL_SPAMCOP_NET config: warning: score set for non-existent rule SEE_FOR_YOURSELF config: warning: score set for non-existent rule HABEAS_ACCREDITED_SOI config: warning: score set for non-existent rule HTML_FONT_FACE_BAD config: warning: score set for non-existent rule DNS_FROM_RFC_BOGUSMX config: warning: score set for non-existent rule SPOOF_COM2COM config: warning: score set for non-existent rule SOMETHING_FOR_ADULTS config: warning: score set for non-existent rule HIDE_WIN_STATUS config: warning: score set for non-existent rule DATE_SPAMWARE_Y2K config: warning: score set for non-existent rule URI_UPPER_LOWER config: warning: score set for non-existent rule HTML_BADTAG_50_60 config: warning: score set for non-existent rule RCVD_IN_MAPS_RSS config: warning: score set for non-existent rule HTML_FONT_TINY config: warning: score set for non-existent rule MISSING_MIME_HB_SEP config: warning: score set for non-existent rule RCVD_ILLEGAL_IP config: warning: score set for non-existent rule MONEY_BACK config: warning: score set for non-existent rule MISSING_DATE config: warning: score set for non-existent rule SUBJ_GUARANTEED config: warning: score set for 
non-existent rule HTML_SHOUTING4 config: warning: score set for non-existent rule HTML_BADTAG_20_30 config: warning: score set for non-existent rule OFFSHORE_SCAM config: warning: score set for non-existent rule DIGEST_MULTIPLE config: warning: score set for non-existent rule MIME_BOUND_DIGITS_15 config: warning: score set for non-existent rule NO_MEDICAL config: warning: score set for non-existent rule URG_BIZ config: warning: score set for non-existent rule REPLY_TO_EMPTY config: warning: score set for non-existent rule RCVD_IN_SORBS_BLOCK config: warning: score set for non-existent rule URI_OFFERS config: warning: score set for non-existent rule HTML_OBFUSCATE_60_70 config: warning: score set for non-existent rule URI_SCHEME_MIXED_CASE config: warning: score set for non-existent rule SUBJECT_DRUG_GAP_VA config: warning: score set for non-existent rule BANG_OPRAH config: warning: score set for non-existent rule HTTP_ESCAPED_HOST config: warning: score set for non-existent rule DEEP_DISC_MEDS config: warning: score set for non-existent rule TO_TXT config: warning: score set for non-existent rule MIME_BASE64_NO_NAME config: warning: score set for non-existent rule DRUGS_ERECTILE_OBFU config: warning: score set for non-existent rule HTML_30_40 config: warning: score set for non-existent rule DRUGS_SMEAR1 config: warning: score set for non-existent rule HTML_OBFUSCATE_90_100 config: warning: score set for non-existent rule LIVE_PORN config: warning: score set for non-existent rule INVALID_TZ_EST config: warning: score set for non-existent rule SUBJ_HAS_UNIQ_ID config: warning: score set for non-existent rule UPPERCASE_25_50 config: warning: score set for non-existent rule HIDDEN_CHARGES config: warning: score set for non-existent rule URI_UNSUBSCRIBE config: warning: score set for non-existent rule HTML_COMMENT_SHORT config: warning: score set for non-existent rule RCVD_IN_MAPS_RBL config: warning: score set for non-existent rule HTML_SHORT_LINK_IMG_2 config: 
warning: score set for non-existent rule EXCUSE_12 config: warning: score set for non-existent rule BLANK_LINES_90_100 config: warning: score set for non-existent rule RCVD_IN_SORBS_SOCKS config: warning: score set for non-existent rule HG_HORMONE config: warning: score set for non-existent rule MSGID_SPAM_ALPHA_NUM config: warning: score set for non-existent rule HTML_LINK_OPT_OUT config: warning: score set for non-existent rule HTML_TITLE_EMPTY config: warning: score set for non-existent rule BLANK_LINES_70_80 config: warning: score set for non-existent rule MILLION_USD config: warning: score set for non-existent rule HTML_IMAGE_ONLY_16 config: warning: score set for non-existent rule MISSING_HEADERS config: warning: score set for non-existent rule ROUND_THE_WORLD config: warning: score set for non-existent rule SUBJ_YOUR_OWN config: warning: score set for non-existent rule MIME_BAD_ISO_CHARSET config: warning: score set for non-existent rule X_MAILER_SPAM config: warning: score set for non-existent rule MIME_HEADER_CTYPE_ONLY config: warning: score set for non-existent rule DRUG_ED_GENERIC config: warning: score set for non-existent rule MSGID_DOLLARS_RANDOM config: warning: score set for non-existent rule SUBJ_YOUR_DEBT config: warning: score set for non-existent rule HTML_OBFUSCATE_30_40 config: warning: score set for non-existent rule REMOVE_POSTAL config: warning: score set for non-existent rule URI_NOVOWEL config: warning: score set for non-existent rule RCVD_IN_SORBS_DUL config: warning: score set for non-existent rule DRUGS_DIET_OBFU config: warning: score set for non-existent rule HTML_SHOUTING3 config: warning: score set for non-existent rule NO_PRESCRIPTION config: warning: score set for non-existent rule HTTPS_IP_MISMATCH config: warning: score set for non-existent rule EXCUSE_6 config: warning: score set for non-existent rule EMAIL_ROT13 config: warning: score set for non-existent rule SUBJECT_DRUG_GAP_C config: warning: score set for non-existent 
rule HTML_BACKHAIR_8 config: warning: score set for non-existent rule RCVD_AM_PM config: warning: score set for non-existent rule BODY_ENHANCEMENT config: warning: score set for non-existent rule HTML_IMAGE_RATIO_04 config: warning: score set for non-existent rule HTML_FONT_SIZE_NONE config: warning: score set for non-existent rule DNS_FROM_SECURITYSAGE config: warning: score set for non-existent rule HTTP_77 config: warning: score set for non-existent rule HTML_NONELEMENT_20_30 config: warning: score set for non-existent rule HTML_MESSAGE config: warning: score set for non-existent rule DIET_2 config: warning: score set for non-existent rule GET_PAID config: warning: score set for non-existent rule FROM_AND_TO_SAME config: warning: score set for non-existent rule ORG_MIME_TOOLS config: warning: score set for non-existent rule INVALID_MSGID config: warning: score set for non-existent rule CHARSET_FARAWAY_HEADER config: warning: score set for non-existent rule RCVD_IN_DSBL config: warning: score set for non-existent rule BAYES_99 config: warning: score set for non-existent rule SUBJECT_EXCESS_QP config: warning: score set for non-existent rule FROM_EXCESS_BASE64 config: warning: score set for non-existent rule RCVD_BY_IP config: warning: score set for non-existent rule URI_HEX config: warning: score set for non-existent rule SENT_IN_COMPLIANCE config: warning: score set for non-existent rule HTML_BADTAG_90_100 config: warning: score set for non-existent rule HTML_TAG_BALANCE_BODY config: warning: score set for non-existent rule HTML_BADTAG_00_10 config: warning: score set for non-existent rule HELO_DYNAMIC_DHCP config: warning: score set for non-existent rule X_IP config: warning: score set for non-existent rule MEET_SINGLES config: warning: score set for non-existent rule HTML_COMMENT_SAVED_URL config: warning: score set for non-existent rule HTTP_EXCESSIVE_ESCAPES config: warning: score set for non-existent rule FORGED_AOL_RCVD config: warning: score set for 
non-existent rule HTML_EXTRA_CLOSE config: warning: score set for non-existent rule FORGED_HOTMAIL_RCVD2 config: warning: score set for non-existent rule SUBJ_CONSONANTS config: warning: score set for non-existent rule INFO_TLD config: warning: score set for non-existent rule ADVANCE_FEE_2 config: warning: score set for non-existent rule FIN_FREE config: warning: score set for non-existent rule CHINA_HEADER config: warning: score set for non-existent rule HTML_TITLE_SUBJ_DIFF config: warning: score set for non-existent rule DRUGS_ANXIETY_EREC config: warning: score set for non-existent rule RCVD_DOUBLE_IP_SPAM config: warning: score set for non-existent rule FROM_HAS_ULINE_NUMS config: warning: score set for non-existent rule FAKE_HELO_YAHOO_CA config: warning: score set for non-existent rule CUM_SHOT config: warning: score set for non-existent rule ACT_NOW_CAPS config: warning: score set for non-existent rule HTML_IMAGE_ONLY_08 config: warning: score set for non-existent rule DRUG_ED_COMBO config: warning: score set for non-existent rule SUBJECT_DRUG_GAP_L config: warning: score set for non-existent rule BIZ_TLD config: warning: score set for non-existent rule RCVD_IN_NJABL_CGI config: warning: score set for non-existent rule BAD_ENC_HEADER config: warning: score set for non-existent rule HTML_NONELEMENT_70_80 config: warning: score set for non-existent rule MALE_ENHANCE config: warning: score set for non-existent rule FORWARD_LOOKING config: warning: score set for non-existent rule REFINANCE_NOW config: warning: score set for non-existent rule EARN_PER_WEEK config: warning: score set for non-existent rule URI_NO_WWW_INFO_CGI config: warning: score set for non-existent rule HELO_DYNAMIC_OOL config: warning: score set for non-existent rule FREE_ACCESS config: warning: score set for non-existent rule HOT_NASTY config: warning: score set for non-existent rule ALL_NATURAL config: warning: score set for non-existent rule FROM_ILLEGAL_CHARS config: warning: score set 
for non-existent rule HTML_NONELEMENT_80_90 config: warning: score set for non-existent rule DNS_FROM_RFC_ABUSE config: warning: score set for non-existent rule HELO_DYNAMIC_VTR config: warning: score set for non-existent rule FORGED_MSGID_AOL config: warning: score set for non-existent rule HTML_00_10 config: warning: score set for non-existent rule STRONG_BUY config: warning: score set for non-existent rule ML_MARKETING config: warning: score set for non-existent rule PORN_URL_MISC config: warning: score set for non-existent rule HTML_TITLE_LONG config: warning: score set for non-existent rule BANG_MORE config: warning: score set for non-existent rule TO_CC_NONE config: warning: score set for non-existent rule SUBJECT_DRUG_GAP_P config: warning: score set for non-existent rule OPTING_OUT_CAPS config: warning: score set for non-existent rule MARKETING_PARTNERS config: warning: score set for non-existent rule DATE_IN_FUTURE_03_06 config: warning: score set for non-existent rule DEAR_FRIEND config: warning: score set for non-existent rule HTML_FONT_INVISIBLE config: warning: score set for non-existent rule RCVD_IN_WHOIS_INVALID config: warning: score set for non-existent rule HTML_90_100 config: warning: score set for non-existent rule RCVD_IN_MAPS_NML config: warning: score set for non-existent rule NA_DOLLARS config: warning: score set for non-existent rule LOW_PRICE config: warning: score set for non-existent rule HTML_SHOUTING7 config: warning: score set for non-existent rule FROM_LOCAL_HEX config: warning: score set for non-existent rule RCVD_IN_NJABL_DUL config: warning: score set for non-existent rule HTML_TAG_EXIST_MARQUEE config: warning: score set for non-existent rule BANG_GUAR config: warning: score set for non-existent rule SUBJ_FOR_ONLY config: warning: score set for non-existent rule MIME_HTML_ONLY_MULTI config: warning: score set for non-existent rule BAYES_95 config: warning: score set for non-existent rule RCVD_IN_WHOIS_HIJACKED config: warning: 
score set for non-existent rule HABEAS_CHECKED config: warning: score set for non-existent rule FORGED_MUA_MOZILLA config: warning: score set for non-existent rule EXCUSE_23 config: warning: score set for non-existent rule MSGID_SHORT config: warning: score set for non-existent rule DAV_NON_HOTMAIL config: warning: score set for non-existent rule ENTITY_DEC_ALPHANUM config: warning: score set for non-existent rule NOT_ADVISOR config: warning: score set for non-existent rule X_PRIORITY_HIGH config: warning: score set for non-existent rule HTML_80_90 config: warning: score set for non-existent rule HTML_FONT_SIZE_TINY config: warning: score set for non-existent rule SUBJ_ILLEGAL_CHARS config: warning: score set for non-existent rule DRUG_ED_SILD config: warning: score set for non-existent rule RCVD_IN_XBL config: warning: score set for non-existent rule HABEAS_ACCREDITED_COI config: warning: score set for non-existent rule ONLINE_PHARMACY config: warning: score set for non-existent rule YAHOO_RD_REDIR config: warning: score set for non-existent rule HTML_BADTAG_10_20 config: warning: score set for non-existent rule UNDISC_RECIPS config: warning: score set for non-existent rule JOIN_MILLIONS config: warning: score set for non-existent rule RCVD_IN_SORBS_HTTP config: warning: score set for non-existent rule DATE_IN_FUTURE_48_96 config: warning: score set for non-existent rule X_MSMAIL_PRIORITY_HIGH config: warning: score set for non-existent rule MSGID_OUTLOOK_INVALID config: warning: score set for non-existent rule QUALIFY_FOR_THIS config: warning: score set for non-existent rule WHY_PAY_MORE config: warning: score set for non-existent rule DRUGS_ERECTILE config: warning: score set for non-existent rule DRUGS_ANXIETY_OBFU config: warning: score set for non-existent rule GAPPY_SUBJECT config: warning: score set for non-existent rule URI_IS_POUND config: warning: score set for non-existent rule UPPERCASE_75_100 config: warning: score set for non-existent rule 
MULTI_FORGED config: warning: score set for non-existent rule HAIR_LOSS config: warning: score set for non-existent rule SPOOF_COM2OTH config: warning: score set for non-existent rule MICRO_CAP_WARNING config: warning: score set for non-existent rule MAILTO_TO_REMOVE config: warning: score set for non-existent rule __RCVD_IN_SORBS config: warning: score set for non-existent rule HTML_FONT_LOW_CONTRAST config: warning: score set for non-existent rule FREE_PREVIEW config: warning: score set for non-existent rule HTML_OBFUSCATE_40_50 config: warning: score set for non-existent rule LOCALPART_IN_SUBJECT config: warning: score set for non-existent rule HELO_DYNAMIC_TELIA config: warning: score set for non-existent rule ALL_TRUSTED config: warning: score set for non-existent rule HTML_IMAGE_ONLY_04 config: warning: score set for non-existent rule BAYES_20 config: warning: score set for non-existent rule HELO_DYNAMIC_CHELLO_NL config: warning: score set for non-existent rule MSGID_YAHOO_CAPS config: warning: score set for non-existent rule DRUG_ED_CAPS config: warning: score set for non-existent rule NO_RELAYS config: warning: score set for non-existent rule MIME_BOUND_RKFINDY config: warning: score set for non-existent rule DATE_IN_FUTURE_12_24 config: warning: score set for non-existent rule HTML_OBFUSCATE_80_90 config: warning: score set for non-existent rule MPART_ALT_DIFF_COUNT config: warning: score set for non-existent rule SUBJECT_DRUG_GAP_S config: warning: score set for non-existent rule AMAZING_STUFF config: warning: score set for non-existent rule BEST_PORN config: warning: score set for non-existent rule HTML_SHORT_LINK_IMG_1 config: warning: score set for non-existent rule MSGID_SPAM_LETTERS config: warning: score set for non-existent rule BAYES_00 config: warning: score set for non-existent rule TO_NO_USER config: warning: score set for non-existent rule RECEIVE_OFFER config: warning: score set for non-existent rule UNCLAIMED_MONEY config: warning: score 
set for non-existent rule STOCK_ALERT config: warning: score set for non-existent rule HELO_DYNAMIC_ADELPHIA config: warning: score set for non-existent rule WEIRD_QUOTING config: warning: score set for non-existent rule TRACKER_ID config: warning: score set for non-existent rule DATE_IN_PAST_24_48 config: warning: score set for non-existent rule BARGAIN_URL config: warning: score set for non-existent rule EXCUSE_REMOVE config: warning: score set for non-existent rule HEAD_ILLEGAL_CHARS config: warning: score set for non-existent rule SUBJECT_NOVOWEL config: warning: score set for non-existent rule UNPARSEABLE_RELAY config: warning: score set for non-existent rule BAYES_05 config: warning: score set for non-existent rule DOMAIN_RATIO config: warning: score set for non-existent rule HELO_DYNAMIC_VELOX config: warning: score set for non-existent rule NO_DNS_FOR_FROM config: warning: score set for non-existent rule NO_REAL_NAME config: warning: score set for non-existent rule FROM_BLANK_NAME config: warning: score set for non-existent rule HELO_DYNAMIC_HEXIP config: warning: score set for non-existent rule NO_FORMS config: warning: score set for non-existent rule HTML_BADTAG_30_40 config: warning: score set for non-existent rule HARDCORE_PORN config: warning: score set for non-existent rule MORE_SEX config: warning: score set for non-existent rule WHY_WAIT config: warning: score set for non-existent rule INVALID_DATE_TZ_ABSURD config: warning: score set for non-existent rule TO_EMPTY config: warning: score set for non-existent rule INVALID_DATE config: warning: score set for non-existent rule PRICES_ARE_AFFORDABLE config: warning: score set for non-existent rule RCVD_IN_IADB_VOUCHED config: warning: score set for non-existent rule SPOOF_NET2COM config: warning: score set for non-existent rule HTML_40_50 config: warning: score set for non-existent rule HTML_IMAGE_ONLY_12 config: warning: score set for non-existent rule HTML_TEXT_AFTER_HTML config: warning: score set 
for non-existent rule RISK_FREE config: warning: score set for non-existent rule DATE_IN_PAST_48_96 config: warning: score set for non-existent rule HTML_MISSING_CTYPE config: warning: score set for non-existent rule SUBJ_DOLLARS config: warning: score set for non-existent rule HTML_FONT_SIZE_LARGE config: warning: score set for non-existent rule WITH_LC_SMTP config: warning: score set for non-existent rule PORN_URL_SLUT config: warning: score set for non-existent rule PREST_NON_ACCREDITED config: warning: score set for non-existent rule HTML_SHOUTING6 config: warning: score set for non-existent rule DNS_FROM_RFC_WHOIS config: warning: score set for non-existent rule COMPETE config: warning: score set for non-existent rule INTERRUPTUS config: warning: score set for non-existent rule HTML_TAG_BALANCE_HEAD config: warning: score set for non-existent rule CHARSET_FARAWAY config: warning: score set for non-existent rule IMPOTENCE config: warning: score set for non-existent rule FROM_STARTS_WITH_NUMS config: warning: score set for non-existent rule HTML_60_70 config: warning: score set for non-existent rule HTML_SHORT_COMMENT config: warning: score set for non-existent rule MSGID_DOLLARS config: warning: score set for non-existent rule MIME_BOUND_MANY_HEX config: warning: score set for non-existent rule MSGID_FROM_MTA_HEADER config: warning: score set for non-existent rule FROM_DOMAIN_NOVOWEL config: warning: score set for non-existent rule HTML_IMAGE_RATIO_08 config: warning: score set for non-existent rule HTML_20_30 config: warning: score set for non-existent rule RCVD_IN_NJABL_RELAY config: warning: score set for non-existent rule BLANK_LINES_80_90 config: warning: score set for non-existent rule HTML_IMAGE_RATIO_02 config: warning: score set for non-existent rule US_DOLLARS_3 config: warning: score set for non-existent rule BE_BOSS config: warning: score set for non-existent rule FORGED_YAHOO_RCVD config: warning: score set for non-existent rule FREE_QUOTE_INSTANT 
config: warning: score set for non-existent rule RCVD_IN_SORBS_MISC config: warning: score set for non-existent rule HELO_DYNAMIC_SPLIT_IP config: warning: score set for non-existent rule INVESTMENT_EXPERT config: warning: score set for non-existent rule FRAGMENTED_MESSAGE config: warning: score set for non-existent rule WEIRD_PORT config: warning: score set for non-existent rule HELO_DYNAMIC_IPADDR config: warning: score set for non-existent rule MIME_MISSING_BOUNDARY config: warning: score set for non-existent rule INVALID_TZ_CST config: warning: score set for non-existent rule HTML_BADTAG_60_70 config: warning: score set for non-existent rule ADVANCE_FEE_1 config: warning: score set for non-existent rule REPLICA_WATCH config: warning: score set for non-existent rule HTML_EVENT_UNSAFE config: warning: score set for non-existent rule SPOOF_OURI config: warning: score set for non-existent rule RCVD_IN_SORBS_SMTP config: warning: score set for non-existent rule X_MIME_AUTOCONVERTED config: warning: score set for non-existent rule CLICK_BELOW_CAPS config: warning: score set for non-existent rule HTML_IMAGE_ONLY_32 config: warning: score set for non-existent rule MAILTO_SUBJ_REMOVE config: warning: score set for non-existent rule NORMAL_HTTP_TO_IP config: warning: score set for non-existent rule RCVD_IN_MAPS_DUL config: warning: score set for non-existent rule EXCUSE_4 config: warning: score set for non-existent rule HTML_ATTR_UNIQUE config: warning: score set for non-existent rule PORN_15 config: warning: score set for non-existent rule HELO_DYNAMIC_CHELLO_NO config: warning: score set for non-existent rule DATE_IN_FUTURE_96_XX config: warning: score set for non-existent rule JS_FROMCHARCODE config: warning: score set for non-existent rule SUBJECT_DRUG_GAP_X config: warning: score set for non-existent rule FORGED_MSGID_MSN config: warning: score set for non-existent rule FORGED_RCVD_HELO config: warning: score set for non-existent rule HTML_IMAGE_ONLY_28 config: 
warning: score set for non-existent rule HTML_ATTR_BAD config: warning: score set for non-existent rule BAYES_60 config: warning: score set for non-existent rule EMPTY_MESSAGE config: warning: score set for non-existent rule DIET_1 config: warning: score set for non-existent rule URI_DIGITS config: warning: score set for non-existent rule HELO_DYNAMIC_HCC config: warning: score set for non-existent rule NONEXISTENT_CHARSET config: warning: score set for non-existent rule RCVD_HELO_IP_MISMATCH config: warning: score set for non-existent rule LOTS_OF_STUFF config: warning: score set for non-existent rule HTML_BACKHAIR_4 config: warning: score set for non-existent rule DATE_IN_FUTURE_06_12 config: warning: score set for non-existent rule HELO_DYNAMIC_ROGERS config: warning: score set for non-existent rule RCVD_IN_WHOIS_BOGONS config: warning: score set for non-existent rule HTML_NONELEMENT_30_40 config: warning: score set for non-existent rule MORTGAGE_RATES config: warning: score set for non-existent rule __RFC_IGNORANT_ENVFROM config: warning: score set for non-existent rule FRONTPAGE config: warning: score set for non-existent rule FAKE_HELO_MAIL_COM config: warning: score set for non-existent rule EM_ROLEX config: warning: score set for non-existent rule HTML_TINY_FONT config: warning: score set for non-existent rule BAYES_40 config: warning: score set for non-existent rule DRUGS_MUSCLE config: warning: score set for non-existent rule NO_RDNS_DOTCOM_HELO config: warning: score set for non-existent rule YOU_CAN_SEARCH config: warning: score set for non-existent rule DATE_IN_PAST_12_24 config: warning: score set for non-existent rule FAKE_HELO_EXCITE config: warning: score set for non-existent rule BODY_ENHANCEMENT2 config: warning: score set for non-existent rule HTTP_CTRL_CHARS_HOST config: warning: score set for non-existent rule HTML_BADTAG_70_80 config: warning: score set for non-existent rule MSGID_SPAM_ZEROES config: warning: score set for non-existent rule 
YAHOO_DRS_REDIR config: warning: score set for non-existent rule X_ORIG_IP_NOT_IPV4 config: warning: score set for non-existent rule AS_SEEN_ON config: warning: score set for non-existent rule BAD_CREDIT config: warning: score set for non-existent rule FORGED_JUNO_RCVD config: warning: score set for non-existent rule PRIORITY_NO_NAME config: warning: score set for non-existent rule LONGWORDS config: warning: score set for non-existent rule RCVD_FAKE_HELO_DOTCOM config: warning: score set for non-existent rule FAKE_OUTBLAZE_RCVD config: warning: score set for non-existent rule HTML_SHORT_CENTER config: warning: score set for non-existent rule RCVD_IN_NJABL_MULTI config: warning: score set for non-existent rule DNS_FROM_RFC_POST config: warning: score set for non-existent rule RUDE_HTML config: warning: score set for non-existent rule HELO_DYNAMIC_IPADDR2 config: warning: score set for non-existent rule HELO_DYNAMIC_YAHOOBB config: warning: score set for non-existent rule DRUG_DOSAGE config: warning: score set for non-existent rule FORGED_MSGID_HOTMAIL config: warning: score set for non-existent rule FORGED_HOTMAIL_RCVD config: warning: score set for non-existent rule HELO_DYNAMIC_ATTBI config: warning: score set for non-existent rule HTML_NONELEMENT_60_70 config: warning: score set for non-existent rule DRUGS_DIET config: warning: score set for non-existent rule HTML_NONELEMENT_00_10 config: warning: score set for non-existent rule MSGID_SPAM_CAPS config: warning: score set for non-existent rule ADDR_NUMS_AT_BIGSITE config: warning: score set for non-existent rule GUARANTEED_100_PERCENT config: warning: score set for non-existent rule UNRESOLVED_TEMPLATE config: warning: score set for non-existent rule DISGUISE_PORN_MUNDANE config: warning: score set for non-existent rule NUMERIC_HTTP_ADDR config: warning: score set for non-existent rule X_LIBRARY config: warning: score set for non-existent rule PORN_URL_SEX config: warning: score set for non-existent rule 
X_PRIORITY_CC config: warning: score set for non-existent rule UNCLOSED_BRACKET config: warning: score set for non-existent rule HTML_TEXT_AFTER_BODY config: warning: score set for non-existent rule DNS_FROM_AHBL_RHSBL config: warning: score set for non-existent rule GTUBE config: warning: score set for non-existent rule MIME_BOUND_DD_DIGITS config: warning: score set for non-existent rule REMOVE_BEFORE_LINK config: warning: score set for non-existent rule HTML_TAG_EXIST_TBODY config: warning: score set for non-existent rule REFINANCE_YOUR_HOME config: warning: score set for non-existent rule DATE_IN_PAST_03_06 config: warning: score set for non-existent rule HTML_NONELEMENT_10_20 config: warning: score set for non-existent rule SUBJ_AS_SEEN config: warning: score set for non-existent rule NO_COST config: warning: score set for non-existent rule FREE_PORN config: warning: score set for non-existent rule USERPASS config: warning: score set for non-existent rule MIME_BOUND_NEXTPART config: warning: score set for non-existent rule MIME_BASE64_BLANKS config: warning: score set for non-existent rule HTML_EMBEDS config: warning: score set for non-existent rule VIA_GAP_GRA config: warning: score set for non-existent rule MORTGAGE_PITCH config: warning: score set for non-existent rule MIME_HTML_MOSTLY config: warning: score set for non-existent rule FORGED_MSGID_EXCITE config: warning: score set for non-existent rule FREE_SAMPLE config: warning: score set for non-existent rule FROM_EXCESS_QP config: warning: score set for non-existent rule HELO_DYNAMIC_NTL config: warning: score set for non-existent rule REVERSE_AGING config: warning: score set for non-existent rule MSGID_LONG config: warning: score set for non-existent rule FORGED_GW05_RCVD config: warning: score set for non-existent rule RCVD_NUMERIC_HELO config: warning: score set for non-existent rule WRINKLES config: warning: score set for non-existent rule DRUGS_SLEEP config: warning: score set for non-existent rule 
SUBJ_2_NUM_PARENS
config: warning: score set for non-existent rule BANG_EXERCISE
config: warning: score set for non-existent rule SORTED_RECIPS
config: warning: score set for non-existent rule RCVD_IN_BSP_OTHER
config: warning: score set for non-existent rule FROM_HAS_MIXED_NUMS
config: warning: score set for non-existent rule DATE_IN_PAST_96_XX
config: warning: score set for non-existent rule FORGED_EUDORAMAIL_RCVD
config: warning: score set for non-existent rule HTML_NONELEMENT_40_50
config: warning: score set for non-existent rule FAKED_UNDISC_RECIPS
config: warning: score set for non-existent rule MSGID_FROM_MTA_HOTMAIL
config: warning: score set for non-existent rule DATE_IN_PAST_06_12
config: warning: score set for non-existent rule BAYES_80
config: warning: score set for non-existent rule HTML_OBFUSCATE_05_10
config: warning: score set for non-existent rule HEADER_COUNT_CTYPE
config: warning: score set for non-existent rule URI_NO_WWW_BIZ_CGI
config: warning: score set for non-existent rule EXTRA_MPART_TYPE
config: warning: score set for non-existent rule HTML_50_60
config: warning: score set for non-existent rule SUBJECT_SEXUAL
config: warning: score set for non-existent rule NO_OBLIGATION
config: warning: score set for non-existent rule EXCUSE_10
config: warning: score set for non-existent rule IP_LINK_PLUS
config: warning: score set for non-existent rule NO_RECEIVED
config: warning: score set for non-existent rule KOREAN_UCE_SUBJECT
config: warning: score set for non-existent rule SUBJ_BUY
config: warning: score set for non-existent rule MSGID_FROM_MTA_ID
config: warning: score set for non-existent rule TO_RECIP_MARKER
config: warning: score set for non-existent rule INVESTMENT_ADVICE
config: warning: score set for non-existent rule MISSING_HB_SEP
config: warning: score set for non-existent rule FROM_NONSENDING_DOMAIN
config: warning: score set for non-existent rule HTML_NONELEMENT_90_100
config: warning: score set for non-existent rule ADDRESS_IN_SUBJECT
config: warning: score set for non-existent rule ADVANCE_FEE_4
config: warning: score set for non-existent rule EXCUSE_24
config: warning: score set for non-existent rule FAKE_HELO_LYCOS
config: warning: score set for non-existent rule RCVD_IN_NJABL_PROXY
[11017] info: rules: meta test REPTO_QUOTE_YAHOO has undefined dependency '__FROM_YAHOO_COM'
[11017] info: rules: meta test REPTO_QUOTE_YAHOO has undefined dependency '__AT_YAHOO_MSGID'
[11017] info: rules: meta test __SARE_HEAD_FALSE has undefined dependency '__FROM_AOL_COM'
[11017] info: rules: meta test __SARE_HEAD_FALSE has undefined dependency '__FROM_AOL_COM'
[11017] info: rules: meta test RATWARE_OUTLOOK_NONAME has undefined dependency '__MSGID_DOLLARS_OK'
[11017] info: rules: meta test RATWARE_OUTLOOK_NONAME has undefined dependency '__HAS_X_MAILER'
[11017] info: rules: meta test HEBREWSPAM_33 has undefined dependency 'HEBREW_SPAM_30'
[11017] info: rules: meta test SARE_SPEC_PROLEO_M2a has dependency 'MIME_QP_LONG_LINE' with a zero score
[11017] info: rules: meta test HEBREWSPAM_33H has undefined dependency 'HEBREW_SPAM_3H'
[11017] info: rules: meta test RATWARE_MS_HASH has undefined dependency '__MSGID_DOLLARS_OK'
[11017] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_XMAIL_SUSP2'
[11017] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_HEAD_XAUTH_WARN'
[11017] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT'
[11017] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT'
[11017] info: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY'
[11017] info: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined dependency 'VIRUS_WARNING_MYDOOM4'
[11017] info: rules: meta test __SARE_SUB_FALSE has undefined dependency '__FROM_AOL_COM'
[11017] info: rules: meta test __SARE_SUB_FALSE has undefined dependency '__FROM_AOL_COM'
[11017] info: rules: meta test REPTO_QUOTE_MSN has undefined
dependency '__FROM_MSN_COM'
[11017] info: rules: meta test REPTO_QUOTE_MSN has undefined dependency '__AT_MSN_MSGID'
SpamAssassin reported an error.
Using locktype = posix
Creating hardcoded struct_flock subroutine for linux (Linux-type)
MailScanner.conf says "Virus Scanners = f-prot"
Found these virus scanners installed: f-prot, clamav
[root@ns1 ~]#
--

Best,
--
Arthur Sherman +972-52-4878851 http://www.cpt.co.il/

From am.lists at gmail.com Thu Mar 8 01:38:40 2007
From: am.lists at gmail.com (am.lists) Date: Thu Mar 8 00:44:45 2007 Subject: DKIM with MailScanner In-Reply-To: <062a01c76116$faff5240$0dfb1bac@lapxp> References: <062a01c76116$faff5240$0dfb1bac@lapxp> Message-ID: <25a66d840703071638m1cef68cfk5ca8892d66ed4143@mail.gmail.com>

On 3/7/07, Arthur Sherman wrote:
>
> I tried to install DKIM with MailScanner and now it neither signs w/ DKIM
> nor scans with MailScanner (X-CPTeam-MailScanner-SpamCheck: not spam,
> SpamAssassin (not cached, score=0,required 4, autolearn=not spam)
>
> Everything was fine before.
>
> When I run 'MailScanner --debug-sa --lint' it throws me this error:
> Maybe you could help me with this.
>
> TIA
> --
> [root@ns1 ~]# MailScanner --debug-sa --lint
> Read 764 hostnames from the phishing whitelist
> Checking version numbers...
> Version number in MailScanner.conf (4.58.9) is correct.
>
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> plugin: failed to parse plugin (from @INC): Can't locate Mail/DKIM.pm in

You need to install the Mail::DKIM perl modules.
e.g.

    #cpan install Mail::DKIM
    ...
    ...
    >quit

Make sure that in (mine is here) /etc/mail/spamassassin/v312.pre the line

    loadplugin Mail::SpamAssassin::Plugin::DKIM

is present and is not commented out. Then try the lint.

The default rules score at 0.001 and -0.001 so the rule will fire and appear in the spam report but do no alteration (statistically at least) to your messages.

Angelo

From res at ausics.net Thu Mar 8 03:01:26 2007
From: res at ausics.net (Res) Date: Thu Mar 8 02:08:29 2007 Subject: dealing with dictionary attacks In-Reply-To: <45EEDA1B.4010200@sbcglobal.net> References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> Message-ID:

On Wed, 7 Mar 2007, Ed Bruce wrote:

> Why is only Postfix discussions being asked to take it off list. I see
> many topics about sendmail, clamav, and spamassassin.

We chip em when we see em, SA is closely related to MS, a damned sight more than postfix, majority of MTA issues are completely unrelated to this list and should never be posted here, it is done because people are lazy to google or too lazy to sub to another list.

The frequency of postfix related topics is high for obvious reasons, those using sendmail, qmail and exim rarely have problems, PF is a higher maintenance MTA for users of MS compared to the formers.

--
Cheers
Res

"If I lay here, If I just lay here, would you lay with me and just forget the world?"

From hvdkooij at vanderkooij.org Thu Mar 8 07:38:17 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Mar 8 06:44:26 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> Message-ID: On Thu, 8 Mar 2007, Res wrote: > On Wed, 7 Mar 2007, Ed Bruce wrote: > >> Why is only Postfix discussions being asked to take it off list. I see >> many topics about sendmail, clamav, and spamassassin. > > We chip em when we see em, SA is close related to MS, a damned sight more > than postfix, majority of MTA issues are completely unrelated to this list > and should never be posted here, it is done because people are lazy to google > or too lazy to sub to another list. > > The frequence of postfix related topics is high for obvious reasons, those > using sendmail, qmail and exim rarely have problems, PF is a higher > maintenance MTA for users of MS compared to the formers. Having run sendmail for a long time I beg to differ. Before one masters the MC config files to build a sane sendmail config you need to jump through at least as many hoops as one has to do with postfix. I can now do things with postfix I could not do as easily with sendmail. (If at all.) Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From nats at sscrmnl.edu.ph Thu Mar 8 08:04:29 2007 
From: nats at sscrmnl.edu.ph (Jose Nathaniel Nengasca) Date: Thu Mar 8 07:11:08 2007 Subject: Jules is drinking tea In-Reply-To: <45EEC824.1000202@USherbrooke.ca> Message-ID: <00f801c76150$04a52c00$ed7aa7cb@NATS> This is really great news! thanks for the info... OT : I wonder if Bill Gates have nice e-well-wishers just like Jules, if his in the hospital? Maybe he'll get "spam-cards" .. Just kidding.. :) Peace Bill! -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Denis Beauchemin Sent: Wednesday, March 07, 2007 10:12 PM To: MailScanner discussion Subject: Re: Jules is drinking tea Tim Chown a ?crit : > Hi again, > > Today's news is that Jules is very awake and alert, and is drinking tea. > Those who know him well know he gets through a fair few gallons of > tea, so this is a good sign :) > > Also the doctors are wanting to get him out of intensive care as soon > as a bed in another ward becomes free, another good sign. > > Let's hope the recovery continues. It may be hard to keep him offline > before long! > > I'll ramp down the reporting frequency a bit now unless there's anything > significant to say. Please do keep cards coming, I'm sure they'll > continue to be very well received. > > Tim > Thanks Tim! This is great news! It makes my day start with a big smile! Denis -- _ ?v? Denis Beauchemin, analyste /(_)\ Universit? de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From res at ausics.net Thu Mar 8 08:19:43 2007 
From: res at ausics.net (Res) Date: Thu Mar 8 07:26:49 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> Message-ID:

On Thu, 8 Mar 2007, Hugo van der Kooij wrote:

>> We chip em when we see em, SA is closely related to MS, a damned sight more
>> than postfix, majority of MTA issues are completely unrelated to this list
>> and should never be posted here, it is done because people are lazy to
>> google or too lazy to sub to another list.
>>
>> The frequency of postfix related topics is high for obvious reasons, those
>> using sendmail, qmail and exim rarely have problems, PF is a higher
>> maintenance MTA for users of MS compared to the formers.
>
> Having run sendmail for a long time I beg to differ. Before one masters the

I beg to differ, a recent check of archives shows pf has the most problems with MS, and it's a well known fact, even admitted to by the regular postmix weenies.

> MC config files to build a sane sendmail config you need to jump through at
> least as many hoops as one has to do with postfix.

It's the same as anything, if you bother to learn it you'll master it. I've used sendmail for well over 15 years, maybe close to 20, getting too old to give a damn to count :) Tried all the others, the only other MTA that I'll use is Qmail, but each to our own.

Anyway this is all OT, yet AGAIN... if you want to continue by all means send to my pvt inbox.

--
Cheers
Res

"If I lay here, If I just lay here, would you lay with me and just forget the world?"

From uxbod at splatnix.net Thu Mar 8 10:00:04 2007
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Thu Mar 8 09:01:38 2007 Subject: Jules is drinking tea In-Reply-To: <20070307135439.GA8331@login.ecs.soton.ac.uk> References: <20070307135439.GA8331@login.ecs.soton.ac.uk> Message-ID: <20070308090004.7d029ce7@uxbod.splatnix.net> On Wed, 7 Mar 2007 13:54:39 +0000 Tim Chown wrote: > Hi again, > > Today's news is that Jules is very awake and alert, and is drinking > tea. Those who know him well know he gets through a fair few gallons > of tea, so this is a good sign :) > > Also the doctors are wanting to get him out of intensive care as soon > as a bed in another ward becomes free, another good sign. > > Let's hope the recovery continues. It may be hard to keep him > offline before long! > > I'll ramp down the reporting frequency a bit now unless there's > anything significant to say. Please do keep cards coming, I'm sure > they'll continue to be very well received. > > Tim I believe you are right Tim I reckon it won't be long before he is back on a laptop ! Glad to hear Jules is on the mend, and enjoying a fresh brew :) -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From martinh at solidstatelogic.com Thu Mar 8 10:10:06 2007 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Mar 8 09:16:38 2007 Subject: Freds rules from Rulesemporium.com In-Reply-To: <45EF3600.80409@enitech.com.au> Message-ID: <9b9d27fefaea9447a71bb3a8caebe93d@solidstatelogic.com>

Pete

You need to define a new custom ruleset in RDJ...

In /etc/rulesdujour/config add something like the following at the bottom..

    FVGT_file=9016;
    CF_URLS[9016]="http://www.rulesemporium.com/rules/00_FVGT_File001.cf";
    CF_FILES[9016]="00_FVGT_File001.cf";
    CF_NAMES[9016]="Fred's Collection of Rules File 001";
    PARSE_NEW_VER_SCRIPTS[9016]="${PERL} -ne 'print if /^\s*#.*(version|rev|revision)[:\.\s]*[0-9]/i ;' | sort | tail -1";
    # CF_MUNGE_SCRIPTS[9016]="nothing for this ruleset.";

(watch out for newlines in the wrong place..)

Then in TRUSTEDRULESETS you can add FVGT_file...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Peter Russell > Sent: 07 March 2007 22:01 > To: MailScanner discussion > Subject: Re: Freds rules from Rulesemporium.com > > Thanks for that. Not easy to find any automagic way of updating these? > Is it in RDJ and i am just too blind to see? > > Also it says > "SOME RULES REQUIRE THAT YOU HAVE TRUSTED_NETWORKS SET PROPERLY" > > Where is the best guide for setting this up properly? Seems like > something i could slightly wrong and have a big impact. > > Many thanks > Pete > > Martin.Hepworth wrote: > > All > > > > Well after five months some of us on the IRC channel have finally > > noticed that a lot of Fred's Rules on > > www.rulesemporium.com/other-rules.htm have moved to one big file. > > > > It's mentioned in the comments on the files, but a lot of us seem to > > have missed this...so I thought I'd give a heads up to others. > > > > -- > > Martin Hepworth > > Snr Systems Administrator > > Solid State Logic > > Tel: +44 (0)1865 842300 > > > > > > > > > > > > ********************************************************************** > > Confidentiality : This e-mail and any attachments are intended for the > > addressee only and may be confidential. If they come to you in error > > you must take no action based on them, nor must you copy or show them > > to anyone. Please advise the sender by replying to this e-mail > > immediately and then delete the original from your computer. > > > > Opinion : Any opinions expressed in this e-mail are entirely those of > > the author and unless specifically stated to the contrary, are not > > necessarily those of the author's employer. > > > > Security Warning : Internet e-mail is not necessarily a secure > > communications medium and can be subject to data corruption. We advise > > that you consider this fact when e-mailing us. 
> > > > Viruses : We have taken steps to ensure that this e-mail and any > > attachments are free from known viruses but in keeping with good > > computing practice, you should ensure that they are virus free. > > > > Red Lion 49 Ltd T/A Solid State Logic > > Registered as a limited company in England and Wales > > (Company No:5362730) > > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > > United Kingdom > > ********************************************************************** > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom
**********************************************************************

From dean.plant at roke.co.uk Thu Mar 8 10:10:38 2007
From: dean.plant at roke.co.uk (Plant, Dean) Date: Thu Mar 8 09:16:47 2007 Subject: Small problem after ClamAV upgrade Message-ID: <2181C5F19DD0254692452BFF3EAF1D6802671DFE@rsys005a.comm.ad.roke.co.uk>

Denis Beauchemin wrote:
>
> Look into /usr/lib/MailScanner/MailScanner/SweepViruses.pm for
> Mail::ClamAV::CL_SCAN_BLOCKBROKEN() and comment it out (it's there
> twice). I don't think this can be configured by other means. Then
> restart MS.
>
> Denis

After looking in SweepViruses.pm I thought I'd better read up on the options in Mail-ClamAV-0.20. From http://search.cpan.org/src/SABECK/Mail-ClamAV-0.20/README there are a few new options that are not in Mail-ClamAV-0.17 so it would seem that unless we add these options to /usr/lib/MailScanner/MailScanner/SweepViruses.pm we are not enabling the new features of ClamAV 0.90.1.

Is this correct? If so what are the list's thoughts on which options should be added? I think all of these options are enabled by default if using ClamAV via the command line scanner with MailScanner.

New options in Mail-ClamAV-0.20 not listed in SweepViruses.pm:

CL_SCAN_ELF
    Enable support for ELF files.
CL_SCAN_ALGORITHMIC
    Enable algorithmic detection of viruses.
CL_SCAN_PHISHING_DOMAINLIST
    Phishing module: restrict URL scanning to domains from .pdf (RECOMMENDED).
CL_SCAN_PHISHING_BLOCKSSL
    Phishing module: always block SSL mismatches in URLs.
CL_SCAN_PHISHING_BLOCKCLOAK
    Phishing module: always block cloaked URLs.

Dean

From arturs at netvision.net.il Thu Mar 8 10:09:38 2007
From: arturs at netvision.net.il (Arthur Sherman) Date: Thu Mar 8 09:17:12 2007 Subject: DKIM with MailScanner In-Reply-To: <25a66d840703071638m1cef68cfk5ca8892d66ed4143@mail.gmail.com> Message-ID: <067801c76161$80141430$0dfb1bac@lapxp>

> You need to install the Mail::DKIM perl modules.

Angelo,

Thanks for the tip. It solved part of the problem, except for rules and score warnings.
Most of mails come scored=0.

--
[root@ns1 spamassassin]# MailScanner -D --lint
Option d is ambiguous (debug, debug-sa)
Read 764 hostnames from the phishing whitelist
Checking version numbers...
Version number in MailScanner.conf (4.58.9) is correct.

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
config: configuration file "/usr/share/spamassassin/20_advance_fee.cf"
requires version 3.001008 of SpamAssassin, but this is code version
3.001007. Maybe you need to use the -C switch, or remove the old config
files? Skipping this file at
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345.

config: warning: score set for non-existent rule DEAR_SOMETHING
config: warning: score set for non-existent rule SUB_HELLO

[7457] info: rules: meta test REPTO_QUOTE_YAHOO has undefined dependency
'__FROM_YAHOO_COM'

SpamAssassin reported an error.
Using locktype = posix
Creating hardcoded struct_flock subroutine for linux (Linux-type)
MailScanner.conf says "Virus Scanners = f-prot"
Found these virus scanners installed: f-prot, clamav
--

Also, I couldn't find any complete guide to installing and configuring DomainKeys with sendmail and MS, although Google gives plenty of choices.
If you know one, I'd be happy to get my hands on it.

Best,

--
Arthur Sherman +972-52-4878851 http://www.cpt.co.il/

From support-lists at petdoctors.co.uk Thu Mar 8 10:14:36 2007
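[Added example, not part of any list message and not MailScanner or SpamAssassin code: a Python triage of `MailScanner --lint` output like the run quoted in the DKIM thread above, which separates load failures (missing Perl module, rules file skipped for a version mismatch) from the score and meta-rule warnings that follow them. The sample is assembled from lines quoted in this thread; the function names and the suggested ordering of fixes are assumptions.]

```python
import re
from collections import defaultdict

# Constructed sample: lines quoted in this thread, left wrapped the way the
# list archive wrapped them so the parser has to cope with broken records.
SAMPLE_LINT = """\
plugin: failed to parse plugin (from @INC): Can't locate Mail/DKIM.pm in
config: configuration file "/usr/share/spamassassin/20_advance_fee.cf"
requires version 3.001008 of SpamAssassin, but this is code version
3.001007. Maybe you need to use the -C switch, or remove the old config
files? Skipping this file at
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345.
config: warning: score set for non-existent rule DEAR_SOMETHING
config: warning: score set for non-existent rule SUB_HELLO
config: warning: score set for non-existent rule ADVANCE_FEE_4
[7457] info: rules: meta test REPTO_QUOTE_YAHOO has undefined dependency
'__FROM_YAHOO_COM'
[11017] info: rules: meta test __SARE_HEAD_FALSE has undefined dependency '__FROM_AOL_COM'
[11017] info: rules: meta test __SARE_HEAD_FALSE has undefined dependency '__FROM_AOL_COM'
[11017] info: rules: meta test SARE_SPEC_PROLEO_M2a has dependency 'MIME_QP_LONG_LINE' with a zero score
SpamAssassin reported an error.
"""

MISSING_MODULE = re.compile(r"Can't locate (\S+)\.pm\b")
VERSION_SKIP = re.compile(
    r'configuration file "([^"]+)" requires version (\d+\.\d+) of SpamAssassin, '
    r"but this is code version (\d+\.\d+)")
ORPHAN_SCORE = re.compile(r"score set for non-existent rule (\w+)")
UNDEFINED_DEP = re.compile(r"meta test (\S+) has undefined dependency '([^']+)'")
ZERO_SCORE_DEP = re.compile(r"meta test (\S+) has dependency '([^']+)' with a zero score")


def decode_sa_version(encoded):
    """SpamAssassin writes 3.1.8 as 3.001008: three digits each for minor and patch."""
    major, frac = encoded.split(".")
    frac = frac.ljust(6, "0")
    return "%d.%d.%d" % (int(major), int(frac[:3]), int(frac[3:6]))


def triage(lint_text):
    """Group lint messages by kind; duplicates and line wrapping are ignored."""
    flat = " ".join(lint_text.split())  # undo mail/terminal line wrapping
    report = {
        "missing_modules": sorted(
            {m.replace("/", "::") for m in MISSING_MODULE.findall(flat)}),
        "skipped_files": [
            {"path": path,
             "requires": decode_sa_version(need),
             "running": decode_sa_version(have)}
            for path, need, have in VERSION_SKIP.findall(flat)],
        "orphan_scores": sorted(set(ORPHAN_SCORE.findall(flat))),
        "zero_score_deps": sorted(set(ZERO_SCORE_DEP.findall(flat))),
    }
    undefined = defaultdict(set)
    for meta, dep in UNDEFINED_DEP.findall(flat):
        undefined[meta].add(dep)
    report["undefined_deps"] = {m: sorted(d) for m, d in sorted(undefined.items())}
    return report


def next_steps(report):
    """Order the findings so that load failures are dealt with before score noise."""
    steps = []
    for mod in report["missing_modules"]:
        steps.append("install Perl module %s, then check its loadplugin line" % mod)
    for f in report["skipped_files"]:
        steps.append("%s requires SpamAssassin %s but %s is running, so it was skipped"
                     % (f["path"], f["requires"], f["running"]))
    if report["orphan_scores"]:
        # Assumption (not stated in the thread): a score whose rule lives in a
        # skipped or missing file is reported as a "non-existent rule".
        hint = "re-run lint after fixing the above" if steps else "look for stale score lines"
        steps.append("%d scores refer to rules that are not loaded; %s"
                     % (len(report["orphan_scores"]), hint))
    if report["undefined_deps"]:
        steps.append("%d meta rules have undefined dependencies"
                     % len(report["undefined_deps"]))
    return steps


if __name__ == "__main__":
    for step in next_steps(triage(SAMPLE_LINT)):
        print("-", step)
```
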
From: support-lists at petdoctors.co.uk (Nigel Kendrick) Date: Thu Mar 8 09:21:04 2007 Subject: Jules is drinking tea In-Reply-To: <20070307135439.GA8331@login.ecs.soton.ac.uk> Message-ID: <010801c76162$3166f9f0$3c65a8c0@support01> -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tim Chown Sent: Wednesday, March 07, 2007 1:55 PM To: MailScanner discussion Subject: Jules is drinking tea Hi again, Today's news is that Jules is very awake and alert, and is drinking tea. Those who know him well know he gets through a fair few gallons of tea, so this is a good sign :) Also the doctors are wanting to get him out of intensive care as soon as a bed in another ward becomes free, another good sign. Let's hope the recovery continues. It may be hard to keep him offline before long! I'll ramp down the reporting frequency a bit now unless there's anything significant to say. Please do keep cards coming, I'm sure they'll continue to be very well received. Tim -- Never mind that - does he have a laptop and a wifi connection yet!? Best Wishes from down the road in West Sussex From glenn.steen at gmail.com Thu Mar 8 10:41:32 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 8 09:47:37 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> Message-ID: <223f97700703080141l53809f0dk444a3a75e631d4ef@mail.gmail.com>

On 08/03/07, Res wrote:
> On Wed, 7 Mar 2007, Ed Bruce wrote:
>
> > Why is only Postfix discussions being asked to take it off list. I see
> > many topics about sendmail, clamav, and spamassassin.
>
> We chip em when we see em, SA is closely related to MS, a damned sight
> more than postfix, majority of MTA issues are completely unrelated to
> this list and should never be posted here, it is done because people are
> lazy to google or too lazy to sub to another list.

I do agree that these aren't related, and mostly due to laziness... and shouldn't be "aired" here.

> The frequency of postfix related topics is high for obvious reasons,
> those using sendmail, qmail and exim rarely have problems, PF is a higher
> maintenance MTA for users of MS compared to the formers.

The frequency of unrelated Sendmail and Postfix posts are actually quite close. Methinks you are mixing things a bit here Res, there are quite a few _related_ posts about PF, which simply wouldn't count... And for that matter a few related Sendmail posts, true, but less so than for PF.

The MTAs that are really quiet on this list (unrelated stuff-wise:-), are Qmail (since this list does not handle that MS port, anything about it is mostly unrelated... Now, who is it that usually posts about that MTA:-):-), Exim and Zmailer ... Either not used much, or a very well-behaved crowd;-).

But I do understand the psychology behind all the unrelated posts for PF, breathe "MailScanner" on that user list and you'll get stomped with a surprising amount of unrelated "advice"... So asking on a friendlier list, even though it be off-topic for that list, will seem like a good idea:-).

'nuff about this, we only disagree about the relative proportions of the sinners... which really isn't that interesting... not on topic... So... Let's call it a truce:)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Mar 8 10:43:28 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 8 09:49:34 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> Message-ID: <223f97700703080143q3b6dd5d8rd0f2017bd54e0c76@mail.gmail.com> On 08/03/07, Res wrote: > On Thu, 8 Mar 2007, Hugo van der Kooij wrote: > > >> We chip em when we see em, SA is close related to MS, a damned sight more > >> than postfix, majority of MTA issues are completely unrelated to this list > >> and should never be posted here, it is done because people are lazy to > >> google or too lazy to sub to another list. > >> > >> The frequence of postfix related topics is high for obvious reasons, those > >> using sendmail, qmail and exim rarely have problems, PF is a higher > >> maintenance MTA for users of MS compared to the formers. > > > > Having run sendmail for a long time I beg to differ. Before one masters the > > I beg to difer, a recent check of archives shows pf has the most > problems with MS, and its a well known fact,m even admitted to b ythe > regular postmix weenies. > > > MC config files to build a sane sendmail config you need to jump through at > > least as many hoops as one has to do with postfix. > > It's the same as anything, if you bother to learn it you'll master it. > I've used sendmail for well over 15 years, maybe close to 20, getting too > old to give a dman to count :) Tried all the others, the only > other MTA that I'll use is Qmail, but each to our own. > > anyway this is all OT, yet AGAIN... if you want to continue by all means > send to my pvt inbox. > Hm, seems I should bother to read the whole thread before replying:-). 
As usual, we're really not far apart as views go;) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From gerard at seibercom.net Thu Mar 8 11:56:06 2007 From: gerard at seibercom.net (Gerard Seibert) Date: Thu Mar 8 11:02:15 2007 Subject: Jules is drinking tea In-Reply-To: <00f801c76150$04a52c00$ed7aa7cb@NATS> References: <45EEC824.1000202@USherbrooke.ca> <00f801c76150$04a52c00$ed7aa7cb@NATS> Message-ID: <20070308055606.572777a4@localhost> On Thu, 8 Mar 2007 15:04:29 +0800 "Jose Nathaniel Nengasca" wrote: > OT : I wonder if Bill Gates have nice e-well-wishers just like Jules, > if his in the hospital? Maybe he'll get "spam-cards" .. Just > kidding.. :) Peace Bill! Of all the useless garbage appended to an email, yours wins the prize. -- Gerard WARNING TO ALL PERSONNEL: Firings will continue until morale improves. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 187 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070308/ac2dcc18/signature.bin From posti2007 at gmail.com Thu Mar 8 12:53:13 2007 
From: posti2007 at gmail.com (nocaster nocaster) Date: Thu Mar 8 11:59:17 2007 Subject: MailScanner signature problems... Message-ID: <80bc587f0703080353r4466d351u2106a033ec0c013f@mail.gmail.com>

I'm running FC6 + MailScanner 4.58, SA, etc.

My LANG setting has been all the way LANG=en_US.UTF-8

Did not export any other setting when compiling perl codes or other...

Now everything works fine, but if I send a message with UTF-8 coding ( for example from Mobile phone or from Gmail ) my MailScanner inline signature gets messed up --> scandinavian letters ( ?????????? ) in signature are shown wrong

Could someone help me with this?

RGds, Pona

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070308/ca45a4ed/attachment.html

From am.lists at gmail.com Thu Mar 8 14:06:35 2007
From: am.lists at gmail.com (am.lists) Date: Thu Mar 8 13:12:42 2007 Subject: DKIM with MailScanner In-Reply-To: <067801c76161$80141430$0dfb1bac@lapxp> References: <25a66d840703071638m1cef68cfk5ca8892d66ed4143@mail.gmail.com> <067801c76161$80141430$0dfb1bac@lapxp> Message-ID: <25a66d840703080506y155d2ba9kf01d8d81ee415789@mail.gmail.com> On 3/8/07, Arthur Sherman wrote: > > You need to install the Mail::DKIM perl modules. > > Angelo, > > Thanks for the tip. It solved part of the problem, except for rules and > score warnings. > Most of mails come scored=0. > > -- > [root@ns1 spamassassin]# MailScanner -D --lint > Option d is ambiguous (debug, debug-sa) > Read 764 hostnames from the phishing whitelist > Checking version numbers... > Version number in MailScanner.conf (4.58.9) is correct. > > Checking for SpamAssassin errors (if you use it)... > Using SpamAssassin results cache > Connected to SpamAssassin cache database > config: configuration file "/usr/share/spamassassin/20_advance_fee.cf" > requires version 3.001008 of SpamAssassin, but this is code version > 3.001007. Maybe you need to use the -C switch, or remove the old config > files? Skipping this file at > /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 345. > > config: warning: score set for non-existent rule DEAR_SOMETHING > config: warning: score set for non-existent rule SUB_HELLO > > [7457] info: rules: meta test REPTO_QUOTE_YAHOO has undefined dependency > '__FROM_YAHOO_COM' > > SpamAssassin reported an error. > Using locktype = posix > Creating hardcoded struct_flock subroutine for linux (Linux-type) > MailScanner.conf says "Virus Scanners = f-prot" > Found these virus scanners installed: f-prot, clamav > -- > > Also, i couldn't find any complete guide to installing and configuring > DomainKeys with sendmail and MS, athough Google gives plenty choises. > If you know one, I'd be happy to get my hands on it. 
>
>
> Best,
>
> --
> Arthur Sherman

The score warnings you see in your lint now are not related to DKIM.

I assume when you say that the scores are still showing up as 0 you are referring to DKIM (e.g. DKIM_SIGNED, DKIM_VERIFIED, etc.) The default rules are something minuscule, like 0.001 and -0.001, just so that the rule appears in the report while you figure out what your policy should be.

Now, it's up to you to decide what your DKIM policy shall be. I asked on this list a couple weeks ago with no replies. But, I'm finding that entities who may use a DK or DKIM signature are still spammy sometimes. Take for example a large mail-order catalogue company. Their mail would normally get caught by rules for things like image weight, textual intention of trying to sell something, etc. Now, you go and reward them heavily for passing a DKIM test and now their mail suddenly gets through. Personally, I'm not sure I want to be that kind.

On the other hand, you could give a hefty penalty for those who have a forged DKIM signature, but I haven't seen a forgery attempt with either DK or DKIM yet.

I'm interested in others' opinions on this as well.

From tjc at ecs.soton.ac.uk Thu Mar 8 15:39:23 2007
From: tjc at ecs.soton.ac.uk (Tim Chown) Date: Thu Mar 8 14:45:56 2007 Subject: Message from Jules Message-ID: <20070308143922.GN30357@login.ecs.soton.ac.uk>

Hi,

I visited Jules for an hour and a half yesterday, he's mentally fine and quite with it, but obviously physically weak from being unable to use any muscles for a while.

He is asking for his laptop, but I don't think he'll be using it for just a while yet (the hospital may have something to say...)

He said he'd like to thank everyone for the messages which he has on the table by his bed, to tell you all that he's making good progress, and that normal service will be resumed as soon as possible :)

Best wishes,
Tim

From adrik at salesmanager.nl Thu Mar 8 15:44:09 2007
From: adrik at salesmanager.nl (Adri Koppes) Date: Thu Mar 8 14:50:15 2007 Subject: Message from Jules Message-ID: That's excellent news. :-) Jules, take it easy and give yourself some time and relax before playing with MailScanner again. Best wishes, Adri. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tim Chown Sent: donderdag 8 maart 2007 15:39 To: MailScanner discussion Subject: Message from Jules Hi, I visited Jules for an hour and a half yesterday, he's mentally fine and quite with it, but obviously physically weak from being unable to use any muscles for a while. He is asking for his laptop, but I don't think he'll be using it for just a while yet (the hosptial may have something to say...) He said he'd like to thank everyone for the messages which he has on the table by his bed, to tell you all that's he's making good progress, and that normal service will be resumed as soon as possible :) Best wishes, Tim -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From dominian at slackadelic.com Thu Mar 8 15:44:10 2007 
From: dominian at slackadelic.com (Matt Hayes) Date: Thu Mar 8 14:50:24 2007 Subject: Message from Jules In-Reply-To: <20070308143922.GN30357@login.ecs.soton.ac.uk> References: <20070308143922.GN30357@login.ecs.soton.ac.uk> Message-ID: <45F0213A.9080902@slackadelic.com> Tim Chown wrote: > Hi, > > I visited Jules for an hour and a half yesterday, he's mentally fine > and quite with it, but obviously physically weak from being unable to > use any muscles for a while. > > He is asking for his laptop, but I don't think he'll be using it for just > a while yet (the hosptial may have something to say...) > > He said he'd like to thank everyone for the messages which he has on the > table by his bed, to tell you all that's he's making good progress, and > that normal service will be resumed as soon as possible :) > > Best wishes, > Tim Like a true Geek; he needs his laptop! Glad to hear he's doing well. -Matt From edwardbruce at sbcglobal.net Thu Mar 8 15:47:41 2007 From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Thu Mar 8 14:53:48 2007 Subject: Message from Jules In-Reply-To: <20070308143922.GN30357@login.ecs.soton.ac.uk> References: <20070308143922.GN30357@login.ecs.soton.ac.uk> Message-ID: <45F0220D.1080602@sbcglobal.net> Tim Chown wrote: > Hi, > > I visited Jules for an hour and a half yesterday, he's mentally fine > and quite with it, but obviously physically weak from being unable to > use any muscles for a while. > > He is asking for his laptop, but I don't think he'll be using it for just > a while yet (the hosptial may have something to say...) > > He said he'd like to thank everyone for the messages which he has on the > table by his bed, to tell you all that's he's making good progress, and > that normal service will be resumed as soon as possible :) > > Best wishes, > Tim Glad to hear. From rcooper at dwford.com Thu Mar 8 15:51:44 2007 
From: rcooper at dwford.com (Rick Cooper) Date: Thu Mar 8 14:57:58 2007 Subject: Small problem after ClamAV upgrade In-Reply-To: <2181C5F19DD0254692452BFF3EAF1D6802671DFE@rsys005a.comm.ad.roke.co.uk> Message-ID: <001201c76191$4bea58b0$0301a8c0@SAHOMELT> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Plant, Dean > Sent: Thursday, March 08, 2007 4:11 AM > To: MailScanner discussion > Subject: RE: Small problem after ClamAV upgrade > > Denis Beauchemin wrote: > > > > Look into /usr/lib/MailScanner/MailScanner/SweepViruses.pm for > > Mail::ClamAV::CL_SCAN_BLOCKBROKEN() and comment it out (it's there > > twice). I don't think this can be configured by other means. Then > > restart MS. > > > > Denis > > After looking in SweepViruses.pm I thought I better read up on the > options in Mail-ClamAV-0.20 > > From > http://search.cpan.org/src/SABECK/Mail-ClamAV-0.20/README there are > a few new options that are not in Mail-ClamAV-0.17 so it > would seem that > unless we add these options to > /usr/lib/MailScanner/MailScanner/SweepViruses.pm we are not > enabling the > new features of ClamAV 0.90.1. Is this correct? If so what > are the list's > thoughts on which options should be added? I think all of > these options > are enabled by default if using ClamAV via the command line > scanner with > MailScanner. > > New options in Mail-ClamAV-0.20 not listed in SweepViruses.pm: > > CL_SCAN_ELF > Enable support for ELF files. > > CL_SCAN_ALGORITHMIC > Enable algorithmic detection of viruses. > > CL_SCAN_PHISHING_DOMAINLIST > Phishing module: restrict URL scanning to domains from .pdf > (RECOMMENDED). > > CL_SCAN_PHISHING_BLOCKSSL > Phishing module: always block SSL mismatches in URLs. > > CL_SCAN_PHISHING_BLOCKCLOAK > Phishing module: always block cloaked URLs. > [...] I believe the export CL_SCAN_STDOPT is there specifically to enable the default scan options in the event that libclamav introduces new scanning options. From the ClamAV.pm: ==================================== CL_SCAN_STDOPT This is an alias for a recommended set of scan options. 
You should use it to make your software ready for new features in the future versions of libclamav =================================================== So if they are enabled by default in clamav they should automatically be used in Mail::ClamAV unless disabled within the scanner script (in this case MailScanner). Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From chen at hhmi.umbc.edu Thu Mar 8 15:53:26 2007 From: chen at hhmi.umbc.edu (Yu Chen) Date: Thu Mar 8 15:01:27 2007 Subject: Message from Jules In-Reply-To: References: Message-ID: > That's excellent news. :-) > > Jules, take it easy and give yourself some time and relax before playing > with MailScanner again. Second that, take time, don't rush, your health is more important! Best wishes, Chen > > Best wishes, > > Adri. > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tim > Chown > Sent: donderdag 8 maart 2007 15:39 > To: MailScanner discussion > Subject: Message from Jules > > Hi, > > I visited Jules for an hour and a half yesterday, he's mentally fine > and quite with it, but obviously physically weak from being unable to > use any muscles for a while. > > He is asking for his laptop, but I don't think he'll be using it for > just > a while yet (the hosptial may have something to say...) > > He said he'd like to thank everyone for the messages which he has on the > > table by his bed, to tell you all that's he's making good progress, and > that normal service will be resumed as soon as possible :) > > Best wishes, > Tim > =========================================== Yu Chen Howard Hughes Medical Institute Chemistry Building, Rm 182 University of Maryland at Baltimore County 1000 Hilltop Circle Baltimore, MD 21250 phone: (410)455-6347 (primary) (410)455-2718 (secondary) fax: (410)455-1174 email: chen@hhmi.umbc.edu =========================================== From gordon at itnt.co.za Thu Mar 8 16:07:21 2007 
From: gordon at itnt.co.za (Gordon Colyn) Date: Thu Mar 8 15:13:47 2007 Subject: duplicate emails being generated from outbound mailscanner queue Message-ID: <093601c76193$7e5c8d70$0a02a8c0@Gordon> I have an intermittent problem with my Mailscanner at the moment with emails larger than 2mb. The mail will sit in the outbound queue and Mailscanner will continually attempt to deliver the email without success, getting a deferred timeout error. On the receiving server however the mail is accepted each time and delivered to the user's mailbox creating a duplicate mail at each attempt until the email is deleted from the Mailscanner queue. Both servers are on the same lan and subnet. I am running; Mandriva 2006 MailScanner 4.57.6 sendmail 8.13.4 clamav 0.87 This server is delivering to a Mandrake 10.1 server with sendmail 8.13.1 How can I sort this problem out? Regards Gordon Colyn InTheNet Technologies www.itnt.co.za MSN: gordoncolyn@hotmail.com SKYPE: gordoncolyn 086 123 ITNT (4868) 086 682 5204 (Fax) +27 (0)83 296 7534 Confidentiality: This e-mail including any attachments is intended for the above named addressee(s) only and contains confidential information. If you have received this email in error you must take no action based on its contents, nor must you reproduce or show the e-mail or any attachments or any part thereof or communicate the contents to anyone; please reply to the sender of this e-mail informing them of the error. Viruses: We recommend that in keeping with good computing practice the recipient should ensure that e-mails received are virus free before opening. From dave.list at pixelhammer.com Thu Mar 8 16:13:54 2007 
From: dave.list at pixelhammer.com (DAve) Date: Thu Mar 8 15:20:17 2007 Subject: Message from Jules In-Reply-To: <20070308143922.GN30357@login.ecs.soton.ac.uk> References: <20070308143922.GN30357@login.ecs.soton.ac.uk> Message-ID: <45F02832.5080204@pixelhammer.com> Tim Chown wrote: > Hi, > > I visited Jules for an hour and a half yesterday, he's mentally fine > and quite with it, but obviously physically weak from being unable to > use any muscles for a while. > > He is asking for his laptop, but I don't think he'll be using it for just > a while yet (the hosptial may have something to say...) > > He said he'd like to thank everyone for the messages which he has on the > table by his bed, to tell you all that's he's making good progress, and > that normal service will be resumed as soon as possible :) > > Best wishes, > Tim Don't do it, his health is more important than MailScanner, I am sure his family would agree. There is nothing so broken in MS that we couldn't live with it for another month without "New Release Fever" kicking in. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From dyioulos at firstbhph.com Thu Mar 8 16:16:41 2007 
From: dyioulos at firstbhph.com (Dimitri Yioulos) Date: Thu Mar 8 15:22:52 2007 Subject: Message from Jules In-Reply-To: <20070308143922.GN30357@login.ecs.soton.ac.uk> References: <20070308143922.GN30357@login.ecs.soton.ac.uk> Message-ID: <200703081016.41847.dyioulos@firstbhph.com> On Thursday 08 March 2007 9:39 am, Tim Chown wrote: > Hi, > > I visited Jules for an hour and a half yesterday, he's mentally fine > and quite with it, but obviously physically weak from being unable to > use any muscles for a while. > > He is asking for his laptop, but I don't think he'll be using it for just > a while yet (the hospital may have something to say...) > > He said he'd like to thank everyone for the messages which he has on the > table by his bed, to tell you all that he's making good progress, and > that normal service will be resumed as soon as possible :) > > Best wishes, > Tim Great news! Better 'n' better every day. My very best to Julian. Dimitri -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Denis.Beauchemin at USherbrooke.ca Thu Mar 8 16:21:41 2007 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Mar 8 15:28:59 2007 Subject: Maillog-virus.pl 20070307 In-Reply-To: References: Message-ID: <45F02A05.6040902@USherbrooke.ca> Hugo van der Kooij wrote: > Hi, > > I did manage to get the timestamps sorted out a bit. (If someone has a > log file of last year they could see if the timestamps are ok on > those.) Anything over 11 months old will probably get an inaccurate > timestamp. > > Download: http://hugo.vanderkooij.org/email/stats/maillog-virus.pl > > So I now seem to have a way to get the 3 ingredients I want to collect: > timestamp; AV tool; infection name. > > The next thing is to write a collector to handle these reports, put > them in a database and show some nice statistics about them. > > That way there is a way to build an insight into current malware > activity. At least it could tell what is hot today or what was hot > yesterday or last week or .... > > And finally it needs to be secured so only participating parties can > have their logs analyzed and added to the database so there is at > least a reasonable amount of accuracy. > > In the end it should resemble the dshield way of doing things by > publishing the interchange format so people can write their own > collectors. > > So please give this script a spin to see if the collecting is nearing > accuracy for systems running MailScanner and logging silent viruses > including the AV info. > > The MailScanner config I use contains: > Virus Scanning = yes > Virus Scanners = clamav f-prot mcafee > Silent Viruses = HTML-IFrame All-Viruses > Log Silent Viruses = yes > > (I also wrote a bit to parse BitDefender for now.) Hugo, Seems fine here but I would rather write the date in this format: YYYY-MM-DD (such as 2006-03-08 for today). It's easier to parse and quite easy to read also (it's the format I always use). 
Many years ago I wrote an add-on to logrotate to rename all log files to include the date in the file's name (such as maillog.20061225) so it's easy for me to locate a log and know its contents. I have played with RHEL 5 and it has this feature built-in (logrotate-3.7.4-7): > dateext > Archive old versions of log files adding a daily > extension like YYYYMMDD instead of > simply adding a number. Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From jaearick at colby.edu Thu Mar 8 16:24:56 2007 
From: jaearick at colby.edu (Jeff A. Earickson) Date: Thu Mar 8 15:31:13 2007 Subject: Message from Jules In-Reply-To: <45F02832.5080204@pixelhammer.com> References: <20070308143922.GN30357@login.ecs.soton.ac.uk> <45F02832.5080204@pixelhammer.com> Message-ID: On Thu, 8 Mar 2007, DAve wrote: > Tim Chown wrote: >> Hi, >> >> I visited Jules for an hour and a half yesterday, he's mentally fine >> and quite with it, but obviously physically weak from being unable to >> use any muscles for a while. >> >> He is asking for his laptop, but I don't think he'll be using it for just >> a while yet (the hosptial may have something to say...) >> >> He said he'd like to thank everyone for the messages which he has on the >> table by his bed, to tell you all that's he's making good progress, and >> that normal service will be resumed as soon as possible :) >> >> Best wishes, >> Tim > > Don't do it, his health is more important than MailScanner, I am sure his > family would agree. There is nothing so broken in MS that we couldn't live > with it for another month without "New Release Fever" kicking in. > > DAve Agreed. He probably has larger issues to think about than MailScanner anyway. He should be receiving a get-well card from me in a few days via snail-mail. Jeff Earickson Colby College From edwardbruce at sbcglobal.net Thu Mar 8 16:38:23 2007 
From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Thu Mar 8 15:44:36 2007 Subject: Message from Jules In-Reply-To: <45F02832.5080204@pixelhammer.com> References: <20070308143922.GN30357@login.ecs.soton.ac.uk> <45F02832.5080204@pixelhammer.com> Message-ID: <45F02DEF.3010609@sbcglobal.net> DAve wrote: > Tim Chown wrote: >> Hi, >> >> I visited Jules for an hour and a half yesterday, he's mentally fine >> and quite with it, but obviously physically weak from being unable to >> use any muscles for a while. >> >> He is asking for his laptop, but I don't think he'll be using it for just >> a while yet (the hosptial may have something to say...) >> >> He said he'd like to thank everyone for the messages which he has on >> the table by his bed, to tell you all that's he's making good >> progress, and that normal service will be resumed as soon as possible :) >> >> Best wishes, >> Tim > > Don't do it, his health is more important than MailScanner, I am sure > his family would agree. There is nothing so broken in MS that we > couldn't live with it for another month without "New Release Fever" > kicking in. > > DAve > Having just spent a day in the ER and then spending several days having all sorts of lab work done on me, I can attest that having something to do can be quite beneficial. I believe it could be very beneficial for Julian to have something to keep his mind occupied, but of course I'm not a doctor, just a geek that loves to have his laptop with him too :) From alex at nkpanama.com Thu Mar 8 16:42:08 2007 
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Mar 8 15:48:55 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> Message-ID: <45F02ED0.30906@nkpanama.com> Res wrote: > The frequency of postfix related topics is high for obvious reasons, > those using sendmail, qmail and exim rarely have problems, PF is a > higher maintenance MTA for users of MS compared to the formers. My impression is that PF is a higher maintenance MTA - with or without MS. It's only my impression from reading the list, though... And besides, who would want to use it when MailScanner causes swapping! :-) From Denis.Beauchemin at USherbrooke.ca Thu Mar 8 16:46:47 2007 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Thu Mar 8 15:53:02 2007 Subject: duplicate emails being generated from outbound mailscanner queue In-Reply-To: <093601c76193$7e5c8d70$0a02a8c0@Gordon> References: <093601c76193$7e5c8d70$0a02a8c0@Gordon> Message-ID: <45F02FE7.1010809@USherbrooke.ca> Gordon Colyn wrote: > I have an intermittent problem with my Mailscanner at > the moment with emails larger than 2mb. The mail will sit in the outbound > queue and Mailscanner will continually attempt to deliver the email without > success, getting a deferred timeout error. On the receiving server however > the mail is accepted each time and delivered to the user's mailbox creating a > duplicate mail at each attempt until the email is deleted from the > Mailscanner queue. Both servers are on the same lan and subnet. > > I am running; > Mandriva 2006 > MailScanner 4.57.6 > sendmail 8.13.4 > clamav 0.87 > > This server is delivering to a Mandrake 10.1 server with sendmail 8.13.1 > > How can I sort this problem out? > > Gordon, If the mails are in the outqueue then MS has done its job and it is now sendmail's job to deliver them. So look into sendmail config instead of MS'. Any hints in your maillog? Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I. ^ ^ T: 819.821.8000x62252 F: 819.821.8045 From R.Sterenborg at netsourcing.nl Thu Mar 8 16:59:55 2007 
From: R.Sterenborg at netsourcing.nl (Rob Sterenborg) Date: Thu Mar 8 16:06:53 2007 Subject: dealing with dictionary attacks In-Reply-To: <45F02ED0.30906@nkpanama.com> References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F02ED0.30906@nkpanama.com> Message-ID: <74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net> Alex Neuman van der Hans [alex@nkpanama.com] wrote: > And besides, who would want to use it when MailScanner > causes swapping! :-) Please explain: how is it PF's fault when MS causes swapping? Grts, Rob From ylacan at teicam.com Thu Mar 8 17:06:52 2007 From: ylacan at teicam.com (Youri LACAN-BARTLEY) Date: Thu Mar 8 16:13:11 2007 Subject: Message from Jules In-Reply-To: <20070308143922.GN30357@login.ecs.soton.ac.uk> References: <20070308143922.GN30357@login.ecs.soton.ac.uk> Message-ID: <45F0349C.9020908@teicam.com> Tim Chown wrote: > Hi, > > I visited Jules for an hour and a half yesterday, he's mentally fine > and quite with it, but obviously physically weak from being unable to > use any muscles for a while. > I'm really glad to hear about this. > He is asking for his laptop, but I don't think he'll be using it for just > a while yet (the hosptial may have something to say...) Good luck to you Jules, and just take it easy for now okay :) > > He said he'd like to thank everyone for the messages which he has on the > table by his bed, to tell you all that's he's making good progress, and > that normal service will be resumed as soon as possible :) > Thanks for keeping us posted Tim. I try and keep an eye on Jules' recovery whenever I can. > Best wishes, > Tim All the best, Youri (France) From alex at nkpanama.com Thu Mar 8 17:11:16 2007 
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Thu Mar 8 16:18:01 2007 Subject: dealing with dictionary attacks In-Reply-To: <74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net> References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F02ED0.30906@nkpanama.com> <74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net> Message-ID: <45F035A4.5080100@nkpanama.com> Rob Sterenborg wrote: > Alex Neuman van der Hans [alex@nkpanama.com] wrote: > >> And besides, who would want to use it when MailScanner >> causes swapping! :-) >> > > Please explain: how is it PF's fault when MS causes swapping? > > > Grts, > Rob > It's a long running joke... Check the list for more details... ;-) From martinh at solidstatelogic.com Thu Mar 8 17:18:13 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Thu Mar 8 16:24:33 2007 Subject: duplicate emails being generated from outbound mailscanner queue In-Reply-To: <093601c76193$7e5c8d70$0a02a8c0@Gordon> Message-ID: <929c742002403044b6ca2de222f5e86e@solidstatelogic.com> Gordon MailScanner doesn't do any delivery - this is down to the MTA (sendmail in your case). Is this happening for a single remote server, or many. If any similarities in the remote MTA (MS-Exch etc).. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Gordon Colyn > Sent: 08 March 2007 15:07 > To: MailScanner discussion > Subject: duplicate emails being generated from outbound mailscanner queue > > I have an intermittent problem with my Mailscanner at > the moment with emails larger than 2mb. The mail will sit in the outbound > queue and Mailscanner will continually attempt to deliver the email > without > success, getting a deferred timeout error. On the receiving server > however > the mail is accepted each time and delivered to the user's mailbox creating > a > duplicate mail at each attempt until the email is deleted from the > Mailscanner queue. Both servers are on the same lan and subnet. > > I am running; > Mandriva 2006 > MailScanner 4.57.6 > sendmail 8.13.4 > clamav 0.87 > > This server is delivering to a Mandrake 10.1 server with sendmail 8.13.1 > > How can I sort this problem out? > > Regards > Gordon Colyn > InTheNet Technologies > www.itnt.co.za > MSN: gordoncolyn@hotmail.com > SKYPE: gordoncolyn > 086 123 ITNT (4868) > 086 682 5204 (Fax) > +27 (0)83 296 7534 > Confidentiality: This e-mail including any attachments is intended for the > above named addressee(s) only and contains confidential information. If > you > have received this email in error you must take no action based on its > contents, nor must you reproduce or show the e-mail or any attachments or > any part thereof or communicate the contents to anyone; please reply to > the > sender of this e-mail informing them of the error. > Viruses: We recommend that in keeping with good computing practice the > recipient should ensure that e-mails received are virus free before > opening. 
********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From hvdkooij at vanderkooij.org Thu Mar 8 17:20:57 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Mar 8 16:27:08 2007 Subject: duplicate emails being generated from outbound mailscanner queue In-Reply-To: <093601c76193$7e5c8d70$0a02a8c0@Gordon> References: <093601c76193$7e5c8d70$0a02a8c0@Gordon> Message-ID: On Thu, 8 Mar 2007, Gordon Colyn wrote: > I have an intermittent problem with my Mailscanner at > the moment with emails larger than 2mb. The mail will sit in the outbound > queue and Mailscanner will continually attempt to deliver the email without > success, getting a deferred timeout error. On the receiving server however > the mail is accepted each time and delivered to the user's mailbox creating a > duplicate mail at each attempt until the email is deleted from the > Mailscanner queue. Both servers are on the same lan and subnet. This is between your MTA and theirs. Just sniff the suspected SMTP session and see if the other party correctly signs off the SMTP session. Then you know which MTA you need to smack on the head. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From hvdkooij at vanderkooij.org Thu Mar 8 17:24:18 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Mar 8 16:30:44 2007 Subject: Maillog-virus.pl 20070307 In-Reply-To: <45F02A05.6040902@USherbrooke.ca> References: <45F02A05.6040902@USherbrooke.ca> Message-ID: On Thu, 8 Mar 2007, Denis Beauchemin wrote: > Seems fine here but I would rather write the date in this format: YYYY-MM-DD > (such as 2006-03-08 for today). It's easier to parse and quite easy to read > also (it's the format I always use). The date is a verbatim copy from the log file. All I will use is the timestamp as it will be correctly corrected to UTC. It is just a temporary debug line. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From ssilva at sgvwater.com Thu Mar 8 17:38:53 2007 
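The timestamp problem discussed in the Maillog-virus.pl messages above (syslog lines carry no year and no time zone, so old entries get the wrong year), as an added example that is not part of any list message and is not Hugo's script. The function names, the fixed UTC offset and the sample log lines are assumptions made for illustration; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# BSD syslog prefix: "Mar  8 15:39:23 host rest-of-line" (no year, no zone).
PREFIX = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) (?P<host>\S+) (?P<rest>.*)$")


def syslog_to_utc(mon, day, h, m, s, read_at, utc_offset_hours=0,
                  skew=timedelta(days=1)):
    """Give a year-less syslog time a year and convert it to UTC.

    read_at is the (timezone-aware) moment the log was collected. The newest
    year that does not put the entry after read_at + skew is chosen, so an
    entry more than about a year old cannot be told apart from a newer one.
    utc_offset_hours is an assumed fixed offset of the logging host; it does
    not model daylight saving changes.
    """
    if read_at.tzinfo is None:
        raise ValueError("read_at must be timezone-aware")
    if mon not in MONTHS:
        raise ValueError("unknown month %r" % mon)
    local = timezone(timedelta(hours=utc_offset_hours))
    limit = read_at.astimezone(local) + skew
    # Walk back far enough to reach a leap year for "Feb 29" entries.
    for year in range(limit.year, limit.year - 9, -1):
        try:
            cand = datetime(year, MONTHS[mon], day, h, m, s, tzinfo=local)
        except ValueError:
            continue  # date does not exist in this year
        if cand <= limit:
            return cand.astimezone(timezone.utc)
    raise ValueError("no valid calendar date for %s %s" % (mon, day))


def parse_line(line, read_at, utc_offset_hours=0):
    """Return UTC time, YYYY-MM-DD date, host and message, or None."""
    match = PREFIX.match(line)
    if match is None:
        return None
    when = syslog_to_utc(match["mon"], int(match["day"]), int(match["h"]),
                         int(match["m"]), int(match["s"]),
                         read_at, utc_offset_hours)
    return {"utc": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "date": when.strftime("%Y-%m-%d"),
            "host": match["host"],
            "message": match["rest"]}


# Constructed sample: a log read in March that still holds December entries.
SAMPLE = [
    "Dec 31 23:59:58 mx1 MailScanner[4242]: constructed entry A",
    "Jan  1 00:00:03 mx1 MailScanner[4242]: constructed entry B",
    "Mar  8 15:39:23 mx1 MailScanner[4242]: constructed entry C",
]
READ_AT = datetime(2007, 3, 8, 18, 0, 0, tzinfo=timezone.utc)


def normalise(lines, read_at=READ_AT, utc_offset_hours=1):
    """Parse every line, assuming the host logs in UTC+1."""
    return [parse_line(line, read_at, utc_offset_hours) for line in lines]


if __name__ == "__main__":
    for entry in normalise(SAMPLE):
        print(entry["utc"], entry["host"], entry["message"])
```

Entry B shows why the conversion matters for a shared collector: its local date is 1 January 2007, but in UTC it still belongs to 31 December 2006.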
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Mar 8 16:43:34 2007 Subject: Message from Jules In-Reply-To: <45F02DEF.3010609@sbcglobal.net> References: <20070308143922.GN30357@login.ecs.soton.ac.uk> <45F02832.5080204@pixelhammer.com> <45F02DEF.3010609@sbcglobal.net> Message-ID: Ed Bruce spake the following on 3/8/2007 7:38 AM: > DAve wrote: >> Tim Chown wrote: >>> Hi, >>> >>> I visited Jules for an hour and a half yesterday, he's mentally fine >>> and quite with it, but obviously physically weak from being unable to >>> use any muscles for a while. >>> >>> He is asking for his laptop, but I don't think he'll be using it for just >>> a while yet (the hosptial may have something to say...) >>> >>> He said he'd like to thank everyone for the messages which he has on >>> the table by his bed, to tell you all that's he's making good >>> progress, and that normal service will be resumed as soon as possible :) >>> >>> Best wishes, >>> Tim >> Don't do it, his health is more important than MailScanner, I am sure >> his family would agree. There is nothing so broken in MS that we >> couldn't live with it for another month without "New Release Fever" >> kicking in. >> >> DAve >> > > Having just spent a day in the ER and then spending several days having > all sorts of lab work done on me, I can attest that having something to > do can be quite beneficial. I believe it could be very beneficial for > Julian to have something to keep his mind occupied, but of course I'm > not a doctor, just a geek that loves to have his laptop with him too :) If he gets a laptop in front of him, he will start coding! He needs to sleep as much as he can. That is when the most healing happens. And if his job finds out he is "connected" they might sneak in requests also. If he wants to reply to some of the messages, he should wait, or have someone do it for him. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From rpoe at plattesheriff.org Thu Mar 8 17:44:58 2007 From: rpoe at plattesheriff.org (Rob Poe) Date: Thu Mar 8 16:51:41 2007 Subject: Message from Jules In-Reply-To: <200703081016.41847.dyioulos@firstbhph.com> References: <20070308143922.GN30357@login.ecs.soton.ac.uk> <200703081016.41847.dyioulos@firstbhph.com> Message-ID: <45EFE92A.65ED.00A2.0@plattesheriff.org> Get the man his damn laptop, but banish him from even TOUCHING perl for a while ... >>> Dimitri Yioulos 3/8/2007 9:16 AM >>> On Thursday 08 March 2007 9:39 am, Tim Chown wrote: > Hi, > > I visited Jules for an hour and a half yesterday, he's mentally fine > and quite with it, but obviously physically weak from being unable to > use any muscles for a while. > > He is asking for his laptop, but I don't think he'll be using it for just > a while yet (the hospital may have something to say...) > > He said he'd like to thank everyone for the messages which he has on the > table by his bed, to tell you all that he's making good progress, and > that normal service will be resumed as soon as possible :) > > Best wishes, > Tim Great news! Better 'n' better every day. My very best to Julian. Dimitri -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From campbell at cnpapers.com Thu Mar 8 17:47:25 2007 
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Mar 8 16:53:37 2007 Subject: dealing with dictionary attacks References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net> <45F035A4.5080100@nkpanama.com> Message-ID: <006a01c761a1$731e4120$0705000a@ddf5dw71> ----- Original Message ----- From: "Alex Neuman van der Hans" To: "MailScanner discussion" Sent: Thursday, March 08, 2007 11:11 AM Subject: Re: dealing with dictionary attacks > Rob Sterenborg wrote: >> Alex Neuman van der Hans [alex@nkpanama.com] wrote: >> >>> And besides, who would want to use it when MailScanner >>> causes swapping! :-) >>> >> >> Please explain: how is it PF's fault when MS causes swapping? >> >> >> Grts, >> Rob >> > It's a long running joke... Check the list for more details... ;-) You mean you guys have just been kidding about this all this time!!! Steve From arturs at netvision.net.il Thu Mar 8 17:56:03 2007 
From: arturs at netvision.net.il (Arthur Sherman)
Date: Thu Mar 8 17:03:38 2007
Subject: DKIM with MailScanner
In-Reply-To: <25a66d840703080506y155d2ba9kf01d8d81ee415789@mail.gmail.com>
Message-ID: <06c001c761a2$a7ef69f0$0dfb1bac@lapxp>

> The score warnings you see in your lint now are not related to DKIM. I
> assume when you say that the scores are still showing up as 0 you are
> referring to DKIM (e.g. DKIM_SIGNED, DKIM_VERIFIED, etc.)

My bad. I mean that mail comes unscored by MS:
---
X-CPTeam-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0, required 4, autolearn=not spam)
--
DKIM is unscored too.

> The default rules are something minuscule, like 0.001 and -0.001, just
> so that the rule appears in the report while you figure out what your
> policy should be. Now, it's up to you to decide what your DKIM policy
> shall be.

What config should I alter to define policy?

> I asked on this list a couple weeks ago with no replies. But, I'm
> finding that entities who may use a DK or DKIM signature are still
> spammy sometimes. Take for example a large mail-order catalogue
> company. Their mail would normally get caught by rules for things like
> image weight, textual intention of trying to sell something, etc. Now,
> you go and reward them heavily for passing a DKIM test and now their
> mail suddenly gets through.
>
> Personally, I'm not sure I want to be that kind. On the other hand,
> you could give a hefty penalty for those who have a forged DKIM
> signature, but I haven't seen a forgery attempt with either DK or DKIM
> yet.
>
> I'm interested in others' opinions on this as well.

Makes me think about it again. Probably the best start is low score, indeed.

Best,
--
Arthur Sherman
+972-52-4878851
http://www.cpt.co.il/

From cleveland at winnefox.org Thu Mar 8 18:49:37 2007
From: cleveland at winnefox.org (Jody Cleveland)
Date: Thu Mar 8 17:55:45 2007
Subject: Message from Jules
In-Reply-To: <20070308143922.GN30357@login.ecs.soton.ac.uk>
Message-ID:

That is excellent news! I pray you have a full recovery, and greetings from Wisconsin. Thank you so much, Tim, for keeping us all up to date on his progress.

- jody

On 3/8/07 8:39 AM, "Tim Chown" wrote:
> Hi,
>
> I visited Jules for an hour and a half yesterday, he's mentally fine
> and quite with it, but obviously physically weak from being unable to
> use any muscles for a while.
>
> He is asking for his laptop, but I don't think he'll be using it for just
> a while yet (the hospital may have something to say...)
>
> He said he'd like to thank everyone for the messages which he has on the
> table by his bed, to tell you all that he's making good progress, and
> that normal service will be resumed as soon as possible :)
>
> Best wishes,
> Tim

From bamcomp at yahoo.com Thu Mar 8 18:57:25 2007
From: bamcomp at yahoo.com (Brett Moss)
Date: Thu Mar 8 18:03:32 2007
Subject: Message from Jules
In-Reply-To: <20070308143922.GN30357@login.ecs.soton.ac.uk>
Message-ID: <490764.15221.qm@web30006.mail.mud.yahoo.com>

--- Tim Chown wrote:
> Hi,
>
> I visited Jules for an hour and a half yesterday,
> he's mentally fine
> and quite with it, but obviously physically weak
> from being unable to
> use any muscles for a while.
>
> He is asking for his laptop, but I don't think he'll
> be using it for just
> a while yet (the hospital may have something to
> say...)
>
> He said he'd like to thank everyone for the messages
> which he has on the
> table by his bed, to tell you all that he's making
> good progress, and
> that normal service will be resumed as soon as
> possible :)
>
> Best wishes,
> Tim
> --

This is fantastic news! Julian is in my family's thoughts and prayers.

Brett

From am.lists at gmail.com Thu Mar 8 19:03:36 2007
From: am.lists at gmail.com (am.lists)
Date: Thu Mar 8 18:09:43 2007
Subject: DKIM with MailScanner
In-Reply-To: <06c001c761a2$a7ef69f0$0dfb1bac@lapxp>
References: <25a66d840703080506y155d2ba9kf01d8d81ee415789@mail.gmail.com> <06c001c761a2$a7ef69f0$0dfb1bac@lapxp>
Message-ID: <25a66d840703081003v2511ac3bs2b5d8108cf38d889@mail.gmail.com>

On 3/8/07, Arthur Sherman wrote:
> What config should I alter to define policy?
>

Let's start by understanding which rules are out there:

# snippet from /usr/share/spamassassin/50_scores.cf
# DON'T MODIFY THIS FILE
# DKIM
ifplugin Mail::SpamAssassin::Plugin::DKIM
score DKIM_POLICY_SIGNALL 0.001
score DKIM_POLICY_SIGNSOME 0
score DKIM_POLICY_TESTING 0.001
score DKIM_SIGNED 0.001
score DKIM_VERIFIED -0.001
endif # Mail::SpamAssassin::Plugin::DKIM

Now, on its own, by default, this isn't very useful. But: Consider this: We know some things. If there's a policy that says "I sign all" and the message is not signed, we can penalize. But you have to make a combination (meta) rule to do this:

Example of how: (in my /etc/mail/spamassassin folder, add to mailscanner.cf at the bottom, under "Your Edits Go Here" section)

meta DKIM_FAIL_NOTSIGNED (DKIM_POLICY_SIGNALL && !DKIM_SIGNED)
describe DKIM_FAIL_NOTSIGNED DKIM Policy says they sign all messages, but message not signed.
score DKIM_FAIL_NOTSIGNED 3.0

Translated into English, "let's create a new rule called DKIM_FAIL_NOTSIGNED that fires when DKIM_POLICY_SIGNALL evaluates true and DKIM_SIGNED evaluates false and give this a 3.0 score"

We can't do anything with the sign-some policy (remember, my policy is that I'm not rewarding anyone, only penalizing the blatantly bad).

Personally, I'm mostly worried that spammy organizations that I really don't want mail from will start signing messages with DK / DKIM and get through under the score thresholds. But your purpose and mission may vary. Your policy may state that as long as the message passes verification you should accept it.

Best,
Angelo

From KGoods at AIAInsurance.com Thu Mar 8 19:10:00 2007
From: KGoods at AIAInsurance.com (Ken Goods)
Date: Thu Mar 8 18:16:26 2007
Subject: Message from Jules
Message-ID: <13C0059880FDD3118DC600508B6D4A6D01C29237@aiainsurance.com>

Rob Poe wrote:
> Get the man his damn laptop, but banish him from even TOUCHING perl
> for a while ...
>

Who said he wanted his laptop to tackle code???? I noticed that he hasn't logged on to his MySpace page for a long time... so now we know the real reason he wants his laptop so badly..... :)

Sorry Jules... I couldn't resist. (sheepish grin) But you know... humor and sleep are the best medicine!!! :)

My positive thoughts and prayers continue to be with you and I hope that your recovery is painless and swift!!!

Take care, and take your time getting better.

Kind regards,
Ken

Ken Goods
Network Administrator
CropUSA Insurance, Inc.

From dave.list at pixelhammer.com Thu Mar 8 19:21:52 2007
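[Added example, not part of any list message and not SpamAssassin's own code.] The meta rule from Angelo's "DKIM with MailScanner" message above, worked through in Python: a small evaluator for the quoted `score` and `meta` lines, run over constructed rule-hit sets. `REQUIRED` is the "required 4" from Arthur's SpamCheck header; the function names and scenarios are assumptions, and treating a score of 0 as "rule disabled" follows SpamAssassin's documented behaviour.

```python
import re

# Rule lines quoted in the thread: the 50_scores.cf snippet plus the local meta rule.
CONFIG = """
ifplugin Mail::SpamAssassin::Plugin::DKIM
score DKIM_POLICY_SIGNALL 0.001
score DKIM_POLICY_SIGNSOME 0
score DKIM_POLICY_TESTING 0.001
score DKIM_SIGNED 0.001
score DKIM_VERIFIED -0.001
endif # Mail::SpamAssassin::Plugin::DKIM
meta DKIM_FAIL_NOTSIGNED (DKIM_POLICY_SIGNALL && !DKIM_SIGNED)
describe DKIM_FAIL_NOTSIGNED DKIM Policy says they sign all messages, but message not signed.
score DKIM_FAIL_NOTSIGNED 3.0
"""
REQUIRED = 4.0  # "required 4" in the SpamCheck header quoted earlier in the thread
TOKEN = re.compile(r"&&|\|\||!|\(|\)|[A-Za-z_][A-Za-z0-9_]*")


def parse_config(text):
    """Return ({rule: score}, {meta_rule: expression}) from score/meta lines."""
    scores, metas = {}, {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 2)
        if len(parts) < 3:
            continue  # blank lines and ifplugin/endif (plugin assumed loaded)
        keyword, name, rest = parts
        if keyword == "score":
            scores[name] = float(rest.split()[0])
        elif keyword == "meta":
            metas[name] = rest.strip()
    return scores, metas


def evaluate(expr, hits):
    """Evaluate a meta expression (&&, ||, !, parentheses) against the rules that hit."""
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError("unsupported token in meta expression: %r" % expr)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1] if pos <= len(tokens) else None

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_or():
        value = parse_and()
        while peek() == "||":
            take()
            rhs = parse_and()  # parse first so short-circuiting never skips tokens
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "&&":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        tok = take()
        if tok == "!":
            return not parse_not()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in %r" % expr)
            return value
        if tok is None or tok in ("&&", "||", ")"):
            raise ValueError("malformed meta expression: %r" % expr)
        return tok in hits

    result = parse_or()
    if peek() is not None:
        raise ValueError("trailing tokens in %r" % expr)
    return result


def score_message(hits, scores, metas):
    """Return (sorted fired rules, total score) for the base rules in `hits`."""
    # A score of 0 disables a rule: it adds nothing and cannot feed a meta rule.
    # Unscored rules default to 1.0. Metas that reference other metas are not handled.
    base = {r for r in hits if scores.get(r, 1.0) != 0}
    fired = set(base)
    for name, expr in metas.items():
        if scores.get(name, 1.0) != 0 and evaluate(expr, base):
            fired.add(name)
    return sorted(fired), round(sum(scores.get(r, 1.0) for r in fired), 3)


SCORES, METAS = parse_config(CONFIG)

# Constructed rule-hit sets, one per DKIM situation discussed in the thread.
SCENARIOS = {
    "sign-all policy, unsigned": {"DKIM_POLICY_SIGNALL"},
    "sign-all policy, signed+verified": {"DKIM_POLICY_SIGNALL", "DKIM_SIGNED", "DKIM_VERIFIED"},
    "sign-some policy, unsigned": {"DKIM_POLICY_SIGNSOME"},
    "no policy, signed+verified": {"DKIM_SIGNED", "DKIM_VERIFIED"},
}

if __name__ == "__main__":
    for label, hits in SCENARIOS.items():
        fired, total = score_message(hits, SCORES, METAS)
        verdict = "spam" if total >= REQUIRED else "not spam"
        print("%-34s %-42s %6.3f %s" % (label, ",".join(fired) or "-", total, verdict))
```

With these scores the unsigned sign-all case totals 3.001, below the required 4, so the penalty only tips a message that has picked up about one more point from other rules.
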
From: dave.list at pixelhammer.com (DAve)
Date: Thu Mar 8 18:28:18 2007
Subject: Message from Jules
In-Reply-To: <45EFE92A.65ED.00A2.0@plattesheriff.org>
References: <20070308143922.GN30357@login.ecs.soton.ac.uk> <200703081016.41847.dyioulos@firstbhph.com> <45EFE92A.65ED.00A2.0@plattesheriff.org>
Message-ID: <45F05440.4040200@pixelhammer.com>

Rob Poe wrote:
> Get the man his damn laptop, but banish him from even TOUCHING perl for
> a while ...
>

Are we not like a bunch of little old ladies arguing over what is best for him?

-> Chicken soup
<- no, beef broth
-> soup!
<- broth!
-> SOUP I SAY!
<- BROTH BROTH BROTH!

All well intentioned. I am sure his family and doctors will do what is best, regardless of what we say ;^)

I have to say it is nice to be on a list concerning email and see well behaved and friendly, helpful posts. From someone as jaded as I am towards the internet in general, it is reassuring to see so many people actually caring about an OS developer.

Just a passing moment of reflection, carry on....

DAve

>
>
>>>> Dimitri Yioulos 3/8/2007 9:16 AM >>>
> On Thursday 08 March 2007 9:39 am, Tim Chown wrote:
>> Hi,
>>
>> I visited Jules for an hour and a half yesterday, he's mentally fine
>> and quite with it, but obviously physically weak from being unable to
>> use any muscles for a while.
>>
>> He is asking for his laptop, but I don't think he'll be using it for just
>> a while yet (the hospital may have something to say...)
>>
>> He said he'd like to thank everyone for the messages which he has on the
>> table by his bed, to tell you all that he's making good progress, and
>> that normal service will be resumed as soon as possible :)
>>
>> Best wishes,
>> Tim
>
>
> Great news! Better 'n' better every day. My very best to Julian.
>
> Dimitri
>

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans?

Maybe they forgot who made that choice possible.

From rpoe at plattesheriff.org Thu Mar 8 19:50:19 2007
From: rpoe at plattesheriff.org (Rob Poe)
Date: Thu Mar 8 18:58:10 2007
Subject: Message from Jules
In-Reply-To: <45F05440.4040200@pixelhammer.com>
References: <20070308143922.GN30357@login.ecs.soton.ac.uk> <200703081016.41847.dyioulos@firstbhph.com> <45EFE92A.65ED.00A2.0@plattesheriff.org><45EFE92A.65ED.00A2.0@plattesheriff.org> <45F05440.4040200@pixelhammer.com>
Message-ID: <45F0068C.65ED.00A2.0@plattesheriff.org>

>>Get the man his damn laptop, but banish him from even TOUCHING perl for
>>a while ...

>Are we not like a bunch of little old ladies arguing over what is best for him?

We are ... :)

I know that no matter what, I'd want my laptop, if only for the comfort factor of being able to hack into the pharmacy to get more pain killers.

From gcle at smcaus.com.au Thu Mar 8 22:10:02 2007
From: gcle at smcaus.com.au (Gerard Cleary) Date: Thu Mar 8 21:16:25 2007 Subject: Message from Jules In-Reply-To: <20070308143922.GN30357@login.ecs.soton.ac.uk> References: <20070308143922.GN30357@login.ecs.soton.ac.uk> Message-ID: <200703090810.02406.gcle@smcaus.com.au> On Fri, 9 Mar 2007 01:39, Tim Chown wrote: > Hi, > > I visited Jules for an hour and a half yesterday, he's mentally fine > and quite with it, but obviously physically weak from being unable to > use any muscles for a while. > > He is asking for his laptop, but I don't think he'll be using it for just > a while yet (the hosptial may have something to say...) > > He said he'd like to thank everyone for the messages which he has on the > table by his bed, to tell you all that's he's making good progress, and > that normal service will be resumed as soon as possible :) > > Best wishes, > Tim Thanks Tim for keeping us up to date with Jules' recovery. I wish him all the best and hope that he draws strength from all these messages of good will to help him cope with his health problems. Card on the way from Australia. Gerard. -- Gerard Cleary System Administrator SMC Pneumatics Australia Pty Ltd PH: (02) 9354 8222 -- This email message and any related attachments are confidential and should only be read by those persons to whom they were addressed. They may contain copyright, personal or legally privileged information. If you are not the intended recipient of this email, any use of this information is strictly prohibited and it must be deleted from your system. Views expressed in this message are the views of the sender and are not necessarily views of SMC Corporation, or it's subsidiaries, except where the message expressly states otherwise. Any advice contained herein should be treated as preliminary advice only and subject to formal written confirmation. 
Although this email and any attachments are believed to be free of any virus or any other defect which may cause damage or loss, it is the responsibility of the recipient to ensure that they are virus-free. SMC accepts no liability for any loss or damage that may occur as a result of the transmission of this email or its attachments to the recipient. From arturs at netvision.net.il Thu Mar 8 22:43:08 2007 From: arturs at netvision.net.il (Arthur Sherman) Date: Thu Mar 8 21:50:44 2007 Subject: Message from Jules In-Reply-To: <45F0068C.65ED.00A2.0@plattesheriff.org> Message-ID: <06f001c761ca$c2cc5e90$0dfb1bac@lapxp> > >>Get the man his damn laptop, but banish him from even TOUCHING perl > for > >>a while ... > > >Are we not like a bunch of little old ladies arguing over > what is best > for him? > > We are ... :) > > I know that no matter what, I'd want my laptop, if only for > the comfort > factor of being able to hack into the pharmacy to get more pain > killers. > LOL Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ From arturs at netvision.net.il Thu Mar 8 22:43:08 2007 From: arturs at netvision.net.il (Arthur Sherman) Date: Thu Mar 8 21:50:45 2007 Subject: Message from Jules In-Reply-To: <200703090810.02406.gcle@smcaus.com.au> Message-ID: <06f101c761ca$c2edc940$0dfb1bac@lapxp> All the Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Gerard Cleary
> Sent: Thursday, March 08, 2007 11:10 PM
> To: MailScanner discussion
> Subject: Re: Message from Jules
>
> On Fri, 9 Mar 2007 01:39, Tim Chown wrote:
> > Hi,
> >
> > I visited Jules for an hour and a half yesterday, he's mentally fine
> > and quite with it, but obviously physically weak from being unable to
> > use any muscles for a while.
> >
> > He is asking for his laptop, but I don't think he'll be using it for just
> > a while yet (the hospital may have something to say...)
> >
> > He said he'd like to thank everyone for the messages which he has on the
> > table by his bed, to tell you all that he's making good progress, and
> > that normal service will be resumed as soon as possible :)
> >
> > Best wishes,
> > Tim
>
>
> Thanks Tim for keeping us up to date with Jules' recovery. I wish him all the
> best and hope that he draws strength from all these messages of good will to
> help him cope with his health problems.
> Card on the way from Australia.
> Gerard.
>
> --
> Gerard Cleary
> System Administrator SMC Pneumatics Australia Pty Ltd
> PH: (02) 9354 8222
>

From rpoe at plattesheriff.org Thu Mar 8 23:15:02 2007
From: rpoe at plattesheriff.org (Rob Poe)
Date: Thu Mar 8 22:21:46 2007
Subject: Question about MailWatch
Message-ID: <45F03686020000A2000053E9@platteco-2.plattesheriff.org>

I noticed in the latest update I did of MailWatch (1.03?) there is a place for each user to have a custom spam score.

If you do not set it, it is set to "Default".

Where do you set Default. Is that even what SQLSpamScore.pm does?

Thanks

Ro

From res at ausics.net Thu Mar 8 23:24:15 2007
From: res at ausics.net (Res)
Date: Thu Mar 8 22:31:27 2007
Subject: dealing with dictionary attacks
In-Reply-To: <45F02ED0.30906@nkpanama.com>
References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F02ED0.30906@nkpanama.com>
Message-ID:

On Thu, 8 Mar 2007, Alex Neuman van der Hans wrote:

> Res wrote:
>> The frequency of postfix related topics is high for obvious reasons, those
>> using sendmail, qmail and exim rarely have problems, PF is a higher
>> maintenance MTA for users of MS compared to the formers.
>
> My impression is that PF is a higher maintenance MTA - with or without MS.
> It's only my impression from reading the list, though... And besides, who
> would want to use it when MailScanner causes swapping! :-)

ROFL, agreed :)

>

--
Cheers
Res

"If I lay here, If I just lay here, would you lay with with me and just forget the world?"

From res at ausics.net Thu Mar 8 23:26:15 2007
From: res at ausics.net (Res)
Date: Thu Mar 8 22:33:28 2007
Subject: dealing with dictionary attacks
In-Reply-To: <006a01c761a1$731e4120$0705000a@ddf5dw71>
References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net> <45F035A4.5080100@nkpanama.com> <006a01c761a1$731e4120$0705000a@ddf5dw71>
Message-ID:

On Thu, 8 Mar 2007, Steve Campbell wrote:

>>> Please explain: how is it PF's fault when MS causes swapping?

>> It's a long running joke... Check the list for more details... ;-)

> You mean you guys have just been kidding about this all this time!!!

Uhoh, Alex... Sounds like you just spoilt someone's fun :)

--
Cheers
Res

"If I lay here, If I just lay here, would you lay with with me and just forget the world?"

From res at ausics.net Thu Mar 8 23:30:54 2007
From: res at ausics.net (Res)
Date: Thu Mar 8 22:38:07 2007
Subject: duplicate emails being generated from outbound mailscanner queue
In-Reply-To: <093601c76193$7e5c8d70$0a02a8c0@Gordon>
References: <093601c76193$7e5c8d70$0a02a8c0@Gordon>
Message-ID:

On Thu, 8 Mar 2007, Gordon Colyn wrote:

> sendmail 8.13.4

This is 2004/2005, You've missed a few versions... 8.14.0 is current, please upgrade ASAP, and check your 'lock type' in MailScanner.conf, must be 'posix'.

--
Cheers
Res

"If I lay here, If I just lay here, would you lay with with me and just forget the world?"

From res at ausics.net Thu Mar 8 23:38:01 2007
From: res at ausics.net (Res)
Date: Thu Mar 8 22:45:12 2007
Subject: Message from Jules
In-Reply-To:
References:
Message-ID:

On Thu, 8 Mar 2007, Yu Chen wrote:

>> That's excellent news. :-)

Bloody oath!

>> Jules, take it easy and give yourself some time and relax before playing
>> with MailScanner again.
>
> Second that, take time, don't rush, your health is more important!

I fully agree, rushing back into your old routine can have serious consequences, take the time off to relax and get back to normal at your body's capable pace, not the pace you want, and then, no more working as much as you have been, it's not good for you, trust me, I know :) I was once a sweet kind person, hard to believe hey :P

--
Cheers
Res

"If I lay here, If I just lay here, would you lay with with me and just forget the world?"

From res at ausics.net Thu Mar 8 23:41:18 2007
From: res at ausics.net (Res)
Date: Thu Mar 8 22:48:30 2007
Subject: Question about MailWatch
In-Reply-To: <45F03686020000A2000053E9@platteco-2.plattesheriff.org>
References: <45F03686020000A2000053E9@platteco-2.plattesheriff.org>
Message-ID:

On Thu, 8 Mar 2007, Rob Poe wrote:

> I noticed in the latest update I did of MailWatch (1.03?) there is a place for each user to have a custom spam score.

Maybe if you ask on mailwatch list you get a better answer :)

MailScanner != MailWatch

--
Cheers
Res

"If I lay here, If I just lay here, would you lay with with me and just forget the world?"

From taz at taz-mania.com Thu Mar 8 23:58:54 2007
From: taz at taz-mania.com (Dennis Willson)
Date: Thu Mar 8 23:05:01 2007
Subject: Question about MailWatch
In-Reply-To: <45F03686020000A2000053E9@platteco-2.plattesheriff.org>
Message-ID:

There are two defaults, one for the system and one for a specific domain. The system defaults come from a user called admin. The domain defaults come from the domain administrator ID. If the user has not set their own values, then it drops to using the domain defaults. If there are no domain defaults, then it drops to using the system defaults.

Hope this helps.

On Thu, 08 Mar 2007 16:15:02 -0600 "Rob Poe" wrote:
>I noticed in the latest update I did of MailWatch (1.03?) there is a
>place for each user to have a custom spam score.
>
>If you do not set it, it is set to "Default".
>
>Where do you set Default. Is that even what SQLSpamScore.pm does?
>
>Thanks
>
>Ro

--------------------------------------------------
Dennis Willson
taz@taz-mania.com
http://www.taz-mania.com
Ham (Extra Class): KA6LSW
GMRS : WQGF680
Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender

Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!"

From damian at workgroupsolutions.com Fri Mar 9 01:55:25 2007
From: damian at workgroupsolutions.com (Damian Mendoza)
Date: Fri Mar 9 01:01:35 2007
Subject: Message from Jules
In-Reply-To: <13C0059880FDD3118DC600508B6D4A6D01C29237@aiainsurance.com>
Message-ID: <0C941442AC84A8449448BA2207DD4F4D216133@core01.workgroupsolutions.com>

Jules,

Charge a nominal fee for MailScanner usage in a commercial environment, increase the price of the book and dump the day job. That should remove some stress from your life.

Best wishes from Mission Viejo, California

Regards,
Damian

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken Goods
Sent: Thursday, March 08, 2007 10:10 AM
To: 'MailScanner discussion'
Subject: RE: Message from Jules

Rob Poe wrote:
> Get the man his damn laptop, but banish him from even TOUCHING perl
> for a while ...
>

Who said he wanted his laptop to tackle code???? I noticed that he hasn't logged on to his MySpace page for a long time... so now we know the real reason he wants his laptop so badly..... :)

Sorry Jules... I couldn't resist. (sheepish grin) But you know... humor and sleep are the best medicine!!! :)

My positive thoughts and prayers continue to be with you and I hope that your recovery is painless and swift!!!

Take care, and take your time getting better.

Kind regards,
Ken

Ken Goods
Network Administrator
CropUSA Insurance, Inc.

From markee at bandwidthco.com Fri Mar 9 04:44:44 2007
From: markee at bandwidthco.com (markee) Date: Fri Mar 9 03:52:55 2007 Subject: Message from Jules In-Reply-To: <0C941442AC84A8449448BA2207DD4F4D216133@core01.workgroupsolutions.com> Message-ID: <007501c761fd$46e32560$0300a8c0@bandwidthco.com> To Damian: Amen Damian. To Julian: You only live once. Do it doing what you love most. You should be a rich man already on your GREAT accomplishments. Relax and enjoy life. There are plenty of us out there who can provide you with the advice and support you need to live the rest of your life based on the BEST and most PRODUCTIVE & EFFECTIVE application of Perl EVER. Additionally, you are already six months or more ahead of Barracuda and the rest. So there is a six month vacation alone. Take it. We will wait for you and be just fine. We are here for you now because you have always been there for us. Jules, Charge a nominal fee for MailScanner usage in a commercial environment, increase the price of the book and dump the day job. That should remove some stress from your life. Best wishes from Mission Viejo, California Regards, Damian ######################################################## This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. postmaster@bandwidthco.com MailScanner at Bandwidthco Computer Security is for your absolute protection. ######################################################## From hvdkooij at vanderkooij.org Fri Mar 9 08:38:27 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Mar 9 07:44:43 2007
Subject: Message from Jules
In-Reply-To: <0C941442AC84A8449448BA2207DD4F4D216133@core01.workgroupsolutions.com>
References: <0C941442AC84A8449448BA2207DD4F4D216133@core01.workgroupsolutions.com>
Message-ID:

On Thu, 8 Mar 2007, Damian Mendoza wrote:

> Charge a nominal fee for MailScanner usage in a commercial environment,
> increase the price of the book and dump the day job. That should remove
> some stress from your life.

I'm not the 'me too' type. So I have been quiet on the subject for now. But I think we should leave decisions like this to Julian himself.

It is one thing to see the friendly shoulderbashing type of remarks of the past days. But I think we ought to let serious advice come from those near Julian.

I am sure the intention is good but let the man enjoy his life the way he feels it should.

I suspect Julian suffers at least as much from a 'Florence Nightingale syndrome' as I do. Which for me means there is no greater joy than to spot a problem and work out a solution.

But I risk becoming too serious here. So don't feel too much larted. (http://en.wikipedia.org/wiki/Luser) It's just me so who cares what I say anyway?

Yeah, I also did overcome my usual snailmail aversion and posted a card so Julian can beat the Pope next time by saying 'Get well' in at least as many languages as the Pope can say 'Merry Christmas'.

Julian: Get well (or at least better) and never fear to hit me on the head for not doing the right thing.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From lhaig at haigmail.com Fri Mar 9 09:12:08 2007
From: lhaig at haigmail.com (Lance Haig)
Date: Fri Mar 9 08:18:18 2007
Subject: Message from Jules
In-Reply-To: <20070308143922.GN30357@login.ecs.soton.ac.uk>
References: <20070308143922.GN30357@login.ecs.soton.ac.uk>
Message-ID: <45F116D8.2050302@haigmail.com>

This is fantastic news. Great stuff Julian.

Lance

Tim Chown wrote:
> Hi,
>
> I visited Jules for an hour and a half yesterday, he's mentally fine
> and quite with it, but obviously physically weak from being unable to
> use any muscles for a while.
>
> He is asking for his laptop, but I don't think he'll be using it for just
> a while yet (the hospital may have something to say...)
>
> He said he'd like to thank everyone for the messages which he has on the
> table by his bed, to tell you all that he's making good progress, and
> that normal service will be resumed as soon as possible :)
>
> Best wishes,
> Tim
>

From clamun at gmail.com Fri Mar 9 10:45:51 2007
From: clamun at gmail.com (Claudio Mundin)
Date: Fri Mar 9 09:52:01 2007
Subject: MailSacanner don't work
Message-ID: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com>

Hi,

I install MailScanner without any errors, but when I try to start up MailScanner (/etc/init.d/MailScanner start) and I try to see the status, the result of status is dead.

Where can I see information about the error??

THANKS

From martinh at solidstatelogic.com Fri Mar 9 10:51:59 2007
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Fri Mar 9 09:58:19 2007 Subject: MailSacanner don't work In-Reply-To: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com> Message-ID: <798176981de13f4fa9405a1247c7bd61@solidstatelogic.com> Claudio How are you looking for the 'status'. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Claudio Mundin > Sent: 09 March 2007 09:46 > To: mailscanner@lists.mailscanner.info > Subject: MailSacanner don't work > > Hi, > > I install MailSacanner with out any errors, but when i try to star up > MailScanner (/etc/init.d/MailScanner start) and I try to see the status, > the result of status is dead. > > where can i see information about the error?? > > THANK ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From uxbod at splatnix.net Fri Mar 9 10:58:59 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Mar 9 10:03:27 2007
Subject: MailSacanner don't work
In-Reply-To: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com>
References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com>
Message-ID: <20070309095859.3339ce35@uxbod.splatnix.net>

On Fri, 9 Mar 2007 06:45:51 -0300 "Claudio Mundin" wrote:

> Hi,
>
> I install MailScanner without any errors, but when I try to start up
> MailScanner (/etc/init.d/MailScanner start) and I try to see the
> status, the result of status is dead.
>
> Where can I see information about the error??
>
> THANKS
>

Dependent on O/S but try /var/log/messages as a starter.

From clamun at gmail.com Fri Mar 9 11:02:18 2007
From: clamun at gmail.com (Claudio Mundin)
Date: Fri Mar 9 10:08:28 2007
Subject: MailSacanner don't work
In-Reply-To: <798176981de13f4fa9405a1247c7bd61@solidstatelogic.com>
References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com> <798176981de13f4fa9405a1247c7bd61@solidstatelogic.com>
Message-ID: <7e78dc1f0703090202x2c0208d5k8263ae966c127209@mail.gmail.com>

After /etc/init.d/MailScanner start I have the following processes:

3650 ? Ss 0:00 MailScanner: master waiting for children, sleeping
3651 ? S 0:02 \_ MailScanner: waiting for messages
3655 ? S 0:02 \_ MailScanner: waiting for messages
3665 ? S 0:02 \_ MailScanner: waiting for messages
3671 ? S 0:02 \_ MailScanner: waiting for messages
3675 ? S 0:02 \_ MailScanner: waiting for messages
3821 ? Ss 0:00 sendmail: accepting connections
3826 ? Ss 0:00 sendmail: Queue control
3827 ? S 0:00 \_ sendmail: running queue: /var/spool/mqueue
3839 ? Ss 0:00 sendmail: Queue runner@00:30:00 for /var/spool/mqueue

the output of netstat:

tcp 0 0 192.168.10.165:427 0.0.0.0:* LISTEN 3008/slpd
tcp 0 0 127.0.0.1:427 0.0.0.0:* LISTEN 3008/slpd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2419/portmap
tcp 0 0 127.0.0.1:2544 0.0.0.0:* LISTEN 2515/zmd
tcp 0 0 192.168.10.165:53 0.0.0.0:* LISTEN 2755/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2755/named
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3821/sendmail: acce
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2755/named
tcp 0 0 :::52005 :::* LISTEN 2609/sshd
tcp 0 0 :::80 :::* LISTEN 3013/httpd2-prefork
tcp 0 0 ::1:953 :::* LISTEN 2755/named
tcp 0 0 192.168.10.165:52005 192.168.10.58:41439 ESTABLISHED 3164/0
tcp 0 0 192.168.10.165:52005 192.168.10.58:41440 ESTABLISHED 3194/1
udp 0 0 0.0.0.0:32768 0.0.0.0:* 2755/named
udp 0 0 255.255.255.255:427 0.0.0.0:* 3008/slpd
udp 0 0 192.168.10.165:427 0.0.0.0:* 3008/slpd
udp 0 0 224.0.1.22:427 0.0.0.0:* 3008/slpd
udp 0 0 239.255.255.253:427 0.0.0.0:* 3008/slpd
udp 0 0 192.168.10.165:53 0.0.0.0:* 2755/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2755/named
udp 0 0 0.0.0.0:111 0.0.0.0:* 2419/portmap
udp 0 0 :::32769 :::* 2755/named

where I only have the sendmail process on 127.0.0.1:25 and I don't have a mailscanner process.

Then with /etc/init.d/MailScanner status the output is:

Checking for service MailScanner: dead

2007/3/9, Martin.Hepworth :
>
> Claudio
>
> How are you looking for the 'status'.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Claudio Mundin > > Sent: 09 March 2007 09:46 > > To: mailscanner@lists.mailscanner.info > > Subject: MailSacanner don't work > > > > Hi, > > > > I install MailSacanner with out any errors, but when i try to star up > > MailScanner (/etc/init.d/MailScanner start) and I try to see the > status, > > the result of status is dead. > > > > where can i see information about the error?? > > > > THANK > > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show them > to anyone. Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. > > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We advise > that you consider this fact when e-mailing us. > > Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. 
> > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales > (Company No:5362730) > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > United Kingdom > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070309/b2acc1c5/attachment.html From clamun at gmail.com Fri Mar 9 11:08:29 2007 
From: clamun at gmail.com (Claudio Mundin)
Date: Fri Mar 9 10:14:41 2007
Subject: MailSacanner don't work
In-Reply-To: <20070309095859.3339ce35@uxbod.splatnix.net>
References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com> <20070309095859.3339ce35@uxbod.splatnix.net>
Message-ID: <7e78dc1f0703090208w2d0e7059mbbe70466e5a10e5f@mail.gmail.com>

I installed on Suse 10 Enterprise.

The log with some output is /var/log/mail

and the output is:

Mar 9 07:06:14 fw sendmail-client[4132]: starting daemon (8.13.6): persistent-queueing@00:01:00
Mar 9 07:06:14 fw sendmail-client[4132]: unable to write pid to /var/spool/clientmqueue/sm-client.pid: Permission denied
Mar 9 07:06:14 fw sendmail-out[4136]: starting daemon (8.13.6): queueing@00:30:00
Mar 9 07:06:16 fw MailScanner[4156]: MailScanner E-Mail Virus Scanner version 4.54.6 starting...
Mar 9 07:06:16 fw MailScanner[4156]: Read 764 hostnames from the phishing whitelist
Mar 9 07:06:17 fw MailScanner[4156]: Using SpamAssassin results cache
Mar 9 07:06:17 fw MailScanner[4156]: Connected to SpamAssassin cache database
Mar 9 07:06:17 fw MailScanner[4156]: Enabling SpamAssassin auto-whitelist functionality...
Mar 9 07:06:24 fw MailScanner[4156]: ClamAV scanner using unrar command /usr/bin/unrar
Mar 9 07:06:24 fw MailScanner[4156]: Using locktype = flock

2007/3/9, --[ UxBoD ]-- :
>
> Dependent on O/S but try /var/log/messages as a starter.
>

From martinh at solidstatelogic.com Fri Mar 9 11:09:03 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Mar 9 10:15:27 2007
Subject: {Disarmed} Re: MailSacanner don't work
In-Reply-To: <7e78dc1f0703090202x2c0208d5k8263ae966c127209@mail.gmail.com>
Message-ID: <140bc0b58d969b4e8defb436c9dcaa08@solidstatelogic.com>

Looks like it's fine to me..... maybe the status check in the init
script is broke...

You check if it's actually doing stuff by entries in /var/log/maillog for
the mailscanner processes and also X--MailScanner: headers in the email.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**********************************************************************
Confidentiality : This e-mail and any attachments are intended for the
addressee only and may be confidential. If they come to you in error
you must take no action based on them, nor must you copy or show them
to anyone. Please advise the sender by replying to this e-mail
immediately and then delete the original from your computer.

Opinion : Any opinions expressed in this e-mail are entirely those of
the author and unless specifically stated to the contrary, are not
necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure
communications medium and can be subject to data corruption. We advise
that you consider this fact when e-mailing us.

Viruses : We have taken steps to ensure that this e-mail and any
attachments are free from known viruses but in keeping with good
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
United Kingdom
**********************************************************************

From martinh at solidstatelogic.com Fri Mar 9 11:12:08 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Mar 9 10:18:29 2007
Subject: MailSacanner don't work
In-Reply-To: <7e78dc1f0703090208w2d0e7059mbbe70466e5a10e5f@mail.gmail.com>
Message-ID: <20c0867dfe200f42bb386bd9e4210ae5@solidstatelogic.com>

You should also see information about emails being processed.

Unless of course you've not done the rest of the setup - setup 2
sendmail queues, edited MailScanner.conf to point at the correct queues
etc etc.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

From uxbod at splatnix.net Fri Mar 9 11:18:02 2007
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Fri Mar 9 10:19:38 2007
Subject: {***FRAUD***} {***DISARMED***} Re: MailSacanner don't work
In-Reply-To: <7e78dc1f0703090202x2c0208d5k8263ae966c127209@mail.gmail.com>
References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com> <798176981de13f4fa9405a1247c7bd61@solidstatelogic.com> <7e78dc1f0703090202x2c0208d5k8263ae966c127209@mail.gmail.com>
Message-ID: <20070309101802.3dcb92aa@uxbod.splatnix.net>

On Fri, 9 Mar 2007 07:02:18 -0300
"Claudio Mundin" wrote:

> Then with /etc/init.d/MailScanner status the output is:
>
> Checking for service MailScanner: dead
>
Shut down MailScanner and then run in debug
mode. /opt/MailScanner/bin/MailScanner --debug and see what that
reports.

From clamun at gmail.com Fri Mar 9 11:43:00 2007
From: clamun at gmail.com (Claudio Mundin)
Date: Fri Mar 9 10:49:20 2007
Subject: {***FRAUD***} {***DISARMED***} Re: MailSacanner don't work
In-Reply-To: <20070309101802.3dcb92aa@uxbod.splatnix.net>
References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com> <798176981de13f4fa9405a1247c7bd61@solidstatelogic.com> <7e78dc1f0703090202x2c0208d5k8263ae966c127209@mail.gmail.com> <20070309101802.3dcb92aa@uxbod.splatnix.net>
Message-ID: <7e78dc1f0703090243s7e44aa89oa91f8caec9c859cc@mail.gmail.com>

The output is:

In Debugging mode, not forking...

2007/3/9, --[ UxBoD ]-- :
>
> Shut down MailScanner and then run in debug
> mode. /opt/MailScanner/bin/MailScanner --debug and see what that
> reports.
>

From penguin at dhcp.net Fri Mar 9 11:55:05 2007
From: penguin at dhcp.net (A. Eijkhoudt)
Date: Fri Mar 9 11:01:59 2007
Subject: MailSacanner don't work
In-Reply-To: <7e78dc1f0703090208w2d0e7059mbbe70466e5a10e5f@mail.gmail.com>
References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com> <20070309095859.3339ce35@uxbod.splatnix.net> <7e78dc1f0703090208w2d0e7059mbbe70466e5a10e5f@mail.gmail.com>
Message-ID: <45F13D09.8060000@dhcp.net>

Hello Claudio,

So far I've seen nothing in your E-mails to indicate that MailScanner
should not be working properly. You seem to have both the Sendmail
processes (queue runners) running, and your process list shows
MailScanner with its children forked & running as well.

Please note that MailScanner will NOT show up 'listening on a port' with
netstat. It is merely a program that sits idly by until it sees the
sendmail processes put mail in their respective queues.

Also, the init script might just be 'thinking' MailScanner is dead
because it is not seeing the correct process id(s).

Could you please tell us how you concluded that MailScanner is not
working? Have you sent an E-mail while running a 'tail -f' of your
mail.log/maillog file and seen anything happen (errors or not)?

Regards,
A. Eijkhoudt

From campbell at cnpapers.com Fri Mar 9 12:02:52 2007
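
Added example for the "MailSacanner don't work" thread above (not part of any list message, and not MailScanner's or SuSE's own code): it applies A. Eijkhoudt's point that a "dead" status can come from the init script not seeing the right process id, using the ps and log output Claudio posted. The function names and the pid value handed to ms_verdict are assumptions; the thread does not say where the init script looks up the PID.

```shell
#!/bin/sh
# Added example: judge MailScanner liveness from the process table instead of
# trusting a pid-based "status" result. SAMPLE_PS and SAMPLE_LOG are excerpts
# of the output posted in the thread (column spacing normalised).

SAMPLE_PS=' 3650 ?  Ss  0:00 MailScanner: master waiting for children, sleeping
 3651 ?  S   0:02  \_ MailScanner: waiting for messages
 3655 ?  S   0:02  \_ MailScanner: waiting for messages
 3665 ?  S   0:02  \_ MailScanner: waiting for messages
 3671 ?  S   0:02  \_ MailScanner: waiting for messages
 3675 ?  S   0:02  \_ MailScanner: waiting for messages
 3821 ?  Ss  0:00 sendmail: accepting connections
 3826 ?  Ss  0:00 sendmail: Queue control'

SAMPLE_LOG='Mar  9 07:06:14 fw sendmail-client[4132]: unable to write pid to /var/spool/clientmqueue/sm-client.pid: Permission denied
Mar  9 07:06:16 fw MailScanner[4156]: MailScanner E-Mail Virus Scanner version 4.54.6 starting...
Mar  9 07:06:24 fw MailScanner[4156]: Using locktype = flock'

# Read ps-style text on stdin, print the PID of the MailScanner master.
ms_master_pid() {
    awk '/MailScanner: master/ { print $1; exit }'
}

# Read ps-style text on stdin, print the number of MailScanner workers
# (any "MailScanner:" process that is not the master).
ms_child_count() {
    awk '/MailScanner:/ && !/master/ { n++ } END { print n + 0 }'
}

# $1 = ps-style text
# $2 = PID the status check believes in (assumption: read from a pid file;
#      pass "" when that file is missing or unreadable)
ms_verdict() {
    master=$(printf '%s\n' "$1" | ms_master_pid)
    kids=$(printf '%s\n' "$1" | ms_child_count)
    if [ -z "$master" ]; then
        echo "dead"                      # nothing running at all
    elif [ "$kids" -eq 0 ]; then
        echo "master-only"               # master up, no workers forked
    elif [ "$2" != "$master" ]; then
        echo "alive-pidfile-mismatch"    # running, but a pid-based status would say dead
    else
        echo "alive"
    fi
}

# Read syslog text on stdin, print "daemon path" for every daemon that logged
# a failed pid-file write. A status check that reads that file cannot be
# trusted for that daemon.
pid_write_failures() {
    sed -n 's/^.* \([^ ]*\)\[[0-9]*]: unable to write pid to \([^:]*\):.*$/\1 \2/p'
}

# Stand-alone run on the sample data. On a live host, pass "$(ps ax)" as the
# first argument and the contents of the init script's pid file as the second.
echo "pid file empty:    $(ms_verdict "$SAMPLE_PS" "")"
echo "pid file matches:  $(ms_verdict "$SAMPLE_PS" 3650)"
printf '%s\n' "$SAMPLE_LOG" | pid_write_failures
```
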
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Mar 9 11:09:15 2007
Subject: dealing with dictionary attacks
In-Reply-To:
References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net> <45F035A4.5080100@nkpanama.com> <006a01c761a1$731e4120$0705000a@ddf5dw71>
Message-ID: <1173438172.45f13edccf188@perdition.cnpapers.net>

Quoting Res :

> On Thu, 8 Mar 2007, Steve Campbell wrote:
>
> >>> Please explain: how is it PF's fault when MS causes swapping?
>
> >> It's a long running joke... Check the list for more details... ;-)
>
> > You mean you guys have just been kidding about this all this time!!!
>
> Uhoh, Alex... Sounds like you just spoilt someone's fun :)
>

So what do I do with this huge patch I have compiled that fixes it all?

Steve

>
> --
> Cheers
> Res
> "If I lay here, If I just lay here, would you lay with me and just
> forget the world?"

And you better quit asking me to lay with you!!

Steve again.

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

From res at ausics.net Fri Mar 9 12:09:56 2007
From: res at ausics.net (Res) Date: Fri Mar 9 11:17:13 2007 Subject: dealing with dictionary attacks In-Reply-To: <1173438172.45f13edccf188@perdition.cnpapers.net> References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net> <45F035A4.5080100@nkpanama.com> <006a01c761a1$731e4120$0705000a@ddf5dw71> <1173438172.45f13edccf188@perdition.cnpapers.net> Message-ID: On Fri, 9 Mar 2007, Steve Campbell wrote: > So what do I do with this huge patch I have compiled that fixes it all? I dunno :) since I nor anyone else that I noticed, could reproduce the problem on linux or slowaris at least. >> "If I lay here, If I just lay here, would you lay with with me and just >> forget the world?" > > And you better quit asking me to lay with you!! LOL, your not my type :P I have a few gay friends though and I've already bitch slapped one of them for making lude comments on my sig :P I happen to love that Snow Patrol song, I sing it to my girl every time I ... errr ok i'll shut up now ;) -- Cheers Res "If I lay here, If I just lay here, would you lay with with me and just forget the world?" From roger at rudnick.com.br Fri Mar 9 12:33:46 2007 
From: roger at rudnick.com.br (Roger Jochem) Date: Fri Mar 9 11:44:35 2007 Subject: Clamav References: <0e5c1b86ea5f784cbbe5cc5739a4766d@solidstatelogic.com><4106.209.104.55.7.1172525095.squirrel@mail.ziff.net><1172648388.21763.0.camel@miyagip.ziff.net.><26942.209.104.55.7.1172685554.squirrel@mail.ziff.net><223f97700702281106m3e6fdf70sef8c2701a725bc18@mail.gmail.com> <22107.209.104.55.7.1172690830.squirrel@mail.ziff.net> Message-ID: <018a01c7623e$dd463a10$0600a8c0@roger> Did someone updated Install-Clam-SA package with clamav 0.91? Regards Roger Jochem From james at gray.net.au Fri Mar 9 12:59:47 2007 
From: james at gray.net.au (James Gray)
Date: Fri Mar 9 12:06:03 2007
Subject: Clamav
In-Reply-To: <018a01c7623e$dd463a10$0600a8c0@roger>
References: <0e5c1b86ea5f784cbbe5cc5739a4766d@solidstatelogic.com><4106.209.104.55.7.1172525095.squirrel@mail.ziff.net><1172648388.21763.0.camel@miyagip.ziff.net.><26942.209.104.55.7.1172685554.squirrel@mail.ziff.net><223f97700702281106m3e6fdf70sef8c2701a725bc18@mail.gmail.com> <22107.209.104.55.7.1172690830.squirrel@mail.ziff.net> <018a01c7623e$dd463a10$0600a8c0@roger>
Message-ID: <4B413F74-00B5-49C5-9AC5-9412BCDC4254@gray.net.au>

On 09/03/2007, at 10:33 PM, Roger Jochem wrote:

> Did someone updated Install-Clam-SA package with clamav 0.91?
> Regards
>
> Roger Jochem

Yes - both work together with MailScanner's "clamavmodule" scanner. Here's the frufru on my Mac OSX server:

$ clamscan --version
ClamAV 0.90.1/2785/Fri Mar 9 18:10:04 2007

I'm assuming the clam version in your question should've read "0.90.1" not "0.91"...according to http://www.clamav.net/, 0.90.1 is the latest stable release.

$ /opt/MailScanncer/bin/MailScanner --version
...
This is MailScanner version 4.55.8
...
0.20 Mail::ClamAV
...

Yeh, yeh, yeh...I'm a bit behind on the MS version - so sue me! ;)

HTH,

James

From glenn.steen at gmail.com Fri Mar 9 13:03:43 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Mar 9 12:09:54 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <45EEDA1B.4010200@sbcglobal.net> <45F02ED0.30906@nkpanama.com> <74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net> <45F035A4.5080100@nkpanama.com> <006a01c761a1$731e4120$0705000a@ddf5dw71> <1173438172.45f13edccf188@perdition.cnpapers.net> Message-ID: <223f97700703090403k74332eb7p7a716d47d4eb3dd1@mail.gmail.com> On 09/03/07, Res wrote: > On Fri, 9 Mar 2007, Steve Campbell wrote: > > > So what do I do with this huge patch I have compiled that fixes it all? > > I dunno :) since I nor anyone else that I noticed, could reproduce the > problem on linux or slowaris at least. > > >> "If I lay here, If I just lay here, would you lay with with me and just > >> forget the world?" > > > > And you better quit asking me to lay with you!! > > LOL, your not my type :P I have a few gay friends though and I've already > bitch slapped one of them for making lude comments on my sig :P > I happen to love that Snow Patrol song, I sing it to my girl every time > I ... errr ok i'll shut up now ;) > > ... This is so on-topic one could weep...:-) BTW, is the singing related to the swapping perceived...? MS swapping, hm, isn't that more popularily called swinging? Or is that when it involves MRS swapping...?:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From james at gray.net.au Fri Mar 9 13:03:46 2007 
From: james at gray.net.au (James Gray)
Date: Fri Mar 9 12:10:02 2007
Subject: Message from Jules
In-Reply-To: <20070308143922.GN30357@login.ecs.soton.ac.uk>
References: <20070308143922.GN30357@login.ecs.soton.ac.uk>
Message-ID:

On 09/03/2007, at 1:39 AM, Tim Chown wrote:

> Hi,
>
> I visited Jules for an hour and a half yesterday, he's mentally fine
> and quite with it, but obviously physically weak from being unable to
> use any muscles for a while.
>
> He is asking for his laptop, but I don't think he'll be using it
> for just
> a while yet (the hospital may have something to say...)

Sweet. This is excellent news! Nice to know his priorities are still in the right order:

1. Wake up
2. Get lappy!
3. what? There's a "3"?!

Take it easy Jules - the ship hasn't sunk while you've been offline, but a lot of us have gone a nice shade of blue while we held our breaths!

Take care and enjoy the sponge baths.

Cheers,

James

From glenn.steen at gmail.com Fri Mar 9 13:08:09 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Mar 9 12:14:20 2007 Subject: Clamav In-Reply-To: <018a01c7623e$dd463a10$0600a8c0@roger> References: <0e5c1b86ea5f784cbbe5cc5739a4766d@solidstatelogic.com> <4106.209.104.55.7.1172525095.squirrel@mail.ziff.net> <1172648388.21763.0.camel@miyagip.ziff.net.> <26942.209.104.55.7.1172685554.squirrel@mail.ziff.net> <223f97700702281106m3e6fdf70sef8c2701a725bc18@mail.gmail.com> <22107.209.104.55.7.1172690830.squirrel@mail.ziff.net> <018a01c7623e$dd463a10$0600a8c0@roger> Message-ID: <223f97700703090408o6811f5a8nb0616d06d63a77ef@mail.gmail.com> On 09/03/07, Roger Jochem wrote: > Did someone updated Install-Clam-SA package with clamav 0.91? > > Regards > > Roger Jochem Look for posts on the subject by Phil Randall ... He even posted a micro-patch for it:-). Basically you drop the clamav tar-ball into the perl-tar directory of the ungziped clamav+SA package (take the latest from www.mailscanner.info, contains SA 3.1.8), edit install.sh and change the version at the top... then run the install... when done, get Mail::ClamAV from CPAN (version 0.20) and you're done. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From fssilva at gmail.com Fri Mar 9 13:20:01 2007 
From: fssilva at gmail.com (Fabio Silva)
Date: Fri Mar 9 12:26:11 2007
Subject: Spam Learn
Message-ID:

Hi all, I have a problem with MailScanner... I did the installation and it's catching spam and viruses.. that's OK... but I need to teach MailScanner to learn some mails that are spam and some mails that aren't spam...

If I go to MailWatch and then Reports --> Message Operations --> select a mail that IS SPAM but MailScanner didn't catch as spam and then click Learn... nothing is shown to me after it.. I don't know what more to do to solve this problem... does somebody have it working properly? How can I teach SpamAssassin another way?

If I click Tools / Links --> "SpamAssassin Bayes Database Info" I get no result either... but I can see the following message in my Apache error_log..

"ERROR: Bayes dump returned an error, please re-run with -D for more information"

But if I run the command

sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf --dump magic

as the user root, I get the following:

0.000 0 3 0 non-token data: bayes db version
0.000 0 2531 0 non-token data: nspam
0.000 0 8026 0 non-token data: nham
0.000 0 144779 0 non-token data: ntokens
0.000 0 1173112958 0 non-token data: oldest atime
0.000 0 1173374560 0 non-token data: newest atime
0.000 0 1173373226 0 non-token data: last journal sync atime
0.000 0 1173355798 0 non-token data: last expiry atime
0.000 0 242835 0 non-token data: last expire atime delta
0.000 0 18010 0 non-token data: last expire reduction count

Any idea?

Best Regards,

--
Fabio S. Silva

From clamun at gmail.com Fri Mar 9 13:20:19 2007
From: clamun at gmail.com (Claudio Mundin) Date: Fri Mar 9 12:26:31 2007 Subject: MailSacanner don't work In-Reply-To: <45F13D09.8060000@dhcp.net> References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com> <20070309095859.3339ce35@uxbod.splatnix.net> <7e78dc1f0703090208w2d0e7059mbbe70466e5a10e5f@mail.gmail.com> <45F13D09.8060000@dhcp.net> Message-ID: <7e78dc1f0703090420y1b25f496p60f843889f4926f0@mail.gmail.com> OK, but the proces to send mail is up in 127.0.0.1 port 25 then how can send mail with a client. For example if I try to connect with a telnet to the server telnet server 25, but I can't connect because the smtp in ther server. is correct that sendmail startup in the localhost interface (127.0.0.1) and i haven't a proces that startup in 0.0.0.0 port 25???? 2007/3/9, A. Eijkhoudt : > > Hello Claudio, > > So far I've seen nothing in your E-mails to indicate that MailScanner > should not be working properly. You seem to have both the Sendmail > processes (queue runners) running, and your process list shows > MailScanner with its childs forked & running as well. > > Please note that MailScanner will NOT show up 'listening on a port' with > netstat. It is merely a program that sits idly by until it sees the > sendmail processes put mail in their respective queues. > > Also, the init script might just be 'thinking' MailScanner is dead > because it is not seeing the correct process id(s). > > Could you please tell us how you concluded that MailScanner is not > working? Have you sent an E-mail while running a 'tail -f' of your > mail.log/maillog file and seen anything happen (errors or not)? > > Regards, > > A. 
Eijkhoudt > > Claudio Mundin wrote: > > I install in Suse 10 Enterprise > > > > the log with some output is /var/log/mail > > > > and the out put is: > > > > > > Mar 9 07:06:14 fw sendmail-client[4132]: starting daemon (8.13.6): > > persistent-queueing@00:01:00 > > Mar 9 07:06:14 fw sendmail-client[4132]: unable to write pid to > > /var/spool/clientmqueue/sm- client.pid: Permission denied > > Mar 9 07:06:14 fw sendmail-out[4136]: starting daemon (8.13.6): > > queueing@00:30:00 > > Mar 9 07:06:16 fw MailScanner[4156]: MailScanner E-Mail Virus Scanner > > version 4.54.6 starting... > > Mar 9 07:06:16 fw MailScanner[4156]: Read 764 hostnames from the > > phishing whitelist > > Mar 9 07:06:17 fw MailScanner[4156]: Using SpamAssassin results cache > > Mar 9 07:06:17 fw MailScanner[4156]: Connected to SpamAssassin cache > > database > > Mar 9 07:06:17 fw MailScanner[4156]: Enabling SpamAssassin > > auto-whitelist functionality... > > Mar 9 07:06:24 fw MailScanner[4156]: ClamAV scanner using unrar command > > /usr/bin/unrar > > Mar 9 07:06:24 fw MailScanner[4156]: Using locktype = flock > > > > 2007/3/9, --[ UxBoD ]-- < uxbod@splatnix.net >>: > > > > On Fri, 9 Mar 2007 06:45:51 -0300 > > "Claudio Mundin" > wrote: > > > > > Hi, > > > > > > I install MailSacanner with out any errors, but when i try to > star up > > > MailScanner (/etc/init.d/MailScanner start) and I try to see the > > > status, the result of status is dead. > > > > > > where can i see information about the error?? > > > > > > THANK > > > > > Dependant on O/S but try /var/log/messages as a starter. > > > > -- > > This message has been scanned for viruses and dangerous content by > > MailScanner, and is > > believed to be clean. > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! 
From res at ausics.net Fri Mar 9 13:36:27 2007 From: res at ausics.net (Res) Date: Fri Mar 9 12:43:46 2007 Subject: dealing with dictionary attacks In-Reply-To: <223f97700703090403k74332eb7p7a716d47d4eb3dd1@mail.gmail.com> References: <45EBE85C.90507@fractalweb.com> <45EEDA1B.4010200@sbcglobal.net> <45F02ED0.30906@nkpanama.com> <74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net> <45F035A4.5080100@nkpanama.com> <006a01c761a1$731e4120$0705000a@ddf5dw71> <1173438172.45f13edccf188@perdition.cnpapers.net> <223f97700703090403k74332eb7p7a716d47d4eb3dd1@mail.gmail.com> Message-ID: On Fri, 9 Mar 2007, Glenn Steen wrote: > ... This is so on-topic one could weep...:-) > BTW, is the singing related to the swapping perceived...? MS swapping, LOL yes, I could never get my MS to swap, so I tried singing to it, to no avail and I conclude if that didn't make it want to escape memory nothing will :P > hm, isn't that more popularily called swinging? Or is that when it > involves MRS swapping...?:-) LOL :P -- Cheers Res "If I lay here, If I just lay here, would you lay with with me and just forget the world?" From martinh at solidstatelogic.com Fri Mar 9 13:39:48 2007 
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Mar 9 12:46:04 2007
Subject: {Disarmed} Re: MailSacanner don't work
In-Reply-To: <7e78dc1f0703090420y1b25f496p60f843889f4926f0@mail.gmail.com>
Message-ID: <9eb08b05a1fb184faf4f0d9cea865e89@solidstatelogic.com>

Claudio

Sendmail still processes emails, MailScanner sits between TWO sendmail processes (and queues) and moves valid email from the 'inbound' queue to the 'outbound' queue, from where the second sendmail delivers it as normal.

You need to set up sendmail in this gateway mode...see the wiki

http://www.mailscanner.info/sendmail.html

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

_____
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Claudio Mundin Sent: 09 March 2007 12:20 To: MailScanner discussion Subject: {Disarmed} Re: MailSacanner don't work OK, but the proces to send mail is up in MailScanner warning: numerical links are often malicious: 127.0.0.1 port 25 then how can send mail with a client. For example if I try to connect with a telnet to the server telnet server 25, but I can't connect because the smtp in ther server. is correct that sendmail startup in the localhost interface ( MailScanner warning: numerical links are often malicious: 127.0.0.1) and i haven't a proces that startup in MailScanner warning: numerical links are often malicious: 0.0.0.0 port 25???? 2007/3/9, A. Eijkhoudt : Hello Claudio, So far I've seen nothing in your E-mails to indicate that MailScanner should not be working properly. You seem to have both the Sendmail processes (queue runners) running, and your process list shows MailScanner with its childs forked & running as well. Please note that MailScanner will NOT show up 'listening on a port' with netstat. It is merely a program that sits idly by until it sees the sendmail processes put mail in their respective queues. Also, the init script might just be 'thinking' MailScanner is dead because it is not seeing the correct process id(s). Could you please tell us how you concluded that MailScanner is not working? Have you sent an E-mail while running a 'tail -f' of your mail.log/maillog file and seen anything happen (errors or not)? Regards, A. 
Eijkhoudt Claudio Mundin wrote: > I install in Suse 10 Enterprise > > the log with some output is /var/log/mail > > and the out put is: > > > Mar 9 07:06:14 fw sendmail-client[4132]: starting daemon (8.13.6): > persistent-queueing@00:01:00 > Mar 9 07:06:14 fw sendmail-client[4132]: unable to write pid to > /var/spool/clientmqueue/sm- client.pid: Permission denied > Mar 9 07:06:14 fw sendmail-out[4136]: starting daemon (8.13.6): > queueing@00:30:00 > Mar 9 07:06:16 fw MailScanner[4156]: MailScanner E-Mail Virus Scanner > version 4.54.6 starting... > Mar 9 07:06:16 fw MailScanner[4156]: Read 764 hostnames from the > phishing whitelist > Mar 9 07:06:17 fw MailScanner[4156]: Using SpamAssassin results cache > Mar 9 07:06:17 fw MailScanner[4156]: Connected to SpamAssassin cache > database > Mar 9 07:06:17 fw MailScanner[4156]: Enabling SpamAssassin > auto-whitelist functionality... > Mar 9 07:06:24 fw MailScanner[4156]: ClamAV scanner using unrar command > /usr/bin/unrar > Mar 9 07:06:24 fw MailScanner[4156]: Using locktype = flock > > 2007/3/9, --[ UxBoD ]-- < uxbod@splatnix.net >: > > On Fri, 9 Mar 2007 06:45:51 -0300 > "Claudio Mundin" > wrote: > > > Hi, > > > > I install MailSacanner with out any errors, but when i try to star up > > MailScanner (/etc/init.d/MailScanner start) and I try to see the > > status, the result of status is dead. > > > > where can i see information about the error?? > > > > THANK > > > Dependant on O/S but try /var/log/messages as a starter. > > -- > This message has been scanned for viruses and dangerous content by > MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From glenn.steen at gmail.com Fri Mar 9 15:08:28 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Mar 9 14:14:39 2007 Subject: Spam Learn In-Reply-To: References: Message-ID: <223f97700703090608g73bdf17bo9ca4ab3bc3637311@mail.gmail.com> On 09/03/07, Fabio Silva wrote: > Hi all, i have some problem with mailscanner... i make the > installation and its getting spam and virus.. its ok... but i need to > teach mailscanner to learn some mails that is spam and some mails that > isnt spam... > > If i go to mailwatch and then Reports --> Message Operations --> > select a mail that IS SPAM but mailscanner didnt catch it as spam and > then click in Learn... nothing is showed to me after it.. I dont know > more what do to solve this problem... somebody has it working > properly? how can i teach spamassassin by another way? > > If i click in Tools / Links --> "SpamAssassin Bayes Database Info" i > get no result too... butt i can see in my error_log of apache the > following message.. > "ERROR: Bayes dump returned an error, please re-run with -D for more > information" > > But if i run the command > sa-learn -p /etc/MailScanner/spam.assassin.prefs.conf --dump magic > with the user root, i get the following > 0.000 0 3 0 non-token data: bayes db version > 0.000 0 2531 0 non-token data: nspam > 0.000 0 8026 0 non-token data: nham > 0.000 0 144779 0 non-token data: ntokens > 0.000 0 1173112958 0 non-token data: oldest atime > 0.000 0 1173374560 0 non-token data: newest atime > 0.000 0 1173373226 0 non-token data: last journal sync atime > 0.000 0 1173355798 0 non-token data: last expiry atime > 0.000 0 242835 0 non-token data: last expire atime delta > 0.000 0 18010 0 non-token data: last expire > reduction count > > Any ideia? > > Best Regards, 1) You are asking on the wrong list.... MailWatch has a very active list of its own. 2) Your apache webserver runs as an unprivileged user/group, like "apache:apache", which likely has neither read nor write permissions on the bayes files. 
Fix that and things should start working (tip: "su - apache -s /bin/bash" and then try access the files;) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Mar 9 15:10:30 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Mar 9 14:16:42 2007 Subject: MailSacanner don't work In-Reply-To: <7e78dc1f0703090420y1b25f496p60f843889f4926f0@mail.gmail.com> References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com> <20070309095859.3339ce35@uxbod.splatnix.net> <7e78dc1f0703090208w2d0e7059mbbe70466e5a10e5f@mail.gmail.com> <45F13D09.8060000@dhcp.net> <7e78dc1f0703090420y1b25f496p60f843889f4926f0@mail.gmail.com> Message-ID: <223f97700703090610v3f475cbr23af29305b92aa33@mail.gmail.com> On 09/03/07, Claudio Mundin wrote: > OK, but the proces to send mail is up in 127.0.0.1 port 25 then how can send > mail with a client. > For example if I try to connect with a telnet to the server telnet server > 25, but I can't connect because the smtp in ther server. > > > is correct that sendmail startup in the localhost interface (127.0.0.1) and > i haven't a proces that startup in 0.0.0.0 port 25???? > This has nothing to do with MailScanner... Look in the archives for how to make sendmail listen on the NIC interface as well as the loopback... Or ask in a sendmail forum. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From Denis.Beauchemin at USherbrooke.ca Fri Mar 9 15:17:09 2007 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Mar 9 14:23:28 2007
Subject: MailSacanner don't work
In-Reply-To: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com>
References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com>
Message-ID: <45F16C65.2080309@USherbrooke.ca>

Claudio Mundin wrote:
> Hi,
>
> I install MailSacanner with out any errors, but when i try to star up
> MailScanner (/etc/init.d/MailScanner start) and I try to see the
> status, the result of status is dead.
>
> where can i see information about the error??
>
> THANK

Claudio,

Your sendmail doesn't seem to be configured to listen to the external world. Try to comment out the following line in /etc/mail/sendmail.mc (or wherever it is on your Suse server):

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

becomes:

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

then run make to recreate sendmail.cf and restart MS.

Don't forget to make sure your server's firewall lets port 25 flow through...

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From apl at ecs.soton.ac.uk Fri Mar 9 15:17:51 2007
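The loopback-only listener that Denis Beauchemin's message above points at can be checked mechanically before rebuilding sendmail.cf. This is an added example, not part of any message in the archive: the function name `smtp_listen_scope` and the sample file are constructed, and it assumes one DAEMON_OPTIONS macro per line and that a file with no active SMTP DAEMON_OPTIONS line leaves sendmail on its default listener.

```shell
#!/bin/sh
# Added example (not from the thread): classify where a sendmail.mc file
# lets the SMTP daemon listen, based on its active DAEMON_OPTIONS lines.
#
# Assumptions: one DAEMON_OPTIONS macro per line, m4 quoting with ` and ',
# and a file with no active SMTP DAEMON_OPTIONS falls back to the
# sendmail default listener.

# Prints one of:
#   loopback-only         every active SMTP listener is bound to loopback
#   not-loopback-only     at least one active SMTP listener is not
#   no-explicit-listener  no active SMTP DAEMON_OPTIONS line at all
smtp_listen_scope() {
    awk -v q="'" '
        BEGIN { seen = 0; loopback = 0 }
        # Lines that start with "dnl" are m4 comments and never match here,
        # so a commented-out DAEMON_OPTIONS is treated as inactive.
        /^[ \t]*DAEMON_OPTIONS\(/ {
            opts = $0
            sub(/^[^`]*`/, "", opts)        # drop text up to the opening quote
            cut = index(opts, q)            # closing quote ends the option list
            if (cut > 0) opts = substr(opts, 1, cut - 1)
            port = "smtp"; addr = ""        # Port defaults to smtp when omitted
            n = split(opts, kv, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^Port=/) port = substr(kv[i], 6)
                if (kv[i] ~ /^Addr=/) addr = substr(kv[i], 6)
            }
            if (port != "smtp" && port != "25") next   # e.g. the MSA on submission
            seen++
            if (addr == "127.0.0.1" || addr == "localhost") loopback++
        }
        END {
            if (seen == 0)             print "no-explicit-listener"
            else if (loopback == seen) print "loopback-only"
            else                       print "not-loopback-only"
        }
    ' "$1"
}

# Constructed sample: the loopback-only line quoted in the message above,
# plus an MSA line that must not affect the SMTP verdict.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
EOF
    smtp_listen_scope "$tmp"
    rm -f "$tmp"
}

demo
```

A "loopback-only" verdict matches the symptom in the thread: a local client connects, while telnet to port 25 from another host does not.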
From: apl at ecs.soton.ac.uk (Andrew Paul Landells) Date: Fri Mar 9 14:26:47 2007 Subject: Retrieving attachments from MailScanner quarantine Message-ID: <9FCDACD2-141F-4077-9D51-892E41E3D5EF@ecs.soton.ac.uk> In Julian's absence, I've found myself looking after the ECS email service and thought it might be a smart move to join the MailScanner list. :-) One of the tools I've been working on is a web interface to recover attachments from the MailScanner quarantine, which seems to be a common request amongst MailScanner users. At the moment, it's functional but not overly user-friendly to set up. I'd be interested if anyone's interested in trying it out, and I'm certainly interested in bug reports and feature requests etc. You can download the current version from: http://www.ecs.soton.ac.uk/~sysapl/quarantine/ Regards, -- Andrew Paul Landells Systems Administrator & Programmer Systems Help Desk (B59/2231) Email: apl@ecs.soton.ac.uk School of Electronics & Computer Science Tel: 023 8059 6879 University of Southampton, UK. SO17 1BJ -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. For all your IT requirements visit www.transtec.co.uk From clamun at gmail.com Fri Mar 9 15:36:10 2007 
From: clamun at gmail.com (Claudio Mundin) Date: Fri Mar 9 14:42:23 2007 Subject: MailSacanner don't work In-Reply-To: <45F16C65.2080309@USherbrooke.ca> References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com> <45F16C65.2080309@USherbrooke.ca> Message-ID: <7e78dc1f0703090636g39007979u10668986b783bb5d@mail.gmail.com> If I startup only sendmail then sendmail listen in 0.0.0.0 25 But the script of MailScanner throw option tu sendamil that listen in 127.0.0.1 2007/3/10, Denis Beauchemin : > Claudio Mundin a ?crit : > > Hi, > > > > I install MailSacanner with out any errors, but when i try to star up > > MailScanner (/etc/init.d/MailScanner start) and I try to see the > > status, the result of status is dead. > > > > where can i see information about the error?? > > > > THANK > Claudio, > > Your sendmail doesn't seem to be configured to listen to the external > world. Try to comment out the following line in /etc/mail/sendmail.mc > (or wherever it is on your Suse server): > DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl > becomes: > dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl > > then run make to recreate sendmail.cf and restart MS. > > Don't forget to make sure your server's firewall let port 25 flow through... > > Denis > > -- > _ > ?v? Denis Beauchemin, analyste > /(_)\ Universit? de Sherbrooke, S.T.I. > ^ ^ T: 819.821.8000x62252 F: 819.821.8045 > > > From Denis.Beauchemin at USherbrooke.ca Fri Mar 9 15:45:09 2007 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Mar 9 14:51:34 2007
Subject: MailSacanner don't work
In-Reply-To: <7e78dc1f0703090636g39007979u10668986b783bb5d@mail.gmail.com>
References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com> <45F16C65.2080309@USherbrooke.ca> <7e78dc1f0703090636g39007979u10668986b783bb5d@mail.gmail.com>
Message-ID: <45F172F5.3040304@USherbrooke.ca>

Claudio Mundin wrote:
> If I startup only sendmail then sendmail listen in 0.0.0.0 25
> But the script of MailScanner throw option tu sendamil that listen in
> 127.0.0.1
>

Can anyone using Suse confirm this? It starts fine on RH...

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From glenn.steen at gmail.com Fri Mar 9 15:54:41 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Mar 9 15:00:56 2007 Subject: Retrieving attachments from MailScanner quarantine In-Reply-To: <9FCDACD2-141F-4077-9D51-892E41E3D5EF@ecs.soton.ac.uk> References: <9FCDACD2-141F-4077-9D51-892E41E3D5EF@ecs.soton.ac.uk> Message-ID: <223f97700703090654hec982f8sd271ac10a1437be2@mail.gmail.com> On 09/03/07, Andrew Paul Landells wrote: > In Julian's absence, I've found myself looking after the ECS email > service and thought it might be a smart move to join the MailScanner > list. :-) > > One of the tools I've been working on is a web interface to recover > attachments from the MailScanner quarantine, which seems to be a > common request amongst MailScanner users. At the moment, it's > functional but not overly user-friendly to set up. I'd be interested > if anyone's interested in trying it out, and I'm certainly interested > in bug reports and feature requests etc. > > You can download the current version from: > http://www.ecs.soton.ac.uk/~sysapl/quarantine/ > > Regards, Eh, have you heard of MailWatch:-). It does this a a bit more;)... I suppose yours is a bit simpler, perhaps. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Mar 9 16:03:46 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Mar 9 15:09:57 2007 Subject: Retrieving attachments from MailScanner quarantine In-Reply-To: <223f97700703090654hec982f8sd271ac10a1437be2@mail.gmail.com> References: <9FCDACD2-141F-4077-9D51-892E41E3D5EF@ecs.soton.ac.uk> <223f97700703090654hec982f8sd271ac10a1437be2@mail.gmail.com> Message-ID: <223f97700703090703r5ec675f4r35cbe63cf8691d61@mail.gmail.com> On 09/03/07, Glenn Steen wrote: > On 09/03/07, Andrew Paul Landells wrote: > > In Julian's absence, I've found myself looking after the ECS email > > service and thought it might be a smart move to join the MailScanner > > list. :-) > > > > One of the tools I've been working on is a web interface to recover > > attachments from the MailScanner quarantine, which seems to be a > > common request amongst MailScanner users. At the moment, it's > > functional but not overly user-friendly to set up. I'd be interested > > if anyone's interested in trying it out, and I'm certainly interested > > in bug reports and feature requests etc. > > > > You can download the current version from: > > http://www.ecs.soton.ac.uk/~sysapl/quarantine/ > > > > Regards, > > Eh, have you heard of MailWatch:-). It does this a a bit more;)... I > suppose yours is a bit simpler, perhaps. > > Cheers Ok, looking at it a bit... Looks a bit like what the Quarantine Report thingies would give you. I suppose this could be usefull, perhaps even if one use MailWatch:-). Thanks for sharing. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From campbell at cnpapers.com Fri Mar 9 16:07:32 2007 
From: campbell at cnpapers.com (Steve Campbell) Date: Fri Mar 9 15:14:34 2007 Subject: MailSacanner don't work References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com><20070309095859.3339ce35@uxbod.splatnix.net> <7e78dc1f0703090208w2d0e7059mbbe70466e5a10e5f@mail.gmail.com> Message-ID: <015401c7625c$a9c287c0$0705000a@ddf5dw71> ----- Original Message ----- From: "Claudio Mundin" To: "MailScanner discussion" Sent: Friday, March 09, 2007 5:08 AM Subject: Re: MailSacanner don't work > Mar 9 07:06:24 fw MailScanner[4156]: Using locktype = flock I'm not sure with this flavor of Linux, but you should probably set in your MailScanner.conf the following line: Lock Type = posix This isn't going to fix the problem you are seeing now, but might prevent other problems following the solution to what you are asking about. I'm not sure if flock or posix is proper for Suse and sendmail. Steve > > From martinh at solidstatelogic.com Fri Mar 9 16:11:45 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Fri Mar 9 15:18:11 2007 Subject: MailSacanner don't work In-Reply-To: <015401c7625c$a9c287c0$0705000a@ddf5dw71> Message-ID: <343f281d29a3444e81494b209436a0b0@solidstatelogic.com> Steve Well spotted - this must be an old version of MailScanner as recent ones default to posix for sendmail MTAs. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Steve Campbell > Sent: 09 March 2007 15:08 > To: MailScanner discussion > Subject: Re: MailSacanner don't work > > > ----- Original Message ----- 
> From: "Claudio Mundin" > To: "MailScanner discussion" > Sent: Friday, March 09, 2007 5:08 AM > Subject: Re: MailSacanner don't work > > > > Mar 9 07:06:24 fw MailScanner[4156]: Using locktype = flock > > I'm not sure with this flavor of Linux, but you should probably set in > your > MailScanner.conf the following line: > > Lock Type = posix > > This isn't going to fix the problem you are seeing now, but might prevent > other problems following the solution to what you are asking about. I'm > not > sure if flock or posix is proper for Suse and sendmail. > > Steve > > > > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
From campbell at cnpapers.com Fri Mar 9 16:13:30 2007 From: campbell at cnpapers.com (Steve Campbell) Date: Fri Mar 9 15:20:01 2007 Subject: dealing with dictionary attacks References: <45EBE85C.90507@fractalweb.com><4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk><25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com><45EC4863.5070702@netmagicsolutions.com><45EEDA1B.4010200@sbcglobal.net><45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net> Message-ID: <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> ----- Original Message ----- From: "Res" To: "MailScanner discussion" Sent: Friday, March 09, 2007 6:09 AM Subject: Re: dealing with dictionary attacks > On Fri, 9 Mar 2007, Steve Campbell wrote: > >> So what do I do with this huge patch I have compiled that fixes it all? > > I dunno :) since I nor anyone else that I noticed, could reproduce the > problem on linux or slowaris at least. Well, ever since I applied the patch here on my servers MailScanner doesn't swap. You don't think one of my assistants published my patch without telling me and you all have been using it, do you? Steve > > > > -- > Cheers > Res > From campbell at cnpapers.com Fri Mar 9 16:20:15 2007 
From: campbell at cnpapers.com (Steve Campbell) Date: Fri Mar 9 15:26:45 2007 Subject: dealing with dictionary attacks References: <45EBE85C.90507@fractalweb.com> <45EEDA1B.4010200@sbcglobal.net><45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net> <223f97700703090403k74332eb7p7a716d47d4eb3dd1@mail.gmail.com> Message-ID: <017e01c7625e$704868f0$0705000a@ddf5dw71> ----- Original Message ----- 
From: "Glenn Steen" To: "MailScanner discussion" Sent: Friday, March 09, 2007 7:03 AM Subject: Re: dealing with dictionary attacks > On 09/03/07, Res wrote: >> On Fri, 9 Mar 2007, Steve Campbell wrote: >> >> > So what do I do with this huge patch I have compiled that fixes it all? >> >> I dunno :) since I nor anyone else that I noticed, could reproduce the >> problem on linux or slowaris at least. >> >> >> "If I lay here, If I just lay here, would you lay with me and >> >> just >> >> forget the world?" >> > >> > And you better quit asking me to lay with you!! >> >> LOL, you're not my type :P I have a few gay friends though and I've already >> bitch slapped one of them for making lewd comments on my sig :P >> I happen to love that Snow Patrol song, I sing it to my girl every time >> I ... errr ok i'll shut up now ;) >> >> > ... This is so on-topic one could weep...:-) > BTW, is the singing related to the swapping perceived...? MS swapping, > hm, isn't that more popularly called swinging? Or is that when it > involves MRS swapping...?:-) > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- Glenn, Thanks for tying this all together now. All's I can remember about this swapping thing is how hyper Julian got when the original thread started. Hopefully, he can giggle at it now, as it really makes me smile every time someone pops that "Does MS cause swapping" line in a thread. Steve From res at ausics.net Fri Mar 9 16:21:36 2007 
From: res at ausics.net (Res) Date: Fri Mar 9 15:28:55 2007 Subject: dealing with dictionary attacks In-Reply-To: <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> References: <45EBE85C.90507@fractalweb.com><4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk><25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com><45EC4863.5070702@netmagicsolutions.com><45EEDA1B.4010200@sbcglobal.net><45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> Message-ID: On Fri, 9 Mar 2007, Steve Campbell wrote: > > ----- Original Message ----- From: "Res" > To: "MailScanner discussion" > Sent: Friday, March 09, 2007 6:09 AM > Subject: Re: dealing with dictionary attacks > > >> On Fri, 9 Mar 2007, Steve Campbell wrote: >> >>> So what do I do with this huge patch I have compiled that fixes it all? >> >> I dunno :) since I nor anyone else that I noticed, could reproduce the >> problem on linux or slowaris at least. > > Well, ever since I applied the patch here on my servers MailScanner doesn't > swap. You don't think one of my assistants published my patch without telling > me and you all have been using it, do you? certainly not :) Since you were the only one to have the issue, surely if it was not site specific others would have noticed the problem. An issue is not an issue if only one person has the symptoms. With both sendmail and qmail servers on linux and solaris, processing millions of messages a day, I, like others have never seen your issue, not even on my fairly gutless secondary MX which only has a mere 1G ram of which 512M is reserved for ram drive. -- Cheers Res "If I lay here, If I just lay here, would you lay with me and just forget the world?" From campbell at cnpapers.com Fri Mar 9 16:35:24 2007 
From: campbell at cnpapers.com (Steve Campbell) Date: Fri Mar 9 15:42:01 2007 Subject: dealing with dictionary attacks References: <45EBE85C.90507@fractalweb.com><4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk><25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com><45EC4863.5070702@netmagicsolutions.com><45EEDA1B.4010200@sbcglobal.net><45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net><015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> Message-ID: <020101c76260$907de260$0705000a@ddf5dw71> Hey Res!!!! You're not supposed to be taking me serious. I never had the problem (what problem?) that you couldn't reproduce. It's no wonder you couldn't reproduce it. And I just stated I applied a patch that fixed a non-existent problem. How did this get transferred to _my_ problem? Have a great day, I'm backing out of this one for now. Steve Campbell campbell@cnpapers.com Charleston Newspapers ----- Original Message ----- From: "Res" To: "MailScanner discussion" Sent: Friday, March 09, 2007 10:21 AM Subject: Re: dealing with dictionary attacks > On Fri, 9 Mar 2007, Steve Campbell wrote: > >> >> ----- Original Message ----- 
From: "Res" >> To: "MailScanner discussion" >> Sent: Friday, March 09, 2007 6:09 AM >> Subject: Re: dealing with dictionary attacks >> >> >>> On Fri, 9 Mar 2007, Steve Campbell wrote: >>> >>>> So what do I do with this huge patch I have compiled that fixes it all? >>> >>> I dunno :) since I nor anyone else that I noticed, could reproduce the >>> problem on linux or slowaris at least. >> >> Well, ever since I applied the patch here on my servers MailScanner >> doesn't swap. You don't think one of my assistants published my patch >> without telling me and you all have been using it, do you? > > certainly not :) > > Since you were the only one to have the issue, surely if it was not site > specific others would have noticed the problem. > > An issue is not an issue if only one person has the symptoms. > > With both sendmail and qmail servers on linux and solaris, processing > millions of messages a day, I, like others have never seen your issue, > not even on my fairly gutless secondary MX which only has a mere 1G ram > of which 512M is reserved for ram drive. > > > -- > Cheers > Res > > "If I lay here, If I just lay here, would you lay with me and just > forget the world?" > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From glenn.steen at gmail.com Fri Mar 9 16:39:42 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Mar 9 15:45:53 2007 Subject: dealing with dictionary attacks In-Reply-To: <017e01c7625e$704868f0$0705000a@ddf5dw71> References: <45EBE85C.90507@fractalweb.com> <45F02ED0.30906@nkpanama.com> <74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net> <45F035A4.5080100@nkpanama.com> <006a01c761a1$731e4120$0705000a@ddf5dw71> <1173438172.45f13edccf188@perdition.cnpapers.net> <223f97700703090403k74332eb7p7a716d47d4eb3dd1@mail.gmail.com> <017e01c7625e$704868f0$0705000a@ddf5dw71> Message-ID: <223f97700703090739l5641043dq640fe38736aeb533@mail.gmail.com> On 09/03/07, Steve Campbell wrote: > > ----- Original Message ----- 
> From: "Glenn Steen" > To: "MailScanner discussion" > Sent: Friday, March 09, 2007 7:03 AM > Subject: Re: dealing with dictionary attacks > > > > On 09/03/07, Res wrote: > >> On Fri, 9 Mar 2007, Steve Campbell wrote: > >> > >> > So what do I do with this huge patch I have compiled that fixes it all? > >> > >> I dunno :) since I nor anyone else that I noticed, could reproduce the > >> problem on linux or slowaris at least. > >> > >> >> "If I lay here, If I just lay here, would you lay with me and > >> >> just > >> >> forget the world?" > >> > > >> > And you better quit asking me to lay with you!! > >> > >> LOL, you're not my type :P I have a few gay friends though and I've already > >> bitch slapped one of them for making lewd comments on my sig :P > >> I happen to love that Snow Patrol song, I sing it to my girl every time > >> I ... errr ok i'll shut up now ;) > >> > >> > > ... This is so on-topic one could weep...:-) > > BTW, is the singing related to the swapping perceived...? MS swapping, > > hm, isn't that more popularly called swinging? Or is that when it > > involves MRS swapping...?:-) > > > > Cheers > > -- > > -- Glenn > > email: glenn < dot > steen < at > gmail < dot > com > > work: glenn < dot > steen < at > ap1 < dot > se > > -- > Glenn, > > Thanks for tying this all together now. :-) > All's I can remember about this swapping thing is how hyper Julian got when > the original thread started. Hopefully, he can giggle at it now, as it > really makes me smile every time someone pops that "Does MS cause swapping" > line in a thread. I remember the thread, as well as most of the ones following... Not entirely senile ... yet;-) I do hope you're right, about Jules finding this last recurrence of it at least moderately funny:). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Mar 9 16:42:13 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Mar 9 15:48:24 2007 Subject: dealing with dictionary attacks In-Reply-To: <020101c76260$907de260$0705000a@ddf5dw71> References: <45EBE85C.90507@fractalweb.com> <74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net> <45F035A4.5080100@nkpanama.com> <006a01c761a1$731e4120$0705000a@ddf5dw71> <1173438172.45f13edccf188@perdition.cnpapers.net> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <020101c76260$907de260$0705000a@ddf5dw71> Message-ID: <223f97700703090742q2216c143x8722d5dacae2cbf0@mail.gmail.com> On 09/03/07, Steve Campbell wrote: > Hey Res!!!! > > You're not supposed to be taking me serious. I never had the problem (what > problem?) that you couldn't reproduce. It's no wonder you couldn't reproduce > it. And I just stated I applied a patch that fixed a non-existent problem. > > How did this get transferred to _my_ problem? > > Have a great day, I'm backing out of this one for now. > Shocking, that... being taken seriously:-). If you sprinkle a few smileys or similar emotional triggers in your messages, I'm sure Res will get it too;). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Mar 9 16:49:55 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Mar 9 15:56:06 2007 Subject: Message from Jules In-Reply-To: References: <20070308143922.GN30357@login.ecs.soton.ac.uk> Message-ID: <223f97700703090749g35de17c0m8179e77257fd4498@mail.gmail.com> On 09/03/07, James Gray wrote: > > On 09/03/2007, at 1:39 AM, Tim Chown wrote: > > > Hi, > > > > I visited Jules for an hour and a half yesterday, he's mentally fine > > and quite with it, but obviously physically weak from being unable to > > use any muscles for a while. > > > > He is asking for his laptop, but I don't think he'll be using it > > for just > > a while yet (the hospital may have something to say...) > > Sweet. This is excellent news! Nice to know his priorities are > still in the right order: > 1. Wake up > 2. Get lappy! > 3. what? There's a "3"?! > > Take it easy Jules - the ship hasn't sunk while you've been offline, > but a lot of us have gone a nice shade of blue while we held our > breaths! Take care and enjoy the sponge baths. > > Cheers, > > James > CC... We wouldn't be the nerdy geeks we are if the priorities were anything other:-). BTW, just a reminder to any who might've missed it: Matt Hampton has set up a clustrmap page, that will be printed and gifted to Jules eventually... So if you haven't already, visit http://www2.clustrmaps.com/counter/maps.php?url=http://www.bastionmail.co.uk/best-wishes-to-jules-field/ to be counted (and why not leave a little message there too:) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From campbell at cnpapers.com Fri Mar 9 17:00:11 2007 
From: campbell at cnpapers.com (Steve Campbell) Date: Fri Mar 9 16:07:36 2007 Subject: dealing with dictionary attacks References: <45EBE85C.90507@fractalweb.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net><015d01c7625d$7ec5a0b0$0705000a@ddf5dw71><020101c76260$907de260$0705000a@ddf5dw71> <223f97700703090742q2216c143x8722d5dacae2cbf0@mail.gmail.com> Message-ID: <022b01c76264$04b08f40$0705000a@ddf5dw71> > Shocking, that... being taken seriously:-). > If you sprinkle a few smileys or similar emotional triggers in your > messages, I'm sure Res will get it too;). > > Cheers > -- > -- Glenn You're absolutely right about the smileys. I guess I just thought everyone took the MS->swapping thing as a joke. Apologies if I sounded harsh. Please don't bitch slap (?) me. Ok, backing out for the last time. Steve Campbell campbell@cnpapers.com Charleston Newspapers From ka at pacific.net Fri Mar 9 17:01:54 2007 From: ka at pacific.net (Ken A) Date: Fri Mar 9 16:08:07 2007 Subject: dealing with dictionary attacks In-Reply-To: <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> References: <45EBE85C.90507@fractalweb.com><4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk><25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com><45EC4863.5070702@netmagicsolutions.com><45EEDA1B.4010200@sbcglobal.net><45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> Message-ID: <45F184F2.50305@pacific.net> Steve Campbell wrote: > > ----- Original Message ----- 
From: "Res" > To: "MailScanner discussion" > Sent: Friday, March 09, 2007 6:09 AM > Subject: Re: dealing with dictionary attacks > > >> On Fri, 9 Mar 2007, Steve Campbell wrote: >> >>> So what do I do with this huge patch I have compiled that fixes it all? >> >> I dunno :) since I nor anyone else that I noticed, could reproduce the >> problem on linux or slowaris at least. > > Well, ever since I applied the patch here on my servers MailScanner > doesn't swap. You don't think one of my assistants published my patch > without telling me and you all have been using it, do you? Would you please just post your patch to the wiki already? Just be sure to obfuscate the code! I loaded my swap as a tmpfs, so that solved my problem. ;-) Ken A Pacific.Net > > Steve >> >> >> >> -- >> Cheers >> Res >> > > From campbell at cnpapers.com Fri Mar 9 17:07:34 2007 From: campbell at cnpapers.com (Steve Campbell) Date: Fri Mar 9 16:13:59 2007 Subject: dealing with dictionary attacks References: <45EBE85C.90507@fractalweb.com><4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk><25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com><45EC4863.5070702@netmagicsolutions.com><45EEDA1B.4010200@sbcglobal.net><45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <45F184F2.50305@pacific.net> Message-ID: <023501c76265$0c8af240$0705000a@ddf5dw71> OH NO, WHAT HAVE I DONE? Sorry Ken, there is no patch to fix my non-existent problem. Steve Campbell campbell@cnpapers.com Charleston Newspapers ----- Original Message ----- From: "Ken A" To: "MailScanner discussion" Sent: Friday, March 09, 2007 11:01 AM Subject: Re: dealing with dictionary attacks > > > Steve Campbell wrote: >> >> ----- Original Message ----- 
From: "Res" >> To: "MailScanner discussion" >> Sent: Friday, March 09, 2007 6:09 AM >> Subject: Re: dealing with dictionary attacks >> >> >>> On Fri, 9 Mar 2007, Steve Campbell wrote: >>> >>>> So what do I do with this huge patch I have compiled that fixes it all? >>> >>> I dunno :) since I nor anyone else that I noticed, could reproduce the >>> problem on linux or slowaris at least. >> >> Well, ever since I applied the patch here on my servers MailScanner >> doesn't swap. You don't think one of my assistants published my patch >> without telling me and you all have been using it, do you? > > Would you please just post your patch to the wiki already? > Just be sure to obfuscate the code! I loaded my swap as a tmpfs, so that > solved my problem. ;-) > Ken A > Pacific.Net > > From ka at pacific.net Fri Mar 9 17:26:46 2007 From: ka at pacific.net (Ken A) Date: Fri Mar 9 16:32:58 2007 Subject: dealing with dictionary attacks In-Reply-To: <023501c76265$0c8af240$0705000a@ddf5dw71> References: <45EBE85C.90507@fractalweb.com><4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk><25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com><45EC4863.5070702@netmagicsolutions.com><45EEDA1B.4010200@sbcglobal.net><45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> Message-ID: <45F18AC6.4090409@pacific.net> Steve Campbell wrote: > OH NO, WHAT HAVE I DONE? > > Sorry Ken, there is no patch to fix my non-existant problem. Now, darn it.. I did put a SMILEY in my email too! Here's another one ;-) Ken > > Steve Campbell > campbell@cnpapers.com > Charleston Newspapers > > ----- Original Message ----- 
From: "Ken A" > To: "MailScanner discussion" > Sent: Friday, March 09, 2007 11:01 AM > Subject: Re: dealing with dictionary attacks > > >> >> >> Steve Campbell wrote: >>> >>> ----- Original Message ----- From: "Res" >>> To: "MailScanner discussion" >>> Sent: Friday, March 09, 2007 6:09 AM >>> Subject: Re: dealing with dictionary attacks >>> >>> >>>> On Fri, 9 Mar 2007, Steve Campbell wrote: >>>> >>>>> So what do I do with this huge patch I have compiled that fixes it >>>>> all? >>>> >>>> I dunno :) since I nor anyone else that I noticed, could reproduce >>>> the problem on linux or slowaris at least. >>> >>> Well, ever since I applied the patch here on my servers MailScanner >>> doesn't swap. You don't think one of my assistants published my patch >>> without telling me and you all have been using it, do you? >> >> Would you please just post your patch to the wiki already? >> Just be sure to obfuscate the code! I loaded my swap as a tmpfs, so >> that solved my problem. ;-) >> Ken A >> Pacific.Net >> >> > > From campbell at cnpapers.com Fri Mar 9 17:33:28 2007 From: campbell at cnpapers.com (Steve Campbell) Date: Fri Mar 9 16:40:16 2007 Subject: dealing with dictionary attacks References: <45EBE85C.90507@fractalweb.com><4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk><25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com><45EC4863.5070702@netmagicsolutions.com><45EEDA1B.4010200@sbcglobal.net><45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <45F184F2.50305@pacific.net><023501c76265$0c8af240$0705000a@ddf5dw71> <45F18AC6.4090409@pacific.net> Message-ID: <026401c76268$aaedcae0$0705000a@ddf5dw71> ----- Original Message ----- 
From: "Ken A" To: "MailScanner discussion" Sent: Friday, March 09, 2007 11:26 AM Subject: Re: dealing with dictionary attacks > > > Steve Campbell wrote: >> OH NO, WHAT HAVE I DONE? >> >> Sorry Ken, there is no patch to fix my non-existent problem. > > Now, darn it.. I did put a SMILEY in my email too! > Here's another one ;-) > Ken > Sorry again Ken, I didn't see it. I also forgot to say I was backing out of this thread for the last time in the last post. ;-) Backing out of this thread for the last time. Steve Campbell campbell@cnpapers.com Charleston Newspapers >> >> Steve Campbell >> campbell@cnpapers.com >> Charleston Newspapers >> >> ----- Original Message ----- From: "Ken A" >> To: "MailScanner discussion" >> Sent: Friday, March 09, 2007 11:01 AM >> Subject: Re: dealing with dictionary attacks >> >> >>> >>> >>> Steve Campbell wrote: >>>> >>>> ----- Original Message ----- 
From: "Res" >>>> To: "MailScanner discussion" >>>> Sent: Friday, March 09, 2007 6:09 AM >>>> Subject: Re: dealing with dictionary attacks >>>> >>>> >>>>> On Fri, 9 Mar 2007, Steve Campbell wrote: >>>>> >>>>>> So what do I do with this huge patch I have compiled that fixes it >>>>>> all? >>>>> >>>>> I dunno :) since I nor anyone else that I noticed, could reproduce the >>>>> problem on linux or slowaris at least. >>>> >>>> Well, ever since I applied the patch here on my servers MailScanner >>>> doesn't swap. You don't think one of my assistants published my patch >>>> without telling me and you all have been using it, do you? >>> >>> Would you please just post your patch to the wiki already? >>> Just be sure to obfuscate the code! I loaded my swap as a tmpfs, so that >>> solved my problem. ;-) >>> Ken A >>> Pacific.Net >>> >>> >> >> > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From pedretti at eco.unibs.it Fri Mar 9 18:26:09 2007 
From: pedretti at eco.unibs.it (Fabio Pedretti) Date: Fri Mar 9 17:30:06 2007 Subject: ClamAV suggestion Message-ID: <20070309182609.31x3akra8gkooccs@luna.eco.unibs.it>

Hi, I am using MailScanner 4.44.6 (I know it's old, but seems that my suggestions are not implemented in current code) with clamscan 0.90.1 (not Mail::Clam module). I have some suggestions for using it with clamav:

1) clamscan is called with the option --disable-summary, which is deprecated. --no-summary should be used instead.

2) I noticed that some phishing mails are not blocked (I am also using the signatures of sanesecurity). If I do a clamscan on the full original mail with headers, clamscan finds the virus (I can provide a sample if needed). Seems the problem is that MailScanner extracts the content of the mail (body + attachment) and scans it, but some phishing mails are only detected if the full headers are present (in the clamav DB in the extended signature format, option 4 is for mail files, look at signatures.pdf in clamav source, and are detected only if full mail with headers is scanned). MailScanner should be modified so that all the original mail (with headers and without extracting attachment) should be passed to clamscan, so all viruses can be caught.

3) Would be nice to have a module which directly uses clamd and then falls back to clamscan if it's not working, other than clamscan or Mail::Clam options.

4) Would be nice to have the possibility to quarantine only the entire message and not also the attachments: worse is that if there are some compressed files, the original file as well as the content are quarantined, doubling the space on the disk.

Fabio

From clamun at gmail.com Fri Mar 9 19:10:23 2007
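Points 1 to 3 of the ClamAV post above, as an added example (not MailScanner code and not part of the original post): the complete message, headers included, is streamed to clamd, and `clamscan --no-summary` on stdin is used only when the daemon cannot be reached. The socket path, function names and sample message are assumptions; INSTREAM is the streaming command of current clamd releases, which may not match the 0.90.1 mentioned in the post.

```python
import shutil
import socket
import struct
import subprocess

# Assumed path: use the LocalSocket value from your own clamd.conf.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"

# Constructed sample: a complete message, headers included, as the MTA queued it.
SAMPLE_MESSAGE = (
    b"Received: from mail.example.net by mx.example.org; Fri, 9 Mar 2007 18:26:09 +0100\r\n"
    b"From: \"Example Bank\" <service@example.net>\r\n"
    b"To: user@example.org\r\n"
    b"Subject: Please confirm your account\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Constructed body text for the example.\r\n"
)


def frame_instream(data, chunk=65536):
    """Build a clamd INSTREAM request: command, length-prefixed chunks, zero-length end marker."""
    parts = [b"zINSTREAM\0"]
    for offset in range(0, len(data), chunk):
        piece = data[offset:offset + chunk]
        parts.append(struct.pack("!I", len(piece)) + piece)
    parts.append(struct.pack("!I", 0))
    return b"".join(parts)


def parse_reply(line):
    """Turn '<name>: OK' or '<name>: <signature> FOUND' into (status, signature)."""
    text = line.decode("utf-8", "replace").strip("\0\r\n ")
    if text.endswith(" FOUND"):
        return ("infected", text[:-len(" FOUND")].split(": ", 1)[-1])
    if text.endswith(": OK"):
        return ("clean", None)
    return ("error", text)


def scan_with_clamd(data, path=CLAMD_SOCKET, timeout=30):
    """Send the raw message to a running clamd; raises OSError if the daemon is unreachable."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as conn:
        conn.settimeout(timeout)
        conn.connect(path)
        conn.sendall(frame_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):   # replies to z-commands are NUL-terminated
            block = conn.recv(4096)
            if not block:
                break
            reply += block
    return parse_reply(reply)


def scan_with_clamscan(data, binary="clamscan"):
    """Fallback: pipe the same raw message to clamscan, using --no-summary (not --disable-summary)."""
    exe = shutil.which(binary)
    if exe is None:
        return ("error", "clamscan not installed")
    try:
        proc = subprocess.run([exe, "--no-summary", "-"], input=data,
                              capture_output=True, timeout=300)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return ("error", str(exc))
    if proc.returncode == 0:               # clamscan exit codes: 0 clean, 1 infected, 2 error
        return ("clean", None)
    if proc.returncode == 1:
        for out_line in proc.stdout.splitlines():
            result = parse_reply(out_line)
            if result[0] == "infected":
                return result
        return ("infected", None)
    return ("error", proc.stderr.decode("utf-8", "replace").strip())


def scan_message(raw, socket_path=CLAMD_SOCKET):
    """Scan the undecoded message; returns (status, signature, engine_used)."""
    try:
        result = scan_with_clamd(raw, socket_path)
        if result[0] != "error":
            return result + ("clamd",)
    except OSError:
        pass                               # daemon down or socket missing: fall back
    return scan_with_clamscan(raw) + ("clamscan",)


if __name__ == "__main__":
    print(scan_message(SAMPLE_MESSAGE))
```
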
From: clamun at gmail.com (Claudio Mundin) Date: Fri Mar 9 18:16:36 2007 Subject: MailSacanner don't work In-Reply-To: <343f281d29a3444e81494b209436a0b0@solidstatelogic.com> References: <015401c7625c$a9c287c0$0705000a@ddf5dw71> <343f281d29a3444e81494b209436a0b0@solidstatelogic.com> Message-ID: <7e78dc1f0703091010k3a077adfj55726771ee84f44@mail.gmail.com>

Here is the /etc/init.d/MailScanner script

#!/bin/bash
#
# mailscanner This shell script takes care of starting and stopping
# MailScanner, and its associated copies of sendmail.
#
### BEGIN INIT INFO
# Provides: MailScanner
# Required-Start: $syslog $remote_fs
# X-UnitedLinux-Should-Start: $time $network $named ypbind
# Required-Stop:
# X-UnitedLinux-Should-Stop:
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: MailScanner and sendmail daemons
# Description: Start sendmail and MailScanner to provide
# SMTP service with virus, dangerous contents and spam scanning.
### END INIT INFO

# Check for missing binaries (stale symlinks should not happen)
MAILSCANNER_BIN=/usr/sbin/check_MailScanner
test -x $MAILSCANNER_BIN || exit 5

#
# Set the default values.
# DON'T EDIT THESE, EDIT /etc/sysconfig/MailScanner INSTEAD!
#
MTA=sendmail
POSTFIX=/usr/sbin/postfix
POSTFIXINCF=/etc/postfix.in
POSTFIXOUTCF=/etc/postfix
POSTFIXWORKOWNER=postfix
POSTFIXQUAROWNER=postfix
MAILSCANNER_WORKDIR="/var/spool/MailScanner/incoming"
MAILSCANNER_INQDIR="/var/spool/mqueue.in"
MAILSCANNER_RUNAS=root
SENDMAIL_IN_ARGS="-L sendmail-in -Am -bd -om"
SENDMAIL_CLIENT_ARGS="-L sendmail-client -Ac -q30m"
SENDMAIL_OUT_ARGS="-L sendmail-out -Am -q30m -om"
SENDMAIL="/usr/sbin/sendmail"
RESTART_DELAY=10

# Check for existence of needed config files and read them
test -s /etc/sysconfig/mail && \
    . /etc/sysconfig/mail
test -s /etc/sysconfig/sendmail && \
    . /etc/sysconfig/sendmail
test -s /etc/sysconfig/MailScanner && \
    . /etc/sysconfig/MailScanner

msppid=/var/spool/clientmqueue/sm-client.pid
srvpid=/var/run/sendmail.pid
srvoutpid=/var/run/sendmail-out.pid
mspid=/var/run/MailScanner.pid

if test "$SMTPD_LISTEN_REMOTE" != "yes" ; then
    SENDMAIL_IN_ARGS="-O DaemonPortOptions=Addr=127.0.0.1$SENDMAIL_IN_ARGS"
fi

if test "$MTA" = "sendmail" ; then
    test -x $SENDMAIL || exit 5
fi

SENDMAIL_IN_ARGS="-OPrivacyOptions=noetrn -ODeliveryMode=queueonly -OQueueDirectory=$MAILSCANNER_INQDIR -OPidFile=$srvpid $SENDMAIL_IN_ARGS"
SENDMAIL_CLIENT_ARGS="-OPidFile=$msppid $SENDMAIL_CLIENT_ARGS"
SENDMAIL_OUT_ARGS="-OPidFile=$srvoutpid $SENDMAIL_OUT_ARGS"

StartInSendmail() {
    echo -n "Initializing incoming $MTA"
    if [ $MTA = 'postfix' ]; then
        if test -x $POSTFIX ; then
            if [ -f $POSTFIXINCF/main.cf ]; then
                $POSTFIX -c $POSTFIXINCF start 2> /dev/null
                rc_status -v
            fi
        else
            echo
            echo "Assuming you are using a single Postfix instance (hold queue method)"
        fi
    elif [ $MTA = 'sendmail' ]; then
        startproc -p $srvpid $SENDMAIL $SENDMAIL_IN_ARGS
        startproc -f -p $msppid $SENDMAIL $SENDMAIL_CLIENT_ARGS
        rc_status -v
    elif [ $MTA = 'exim' ]; then
        startproc -p $srvpid $EXIM -C $EXIMINCF -bd 2> /dev/null
        rc_status -v
    fi
}

StartOutSendmail() {
    echo -n "Initializing outgoing $MTA"
    if [ $MTA = 'postfix' ]; then
        if test -x $POSTFIX -a -f $POSTFIXOUTCF/main.cf ; then
            $POSTFIX -c $POSTFIXOUTCF start 2> /dev/null
            rc_status -v
        else
            echo
            echo "Error: Could not find Postfix installation, see /etc/sysconfig/MailScanner"
        fi
    elif [ $MTA = 'sendmail' ]; then
        startproc -f -p $srvoutpid $SENDMAIL $SENDMAIL_OUT_ARGS
        rc_status
    elif [ $MTA = 'exim' ]; then
        startproc -p $srvpid $EXIM -C $EXIMOUTCF -bd 2> /dev/null
        rc_status
    fi
    rc_status -v
}

. /etc/rc.status
rc_reset

case "$1" in
    startin)
        StartInSendmail
        ;;
    startout)
        StartOutSendmail
        ;;
    start)
        StartInSendmail
        StartOutSendmail
        echo -n "Initializing MailScanner"
        if [ $MTA = 'postfix' ]; then
            :> $mspid
            chown $MAILSCANNER_RUNAS $mspid
            chown $POSTFIXWORKOWNER $MAILSCANNER_WORKDIR
            #chown $POSTFIXQUAROWNER $MAILSCANNER_QUARDIR
        fi
        startproc -f -p $mspid /usr/sbin/check_MailScanner >/dev/null
        # This didn't work as expected: rc_status -v
        rm -f /var/lock/subsys/MailScanner.off >/dev/null 2>&1
        echo
        ;;
    stop)
        echo -n "Shutting down $MTA and MailScanner"
        if [ $MTA = 'postfix' ]; then
            if [ -f $POSTFIXINCF/main.cf ]; then
                $POSTFIX -c $POSTFIXINCF stop 2>/dev/null
                rc_status
            fi
            $POSTFIX -c $POSTFIXOUTCF stop 2>/dev/null
            rc_status
        elif [ $MTA = 'exim' ]; then
            killproc -p $srvpid -TERM $EXIM
            rc_status
            killproc -p $srvoutpid -TERM $EXIM
            rc_status
        elif [ $MTA = 'sendmail' ]; then
            killproc -p $msppid -TERM $SENDMAIL
            rc_status
            killproc -p $srvpid -TERM $SENDMAIL
            rc_status
            killproc -p $srvoutpid -TERM $SENDMAIL
            rc_status
        fi
        # Patch courtesy of Peter Peters
        killproc -p $mspid -TERM MailScanner
        rc_status -v
        # Clear out all the old pid files
        rm -f $mspid
        # Clear out the old incoming dirs
        cd $MAILSCANNER_WORKDIR && ls | egrep '^[0123456789]+$' | xargs /bin/rm -rf 2>/dev/null
        touch /var/lock/subsys/MailScanner.off >/dev/null 2>&1
        ;;
    try-restart)
        $0 stop && sleep $RESTART_DELAY && $0 start
        rc_status
        ;;
    restart)
        $0 stop
        sleep $RESTART_DELAY
        $0 start
        rc_status
        ;;
    reload|force-reload)
        echo -n "Reload service MailScanner"
        killproc -p $mspid -HUP /usr/sbin/MailScanner
        rc_status -v
        ;;
    status)
        echo -n "Checking for service MailScanner: "
        if [ $MTA = 'postfix' ]; then
            if [ -f $POSTFIXINCF/main.cf ]; then
                $POSTFIX -c $POSTFIXINCF status
            fi
            $POSTFIX -c $POSTFIXOUTCF status
        elif [ $MTA = 'exim' ]; then
            checkproc -p $srvpid $EXIM
            rc_status
            checkproc -p $srvoutpid $EXIM
            rc_status
        elif [ $MTA = 'sendmail' ]; then
            checkproc -p $msppid $SENDMAIL
            rc_status
            checkproc -p $srvpid $SENDMAIL
            rc_status
            checkproc -p $srvoutpid $SENDMAIL
            rc_status
        fi
        checkproc -p $mspid /usr/sbin/MailScanner
        rc_status -v
        ;;
    probe)
        test /etc/sendmail.cf -nt $srvpid -o /etc/mail/submit.cf -nt $msppid \
            -o /etc/MailScanner/MailScanner.conf -nt $mspid && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe|startin|startout}"
        exit 1
esac
rc_exit

2007/3/9, Martin.Hepworth : > > Steve > > Well spotted - this must be an old version of MailScanner as recent ones > default to posix for sendmail MTAs. > > -- > Martin Hepworth > Snr Systems Administrator > Solid State Logic > Tel: +44 (0)1865 842300 > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Steve Campbell > > Sent: 09 March 2007 15:08 > > To: MailScanner discussion > > Subject: Re: MailSacanner don't work > > > > > > ----- Original Message ----- 
> > From: "Claudio Mundin" > > To: "MailScanner discussion" > > Sent: Friday, March 09, 2007 5:08 AM > > Subject: Re: MailSacanner don't work > > > > > > > Mar 9 07:06:24 fw MailScanner[4156]: Using locktype = flock > > > > I'm not sure with this flavor of Linux, but you should probably set in > > your > > MailScanner.conf the following line: > > > > Lock Type = posix > > > > This isn't going to fix the problem you are seeing now, but might > prevent > > other problems following the solution to what you are asking about. > I'm > > not > > sure if flock or posix is proper for Suse and sendmail. > > > > Steve > > > > > > > > > > > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > ********************************************************************** > Confidentiality : This e-mail and any attachments are intended for the > addressee only and may be confidential. If they come to you in error > you must take no action based on them, nor must you copy or show them > to anyone. Please advise the sender by replying to this e-mail > immediately and then delete the original from your computer. > > Opinion : Any opinions expressed in this e-mail are entirely those of > the author and unless specifically stated to the contrary, are not > necessarily those of the author's employer. > > Security Warning : Internet e-mail is not necessarily a secure > communications medium and can be subject to data corruption. We advise > that you consider this fact when e-mailing us. > > Viruses : We have taken steps to ensure that this e-mail and any > attachments are free from known viruses but in keeping with good > computing practice, you should ensure that they are virus free. 
> > Red Lion 49 Ltd T/A Solid State Logic > Registered as a limited company in England and Wales > (Company No:5362730) > Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, > United Kingdom > ********************************************************************** > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070309/6af1edb4/attachment.html From glenn.steen at gmail.com Fri Mar 9 19:19:20 2007 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Mar 9 18:25:33 2007
Subject: dealing with dictionary attacks
In-Reply-To: <026401c76268$aaedcae0$0705000a@ddf5dw71>
References: <45EBE85C.90507@fractalweb.com> <006a01c761a1$731e4120$0705000a@ddf5dw71> <1173438172.45f13edccf188@perdition.cnpapers.net> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <45F18AC6.4090409@pacific.net> <026401c76268$aaedcae0$0705000a@ddf5dw71>
Message-ID: <223f97700703091019g3c910545td74d411a8ac7af42@mail.gmail.com>

On 09/03/07, Steve Campbell wrote:
(snip)
> I also forgot to say I was backing out of this thread for the last time in
> the last post.
>
> ;-)
>
> Backing out of this thread for the last time.

Oh no you don't... Not until you give us that patch! :-D

On the matter of MS causing swapping, swinging and singing... If you
ever swing by these parts I'd like to swap some choir note booklets
(Benjamin Brittens Festival Te Deum, Max Regers Palmsonntagmorgen ...)
for some new vocal chords (mine are taking exception to the mentioned
works :-) :-)

Oh ... are we off topic enough yet? ;-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Fri Mar 9 19:35:43 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Mar 9 18:41:56 2007
Subject: ClamAV suggestion
In-Reply-To: <20070309182609.31x3akra8gkooccs@luna.eco.unibs.it>
References: <20070309182609.31x3akra8gkooccs@luna.eco.unibs.it>
Message-ID: <223f97700703091035rfb242d8s7139cd1ad97de6b1@mail.gmail.com>

On 09/03/07, Fabio Pedretti wrote:
> Hi,
> I am using MailScanner 4.44.6 (I know it's old, but seems that my
> suggestions are not implemented in current code) with clamscan 0.90.1
> (not Mail::Clam module). I have some suggestions for using it with
> clamav:

This simply cannot be the sole reason to hold off an upgrade. You
should seriously consider spending the approximately 10 minutes it
takes to perform and perhaps 30 minutes it takes to adjust defaults to
new settings afterward. How to perform an upgrade is mentioned in the
MAQ.

> 1) clamscan is called with the option --disable-summary , which is
> deprecated. --no-summary should be used instead.

I would assume this is the same in the latest MS since it predates the
0.90 release of clamav... And since Jules is hospitalised at the
moment, I wouldn't expect any adjustment to this in the near future...
But having said that, it is quite simple to do yourself: Simply edit
the appropriate clamav initialisation stanza in the SweepViruses.pm ...
If you feel like it, make a patch/diff and post it here.

> 2) I noticed that some phishing mail are not blocked (I am also using
> the signatures of sanesecurity). If I do a clamscan on the full
> original mail with headers, clamscan find the virus (I can provide a
> sample if needed). Seems the problem is that MailScanner extracts the
> content of the mail (body + attachment) and scans it, but some
> phishing mail are only detected if the full headers are present (in
> the clamav DB in the extended signature format, option 4 is for mail
> files, look at signatures.pdf in clamav source, and are detected only
> if full mail with headers is scanned).
> MailScanner should be modified so that all the original mail (with
> headers and without extracting attachment) should be passed to
> clamscan, so all virus can be catched.

I'm not close to any code, but ... this is probably not true. Maybe a
bug in your old version, but I don't think this is how it works (the
headers should be included too). Hm. Will have to find time/energy to
look at some code to say more.

> 3) Would be nice to have a module which directly uses clamd and then
> fallback to clamscan if it's not working, other than clamscan or
> Mail::Clam options.

The consensus thus far is that it'd be a waste of effort, but then
again... I do believe some have modified the clamscan wrapper to run
clamdscan, and further make it "fall back" on clamscan should be rather
trivial... Again, will have to look at some code to say more.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From jfagan at firstlightnetworks.com Fri Mar 9 19:46:00 2007
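The clamd-first wrapper with a clamscan fallback that Glenn Steen's reply above calls "rather trivial", as an added example; it is not MailScanner's SweepViruses.pm code or a patch anyone posted. The CLAMDSCAN and CLAMSCAN override variables and the function names are assumptions of this example; --no-summary and the 0/1/2 exit codes are ClamAV's own.

```shell
#!/bin/sh
# Added example (not MailScanner code): ask clamd first, fall back to clamscan.
# CLAMDSCAN and CLAMSCAN can be overridden, which lets the logic be exercised
# with stub commands on a machine without ClamAV.
CLAMDSCAN=${CLAMDSCAN:-clamdscan}
CLAMSCAN=${CLAMSCAN:-clamscan}

# scan_with_fallback PATH...
# Sets SCAN_ENGINE (the scanner that produced the verdict) and SCAN_OUTPUT.
# Returns ClamAV's exit convention: 0 = clean, 1 = virus found, 2 = error.
scan_with_fallback() {
    SCAN_ENGINE=clamdscan
    rc=0
    # --no-summary replaces the deprecated --disable-summary.
    SCAN_OUTPUT=$("$CLAMDSCAN" --no-summary "$@" 2>&1) || rc=$?
    if [ "$rc" -ne 0 ] && [ "$rc" -ne 1 ]; then
        # No verdict from the daemon (clamd not running, socket unreachable,
        # or clamd's account cannot read the work directory): run the
        # standalone scanner over the same paths.
        SCAN_ENGINE=clamscan
        rc=0
        SCAN_OUTPUT=$("$CLAMSCAN" --no-summary -r "$@" 2>&1) || rc=$?
    fi
    # Fail closed: anything that is not an explicit verdict is reported as an
    # error, so the caller never mistakes "could not scan" for "clean".
    if [ "$rc" -ne 0 ] && [ "$rc" -ne 1 ]; then
        rc=2
    fi
    return "$rc"
}

# detections
# Prints "signature|path" for every "path: signature FOUND" line in SCAN_OUTPUT.
detections() {
    printf '%s\n' "$SCAN_OUTPUT" | sed -n 's/^\(.*\): \(.*\) FOUND$/\2|\1/p'
}

# Command-line use: sh clam-fallback.sh --scan /path/to/message-dir
if [ "${1:-}" = "--scan" ]; then
    shift
    status=0
    scan_with_fallback "$@" || status=$?
    printf 'engine=%s status=%s\n' "$SCAN_ENGINE" "$status"
    detections
    exit "$status"
fi
```

A caller should treat exit status 2 as "message not scanned" and hold the message rather than deliver it.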
From: jfagan at firstlightnetworks.com (James Fagan)
Date: Fri Mar 9 18:50:55 2007
Subject: Clamav
In-Reply-To: <018a01c7623e$dd463a10$0600a8c0@roger>
References: <0e5c1b86ea5f784cbbe5cc5739a4766d@solidstatelogic.com><4106.209.104.55.7.1172525095.squirrel@mail.ziff.net><1172648388.21763.0.camel@miyagip.ziff.net.><26942.209.104.55.7.1172685554.squirrel@mail.ziff.net><223f97700702281106m3e6fdf70sef8c2701a725bc18@mail.gmail.com><22107.209.104.55.7.1172690830.squirrel@mail.ziff.net> <018a01c7623e$dd463a10$0600a8c0@roger>
Message-ID: <59E4A3A1069C2640959AD0F7518C48122F08CA@FLN1.fln.local>

> Did someone updated Install-Clam-SA package with clamav 0.91?
>
> Regards
>
> Roger Jochem

Yes there is a package available here

http://tinyurl.com/2wox4q

Also I mirrored this just in case here

http://jfworks.net/files/install-Clam-0.90.1-SA-3.1.8.tar.gz

Who put this together? I'm sure it's in the archives, but thanks!
Works well, installed it on a few systems.

James

From Denis.Beauchemin at USherbrooke.ca Fri Mar 9 19:59:35 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Fri Mar 9 19:05:57 2007
Subject: MailSacanner don't work
In-Reply-To: <7e78dc1f0703091010k3a077adfj55726771ee84f44@mail.gmail.com>
References: <015401c7625c$a9c287c0$0705000a@ddf5dw71> <343f281d29a3444e81494b209436a0b0@solidstatelogic.com> <7e78dc1f0703091010k3a077adfj55726771ee84f44@mail.gmail.com>
Message-ID: <45F1AE97.6000205@USherbrooke.ca>

Claudio Mundin wrote:
> Here is the /etc/init.d/MailScanner script
>
> #!/bin/bash
> #
> # mailscanner   This shell script takes care of starting and stopping
> #               MailScanner, and its associated copies of sendmail.
> #
> ### BEGIN INIT INFO
> # Provides:       MailScanner
> # Required-Start: $syslog $remote_fs
> # X-UnitedLinux-Should-Start: $time $network $named ypbind
> # Required-Stop:
> # X-UnitedLinux-Should-Stop:
> # Default-Start:  3 5
> # Default-Stop:   0 1 2 6
> # Short-Description: MailScanner and sendmail daemons
> # Description:    Start sendmail and MailScanner to provide
> #       SMTP service with virus, dangerous contents and spam scanning.
> ### END INIT INFO
>
> # Check for missing binaries (stale symlinks should not happen)
> MAILSCANNER_BIN=/usr/sbin/check_MailScanner
> test -x $MAILSCANNER_BIN || exit 5
>
> #
> # Set the default values.
> # DON'T EDIT THESE, EDIT /etc/sysconfig/MailScanner INSTEAD!
> #
> MTA=sendmail
> POSTFIX=/usr/sbin/postfix
> POSTFIXINCF=/etc/postfix.in
> POSTFIXOUTCF=/etc/postfix
> POSTFIXWORKOWNER=postfix
> POSTFIXQUAROWNER=postfix
> MAILSCANNER_WORKDIR="/var/spool/MailScanner/incoming"
> MAILSCANNER_INQDIR="/var/spool/mqueue.in"
> MAILSCANNER_RUNAS=root
> SENDMAIL_IN_ARGS="-L sendmail-in -Am -bd -om"
> SENDMAIL_CLIENT_ARGS="-L sendmail-client -Ac -q30m"
> SENDMAIL_OUT_ARGS="-L sendmail-out -Am -q30m -om"
> SENDMAIL="/usr/sbin/sendmail"
> RESTART_DELAY=10
>
> # Check for existence of needed config files and read them
> test -s /etc/sysconfig/mail && \
>       . /etc/sysconfig/mail
>
> test -s /etc/sysconfig/sendmail && \
>       . /etc/sysconfig/sendmail
>
> test -s /etc/sysconfig/MailScanner && \
>       . /etc/sysconfig/MailScanner
>
>
> msppid=/var/spool/clientmqueue/sm-client.pid
> srvpid=/var/run/sendmail.pid
> srvoutpid=/var/run/sendmail-out.pid
> mspid=/var/run/MailScanner.pid
>
> if test "$SMTPD_LISTEN_REMOTE" != "yes" ; then
>     SENDMAIL_IN_ARGS="-O DaemonPortOptions=Addr=127.0.0.1 $SENDMAIL_IN_ARGS"
> fi
>

Claudio,

Looks like "$SMTPD_LISTEN_REMOTE" is not set to "yes". As for why it
isn't... I can't tell...

Either define the variable (SMTPD_LISTEN_REMOTE=yes) before its use or
comment out the whole "if" clause to make it go away.

Denis
--
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From campbell at cnpapers.com Fri Mar 9 20:02:46 2007
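The check Denis Beauchemin describes above, as an added example that is not part of the posted init script: it reads the three config files the script sources, in the same order, and reports whether the script will pin the incoming sendmail to 127.0.0.1. The function names and the two result strings are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the posted init script): reproduce the one decision that
# script makes from SMTPD_LISTEN_REMOTE, by parsing the config files instead
# of sourcing (and so executing) them.

# effective_listen_remote FILE...
# The init script sources its config files in order, so the last assignment
# wins. Missing or empty files are skipped, as `test -s` does in the script.
effective_listen_remote() {
    value=""
    for f in "$@"; do
        [ -s "$f" ] || continue
        if grep -Eq '^[[:space:]]*SMTPD_LISTEN_REMOTE=' "$f"; then
            # Drop trailing comments, keep the last assignment, strip quotes.
            value=$(sed -n 's/#.*$//; s/^[[:space:]]*SMTPD_LISTEN_REMOTE=//p' "$f" |
                tail -n 1 | tr -d "\"' \t")
        fi
    done
    printf '%s\n' "$value"
}

# build_sendmail_in_args VALUE
# Same test as the script: anything other than the exact string "yes"
# (unset, "no", "Yes", "YES") binds the incoming daemon to the loopback.
build_sendmail_in_args() {
    args="-L sendmail-in -Am -bd -om"    # SENDMAIL_IN_ARGS default in the post
    if test "$1" != "yes"; then
        # A space must separate the address from the inherited arguments.
        args="-O DaemonPortOptions=Addr=127.0.0.1 $args"
    fi
    printf '%s\n' "$args"
}

# listen_scope FILE...
# Prints "loopback-only" when the init script will force 127.0.0.1, or
# "per-sendmail.cf" when it adds no override and sendmail.cf alone decides.
listen_scope() {
    case $(build_sendmail_in_args "$(effective_listen_remote "$@")") in
        *"DaemonPortOptions=Addr=127.0.0.1"*) echo loopback-only ;;
        *) echo per-sendmail.cf ;;
    esac
}

# On a host that has the files, report its current state.
if [ -e /etc/sysconfig/mail ]; then
    listen_scope /etc/sysconfig/mail /etc/sysconfig/sendmail /etc/sysconfig/MailScanner
fi
```

A "per-sendmail.cf" result only means the init script adds no override; a DAEMON_OPTIONS line in sendmail.mc that names 127.0.0.1 still restricts the listener.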
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Mar 9 19:09:23 2007
Subject: MailSacanner don't work
References: <015401c7625c$a9c287c0$0705000a@ddf5dw71><343f281d29a3444e81494b209436a0b0@solidstatelogic.com> <7e78dc1f0703091010k3a077adfj55726771ee84f44@mail.gmail.com>
Message-ID: <007201c7627d$867b2580$0705000a@ddf5dw71>

Claudio,

I don't know about everyone else that is following this thread, but I got
lost quite a bit ago as to where this has been.

I would wait and see what anyone else posts after this to see if it's
necessary, but I would suggest doing the following, sort of from scratch.

Firstly, if you can afford to do so, stop Mailscanner through whatever means
you would normally do this.

Kill all of the sendmail processes (killall sendmail)

Note any errors that each of the two commands generate.

Make the changes to your sendmail.mc file to allow your sendmail to handle
mail on more than just the loopback as Denis mentioned before. This means to
add the 'dnl' part to the line below if it isn't already there. Then
regenerate your sendmail.cf using this file.

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Use whatever means you have to ensure sendmail does not start on its own. RH
uses either the service command or can be done through chkconfig. Make sure
you don't have one of those systems that starts things if it notices
something is not running!

Now start MailScanner in the way it would normally start. A nice way to do
this in RH is something like the following:

/etc/rc.d/init.d/MailScanner start; tail -f /var/log/maillog

This will start what is required and then immediately start showing your
maillog as it changes. Control-C ends the maillog scroll.

Next stop MailScanner and ensure it all stops OK. You should see two
sendmail and one MailScanner stopping. It really didn't look like you had a
problem, and _I_ didn't see where it was happening other than the
sendmail.mc misconfiguration.

Then look at your maillog from the time you started it until you stopped it
and let us know of any error messages you saw.

I never was sure if you could use sendmail without Mailscanner before all of
this started, so that would be nice to know also. Mailscanner doesn't really
change your sendmail in any form. It just creates the second instance for
input. You should always be able to stop MailScanner, and start sendmail
using the normal default way and it should work as sendmail would work
before you installed mailscanner.

Hope this helps, and any info you can throw our way would help us help you.

Steve Campbell
campbell@cnpapers.com
Charleston Newspapers

----- Original Message -----
From: "Claudio Mundin"
To: "MailScanner discussion"
Sent: Friday, March 09, 2007 1:10 PM
Subject: Re: MailSacanner don't work

From roger at rudnick.com.br Fri Mar 9 20:08:31 2007
From: roger at rudnick.com.br (Roger Jochem)
Date: Fri Mar 9 19:14:16 2007
Subject: Clamav
References: <0e5c1b86ea5f784cbbe5cc5739a4766d@solidstatelogic.com><4106.209.104.55.7.1172525095.squirrel@mail.ziff.net><1172648388.21763.0.camel@miyagip.ziff.net.><26942.209.104.55.7.1172685554.squirrel@mail.ziff.net><223f97700702281106m3e6fdf70sef8c2701a725bc18@mail.gmail.com><22107.209.104.55.7.1172690830.squirrel@mail.ziff.net><018a01c7623e$dd463a10$0600a8c0@roger> <59E4A3A1069C2640959AD0F7518C48122F08CA@FLN1.fln.local>
Message-ID: <061f01c7627e$53d0e970$0600a8c0@roger>

Thanks! Just what I was looking for...

Regards

Roger Jochem

----- Original Message -----
From: "James Fagan"
To: "MailScanner discussion"
Sent: Friday, March 09, 2007 3:46 PM
Subject: RE: Clamav

>> Did someone updated Install-Clam-SA package with clamav 0.91?
>>
>> Regards
>>
>> Roger Jochem
>
> Yes there is a package available here
>
> http://tinyurl.com/2wox4q
>
> Also I mirrored this just in case here
>
> http://jfworks.net/files/install-Clam-0.90.1-SA-3.1.8.tar.gz
>
> Who put this together? I'm sure it's in the archives, but thanks!
> Works well, installed it on a few systems.
>
> James

From mailscanner at yeticomputers.com Fri Mar 9 21:59:16 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Fri Mar 9 21:05:40 2007
Subject: dealing with dictionary attacks
In-Reply-To:
References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net>
Message-ID: <45F1CAA4.9050300@yeticomputers.com>

Res wrote:
> I beg to differ, a recent check of archives shows pf has the most
> problems with MS, and it's a well known fact, even admitted to by the
> regular postmix weenies.

Just for reference, my archives - which are complete from Aug 08, 2005 -
have a count of 3589 posts with the word "sendmail" in the body and 2269
with "postfix". I made no effort to read all of those posts to rate
their content, but the numbers lead me to think that your comment might
be a bit biased. Let's just say that people working with *any* mail
server that they're unfamiliar with are going to have questions and
problems for which they will seek help. This is a great place to find
it, and being helpful even when a post is ostensibly off-topic can only
help MailScanner's popularity.

I don't think that "this topic doesn't belong here" and "your mail
server sucks" replies help anyone, and if one is asking questions about
Postfix+MailScanner, this list is a far better place to look for help
than the Postfix list. Even if the question seems to relate to just
Postfix, if it even gets mentioned in passing that one is using
MailScanner in a message to the Postfix list, sometimes the entire
thread degrades into anti-MailScanner rhetoric.

As an aside, I've used probably every major Unix mail server over the
last 15-20 years, and a few of the minor ones. (As well as several on
Windows, a couple of which were quite good. Exchange doesn't count
among the good ones.) My current choice is Postfix, for a number of
reasons - none of which make me a weenie. I know sendmail very well,
although I have to admit to not using it much since I switched to qmail
in 1997-1998. I no longer use qmail, sendmail, exim or courier for a
variety of reasons. I don't call people who choose any of those (or
other) servers names, although I could certainly think of some for
people who insist on using either sendmail or qmail. (Bendmail
weenies? Nah, too derivative... :P )

Rick

From drew at technologytiger.net Fri Mar 9 22:32:19 2007
From: drew at technologytiger.net (Drew Marshall)
Date: Fri Mar 9 21:38:35 2007
Subject: dealing with dictionary attacks
In-Reply-To: <45F1CAA4.9050300@yeticomputers.com>
References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com>
Message-ID:

On 9 Mar 2007, at 20:59, Rick Chadderdon wrote:

> Res wrote:
>> I beg to differ, a recent check of archives shows pf has the most
>> problems with MS, and it's a well known fact, even admitted to by the
>> regular postmix weenies.
> Just for reference, my archives - which are complete from Aug 08, 2005 -
> have a count of 3589 posts with the word "sendmail" in the body and 2269
> with "postfix". I made no effort to read all of those posts to rate
> their content, but the numbers lead me to think that your comment might
> be a bit biased. Let's just say that people working with *any* mail
> server that they're unfamiliar with are going to have questions and
> problems for which they will seek help. This is a great place to find
> it, and being helpful even when a post is ostensibly off-topic can only
> help MailScanner's popularity.

We knew he was wrong anyway :-)

>
> I don't think that "this topic doesn't belong here" and "your mail
> server sucks" replies help anyone, and if one is asking questions about
> Postfix+MailScanner, this list is a far better place to look for help
> than the Postfix list. Even if the question seems to relate to just
> Postfix, if it even gets mentioned in passing that one is using
> MailScanner in a message to the Postfix list, sometimes the entire
> thread degrades into anti-MailScanner rhetoric.

Absolutely agreed. I would wholeheartedly agree that anyone who uses
Postfix with MailScanner shouldn't mention it in public to the Postfix
list or you stand a good chance of being tarred and feathered and being
obliged to hang an 'unclean' bell round your mail electrons for the
rest of your life.

>
> As an aside, I've used probably every major Unix mail server over the
> last 15-20 years, and a few of the minor ones. (As well as several on
> Windows, a couple of which were quite good. Exchange doesn't count
> among the good ones.) My current choice is Postfix, for a number of
> reasons - none of which make me a weenie. I know sendmail very well,
> although I have to admit to not using it much since I switched to qmail
> in 1997-1998. I no longer use qmail, sendmail, exim or courier for a
> variety of reasons. I don't call people who choose any of those (or
> other) servers names, although I could certainly think of some for
> people who insist on using either sendmail or qmail. (Bendmail
> weenies? Nah, too derivative... :P )

You have to remember that Res, being the list's number 1 resident nasty
guy, he does 'fire from the hip' and one should make allowances for
this ;-) I feel quite safe saying this publicly as he will be very busy
patching all those 'Bendmail' boxes with Steve's patch to prevent
swapping, while checking his lock type and patching against the next
security hole :-)

(While I, as a Postfix user, will just reply to myself as is our wont) :-)

Drew

--
In line with our policy, this message has been scanned for viruses and
dangerous content by the Technology Tiger MailScanner. Further
information can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration
number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From campbell at cnpapers.com Fri Mar 9 22:44:17 2007
From: campbell at cnpapers.com (Steve Campbell) Date: Fri Mar 9 21:51:04 2007 Subject: dealing with dictionary attacks References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> Message-ID: <003801c76294$16e35eb0$0705000a@ddf5dw71> How do we deal with dictionary attacks? Steve Campbell campbell@cnpapers.com Charleston Newspapers ----- Original Message ----- 
From: "Drew Marshall" To: "MailScanner discussion" Sent: Friday, March 09, 2007 4:32 PM Subject: Re: dealing with dictionary attacks > On 9 Mar 2007, at 20:59, Rick Chadderdon wrote: > >> Res wrote: >>> I beg to difer, a recent check of archives shows pf has the most >>> problems with MS, and its a well known fact,m even admitted to b ythe >>> regular postmix weenies. >> Just for reference, my archives - which are complete from Aug 08, 2005 - >> have a count of 3589 posts with the word "sendmail" in the body and 2269 >> with "postfix". I made no effort to read all of those posts to rate >> their content, but the numbers lead me to think that your comment might >> be a bit biased. Let's just say that people working with *any* mail >> server that they're unfamiliar with are going to have questions and >> problems for which they will seek help. This is a great place to find >> it, and being helpful even when a post is ostenibly off-topic can only >> help MailScanner's popularity. > > We knew he was wrong any way :-) > >> >> I don't think that "this topic doesn't belong here" and "your mail >> server sucks" replies help anyone, and if one is asking questions about >> Postfix+MailScanner, this list is a far better place to look for help >> than the Postfix list. Even if the question seems to relate to just >> Postfix, if it even gets mentioned in passing that one is using >> MailScanner in a message to the Postifix list, sometimes the entire >> thread degrades into anti-MailScanner rhetoric. > > Absolutely agreed. I would whole hartedly agree that any one who uses > Postfix with MailScanner shouldn't mention it in public to the Postfix > list or you stand a good chance of being tar and feathered and being > obliged to hang an 'unclean' bell round your mail electrons for the rest > of you life. > >> >> As an aside, I've used probably every major Unix mail server over the >> last 15-20 years, and a few of the minor ones. 
(As well as several on >> Windows, a couple of which were quite good. Exchange doesn't count >> among the good ones.) My current choice is Postfix, for a number of >> reasons - none of which make me a weenie. I know sendmail very well, >> although I have to admit to not using it much since I switched to qmail >> in 1997-1998. I no longer use qmail, sendmail, exim or courier for a >> variety of reasons. I don't call people who choose any of those (or >> other) servers names, although I could certainly think of some for >> people who insist on using either sendmail or qmail. (Bendmail >> weenies? Nah, too derivative... :P ) > > You have to remember that Res, being the list's number 1 resident nasty > guy, he does 'fire from the hip' and one should make allowances for this > ;-) > > I feel quite safe saying this publicly as he will be very busy patching > all those 'Bendmail' boxes with Steve's patch to prevent swapping, while > checking his lock type and patching against the next security hole :-) > > (While I, as a Postfix user, will just reply to myself as is our want) > > :-) > > Drew > > -- > In line with our policy, this message has been scanned for viruses and > dangerous content by the Technology Tiger MailScanner. > Further information can be found at www.technologytiger.net/policy > > Technology Tiger Limited is registered in Scotland with registration > number: 310997 > Registered Office 55-57 West High Street Inverurie AB51 3QQ > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From res at ausics.net Fri Mar 9 22:49:31 2007 
From: res at ausics.net (Res) Date: Fri Mar 9 21:56:53 2007 Subject: dealing with dictionary attacks In-Reply-To: <022b01c76264$04b08f40$0705000a@ddf5dw71> References: <45EBE85C.90507@fractalweb.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net><015d01c7625d$7ec5a0b0$0705000a@ddf5dw71><020101c76260$907de260$0705000a@ddf5dw71> <223f97700703090742q2216c143x8722d5dacae2cbf0@mail.gmail.com> <022b01c76264$04b08f40$0705000a@ddf5dw71> Message-ID: On Fri, 9 Mar 2007, Steve Campbell wrote: > Please don't bitch slap (?) me. > > Ok, backing out for the last time. I did :) thats why one should never post at 1am, and the sad thing is I went to bed at 2.30 and I've been up for an hour already, oh is THIS going to be a good day :) -- Cheers Res "If I lay here, If I just lay here, would you lay with with me and just forget the world?" From res at ausics.net Fri Mar 9 22:50:54 2007 
From: res at ausics.net (Res) Date: Fri Mar 9 21:58:18 2007 Subject: dealing with dictionary attacks In-Reply-To: <023501c76265$0c8af240$0705000a@ddf5dw71> References: <45EBE85C.90507@fractalweb.com><4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk><25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com><45EC4863.5070702@netmagicsolutions.com><45EEDA1B.4010200@sbcglobal.net><45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> Message-ID: On Fri, 9 Mar 2007, Steve Campbell wrote: > OH NO, WHAT HAVE I DONE? > > Sorry Ken, there is no patch to fix my non-existant problem. OK since your now in denial and wont patch it, I will write a generic patch that might help ;) > > Steve Campbell > campbell@cnpapers.com > Charleston Newspapers > > ----- Original Message ----- From: "Ken A" > To: "MailScanner discussion" > Sent: Friday, March 09, 2007 11:01 AM > Subject: Re: dealing with dictionary attacks > > >> >> >> Steve Campbell wrote: >>> >>> ----- Original Message ----- 
From: "Res" >>> To: "MailScanner discussion" >>> Sent: Friday, March 09, 2007 6:09 AM >>> Subject: Re: dealing with dictionary attacks >>> >>> >>>> On Fri, 9 Mar 2007, Steve Campbell wrote: >>>> >>>>> So what do I do with this huge patch I have compiled that fixes it all? >>>> >>>> I dunno :) since I nor anyone else that I noticed, could reproduce the >>>> problem on linux or slowaris at least. >>> >>> Well, ever since I applied the patch here on my servers MailScanner >>> doesn't swap. You don't think one of my assistants published my patch >>> without telling me and you all have been using it, do you? >> >> Would you please just post your patch to the wiki already? >> Just be sure to obfuscate the code! I loaded my swap as a tmpfs, so that >> solved my problem. ;-) >> Ken A >> Pacific.Net >> >> > > > -- Cheers Res "If I lay here, If I just lay here, would you lay with with me and just forget the world?" From res at ausics.net Fri Mar 9 23:00:38 2007 From: res at ausics.net (Res) Date: Fri Mar 9 22:08:00 2007 Subject: MailSacanner don't work In-Reply-To: <007201c7627d$867b2580$0705000a@ddf5dw71> References: <015401c7625c$a9c287c0$0705000a@ddf5dw71><343f281d29a3444e81494b209436a0b0@solidstatelogic.com> <7e78dc1f0703091010k3a077adfj55726771ee84f44@mail.gmail.com> <007201c7627d$867b2580$0705000a@ddf5dw71> Message-ID: On Fri, 9 Mar 2007, Steve Campbell wrote: > dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl $SMTPD_LISTEN_REMOTE appears to be his problem, damn these butchering distributors. WTF they can't leave well enough alone I'll never know. It seems Novell might be outed of the linux world anyway, sooner the better I say ;) -- Cheers Res "If I lay here, If I just lay here, would you lay with with me and just forget the world?" From drew at technologytiger.net Fri Mar 9 23:02:59 2007 
From: drew at technologytiger.net (Drew Marshall)
Date: Fri Mar 9 22:09:16 2007
Subject: dealing with dictionary attacks
In-Reply-To: <003801c76294$16e35eb0$0705000a@ddf5dw71>
References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> <003801c76294$16e35eb0$0705000a@ddf5dw71>
Message-ID: <47958F79-F5A3-4DCF-9EB3-6EC679CE2193@technologytiger.net>

On 9 Mar 2007, at 21:44, Steve Campbell wrote:

> How do we deal with dictionary attacks?

With which MTA? Postfix does much of it by default. in_flow_delay is one such feature:

# A Postfix process will pause for $in_flow_delay seconds before
# accepting a new message, when the message arrival rate exceeds the
# message delivery rate. With the default 50 SMTP server process
# limit, this limits the mail inflow to 50 messages a second more
# than the number of messages delivered per second.
#

Then you can also play with the smtpd_error limits, both hard and soft, and tailor those to suit your environment.

Otherwise there's always the firewall or the pub, either of which can provide good short term relief :-)

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner. Further information can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From res at ausics.net Fri Mar 9 23:15:28 2007
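Added example (not part of any list message, and not code from Postfix or MailScanner): the reply above names error limits and the firewall as responses to a dictionary attack, and this Python sketch shows the detection step that decides which clients deserve them. It assumes the usual Postfix smtpd "User unknown" rejection layout in syslog; the thresholds `min_distinct` and `window`, the host name and all addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout of a Postfix smtpd "unknown recipient" rejection in syslog.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: 550 [\d.]+ "
    r"<(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)

# Template used only to build the constructed sample below.
LINE = ("{ts} mx1 postfix/smtpd[4211]: NOQUEUE: reject: RCPT from "
        "unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
        "User unknown in local recipient table; from=<> to=<{rcpt}> "
        "proto=SMTP helo=<pc>")


def build_sample_log():
    """Constructed log: a name-list walker, a retrying relay, a slow typo source."""
    rows = ["Mar  9 21:43:59 mx1 postfix/smtpd[4211]: connect from unknown[192.0.2.45]"]
    # Six different unknown recipients from one client inside half a minute.
    for i, name in enumerate(["adam", "alan", "alice", "andrew", "anna", "barbara"]):
        rows.append(LINE.format(ts="Mar  9 21:44:%02d" % (5 * i),
                                ip="192.0.2.45", rcpt=name + "@example.org"))
    # A relay retrying one stale address: many errors, but a single recipient.
    for i in range(6):
        rows.append(LINE.format(ts="Mar  9 21:%02d:00" % (40 + i),
                                ip="198.51.100.7", rcpt="bob.old@example.org"))
    # Five different bad addresses, but spread over two hours.
    for i, name in enumerate(["carl", "cath", "chris", "cindy", "clive"]):
        rows.append(LINE.format(ts="Mar  9 %02d:%02d:00" % (10 + i // 2, 30 * (i % 2)),
                                ip="203.0.113.9", rcpt=name + "@example.org"))
    return "\n".join(rows)


def parse_rejects(log_text, year=2007):
    """Yield (timestamp, client_ip, recipient) for each unknown-user rejection.

    Syslog timestamps carry no year, so one is assumed."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["rcpt"].lower()


def find_dictionary_attackers(log_text, min_distinct=5,
                              window=timedelta(minutes=10)):
    """Return {ip: sorted unknown recipients} for clients that tried at least
    min_distinct different unknown addresses inside one sliding window."""
    events = defaultdict(list)
    for ts, ip, rcpt in parse_rejects(log_text):
        events[ip].append((ts, rcpt))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {rcpt for _, rcpt in evs[start:end + 1]}
            if len(distinct) >= min_distinct:
                # Report everything this client probed, not just the window.
                flagged[ip] = sorted({rcpt for _, rcpt in evs})
                break
    return flagged


if __name__ == "__main__":
    for ip, rcpts in find_dictionary_attackers(build_sample_log()).items():
        print(f"{ip}: {len(rcpts)} distinct unknown recipients")
```

Counting distinct recipients rather than raw errors keeps a legitimate relay that retries one stale address off the block list, which is the kind of host that otherwise ends up needing a manual exception.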
From: res at ausics.net (Res) Date: Fri Mar 9 22:22:54 2007 Subject: dealing with dictionary attacks In-Reply-To: <45F1CAA4.9050300@yeticomputers.com> References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> Message-ID: On Fri, 9 Mar 2007, Rick Chadderdon wrote: > Res wrote: >> I beg to difer, a recent check of archives shows pf has the most >> problems with MS, and its a well known fact,m even admitted to b ythe >> regular postmix weenies. > Just for reference, my archives - which are complete from Aug 08, 2005 - Those like me who've been on the list for years longer than that and read the posts know. The intergration of sendmail and MS are semless, as it was designed for it originally. > Let's just say that people working with *any* mail > server that they're unfamiliar with are going to have questions and Something we agree on. > it, and being helpful even when a post is ostenibly off-topic can only > help MailScanner's popularity. So by your count, we should now support microsoft windows email client problems, sorry OT is OT, there is a reason there are postmix lists, mailwatch lists, clam lists, and so on, because thats their specialty, not ours. > MailScanner in a message to the Postifix list, sometimes the entire > thread degrades into anti-MailScanner rhetoric. Yes, we know. Venma is worse, way way way way worse then DJB used to be, but at least Dan and his 'in crew' don't attack MS. > As an aside, I've used probably every major Unix mail server over the > last 15-20 years, and a few of the minor ones. (As well as several on > Windows, a couple of which were quite good. Exchange doesn't count likewise, except for winblows, and wont ever run it :) > although I have to admit to not using it much since I switched to qmail > in 1997-1998. 
I no longer use qmail, sendmail, exim or courier for a Each to our own, I've used all you've mentioned, for us sendmail is best except for shared hosting where qmail in a NAS environment is far superier than anything. > variety of reasons. I don't call people who choose any of those (or > other) servers names, although I could certainly think of some for > people who insist on using either sendmail or qmail. (Bendmail > weenies? Nah, too derivative... :P ) You are new around here arnt ya :) its rendmaul, akin to postmix, can't say I've seen another name for qmail tho, its been a long time standing joke between a few of us. Glenn: What should we call qmail ?? we gota have a nick for it ;) -- Cheers Res "If I lay here, If I just lay here, would you lay with with me and just forget the world?" From res at ausics.net Fri Mar 9 23:19:52 2007 
From: res at ausics.net (Res) Date: Fri Mar 9 22:27:13 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> Message-ID: On Fri, 9 Mar 2007, Drew Marshall wrote: > You have to remember that Res, being the list's number 1 resident nasty guy, > he does 'fire from the hip' and one should make allowances for this ;-) They dont call me 'evil bunny' for nothing :) > I feel quite safe saying this publicly as he will be very busy patching all > those 'Bendmail' boxes with Steve's patch to prevent swapping, while checking jez Drewy, get it right its enshrined as rendmaul, if you go changing it now Glenn might sue you for patent violation lol. > his lock type and patching against the next security hole :-) can't remember the last security hole we had :) and postmix users wouldnt know if they had security holes, they are not put in the changelog, they are called " new additions" to disguise it :D -- Cheers Res "If I lay here, If I just lay here, would you lay with with me and just forget the world?" From drew at technologytiger.net Fri Mar 9 23:50:02 2007 
From: drew at technologytiger.net (Drew Marshall) Date: Fri Mar 9 22:56:16 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> Message-ID: <1DD504C9-C777-4068-BC29-F19C4B1D3007@technologytiger.net> On 9 Mar 2007, at 22:19, Res wrote: >> I feel quite safe saying this publicly as he will be very busy >> patching all those 'Bendmail' boxes with Steve's patch to prevent >> swapping, while checking > > jez Drewy, get it right its enshrined as rendmaul, if you go > changing it now Glenn might sue you for patent violation lol. Oops, sorry ;-) rendmaul it is. Dictionary duly updated > > >> his lock type and patching against the next security hole :-) > > can't remember the last security hole we had :) > and postmix users wouldnt know if they had security holes, they are > not put in the changelog, they are called " new additions" to > disguise it :D I think you will find these things are called 'features'. Some features are worth shouting about and others are best removed/ hidden at a later date (and I have heard that some can cause swapping but let's not go back there :-) ) Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner. Further information can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From hvdkooij at vanderkooij.org Fri Mar 9 23:59:46 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Mar 9 23:06:09 2007
Subject: Peace proposal: postfix+sendmail+mailscanner
Message-ID:

Right,

In this holy war of MTA's may I suggest a peace proposal? At least humor me and read it in full before you start firing again.

Just a few assumptions:
- MailScanner is designed to work on mailqueues. (batch wise)
- sendmail's way of working with mailqueues does fit MailScanner.
- postfix prefers SMTP conversations between postfix and 3rd party components.

As some prefer to maintain postfix configurations instead of sendmail configurations there is a gap left between the MailScanner and postfix ideologies.

How about using a stripped down sendmail config to bridge that gap? That config could be generic as far as I can figure it out.

The flow would then be something like:

Outside world ==SMTP==> postfix:25
postfix ==SMTP==> sendmail:10225
sendmail ==QUEUE==> MailScanner
...... MailScanner (doing a lot of tricks)
MailScanner ==QUEUE==> sendmail
sendmail ==SMTP==> postfix:10025
postfix delivery as usual

Basically sendmail would be a stripped down solution to translate from SMTP to inbound queue and outbound queue to SMTP again.

From the postfix perspective sendmail is just another filter pretty much like one would do for amavisd, .....

The trick is to build a sendmail config that would do the trick and does not require changes for multidomain handling. The SmartHost option would be sufficient to handle the hand-off back to postfix. (Even I can write that part. ;-)

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From am.lists at gmail.com Sat Mar 10 00:09:57 2007
From: am.lists at gmail.com (am.lists) Date: Fri Mar 9 23:16:09 2007 Subject: Peace proposal: postfix+sendmail+mailscanner In-Reply-To: References: Message-ID: <25a66d840703091509q2d10a290ob7f54b59a75bd26e@mail.gmail.com> On 3/9/07, Hugo van der Kooij wrote: > Right, > > In this holy war of MTA's may I suggest a peace proposal? At least humor > me and read it in full before you start firing again. > > Just a few assumptions: > - MailScanner is designed to work on mailqueues. (batch wise) > - sendmail's way of working with mailqueues does fit MailScanner. > - postfix prefers SMTP conversations between postfix and 3rd party > components. > > As some prefer to maintain postfix configurations instead of sendmail > configurations there is a gap left between the MailScanner and postfix > ideologies. > > How about using a stripped down sendmail config to bridge that gap? That > config could be generic as far as I can figure it out. > > The flow would then be something like: > > Outside world ==SMTP==> postfix:25 > postfix ==SMTP==> sendmail:10225 > sendmail ==QUEUE==> MailScanner > ...... MailScanner (doing a lot of tricks) > MailScanner ==QUEUE==> sendmail > sendmail ==SMTP==> postfix:10025 > postfix delivery as usual > > Basically sendmail would be a stripped down solution to translate from > SMTP to inbound queue and outbound queue to SMTP again. > > >From the postfix perspective sendmail is just another filter pretty much > like one would do for amavisd, ..... > > The trick is to build a sendmail config that would do the trick and does > not require changes for multidomain handling. The SmartHost option would > be sufficient to handle the hand of back to postfix. (Even I can write > that part. ;-) > > Hugo. > Pardon my ignorance here, but are we attempting to get around Wietse's ALL CAPS statement that MailScanner uses unsupported methods to manipulate Postfix? 
If that's our goal to solve, why don't we simply have Jules and Wietse have a conference together and discuss the access methods. Perhaps Jules is doing this 'unsupported' access in a completely harmless way, such that if Wietse understood it more fully (I'm not suggesting that he doesn't...) then perhaps Wietse would be more forgiving and amend his statement that "as of such and such version, MailScanner uses supported methods..." or something. I think having another layer for transport is not necessarily a good thing. It's one more thing to troubleshoot when things get ... well, you know how they can get. Just my $0.04 worth (that's ~?0.02 for those on the other side of the pond) Angelo From res at ausics.net Sat Mar 10 01:06:26 2007 From: res at ausics.net (Res) Date: Sat Mar 10 00:06:28 2007 Subject: dealing with dictionary attacks In-Reply-To: <1DD504C9-C777-4068-BC29-F19C4B1D3007@technologytiger.net> References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> <1DD504C9-C777-4068-BC29-F19C4B1D3007@technologytiger.net> Message-ID: On Fri, 9 Mar 2007, Drew Marshall wrote: > Oops, sorry ;-) rendmaul it is. Dictionary duly updated Thank you :) > I think you will find these things are called 'features'. Some features are > worth shouting about and others are best removed/ hidden at a later date (and > I have heard that some can cause swapping but let's not go back there :-) ) I am working on a patch to force swapping? is that what everyone wants? trust me it'll be a quick 3 line patch I can upload this afternoon when I get back home ;) -- Cheers Res "If I lay here, If I just lay here, would you lay with with me and just forget the world?" From res at ausics.net Sat Mar 10 01:23:16 2007 
From: res at ausics.net (Res) Date: Sat Mar 10 00:23:18 2007 Subject: Peace proposal: postfix+sendmail+mailscanner In-Reply-To: References: Message-ID: On Fri, 9 Mar 2007, Hugo van der Kooij wrote: > In this holy war of MTA's may I suggest a peace proposal? At least humor me You may propose, but like many others proposes all over the world in all different kinds of forums for so many years, so long as there is more than one MTA there will be many holy wars.. but lets continue :) > Just a few assumptions: > - MailScanner is designed to work on mailqueues. (batch wise) > - sendmail's way of working with mailqueues does fit MailScanner. Fact 1 - MailScanner it was written for sendmail :) > - postfix prefers SMTP conversations between postfix and 3rd party > components. I'll go along with that. > How about using a stripped down sendmail config to bridge that gap? That > config could be generic as far as I can figure it out. Sendmail is only ever as bloated as the features you add in, It disgusts me the traps that hte like sof RedHat/Fedora anmd Debian and Novell put in there packages, it asks for trouble :) And if i'm not mistaken you are suggesting 2 MTA's? or is it just my lack of sleep? >> From the postfix perspective sendmail is just another filter pretty much > like one would do for amavisd, ..... This is weistes way because of his close relationship with that amav... why should we change to suite them? when it works fine of 3 other most commonly used MTA's? > > The trick is to build a sendmail config that would do the trick and does not > require changes for multidomain handling. The SmartHost option would be > sufficient to handle the hand of back to postfix. (Even I can write that > part. 
;-) > LOL thats almost as crazy as those that say, use postmix with vpopmail, but yet you still need qmail installed ;) Having said that, and the crazy bugger that I am, your idea is not totally insane, I have done (because of qmails inability to be secure without spending 3 days patching it) a setup as follows which I think is not that far from what you are saying... sendmail/MS ----[ ] sendmail/MS ----[qmail no bells whistles]---[NFS to netapp filer] sendmail/MS ----[ ] qmail is used as on the mail delivery box to just collect and store into users MailDir leaving sendmail boxes to do the hard yards, it and several pop3/webmail servers all mount /home/vpopmail/domains (all NFS stuff is on separate gbit and uses pvt address space) Sure it's a cheap, and very very very nasty setup, but it worked last time I did it, and worked very very well :) -- Cheers Res "If I lay here, If I just lay here, would you lay with with me and just forget the world?" From glenn.steen at gmail.com Sat Mar 10 01:29:25 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Mar 10 00:35:38 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> Message-ID: <223f97700703091629l25076f4fr4d98d00f1330f342@mail.gmail.com> On 09/03/07, Res wrote: > > On Fri, 9 Mar 2007, Rick Chadderdon wrote: > > > Res wrote: (snip) > > variety of reasons. I don't call people who choose any of those (or > > other) servers names, although I could certainly think of some for > > people who insist on using either sendmail or qmail. (Bendmail > > weenies? Nah, too derivative... :P ) > > You are new around here arnt ya :) its rendmaul, akin to postmix, can't > say I've seen another name for qmail tho, its been a long time standing > joke between a few of us. > > Glenn: What should we call qmail ?? we gota have a nick for it ;) Unlike Rendmaul and Postmix, qmail isn't that readily .... renamed.... Then again, since the Q stand for quirky, perhaps one don't need to:-). I haven't sampled enough amber stuff yet for the really whacky suggestions to start flowing:-):-)... Oh, and Rick... Chill out, take a $TEMPERATURE $BEVERAGE... Res is nice guy under the prickly surface... He just hasn't seen the light (yet) :-D And we know he is the evil bunny of Monty Pythonian fame... Now, where did I put that Holy Handgranede...;-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Mar 10 01:36:25 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Mar 10 00:42:39 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> Message-ID: <223f97700703091636y9f40695m1b50f3f81f902ae6@mail.gmail.com> On 09/03/07, Res wrote: > On Fri, 9 Mar 2007, Drew Marshall wrote: > > > You have to remember that Res, being the list's number 1 resident nasty guy, > > he does 'fire from the hip' and one should make allowances for this ;-) > > They dont call me 'evil bunny' for nothing :) Ah, try insight! At last! :-) > > I feel quite safe saying this publicly as he will be very busy patching all > > those 'Bendmail' boxes with Steve's patch to prevent swapping, while checking > > jez Drewy, get it right its enshrined as rendmaul, if you go changing it > now Glenn might sue you for patent violation lol. I wouldn't do that... Far to nice and wellbehaved:-). And we postmixers stick together ...;-D > > his lock type and patching against the next security hole :-) > > can't remember the last security hole we had :) > and postmix users wouldnt know if they had security holes, they are not > put in the changelog, they are called " new additions" to disguise it :D Ah, so *that* was what all that "p record" thingies were all about!:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Sat Mar 10 01:45:39 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Sat Mar 10 00:50:01 2007 Subject: Clamav In-Reply-To: <59E4A3A1069C2640959AD0F7518C48122F08CA@FLN1.fln.local> References: <0e5c1b86ea5f784cbbe5cc5739a4766d@solidstatelogic.com><4106.209.104.55.7.1172525095.squirrel@mail.ziff.net><1172648388.21763.0.camel@miyagip.ziff.net.><26942.209.104.55.7.1172685554.squirrel@mail.ziff.net><223f97700702281106m3e6fdf70sef8c2701a725bc18@mail.gmail.com><22107.209.104.55.7.1172690830.squirrel@mail.ziff.net> <018a01c7623e$dd463a10$0600a8c0@roger> <59E4A3A1069C2640959AD0F7518C48122F08CA@FLN1.fln.local> Message-ID: James Fagan spake the following on 3/9/2007 10:46 AM: >> Did someone updated Install-Clam-SA package with clamav 0.91? >> >> Regards >> >> Roger Jochem > > Yes there is a package avalable here > > http://tinyurl.com/2wox4q > > Also I mirrored this just in case here > > http://jfworks.net/files/install-Clam-0.90.1-SA-3.1.8.tar.gz > > Who put this together? Im sure its in the archives, but thanks! > Works well, installed it on a few systems. > > James I did it last week. Just trying to take some load off of Julian while he recovers. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Sat Mar 10 01:52:22 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Sat Mar 10 00:56:48 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> <1DD504C9-C777-4068-BC29-F19C4B1D3007@technologytiger.net> Message-ID: Res spake the following on 8/7/1998 5:37 AM: > On Fri, 9 Mar 2007, Drew Marshall wrote: > >> Oops, sorry ;-) rendmaul it is. Dictionary duly updated > > Thank you :) > >> I think you will find these things are called 'features'. Some >> features are worth shouting about and others are best removed/ hidden >> at a later date (and > >> I have heard that some can cause swapping but let's not go back there >> :-) ) > > I am working on a patch to force swapping? is that what everyone wants? > trust me it'll be a quick 3 line patch I can upload this afternoon when > I get back home ;) > > I tried to apply that patch to my wife, but it tainted her kernel! ;-P -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Sat Mar 10 02:02:17 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Sat Mar 10 01:06:57 2007 Subject: Message from Jules In-Reply-To: <0C941442AC84A8449448BA2207DD4F4D216133@core01.workgroupsolutions.com> References: <13C0059880FDD3118DC600508B6D4A6D01C29237@aiainsurance.com> <0C941442AC84A8449448BA2207DD4F4D216133@core01.workgroupsolutions.com> Message-ID: Damian Mendoza spake the following on 3/8/2007 4:55 PM: > Jules, > > Charge a nominal fee for MailScanner usage in a commercial environment, > increase the price of the book and dump the day job. That should remove > some stress from your life. > But how will he achieve world domination if he doesn't at least stay in touch? ;-P -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Sat Mar 10 02:09:05 2007 
From: ssilva at sgvwater.com (Scott Silva)
Date: Sat Mar 10 01:14:11 2007
Subject: MailSacanner don't work
In-Reply-To: <7e78dc1f0703090202x2c0208d5k8263ae966c127209@mail.gmail.com>
References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com> <798176981de13f4fa9405a1247c7bd61@solidstatelogic.com> <7e78dc1f0703090202x2c0208d5k8263ae966c127209@mail.gmail.com>
Message-ID:

Claudio Mundin spake the following on 3/9/2007 2:02 AM:
> After /etc/init.d/MailScanner start
>
> I have the next process:
>

Did you have sendmail working before you installed mailscanner?
You need to do some things with sendmail so it accepts mail from other
addresses.

First you need to edit /etc/mail/sendmail.mc, find the following section:

dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')

Change the line to

DAEMON_OPTIONS(`Port=smtp, Name=MTA')

You will then need to rebuild the file:

m4 /etc/mail/sendmail.mc > /etc/sendmail.cf

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From drew at technologytiger.net Sat Mar 10 02:08:13 2007
From: drew at technologytiger.net (Drew Marshall) Date: Sat Mar 10 01:14:27 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> <1DD504C9-C777-4068-BC29-F19C4B1D3007@technologytiger.net> Message-ID: On 10 Mar 2007, at 00:52, Scott Silva wrote: > Res spake the following on 8/7/1998 5:37 AM: >> On Fri, 9 Mar 2007, Drew Marshall wrote: >> >>> Oops, sorry ;-) rendmaul it is. Dictionary duly updated >> >> Thank you :) >> >>> I think you will find these things are called 'features'. Some >>> features are worth shouting about and others are best removed/ >>> hidden >>> at a later date (and >> >>> I have heard that some can cause swapping but let's not go back >>> there >>> :-) ) >> >> I am working on a patch to force swapping? is that what everyone >> wants? >> trust me it'll be a quick 3 line patch I can upload this >> afternoon when >> I get back home ;) >> >> > I tried to apply that patch to my wife, but it tainted her kernel! ;-P That's always the problem if you upgrade from Girlfriend >v3.x to wife v1.0. I did the same and I too can't get her to swap properly either. Every time it's even suggested there is a warning message about this process needing me to pay a huge fee both to consultants and in some form of licence fee. I have to admit to not liking the sound of this and always selecting cancel and going back to searching Google for a work round :-) I hasten to add, I have not found one ;-) Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner. 
Further information can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From glenn.steen at gmail.com Sat Mar 10 02:31:54 2007 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Mar 10 01:38:07 2007
Subject: Peace proposal: postfix+sendmail+mailscanner
In-Reply-To: <25a66d840703091509q2d10a290ob7f54b59a75bd26e@mail.gmail.com>
References: <25a66d840703091509q2d10a290ob7f54b59a75bd26e@mail.gmail.com>
Message-ID: <223f97700703091731j23434da3g7d63e20d7538b800@mail.gmail.com>

On 10/03/07, am.lists wrote:
> On 3/9/07, Hugo van der Kooij wrote:
> > Right,
> >
> > In this holy war of MTA's may I suggest a peace proposal? At least humor
> > me and read it in full before you start firing again.
> >
> > Just a few assumptions:
> > - MailScanner is designed to work on mailqueues. (batch wise)
> > - sendmail's way of working with mailqueues does fit MailScanner.
> > - postfix prefers SMTP conversations between postfix and 3rd party
> > components.
> >
> > As some prefer to maintain postfix configurations instead of sendmail
> > configurations there is a gap left between the MailScanner and postfix
> > ideologies.
> >
> > How about using a stripped down sendmail config to bridge that gap? That
> > config could be generic as far as I can figure it out.
> >
> > The flow would then be something like:
> >
> > Outside world ==SMTP==> postfix:25
> > postfix ==SMTP==> sendmail:10225
> > sendmail ==QUEUE==> MailScanner
> > ...... MailScanner (doing a lot of tricks)
> > MailScanner ==QUEUE==> sendmail
> > sendmail ==SMTP==> postfix:10025
> > postfix delivery as usual
> >
> > Basically sendmail would be a stripped down solution to translate from
> > SMTP to inbound queue and outbound queue to SMTP again.
> >
> > From the postfix perspective sendmail is just another filter pretty much
> > like one would do for amavisd, .....
> >
> > The trick is to build a sendmail config that would do the trick and does
> > not require changes for multidomain handling. The SmartHost option would
> > be sufficient to handle the hand off back to postfix. (Even I can write
> > that part. ;-)
> >
> > Hugo.
> >
> >
>
> Pardon my ignorance here, but are we attempting to get around Wietse's
> ALL CAPS statement that MailScanner uses unsupported methods to
> manipulate Postfix?

Hi Hugo & Angelo,

You just had to spoil the Friday night fun we were having by turning
this serious, now didn't you:-).
Read on, I'll be very serious indeed...

> If that's our goal to solve, why don't we simply have Jules and Wietse
> have a conference together and discuss the access methods. Perhaps
> Jules is doing this 'unsupported' access in a completely harmless way,
> such that if Wietse understood it more fully (I'm not suggesting that
> he doesn't...) then perhaps Wietse would be more forgiving and amend
> his statement that "as of such and such version, MailScanner uses
> supported methods..." or something.

This has been proposed a few times, but neither Jules nor Mr Venema
has shown any inclination to take up any form of negotiations.
If you search the archives very thoroughly you'll find a few threads
where we've discussed this in the past (Dahwal Doshy has been a brave
soul and tried to get something out of Viktor and Wietse a while
back)... In one you'll see that Wietse at one time let slip a "list of
demands" that MailScanner would have to fulfill to be termed
"marginally supported"(:-) ... As it turned out, Jules had implemented
his Postfix support exactly like Wietse stipulated it had to be (HOLD
feature style, mind you). Central in these "demands" were that one
couldn't copy the postfix queue file around, but rather had to
deconstruct the old one and reconstruct a completely new queue file...
Which is exactly what we do.
Now, last I looked the code for postfix is free to look at, so ... the
moaning about SW engineering practices and safe uses of published APIs
becomes less relevant or believable.
But, as it stands, Wietse will never endorse MailScanner in any way
shape or form, and this might not have that much to do with anything
other than him not liking things NIH, for all I know.

> I think having another layer for transport is not necessarily a good
> thing. It's one more thing to troubleshoot when things get ... well,
> you know how they can get.

Indeed.
When one looks at list archives, particularly the postfix users one,
one can stumble on some very old suggestions on how to overcome this
"unsupported usages" viewpoint... Like using a script (some FILTER
thing, don't remember all the details) to capture the messages to
another type of queue file (non-postfix, with envelope data preserved)
for MS to process. This approach never got much support from any camp.

Anyway, the "politics" page in the wiki
(http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:politics)
has become a bit old, but it still contains some of the historical
debate/viewpoints. It accurately pinpoints one central thing: This
indeed is politics, not technology.

> Just my $0.04 worth (that's ~£0.02 for those on the other side of the pond)
>
> Angelo

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From campbell at cnpapers.com Sat Mar 10 02:41:48 2007
From: campbell at cnpapers.com (Steve Campbell)
Date: Sat Mar 10 01:48:21 2007
Subject: dealing with dictionary attacks
In-Reply-To:
References: <45EBE85C.90507@fractalweb.com><4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk><25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com><45EC4863.5070702@netmagicsolutions.com><45EEDA1B.4010200@sbcglobal.net><45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71>
Message-ID: <1173490907.45f20cdc0072c@perdition.cnpapers.net>

Quoting Res :

> On Fri, 9 Mar 2007, Steve Campbell wrote:
>
> > OH NO, WHAT HAVE I DONE?
> >
> > Sorry Ken, there is no patch to fix my nonexistent problem.
>
> OK since you're now in denial and won't patch it, I will write a generic
> patch that might help ;)
>

Well, I had one, but I was afraid people might really use it;-). It basically
renames the init.d MS script, symlinks MS to the original sendmail init script,
and voila, no more MS swapping, and mail still gets delivered.

If it fails, remove the MS symlink, and rename the original MS init script back.

Now, since people say I have a very dry sense of humor, never smile when I say
these strange things (or put smiley faces anywhere), that they never can tell
when I'm joking. So I'm really serious here when I say:

DON'T DO THIS UNLESS YOU REALLY UNDERSTAND THAT I AM NOT SINCERE ABOUT DOING
THIS.

OK, I'm backing out of this now for the last time.

Steve

>
> >
> > Steve Campbell
> > campbell@cnpapers.com
> > Charleston Newspapers
> >
> > ----- Original Message ----- From: "Ken A"
> > To: "MailScanner discussion"
> > Sent: Friday, March 09, 2007 11:01 AM
> > Subject: Re: dealing with dictionary attacks
> >
> >
> >>
> >>
> >> Steve Campbell wrote:
> >>>
> >>> ----- Original Message ----- From: "Res"
> >>> To: "MailScanner discussion"
> >>> Sent: Friday, March 09, 2007 6:09 AM
> >>> Subject: Re: dealing with dictionary attacks
> >>>
> >>>
> >>>> On Fri, 9 Mar 2007, Steve Campbell wrote:
> >>>>
> >>>>> So what do I do with this huge patch I have compiled that fixes it all?
> >>>>
> >>>> I dunno :) since I nor anyone else that I noticed, could reproduce the
> >>>> problem on linux or slowaris at least.
> >>>
> >>> Well, ever since I applied the patch here on my servers MailScanner
> >>> doesn't swap. You don't think one of my assistants published my patch
> >>> without telling me and you all have been using it, do you?
> >>
> >> Would you please just post your patch to the wiki already?
> >> Just be sure to obfuscate the code! I loaded my swap as a tmpfs, so that
> >> solved my problem. ;-)
> >> Ken A
> >> Pacific.Net
> >>
> >>
> >
> >
> >
>
> --
> Cheers
> Res
>
> "If I lay here, If I just lay here, would you lay with me and just
> forget the world?"
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

From campbell at cnpapers.com Sat Mar 10 02:43:49 2007
From: campbell at cnpapers.com (Steve Campbell)
Date: Sat Mar 10 01:50:13 2007
Subject: dealing with dictionary attacks
In-Reply-To: <47958F79-F5A3-4DCF-9EB3-6EC679CE2193@technologytiger.net>
References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> <003801c76294$16e35eb0$0705000a@ddf5dw71> <47958F79-F5A3-4DCF-9EB3-6EC679CE2193@technologytiger.net>
Message-ID: <1173491029.45f20d55955f8@perdition.cnpapers.net>

Quoting Drew Marshall :

> On 9 Mar 2007, at 21:44, Steve Campbell wrote:
>
> > How do we deal with dictionary attacks?

Damn, I forgot that smiley face again!!

Thanks, though Drew.

Steve.

>
> With which MTA? Postfix does much of it by default. in_flow_delay is
> one such feature:
>
> # A Postfix process will pause for $in_flow_delay seconds before
> # accepting a new message, when the message arrival rate exceeds the
> # message delivery rate. With the default 50 SMTP server process
> # limit, this limits the mail inflow to 50 messages a second more
> # than the number of messages delivered per second.
> #
>
> then you can also play with the smtpd_error limits, both hard and
> soft and tailor those to suit your environment.
>
> Otherwise there's always the firewall or the pub either of which can
> provide good short term relief :-)
>
> Drew
>
> --
> In line with our policy, this message has been scanned
> for viruses and dangerous content by the Technology Tiger MailScanner.
> Further information can be found at www.technologytiger.net/policy
>
> Technology Tiger Limited is registered in Scotland with registration number:
> 310997
> Registered Office 55-57 West High Street Inverurie AB51 3QQ
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

From glenn.steen at gmail.com Sat Mar 10 02:46:46 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Mar 10 01:52:59 2007
Subject: dealing with dictionary attacks
In-Reply-To:
References: <45EBE85C.90507@fractalweb.com> <45F1CAA4.9050300@yeticomputers.com> <1DD504C9-C777-4068-BC29-F19C4B1D3007@technologytiger.net>
Message-ID: <223f97700703091746h2943b968s70715d4c1197cbbd@mail.gmail.com>

On 10/03/07, Drew Marshall wrote:
> On 10 Mar 2007, at 00:52, Scott Silva wrote:
>
> > Res spake the following on 8/7/1998 5:37 AM:
> >> On Fri, 9 Mar 2007, Drew Marshall wrote:
> >>
> >>> Oops, sorry ;-) rendmaul it is. Dictionary duly updated
> >>
> >> Thank you :)
> >>
> >>> I think you will find these things are called 'features'. Some
> >>> features are worth shouting about and others are best removed/
> >>> hidden
> >>> at a later date (and
> >>
> >>> I have heard that some can cause swapping but let's not go back
> >>> there
> >>> :-) )
> >>
> >> I am working on a patch to force swapping? is that what everyone
> >> wants?
> >> trust me it'll be a quick 3 line patch I can upload this
> >> afternoon when
> >> I get back home ;)
> >>
> >>
> > I tried to apply that patch to my wife, but it tainted her kernel! ;-P
>
> That's always the problem if you upgrade from Girlfriend >v3.x to
> wife v1.0.

IIRC Scott is already at version 2.0 of wife. Whether this is due to
the whole MRS swapping problem or not, I'll defer to comment on.

> I did the same and I too can't get her to swap properly either. Every
> time it's even suggested there is a warning message about this
> process needing me to pay a huge fee both to consultants and in some
> form of licence fee. I have to admit to not liking the sound of this
> and always selecting cancel and going back to searching Google for a
> work round :-)
>
> I hasten to add, I have not found one ;-)

Well ... the only viable option AFAICS is the single thread
semi-swapping variation... Some might call that "cheating" though, so
be careful... Might otherwise lead to a forced upgrade from wife v1.0,
and the license fees/consultants kicking in ... in an inopportune
manner;-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From res at ausics.net Sat Mar 10 02:59:15 2007
From: res at ausics.net (Res)
Date: Sat Mar 10 02:05:34 2007
Subject: dealing with dictionary attacks
In-Reply-To: <223f97700703091629l25076f4fr4d98d00f1330f342@mail.gmail.com>
References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> <223f97700703091629l25076f4fr4d98d00f1330f342@mail.gmail.com>
Message-ID:

On Sat, 10 Mar 2007, Glenn Steen wrote:

>> Glenn: What should we call qmail ?? we gotta have a nick for it ;)

> Unlike Rendmaul and Postmix, qmail isn't that readily .... renamed....
> Then again, since the Q stands for quirky, perhaps one doesn't need
> to:-). I haven't sampled enough amber stuff yet for the really whacky
> suggestions to start flowing:-):-)...
>
> Oh, and Rick... Chill out, take a $TEMPERATURE $BEVERAGE... Res is
> a nice guy under the prickly surface... He just hasn't seen the light

SHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
you will ruin my reputation if u say things like that, and i'll deny
it of course !!@! :)

> (yet) :-D

never!!@!#!! already tried it, was more comfy with rendmaul and quirky :)

> And we know he is the evil bunny of Monty Pythonian fame... Now, where
> did I put that Holy Handgrenade...;-)

I pinched it, I just lobbed it at time.nist.gov 3 times today it's set
some of our servers to 1998 and some to 2032!
So if anyone uses them, just be careful, I've since changed to denmark,
and it's so far been fine.

First I knew was when i got an alert for pop3 daemon down, i thought that
couldn't be right, logs said killing itself for some silly time, and yes
date confirmed it, the news server also hissy fitted wouldn't let anyone
connect saying invalid key year, sendmail and mailscanner ( to stay on
topic :P ) were happily accepting and processing mail, every server was
slackware, thought it was a bug, but then checked date on my RH desktop
and yes, I was magically teleported into 2032, i can tell you in the
year 2032, 9th of November, in Brisbane Australia, it will be 32 Celsius,
overcast and 88% humidity :)

--
Cheers
Res

"If I lay here, If I just lay here, would you lay with me and just
forget the world?"

From res at ausics.net Sat Mar 10 03:01:05 2007
From: res at ausics.net (Res)
Date: Sat Mar 10 02:07:22 2007
Subject: dealing with dictionary attacks
In-Reply-To: <223f97700703091636y9f40695m1b50f3f81f902ae6@mail.gmail.com>
References: <45EBE85C.90507@fractalweb.com> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> <223f97700703091636y9f40695m1b50f3f81f902ae6@mail.gmail.com>
Message-ID:

On Sat, 10 Mar 2007, Glenn Steen wrote:

>> now Glenn might sue you for patent violation lol.

> I wouldn't do that... Far too nice and well-behaved:-). And we
> postmixers stick together ...;-D

Ohhhhh, I gathered that a long time ago :)

> Ah, so *that* was what all that "p record" thingies were all about!:-)

Yes, it's actually his version of ' how to screwup mail processing even
more' ... he's hardly going to put that in a changelog is he ;)

--
Cheers
Res

"If I lay here, If I just lay here, would you lay with me and just
forget the world?"

From pete at enitech.com.au Sat Mar 10 10:00:13 2007
From: pete at enitech.com.au (Pete Russell)
Date: Sat Mar 10 09:06:47 2007
Subject: dealing with dictionary attacks
In-Reply-To: <1173490907.45f20cdc0072c@perdition.cnpapers.net>
References: <45EBE85C.90507@fractalweb.com><4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk><25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com><45EC4863.5070702@netmagicsolutions.com><45EEDA1B.4010200@sbcglobal.net><45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net>
Message-ID: <45F2739D.1010609@enitech.com.au>

With the combined 29317 years of Sys Admin experience boasted about in
this thread, i would have thought 1 of you would have come across IRC by
now? :-)

From res at ausics.net Sat Mar 10 10:58:00 2007
From: res at ausics.net (Res)
Date: Sat Mar 10 10:04:42 2007
Subject: dealing with dictionary attacks
In-Reply-To: <45F2739D.1010609@enitech.com.au>
References: <45EBE85C.90507@fractalweb.com><4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk><25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com><45EC4863.5070702@netmagicsolutions.com><45EEDA1B.4010200@sbcglobal.net><45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <45F2739D.1010609@enitech.com.au>
Message-ID:

On Sat, 10 Mar 2007, Pete Russell wrote:

> With the combined 29317 years of Sys Admin experience boasted about in this
> thread, i would have thought 1 of you would have come across IRC by now?

not been there for a couple years, I have threatened to return one day tho :)

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From res at ausics.net Sat Mar 10 11:02:03 2007
From: res at ausics.net (Res)
Date: Sat Mar 10 10:08:24 2007
Subject: dealing with dictionary attacks
In-Reply-To: <1173490907.45f20cdc0072c@perdition.cnpapers.net>
References: <45EBE85C.90507@fractalweb.com><4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk><25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com><45EC4863.5070702@netmagicsolutions.com><45EEDA1B.4010200@sbcglobal.net><45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net>
Message-ID:

On Fri, 9 Mar 2007, Steve Campbell wrote:

>> OK since you're now in denial and won't patch it, I will write a generic
>> patch that might help ;)

> Well, I had one, but I was afraid people might really use it;-). It basically

LOL, I'd like to think that those of us on this list would know better :)
unless it comes from Jules hehe.

> renames the init.d MS script, symlinks MS to the original sendmail init script,
> and voila, no more MS swapping, and mail still gets delivered.
>

Mine seeks out and destroys postmix machines ;)
then installs a good secure version of rendmaul, it also checks to see if you
have a mailscanner supplied install or a butchered distro one, if latter,
removes it, and installs a real version, finally, it will send copious
amounts of coffee bean pics out your printer.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From hvdkooij at vanderkooij.org Sat Mar 10 13:46:30 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Mar 10 12:52:49 2007
Subject: dealing with dictionary attacks
In-Reply-To: <45F2739D.1010609@enitech.com.au>
References: <45EBE85C.90507@fractalweb.com><4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk><25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com><45EC4863.5070702@netmagicsolutions.com><45EEDA1B.4010200@sbcglobal.net><45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <45F2739D.1010609@enitech.com.au>
Message-ID:

On Sat, 10 Mar 2007, Pete Russell wrote:

> With the combined 29317 years of Sys Admin experience boasted about in this
> thread, i would have thought 1 of you would have come across IRC by now?

You think sysadmins have time for that? They love to smack around with a
good lart instead.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From hvdkooij at vanderkooij.org Sat Mar 10 13:53:17 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Mar 10 12:59:35 2007
Subject: dealing with dictionary attacks
In-Reply-To:
References: <45EBE85C.90507@fractalweb.com><4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk><25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com><45EC4863.5070702@netmagicsolutions.com><45EEDA1B.4010200@sbcglobal.net><45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net>
Message-ID:

On Sat, 10 Mar 2007, Res wrote:

> Mine seeks out and destroys postmix machines ;)
> then installs a good secure version of rendmaul, it also checks to see if you
> have a mailscanner supplied install or a butchered distro one, if latter,
> removes it, and installs a real version, finally, it will send copious
> amounts of coffee bean pics out your printer.

My postfix has the right to defend itself with legal force against
RESource killers. And the ROE allow preemptive strikes. I just got a great
deal on some never used second-hand SS-N-20 units. Anyone got a matching
working sub?

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From glenn.steen at gmail.com Sat Mar 10 14:15:16 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Mar 10 13:21:32 2007
Subject: dealing with dictionary attacks
In-Reply-To:
References: <45EBE85C.90507@fractalweb.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> <223f97700703091629l25076f4fr4d98d00f1330f342@mail.gmail.com>
Message-ID: <223f97700703100515l65c6c10ma2dba1757c997b05@mail.gmail.com>

On 10/03/07, Res wrote:
> On Sat, 10 Mar 2007, Glenn Steen wrote:
>
> >> Glenn: What should we call qmail ?? we gotta have a nick for it ;)
>
> > Unlike Rendmaul and Postmix, qmail isn't that readily .... renamed....
> > Then again, since the Q stands for quirky, perhaps one doesn't need
> > to:-). I haven't sampled enough amber stuff yet for the really whacky
> > suggestions to start flowing:-):-)...
> >
>
> > Oh, and Rick... Chill out, take a $TEMPERATURE $BEVERAGE... Res is
> > a nice guy under the prickly surface... He just hasn't seen the light
> SHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
> you will ruin my reputation if u say things like that, and i'll deny
> it of course !!@! :)

Res, something seems to be up with your keyboard... Consider swapping
it for a new one:-)

> > (yet) :-D
> never!!@!#!! already tried it, was more comfy with rendmaul and quirky :)

Still something wrong with the keyboard... (That's right... Always
start out by blaming it on the HW... Makes it easier to buy new
hardware while solving the problem;).

> > And we know he is the evil bunny of Monty Pythonian fame... Now, where
> > did I put that Holy Handgrenade...;-)
>
> I pinched it, I just lobbed it at time.nist.gov 3 times today it's set
> some of our servers to 1998 and some to 2032!
> So if anyone uses them, just be careful, I've since changed to denmark,
> and it's so far been fine.

Res, set up more time servers. Never ever rely on one NTP source. IIRC
the recommendation is to use three disjunct sets at least (look at
http://ntp.isc.org/bin/view/Servers/NTPPoolServers ... Yeah yeah, you
knew that already:-). Otherwise you kind of kick the feet out from
under NTP's logic for deeming a timesource reliable. Then again, using
something rock solid is an alternative (time1.stupi.se is _really_
good).

> First I knew was when i got an alert for pop3 daemon down, i thought that
> couldn't be right, logs said killing itself for some silly time, and yes
> date confirmed it, the news server also hissy fitted wouldn't let anyone
> connect saying invalid key year, sendmail and mailscanner ( to stay on
> topic :P ) were happily accepting and processing mail, every server was
> slackware, thought it was a bug, but then checked date on my RH desktop
> and yes, I was magically teleported into 2032, i can tell you in the
> year 2032, 9th of November, in Brisbane Australia, it will be 32 Celsius,
> overcast and 88% humidity :)

While you're looking into the future weather... Could you tell me how
it'll be in Singapore and on Tioman island (Malaysia) the first two
weeks in April? :-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sat Mar 10 14:26:47 2007
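Added example, not part of Glenn's message and not ntpd's own code: a simplified Marzullo-style interval intersection showing why a single NTP source cannot be cross-checked, while three or more let a source that is decades off be outvoted. Source labels, offsets and error bounds are constructed sample values.

```python
"""Simplified model of NTP source selection (Marzullo-style intersection).

Not ntpd's implementation: real ntpd adds clustering, jitter and reachability
filters on top of this. All sample values below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    source: str    # constructed label, not a real hostname
    offset: float  # seconds the source is ahead of the local clock
    error: float   # maximum error bound for that offset, in seconds

    @property
    def lo(self) -> float:
        return self.offset - self.error

    @property
    def hi(self) -> float:
        return self.offset + self.error


@dataclass
class Verdict:
    trusted: bool             # True when a majority of sources agree
    offset: Optional[float]   # midpoint of the agreed interval, if trusted
    agreeing: int             # number of sources whose intervals overlap
    falsetickers: List[str] = field(default_factory=list)


def intersect(samples: List[Sample]) -> Tuple[float, float, int]:
    """Return (lo, hi, n): the interval lying inside the most source intervals."""
    edges = []
    for s in samples:
        edges.append((s.lo, -1))  # -1 marks the start of an interval
        edges.append((s.hi, +1))  # +1 marks the end of an interval
    edges.sort()  # at equal values starts sort first, so touching intervals overlap
    best = count = 0
    lo = hi = 0.0
    for i, (value, kind) in enumerate(edges):
        count -= kind
        if count > best:
            best, lo, hi = count, value, edges[i + 1][0]
    return lo, hi, best


def select(samples: List[Sample]) -> Verdict:
    """Accept an offset only if more than half of the sources agree on it."""
    if not samples:
        raise ValueError("no time sources configured")
    lo, hi, agreeing = intersect(samples)
    if agreeing * 2 <= len(samples):
        # No majority: there is no way to tell which source is wrong.
        return Verdict(False, None, agreeing)
    liars = [s.source for s in samples if not (s.lo <= lo and s.hi >= hi)]
    return Verdict(True, (lo + hi) / 2, agreeing, liars)


# Constructed samples: three sane sources and one roughly 25 years ahead.
GOOD_A = Sample("source-a", 0.012, 0.050)
GOOD_B = Sample("source-b", -0.008, 0.050)
GOOD_C = Sample("source-c", 0.020, 0.050)
BAD = Sample("source-bad", 810_000_000.0, 0.050)

if __name__ == "__main__":
    for label, pool in [("one source", [BAD]),
                        ("two sources", [GOOD_A, BAD]),
                        ("four sources", [GOOD_A, GOOD_B, GOOD_C, BAD])]:
        print(label, select(pool))
```

With one source the bad offset is accepted because nothing contradicts it; with two the disagreement is visible but cannot be resolved; only from three sources up is the outlier identified and excluded.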
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Mar 10 13:33:02 2007
Subject: dealing with dictionary attacks
In-Reply-To:
References: <45EBE85C.90507@fractalweb.com> <1173438172.45f13edccf188@perdition.cnpapers.net> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <45F2739D.1010609@enitech.com.au>
Message-ID: <223f97700703100526x2c7990eeo761df9f48eb6ae7c@mail.gmail.com>

On 10/03/07, Hugo van der Kooij wrote:
> On Sat, 10 Mar 2007, Pete Russell wrote:
>
> > With the combined 29317 years of Sys Admin experience boasted about in this
> > thread, i would have thought 1 of you would have come across IRC by now?
>
> You think sysadmins have time for that? They love to smack around with a
> good lart instead.
>
> Hugo.

Amen. Besides, why would we want to have anything to do with
IRresponsible Chipmunks? No reason at all...:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sat Mar 10 14:31:16 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Mar 10 13:37:31 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <1173438172.45f13edccf188@perdition.cnpapers.net> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> Message-ID: <223f97700703100531q6c8afb4ag7db5a33ab732480b@mail.gmail.com> On 10/03/07, Hugo van der Kooij wrote: > On Sat, 10 Mar 2007, Res wrote: > > > Mine seeks out and destroys postmix machines ;) > > then installs a good secure version of rendmaul, it also checks to see if you > > have a mailscanner supplied install or a butchered distro one, if later, > > removes it, and installs a real version, finally, it will send copious > > amounts of coffee bean pics out your printer. > > My postfix has the right to defend itself with legal force against > RESource killers. And the ROE allow preemtive strickes. I just got a great We wouldn't want to defend against the RESource _killers_ ... That'd be our henchmen, wouldn't it?! On a mission to Aussie-land...:) > deal on some never user second-hand SS-N-20 units. Anyone got a matching > working sub? Dunno, talk to the .ru-participants on the list...IIUC the Russians will sell anything... A bit blunt as LARTs go, though:-) ... It's official then... Hugo has a sense of humour too...:) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From shuttlebox at gmail.com Sat Mar 10 14:55:30 2007 
From: shuttlebox at gmail.com (shuttlebox) Date: Sat Mar 10 14:01:46 2007 Subject: dealing with dictionary attacks In-Reply-To: <223f97700703100531q6c8afb4ag7db5a33ab732480b@mail.gmail.com> References: <45EBE85C.90507@fractalweb.com> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <223f97700703100531q6c8afb4ag7db5a33ab732480b@mail.gmail.com> Message-ID: <625385e30703100555v616d7bg5d7a5341750dc945@mail.gmail.com> On 3/10/07, Glenn Steen wrote: Can't you all just stop this thread now? It's a list about antispam and you (as in not just you Glenn) are spamming right now. Please. -- /peter From glenn.steen at gmail.com Sat Mar 10 15:08:08 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Mar 10 14:14:22 2007 Subject: dealing with dictionary attacks In-Reply-To: <625385e30703100555v616d7bg5d7a5341750dc945@mail.gmail.com> References: <45EBE85C.90507@fractalweb.com> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <223f97700703100531q6c8afb4ag7db5a33ab732480b@mail.gmail.com> <625385e30703100555v616d7bg5d7a5341750dc945@mail.gmail.com> Message-ID: <223f97700703100608x5b2f8b50jb62bb53d745881a8@mail.gmail.com> On 10/03/07, shuttlebox wrote: > On 3/10/07, Glenn Steen wrote: > > Can't you all just stop this thread now? It's a list about antispam > and you (as in not just you Glenn) are spamming right now. > > Please. Quite true. Will do. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From dave.list at pixelhammer.com Sat Mar 10 18:38:39 2007 
From: dave.list at pixelhammer.com (DAve) Date: Sat Mar 10 17:45:41 2007 Subject: dealing with dictionary attacks In-Reply-To: <223f97700703091629l25076f4fr4d98d00f1330f342@mail.gmail.com> References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> <223f97700703091629l25076f4fr4d98d00f1330f342@mail.gmail.com> Message-ID: <45F2ED1F.4000005@pixelhammer.com> Glenn Steen wrote: > On 09/03/07, Res wrote: >> >> On Fri, 9 Mar 2007, Rick Chadderdon wrote: >> >> > Res wrote: > (snip) >> > variety of reasons. I don't call people who choose any of those (or >> > other) servers names, although I could certainly think of some for >> > people who insist on using either sendmail or qmail. (Bendmail >> > weenies? Nah, too derivative... :P ) >> >> You are new around here arnt ya :) its rendmaul, akin to postmix, can't >> say I've seen another name for qmail tho, its been a long time standing >> joke between a few of us. >> >> Glenn: What should we call qmail ?? we gota have a nick for it ;) > Unlike Rendmaul and Postmix, qmail isn't that readily .... renamed.... > Then again, since the Q stand for quirky, perhaps one don't need > to:-). I haven't sampled enough amber stuff yet for the really whacky > suggestions to start flowing:-):-)... I love qmail, I can do things with qmail I can't do with any other MTA, it makes a wunnerful toaster. But, and I gotta say it even though I don't think the rumours are true, it should be nick'd "patchmail", just because everyone thinks it takes 200k of source and 6gb of diffs to install it ;^) DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. 
From technician at cenpac.net.nr Sat Mar 10 21:32:35 2007 From: technician at cenpac.net.nr (Jon Leeman) Date: Sat Mar 10 20:38:59 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> <1DD504C9-C777-4068-BC29-F19C4B1D3007@technologytiger.net> Message-ID: <45F315E3.9030207@cenpac.net.nr> > I hasten to add, I have not found one ;-) Drew, When you do..........and pass on the info............not only is financial security guarenteed for you but my, (and a LOT of people here), eternal gratitude will yours. Jon (Nauru 0829 28 Deg. C. clear skies {with apologies to Mr Steen}) From res at ausics.net Sat Mar 10 22:49:26 2007 
From: res at ausics.net (Res) Date: Sat Mar 10 21:55:50 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com><4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk><25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com><45EC4863.5070702@netmagicsolutions.com><45EEDA1B.4010200@sbcglobal.net><45F02ED0.30906@nkpanama.com><74ACEB3E6A055643A89B8CEC74C7BF2488DF5F@WISENT.dcyb.net><45F035A4.5080100@nkpanama.com><006a01c761a1$731e4120$0705000a@ddf5dw71><1173438172.45f13edccf188@perdition.cnpapers.net> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> Message-ID: On Sat, 10 Mar 2007, Hugo van der Kooij wrote: > On Sat, 10 Mar 2007, Res wrote: > >> Mine seeks out and destroys postmix machines ;) >> then installs a good secure version of rendmaul, it also checks to see if >> you have a mailscanner supplied install or a butchered distro one, if >> later, removes it, and installs a real version, finally, it will send >> copious amounts of coffee bean pics out your printer. > > My postfix has the right to defend itself with legal force against RESource but can it defend itself from itself with the infamous p-records, maybe that's weitsies new internal self destruct mechanism :) -- Cheers Res Let Novell known what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Sat Mar 10 22:53:49 2007 
From: res at ausics.net (Res) Date: Sat Mar 10 22:00:11 2007 Subject: dealing with dictionary attacks In-Reply-To: <223f97700703100515l65c6c10ma2dba1757c997b05@mail.gmail.com> References: <45EBE85C.90507@fractalweb.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> <223f97700703091629l25076f4fr4d98d00f1330f342@mail.gmail.com> <223f97700703100515l65c6c10ma2dba1757c997b05@mail.gmail.com> Message-ID: On Sat, 10 Mar 2007, Glenn Steen wrote: >> SHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH >> you will ruin my reputation if u say things like that, and i'll deny >> it of course !!@! :) > Res, something seems to be up with your keaboard... Consider swapping > it for a new one:-) lol >> > And we know he is the evil bunny of Monty Pythonian fame... Now, where >> > did I put that Holy Handgranede...;-) >> >> I pinched it, I just lobbed it at time.nist.gov 3 times today its set >> some of our servers to 1998 and some to 2032! >> So if anyone uses them, just be careful, I've since changed to denmark, >> and its so far been fine. > Res, set up more time servers. Never ever rely on one NTP source. IIRC > the recommendation is to use three disjunct sets at least (look at > http://ntp.isc.org/bin/view/Servers/NTPPoolServers ... Yeah yeah, you > knew that already:-). I do :) use time.nist.gov time-a.nist.gov and time-b.nist.gov now I use 3 non-us ones, the momenty i changed to primary denmark serer all servers returned to real time, and I don't use pool, I use Stratum 1 servers. > While you're looking into the future weather... Could you tell me how > it'll be in Singapore and on Tioman island (Malaysia) the first two > weeks in April? :-) Sorry, teleported back about 20 mins later ): -- Cheers Res Let Novell known what you think of their back door deal with the devil. 
Sign the petition today: http://techp.org/p/1/ From res at ausics.net Sat Mar 10 22:57:15 2007 From: res at ausics.net (Res) Date: Sat Mar 10 22:03:37 2007 Subject: dealing with dictionary attacks In-Reply-To: <625385e30703100555v616d7bg5d7a5341750dc945@mail.gmail.com> References: <45EBE85C.90507@fractalweb.com> <015d01c7625d$7ec5a0b0$0705000a@ddf5dw71> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <223f97700703100531q6c8afb4ag7db5a33ab732480b@mail.gmail.com> <625385e30703100555v616d7bg5d7a5341750dc945@mail.gmail.com> Message-ID: Thank you shuttle, you have just proved what I set out to do.. prove that the OK to be OT is very selective around here. by the way, nobody is holding a gun at your head making you read this thread. You are most welcome to killfile me if you feel the need to. and lastly its not spam, not even close by its broadest definition. On Sat, 10 Mar 2007, shuttlebox wrote: > On 3/10/07, Glenn Steen wrote: > > Can't you all just stop this thread now? It's a list about antispam > and you (as in not just you Glenn) are spamming right now. > > Please. > > -- Cheers Res Let Novell known what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Sat Mar 10 23:00:21 2007 
From: res at ausics.net (Res) Date: Sat Mar 10 22:06:44 2007 Subject: dealing with dictionary attacks In-Reply-To: <45F2ED1F.4000005@pixelhammer.com> References: <45EBE85C.90507@fractalweb.com> <4165CF7A7F12DE4B96622CCBB905864709949FEF@largo.campus.ncl.ac.uk> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> <223f97700703091629l25076f4fr4d98d00f1330f342@mail.gmail.com> <45F2ED1F.4000005@pixelhammer.com> Message-ID: On Sat, 10 Mar 2007, DAve wrote: > I love qmail, I can do things with qmail I can't do with any other MTA, it Definately, nothing will ever beat it when it comes to real handling of virtual domains, none of this alias or mapping BS required by others. > makes a wunnerful toaster. But, and I gotta say it even though I don't think > the rumours are true, it should be nick'd "patchmail", just because everyone > thinks it takes 200k of source and 6gb of diffs to install it ;^) PATCHMAIL! thats what w'll call it ;) lol, it would be OK if all hte patches went through DJB, that way they'd be all happy rather than having to manually patch everything cause of the patch conflicts. I have a master source backed up everywhere, so I dont have to spend 2 days patching if I need to do another install of qmail. -- Cheers Res Let Novell known what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From shuttlebox at gmail.com Sat Mar 10 23:25:06 2007 
From: shuttlebox at gmail.com (shuttlebox) Date: Sat Mar 10 22:31:23 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <223f97700703100531q6c8afb4ag7db5a33ab732480b@mail.gmail.com> <625385e30703100555v616d7bg5d7a5341750dc945@mail.gmail.com> Message-ID: <625385e30703101425k2d6985d2j7c717cddbe125de5@mail.gmail.com> On 3/10/07, Res wrote: > > Thank you shuttle, you have just proved what I set out to do.. prove that > the OK to be OT is very selective around here. > > by the way, nobody is holding a gun at your head making you read this > thread. You are most welcome to killfile me if you feel the need to. > > and lastly its not spam, not even close by its broadest definition. You're always giving people a hard time when they are not up to your high standards so it's kind of surprising to me that you of all people ask for more OT leeway. And I am kind of forced to read this since I'm subscribed to this otherwise excellent list and several of you often post technically interesting stuff. Therefor I can't block your posts or delete them without reading or at least looking at them first. The broadest definition of spam I know of is simply unwanted mail and this is definitely that to me. -- /peter From campbell at cnpapers.com Sun Mar 11 00:37:43 2007 
From: campbell at cnpapers.com (Steve Campbell) Date: Sat Mar 10 23:44:12 2007 Subject: dealing with dictionary attacks In-Reply-To: <625385e30703101425k2d6985d2j7c717cddbe125de5@mail.gmail.com> References: <45EBE85C.90507@fractalweb.com> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <223f97700703100531q6c8afb4ag7db5a33ab732480b@mail.gmail.com> <625385e30703100555v616d7bg5d7a5341750dc945@mail.gmail.com> <625385e30703101425k2d6985d2j7c717cddbe125de5@mail.gmail.com> Message-ID: <1173569863.45f3414799a43@perdition.cnpapers.net> Quoting shuttlebox : > On 3/10/07, Res wrote: > > > > Thank you shuttle, you have just proved what I set out to do.. prove that > > the OK to be OT is very selective around here. > > > > by the way, nobody is holding a gun at your head making you read this > > thread. You are most welcome to killfile me if you feel the need to. > > > > and lastly its not spam, not even close by its broadest definition. > > You're always giving people a hard time when they are not up to your > high standards so it's kind of surprising to me that you of all people > ask for more OT leeway. > > And I am kind of forced to read this since I'm subscribed to this > otherwise excellent list and several of you often post technically > interesting stuff. Therefor I can't block your posts or delete them > without reading or at least looking at them first. > > The broadest definition of spam I know of is simply unwanted mail and > this is definitely that to me. > > -- > /peter > -- Hey shuttle, At least he quit asking everyone to sleep with him. Steve ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/ From john at katy.com Sun Mar 11 08:42:47 2007 
From: john at katy.com (John Schmerold) Date: Sun Mar 11 07:49:08 2007 Subject: RBL's In-Reply-To: <20070307152055.14adc557@localhost> References: <45EF13F7.3050602@fcen.uba.ar> <04D932B0071FE34FA63EBB1977B48D15024FC0BC@woodenex.woodmaclaw.local> <20070307152055.14adc557@localhost> Message-ID: <45F3B2F7.2010405@katy.com> We've been happy with: combined.njabl.org cbl.abuseat.org ws.surbl.org zen.spamhaus.org John Schmerold Katy Computer & Wireless 347 Clarkson Rd Ellisville MO 63011 636-394-1900 v 775-227-6947 f Gerard Seibert wrote: > On Wed, 7 Mar 2007 15:08:10 -0500 > "Billy A. Pumphrey" wrote: > > >> I turned all mine off because of false positives. Then I started >> only using SORBS-DNSBL. From reading the post in the list, seemed >> like people recommended it. A week later after checking on some >> questions about not getting email, a lot of hotmail.com email was >> getting blocked because of SORBS-DNSBL. >> > > You'll probably get a log of GMail email blocked also; although that > may be a blessing. > > From glenn.steen at gmail.com Sun Mar 11 11:00:59 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Mar 11 10:07:18 2007 Subject: Message from Jules In-Reply-To: <223f97700703090749g35de17c0m8179e77257fd4498@mail.gmail.com> References: <20070308143922.GN30357@login.ecs.soton.ac.uk> <223f97700703090749g35de17c0m8179e77257fd4498@mail.gmail.com> Message-ID: <223f97700703110300n239aa81eqaef6d3b68aff9616@mail.gmail.com> On 09/03/07, Glenn Steen wrote: (snip) > BTW, just a reminder to any who might've missed it: > Matt Hampton has set up a clustrmap page, that will be printed and > gifted to Jules eventually... So if you haven't already, visit > http://www2.clustrmaps.com/counter/maps.php?url=http://www.bastionmail.co.uk/best-wishes-to-jules-field/ > to be counted (and why not leave a little message there too:) Wrong link to visit above.... Of course it should be http://www.bastionmail.co.uk/best-wishes-to-jules-field/ and nothing else (the other one is the "result", not the counter). Sigh. I really should make an effort to read my own submission immediately:-). Click away! Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ms-list at alexb.ch Sun Mar 11 12:45:55 2007 
From: ms-list at alexb.ch (Alex Broens) Date: Sun Mar 11 11:52:19 2007 Subject: RBL's In-Reply-To: <45F3B2F7.2010405@katy.com> References: <45EF13F7.3050602@fcen.uba.ar> <04D932B0071FE34FA63EBB1977B48D15024FC0BC@woodenex.woodmaclaw.local> <20070307152055.14adc557@localhost> <45F3B2F7.2010405@katy.com> Message-ID: <45F3EBF3.6030700@alexb.ch> On 3/11/2007 8:42 AM, John Schmerold wrote: > We've been happy with: > combined.njabl.org > cbl.abuseat.org CBL is included in ZEN - you can save on the extra query. > ws.surbl.org ws.surbl.org should not be queried as an MTA IP RBL - only as a SURBL with the URIBL plugin. Are you sure you get any positive results from it? Alex > zen.spamhaus.org > > John Schmerold > Katy Computer & Wireless > 347 Clarkson Rd > Ellisville MO 63011 > 636-394-1900 v > 775-227-6947 f > > > > Gerard Seibert wrote: >> On Wed, 7 Mar 2007 15:08:10 -0500 >> "Billy A. Pumphrey" wrote: >> >> >>> I turned all mine off because of false positives. Then I started >>> only using SORBS-DNSBL. From reading the post in the list, seemed >>> like people recommended it. A week later after checking on some >>> questions about not getting email, a lot of hotmail.com email was >>> getting blocked because of SORBS-DNSBL. >>> >> >> You'll probably get a log of GMail email blocked also; although that >> may be a blessing. >> >> From evanderleun at hal9000.nl Sun Mar 11 13:39:51 2007 
From: evanderleun at hal9000.nl (Erik van der Leun) Date: Sun Mar 11 12:46:12 2007 Subject: Maillog-virus.pl 20070307 In-Reply-To: References: Message-ID: <45F3F897.804@hal9000.nl> Hugo van der Kooij wrote: > Hi, > > I did manage to get the timestamps sorted out a bit. (If someone has a > log file of last year they could see if the timestamps are ok on > those.) Anything over 11 months old will propably get an inaccurate > timestamp. > > Download: http://hugo.vanderkooij.org/email/stats/maillog-virus.pl > > So I now seem to have a way to get the 3 ingredients I want to collect: > timestamp; AV tool; infection name. > > The next thing is to write a collector to handle these reports, put > them in a database and show some nice statistics about them. > > That way there is a way to build a insight into current malware > activity. At least it could tell what is hot today or what was hot > yesterday or last week or .... > > And finaly it need to be secured so only participating parties can > have their logs analyzed and added to the database so there is at > least a reasonable amount of accuracy. > > In the end it should resemble the dshield way of doing things by > publishing the interchange format so people can write their own > collectors. > > So please give this script a spin to see if the collecting is nearing > accuracy for systems running MailScanner and logging silent virusses > including the AV info. > > The MailScanner config I use contains: > Virus Scanning = yes > Virus Scanners = clamav f-prot mcafee > Silent Viruses = HTML-IFrame All-Viruses > Log Silent Viruses = yes > > (I also wrote a bit to parse BitDefender for now.) > > Hugo. > > -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > This message is using 100% recycled electrons. > > Some men see computers as they are and say "Windows" > I use computers with Linux and say "Why Windows?" > (Thanks JFK, for the insight.) 
Nice script :^> The filename made me look carefully what it did though :) From ssilva at sgvwater.com Sun Mar 11 22:42:45 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Sun Mar 11 21:47:50 2007 Subject: dealing with dictionary attacks In-Reply-To: <223f97700703091746h2943b968s70715d4c1197cbbd@mail.gmail.com> References: <45EBE85C.90507@fractalweb.com> <45F1CAA4.9050300@yeticomputers.com> <1DD504C9-C777-4068-BC29-F19C4B1D3007@technologytiger.net> <223f97700703091746h2943b968s70715d4c1197cbbd@mail.gmail.com> Message-ID: Glenn Steen spake the following on 3/9/2007 5:46 PM: > On 10/03/07, Drew Marshall wrote: >> On 10 Mar 2007, at 00:52, Scott Silva wrote: >> >> > Res spake the following on 8/7/1998 5:37 AM: >> >> On Fri, 9 Mar 2007, Drew Marshall wrote: >> >> >> >>> Oops, sorry ;-) rendmaul it is. Dictionary duly updated >> >> >> >> Thank you :) >> >> >> >>> I think you will find these things are called 'features'. Some >> >>> features are worth shouting about and others are best removed/ >> >>> hidden >> >>> at a later date (and >> >> >> >>> I have heard that some can cause swapping but let's not go back >> >>> there >> >>> :-) ) >> >> >> >> I am working on a patch to force swapping? is that what everyone >> >> wants? >> >> trust me it'll be a quick 3 line patch I can upload this >> >> afternoon when >> >> I get back home ;) >> >> >> >> >> > I tried to apply that patch to my wife, but it tainted her kernel! ;-P >> >> That's always the problem if you upgrade from Girlfriend >v3.x to >> wife v1.0. > IIRC Scott is already at version 2.0 of wife. Whther this is due to > the whole MRS swapping problem or not, I'll defer to comment on. > True, I am at wife 2.0, but only because wife 1.0 was interacting with every other daemon on the system, but failed to interact with critical core processes. A recompile failed to fix the problem, and I had to delete her files. I'm sure she is happily corrupting someone else's system, but my processes seem soo much smoother. And the system load is far more tolerable! >> I did the same and I too can't get her to swap properly either. 
Every >> time it's even suggested there is a warning message about this >> process needing me to pay a huge fee both to consultants and in some >> form of licence fee. I have to admit to not liking the sound of this >> and always selecting cancel and going back to searching Google for a >> work round :-) >> >> I hasten to add, I have not found one ;-) > Well ... the only viable option AFAICS is the single thread > semi-swapping variation... Some might call that "cheating" though, so > be careful... Might otherwise lead to a forced upgrade from wife v1.0, > and the license fees/consultants kicking in ... in an inopportune > manner;-) > > Cheers Luckily, the license fees were more tolerable than the constant system crashes. ;-P -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Sun Mar 11 22:44:37 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Sun Mar 11 21:51:34 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> <223f97700703091636y9f40695m1b50f3f81f902ae6@mail.gmail.com> Message-ID: Res spake the following on 3/9/2007 6:01 PM: > On Sat, 10 Mar 2007, Glenn Steen wrote: > >>> now Glenn might sue you for patent violation lol. >> I wouldn't do that... Far to nice and wellbehaved:-). And we >> postmixers stick together ...;-D > > Ohhhhh, I gathered that a long time ago :) > >> Ah, so *that* was what all that "p record" thingies were all about!:-) > > Yes, its actually his version of ' how to screwup mail processing even > more' ... hes hardly going to put that in a changelog is he ;) > Or "how to stick it to the mailscanner people because they won't play the way I want them too!!" -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Sun Mar 11 22:57:44 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Sun Mar 11 22:02:25 2007 Subject: MailSacanner don't work In-Reply-To: <7e78dc1f0703090636g39007979u10668986b783bb5d@mail.gmail.com> References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com> <45F16C65.2080309@USherbrooke.ca> <7e78dc1f0703090636g39007979u10668986b783bb5d@mail.gmail.com> Message-ID: Claudio Mundin spake the following on 3/9/2007 6:36 AM: > If I startup only sendmail then sendmail listen in 0.0.0.0 25 > But the script of MailScanner throw option to sendmail that listen in > 127.0.0.1 > > 2007/3/10, Denis Beauchemin : >> Claudio Mundin wrote: >> > Hi, >> > >> > I install MailScanner without any errors, but when I try to start up >> > MailScanner (/etc/init.d/MailScanner start) and I try to see the >> > status, the result of status is dead. >> > >> > where can I see information about the error?? >> > >> > THANK >> Claudio, >> >> Your sendmail doesn't seem to be configured to listen to the external >> world. Try to comment out the following line in /etc/mail/sendmail.mc >> (or wherever it is on your Suse server): >> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl >> becomes: >> dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl >> >> then run make to recreate sendmail.cf and restart MS. >> >> Don't forget to make sure your server's firewall lets port 25 flow >> through... >> >> Denis >> >> -- >> _ >> °v° Denis Beauchemin, analyste >> /(_)\ Université de Sherbrooke, S.T.I. >> ^ ^ T: 819.821.8000x62252 F: 819.821.8045 >> >> >> Could you have a sendmail.cf in /etc AND /etc/mail ? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From john at katy.com Mon Mar 12 10:56:49 2007 
From: john at katy.com (John Schmerold) Date: Mon Mar 12 10:03:16 2007 Subject: RBL's In-Reply-To: <45F3EBF3.6030700@alexb.ch> References: <45EF13F7.3050602@fcen.uba.ar> <04D932B0071FE34FA63EBB1977B48D15024FC0BC@woodenex.woodmaclaw.local> <20070307152055.14adc557@localhost> <45F3B2F7.2010405@katy.com> <45F3EBF3.6030700@alexb.ch> Message-ID: <45F523E1.1080501@katy.com> We do cbl.abuseat.org before Zen to keep from exceeding Zen's daily lookup policy. We're pretty close to 100 users and do not want to get into high volume category. Thanks for heads up regarding ws.surbl.org, good example of a little knowledge being a bad thing. Alex Broens wrote: > On 3/11/2007 8:42 AM, John Schmerold wrote: >> We've been happy with: >> combined.njabl.org >> cbl.abuseat.org > > CBL is included in ZEN - you can save on the extra query. > >> ws.surbl.org > > ws.surbl.org should not be queried as an MTA IP RBL - only as a SURBL > with the URIBL plugin. > Are you sure you get any positive results from it? > > Alex > > From res at ausics.net Mon Mar 12 11:20:37 2007 
From: res at ausics.net (Res) Date: Mon Mar 12 10:27:08 2007 Subject: dealing with dictionary attacks In-Reply-To: <625385e30703101425k2d6985d2j7c717cddbe125de5@mail.gmail.com> References: <45EBE85C.90507@fractalweb.com> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <223f97700703100531q6c8afb4ag7db5a33ab732480b@mail.gmail.com> <625385e30703100555v616d7bg5d7a5341750dc945@mail.gmail.com> <625385e30703101425k2d6985d2j7c717cddbe125de5@mail.gmail.com> Message-ID: On Sat, 10 Mar 2007, shuttlebox wrote: > On 3/10/07, Res wrote: >> >> Thank you shuttle, you have just proved what I set out to do.. prove that >> the OK to be OT is very selective around here. > > You're always giving people a hard time when they are not up to your > high standards so it's kind of surprising to me that you of all people > ask for more OT leeway. I'm not asking for any leeway, OT = OT, my point was made, that being some people seem to think some unrelated to MailScanner crud is OK, where other unrelated topics are not. > And I am kind of forced to read this since I'm subscribed to this > otherwise excellent list and several of you often post technically No one said remove yourself, I said filter me, if your email providor can not do that, then I think it's time to maybe use your own service where you have direct control. > delete them without reading or at least looking at them first. Sure you can, if you know how to work filters, look in the message ID, I only use this client in this group. > The broadest definition of spam I know of is simply unwanted mail and > this is definitely that to me. rubbish, Spam = unsolicited commercial or broadcast email, you voluntarily subscribed to this list, therefore you accept any and all posted content from the list, if you so desire not to, then you filter said person. -- Cheers Res Let Novell known what you think of their back door deal with the devil. 
Sign the petition today: http://techp.org/p/1/ From res at ausics.net Mon Mar 12 11:21:23 2007 From: res at ausics.net (Res) Date: Mon Mar 12 10:27:53 2007 Subject: dealing with dictionary attacks In-Reply-To: <1173569863.45f3414799a43@perdition.cnpapers.net> References: <45EBE85C.90507@fractalweb.com> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <223f97700703100531q6c8afb4ag7db5a33ab732480b@mail.gmail.com> <625385e30703100555v616d7bg5d7a5341750dc945@mail.gmail.com> <625385e30703101425k2d6985d2j7c717cddbe125de5@mail.gmail.com> <1173569863.45f3414799a43@perdition.cnpapers.net> Message-ID: On Sat, 10 Mar 2007, Steve Campbell wrote: > At least he quit asking everyone to sleep with him. LOL, I had to, I was getting too many proposals ;) -- Cheers Res Let Novell known what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Mon Mar 12 11:22:38 2007 From: res at ausics.net (Res) Date: Mon Mar 12 10:29:06 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <25a66d840703050822s3061e517mffe1ed8d40035722@mail.gmail.com> <45EC4863.5070702@netmagicsolutions.com> <45EEDA1B.4010200@sbcglobal.net> <45F1CAA4.9050300@yeticomputers.com> <223f97700703091636y9f40695m1b50f3f81f902ae6@mail.gmail.com> Message-ID: On Sun, 11 Mar 2007, Scott Silva wrote: >> Yes, its actually his version of ' how to screwup mail processing even >> more' ... hes hardly going to put that in a changelog is he ;) >> > Or "how to stick it to the mailscanner people because they won't play the way > I want them too!!" now you mention it, yes :) -- Cheers Res Let Novell known what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From clamun at gmail.com Mon Mar 12 11:48:07 2007 
From: clamun at gmail.com (Claudio Mundin) Date: Mon Mar 12 10:54:32 2007 Subject: MailSacanner don't work In-Reply-To: References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com> <45F16C65.2080309@USherbrooke.ca> <7e78dc1f0703090636g39007979u10668986b783bb5d@mail.gmail.com> Message-ID: <7e78dc1f0703120348r1ba99480k862b62ae21500cfc@mail.gmail.com> Scott and Steve, thanks for your help, but my sendmail works OK without MailScanner; in an earlier post I said that the MailScanner script starts sendmail only on the loopback interface. The problem was resolved by setting the SMTPD_LISTEN_REMOTE variable to yes. At this moment sendmail starts up on 0.0.0.0 port 25, but the result of /etc/init.d/MailScanner status is dead. 2007/3/11, Scott Silva : > > Claudio Mundin spake the following on 3/9/2007 6:36 AM: > > If I start up only sendmail, then sendmail listens on 0.0.0.0 25 > > But the MailScanner script throws an option to sendmail that makes it listen on > > 127.0.0.1 > > > > 2007/3/10, Denis Beauchemin : > >> Claudio Mundin wrote: > >> > Hi, > >> > > >> > I installed MailScanner without any errors, but when I try to start up > >> > MailScanner (/etc/init.d/MailScanner start) and I try to see the > >> > status, the result of status is dead. > >> > > >> > Where can I see information about the error? > >> > > >> > THANKS > >> Claudio, > >> > >> Your sendmail doesn't seem to be configured to listen to the external > >> world. Try to comment out the following line in /etc/mail/sendmail.mc > >> (or wherever it is on your Suse server): > >> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl > >> becomes: > >> dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl > >> > >> then run make to recreate sendmail.cf and restart MS. > >> > >> Don't forget to make sure your server's firewall lets port 25 flow > >> through... > >> > >> Denis > >> > >> -- > >> _ > >> °v° Denis Beauchemin, analyste > >> /(_)\ Université de Sherbrooke, S.T.I. 
> >> ^ ^ T: 819.821.8000x62252 F: 819.821.8045 > >> > >> > >> > Could you have a sendmail.cf in /etc AND /etc/mail ? > > > -- > > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > From pedretti at eco.unibs.it Mon Mar 12 12:27:58 2007 
From: pedretti at eco.unibs.it (Fabio Pedretti) Date: Mon Mar 12 11:31:42 2007 Subject: ClamAV suggestion In-Reply-To: <223f97700703091035rfb242d8s7139cd1ad97de6b1@mail.gmail.com> References: <20070309182609.31x3akra8gkooccs@luna.eco.unibs.it> <223f97700703091035rfb242d8s7139cd1ad97de6b1@mail.gmail.com> Message-ID: <20070312122758.7zpnz79qckscocck@luna.eco.unibs.it> Quoting Glenn Steen: > On 09/03/07, Fabio Pedretti wrote: >> Hi, >> I am using MailScanner 4.44.6 (I know it's old, but it seems that my >> suggestions are not implemented in current code) with clamscan 0.90.1 >> (not Mail::Clam module). I have some suggestions for using it with >> clamav: > This simply cannot be the sole reason to hold off an upgrade. > You should seriously consider spending the approximately 10 minutes it > takes to perform and perhaps 30 minutes it takes to adjust defaults to > new settings afterward. How to perform an upgrade is mentioned in the > MAQ. I'll look at it, thanks. However I am not inclined to have to upgrade critical software on a server serving hundreds of users, unless there are security problems. >> 1) clamscan is called with the option --disable-summary, which is >> deprecated. --no-summary should be used instead. > I would assume this is the same in the latest MS since it predates the > 0.90 release of clamav... It was not deprecated in 0.90, but at least in 0.70, released on 2004-04-16. > And since Jules is hospitalised at the moment, I'm sorry about that. > I wouldn't expect any adjustment to this in the near future... > But having said that, it is quite simple to do yourself: > Simply edit the appropriate clamav initialisation stanza in the > SweepViruses.pm ... If you feel like it, make a patch/diff and post it > here. > >> 2) I noticed that some phishing mails are not blocked (I am also using >> the signatures of sanesecurity). If I do a clamscan on the full >> original mail with headers, clamscan finds the virus (I can provide a >> sample if needed). 
It seems the problem is that MailScanner extracts the >> content of the mail (body + attachment) and scans it, but some >> phishing mails are only detected if the full headers are present (in >> the clamav DB in the extended signature format, option 4 is for mail >> files, look at signatures.pdf in clamav source, and are detected only >> if full mail with headers is scanned). >> MailScanner should be modified so that all the original mail (with >> headers and without extracting attachment) should be passed to >> clamscan, so all viruses can be caught. > I'm not close to any code, but ... this is probably not true. Maybe a > bug in your old version, but I don't think this is how it works (the > headers should be included too). Hm. Will have to find time/energy to > look at some code to say more. I can confirm this is the way scanning works in 4.44.6. I'll look at a newer version... if I find some time. >> 3) Would be nice to have a module which directly uses clamd and then >> falls back to clamscan if it's not working, other than clamscan or >> Mail::Clam options. > The consensus thus far is that it'd be a waste of effort, but then > again... I do believe some have modified the clamscan wrapper to run > clamdscan, and further make it "fall back" on clamscan should be > rather trivial... Again, will have to look at some code to say more. That's what I am also doing now. However, best would be to connect to clamd directly on its socket from MailScanner, without calling clamdscan (and adding a new module). From Gerhard.Bressler at meinhart.at Mon Mar 12 13:15:41 2007 From: Gerhard.Bressler at meinhart.at (Gerhard Bressler) Date: Mon Mar 12 13:11:47 2007 Subject: MCP Attachments Message-ID: <45F5527D.9CB2.0030.0@meinhart.at> Hi, I am using Mailscanner with MCP. Works fine for finding keywords in mailbody. But, is there a way to search for keywords in non-text attachments like .doc, .xls, .pdf? Gerhard From jbayer at bayertechnologygroup.com Mon Mar 12 14:37:35 2007 
From: jbayer at bayertechnologygroup.com (Jonathan B Bayer) Date: Mon Mar 12 13:44:14 2007 Subject: Spam score is negative, yet message is still marked as spam Message-ID: <97621114.20070312093735@BayerTechnologyGroup.com> Hello mailscanner, Hello all. I have a new installation of MailScanner installed on a new mail server. The basic configuration is: RedHat Enterprise 3 Postfix 2.1.3 Mailscanner 4.58.9-1 One of the users has been sending messages to the company president. These messages are being marked as spam and moved to the spam folder. However, when I examined the message headers, I found the following: X-*****************_com-MailScanner-Information: Please contact the ISP for more information X-*****************_com-MailScanner: Found to be clean X-*****************_com-MailScanner-SpamCheck: spam, spamhaus-ZEN, SpamAssassin (not cached, score=-4.17, required 6, autolearn=not spam, ALL_TRUSTED -1.80, BAYES_00 -2.60, HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 0.23) X-*****************_com-MailScanner-From: dmakhijani@*****************.com X-Spam-Status: Yes and the subject had the {Spam?} inserted. Why would this be marked as spam, if the score is -4.17 ? What's even stranger is that the user's computer connects directly with the mail server to send the email, so it isn't even going through another relay. Thanks in advance. JBB --- Superior solutions for small business, home office and home users Jonathan B Bayer,CEO mailto:jbayer@BayerTechnologyGroup.com Bayer Technology Group Work: (609) 632-1200 23 Exeter Rd. Mobile: (609) 658-9408 East Windsor, NJ 08520 From a.peacock at chime.ucl.ac.uk Mon Mar 12 14:42:14 2007 
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Mon Mar 12 13:48:52 2007 Subject: Spam score is negative, yet message is still marked as spam In-Reply-To: <97621114.20070312093735@BayerTechnologyGroup.com> References: <97621114.20070312093735@BayerTechnologyGroup.com> Message-ID: <45F558B6.8030303@chime.ucl.ac.uk> Hi, Jonathan B Bayer wrote: > Hello mailscanner, > > Hello all. > > I have a new installation of MailScanner installed on a new mail > server. The basic configuration is: > > RedHat Enterprise 3 > Postfix 2.1.3 > Mailscanner 4.58.9-1 > > One of the users has been sending messages to the company president. > These messages are being marked as spam and moved to the spam folder. > > However, when I examined the message headers, I found the following: > > X-*****************_com-MailScanner-Information: Please contact the ISP for more information > X-*****************_com-MailScanner: Found to be clean > X-*****************_com-MailScanner-SpamCheck: spam, spamhaus-ZEN, ^^^^^^^^^^^^ This mail hit the spamhaus-ZEN RBL, and you have MailScanner configured to mark as spam any message that hits on your RBLs. Personally I don't have MailScanner set to check any RBLs, I use the scoring features on SpamAssassin for that. > SpamAssassin (not cached, score=-4.17, required 6, > autolearn=not spam, ALL_TRUSTED -1.80, BAYES_00 -2.60, > HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 0.23) > X-*****************_com-MailScanner-From: dmakhijani@*****************.com > X-Spam-Status: Yes > > > and the subject had the {Spam?} inserted. > > Why would this be marked as spam, if the score is -4.17 ? > > What's even stranger is that the user's computer connects directly > with the mail server to send the email, so it isn't even going through > another relay. > > > Thanks in advance. 
> > > JBB > --- > Superior solutions for small business, home office and home users > > Jonathan B Bayer,CEO mailto:jbayer@BayerTechnologyGroup.com > Bayer Technology Group Work: (609) 632-1200 > 23 Exeter Rd. Mobile: (609) 658-9408 > East Windsor, NJ 08520 > -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From daniel.maher at ubisoft.com Mon Mar 12 14:43:24 2007 
From: daniel.maher at ubisoft.com (Daniel Maher) Date: Mon Mar 12 13:49:49 2007 Subject: Spam score is negative, yet message is still marked as spam In-Reply-To: <97621114.20070312093735@BayerTechnologyGroup.com> Message-ID: <1E293D3FF63A3740B10AD5AAD88535D2048CAF77@UBIMAIL1.ubisoft.org> > One of the users has been sending messages to the company president. > These messages are being marked as spam and moved to the spam folder. > > However, when I examined the message headers, I found the following: > > X-*****************_com-MailScanner-Information: Please contact the ISP > for more information > X-*****************_com-MailScanner: Found to be clean > X-*****************_com-MailScanner-SpamCheck: spam, spamhaus-ZEN, > SpamAssassin (not cached, score=-4.17, required 6, > autolearn=not spam, ALL_TRUSTED -1.80, BAYES_00 -2.60, > HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 0.23) > X-*****************_com-MailScanner-From: dmakhijani@*****************.com > X-Spam-Status: Yes > > > and the subject had the {Spam?} inserted. > > Why would this be marked as spam, if the score is -4.17 ? MailScanner hit it on the spamhaus-ZEN RBL, and if MS sees it on an RBL, it will tag it as spam, regardless of what SpamAssassin thinks. This is why some people decide not to do RBL checks in MS at all, and leave it entirely for SA. -- _ °v° Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator "To accomplish great things, we must not only act but also dream, not only plan but also believe.". - Anatole France (1844-1924) From am.lists at gmail.com Mon Mar 12 14:45:02 2007 
From: am.lists at gmail.com (am.lists) Date: Mon Mar 12 13:51:27 2007 Subject: Spam score is negative, yet message is still marked as spam In-Reply-To: <97621114.20070312093735@BayerTechnologyGroup.com> References: <97621114.20070312093735@BayerTechnologyGroup.com> Message-ID: <25a66d840703120645r1684286cyfffb4b028e223273@mail.gmail.com> On 3/12/07, Jonathan B Bayer wrote: > Hello mailscanner, > > Hello all. > > I have a new installation of MailScanner installed on a new mail > server. The basic configuration is: > > RedHat Enterprise 3 > Postfix 2.1.3 > Mailscanner 4.58.9-1 > > One of the users has been sending messages to the company president. > These messages are being marked as spam and moved to the spam folder. > > However, when I examined the message headers, I found the following: > > X-*****************_com-MailScanner-Information: Please contact the ISP for more information > X-*****************_com-MailScanner: Found to be clean > X-*****************_com-MailScanner-SpamCheck: spam, spamhaus-ZEN, > SpamAssassin (not cached, score=-4.17, required 6, > autolearn=not spam, ALL_TRUSTED -1.80, BAYES_00 -2.60, > HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 0.23) > X-*****************_com-MailScanner-From: dmakhijani@*****************.com > X-Spam-Status: Yes > > > and the subject had the {Spam?} inserted. > > Why would this be marked as spam, if the score is -4.17 ? > > What's even stranger is that the user's computer connects directly > with the mail server to send the email, so it isn't even going through > another relay. I think you nailed it right there. The user's computer connected directly to the mail server. -- I'm guessing (without seeing the IP or a log) that you had a RBL lookup notice that the client computer was a dial-up or otherwise dynamic IP and flagged it as an RBL. RBL hits will trigger the low-score spam action, even if the SA score is below. Angelo From gerard at seibercom.net Mon Mar 12 15:00:44 2007 
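[Added example, not part of any message in this thread and not MailScanner's own code.] The replies above explain that a hit on a list configured in MailScanner marks the message as spam regardless of the SpamAssassin score. The sketch below parses a SpamCheck header value in the layout quoted in the thread and reports which check produced the verdict; the function names, the result keys and the two CONSTRUCTED_* values are assumptions made for illustration.

```python
import re

# Header value quoted in the thread. The header name is masked there, so only
# the value after the colon is parsed.
THREAD_VALUE = (
    "spam, spamhaus-ZEN, SpamAssassin (not cached, score=-4.17, required 6, "
    "autolearn=not spam, ALL_TRUSTED -1.80, BAYES_00 -2.60, "
    "HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 0.23)"
)
# Constructed values in the same layout, for comparison (not from the thread).
CONSTRUCTED_SA_ONLY = (
    "spam, SpamAssassin (not cached, score=7.50, required 6, "
    "CONSTRUCTED_RULE_A 3.50, CONSTRUCTED_RULE_B 4.00)"
)
CONSTRUCTED_CLEAN = (
    "not spam, SpamAssassin (not cached, score=-4.17, required 6, "
    "ALL_TRUSTED -1.80, BAYES_00 -2.60, HTML_TAG_BALANCE_BODY 0.23)"
)

SA_RE = re.compile(r"SpamAssassin\s*\(([^)]*)\)")
RULE_RE = re.compile(r"^([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)$")


def parse_spamcheck(value):
    """Split a SpamCheck value into verdict, list hits and SpamAssassin detail."""
    value = " ".join(value.split())          # unfold continuation lines
    sa = SA_RE.search(value)
    head = value[:sa.start()] if sa else value
    parts = [p.strip() for p in head.split(",") if p.strip()]
    if not parts:
        raise ValueError("empty SpamCheck value")
    result = {
        "flagged": parts[0].lower().startswith("spam"),  # "not spam" -> False
        "list_hits": parts[1:],              # names between verdict and SA block
        "score": None,
        "required": None,
        "rules": {},
    }
    if sa:
        for field in (f.strip() for f in sa.group(1).split(",")):
            rule = RULE_RE.match(field)
            if field.startswith("score="):
                result["score"] = float(field[len("score="):])
            elif field.startswith("required "):
                result["required"] = float(field[len("required "):])
            elif rule:
                result["rules"][rule.group(1)] = float(rule.group(2))
    return result


def why_flagged(parsed):
    """Return 'not flagged', 'list', 'spamassassin', 'both' or 'other'."""
    if not parsed["flagged"]:
        return "not flagged"
    over = (parsed["score"] is not None and parsed["required"] is not None
            and parsed["score"] >= parsed["required"])
    if parsed["list_hits"] and over:
        return "both"
    if parsed["list_hits"]:
        return "list"
    return "spamassassin" if over else "other"


def rules_match_score(parsed, tol=0.005):
    """Check that the per-rule scores add up to the reported total."""
    if parsed["score"] is None:
        return False
    return abs(sum(parsed["rules"].values()) - parsed["score"]) <= tol


def list_only_verdicts(values):
    """Values flagged by a list hit alone: candidates for a false-positive review."""
    out = []
    for value in values:
        parsed = parse_spamcheck(value)
        if why_flagged(parsed) == "list":
            out.append((parsed["list_hits"], parsed["score"]))
    return out


if __name__ == "__main__":
    for v in (THREAD_VALUE, CONSTRUCTED_SA_ONLY, CONSTRUCTED_CLEAN):
        print(why_flagged(parse_spamcheck(v)), "<-", v[:40])
```

Run over the SpamCheck values pulled from a spam folder, list_only_verdicts() picks out messages like the one in this thread, where the list hit alone decided the verdict while SpamAssassin scored the message well under the threshold.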
From: gerard at seibercom.net (Gerard Seibert) Date: Mon Mar 12 14:07:13 2007 Subject: Spam score is negative, yet message is still marked as spam In-Reply-To: <97621114.20070312093735@BayerTechnologyGroup.com> References: <97621114.20070312093735@BayerTechnologyGroup.com> Message-ID: <20070312100044.4cb2156b@localhost> On Mon, 12 Mar 2007 09:37:35 -0400 Jonathan B Bayer wrote: > I have a new installation of MailScanner installed on a new mail > server. The basic configuration is: > > RedHat Enterprise 3 > Postfix 2.1.3 > Mailscanner 4.58.9-1 [snip] I am somewhat perplexed. First you claim this is a 'new' installation of MailScanner on a new mail server. Then you list an obsolete (very depreciated) version of Postfix. At the very least, I would update that to version => 2.3 (version 2.4 is in RC stage presently and is due for release on or about April 1st). You might want to investigate updating it. It also works better with MailScanner from what I have been told. I never used that old of a version with MS personally. -- Gerard "The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location ... and I'm not even too sure about that one" Dennis Huges, F.B.I. From jbayer at bayertechnologygroup.com Mon Mar 12 15:10:13 2007 
From: jbayer at bayertechnologygroup.com (Jonathan B Bayer) Date: Mon Mar 12 14:16:50 2007 Subject: Spam score is negative, yet message is still marked as spam In-Reply-To: <20070312100044.4cb2156b@localhost> References: <97621114.20070312093735@BayerTechnologyGroup.com> <20070312100044.4cb2156b@localhost> Message-ID: <9010224481.20070312101013@BayerTechnologyGroup.com> Hello Gerard, That is the version of Postfix that is supplied with RedHat Enterprise 3. They will be coming out with Enterprise 4 soon, but I'm trying to keep this as standard as possible. JBB Monday, March 12, 2007, 10:00:44 AM, you wrote: > On Mon, 12 Mar 2007 09:37:35 -0400 > Jonathan B Bayer wrote: >> I have a new installation of MailScanner installed on a new mail >> server. The basic configuration is: >> >> RedHat Enterprise 3 >> Postfix 2.1.3 >> Mailscanner 4.58.9-1 > [snip] > I am somewhat perplexed. First you claim this is a 'new' installation > of MailScanner on a new mail server. Then you list an obsolete (very > depreciated) version of Postfix. At the very least, I would update that to version =>> 2.3 (version 2.4 is in RC stage presently and is due for > release on or about April 1st). You might want to investigate updating > it. It also works better with MailScanner from what I have been told. I > never used that old of a version with MS personally. -- Superior solutions for small business, home office and home users Jonathan B Bayer,CEO mailto:jbayer@BayerTechnologyGroup.com Bayer Technology Group Work: (609) 632-1200 23 Exeter Rd. Mobile: (609) 658-9408 East Windsor, NJ 08520 From jbayer at bayertechnologygroup.com Mon Mar 12 15:15:37 2007 
From: jbayer at bayertechnologygroup.com (Jonathan B Bayer) Date: Mon Mar 12 14:22:13 2007 Subject: Spam score is negative, yet message is still marked as spam In-Reply-To: <45F558B6.8030303@chime.ucl.ac.uk> References: <97621114.20070312093735@BayerTechnologyGroup.com> <45F558B6.8030303@chime.ucl.ac.uk> Message-ID: <1631615583.20070312101537@BayerTechnologyGroup.com> Hello Anthony, OK, I understand that. I've looked at SpamAssassin, and while I see where it enables RBL checks, I don't see where I can specify which RBL checks to do. JBB Monday, March 12, 2007, 9:42:14 AM, you wrote: > Hi, > Jonathan B Bayer wrote: >> Hello mailscanner, >> >> Hello all. >> >> I have a new installation of MailScanner installed on a new mail >> server. The basic configuration is: >> >> RedHat Enterprise 3 >> Postfix 2.1.3 >> Mailscanner 4.58.9-1 >> >> One of the users has been sending messages to the company president. >> These messages are being marked as spam and moved to the spam folder. >> >> However, when I examined the message headers, I found the following: >> >> X-*****************_com-MailScanner-Information: Please contact the ISP for more information >> X-*****************_com-MailScanner: Found to be clean >> X-*****************_com-MailScanner-SpamCheck: spam, spamhaus-ZEN, > ^^^^^^^^^^^^ > This mail hit the spamhaus-ZEN RBL, and you have MailScanner configured > to mark as spam any message that hits on your RBLs. > Personally I don't have MailScanner set to check any RBLs, I use the > scoring features on SpamAssassin for that. >> SpamAssassin (not cached, score=-4.17, required 6, >> autolearn=not spam, ALL_TRUSTED -1.80, BAYES_00 -2.60, >> HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 0.23) >> X-*****************_com-MailScanner-From: dmakhijani@*****************.com >> X-Spam-Status: Yes >> >> >> and the subject had the {Spam?} inserted. >> >> Why would this be marked as spam, if the score is -4.17 ? 
>> >> What's even stranger is that the user's computer connects directly >> with the mail server to send the email, so it isn't even going through >> another relay. >> >> >> Thanks in advance. >> >> >> JBB >> --- >> Superior solutions for small business, home office and home users >> >> Jonathan B Bayer,CEO mailto:jbayer@BayerTechnologyGroup.com >> Bayer Technology Group Work: (609) 632-1200 >> 23 Exeter Rd. Mobile: (609) 658-9408 >> East Windsor, NJ 08520 >> > -- > Anthony Peacock > CHIME, Royal Free & University College Medical School > WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ > "If you have an apple and I have an apple and we exchange apples > then you and I will still each have one apple. But if you have an > idea and I have an idea and we exchange these ideas, then each of us > will have two ideas." -- George Bernard Shaw -- Superior solutions for small business, home office and home users Jonathan B Bayer,CEO mailto:jbayer@BayerTechnologyGroup.com Bayer Technology Group Work: (609) 632-1200 23 Exeter Rd. Mobile: (609) 658-9408 East Windsor, NJ 08520 From joakim at cefalk.com Mon Mar 12 15:23:29 2007 
From: joakim at cefalk.com (Joakim Cefalk) Date: Mon Mar 12 14:30:19 2007 Subject: Spam score is negative, yet message is still marked as spam In-Reply-To: <1631615583.20070312101537@BayerTechnologyGroup.com> References: <97621114.20070312093735@BayerTechnologyGroup.com> <45F558B6.8030303@chime.ucl.ac.uk> <1631615583.20070312101537@BayerTechnologyGroup.com> Message-ID: <45F56261.8030905@cefalk.com> Check for this line # This is the list of spam blacklists (RBLs) which you are using. Spam List = # ORDB-RBL SBL+XBL # You can un-comment this to enable them Jonathan B Bayer wrote: > Hello Anthony, > > OK, I understand that. I've looked at SpamAssassin, and while I see > where it enables RBL checks, I don't see where I can specify which RBL > checks to do. > > > JBB > > > Monday, March 12, 2007, 9:42:14 AM, you wrote: > > >> Hi, >> > > >> Jonathan B Bayer wrote: >> >>> Hello mailscanner, >>> >>> Hello all. >>> >>> I have a new installation of MailScanner installed on a new mail >>> server. The basic configuration is: >>> >>> RedHat Enterprise 3 >>> Postfix 2.1.3 >>> Mailscanner 4.58.9-1 >>> >>> One of the users has been sending messages to the company president. >>> These messages are being marked as spam and moved to the spam folder. >>> >>> However, when I examined the message headers, I found the following: >>> >>> X-*****************_com-MailScanner-Information: Please contact the ISP for more information >>> X-*****************_com-MailScanner: Found to be clean >>> X-*****************_com-MailScanner-SpamCheck: spam, spamhaus-ZEN, >>> >> ^^^^^^^^^^^^ >> > > >> This mail hit the spamhaus-ZEN RBL, and you have MailScanner configured >> to mark as spam any message that hits on your RBLs. >> > > > >> Personally I don't have MailScanner set to check any RBLs, I use the >> scoring features on SpamAssassin for that. 
>> > > > > >>> SpamAssassin (not cached, score=-4.17, required 6, >>> autolearn=not spam, ALL_TRUSTED -1.80, BAYES_00 -2.60, >>> HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 0.23) >>> X-*****************_com-MailScanner-From: dmakhijani@*****************.com >>> X-Spam-Status: Yes >>> >>> >>> and the subject had the {Spam?} inserted. >>> >>> Why would this be marked as spam, if the score is -4.17 ? >>> >>> What's even stranger is that the user's computer connects directly >>> with the mail server to send the email, so it isn't even going through >>> another relay. >>> >>> >>> Thanks in advance. >>> >>> >>> JBB >>> --- >>> Superior solutions for small business, home office and home users >>> >>> Jonathan B Bayer,CEO mailto:jbayer@BayerTechnologyGroup.com >>> Bayer Technology Group Work: (609) 632-1200 >>> 23 Exeter Rd. Mobile: (609) 658-9408 >>> East Windsor, NJ 08520 >>> >>> > > > >> -- >> Anthony Peacock >> CHIME, Royal Free & University College Medical School >> WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ >> "If you have an apple and I have an apple and we exchange apples >> then you and I will still each have one apple. But if you have an >> idea and I have an idea and we exchange these ideas, then each of us >> will have two ideas." -- George Bernard Shaw >> > > > > From a.peacock at chime.ucl.ac.uk Mon Mar 12 15:25:01 2007 
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock) Date: Mon Mar 12 14:31:44 2007 Subject: Spam score is negative, yet message is still marked as spam In-Reply-To: <1631615583.20070312101537@BayerTechnologyGroup.com> References: <97621114.20070312093735@BayerTechnologyGroup.com> <45F558B6.8030303@chime.ucl.ac.uk> <1631615583.20070312101537@BayerTechnologyGroup.com> Message-ID: <45F562BD.2030705@chime.ucl.ac.uk> Hi, Jonathan B Bayer wrote: > Hello Anthony, > > OK, I understand that. I've looked at SpamAssassin, and while I see > where it enables RBL checks, I don't see where I can specify which RBL > checks to do. This is documented in the SA Wiki here: http://wiki.apache.org/spamassassin/DnsBlocklists You should also make sure that you have skip_rbl_checks set to 0 in either your SA local.cf or your MailScanner spamassin_user_prefs file. > > > JBB > > > Monday, March 12, 2007, 9:42:14 AM, you wrote: > >> Hi, > >> Jonathan B Bayer wrote: >>> Hello mailscanner, >>> >>> Hello all. >>> >>> I have a new installation of MailScanner installed on a new mail >>> server. The basic configuration is: >>> >>> RedHat Enterprise 3 >>> Postfix 2.1.3 >>> Mailscanner 4.58.9-1 >>> >>> One of the users has been sending messages to the company president. >>> These messages are being marked as spam and moved to the spam folder. >>> >>> However, when I examined the message headers, I found the following: >>> >>> X-*****************_com-MailScanner-Information: Please contact the ISP for more information >>> X-*****************_com-MailScanner: Found to be clean >>> X-*****************_com-MailScanner-SpamCheck: spam, spamhaus-ZEN, >> ^^^^^^^^^^^^ > >> This mail hit the spamhaus-ZEN RBL, and you have MailScanner configured >> to mark as spam any message that hits on your RBLs. > > >> Personally I don't have MailScanner set to check any RBLs, I use the >> scoring features on SpamAssassin for that. 
> > > >>> SpamAssassin (not cached, score=-4.17, required 6, >>> autolearn=not spam, ALL_TRUSTED -1.80, BAYES_00 -2.60, >>> HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 0.23) >>> X-*****************_com-MailScanner-From: dmakhijani@*****************.com >>> X-Spam-Status: Yes >>> >>> >>> and the subject had the {Spam?} inserted. >>> >>> Why would this be marked as spam, if the score is -4.17 ? >>> >>> What's even stranger is that the user's computer connects directly >>> with the mail server to send the email, so it isn't even going through >>> another relay. >>> >>> >>> Thanks in advance. >>> >>> >>> JBB >>> --- >>> Superior solutions for small business, home office and home users >>> >>> Jonathan B Bayer,CEO mailto:jbayer@BayerTechnologyGroup.com >>> Bayer Technology Group Work: (609) 632-1200 >>> 23 Exeter Rd. Mobile: (609) 658-9408 >>> East Windsor, NJ 08520 >>> > > >> -- >> Anthony Peacock >> CHIME, Royal Free & University College Medical School >> WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ >> "If you have an apple and I have an apple and we exchange apples >> then you and I will still each have one apple. But if you have an >> idea and I have an idea and we exchange these ideas, then each of us >> will have two ideas." -- George Bernard Shaw > > > -- Anthony Peacock CHIME, Royal Free & University College Medical School WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ "If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw From daniel.maher at ubisoft.com Mon Mar 12 15:28:34 2007 
From: daniel.maher at ubisoft.com (Daniel Maher) Date: Mon Mar 12 14:34:59 2007 Subject: Spam score is negative, yet message is still marked as spam In-Reply-To: <20070312100044.4cb2156b@localhost> Message-ID: <1E293D3FF63A3740B10AD5AAD88535D2048CB07A@UBIMAIL1.ubisoft.org> > > Mailscanner 4.58.9-1 > > [snip] > > I am somewhat perplexed. First you claim this is a 'new' installation > of MailScanner on a new mail server. Then you list an obsolete (very > depreciated) version of Postfix. At the very least, I would update that > to version => 2.3 (version 2.4 is in RC stage presently and is due for > release on or about April 1st). You might want to investigate updating > it. It also works better with MailScanner from what I have been told. I > never used that old of a version with MS personally. Just for reference, I am /currently/ using MailScanner on three Postfix 2.0.x boxes, which collectively handle about a million connections a day. Let it also be known that I plan to upgrade to 2.3.x in the very near future. :) -- _ °v° Daniel Maher /(_)\ Administrateur Système Unix ^ ^ Unix System Administrator "To accomplish great things, we must not only act but also dream, not only plan but also believe.". - Anatole France (1844-1924) From jon at radel.com Mon Mar 12 15:30:27 2007 
From: jon at radel.com (Jon Radel) Date: Mon Mar 12 14:37:00 2007 Subject: Spam score is negative, yet message is still marked as spam In-Reply-To: <9010224481.20070312101013@BayerTechnologyGroup.com> References: <97621114.20070312093735@BayerTechnologyGroup.com> <20070312100044.4cb2156b@localhost> <9010224481.20070312101013@BayerTechnologyGroup.com> Message-ID: <45F56403.6070209@radel.com> Jonathan B Bayer wrote: > Hello Gerard, > > That is the version of Postfix that is supplied with RedHat Enterprise > 3. They will be coming out with Enterprise 4 soon, but I'm trying to > keep this as standard as possible. Who's they? :-) RHE v 3 came out in Sept 2003 and RHE v 4 came out in Feb 2005. RHE v 5 is the one coming out soon from Red Hat. I hope. --Jon Radel From jbayer at bayertechnologygroup.com Mon Mar 12 15:39:14 2007 
From: jbayer at bayertechnologygroup.com (Jonathan B Bayer)
Date: Mon Mar 12 14:45:53 2007
Subject: Spam score is negative, yet message is still marked as spam
In-Reply-To: <45F56261.8030905@cefalk.com>
References: <97621114.20070312093735@BayerTechnologyGroup.com> <45F558B6.8030303@chime.ucl.ac.uk> <1631615583.20070312101537@BayerTechnologyGroup.com> <45F56261.8030905@cefalk.com>
Message-ID: <1809542422.20070312103914@BayerTechnologyGroup.com>

Hello Joakim,

Monday, March 12, 2007, 10:23:29 AM, you wrote:

>
> Check for this line
>
> # This is the list of spam blacklists (RBLs) which you are using.
> Spam List = # ORDB-RBL SBL+XBL # You can un-comment this to enable them

That is in MailScanner.conf. I'm looking to do this in SpamAssassin.

JBB

>
> Jonathan B Bayer wrote:
>
> Hello Anthony,
> OK, I understand that. I've looked at SpamAssassin, and while I see
> where it enables RBL checks, I don't see where I can specify which RBL
> checks to do.
> JBB
> Monday, March 12, 2007, 9:42:14 AM, you wrote:
>
> Hi,
>
> Jonathan B Bayer wrote:
>
> Hello mailscanner,
> Hello all.
> I have a new installation of MailScanner installed on a new mail
> server. The basic configuration is:
> RedHat Enterprise 3
> Postfix 2.1.3
> Mailscanner 4.58.9-1
> One of the users has been sending messages to the company president.
> These messages are being marked as spam and moved to the spam folder.
> However, when I examined the message headers, I found the following:
> X-*****************_com-MailScanner-Information: Please contact the ISP for more information
> X-*****************_com-MailScanner: Found to be clean
> X-*****************_com-MailScanner-SpamCheck: spam, spamhaus-ZEN,
>                                                      ^^^^^^^^^^^^
>
> This mail hit the spamhaus-ZEN RBL, and you have MailScanner configured
> to mark as spam any message that hits on your RBLs.
>
> Personally I don't have MailScanner set to check any RBLs, I use the
> scoring features on SpamAssassin for that.
>
> SpamAssassin (not cached, score=-4.17, required 6,
> autolearn=not spam, ALL_TRUSTED -1.80, BAYES_00 -2.60,
> HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 0.23)
> X-*****************_com-MailScanner-From:
> dmakhijani@*****************.com
> X-Spam-Status: Yes
> and the subject had the {Spam?} inserted.
> Why would this be marked as spam, if the score is -4.17 ?
> What's even stranger is that the user's computer connects directly
> with the mail server to send the email, so it isn't even going through
> another relay.
> Thanks in advance.
> JBB
> ---
> Superior solutions for small business, home office and home users
> Jonathan B Bayer,CEO mailto:jbayer@BayerTechnologyGroup.com
> Bayer Technology Group Work: (609) 632-1200
> 23 Exeter Rd. Mobile: (609) 658-9408
> East Windsor, NJ 08520
>

-- 
Superior solutions for small business, home office and home users
Jonathan B Bayer,CEO       mailto:jbayer@BayerTechnologyGroup.com
Bayer Technology Group     Work: (609) 632-1200
23 Exeter Rd.              Mobile: (609) 658-9408
East Windsor, NJ 08520

From jbayer at bayertechnologygroup.com Mon Mar 12 15:40:18 2007
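The MailScanner-SpamCheck values quoted in this archive can be taken apart to see which check produced the verdict. The following is an added example, not part of any post and not MailScanner code; the field layout is inferred only from the three header values quoted on this page, and treating "score >= required" as SpamAssassin's spam threshold is an assumption of the example.

```python
import re

# Header values copied from the messages quoted on this page (folding removed).
SAMPLES = [
    "spam, spamhaus-ZEN, SpamAssassin (not cached, score=-4.17, required 6, "
    "autolearn=not spam, ALL_TRUSTED -1.80, BAYES_00 -2.60, "
    "HTML_MESSAGE 0.00, HTML_TAG_BALANCE_BODY 0.23)",
    "not spam, SpamAssassin (not cached, score=0,required 3, autolearn=not spam)",
    "spam, SpamAssassin (cached, score=8.726, required 3, URIBL_BLACK 3.00, "
    "URIBL_JP_SURBL 4.09, URIBL_SBL 1.64)",
]

SA_PART = re.compile(r"SpamAssassin\s*\(([^)]*)\)")
RULE = re.compile(r"^([A-Z][A-Z0-9_]*)\s+(-?\d+(?:\.\d+)?)$")


def parse_spamcheck(value):
    """Split a SpamCheck value into the verdict, list (RBL) hits and the
    SpamAssassin score, threshold and per-rule points."""
    value = " ".join(value.split())              # undo header folding
    sa = SA_PART.search(value)
    outside = value[:sa.start()] + value[sa.end():] if sa else value
    tokens = [t.strip() for t in outside.split(",") if t.strip()]
    if not tokens or tokens[0] not in ("spam", "not spam"):
        raise ValueError("unrecognised SpamCheck value: %r" % value)
    result = {"verdict": tokens[0], "list_hits": tokens[1:],
              "score": None, "required": None, "rules": {}}
    if sa:
        for field in (f.strip() for f in sa.group(1).split(",")):
            if field.startswith("score="):
                result["score"] = float(field[len("score="):])
            elif field.startswith("required "):
                result["required"] = float(field.split()[1])
            else:
                # "cached" and "autolearn=..." fall through without a match.
                m = RULE.match(field)
                if m:
                    result["rules"][m.group(1)] = float(m.group(2))
    return result


def spam_cause(r):
    """Return which check explains the verdict:
    'list', 'score', 'both', 'other' or 'clean'."""
    if r["verdict"] != "spam":
        return "clean"
    # Assumption: SpamAssassin counts a message as spam at score >= required.
    over = (r["score"] is not None and r["required"] is not None
            and r["score"] >= r["required"])
    if r["list_hits"]:
        return "both" if over else "list"
    return "score" if over else "other"


def rules_match_score(r):
    """True when the listed rule points add up to the reported score.
    Rule points are printed to two decimals, so allow 0.005 per rule."""
    if r["score"] is None:
        return False
    tolerance = 0.005 * max(1, len(r["rules"])) + 1e-9
    return abs(sum(r["rules"].values()) - r["score"]) <= tolerance


if __name__ == "__main__":
    for sample in SAMPLES:
        r = parse_spamcheck(sample)
        print("%-6s score=%s required=%s lists=%s rules=%d" % (
            spam_cause(r), r["score"], r["required"],
            r["list_hits"], len(r["rules"])))
```

For the first sample the cause is the list hit alone: the SpamAssassin score of -4.17 is far below the required 6, so the spam marking comes from the spamhaus-ZEN entry outside the parentheses.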
From: jbayer at bayertechnologygroup.com (Jonathan B Bayer)
Date: Mon Mar 12 14:46:56 2007
Subject: Spam score is negative, yet message is still marked as spam
In-Reply-To: <45F56403.6070209@radel.com>
References: <97621114.20070312093735@BayerTechnologyGroup.com> <20070312100044.4cb2156b@localhost> <9010224481.20070312101013@BayerTechnologyGroup.com> <45F56403.6070209@radel.com>
Message-ID: <141193871.20070312104018@BayerTechnologyGroup.com>

Hello Jon,

I got the version of RHE wrong. What I have is:

Red Hat Enterprise Linux ES release 4 (Nahant Update 4)

JBB

Monday, March 12, 2007, 10:30:27 AM, you wrote:

> Jonathan B Bayer wrote:
>> Hello Gerard,
>>
>> That is the version of Postfix that is supplied with RedHat Enterprise
>> 3. They will be coming out with Enterprise 4 soon, but I'm trying to
>> keep this as standard as possible.

> Who's they? :-) RHE v 3 came out in Sept 2003 and RHE v 4 came out in
> Feb 2005. RHE v 5 is the one coming out soon from Red Hat. I hope.

> --Jon Radel

-- 
Superior solutions for small business, home office and home users
Jonathan B Bayer,CEO       mailto:jbayer@BayerTechnologyGroup.com
Bayer Technology Group     Work: (609) 632-1200
23 Exeter Rd.              Mobile: (609) 658-9408
East Windsor, NJ 08520

From gerard at seibercom.net Mon Mar 12 16:01:39 2007
From: gerard at seibercom.net (Gerard Seibert)
Date: Mon Mar 12 15:08:10 2007
Subject: Spam score is negative, yet message is still marked as spam
In-Reply-To: <1E293D3FF63A3740B10AD5AAD88535D2048CB07A@UBIMAIL1.ubisoft.org>
References: <20070312100044.4cb2156b@localhost> <1E293D3FF63A3740B10AD5AAD88535D2048CB07A@UBIMAIL1.ubisoft.org>
Message-ID: <20070312110139.23fcce52@localhost>

On Mon, 12 Mar 2007 10:28:34 -0400 "Daniel Maher" wrote:

> Let it also be known that I plan to upgrade to 2.3.x in the very near
> future. :)

Why not '2.4' instead? It has several improvements for SASL and TLS,
among other changes. I have used the 2.4 beta for over a year now,
always keeping up to date with the snapshots, and find it to be a very
stable program.

-- 
Gerard

The best audience is intelligent, well-educated and a little drunk.

Maurice Baring

From akostocker at gmail.com Mon Mar 12 16:02:07 2007
From: akostocker at gmail.com (Tony Stocker)
Date: Mon Mar 12 15:08:33 2007
Subject: SpamAssassin 3.1.8
In-Reply-To:
References: <79755AA4E018084793EE618A2731F24C02B32B@HC-MBX01.herefordshire.gov.uk> <20070228130412.GC235@doctor.nl2k.ab.ca>
Message-ID: <7801ad8f0703120802i42bad7c3k4f8a1b8aecac44a5@mail.gmail.com>

All,

I APPEAR to be having problems with SA 3.1.8 and MailScanner.

I've used the RedHat rpm of spamassassin from the beginning without
problems. However on Tue Mar 6 this package was updated to
"spamassassin-3.1.8-2.el4". Ever since this package was updated a lot
more spam is coming through and not receiving any markings at all,
most of it has a score line similar to this:

"MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
score=0,required 3, autolearn=not spam)"

A number of these emails are HTML emails and I have a custom rule in
/etc/MailScanner/spam.assassin.prefs.conf which says:
"score HTML_MESSAGE 1.0"

So at the very least I would expect to see these messages score a 1.
But it's like the rule isn't being seen at all. However messages that
trigger a URIBL rule are being scored:

"MailScanner-SpamCheck: spam, SpamAssassin (cached, score=8.726,
required 3, URIBL_BLACK 3.00, URIBL_JP_SURBL 4.09, URIBL_SBL 1.64)"

I have NOT made any other changes to my configuration, and this
configuration was working *very* well until this package update.

What additional information can I provide to help you help me? :)

Thanks,
Tony

From a.peacock at chime.ucl.ac.uk Mon Mar 12 16:10:55 2007
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Mon Mar 12 15:17:57 2007
Subject: SpamAssassin 3.1.8
In-Reply-To: <7801ad8f0703120802i42bad7c3k4f8a1b8aecac44a5@mail.gmail.com>
References: <79755AA4E018084793EE618A2731F24C02B32B@HC-MBX01.herefordshire.gov.uk> <20070228130412.GC235@doctor.nl2k.ab.ca> <7801ad8f0703120802i42bad7c3k4f8a1b8aecac44a5@mail.gmail.com>
Message-ID: <45F56D7F.4030604@chime.ucl.ac.uk>

Hi,

Tony Stocker wrote:
> All,
>
> I APPEAR to be having problems with SA 3.1.8 and MailScanner.
>
> I've used the RedHat rpm of spamassassin from the beginning without
> problems. However on Tue Mar 6 this package was updated to
> "spamassassin-3.1.8-2.el4". Ever since this package was updated a lot
> more spam is coming through and not receiving any markings at all,
> most of it has a score line similar to this:
>
> "MailScanner-SpamCheck: not spam, SpamAssassin (not cached,
> score=0,required 3, autolearn=not spam)"
>
> A number of these emails are HTML emails and I have a custom rule in
> /etc/MailScanner/spam.assassin.prefs.conf which says:
> "score HTML_MESSAGE 1.0"
>
> So at the very least I would expect to see these messages score a 1.
> But it's like the rule isn't being seen at all. However messages that
> trigger a URIBL rule are being scored:
>
> "MailScanner-SpamCheck: spam, SpamAssassin (cached, score=8.726,
> required 3, URIBL_BLACK 3.00, URIBL_JP_SURBL 4.09, URIBL_SBL 1.64)"
>
> I have NOT made any other changes to my configuration, and this
> configuration was working *very* well until this package update.
>
> What additional information can I provide to help you help me? :)

To debug this I would first run spamassassin from the command line to
make sure there are no warnings, so...

spamassassin --lint
spamassassin --lint --debug < sample-email.txt

And go from there.

-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples
then you and I will still each have one apple. But if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw

From daniel.maher at ubisoft.com Mon Mar 12 16:13:57 2007
From: daniel.maher at ubisoft.com (Daniel Maher)
Date: Mon Mar 12 15:20:23 2007
Subject: Spam score is negative, yet message is still marked as spam
In-Reply-To: <20070312110139.23fcce52@localhost>
Message-ID: <1E293D3FF63A3740B10AD5AAD88535D2048CB195@UBIMAIL1.ubisoft.org>

> > Let it also be known that I plan to upgrade to 2.3.x in the very near
> > future. :)
>
> Why not '2.4' instead? It has several improvements for SASL and TLS,
> among other changes. I have used the 2.4 beta for over a year now,
> always keeping up to date with the snapshots, and find it to be a very
> stable program.

Frankly stated, my management here is very scared of the word "beta".
As a general rule, we run stable only, unless there is no other option.
This seems to be a pretty standard reality for most corporate
environments I've worked in. :/

-- 
  _
 °v°    Daniel Maher
/(_)\   Administrateur Système Unix
 ^ ^    Unix System Administrator

"To accomplish great things, we must not only act but also dream, not
only plan but also believe.". - Anatole France (1844-1924)

From akostocker at gmail.com Mon Mar 12 16:18:09 2007
From: akostocker at gmail.com (Tony Stocker)
Date: Mon Mar 12 15:24:35 2007
Subject: SpamAssassin 3.1.8
In-Reply-To: <45F56D7F.4030604@chime.ucl.ac.uk>
References: <79755AA4E018084793EE618A2731F24C02B32B@HC-MBX01.herefordshire.gov.uk> <20070228130412.GC235@doctor.nl2k.ab.ca> <7801ad8f0703120802i42bad7c3k4f8a1b8aecac44a5@mail.gmail.com> <45F56D7F.4030604@chime.ucl.ac.uk>
Message-ID: <7801ad8f0703120818k6d1e7827qaee0ed36923a830@mail.gmail.com>

On 3/12/07, Anthony Peacock wrote:

Anthony,

First thanks for the quick response and suggestions. Something does
seem to be up, interspersed output below.

>
> To debug this I would first run spamassassin from the command line to
> make sure there are no warnings, so...
>

Okay, I definitely got warnings. I'm guessing that the allowed
formats changed or something. Output of --lint is below. If anyone
can help point me in the direction of 'correcting' my config file
(which was working prior to this SA 3.1.8 upgrade) I'd really
appreciate it. Changing acceptable formats for config files between
versions is a pretty unfriendly thing to do.

> spamassassin --lint
>

# spamassassin --lint
[21412] warn: config: SpamAssassin failed to parse line, "= 450000" is not valid for "bayes_expiry_max_db_size", skipping: bayes_expiry_max_db_size = 450000
[21412] warn: config: SpamAssassin failed to parse line, "/usr/bin/pyzor" is not valid for "pyzor_path", skipping: pyzor_path /usr/bin/pyzor
[21412] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc
[21412] warn: config: warning: score set for non-existent rule HTML_IMAGE_ONLY_*
[21412] warn: lint: 4 issues detected, please rerun with debug enabled for more information

> And go from there.
>
> --
> Anthony Peacock
> CHIME, Royal Free & University College Medical School

From akostocker at gmail.com Mon Mar 12 16:26:56 2007
From: akostocker at gmail.com (Tony Stocker)
Date: Mon Mar 12 15:33:23 2007
Subject: SpamAssassin 3.1.8
In-Reply-To: <7801ad8f0703120818k6d1e7827qaee0ed36923a830@mail.gmail.com>
References: <79755AA4E018084793EE618A2731F24C02B32B@HC-MBX01.herefordshire.gov.uk> <20070228130412.GC235@doctor.nl2k.ab.ca> <7801ad8f0703120802i42bad7c3k4f8a1b8aecac44a5@mail.gmail.com> <45F56D7F.4030604@chime.ucl.ac.uk> <7801ad8f0703120818k6d1e7827qaee0ed36923a830@mail.gmail.com>
Message-ID: <7801ad8f0703120826i4fb5af4focf7623ab53a9e690@mail.gmail.com>

On the other hand, if I run a message through spamassassin from the
command line using 'spamassassin -t -D < [message]" I get a very high
score, for a message that previously scored 0:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.3 INFO_TLD               URI: Contains an URL in the INFO top-level domain
 0.1 HTML_TEXT_AFTER_BODY   BODY: HTML contains text after BODY close tag
 1.0 HTML_MESSAGE           BODY: HTML included in message
  15 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 1.4 HTML_10_20             BODY: Message is 10% to 20% HTML
 1.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]

So at some level my spamassassin config is working.

From dhawal at netmagicsolutions.com Mon Mar 12 16:31:10 2007
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Mon Mar 12 15:37:53 2007
Subject: Spam score is negative, yet message is still marked as spam
In-Reply-To: <20070312110139.23fcce52@localhost>
References: <20070312100044.4cb2156b@localhost> <1E293D3FF63A3740B10AD5AAD88535D2048CB07A@UBIMAIL1.ubisoft.org> <20070312110139.23fcce52@localhost>
Message-ID: <45F5723E.9060808@netmagicsolutions.com>

Gerard Seibert wrote:
> On Mon, 12 Mar 2007 10:28:34 -0400
> "Daniel Maher" wrote:
>
>> Let it also be known that I plan to upgrade to 2.3.x in the very near
>> future. :)
>
> Why not '2.4' instead? It has several improvements for SASL and TLS,
> among other changes. I have used the 2.4 beta for over a year now,
> always keeping up to date with the snapshots, and find it to be a very
> stable program.

2.4 is still a release candidate.. btw devel for 2.4 started late last
year (post a stable milter implementation in 2.3.3).. what are your
sources for a 2.4 beta releases for over a year??

i am sure you do that for every part of your distro.. run the latest
beta for everything.. right? some of us have better things to do than
wget whatever.tgz, tar xzf whatever.tgz, cd whatever, ./configure,
make, make install.. for every package in $DISTRO.

From a.peacock at chime.ucl.ac.uk Mon Mar 12 16:36:24 2007
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Mon Mar 12 15:42:59 2007
Subject: SpamAssassin 3.1.8
In-Reply-To: <7801ad8f0703120818k6d1e7827qaee0ed36923a830@mail.gmail.com>
References: <79755AA4E018084793EE618A2731F24C02B32B@HC-MBX01.herefordshire.gov.uk> <20070228130412.GC235@doctor.nl2k.ab.ca> <7801ad8f0703120802i42bad7c3k4f8a1b8aecac44a5@mail.gmail.com> <45F56D7F.4030604@chime.ucl.ac.uk> <7801ad8f0703120818k6d1e7827qaee0ed36923a830@mail.gmail.com>
Message-ID: <45F57378.8060002@chime.ucl.ac.uk>

Hi,

Tony Stocker wrote:
> On 3/12/07, Anthony Peacock wrote:
>
> Anthony,
>
> First thanks for the quick response and suggestions. Something does
> seem to be up, interspersed output below.
>
>>
>> To debug this I would first run spamassassin from the command line to
>> make sure there are no warnings, so...
>>
>
> Okay, I definitely got warnings. I'm guessing that the allowed
> formats changed or something. Output of --lint is below. If anyone
> can help point me in the direction of 'correcting' my config file
> (which was working prior to this SA 3.1.8 upgrade) I'd really
> appreciate it. Changing acceptable formats for config files between
> versions is a pretty unfriendly thing to do.
>
>> spamassassin --lint
>>
>
> # spamassassin --lint
> [21412] warn: config: SpamAssassin failed to parse line, "= 450000" is
> not valid for "bayes_expiry_max_db_size", skipping:
> bayes_expiry_max_db_size = 450000
> [21412] warn: config: SpamAssassin failed to parse line,
> "/usr/bin/pyzor" is not valid for "pyzor_path", skipping: pyzor_path
> /usr/bin/pyzor
> [21412] warn: config: failed to parse line, skipping: dcc_path
> /usr/local/bin/dccproc
> [21412] warn: config: warning: score set for non-existent rule
> HTML_IMAGE_ONLY_*
> [21412] warn: lint: 4 issues detected, please rerun with debug enabled
> for more information

The syntax for bayes_expiry_max_db_size does not include a '='
character, it should be:

bayes_expiry_max_db_size 450000

The syntax has been like this for ages, it hasn't changed for the new
version.

What I do seem to recall however, is that the latest version is a bit
more noisy about syntax errors in the config files.

-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples
then you and I will still each have one apple. But if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw

From martinh at solidstatelogic.com Mon Mar 12 16:41:08 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Mon Mar 12 15:47:59 2007
Subject: SpamAssassin 3.1.8
In-Reply-To: <7801ad8f0703120826i4fb5af4focf7623ab53a9e690@mail.gmail.com>
Message-ID: <571c1f8d3bbcc54aa4c6b7cd446f086e@solidstatelogic.com>

Tony

I'd check you haven't still got the old spamassassin version lying
around, and that's being found by MailScanner.

"MailScanner -debug -debug-sa" will help.

Did you install the original SA using the RH RPMS?

-- 
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-
> bounces@lists.mailscanner.info] On Behalf Of Tony Stocker
> Sent: 12 March 2007 15:27
> To: MailScanner discussion
> Subject: Re: SpamAssassin 3.1.8
>
> On the other hand, if I run a message through spamassassin from the
> command line using 'spamassassin -t -D < [message]" I get a very high
> score, for a message that previously scored 0:
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.3 INFO_TLD               URI: Contains an URL in the INFO top-level domain
>  0.1 HTML_TEXT_AFTER_BODY   BODY: HTML contains text after BODY close tag
>  1.0 HTML_MESSAGE           BODY: HTML included in message
>   15 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                             [score: 1.0000]
>  1.4 HTML_10_20             BODY: Message is 10% to 20% HTML
>  1.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
>  1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>                             [Blocked - see ]
>
> So at some level my spamassassin config is working.
From akostocker at gmail.com Mon Mar 12 16:56:50 2007
From: akostocker at gmail.com (Tony Stocker)
Date: Mon Mar 12 16:03:19 2007
Subject: SpamAssassin 3.1.8
In-Reply-To: <571c1f8d3bbcc54aa4c6b7cd446f086e@solidstatelogic.com>
References: <7801ad8f0703120826i4fb5af4focf7623ab53a9e690@mail.gmail.com> <571c1f8d3bbcc54aa4c6b7cd446f086e@solidstatelogic.com>
Message-ID: <7801ad8f0703120856t197f6041hfe25e524d621d98@mail.gmail.com>

On 3/12/07, Martin.Hepworth wrote:
> Tony

Martin,

Okay, apparently there IS a mismatch.

>
> I'd check you haven't still got the old spamassassin version lying
> around, and that's being found by MailScanner.
>
> "MailScanner -debug -debug-sa" will help.
>

[22833] dbg: generic: SpamAssassin version 3.1.3

config: configuration file "/usr/share/spamassassin/20_advance_fee.cf"
requires version 3.001008 of SpamAssassin, but this is code version
3.001003. Maybe you need to use the -C switch, or remove the old
config files? Skipping this file at
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line
344.

> Did you install the original SA using the RH RPMS?
>

Going back through my notes it appears that I used the
MailScanner-ClamAV-SA package. The original RH spamassassin RPM
package was already installed prior to installing it.

What's the best way to resolve this? Should I install the latest
mailscanner-clam-sa package?

Thanks for the help,
Tony

> --
> Martin Hepworth
> Snr Systems Administrator

From ssilva at sgvwater.com Mon Mar 12 17:17:19 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Mar 12 16:31:36 2007
Subject: RBL's
In-Reply-To: <45F523E1.1080501@katy.com>
References: <45EF13F7.3050602@fcen.uba.ar> <04D932B0071FE34FA63EBB1977B48D15024FC0BC@woodenex.woodmaclaw.local> <20070307152055.14adc557@localhost> <45F3B2F7.2010405@katy.com> <45F3EBF3.6030700@alexb.ch> <45F523E1.1080501@katy.com>
Message-ID:

John Schmerold spake the following on 3/12/2007 2:56 AM:
> We do cbl.abuseat.org before Zen to keep from exceeding Zen's daily
> lookup policy. We're pretty close to 100 users and do not want to get
> into high volume category.
>
> Thanks for heads up regarding ws.surbl.org, good example of a little
> knowledge being a bad thing.
>
But won't that just double the lookups? Or do the lookups end on the first hit?

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Mon Mar 12 17:29:27 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Mar 12 16:36:48 2007
Subject: SpamAssassin 3.1.8
In-Reply-To: <7801ad8f0703120856t197f6041hfe25e524d621d98@mail.gmail.com>
References: <7801ad8f0703120826i4fb5af4focf7623ab53a9e690@mail.gmail.com> <571c1f8d3bbcc54aa4c6b7cd446f086e@solidstatelogic.com> <7801ad8f0703120856t197f6041hfe25e524d621d98@mail.gmail.com>
Message-ID:

Tony Stocker spake the following on 3/12/2007 8:56 AM:
> On 3/12/07, Martin.Hepworth wrote:
>> Tony
>
> Martin,
>
> Okay, apparently there IS a mismatch.
>
>>
>> I'd check you haven't still got the old spamassassin version lying
>> around, and that's being found by MailScanner.
>>
>> "MailScanner -debug -debug-sa" will help.
>>
>
> [22833] dbg: generic: SpamAssassin version 3.1.3
>
> config: configuration file "/usr/share/spamassassin/20_advance_fee.cf"
> requires version 3.001008 of SpamAssassin, but this is code version
> 3.001003. Maybe you need to use the -C switch, or remove the old
> config files? Skipping this file at
> /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line
> 344.
>
>> Did you install the original SA using the RH RPMS?
>>
>
> Going back through my notes it appears that I used the
> MailScanner-ClamAV-SA package. The original RH spamassassin RPM
> package was already installed prior to installing it.
>
> What's the best way to resolve this? Should I install the latest
> mailscanner-clam-sa package?
>
> Thanks for the help,

You need to pick ONE method of installing this, and stick with it. If you are
going to use the clam-sa package, use it every time and rpm -e spamassassin.
If you are going to use the rpm's, you will need to manually go and find /
delete the spamassassin installed by the clam-sa package.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Mon Mar 12 17:15:16 2007
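The lint warnings and the version-mismatch message quoted in the SpamAssassin 3.1.8 thread above can be sorted mechanically. The following is an added example, not part of any post and not SpamAssassin or MailScanner code; its patterns are written against the exact wording quoted on this page and other versions may word these messages differently. It also decodes the 3.001008-style version numbers into the familiar 3.1.8 form.

```python
import re

# Output copied from the posts on this page, with the mail client's
# line wraps removed so that each message is on one line.
LINT_OUTPUT = """\
[21412] warn: config: SpamAssassin failed to parse line, "= 450000" is not valid for "bayes_expiry_max_db_size", skipping: bayes_expiry_max_db_size = 450000
[21412] warn: config: SpamAssassin failed to parse line, "/usr/bin/pyzor" is not valid for "pyzor_path", skipping: pyzor_path /usr/bin/pyzor
[21412] warn: config: failed to parse line, skipping: dcc_path /usr/local/bin/dccproc
[21412] warn: config: warning: score set for non-existent rule HTML_IMAGE_ONLY_*
[21412] warn: lint: 4 issues detected, please rerun with debug enabled for more information
"""

DEBUG_OUTPUT = """\
[22833] dbg: generic: SpamAssassin version 3.1.3
config: configuration file "/usr/share/spamassassin/20_advance_fee.cf" requires version 3.001008 of SpamAssassin, but this is code version 3.001003. Maybe you need to use the -C switch, or remove the old config files? Skipping this file at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Conf/Parser.pm line 344.
"""

# Order matters: the first pattern that matches a line wins.
PATTERNS = [
    ("bad_value", re.compile(
        r'failed to parse line, "(?P<value>[^"]*)" is not valid for '
        r'"(?P<option>[^"]+)"')),
    ("unparsed", re.compile(
        r'config: failed to parse line, skipping: (?P<line>.+)$')),
    ("unknown_rule", re.compile(
        r'score set for non-existent rule (?P<rule>\S+)')),
    ("version_mismatch", re.compile(
        r'configuration file "(?P<file>[^"]+)" requires version '
        r'(?P<wants>\d+\.\d{6}) of SpamAssassin, but this is code version '
        r'(?P<have>\d+\.\d{6})')),
    ("summary", re.compile(r'lint: (?P<count>\d+) issues? detected')),
]


def decode_version(numeric):
    """'3.001008' -> (3, 1, 8): three digits each for minor and patch."""
    major, frac = numeric.split(".")
    return (int(major), int(frac[:3]), int(frac[3:6]))


def triage(output):
    """Classify each recognised line; unrecognised lines are skipped."""
    findings = []
    for line in output.splitlines():
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            finding = dict(m.groupdict(), kind=kind)
            if kind == "version_mismatch":
                finding["wants"] = decode_version(finding["wants"])
                finding["have"] = decode_version(finding["have"])
            elif kind == "summary":
                finding["count"] = int(finding["count"])
            findings.append(finding)
            break
    return findings


def stale_code(findings):
    """Rule files that are newer than the SpamAssassin code reading them,
    the sign of two installs on one host: (file, code version, wanted)."""
    return [(f["file"], f["have"], f["wants"]) for f in findings
            if f["kind"] == "version_mismatch" and f["have"] < f["wants"]]


if __name__ == "__main__":
    for f in triage(LINT_OUTPUT) + triage(DEBUG_OUTPUT):
        print(f)
    print("stale code:", stale_code(triage(DEBUG_OUTPUT)))
```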
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Mar 12 16:46:36 2007
Subject: dealing with dictionary attacks
In-Reply-To:
References: <45EBE85C.90507@fractalweb.com> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <223f97700703100531q6c8afb4ag7db5a33ab732480b@mail.gmail.com> <625385e30703100555v616d7bg5d7a5341750dc945@mail.gmail.com> <625385e30703101425k2d6985d2j7c717cddbe125de5@mail.gmail.com>
Message-ID:

Res spake the following on 3/12/2007 3:20 AM:
> On Sat, 10 Mar 2007, shuttlebox wrote:
>
>> On 3/10/07, Res wrote:
>>>
>>> Thank you shuttle, you have just proved what I set out to do.. prove
>>> that
>>> the OK to be OT is very selective around here.
>
>>
>> You're always giving people a hard time when they are not up to your
>> high standards so it's kind of surprising to me that you of all people
>> ask for more OT leeway.
>
> I'm not asking for any leeway, OT = OT, my point was made, that being
> some people seem to think some unrelated to MailScanner crud is OK,
> where other unrelated topics are not.
>
>> And I am kind of forced to read this since I'm subscribed to this
>> otherwise excellent list and several of you often post technically
>
> No one said remove yourself, I said filter me, if your email provider
> can not do that, then I think it's time to maybe use your own service
> where you have direct control.
>
>> delete them without reading or at least looking at them first.
>
> Sure you can, if you know how to work filters, look in the message ID, I
> only use this client in this group.
>
>> The broadest definition of spam I know of is simply unwanted mail and
>> this is definitely that to me.
>
> rubbish, Spam = unsolicited commercial or broadcast email, you
> voluntarily subscribed to this list, therefore you accept any and all
> posted content from the list, if you so desire not to, then you filter
> said person.
>
So I can start posting those Vi#@$ra ads?

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From gerard at seibercom.net Mon Mar 12 18:19:00 2007
From: gerard at seibercom.net (Gerard Seibert)
Date: Mon Mar 12 17:25:31 2007
Subject: Spam score is negative, yet message is still marked as spam
In-Reply-To: <45F5723E.9060808@netmagicsolutions.com>
References: <20070312100044.4cb2156b@localhost> <1E293D3FF63A3740B10AD5AAD88535D2048CB07A@UBIMAIL1.ubisoft.org> <20070312110139.23fcce52@localhost> <45F5723E.9060808@netmagicsolutions.com>
Message-ID: <20070312131900.3b2ade92@localhost>

On Mon, 12 Mar 2007 21:01:10 +0530 Dhawal Doshy wrote:

> 2.4 is still a release candidate.. btw devel for 2.4 started late
> last year (post a stable milter implementation in 2.3.3).. what are
> your sources for a 2.4 beta releases for over a year??
>
> i am sure you do that for every part of your distro.. run the latest
> beta for everything.. right? some of us have better things to do than
> wget whatever.tgz, tar xzf whatever.tgz, cd whatever, ./configure,
> make, make install.. for every package in $DISTRO.

I am using FreeBSD-6.2 presently. The updating of the port, in this
case Postfix, is virtually automatic. This is the:
/usr/ports/mail/postfix-current port specifically.

To update the port, all I need do is run 'portsnap fetch update' to get
a current port image and then run 'portmanager -u -l' to update all
files or just 'portmanager /mail/postfix-current -l' to update that
port by itself.

Actually, yes I do try and keep my system relatively up-to-date. I have
it all set to run from a script I created and then have CRON execute it
once weekly. Simple, easy and painless.

I am not sure exactly when 2.4 was released; however, I was using it, if
I remember correctly, last June or so. Not really very important though.

-- 
Gerard

"Outside of a dog, a book is a man's best friend: and inside a dog, it's
too dark to read."

Groucho Marx

From john at katy.com Mon Mar 12 18:20:47 2007
From: john at katy.com (John Schmerold)
Date: Mon Mar 12 17:27:27 2007
Subject: RBL's
In-Reply-To:
References: <45EF13F7.3050602@fcen.uba.ar> <04D932B0071FE34FA63EBB1977B48D15024FC0BC@woodenex.woodmaclaw.local> <20070307152055.14adc557@localhost> <45F3B2F7.2010405@katy.com> <45F3EBF3.6030700@alexb.ch> <45F523E1.1080501@katy.com>
Message-ID: <45F58BEF.3030603@katy.com>

Good question. Postfix stops after first hit:

[root@mx1 ~]# grep -ric "blocked using zen.spamhaus.org" /var/log/maillog.1
207
[root@mx1 ~]# grep -ric "blocked using cbl.abuseat.org" /var/log/maillog.1
3251
[root@mx1 ~]#
[root@mx1 ~]# grep -ri 213.160.182.228 /var/log/maillog
Mar 12 07:38:33 mx1 postfix/smtpd[28494]: connect from static-dsl-228.213-160-182.telecom.sk[213.160.182.228]
Mar 12 07:38:34 mx1 postfix/smtpd[28494]: NOQUEUE: reject_warning: EHLO from static-dsl-228.213-160-182.telecom.sk[213.160.182.228]: 450 : Helo command rejected: Host not found; proto=SMTP helo=
Mar 12 07:38:34 mx1 postfix/smtpd[28494]: NOQUEUE: reject: RCPT from static-dsl-228.213-160-182.telecom.sk[213.160.182.228]: 554 Service unavailable; Client host [213.160.182.228] blocked using cbl.abuseat.org; Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=213.160.182.228; from= to= proto=ESMTP helo=
Mar 12 07:38:34 mx1 postfix/smtpd[28494]: disconnect from static-dsl-228.213-160-182.telecom.sk[213.160.182.228]
[root@mx1 ~]#

Scott Silva wrote:
> John Schmerold spake the following on 3/12/2007 2:56 AM:
>> We do cbl.abuseat.org before Zen to keep from exceeding Zen's daily
>> lookup policy. We're pretty close to 100 users and do not want to get
>> into high volume category.
>>
>> Thanks for heads up regarding ws.surbl.org, good example of a little
>> knowledge being a bad thing.
>>
> But won't that just double the lookups? Or do the lookups end on the first hit?
>

From akostocker at gmail.com Mon Mar 12 18:17:08 2007
From: akostocker at gmail.com (Tony Stocker)
Date: Mon Mar 12 17:30:43 2007
Subject: SpamAssassin 3.1.8
In-Reply-To:
References: <7801ad8f0703120826i4fb5af4focf7623ab53a9e690@mail.gmail.com> <571c1f8d3bbcc54aa4c6b7cd446f086e@solidstatelogic.com> <7801ad8f0703120856t197f6041hfe25e524d621d98@mail.gmail.com>
Message-ID: <7801ad8f0703121017r4bcf352dx30574cd4d98b501b@mail.gmail.com>

On 3/12/07, Scott Silva wrote:
> You need to pick ONE method of installing this, and stick with it. If you are
> going to use the clam-sa package, use it every time and rpm -e spamassassin.
> If you are going to use the rpm's, you will need to manually go and find /
> delete the spamassassin installed by the clam-sa package.
>

Scott,

Okay, I removed the RH rpm of spamassassin, but this has the side
effect of removing all of the SA rules in /usr/share/spamassassin.
Since these rules are not recreated with the
install-Clam-0.88.7-SA-3.1.8 package, I'm assuming that I have to get
a spamassassin tarball in order to install them. Correct? Without
these rules in place, I go back to the problem of no scoring. I
recovered the directory from backup, rather than reinstall the rpm,
and it alleviated it.

Basically the current situation is this:
* Installed install-Clam-0.88.7-SA-3.1.8
* Removed RH rpm of spamassassin
* Recovered /usr/share/spamassassin directory and contents
* Status: Spam scoring working once again, as expected.

I just want to know for the future if I'll need to download and
install a spamassassin tar file as well as the MailScanner Clam-SA tar
file.

Thanks for all the help everybody.

Tony

From ssilva at sgvwater.com Mon Mar 12 18:34:48 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Mar 12 17:41:44 2007
Subject: SpamAssassin 3.1.8
In-Reply-To: <7801ad8f0703121017r4bcf352dx30574cd4d98b501b@mail.gmail.com>
References: <7801ad8f0703120826i4fb5af4focf7623ab53a9e690@mail.gmail.com> <571c1f8d3bbcc54aa4c6b7cd446f086e@solidstatelogic.com> <7801ad8f0703120856t197f6041hfe25e524d621d98@mail.gmail.com> <7801ad8f0703121017r4bcf352dx30574cd4d98b501b@mail.gmail.com>
Message-ID:

Tony Stocker spake the following on 3/12/2007 10:17 AM:
> On 3/12/07, Scott Silva wrote:
>> You need to pick ONE method of installing this, and stick with it. If
>> you are
>> going to use the clam-sa package, use it every time and rpm -e
>> spamassassin.
>> If you are going to use the rpm's, you will need to manually go and
>> find /
>> delete the spamassassin installed by the clam-sa package.
>>
> Scott,
>
> Okay, I removed the RH rpm of spamassassin, but this has the side
> effect of removing all of the SA rules in /usr/share/spamassassin.
> Since these rules are not recreated with the
> install-Clam-0.88.7-SA-3.1.8 package, I'm assuming that I have to get
> a spamassassin tarball in order to install them. Correct? Without
> these rules in place, I go back to the problem of no scoring. I
> recovered the directory from backup, rather than reinstall the rpm,
> and it alleviated it.
>
> Basically the current situation is this:
> * Installed install-Clam-0.88.7-SA-3.1.8
> * Removed RH rpm of spamassassin
> * Recovered /usr/share/spamassassin directory and contents
> * Status: Spam scoring working once again, as expected.
>
> I just want to know for the future if I'll need to download and
> install a spamassassin tar file as well as the MailScanner Clam-SA tar
> file.
>
> Thanks for all the help everybody.
>
> Tony

You should always remove the rpm BEFORE installing with the clam-sa package.
Otherwise, you will get the effect you saw. RPM will remove all files it
thinks it installed.

There is a newer tarball floating around with clam 0.90.1 if you want it.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mailscanner at yeticomputers.com Mon Mar 12 18:39:17 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Mon Mar 12 17:45:54 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <223f97700703100531q6c8afb4ag7db5a33ab732480b@mail.gmail.com> <625385e30703100555v616d7bg5d7a5341750dc945@mail.gmail.com> <625385e30703101425k2d6985d2j7c717cddbe125de5@mail.gmail.com> Message-ID: <45F59045.6050905@yeticomputers.com> Res wrote: > I'm not asking for any leeway, OT = OT, my point was made, that being > some people seem to think some unrelated to MailScanner crud is OK, > where other unrelated topics are not. I agree, Res. OT=OT. That said, I still don't think that OT posts are a bad thing. In fact, it's the OT posts that build a sense of community. Without this kind of discussion people with strong opinions and a lot of attitude (like myself, maybe, or... maybe someone else in this discussion) become known for just their opinions and not for what kind of person they are, what their background is, etc.. Without off-topic discussions, nobody would know to tell me that you're a "nice guy under the prickly surface", something which I already knew - from reading the off-topic posts. (And obviously I don't post enough, because if I did, Glenn would have known that I don't need to "chill out" - that one certainly wasn't one of my "unchilled" posts. :) ) I wouldn't know that you're an old-timer like me. We wouldn't know that English isn't Glenn's native tongue. (It's refreshing to know that native speakers are still better at mangling the language. :) ) It is, of course, up to the owner of any mailing list to set the policy for their list, but I believe that a strict rule barring off-topic posts stifles the usefulness of such things. Rick From dhawal at netmagicsolutions.com Mon Mar 12 18:40:19 2007 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Mon Mar 12 17:46:59 2007 Subject: Spam score is negative, yet message is still marked as spam In-Reply-To: <20070312131900.3b2ade92@localhost> References: <20070312100044.4cb2156b@localhost> <1E293D3FF63A3740B10AD5AAD88535D2048CB07A@UBIMAIL1.ubisoft.org> <20070312110139.23fcce52@localhost> <45F5723E.9060808@netmagicsolutions.com> <20070312131900.3b2ade92@localhost> Message-ID: <45F59083.3080805@netmagicsolutions.com> Gerard Seibert wrote: > On Mon, 12 Mar 2007 21:01:10 +0530 > Dhawal Doshy wrote: > >> 2.4 is still a release candidate.. btw devel for 2.4 started late >> last year (post a stable milter implementation in 2.3.3).. what are >> your sources for a 2.4 beta releases for over a year?? >> >> i am sure you do that for every part of your distro.. run the latest >> beta for everything.. right? some of us have better things to do than >> wget whatever.tgz, tar xzf whatever.tgz,cd whatever, ./configure, >> make, make install.. for every package in $DISTRO. > > I am using FreeBSD-6.2 presently. The updating of the port, in this Why 6.2 and not 7.0-CURRENT?? you only need to answer this question to yourself.. anyways there was a nice reply by Viktor on the postfix list today in reference to postfix versions, which does validate your point of view as well but at the same time says 'whatever rocks your boat' (as Glenn puts it), i'll paste the URL here for convenience.. http://article.gmane.org/gmane.mail.postfix.user/160371 While running the latest/greatest does have its advantages.. if an older version does fit the requirements, then there is no urge/reason to upgrade.. Finally if your distro (say rhel for instance) backports important fixes, all the more reason to not run bleeding-edge and stick to distro-stable. For some the thrill lies in latest/greatest, for others the thrill is in stability (dealing with the known devil).. whatever rocks your boat.. 
;-) From akostocker at gmail.com Mon Mar 12 18:43:24 2007 From: akostocker at gmail.com (Tony Stocker) Date: Mon Mar 12 17:49:50 2007 Subject: SpamAssassin 3.1.8 In-Reply-To: References: <7801ad8f0703120826i4fb5af4focf7623ab53a9e690@mail.gmail.com> <571c1f8d3bbcc54aa4c6b7cd446f086e@solidstatelogic.com> <7801ad8f0703120856t197f6041hfe25e524d621d98@mail.gmail.com> <7801ad8f0703121017r4bcf352dx30574cd4d98b501b@mail.gmail.com> Message-ID: <7801ad8f0703121043v7b6ea368iae56bcf53ad2f6b0@mail.gmail.com> On 3/12/07, Scott Silva wrote: > You should always remove the rpm BEFORE installing with the clam-sa package. > Otherwise, you will get the effect you saw. RPM will remove all files it > thinks it installed. There is a newer tarball floating around with clam 0.90.1 > if you want it. > Scott, I thought that was the case, so I reinstalled the install-Clam-SA tarball (after removing the RPM), but it did not appear to create these files anywhere. That's why I was wondering if I needed to install another package in addition to it, in order to get those .cf files. Thanks for the help! Tony From dhawal at netmagicsolutions.com Mon Mar 12 19:02:27 2007 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Mon Mar 12 18:09:10 2007 Subject: dealing with dictionary attacks In-Reply-To: <45F59045.6050905@yeticomputers.com> References: <45EBE85C.90507@fractalweb.com> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <223f97700703100531q6c8afb4ag7db5a33ab732480b@mail.gmail.com> <625385e30703100555v616d7bg5d7a5341750dc945@mail.gmail.com> <625385e30703101425k2d6985d2j7c717cddbe125de5@mail.gmail.com> <45F59045.6050905@yeticomputers.com> Message-ID: <45F595B3.1080301@netmagicsolutions.com> Rick Chadderdon wrote: > Res wrote: >> I'm not asking for any leeway, OT = OT, my point was made, that being >> some people seem to think some unrelated to MailScanner crud is OK, >> where other unrelated topics are not. > I agree, Res. OT=OT. That said, I still don't think that OT posts are > a bad thing. In fact, it's the OT posts that build a sense of > community. Without this kind of discussion people with strong opinions > and a lot of attitude (like myself, maybe, or... maybe someone else in > this discussion) become known for just their opinions and not for what > kind of person they are, what their background is, etc.. Without > off-topic discussions, nobody would know to tell me that you're a "nice > guy under the prickly surface", something which I already knew - from > reading the off-topic posts. (And obviously I don't post enough, because > if I did, Glenn would have known that I don't need to "chill out" - that > one certainly wasn't one of my "unchilled" posts. :) ) I wouldn't know > that you're an old-timer like me. We wouldn't know that English isn't > Glenn's native tongue. (It's refreshing to know that native speakers > are still better at mangling the language. 
:) ) > > It is, of course, up to the owner of any mailing list to set the policy > for their list, but I believe that a strict rule barring off-topic posts > stifles the usefulness of such things. it all depends on the signal-to-noise ratio.. once any list starts reducing in usefulness, there are people who'll either complain OR simply quit.. For something like anti-spam, there are bound to be off-but-related-topics once in a while and at some times out-weigh relevant topics.. For instance mailscanner without a MTA is mostly useless (unless you use it with squid OR a blog).. similarly mailscanner without spamassassin is a yes/no approach rather than a probabilistic approach. There are always going to be questions about integration / installation issues with $MTA, SA, AV etc.. there is not much you can do about it.. no matter how well it may be documented in the wiki, FAQ, MAQ.. From gerard at seibercom.net Mon Mar 12 19:12:36 2007 
From: gerard at seibercom.net (Gerard Seibert) Date: Mon Mar 12 18:19:09 2007 Subject: Spam score is negative, yet message is still marked as spam In-Reply-To: <45F59083.3080805@netmagicsolutions.com> References: <20070312100044.4cb2156b@localhost> <1E293D3FF63A3740B10AD5AAD88535D2048CB07A@UBIMAIL1.ubisoft.org> <20070312110139.23fcce52@localhost> <45F5723E.9060808@netmagicsolutions.com> <20070312131900.3b2ade92@localhost> <45F59083.3080805@netmagicsolutions.com> Message-ID: <20070312141236.5682e8aa@localhost> On Mon, 12 Mar 2007 23:10:19 +0530 Dhawal Doshy wrote: > Why 6.2 and not 7.0-CURRENT?? you only need to answer this question > to yourself.. anyways there was a nice reply by Viktor on the postfix > list today in reference to postfix versions, which does validate your > point of view as well but at the same time says 'whatever rocks your > boat' (as Glenn puts it), i'll paste the URL here for convenience.. > > http://article.gmane.org/gmane.mail.postfix.user/160371 Yes, I read that post when it appeared on the Postfix forum. As far as '7.0' goes, I only have three computers at the present that I can mess with personally. Updating a program is one thing; an entire OS is quite another. Besides, I hope to install '7.0' on another PC I am getting soon. > While running the latest/greatest does have its advantages.. if an > older version does fit the requirements, then there is no urge/reason > to upgrade.. Finally if your distro (say rhel for instance) backports > important fixes, all the more reason to not run bleeding-edge and > stick to distro-stable. For some the thrill lies in latest/greatest, > for others the thrill is in stability (dealing with the known devil).. Since I am running FBSD, I am not sure what exactly you are referring to. I have never run anything other than this and Windows obviously. I think FBSD offers a lot more options when it comes to keeping a system current than some of the other OS's that I have investigated. 
That is one of the prime reasons I choose to use it. From what you were describing in your previous post regarding updating, I am sure of it. If I had to go through all that just to update a program, I would go back to Microsoft. As you stated though, whatever ... -- Gerard QOTD: Money isn't everything, but at least it keeps the kids in touch. From dhawal at netmagicsolutions.com Mon Mar 12 19:50:50 2007 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Mon Mar 12 18:57:33 2007 Subject: Spam score is negative, yet message is still marked as spam In-Reply-To: <20070312141236.5682e8aa@localhost> References: <20070312100044.4cb2156b@localhost> <1E293D3FF63A3740B10AD5AAD88535D2048CB07A@UBIMAIL1.ubisoft.org> <20070312110139.23fcce52@localhost> <45F5723E.9060808@netmagicsolutions.com> <20070312131900.3b2ade92@localhost> <45F59083.3080805@netmagicsolutions.com> <20070312141236.5682e8aa@localhost> Message-ID: <45F5A10A.1040404@netmagicsolutions.com> Gerard Seibert wrote: > On Mon, 12 Mar 2007 23:10:19 +0530 > Dhawal Doshy wrote: > >> While running the latest/greatest does have its advantages.. if an >> older version does fit the requirements, then there is no urge/reason >> to upgrade.. Finally if your distro (say rhel for instance) backports >> important fixes, all the more reason to not run bleeding-edge and >> stick to distro-stable. For some the thrill lies in latest/greatest, >> for others the thrill is in stability (dealing with the known devil).. > > Since I am running FBSD, I am not sure what exactly you are referring > to. I have never run anything other than this and Windows obviously. I > think FBSD offers a lot more options when it comes to keeping a system > current than some of the other OS's that I have investigated. That is > one of the prime reasons I choose to use it. From what you were > describing in your previous post regarding updating, I am sure of it. > If I had to go through all that just to update a program, I would go > back to Microsoft. There we go again.. it's not about your $OS is better than mine.. it's about the stable v/s bleeding-edge $app.. but now that you mention, all that $myos requires is a 'yum update app' OR 'yum --enablerepo=bleeding-edge update app' and not a port* this, port* that. From ssilva at sgvwater.com Mon Mar 12 20:30:50 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Mar 12 19:37:48 2007 Subject: SpamAssassin 3.1.8 In-Reply-To: <7801ad8f0703121043v7b6ea368iae56bcf53ad2f6b0@mail.gmail.com> References: <7801ad8f0703120826i4fb5af4focf7623ab53a9e690@mail.gmail.com> <571c1f8d3bbcc54aa4c6b7cd446f086e@solidstatelogic.com> <7801ad8f0703120856t197f6041hfe25e524d621d98@mail.gmail.com> <7801ad8f0703121017r4bcf352dx30574cd4d98b501b@mail.gmail.com> <7801ad8f0703121043v7b6ea368iae56bcf53ad2f6b0@mail.gmail.com> Message-ID: Tony Stocker spake the following on 3/12/2007 10:43 AM: > On 3/12/07, Scott Silva wrote: >> You should always remove the rpm BEFORE installing with the clam-sa >> package. >> Otherwise, you will get the effect you saw. RPM will remove all files it >> thinks it installed. There is a newer tarball floating around with >> clam 0.90.1 >> if you want it. >> > Scott, > > I thought that was the case, so I reinstalled the install-Clam-SA > tarball (after removing the RPM), but it did not appear to create > these files anywhere. That's why I was wondering if I needed to > install another package in addition to it, in order to get those .cf > files. > > Thanks for the help! > Tony The script seems to check if you are running the one included in the tarball. It probably didn't install it again since it thought it was installed. I have been installing from the tarball since 3.0.0, and have never had a problem. If you need the spamassassin tarball it is already in the main clam-sa tarball as that is where it is installed from. Try installing in a clean environment with the clam-sa tarball if you aren't sure you want to trust it. You can use a vmware image or some other virtualization product to play with this. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Mon Mar 12 20:38:00 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Mar 12 19:44:40 2007 Subject: dealing with dictionary attacks In-Reply-To: <45F595B3.1080301@netmagicsolutions.com> References: <45EBE85C.90507@fractalweb.com> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <223f97700703100531q6c8afb4ag7db5a33ab732480b@mail.gmail.com> <625385e30703100555v616d7bg5d7a5341750dc945@mail.gmail.com> <625385e30703101425k2d6985d2j7c717cddbe125de5@mail.gmail.com> <45F59045.6050905@yeticomputers.com> <45F595B3.1080301@netmagicsolutions.com> Message-ID: Dhawal Doshy spake the following on 3/12/2007 11:02 AM: > Rick Chadderdon wrote: >> Res wrote: >>> I'm not asking for any leeway, OT = OT, my point was made, that being >>> some people seem to think some unrelated to MailScanner crud is OK, >>> where other unrelated topics are not. >> I agree, Res. OT=OT. That said, I still don't think that OT posts are >> a bad thing. In fact, it's the OT posts that build a sense of >> community. Without this kind of discussion people with strong opinions >> and a lot of attitude (like myself, maybe, or... maybe someone else in >> this discussion) become known for just their opinions and not for what >> kind of person they are, what their background is, etc.. Without >> off-topic discussions, nobody would know to tell me that you're a "nice >> guy under the prickly surface", something which I already knew - from >> reading the off-topic posts. (And obviously I don't post enough, because >> if I did, Glenn would have known that I don't need to "chill out" - that >> one certainly wasn't one of my "unchilled" posts. :) ) I wouldn't know >> that you're an old-timer like me. We wouldn't know that English isn't >> Glenn's native tongue. (It's refreshing to know that native speakers >> are still better at mangling the language. 
:) ) >> >> It is, of course, up to the owner of any mailing list to set the policy >> for their list, but I believe that a strict rule barring off-topic posts >> stifles the usefulness of such things. > > it all depends on the signal-to-noise ratio.. once any list starts > reducing in usefulness, there are people who'll either complain OR > simply quit.. > > For something like anti-spam, there are bound to be > off-but-related-topics once in a while and at some times out-weigh > relevant topics.. For instance mailscanner without a MTA is mostly > useless (unless you use it with squid OR a blog).. similarly mailscanner > without spamassassin is a yes/no approach rather than a probabilistic > approach. There are always going to be questions about integration / > installation issues with $MTA, SA, AV etc.. there is not much you can do > about it.. no matter how well it may be documented in the wiki, FAQ, MAQ.. > Would it appease the anti OT people if something was added to the subject stating that it is OT? That way you could filter any OT that you don't want to see. I just read the list through GMANE, and mark thread as read if I lose interest in a topic. I have to agree that a too-strict list will stop the building of relationships between people from diverse and interesting locales. How would I know anything about some of the more colorful people on this list? I doubt I will be able to visit their countries any time soon. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From mikael at syska.dk Mon Mar 12 20:40:43 2007 
From: mikael at syska.dk (Mikael Syska) Date: Mon Mar 12 19:47:28 2007 Subject: What MTA ... Message-ID: <45F5ACBB.8040108@syska.dk> Hi, First off ... I don't want to start a flamewar of any kind here ..... please. I have used Postfix for about a year and it's fairly easy to use, used it with VDA ... and multiple domains ... so I wanted to try a new MTA. One of the 3 others ... So my question is ... what works best with MS? since Postfix got some issues with MS ( not that it has any effect, after what I have read ) I still want to try a new ... maybe I will like Postfix best after I have tried the other, you'll never know.... // ouT From campbell at cnpapers.com Mon Mar 12 21:18:15 2007 From: campbell at cnpapers.com (Steve Campbell) Date: Mon Mar 12 20:24:57 2007 Subject: dealing with dictionary attacks References: <45EBE85C.90507@fractalweb.com><45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <223f97700703100531q6c8afb4ag7db5a33ab732480b@mail.gmail.com> <625385e30703100555v616d7bg5d7a5341750dc945@mail.gmail.com> <625385e30703101425k2d6985d2j7c717cddbe125de5@mail.gmail.com> <45F59045.6050905@yeticomputers.com> Message-ID: <022c01c764e3$91217030$0705000a@ddf5dw71> ----- Original Message ----- 
From: "Rick Chadderdon" To: "MailScanner discussion" Sent: Monday, March 12, 2007 1:39 PM Subject: Re: dealing with dictionary attacks > It is, of course, up to the owner of any mailing list to set the policy > for their list, but I believe that a strict rule barring off-topic posts > stifles the usefulness of such things. > > Rick > -- I agree that OT is a good thing within reason. I have learned most of what I know about Sendmail from this list. (That is - two of the three things I know about Sendmail). A gracious reply to my OT question as opposed to a "get it out of this list" or "look it up yourself" does wonders for the respect a list and its members gain from me. 'Course I always try to Google first. Steve From ssilva at sgvwater.com Mon Mar 12 21:20:09 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Mar 12 20:29:24 2007 Subject: What MTA ... In-Reply-To: <45F5ACBB.8040108@syska.dk> References: <45F5ACBB.8040108@syska.dk> Message-ID: Mikael Syska spake the following on 3/12/2007 12:40 PM: > Hi, > > First off ... I don't want to start a flamewar of any kind here ..... > please. > > I have used Postfix for about a year and it's fairly easy to use, used it > with VDA ... and multiple domains ... so I wanted to try a new MTA. > > One of the 3 others ... > > So my question is ... what works best with MS? since Postfix got some > issues with MS ( not that it has any effect, after what I have read ) I > still want to try a new ... maybe I will like Postfix best after I have > tried the other, you'll never know.... > > // ouT > > Mailscanner was originally designed on sendmail, but it seems that all are fairly equal as to the support they get. All but qmail, which you will have to go to openprotect to get a mailscanner that is patched to work with qmail. I am thinking of playing with alternate MTA's also, but just so I have a better background with design and support. Every MTA has its pluses and minuses, you should pick an MTA on its own merits, as mailscanner works basically the same on all of them. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From am.lists at gmail.com Mon Mar 12 21:24:57 2007 
From: am.lists at gmail.com (am.lists) Date: Mon Mar 12 20:31:24 2007 Subject: What MTA ... In-Reply-To: References: <45F5ACBB.8040108@syska.dk> Message-ID: <25a66d840703121324s63aceefdx4c5f86c86eacded@mail.gmail.com> On 3/12/07, Scott Silva wrote: > Mikael Syska spake the following on 3/12/2007 12:40 PM: > > Hi, > > > > First off ... I don't want to start a flamewar of any kind here ..... > > please. > > > > I have used Postfix for about a year and it's fairly easy to use, used it > > with VDA ... and multiple domains ... so I wanted to try a new MTA. > > > > One of the 3 others ... > > > > So my question is ... what works best with MS? since Postfix got some > > issues with MS ( not that it has any effect, after what I have read ) I > > still want to try a new ... maybe I will like Postfix best after I have > > tried the other, you'll never know.... > > > > // ouT > > > > > Mailscanner was originally designed on sendmail, but it seems that all are > fairly equal as to the support they get. All but qmail, which you will have to > go to openprotect to get a mailscanner that is patched to work with qmail. > > I am thinking of playing with alternate MTA's also, but just so I have a > better background with design and support. Every MTA has its pluses and > minuses, you should pick an MTA on its own merits, as mailscanner works > basically the same on all of them. > Has anyone ever tried MS SMTP on Windows with MailScanner running in a Cygwin environment? /ducks, runs. From res at ausics.net Mon Mar 12 22:47:51 2007 
From: res at ausics.net (Res) Date: Mon Mar 12 21:54:23 2007 Subject: dealing with dictionary attacks In-Reply-To: References: <45EBE85C.90507@fractalweb.com> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <223f97700703100531q6c8afb4ag7db5a33ab732480b@mail.gmail.com> <625385e30703100555v616d7bg5d7a5341750dc945@mail.gmail.com> <625385e30703101425k2d6985d2j7c717cddbe125de5@mail.gmail.com> Message-ID: On Mon, 12 Mar 2007, Scott Silva wrote: >> > So I can start posting those Vi#@$ra ads? Might as well, so long as you try claim it runs postmix :) -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Mon Mar 12 22:50:24 2007 
From: res at ausics.net (Res) Date: Mon Mar 12 21:56:54 2007 Subject: dealing with dictionary attacks In-Reply-To: <45F59045.6050905@yeticomputers.com> References: <45EBE85C.90507@fractalweb.com> <45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <223f97700703100531q6c8afb4ag7db5a33ab732480b@mail.gmail.com> <625385e30703100555v616d7bg5d7a5341750dc945@mail.gmail.com> <625385e30703101425k2d6985d2j7c717cddbe125de5@mail.gmail.com> <45F59045.6050905@yeticomputers.com> Message-ID: On Mon, 12 Mar 2007, Rick Chadderdon wrote: > It is, of course, up to the owner of any mailing list to set the policy > for their list, but I believe that a strict rule barring off-topic posts > stifles the usefulness of such things. Exactly! However that will not be forthcoming for a few weeks yet, and maybe when he's up and at it again, he needs to set the rules, as there are none at present, once he speaks, and says OT is OK or OT = NONO then everyone will be able to STFU on the matter, yes including me :) > > Rick > -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Mon Mar 12 22:52:51 2007 
From: res at ausics.net (Res) Date: Mon Mar 12 21:59:23 2007 Subject: What MTA ... In-Reply-To: <45F5ACBB.8040108@syska.dk> References: <45F5ACBB.8040108@syska.dk> Message-ID: On Mon, 12 Mar 2007, Mikael Syska wrote: > Hi, > > First off ... I don't want to start a flamewar of any kind here ..... please. > > I have used Postfix for about a year and it's fairly easy to use, used it with > VDA ... and multiple domains ... so I wanted to try a new MTA. Most in this order, however you have started an OT holy war with this question :) sendmail/exim = very easy, MailScanner was written for sendmail. qmail postfix But it comes down to what you are familiar with. -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Mon Mar 12 22:56:34 2007 
From: res at ausics.net (Res) Date: Mon Mar 12 22:03:04 2007 Subject: dealing with dictionary attacks In-Reply-To: <022c01c764e3$91217030$0705000a@ddf5dw71> References: <45EBE85C.90507@fractalweb.com><45F184F2.50305@pacific.net> <023501c76265$0c8af240$0705000a@ddf5dw71> <1173490907.45f20cdc0072c@perdition.cnpapers.net> <223f97700703100531q6c8afb4ag7db5a33ab732480b@mail.gmail.com> <625385e30703100555v616d7bg5d7a5341750dc945@mail.gmail.com> <625385e30703101425k2d6985d2j7c717cddbe125de5@mail.gmail.com> <45F59045.6050905@yeticomputers.com> <022c01c764e3$91217030$0705000a@ddf5dw71> Message-ID: On Mon, 12 Mar 2007, Steve Campbell wrote: > it out of this list" or "look it up yourself" does wonders for the respect a This is why I removed myself from one of the key early day redhat mailing lists, when you wanted help you would go to this list, right? no! too many lamers on there can only post RTFM, or yahoo it etc, leaving those of us who were there to help the newbies outnumbered and in the end all but 1 of us left the list, on some other RH lists I'm on even today, the same attitude still exists, and the funny thing, some of those very people have posted 'help' questions , any wonder they are ignored ;) -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From pete at enitech.com.au Mon Mar 12 23:05:27 2007 
From: pete at enitech.com.au (Peter Russell) Date: Mon Mar 12 22:11:58 2007 Subject: What MTA ... In-Reply-To: <25a66d840703121324s63aceefdx4c5f86c86eacded@mail.gmail.com> References: <45F5ACBB.8040108@syska.dk> <25a66d840703121324s63aceefdx4c5f86c86eacded@mail.gmail.com> Message-ID: <45F5CEA7.8080408@enitech.com.au> >> > >> > So my question is ... what works best with MS? since Postfix got some >> > issues with MS ( not that it have any effect, after what I have read >> ) I >> > still wants to try a new ... maybe I will like Postfix best after I >> have >> > tried the other, you'll never know.... >> > The correct way to do this is to document all of your requirements/needs - that would be the MTA needs of your company, not you personally. Then you would find an MTA that closely meets those needs. An easy way to do this is to score each of the requirements. This exercise is called a requirements or needs analysis - your document to measure the features against the needs is called a comparison matrix. Good habit to get into when making choices like this. From john at katy.com Tue Mar 13 00:03:46 2007 
From: john at katy.com (John Schmerold) Date: Mon Mar 12 23:10:14 2007 Subject: What MTA ... In-Reply-To: References: <45F5ACBB.8040108@syska.dk> Message-ID: <45F5DC52.7020307@katy.com> It would be interesting to hear about things people are doing with one of the options that cannot be done with the others. For example, it's said that qmail with vpopmail (Inter7 states they support Postfix with vpopmail as well) offers superior multi-domain support. A pet project of mine is intelligent attachment handling. I for one would be interested in hearing what people are doing with Exim and attachments for example. Another area of interest would be recipient verification if one of the MTAs does a better job of this than the others. The Postfix swaps with Sendmail (aka my drive is bigger than your drive) stories are no longer interesting. John Schmerold Katy Computer & Wireless 347 Clarkson Rd Ellisville MO 63011 636-394-1900 v 775-227-6947 f Res wrote: > On Mon, 12 Mar 2007, Mikael Syska wrote: > >> Hi, >> >> First off ... I dont want to start a flamewar of any kind here ..... >> please. >> >> I have used Postfix for about a year and its fairly easy to use, used >> it with VDA ... and multiple domains ... so I wanted to try a new MTA. > > Most in this order, however you have started an OT holy war with this > question :) > sendmail/exim = very easy, MailScanner was written for sendmail. > qmail > postfix > > But it comes down to what you are familiar with. > > From res at ausics.net Tue Mar 13 01:59:42 2007 
From: res at ausics.net (Res) Date: Tue Mar 13 01:06:15 2007 Subject: What MTA ... In-Reply-To: <45F5DC52.7020307@katy.com> References: <45F5ACBB.8040108@syska.dk> <45F5DC52.7020307@katy.com> Message-ID: On Mon, 12 Mar 2007, John Schmerold wrote: > qmail with vpopmail (Inter7 states they support Postfix with vpopmail as The only problem with this is, you also need qmail installed, kind of makes it a waste of time to install postmix since you already have an efficient, secure and (if patched) modern MTA, so you might as well just use qmail. The sendmail/cyrus combo works well also, I don't like cyrus's mbox proprietary, and it can be a bugger to fine tune cyrus, even to install it if you have left over Berkeley db's apparently (which is the biggest problem they have, OS upgrades always tend to leave some stuff behind) -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From tjc at ecs.soton.ac.uk Tue Mar 13 11:00:57 2007 From: tjc at ecs.soton.ac.uk (Tim Chown) Date: Tue Mar 13 10:07:50 2007 Subject: Jules update Message-ID: <20070313100057.GB1929@login.ecs.soton.ac.uk> Hi, Just a quick note to say Jules is continuing to recover well. He's now in a general ward, in a room to himself. He's received many cards, and I'm sure he will thank people personally in due course. If anyone else wants to send one, send it to the university and we'll pass it on: Julian Field School of Electronics and Computer Science University of Southampton Highfield Southampton SO17 1BJ United Kingdom I'll send another update in a week or so; Jules is on the mend, it'll just take a bit of time but in his own words normal service will be resumed :) Cheers, Tim From drew at technologytiger.net Tue Mar 13 11:26:09 2007 
From: drew at technologytiger.net (Drew Marshall) Date: Tue Mar 13 10:32:51 2007 Subject: Jules update In-Reply-To: <20070313100057.GB1929@login.ecs.soton.ac.uk> References: <20070313100057.GB1929@login.ecs.soton.ac.uk> Message-ID: <34589.194.70.180.170.1173781569.squirrel@www.technologytiger.net> On Tue, March 13, 2007 10:00, Tim Chown wrote: > Hi, > > Just a quick note to say Jules is continuing to recover well. He's > now in a general ward, in a room to himself. > > He's received many cards, and I'm sure he will thank people personally > in due course. If anyone else wants to send one, send it to the > university > and we'll pass it on: > > Julian Field > School of Electronics and Computer Science > University of Southampton > Highfield > Southampton SO17 1BJ > United Kingdom > > I'll send another update in a week or so; Jules is on the mend, it'll > just take a bit of time but in his own words normal service will be > resumed :) Brilliant news! Thanks for the update Tim. Regards Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner. Further information can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From arturs at netvision.net.il Tue Mar 13 11:29:35 2007 From: arturs at netvision.net.il (Arthur Sherman) Date: Tue Mar 13 10:37:57 2007 Subject: Jules update In-Reply-To: <34589.194.70.180.170.1173781569.squirrel@www.technologytiger.net> Message-ID: <015501c7655a$7f064d90$3701a8c0@lapxp> :) Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Drew Marshall > Sent: Tuesday, March 13, 2007 12:26 PM > To: MailScanner discussion > Subject: Re: Jules update > > On Tue, March 13, 2007 10:00, Tim Chown wrote: > > Hi, > > > > Just a quick note to say Jules is continuing to recover well. He's > > now in a general ward, in a room to himself. > > > > He's received many cards, and I'm sure he will thank people > personally > > in due course. If anyone else wants to send one, send it to the > > university > > and we'll pass it on: > > > > Julian Field > > School of Electronics and Computer Science > > University of Southampton > > Highfield > > Southampton SO17 1BJ > > United Kingdom > > > > I'll send another update in a week or so; Jules is on the > mend, it'll > > just take a bit of time but in his own words normal service will be > > resumed :) > > Brilliant news! Thanks for the update Tim. > > Regards > > Drew > > > -- > In line with our policy, this message has been scanned > for viruses and dangerous content by the Technology Tiger MailScanner. > Further information can be found at www.technologytiger.net/policy > > Technology Tiger Limited is registered in Scotland with > registration number: 310997 > Registered Office 55-57 West High Street Inverurie AB51 3QQ > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From joost at waversveld.nl Tue Mar 13 11:51:31 2007 
From: joost at waversveld.nl (Joost Waversveld) Date: Tue Mar 13 10:58:16 2007 Subject: Jules update In-Reply-To: <20070313100057.GB1929@login.ecs.soton.ac.uk> References: <20070313100057.GB1929@login.ecs.soton.ac.uk> Message-ID: <45F68233.4090009@waversveld.nl> Tim Chown wrote: > Hi, > > Just a quick note to say Jules is continuing to recover well. He's > now in a general ward, in a room to himself. > > He's received many cards, and I'm sure he will thank people personally > in due course. If anyone else wants to send one, send it to the university > and we'll pass it on: > > Julian Field > School of Electronics and Computer Science > University of Southampton > Highfield > Southampton SO17 1BJ > United Kingdom > > I'll send another update in a week or so; Jules is on the mend, it'll > just take a bit of time but in his own words normal service will be resumed :) > > Cheers, > Tim > Good to hear... our card is already on it's way ;-) Thanx for the update Tim. cheers, Joost Waversveld From denis at croombs.org Tue Mar 13 12:28:56 2007 
From: denis at croombs.org (Denis Croombs) Date: Tue Mar 13 11:35:28 2007 Subject: Jules update In-Reply-To: <20070313100057.GB1929@login.ecs.soton.ac.uk> References: <20070313100057.GB1929@login.ecs.soton.ac.uk> Message-ID: <14468.87.238.80.64.1173785336.squirrel@www.croombs.org> > Just a quick note to say Jules is continuing to recover well. He's > now in a general ward, in a room to himself. > > He's received many cards, and I'm sure he will thank people personally > in due course. If anyone else wants to send one, send it to the > university > and we'll pass it on: > > Julian Field > School of Electronics and Computer Science > University of Southampton > Highfield > Southampton SO17 1BJ > United Kingdom > > I'll send another update in a week or so; Jules is on the mend, it'll > just take a bit of time but in his own words normal service will be > resumed :) That is great news, long may it continue. Regards Denis From res at ausics.net Tue Mar 13 13:13:41 2007 From: res at ausics.net (Res) Date: Tue Mar 13 12:20:22 2007 Subject: Jules update In-Reply-To: <20070313100057.GB1929@login.ecs.soton.ac.uk> References: <20070313100057.GB1929@login.ecs.soton.ac.uk> Message-ID: On Tue, 13 Mar 2007, Tim Chown wrote: > Hi, > > Just a quick note to say Jules is continuing to recover well. He's > now in a general ward, in a room to himself. Excellent news! -- Cheers Res Let Novell known what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From dominian at slackadelic.com Tue Mar 13 13:46:03 2007 
From: dominian at slackadelic.com (Matt Hayes) Date: Tue Mar 13 12:52:47 2007 Subject: Jules update In-Reply-To: <20070313100057.GB1929@login.ecs.soton.ac.uk> References: <20070313100057.GB1929@login.ecs.soton.ac.uk> Message-ID: <45F69D0B.9050901@slackadelic.com> Tim Chown wrote: > Hi, > > Just a quick note to say Jules is continuing to recover well. He's > now in a general ward, in a room to himself. > > He's received many cards, and I'm sure he will thank people personally > in due course. If anyone else wants to send one, send it to the university > and we'll pass it on: > > Julian Field > School of Electronics and Computer Science > University of Southampton > Highfield > Southampton SO17 1BJ > United Kingdom > > I'll send another update in a week or so; Jules is on the mend, it'll > just take a bit of time but in his own words normal service will be resumed :) > > Cheers, > Tim That is great news! -Matt From bpumphrey at woodmclaw.com Tue Mar 13 14:19:16 2007 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Tue Mar 13 13:25:52 2007 Subject: Jules update In-Reply-To: <20070313100057.GB1929@login.ecs.soton.ac.uk> Message-ID: <04D932B0071FE34FA63EBB1977B48D1502574C2B@woodenex.woodmaclaw.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tim Chown
> Sent: Tuesday, March 13, 2007 6:01 AM
> To: MailScanner discussion
> Subject: Jules update
>
> Hi,
>
> Just a quick note to say Jules is continuing to recover well. He's
> now in a general ward, in a room to himself.
>
> He's received many cards, and I'm sure he will thank people personally
> in due course. If anyone else wants to send one, send it to the university
> and we'll pass it on:
>
> Julian Field
> School of Electronics and Computer Science
> University of Southampton
> Highfield
> Southampton SO17 1BJ
> United Kingdom
>
> I'll send another update in a week or so; Jules is on the mend, it'll
> just take a bit of time but in his own words normal service will be resumed :)
>
> Cheers,
> Tim
> --

I did not read every single post about his hospital stay, but I did not see if the cause of the collapse was determined. Is there a reason that was found?

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From nightduke2005 at yahoo.es Tue Mar 13 14:50:02 2007
From: nightduke2005 at yahoo.es (night duke)
Date: Tue Mar 13 13:56:35 2007
Subject: mailscanner qmail
Message-ID: <20070313135002.98584.qmail@web27806.mail.ukl.yahoo.com>

Hi, I'm interested in mailscanner but I wish to know if there's a howto or any guide to install it with qmail.

Thanks

From dhawal at netmagicsolutions.com Tue Mar 13 14:55:30 2007
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Tue Mar 13 14:02:12 2007
Subject: mailscanner qmail
In-Reply-To: <20070313135002.98584.qmail@web27806.mail.ukl.yahoo.com>
References: <20070313135002.98584.qmail@web27806.mail.ukl.yahoo.com>
Message-ID: <45F6AD52.1080501@netmagicsolutions.com>

night duke wrote:
> Hi, I'm interested in mailscanner but I wish to know if there's a howto or
> any guide to install it with qmail.

All on one line..
http://wiki.mailscanner.info/doku.php?id=documentation:instructions_for_integrating_mailscanner_with_qmail

From ka at pacific.net Tue Mar 13 16:27:33 2007
From: ka at pacific.net (Ken A)
Date: Tue Mar 13 15:34:00 2007
Subject: sendmail milter bug shows up on gateway with 8.14.0
Message-ID: <45F6C2E5.2010900@pacific.net>

http://www.sendmail.org/releases/8.14.0.php#ERRATA

> (2007-02-06) Recipients that are rejected by a milter are not removed
> from an internal list and hence mail will be delivered to them if the
> transaction is accepted. A preliminary patch is available.

If you are using a milter that rejects based on recipient (common on MailScanner boxes) and sendmail 8.14.0, you'll see some DSNs being generated by sendmail that /should/ have been rejected in envelope phase instead.

You can either live with it, patch or rpm -Uvh --oldpackage 8.13.x

Ken A.
Pacific.Net

From Kevin_Miller at ci.juneau.ak.us Tue Mar 13 17:07:16 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue Mar 13 16:13:34 2007
Subject: MailSacanner don't work
In-Reply-To: <45F172F5.3040304@USherbrooke.ca>
References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com> <45F16C65.2080309@USherbrooke.ca> <7e78dc1f0703090636g39007979u10668986b783bb5d@mail.gmail.com> <45F172F5.3040304@USherbrooke.ca>
Message-ID:

Denis Beauchemin wrote:
> Claudio Mundin wrote:
>> If I start up only sendmail then sendmail listens on 0.0.0.0 25
>> But the script of MailScanner throws an option to sendmail that listens
>> on 127.0.0.1
>>
>
> Can anyone using Suse confirm this? It starts fine on RH...
>
> Denis

I was out ill last week so this may be already answered, but with SUSE you need to edit /etc/sysconfig/mail, changing the following:

MAIL_CREATE_CONFIG="yes"
SMTPD_LISTEN_REMOTE="no"

to

MAIL_CREATE_CONFIG="no"
SMTPD_LISTEN_REMOTE="yes"

It's easiest to do that in the YaST/Sysconfig editor, as it will then apply the changes...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From clamun at gmail.com Tue Mar 13 18:19:27 2007
From: clamun at gmail.com (Claudio Mundin)
Date: Tue Mar 13 17:25:57 2007
Subject: MailSacanner don't work
In-Reply-To:
References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com> <45F16C65.2080309@USherbrooke.ca> <7e78dc1f0703090636g39007979u10668986b783bb5d@mail.gmail.com> <45F172F5.3040304@USherbrooke.ca>
Message-ID: <7e78dc1f0703131019l6baba2c1x1d70d186aaf8d600@mail.gmail.com>

Hi Kevin, I made this change in the last day but the problem persists. I don't know what happened.

2007/3/13, Kevin Miller :
>
> Denis Beauchemin wrote:
> > Claudio Mundin wrote:
> >> If I start up only sendmail then sendmail listens on 0.0.0.0 25
> >> But the script of MailScanner throws an option to sendmail that listens
> >> on 127.0.0.1
> >>
> >
> > Can anyone using Suse confirm this? It starts fine on RH...
> >
> > Denis
>
> I was out ill last week so this may be already answered, but with SUSE you
> need to edit /etc/sysconfig/mail, changing the following:
>
> MAIL_CREATE_CONFIG="yes"
> SMTPD_LISTEN_REMOTE="no"
> to
> MAIL_CREATE_CONFIG="no"
> SMTPD_LISTEN_REMOTE="yes"
>
> It's easiest to do that in the YaST/Sysconfig editor, as it will then apply the
> changes...
>
>
> ...Kevin
> --
> Kevin Miller Registered Linux User No: 307357
> CBJ MIS Dept. Network Systems Admin., Mail Admin.
> 155 South Seward Street ph: (907) 586-0242
> Juneau, Alaska 99801 fax: (907 586-4500

From Kevin_Miller at ci.juneau.ak.us Tue Mar 13 18:59:02 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Mar 13 18:05:23 2007 Subject: OT: PHB time... Message-ID: OK, so my boss who is normally an otherwise reasonable guy, calls me into his office and says one of the department heads wants out of office turned on for internet mail. He knows that people are tarred and feathered for doing that on mail lists, but thinks that the mail lists should be filtering those - that with a short case statement they could easily do that. I tried to persuade him otherwise, but he's going to poll the other directors and see if it's something they want. Of course they will, not understanding a broader perspective. Sigh. It seems like there were other reasons than just list servers that make it a bad idea to have out of office messages turned on but I'm not really sure what they might be. I suggested that they provide feedback to spammers but he was unconvinced. So, although it's somewhat OT, I'm asking here because I can't think of a more enlightened group of mail admins; what are some good solid reasons beyond people on list servers hate them, not to publish an out of office reply over the internet? Thanks... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From dominian at slackadelic.com Tue Mar 13 19:03:57 2007 
From: dominian at slackadelic.com (Matt Hayes) Date: Tue Mar 13 18:10:35 2007 Subject: OT: PHB time... In-Reply-To: References: Message-ID: <45F6E78D.5040306@slackadelic.com> Kevin Miller wrote: > OK, so my boss who is normally an otherwise reasonable guy, calls me > into his office and says one of the department heads wants out of office > turned on for internet mail. He knows that people are tarred and > feathered for doing that on mail lists, but thinks that the mail lists > should be filtering those - that with a short case statement they could > easily do that. I tried to persuade him otherwise, but he's going to > poll the other directors and see if it's something they want. Of course > they will, not understanding a broader perspective. Sigh. > > It seems like there were other reasons than just list servers that make > it a bad idea to have out of office messages turned on but I'm not > really sure what they might be. I suggested that they provide feedback > to spammers but he was unconvinced. So, although it's somewhat OT, I'm > asking here because I can't think of a more enlightened group of mail > admins; what are some good solid reasons beyond people on list servers > hate them, not to publish an out of office reply over the internet? > > Thanks... > > ...Kevin Spammers are a big reason for that. If you get 100 spam connections in a few minutes and those people have out of office reply on.. a vicious cycle starts... That's going unmentioned of the mailing lists of course ;) -Matt From am.lists at gmail.com Tue Mar 13 19:10:25 2007 
From: am.lists at gmail.com (am.lists)
Date: Tue Mar 13 18:16:55 2007
Subject: OT: PHB time...
In-Reply-To: <45F6E78D.5040306@slackadelic.com>
References: <45F6E78D.5040306@slackadelic.com>
Message-ID: <25a66d840703131110k6e521aa9q45b44a77023be18d@mail.gmail.com>

On 3/13/07, Matt Hayes wrote:
> Kevin Miller wrote:
> > OK, so my boss who is normally an otherwise reasonable guy, calls me
> > into his office and says one of the department heads wants out of office
> > turned on for internet mail. He knows that people are tarred and
> > feathered for doing that on mail lists, but thinks that the mail lists
> > should be filtering those - that with a short case statement they could
> > easily do that. I tried to persuade him otherwise, but he's going to
> > poll the other directors and see if it's something they want. Of course
> > they will, not understanding a broader perspective. Sigh.
> >
> > It seems like there were other reasons than just list servers that make
> > it a bad idea to have out of office messages turned on but I'm not
> > really sure what they might be. I suggested that they provide feedback
> > to spammers but he was unconvinced. So, although it's somewhat OT, I'm
> > asking here because I can't think of a more enlightened group of mail
> > admins; what are some good solid reasons beyond people on list servers
> > hate them, not to publish an out of office reply over the internet?
> >
> > Thanks...
> >
> > ...Kevin

You mention this guy being a director... How about the security threat (information disclosure) that this guy: #1 has a valid email address to spammers, #2 it could reveal his real name (e.g. "Jim Bob Malloy is out of the office") to a hacker. #3 it could reveal his real name and the fact that he is out of the office to a phisher/other person with malfeasance on their minds, especially if it says when he'll be back; that gives criminals a definite window of opportunity.

If you have a security (aka IT Risk Management) group, they may have some "policy" cards they could deal out in cases like this.

From david at gnsa.us Tue Mar 13 19:14:44 2007
From: david at gnsa.us (David Nalley)
Date: Tue Mar 13 18:20:56 2007
Subject: OT: PHB time...
In-Reply-To:
References:
Message-ID: <45F6EA14.7040900@gnsa.us>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kevin Miller wrote:
> OK, so my boss who is normally an otherwise reasonable guy, calls me
> into his office and says one of the department heads wants out of office
> turned on for internet mail. He knows that people are tarred and
> feathered for doing that on mail lists, but thinks that the mail lists
> should be filtering those - that with a short case statement they could
> easily do that. I tried to persuade him otherwise, but he's going to
> poll the other directors and see if it's something they want. Of course
> they will, not understanding a broader perspective. Sigh.
>
> It seems like there were other reasons than just list servers that make
> it a bad idea to have out of office messages turned on but I'm not
> really sure what they might be. I suggested that they provide feedback
> to spammers but he was unconvinced. So, although it's somewhat OT, I'm
> asking here because I can't think of a more enlightened group of mail
> admins; what are some good solid reasons beyond people on list servers
> hate them, not to publish an out of office reply over the internet?
>
> Thanks...
>
> ...Kevin

There is also the security perspective - it potentially opens up 'inside' information for social engineering purposes.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF9uoUkZOYj+cNI1cRAgmgAKCGKQ/L4xFRhLg13Iu3nuonKtgeHgCfaxR8
9FtQo39G2SyBon7dkg06ns8=
=kpIj
-----END PGP SIGNATURE-----

From ka at pacific.net Tue Mar 13 19:29:06 2007
From: ka at pacific.net (Ken A) Date: Tue Mar 13 18:35:34 2007 Subject: OT: PHB time... In-Reply-To: <25a66d840703131110k6e521aa9q45b44a77023be18d@mail.gmail.com> References: <45F6E78D.5040306@slackadelic.com> <25a66d840703131110k6e521aa9q45b44a77023be18d@mail.gmail.com> Message-ID: <45F6ED72.6030002@pacific.net> am.lists wrote: > On 3/13/07, Matt Hayes wrote: >> Kevin Miller wrote: >> > OK, so my boss who is normally an otherwise reasonable guy, calls me >> > into his office and says one of the department heads wants out of >> office >> > turned on for internet mail. He knows that people are tarred and >> > feathered for doing that on mail lists, but thinks that the mail lists >> > should be filtering those - that with a short case statement they could >> > easily do that. I tried to persuade him otherwise, but he's going to >> > poll the other directors and see if it's something they want. Of >> course >> > they will, not understanding a broader perspective. Sigh. >> > >> > It seems like there were other reasons than just list servers that make >> > it a bad idea to have out of office messages turned on but I'm not >> > really sure what they might be. I suggested that they provide feedback >> > to spammers but he was unconvinced. So, although it's somewhat OT, I'm >> > asking here because I can't think of a more enlightened group of mail >> > admins; what are some good solid reasons beyond people on list servers >> > hate them, not to publish an out of office reply over the internet? >> > >> > Thanks... >> > >> > ...Kevin > > You mention this guy being a director... How about the security threat > (information disclosure) that this guy: #1 has a valid email address > to spammers, #2 it could reveal his real name (e.g. "Jim Bob Malloy is > out of the office") to a hacker. 
#3 it could reveal his real name and > the fact that he is out of the office to a phisher/other person with > malfeasance on their minds, especially if it says when he'll be back; > that gives criminals a definite window of opportunity. > > If you have a security (aka IT Risk Management) group, they may have > some "policy" cards they could deal out in cases like this. Another thing to mention is that people don't maintain them, so they cause other creeping issues. Often these messages contain bad info after a while. A friend of mine who works for a corp that forces these things on people, went on vacation and his old cell phone number was emailed to hundreds of people. The current owner of that number was quite upset, since the OOM contained info about him being off for surgery, there were quite a few calls! :-( Ken A Pacific.Net From dave.list at pixelhammer.com Tue Mar 13 19:33:39 2007 
From: dave.list at pixelhammer.com (DAve) Date: Tue Mar 13 18:40:58 2007 Subject: OT: PHB time... In-Reply-To: References: Message-ID: <45F6EE83.8090501@pixelhammer.com> Kevin Miller wrote: > OK, so my boss who is normally an otherwise reasonable guy, calls me > into his office and says one of the department heads wants out of office > turned on for internet mail. He knows that people are tarred and > feathered for doing that on mail lists, but thinks that the mail lists > should be filtering those - that with a short case statement they could > easily do that. I tried to persuade him otherwise, but he's going to > poll the other directors and see if it's something they want. Of course > they will, not understanding a broader perspective. Sigh. > > It seems like there were other reasons than just list servers that make > it a bad idea to have out of office messages turned on but I'm not > really sure what they might be. I suggested that they provide feedback > to spammers but he was unconvinced. So, although it's somewhat OT, I'm > asking here because I can't think of a more enlightened group of mail > admins; what are some good solid reasons beyond people on list servers > hate them, not to publish an out of office reply over the internet? > > Thanks... > > ...Kevin Lots of good reasons, but I lost that battle. One good dictionary attack (if you don't have a really good, properly functioning, intelligent, AR program) can get you blacklisted. See "Joe-Job". On the flip-side, one good dictionary attack on a business domain with 10 users on vacation, can get you a new server. Worked for me ;^) DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From hvdkooij at vanderkooij.org Tue Mar 13 21:26:44 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Tue Mar 13 20:33:19 2007 Subject: OT: PHB time... In-Reply-To: References: Message-ID: On Tue, 13 Mar 2007, Kevin Miller wrote: > OK, so my boss who is normally an otherwise reasonable guy, calls me > into his office and says one of the department heads wants out of office > turned on for internet mail. He knows that people are tarred and > feathered for doing that on mail lists, but thinks that the mail lists > should be filtering those - that with a short case statement they could > easily do that. I tried to persuade him otherwise, but he's going to > poll the other directors and see if it's something they want. Of course > they will, not understanding a broader perspective. Sigh. I think it is decisions like this that got me buy the nukes in the first places. Everytime one of those blasted things hit my MTA I educate it to nuke it and blacklist the sender. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From am.lists at gmail.com Tue Mar 13 21:52:44 2007 
From: am.lists at gmail.com (am.lists) Date: Tue Mar 13 20:59:14 2007 Subject: OT: PHB time... In-Reply-To: References: Message-ID: <25a66d840703131352v5da53a69x35487aee1b8a741d@mail.gmail.com> On 3/13/07, Hugo van der Kooij wrote: > On Tue, 13 Mar 2007, Kevin Miller wrote: > > > OK, so my boss who is normally an otherwise reasonable guy, calls me > > into his office and says one of the department heads wants out of office > > turned on for internet mail. He knows that people are tarred and > > feathered for doing that on mail lists, but thinks that the mail lists > > should be filtering those - that with a short case statement they could > > easily do that. I tried to persuade him otherwise, but he's going to > > poll the other directors and see if it's something they want. Of course > > they will, not understanding a broader perspective. Sigh. > > I think it is decisions like this that got me buy the nukes in the first > places. Everytime one of those blasted things hit my MTA I educate it to > nuke it and blacklist the sender. > > Hugo. Interesting approach. So, let the guy that wants to do this know that this behavior can get the entire organization banned from having their mail accepted. Something along the lines of "We really shouldn't even think of enabling this. Aside from the obvious security concerns, other mail admins who we exchange email with could take aggressive action and block our mail completely for doing this." From mrm at medicine.wisc.edu Tue Mar 13 22:09:43 2007 
From: mrm at medicine.wisc.edu (Michael Masse) Date: Tue Mar 13 21:16:40 2007 Subject: OT: PHB time... In-Reply-To: <25a66d840703131352v5da53a69x35487aee1b8a741d@mail.gmail.com> References: <25a66d840703131352v5da53a69x35487aee1b8a741d@mail.gmail.com> Message-ID: <45F6CCC6.7FBE.00FC.3@medicine.wisc.edu> >> On Tue, 13 Mar 2007, Kevin Miller wrote: >> >> > OK, so my boss who is normally an otherwise reasonable guy, calls me >> > into his office and says one of the department heads wants out of office >> > turned on for internet mail. He knows that people are tarred and >> > feathered for doing that on mail lists, but thinks that the mail lists >> > should be filtering those - that with a short case statement they could >> > easily do that. I tried to persuade him otherwise, but he's going to >> > poll the other directors and see if it's something they want. Of course >> > they will, not understanding a broader perspective. Sigh. Ask if his personal or the company's reputation matter, because that's what's going to suffer when that person's autoreplies are bouncing around back and forth on all of those lists pissing people off. In regards to his belief that lists should be filtering the autoreplies. Lots of people believe things should work a certain way. Some people believe bottom posting is taboo. I believe that I should be able to legally ignore all speed limits on the highway, but how much of a chance do you think I have of that happening? The percentage is about the same as all email lists filtering out autoreplies. Mike From ssilva at sgvwater.com Tue Mar 13 22:20:05 2007 
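The out-of-office thread above turns on replies to mailing lists, to spam with forged senders, and to other automatic mail. As an added example (not code from any poster or from MailScanner), this Python filter applies suppression checks along the lines of RFC 3834 before a responder is allowed to answer, and builds a reply that carries no dates or contact details. The addresses, sample messages and the upstream `X-Spam-Flag` tagging are constructed assumptions.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

# Envelope senders that are software, not people.
ROBOT_LOCALPARTS = ("mailer-daemon", "postmaster", "noreply", "no-reply")
ROBOT_SUFFIXES = ("-request", "-bounces", "-owner")
BULK_PRECEDENCE = {"bulk", "junk", "list"}
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post")


def refusal_reason(msg, envelope_from, owner, already_replied):
    """Return None when an auto-reply is acceptable, else why it is not."""
    sender = envelope_from.strip("<> ").lower()
    if not sender:
        return "null return-path (bounce or DSN)"
    local = sender.split("@", 1)[0]
    if (local in ROBOT_LOCALPARTS or local.startswith("owner-")
            or local.endswith(ROBOT_SUFFIXES)):
        return "robot or list address"
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return "message is itself automatic"
    if (msg.get("Precedence") or "").strip().lower() in BULK_PRECEDENCE:
        return "bulk or list precedence"
    if any(name in msg for name in LIST_HEADERS):
        return "mailing-list traffic"
    # Assumption: an upstream filter tags spam with SpamAssassin's X-Spam-Flag.
    if (msg.get("X-Spam-Flag") or "").strip().upper() == "YES":
        return "tagged as spam upstream"
    recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    if owner.lower() not in {a.lower() for _, a in getaddresses(recipients)}:
        return "owner not named in To/Cc"
    if sender in already_replied:
        return "already replied to this sender"
    return None


def build_reply(owner, sender, original):
    """Build a reply that is marked automatic and discloses no dates or contacts."""
    reply = EmailMessage()
    reply["From"] = owner
    reply["To"] = sender
    subject = " ".join(str(original.get("Subject") or "(no subject)").split())
    reply["Subject"] = "Auto: " + subject
    reply["Auto-Submitted"] = "auto-replied"  # stops other responders answering
    reply["Precedence"] = "bulk"
    reply.set_content("This mailbox is not being read at the moment.\n")
    return reply


def run_responder(owner, inbound):
    """Process (envelope sender, raw message) pairs; return decisions and replies."""
    already_replied, decisions, replies = set(), [], []
    for envelope_from, raw in inbound:
        msg = message_from_string(raw)
        reason = refusal_reason(msg, envelope_from, owner, already_replied)
        decisions.append(reason or "reply sent")
        if reason is None:
            sender = envelope_from.strip("<> ").lower()
            already_replied.add(sender)  # one reply per sender
            replies.append(build_reply(owner, sender, msg))
    return decisions, replies


OWNER = "director@example.com"  # constructed address
# Constructed (envelope sender, raw message) pairs; none come from the thread.
SAMPLE_INBOUND = [
    ("alice@example.org",
     "From: Alice <alice@example.org>\nTo: director@example.com\n"
     "Subject: Budget question\n\nHello\n"),
    ("alice@example.org",
     "From: Alice <alice@example.org>\nTo: director@example.com\n"
     "Subject: One more thing\n\nHello again\n"),
    ("discuss-bounces@lists.example.net",
     "From: Bob <bob@example.net>\nTo: discuss@lists.example.net\n"
     "Precedence: list\nSubject: Re: topic\n\nList post\n"),
    ("bob@example.net",
     "From: Bob <bob@example.net>\nTo: director@example.com\n"
     "List-Id: <discuss.lists.example.net>\nSubject: Re: topic\n\nList post\n"),
    ("forged-victim@example.org",
     "From: forged-victim@example.org\nTo: director@example.com\n"
     "X-Spam-Flag: YES\nSubject: Cheap pills\n\nSpam\n"),
    ("<>",
     "From: MAILER-DAEMON@example.net\nTo: director@example.com\n"
     "Subject: Delivery failure\n\nBounce\n"),
    ("carol@example.org",
     "From: Carol <carol@example.org>\nTo: all-staff@example.com\n"
     "Subject: Newsletter\n\nBcc'd copy\n"),
    ("vacation@example.org",
     "From: Dan <dan@example.org>\nTo: director@example.com\n"
     "Auto-Submitted: auto-replied\nSubject: Auto: away\n\nAway\n"),
]

if __name__ == "__main__":
    results, _ = run_responder(OWNER, SAMPLE_INBOUND)
    for (sender, _raw), decision in zip(SAMPLE_INBOUND, results):
        print(f"{sender:36} {decision}")
```

Of the eight constructed messages only the first draws a reply; the forged-sender spam is the case that would otherwise send backscatter to an uninvolved address.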
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Mar 13 21:27:01 2007 Subject: Jules update In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1502574C2B@woodenex.woodmaclaw.local> References: <20070313100057.GB1929@login.ecs.soton.ac.uk> <04D932B0071FE34FA63EBB1977B48D1502574C2B@woodenex.woodmaclaw.local> Message-ID: Billy A. Pumphrey spake the following on 3/13/2007 6:19 AM: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >> bounces@lists.mailscanner.info] On Behalf Of Tim Chown >> Sent: Tuesday, March 13, 2007 6:01 AM >> To: MailScanner discussion >> Subject: Jules update >> >> Hi, >> >> Just a quick note to say Jules is continuing to recover well. He's >> now in a general ward, in a room to himself. >> >> He's received many cards, and I'm sure he will thank people personally >> in due course. If anyone else wants to send one, send it to the >> university >> and we'll pass it on: >> >> Julian Field >> School of Electronics and Computer Science >> University of Southampton >> Highfield >> Southampton SO17 1BJ >> United Kingdom >> >> I'll send another update in a week or so; Jules is on the mend, it'll >> just take a bit of time but in his own words normal service will be >> resumed :) >> >> Cheers, >> Tim >> -- > > I did not read every single post about his hospital stay, but I did not > see if the cause of the collapse was determined. Is there a reason that > was found? > Julian has had a long running illness that has caused or required many surgeries to try and correct. You can see how he has described his condition here; http://comments.gmane.org/gmane.mail.virus.mailscanner/47823 -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From gcle at smcaus.com.au Tue Mar 13 23:03:57 2007 
From: gcle at smcaus.com.au (Gerard Cleary) Date: Tue Mar 13 22:10:55 2007 Subject: Jules update In-Reply-To: <20070313100057.GB1929@login.ecs.soton.ac.uk> References: <20070313100057.GB1929@login.ecs.soton.ac.uk> Message-ID: <200703140904.02850.gcle@smcaus.com.au> On Tue, 13 Mar 2007 21:00, Tim Chown wrote: > Hi, > > Just a quick note to say Jules is continuing to recover well. He's > now in a general ward, in a room to himself. > > > Cheers, > Tim Fantastic news, Tim. I hope he recharges his batteries in the way that he knows best for himself. All the best from Australia. Gerard. -- Gerard Cleary System Administrator SMC Pneumatics Australia Pty Ltd PH: (02) 9354 8222 -- This email message and any related attachments are confidential and should only be read by those persons to whom they were addressed. They may contain copyright, personal or legally privileged information. If you are not the intended recipient of this email, any use of this information is strictly prohibited and it must be deleted from your system. Views expressed in this message are the views of the sender and are not necessarily views of SMC Corporation, or it's subsidiaries, except where the message expressly states otherwise. Any advice contained herein should be treated as preliminary advice only and subject to formal written confirmation. Although this email and any attachments are believed to be free of any virus or any other defect which may cause damage or loss, it is the responsibility of the recipient to ensure that they are virus-free. SMC accepts no liability for any loss or damage that may occur as a result of the transmission of this email or its attachments to the recipient. From ITDept at fractalweb.com Tue Mar 13 23:20:53 2007 
From: ITDept at fractalweb.com (Chris Yuzik) Date: Tue Mar 13 22:27:33 2007 Subject: What MTA ... In-Reply-To: <45F5ACBB.8040108@syska.dk> References: <45F5ACBB.8040108@syska.dk> Message-ID: <45F723C5.6010407@fractalweb.com> FWIW, we went through exactly the same consideration a few weeks ago, but after weighing all of the pros and cons decided on Sendmail. Chris From Kevin_Miller at ci.juneau.ak.us Tue Mar 13 23:42:56 2007 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Mar 13 22:49:18 2007 Subject: MailSacanner don't work In-Reply-To: <7e78dc1f0703131019l6baba2c1x1d70d186aaf8d600@mail.gmail.com> References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com><45F16C65.2080309@USherbrooke.ca><7e78dc1f0703090636g39007979u10668986b783bb5d@mail.gmail.com><45F172F5.3040304@USherbrooke.ca> <7e78dc1f0703131019l6baba2c1x1d70d186aaf8d600@mail.gmail.com> Message-ID: Without knowing exactly what you've done so far, it's hard to say what's the matter, but in a nutshell, you want to do the following: Configure sendmail as below. As root do the following: chkconfig sendmail off chkconfig MailScanner on install the MailScanner SUSE rpm install spamassassin & antivirus - the combined package on the MailScanner site is a good way to go as it takes care of some mundane steps for you. Edit /etc/MailScanner.conf as appropriate for your configuration. There are some things in there (like org-name) which *must* be set by you. Most things are fine with thet default setting. But you need to go through it line by line to make choices that work best for your location. ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Claudio Mundin Sent: Tuesday, March 13, 2007 9:19 AM To: MailScanner discussion Subject: Re: MailSacanner don't work Hi Kevin, I make this change in the last day but the problem persists. I don't know what happened 2007/3/13, Kevin Miller : Denis Beauchemin wrote: > Claudio Mundin wrote: >> If I startup only sendmail then sendmail listen in MailScanner warning: numerical links are often malicious: 0.0.0.0 25 >> But the script of MailScanner throw option to sendmail that listen >> in MailScanner warning: numerical links are often malicious: 127.0.0.1 >> > > Can anyone using Suse confirm this? It starts fine on RH... > > Denis I was out ill last week so this may be already answered, but with SUSE you need to edit /etc/sysconfig/mail, changing the following:

MAIL_CREATE_CONFIG="yes"
SMTPD_LISTEN_REMOTE="no"
to
MAIL_CREATE_CONFIG="no"
SMTPD_LISTEN_REMOTE="yes"

It's easiest to do that in Yast/Sysconfig editor, as it will then apply the changes... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From arturs at netvision.net.il Wed Mar 14 00:31:25 2007 
From: arturs at netvision.net.il (Arthur Sherman) Date: Tue Mar 13 23:39:36 2007 Subject: Don't check mail from localhost Message-ID: <01d801c765c7$b79c2770$3701a8c0@lapxp> Hi do I set MailScanner not to scan mail from localhost? I stopped getting mail from root Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/
From hvdkooij at vanderkooij.org Wed Mar 14 00:38:24 2007 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Tue Mar 13 23:45:00 2007 Subject: Jules update In-Reply-To: <20070313100057.GB1929@login.ecs.soton.ac.uk> References: <20070313100057.GB1929@login.ecs.soton.ac.uk> Message-ID: On Tue, 13 Mar 2007, Tim Chown wrote: > I'll send another update in a week or so; Jules is on the mend, it'll > just take a bit of time but in his own words normal service will be resumed : So he is back from crash recovery mode into single user mode. Well not entirely. He seems to have asked for his networking daemon to start which should be runlevel 2. Great. Let's hope he can soon return to his usual runlevel. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.)
From ITDept at fractalweb.com Wed Mar 14 00:47:39 2007 From: ITDept at fractalweb.com (Chris Yuzik) Date: Tue Mar 13 23:54:22 2007 Subject: Don't check mail from localhost In-Reply-To: <01d801c765c7$b79c2770$3701a8c0@lapxp> References: <01d801c765c7$b79c2770$3701a8c0@lapxp> Message-ID: <45F7381B.2080806@fractalweb.com> Arthur Sherman wrote: > Hi do I set MailScanner not to scan mail from localhost? I stopped getting > mail from root > That root guy only sends spam anyways. ;-) Seriously, this is a two-step process.

1) Create a file called "content.scanning.rules" or similar and put it in your /etc/MailScanner/rules/ dir. Contents should be:

From: 127.0.0.1 no
FromOrTo: default yes

2) Make a change to your MailScanner.conf file. Find the line that reads:
Dangerous Content Scanning = yes
and change it to:
Dangerous Content Scanning = %rules-dir%/content.scanning.rules

3) save, and restart MailScanner.

HTH. Cheers, Chris
From arturs at netvision.net.il Wed Mar 14 01:10:19 2007 From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Mar 14 00:18:25 2007 Subject: Don't check mail from localhost In-Reply-To: <45F7381B.2080806@fractalweb.com> Message-ID: <01dd01c765cd$26bc6390$3701a8c0@lapxp> > > Hi do I set MailScanner not to scan mail from localhost? I > stopped getting > > mail from root > > > That root guy only sends spam anyways. ;-) > > Seriously, this is a two-step process. > > 1) Create a file called "content.scanning.rules" or similar > and put it > in your /etc/MailScanner/rules/ dir. Contents should be: > > From: 127.0.0.1 no > FromOrTo: default yes > > 2) Make a change to your MailScanner.conf file. Find the line that > reads: Dangerous Content Scanning = yes and change it to: > Dangerous Content Scanning = %rules-dir%/content.scanning.rules > > 3) save, and restart MailScanner. > > HTH. > > Cheers, > Chris Thanks, Chris! Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/
From pete at enitech.com.au Wed Mar 14 03:47:18 2007 From: pete at enitech.com.au (Peter Russell) Date: Wed Mar 14 02:53:59 2007 Subject: Jules update In-Reply-To: <015501c7655a$7f064d90$3701a8c0@lapxp> References: <015501c7655a$7f064d90$3701a8c0@lapxp> Message-ID: <45F76236.20208@enitech.com.au> Just tell him Wietse has offered to take over development of MailScanner - that should speed up his recovery :) All the best Jules Pete Arthur Sherman wrote: > :) > > > Best, > > -- > Arthur Sherman > > +972-52-4878851 > http://www.cpt.co.il/ > >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Drew Marshall >> Sent: Tuesday, March 13, 2007 12:26 PM >> To: MailScanner discussion >> Subject: Re: Jules update >> >> On Tue, March 13, 2007 10:00, Tim Chown wrote: >>> Hi, >>> >>> Just a quick note to say Jules is continuing to recover well. He's >>> now in a general ward, in a room to himself. >>> >>> He's received many cards, and I'm sure he will thank people >> personally >>> in due course. If anyone else wants to send one, send it to the >>> university >>> and we'll pass it on: >>> >>> Julian Field >>> School of Electronics and Computer Science >>> University of Southampton >>> Highfield >>> Southampton SO17 1BJ >>> United Kingdom >>> >>> I'll send another update in a week or so; Jules is on the >> mend, it'll >>> just take a bit of time but in his own words normal service will be >>> resumed :) >> Brilliant news! Thanks for the update Tim. >> >> Regards >> >> Drew >> >> >> -- >> In line with our policy, this message has been scanned >> for viruses and dangerous content by the Technology Tiger MailScanner. >> Further information can be found at www.technologytiger.net/policy >> >> Technology Tiger Limited is registered in Scotland with >> registration number: 310997 >> Registered Office 55-57 West High Street Inverurie AB51 3QQ >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> > > From ITDept at fractalweb.com Wed Mar 14 04:47:19 2007 
From: ITDept at fractalweb.com (Chris Yuzik) Date: Wed Mar 14 03:54:04 2007 Subject: RBL's In-Reply-To: References: <45EF13F7.3050602@fcen.uba.ar> <04D932B0071FE34FA63EBB1977B48D15024FC0BC@woodenex.woodmaclaw.local> <20070307152055.14adc557@localhost> <45F3B2F7.2010405@katy.com> <45F3EBF3.6030700@alexb.ch> <45F523E1.1080501@katy.com> Message-ID: <45F77047.9020403@fractalweb.com> Scott Silva wrote: > But won't that just double the lookups? Or do the lookups end on the first hit? > We use Sendmail, and from what I can tell from our logs, the lookups stop after the first hit. Chris
From ms-list at alexb.ch Wed Mar 14 07:46:21 2007 From: ms-list at alexb.ch (Alex Broens) Date: Wed Mar 14 06:53:02 2007 Subject: SA 3.2 Message-ID: <45F79A3D.1010702@alexb.ch> Good Day all.. Has anyone started to play with MailScanner and SA 3.2 preX? On my test box, so far it has been working fine except for the shortcircuit rules which apparently need direct MS support. Has anybody noticed this as well? Any other issues I may have missed so far? Alex
From arturs at netvision.net.il Wed Mar 14 10:45:31 2007 From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Mar 14 09:53:42 2007 Subject: Jules update In-Reply-To: <45F76236.20208@enitech.com.au> Message-ID: <020801c7661d$81b22910$3701a8c0@lapxp> That would kill the poor man... Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Peter Russell > Sent: Wednesday, March 14, 2007 4:47 AM > To: MailScanner discussion > Subject: Re: Jules update > > Just tell him Wietse has offered to take over development of > MailScanner > - that should speed up his recovery :) > > All the best Jules > Pete > > Arthur Sherman wrote: > > :) > > > > > > Best, > > > > -- > > Arthur Sherman > > > > +972-52-4878851 > > http://www.cpt.co.il/ > > > >> -----Original Message----- 
> >> From: mailscanner-bounces@lists.mailscanner.info > >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > >> Of Drew Marshall > >> Sent: Tuesday, March 13, 2007 12:26 PM > >> To: MailScanner discussion > >> Subject: Re: Jules update > >> > >> On Tue, March 13, 2007 10:00, Tim Chown wrote: > >>> Hi, > >>> > >>> Just a quick note to say Jules is continuing to recover > well. He's > >>> now in a general ward, in a room to himself. > >>> > >>> He's received many cards, and I'm sure he will thank people > >> personally > >>> in due course. If anyone else wants to send one, send it to the > >>> university > >>> and we'll pass it on: > >>> > >>> Julian Field > >>> School of Electronics and Computer Science > >>> University of Southampton > >>> Highfield > >>> Southampton SO17 1BJ > >>> United Kingdom > >>> > >>> I'll send another update in a week or so; Jules is on the > >> mend, it'll > >>> just take a bit of time but in his own words normal > service will be > >>> resumed :) > >> Brilliant news! Thanks for the update Tim. > >> > >> Regards > >> > >> Drew > >> > >> > >> -- > >> In line with our policy, this message has been scanned > >> for viruses and dangerous content by the Technology Tiger > MailScanner. > >> Further information can be found at www.technologytiger.net/policy > >> > >> Technology Tiger Limited is registered in Scotland with > >> registration number: 310997 > >> Registered Office 55-57 West High Street Inverurie AB51 3QQ > >> > >> -- > >> MailScanner mailing list > >> mailscanner@lists.mailscanner.info > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner > >> > >> Before posting, read http://wiki.mailscanner.info/posting > >> > >> Support MailScanner development - buy the book off the website! 
> >> > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From j.ede at birchenallhowden.co.uk Wed Mar 14 11:21:07 2007 From: j.ede at birchenallhowden.co.uk (Jason Ede) Date: Wed Mar 14 10:27:57 2007 Subject: Don't check mail from localhost In-Reply-To: <01dd01c765cd$26bc6390$3701a8c0@lapxp> References: <45F7381B.2080806@fractalweb.com>, <01dd01c765cd$26bc6390$3701a8c0@lapxp> Message-ID: However, don't do this if you have fetchmail enabled for any pop pickups as that will also bypass scanning. Jason From: Arthur Sherman Sent: Wed 14/03/2007 00:10 To: 'MailScanner discussion' Subject: RE: Don't check mail from localhost > > Hi do I set MailScanner not to scan mail from localhost? I > stopped getting > > mail from root > > > That root guy only sends spam anyways. ;-) > > Seriously, this is a two-step process. > > 1) Create a file called "content.scanning.rules" or similar > and put it > in your /etc/MailScanner/rules/ dir. Contents should be: 
> > From: 127.0.0.1 no > FromOrTo: default yes > > 2) Make a change to your MailScanner.conf file. Find the line that > reads: Dangerous Content Scanning = yes and change it to: > Dangerous Content Scanning = %rules-dir%/content.scanning.rules > > 3) save, and restart MailScanner. > > HTH. > > Cheers, > Chris Thanks, Chris! Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ From arturs at netvision.net.il Wed Mar 14 11:21:43 2007 
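The ruleset Chris posted and the fetchmail caveat Jason raised, as an added example that is not part of any post in this thread and is not MailScanner's own code. It is a simplified Python model of ruleset evaluation (assumed here: the first matching rule wins, `default` is the fallback, and a numeric pattern is compared with the connecting client's IP), run over three constructed messages; the addresses and helper names are illustrative.

```python
"""Simplified model of MailScanner ruleset evaluation (added example)."""
import re
from dataclasses import dataclass
from fnmatch import fnmatch

# The ruleset from the thread: switch the check off for 127.0.0.1.
LOCALHOST_RULESET = """\
From:      127.0.0.1  no
FromOrTo:  default    yes
"""

DIRECTIONS = {"from", "to", "fromorto", "fromandto"}
NUMERIC = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}\.?$")  # IP or leading part


@dataclass
class Message:
    client_ip: str     # host that handed the message to the local MTA
    sender: str        # envelope sender
    recipients: list   # envelope recipients


@dataclass
class Rule:
    lineno: int
    direction: str
    pattern: str
    value: str


def parse_ruleset(text):
    """Parse 'Direction: pattern value' lines; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 2)
        direction = fields[0].rstrip(":").lower()
        if len(fields) != 3 or direction not in DIRECTIONS:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        rules.append(Rule(lineno, direction, fields[1], fields[2].lower()))
    return rules


def address_matches(pattern, address):
    """Glob match on an address; a bare domain means any user there."""
    if "@" not in pattern:
        pattern = "*@" + pattern
    return fnmatch(address.lower(), pattern.lower())


def rule_matches(rule, msg):
    if NUMERIC.match(rule.pattern):
        # Numeric patterns are compared with the connecting client only.
        if rule.pattern.endswith("."):
            sender_hit = msg.client_ip.startswith(rule.pattern)
        else:
            sender_hit = msg.client_ip == rule.pattern
        rcpt_hit = False
    else:
        sender_hit = address_matches(rule.pattern, msg.sender)
        rcpt_hit = any(address_matches(rule.pattern, r) for r in msg.recipients)
    return {"from": sender_hit, "to": rcpt_hit,
            "fromorto": sender_hit or rcpt_hit,
            "fromandto": sender_hit and rcpt_hit}[rule.direction]


def evaluate(rules, msg):
    """Return (value, rule): first matching rule, else the default rule."""
    default = None
    for rule in rules:
        if rule.pattern.lower() == "default":
            default = default or rule
        elif rule_matches(rule, msg):
            return rule.value, rule
    if default is None:
        raise LookupError("no rule matched and the ruleset has no default")
    return default.value, default


def loopback_exemptions(rules):
    """Rules that turn a check off for a client address in 127.0.0.0/8."""
    return [r for r in rules
            if r.value == "no" and NUMERIC.match(r.pattern)
            and r.pattern.startswith("127.")]


# Constructed sample messages (not taken from the thread's logs).
SAMPLES = {
    "cron mail from root":
        Message("127.0.0.1", "root@mail.example.org", ["admin@example.org"]),
    "inbound SMTP":
        Message("203.0.113.7", "someone@example.net", ["admin@example.org"]),
    # fetchmail collects the POP mailbox and hands it to the MTA on localhost
    "POP pickup re-injected by fetchmail":
        Message("127.0.0.1", "someone@example.net", ["admin@example.org"]),
}


def scan_decisions(ruleset_text=LOCALHOST_RULESET):
    rules = parse_ruleset(ruleset_text)
    return {name: evaluate(rules, msg)[0] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in scan_decisions().items():
        print(f"{name:40s} scanned: {decision}")
    for rule in loopback_exemptions(parse_ruleset(LOCALHOST_RULESET)):
        print(f"line {rule.lineno}: check is off for loopback pattern {rule.pattern}")
```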
From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Mar 14 10:30:37 2007 Subject: Don't check mail from localhost In-Reply-To: <45F7381B.2080806@fractalweb.com> Message-ID: <021301c76622$905af5f0$3701a8c0@lapxp> > > Hi do I set MailScanner not to scan mail from localhost? I > stopped getting > > mail from root > > > That root guy only sends spam anyways. ;-) > > Seriously, this is a two-step process. > > 1) Create a file called "content.scanning.rules" or similar > and put it > in your /etc/MailScanner/rules/ dir. Contents should be: > > From: 127.0.0.1 no > FromOrTo: default yes > > 2) Make a change to your MailScanner.conf file. Find the line that > reads: Dangerous Content Scanning = yes and change it to: > Dangerous Content Scanning = %rules-dir%/content.scanning.rules > > 3) save, and restart MailScanner. > > HTH. > > Cheers, > Chris Chris, MailScanner still marks them as SPAM. More precisely, SA gets cache hit. And all I have is message ID, not the message itself, so I can not force sa-learn to forget and re-learn, can I? Well, this is probably OT now. Maybe, I better post it to SA list instead. Thanks! Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/
From arturs at netvision.net.il Wed Mar 14 11:54:52 2007 From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Mar 14 11:03:01 2007 Subject: Don't check mail from localhost In-Reply-To: Message-ID: <021b01c76627$318e8550$3701a8c0@lapxp> I have not. Thanks! Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ _____ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Jason Ede Sent: Wednesday, March 14, 2007 12:21 PM To: MailScanner discussion Subject: RE: Don't check mail from localhost However, don't do this if you have fetchmail enabled for any pop pickups as that will also bypass scanning. Jason _____ 
From: Arthur Sherman Sent: Wed 14/03/2007 00:10 To: 'MailScanner discussion' Subject: RE: Don't check mail from localhost > > Hi do I set MailScanner not to scan mail from localhost? I > stopped getting > > mail from root > > > That root guy only sends spam anyways. ;-) > > Seriously, this is a two-step process. > > 1) Create a file called "content.scanning.rules" or similar > and put it > in your /etc/MailScanner/rules/ dir. Contents should be: 
> > From: 127.0.0.1 no > FromOrTo: default yes > > 2) Make a change to your MailScanner.conf file. Find the line that > reads: Dangerous Content Scanning = yes and change it to: > Dangerous Content Scanning = %rules-dir%/content.scanning.rules > > 3) save, and restart MailScanner. > > HTH. > > Cheers, > Chris Thanks, Chris! Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ From clamun at gmail.com Wed Mar 14 12:10:24 2007 
From: clamun at gmail.com (Claudio Mundin) Date: Wed Mar 14 11:16:58 2007 Subject: MailSacanner don't work In-Reply-To: References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com> <45F16C65.2080309@USherbrooke.ca> <7e78dc1f0703090636g39007979u10668986b783bb5d@mail.gmail.com> <45F172F5.3040304@USherbrooke.ca> <7e78dc1f0703131019l6baba2c1x1d70d186aaf8d600@mail.gmail.com> Message-ID: <7e78dc1f0703140410n588b810ay18c9490e7ac3173d@mail.gmail.com> Finally I started all processes manually and my server receives mail but doesn't send at this moment. I think that is not a problem of MailScanner but I'll test. 2007/3/13, Kevin Miller : > > Without knowing exactly what you've done so far, it's hard to say what's > the matter, but in a nutshell, you want to do the following: > > Configure sendmail as below. > As root do the following: > chkconfig sendmail off > chkconfig MailScanner on > install the MailScanner SUSE rpm > install spamassassin & antivirus - the combined package on the MailScanner > site is a good way to go as it takes care of some mundane steps for you. > Edit /etc/MailScanner.conf as appropriate for your configuration. There > are some things in there (like org-name) which *must* be set by you. Most > things are fine with the default setting. But you need to go through it > line by line to make choices that work best for your location. > > ...Kevin > -- > Kevin Miller Registered Linux User No: 307357 > CBJ MIS Dept. Network Systems Admin., Mail Admin. > 155 South Seward Street ph: (907) 586-0242 > Juneau, Alaska 99801 fax: (907 586-4500 > > > > ------------------------------ > *From:* mailscanner-bounces@lists.mailscanner.info [mailto: > mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Claudio Mundin > *Sent:* Tuesday, March 13, 2007 9:19 AM > *To:* MailScanner discussion > *Subject:* Re: MailSacanner don't work > > Hi Kevin, I make this change in the last day but the problem persists. 
I > don't what happend > > 2007/3/13, Kevin Miller : > > > > Denis Beauchemin wrote: > > > Claudio Mundin a ?crit : > > >> If I startup only sendmail then sendmail listen in *MailScanner > > warning: numerical links are often malicious:* 0.0.0.0 25 > > >> But the script of MailScanner throw option tu sendamil that listen > > >> in *MailScanner warning: numerical links are often malicious:*127.0.0.1 > > >> > > > > > > Can anyone using Suse confirm this? It starts fine on RH... > > > > > > Denis > > > > I was out ill last week so this may be already answered, but with SUSE > > you need to edit /etc/sysconfig/mail, changing the following: > > > > MAIL_CREATE_CONFIG="yes" > > SMTPD_LISTEN_REMOTE="no" > > to > > MAIL_CREATE_CONFIG="no" > > SMTPD_LISTEN_REMOTE="yes" > > > > It's easiest to do that in Yast/Syscofig editor, as it will then apply > > the changes... > > > > > > ...Kevin > > -- > > Kevin Miller Registered Linux User No: 307357 > > CBJ MIS Dept. Network Systems Admin., Mail Admin. > > 155 South Seward Street ph: (907) 586-0242 > > Juneau, Alaska 99801 fax: (907 586-4500 > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070314/a84b5d56/attachment.html From dhawal at netmagicsolutions.com Wed Mar 14 12:12:05 2007 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Wed Mar 14 11:17:58 2007 Subject: noticesizeinfected in language translation file In-Reply-To: <1951DC816E1A9F469307B05FA183F4385FF79D@corpatsmail1.corp.sensis.com> References: <1951DC816E1A9F469307B05FA183F4385FF79D@corpatsmail1.corp.sensis.com> Message-ID: <45F7D885.10400@netmagicsolutions.com> Desai, Jason wrote: >>>>> Hi, >>>>> >>>>> I get this error on some of my servers (4.56.8). I looked in >>>>> /etc/MailScanner/reports/en and I can't find an rpmnew >> file or this >>>>> string in the current languages.conf file. >>>>> >>>>> Looked up unknown string noticesizeinfected in language >>>> translation file >>>>> /etc/MailScanner/reports/en/languages.conf >>>>> >>>>> Has it been omitted? >>>>> >>>>> Regards, >>>>> >>>>> Ugo >>>>> >>>> Can anyone check that on their system? >>>> >>>> Ugo >>> It is missing from my system. Running 4.56.8 from the tar >> distribution. >>> Jase >> Do you have errors in your logs about this string? > > Yes. Ugo / Jason, Did you manage to figure out this error?? We are getting this on one of our setups as well.. Am running 4.58.9-1 (the rpm variant) on centos 4.4 - dhawal From ITDept at fractalweb.com Wed Mar 14 12:53:07 2007 
From: ITDept at fractalweb.com (Chris Yuzik) Date: Wed Mar 14 11:59:52 2007 Subject: Don't check mail from localhost In-Reply-To: <021301c76622$905af5f0$3701a8c0@lapxp> References: <021301c76622$905af5f0$3701a8c0@lapxp> Message-ID: <45F7E223.8080301@fractalweb.com> Arthur Sherman wrote: > MailScanner still marks them as SPAM. > > More precisely, SA gets cache hit. And all I have is message ID, not the > message itself, so I can not force sa-learn to forget and re-learn, can i? > Well, this is probably OT now. Maybe, I better post it to SA list instead. > Arthur, That's odd. If you check your headers, is it your customized header that shows that it's tagged as spam? You don't happen to have spamd running on its own, or some sort of milter that does spam checks, do you? On our system, when a message comes from root, it's whitelisted...hmmm. Have you tried simply whitelisting anything from 127.0.0.1 that goes to you? Chris From arturs at netvision.net.il Wed Mar 14 15:02:50 2007 From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Mar 14 14:12:16 2007 Subject: Don't check mail from localhost In-Reply-To: <45F7E223.8080301@fractalweb.com> Message-ID: <025b01c76641$740c2990$3701a8c0@lapxp> > Have you tried simply whitelisting anything from 127.0.0.1 > that goes to you? That's it! I had to whitelist it in both MailScanner.conf and spam.assassin.prefs.conf Thank you! -- Arthur Sherman From clamun at gmail.com Wed Mar 14 15:22:01 2007 
From: clamun at gmail.com (Claudio Mundin) Date: Wed Mar 14 14:28:39 2007 Subject: MailSacanner don't work In-Reply-To: <7e78dc1f0703140410n588b810ay18c9490e7ac3173d@mail.gmail.com> References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com> <45F16C65.2080309@USherbrooke.ca> <7e78dc1f0703090636g39007979u10668986b783bb5d@mail.gmail.com> <45F172F5.3040304@USherbrooke.ca> <7e78dc1f0703131019l6baba2c1x1d70d186aaf8d600@mail.gmail.com> <7e78dc1f0703140410n588b810ay18c9490e7ac3173d@mail.gmail.com> Message-ID: <7e78dc1f0703140722y2cad67efw7a581661e6526904@mail.gmail.com> I solved the problem. The problem was a firewall that didn't permit sending mail. Thanks for your help 2007/3/14, Claudio Mundin : > > Finally I started all processes manually and my server receives mail but > doesn't send at this moment. I think that is not a problem of MailScanner but > I'll test. > > 2007/3/13, Kevin Miller < Kevin_Miller@ci.juneau.ak.us>: > > > > Without knowing exactly what you've done so far, it's hard to say > > what's the matter, but in a nutshell, you want to do the following: > > > > Configure sendmail as below. > > As root do the following: > > chkconfig sendmail off > > chkconfig MailScanner on > > install the MailScanner SUSE rpm > > install spamassassin & antivirus - the combined package on the > > MailScanner site is a good way to go as it takes care of some mundane steps > > for you. > > Edit /etc/MailScanner.conf as appropriate for your configuration. There > > are some things in there (like org-name) which *must* be set by you. Most > > things are fine with the default setting. But you need to go through it > > line by line to make choices that work best for your location. > > > > ...Kevin > > -- > > Kevin Miller Registered Linux User No: 307357 > > CBJ MIS Dept. Network Systems Admin., Mail Admin. 
> > 155 South Seward Street ph: (907) 586-0242 > > Juneau, Alaska 99801 fax: (907 586-4500 > > > > > > > > ------------------------------ > > *From:* mailscanner-bounces@lists.mailscanner.info [mailto: > > mailscanner-bounces@lists.mailscanner.info] *On Behalf Of *Claudio > > Mundin > > *Sent:* Tuesday, March 13, 2007 9:19 AM > > *To:* MailScanner discussion > > *Subject:* Re: MailSacanner don't work > > > > Hi Kevin, i make this change in the last day but te problem persist. I > > don't what happend > > > > 2007/3/13, Kevin Miller : > > > > > > Denis Beauchemin wrote: > > > > Claudio Mundin a ?crit : > > > >> If I startup only sendmail then sendmail listen in *MailScanner > > > warning: numerical links are often malicious:* 0.0.0.025 > > > >> But the script of MailScanner throw option tu sendamil that listen > > > >> in *MailScanner warning: numerical links are often malicious:*127.0.0.1 > > > >> > > > > > > > > Can anyone using Suse confirm this? It starts fine on RH... > > > > > > > > Denis > > > > > > I was out ill last week so this may be already answered, but with SUSE > > > you need to edit /etc/sysconfig/mail, changing the following: > > > > > > MAIL_CREATE_CONFIG="yes" > > > SMTPD_LISTEN_REMOTE="no" > > > to > > > MAIL_CREATE_CONFIG="no" > > > SMTPD_LISTEN_REMOTE="yes" > > > > > > It's easiest to do that in Yast/Syscofig editor, as it will then apply > > > the changes... > > > > > > > > > ...Kevin > > > -- > > > Kevin Miller Registered Linux User No: 307357 > > > CBJ MIS Dept. Network Systems Admin., Mail Admin. > > > 155 South Seward Street ph: (907) 586-0242 > > > Juneau, Alaska 99801 fax: (907 586-4500 > > > -- > > > MailScanner mailing list > > > mailscanner@lists.mailscanner.info > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > > > Support MailScanner development - buy the book off the website! 
> > > > > > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > >
From webmaster at boucinhas.com.br Wed Mar 14 15:43:45 2007 From: webmaster at boucinhas.com.br (Webmaster Boucinhas & Campos) Date: Wed Mar 14 14:50:35 2007 Subject: How to convert a queue file to eml or mbox? Message-ID: <001101c76647$2b4a28a0$1803010a@10205> Hello, I enabled the option "Archive Mail=/var/spool/MailScanner/archive" in /etc/MailScanner/MailScanner.conf. How do I convert the archived file to another format like mbox or eml? Thanks. From bpumphrey at woodmclaw.com Wed Mar 14 14:41:13 2007 
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Wed Mar 14 14:51:48 2007 Subject: MailScanner machine has an error now, please help Message-ID: <04D932B0071FE34FA63EBB1977B48D1502574FA3@woodenex.woodmaclaw.local> I edited the access file, then done a restart of the service, now I get: [root@WoodenMS2 ~]# service MailScanner restart Shutting down MailScanner daemons: MailScanner: [FAILED] incoming sendmail: [ OK ] outgoing sendmail: [ OK ] Starting MailScanner daemons: incoming sendmail: [ OK ] outgoing sendmail: [ OK ] MailScanner: Can't locate IO/Wrap.pm in @INC (@INC contains: /usr /lib/MailScanner /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8 .5 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_pe rl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-threa d-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/si te_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux- thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/ lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_per l/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/v endor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-l inux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/ lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5 .8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread- multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib /perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_ perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl . 
/usr/li b/MailScanner/5.8.5/i386-linux-thread-multi /usr/lib/MailScanner/5.8.5 /usr/lib/ MailScanner/i386-linux-thread-multi /usr/lib/MailScanner/5.8.4 /usr/lib/MailScan ner/5.8.3 /usr/lib/MailScanner/5.8.2 /usr/lib/MailScanner/5.8.1 /usr/lib/MailSca nner/5.8.0 /usr/lib/MailScanner) at /usr/lib/perl5/site_perl/5.8.5/MIME/Parser.p m line 134. BEGIN failed--compilation aborted at /usr/lib/perl5/site_perl/5.8.5/MIME/Parser. pm line 134. Compilation failed in require at /usr/lib/MailScanner/MailScanner/MCPMessage.pm line 41. BEGIN failed--compilation aborted at /usr/lib/MailScanner/MailScanner/MCPMessage .pm line 41. Compilation failed in require at /usr/sbin/MailScanner line 78. BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 78. [ OK ] Any ideas please? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dominian at slackadelic.com Wed Mar 14 15:52:20 2007 From: dominian at slackadelic.com (Matt Hayes) Date: Wed Mar 14 14:59:02 2007 Subject: MailScanner machine has an error now, please help In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1502574FA3@woodenex.woodmaclaw.local> References: <04D932B0071FE34FA63EBB1977B48D1502574FA3@woodenex.woodmaclaw.local> Message-ID: <45F80C24.1020403@slackadelic.com> Billy A. Pumphrey wrote: > I edited the access file, then done a restart of the service, now I get: > > [root@WoodenMS2 ~]# service MailScanner restart > Shutting down MailScanner daemons: > MailScanner: [FAILED] > incoming sendmail: [ OK ] > outgoing sendmail: [ OK ] > Starting MailScanner daemons: > incoming sendmail: [ OK ] > outgoing sendmail: [ OK ] > MailScanner: Can't locate IO/Wrap.pm in @INC (@INC *snip* Right there is the issue... you need to install the IO::Wrap perl module. -Matt From tonyc at foe.co.uk Wed Mar 14 16:01:16 2007 
From: tonyc at foe.co.uk (Tony Canning)
Date: Wed Mar 14 15:08:01 2007
Subject: Problem with password protected spreadsheets
Message-ID: <200703141501.l2EF1Ga00552@portia.foe.co.uk>

I have a problem which is upsetting several of our network users - password
protected excel (.xls) files are not delivered, in-bound or out-bound.

I am using MailScanner-4.57.6, with Sophos, ClamAV & Spamassassin under Solaris.
Here is a sample of the problem from the system log:

Mar 13 17:03:31 localhost MailScanner[6078]: Virus Scanning: ClamAV found 1 infections
Mar 13 17:03:31 localhost MailScanner[6078]: Infected message l2DH2wid008740 came from 172.16.1.13
Mar 13 17:03:31 localhost MailScanner[6078]: Virus Scanning: Found 1 viruses
Mar 13 17:03:31 localhost MailScanner[6078]: tag found in message l2DH2wid008740 from v.harwood-smart@foe.co.uk
Mar 13 17:03:31 localhost MailScanner[6078]: Virus Scanning completed at 959 bytes per second
Mar 13 17:03:31 localhost MailScanner[6078]: Viruses marked as silent: Password protected file ./l2DH2wid008740/rolling phone upgrade gift aid decs.zip/rolling phone upgrade gift aid decs.txt

It appears from the above that ClamAV is treating it as false positive virus?

I have the following parameters configured:

Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = no
Block Encrypted Messages = no
Allow Password-Protected Archives = yes
Allowed Sophos Error Messages = "File was encrypted"

The only way around this that I have found so far is to exempt scanning
completely for the sender and/or recipient in scan.messages.rules, but this
is not very satisfactory.

I'd be most grateful for any advice.

Tony Canning
Infrastructure Officer
Friends of the Earth
England, Wales & N.Ireland

From Kevin_Miller at ci.juneau.ak.us Wed Mar 14 16:32:50 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Mar 14 15:39:18 2007
Subject: MailSacanner don't work
In-Reply-To: <7e78dc1f0703140722y2cad67efw7a581661e6526904@mail.gmail.com>
References: <7e78dc1f0703090145q1dfe95fdl98ba7d511a9cc682@mail.gmail.com><45F16C65.2080309@USherbrooke.ca><7e78dc1f0703090636g39007979u10668986b783bb5d@mail.gmail.com><45F172F5.3040304@USherbrooke.ca><7e78dc1f0703131019l6baba2c1x1d70d186aaf8d600@mail.gmail.com><7e78dc1f0703140410n588b810ay18c9490e7ac3173d@mail.gmail.com> <7e78dc1f0703140722y2cad67efw7a581661e6526904@mail.gmail.com>
Message-ID:

Excellent. Lots of different pieces to the puzzle - glad you were able
to get it sorted out...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

________________________________

From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Claudio Mundin
Sent: Wednesday, March 14, 2007 6:22 AM
To: MailScanner discussion
Subject: Re: MailSacanner don't work

I solve the problem. The problem was a firewall that don't permit send mail

Thank for your help

From mkettler at evi-inc.com Wed Mar 14 16:44:25 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Mar 14 15:51:16 2007
Subject: Problem with password protected spreadsheets
In-Reply-To: <200703141501.l2EF1Ga00552@portia.foe.co.uk>
References: <200703141501.l2EF1Ga00552@portia.foe.co.uk>
Message-ID: <45F81859.2040506@evi-inc.com>

Tony Canning wrote:
> I have a problem which is upsetting several of our network users - password protected excel (.xls) files are not delivered, in-bound or out-bound.
>
> I am using MailScanner-4.57.6, with Sophos, ClamAV & Spamassassin under Solaris.
> Here is a sample of the problem from the system log:
>
> Mar 13 17:03:31 localhost MailScanner[6078]: Virus Scanning: ClamAV found 1 infections
> Mar 13 17:03:31 localhost MailScanner[6078]: Infected message l2DH2wid008740 came from 172.16.1.13
> Mar 13 17:03:31 localhost MailScanner[6078]: Virus Scanning: Found 1 viruses
> Mar 13 17:03:31 localhost MailScanner[6078]: tag found in message l2DH2wid008740 from v.harwood-smart@foe.co.uk
> Mar 13 17:03:31 localhost MailScanner[6078]: Virus Scanning completed at 959 bytes per second
> Mar 13 17:03:31 localhost MailScanner[6078]: Viruses marked as silent: Password protected file ./l2DH2wid008740/rolling phone upgrade gift aid decs.zip/rolling phone upgrade gift aid decs.txt
>
> It appears from the above that ClamAV is treating it as false positive virus?

That's not a password protected XLS, it's a password protected .zip file
containing a .txt file.

> I have the following parameters configured:
>
> Silent Viruses = HTML-IFrame All-Viruses
> Still Deliver Silent Viruses = no
> Block Encrypted Messages = no
> Allow Password-Protected Archives = yes
> Allowed Sophos Error Messages = "File was encrypted"
>

From the looks of it, you're using clamav, not clamavmodule. Do you have
the "block-encrypted" option in /usr/lib/MailScanner/clamav-wrapper?

From bpumphrey at woodmclaw.com Wed Mar 14 17:15:04 2007
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Wed Mar 14 16:21:37 2007
Subject: MailScanner machine has an error now, please help
In-Reply-To: <45F80C24.1020403@slackadelic.com>
Message-ID: <04D932B0071FE34FA63EBB1977B48D15025750BC@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Hayes
> Sent: Wednesday, March 14, 2007 10:52 AM
> To: MailScanner discussion
> Subject: Re: MailScanner machine has an error now, please help
>
> Billy A. Pumphrey wrote:
> > I edited the access file, then done a restart of the service, now I get:
> >
> > [root@WoodenMS2 ~]# service MailScanner restart
> > Shutting down MailScanner daemons:
> > MailScanner: [FAILED]
> > incoming sendmail: [ OK ]
> > outgoing sendmail: [ OK ]
> > Starting MailScanner daemons:
> > incoming sendmail: [ OK ]
> > outgoing sendmail: [ OK ]
> > MailScanner: Can't locate IO/Wrap.pm in @INC (@INC
> *snip*
>
> Right there is the issue... you need to install the IO::Wrap perl module.
>
> -Matt
>
>
> --

Thank you for the response. With my windows mind I could not figure it
out. I also failed to remember that my email would not reach the list as
email both incoming and outgoing were not working as they go through
mailscanner. Through instant messenger someone helped point out the Wrap
module and that done the trick.

Thank you

From am.lists at gmail.com Wed Mar 14 17:16:28 2007
From: am.lists at gmail.com (am.lists)
Date: Wed Mar 14 16:23:07 2007
Subject: MailScanner and Licensing
Message-ID: <25a66d840703140916j6c95a1b7ge1f7d305b9b5de16@mail.gmail.com>

I am a value-added hosting provider. That is, I host domains, develop
websites, and manage mail for my clients.

I've recently come to know the love of MailScanner (with its usual
set of accessories), and have begun migrating away from the commercial
products we had been using.

My question is now what, if anything, am I obligated to do, change,
disclose, etc. to stay in line with the spirit and intent of using the
software in this way?

Angelo

From fssilva at gmail.com Wed Mar 14 17:24:30 2007
From: fssilva at gmail.com (Fabio Silva)
Date: Wed Mar 14 16:31:05 2007
Subject: Message Blocked
Message-ID:

Hi all, i had a mail that was blocked on mailscanner, the message has
no executable file, just a attach with the name msg-29120-102.txt but
the message is marked with "Bad Content" and when i open the message
in mailwatch i have this line above in the report option

"Report: MailScanner: No programs allowed (msg-29120-102.txt)"

In my filename.rules.conf has no deny to .txt just one allow.

Why?? Why this message is blocked?

Regards,
--
Fabio S. Silva

From Kevin_Miller at ci.juneau.ak.us Wed Mar 14 17:31:32 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Mar 14 16:37:55 2007
Subject: MailScanner and Licensing
In-Reply-To: <25a66d840703140916j6c95a1b7ge1f7d305b9b5de16@mail.gmail.com>
References: <25a66d840703140916j6c95a1b7ge1f7d305b9b5de16@mail.gmail.com>
Message-ID:

am.lists wrote:
> I am a value-added hosting provider. That is, I host domains, develop
> websites, and manage mail for my clients.
>
> I've recently come to know the love of MailScanner (with its usual
> set of accessories), and have begun migrating away from the commercial
> products we had been using.
>
> My question is now what, if anything, am I obligated to do, change,
> disclose, etc. to stay in line with the spirit and intent of using the
> software in this way?
>
> Angelo

Pretty simple really:
Buy the book.
Follow the list, upgrade in a reasonably timely manner, & chime in
when you can to help others.
Send Julian a postcard.

And if you really want to reward the architects, buy an appliance from
Fortress Systems...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From am.lists at gmail.com Wed Mar 14 17:42:45 2007
From: am.lists at gmail.com (am.lists)
Date: Wed Mar 14 16:49:21 2007
Subject: Message Blocked
In-Reply-To:
References:
Message-ID: <25a66d840703140942wf4e1e71hb2cc948e921dbf5f@mail.gmail.com>

On 3/14/07, Fabio Silva wrote:
> Hi all, i had a mail that was blocked on mailscanner, the message has
> no executable file, just a attach with the name msg-29120-102.txt but
> the message is marked with "Bad Content" and when i open the message
> in mailwatch i have this line above in the report option
>
> "Report: MailScanner: No programs allowed (msg-29120-102.txt)"
>
> In my filename.rules.conf has no deny to .txt just one allow.
>
> Why?? Why this message is blocked?

If you can ftp / scp the file over to the server and run the "file"
command on it, what kind of file does the OS think it is?

e.g.

[root@mymailgw]# file /var/www/html/index.html
/var/www/html/index.html: HTML document text

but cp index.html to index.txt...

[root@mymailgw]# file index.txt
index.txt: HTML document text

And you can see that the file extension is not relevant... the file
command still knows how to sniff the file type.

Seeing the output of the file command would tell the story.

Angelo

From denis at croombs.org Wed Mar 14 17:42:46 2007
From: denis at croombs.org (Denis Croombs)
Date: Wed Mar 14 16:49:23 2007
Subject: MailScanner and Licensing
In-Reply-To: <25a66d840703140916j6c95a1b7ge1f7d305b9b5de16@mail.gmail.com>
References: <25a66d840703140916j6c95a1b7ge1f7d305b9b5de16@mail.gmail.com>
Message-ID: <15571.87.238.80.64.1173890566.squirrel@www.croombs.org>

> I am a value-added hosting provider. That is, I host domains, develop
> websites, and manage mail for my clients.
>
> I've recently come to know the love of MailScanner (with its usual
> set of accessories), and have begun migrating away from the commercial
> products we had been using.
>
> My question is now what, if anything, am I obligated to do, change,
> disclose, etc. to stay in line with the spirit and intent of using the
> software in this way?
>

Just buy Julian a pressy from Amazon wish list !

Denis

From mkettler at evi-inc.com Wed Mar 14 17:49:36 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Mar 14 16:56:14 2007
Subject: Message Blocked
In-Reply-To:
References:
Message-ID: <45F827A0.8060407@evi-inc.com>

Fabio Silva wrote:
> Hi all, i had a mail that was blocked on mailscanner, the message has
> no executable file, just a attach with the name msg-29120-102.txt but
> the message is marked with "Bad Content" and when i open the message
> in mailwatch i have this line above in the report option
>
> "Report: MailScanner: No programs allowed (msg-29120-102.txt)"
>
> In my filename.rules.conf has no deny to .txt just one allow.
>
> Why?? Why this message is blocked?

Odds are it's a text attachment that's an embedded mail message, typical
of mail clients configured to "Forward as attachment". The embedded mail
message probably has a .exe file attached to it, which your mail client
would understand, and MailScanner detected.

Take a look at the text file in your quarantine and see what it is.

From ssilva at sgvwater.com Wed Mar 14 18:07:32 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Mar 14 17:14:21 2007
Subject: RBL's
In-Reply-To: <45F77047.9020403@fractalweb.com>
References: <45EF13F7.3050602@fcen.uba.ar> <04D932B0071FE34FA63EBB1977B48D15024FC0BC@woodenex.woodmaclaw.local> <20070307152055.14adc557@localhost> <45F3B2F7.2010405@katy.com> <45F3EBF3.6030700@alexb.ch> <45F523E1.1080501@katy.com> <45F77047.9020403@fractalweb.com>
Message-ID:

Chris Yuzik spake the following on 3/13/2007 8:47 PM:
> Scott Silva wrote:
>> But won't that just double the lookups? Or do the lookups end on the
>> first hit?
>>
> We use Sendmail, and from what I can tell from our logs, the lookups
> stop after the first hit.
>
> Chris
>
>
I just never thought about it. Maybe I will re-arrange some things.
I just love the sheer amount of knowledge I see on the lists!

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Wed Mar 14 18:12:17 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Wed Mar 14 17:21:42 2007
Subject: Don't check mail from localhost
In-Reply-To: <01dd01c765cd$26bc6390$3701a8c0@lapxp>
References: <45F7381B.2080806@fractalweb.com> <01dd01c765cd$26bc6390$3701a8c0@lapxp>
Message-ID:

Arthur Sherman spake the following on 3/13/2007 5:10 PM:
>>> Hi do I set MailScanner not to scan mail from localhost? I stopped getting
>>> mail from root
>>>
>> That root guy only sends spam anyways. ;-)
>>
>> Seriously, this is a two-step process.
>>
>> 1) Create a file called "content.scanning.rules" or similar and put it
>> in your /etc/MailScanner/rules/ dir. Contents should be:
>>
>> From: 127.0.0.1 no
>> FromOrTo: default yes
>>
>> 2) Make a change to your MailScanner.conf file. Find the line that
>> reads: Dangerous Content Scanning = yes and change it to:
>> Dangerous Content Scanning = %rules-dir%/content.scanning.rules
>>
>> 3) save, and restart MailScanner.
>>
You can enhance this by adding an "and" clause.
Example ;
From: 127.0.0.1 and from root@localhost no
FromOrTo: default yes

Just use the root address mail is sent from.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ncanepa at fcen.uba.ar Wed Mar 14 18:25:28 2007
From: ncanepa at fcen.uba.ar (Nicolas Canepa)
Date: Wed Mar 14 17:32:09 2007
Subject: Mailscanner + spamassassin +Razor + Pyzor + DCC
Message-ID: <45F83008.7010808@fcen.uba.ar>

Hi, I am using Mailscanner with spamassassin. For what i've read you can
define in Mailscanner.conf to use pyzor, razor and dcc, or tell
spamassassin to use razor, pyzor and dcc in the local.cf file. What's the
best choice? What happens if I tell both to use it? How can I know that
razor pyzor and dcc are working?

This is my spam.assassin.prefs.conf:
# =============== RBSL related items ===============

# By default, SpamAssassin will run RBL checks. If your ISP already
# does this, stop RBL checks in SpamAssassin by un-commenting the
# following line
# skip_rbl_checks 1

# paths to utilities
pyzor_path /usr/bin/pyzor
dcc_path /usr/bin/dccproc

# Uncomment the lines below to stop using the specific service
# To stop Razor2 checks, uncomment the following line
# use_razor2 0
# To stop DCC checks, uncomment the following line
# use_dcc 0
# To stop Pyzor checks, uncomment the following line
# use_pyzor 0
# ==========================================================

And this is my local.cf file:

use_dcc 1
use_pyzor 1
use_razor2 1

Thanks,

--
Nicolás Cánepa
ncanepa@fcen.uba.ar
www.ccc.fcen.uba.ar
Telephone - 4576-3382
CCC - Centro de Comunicación Científica
UBA - Facultad de Ciencias Exactas y Naturales

From mkettler at evi-inc.com Wed Mar 14 19:05:43 2007
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Mar 14 18:12:22 2007
Subject: Mailscanner + spamassassin +Razor + Pyzor + DCC
In-Reply-To: <45F83008.7010808@fcen.uba.ar>
References: <45F83008.7010808@fcen.uba.ar>
Message-ID: <45F83977.3020502@evi-inc.com>

Nicolas Canepa wrote:
> Hi, I am using Mailscanner with spamassassin. For what i've read you can
> define in Mailscanner.conf to use pyzor, razor and dcc, or tell
> spamassassin to use razor, pyzor and dcc in the local.cf file.

Em, no. You can define it in MailScanner.cf, spam.assassin.prefs.conf, or
local.cf.

You cannot define it in MailScanner.conf, which is a MailScanner config
file. Mailscanner.cf on the other hand is a spamassassin config file, and
lives in the spamassassin site rules directory.

> What's the best choice?

MailScanner.cf and local.cf are functionally equal to SA.

Technically (by the SA docs) many of these settings don't belong in
spam.assassin.prefs.conf, and will be ignored if present there (but in
practice, SA currently honors them because of how MS invokes SA).

For most of us, spam.assassin.prefs.conf is just a symlink to
MailScanner.cf anyway.

What happens if I tell both to use it?

Should work fine.

> How can I know that razor pyzor and dcc are working?

First, get it working in SA:

Assuming SA 3.1.0 or higher, make sure the plugins are not commented out
in your spamassassin *.pre config files. If the plugin isn't loaded, it
won't run.

Run spamassassin --lint. Fix any complaints.

Feed a test message into spamassassin -tD. Look at the debugs, you should
see several debug messages for each tool SA is querying.

From there, reload (or restart) MailScanner, and check for the rules
hitting in your logs.

From arturs at netvision.net.il Wed Mar 14 18:32:54 2007
From: arturs at netvision.net.il (Arthur Sherman)
Date: Wed Mar 14 18:17:47 2007
Subject: Don't check mail from localhost
In-Reply-To:
Message-ID: <028a01c7665e$cc5ffc30$3701a8c0@lapxp>

> You can enhance this by adding an "and" clause.
> Example ;
> From: 127.0.0.1 and from root@localhost no
> FromOrTo: default yes
>
> Just use the root address mail is sent from.

Should I put semi-colon after second From ?

Thanks!


Best,

--
Arthur Sherman

+972-52-4878851
http://www.cpt.co.il/

From Kevin_Miller at ci.juneau.ak.us Wed Mar 14 19:17:10 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Wed Mar 14 18:23:33 2007
Subject: Don't check mail from localhost
In-Reply-To: <028a01c7665e$cc5ffc30$3701a8c0@lapxp>
References: <028a01c7665e$cc5ffc30$3701a8c0@lapxp>
Message-ID:

Arthur Sherman wrote:
>> You can enhance this by adding an "and" clause.
>> Example ;
>> From: 127.0.0.1 and from root@localhost no
>> FromOrTo: default yes
>>
>> Just use the root address mail is sent from.
>
> Should I put semi-colon after second From ?

I'd do:
From: 127.0.0.1 no
From: root@localhost no
FromOrTo: default yes

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From james at gray.net.au Wed Mar 14 22:06:32 2007
From: james at gray.net.au (James Gray)
Date: Wed Mar 14 23:30:46 2007
Subject: What MTA ...
In-Reply-To: <45F5ACBB.8040108@syska.dk>
References: <45F5ACBB.8040108@syska.dk>
Message-ID:

On 13/03/2007, at 6:40 AM, Mikael Syska wrote:

> Hi,
>
> First off ... I dont want to start a flamewar of any kind
> here ..... please.
>
> I have used Postfix for about a year and its fairly easy to use,
> used it with VDA ... and multiple domains ... so I wanted to try a
> new MTA.
>
> One of the 3 others ...
>
> So my question is ... what works best with MS? since Postfix got
> some issues with MS ( not that it have any effect, after what I
> have read ) I still wants to try a new ... maybe I will like
> Postfix best after I have tried the other, you'll never know....

I've used sendmail, exim and postfix with MS. My order of preference is
exactly as listed in the previous sentence, with sendmail first. The
reasons vary but I'll list a few:

Sendmail (Pro's):
- extremely flexible
- rich plugin (milter) library that can be used along side MS without major modification.
- very powerful MTA-level anti-spam features (greet pause, bad recipient throttles, RBL's, etc, etc)
- scales extremely well
- easiest to integrate with MS.
- easy to implement individual delivery for multi-recipient messages (split mail) allowing full use of MailScanner's per-recipient filtering.

Sendmail (Con's):
- mail routing can be a pain depending on your back-end (eg, LDAP, AD, NDS, etc)
- configuration can be daunting to the inexperienced, but there are plenty of how-to's etc.
- recipient verification can be cumbersome (see comments on mail routing).

Exim (Pro's):
- extremely flexible
- most binary distributions have out-of-the-box MySQL support (exim4...if that's important)
- very easy to configure and accomplish routine mail setups
- easy to integrate with MS (requires 2 separate processes)
- very powerful MTA-level anti-spam features...but not as many as sendmail in my experience.
- very easy to enable TLS/SSL SMTP.
- mail routing and recipient verification can be easily managed from a MySQL back-end.
- scales very well.
- powerful server-side delivery filtering and/or sieve scripts.

Exim (Con's):
- Requires two completely separate daemons and configurations for MS, but this is extremely well documented.
- Limited "native plugin" support, but pretty much anything can be used as a "plugin" through Exim's "routers".
- mail routing and recipient verification can be kludgy if your back-end is a little esoteric (Active Directory, I'm looking at you!)
- can be used to split multi-recipient messages, but not as intuitively as sendmail.

Postfix (Pro's):
- Very easy to set-up and configure
- good MTA-level anti-spam features (but lacks some of exim and sendmail's more advanced features)
- IMHO it has a better security track-record than both sendmail and exim[1]
- only requires a single daemon
- later versions have support for some (most?) sendmail milters.
- scales well.

Postfix (Con's):
- the Postfix author and community are very "anti" MS.
- much more difficult to split multi-recipient messages, especially on heavily loaded system.
- I don't like the plugin model (everything talks to each other over sockets)[2]

Some footnotes:

[1] Previous track-records in security have little relevance to actual
security now. However, it seems the sendmail developers drag their heels
on patches compared to both exim and postfix. I'm happy to be proven
wrong on that count, but that's just my perception based on over 7 years
as a full-time mail admin :)

[2] Using sockets to talk to extensions/plugins can be a benefit in very
large installations, as you can distribute your plugins across physical
boxes to spread the load. However, the model also means that some
information about the message is not passed to the plugins; which is why
MS uses the queue files directly (are you reading this Wietse?).

There are other Pro's and Con's for all three, but these are the ones
that jump out at me. If I knew more about what you are trying to achieve,
what existing infrastructure you have and how you would like to
administer the whole system, then I (and others) could provide some more
specific information.

Take care,

James

From ssilva at sgvwater.com Thu Mar 15 00:54:26 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Mar 15 00:01:15 2007
Subject: Don't check mail from localhost
In-Reply-To: <028a01c7665e$cc5ffc30$3701a8c0@lapxp>
References: <028a01c7665e$cc5ffc30$3701a8c0@lapxp>
Message-ID:

Arthur Sherman spake the following on 3/14/2007 10:32 AM:
>> You can enhance this by adding an "and" clause.
>> Example ;
>> From: 127.0.0.1 and from root@localhost no
>> FromOrTo: default yes
>>
>> Just use the root address mail is sent from.
>
> Should I put semi-colon after second From ?
>
> Thanks!
>
>
> Best,
>
> --
> Arthur Sherman
>
> +972-52-4878851
> http://www.cpt.co.il/
>
>
Yes! I forgot the colon.
The above will keep from whitelisting other local mail, like webmail if
you provide that for a few roaming users.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From pete at enitech.com.au Thu Mar 15 01:40:43 2007
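The rulesets proposed in the "Don't check mail from localhost" thread above, compared in a simplified Python model. This is an added example, not part of any poster's message and not MailScanner's own code; it assumes first-match-wins evaluation, exact-match patterns only, the colon-corrected form of the "and" rule, and constructed sample messages.

```python
"""Simplified model of first-match ruleset evaluation (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    client_ip: str                        # address of the connecting SMTP client
    sender: str                           # envelope sender, chosen by the client
    recipient: str = "user@example.org"   # constructed placeholder


def _is_ip(pattern):
    try:
        ipaddress.ip_address(pattern)
        return True
    except ValueError:
        return False


def _matches(direction, pattern, msg):
    """Test one 'Direction: pattern' condition (exact matches only)."""
    direction = direction.rstrip(":").lower()
    if pattern.lower() == "default":
        return True
    if _is_ip(pattern):
        # An IP pattern is compared with the connecting client's address.
        return direction in ("from", "fromorto") and pattern == msg.client_ip
    pattern = pattern.lower()
    from_hit = pattern == msg.sender.lower()
    to_hit = pattern == msg.recipient.lower()
    return {"from": from_hit, "to": to_hit,
            "fromorto": from_hit or to_hit}.get(direction, False)


def parse_ruleset(text):
    """Parse lines into (conditions, value); conditions are joined by 'and'."""
    rules = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        value = tokens.pop()
        conditions = []
        while tokens:
            if len(tokens) < 2:
                raise ValueError(f"malformed rule: {raw!r}")
            conditions.append((tokens[0], tokens[1]))
            tokens = tokens[2:]
            if tokens and tokens[0].lower() == "and":
                tokens = tokens[1:]
        if not conditions:
            raise ValueError(f"rule has no condition: {raw!r}")
        rules.append((conditions, value))
    return rules


def evaluate(ruleset_text, msg, fallback="yes"):
    """Return the value of the first rule whose conditions all match."""
    for conditions, value in parse_ruleset(ruleset_text):
        if all(_matches(d, p, msg) for d, p in conditions):
            return value
    return fallback


# Two independent exemptions: either condition alone skips scanning.
SEPARATE_RULES = """
From: 127.0.0.1 no
From: root@localhost no
FromOrTo: default yes
"""

# One exemption that needs both the local client IP and the root sender.
COMBINED_RULE = """
From: 127.0.0.1 and From: root@localhost no
FromOrTo: default yes
"""

# Constructed sample messages.
MESSAGES = {
    "root mail generated on the gateway": Message("127.0.0.1", "root@localhost"),
    "webmail user on the same host": Message("127.0.0.1", "alice@example.com"),
    "remote client claiming root@localhost": Message("203.0.113.5", "root@localhost"),
}


def compare():
    """Map each sample to (separate-rules value, combined-rule value)."""
    return {label: (evaluate(SEPARATE_RULES, m), evaluate(COMBINED_RULE, m))
            for label, m in MESSAGES.items()}


if __name__ == "__main__":
    for label, (separate, combined) in compare().items():
        print(f"{label:40} separate={separate:3} combined={combined}")
```

A value of "no" means the scanning setting that points at the ruleset is switched off for that message. Only the combined rule keeps scanning mail that satisfies just one of the two conditions, which matters because the envelope sender is supplied by the connecting client.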
From: pete at enitech.com.au (Peter Russell)
Date: Thu Mar 15 00:47:29 2007
Subject: MailScanner and Licensing
In-Reply-To:
References: <25a66d840703140916j6c95a1b7ge1f7d305b9b5de16@mail.gmail.com>
Message-ID: <45F8960B.7060407@enitech.com.au>

Kevin Miller wrote:
> am.lists wrote:
>> I am a value-added hosting provider. That is, I host domains, develop
>> websites, and manage mail for my clients.
>>
>> I've recently come to know the love of MailScanner (with its usual
>> set of accessories), and have begun migrating away from the commercial
>> products we had been using.
>>
>> My question is now what, if anything, am I obligated to do, change,
>> disclose, etc. to stay in line with the spirit and intent of using the
>> software in this way?
>>
>> Angelo
>
> Pretty simple really:
> Buy the book.
> Follow the list, upgrade in a reasonably timely manner, & chime in
> when you can to help others.
> Send Julian a postcard.
>
> And if you really want to reward the architects, buy an appliance from
> Fortress Systems...

...and make a donation - we are not for profit org. But consider we paid
10k for a CA appliance that simply did not work and was thrown out and
replaced with MS. We saw the value we were getting made a small
contribution. If it saves you money, or if it makes you money then you
can afford a donation.

From am.lists at gmail.com Thu Mar 15 02:40:17 2007
From: am.lists at gmail.com (am.lists)
Date: Thu Mar 15 01:46:58 2007
Subject: Additional recipients within same lose mail when quarantined/released...
Message-ID: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com>

Sorry for the ramble of a subject line, but what I'm seeing is
essentially lost mail to additional recipients.

Scenario: (Config: Postfix, Mailscanner, Mailwatch.)

Bob sends John and Mary an email. It gets tagged as spam. Both are at
somedomain.net. As John's listed as the first to address in the
envelope, he gets the message in his quarantine. He releases it. Mary
knows nothing of the email. No quarantine file for her (in MailWatch),
and when John releases it, it only goes to John.

Variation: Bob sends to Tom and John. John is at somedomain.net but Tom
is at anotherdomain.us. Both are handled by my mailscanner. Same exact
behavior as above.

I've been googling this and the solutions I've found have been really
ancient (2003 vintage), and as such, several versions of released code
old. I'm wondering if there's some new way of fixing this issue? I don't
particularly want to rig up a second instance of postfix on some odd
port just to fix this... unless I have to. 8-(

Angelo

From a.peacock at chime.ucl.ac.uk Thu Mar 15 09:34:08 2007
From: a.peacock at chime.ucl.ac.uk (Anthony Peacock)
Date: Thu Mar 15 08:41:11 2007
Subject: Message Blocked
In-Reply-To:
References:
Message-ID: <45F90500.8040908@chime.ucl.ac.uk>

Fabio Silva wrote:
> Hi all, i had a mail that was blocked on mailscanner, the message has
> no executable file, just a attach with the name msg-29120-102.txt but
> the message is marked with "Bad Content" and when i open the message
> in mailwatch i have this line above in the report option
>
> "Report: MailScanner: No programs allowed (msg-29120-102.txt)"
>
> In my filename.rules.conf has no deny to .txt just one allow.
>
> Why?? Why this message is blocked?

Hi,

My MailScanner sometimes stops Russian language messages in this way.
The text of the email message is passed to the file command which thinks
that it has the characteristics of an executable.

This has been discussed in the past, I can't remember the exact details.

I have never bothered fixing this as all Russian language emails to us
are junk mail anyway.

--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples
then you and I will still each have one apple. But if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw

From martinh at solidstatelogic.com Thu Mar 15 10:16:31 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Thu Mar 15 09:23:19 2007
Subject: Mailscanner + spamassassin +Razor + Pyzor + DCC
In-Reply-To: <45F83008.7010808@fcen.uba.ar>
Message-ID: <7ef6ba6b90603b4392bb3379e48081cc@solidstatelogic.com>

Hi

Don't forget to enable the plugins in the /etc/mail/spamassassin/*.pre
files as well..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Nicolas Canepa
> Sent: 14 March 2007 17:25
> To: mailscanner@lists.mailscanner.info
> Subject: Mailscanner + spamassassin +Razor + Pyzor + DCC
>
> Hi, I am using Mailscanner with spamassassin. For what i've read you can
> define in Mailscanner.conf to use pyzor, razor and dcc, or tell
> spamassassin to use razor, pyzor and dcc in the local.cf file. What's the
> best choice? What happens if I tell both to use it? How can I know that
> razor pyzor and dcc are working?
>
> This is my spam.assassin.prefs.conf:
> # =============== RBSL related items ===============
>
> # By default, SpamAssassin will run RBL checks. If your ISP already
> # does this, stop RBL checks in SpamAssassin by un-commenting the
> # following line
> # skip_rbl_checks 1
>
> # paths to utilities
> pyzor_path /usr/bin/pyzor
> dcc_path /usr/bin/dccproc
>
> # Uncomment the lines below to stop using the specific service
> # To stop Razor2 checks, uncomment the following line
> # use_razor2 0
> # To stop DCC checks, uncomment the following line
> # use_dcc 0
> # To stop Pyzor checks, uncomment the following line
> # use_pyzor 0
> # ==========================================================
>
> And this is my local.cf file:
>
> use_dcc 1
> use_pyzor 1
> use_razor2 1
>
>
> Thanks,
>
> --
> Nicolás Cánepa
> ncanepa@fcen.uba.ar
> www.ccc.fcen.uba.ar
> Telephone - 4576-3382
> CCC - Centro de Comunicación Científica
> UBA - Facultad de Ciencias Exactas y Naturales

From fssilva at gmail.com Thu Mar 15 12:11:05 2007
From: fssilva at gmail.com (Fabio Silva) Date: Thu Mar 15 11:17:44 2007 Subject: Message Blocked In-Reply-To: <45F90500.8040908@chime.ucl.ac.uk> References: <45F90500.8040908@chime.ucl.ac.uk> Message-ID: Hi all... i again... i checked the file and i can see that is a MS-DOC executable.... but... how to solve it? because it isnt an executable file... has any way to solve it?? # file /var/spool/MailScanner/quarantine/20070313/D71E1215BF1.1B141/msg-29120-102.txt /var/spool/MailScanner/quarantine/20070313/D71E1215BF1.1B141/msg-29120-102.txt: MS-DOS executable (COM) Best Regards, Fabio On 3/15/07, Anthony Peacock wrote: > Fabio Silva wrote: > > Hi all, i had a mail that was blocked on mailscanner, the message has > > no executable file, just a attach with the name msg-29120-102.txt but > > the message is marked with "Bad Content" and when i open the message > > in mailwatch i have this line above in the report option > > > > "Report: MailScanner: No programs allowed (msg-29120-102.txt)" > > > > In my filename.rules.conf has no deny to .txt just one allow. > > > > Why?? Why this message is blocked? > > Hi, > > My MailScanner sometimes stops Russian language messages in this way. > The text of the email message is passed to the file command which thinks > that it has the characteristics of an executable. > > This has been discussed in the past, I can't remember the exact details. > > I have never bothered fixing this as all Russian language emails to us > are junk mail anyway. > > > -- > Anthony Peacock > CHIME, Royal Free & University College Medical School > WWW: http://www.chime.ucl.ac.uk/~rmhiajp/ > "If you have an apple and I have an apple and we exchange apples > then you and I will still each have one apple. But if you have an > idea and I have an idea and we exchange these ideas, then each of us > will have two ideas." 
-- George Bernard Shaw > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -- Fabio S. Silva From tonyc at foe.co.uk Thu Mar 15 13:10:20 2007 
From: tonyc at foe.co.uk (Tony Canning) Date: Thu Mar 15 12:17:30 2007 Subject: Problem with password protected spreadsheets Message-ID: <200703151210.l2FCAK700789@portia.foe.co.uk> >>Tony Canning wrote: >> I have a problem which is upsetting several of our network users - password protected excel (.xls) files are not delivered, in-bound or out-bound. >> >> I am using MailScanner-4.57.6, with Sophos, ClamAV & Spamassassin under Solaris. >> Here is a sample of the problem from the system log: >> >> Mar 13 17:03:31 localhost MailScanner[6078]: Virus Scanning: ClamAV >> found 1 infections Mar 13 17:03:31 localhost MailScanner[6078]: >> Infected message l2DH2wid008740 came from 172.16.1.13 Mar 13 17:03:31 >> localhost MailScanner[6078]: Virus Scanning: Found 1 viruses Mar 13 >> 17:03:31 localhost MailScanner[6078]: tag found in message >> l2DH2wid008740 from v.harwood-smart@foe.co.uk Mar 13 17:03:31 >> localhost MailScanner[6078]: Virus Scanning completed at 959 bytes per >> second Mar 13 17:03:31 localhost MailScanner[6078]: Viruses marked as >> silent: Password protected file ./l2DH2wid008740/rolling phone upgrade >> gift aid decs.zip/rolling phone upgrade gift aid decs.txt >> >> It appears from the above that ClamAV is treating it as false positive virus? >That's not a password protected XLS, it's a password protected .zip file containing a .txt file. 
Yes, you're right of course from the example I provided - here is the same thing happening with a spreadsheet: Mar 8 10:01:59 localhost MailScanner[25266]: Virus Scanning: ClamAV found 1 infections Mar 8 10:01:59 localhost MailScanner[25266]: Infected message l28A1aid025590 came from 172.16.1.13 Mar 8 10:01:59 localhost MailScanner[25266]: Virus Scanning: Found 1 viruses Mar 8 10:01:59 localhost MailScanner[25266]: tag found in message l28A1aid025590 from v.harwood-smart@foe.co.uk Mar 8 10:01:59 localhost MailScanner[25266]: Virus Scanning completed at 24252 bytes per second Mar 8 10:01:59 localhost MailScanner[25266]: Viruses marked as silent: Password protected file ./l28A1aid025590/Rolling Phone Upgrade Data Output.xls >> I have the following parameters configured: >> >> Silent Viruses = HTML-IFrame All-Viruses Still Deliver Silent Viruses >> = no Block Encrypted Messages = no Allow Password-Protected Archives = >> yes Allowed Sophos Error Messages = "File was encrypted" >> >From the looks of it, you're using clamav, not clamavmodule. do you have the "block-encrypted" option in /usr/lib/MailScanner/clamav-wrapper? -- No, there is no entry relating the encryption at all. Thanks Tony From joost at waversveld.nl Thu Mar 15 13:50:21 2007 
From: joost at waversveld.nl (Joost Waversveld) Date: Thu Mar 15 12:57:10 2007 Subject: Additional recipients within same lose mail when quarantined/released... In-Reply-To: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com> References: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com> Message-ID: <45F9410D.9020404@waversveld.nl> am.lists wrote: > Sorry for the ramble of a subject line, but what I'm seeing is > essentially lost mail to additional recipients. > > Scenario: (Config: Postfix, Mailscanner, Mailwatch.) > > Bob sends John and Mary an email. It gets tagged as spam. Both are at > somedomain.net. As John's listed as the first to address in the > envelope, he gets the message in his quarantine. He releases it. Mary > knows nothing of the email. No quarantine file for her (in MailWatch), > and when John releases it, it only goes to John. > > Variation: > > Bob sends to Tom and John. John is at somedomain.net but Tom is at > anotherdomain.us. Both are handled by my mailscanner. Same exact > behavior as above. > > I've been googling this and the solutions I've found have been really > ancient (2003 vintage), and as such, several versions of released code > old. > > I'm wondering if there's some new way of fixing this issue? I don't > particularly want to rig up a second instance of postfix on some odd > port just to fix this... unless I have to. 8-( > > Angelo What you could do is split the messages at the MTA level. See the page at http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:split_mails_per_recipient&s=split%20postfix for an explanation. We use this on sendmail and it works great. Only downside is that your mailserver will have to scan more messages... regards, Joost Waversveld From campbell at cnpapers.com Thu Mar 15 14:05:51 2007 
From: campbell at cnpapers.com (Steve Campbell) Date: Thu Mar 15 13:12:47 2007 Subject: Additional recipients within same lose mail whenquarantined/released... References: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com> Message-ID: <004d01c76702$a8f0fe30$0705000a@ddf5dw71> ----- Original Message ----- 
From: "am.lists" To: "MailScanner discussion" Sent: Wednesday, March 14, 2007 9:40 PM Subject: Additional recipients within same lose mail whenquarantined/released... > Sorry for the ramble of a subject line, but what I'm seeing is > essentially lost mail to additional recipients. > > Scenario: (Config: Postfix, Mailscanner, Mailwatch.) > > Bob sends John and Mary an email. It gets tagged as spam. Both are at > somedomain.net. As John's listed as the first to address in the > envelope, he gets the message in his quarantine. He releases it. Mary > knows nothing of the email. No quarantine file for her (in MailWatch), > and when John releases it, it only goes to John. > > Variation: > > Bob sends to Tom and John. John is at somedomain.net but Tom is at > anotherdomain.us. Both are handled by my mailscanner. Same exact > behavior as above. > > I've been googling this and the solutions I've found have been really > ancient (2003 vintage), and as such, several versions of released code > old. > > I'm wondering if there's some new way of fixing this issue? I don't > particularly want to rig up a second instance of postfix on some odd > port just to fix this... unless I have to. 8-( > > Angelo I'd blacklist Bob, he seems to be a problem sender;-) Now, for an alternate, and more serious reply. I believe this is the normal way for Mailwatch to handle things in the current release. If you are referring to a way to search in Reports for all email to, say, John or Mary, in the above examples, you can use the Filter: To: contains %John% or replace %John% with %Mary%. I'm not sure if the daily reports go to John or Mary indicating a blocked email. If not, you might try hacking the report code to do something similar to the above filter. I don't believe there are separate quarantine files for different individuals, either. So to solve this, you would probably need to break all multiple-recipient emails into individual emails. 
This has been discussed quite thoroughly on the list at different times as to why and how to do it. There is also the 'alternative recipient' section of releasing email once you have discovered John and Mary are missing email. I realize this isn't a definitive answer, but hope it helps in some way. Steve From arturs at netvision.net.il Thu Mar 15 15:29:39 2007 From: arturs at netvision.net.il (Arthur Sherman) Date: Thu Mar 15 14:46:42 2007 Subject: Don't check mail from localhost In-Reply-To: Message-ID: <033701c7670e$5d84b610$3701a8c0@lapxp> Thanks Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Scott Silva > Sent: Thursday, March 15, 2007 1:54 AM > To: mailscanner@lists.mailscanner.info > Subject: Re: Don't check mail from localhost > > Arthur Sherman spake the following on 3/14/2007 10:32 AM: > >> You can enhance this by adding an "and" clause. > >> Example ; > >> From: 127.0.0.1 and from root@localhost no > >> FromOrTo: default yes > >> > >> Just use the root address mail is sent from. > > > > Should I put semi-colon after second From ? > > > > Thanks! > > > > > > Best, > > > > -- > > Arthur Sherman > > > > +972-52-4878851 > > http://www.cpt.co.il/ > > > > > Yes! I forgot the colon. The above will keep from > whitelisting other local > mail, like webmail if you provide that for a few roaming users. > > -- > > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > From neilw at dcdata.co.za Thu Mar 15 16:04:40 2007
From: neilw at dcdata.co.za (Neil Wilson) Date: Thu Mar 15 15:11:35 2007 Subject: Report: Denial of Service attack in message! Message-ID: <45F96088.1010604@dcdata.co.za> Hi guys, One of my clients is seeing quite a few "Report: Denial of Service attack in message!" in Mailwatch. MailScanner is blocking these as "Anti-Virus/Dangerous Content Protection Virus: Y" The mails aren't being quarantined and bounced messages aren't being sent as I have notifications for virus mails turned off. Below is taken out of my email logs. Mar 14 14:59:50 mailgw MailScanner[6532]: Message 9615852E74.05ADD from 192.168.8.2 (patdewe@clientsdomain.co.za) to blabla.co.za Mar 14 15:30:31 mailgw MailScanner[6532]: Virus Scanning: Denial Of Service attack is in message 9615852E74.05ADD Mar 14 15:30:32 mailgw MailScanner[6532]: Infected message The mails are legitimate and it doesn't look like there is anything fishy about them. Why are these getting blocked, how can I stop these, and what check in MailScanner handles these as I've looked through all of the checks and the only thing I can find regarding "Denial of service" is "TNEF Expander = /usr/bin/tnef --maxsize=100000000", but this by default is set to nearly 100MB if my calculations are right, and these mails are no where near this size. Thanks any help will be appreciated. Regards. Neil -- This email and all contents are subject to the following disclaimer: http://www.dcdata.co.za/emaildisclaimer.html From mailscanner at yeticomputers.com Thu Mar 15 17:03:06 2007 
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Mar 15 16:09:56 2007 Subject: Report: Denial of Service attack in message! In-Reply-To: <45F96088.1010604@dcdata.co.za> References: <45F96088.1010604@dcdata.co.za> Message-ID: <45F96E3A.6040607@yeticomputers.com> Neil Wilson wrote: > Why are these getting blocked, how can I stop these, and what check in > MailScanner handles these as I've looked through all of the checks and > the only thing I can find regarding "Denial of service" is "TNEF > Expander = /usr/bin/tnef --maxsize=100000000", but this by default is > set to nearly 100MB if my calculations are right, and these mails are > no where near this size. That denial of service message can be caused by timeouts while virus scanning the email in question. Is the server heavily loaded? Many versions of Microsoft Outlook are configured by default to send Rich Text messages. When Outlook does this, it attaches a TNEF file that contains the formatting info for the message. I've seen the TNEF decoder choke on these files from time to time, causing the above mentioned timeouts. You might want to try changing to the internal decoder, or upgrade your version of the external decoder if it's old. Rick From ssilva at sgvwater.com Thu Mar 15 16:59:11 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Mar 15 16:10:10 2007 Subject: Message Blocked In-Reply-To: References: <45F90500.8040908@chime.ucl.ac.uk> Message-ID: Fabio Silva spake the following on 3/15/2007 4:11 AM: > Hi all... i again... i checked the file and i can see that is a MS-DOC > executable.... but... how to solve it? because it isnt an executable > file... has any way to solve it?? > But if you can see that it is an executable file, then why do you say that it isn't executable? If it is an executable renamed to a text file, it can still be dangerous, and might be a virus. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Thu Mar 15 17:01:45 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Mar 15 16:11:56 2007 Subject: Mailscanner + spamassassin +Razor + Pyzor + DCC In-Reply-To: <45F83977.3020502@evi-inc.com> References: <45F83008.7010808@fcen.uba.ar> <45F83977.3020502@evi-inc.com> Message-ID: Matt Kettler spake the following on 3/14/2007 11:05 AM: > Nicolas Canepa wrote: >> Hi, I am using Mailscanner with spamassassin. For what i've read you can >> define in Mailscanner.conf to use pyzor, razor and dcc, or tell >> spamassassin to use razor, pyzor and dcc in the local.cf file. > > Em, no. you can define it in MailScanner.cf, spam.assassin.prefs.conf, or local.cf. > > You cannot define it in MailScanner.conf, which is a MailScanner config file. > Mailscanner.cf on the other hand is a spamassassin config file, and lives in the > spamassassin site rules directory. Actually, mailscanner.cf is supposed to be a softlink to spamassassin.prefs.conf. If you have something else, you are breaking the reason that this was done. > >> What's the best choice? > > MailScanner.cf and local.cf are functionally equal to SA. > > Technically (by the SA docs) many of these settings don't belong in > spam.assassin.prefs.conf, and will be ignored if present there (but in practice, > SA currently honors them because of how MS invokes SA). > For most of us, spam.assassin.prefs.conf is just a symlink to MailScanner.cf anyway. > > What happens if I tell both to use it? > > Should work fine. > >> How can I know that razor pyzor and dcc are working? > > First, get it working in SA: > > Assuming SA 3.1.0 or higher, make sure the plugins are not commented out in your > spamassassin *.pre config files. If the plugin isn't loaded, it won't run. > > Run spamassassin --lint. Fix any complaints. > > Feed a test message into spamassassin -tD. Look at the debugs, you should see > several debug messages for each tool SA is querying. > > > From there, reload (or restart) MailScanner, and check for the rules hitting in > your logs. 
> > -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From mkettler at evi-inc.com Thu Mar 15 18:14:20 2007 
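[Added example, not part of any message in this thread and not MailScanner or SpamAssassin code.] The first check in the quoted list above (plugin loaded in a *.pre file) combined with the use_* switches from the original question, as a small offline audit. The file contents are constructed samples; the read order (*.pre first, then the .cf files), "last setting wins" and "default is on" are assumptions of this sketch.

```python
import re

# Tool name -> (plugin module that must be loaded, switch that must not be 0).
TOOLS = {
    "razor2": ("Mail::SpamAssassin::Plugin::Razor2", "use_razor2"),
    "pyzor": ("Mail::SpamAssassin::Plugin::Pyzor", "use_pyzor"),
    "dcc": ("Mail::SpamAssassin::Plugin::DCC", "use_dcc"),
}

LOADPLUGIN = re.compile(r"^loadplugin\s+(\S+)")
SWITCH = re.compile(r"^(use_\w+)\s+([01])\s*$")

# Constructed sample files, listed in the order they are assumed to be read.
# The two .cf/.conf bodies mirror the settings quoted in the question.
SAMPLE_FILES = [
    ("v310.pre", """\
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::Pyzor
# loadplugin Mail::SpamAssassin::Plugin::DCC
"""),
    ("local.cf", """\
use_dcc 1
use_pyzor 1
use_razor2 1
"""),
    ("spam.assassin.prefs.conf", """\
pyzor_path /usr/bin/pyzor
dcc_path /usr/bin/dccproc
# use_razor2 0
# use_dcc 0
# use_pyzor 0
"""),
]


def effective_state(files):
    """Return, per tool, whether its plugin is loaded and its switch is on.

    files: list of (filename, text) in read order.
    """
    loaded = set()
    switches = {}  # option -> [(filename, bool), ...] in read order
    for name, text in files:
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments
            if not line:
                continue
            match = LOADPLUGIN.match(line)
            if match:
                loaded.add(match.group(1))
                continue
            match = SWITCH.match(line)
            if match:
                switches.setdefault(match.group(1), []).append(
                    (name, match.group(2) == "1"))

    report = {}
    for tool, (module, option) in TOOLS.items():
        history = switches.get(option, [])
        enabled = history[-1][1] if history else True  # assumed default: on
        report[tool] = {
            "plugin_loaded": module in loaded,
            "enabled": enabled,
            "set_in": [fname for fname, _ in history],
            "will_run": module in loaded and enabled,
        }
    return report


if __name__ == "__main__":
    for tool, state in effective_state(SAMPLE_FILES).items():
        print(tool, state)
```

With the sample input, use_dcc 1 is set but DCC still reports will_run False because its loadplugin line is commented out, which is the case the --lint and -tD steps are meant to surface.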
From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Mar 15 17:21:04 2007 Subject: Mailscanner + spamassassin +Razor + Pyzor + DCC In-Reply-To: References: <45F83008.7010808@fcen.uba.ar> <45F83977.3020502@evi-inc.com> Message-ID: <45F97EEC.30601@evi-inc.com> Scott Silva wrote: > Matt Kettler spake the following on 3/14/2007 11:05 AM: >> Nicolas Canepa wrote: >>> Hi, I am using Mailscanner with spamassassin. For what i've read you can >>> define in Mailscanner.conf to use pyzor, razor and dcc, or tell >>> spamassassin to use razor, pyzor and dcc in the local.cf file. >> Em, no. you can define it in MailScanner.cf, spam.assassin.prefs.conf, or local.cf. >> >> You cannot define it in MailScanner.conf, which is a MailScanner config file. >> Mailscanner.cf on the other hand is a spamassassin config file, and lives in the >> spamassassin site rules directory. > Actually, mailscanner.cf is supposed to be a softlink to > spamassassin.prefs.conf. If you have something else, you are breaking the > reason that this was done. First, *I* am the reason that was done. So please don't tell me I'm breaking the reason it was done. Second, I do acknowledge this is how it is by default later on in my message. IMHO, softlinking spamassassin.prefs.conf to MailScanner.cf is counterproductive. When I told Julian to move privileged settings to a .cf file, I meant for him to *MOVE* them. That said, the softlinking is probably the only usable solution that can be automatically applied to existing installs. But the intent is not to softlink the two, that's a compromise to avoid breaking peoples systems. Now you're all double-parsing the settings for no good reason. Which isn't terribly harmful, but it is pointless. You've also defeated all the benefit of having a spam.assassin.prefs.conf in the first place. 
IMHO this is the way it should be in a perfect world: Mailscanner.cf should contain settings you want to apply SA at all times, regardless of whether it's invoked via MailScanner or directly using a SA tool. bayes_path, dcc/pyzor/razor config, etc. This is important so sa-learn and such work properly. spam.assassin.prefs.conf should contain settings you *only* want to apply to MailScanner's run of SA. Most people don't need this, so the file should be empty, but if for some reason you have a side process that runs SA directly, you'd want to take advantage of it. This way your side-tool can run sa with one required_score, and MailScanner can run it with a different one, should you desire that. However, that separation has to be a manual process. Which is why we soft-link as a "punt". From glenn.steen at gmail.com Thu Mar 15 18:27:49 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 15 17:34:30 2007 Subject: Mailscanner + spamassassin +Razor + Pyzor + DCC In-Reply-To: References: <45F83008.7010808@fcen.uba.ar> <45F83977.3020502@evi-inc.com> Message-ID: <223f97700703151027k2ab9de45h25cf6a1bf2acee97@mail.gmail.com> On 15/03/07, Scott Silva wrote: > Matt Kettler spake the following on 3/14/2007 11:05 AM: > > Nicolas Canepa wrote: > >> Hi, I am using Mailscanner with spamassassin. For what i've read you can > >> define in Mailscanner.conf to use pyzor, razor and dcc, or tell > >> spamassassin to use razor, pyzor and dcc in the local.cf file. > > > > Em, no. you can define it in MailScanner.cf, spam.assassin.prefs.conf, or local.cf. > > > > You cannot define it in MailScanner.conf, which is a MailScanner config file. > > Mailscanner.cf on the other hand is a spamassassin config file, and lives in the > > spamassassin site rules directory. > Actually, mailscanner.cf is supposed to be a softlink to > spamassassin.prefs.conf. If you have something else, you are breaking the > reason that this was done. Scott my friend, if you link from A to B or from B to A is immaterial... You can well have mailscanner.cf be a plain file and link it from spam.assassin.prefs.conf ... The only risk you run is at upgrades and such where things could become ... troubled, to say the least:-). So sure, it might be best to stick with the assumptions of the install.sh script, but there's really nothing functionally hindering you from doing it "backwards"... :) And I wouldn't "tickle" Matt about this (Wouldn't want to bring the Kettler to a boil:-)... He's the sole reason things are as they are today;-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Mar 15 18:38:55 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 15 17:45:36 2007 Subject: Mailscanner + spamassassin +Razor + Pyzor + DCC In-Reply-To: <45F97EEC.30601@evi-inc.com> References: <45F83008.7010808@fcen.uba.ar> <45F83977.3020502@evi-inc.com> <45F97EEC.30601@evi-inc.com> Message-ID: <223f97700703151038q1fc8f6ddy88fd6f25f30135c1@mail.gmail.com> On 15/03/07, Matt Kettler wrote: > Scott Silva wrote: > > Matt Kettler spake the following on 3/14/2007 11:05 AM: > >> Nicolas Canepa wrote: > >>> Hi, I am using Mailscanner with spamassassin. For what i've read you can > >>> define in Mailscanner.conf to use pyzor, razor and dcc, or tell > >>> spamassassin to use razor, pyzor and dcc in the local.cf file. > >> Em, no. you can define it in MailScanner.cf, spam.assassin.prefs.conf, or local.cf. > >> > >> You cannot define it in MailScanner.conf, which is a MailScanner config file. > >> Mailscanner.cf on the other hand is a spamassassin config file, and lives in the > >> spamassassin site rules directory. > > Actually, mailscanner.cf is supposed to be a softlink to > > spamassassin.prefs.conf. If you have something else, you are breaking the > > reason that this was done. > > First, *I* am the reason that was done. So please don't tell me I'm breaking the > reason it was done. > > Second, I do acknowledge this is how it is by default later on in my message. > > IMHO, softlinking spamassassin.prefs.conf to MailScanner.cf is counterproductive. > > When I told Julian to move privileged settings to a .cf file, I meant for him to > *MOVE* them. > > That said, the softlinking is probably the only usable solution that can be > automatically applied to existing installs. But the intent is not to softlink > the two, that's a compromise to avoid breaking peoples systems. > > Now you're all double-parsing the settings for no good reason. Which isn't > terribly harmful, but it is pointless. 
You've also defeated all the benefit of > having a spam.assassin.prefs.conf in the first place. Uh, correct me if I'm wrong, but AFAICR Jules removed the user-prefs setting entirely. So unless you have the link in place you will not get those settings spam.assassin.prefs.conf/mailscanner.cf at all (and this would imply no "double-parsing" happening). One might say that the name spam.assassin.prefs.conf is a real mis-nomer now:-). > IMHO this is the way it should be in a perfect world: > > Mailscanner.cf should contain settings you want to apply SA at all times, > regardless of whether it's invoked via MailScanner or directly using a SA tool. > bayes_path, dcc/pyzor/razor config, etc. This is important so sa-learn and such > work properly. > > spam.assassin.prefs.conf should contain settings you *only* want to apply to > MailScanner's run of SA. Most people don't need this, so the file should be > empty, but if for some reason you have a side process that runs SA directly, > you'd want to take advantage of it. This way your side-tool can run sa with one > required_score, and MailScanner can run it with a different one, should you > desire that. > > However, that separation has to be a manual process. Which is why we soft-link > as a "punt". Far from it would it be, for me to with you argue (yeah, I'm feeling especially Yoda today:-). When Jules gets a bit more mobile it might be a good idea to take up this discussion again. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mkettler at evi-inc.com Thu Mar 15 18:43:12 2007 
From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Mar 15 17:49:56 2007 Subject: Mailscanner + spamassassin +Razor + Pyzor + DCC In-Reply-To: <223f97700703151027k2ab9de45h25cf6a1bf2acee97@mail.gmail.com> References: <45F83008.7010808@fcen.uba.ar> <45F83977.3020502@evi-inc.com> <223f97700703151027k2ab9de45h25cf6a1bf2acee97@mail.gmail.com> Message-ID: <45F985B0.7090504@evi-inc.com> Glenn Steen wrote: > > And I wouldn't "tickle" Matt about this (Wouldn't want to bring the > Kettler to a boil:-)... He's the sole reason things are as they are > today;-). Too late :) Actually, I'm not at a boil, but my reply to Scott's message might be a bit more gruff than it should be.. rough week here. From glenn.steen at gmail.com Thu Mar 15 18:46:58 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 15 17:53:38 2007 Subject: OT: PHB time... In-Reply-To: <45F6EE83.8090501@pixelhammer.com> References: <45F6EE83.8090501@pixelhammer.com> Message-ID: <223f97700703151046l39ef4b8doefb3451bac63b427@mail.gmail.com> On 13/03/07, DAve wrote: > Kevin Miller wrote: > > OK, so my boss who is normally an otherwise reasonable guy, calls me > > into his office and says one of the department heads wants out of office > > turned on for internet mail. He knows that people are tarred and > > feathered for doing that on mail lists, but thinks that the mail lists > > should be filtering those - that with a short case statement they could > > easily do that. I tried to persuade him otherwise, but he's going to > > poll the other directors and see if it's something they want. Of course > > they will, not understanding a broader perspective. Sigh. > > > > It seems like there were other reasons than just list servers that make > > it a bad idea to have out of office messages turned on but I'm not > > really sure what they might be. I suggested that they provide feedback > > to spammers but he was unconvinced. So, although it's somewhat OT, I'm > > asking here because I can't think of a more enlightened group of mail > > admins; what are some good solid reasons beyond people on list servers > > hate them, not to publish an out of office reply over the internet? > > > > Thanks... > > > > ...Kevin > > Lots of good reasons, but I lost that battle. > > One good dictionary attack (if you don't have a really good, properly > functioning, intelligent, AR program) can get you blacklisted. See > "Joe-Job". CC... Since the OoO is very likely to be answering to spam, which in turn will go to either some poor spoofed "sender" or even a spamtrap or two (just for fun...not), this is a very real risk. So the question is... Is the non-sensical need to appear "reachable" worth the risk of non-service for the organisation's mail system? 
Having said that... I have to admit that my organisation opted for this "crucial" feature, over my very strong recommendation to _not_ allow it. Sigh. Some battles are just impossible to win. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From mailscanner at yeticomputers.com Thu Mar 15 18:55:12 2007 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Mar 15 18:01:59 2007 Subject: Message Blocked In-Reply-To: References: <45F90500.8040908@chime.ucl.ac.uk> Message-ID: <45F98880.9030201@yeticomputers.com> Fabio Silva wrote: > Hi all... i again... i checked the file and i can see that is a MS-DOC > executable.... but... how to solve it? because it isnt an executable > file... has any way to solve it?? > > > # file > /var/spool/MailScanner/quarantine/20070313/D71E1215BF1.1B141/msg-29120-102.txt > > /var/spool/MailScanner/quarantine/20070313/D71E1215BF1.1B141/msg-29120-102.txt: > > MS-DOS executable (COM) The file command looks for sequences of characters in certain positions within a file to identify the filetype. Sometimes, a text file will contain the sequence used to identify a particular kind of file in exactly the same position. This is relatively rare, but it happens from time to time. My magic file (which is used to determine which sequences are expected where) lists probably a dozen possible byte sequences for an MS-DOS com file. Your text file probably just matches one of those. It does seem, however, that your text file is not an attachment put on there by the original sender. I've seen files named like that when an Outlook "winmail.dat" file was decoded and reattached by MailScanner. Have you actually looked at the contents of the file? Rick From mkettler at evi-inc.com Thu Mar 15 18:55:13 2007
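[Added example, not part of any message in this thread and not MailScanner or file(1) code.] A miniature signature matcher showing the collision described in the message above: text in a legacy 8-bit Cyrillic encoding whose first byte equals a one-byte executable signature. The signature table and all sample inputs are constructed; the one-byte COM entries are assumptions standing in for whatever the magic file on a given system lists.

```python
# Constructed signature table: (offset, magic bytes, label).
# The one-byte COM entries are assumptions for illustration; inspect the
# magic file on your own system to see what it really contains.
SIGNATURES = [
    (0, b"MZ", "MS-DOS executable (EXE)"),
    (0, b"\x7fELF", "ELF executable"),
    (0, b"PK\x03\x04", "Zip archive"),
    (0, b"\xe9", "MS-DOS executable (COM)"),
    (0, b"\xeb", "MS-DOS executable (COM)"),
    (0, b"\xb8", "MS-DOS executable (COM)"),
    (0, b"\x8c", "MS-DOS executable (COM)"),
]

# Encodings tried when asking "does this also read as plain text?"
TEXT_ENCODINGS = ("utf-8", "koi8_r", "cp1251")

# Constructed samples: the same Russian sentence in two encodings, and a
# blob of control bytes that merely starts with one of the COM bytes.
SENTENCE = "Как у вас дела? Это обычное текстовое письмо.\n"
KOI8_TEXT = SENTENCE.encode("koi8_r")   # first byte is 0xEB
UTF8_TEXT = SENTENCE.encode("utf-8")    # first byte is 0xD0
BINARY_BLOB = bytes([0xE9, 0x34, 0x12]) + bytes(range(32)) * 4


def identify(data):
    """Return (label, signature_length) of the longest match, or (None, 0)."""
    best = (None, 0)
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic and len(magic) > best[1]:
            best = (label, len(magic))
    return best


def text_score(data):
    """Highest fraction of printable characters over the candidate encodings."""
    best = 0.0
    for encoding in TEXT_ENCODINGS:
        try:
            text = data.decode(encoding)
        except UnicodeDecodeError:
            continue
        if not text:
            continue
        readable = sum(ch.isprintable() or ch in "\t\r\n" for ch in text)
        best = max(best, readable / len(text))
    return best


def triage(data, threshold=0.95):
    """Combine the signature verdict with a plain-text second opinion.

    weak_match_on_text is True when the only evidence for "executable" is a
    one-byte signature and the content otherwise decodes as readable text.
    It is a hint for a human looking at the quarantined file, nothing more.
    """
    label, length = identify(data)
    score = text_score(data)
    return {
        "magic": label,
        "signature_bytes": length,
        "text_score": round(score, 3),
        "weak_match_on_text": (
            label is not None and length == 1 and score >= threshold),
    }


if __name__ == "__main__":
    for name, sample in (("koi8-r text", KOI8_TEXT),
                         ("utf-8 text", UTF8_TEXT),
                         ("binary blob", BINARY_BLOB)):
        print(name, triage(sample))
```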
From: mkettler at evi-inc.com (Matt Kettler) Date: Thu Mar 15 18:02:04 2007 Subject: Mailscanner + spamassassin +Razor + Pyzor + DCC In-Reply-To: <223f97700703151038q1fc8f6ddy88fd6f25f30135c1@mail.gmail.com> References: <45F83008.7010808@fcen.uba.ar> <45F83977.3020502@evi-inc.com> <45F97EEC.30601@evi-inc.com> <223f97700703151038q1fc8f6ddy88fd6f25f30135c1@mail.gmail.com> Message-ID: <45F98881.7000307@evi-inc.com> Glenn Steen wrote: > On 15/03/07, Matt Kettler wrote: >> Scott Silva wrote: >> > Matt Kettler spake the following on 3/14/2007 11:05 AM: >> >> Nicolas Canepa wrote: >> >>> Hi, I am using Mailscanner with spamassassin. For what i've read >> you can >> >>> define in Mailscanner.conf to use pyzor, razor and dcc, or tell >> >>> spamassassin to use razor, pyzor and dcc in the local.cf file. >> >> Em, no. you can define it in MailScanner.cf, >> spam.assassin.prefs.conf, or local.cf. >> >> >> >> You cannot define it in MailScanner.conf, which is a MailScanner >> config file. >> >> Mailscanner.cf on the other hand is a spamassassin config file, and >> lives in the >> >> spamassassin site rules directory. >> > Actually, mailscanner.cf is supposed to be a softlink to >> > spamassassin.prefs.conf. If you have something else, you are >> breaking the >> > reason that this was done. >> >> First, *I* am the reason that was done. So please don't tell me I'm >> breaking the >> reason it was done. >> >> Second, I do acknowledge this is how it is by default later on in my >> message. >> >> IMHO, softlinking spamassassin.prefs.conf to MailScanner.cf is >> counterproductive. >> >> When I told Julian to move privileged settings to a .cf file, I meant >> for him to >> *MOVE* them. >> >> That said, the softlinking is probably the only usable solution that >> can be >> automatically applied to existing installs. But the intent is not to >> softlink >> the two, that's a compromise to avoid breaking peoples systems. >> >> Now you're all double-parsing the settings for no good reason. 
Which >> isn't >> terribly harmful, but it is pointless. You've also defeated all the >> benefit of >> having a spam.assassin.prefs.conf in the first place. > > Uh, correct me if I'm wrong, but AFAICR Jules removed the user-prefs > setting entirely. So unless you have the link in place you will not > get those settings spam.assassin.prefs.conf/mailscanner.cf at all (and > this would imply no "double-parsing" happening). One might say that > the name spam.assassin.prefs.conf is a real mis-nomer now:-). Actually, you appear to be right. I guess he just linked it to support folks who are used to editing spam.assassin.prefs.conf. From glenn.steen at gmail.com Thu Mar 15 19:08:23 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 15 18:15:02 2007 Subject: Mailscanner + spamassassin +Razor + Pyzor + DCC In-Reply-To: <45F98881.7000307@evi-inc.com> References: <45F83008.7010808@fcen.uba.ar> <45F83977.3020502@evi-inc.com> <45F97EEC.30601@evi-inc.com> <223f97700703151038q1fc8f6ddy88fd6f25f30135c1@mail.gmail.com> <45F98881.7000307@evi-inc.com> Message-ID: <223f97700703151108t2c69b629j95764d1a6917d48d@mail.gmail.com> On 15/03/07, Matt Kettler wrote: > Glenn Steen wrote: > > On 15/03/07, Matt Kettler wrote: > >> Scott Silva wrote: > >> > Matt Kettler spake the following on 3/14/2007 11:05 AM: > >> >> Nicolas Canepa wrote: > >> >>> Hi, I am using Mailscanner with spamassassin. For what i've read > >> you can > >> >>> define in Mailscanner.conf to use pyzor, razor and dcc, or tell > >> >>> spamassassin to use razor, pyzor and dcc in the local.cf file. > >> >> Em, no. you can define it in MailScanner.cf, > >> spam.assassin.prefs.conf, or local.cf. > >> >> > >> >> You cannot define it in MailScanner.conf, which is a MailScanner > >> config file. > >> >> Mailscanner.cf on the other hand is a spamassassin config file, and > >> lives in the > >> >> spamassassin site rules directory. > >> > Actually, mailscanner.cf is supposed to be a softlink to > >> > spamassassin.prefs.conf. If you have something else, you are > >> breaking the > >> > reason that this was done. > >> > >> First, *I* am the reason that was done. So please don't tell me I'm > >> breaking the > >> reason it was done. > >> > >> Second, I do acknowledge this is how it is by default later on in my > >> message. > >> > >> IMHO, softlinking spamassassin.prefs.conf to MailScanner.cf is > >> counterproductive. > >> > >> When I told Julian to move privileged settings to a .cf file, I meant > >> for him to > >> *MOVE* them. > >> > >> That said, the softlinking is probably the only usable solution that > >> can be > >> automatically applied to existing installs. 
But the intent is not to > >> softlink > >> the two, that's a compromise to avoid breaking peoples systems. > >> > >> Now you're all double-parsing the settings for no good reason. Which > >> isn't > >> terribly harmful, but it is pointless. You've also defeated all the > >> benefit of > >> having a spam.assassin.prefs.conf in the first place. > > > > Uh, correct me if I'm wrong, but AFAICR Jules removed the user-prefs > > setting entirely. So unless you have the link in place you will not > > get those settings spam.assassin.prefs.conf/mailscanner.cf at all (and > > this would imply no "double-parsing" happening). One might say that > > the name spam.assassin.prefs.conf is a real mis-nomer now:-). > > Actually, you appear to be right. Don't sound so surprised, it actually happens from time to time:-D. > I guess he just linked it to support folks who are used to editing > spam.assassin.prefs.conf. IIRC from the Changelog (that I'm way too lazy to go look at:), that is exactly it. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From r.curtis at ywcaelpaso.org Thu Mar 15 19:23:24 2007 
From: r.curtis at ywcaelpaso.org (Curtis, Roger) Date: Thu Mar 15 18:30:50 2007 Subject: OT: PHB time... In-Reply-To: <223f97700703151046l39ef4b8doefb3451bac63b427@mail.gmail.com> References: <45F6EE83.8090501@pixelhammer.com> <223f97700703151046l39ef4b8doefb3451bac63b427@mail.gmail.com> Message-ID: > On 13/03/07, DAve wrote: > > Kevin Miller wrote: > > > OK, so my boss who is normally an otherwise reasonable guy, calls me > > > into his office and says one of the department heads wants out of > office > > > turned on for internet mail. He knows that people are tarred and > > > feathered for doing that on mail lists, but thinks that the mail lists > > > should be filtering those - that with a short case statement they > could > > > easily do that. I tried to persuade him otherwise, but he's going to > > > poll the other directors and see if it's something they want. Of > course > > > they will, not understanding a broader perspective. Sigh. > > > > > > It seems like there were other reasons than just list servers that > make > > > it a bad idea to have out of office messages turned on but I'm not > > > really sure what they might be. I suggested that they provide > feedback > > > to spammers but he was unconvinced. So, although it's somewhat OT, > I'm > > > asking here because I can't think of a more enlightened group of mail > > > admins; what are some good solid reasons beyond people on list servers > > > hate them, not to publish an out of office reply over the internet? > > > > > > Thanks... > > > > > > ...Kevin > > > > Lots of good reasons, but I lost that battle. > > > > One good dictionary attack (if you don't have a really good, properly > > functioning, intelligent, AR program) can get you blacklisted. See > > "Joe-Job". > CC... Since the OoO is very likely to be answering to spam, which in > turn will go to either some poor spoofed "sender" or even a spamtrap > or too (just for fun...not), this is a very real risk. > So the question is... 
Is the non-sensical need to appear "reachable" > worth the risk of non-service for the organisation's mail system. > > Having said that... I have to admit that my organisation opted for > this "crucial" feature, over my very strong recommendation to _not_ > allow it. Sigh. Some battles are just impossible to win. > > Cheers > -- > -- Glenn Can anybody point me to the setting for OoO in Outlook 2003 that will keep from sending the message to a mailing list? I can't seem to find anything on it and cannot find the setting/combination of settings myself. I was out for two weeks for the birth of a baby and just didn't set the OoO for fear of being tarred-and-feathered! Thanks, Roger From Kevin_Miller at ci.juneau.ak.us Thu Mar 15 19:30:46 2007 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Mar 15 18:37:20 2007 Subject: OT: PHB time... In-Reply-To: References: <45F6EE83.8090501@pixelhammer.com><223f97700703151046l39ef4b8doefb3451bac63b427@mail.gmail.com> Message-ID: Curtis, Roger wrote: > > Can anybody point me to the setting for OoO in Outlook 2003 that will > keep from sending the message to a mailing list? I can't seem to find > anything on it and cannot find the setting/combination of settings > myself. I was out for two weeks for the birth of a baby and just > didn't set the OoO for fear of being tarred-and-feathered! > > Thanks, > Roger It's a setting on the Exchange side. It disables all OoO messages to external addresses. Don't remember off the top of my head where it is, but if you have access to your Exchange server I'll dig it up for you when I get a chance... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From glenn.steen at gmail.com Thu Mar 15 19:35:46 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 15 18:42:29 2007 Subject: How to convert a queue file to eml ou mbox? In-Reply-To: <001101c76647$2b4a28a0$1803010a@10205> References: <001101c76647$2b4a28a0$1803010a@10205> Message-ID: <223f97700703151135w799d41c8j92c53d33f5eead51@mail.gmail.com> On 14/03/07, Webmaster Boucinhas & Campos wrote: > > > > hello, > > I enable the option "Archive > Mail=/var/spool/MailScanner/archive" in > /etc/MailScanner/MailScanner.conf. > > How I convert the archived file to other format like mbox or eml? > Read the very informative comment just above the setting you enabled. You find it here as well: http://www.mailscanner.info/MailScanner.conf.index.html#Archive%20Mail Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ka at pacific.net Thu Mar 15 19:40:08 2007 
From: ka at pacific.net (Ken A) Date: Thu Mar 15 18:46:43 2007 Subject: OT: PHB time... In-Reply-To: References: <45F6EE83.8090501@pixelhammer.com><223f97700703151046l39ef4b8doefb3451bac63b427@mail.gmail.com> Message-ID: <45F99308.7070601@pacific.net> Kevin Miller wrote: > Curtis, Roger wrote: >> Can anybody point me to the setting for OoO in Outlook 2003 that will >> keep from sending the message to a mailing list? I can't seem to find >> anything on it and cannot find the setting/combination of settings >> myself. I was out for two weeks for the birth of a baby and just >> didn't set the OoO for fear of being tarred-and-feathered! >> >> Thanks, >> Roger > > It's a setting on the Exchange side. It disables all OoO messages to > external addresses. Don't remember off the top of my head where it is, > but if you have access to your Exchange server I'll dig it up for you > when I get a chance... > That's pretty lame. Why doesn't Exchange have a setting to look for common list headers; Precedence, List- X-Mailman, etc... At least Exchange could 'try' to avoid trouble without blocking all responses to external addresses. :-( My guess is that most people who use OoO would want the response to go to external addresses, so they don't even use this knob. :-( Ken A. Pacific.Net > ...Kevin From glenn.steen at gmail.com Thu Mar 15 19:40:12 2007 
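The header checks Ken A asks for above (Precedence, List-, X-Mailman), as an added example that is not part of the original thread or of any product discussed in it. It goes further than the message and also applies the RFC 3834 checks that keep an out-of-office responder from answering bounces, other auto-replies and mail not addressed to the user; the function and class names, the `X-Spam-Flag` check (assumes an upstream filter that adds that header) and the sample messages are all constructed assumptions.

```python
import email
from email.utils import getaddresses, parseaddr

BULK_PRECEDENCE = {"bulk", "list", "junk"}
ROLE_LOCALPARTS = {"mailer-daemon", "listserv", "majordomo"}


def suppress_reason(raw_message, my_addresses):
    """Return why an auto-reply must NOT be sent, or None if one is acceptable."""
    msg = email.message_from_string(raw_message)
    mine = {a.lower() for a in my_addresses}

    # RFC 3834: never answer anything that is itself automatic.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return "auto-submitted"
    # The headers named in the thread: Precedence, List-*, X-Mailman*.
    if (msg.get("Precedence") or "").strip().lower() in BULK_PRECEDENCE:
        return "precedence"
    if any(h.lower().startswith(("list-", "x-mailman")) for h in msg.keys()):
        return "list-header"

    # A null return path marks a bounce; replying to it creates a mail loop.
    return_path = msg.get("Return-Path")
    if return_path is not None and parseaddr(return_path)[1] == "":
        return "null-return-path"
    sender = parseaddr(return_path or msg.get("From") or "")[1].lower()
    local = sender.split("@")[0]
    if (not sender or local in ROLE_LOCALPARTS or local.startswith("owner-")
            or local.endswith(("-request", "-bounces", "-owner"))):
        return "role-sender"

    # Assumption: the spam filter in front of the mailbox sets X-Spam-Flag.
    if (msg.get("X-Spam-Flag") or "").strip().upper() == "YES":
        return "spam-flagged"

    # Mail that does not name the user in To/Cc is list, Bcc or spam traffic;
    # answering it is how forged senders end up receiving backscatter.
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if not any(addr.lower() in mine for _, addr in rcpts):
        return "not-addressed-to-me"
    return None


class ReplyLimiter:
    """At most one auto-reply per sender per interval (default: 7 days)."""

    def __init__(self, interval_seconds=7 * 24 * 3600):
        self.interval = interval_seconds
        self.last = {}

    def allow(self, sender, now):
        key = sender.lower()
        prev = self.last.get(key)
        if prev is not None and now - prev < self.interval:
            return False
        self.last[key] = now
        return True


# Constructed sample messages (not taken from the thread).
ME = ["roger@example.com"]
LIST_POST = """\
Return-Path: <list-bounces@lists.example.org>
From: Some Poster <poster@example.net>
To: list@lists.example.org
Precedence: list
List-Id: <list.lists.example.org>
Subject: Re: Image spam

body
"""
NEWSLETTER = """\
From: news@shop.example
To: roger@example.com
List-Unsubscribe: <mailto:unsub@shop.example>
Subject: Offers

body
"""
BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.net
To: roger@example.com
Subject: Undelivered mail

body
"""
AUTO_REPLY = """\
From: bob@example.net
To: roger@example.com
Auto-Submitted: auto-replied
Subject: Out of office

body
"""
MISADDRESSED = """\
Return-Path: <victim@example.org>
From: victim@example.org
To: someone-else@example.com
Subject: Cheap pills

body
"""
PERSONAL = """\
Return-Path: <alice@example.net>
From: Alice <alice@example.net>
To: Roger <roger@example.com>
Subject: Lunch?

body
"""

if __name__ == "__main__":
    for name in ("LIST_POST", "NEWSLETTER", "BOUNCE", "AUTO_REPLY",
                 "MISADDRESSED", "PERSONAL"):
        print(name, "->", suppress_reason(globals()[name], ME))
```
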
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 15 18:46:52 2007 Subject: MailScanner and Licensing In-Reply-To: <25a66d840703140916j6c95a1b7ge1f7d305b9b5de16@mail.gmail.com> References: <25a66d840703140916j6c95a1b7ge1f7d305b9b5de16@mail.gmail.com> Message-ID: <223f97700703151140p7e94cac4nf56351b300a2ce0d@mail.gmail.com> On 14/03/07, am.lists wrote: > I am a value-added hosting provider. That is, I host domains, develop > websites, and manage mail for my clients. > > I've recently come to know the love of MailScanner (with its usual > set of accessories), and have begun migrating away from the commercial > products we had been using. > > My question is now what, if anything, am I obligated to do, change, > disclose, etc. to stay in line with the spirit and intent of using the > software in this way? > > Angelo Give something nice to Jules (thing, money...:-), buy the book from the official cafepress shop, then start considering the other pieces of the MailScanner puzzle ... SA, DCC, Razor, Pyzor, ClamAV .... and chip in what you think is right for each:-). Depending on your operation you might have to look at individual packages as to licensing as well... At least for the digest checks. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From edwardbruce at sbcglobal.net Thu Mar 15 19:40:33 2007 
From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Thu Mar 15 18:47:04 2007 Subject: OT: PHB time... In-Reply-To: References: <45F6EE83.8090501@pixelhammer.com> <223f97700703151046l39ef4b8doefb3451bac63b427@mail.gmail.com> Message-ID: <45F99321.2000909@sbcglobal.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Curtis, Roger wrote: >> On 13/03/07, DAve wrote: >>> Kevin Miller wrote: >>>> OK, so my boss who is normally an otherwise reasonable guy, calls > me >>>> into his office and says one of the department heads wants out of >> office >>>> turned on for internet mail. He knows that people are tarred and >>>> feathered for doing that on mail lists, but thinks that the mail > lists >>>> should be filtering those - that with a short case statement they >> could >>>> easily do that. I tried to persuade him otherwise, but he's going > to >>>> poll the other directors and see if it's something they want. Of >> course >>>> they will, not understanding a broader perspective. Sigh. >>>> >>>> It seems like there were other reasons than just list servers that >> make >>>> it a bad idea to have out of office messages turned on but I'm not >>>> really sure what they might be. I suggested that they provide >> feedback >>>> to spammers but he was unconvinced. So, although it's somewhat > OT, >> I'm >>>> asking here because I can't think of a more enlightened group of > mail >>>> admins; what are some good solid reasons beyond people on list > servers >>>> hate them, not to publish an out of office reply over the > internet? >>>> Thanks... >>>> >>>> ...Kevin >>> Lots of good reasons, but I lost that battle. >>> >>> One good dictionary attack (if you don't have a really good, > properly >>> functioning, intelligent, AR program) can get you blacklisted. See >>> "Joe-Job". >> CC... Since the OoO is very likely to be answering to spam, which in >> turn will go to either some poor spoofed "sender" or even a spamtrap >> or too (just for fun...not), this is a very real risk. 
>> So the question is... Is the non-sensical need to appear "reachable" >> is worth the risk of non-service for the organisations mail system. >> >> Having said that... I have to admit that my organisation opted for >> this "crucial" feature, over my very strong recomendation to _not_ >> allow it. Sigh. Some battles are just impossible to win. >> >> Cheers >> -- >> -- Glenn > > Can anybody point me to the setting for OoO in Outlook 2003 that will > keep from sending the message to a mailing list? I can't seem to find > anything on it and cannot find the setting/combination of settings > myself. I was out for two weeks for the birth of a baby and just didn't > set the OoO for fear of being tarred-and-feathered! > > Thanks, > Roger I know it used to be available in earlier versions of Outlook. But I too can't find the option in 2003??? It would be nice to at least not respond to bulk and list emails. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Cygwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFF+ZMhpdNaP9x3McgRAqf6AJ9LUWdAMYSyyjke+wuzrV7B27FHAgCcDVbu VVRzdO/8US7kmvaIGzXMTQY= =wSQl -----END PGP SIGNATURE----- From KGoods at AIAInsurance.com Thu Mar 15 20:41:41 2007 
From: KGoods at AIAInsurance.com (Ken Goods) Date: Thu Mar 15 18:49:02 2007 Subject: OT: PHB time... Message-ID: <13C0059880FDD3118DC600508B6D4A6D01C29264@aiainsurance.com> Kevin Miller wrote: > Curtis, Roger wrote: >> >> Can anybody point me to the setting for OoO in Outlook 2003 that will >> keep from sending the message to a mailing list? I can't seem to >> find anything on it and cannot find the setting/combination of >> settings myself. I was out for two weeks for the birth of a baby >> and just didn't set the OoO for fear of being tarred-and-feathered! >> >> Thanks, >> Roger > > It's a setting on the Exchange side. It disables all OoO messages to > external addresses. Don't remember off the top of my head where it > is, but if you have access to your Exchange server I'll dig it up for > you when I get a chance... > In Exchange 5.5 it's in the properties for the Internet Mail Service -> Internet Mail (tab)-> Advanced options (button)-> Disable Out Of Office responses to the internet (check box). Sorry I can't help you with newer versions but it should be similar. HTH Kind regards, Ken Ken Goods Network Administrator CropUSA Insurance, Inc. From glenn.steen at gmail.com Thu Mar 15 19:43:43 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 15 18:50:22 2007 Subject: Additional recipients within same lose mail when quarantined/released... In-Reply-To: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com> References: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com> Message-ID: <223f97700703151143l6fed5889mc44c40c2ff2a8eb5@mail.gmail.com> On 15/03/07, am.lists wrote: > Sorry for the ramble of a subject line, but what I'm seeing is > essentially lost mail to additional recipients. > > Scenario: (Config: Postfix, Mailscanner, Mailwatch.) > > Bob sends John and Mary an email. It gets tagged as spam. Both are at > somedomain.net. As John's listed as the first to address in the > envelope, he gets the message in his quarantine. He releases it. Mary > knows nothing of the email. No quarantine file for her (in MailWatch), > and when John releases it, it only goes to John. > > Variation: > > Bob sends to Tom and John. John is at somedomain.net but Tom is at > anotherdomain.us. Both are handled by my mailscanner. Same exact > behavior as above. > > I've been googling this and the solutions I've found have been really > ancient (2003 vintage), and as such, several versions of released code > old. > > I'm wondering if there's some new way of fixing this issue? I don't > particularly want to rig up a second instance of postfix on some odd > port just to fix this... unless I have to. 8-( > > Angelo Not yet, there isn't... Unless you patch MailWatch to handle this (ISTR there being some patches for this floating around). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From am.lists at gmail.com Thu Mar 15 19:47:45 2007 
From: am.lists at gmail.com (am.lists) Date: Thu Mar 15 18:54:24 2007 Subject: Additional recipients within same lose mail when quarantined/released... In-Reply-To: <223f97700703151143l6fed5889mc44c40c2ff2a8eb5@mail.gmail.com> References: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com> <223f97700703151143l6fed5889mc44c40c2ff2a8eb5@mail.gmail.com> Message-ID: <25a66d840703151147w21c5c98ale50cb616852f0a19@mail.gmail.com> On 3/15/07, Glenn Steen wrote: > On 15/03/07, am.lists wrote: > > Sorry for the ramble of a subject line, but what I'm seeing is > > essentially lost mail to additional recipients. > > > > Scenario: (Config: Postfix, Mailscanner, Mailwatch.) > > > > Bob sends John and Mary an email. It gets tagged as spam. Both are at > > somedomain.net. As John's listed as the first to address in the > > envelope, he gets the message in his quarantine. He releases it. Mary > > knows nothing of the email. No quarantine file for her (in MailWatch), > > and when John releases it, it only goes to John. > > > > Variation: > > > > Bob sends to Tom and John. John is at somedomain.net but Tom is at > > anotherdomain.us. Both are handled by my mailscanner. Same exact > > behavior as above. > > > > I've been googling this and the solutions I've found have been really > > ancient (2003 vintage), and as such, several versions of released code > > old. > > > > I'm wondering if there's some new way of fixing this issue? I don't > > particularly want to rig up a second instance of postfix on some odd > > port just to fix this... unless I have to. 8-( > > > > Angelo > Not yet, there isn't... Unless you patch MailWatch to handle this > (ISTR there being some patches for this floating around). Well, I've made a right mess of my kit by trying Joost's referred article. There's at least one or two material typos in it, and it's a dickens to troubleshoot. I'm meddling a bit more with it before reverting back. Angelo From glenn.steen at gmail.com Thu Mar 15 19:56:22 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 15 19:03:02 2007 Subject: Additional recipients within same lose mail when quarantined/released... In-Reply-To: <25a66d840703151147w21c5c98ale50cb616852f0a19@mail.gmail.com> References: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com> <223f97700703151143l6fed5889mc44c40c2ff2a8eb5@mail.gmail.com> <25a66d840703151147w21c5c98ale50cb616852f0a19@mail.gmail.com> Message-ID: <223f97700703151156o348ad305ub1246132c1026e4e@mail.gmail.com> On 15/03/07, am.lists wrote: > On 3/15/07, Glenn Steen wrote: > > On 15/03/07, am.lists wrote: > > > Sorry for the ramble of a subject line, but what I'm seeing is > > > essentially lost mail to additional recipients. > > > > > > Scenario: (Config: Postfix, Mailscanner, Mailwatch.) > > > > > > Bob sends John and Mary an email. It gets tagged as spam. Both are at > > > somedomain.net. As John's listed as the first to address in the > > > envelope, he gets the message in his quarantine. He releases it. Mary > > > knows nothing of the email. No quarantine file for her (in MailWatch), > > > and when John releases it, it only goes to John. > > > > > > Variation: > > > > > > Bob sends to Tom and John. John is at somedomain.net but Tom is at > > > anotherdomain.us. Both are handled by my mailscanner. Same exact > > > behavior as above. > > > > > > I've been googling this and the solutions I've found have been really > > > ancient (2003 vintage), and as such, several versions of released code > > > old. > > > > > > I'm wondering if there's some new way of fixing this issue? I don't > > > particularly want to rig up a second instance of postfix on some odd > > > port just to fix this... unless I have to. 8-( > > > > > > Angelo > > Not yet, there isn't... Unless you patch MailWatch to handle this > > (ISTR there being some patches for this floating around). > > > Well, I've made a right mess of my kit by trying Joost's referred > article. 
There's at least one or two material typos in it, and it's a > dickens to troubleshoot. I'm meddling a bit more with it before > reverting back. > > Angelo Being the author of that article, I'd like to be alerted to what typos you find... Might help the next guy/gal:-). And I can agree that it certainly isn't my most well-structured work:-). Next time I trundle through that mess, I'll try make it less obscure... For now... What is the current stumbling block? -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Mar 15 20:02:28 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 15 19:09:08 2007 Subject: Additional recipients within same lose mail when quarantined/released... In-Reply-To: <223f97700703151156o348ad305ub1246132c1026e4e@mail.gmail.com> References: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com> <223f97700703151143l6fed5889mc44c40c2ff2a8eb5@mail.gmail.com> <25a66d840703151147w21c5c98ale50cb616852f0a19@mail.gmail.com> <223f97700703151156o348ad305ub1246132c1026e4e@mail.gmail.com> Message-ID: <223f97700703151202j794342ffve742c77464121ad9@mail.gmail.com> On 15/03/07, Glenn Steen wrote: > On 15/03/07, am.lists wrote: > > On 3/15/07, Glenn Steen wrote: > > > On 15/03/07, am.lists wrote: > > > > Sorry for the ramble of a subject line, but what I'm seeing is > > > > essentially lost mail to additional recipients. > > > > > > > > Scenario: (Config: Postfix, Mailscanner, Mailwatch.) > > > > > > > > Bob sends John and Mary an email. It gets tagged as spam. Both are at > > > > somedomain.net. As John's listed as the first to address in the > > > > envelope, he gets the message in his quarantine. He releases it. Mary > > > > knows nothing of the email. No quarantine file for her (in MailWatch), > > > > and when John releases it, it only goes to John. > > > > > > > > Variation: > > > > > > > > Bob sends to Tom and John. John is at somedomain.net but Tom is at > > > > anotherdomain.us. Both are handled by my mailscanner. Same exact > > > > behavior as above. > > > > > > > > I've been googling this and the solutions I've found have been really > > > > ancient (2003 vintage), and as such, several versions of released code > > > > old. > > > > > > > > I'm wondering if there's some new way of fixing this issue? I don't > > > > particularly want to rig up a second instance of postfix on some odd > > > > port just to fix this... unless I have to. 8-( > > > > > > > > Angelo > > > Not yet, there isn't... 
Unless you patch MailWatch to handle this > > > (ISTR there being some patches for this floating around). > > > > > > Well, I've made a right mess of my kit by trying Joost's referred > > article. There's at least one or two material typos in it, and it's a > > dickens to troubleshoot. I'm meddling a bit more with it before > > reverting back. > > > > Angelo > Being the author of that article, I'd like to be alerted to what typos > you find... Might help the next guy/gal:-). Right, found one I thought I'd fixed (postfix.in/transport and postfix/transport.in mixup). Fixed that one good this time. Please reload your pages:-). Was there anything else (apart from a nonsensical "compare this OR this" example near the end:)? -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From edwardbruce at sbcglobal.net Thu Mar 15 20:15:14 2007 
From: edwardbruce at sbcglobal.net (Ed Bruce) Date: Thu Mar 15 19:21:39 2007 Subject: OT: PHB time... In-Reply-To: <13C0059880FDD3118DC600508B6D4A6D01C29264@aiainsurance.com> References: <13C0059880FDD3118DC600508B6D4A6D01C29264@aiainsurance.com> Message-ID: <45F99B42.5010404@sbcglobal.net> Ken Goods wrote: > Kevin Miller wrote: >> Curtis, Roger wrote: >>> Can anybody point me to the setting for OoO in Outlook 2003 that will >>> keep from sending the message to a mailing list? I can't seem to >>> find anything on it and cannot find the setting/combination of >>> settings myself. I was out for two weeks for the birth of a baby >>> and just didn't set the OoO for fear of being tarred-and-feathered! >>> >>> Thanks, >>> Roger >> It's a setting on the Exchange side. It disables all OoO messages to >> external addresses. Don't remember off the top of my head where it >> is, but if you have access to your Exchange server I'll dig it up for >> you when I get a chance... >> > > In Exchange 5.5 it's in the properties for the Internet Mail Service -> > Internet Mail (tab)-> Advanced options (button)-> Disable Out Of Office > responses to the internet (check box). Sorry I can't help you with newer > versions but it should be similar. Well that's a no go option. The only reason our company uses OoO is for external emails. And I could swear there used to be an option in Outlook, but it could be it was an option added by Oracle when we used their Collaboration Suite instead of Exchange... From Kevin_Miller at ci.juneau.ak.us Thu Mar 15 20:21:41 2007 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Mar 15 19:28:11 2007 Subject: OT: PHB time... In-Reply-To: <45F99321.2000909@sbcglobal.net> References: <45F6EE83.8090501@pixelhammer.com> <223f97700703151046l39ef4b8doefb3451bac63b427@mail.gmail.com> <45F99321.2000909@sbcglobal.net> Message-ID: Ed Bruce wrote: > I know it used to be available in earlier versions of Outlook. But I > too can't find the option in 2003??? It would be nice to at least not > respond to bulk and list emails. If you go into Tools, Out of Office Assistant, there's an Add Rule button. There you can specify who not to reply to. But depending on how the list is set up that may or may not work. Plus you need to add all your lists. May as well just go to each list server and disable messages for a time. Or not use OoO which will be my solution if it's imposed on me... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From am.lists at gmail.com Thu Mar 15 20:33:01 2007 
From: am.lists at gmail.com (am.lists) Date: Thu Mar 15 19:39:42 2007 Subject: Additional recipients within same lose mail when quarantined/released... In-Reply-To: <223f97700703151202j794342ffve742c77464121ad9@mail.gmail.com> References: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com> <223f97700703151143l6fed5889mc44c40c2ff2a8eb5@mail.gmail.com> <25a66d840703151147w21c5c98ale50cb616852f0a19@mail.gmail.com> <223f97700703151156o348ad305ub1246132c1026e4e@mail.gmail.com> <223f97700703151202j794342ffve742c77464121ad9@mail.gmail.com> Message-ID: <25a66d840703151233t74ac700fo4f449f47002a0b5c@mail.gmail.com> On 3/15/07, Glenn Steen wrote: > On 15/03/07, Glenn Steen wrote: > > On 15/03/07, am.lists wrote: > > > On 3/15/07, Glenn Steen wrote: > > > > On 15/03/07, am.lists wrote: > > > > > Sorry for the ramble of a subject line, but what I'm seeing is > > > > > essentially lost mail to additional recipients. > > > > > > > > > > Scenario: (Config: Postfix, Mailscanner, Mailwatch.) > > > > > > > > > > Bob sends John and Mary an email. It gets tagged as spam. Both are at > > > > > somedomain.net. As John's listed as the first to address in the > > > > > envelope, he gets the message in his quarantine. He releases it. Mary > > > > > knows nothing of the email. No quarantine file for her (in MailWatch), > > > > > and when John releases it, it only goes to John. > > > > > > > > > > Variation: > > > > > > > > > > Bob sends to Tom and John. John is at somedomain.net but Tom is at > > > > > anotherdomain.us. Both are handled by my mailscanner. Same exact > > > > > behavior as above. > > > > > > > > > > I've been googling this and the solutions I've found have been really > > > > > ancient (2003 vintage), and as such, several versions of released code > > > > > old. > > > > > > > > > > I'm wondering if there's some new way of fixing this issue? I don't > > > > > particularly want to rig up a second instance of postfix on some odd > > > > > port just to fix this... 
unless I have to. 8-( > > > > > > > > > > Angelo > > > > Not yet, there isn't... Unless you patch MailWatch to handle this > > > > (ISTR there being some patches for this floating around). > > > > > > > > > Well, I've made a right mess of my kit by trying Joost's referred > > > article. There's at least one or two material typos in it, and it's a > > > dickens to troubleshoot. I'm meddling a bit more with it before > > > reverting back. > > > > > > Angelo > > Being the author of that article, I'd like to be alerted to what typos > > you find... Might help the next guy/gal:-). > > Right, found one I thought I'd fixed (postfix.in/transport and > postfix/transport.in mixup). Fixed that one good this time. Please > reload your pages:-). > > Was there anything else (apart from a nonsensical "compare this OR > this" example near the end:)? > Well, for one, the /etc/postfix/transport.in => /etc/postfix.in/transport was one problem. Also, let's consider why I'm after this article: the original post: about releasing properly to multiple recipients from within MailWatch. It was confusing to me that if I went out and grabbed mini_sendmail that I wouldn't need the postfix instance on port 10027. But it seems that the mini_sendmail is just a remailer, telling it to connect to localhost:10027... which implies that the 10027 instance /does/ need to be there. And... I'm not sure if it was needed or not, but I created /etc/init.d/postfix.in - copied from /etc/init.d/postfix, adding -c /etc/postfix.in as the config files to use. It wasn't clear if this was needed or not. I run as a gateway, and as such, rely on whitelisting 127.0.0.1 for releasing. The doc says to remove whitelisting of 127.0.0.1. But then what? I understand that it needs to be removed to pass the mail from one spool to the other, but how do I then resend it back out without the double (or looping) scanning? As of now, I've executed a rollback. But I'm missing something I think. 
If you have any ideas on what I've not done correctly, I'd love to hear. Backout: Restored /etc/postfix-bak to /etc/postfix (I copied it to -bak before I started mucking) Restored /var/www/html/mailscanner-bak to /var/www/html/mailscanner Removed /etc/init.d/postfix.in To be sure, I init-6'ed. Now, after the reboot, no mail is coming through, everything appears to be going into the /var/spool/postfix.in/hold directory. (I know this based on the reboot being at 15:09 and files in /var/spool/postfix.in/hold having a 15:18 timestamp. Any idea what I've missed??? Thanks, Angelo From r.curtis at ywcaelpaso.org Thu Mar 15 20:33:30 2007 
From: r.curtis at ywcaelpaso.org (Curtis, Roger) Date: Thu Mar 15 19:40:32 2007 Subject: OT: PHB time... In-Reply-To: <45F99B42.5010404@sbcglobal.net> References: <13C0059880FDD3118DC600508B6D4A6D01C29264@aiainsurance.com> <45F99B42.5010404@sbcglobal.net> Message-ID: > Ken Goods wrote: > > Kevin Miller wrote: > >> Curtis, Roger wrote: > >>> Can anybody point me to the setting for OoO in Outlook 2003 that will > >>> keep from sending the message to a mailing list? I can't seem to > >>> find anything on it and cannot find the setting/combination of > >>> settings myself. I was out for two weeks for the birth of a baby > >>> and just didn't set the OoO for fear of being tarred-and-feathered! > >>> > >>> Thanks, > >>> Roger > >> It's a setting on the Exchange side. It disables all OoO messages to > >> external addresses. Don't remember off the top of my head where it > >> is, but if you have access to your Exchange server I'll dig it up for > >> you when I get a chance... > >> > > > > In Exchange 5.5 it's in the properties for the Internet Mail Service -> > > Internet Mail (tab)-> Advanced options (button)-> Disable Out Of Office > > responses to the internet (check box). Sorry I can't help you with newer > > versions but it should be similar. > > Well that's a no go option. The only reason our company uses OoO is for > external emails. And I could swear there used to be an option in > Outlook, but it could be it was an option added by Oracle when we used > their Collaboration Suite instead of Exchange... Per Microsoft, Exchange 2003 defaults to not sending OoO to the Internet: http://support.microsoft.com/kb/821899 I guess I would have been safe to turn it on while I was out then! From glenn.steen at gmail.com Thu Mar 15 20:50:36 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 15 19:57:16 2007 Subject: Additional recipients within same lose mail when quarantined/released... In-Reply-To: <25a66d840703151233t74ac700fo4f449f47002a0b5c@mail.gmail.com> References: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com> <223f97700703151143l6fed5889mc44c40c2ff2a8eb5@mail.gmail.com> <25a66d840703151147w21c5c98ale50cb616852f0a19@mail.gmail.com> <223f97700703151156o348ad305ub1246132c1026e4e@mail.gmail.com> <223f97700703151202j794342ffve742c77464121ad9@mail.gmail.com> <25a66d840703151233t74ac700fo4f449f47002a0b5c@mail.gmail.com> Message-ID: <223f97700703151250y55a2538tab660aa2fd8cf6c2@mail.gmail.com> On 15/03/07, am.lists wrote: > On 3/15/07, Glenn Steen wrote: > > On 15/03/07, Glenn Steen wrote: > > > On 15/03/07, am.lists wrote: > > > > On 3/15/07, Glenn Steen wrote: > > > > > On 15/03/07, am.lists wrote: > > > > > > Sorry for the ramble of a subject line, but what I'm seeing is > > > > > > essentially lost mail to additional recipients. > > > > > > > > > > > > Scenario: (Config: Postfix, Mailscanner, Mailwatch.) > > > > > > > > > > > > Bob sends John and Mary an email. It gets tagged as spam. Both are at > > > > > > somedomain.net. As John's listed as the first to address in the > > > > > > envelope, he gets the message in his quarantine. He releases it. Mary > > > > > > knows nothing of the email. No quarantine file for her (in MailWatch), > > > > > > and when John releases it, it only goes to John. > > > > > > > > > > > > Variation: > > > > > > > > > > > > Bob sends to Tom and John. John is at somedomain.net but Tom is at > > > > > > anotherdomain.us. Both are handled by my mailscanner. Same exact > > > > > > behavior as above. > > > > > > > > > > > > I've been googling this and the solutions I've found have been really > > > > > > ancient (2003 vintage), and as such, several versions of released code > > > > > > old. 
> > > > > > > > > > > > I'm wondering if there's some new way of fixing this issue? I don't > > > > > > particularly want to rig up a second instance of postfix on some odd > > > > > > port just to fix this... unless I have to. 8-( > > > > > > > > > > > > Angelo > > > > > Not yet, there isn't... Unless you patch MailWatch to handle this > > > > > (ISTR there being some patches for this floating around). > > > > > > > > > > > > Well, I've made a right mess of my kit by trying Joost's referred > > > > article. There's at least one or two material typos in it, and it's a > > > > dickens to troubleshoot. I'm meddling a bit more with it before > > > > reverting back. > > > > > > > > Angelo > > > Being the author of that article, I'd like to be alerted to what typos > > > you find... Might help the next guy/gal:-). > > > > Right, found one I thought I'd fixed (postfix.in/transport and > > postfix/transport.in mixup). Fixed that one good this time. Please > > reload your pages:-). > > > > Was there anything else (apart from a nonsensical "compare this OR > > this" example near the end:)? > > > > Well, for one, the /etc/postfix/transport.in => > /etc/postfix.in/transport was one problem. Check. That one will make life very hard if one missed it, yes. As said ... all fixed now:). > Also, let's consider why I'm after this article: the original post: > about releasing properly to multiple recipients from within MailWatch. > It was confusing to me that if I went out and grabbed mini_sendmail > that I wouldn't need the postfix instance on port 10027. But it seems > that the mini_sendmail is just a remailer, telling it to connect to > localhost:10027... which implies that the 10027 instance /does/ need > to be there. I'm not sure I follow you here... 
It should be fairly obvious that that part of it was written at two different times, the first when I was just theorising about necessary tools to overcome the whole "how do I release mail when I no longer can whitelist 127.0.0.1" problem, the second a more thorough job on describing how to go about it... I'm fairly certain I never imply what you're saying above. But then again, the wording is a bit messy:-). > And... I'm not sure if it was needed or not, but I created > /etc/init.d/postfix.in - copied from /etc/init.d/postfix, adding -c > /etc/postfix.in as the config files to use. It wasn't clear if this > was needed or not. Why would you do a silly thing like that? Didn't you read step #13? It rather clearly (IMO:-) states that the MailScanner init script will find and use both instances. > I run as a gateway, and as such, rely on whitelisting 127.0.0.1 for > releasing. The doc says to remove whitelisting of 127.0.0.1. But then > what? I understand that it needs to be removed to pass the mail from > one spool to the other, but how do I then resend it back out without > the double (or looping) scanning? The whole ending note is _only_ about solving this problem.... After the "And the time is now:-)"... Did you read that part carefully? > As of now, I've executed a rollback. But I'm missing something I > think. If you have any ideas on what I've not done correctly, I'd love > to hear. > > Backout: > > Restored /etc/postfix-bak to /etc/postfix (I copied it to -bak before > I started mucking) > Restored /var/www/html/mailscanner-bak to /var/www/html/mailscanner > Removed /etc/init.d/postfix.in > > To be sure, I init-6'ed. Now, after the reboot, no mail is coming > through, everything appears to be going into the > /var/spool/postfix.in/hold directory. (I know this based on the reboot > being at 15:09 and files in /var/spool/postfix.in/hold having a 15:18 > timestamp. Did you muck about further with the init scripts? That might be something... 
I'm off to my commuter train, but ... keep me posted, I'll take up the thread once I'm home. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From am.lists at gmail.com Thu Mar 15 21:30:13 2007 
From: am.lists at gmail.com (am.lists) Date: Thu Mar 15 20:44:12 2007 Subject: Additional recipients within same lose mail when quarantined/released... In-Reply-To: <223f97700703151250y55a2538tab660aa2fd8cf6c2@mail.gmail.com> References: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com> <223f97700703151143l6fed5889mc44c40c2ff2a8eb5@mail.gmail.com> <25a66d840703151147w21c5c98ale50cb616852f0a19@mail.gmail.com> <223f97700703151156o348ad305ub1246132c1026e4e@mail.gmail.com> <223f97700703151202j794342ffve742c77464121ad9@mail.gmail.com> <25a66d840703151233t74ac700fo4f449f47002a0b5c@mail.gmail.com> <223f97700703151250y55a2538tab660aa2fd8cf6c2@mail.gmail.com> Message-ID: <25a66d840703151330x28ab9b14tfac6887197ec720e@mail.gmail.com> > > Also, let's consider why I'm after this article: the original post: > > about releasing properly to multiple recipients from within MailWatch. > > It was confusing to me that if I went out and grabbed mini_sendmail > > that I wouldn't need the postfix instance on port 10027. But it seems > > that the mini_sendmail is just a remailer, telling it to connect to > > localhost:10027... which implies that the 10027 instance /does/ need > > to be there. > I'm not sure I follow you here... It should be fairly obvious that > that part of it was written at two different times, the first when I > was just theorising about necessary tools to overcome the whole "how > do I release mail when I no longer can whitelist 127.0.0.1" problem, > the second a more thorough job on describing how to go about it... I'm > fairly certain I never imply what you're saying above. But then again, > the wording is a bit messy:-). I guess it wasn't clear to me but if you see below, I did miss a step. :) > > And... I'm not sure if it was needed or not, but I created > > /etc/init.d/postfix.in - copied from /etc/init.d/postfix, adding -c > > /etc/postfix.in as the config files to use. It wasn't clear if this > > was needed or not. 
> Why would you do a silly thing like that? Didn't you read step #13? It > rather clearly (IMO:-) states that the MailScanner init script will > find and use both instances. Completely missed that... Obviously MailScanner was intended with the possible use of second postfix.in instance in the startup script already. Now that I see it, I understand it. > > I run as a gateway, and as such, rely on whitelisting 127.0.0.1 for > > releasing. The doc says to remove whitelisting of 127.0.0.1. But then > > what? I understand that it needs to be removed to pass the mail from > > one spool to the other, but how do I then resend it back out without > > the double (or looping) scanning? > > The whole ending note is _only_ about solving this problem.... After > the "And the time is now:-)"... Did you read that part carefully? Perhaps it would be more clear if you said something to the tune of "because we can't just whitelist everything from 127.0.0.1, as that would no longer check spam, we accomplish it by using a special instance of postfix on port 10027 that has the whitelist configured within the instance." Just a suggestion, I'm not even sure I have that 100% right, but I think so. > > > As of now, I've executed a rollback. But I'm missing something I > > think. If you have any ideas on what I've not done correctly, I'd love > > to hear. > > > > Backout: > > > > Restored /etc/postfix-bak to /etc/postfix (I copied it to -bak before > > I started mucking) > > Restored /var/www/html/mailscanner-bak to /var/www/html/mailscanner > > Removed /etc/init.d/postfix.in > > > > To be sure, I init-6'ed. Now, after the reboot, no mail is coming > > through, everything appears to be going into the > > /var/spool/postfix.in/hold directory. (I know this based on the reboot > > being at 15:09 and files in /var/spool/postfix.in/hold having a 15:18 > > timestamp. > > Did you muck about further with the init scripts? That might be something... > I'm off to my commuter train, but ... 
keep me posted, I'll take up the > thread once I'm home. Actually, a second init 6 seems to have things moving again. I notice 200+ files in /var/spool/postfix.in/hold -- I'm guessing it's safe to simply cp them over to /var/spool/postfix/hold and be processed? Angelo From am.lists at gmail.com Thu Mar 15 21:56:01 2007 From: am.lists at gmail.com (am.lists) Date: Thu Mar 15 21:02:41 2007 Subject: Additional recipients within same lose mail when quarantined/released... In-Reply-To: <25a66d840703151330x28ab9b14tfac6887197ec720e@mail.gmail.com> References: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com> <223f97700703151143l6fed5889mc44c40c2ff2a8eb5@mail.gmail.com> <25a66d840703151147w21c5c98ale50cb616852f0a19@mail.gmail.com> <223f97700703151156o348ad305ub1246132c1026e4e@mail.gmail.com> <223f97700703151202j794342ffve742c77464121ad9@mail.gmail.com> <25a66d840703151233t74ac700fo4f449f47002a0b5c@mail.gmail.com> <223f97700703151250y55a2538tab660aa2fd8cf6c2@mail.gmail.com> <25a66d840703151330x28ab9b14tfac6887197ec720e@mail.gmail.com> Message-ID: <25a66d840703151356j6540458ajd4e9c0032d867e2b@mail.gmail.com> On 3/15/07, am. lists wrote: > Actually, a second init 6 seems to have things moving again. > > I notice 200+ files in /var/spool/postfix.in/hold -- I'm guessing it's > safe to simply cp them over to /var/spool/postfix/hold and be > processed? > > Angelo > Update. Yes, moving the ...hold/* files over worked... once I chown'ed them back to postfix. All is up and running again. Still want to get this mod in place though. If someone ever wants to release a quarantined file that was sent to multiple recipients, I'm currently SOL until I have this fixed. Thanks, Glenn, for your dedication to this. Angelo From glenn.steen at gmail.com Thu Mar 15 22:28:00 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 15 21:34:43 2007 Subject: Additional recipients within same lose mail when quarantined/released... In-Reply-To: <25a66d840703151330x28ab9b14tfac6887197ec720e@mail.gmail.com> References: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com> <223f97700703151143l6fed5889mc44c40c2ff2a8eb5@mail.gmail.com> <25a66d840703151147w21c5c98ale50cb616852f0a19@mail.gmail.com> <223f97700703151156o348ad305ub1246132c1026e4e@mail.gmail.com> <223f97700703151202j794342ffve742c77464121ad9@mail.gmail.com> <25a66d840703151233t74ac700fo4f449f47002a0b5c@mail.gmail.com> <223f97700703151250y55a2538tab660aa2fd8cf6c2@mail.gmail.com> <25a66d840703151330x28ab9b14tfac6887197ec720e@mail.gmail.com> Message-ID: <223f97700703151428q7ff30075gf34795faeb14aa53@mail.gmail.com> On 15/03/07, am.lists wrote: > > > Also, let's consider why I'm after this article: the original post: > > > about releasing properly to multiple recipients from within MailWatch. > > > It was confusing to me that if I went out and grabbed mini_sendmail > > > that I wouldn't need the postfix instance on port 10027. But it seems > > > that the mini_sendmail is just a remailer, telling it to connect to > > > localhost:10027... which implies that the 10027 instance /does/ need > > > to be there. > > I'm not sure I follow you here... It should be fairly obvious that > > that part of it was written at two different times, the first when I > > was just theorising about necessary tools to overcome the whole "how > > do I release mail when I no longer can whitelist 127.0.0.1" problem, > > the second a more thorough job on describing how to go about it... I'm > > fairly certain I never imply what you're saying above. But then again, > > the wording is a bit messy:-). > > I guess it wasn't clear to me but if you see below, I did miss a step. :) :-) > > > And... 
I'm not sure if it was needed or not, but I created > > > /etc/init.d/postfix.in - copied from /etc/init.d/postfix, adding -c > > > /etc/postfix.in as the config files to use. It wasn't clear if this > > > was needed or not. > > Why would you do a silly thing like that? Didn't you read step #13? It > > rather clearly (IMO:-) states that the MailScanner init script will > > find and use both instances. > > Completely missed that... Obviously MailScanner was intended with the > possible use of second postfix.in instance in the startup script > already. Now that I see it, I understand it. I'm "cheating" a bit.... MailScanner was initially using a "two instance defer" method for getting hold of the queue file, but since the qmgr could (and at rather rare intervals did!) touch the queue files while MS was handling them, one ended up with corrupted queue files, duplicated messages and generally bad things like that... So some clever soul (not me) dreamt up the "single instance HOLD" method, which is completely safe from the aforementioned problems, but... the "magic" in the init script survived. So ... it was a very easy thing to use for my own purposes:-). As usual, all praise to Jules;). > > > I run as a gateway, and as such, rely on whitelisting 127.0.0.1 for > > > releasing. The doc says to remove whitelisting of 127.0.0.1. But then > > > what? I understand that it needs to be removed to pass the mail from > > > one spool to the other, but how do I then resend it back out without > > > the double (or looping) scanning? > > > > The whole ending note is _only_ about solving this problem.... After > > the "And the time is now:-)"... Did you read that part carefully? > > Perhaps it would be more clear if you said something to the tune of > "because we can't just whitelist everything from 127.0.0.1, as that > would no longer check spam, we accomplish it by using a special > instance of postfix on port 10027 that has the whitelist configured > within the instance." 
Just a suggestion, I'm not even sure I have > that 100% right, but I think so. That might be a very good thing. I think I'll rephrase that whole section, I was never satisfied with it. Thanks for the input. > > > > > As of now, I've executed a rollback. But I'm missing something I > > > think. If you have any ideas on what I've not done correctly, I'd love > > > to hear. > > > > > > Backout: > > > > > > Restored /etc/postfix-bak to /etc/postfix (I copied it to -bak before > > > I started mucking) > > > Restored /var/www/html/mailscanner-bak to /var/www/html/mailscanner > > > Removed /etc/init.d/postfix.in > > > > > > To be sure, I init-6'ed. Now, after the reboot, no mail is coming > > > through, everything appears to be going into the > > > /var/spool/postfix.in/hold directory. (I know this based on the reboot > > > being at 15:09 and files in /var/spool/postfix.in/hold having a 15:18 > > > timestamp. > > > > Did you muck about further with the init scripts? That might be something... > > I'm off to my commuter train, but ... keep me posted, I'll take up the > > thread once I'm home. > > Actually, a second init 6 seems to have things moving again. Ah, Ok good. > I notice 200+ files in /var/spool/postfix.in/hold -- I'm guessing it's > safe to simply cp them over to /var/spool/postfix/hold and be > processed? Yep, just do the necessary things for it (as mentioned in the "release queue files from quarantine" wikipage ... Let's see ... http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:postfix:how_to:release_quarantined_mail should give the basic ideas:). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Mar 15 22:39:34 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 15 21:46:15 2007 Subject: Additional recipients within same lose mail when quarantined/released... In-Reply-To: <25a66d840703151356j6540458ajd4e9c0032d867e2b@mail.gmail.com> References: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com> <223f97700703151143l6fed5889mc44c40c2ff2a8eb5@mail.gmail.com> <25a66d840703151147w21c5c98ale50cb616852f0a19@mail.gmail.com> <223f97700703151156o348ad305ub1246132c1026e4e@mail.gmail.com> <223f97700703151202j794342ffve742c77464121ad9@mail.gmail.com> <25a66d840703151233t74ac700fo4f449f47002a0b5c@mail.gmail.com> <223f97700703151250y55a2538tab660aa2fd8cf6c2@mail.gmail.com> <25a66d840703151330x28ab9b14tfac6887197ec720e@mail.gmail.com> <25a66d840703151356j6540458ajd4e9c0032d867e2b@mail.gmail.com> Message-ID: <223f97700703151439l470a54d3g37114afa2a0e74d@mail.gmail.com> On 15/03/07, am.lists wrote: > On 3/15/07, am. lists wrote: > > Actually, a second init 6 seems to have things moving again. > > > > I notice 200+ files in /var/spool/postfix.in/hold -- I'm guessing it's > > safe to simply cp them over to /var/spool/postfix/hold and be > > processed? > > > > Angelo > > > > Update. Yes, moving the ...hold/* files over worked... once I chown'ed > them back to postfix. Good. > All is up and running again. Still want to get this mod in place > though. If someone ever wants to release a quarantined file that was > sent to multiple recipients, I'm currently SOL until I have this > fixed. As I mentioned earlier, there are some kind of patches floating around (on the MailWatch list, IIRC) that kind of try to solve this "at the other end", but I'm not sure what state they're in, or if they would completely solve your problem. I'm too tired today to do the wiki rewrite (it'll probably have to wait to the weekend, way too much Real Work, revving up for our big trip (going to Singapore & Malaysia in a couple of weeks... Just for R&R! No work for two weeks! 
I wonder if my system can take it:-)... And so does the PHB... And my retiring (not in nature, he's really going off to pasture) DBA has dumped all Oracle on me, so ... things are pretty intense ATM:-)), but I'll look at it as soon as humanly possible. I'm toying with a "one instance/three smtp-handlers" idea or so, that might appeal to everyone a bit more, but that would need some real testing, and testing takes time, so ... We'll see. I still think you could get this going, but best would be if you have a "throwaway testbed" to play around on first:). Always a good idea to have, for testing new versions of MailScanner, SA etc. > Thanks, Glenn, for your dedication to this. My pleasure! Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Fri Mar 16 00:33:18 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Mar 15 23:40:20 2007 Subject: Mailscanner + spamassassin +Razor + Pyzor + DCC In-Reply-To: <223f97700703151027k2ab9de45h25cf6a1bf2acee97@mail.gmail.com> References: <45F83008.7010808@fcen.uba.ar> <45F83977.3020502@evi-inc.com> <223f97700703151027k2ab9de45h25cf6a1bf2acee97@mail.gmail.com> Message-ID: Glenn Steen spake the following on 3/15/2007 10:27 AM: > On 15/03/07, Scott Silva wrote: >> Matt Kettler spake the following on 3/14/2007 11:05 AM: >> > Nicolas Canepa wrote: >> >> Hi, I am using Mailscanner with spamassassin. For what i've read >> you can >> >> define in Mailscanner.conf to use pyzor, razor and dcc, or tell >> >> spamassassin to use razor, pyzor and dcc in the local.cf file. >> > >> > Em, no. you can define it in MailScanner.cf, >> spam.assassin.prefs.conf, or local.cf. >> > >> > You cannot define it in MailScanner.conf, which is a MailScanner >> config file. >> > Mailscanner.cf on the other hand is a spamassassin config file, and >> lives in the >> > spamassassin site rules directory. >> Actually, mailscanner.cf is supposed to be a softlink to >> spamassassin.prefs.conf. If you have something else, you are breaking the >> reason that this was done. > Scott my friend, if you link from A to B or from B to A is > immaterial... You can well have mailscanner.cf be a plain file and > link it from spam.assassin.prefs.conf ... The only risk you run is at > upgrades and such where things could become ... troubled, to say the > least:-). > So sure, it might be best to stick with the assumptions of the > install.sh script, but there's really nothing functionally hindering > you from doing it "backwards"... :) > > And I wouldn't "tickle" Matt about this (Wouldn't want to bring the > Kettler to a boil:-)... He's the sole reason things are as they are > today;-). > > Cheers I bow from my ignorance! :-) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 
From ssilva at sgvwater.com Fri Mar 16 00:37:07 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Mar 15 23:46:43 2007 Subject: Mailscanner + spamassassin +Razor + Pyzor + DCC In-Reply-To: <45F985B0.7090504@evi-inc.com> References: <45F83008.7010808@fcen.uba.ar> <45F83977.3020502@evi-inc.com> <223f97700703151027k2ab9de45h25cf6a1bf2acee97@mail.gmail.com> <45F985B0.7090504@evi-inc.com> Message-ID: Matt Kettler spake the following on 3/15/2007 10:43 AM: > Glenn Steen wrote: > >> And I wouldn't "tickle" Matt about this (Wouldn't want to bring the >> Kettler to a boil:-)... He's the sole reason things are as they are >> today;-). > > Too late :) > > Actually, I'm not at a boil, but my reply to Scott's message might be a bit more > gruff than it should be.. rough week here. My apologies! It has been pretty rough here also! Installing monit on a very feisty server that randomly stops services with no reason I can find as yet. Anybody have a good monit script for dhcp besides just looking at the pidfile and udp port 67? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From paul at welshfamily.com Fri Mar 16 00:54:36 2007 
From: paul at welshfamily.com (Paul Welsh) Date: Fri Mar 16 00:03:13 2007 Subject: OT: Router In-Reply-To: <200702181100.l1IB0DOR000620@safir.blacknight.ie> Message-ID: <200703160003.l2G03Clb031822@safir.blacknight.ie> Sorry this is OT but I'm sure I'll get some sensible answers here. I've been playing with the Sophos SC1000 appliance that scans web pages for nasties before end users get to see them. This web content scanning malarky is going to be "a big thing" I'm sure. Anyhow, for my sins I'm running MS ISA Server 2004. Stuck the Sophos appliance on its own DMZ and pointed its default gateway at the Internet via an el cheapo Netgear router configured to do NAT which is connected in turn to a high speed ADSL line via an el cheapo BT ADSL router operating in non-NAT mode. All works fine except certain web sites, eg, Natwest online banking. The https page where you enter your customer ID loads. You enter your ID and it hangs before reaching the page where you enter random characters of your PIN and password. Likewise, some web mail sites (non-secure) hang at certain points. I think the web mail site is hanging when it tries to run a .pl page. After a lot of head scratching it turned out to have nothing to do with the appliance. A different PC connected to the router exhibited the same problems. Gave the appliance a public IP and stuck it on the Internet and it works fine. This configuration is, I understand, not officially supported though. Time to buy a better router? Any recommendations? The router isn't configured to do anything odd and I have rebooted it. I intend placing 2 servers running MailScanner on the same DMZ at a later date. Is it sensible therefore to buy a decent router/firewall to protect this segment? Smoothwall / monowall worth a go? From arturs at netvision.net.il Fri Mar 16 01:09:00 2007 
From: arturs at netvision.net.il (Arthur Sherman) Date: Fri Mar 16 00:17:16 2007 Subject: Router In-Reply-To: <200703160003.l2G03Clb031822@safir.blacknight.ie> Message-ID: <03b001c7675f$4c451ba0$3701a8c0@lapxp> > Time to buy a better router? Any recommendations? The router isn't Checkpoint S-Box 200 or 500 series Cheap, feature rich and very good, IMHO. Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ From mkettler at evi-inc.com Fri Mar 16 03:04:39 2007 From: mkettler at evi-inc.com (Matt Kettler) Date: Fri Mar 16 02:11:27 2007 Subject: Mailscanner + spamassassin +Razor + Pyzor + DCC In-Reply-To: <223f97700703151108t2c69b629j95764d1a6917d48d@mail.gmail.com> References: <45F83008.7010808@fcen.uba.ar> <45F83977.3020502@evi-inc.com> <45F97EEC.30601@evi-inc.com> <223f97700703151038q1fc8f6ddy88fd6f25f30135c1@mail.gmail.com> <45F98881.7000307@evi-inc.com> <223f97700703151108t2c69b629j95764d1a6917d48d@mail.gmail.com> Message-ID: <45F9FB37.8010007@evi-inc.com> Glenn Steen wrote: > On 15/03/07, Matt Kettler wrote: >> Glenn Steen wrote: >> > >> > Uh, correct me if I'm wrong, but AFAICR Jules removed the user-prefs >> > setting entirely. So unless you have the link in place you will not >> > get those settings spam.assassin.prefs.conf/mailscanner.cf at all (and >> > this would imply no "double-parsing" happening). One might say that >> > the name spam.assassin.prefs.conf is a real mis-nomer now:-). >> >> Actually, you appear to be right. > Don't sound so surprised, it actually happens from time to time:-D. This is IT.. I'm surprised when *ANYONE* is right. :) From csweeney at osubucks.org Fri Mar 16 03:10:38 2007 
From: csweeney at osubucks.org (Chris Sweeney) Date: Fri Mar 16 02:17:27 2007 Subject: OT: Router In-Reply-To: <200703160003.l2G03Clb031822@safir.blacknight.ie> References: <200703160003.l2G03Clb031822@safir.blacknight.ie> Message-ID: <45F9FC9E.3030109@osubucks.org> smoothwall works great with the superkernel you can do about anything you would want and then some. Paul Welsh wrote: > Sorry this is OT but I'm sure I'll get some sensible answers here. > > I've been playing with the Sophos SC1000 appliance that scans web pages for > nasties before end users get to see them. This web content scanning malarky > is going to be "a big thing" I'm sure. > > > From glenn.steen at gmail.com Fri Mar 16 10:17:39 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Mar 16 09:24:22 2007 Subject: OT: Router In-Reply-To: <45F9FC9E.3030109@osubucks.org> References: <200703160003.l2G03Clb031822@safir.blacknight.ie> <45F9FC9E.3030109@osubucks.org> Message-ID: <223f97700703160217l6dc1abfeifd10f20bb51eff3c@mail.gmail.com> On 16/03/07, Chris Sweeney wrote: > smoothwall works great with the superkernel you can do about anything > you would want and then some. > > Paul Welsh wrote: > > Sorry this is OT but I'm sure I'll get some sensible answers here. > > > > I've been playing with the Sophos SC1000 appliance that scans web pages for > > nasties before end users get to see them. This web content scanning malarky > > is going to be "a big thing" I'm sure. > > haven't more than sniffed at them but both monowall and IPCop (how should we term that... "Smoothwall's less commercial offshoot"?) seem like capable and affordable alternatives. Might be worth your time. But do go for something more "firewall" than "router". Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From martinh at solidstatelogic.com Fri Mar 16 10:25:27 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Fri Mar 16 09:32:15 2007 Subject: OT: Router In-Reply-To: <223f97700703160217l6dc1abfeifd10f20bb51eff3c@mail.gmail.com> Message-ID: The GB range of firewalls from gta.com are good I find... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen > Sent: 16 March 2007 09:18 > To: MailScanner discussion > Subject: Re: OT: Router > > On 16/03/07, Chris Sweeney wrote: > > smoothwall works great with the superkernel you can do about anything > > you would want and then some. > > > > Paul Welsh wrote: > > > Sorry this is OT but I'm sure I'll get some sensible answers here. > > > > > > I've been playing with the Sophos SC1000 appliance that scans web > pages for > > > nasties before end users get to see them. This web content scanning > malarky > > > is going to be "a big thing" I'm sure. > > > > haven't more than sniffed at them but both monowall and IPCop (how > should we term that... "Smoothwall's less commercial offshoot"?) seem > like capable and affordable alternatives. > Might be worth your time. > But do go for something more "firewall" than "router". > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se From fssilva at gmail.com Fri Mar 16 12:10:19 2007 
From: fssilva at gmail.com (Fabio Silva) Date: Fri Mar 16 11:17:02 2007 Subject: Message Blocked In-Reply-To: References: <45F90500.8040908@chime.ucl.ac.uk> Message-ID: Look, I can open the file... and it's only a text file... I can see the message in the text file... but why does this message arrive like an executable file?? Regards, Fabio On 3/15/07, Scott Silva wrote: > Fabio Silva spake the following on 3/15/2007 4:11 AM: > > Hi all... I again... I checked the file and I can see that is a MS-DOC > > executable.... but... how to solve it? because it isn't an executable > > file... has any way to solve it?? > > > But if you can see that it is an executable file, then why do you say that it > isn't executable? > If it is an executable renamed to a text file, it can still be dangerous, and > might be a virus. > > > -- > > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > -- Fabio S. Silva From neilw at dcdata.co.za Fri Mar 16 12:32:16 2007 
From: neilw at dcdata.co.za (Neil Wilson) Date: Fri Mar 16 11:39:23 2007 Subject: Report: Denial of Service attack in message! In-Reply-To: <45F96E3A.6040607@yeticomputers.com> References: <45F96088.1010604@dcdata.co.za> <45F96E3A.6040607@yeticomputers.com> Message-ID: <45FA8040.3010805@dcdata.co.za> Thanks for the reply. Rick Chadderdon wrote: > That denial of service message can be caused by timeouts while virus > scanning the email in question. Is the server heavily loaded? Sometimes it's the simple things, the server is using over a gig of swap space, so I'm sure this is the cause. Looking in the logs, it's taken over 30 minutes to block the message. Mar 14 14:59:50 MailScanner[6532]: Message 9615852E74.05ADD from... Mar 14 15:30:31 MailScanner[6532]: Virus Scanning: Denial Of... Definitely a resources problem. Thanks again. Regards. Neil. From glenn.steen at gmail.com Fri Mar 16 12:34:46 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Mar 16 11:41:33 2007 Subject: Message Blocked In-Reply-To: References: <45F90500.8040908@chime.ucl.ac.uk> Message-ID: <223f97700703160434l75c77686jfcb3768d12114893@mail.gmail.com> On 16/03/07, Fabio Silva wrote: > Look, I can open the file... and it's only a Text file... I can see the > message in the text file... but why this message arrives like an > executable file ?? > As Rick very correctly and clearly explained to you, it isn't. It is your file command that is to blame for this misdetection. Either stop using it (and thus the Filetype Rules), or try to determine what exact bytes make the file command determine it is a "MS-DOS executable (com)" (or whatever it found it to be)... Know that some versions of the file command (or perhaps rather some version of the magic file) are very ... optimistic... when deciding this. When you know what lines in your magic file are responsible for the misdetection, you could just comment it/them out. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From am.lists at gmail.com Fri Mar 16 15:38:23 2007 
From: am.lists at gmail.com (am.lists) Date: Fri Mar 16 14:45:06 2007 Subject: Additional recipients within same lose mail when quarantined/released... In-Reply-To: <223f97700703151439l470a54d3g37114afa2a0e74d@mail.gmail.com> References: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com> <223f97700703151143l6fed5889mc44c40c2ff2a8eb5@mail.gmail.com> <25a66d840703151147w21c5c98ale50cb616852f0a19@mail.gmail.com> <223f97700703151156o348ad305ub1246132c1026e4e@mail.gmail.com> <223f97700703151202j794342ffve742c77464121ad9@mail.gmail.com> <25a66d840703151233t74ac700fo4f449f47002a0b5c@mail.gmail.com> <223f97700703151250y55a2538tab660aa2fd8cf6c2@mail.gmail.com> <25a66d840703151330x28ab9b14tfac6887197ec720e@mail.gmail.com> <25a66d840703151356j6540458ajd4e9c0032d867e2b@mail.gmail.com> <223f97700703151439l470a54d3g37114afa2a0e74d@mail.gmail.com> Message-ID: <25a66d840703160738v1473f8a1v932763b954196db7@mail.gmail.com> On 3/15/07, Glenn Steen wrote: > As I mentioned earlier, there are some kind of patches floating around > (on the MailWatch list, IIRC) that kind of try to solve this "at the > other end", but I'm not sure what state they're in, or if they would > completely solve your problem. > Do we think this is a bit of functionality that might be solved in the elusive MailWatch 2.0 or is this issue rooted more deeply, e.g. at the MS or PF layer? It seems to me that MailWatch could log the message as separate rows in the DB per "known user", referencing the same quarantine file. Just a thought. To bastardize this in to the current system, I'd think about adding a separate routine that iterates through the actual listed recipients, and adding the intended recipient to a "deliver_this_copy_to" field (which would have to be added). > I'm too tired today to do the wiki rewrite (it'll probably have to > wait to the weekend, way to much Real Work, revving up for our big > trip (going to Singapore & Malaysia in a couple of weeks... Just for > R&R! No work for two weeks! 
I wonder if my system can take it:-)... > And so does the PHB... And my retiring (not in nature, he's really > going off to pasture) DBA has dumped all Oracle on me, so ... things > are pretty intense ATM:-)), but I'll look at it as soon as humanely > possible. I'm toying with a "one instance/three smtp-handlers" idea or > so, that might appeal to everyone a bit more, but that would need some > real testing, and testing take time, so ... We'll see. > Please enjoy your vacation. Remember to take lots of pictures! > I still think you could get this going, but best would be if you have > a "throwaway testbed" to play around on first:). Always a good idea to > have, for testing new versions of MailScanner, SA etc. > Thanks, and many props to the folks at VMWare for the ease at which I can rubber-stamp out a second copy of my environment. Now, if only I had followed my own advice, I could have avoided 5 hours of queued mail yesterday. :-# > -- Glenn --Angelo From matt at coders.co.uk Fri Mar 16 16:06:00 2007 
From: matt at coders.co.uk (Matt Hampton) Date: Fri Mar 16 15:13:01 2007 Subject: Additional recipients within same lose mail when quarantined/released... In-Reply-To: <25a66d840703160738v1473f8a1v932763b954196db7@mail.gmail.com> References: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com> <223f97700703151143l6fed5889mc44c40c2ff2a8eb5@mail.gmail.com> <25a66d840703151147w21c5c98ale50cb616852f0a19@mail.gmail.com> <223f97700703151156o348ad305ub1246132c1026e4e@mail.gmail.com> <223f97700703151202j794342ffve742c77464121ad9@mail.gmail.com> <25a66d840703151233t74ac700fo4f449f47002a0b5c@mail.gmail.com> <223f97700703151250y55a2538tab660aa2fd8cf6c2@mail.gmail.com> <25a66d840703151330x28ab9b14tfac6887197ec720e@mail.gmail.com> <25a66d840703151356j6540458ajd4e9c0032d867e2b@mail.gmail.com> <223f97700703151439l470a54d3g37114afa2a0e74d@mail.gmail.com> <25a66d840703160738v1473f8a1v932763b954196db7@mail.gmail.com> Message-ID: <45FAB258.30008@coders.co.uk> am.lists wrote: > Do we think this is a bit of functionality that might be solved in the > elusive MailWatch 2.0 or is this issue rooted more deeply, e.g. at the > MS or PF layer? The problem is really pre MailWatch as has been discussed previously. > It seems to me that MailWatch could log the message as > separate rows in the DB per "known user", referencing the same > quarantine file. I originally did something similar - I split the recipients out into a separate table and then iterated through them. HOWEVER - the actual status of a message was still determined by the first recipient in the envelope. The minor hit I took by splitting recipients (I use Sendmail) was almost completely mitigated by the SpamAssassin Cache. This also allows a unique message ID for each individual message recipient. > Just a thought. 
To bastardize this in to the current > system, I'd think about adding a separate routine that iterates > through the actual listed recipients, and adding the intended > recipient to a "deliver_this_copy_to" field (which would have to be > added). Yep that would work but not as neat or traceable as the split envelope method. just my thoughts... matt From webmaster at boucinhas.com.br Fri Mar 16 17:47:53 2007 From: webmaster at boucinhas.com.br (Webmaster Boucinhas & Campos) Date: Fri Mar 16 16:54:47 2007 Subject: How to convert a queue file to eml ou mbox? References: <001101c76647$2b4a28a0$1803010a@10205> <223f97700703151135w799d41c8j92c53d33f5eead51@mail.gmail.com> Message-ID: <008901c767ea$d7661c30$1803010a@10205> Thanks for you information but I would like run a cron job like this ############### cd /var/spool/MailScanner/archive/ for i in `ls -1` do convert_raw_to_eml ${i} > ${i}.eml convert_raw_to_mbox ${i} > ${i}.eml convert_raw_to_html ${i} > ${i}.eml done ########### In the directory exist one directory per day and one file per message 20070315/D34085010F.A7559 is easy to identify the message, the filename is the mail ID, in a single mbox file is very hard to identify the mail Thanks ----- Original Message ----- 
From: "Glenn Steen" To: "MailScanner discussion" Sent: Thursday, March 15, 2007 3:35 PM Subject: Re: How to convert a queue file to eml ou mbox? > On 14/03/07, Webmaster Boucinhas & Campos > wrote: >> >> >> >> hello, >> >> I enable the option "Archive >> Mail=/var/spool/MailScanner/archive" in >> /etc/MailScanner/MailScanner.conf. >> >> How I convert the archived file to other format like mbox or eml? >> > Read the very informative comment just above the setting you enabled. > You find it here as well: > http://www.mailscanner.info/MailScanner.conf.index.html#Archive%20Mail > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From ITDept at fractalweb.com Fri Mar 16 17:51:18 2007 
From: ITDept at fractalweb.com (Chris Yuzik) Date: Fri Mar 16 16:58:20 2007 Subject: OT: system ignores .forward file Message-ID: <45FACB06.6020409@fractalweb.com> Hi everyone, I can't seem to get the system to look at the .forward file in the user's home dir. I've checked the permissions of the .forward file and it seems fine too. # pwd /home/domain1.com/homes/someguy # ls -lha total 20K drwxr-xr-x 4 someguy@domain1.com domain1.com 4.0K Mar 16 09:23 . drwxr-xr-x 4 domain1.com domain1.com 4.0K Feb 26 20:57 .. -rw-r--r-- 1 someguy@domain1.com domain1.com 21 Mar 16 09:23 .forward # cat .forward someotherguy@domain2.com When a message comes in to someguy@domain1.com , rather than the system reading the .forward file and forwarding it over to someotherguy@domain2.com , the system just puts it in the mailbox for someguy@domain1.com as though the .forward file wasn't there. The maillog isn't particularly helpful: # grep l2GGNf6t011416 /var/log/maillog Mar 16 09:23:45 devel sendmail[11416]: l2GGNf6t011416: from=, size=388, class=0, nrcpts=1, msgid=<45FAC486.40208@domain1.com>, proto=ESMTP, daemon=MSA, relay=S010600090f409322.vs.shawcable.net [xx.xxx.xx.xxx] Mar 16 09:23:56 devel MailScanner[23006]: Logging message l2GGNf6t011416 to SQL Mar 16 09:23:56 devel MailScanner[8197]: l2GGNf6t011416: Logged to MailWatch SQL Mar 16 09:23:56 devel sendmail[11464]: l2GGNf6t011416: to=, delay=00:00:11, xdelay=00:00:00, mailer=local, pri=120388, dsn=2.0.0, stat=Sent I'm running Sendmail 8.13 and Procmail 3.22 on Centos 4.4. I'm not sure how to troubleshoot this issue. Any thoughts? Thanks, Chris From ugob at lubik.ca Fri Mar 16 17:55:14 2007 
From: ugob at lubik.ca (Ugo Bellavance) Date: Fri Mar 16 17:11:49 2007 Subject: OT: Router In-Reply-To: <223f97700703160217l6dc1abfeifd10f20bb51eff3c@mail.gmail.com> References: <200703160003.l2G03Clb031822@safir.blacknight.ie> <45F9FC9E.3030109@osubucks.org> <223f97700703160217l6dc1abfeifd10f20bb51eff3c@mail.gmail.com> Message-ID: Glenn Steen wrote: > On 16/03/07, Chris Sweeney wrote: >> smoothwall works great with the superkernel you can do about anything >> you would want and then some. >> >> Paul Welsh wrote: >> > Sorry this is OT but I'm sure I'll get some sensible answers here. >> > >> > I've been playing with the Sophos SC1000 appliance that scans web >> pages for >> > nasties before end users get to see them. This web content scanning >> malarky >> > is going to be "a big thing" I'm sure. >> > > haven't more than sniffed at them but both monowall and IPCop (how > should we term that... "Smoothwalls less commercial offshoot"?) seem > like capable and affordable alternatives. > Might be worth your time. > But do go for something more "firewall" than "router". I've worked with the open-source version of smoothwall for a while and it went ok. Ipcop seems nice. I personally work more with m0n0wall and Pfsense on WRAP boards. Ugo From ssilva at sgvwater.com Fri Mar 16 18:49:19 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Mar 16 17:56:36 2007 Subject: Mailscanner + spamassassin +Razor + Pyzor + DCC In-Reply-To: <45F9FB37.8010007@evi-inc.com> References: <45F83008.7010808@fcen.uba.ar> <45F83977.3020502@evi-inc.com> <45F97EEC.30601@evi-inc.com> <223f97700703151038q1fc8f6ddy88fd6f25f30135c1@mail.gmail.com> <45F98881.7000307@evi-inc.com> <223f97700703151108t2c69b629j95764d1a6917d48d@mail.gmail.com> <45F9FB37.8010007@evi-inc.com> Message-ID: Matt Kettler spake the following on 3/15/2007 7:04 PM: > Glenn Steen wrote: >> On 15/03/07, Matt Kettler wrote: >>> Glenn Steen wrote: >>>> Uh, correct me if I'm wrong, but AFAICR Jules removed the user-prefs >>>> setting entirely. So unless you have the link in place you will not >>>> get those settings spam.assassin.prefs.conf/mailscanner.cf at all (and >>>> this would imply no "double-parsing" happening). One might say that >>>> the name spam.assassin.prefs.conf is a real mis-nomer now:-). >>> Actually, you appear to be right. >> Don't sound so surprised, it actually happens from time to time:-D. > > This is IT.. I'm surprised when *ANYONE* is right. :) Here IT seems to stand for Idiot Trainers. Excuse me, I have to go train some more of them! ;-) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Fri Mar 16 19:09:15 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Mar 16 18:16:52 2007 Subject: OT: system ignores .forward file In-Reply-To: <45FACB06.6020409@fractalweb.com> References: <45FACB06.6020409@fractalweb.com> Message-ID: Chris Yuzik spake the following on 3/16/2007 9:51 AM: > Hi everyone, > > I can't seem to get the system to look at the .forward file in the > user's home dir. I've checked the permissions of the .forward file and > it seems fine too. > > # pwd > /home/domain1.com/homes/someguy > > # ls -lha > total 20K > drwxr-xr-x 4 someguy@domain1.com > domain1.com 4.0K Mar 16 09:23 . > drwxr-xr-x 4 domain1.com domain1.com 4.0K Feb 26 20:57 .. > -rw-r--r-- 1 someguy@domain1.com > domain1.com 21 Mar 16 09:23 .forward > > # cat .forward > someotherguy@domain2.com > > When a message comes in to someguy@domain1.com > , rather than the system reading the > .forward file and forwarding it over to someotherguy@domain2.com > , the system just puts it in the > mailbox for someguy@domain1.com as though > the .forward file wasn't there. > > The maillog isn't particularly helpful: > > # grep l2GGNf6t011416 /var/log/maillog > Mar 16 09:23:45 devel sendmail[11416]: l2GGNf6t011416: > from=, size=388, class=0, nrcpts=1, > msgid=<45FAC486.40208@domain1.com>, proto=ESMTP, daemon=MSA, > relay=S010600090f409322.vs.shawcable.net [xx.xxx.xx.xxx] > Mar 16 09:23:56 devel MailScanner[23006]: Logging message > l2GGNf6t011416 to SQL > Mar 16 09:23:56 devel MailScanner[8197]: l2GGNf6t011416: Logged to > MailWatch SQL > Mar 16 09:23:56 devel sendmail[11464]: l2GGNf6t011416: > to=, delay=00:00:11, xdelay=00:00:00, mailer=local, > pri=120388, dsn=2.0.0, stat=Sent > > I'm running Sendmail 8.13 and Procmail 3.22 on Centos 4.4. > > I'm not sure how to troubleshoot this issue. Any thoughts? > > Thanks, > Chris > Did gmane munge your .forward cat to have an e-mail address and a mailto: line? If it actually reads like this ; "someotherguy@domain2.com " that might be the problem. 
Otherwise, nevermind. ;-P -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ITDept at fractalweb.com Fri Mar 16 19:22:48 2007 From: ITDept at fractalweb.com (Chris Yuzik) Date: Fri Mar 16 18:29:48 2007 Subject: OT: system ignores .forward file In-Reply-To: References: <45FACB06.6020409@fractalweb.com> Message-ID: <45FAE078.4050404@fractalweb.com> Scott Silva wrote: > Did gmane munge your .forward cat to have an e-mail address and a mailto: line? > If it actually reads like this ; > > "someotherguy@domain2.com " > > that might be the problem. Otherwise, nevermind. ;-P > Scott, Hmmm. Something did. It was probably my email software. I'll paste the relevant logs here again, just to see. # pwd /home/domain1.com/homes/someguy # ls -lha total 20K drwxr-xr-x 4 someguy@domain1.com domain1.com 4.0K Mar 16 09:23 . drwxr-xr-x 4 domain1.com domain1.com 4.0K Feb 26 20:57 .. -rw-r--r-- 1 someguy@domain1.com domain1.com 21 Mar 16 09:23 .forward # cat .forward someotherguy@domain2.com # grep l2GGNf6t011416 /var/log/maillog Mar 16 09:23:45 devel sendmail[11416]: l2GGNf6t011416: from=, size=388, class=0, nrcpts=1, msgid=<45FAC486.40208@domain1.com>, proto=ESMTP, daemon=MSA, relay=S010600090f409322.vs.shawcable.net [xx.xxx.xx.xxx] Mar 16 09:23:56 devel MailScanner[23006]: Logging message l2GGNf6t011416 to SQL Mar 16 09:23:56 devel MailScanner[8197]: l2GGNf6t011416: Logged to MailWatch SQL Mar 16 09:23:56 devel sendmail[11464]: l2GGNf6t011416: to=, delay=00:00:11, xdelay=00:00:00, mailer=local, pri=120388, dsn=2.0.0, stat=Sent Chris From am.lists at gmail.com Fri Mar 16 20:15:45 2007 
From: am.lists at gmail.com (am.lists) Date: Fri Mar 16 19:22:31 2007 Subject: Additional recipients within same lose mail when quarantined/released... In-Reply-To: <45FAB258.30008@coders.co.uk> References: <25a66d840703141840t32dbc5f5n9d43ba484ba15d34@mail.gmail.com> <223f97700703151156o348ad305ub1246132c1026e4e@mail.gmail.com> <223f97700703151202j794342ffve742c77464121ad9@mail.gmail.com> <25a66d840703151233t74ac700fo4f449f47002a0b5c@mail.gmail.com> <223f97700703151250y55a2538tab660aa2fd8cf6c2@mail.gmail.com> <25a66d840703151330x28ab9b14tfac6887197ec720e@mail.gmail.com> <25a66d840703151356j6540458ajd4e9c0032d867e2b@mail.gmail.com> <223f97700703151439l470a54d3g37114afa2a0e74d@mail.gmail.com> <25a66d840703160738v1473f8a1v932763b954196db7@mail.gmail.com> <45FAB258.30008@coders.co.uk> Message-ID: <25a66d840703161215l10cbe8baw5e738db20c25b1e0@mail.gmail.com> On 3/16/07, Matt Hampton wrote: > am.lists wrote: > > Do we think this is a bit of functionality that might be solved in the > > elusive MailWatch 2.0 or is this issue rooted more deeply, e.g. at the > > MS or PF layer? > > The problem is really pre MailWatch as has been discussed in previously. > > > It seems to me that MailWatch could log the message as > > separate rows in the DB per "known user", referencing the same > > quarantine file. > > I orginally did something similar - I split the recipients out into a > separate table and then iterated through them. > > HOWEVER - the actual status of a message was still determined by the > first recipient in the envelope. > This would be fine for me, as I'm not implementing per-user bayes or per-user rules aside from black/white lists, which I may have to consider.... hmm... > The minor hit I took by splitting recipients (I use Sendmail) was almost > completely mitigated by the SpamAssassin Cache. > > This also allows a unique message ID for each individial message recipient. > > > > Just a thought. 
To bastardize this in to the current > > system, I'd think about adding a separate routine that iterates > > through the actual listed recipients, and adding the intended > > recipient to a "deliver_this_copy_to" field (which would have to be > > added). > > > Yep that would work but not as neat or traceable as the split envelope > method. > But, IIRC, the split envelope is still a problem because of the original To: line of the message not being rewritten. Or does the split envelope break that apart? Thanks for your thoughts. > matt Angelo From mike at vesol.com Fri Mar 16 20:42:40 2007 From: mike at vesol.com (Mike Kercher) Date: Fri Mar 16 19:50:14 2007 Subject: OT: system ignores .forward file References: <45FACB06.6020409@fractalweb.com> <45FAE078.4050404@fractalweb.com> Message-ID: Sorry for the top post...OWA makes it a pain! Could I see your sendmail.mc? I'd like to see what procmail declarations you are running. Mike ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info on behalf of Chris Yuzik Sent: Fri 3/16/2007 1:22 PM To: MailScanner discussion Subject: Re: OT: system ignores .forward file Scott, Hmmm. Something did. It was probably my email software. I'll paste the relevant logs here again, just to see. # pwd /home/domain1.com/homes/someguy # ls -lha total 20K drwxr-xr-x 4 someguy@domain1.com domain1.com 4.0K Mar 16 09:23 . drwxr-xr-x 4 domain1.com domain1.com 4.0K Feb 26 20:57 .. -rw-r--r-- 1 someguy@domain1.com domain1.com 21 Mar 16 09:23 .forward # cat .forward someotherguy@domain2.com # grep l2GGNf6t011416 /var/log/maillog Mar 16 09:23:45 devel sendmail[11416]: l2GGNf6t011416: from=, size=388, class=0, nrcpts=1, msgid=<45FAC486.40208@domain1.com>, proto=ESMTP, daemon=MSA, relay=S010600090f409322.vs.shawcable.net [xx.xxx.xx.xxx] Mar 16 09:23:56 devel MailScanner[23006]: Logging message l2GGNf6t011416 to SQL Mar 16 09:23:56 devel MailScanner[8197]: l2GGNf6t011416: Logged to MailWatch SQL Mar 16 09:23:56 devel sendmail[11464]: l2GGNf6t011416: to=, delay=00:00:11, xdelay=00:00:00, mailer=local, pri=120388, dsn=2.0.0, stat=Sent Chris From mike at vesol.com Fri Mar 16 20:49:10 2007 From: mike at vesol.com (Mike Kercher) Date: Fri Mar 16 19:55:54 2007 Subject: OT: system ignores .forward file References: <45FACB06.6020409@fractalweb.com> <45FAE078.4050404@fractalweb.com> Message-ID: Try to chmod 400 the .forward file and see if it works. Mike ________________________________ 
From: mailscanner-bounces@lists.mailscanner.info on behalf of Chris Yuzik Sent: Fri 3/16/2007 1:22 PM To: MailScanner discussion Subject: Re: OT: system ignores .forward file Scott Silva wrote: > Did gmane munge your .forward cat to have an e-mail address and a mailto: line? > If it actually reads like this ; > > "someotherguy@domain2.com " > > that might be the problem. Otherwise, nevermind. ;-P > Scott, Hmmm. Something did. It was probably my email software. I'll paste the relevant logs here again, just to see. # pwd /home/domain1.com/homes/someguy # ls -lha total 20K drwxr-xr-x 4 someguy@domain1.com domain1.com 4.0K Mar 16 09:23 . drwxr-xr-x 4 domain1.com domain1.com 4.0K Feb 26 20:57 .. -rw-r--r-- 1 someguy@domain1.com domain1.com 21 Mar 16 09:23 .forward # cat .forward someotherguy@domain2.com # grep l2GGNf6t011416 /var/log/maillog Mar 16 09:23:45 devel sendmail[11416]: l2GGNf6t011416: from=, size=388, class=0, nrcpts=1, msgid=<45FAC486.40208@domain1.com>, proto=ESMTP, daemon=MSA, relay=S010600090f409322.vs.shawcable.net [xx.xxx.xx.xxx] Mar 16 09:23:56 devel MailScanner[23006]: Logging message l2GGNf6t011416 to SQL Mar 16 09:23:56 devel MailScanner[8197]: l2GGNf6t011416: Logged to MailWatch SQL Mar 16 09:23:56 devel sendmail[11464]: l2GGNf6t011416: to=, delay=00:00:11, xdelay=00:00:00, mailer=local, pri=120388, dsn=2.0.0, stat=Sent Chris From ITDept at fractalweb.com Fri Mar 16 21:21:47 2007 
From: ITDept at fractalweb.com (Chris Yuzik) Date: Fri Mar 16 20:28:52 2007 Subject: OT: system ignores .forward file In-Reply-To: References: <45FACB06.6020409@fractalweb.com> <45FAE078.4050404@fractalweb.com> Message-ID: <45FAFC5B.5000702@fractalweb.com> Mike Kercher wrote: > Try to chmod 400 the .forward file and see if it works. Mike, The chmod to 400 made no difference. Chris From alex at nkpanama.com Fri Mar 16 21:43:03 2007 
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Fri Mar 16 20:51:10 2007 Subject: OT: Router In-Reply-To: <200703160003.l2G03Clb031822@safir.blacknight.ie> References: <200703160003.l2G03Clb031822@safir.blacknight.ie> Message-ID: <45FB0157.1040803@nkpanama.com> To all netiquette nazis, sorry for top posting... :-) Keyword here is ADSL. Lower the MTU across the board. I could bet everything starts to work, as if by magic. In every place you can set it, set it to somewhere between 1400 and 1460 bytes. For Windows you can use drtcp (dslreports.com/drtcp). The appliances can probably be set using their config pages. Paul Welsh wrote: > Sorry this is OT but I'm sure I'll get some sensible answers here. > > I've been playing with the Sophos SC1000 appliance that scans web pages for > nasties before end users get to see them. This web content scanning malarky > is going to be "a big thing" I'm sure. > > Anyhow, for my sins I'm running MS ISA Server 2004. Stuck the Sophos > appliance on its own DMZ and pointed its default gateway at the Internet via > an el cheapo Netgear router configured to do NAT which is connected in turn > to a high speed ADSL line via an el cheapo BT ADSL router operating in > non-NAT mode. > > All works fine except certain web sites, eg, Natwest online banking. The > https page where you enter your customer ID loads. You enter your ID and it > hangs before reaching the page where you enter random characters of your PIN > and password. Likewise, some web mail sites (non-secure) hang at certain > points. I think the web mail site is hanging when it tries to run a .pl > page. > > After a lot of head scratching it turned out to have nothing to do with the > appliance. A different PC connected to the router exhibited the same > problems. Gave the appliance a public IP and stuck it on the Internet and > it works fine. This configuration is, I understand, not officially > supported though. > > Time to buy a better router? Any recommendations? 
The router isn't > configured to do anything odd and I have rebooted it. > > I intend placing 2 servers running MailScanner on the same DMZ at a later > date. Is it sensible therefore to buy a decent router/firewall to protect > this segment? Smoothwall / monowall worth a go? > > From res at ausics.net Fri Mar 16 23:48:45 2007 
From: res at ausics.net (Res) Date: Fri Mar 16 22:55:37 2007 Subject: OT: system ignores .forward file In-Reply-To: <45FACB06.6020409@fractalweb.com> References: <45FACB06.6020409@fractalweb.com> Message-ID: On Fri, 16 Mar 2007, Chris Yuzik wrote: > Hi everyone, > > I can't seem to get the system to look at the .forward file in the user's > home dir. I've checked the permissions of the .forward file and it seems fine > too. > > # pwd > /home/domain1.com/homes/someguy > > # ls -lha > total 20K > drwxr-xr-x 4 someguy@domain1.com > domain1.com 4.0K Mar 16 09:23 . > drwxr-xr-x 4 domain1.com domain1.com 4.0K Feb 26 20:57 .. > -rw-r--r-- 1 someguy@domain1.com > domain1.com 21 Mar 16 09:23 .forward > > # cat .forward > someotherguy@domain2.com > > When a message comes in to someguy@domain1.com , > rather than the system reading the .forward file and forwarding it over to > someotherguy@domain2.com , the system just > puts it in the mailbox for someguy@domain1.com > as though the .forward file wasn't there. Do any other user forwards work? If not, check out whatever you are using to redirect (special procmail rules? or some vhost code?), Sendmail's local mailer can't read what it does not know about. Perms should always be 600 on .forward, unless you need to pipe to a program like vacation, in which case 611 may be needed on some systems. > The maillog isn't particularly helpful: Sendmail has looked up your user, seen it's valid and passed it off to mail.local or procmail, this area is where you need to look. You may in sendmail.mc add this to see if it shows anything more : define(`confLOG_LEVEL',`30')dnl I warn you, on busy systems your logs will grow huge fast. So don't define this for more than a few minutes on production boxes. -- Cheers Res Let Novell known what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Fri Mar 16 23:56:30 2007 
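The checks suggested in the .forward thread above (file mode, ownership, and whether a mail client added mailto: markup to the address) can be run in one pass. This is an added example, not part of any poster's message and not sendmail's own algorithm: `audit_forward` and its `trusted_root` parameter are hypothetical names, and the rules are a conservative approximation of what an MTA tolerates.

```python
import os
import stat
import sys


def _mode_findings(label, path, st, owner_uid):
    """Ownership and write-bit checks shared by the file and its directories."""
    out = []
    if st.st_uid not in (owner_uid, 0):
        out.append("%s %s is owned by uid %d, expected %d or root"
                   % (label, path, st.st_uid, owner_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append("%s %s is group- or world-writable (mode %04o)"
                   % (label, path, stat.S_IMODE(st.st_mode)))
    return out


def audit_forward(path, owner_uid, trusted_root="/"):
    """Return a list of findings for a .forward file; [] means nothing found.

    path         -- the .forward file to inspect
    owner_uid    -- numeric uid that local delivery runs as for this mailbox
    trusted_root -- assumption of this example: parent directories are
                    checked up to and including this one, then the walk stops
    """
    findings = []
    try:
        if os.path.islink(path):
            findings.append("file %s is a symbolic link" % path)
        st = os.stat(path)
    except OSError as exc:
        return findings + ["cannot stat %s: %s" % (path, exc.strerror)]
    if not stat.S_ISREG(st.st_mode):
        return findings + ["%s is not a regular file" % path]

    findings += _mode_findings("file", path, st, owner_uid)
    if not st.st_mode & stat.S_IRUSR:
        findings.append("file %s is not readable by its owner" % path)

    # Content: an empty file forwards nowhere, and an address pasted through
    # a mail client can pick up markup that is not a valid recipient.
    try:
        with open(path, errors="replace") as fh:
            entries = [line.strip() for line in fh if line.strip()]
    except OSError as exc:
        entries = None
        findings.append("cannot read %s: %s" % (path, exc.strerror))
    if entries is not None and not entries:
        findings.append("file %s contains no forwarding entries" % path)
    for entry in entries or []:
        if "mailto:" in entry.lower():
            findings.append("entry %r contains mailto: markup" % entry)

    # Directories: anyone who can write to a parent directory can replace
    # the file, so each one gets the same owner and write-bit checks.
    root = os.path.realpath(trusted_root)
    directory = os.path.dirname(os.path.realpath(path))
    while True:
        findings += _mode_findings("directory", directory,
                                   os.stat(directory), owner_uid)
        parent = os.path.dirname(directory)
        if directory == root or parent == directory:
            break
        directory = parent
    return findings


if __name__ == "__main__":
    # Usage: script.py /path/to/.forward uid [trusted_root]
    target, uid = sys.argv[1], int(sys.argv[2])
    top = sys.argv[3] if len(sys.argv) > 3 else "/"
    for item in audit_forward(target, uid, top):
        print(item)
```

On a virtual-domain layout like the one in the listing, pass the numeric uid behind the displayed account name, since that is what the file's owner is compared against.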
From: res at ausics.net (Res) Date: Fri Mar 16 23:03:21 2007 Subject: OT: Router In-Reply-To: <45FB0157.1040803@nkpanama.com> References: <200703160003.l2G03Clb031822@safir.blacknight.ie> <45FB0157.1040803@nkpanama.com> Message-ID: I should top post and not be sorry :) On Fri, 16 Mar 2007, Alex Neuman van der Hans wrote: > To all netiquette nazis, sorry for top posting... :-) > Keyword here is ADSL. > > Lower the MTU across the board. I could bet everything starts to work, as if > by magic. In every place you can set it, set it to somewhere between 1400 and > 1460 bytes. Keyword here is really MTU, you hit nail on the head though... If using PPPoE I'd agree, lots of our customers have problems and funnily enough even in this country, mostly all just with banks as well, lowering MTU to 1432 seemed to fix all, or just tell them to use PPPoA if they use a hardware router. -- Cheers Res Let Novell known what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From glenn.steen at gmail.com Sat Mar 17 11:37:10 2007 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Mar 17 10:43:59 2007
Subject: How to convert a queue file to eml ou mbox?
In-Reply-To: <008901c767ea$d7661c30$1803010a@10205>
References: <001101c76647$2b4a28a0$1803010a@10205> <223f97700703151135w799d41c8j92c53d33f5eead51@mail.gmail.com> <008901c767ea$d7661c30$1803010a@10205>
Message-ID: <223f97700703170337r6444803bn264dbcaaf37ccf94@mail.gmail.com>

On 16/03/07, Webmaster Boucinhas & Campos wrote:
>
> Thanks for your information but I would like to run a cron job like this
>
> ###############
> cd /var/spool/MailScanner/archive/
>
> for i in `ls -1`
> do
> convert_raw_to_eml ${i} > ${i}.eml
> convert_raw_to_mbox ${i} > ${i}.eml
> convert_raw_to_html ${i} > ${i}.eml
> done
> ###########
>
> In the directory there is one directory per day and one file per message
>
> 20070315/D34085010F.A7559
>
> It is easy to identify the message: the filename is the mail ID. In a single
> mbox file it is very hard to identify the mail
>

Yes I know this. Why you'd want to do it like that .... Oh well.
There is no generic tool for doing the conversion, you need to do that
yourself.
It would need to be tailored to your MTA, since the queue files you are
seeing are simply the raw queue files.
If this is Postfix, you would create your "convert_from_raw" script
around postcat...

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sat Mar 17 12:35:47 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Mar 17 11:42:35 2007
Subject: OT: Router
In-Reply-To:
References: <200703160003.l2G03Clb031822@safir.blacknight.ie> <45FB0157.1040803@nkpanama.com>
Message-ID: <223f97700703170435x43f28b7u5ba2976a2833f178@mail.gmail.com>

On 16/03/07, Res wrote:
> I should top post and not be sorry :)

Don't say you're top posting when you're not....:-D.

> On Fri, 16 Mar 2007, Alex Neuman van der Hans wrote:
>
> > To all netiquette nazis, sorry for top posting... :-)
>
> > Keyword here is ADSL.
> >
> > Lower the MTU across the board. I could bet everything starts to work, as if
> > by magic. In every place you can set it, set it to somewhere between 1400 and
> > 1460 bytes.
>
> Keyword here is really MTU, you hit the nail on the head though...
>
> If using PPPoE I'd agree, lots of our customers have problems and funnily
> enough even in this country, mostly all just with banks as well, lowering
> MTU to 1432 seemed to fix all, or just tell them to use PPPoA if they
> use a hardware router.

I thought it was spelled "unhandled fragmentation"... Simply that
_something_ gets very upset when your 1500 (or so) TUs get split to fit the
~1450 MTU of your PPPoE link. But fixing it by ensuring a smaller MTU on the
originating side would be very fine, yes.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From sleclerc at actionweb.fr Sat Mar 17 21:46:16 2007
From: sleclerc at actionweb.fr (Stephane)
Date: Sat Mar 17 20:57:02 2007
Subject: URL-encoded filenames in reports
References: <87fy929ffm.fsf@hp-factory.de> <45DF2469.4090507@yeticomputers.com>
Message-ID:

Rick Chadderdon yeticomputers.com> writes:

>
> Simon Walter wrote:
> > Hello
> >
> > Is there a way to get the filename of files which got stored in
> > quarantine as url-encoded string?
> >
> > Using $filename in reportfiles doesn't work for files with spaces or
> > special characters if the filename is used as part of an url.
> >
> > See: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=410647
> >
>
> I would probably handle this with PHP. The line in my corresponding
> report .txt file would be something like:
>
> http://my.mailscannerbox.com/download.php?id=$id&filename=$filename&datenumber=$datenumber&hostname=$hostname
>
> and I would use my script to handle directing people to the correct file.
>
> Unfortunately, I have too many users who would retrieve *any* file -
> virus, spam or other - to give them this kind of a tool.
>
> I just fiddled with it a little bit, and it seems as if this would work
> just fine. Now you made me want to test it...
>
> Rick
>

In fact, the problem is with $filename itself in MailScanner. If the variable
contains something like "WSComparison_#.DOC" or "WHform for summer 2008.doc",
there is no way to pass this in a URL.

On my side I have this kind of command:

http://quarantine.tld/download.php?hostname=godalnet&date=20070317&id=1HSb00-0002U3-7R&filename=WSComparison_#.DOC

We need a key or a simple urlencoded version of $filename. A $URLfilename
would be great. Or maybe another solution that I haven't discovered.

Stephane

From alvaro at hostalia.com Sun Mar 18 17:21:14 2007
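Added example, not part of any post in this thread and not MailScanner code: a Python sketch of why the unencoded link Stephane quotes loses the file name, and of what a percent-encoded variant (his proposed $URLfilename) would deliver to the download script. The helper names, the whitespace-based model of how a mail client cuts a link, and the server-side name check are assumptions made for the illustration.

```python
from urllib.parse import urlsplit, parse_qs, urlencode, quote

# Host, script and parameter values are the ones quoted in the post above.
BASE = "http://quarantine.tld/download.php"
FIXED = {"hostname": "godalnet", "date": "20070317", "id": "1HSb00-0002U3-7R"}


def naive_link(filename):
    """Link as a report template builds it when $filename is pasted in as-is."""
    head = "&".join(f"{k}={v}" for k, v in FIXED.items())
    return f"{BASE}?{head}&filename={filename}"


def encoded_link(filename):
    """Same link with every value percent-encoded (hypothetical $URLfilename)."""
    params = dict(FIXED, filename=filename)
    return BASE + "?" + urlencode(params, quote_via=quote)


def clickable_part(link):
    """Assumed model of a mail client: the link ends at the first whitespace."""
    return link.split()[0]


def filename_seen_by_server(url):
    """Value of the filename parameter that actually reaches the script."""
    # Everything after '#' is a fragment: the browser keeps it and never
    # sends it to the server, so it cannot appear in the query string.
    query = urlsplit(url).query
    return parse_qs(query).get("filename", [""])[0]


def safe_quarantine_name(name):
    """Server-side check: accept a bare file name only, never a path."""
    if not name or name in (".", ".."):
        return None
    if "/" in name or "\\" in name or "\x00" in name:
        return None
    return name


if __name__ == "__main__":
    for sample in ("WSComparison_#.DOC", "WHform for summer 2008.doc"):
        broken = filename_seen_by_server(clickable_part(naive_link(sample)))
        fixed = filename_seen_by_server(clickable_part(encoded_link(sample)))
        print(f"{sample!r}: unencoded -> {broken!r}, encoded -> {fixed!r}")
```

The name check matters once the link carries an attacker-influenced attachment name: the script should look the file up by message id inside the quarantine directory and treat the decoded name as a label, not as a path.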
From: alvaro at hostalia.com (Alvaro Marin)
Date: Sun Mar 18 16:28:12 2007
Subject: SPF and authenticated mail
Message-ID: <20070318172114.2077ccd8@basajaun>

Hello list!

I'm having problems with the SPF module of SpamAssassin that I use with
MailScanner.

I've a TXT record in a domain to set which IPs are allowed to send email
from that domain; the problem is that in the mail server for that domain
with MailScanner, if one SMTP authenticated user sends an email to another
user (external or internal), SA sees that the client's IP address isn't
declared in the TXT record so the SPF_FAIL test's score is added.

I can't add every client's IPs to the TXT record (dynamic IPs...), so I've
whitelisted the domain (From: *@domain yes) in the spam.whitelist.rules
file, but I think that it isn't a good solution...
Any idea?

Thanks!

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From r.berber at computer.org Sun Mar 18 22:02:37 2007
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Sun Mar 18 21:43:08 2007
Subject: SPF and authenticated mail
In-Reply-To: <20070318172114.2077ccd8@basajaun>
References: <20070318172114.2077ccd8@basajaun>
Message-ID:

Alvaro Marin wrote:

> I'm having problems with the SPF module of SpamAssassin that I use with
> MailScanner.
>
> I've a TXT record in a domain to set which IPs are allowed to send
> email from that domain; the problem is that in the mail server for that
> domain with MailScanner, if one SMTP authenticated user sends an email
> to another user (external or internal), SA sees that the client's IP
> address isn't declared in the TXT record so the SPF_FAIL test's score
> is added.
>
> I can't add every client's IPs to the TXT record (dynamic IPs...), so
> I've whitelisted the domain (From: *@domain yes) in the spam.whitelist.rules
> file, but I think that it isn't a good solution...
> Any idea?

You used the wrong fix, the right way is to set trusted_networks.
--
René Berber

From itdept at fractalweb.com Mon Mar 19 02:02:14 2007
From: itdept at fractalweb.com (Chris Yuzik) Date: Mon Mar 19 01:09:16 2007 Subject: SPF_Fail score too low? Message-ID: <45FDE116.4020205@fractalweb.com> Hi everyone, I was just going over some stats, and I see a rule called "SPF_FAIL" with the description, "SPF: sender does not match SPF record (fail)", which seems like a fairly major violation, yet the score assigned currently is only 1.14. So if I'm clear what this means, I believe this says that the domain administrator has specified the specific IPs that are allowed to send email from this domain, and furthermore anything that doesn't come from the allowed IPs should not be accepted or trusted. Right? This isn't a soft-fail, but a full fail. Seems to me this should be something that should be scored at 5.0 or higher. Or am I wrong? Chris From res at ausics.net Mon Mar 19 02:56:13 2007 
From: res at ausics.net (Res) Date: Mon Mar 19 02:03:15 2007 Subject: SPF_Fail score too low? In-Reply-To: <45FDE116.4020205@fractalweb.com> References: <45FDE116.4020205@fractalweb.com> Message-ID: On Sun, 18 Mar 2007, Chris Yuzik wrote: > So if I'm clear what this means, I believe this says that the domain > administrator has specified the specific IPs that are allowed to send email > from this domain, and furthermore anything that doesn't come from the allowed > IPs should not be accepted or trusted. Right? This isn't a soft-fail, but a > full fail. It depends on how the domain owner configures the SPF 'all' option. Some admins don't want servers to completely reject, but do want them to warn to recipient, using the ' ~all ' option, as against those of us that want everybody to reject them with the ' -all ' option. I know I don't want people sending mail as us, so I choose '-all' on all of my domains. The only true way to enforce this is disable it in S.A and to use it at the MTA level. -- Cheers Res Let Novell known what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Mon Mar 19 07:52:24 2007 From: res at ausics.net (Res) Date: Mon Mar 19 06:59:26 2007 Subject: OT: F-Prot Message-ID: OK so I thought since everyone else around here posts OT, so will I... Anyone else seeing problems with f-prot updates for at least the past 12 hours? -- Cheers Res Let Novell known what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From drew at technologytiger.net Mon Mar 19 09:21:29 2007 
From: drew at technologytiger.net (Drew Marshall) Date: Mon Mar 19 08:28:32 2007 Subject: OT: F-Prot In-Reply-To: References: Message-ID: On 19 Mar 2007, at 06:52, Res wrote: > OK so I thought since everyone else around here posts OT, so will I... > > Anyone else seeing problems with f-prot updates for at least the > past 12 hours? Yes. On my home box, updates.f-prot.com is not reachable or so the logs claim. Last attempt was at about 6.20am GMT. Just on another question, which licence do you buy from them? I have been running f-prot at home for ages on their FOC workstation licence (For home use) and I am now looking to roll it out for my main mxs. So I then go to the f-prot site to look for licensing, and none really fit. The machines are gateways so no mailboxes as required for the mail server version (So how many mailboxes would you buy for? This option could become expensive pretty quickly if you weren't careful) and the file server version says it's not for mail servers (But then MailScanner doesn't want the mail server version and doesn't really fall into the classic mail server category). Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner. Further information can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From alvaro at hostalia.com Mon Mar 19 09:43:57 2007 
From: alvaro at hostalia.com (=?ISO-8859-1?Q?Alvaro_Mar=EDn?=)
Date: Mon Mar 19 08:51:00 2007
Subject: SPF and authenticated mail
In-Reply-To:
References: <20070318172114.2077ccd8@basajaun>
Message-ID: <45FE4D4D.6060602@hostalia.com>

Hello,

> You used the wrong fix, the right way is to set trusted_networks.

As I said, the SMTP client's IPs are dynamic so I can't use
trusted_networks. I think that there isn't any good solution for this
(without using spf at MTA).

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From r.berber at computer.org Mon Mar 19 09:51:37 2007
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Mon Mar 19 08:58:40 2007
Subject: SPF and authenticated mail
In-Reply-To: <45FE4D4D.6060602@hostalia.com>
References: <20070318172114.2077ccd8@basajaun> <45FE4D4D.6060602@hostalia.com>
Message-ID:

Alvaro Marín wrote:

>> You used the wrong fix, the right way is to set trusted_networks.
>
> As I said, the SMTP client's IPs are dynamic so I can't use
> trusted_networks. I think that there isn't any good solution for this
> (without using spf at MTA).

Your server IP is the trusted_network.

That way, anything that is received by your server from a dynamic IP is not
tested for SPF, at least not if the client used authentication.
--
René Berber

From pedretti at eco.unibs.it Mon Mar 19 10:09:45 2007
From: pedretti at eco.unibs.it (Fabio Pedretti)
Date: Mon Mar 19 09:12:59 2007
Subject: OT: F-Prot
In-Reply-To:
References:
Message-ID: <20070319100945.uiylo75m8oc80kcw@luna.eco.unibs.it>

Hi, I recently upgraded some servers from f-prot 4.5.4 (with mail server
licence) to clamav 0.90.1 and I am very satisfied. I am also using
additional signatures from http://www.sanesecurity.com/clamav/ for
filtering phishing and scam mails as well. I suggest you try clamav before
buying a licence for a commercial AV.

Fabio

Quoting Drew Marshall:

> On 19 Mar 2007, at 06:52, Res wrote:
>
>> OK so I thought since everyone else around here posts OT, so will I...
>>
>> Anyone else seeing problems with f-prot updates for at least the
>> past 12 hours?
>
> Yes. On my home box, updates.f-prot.com is not reachable or so the logs
> claim. Last attempt was at about 6.20am GMT.
>
> Just on another question, which licence do you buy from them? I have
> been running f-prot at home for ages on their FOC workstation licence
> (For home use) and I am now looking to roll it out for my main mxs. So
> I then go to the f-prot site to look for licensing, and none really
> fit. The machines are gateways so no mailboxes as required for the mail
> server version (So how many mailboxes would you buy for? This option
> could become expensive pretty quickly if you weren't careful) and the
> file server version says it's not for mail servers (But then
> MailScanner doesn't want the mail server version and doesn't really
> fall into the classic mail server category).
>
> Drew
>
> --
> In line with our policy, this message has been scanned for viruses and
> dangerous content by the Technology Tiger MailScanner.
> Further information can be found at www.technologytiger.net/policy
>
> Technology Tiger Limited is registered in Scotland with registration
> number: 310997
> Registered Office 55-57 West High Street Inverurie AB51 3QQ

From alvaro at hostalia.com Mon Mar 19 10:12:10 2007
From: alvaro at hostalia.com (=?ISO-8859-1?Q?Alvaro_Mar=EDn?=)
Date: Mon Mar 19 09:19:15 2007
Subject: SPF and authenticated mail
In-Reply-To:
References: <20070318172114.2077ccd8@basajaun> <45FE4D4D.6060602@hostalia.com>
Message-ID: <45FE53EA.1010305@hostalia.com>

Hello again,

> Your server IP is the trusted_network.

Yes, my server's IP is defined in trusted_networks.

> That way, anything that is received by your server from a dynamic IP is not
> tested for SPF, at least not if the client used authentication.

AFAIK, SA can't differentiate between an SMTP authenticated user and one
that is not.
Postfix receives the message and it is saved on the "Hold" queue; then
MailScanner gets it and analyses the message with SA (that sees that the
client's IP is not in the TXT record of the domain, so it adds SPF_FAIL
score). Am I right?

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From drew at technologytiger.net Mon Mar 19 10:33:33 2007
From: drew at technologytiger.net (Drew Marshall) Date: Mon Mar 19 09:40:33 2007 Subject: OT: F-Prot In-Reply-To: <20070319100945.uiylo75m8oc80kcw@luna.eco.unibs.it> References: <20070319100945.uiylo75m8oc80kcw@luna.eco.unibs.it> Message-ID: <3A2FA8E6-BEE2-4905-9F68-283D47141F48@technologytiger.net> On 19 Mar 2007, at 09:09, Fabio Pedretti wrote: > Hi, I recently upgraded some servers from f-prot 4.5.4 (with mail > server licence) to clamav 0.90.1 and I am very satisfied. I am also > using additional signatures from http://www.sanesecurity.com/ > clamav/ for filtering also phishing and scam mails. I suggest you > to try clamav before buying a licence for a commercial AV. I run Clam and Bit Defender already but I want to put a commercial scanner into the mix too but thanks for your wise comments :-) Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner. Further information can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From Sylvain.Phaneuf at imsu.ox.ac.uk Mon Mar 19 10:34:25 2007 From: Sylvain.Phaneuf at imsu.ox.ac.uk (Sylvain Phaneuf) Date: Mon Mar 19 09:41:34 2007 Subject: OT: F-Prot In-Reply-To: References: Message-ID: <45FE5921.FEA8.00EB.0@imsu.ox.ac.uk> I saw the same problems. All cleared at about 8:30 AFICS. The updates are working well now. Sylvain >>> On 19/03/2007 at 06:52, Res wrote: > OK so I thought since everyone else around here posts OT, so will I... > > Anyone else seeing problems with f-prot updates for at least the past 12 > hours? > From glenn.steen at gmail.com Mon Mar 19 11:10:11 2007 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Mon Mar 19 10:17:06 2007
Subject: OT: F-Prot
In-Reply-To: <3A2FA8E6-BEE2-4905-9F68-283D47141F48@technologytiger.net>
References: <20070319100945.uiylo75m8oc80kcw@luna.eco.unibs.it> <3A2FA8E6-BEE2-4905-9F68-283D47141F48@technologytiger.net>
Message-ID: <223f97700703190310y7615173ev7c5a634758afdc80@mail.gmail.com>

On 19/03/07, Drew Marshall wrote:
> On 19 Mar 2007, at 09:09, Fabio Pedretti wrote:
>
> > Hi, I recently upgraded some servers from f-prot 4.5.4 (with mail
> > server licence) to clamav 0.90.1 and I am very satisfied. I am also
> > using additional signatures from http://www.sanesecurity.com/
> > clamav/ for filtering also phishing and scam mails. I suggest you
> > to try clamav before buying a licence for a commercial AV.
>
> I run Clam and Bit Defender already but I want to put a commercial
> scanner into the mix too but thanks for your wise comments :-)
>
> Drew

Wise in what way? Advocating single AV?
"Don't go there, there be Dragons...":-).

We had a "drive-by-download" incident rather recently where the much
lauded ClamAV happened to be the _least_ effective of the trio
BitDefender, McAfee(!) and ClamAV ... After less than 24 hours BDC
caught all viruses on the box, McAfee three (of seven), ClamAV none
... eight days after the incident (despite reporting all) it still
only caught three while McAfee had moved up to five and BDC still got
them all (just some by specific signatures that initially were
"BehavesLike:" things). At the initial "outbreak" the AV on the box
(McAfee) thought one file might be suspicious, and that (together with
very restrictive FW rules) alerted us to the situation.

It is _always_ better to have more than one engine/set of
signatures/methods running at your perimeter...
But you knew this already, just preaching to the choir:-)

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From r.berber at computer.org Mon Mar 19 11:57:12 2007
From: r.berber at computer.org (=?ISO-8859-1?Q?Ren=E9_Berber?=)
Date: Mon Mar 19 11:04:51 2007
Subject: SPF and authenticated mail
In-Reply-To: <45FE53EA.1010305@hostalia.com>
References: <20070318172114.2077ccd8@basajaun> <45FE4D4D.6060602@hostalia.com> <45FE53EA.1010305@hostalia.com>
Message-ID:

Alvaro Marín wrote:

> AFAIK, SA can't differentiate between an SMTP authenticated user and one
> that is not.

Yes, it can.

> Postfix receives the message and it is saved on the "Hold" queue; then
> MailScanner gets it and analyses the message with SA (that sees that the
> client's IP is not in the TXT record of the domain, so it adds SPF_FAIL
> score). Am I right?

Maybe, SA 3.1.6 used to have a bug, but that only affected sendmail, which is
what I use; the bug was corrected in 3.1.8. I'm not sure if it really works
with postfix.
--
René Berber

From alvaro at hostalia.com Mon Mar 19 12:10:06 2007
From: alvaro at hostalia.com (=?ISO-8859-1?Q?Alvaro_Mar=EDn?=)
Date: Mon Mar 19 11:17:21 2007
Subject: SPF and authenticated mail
In-Reply-To:
References: <20070318172114.2077ccd8@basajaun> <45FE4D4D.6060602@hostalia.com> <45FE53EA.1010305@hostalia.com>
Message-ID: <45FE6F8E.6040707@hostalia.com>

Hello,

>> AFAIK, SA can't differentiate between an SMTP authenticated user and one
>> that is not.
>
> Yes, it can.

I don't know how...until version 2.3, Postfix can't add any header about
this.

> Maybe, SA 3.1.6 used to have a bug, but that only affected sendmail, which is
> what I use; the bug was corrected in 3.1.8. I'm not sure if it really works
> with postfix.

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5235 :-/

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From gerard at seibercom.net Mon Mar 19 12:33:35 2007
From: gerard at seibercom.net (Gerard Seibert)
Date: Mon Mar 19 11:40:35 2007
Subject: SPF and authenticated mail
In-Reply-To: <45FE6F8E.6040707@hostalia.com>
References: <20070318172114.2077ccd8@basajaun> <45FE4D4D.6060602@hostalia.com> <45FE53EA.1010305@hostalia.com> <45FE6F8E.6040707@hostalia.com>
Message-ID: <20070319073335.5af9f0c9@localhost>

On Mon, 19 Mar 2007 12:10:06 +0100 Alvaro Marín wrote:

> >> AFAIK, SA can't difference beteween SMTP authenticated user and
> >> not one.
> >
> > Yes, it can.
>
> I don't know how...until version 2.3, Postfix can't add any header
> about this.

Versions <2.3 are obsolete. Version 2.4 is due on or about 4/1/07 so it
doesn't make any sense to use an outdated version, especially if it
does not meet your requirements.

--
Gerard

The inherent vice of capitalism is the unequal sharing of blessings;
the inherent virtue of socialism is the equal sharing of misery.

Churchill

From alvaro at hostalia.com Mon Mar 19 12:52:42 2007
From: alvaro at hostalia.com (=?ISO-8859-1?Q?Alvaro_Mar=EDn?=)
Date: Mon Mar 19 11:59:46 2007
Subject: SPF and authenticated mail
In-Reply-To: <20070319073335.5af9f0c9@localhost>
References: <20070318172114.2077ccd8@basajaun> <45FE4D4D.6060602@hostalia.com> <45FE53EA.1010305@hostalia.com> <45FE6F8E.6040707@hostalia.com> <20070319073335.5af9f0c9@localhost>
Message-ID: <45FE798A.7080008@hostalia.com>

Hello,

>>>> AFAIK, SA can't difference beteween SMTP authenticated user and
>>>> not one.
>>> Yes, it can.
>> I don't know how...until version 2.3, Postfix can't add any header
>> about this.
>
> Versions <2.3 are obsolete. Version 2.4 is due on or about 4/1/07 so it
> doesn't make any sense to use an outdated version, especially if it
> does not meet your requirements.

Until now, Postfix 2.1 (Debian's stable version) has been all that I needed.
Now, there is a problem and I'm trying to resolve it :)

I read in:

http://wiki.apache.org/spamassassin/DynablockIssues

  Postfix 2.3 includes support for adding its own style of authentication
  info to its received headers by setting
  smtpd_sasl_authenticated_header = yes, which is disabled by default, in
  your Postfix config. SpamAssassin 3.1.4 and later includes support for
  this Postfix auth info.

So I'll upgrade to Postfix 2.3 and try.

Thanks for your time & help.

Regards,

--
Alvaro Marín Illera
Hostalia Internet
www.hostalia.com

From drew at technologytiger.net Mon Mar 19 13:01:25 2007
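Added example, not code from any poster, SpamAssassin or Postfix: a Python sketch of the two decisions this thread turns on, namely how the `-all` / `~all` qualifier Res describes changes the SPF result, and how a filter can skip SPF for a client that authenticated once Postfix writes "(Authenticated sender: ...)" into its Received header. The SPF records, addresses, host names and messages are constructed samples; only the ip4, ip6 and all mechanisms are evaluated, and the Received layout assumed is the Postfix one.

```python
import email
import ipaddress
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed samples (documentation address ranges, not from the thread).
SPF_HARD = "v=spf1 ip4:192.0.2.0/24 -all"   # owner asks receivers to reject
SPF_SOFT = "v=spf1 ip4:192.0.2.0/24 ~all"   # owner asks receivers to flag only
TRUSTED = ("127.0.0.0/8", "192.0.2.25/32")  # loopback plus the server's own IP

AUTH_MSG = (
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 0A1B2C3D\n"
    "\tfor <user@example.net>; Mon, 19 Mar 2007 12:00:05 +0100\n"
    "Received: from laptop (unknown [203.0.113.77])\n"
    "\t(Authenticated sender: someuser)\n"
    "\tby mail.example.org (Postfix) with ESMTP id 4F1A2B3C\n"
    "\tfor <user@example.net>; Mon, 19 Mar 2007 12:00:00 +0100\n"
    "From: someuser@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)
# Same message as received when the client did not authenticate.
PLAIN_MSG = AUTH_MSG.replace("\t(Authenticated sender: someuser)\n", "")

# "from HELO (rdns [ip])" followed by optional comments, up to "by".
HOP_RE = re.compile(
    r"from\s+\S+\s+\((?:\S+\s+)?\[(?P<ip>[0-9A-Fa-f:.]+)\]\)(?P<rest>.*?)\bby\s",
    re.S,
)


def spf_result(record, client_ip):
    """Evaluate the ip4/ip6/all terms of an SPF record for client_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include, ... need DNS lookups and are skipped here.
    return "neutral"


def boundary_hop(raw_message, trusted_networks):
    """Return (client_ip, authenticated) for the first hop from outside."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    headers = email.message_from_string(raw_message).get_all("Received", [])
    for header in headers:               # newest hop first
        match = HOP_RE.search(header)
        if not match:
            continue
        ip = ipaddress.ip_address(match.group("ip"))
        if any(ip.version == n.version and ip in n for n in nets):
            continue                     # written for one of our own relays
        # Look for the marker only in the part our server wrote after the
        # client address, never in the client-supplied HELO name.
        return str(ip), "(Authenticated sender:" in match.group("rest")
    return None, False


def spf_verdict(raw_message, spf_record, trusted_networks):
    """SPF outcome a filter would score, or the reason it is skipped."""
    ip, authenticated = boundary_hop(raw_message, trusted_networks)
    if ip is None:
        return "skipped: no external hop"
    if authenticated:
        return "skipped: authenticated submission"
    return spf_result(spf_record, ip)


if __name__ == "__main__":
    for label, msg in (("authenticated", AUTH_MSG), ("plain", PLAIN_MSG)):
        for record in (SPF_HARD, SPF_SOFT):
            print(label, "|", record, "->", spf_verdict(msg, record, TRUSTED))
```

Without the authentication marker the same dynamic address falls through to the record's final `all` term, which is the SPF_FAIL hit described at the start of the thread.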
From: drew at technologytiger.net (Drew Marshall) Date: Mon Mar 19 12:08:36 2007 Subject: OT: F-Prot In-Reply-To: <223f97700703190310y7615173ev7c5a634758afdc80@mail.gmail.com> References: <20070319100945.uiylo75m8oc80kcw@luna.eco.unibs.it> <3A2FA8E6-BEE2-4905-9F68-283D47141F48@technologytiger.net> <223f97700703190310y7615173ev7c5a634758afdc80@mail.gmail.com> Message-ID: <36992.194.70.180.170.1174305685.squirrel@www.technologytiger.net> On Mon, March 19, 2007 10:10, Glenn Steen wrote: > On 19/03/07, Drew Marshall wrote: >> On 19 Mar 2007, at 09:09, Fabio Pedretti wrote: >> >> > Hi, I recently upgraded some servers from f-prot 4.5.4 (with mail >> > server licence) to clamav 0.90.1 and I am very satisfied. I am also >> > using additional signatures from http://www.sanesecurity.com/ >> > clamav/ for filtering also phishing and scam mails. I suggest you >> > to try clamav before buying a licence for a commercial AV. >> >> I run Clam and Bit Defender already but I want to put a commercial >> scanner into the mix too but thanks for your wise comments :-) >> >> Drew > > Wise in what way? Advocating single AV? No, the use of ClamAV. Which is usually pretty good and being Open Source, great value for money. > "Don't go there, there be Dragons...":-). Indeed! > We had a "drive-by-download" incident rather recently where the much > lauded ClamAV happened to be the _least_ effective of the trio > BitDefender, McAfee(!) and ClamAV ... After less than 24 hours BDC > caugth all viruses on the box, McAfee three (of seven), ClamAV none > ... eigth days after the incident (despite reporting all) it still > only caught three wile McAfee had moved up to five and BDC still got > them all (just some by specific signatures that initially were > "BehavesLike:" things). At the initial "outbreak" the AV on the box > (McAfee) thought one file might be suspicious, and that (together with > very restrictive FW rules) alerted us to the situation. 
> > It is _always_ better to have more than one engine/set of > signatures/methods running at your perimeter... Yes, and another breed at the desktop. > But you knew this already, just preaching to the choir:-) It's always worth reminding the choir. From time to time they too will wander from the path but are usually the easiest brought back on track ;-) Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner. Further information can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From arturs at netvision.net.il Mon Mar 19 13:20:07 2007 From: arturs at netvision.net.il (Arthur Sherman) Date: Mon Mar 19 12:28:44 2007 Subject: F-Prot In-Reply-To: Message-ID: <00c901c76a20$eeb4ea00$3701a8c0@lapxp> > Anyone else seeing problems with f-prot updates for at least > the past 12 > hours? I did. At least, several days already. Eventually I get updates, but I had to run check-updates manually several times a day for it. Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ From am.lists at gmail.com Mon Mar 19 14:02:43 2007 
From: am.lists at gmail.com (am.lists)
Date: Mon Mar 19 13:09:41 2007
Subject: Phishing Filter Question
Message-ID: <25a66d840703190602t290948ele93090cdf846a438@mail.gmail.com>

I'm currently fighting some usability issues surrounding the phishing
filter.

The perfect example to share is Google Alert emails. Every link is
flagged due to the way that the email is crafted. (sample screenshot:
http://tinyurl.com/27yx68 )

In reading the phishing filter file, I understand how it works, but
the way Google Alerts works, in particular, and combined with phishing
sites being updated daily, this seems to be quite a problem. How can I
be more forgiving without losing the functionality? If I turn off
highlighting, how can users still know that there is suspicious (but
maybe harmless) content?

I don't want to lose the functionality and security that this
provides, but I don't want to alienate my users by continually
alerting them to things that are actually harmless.

My settings are:

Find Phishing Fraud = yes
Also Find Numeric Phishing = yes
Use Stricter Phishing Net = yes
Highlight Phishing Fraud = yes
Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf

This is MailScanner 4.58.9

Best,

Angelo

From webmaster at boucinhas.com.br Mon Mar 19 14:39:39 2007
From: webmaster at boucinhas.com.br (Webmaster Boucinhas & Campos)
Date: Mon Mar 19 13:46:47 2007
Subject: How to convert a queue file to eml ou mbox?
References: <001101c76647$2b4a28a0$1803010a@10205><223f97700703151135w799d41c8j92c53d33f5eead51@mail.gmail.com><008901c767ea$d7661c30$1803010a@10205> <223f97700703170337r6444803bn264dbcaaf37ccf94@mail.gmail.com>
Message-ID: <00c101c76a2c$0add9eb0$1803010a@10205>

Thank you very much, I am using postfix in my MTA.

To generate the MBOX file I wrote the shell script below

postcat -v QUEUE_FILE 2>/dev/null | grep "regular_text:" | grep "regular_text: " | sed "s/regular_text: //g" > MAIL.mbox

Regards,
Rodrigo

----- Original Message -----
From: "Glenn Steen"
To: "MailScanner discussion"
Sent: Saturday, March 17, 2007 7:37 AM
Subject: Re: How to convert a queue file to eml ou mbox?

> On 16/03/07, Webmaster Boucinhas & Campos wrote:
>>
>> Thanks for your information but I would like to run a cron job like this
>>
>> ###############
>> cd /var/spool/MailScanner/archive/
>>
>> for i in `ls -1`
>> do
>> convert_raw_to_eml ${i} > ${i}.eml
>> convert_raw_to_mbox ${i} > ${i}.eml
>> convert_raw_to_html ${i} > ${i}.eml
>> done
>> ###########
>>
>> In the directory there is one directory per day and one file per message
>>
>> 20070315/D34085010F.A7559
>>
>> It is easy to identify the message: the filename is the mail ID. In a single
>> mbox file it is very hard to identify the mail
>>
> Yes I know this. Why you'd want to do it like that .... Oh well.
> There is no generic tool for doing the conversion, you need to do that
> yourself.
> It would need to be tailored to your MTA, since the queue files you are
> seeing are simply the raw queue files.
> If this is Postfix, you would create your "convert_from_raw" script
> around postcat...
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

From Denis.Beauchemin at USherbrooke.ca Mon Mar 19 14:46:29 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Mar 19 13:54:23 2007
Subject: Phishing Filter Question
In-Reply-To: <25a66d840703190602t290948ele93090cdf846a438@mail.gmail.com>
References: <25a66d840703190602t290948ele93090cdf846a438@mail.gmail.com>
Message-ID: <45FE9435.5010703@USherbrooke.ca>

am.lists wrote:
> I'm currently fighting some usability issues surrounding the phishing
> filter.
>
> The perfect example to share is Google Alert emails. Every link is
> flagged due to the way that the email is crafted. (sample screenshot:
> http://tinyurl.com/27yx68 )
>
> In reading the phishing filter file, I understand how it works, but
> the way Google Alerts works, in particular, and combined with phishing
> sites being updated daily, this seems to be quite a problem. How can I
> be more forgiving without losing the functionality? If I turn off
> highlighting, how can users still know that there is suspicious (but
> maybe harmless) content?
>
> I don't want to lose the functionality and security that this
> provides, but I don't want to alienate my users by continually
> alerting them to things that are actually harmless.
>
> My settings are:
>
> Find Phishing Fraud = yes
> Also Find Numeric Phishing = yes
> Use Stricter Phishing Net = yes
> Highlight Phishing Fraud = yes
> Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
>
> This is MailScanner 4.58.9
>
>
> Best,
>
> Angelo

Angelo,

Why don't you use a ruleset for "Find Phishing Fraud" with the value
"false" for "googlealerts-noreply@google.com" (assuming this is the
envelope sender) and true as default?

Denis

--
   _
  °v°   Denis Beauchemin, analyst
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045

From am.lists at gmail.com Mon Mar 19 15:24:38 2007
From: am.lists at gmail.com (am.lists)
Date: Mon Mar 19 14:31:36 2007
Subject: Phishing Filter Question
In-Reply-To: <45FE9435.5010703@USherbrooke.ca>
References: <25a66d840703190602t290948ele93090cdf846a438@mail.gmail.com> <45FE9435.5010703@USherbrooke.ca>
Message-ID: <25a66d840703190724o7ae28fb0v88cd38aaf15946a7@mail.gmail.com>

On 3/19/07, Denis Beauchemin wrote:
> am.lists wrote:
> > I'm currently fighting some usability issues surrounding the phishing
> > filter.
> >
> > The perfect example to share is Google Alert emails. Every link is
> > flagged due to the way that the email is crafted. (sample screenshot:
> > http://tinyurl.com/27yx68 )
> >
> > In reading the phishing filter file, I understand how it works, but
> > the way Google Alerts works, in particular, and combined with phishing
> > sites being updated daily, this seems to be quite a problem. How can I
> > be more forgiving without losing the functionality? If I turn off
> > highlighting, how can users still know that there is suspicious (but
> > maybe harmless) content?
> >
> > I don't want to lose the functionality and security that this
> > provides, but I don't want to alienate my users by continually
> > alerting them to things that are actually harmless.
> >
> > My settings are:
> >
> > Find Phishing Fraud = yes
> > Also Find Numeric Phishing = yes
> > Use Stricter Phishing Net = yes
> > Highlight Phishing Fraud = yes
> > Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
> >
> > This is MailScanner 4.58.9
> >
> >
> > Best,
> >
> > Angelo
> Angelo,
>
> Why don't you use a ruleset for "Find Phishing Fraud" with the value
> "false" for "googlealerts-noreply@google.com" (assuming this is the
> envelope sender) and true as default?
>
> Denis
>

Will that actually work? My understanding, after reading the comments
in the config files, is that if you have a message like so:

from: bob@nowhere.org

come see [a href=redir.nowhere.org/someplace]nowhere.org at your
earliest convenience[/a]

That would flag as redir.nowhere.org claiming to be nowhere.org at
your earliest convenience.

And what goes in the whitelist file is "redir.nowhere.org"

But you're saying to add bob@nowhere.org?

I can't find in the docs where that's supported as a fix.

Angelo

From Denis.Beauchemin at USherbrooke.ca Mon Mar 19 15:46:40 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Mar 19 14:53:48 2007
Subject: Phishing Filter Question
In-Reply-To: <25a66d840703190724o7ae28fb0v88cd38aaf15946a7@mail.gmail.com>
References: <25a66d840703190602t290948ele93090cdf846a438@mail.gmail.com> <45FE9435.5010703@USherbrooke.ca> <25a66d840703190724o7ae28fb0v88cd38aaf15946a7@mail.gmail.com>
Message-ID: <45FEA250.3070702@USherbrooke.ca>

am.lists wrote:
> On 3/19/07, Denis Beauchemin wrote:
>> am.lists wrote:
>> > I'm currently fighting some usability issues surrounding the phishing
>> > filter.
>> >
>> > The perfect example to share is Google Alert emails. Every link is
>> > flagged due to the way that the email is crafted. (sample screenshot:
>> > http://tinyurl.com/27yx68 )
>> >
>> > In reading the phishing filter file, I understand how it works, but
>> > the way Google Alerts works, in particular, and combined with phishing
>> > sites being updated daily, this seems to be quite a problem. How can I
>> > be more forgiving without losing the functionality? If I turn off
>> > highlighting, how can users still know that there is suspicious (but
>> > maybe harmless) content?
>> >
>> > I don't want to lose the functionality and security that this
>> > provides, but I don't want to alienate my users by continually
>> > alerting them to things that are actually harmless.
>> >
>> > My settings are:
>> >
>> > Find Phishing Fraud = yes
>> > Also Find Numeric Phishing = yes
>> > Use Stricter Phishing Net = yes
>> > Highlight Phishing Fraud = yes
>> > Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
>> >
>> > This is MailScanner 4.58.9
>> >
>> >
>> > Best,
>> >
>> > Angelo
>> Angelo,
>>
>> Why don't you use a ruleset for "Find Phishing Fraud" with the value
>> "false" for "googlealerts-noreply@google.com" (assuming this is the
>> envelope sender) and true as default?
>>
>> Denis
>>
>
> Will that actually work? My understanding, after reading the comments
> in the config files, is that if you have a message like so:
>
> from: bob@nowhere.org
>
> come see [a href=redir.nowhere.org/someplace]nowhere.org at your
> earliest convenience[/a]
>
> That would flag as redir.nowhere.org claiming to be nowhere.org at
> your earliest convenience.
>
> And what goes in the whitelist file is "redir.nowhere.org"
>
> But you're saying to add bob@nowhere.org?
>
> I can't find in the docs where that's supported as a fix.
>
> Angelo

Angelo,

I am not suggesting using the phishing whitelist but rather not using
the phishing net at all for some senders. I haven't tried it but I'm
pretty sure you can do something like this:

Find Phishing Fraud = %rules-dir%/phishing.rules

where phishing.rules contains:

From: googlealerts-noreply@google.com no
FromOrTo: default yes

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From am.lists at gmail.com Mon Mar 19 16:41:05 2007
From: am.lists at gmail.com (am.lists)
Date: Mon Mar 19 15:48:03 2007
Subject: Phishing Filter Question
In-Reply-To: <45FEA250.3070702@USherbrooke.ca>
References: <25a66d840703190602t290948ele93090cdf846a438@mail.gmail.com> <45FE9435.5010703@USherbrooke.ca> <25a66d840703190724o7ae28fb0v88cd38aaf15946a7@mail.gmail.com> <45FEA250.3070702@USherbrooke.ca>
Message-ID: <25a66d840703190841w21448b92t647ad4c0f5af6ec1@mail.gmail.com>

On 3/19/07, Denis Beauchemin wrote:
> am.lists wrote:
> > On 3/19/07, Denis Beauchemin wrote:
> >> am.lists wrote:
> >> > I'm currently fighting some usability issues surrounding the phishing
> >> > filter.
> >> >
> >> > The perfect example to share is Google Alert emails. Every link is
> >> > flagged due to the way that the email is crafted. (sample screenshot:
> >> > http://tinyurl.com/27yx68 )
> >> >
> >> > In reading the phishing filter file, I understand how it works, but
> >> > the way Google Alerts works, in particular, and combined with phishing
> >> > sites being updated daily, this seems to be quite a problem. How can I
> >> > be more forgiving without losing the functionality? If I turn off
> >> > highlighting, how can users still know that there is suspicious (but
> >> > maybe harmless) content?
> >> >
> >> > I don't want to lose the functionality and security that this
> >> > provides, but I don't want to alienate my users by continually
> >> > alerting them to things that are actually harmless.
> >> >
> >> > My settings are:
> >> >
> >> > Find Phishing Fraud = yes
> >> > Also Find Numeric Phishing = yes
> >> > Use Stricter Phishing Net = yes
> >> > Highlight Phishing Fraud = yes
> >> > Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
> >> >
> >> > This is MailScanner 4.58.9
> >> >
> >> >
> >> > Best,
> >> >
> >> > Angelo
> >> Angelo,
> >>
> >> Why don't you use a ruleset for "Find Phishing Fraud" with the value
> >> "false" for "googlealerts-noreply@google.com" (assuming this is the
> >> envelope sender) and true as default?
> >>
> >> Denis
> >>
> >
> > Will that actually work? My understanding, after reading the comments
> > in the config files, is that if you have a message like so:
> >
> > from: bob@nowhere.org
> >
> > come see [a href=redir.nowhere.org/someplace]nowhere.org at your
> > earliest convenience[/a]
> >
> > That would flag as redir.nowhere.org claiming to be nowhere.org at
> > your earliest convenience.
> >
> > And what goes in the whitelist file is "redir.nowhere.org"
> >
> > But you're saying to add bob@nowhere.org?
> >
> > I can't find in the docs where that's supported as a fix.
> >
> > Angelo
> Angelo,
>
> I am not suggesting using the phishing whitelist but rather not using
> the phishing net at all for some senders. I haven't tried it but I'm
> pretty sure you can do something like this:
> Find Phishing Fraud = %rules-dir%/phishing.rules
>
> where phishing.rules contains:
> From: googlealerts-noreply@google.com no
> FromOrTo: default yes
>
> Denis

Ahhhh.. I see.

Well... I'm not sure I want to manage that, as I can see how this could
go nuts keeping up with those entries.

I've turned off the highlighting for now.

Thanks again,

Angelo

From Mike.Young at atosorigin.com Mon Mar 19 17:23:20 2007
From: Mike.Young at atosorigin.com (Young, Mike)
Date: Mon Mar 19 16:30:17 2007
Subject: Mailscanner not starting - PERL error!
Message-ID:

Hello,

I've had Mailscanner working happily with postfix for over a year now, but
something odd has happened. When I try to start mailscanner, I get the
following error:

bash-2.03# /etc/init.d/mailscanner start
Starting MailScanner...
Bad arg length for Socket::pack_sockaddr_in, length is 0, should be 4 at
/usr/local/lib/perl5/5.8.5/sun4-solaris/Socket.pm line 373.

It looks like it's bombing off in check_mailscanner somewhere.

Support for the server was recently moved to another group, so I don't
know what (if anything) was changed.

Has anyone seen this problem, and could I get a hint to start
troubleshooting it?

Thanks,
Mike.

From brent.bolin at gmail.com Mon Mar 19 18:45:26 2007
From: brent.bolin at gmail.com (BB)
Date: Mon Mar 19 17:52:24 2007
Subject: Is it possible to quarantine all mail messages while delivering none spam ?
Message-ID: <787dcac20703191045ib531ba3p3153066d182e87ba@mail.gmail.com>

I have a setup with a company that archives all mail. Currently using
webmin to read all users' mail from archives. Split into daily
archives (cron scripts).

While perl (webmin) is wonderful it is resource intensive.

Is there a way to do this via mailwatch? SQL reference message ID.

Please... don't want to hear about the politically correct blah.
Most companies in the business of making money do this to protect
themselves from IP theft.

From gmane at tippingmar.com Mon Mar 19 19:22:47 2007
From: gmane at tippingmar.com (Mark Nienberg)
Date: Mon Mar 19 18:30:29 2007
Subject: SPF_Fail score too low?
In-Reply-To: <45FDE116.4020205@fractalweb.com>
References: <45FDE116.4020205@fractalweb.com>
Message-ID:

Chris Yuzik wrote:
> Hi everyone,
>
> I was just going over some stats, and I see a rule called "SPF_FAIL"
> with the description, "SPF: sender does not match SPF record (fail)",
> which seems like a fairly major violation, yet the score assigned
> currently is only 1.14.
>
> So if I'm clear what this means, I believe this says that the domain
> administrator has specified the specific IPs that are allowed to send
> email from this domain, and furthermore anything that doesn't come from
> the allowed IPs should not be accepted or trusted. Right? This isn't a
> soft-fail, but a full fail.
>
> Seems to me this should be something that should be scored at 5.0 or
> higher. Or am I wrong?

I agree. In my /etc/MailScanner/spam.assassin.prefs.conf I put

# standard SPF scores don't make much sense
# only the last column matters to us
score SPF_FAIL 0 0 0 3.50
score SPF_SOFTFAIL 0 0 0 1.50
score SPF_HELO_FAIL 0 0 0 1.00
score SPF_HELO_SOFTFAIL 0 0 0 0.50

Mark Nienberg

From jfagan at firstlightnetworks.com Mon Mar 19 20:07:32 2007
From: jfagan at firstlightnetworks.com (James Fagan)
Date: Mon Mar 19 19:13:14 2007
Subject: Mailscanner not starting - PERL error!
In-Reply-To:
References:
Message-ID: <59E4A3A1069C2640959AD0F7518C48122F0907@FLN1.fln.local>

>
> Hello,
>
> I've had Mailscanner working happily with postfix for over a year now, but
> something odd has happened. When I try to start mailscanner, I get the
> following error:
>
> bash-2.03# /etc/init.d/mailscanner start
> Starting MailScanner...
> Bad arg length for Socket::pack_sockaddr_in, length is 0, should be 4 at
> /usr/local/lib/perl5/5.8.5/sun4-solaris/Socket.pm line 373.
>
> It looks like it's bombing off in check_mailscanner somewhere.
>
> Support for the server was recently moved to another group, so I don't
> know what (if anything) was changed.
>
> Has anyone seen this problem, and could I get a hint to start
> troubleshooting it?
>
> Thanks,
> Mike.

Not a Perl man myself, but from googling a bit it seems that your Perl
install may be shot. From what I could tell Socket.pm is generally built in
to the install. Maybe you can reinstall Perl? I'm not familiar with
solaris, so be careful.

I'm sure someone else has an idea?

James

From Mike.Young at atosorigin.com Mon Mar 19 21:32:03 2007
From: Mike.Young at atosorigin.com (Young, Mike)
Date: Mon Mar 19 20:39:03 2007
Subject: Mailscanner not starting - PERL error!
In-Reply-To:
Message-ID:

Everyone,

Nevermind. The nsswitch.conf file had been badly modified. The operator
has been duly flogged.

Cheers,
Mike.

-----Original Message-----
From: Young, Mike
Sent: Monday, March 19, 2007 11:23 AM
To: mailscanner@lists.mailscanner.info
Subject: Mailscanner not starting - PERL error!

Hello,

I've had Mailscanner working happily with postfix for over a year now, but
something odd has happened. When I try to start mailscanner, I get the
following error:

bash-2.03# /etc/init.d/mailscanner start
Starting MailScanner...
Bad arg length for Socket::pack_sockaddr_in, length is 0, should be 4 at
/usr/local/lib/perl5/5.8.5/sun4-solaris/Socket.pm line 373.

It looks like it's bombing off in check_mailscanner somewhere.

Support for the server was recently moved to another group, so I don't
know what (if anything) was changed.

Has anyone seen this problem, and could I get a hint to start
troubleshooting it?

Thanks,
Mike.

From taz at taz-mania.com Mon Mar 19 22:14:31 2007
From: taz at taz-mania.com (Dennis Willson)
Date: Mon Mar 19 21:21:28 2007
Subject: SPF and authenticated mail
In-Reply-To: <45FE53EA.1010305@hostalia.com>
Message-ID:

The way I solve this is to use a separate mail hub for incoming mail
(where the MX points) and the users authenticate against a different
server which does not do SPF because ONLY authenticated users are allowed
to talk to it.

On Mon, 19 Mar 2007 10:12:10 +0100 Alvaro Marín wrote:
>Hello again,
>
>> Your server IP is the trusted_network.
>
>Yes, my server's IP is defined in trusted_networks.
>
>> That way, anything that is received by your server from a dynamic IP
>> is not tested for SPF, at least not if the client used authentication.
>
>AFAIK, SA can't differentiate between an SMTP authenticated user and
>not one.
>Postfix receives the message and it is saved on the "Hold" queue; then
>MailScanner gets it and analyses the message with SA (that sees that
>the client's IP is not in the TXT record of the domain, so it adds
>SPF_FAIL score). Am I right?
>
>Regards,
>
>--
>Alvaro Marín Illera
>Hostalia Internet
>www.hostalia.com
>
>--
>MailScanner mailing list
>mailscanner@lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!

--------------------------------------------------
Dennis Willson
taz@taz-mania.com
http://www.taz-mania.com
Ham (Extra Class): KA6LSW
GMRS : WQGF680
Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender

Life should not be a journey to the grave with the intention of arriving
safely in a nice looking and well preserved body, but rather to skid in
broadside, thoroughly used up, totally worn out, and loudly proclaiming,
"WOW! WHAT A RIDE!"

From mikael at syska.dk Mon Mar 19 22:40:25 2007
From: mikael at syska.dk (Mikael Syska)
Date: Mon Mar 19 21:47:44 2007
Subject: Is it possible to quarantine all mail messages while delivering none spam ?
In-Reply-To: <787dcac20703191045ib531ba3p3153066d182e87ba@mail.gmail.com>
References: <787dcac20703191045ib531ba3p3153066d182e87ba@mail.gmail.com>
Message-ID: <45FF0349.7080407@syska.dk>

Hey,

# This is just like the "Spam Actions" option above, except that it applies
# to messages that are *NOT* spam.
#    deliver                 - deliver the message as normal
#    delete                  - delete the message
#    store                   - store the message in the quarantine
#    forward user@domain.com - forward a copy of the message to user@domain.com
#    striphtml               - convert all in-line HTML content to plain text
#    header "name: value"    - Add the header
#                                name: value
#                              to the message. name must not contain any spaces.
#
# The default value I have set here enables Thunderbird 1.5 to automatically
# handle spam when set to trust the "SpamAssassin" headers.
#
# This can also be the filename of a ruleset, in which case the filename
# must end in ".rule" or ".rules".
Non Spam Actions = deliver header "X-Spam-Status: No"

so I guess it's possible .... and likewise the rules with high score spam
and normal score spam ....

best regards
Mikael Syska

BB wrote:
> I have a setup with a company that archives all mail. Currently using
> webmin to read all users' mail from archives. Split into daily
> archives (cron scripts).
>
> While perl (webmin) is wonderful it is resource intensive.
>
> Is there a way to do this via mailwatch? SQL reference message ID.
>
> Please... don't want to hear about the politically correct blah.
> Most companies in the business of making money do this to protect
> themselves from IP theft.
>

From res at ausics.net Mon Mar 19 23:25:11 2007
From: res at ausics.net (Res)
Date: Mon Mar 19 22:32:15 2007
Subject: OT: F-Prot
In-Reply-To:
References:
Message-ID:

On Mon, 19 Mar 2007, Drew Marshall wrote:

> Yes. On my home box, updates.f-prot.com is not reachable or so the logs
> claim. Last attempt was at about 6.20am GMT. Seems to be OK this morning now.

> Just on another question, which licence do you buy from them? I have been

mail server, they clearly state it's the only way we can.

> f-prot site to look for licensing, and none really fit. The machines are
> gateways so no mailboxes as required for the mail server version (So how many
> mailboxes would you buy for? This option could become expensive pretty

This is exactly my sticking point with them, they do not take into account
licensing for gateways, however they state if a gateway we must use mail
server, like you, my mail gateways also have no local users and as to the
letter of their license requirements, rightly or wrongly, I chose 1-10
users since they do not offer a 0 user mailbox license :) when I used to
have time to IRC, I used to sit in a sys-adminy type channel on undernet,
lot of network admins admitted to doing it this way, so it was the way I
opted for.

Even more stupidly, they used to offer an IBM server linux license that
covered both, their license scheme is a complete utter joke, I'd be more
than happy to pay a file server license per server on gateway machines and
sec MX's, if they made it clear, it's currently confusing, and clear as mud.

For those who want to pay per mailbox who have local users, that's clear,
for the rest it's not, and I would have thought by now they would have
amended it to gateways being included in fileserver.

Based on their current methods if I had to pay per user, just imagine a
mere 100 clueless hosting clients all activating catch-alls and spammers
finding them, I could be up for a horrendous amount in fees, even though
the mailboxes are not on the same machine.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From res at ausics.net Mon Mar 19 23:26:06 2007
From: res at ausics.net (Res)
Date: Mon Mar 19 22:33:11 2007
Subject: OT: F-Prot
In-Reply-To: <20070319100945.uiylo75m8oc80kcw@luna.eco.unibs.it>
References: <20070319100945.uiylo75m8oc80kcw@luna.eco.unibs.it>
Message-ID:

On Mon, 19 Mar 2007, Fabio Pedretti wrote:

> Hi, I recently upgraded some servers from f-prot 4.5.4 (with mail server
> licence) to clamav 0.90.1 and I am very satisfied. I am also using additional
> signatures from http://www.sanesecurity.com/clamav/ for filtering also
> phishing and scam mails. I suggest you to try clamav before buying a licence
> for a commercial AV.

Be very very careful, I used to use clam, until I found its hit rate was
less than a third of f-prot's, have not used it since.

--
Cheers
Res

From res at ausics.net Mon Mar 19 23:28:06 2007
From: res at ausics.net (Res)
Date: Mon Mar 19 22:35:09 2007
Subject: OT: F-Prot
In-Reply-To: <45FE5921.FEA8.00EB.0@imsu.ox.ac.uk>
References: <45FE5921.FEA8.00EB.0@imsu.ox.ac.uk>
Message-ID:

On Mon, 19 Mar 2007, Sylvain Phaneuf wrote:

> I saw the same problems.
>
> All cleared at about 8:30 AFICS. The updates are working well now.
>

Yep, all good now, 830, hmmm that was like sometime last night here :)

--
Cheers
Res

From res at ausics.net Mon Mar 19 23:30:28 2007
From: res at ausics.net (Res)
Date: Mon Mar 19 22:37:32 2007
Subject: F-Prot
In-Reply-To: <00c901c76a20$eeb4ea00$3701a8c0@lapxp>
References: <00c901c76a20$eeb4ea00$3701a8c0@lapxp>
Message-ID:

On Mon, 19 Mar 2007, Arthur Sherman wrote:

>> Anyone else seeing problems with f-prot updates for at least
>> the past 12 hours?
>
> I did.
> At least, several days already.
> Eventually I get updates, but I had to run check-updates manually several
> times a day for it.
>

Hmm OK, I only found it cause I was looking for a possible rejected email
for a client and came across the error, then went back and found it been
ongoing for 12 hours, a grep of previous days maillog shows no problems
though, so you might want to keep an eye on that.

--
Cheers
Res

From res at ausics.net Mon Mar 19 23:35:45 2007
From: res at ausics.net (Res)
Date: Mon Mar 19 22:42:49 2007
Subject: Phishing Filter Question
In-Reply-To: <25a66d840703190602t290948ele93090cdf846a438@mail.gmail.com>
References: <25a66d840703190602t290948ele93090cdf846a438@mail.gmail.com>
Message-ID:

On Mon, 19 Mar 2007, am.lists wrote:

> I'm currently fighting some usability issues surrounding the phishing filter.
>
> The perfect example to share is Google Alert emails. Every link is
> flagged due to the way that the email is crafted. (sample screenshot:
> http://tinyurl.com/27yx68 )

Can't see your screenshot as I don't use GUI for lists/newsgroups

if google says < one_thing > one_thing , it should be OK, it will and
rightfully so complain if either of those differ.

> sites being updated daily, this seems to be quite a problem. How can I

How is that? You can whitelist google, personal entries in that file are
not overwritten by updates, it's intelligent enough to leave it alone and
just add the new entries from the update.

I also think adding google to everyone by update is not a good idea, so
just add it to yours :)

--
Cheers
Res

From arturs at netvision.net.il Mon Mar 19 23:42:42 2007
From: arturs at netvision.net.il (Arthur Sherman)
Date: Mon Mar 19 22:51:35 2007
Subject: F-Prot
In-Reply-To:
Message-ID: <011b01c76a77$e7fe6590$3701a8c0@lapxp>

> Hmm OK, I only found it cause I was looking for a possible
> rejected email
> for a client and came across the error, then went back and
> found it been
> ongoing for 12 hours, a grep of previous days maillog shows
> no problems
> though, so you might want to keep an eye on that.
>
>
> --
> Cheers
> Res

I do.
It's OK by now.
Thanks!

Best,
--
Arthur Sherman
+972-52-4878851
http://www.cpt.co.il/

From am.lists at gmail.com Tue Mar 20 04:23:18 2007
From: am.lists at gmail.com (am.lists)
Date: Tue Mar 20 03:30:18 2007
Subject: Phishing Filter Question
In-Reply-To:
References: <25a66d840703190602t290948ele93090cdf846a438@mail.gmail.com>
Message-ID: <25a66d840703192023r489afe17p638b3d479577f1e3@mail.gmail.com>

On 3/19/07, Res wrote:
> On Mon, 19 Mar 2007, am.lists wrote:
>
> > I'm currently fighting some usability issues surrounding the phishing filter.
> >
> > The perfect example to share is Google Alert emails. Every link is
> > flagged due to the way that the email is crafted. (sample screenshot:
> > http://tinyurl.com/27yx68 )
>
> Cant see your screenshot as I dont use GUI for lists/newsgroups
>

The problem, Res, is that Google Alerts takes a headline (e.g. "Blonde
Bombers Make Potato Salad Sunday Night") and makes it a link to the
article.

The result is something that reads (text version here, mind you)

MailScanner has detected a possible fraud attempt from
"www.blondebombers.com" claiming to be Blonde Bombers Make Potato
Salad Sunday Night.

In the docs, it says for this to pass, I would whitelist (add to
phishing safe sites file) www.blondebombers.com. Nothing about the
envelope/sender. According to the docs, adding the google alerts email
will be fruitless. Unless, there's an assertion in the docs that's
implied that I'm just not picking up on.

-Angelo

From res at ausics.net Tue Mar 20 04:47:45 2007
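The two remedies discussed in this thread, modelled side by side in an added Python example (not MailScanner's code and not written by any poster): a per-host safe-sites entry versus a sender ruleset that switches the check off. The host comparison is a simplified stand-in for the phishing net, the first-match ruleset evaluation is an assumption about how MailScanner rulesets behave, and the second sample message and its addresses are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anything in the visible link text that looks like a hostname.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def href_host(href):
    """Host a link really points to; accepts scheme-less hrefs."""
    if "://" not in href:
        href = "http://" + href
    return (urlparse(href).hostname or "").lower()


def suspicious_links(html, safe_sites):
    """Return (real_host, link_text) where the text names a different host."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        real = href_host(href)
        if not real or real in safe_sites:
            continue  # safe-sites entry: exempts this one host only
        claimed = [h.lower() for h in HOST_RE.findall(text)]
        if claimed and real not in claimed:
            findings.append((real, text))
    return findings


def parse_ruleset(text):
    """Parse lines such as 'From: user@example.org no' into rule tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            direction, pattern, value = line.split()
            rules.append((direction.rstrip(":"), pattern.lower(), value == "yes"))
    return rules


def ruleset_value(rules, sender, recipient):
    """Assumed semantics: the first matching rule wins, 'default' matches all."""
    fields = {"From": [sender], "To": [recipient], "FromOrTo": [sender, recipient]}
    for direction, pattern, value in rules:
        addresses = [a.lower() for a in fields[direction]]
        if pattern == "default" or pattern in addresses:
            return value
    return True


def scan(html, sender, recipient, rules, safe_sites):
    """Run the link check unless the ruleset disables it for this message."""
    if not ruleset_value(rules, sender, recipient):
        return []  # sender rule: no link in this message is examined
    return suspicious_links(html, safe_sites)


# The ruleset proposed in the thread.
PHISHING_RULES = parse_ruleset(
    "From: googlealerts-noreply@google.com no\n"
    "FromOrTo: default yes\n"
)
# The message described in the thread, as HTML.
BOB_HTML = ("come see <a href=redir.nowhere.org/someplace>"
            "nowhere.org at your earliest convenience</a>")
# Constructed sample: link text names one host, the href points to another.
ALERT_HTML = '<a href="http://login.example.net/">www.example.com</a>'
```

With the sender rule, every link in a message carrying that sender address goes unchecked; a safe-sites entry silences only the one listed host.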
From: res at ausics.net (Res)
Date: Tue Mar 20 03:54:50 2007
Subject: Phishing Filter Question
In-Reply-To: <25a66d840703192023r489afe17p638b3d479577f1e3@mail.gmail.com>
References: <25a66d840703190602t290948ele93090cdf846a438@mail.gmail.com> <25a66d840703192023r489afe17p638b3d479577f1e3@mail.gmail.com>
Message-ID:

OK, not using GUI for this, did not show the true problem, as you have now
explained, however, MailScanner is doing what it is supposed to do,
detecting a ' diff ' if you like. It is for this reason MailScanner does
not offer an option to delete phishing fraud.

Your best option here would be to create a ruleset for phishing,
the_googlealert_domain = no, and default = yes

On Mon, 19 Mar 2007, am.lists wrote:

> The problem, Res, is that Google Alerts takes a headline (e.g. "Blonde
> Bombers Make Potato Salad Sunday Night") and makes it a link to the
> article.
>
> The result is something that reads (text version here, mind you)
>
> MailScanner has detected a possible fraud attempt from
> "www.blondebombers.com" claiming to be Blonde Bombers Make Potato
> Salad Sunday Night.
>

--
Cheers
Res

From azfarhusain at yahoo.com Tue Mar 20 08:35:48 2007
From: azfarhusain at yahoo.com (Its Azfar)
Date: Tue Mar 20 07:42:49 2007
Subject: Changing the Batch size value
Message-ID: <605598.10414.qm@web39506.mail.mud.yahoo.com>

Where do I change the no of mails per batch value. It's set on 30 and I
want to change it. BTW what's better, lower value or higher or just default
value?

From deanm at ispone.com.au Tue Mar 20 09:57:52 2007
From: deanm at ispone.com.au (Dean Manners)
Date: Tue Mar 20 09:04:55 2007
Subject: Changing the Batch size value
In-Reply-To: <605598.10414.qm@web39506.mail.mud.yahoo.com>
Message-ID: <200703200857.l2K8vplw014814@mail11.syd.optusnet.com.au>

Its Azfar,
Line ~260 of MailScanner.conf:

Max Unscanned Messages Per Scan = 50
Max Unsafe Messages Per Scan = 50

During benchmarking I found 50 message batches with "Max Children = 6" to be
the most efficient for my systems (Dell PE1950, 4Gb RAM, 2x Xeon 5110
processors, SAS storage), but only marginally faster. The ideal value would
be unique to each system, but the default 30 is probably spot on for most.
If you're trying to speed up processing - and haven't already, try out
mounting your MailScanner working directory in tmpfs (see
http://wiki.mailscanner.info/doku.php?id=documentation:tweaking:some_things_to_try_if_your_incoming_queue_is_running_slow&s=speed).

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Its Azfar
Sent: Tuesday, March 20, 2007 6:36 PM
To: mailscanner@lists.mailscanner.info
Subject: Changing the Batch size value

Where do I change the no of mails per batch value. It's set on 30 and I
want to change it. BTW what's better, lower value or higher or just default
value?

From arturs at netvision.net.il Tue Mar 20 10:42:44 2007
From: arturs at netvision.net.il (Arthur Sherman)
Date: Tue Mar 20 09:52:39 2007
Subject: Changing the Batch size value
In-Reply-To: <200703200857.l2K8vplw014814@mail11.syd.optusnet.com.au>
Message-ID: <015a01c76ad4$1c8aadd0$3701a8c0@lapxp>

Dean,

I followed the wiki section you've mentioned.
Most tweaks were applied even before.

I enabled speed and spam logging, then:

--
Mar 20 11:30:05 ns1 MailScanner[14816]: New Batch: Scanning 1 messages, 2180 bytes
Mar 20 11:30:05 ns1 MailScanner[14816]: Spam Checks: Starting
Mar 20 11:30:05 ns1 MailScanner[14816]: Message l2K9U1ba014910 from 127.0.0.1 (root@ns1.cpt.co.il) is whitelisted
Mar 20 11:30:12 ns1 MailScanner[14816]: Spam Checks completed at 310 bytes per second
Mar 20 11:30:12 ns1 MailScanner[14816]: Virus and Content Scanning: Starting
Mar 20 11:30:12 ns1 MailScanner[14816]: Virus Scanning completed at 8087 bytes per second
Mar 20 11:30:12 ns1 MailScanner[14816]: Uninfected: Delivered 1 messages
Mar 20 11:30:12 ns1 MailScanner[14816]: Virus Processing completed at 61320 bytes per second
Mar 20 11:30:12 ns1 MailScanner[14816]: Batch completed at 297 bytes per second (2180 / 7)
Mar 20 11:30:12 ns1 MailScanner[14816]: Batch (1 message) processed in 7.32 seconds
--

Max Children = 3
Max Unscanned ... = 10

Top:
top - 11:31:29 up 8 days, 10:35, 1 user, load average: 0.01, 0.04, 0.01
Tasks: 103 total, 2 running, 101 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.0% us, 0.3% sy, 0.0% ni, 99.7% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 3115152k total, 1186836k used, 1928316k free, 143900k buffers
Swap: 1052152k total, 548k used, 1051604k free, 619384k cached

Can you tell why it takes so long?

Thanks!

Best,
--
Arthur Sherman
+972-52-4878851
http://www.cpt.co.il/

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Dean Manners
> Sent: Tuesday, March 20, 2007 10:58 AM
> To: 'MailScanner discussion'
> Subject: RE: Changing the Batch size value
>
> Its Azfar,
> Line ~260 of MailScanner.conf:
>
> Max Unscanned Messages Per Scan = 50
> Max Unsafe Messages Per Scan = 50
>
> During benchmarking I found 50 message batches with "Max
> Children = 6" to be
> the most efficient for my systems (Dell PE1950, 4Gb RAM, 2x Xeon 5110
> processors, SAS storage), but only marginally faster. The
> ideal value would
> be unique to each system, but the default 30 is probably spot
> on for most.
> If you're trying to speed up processing - and haven't already, try out
> mounting your MailScanner working directory in tmpfs (see
> http://wiki.mailscanner.info/doku.php?id=documentation:tweaking:some_things_to_try_if_your_incoming_queue_is_running_slow&s=speed).
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Its Azfar
> Sent: Tuesday, March 20, 2007 6:36 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Changing the Batch size value
>
> Where do I change the no of mails per batch value. It's set on
> 30 and I want
> to change it. BTW what's better, lower value or higher or just
> default value?
>

From arturs at netvision.net.il Tue Mar 20 10:59:04 2007
From: arturs at netvision.net.il (Arthur Sherman)
Date: Tue Mar 20 10:07:46 2007
Subject: DCC plugin and dccifd
Message-ID: <015b01c76ad6$64d5b060$3701a8c0@lapxp>

Dear List,

Howdy?

OS = CentOS-4.4.x86 (BlueQuartz Hosting Edition), right now ~1K
messages/day, grows by 10%/month.

I was running dccifd as explained in old wiki, until recently.
Right now, I did enable DCC plugin in *.pre file.
It says it uses dccproc.
I couldn't make it work with dccifd - where should I point it? To the
socket? It didn't work.

How could I switch to dccifd?
Should I?
If not, so I have to shut down dccifd, right?

Best,
--
Arthur Sherman
+972-52-4878851
http://www.cpt.co.il/

From res at ausics.net Tue Mar 20 11:21:31 2007
From: res at ausics.net (Res) Date: Tue Mar 20 10:28:38 2007 Subject: Changing the Batch size value In-Reply-To: <015a01c76ad4$1c8aadd0$3701a8c0@lapxp> References: <015a01c76ad4$1c8aadd0$3701a8c0@lapxp> Message-ID: On Tue, 20 Mar 2007, Arthur Sherman wrote: > Max Children = 3 You should use 5 per 'real' (not HT) CPU. -- Cheers Res Let Novell known what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Tue Mar 20 11:24:24 2007 From: res at ausics.net (Res) Date: Tue Mar 20 10:31:30 2007 Subject: DCC plugin and dccifd In-Reply-To: <015b01c76ad6$64d5b060$3701a8c0@lapxp> References: <015b01c76ad6$64d5b060$3701a8c0@lapxp> Message-ID: On Tue, 20 Mar 2007, Arthur Sherman wrote: > Right now, I did enabled DCC plugin in *.pre file. I'd forget DCC, if you think you have msg lag now, just wait till you get that horrid thing going, dump pyzor as well its in the same class, razor works OK, only adds a couple seconds, combined with all our local rules thats pretty good. Also of note I find razor has far better hit rates. but most of Freds rules and some other local ones of mine send them over 100 anyways :) -- Cheers Res Let Novell known what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From dean.plant at roke.co.uk Tue Mar 20 12:39:01 2007 
From: dean.plant at roke.co.uk (Plant, Dean) Date: Tue Mar 20 11:46:11 2007 Subject: OT: F-Prot Message-ID: <2181C5F19DD0254692452BFF3EAF1D6802671E6C@rsys005a.comm.ad.roke.co.uk> Res wrote: > > Be very very careful, I used to use clam, until I found its hit rate > was less than a third of f-prots, have not used it since. Out of curiosity, how long ago was this? A couple of years ago we did the opposite and dropped F-prot as 99.9% of the time ClamAV caught everything before F-prot had signatures out. Mostly I still see ClamAV outperforming our commercial scanners for signature response times, although lately I see few viruses that not picked up by all of the scanners, maybe response times are getting better across the industry. Dean From res at ausics.net Tue Mar 20 12:58:41 2007 From: res at ausics.net (Res) Date: Tue Mar 20 12:05:53 2007 Subject: OT: F-Prot In-Reply-To: <2181C5F19DD0254692452BFF3EAF1D6802671E6C@rsys005a.comm.ad.roke.co.uk> References: <2181C5F19DD0254692452BFF3EAF1D6802671E6C@rsys005a.comm.ad.roke.co.uk> Message-ID: On Tue, 20 Mar 2007, Plant, Dean wrote: > Res wrote: >> >> Be very very careful, I used to use clam, until I found its hit rate >> was less than a third of f-prots, have not used it since. > > Out of curiosity, how long ago was this? 12 months ago -- Cheers Res Let Novell known what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From webmaster at boucinhas.com.br Tue Mar 20 13:12:11 2007 
From: webmaster at boucinhas.com.br (Webmaster Boucinhas & Campos)
Date: Tue Mar 20 12:19:24 2007
Subject: Is it possible to quarantine all mail messages while delivering none spam ?
References: <787dcac20703191045ib531ba3p3153066d182e87ba@mail.gmail.com>
Message-ID: <007a01c76ae8$fd6c5240$1803010a@10205>

Hello,

edit your MailScanner.conf

search for line

Non Spam Actions = deliver header "X-Spam-Status: No"

change this line to

Non Spam Actions = store deliver header "X-Spam-Status: No"

The "store" option enables MailScanner to archive all messages in the quarantine dir, and you can view these messages using MailWatch.

----- Original Message -----
From: BB
To: MailScanner discussion ; Mailwatch users list
Sent: Monday, March 19, 2007 2:45 PM
Subject: Is it possible to quarantine all mail messages while delivering none spam ?

I have a setup with a company that archives all mail. Currently using webmin to read all users mail.from archives. Split into daily archives(cron scripts).

While perl (webmin) is wonderful it is resource intensive.

Is there a way to do this via mailwatch ? SQL reference message ID.

Please... don't want to hear about the politically correct blah.

Most companies in the business of making money do this to protect themselves from IP theft.

From brent.bolin at gmail.com Tue Mar 20 13:24:51 2007
From: brent.bolin at gmail.com (BB) Date: Tue Mar 20 12:31:52 2007 Subject: Is it possible to quarantine all mail messages while delivering none spam ? In-Reply-To: <45FF0349.7080407@syska.dk> References: <787dcac20703191045ib531ba3p3153066d182e87ba@mail.gmail.com> <45FF0349.7080407@syska.dk> Message-ID: <787dcac20703200524i6e4deed7w3e0722d466dd9fac@mail.gmail.com> You are right. This does work. It gets quarantined and delivered :) Might put an end to the use of webmin for reading. And the end to using MailScanners option for archiving. tku On 3/19/07, Mikael Syska wrote: > > Hey, > > # This is just like the "Spam Actions" option above, except that it > applies > # to messages that are *NOT* spam. > # deliver - deliver the message as normal > # delete - delete the message > # store - store the message in the quarantine > # forward user@domain.com - forward a copy of the message to > user@domain.com > # striphtml - convert all in-line HTML content to plain > text > # header "name: value" - Add the header > # name: value > # to the message. name must not contain any > spaces. > # > # The default value I have set here enables Thunderbird 1.5 to > automatically > # handle spam when set to trust the "SpamAssassin" headers. > # > # This can also be the filename of a ruleset, in which case the filename > # must end in ".rule" or ".rules". > Non Spam Actions = deliver header "X-Spam-Status: No" > > so I guess its possible .... and the like wise rules with high score > spam and normal score spam .... > > best regards > Mikael Syska > > BB wrote: > > I have a setup with a company that archives all mail. Currently using > > webmin to read all users mail.from archives. Split into daily > > archives(cron scripts). > > > > While perl (webmin) is wonderful it is resource intensive. > > > > Is there a way to do this via mailwatch ? SQL reference message ID. > > > > Please... don't want to here about the politically correct blah. 
> > Most companies in the business of making money do this to protect them > > selfs from IP theft. > > > > > > > > > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070320/c3bcc39f/attachment.html From amoore at dekalbmemorial.com Tue Mar 20 14:00:33 2007 From: amoore at dekalbmemorial.com (Aaron K. Moore) Date: Tue Mar 20 13:07:38 2007 Subject: DCC plugin and dccifd In-Reply-To: References: Message-ID: <60D398EB2DB948409CA1F50D8AF12257021A4C30@exch1.dekalbmemorial.local> Arthur, You can read the plug-in documents at http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_D CC.html to check the configuration options so you can setup SpamAssassin to use DCC. You'll want to use the dccifd daemon and configure it to use the socket. Like any of the plug-ins, your mileage may vary. Here we get DCC hits on 50% of the spam. -- Aaron Kent Moore Information Technology Services DeKalb Memorial Hospital, Inc. Auburn, Indiana Phone: 260.920.2808 E-Mail: amoore@dekalbmemorial.com -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Arthur Sherman Sent: Tuesday, March 20, 2007 5:59 AM To: 'MailScanner discussion' Subject: DCC plugin and dccifd Dear List, Howdy? OS = CentOS-4.4.x86 (BlueQuartz Hosting Edition), right now ~1K messages/day, grows by 10%/month. I was running dccifd as explained in old wiki, until recently. Right now, I did enabled DCC plugin in *.pre file. It says it uses dccproc. I couldn't make it work with dccifd - where should I point it? To the socket? It didn't worked. How could I switch to dccifd? Should i? If not, so I have to shut down dccifd, right? Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From azfarhusain at yahoo.com Tue Mar 20 14:04:43 2007 From: azfarhusain at yahoo.com (Its Azfar) Date: Tue Mar 20 13:11:45 2007 Subject: Changing the Batch size value In-Reply-To: Message-ID: <79263.18545.qm@web39515.mail.mud.yahoo.com> --- Res wrote: > On Tue, 20 Mar 2007, Arthur Sherman wrote: > > > Max Children = 3 > > You should use 5 per 'real' (not HT) CPU. > > > -- > Cheers > Res you mean batch 0f 5 mails with max children 3 I have currently 5 batch and 4 children. what should the average scan time ? ____________________________________________________________________________________ Expecting? Get great news right away with email Auto-Check. Try the Yahoo! Mail Beta. http://advision.webevents.yahoo.com/mailbeta/newmail_tools.html From martinh at solidstatelogic.com Tue Mar 20 14:31:09 2007 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Tue Mar 20 13:38:46 2007 Subject: Changing the Batch size value In-Reply-To: <79263.18545.qm@web39515.mail.mud.yahoo.com> Message-ID: <42aaaa1a21b65846be8f7245bb89a8c7@solidstatelogic.com> Depends As long as you're keeping up with the message flow... Normal advice is 5 children per CPU core and start at 30 for the batch and tune the batch size up down and see how things go. Normally I get batches done in under 30 seconds...sometimes as low as 3 seconds... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Its Azfar > Sent: 20 March 2007 13:05 > To: MailScanner discussion > Subject: RE: Changing the Batch size value > > > --- Res wrote: > > > On Tue, 20 Mar 2007, Arthur Sherman wrote: > > > > > Max Children = 3 > > > > You should use 5 per 'real' (not HT) CPU. > > > > > > -- > > Cheers > > Res > > you mean batch 0f 5 mails with max children 3 > I have currently 5 batch and 4 children. > what should the average scan time ? > > > > ________________________________________________________________________ __ > __________ > Expecting? Get great news right away with email Auto-Check. > Try the Yahoo! Mail Beta. > http://advision.webevents.yahoo.com/mailbeta/newmail_tools.html > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. 
Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From fssilva at gmail.com Tue Mar 20 14:51:50 2007 From: fssilva at gmail.com (Fabio Silva) Date: Tue Mar 20 13:58:58 2007 Subject: Control mail Message-ID: Hi all, i have a question, has any way to configure mailscanner to permit or restrict some users from sending aand/or receive mails?? Like procmail does. I permit the user@domain.com to send files .zip I permit user@otherdomain.com to send files .rar Any idea how to solve it? Best Regards, -- Fabio S. Silva From martinh at solidstatelogic.com Tue Mar 20 14:56:41 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Tue Mar 20 14:03:50 2007 Subject: Control mail In-Reply-To: Message-ID: <7ba9762d724dd441a2ed2a210529885d@solidstatelogic.com> Fabio Have a look at this.. http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rul esets:overloading I think it's what you're after -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Fabio Silva
> Sent: 20 March 2007 13:52
> To: MailScanner discussion
> Subject: Control mail
>
> Hi all, i have a question, has any way to configure mailscanner to
> permit or restrict some users from sending and/or receive mails??
>
> Like procmail does.
>
> I permit the user@domain.com to send files .zip
> I permit user@otherdomain.com to send files .rar
>
> Any idea how to solve it?
>
> Best Regards,
> --
> Fabio S. Silva

From fssilva at gmail.com Tue Mar 20 15:12:39 2007
From: fssilva at gmail.com (Fabio Silva)
Date: Tue Mar 20 14:19:41 2007
Subject: Control mail
In-Reply-To: <7ba9762d724dd441a2ed2a210529885d@solidstatelogic.com>
References: <7ba9762d724dd441a2ed2a210529885d@solidstatelogic.com>
Message-ID:

Martin, is it what i need, but if i have about 10 users from different
domains that need to send files .zip to me, i can configure it like this

FromOrTo: user@domain2.com /etc/MailScanner/rules.domains.conf
FromOrTo: user@domain3.com /etc/MailScanner/rules.domains.conf
FromOrTo: user@domain4.com /etc/Mailscanner/....
FromOrTo: default /etc/MailScanner/filename.rules.conf

Is it?

So, i can receive files from any user without check in the default
filename.rules.conf !!

Regards,
Fabio

On 3/20/07, Martin.Hepworth wrote:
> Fabio
>
> Have a look at this..
>
> http://wiki.mailscanner.info/doku.php?id=documentation:configuration:rulesets:overloading
>
> I think it's what you're after
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Fabio Silva
> > Sent: 20 March 2007 13:52
> > To: MailScanner discussion
> > Subject: Control mail
> >
> > Hi all, i have a question, has any way to configure mailscanner to
> > permit or restrict some users from sending and/or receive mails??
> >
> > Like procmail does.
> >
> > I permit the user@domain.com to send files .zip
> > I permit user@otherdomain.com to send files .rar
> >
> > Any idea how to solve it?
> >
> > Best Regards,
> > --
> > Fabio S. Silva
>
--
Fabio S. Silva

From uxbod at splatnix.net Tue Mar 20 16:05:27 2007
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Mar 20 15:12:53 2007
Subject: Virus Detected Messages
Message-ID:

How would I disable these in a rule ?
--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// SIP Phone: uxbod@sip.splatnix.net

--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.

From martinh at solidstatelogic.com Tue Mar 20 16:12:20 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Tue Mar 20 15:19:32 2007
Subject: Virus Detected Messages
In-Reply-To:
Message-ID:

There's a nice ruleset from a chap called Tim..

http://www.timj.co.uk/linux/bogus-virus-warnings.cf

You'll have to zero score the mailscanner rules!!

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of --[ UxBoD ]--
> Sent: 20 March 2007 15:05
> To: mailscanner@lists.mailscanner.info
> Subject: Virus Detected Messages
>
> How would I disable these in a rule ?
> --
> --[ UxBoD ]--
> // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
> // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
> // SIP Phone: uxbod@sip.splatnix.net

From uxbod at splatnix.net Tue Mar 20 16:24:45 2007
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Mar 20 15:31:55 2007
Subject: Virus Detected Messages
In-Reply-To:
References:
Message-ID: <3eb077eb827b4360a5994c7b47e28731@62.49.223.244>

Thanks Martin :)

On Tue, 20 Mar 2007 15:12:20 +0000, "Martin.Hepworth" wrote:
>
> There's a nice ruleset from a chap called Tim..
>
> http://www.timj.co.uk/linux/bogus-virus-warnings.cf
>
> You'll have to zero score the mailscanner rules!!
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of --[ UxBoD ]--
>> Sent: 20 March 2007 15:05
>> To: mailscanner@lists.mailscanner.info
>> Subject: Virus Detected Messages
>>
>> How would I disable these in a rule ?
>> --
>> --[ UxBoD ]--
>> // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
>> // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
>> // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
>> // SIP Phone: uxbod@sip.splatnix.net

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// SIP Phone: uxbod@sip.splatnix.net

From ssilva at sgvwater.com Tue Mar 20 17:43:10 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Mar 20 16:52:20 2007
Subject: DCC plugin and dccifd
In-Reply-To:
References: <015b01c76ad6$64d5b060$3701a8c0@lapxp>
Message-ID:

Res spake the following on 3/20/2007 3:24 AM:
>
> On Tue, 20 Mar 2007, Arthur Sherman wrote:
>
>> Right now, I did enabled DCC plugin in *.pre file.
>
>
> I'd forget DCC, if you think you have msg lag now, just wait till you
> get that horrid thing going, dump pyzor as well its in the same class,
> razor works OK, only adds a couple seconds, combined with all our local
> rules thats pretty good.
>
> Also of note I find razor has far better hit rates. but most of Freds
> rules and some other local ones of mine send them over 100 anyways :)
>
Pyzor is OK if you use the alternate server and skip running discover. I think
it is 82.94.255.100:24441

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From mailscanner at yeticomputers.com Tue Mar 20 21:03:23 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Tue Mar 20 20:10:32 2007
Subject: URL-encoded filenames in reports
In-Reply-To:
References: <87fy929ffm.fsf@hp-factory.de> <45DF2469.4090507@yeticomputers.com>
Message-ID: <46003E0B.4080801@yeticomputers.com>

Stephane wrote:
> Rick Chadderdon yeticomputers.com> writes:
>
>
>> Simon Walter wrote:
>>
>>> Hello
>>>
>>> Is there a way to get the filename of files which got stored in
>>> quarantine as url-encoded string? [...]
>> I would probably handle this with PHP. The line in my corresponding
>> report .txt file would be something like:
>>
>>
>>
> http://my.mailscannerbox.com/download.php?id=$id&filename=$filename&datenumber=$datenumber&hostname=$hostname
>
>> and I would use my script to handle directing people to the correct file.
>>
>
> In fact, the problem is with $filename itself in Mailscanner. If the variable
> contains something as "WSComparison_#.DOC" or "WHform for summer 2008.doc", no
> way to pass this in an URL.
>
> I've on my side this kind of command.
>
> http://quarantine.tld/download.php?hostname=godalnet&date=20070317&id=1HSb00-0002U3-7R&filename=WSComparison_#.DOC
>
> We need a key or a simple urlencode version of $filename. An $URLfilename will
> be great. Or maybe another solution that I haven't discovered.
>
While it's a less than optimal solution, my few tests with this have
shown that all of the web browsers/email clients I've tried this on will
URLize the spaces and odd characters automatically. The links work fine
for me right now, although I have not done extensive testing. Yes, it
would be nice if we had a properly URL encoded variable, but at the
moment, I don't seem to need it.

Rick

From res at ausics.net Tue Mar 20 23:09:22 2007
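The encoding problem discussed in the message above, as an added example that is not part of the original posts or of MailScanner: Python's urllib shows how the raw `#` in the quoted link truncates the `filename` parameter, and how percent-encoding each value makes it survive the round trip. The function names, the `R&D plan.doc` sample and the final file-name check are assumptions for illustration; the other link values are the ones quoted in the thread.

```python
from urllib.parse import urlsplit, parse_qs, urlencode, quote

BASE = "http://quarantine.tld/download.php"

# Link quoted in the thread. The raw '#' starts a URL fragment, which a client
# never sends to the server, so the script only sees a truncated file name.
RAW_LINK = (BASE + "?hostname=godalnet&date=20070317"
            "&id=1HSb00-0002U3-7R&filename=WSComparison_#.DOC")


def filename_seen_by_server(url):
    """Return the 'filename' query parameter as the receiving script parses it."""
    query = urlsplit(url).query  # the fragment is already split off here
    return parse_qs(query, keep_blank_values=True).get("filename", [""])[0]


def build_link(base, hostname, date, msg_id, filename):
    """Build the report link with every parameter value percent-encoded."""
    params = [("hostname", hostname), ("date", date),
              ("id", msg_id), ("filename", filename)]
    # quote() with safe="" encodes space as %20 and also '#', '&', '?', '/', '+'.
    return base + "?" + urlencode(params, quote_via=quote, safe="")


def safe_quarantine_name(filename):
    """Assumed server-side check: accept a bare file name only.

    Once names arrive percent-encoded, '%2F' decodes back to '/', so the
    download script should refuse anything that is not a plain file name.
    """
    if not filename or filename in (".", ".."):
        raise ValueError("empty or relative name")
    if any(ch in filename for ch in ("/", "\\", "\x00")):
        raise ValueError("path separator in file name")
    return filename


def demo():
    """Run the thread's two file names plus one constructed name through the link."""
    results = {}
    for name in ("WSComparison_#.DOC",          # from the thread
                 "WHform for summer 2008.doc",  # from the thread
                 "R&D plan.doc"):               # constructed sample
        link = build_link(BASE, "godalnet", "20070317", "1HSb00-0002U3-7R", name)
        results[name] = (link, safe_quarantine_name(filename_seen_by_server(link)))
    return results


if __name__ == "__main__":
    print("raw link, server sees:", repr(filename_seen_by_server(RAW_LINK)))
    for original, (link, decoded) in demo().items():
        print(link, "->", repr(decoded))
```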
From: res at ausics.net (Res)
Date: Tue Mar 20 22:16:34 2007
Subject: Changing the Batch size value
In-Reply-To: <79263.18545.qm@web39515.mail.mud.yahoo.com>
References: <79263.18545.qm@web39515.mail.mud.yahoo.com>
Message-ID:

On Tue, 20 Mar 2007, Its Azfar wrote:
>
> --- Res wrote:
>
>> On Tue, 20 Mar 2007, Arthur Sherman wrote:
>>
>>> Max Children = 3
>>
>> You should use 5 per 'real' (not HT) CPU.
>>
>>
>> --
>> Cheers
>> Res
>
> you mean batch of 5 mails with max children 3
> I have currently 5 batch and 4 children.
> what should the average scan time ?

No, I meant use the default and recommended settings, max children = 5 for
1 cpu, 10 for 2 cpu's and 20 if you have a quad processor box.
hyperthreaded cpu's must only be counted as 1 cpu, because that's all they
really are.

Message batches? should = no less than 30, no more than 100, avg it at 50
if 30 is not enough to keep up.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From res at ausics.net Tue Mar 20 23:13:41 2007
From: res at ausics.net (Res)
Date: Tue Mar 20 22:20:49 2007
Subject: DCC plugin and dccifd
In-Reply-To:
References: <015b01c76ad6$64d5b060$3701a8c0@lapxp>
Message-ID:

On Tue, 20 Mar 2007, Scott Silva wrote:

> Pyzor is OK if you use the alternate server and skip running discover. I think
> it is 82.94.255.100:24441

They need to make these (pyzor/razor etc) geographically available, that
would I'm sure speed things up dramatically by not only being less latency
to, but less loading on all increasing the usefulness of them.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From alex at nkpanama.com Wed Mar 21 01:57:41 2007
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Wed Mar 21 01:05:25 2007 Subject: SPF and authenticated mail In-Reply-To: References: Message-ID: <46008305.4030700@nkpanama.com> Dennis Willson wrote: > > The way I solve this is to use a separate mail hub for incoming mail > (where the MX points) and the users authenticate against a different > server which does not do SPF because ONLY authenticated users are > allowed to talk to it. > Or you can use port 587 on the same server using a different process to receive mails that only allows authenticated users to use it. From uxbod at splatnix.net Wed Mar 21 09:37:14 2007 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Mar 21 08:44:22 2007 Subject: Perl Path Message-ID: <062a5b5d15dbf61e9d43e977b28d1240@62.49.223.244> Hi, I have just built a new server based on RHES4 and have built all the executables from source, i.e. perl, mysql, apache, php etc etc ... When I built MailScanner I used the source and ran install.sh --perl=/usr/local/smartmail/bin/perl which installed all the modules fine. Though one thing I have noticed is that in the top of all the MailScanner code the perl path still points to /usr/bin/perl. I wondered why it wasn't working correctly ;) Is it worth changing the install script so that if the --perl option is used then the perl binary path in all scripts is changed as well? Thoughts? -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 // SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From martinh at solidstatelogic.com Wed Mar 21 09:56:31 2007
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Mar 21 09:04:03 2007 Subject: Perl Path In-Reply-To: <062a5b5d15dbf61e9d43e977b28d1240@62.49.223.244> Message-ID: Or going a sym link from /usr/bin/perl to /usr/local/smartmail/bin/perl ala FreeBSD with the sysperl and portsperl options... Most perl scripts expect perl to be /usr/bin/perl.... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer.
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From uxbod at splatnix.net Wed Mar 21 10:10:06 2007 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Mar 21 09:17:15 2007 Subject: Perl Path In-Reply-To: References: Message-ID: <35cbd1c28ba0292218ae2179158375b5@62.49.223.244> Hi Martin, Yes I have symlinked for the time being. I agree that most scripts expect the perl path to be /usr/bin but by using a symlink the whole system will use it. The rationale for building under /usr/local/smartmail with all the necessary binaries is so that I can tar it all up, and transfer to another mailserver that has a vanilla RHES4 installation. This provides me with control of updating when I feel packages are ready for production. Best Regards, UxBoD From martinh at solidstatelogic.com Wed Mar 21 10:18:23 2007
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Mar 21 09:25:42 2007 Subject: Perl Path In-Reply-To: <35cbd1c28ba0292218ae2179158375b5@62.49.223.244> Message-ID: There's quite a bit of stuff that MailScanner expects to find in certain places (eg /opt/MailScanner for the tar.gz installs vs /usr/lib/MailScanner etc for RPM based installs). Now I know the FreeBSD package moves things to the default places FreeBSD expects, but not sure how much work that entails. But it's definitely possible. Then there's all the perl mods - cpan or rpm can dump things in different places and confuse perl. As long as you're consistent about how you install all the dependencies you're OK. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 From uxbod at splatnix.net Wed Mar 21 10:24:01 2007
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Mar 21 09:31:11 2007 Subject: Perl Path In-Reply-To: References: Message-ID: <7ad30ef94760d1cb1c93a04f00e3013b@62.49.223.244> Yeah tell me about it :) I have downloaded all the dependencies from CPAN and compiled with my new perl binary. Here is my source directory ! :- Algorithm-Diff-1.1902 File-Which-0.05 MIME-tools-5.420 Socket6-0.19 gifsicle-1.46 openssl-0.9.8d Archive-Tar-1.30 FuzzyOcr-3.5.1 Mail-SPF-Query-1.999.1 String-Approx-3.26 gocr-0.43 pcre-7.0 Archive-Zip-1.18 HTML-Parser-3.56 Mail-SpamAssassin-3.1.7 Sys-Hostname-Long-1.4 httpd-2.2.4 perl-5.8.8 Compress-Raw-Bzip2-2.003 HTML-Tagset-3.10 Mail-SpamAssassin-3.1.8 Text-Diff-0.35 jpeg-6b php-5.2.0 Compress-Raw-Zlib-2.003 IO-Compress-Base-2.003 MailScanner-install-4.58.8 Time-HiRes-1.9705 libidn-0.6.10 policyd-v1.80 Compress-Zlib-2.003 IO-Compress-Bzip2-2.003 MailTools-1.74 URI-1.35 libungif-4.1.4 postfix-2.3.6 Convert-BinHex-1.119 IO-Compress-Zlib-2.003 Net-CIDR-0.11 apr-1.2.8 libwww-perl-5.805 pyzor-0.4.0 Convert-TNEF-0.17 IO-Socket-INET6-2.51 Net-CIDR-Lite-0.20 apr-iconv-1.1.1 lpng1216 subversion-1.4.3 DBD-mysql-4.001 IO-Socket-SSL-1.02 Net-DNS-0.59 apr-util-1.2.8 mysql-5.0.33 tesseract-1.03 DBI-1.53 IO-Zlib-1.04 Net-IP-1.25 clamav-0.90.1 netpbm tiff-3.8.2 Digest-HMAC-1.01 IO-stringy-2.110 Net-Ident-1.20 curl-7.16.1 netpbm-10.26.39 zlib-1.2.3 Digest-SHA1-2.11 IP-Country-2.23 Net_SSLeay.pm-1.30 gd-2.0.34 netpbm-10.35 File-Temp-0.18 MIME-Base64-3.07 PathTools-3.24 giflib-4.1.4 ocrad-0.16 All seems to be working okay though.
From andrei at inteligis.ro Wed Mar 21 14:35:47 2007 From: andrei at inteligis.ro (Andrei Ioachim) Date: Wed Mar 21 13:43:56 2007 Subject: mail::clamav 0.20 error Message-ID: <460134B3.1020101@inteligis.ro> Hello, I've just moved from clamav to clamavmodule scanner. mailscanner --debug is working ok, but when I start normally I get: ClamAV Module ERROR:: Could not load databases from /opt/clamav/share/clamav It has something to do with multiple instances of mailscanner. Now I have Max Children = 0 in mailscanner.conf to get mailscanner to work, but I would like to use more children. From tjc at ecs.soton.ac.uk Wed Mar 21 14:47:16 2007 From: tjc at ecs.soton.ac.uk (Tim Chown) Date: Wed Mar 21 13:54:42 2007 Subject: More good news on Julian Message-ID: <20070321134716.GN16631@login.ecs.soton.ac.uk> Hi, I'm away from uni at the moment so haven't personally seen Jules for 4 or 5 days now, but colleagues tell me he's now walking around at the hospital, and continuing his recovery well. There's a suggestion he may be discharged this coming weekend if he continues his current progress. Obviously it's up to Jules, his parents and his doctors as to when he may go online again, but it's not infeasible to suggest he'll be online at least in moderation within a week. Cheers, Tim From itdept at fractalweb.com Wed Mar 21 14:55:01 2007
From: itdept at fractalweb.com (Chris Yuzik) Date: Wed Mar 21 14:02:11 2007 Subject: SPF and authenticated mail In-Reply-To: <46008305.4030700@nkpanama.com> References: <46008305.4030700@nkpanama.com> Message-ID: <46013935.90902@fractalweb.com> Alex Neuman van der Hans wrote: > Or you can use port 587 on the same server using a different process > to receive mails that only allows authenticated users to use it. Correct me if I'm wrong, but my understanding is that SPF checks are only done IF the inbound SMTP connection DOES NOT authenticate with the server. Same for RBL checks, etc. So why would anyone go to all this trouble? Chris From dave.list at pixelhammer.com Wed Mar 21 14:57:40 2007 From: dave.list at pixelhammer.com (DAve) Date: Wed Mar 21 14:06:11 2007 Subject: More good news on Julian In-Reply-To: <20070321134716.GN16631@login.ecs.soton.ac.uk> References: <20070321134716.GN16631@login.ecs.soton.ac.uk> Message-ID: <460139D4.8070406@pixelhammer.com> Tim Chown wrote: > Hi, > > I'm away from uni at the moment so haven't personally seen Jules for > 4 or 5 days now, but colleagues tell me he's now walking around at > the hospital, and continuing his recovery well. > > There's a suggestion he may be discharged this coming weekend if he > continues his current progress. > > Obviously it's up to Jules, his parents and his doctors as to when he > may go online again, but it's not infeasible to suggest he'll be online > at least in moderation within a week. > > Cheers, > Tim All good news, thanks for the report! DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From itdept at fractalweb.com Wed Mar 21 15:00:36 2007 
From: itdept at fractalweb.com (Chris Yuzik) Date: Wed Mar 21 14:07:56 2007 Subject: More good news on Julian In-Reply-To: <20070321134716.GN16631@login.ecs.soton.ac.uk> References: <20070321134716.GN16631@login.ecs.soton.ac.uk> Message-ID: <46013A84.1080505@fractalweb.com> Tim Chown wrote: > Hi, > > I'm away from uni at the moment so haven't personally seen Jules for > 4 or 5 days now, but colleagues tell me he's now walking around at > the hospital, and continuing his recovery well. > > There's a suggestion he may be discharged this coming weekend if he > continues his current progress. > > Obviously it's up to Jules, his parents and his doctors as to when he > may go online again, but it's not infeasible to suggest he'll be online > at least in moderation within a week. > > Cheers, > Tim > Tim, Thank you for your updates on Julian's status. Although we've never met him in person, we've come to know him over the years and have always appreciated his generosity with his time and willingness to help. The MailScanner community continues to prove to be one of the strongest open source communities I have ever seen, and Julian is behind all of that. Cheers, Chris From Denis.Beauchemin at USherbrooke.ca Wed Mar 21 15:15:05 2007 
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Wed Mar 21 14:23:12 2007 Subject: More good news on Julian In-Reply-To: <46013A84.1080505@fractalweb.com> References: <20070321134716.GN16631@login.ecs.soton.ac.uk> <46013A84.1080505@fractalweb.com> Message-ID: <46013DE9.4050805@USherbrooke.ca> Chris Yuzik wrote: > Tim Chown wrote: >> Hi, >> >> I'm away from uni at the moment so haven't personally seen Jules for >> 4 or 5 days now, but colleagues tell me he's now walking around at >> the hospital, and continuing his recovery well. >> >> There's a suggestion he may be discharged this coming weekend if he >> continues his current progress. >> >> Obviously it's up to Jules, his parents and his doctors as to when he >> may go online again, but it's not infeasible to suggest he'll be online >> at least in moderation within a week. >> >> Cheers, >> Tim >> > Tim, > > Thank you for your updates on Julian's status. Although we've never > met him in person, we've come to know him over the years and have > always appreciated his generosity with his time and willingness to help. > > The MailScanner community continues to prove to be one of the > strongest open source communities I have ever seen, and Julian is > behind all of that. > > Cheers, > Chris I couldn't agree more! Denis -- Denis Beauchemin, analyst Université de Sherbrooke, S.T.I. T: 819.821.8000x62252 F: 819.821.8045 From denis at croombs.org Wed Mar 21 15:26:00 2007
From: denis at croombs.org (Denis Croombs) Date: Wed Mar 21 14:33:11 2007 Subject: More good news on Julian In-Reply-To: <20070321134716.GN16631@login.ecs.soton.ac.uk> References: <20070321134716.GN16631@login.ecs.soton.ac.uk> Message-ID: <6345.87.238.80.64.1174487160.squirrel@www.croombs.org> > Hi, > > I'm away from uni at the moment so haven't personally seen Jules for > 4 or 5 days now, but colleagues tell me he's now walking around at > the hospital, and continuing his recovery well. > > There's a suggestion he may be discharged this coming weekend if he > continues his current progress. > > Obviously it's up to Jules, his parents and his doctors as to when he > may go online again, but it's not infeasible to suggest he'll be online > at least in moderation within a week. > Thanks for this great news Regards Denis From taz at taz-mania.com Wed Mar 21 15:51:44 2007 
From: taz at taz-mania.com (Dennis Willson) Date: Wed Mar 21 15:00:07 2007 Subject: SPF and authenticated mail In-Reply-To: <46013935.90902@fractalweb.com> References: <46008305.4030700@nkpanama.com> <46013935.90902@fractalweb.com> Message-ID: <46014680.3080109@taz-mania.com> He's having SpamAssassin do the checks which has no idea about authentication. Chris Yuzik wrote: > Alex Neuman van der Hans wrote: >> Or you can use port 587 on the same server using a different process >> to receive mails that only allows authenticated users to use it. > Correct me if I'm wrong, but my understanding is that SPF checks are > only done IF the inbound SMTP connection DOES NOT authenticate with > the server. Same for RBL checks, etc. So why would anyone go to all > this trouble? > > Chris -- -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham (Extra Class): KA6LSW GMRS : WQGF680 Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From ssilva at sgvwater.com Wed Mar 21 16:14:41 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Wed Mar 21 15:22:23 2007 Subject: More good news on Julian In-Reply-To: <20070321134716.GN16631@login.ecs.soton.ac.uk> References: <20070321134716.GN16631@login.ecs.soton.ac.uk> Message-ID: Tim Chown spake the following on 3/21/2007 6:47 AM: > Hi, > > I'm away from uni at the moment so haven't personally seen Jules for > 4 or 5 days now, but colleagues tell me he's now walking around at > the hospital, and continuing his recovery well. > > There's a suggestion he may be discharged this coming weekend if he > continues his current progress. > > Obviously it's up to Jules, his parents and his doctors as to when he > may go online again, but it's not infeasible to suggest he'll be online > at least in moderation within a week. > > Cheers, > Tim We'll all be glad to hear from him when he is able! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From uxbod at splatnix.net Wed Mar 21 16:21:46 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Wed Mar 21 15:30:46 2007 Subject: Attachments Message-ID: <8df85f0ac3600246765a82fdfdff1e21@62.49.223.244> Hi, Is there any exposed field in MailScanner, which could be added to MailWatch.pm, for saying if there is an attachment and the name of it ? Reason why I ask is that I am using FuzzyOcr but some image spams do get through it, but get picked up by other rules. Therefore, if this was available I could query the maillog for any that have a SA score > X and include an attachment. Then check the email via MailWatch and tune the FuzzyOcr words accordingly. Ideas ? -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 // SIP Phone: uxbod@sip.splatnix.net -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From bpumphrey at woodmclaw.com Wed Mar 21 16:28:39 2007 From: bpumphrey at woodmclaw.com (Billy A. Pumphrey) Date: Wed Mar 21 15:35:46 2007 Subject: More good news on Julian In-Reply-To: <20070321134716.GN16631@login.ecs.soton.ac.uk> Message-ID: <04D932B0071FE34FA63EBB1977B48D15025D7DD6@woodenex.woodmaclaw.local> > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Tim Chown > Sent: Wednesday, March 21, 2007 9:47 AM > To: MailScanner discussion > Subject: More good news on Julian > > Hi, > > I'm away from uni at the moment so haven't personally seen Jules for > 4 or 5 days now, but colleagues tell me he's now walking around at > the hospital, and continuing his recovery well. > > There's a suggestion he may be discharged this coming weekend if he > continues his current progress. > > Obviously it's up to Jules, his parents and his doctors as to when he > may go online again, but it's not infeasible to suggest he'll be online > at least in moderation within a week. > > Cheers, > Tim > -- Thank you for the update. From alex at nkpanama.com Wed Mar 21 17:17:14 2007 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Wed Mar 21 16:25:01 2007 Subject: mail::clamav 0.20 error In-Reply-To: <460134B3.1020101@inteligis.ro> References: <460134B3.1020101@inteligis.ro> Message-ID: <46015A8A.3050609@nkpanama.com> Andrei Ioachim wrote: > Hello, > > i've just moved from clamav to clamavmodule scanner > > mailscanner --debug is working ok, but when i start normally > i get: > ClamAV Module ERROR:: Could not load databases from > /opt/clamav/share/clamav > > > it has something to do with multiple instances of mailscanner > > now i have Max Children = 0 in mailscanner.conf to get mailscanner to > work > > but i would like to use more children > > > What would "max children = 0" do? Shut off MailScanner completely? From glenn.steen at gmail.com Wed Mar 21 17:24:44 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Mar 21 16:31:50 2007 Subject: More good news on Julian In-Reply-To: <20070321134716.GN16631@login.ecs.soton.ac.uk> References: <20070321134716.GN16631@login.ecs.soton.ac.uk> Message-ID: <223f97700703210924td42eb18l8adba3dc471c2550@mail.gmail.com> On 21/03/07, Tim Chown wrote: > Hi, > > I'm away from uni at the moment so haven't personally seen Jules for > 4 or 5 days now, but colleagues tell me he's now walking around at > the hospital, and continuing his recovery well. > > There's a suggestion he may be discharged this coming weekend if he > continues his current progress. > > Obviously it's up to Jules, his parents and his doctors as to when he > may go online again, but it's not infeasible to suggest he'll be online > at least in moderation within a week. > > Cheers, > Tim Yet again a heartfelt "Thank you Tim" for continuing to bring these updates to us! Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From shuttlebox at gmail.com Wed Mar 21 17:50:59 2007 From: shuttlebox at gmail.com (shuttlebox) Date: Wed Mar 21 16:58:06 2007 Subject: Perl Path In-Reply-To: <062a5b5d15dbf61e9d43e977b28d1240@62.49.223.244> References: <062a5b5d15dbf61e9d43e977b28d1240@62.49.223.244> Message-ID: <625385e30703210950k790fcb73oa4db10d8f2881a80@mail.gmail.com> On 3/21/07, --[ UxBoD ]-- wrote: > Is it worth changing the install script so that if the --perl option is used then the perl binary path in all scripts is changed aswell ? Yes it is, it has been asked before too, don't remember what was said then though. I also have to symlink /usr/bin/perl on my Solaris systems as well. I think the correct way would be the one you describe. -- /peter From andrei at inteligis.ro Wed Mar 21 18:51:46 2007 
From: andrei at inteligis.ro (Andrei Ioachim) Date: Wed Mar 21 17:58:30 2007 Subject: mail::clamav 0.20 error In-Reply-To: <46015A8A.3050609@nkpanama.com> References: <460134B3.1020101@inteligis.ro> <46015A8A.3050609@nkpanama.com> Message-ID: <460170B2.3050808@inteligis.ro> Alex Neuman van der Hans wrote: > Andrei Ioachim wrote: >> Hello, >> >> i've just moved from clamav to clamavmodule scanner >> >> mailscanner --debug is working ok, but when i start normally >> i get: >> ClamAV Module ERROR:: Could not load databases from >> /opt/clamav/share/clamav >> >> >> it has something to do with multiple instances of mailscanner >> >> now i have Max Children = 0 in mailscanner.conf to get mailscanner to >> work >> >> but i would like to use more children >> >> >> > What would "max children = 0" do? Shut off MailScanner completely? :) it keeps only 1 child From res at ausics.net Wed Mar 21 22:01:51 2007 From: res at ausics.net (Res) Date: Wed Mar 21 21:09:08 2007 Subject: More good news on Julian In-Reply-To: <20070321134716.GN16631@login.ecs.soton.ac.uk> References: <20070321134716.GN16631@login.ecs.soton.ac.uk> Message-ID: Thanks Tim, much welcome news that Jules is up and about! On Wed, 21 Mar 2007, Tim Chown wrote: > Hi, > > I'm away from uni at the moment so haven't personally seen Jules for > 4 or 5 days now, but colleagues tell me he's now walking around at > the hospital, and continuing his recovery well. > > There's a suggestion he may be discharged this coming weekend if he > continues his current progress. > > Obviously it's up to Jules, his parents and his doctors as to when he > may go online again, but it's not infeasible to suggest he'll be online > at least in moderation within a week. > > Cheers, > Tim > -- Cheers Res Let Novell known what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From gcle at smcaus.com.au Wed Mar 21 22:08:52 2007 
From: gcle at smcaus.com.au (Gerard Cleary) Date: Wed Mar 21 21:16:10 2007 Subject: More good news on Julian In-Reply-To: <20070321134716.GN16631@login.ecs.soton.ac.uk> References: <20070321134716.GN16631@login.ecs.soton.ac.uk> Message-ID: <200703220808.53025.gcle@smcaus.com.au> On Thu, 22 Mar 2007 00:47, Tim Chown wrote: > Hi, > > I'm away from uni at the moment so haven't personally seen Jules for > 4 or 5 days now, but colleagues tell me he's now walking around at > the hospital, and continuing his recovery well. > > There's a suggestion he may be discharged this coming weekend if he > continues his current progress. > > Obviously it's up to Jules, his parents and his doctors as to when he > may go online again, but it's not infeasible to suggest he'll be online > at least in moderation within a week. > > Cheers, > Tim Tim, thanks for your efforts in keeping us up to date with news of Julian. It'll be great to see him back on line whenever he is able to. All the best to yourself and Julian. Gerard. -- Gerard Cleary System Administrator SMC Pneumatics Australia Pty Ltd PH: (02) 9354 8222 From lhaig at haigmail.com Wed Mar 21 23:16:01 2007 
From: lhaig at haigmail.com (Lance Haig) Date: Wed Mar 21 22:23:08 2007 Subject: More good news on Julian In-Reply-To: <20070321134716.GN16631@login.ecs.soton.ac.uk> References: <20070321134716.GN16631@login.ecs.soton.ac.uk> Message-ID: <4601AEA1.5060002@haigmail.com> Tim Chown wrote: > Hi, > > I'm away from uni at the moment so haven't personally seen Jules for > 4 or 5 days now, but colleagues tell me he's now walking around at > the hospital, and continuing his recovery well. > > There's a suggestion he may be discharged this coming weekend if he > continues his current progress. > > Obviously it's up to Jules, his parents and his doctors as to when he > may go online again, but it's not infeasible to suggest he'll be online > at least in moderation within a week. > > Cheers, > Tim > This is great news. Thanks Tim for keeping us informed Lance From sleclerc at actionweb.fr Thu Mar 22 10:21:08 2007 
From: sleclerc at actionweb.fr (Stephane) Date: Thu Mar 22 09:28:53 2007 Subject: URL-encoded filenames in reports References: <87fy929ffm.fsf@hp-factory.de> <45DF2469.4090507@yeticomputers.com> <46003E0B.4080801@yeticomputers.com> Message-ID: Rick Chadderdon yeticomputers.com> writes: > While it's a less than optimal solution, my few tests with this have > shown that all of the web browsers/email clients I've tried this on will > URLize the spaces and odd characters automatically. The links work fine > for me right now, although I have not done extensive testing. Yes, it > would be nice if we had a properly URL encoded variable, but at the > moment, I don't seem to need it. > > Rick Hi Rick! This example doesn't work: http://quarantine.actionweb.fr/download.php?hostname=antispam2.actionweb.fr&date=20070317&id=1HSb00-0002U3-7R&filename=WSComparison_#.DOC No way to catch "#". Same problem with filename with special characters as "? ? @ $", etc. Working example: http://quarantine.actionweb.fr/download.php?hostname=antispam2.actionweb.fr&date=20070317&id=1HSb00-0002U3-7R&filename=message.zip Tested with Firefox Mac OSX. Stéphane From gen2lists at paulbaily.com Thu Mar 22 10:22:46 2007 
From: gen2lists at paulbaily.com (Paul Baily) Date: Thu Mar 22 09:30:02 2007 Subject: MailScanner gateway stats Message-ID: <18C84919-8734-4FD1-BA27-5D2669BD515A@paulbaily.com> Hi all, Apologies in advance if this is a FAQ or semi-OT, I did try searching the archives for an answer, really I did. I'm about to put a MailScanner/MailWatch/sendmail/spamassassin machine into production for the uni I work at and would dearly like to be able to produce some stats on how it's doing for Those That Manage (But Do Not Know Better.) My question is what do you use for high level trend reporting traffic stats? MailWatch itself? MailScanner-MRTG? Mailgraph? Vispan? I currently have charts available via MailWatch and MailScanner-MRTG but have also been trying to get trend analysis-type reports going via mailgraph since it provides really good day/week/month/year charts. The problem I'm having is that this is a gateway to an internal email system, and I'm trying to get mailgraph to accurately identify inbound and outbound traffic from a site context. Going from a gateway perspective (which is what it's currently doing) each email is logged as a sent email regardless of whether it's inbound or outbound sitewise. I'm guessing this is really a question of working out the correct regexes for mailgraph for each smtp transaction, but I just thought I'd ask in case anyone else has tried the same and has either hit a working solution or has given up and gone for something like Vispan. thanks in advance for your time and apologies for the semi-OTness. Paul. From uxbod at splatnix.net Thu Mar 22 10:53:57 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Thu Mar 22 10:02:21 2007 Subject: MailScanner gateway stats In-Reply-To: <18C84919-8734-4FD1-BA27-5D2669BD515A@paulbaily.com> References: <18C84919-8734-4FD1-BA27-5D2669BD515A@paulbaily.com> Message-ID: <4198877553cadef2d5d39bd7edb0c016@62.49.223.244> Spooky as I am working on a similar thing. I have taken MailGraph as the base code, as it is well written, removing all the RRD stuff and having it write the information to MySQL instead. From here will then produce graphs in PHP using ChartDirector (very very cheap graph component which is wicked http://www.advsofteng.com). Once I have something up and running will OT an email to the list. On Thu, 22 Mar 2007 19:22:46 +1000, Paul Baily wrote: > Hi all, > > Apologies in advance if this is a FAQ or semi-OT, I did try searching > the archives for an answer, really I did. > > I'm about to put a MailScanner/MailWatch/sendmail/spamassassin > machine into production for the uni I work at and would dearly like > to be able to produce some stats on how it's doing for Those That > Manage (But Do Not Know Better.) > > My question is what do you use for high level trend reporting traffic > stats? MailWatch itself? MailScanner-MRTG? Mailgraph? Vispan? > > I currently have charts available via MailWatch and MailScanner-MRTG > but have also been trying to get trend analysis-type reports going > via mailgraph since it provides really good day/week/month/year > charts. The problem I'm having is that this is a gateway to an > internal email system, and I'm trying to get mailgraph to accurately > identify inbound and outbound traffic from a site context. Going from > a gateway perspective (which is what it's currently doing) each email > is logged as a sent email regardless of whether it's inbound or > outbound sitewise. 
> > I'm guessing this is really a question of working out the correct > regexes for mailgraph for each smtp transaction, but I just thought > I'd ask in case anyone else has tried the same and has either hit a > working solution or has given up and gone for something like Vispan. > > thanks in advance for your time and apologies for the semi-OTness. > > Paul. -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 // SIP Phone: uxbod@sip.splatnix.net From paul at firespam.com Thu Mar 22 11:04:20 2007 From: paul at firespam.com (Paul @ Firespam) Date: Thu Mar 22 10:12:57 2007 Subject: MailScanner gateway stats In-Reply-To: <4198877553cadef2d5d39bd7edb0c016@62.49.223.244> References: <18C84919-8734-4FD1-BA27-5D2669BD515A@paulbaily.com> <4198877553cadef2d5d39bd7edb0c016@62.49.223.244> Message-ID: <000001c76c69$75d24970$6176dc50$@com> >> using ChartDirector (very very cheap graph component which is wicked http://www.advsofteng.com) Haven't seen this before, looks like a nicer version of jpgraph (http://www.aditus.nu/jpgraph) Cheers this will come in use for a little project I'm working on too! -- Paul Maddox Technical Director tel: +44 (0) 121 288 6333 mob: +44 (0) 7983 990098 http://www.firespam.com -- This message has been scanned for spam, viruses and phishing attempts by firespam.com From uxbod at splatnix.net Thu Mar 22 17:49:32 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Thu Mar 22 16:59:59 2007 Subject: MailScanner gateway stats In-Reply-To: <000001c76c69$75d24970$6176dc50$@com> References: <000001c76c69$75d24970$6176dc50$@com> Message-ID: <4c0233b51df61917ebc56cbdb3f46e57@62.49.223.244> So far so good. On Thu, 22 Mar 2007 10:04:20 -0000, "Paul @ Firespam" wrote: >>> using ChartDirector (very very cheap graph component which is wicked > http://www.advsofteng.com) > > Haven't seen this before, looks like a nicer version of jpgraph > (http://www.aditus.nu/jpgraph) > > Cheers this will come in use for a little project I'm working on too! > > > -- > Paul Maddox > Technical Director > tel: +44 (0) 121 288 6333 > mob: +44 (0) 7983 990098 > http://www.firespam.com -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8 // Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8 // SIP Phone: uxbod@sip.splatnix.net -------------- next part -------------- A non-text attachment was scrubbed... Name: smartmail.png Type: image/png Size: 14576 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070322/7058f9e7/smartmail.png From am.lists at gmail.com Thu Mar 22 18:07:13 2007 
From: am.lists at gmail.com (am.lists) Date: Thu Mar 22 17:14:27 2007 Subject: MailScanner gateway stats In-Reply-To: <4c0233b51df61917ebc56cbdb3f46e57@62.49.223.244> References: <000001c76c69$75d24970$6176dc50$@com> <4c0233b51df61917ebc56cbdb3f46e57@62.49.223.244> Message-ID: <25a66d840703221007t217927d9gde6c441902097c31@mail.gmail.com> On 3/22/07, --[ UxBoD ]-- wrote: > > Haven't seen this before, looks like a nicer version of jpgraph > > (http://www.aditus.nu/jpgraph) PMFJI but in MW2.0, they're discussing using this as the charting engine -- the samples are total eye candy, IMO. http://pear.veggerby.dk/samples/ The Gradient Filled Smoothed Area Chart made my heart skip a beat. :-) --Angelo From dhawal at netmagicsolutions.com Thu Mar 22 18:30:12 2007 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Thu Mar 22 17:37:40 2007 Subject: MailScanner gateway stats In-Reply-To: <4c0233b51df61917ebc56cbdb3f46e57@62.49.223.244> References: <000001c76c69$75d24970$6176dc50$@com> <4c0233b51df61917ebc56cbdb3f46e57@62.49.223.244> Message-ID: <4602BD24.5080709@netmagicsolutions.com> --[ UxBoD ]-- wrote: > So far so good. > > On Thu, 22 Mar 2007 10:04:20 -0000, "Paul @ Firespam" wrote: >>>> using ChartDirector (very very cheap graph component which is wicked >> http://www.advsofteng.com) >> >> Haven't seen this before, looks like a nicer version of jpgraph >> (http://www.aditus.nu/jpgraph) >> >> Cheers this will come in use for a little project I'm working on too! There is also Image_Graph (http://pear.veggerby.dk) available under lgpl.. and is intended for use in mailwatch 2.0 From mailscanner at yeticomputers.com Thu Mar 22 18:33:11 2007 
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Mar 22 17:40:29 2007 Subject: URL-encoded filenames in reports In-Reply-To: References: <87fy929ffm.fsf@hp-factory.de> <45DF2469.4090507@yeticomputers.com> <46003E0B.4080801@yeticomputers.com> Message-ID: <4602BDD7.4020208@yeticomputers.com> Stephane wrote: > Hi Rick! > > This example doesn't work: > > http://quarantine.actionweb.fr/download.php?hostname=antispam2.actionweb.fr&date=20070317&id=1HSb00-0002U3-7R&filename=WSComparison_#.DOC > > No way to catch "#". Same problem with filename with special characters as "? ? > @ $", etc. > > Working example: > > http://quarantine.actionweb.fr/download.php?hostname=antispam2.actionweb.fr&date=20070317&id=1HSb00-0002U3-7R&filename=message.zip > > Tested with Firefox Mac OSX. > > Stéphane Looks like you're right. Fortunately, my mail flow is low enough that I haven't had anyone use any non-working characters yet, and even if a few did, the support of those few that broke this would not be oppressive. With a bigger setup, this could certainly be a problem. It'd be pretty easy to modify the setup to not include the filename, though. Your message could read: ---- Mailscanner has removed one or more files from this message. To retrieve these files, please click: http://quarantine.actionweb.fr/download.php?hostname=antispam2.actionweb.fr&date=20070317&id=1HSb00-0002U3-7R --- At which point your PHP script could display a list of URLS created from a listing of the files in the directory, which it should be able to determine from the URL mailscanner generated. In fact, this seems trivial enough that I will probably do this myself. Rick From H.de.Vries at philos.rug.nl Thu Mar 22 19:50:04 2007 
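Why the `#` link quoted above loses its filename, and the percent-encoded form that survives, as an added example (not code from the thread, MailScanner or MailWatch). The function names and the sample directory listing are constructed for illustration; the URL and its parameters are the ones quoted in the messages.

```python
from urllib.parse import urlsplit, parse_qs, urlencode, quote

BASE = "http://quarantine.actionweb.fr/download.php"

# The non-working link quoted in the thread, unchanged.
RAW = (BASE + "?hostname=antispam2.actionweb.fr&date=20070317"
       "&id=1HSb00-0002U3-7R&filename=WSComparison_#.DOC")


def server_sees(url):
    """Return (filename, fragment) after standard URL splitting.

    Everything from the first '#' onward is a fragment: the browser
    keeps it and never sends it, so the server only gets the query.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    return params.get("filename", [None])[0], parts.fragment


def build_link(hostname, date, msg_id, filename=None):
    """Build a report link with every value percent-encoded.

    safe="" also encodes '/', so a filename can never add path or
    query structure of its own ('#' -> %23, '&' -> %26, '?' -> %3F).
    """
    fields = {"hostname": hostname, "date": date, "id": msg_id}
    if filename is not None:
        fields["filename"] = filename
    return BASE + "?" + urlencode(fields, quote_via=quote, safe="")


def links_for_message(hostname, date, msg_id, listing):
    """The variant suggested in the reply: the report carries no
    filename and the download page builds one encoded link per file
    found in the message's quarantine directory (listing)."""
    return {name: build_link(hostname, date, msg_id, name)
            for name in listing}


def requested_file(url, listing):
    """Serve only a name that is literally present in the listing;
    anything else (truncated, altered, unknown) yields None."""
    name, _fragment = server_sees(url)
    return name if name in listing else None


if __name__ == "__main__":
    # Constructed directory listing for the quoted message id.
    listing = ["WSComparison_#.DOC", "R&D.doc", "message.zip"]
    print("unencoded link ->", server_sees(RAW))
    for name, link in links_for_message(
            "antispam2.actionweb.fr", "20070317",
            "1HSb00-0002U3-7R", listing).items():
        print(name, "->", link, "->", requested_file(link, listing))
```

Matching the decoded name against the directory listing also means a damaged or hand-edited link fails closed instead of reaching for a file the message never contained.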
From: H.de.Vries at philos.rug.nl (Hauke de Vries) Date: Thu Mar 22 18:57:42 2007 Subject: Clamav 0.90.1 phishing problem Message-ID: <4602DDEC.7074.61F0EAF@H.de.Vries.philos.rug.nl> Compiled and installed Clamav, but no more phishing problems? I used to have average 10/day so I scanned an old mail. What am I missing? clamscan --verbose message message: HTML.Phishing.Bank-1156 FOUND ----------- SCAN SUMMARY ----------- Known viruses: 101233 Engine version: 0.90.1 Scanned files: 1 Infected files: 1 MailScanner -v This is Fedora Core release 4 (Stentz) This is Perl version 5.008006 (5.8.6) This is MailScanner version 4.56.7 Optional module versions are: 0.20 Mail::ClamAV 3.001008 Mail::SpamAssassin From blaze at lake.k12.ca.us Thu Mar 22 20:08:09 2007 From: blaze at lake.k12.ca.us (Blaze King) Date: Thu Mar 22 19:15:14 2007 Subject: upgraded mailscanner, no more quarantine Message-ID: <643717827D2BED469D39BE81B4AD635A1B558E@exchange.lake.k12.ca.us> Hey I'm a long time mailscanner user, but this is my first post to the list. I recently upgraded to 4.58.9-1 on my rhel3 server. Since then, nothing ends up in quarantine. Here's what I know... (/etc/MailScanner/MailScanner.conf) Quarantine Dir = /var/spool/MailScanner/quarantine Quarantine User = root Quarantine Group = apache (I'm using mailwatch) Quarantine Permissions = 0600 Quarantine Infections = yes Quarantine Whole Message = yes Quarantine Whole Messages As Queue Files = no [root@mail MailScanner]# ll /var/spool/MailScanner/quarantine total 0 Any suggestions? Thanks! Blaze King Senior Network Administrator Lake County Office of Education (707) 262-4147 From itdept at fractalweb.com Thu Mar 22 22:39:00 2007 
From: itdept at fractalweb.com (Chris Yuzik) Date: Thu Mar 22 21:46:19 2007 Subject: OT: IP address reputation, BorderWare Message-ID: <4602F774.2030007@fractalweb.com> Hi Everyone, While this is slightly off topic, it's likely of interest to most of us here. Today I attended a webinar on fighting image spam which was put on by a company called BorderWare. BorderWare makes rack-mount antispam devices, amongst other things. The webinar was pretty good and had some great statistics and such. One of the themes of the discussion was "reputation analysis" where they say that not only should we check a sender's IP address to see if it's blacklisted, but also should check what that IP's track record is--for viruses, spam, malformed messages, etc. You can manually do this yourself at bsn.borderware.com. Here's the interesting/disturbing part: when I looked up our "brand spankin new" mail server's IP address, I see we're not doing so well and that 87.5% of all our mail is to bad recipients. After getting up off of the floor and sitting back down in my chair, I started going over things. Have we been compromised? Is there a bad PHP script somewhere? Did our hosting provider give us an IP that was formerly used by a spammer? No to all questions. Turns out, it's the sender address verification milter we've got running at the MTA level. I ran a couple of reports that indicate that yes, about 87% of inbound email never makes it in to the inbound queue, so their data is correct. Obviously, in order to verify that an address exists, our server initiates an email to the recipient's mail server and finds out immediately that either the user is rejected or the system is going to accept an email for that user, and based on that information, we either allow the message in to the inbound queue for further processing or reject it. 
As a result of all of this, BorderWare's network of appliances out there that all report our server's activity back to the mothership that sees all these bad recipients and gives our server a less than stellar report indicating that we're likely spamming. Not good. So I phoned the company and talked to some sales guy about this. After looking up our IP and talking with me, he told me that it's a bad idea to have our server "perform these actions". I went over some stats with him and explained why it's so important that we do the address verification and that furthermore, their system shouldn't be penalizing white-hat mail servers that are actively protecting their users from bad stuff. At first he said that perhaps this is just a difference in philosophy, but at the end agreed to go talk with someone and get back to me. I suggested that there are a lot of mail servers that do sender address verification, and they're unlikely to stop using this incredibly powerful tool just because BorderWare thinks that it's a bad idea. My hope is that they'll either remove this from their scoring system or change their weighting formula. What do you guys (and gals) think? Cheers, Chris From denis at croombs.org Thu Mar 22 22:48:19 2007 
From: denis at croombs.org (Denis Croombs) Date: Thu Mar 22 21:57:20 2007 Subject: IP address reputation, BorderWare In-Reply-To: <4602F774.2030007@fractalweb.com> Message-ID: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> > While this is slightly off topic, it's likely of interest to > most of us here. > > Today I attended a webinar on fighting image spam which was > put on by a company called BorderWare. BorderWare makes > rack-mount antispam devices, amongst other things. The > webinar was pretty good and had some great statistics and > such. One of the themes of the discussion was "reputation > analysis" where they say that not only should we check a > sender's IP address to see if it's blacklisted, but also > should check what that IP's track record is--for viruses, > spam, malformed messages, etc. You can manually do this > yourself at bsn.borderware.com. > > Here's the interesting/disturbing part: when I looked up our > "brand spankin new" mail server's IP address, I see we're not > doing so well and that 87.5% of all our mail is to bad > recipients. After getting up off of the floor and sitting > back down in my chair, I started going over things. Have we > been compromised? Is there a bad PHP script somewhere? > Did our hosting provider give us an IP that was formerly used > by a spammer? No to all questions. > > Turns out, it's the sender address verification milter we've > got running at the MTA level. I ran a couple of reports that > indicate that yes, about 87% of inbound email never makes it > in to the inbound queue, so their data is correct. Obviously, > in order to verify that an address exists, our server > initiates an email to the recipient's mail server and finds > out immediately that either the user is rejected or the > system is going to accept an email for that user, and based > on that information, we either allow the message in to the > inbound queue for further processing or reject it. 
> > As a result of all of this, BorderWare's network of > appliances out there that all report our server's activity > back to the mothership that sees all these bad recipients and > gives our server a less than stellar report indicating that > we're likely spamming. Not good. > > So I phoned the company and talked to some sales guy about > this. After looking up our IP and talking with me, he told me > that it's a bad idea to have our server "perform these > actions". I went over some stats with him and explained why > it's so important that we do the address verification and > that furthermore, their system shouldn't be penalizing > white-hat mail servers that are actively protecting their > users from bad stuff. At first he said that perhaps this is > just a difference in philosophy, but at the end agreed to go > talk with someone and get back to me. I suggested that there > are a lot of mail servers that do sender address > verification, and they're unlikely to stop using this > incredibly powerful tool just because BorderWare thinks that > it's a bad idea. My hope is that they'll either remove this > from their scoring system or change their weighting formula. > > What do you guys (and gals) think? I have always felt that address verification was worse than spammers and will never deal with people who use it. Regards Denis From itdept at fractalweb.com Thu Mar 22 22:52:42 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Thu Mar 22 22:00:00 2007 Subject: IP address reputation, BorderWare In-Reply-To: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> Message-ID: <4602FAAA.20009@fractalweb.com> Denis Croombs wrote: > I have always felt that address verification was worse than spammers and > will never deal with people who use it. > Denis, That's interesting. Can you explain your position? Chris From denis at croombs.org Thu Mar 22 23:02:19 2007 
From: denis at croombs.org (Denis Croombs)
Date: Thu Mar 22 22:11:13 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <4602FAAA.20009@fractalweb.com>
Message-ID: <200703222203.l2MM3wig030176@mail.deniscroombs.org>

> Denis Croombs wrote:
> > I have always felt that address verification was worse than spammers
> > and will never deal with people who use it.
> >
> Denis,
>
> That's interesting. Can you explain your position?
>

Over 90% of the email that the 200+ domains I protect is spam from spoofed
email addresses, why should I send an email to these poor sods who have had
their email address spoofed just to fill up their email inbox.
As far as I am concerned it is a joke system that compounds the spam issue.

Yes I feel strongly about it, but that is my 2c

Denis

From Kevin_Miller at ci.juneau.ak.us Thu Mar 22 23:11:15 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Mar 22 22:18:18 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <200703222203.l2MM3wig030176@mail.deniscroombs.org>
References: <4602FAAA.20009@fractalweb.com> <200703222203.l2MM3wig030176@mail.deniscroombs.org>
Message-ID:

Denis Croombs wrote:
>> Denis Croombs wrote:
>>> I have always felt that address verification was worse than spammers
>>> and will never deal with people who use it.
>>>
>> Denis,
>>
>> That's interesting. Can you explain your position?
>>
> Over 90% of the email that the 200+ domains I protect is spam from
> spoofed email addresses, why should I send an email to these poor
> sods who have had their email address spoofed just to fill up their
> email inbox.
> As far as I am concerned it is a joke system that compounds the spam
> issue.
>
> Yes I feel strongly about it, but that is my 2c
>
> Denis

You're misunderstanding how it works. The spoofed accounts never see an
email. If joe.spammer sends a message to me with a forged from address
from frieda.forged@somedomain, my milter initiates a connection to see
if somedomain will accept mail for her. It *never* sends any mail - just
verifies that the user exists. If it will, she's a valid user and I
check to make sure it's to a valid recipient. If so the transaction
continues. If not, the connection is dropped. The spoofed user never
knows anything about the transaction and doesn't incur any additional
junk email.

Takes a couple of cpu cycles, sure, but far less than accepting &
scanning spam...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From itdept at fractalweb.com Thu Mar 22 23:13:15 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Thu Mar 22 22:20:35 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <200703222203.l2MM3wig030176@mail.deniscroombs.org>
References: <200703222203.l2MM3wig030176@mail.deniscroombs.org>
Message-ID: <4602FF7B.2050106@fractalweb.com>

Denis Croombs wrote:
> Over 90% of the email that the 200+ domains I protect is spam from spoofed
> email addresses, why should I send an email to these poor sods who have had
> their email address spoofed just to fill up their email inbox.
> As far as I am concerned it is a joke system that compounds the spam issue.
>
But Denis, sender address verification (SAV) doesn't actually send an
email to the recipient--it aborts the SMTP transaction before really
sending a message. Nothing ends up in the recipient's mailbox, or in the
recipient's mail server's queue.

Here is an explanation from Wikipedia:

  A mail server can try to verify an address by making an SMTP
  connection back to the mail exchanger for it (found via the usual MX
  records), pretending to be creating a bounce, but stopping just before
  any e-mail is sent. The commands sent out are:

    HELO
    MAIL FROM:<>
    RCPT TO:
    QUIT

  This technique is technically compliant with the relevant SMTP RFCs
  (RFC 2821).

Given this information, have you changed your opinion on SAV?

Cheers,
Chris

From ssilva at sgvwater.com Thu Mar 22 23:13:17 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Thu Mar 22 22:21:07 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <4602FAAA.20009@fractalweb.com>
References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> <4602FAAA.20009@fractalweb.com>
Message-ID:

Chris Yuzik spake the following on 3/22/2007 2:52 PM:
> Denis Croombs wrote:
>> I have always felt that address verification was worse than spammers and
>> will never deal with people who use it.
>>
> Denis,
>
> That's interesting. Can you explain your position?
>
> Chris

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From gerard at seibercom.net Thu Mar 22 23:15:18 2007
From: gerard at seibercom.net (Gerard Seibert)
Date: Thu Mar 22 22:22:10 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <200703222203.l2MM3wig030176@mail.deniscroombs.org>
References: <4602FAAA.20009@fractalweb.com> <200703222203.l2MM3wig030176@mail.deniscroombs.org>
Message-ID: <20070322181247.99D6.GERARD@seibercom.net>

On Thursday March 22, 2007 at 06:02:19 (PM) Denis Croombs wrote:

> > That's interesting. Can you explain your position?
> >
> Over 90% of the email that the 200+ domains I protect is spam from spoofed
> email addresses, why should I send an email to these poor sods who have had
> their email address spoofed just to fill up their email inbox.
> As far as I am concerned it is a joke system that compounds the spam issue.

There was a discussion on the postfix forum a few days ago that concurred
with your thesis. I personally never employ it myself. A waste of time
and bandwidth in my humble opinion.

My 2¢ worth.

--
Gerard

From Kevin_Miller at ci.juneau.ak.us Thu Mar 22 23:19:58 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Mar 22 22:26:59 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <20070322181247.99D6.GERARD@seibercom.net>
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net>
Message-ID:

Gerard Seibert wrote:
> On Thursday March 22, 2007 at 06:02:19 (PM) Denis Croombs wrote:
>
>>> That's interesting. Can you explain your position?
>>>
>> Over 90% of the email that the 200+ domains I protect is spam from
>> spoofed email addresses, why should I send an email to these poor
>> sods who have had their email address spoofed just to fill up their
>> email inbox.
>> As far as I am concerned it is a joke system that compounds the spam
>> issue.
>
> There was a discussion on the postfix forum a few days ago that
> concurred with your thesis. I personally never employ it myself. A
> waste of time and bandwidth in my humble opinion.

Well, we all know how those Postfix folks think, don't we!

I think some people must be confusing bouncing spam with sender
verification. Two different beasts entirely. Sender verification takes
virtually no bandwidth, and the byte count it takes are certainly much
fewer than what you'll find in the body of a spam message. If I can
spend a nickel to not have to spend a dime it's worth it every time...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From ssilva at sgvwater.com Thu Mar 22 23:20:32 2007
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Mar 22 22:28:08 2007 Subject: IP address reputation, BorderWare In-Reply-To: <4602FAAA.20009@fractalweb.com> References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> <4602FAAA.20009@fractalweb.com> Message-ID: Chris Yuzik spake the following on 3/22/2007 2:52 PM: > Denis Croombs wrote: >> I have always felt that address verification was worse that spammers and >> will never deal with people who use it. >> > Denis, > > That's interesting. Can you explain your position? > > Chris While I don't think that it is as bad as spammers, it does seem like throwing gasoline on the fire. Say I get 1000 bad addresses. I have just doubled that by verifying. If I got one million, now there is 2 million. And you aren't punishing the spammer. You are punishing the poor server that was spoofed. There needs to be a smart verifier that does a dns lookup first to see if the mail even came from a valid ip address for that domain BEFORE it even considers doing a verify. That would drop a lot of the crap without punishing poor Mr. Innocent's server. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From itdept at fractalweb.com Thu Mar 22 23:23:49 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Thu Mar 22 22:31:08 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> <4602FAAA.20009@fractalweb.com> Message-ID: <460301F5.8080405@fractalweb.com> Scott Silva wrote: > > > > Scott, My ESP module is currently not working. ;-) Chris From mailscanner at yeticomputers.com Thu Mar 22 23:29:28 2007 
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Mar 22 22:36:52 2007 Subject: IP address reputation, BorderWare In-Reply-To: <4602FAAA.20009@fractalweb.com> References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> <4602FAAA.20009@fractalweb.com> Message-ID: <46030348.70100@yeticomputers.com> Chris Yuzik wrote: > Denis Croombs wrote: >> I have always felt that address verification was worse that spammers and >> will never deal with people who use it. >> > Denis, > > That's interesting. Can you explain your position? > > Chris I get the feeling that Denis is thinking of various challenge/response methods like TMDA, which I also refuse to work with. I, however, also don't like address verification for the same reason that I don't like bogus spam and virus bounces - you're eating *my* bandwidth (and log space, and cpu time, and SMTP connections, and...) up to make *your* job easier. I don't like it when people "spread the load" indiscriminately and to people who did not offer their resources. If you get a dictionary spam flood from someone forging one of my domains, I get a connection flood from you while your system tries to validate those thousands of bogus addresses. Uncool and unwelcome. Likely to get your domain blacklisted, at least temporarily, by me. Not sure how other people handle it, but that's why I won't use sender address verification. Rick From Kevin_Miller at ci.juneau.ak.us Thu Mar 22 23:30:05 2007 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Mar 22 22:37:06 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org><4602FAAA.20009@fractalweb.com> Message-ID: Scott Silva wrote: > While I don't think that it is as bad as spammers, it does seem like > throwing gasoline on the fire. Say I get 1000 bad addresses. I have > just doubled that by verifying. If I got one million, now there is 2 > million. And you aren't punishing the spammer. You are punishing the > poor server that was spoofed. Granted, it's not optimal, but I think it's the lesser of various evils. What I can't fathom is why so many companies (even big ones like AOL) bounce spam, or send NDRs to the forged from. I'd much rather my server receive a recipient verification request, than an NDR to one of my users that clearly didn't send the original. Sigh. > There needs to be a smart verifier that does a dns lookup first to > see if the mail even came from a valid ip address for that domain > BEFORE it even considers doing a verify. That would drop a lot of the > crap without punishing poor Mr. Innocent's server. You mean like, er, SPF? ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From itdept at fractalweb.com Thu Mar 22 23:29:51 2007 
From: itdept at fractalweb.com (Chris Yuzik) Date: Thu Mar 22 22:37:09 2007 Subject: IP address reputation, BorderWare In-Reply-To: <20070322181247.99D6.GERARD@seibercom.net> References: <4602FAAA.20009@fractalweb.com> <200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> Message-ID: <4603035F.9060107@fractalweb.com> Gerard Seibert wrote: > There was a discussion on the postfix forum a few days ago that concurred > with your thesis. I personally never employ it myself. A waste of time > and bandwidth in my humble opinion. > Since we use Sendmail exclusively, I'm afraid I don't follow the Postfix forums. I'm not sure about the bandwidth, shouldn't be much more than a few bytes...perhaps equivalent to a DNS query or two. As for the time delay, we're not noticing any delay. According to our logs, most of this happens within the very second the mail gets to our server; a fraction of a second (or even a couple of seconds) delay is certainly worth it, IMHO. We're experiencing great success with this additional tool against the spammers. Chris From ssilva at sgvwater.com Thu Mar 22 23:29:09 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Mar 22 22:37:31 2007 Subject: IP address reputation, BorderWare In-Reply-To: <460301F5.8080405@fractalweb.com> References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> <4602FAAA.20009@fractalweb.com> <460301F5.8080405@fractalweb.com> Message-ID: Chris Yuzik spake the following on 3/22/2007 3:23 PM: > Scott Silva wrote: >> >> >> >> > Scott, > > My ESP module is currently not working. ;-) > > Chris Bumped the send button in a fit of stupidity. Where is the OOPS button! ;-P -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From Kevin_Miller at ci.juneau.ak.us Thu Mar 22 23:31:02 2007 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Mar 22 22:38:02 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <4602F774.2030007@fractalweb.com>
References: <4602F774.2030007@fractalweb.com>
Message-ID:

Chris Yuzik wrote:
> Hi Everyone,
>
> While this is slightly off topic, it's likely of interest to most of
> us here.

snip

>
> What do you guys (and gals) think?

You don't say what milter you're using, but I went to the test site
mentioned and came up neutral. They didn't have any info on me at all.
I'm running sendmail and smf-sav. Maybe your milter version is doing
something other than mine?

I think something is askew however. If you're dropping 87% of inbound
mail and borderware is aware of virtually all of it, that implies that
pretty much everybody that sends you mail is using a borderware
appliance, or virtually all the spoofed addresses are to borderware
protected networks, and that virtually all the drops are due to invalid
senders. I have a hard time believing that. An awful lot of my
connections are dropped based on invalid forged from, but an awful lot
of them are also based on valid forged froms, and directed to invalid
recipients in my domain.

That said, if this is what Borderware is doing, we can only hope they
don't start autoreporting to the RBLs...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From mailscanner at yeticomputers.com Thu Mar 22 23:31:49 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Thu Mar 22 22:39:08 2007
Subject: IP address reputation, BorderWare
In-Reply-To:
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net>
Message-ID: <460303D5.8070906@yeticomputers.com>

Kevin Miller wrote:
> If I can spend a nickel to not have to spend a dime it's worth it every time...
>

The problem comes when you start spending my nickels without asking.
Which is exactly what sender address verification does.

Rick

From dave.list at pixelhammer.com Thu Mar 22 23:33:31 2007
From: dave.list at pixelhammer.com (DAve) Date: Thu Mar 22 22:41:33 2007 Subject: OT: IP address reputation, BorderWare In-Reply-To: <4602F774.2030007@fractalweb.com> References: <4602F774.2030007@fractalweb.com> Message-ID: <4603043B.8010402@pixelhammer.com> Chris Yuzik wrote: > Hi Everyone, > > While this is slightly off topic, it's likely of interest to most of us > here. > > Today I attended a webinar on fighting image spam which was put on by a > company called BorderWare. BorderWare makes rack-mount antispam devices, > amongst other things. The webinar was pretty good and had some great > statistics and such. One of the themes of the discussion was "reputation > analysis" where they say that not only should we check a sender's IP > address to see if it's blacklisted, but also should check what that IP's > track record is--for viruses, spam, malformed messages, etc. You can > manually do this yourself at bsn.borderware.com. > > Here's the interesting/disturbing part: when I looked up our "brand > spankin new" mail server's IP address, I see we're not doing so well and > that 87.5% of all our mail is to bad recipients. After getting up off of > the floor and sitting back down in my chair, I started going over > things. Have we been compromised? Is there a bad PHP script somewhere? > Did our hosting provider give us an IP that was formerly used by a > spammer? No to all questions. > > Turns out, it's the sender address verification milter we've got running > at the MTA level. I ran a couple of reports that indicate that yes, > about 87% of inbound email never makes it in to the inbound queue, so > their data is correct. 
Obviously, in order to verify that an address
> exists, our server initiates an email to the recipient's mail server and
> finds out immediately that either the user is rejected or the system is
> going to accept an email for that user, and based on that information,
> we either allow the message in to the inbound queue for further
> processing or reject it.
>
> As a result of all of this, BorderWare's network of appliances out there
> that all report our server's activity back to the mothership that sees
> all these bad recipients and gives our server a less than stellar report
> indicating that we're likely spamming. Not good.
>
> So I phoned the company and talked to some sales guy about this. After
> looking up our IP and talking with me, he told me that it's a bad idea
> to have our server "perform these actions". I went over some stats with
> him and explained why it's so important that we do the address
> verification and that furthermore, their system shouldn't be penalizing
> white-hat mail servers that are actively protecting their users from bad
> stuff. At first he said that perhaps this is just a difference in
> philosophy, but at the end agreed to go talk with someone and get back
> to me. I suggested that there are a lot of mail servers that do sender
> address verification, and they're unlikely to stop using this incredibly
> powerful tool just because BorderWare thinks that it's a bad idea. My
> hope is that they'll either remove this from their scoring system or
> change their weighting formula.
>
> What do you guys (and gals) think?
>
> Cheers,
> Chris
>

If one of my users gets Joe Jobbed, and I see a few thousand connections
coming my way to see if their account exists, never intending to deliver
anything, I *will* block you.

If my greylisting doesn't break your sender verification first.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day.
Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From ssilva at sgvwater.com Thu Mar 22 23:31:32 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Mar 22 22:42:25 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> <4602FAAA.20009@fractalweb.com> Message-ID: Scott Silva spake the following on 3/22/2007 3:20 PM: > Chris Yuzik spake the following on 3/22/2007 2:52 PM: >> Denis Croombs wrote: >>> I have always felt that address verification was worse that spammers and >>> will never deal with people who use it. >>> >> Denis, >> >> That's interesting. Can you explain your position? >> >> Chris > While I don't think that it is as bad as spammers, it does seem like throwing > gasoline on the fire. Say I get 1000 bad addresses. I have just doubled that > by verifying. If I got one million, now there is 2 million. And you aren't > punishing the spammer. You are punishing the poor server that was spoofed. > > There needs to be a smart verifier that does a dns lookup first to see if the > mail even came from a valid ip address for that domain BEFORE it even > considers doing a verify. That would drop a lot of the crap without punishing > poor Mr. Innocent's server. > > I just did a little looking, and I change my vote. I think I am going to look at smf-sav next week. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ms-list at alexb.ch Thu Mar 22 23:36:13 2007 
From: ms-list at alexb.ch (Alex Broens)
Date: Thu Mar 22 22:43:32 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <4603035F.9060107@fractalweb.com>
References: <4602FAAA.20009@fractalweb.com> <200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <4603035F.9060107@fractalweb.com>
Message-ID: <460304DD.1030600@alexb.ch>

On 3/22/2007 11:29 PM, Chris Yuzik wrote:
> Gerard Seibert wrote:
>> There was a discussion on the postfix forum a few days ago that concurred
>> with your thesis. I personally never employ it myself. A waste of time
>> and bandwidth in my humble opinion.
>>
> Since we use Sendmail exclusively, I'm afraid I don't follow the Postfix
> forums.
>
> I'm not sure about the bandwidth, shouldn't be much more than a few
> bytes...perhaps equivalent to a DNS query or two. As for the time delay,
> we're not noticing any delay. According to our logs, most of this
> happens within the very second the mail gets to our server; a fraction
> of a second (or even a couple of seconds) delay is certainly worth it,
> IMHO.
>
> We're experiencing great success with this additional tool against the
> spammers.

pls post your IPs... we'll gladly help you by firewalling you off - then
you can reject all mail with our spoofed sender.

From itdept at fractalweb.com Thu Mar 22 23:39:05 2007
From: itdept at fractalweb.com (Chris Yuzik) Date: Thu Mar 22 22:46:23 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <4602F774.2030007@fractalweb.com> Message-ID: <46030589.8080801@fractalweb.com> Kevin Miller wrote: > > You don't say what milter you're using, but I went to the test site > mentioned and came up neutral. They didn't have any info on me at all. > I'm running sendmail and smf-sav. Maybe your milter version is doing > something other than mine? > Using SMF-SAV with Sendmail, same as you. > I think something is askew however. If you're dropping 87% of inbound > mail and borderware is aware of virtually all of it, that implies that > pretty much everybody that sends you mail is using a borderware > applience, or virtually all the spoofed addresses are to borderware > protected networks, and that virtually all the drops are due to invalid > senders. I have a hard time believing that. An awful lot of my > connections are dropped based on invalid forged from, but an awful lot > of them are also based on valid forged froms, and directed to invalid > recipients in my domain. > Here's how I *think* the BorderWare product works. When an email comes in for a valid recipient, it reports the server's IP and gives it 1 point in the "good" column and sends this back to the mothership, and vice versa. I don't think for a second that they know about all of my server's lookups, but that they know the % of lookups that are done. > That said, if this is what Borderware is doing, we can only hope they > don't start autoreporting to the RBLs... > Yes, certainly a concern of mine as well. Chris From raymond at prolocation.net Thu Mar 22 23:42:18 2007 
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Date: Thu Mar 22 22:49:25 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <200703222203.l2MM3wig030176@mail.deniscroombs.org>
References: <200703222203.l2MM3wig030176@mail.deniscroombs.org>
Message-ID:

Hi!

>> That's interesting. Can you explain your position?

> Over 90% of the email that the 200+ domains I protect is spam from spoofed
> email addresses, why should I send an email to these poor sods who have had
> their email address spoofed just to fill up their email inbox.
> As far as I am concerned it is a joke system that compounds the spam issue.

Fill up their mailbox? Perhaps I am missing the point completely, but
this isn't what our sender verification does. It CHECKS with a test on
the remote mailserver, it doesn't fill up mailboxes. Why do you think it
will fill up mailboxes? It doesn't SEND mail, it's just a check/test.

I think you completely misunderstand what it's supposed to do, or am I?

Bye,
Raymond.

From itdept at fractalweb.com Thu Mar 22 23:50:32 2007
From: itdept at fractalweb.com (Chris Yuzik) Date: Thu Mar 22 22:57:52 2007 Subject: IP address reputation, BorderWare In-Reply-To: <46030348.70100@yeticomputers.com> References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> <4602FAAA.20009@fractalweb.com> <46030348.70100@yeticomputers.com> Message-ID: <46030838.60809@fractalweb.com> Rick Chadderdon wrote: > > I get the feeling that Denis is thinking of various challenge/response > methods like TMDA, which I also refuse to work with. I, however, also > don't like address verification for the same reason that I don't like > bogus spam and virus bounces - you're eating *my* bandwidth (and log > space, and cpu time, and SMTP connections, and...) up to make *your* job > easier. I don't like it when people "spread the load" indiscriminately > and to people who did not offer their resources. If you get a > dictionary spam flood from someone forging one of my domains, I get a > connection flood from you while your system tries to validate those > thousands of bogus addresses. Uncool and unwelcome. Likely to get your > domain blacklisted, at least temporarily, by me. Not sure how other > people handle it, but that's why I won't use sender address verification. > Rick, I see your point. Perhaps it depends on the order with which these checks happen. My understanding is that our servers don't do SAV unless the inbound message is for a real recipient (or alias). We prohibit the use of a "catch-all" alias, so a dictionary attack on our server won't really have much effect on you. Or am I wrong (we use SMF-SAV with Sendmail)? If I'm wrong, and the milter initiates a verification even before checking to see if a recipient exists, then I may have to re-evaluate our stance. What do you think? Chris From matt at coders.co.uk Thu Mar 22 23:57:38 2007 
From: matt at coders.co.uk (Matt Hampton)
Date: Thu Mar 22 23:04:50 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <46030838.60809@fractalweb.com>
References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> <4602FAAA.20009@fractalweb.com> <46030348.70100@yeticomputers.com> <46030838.60809@fractalweb.com>
Message-ID: <460309E2.7060608@coders.co.uk>

Chris Yuzik wrote:

> My understanding is that our servers don't do SAV unless the inbound
> message is for a real recipient (or alias). We prohibit the use of a
> "catch-all" alias, so a dictionary attack on our server won't really
> have much effect on you. Or am I wrong (we use SMF-SAV with Sendmail)?
> If I'm wrong, and the milter initiates a verification even before
> checking to see if a recipient exists, then I may have to re-evaluate
> our stance.

You are wrong! The standard version does the checks at MAIL FROM stage.

I am currently re-writing smf-sav to do exactly what you have suggested.
It should be completed tomorrow....

Contact me off list if you are interested...

matt

From raymond at prolocation.net Thu Mar 22 23:58:13 2007
From: raymond at prolocation.net (Raymond Dijkxhoorn) Date: Thu Mar 22 23:05:19 2007 Subject: IP address reputation, BorderWare In-Reply-To: <46030838.60809@fractalweb.com> References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> <4602FAAA.20009@fractalweb.com> <46030348.70100@yeticomputers.com> <46030838.60809@fractalweb.com> Message-ID: Hi! > I see your point. Perhaps it depends on the order with which these checks > happen. > > My understanding is that our servers don't do SAV unless the inbound message > is for a real recipient (or alias). We prohibit the use of a "catch-all" > alias, so a dictionary attack on our server won't really have much effect on > you. Or am I wrong (we use SMF-SAV with Sendmail)? If I'm wrong, and the > milter initiates a verification even before checking to see if a recipient > exists, then I may have to re-evaluate our stance. We do the same, only check on valid users ... on our end, then check the remote. Bye, Raymond. From ssilva at sgvwater.com Thu Mar 22 23:57:58 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Mar 22 23:05:42 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org><4602FAAA.20009@fractalweb.com> Message-ID: Kevin Miller spake the following on 3/22/2007 3:30 PM: > Scott Silva wrote: > >> While I don't think that it is as bad as spammers, it does seem like >> throwing gasoline on the fire. Say I get 1000 bad addresses. I have >> just doubled that by verifying. If I got one million, now there is 2 >> million. And you aren't punishing the spammer. You are punishing the >> poor server that was spoofed. > > Granted, it's not optimal, but I think it's the lesser of various evils. > What I can't fathom is why so many companies (even big ones like AOL) > bounce spam, or send NDRs to the forged from. I'd much rather my server > receive a recipient verification request, than an NDR to one of my users > that clearly didn't send the original. Sigh. > >> There needs to be a smart verifier that does a dns lookup first to >> see if the mail even came from a valid ip address for that domain >> BEFORE it even considers doing a verify. That would drop a lot of the >> crap without punishing poor Mr. Innocent's server. > > You mean like, er, SPF? > > > ...Kevin Yes ... like SPF but without all the people who have ~all in their records! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From Kevin_Miller at ci.juneau.ak.us Fri Mar 23 00:00:34 2007 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Thu Mar 22 23:07:37 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <460303D5.8070906@yeticomputers.com>
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com>
Message-ID:

Rick Chadderdon wrote:
> Kevin Miller wrote:
>> If I can spend a nickel to not have to spend a dime it's worth it
>> every time...
>>
>
> The problem comes when you start spending my nickels without asking.
> Which is exactly what sender address verification does.
>
> Rick

It depends on the spam flood. SMF-SAV caches the lookups, so if the from
address is reused on the inbounds, it only has to do a single lookup. If
they use a new from username, then yeah, your server gets pinged
multiple times. But the thing is, if spam is dropped before it is sent,
it diminishes "internet background noise". You benefit from that, along
with everybody else. It's an indirect benefit, but quite real
none-the-less.

For instance, today I've received over 200 MB of mail. Borrowing the 87%
figure from Chris' original post, that means I'd reject out of hand
around 174 MB of spam. And I'm small fry. Don't know how many packets I
injected on to the network but I bet it's in the KB range, not MB range.
We all pay a little, and receive a greater synergistic common good...

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From Kevin_Miller at ci.juneau.ak.us Fri Mar 23 00:03:12 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Mar 22 23:10:12 2007 Subject: IP address reputation, BorderWare In-Reply-To: <460309E2.7060608@coders.co.uk> References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> <4602FAAA.20009@fractalweb.com> <46030348.70100@yeticomputers.com><46030838.60809@fractalweb.com> <460309E2.7060608@coders.co.uk> Message-ID: Matt Hampton wrote: > Chris Yuzik wrote: > >> My understanding is that our servers don't do SAV unless the inbound >> message is for a real recipient (or alias). We prohibit the use of a >> "catch-all" alias, so a dictionary attack on our server won't really >> have much effect on you. Or am I wrong (we use SMF-SAV with >> Sendmail)? If I'm wrong, and the milter initiates a verification >> even before checking to see if a recipient exists, then I may have >> to re-evaluate our stance. > > > You are wrong! The standard version does the checks at MAIL FROM > stage. > > I am currently re-writing smf-sav to do exactly what you have > suggested. It should be completed tomorrow.... > > Contact me off list if you are interested... Are you going to let Eugene know - or send the patch back to him? Perhaps he could make it a configurable option. Simple case statement and a .conf flag outta be pretty easy to implement. ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From Kevin_Miller at ci.juneau.ak.us Fri Mar 23 00:04:45 2007 
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Thu Mar 22 23:11:47 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org><4602FAAA.20009@fractalweb.com> Message-ID: Scott Silva wrote: > Yes ... like SPF but without all the people who have ~all in their > records! I've never understood that. Mine are all hard fails. Soft fails are for people that are soft in the head, me thinks. Oh well. Quittin' time... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From ssilva at sgvwater.com Fri Mar 23 00:23:00 2007 From: ssilva at sgvwater.com (Scott Silva) Date: Thu Mar 22 23:30:29 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org><4602FAAA.20009@fractalweb.com> Message-ID: Kevin Miller spake the following on 3/22/2007 4:04 PM: > Scott Silva wrote: >> Yes ... like SPF but without all the people who have ~all in their >> records! > > I've never understood that. Mine are all hard fails. Soft fails are > for people that are soft in the head, me thinks. > > Oh well. Quittin' time... > > > ...Kevin If you have access to update the spf record, you should at least know which IP addresses you send mail from! I think it is just fear that they will miss something. So have soft-fails for 30 days or something, and then go back and fix it. I wish it was quitting time... Gotta stay after and install a 3ware raid card. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From res at ausics.net Fri Mar 23 00:35:48 2007 
From: res at ausics.net (Res) Date: Thu Mar 22 23:43:25 2007 Subject: OT: IP address reputation, BorderWare In-Reply-To: <4602F774.2030007@fractalweb.com> References: <4602F774.2030007@fractalweb.com> Message-ID: On Thu, 22 Mar 2007, Chris Yuzik wrote: > So I phoned the company and talked to some sales guy about this. After > looking up our IP and talking with me, he told me that it's a bad idea to > have our server "perform these actions". I went over some stats with him and The key here, you spoke to a salesman. Many ISPs are doing this and it upsets their stats so of course they don't want you to use it. Word gets around that it does this, more people will shy away from their product, they don't care at all about you protecting your users...unless you buy and use their product. Keep using the milter. -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Fri Mar 23 00:43:44 2007 
From: res at ausics.net (Res) Date: Thu Mar 22 23:51:05 2007 Subject: IP address reputation, BorderWare In-Reply-To: <4603035F.9060107@fractalweb.com> References: <4602FAAA.20009@fractalweb.com> <200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <4603035F.9060107@fractalweb.com> Message-ID: On Thu, 22 Mar 2007, Chris Yuzik wrote: > Gerard Seibert wrote: >> There was a discussion on the postfix forum a few days ago that concurred >> with your thesis. I personally never employ it myself. A waste of time >> and bandwidth in my humble opinion. >> > Since we use Sendmail exclusively, I'm afraid I don't follow the Postfix > forums. > > I'm not sure about the bandwidth, shouldn't be much more than a few > bytes...perhaps equivalent to a DNS query or two. As for the time delay, That's exactly all it is like. On cheap nasty setups I've done, with multi front ends talking to one backend using milter-ahead type setups. It's the EXACT same principle, and uses less than a couple of kilobytes per second, that's with well over a million emails a day, so I can't see how it's going to hurt ANYONE. Except maybe annoy the paranoid daily log reading admins having larger logs to sift through :) -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From itdept at fractalweb.com Fri Mar 23 00:54:47 2007 
From: itdept at fractalweb.com (Chris Yuzik) Date: Fri Mar 23 00:02:06 2007 Subject: OT: IP address reputation, BorderWare In-Reply-To: References: <4602F774.2030007@fractalweb.com> Message-ID: <46031747.9000000@fractalweb.com> Res wrote: > The key here, you spoke to a salesman. Heh. It could have been worse...I might have talked to a marketing guy. ;-) > Many ISPs are doing this and it upsets their stats so of course they > don't want you to use it. Word gets around that it does this, more > people will shy away from their product, they don't care at all about > you protecting your users...unless you buy and use their product. > > Keep using the milter. Apparently, Matt is working on a modification to SMF-SAV that will change the order of the checks so that the sender is only verified IF they're sending to a real recipient on our end. As soon as that comes out, we'll implement that. Cheers, Chris PS - I really like how "to the point" you are. :-) From res at ausics.net Fri Mar 23 01:21:04 2007 
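Added example, not part of the thread and not smf-sav's code: a small Python model of the two check orders discussed above (verify the sender at MAIL FROM versus only after the recipient is known to exist), with and without the lookup cache Kevin mentions. The local user table, the envelopes and the set of remote mailboxes are constructed sample data, and the class and function names are hypothetical.

```python
"""Constructed model: how many SMTP callouts sender address verification (SAV)
sends to third-party servers, depending on check order and caching.
Illustration only; this is not smf-sav code and all names/data are made up."""
from collections import Counter

# Constructed local user table (no catch-all alias, as in the thread).
LOCAL_RECIPIENTS = {"alice@example.org", "bob@example.org"}

# Constructed view of which remote mailboxes really exist. In a real
# deployment this answer comes from an SMTP callout to the sender's MX.
REMOTE_MAILBOXES = {"real@partner.example"}

# Constructed inbound envelopes (MAIL FROM, RCPT TO): a small spam run with
# forged senders at victim.example plus two legitimate messages.
ENVELOPES = [
    ("joe@victim.example", "alice@example.org"),
    ("ann@victim.example", "nosuch1@example.org"),
    ("ann@victim.example", "nosuch2@example.org"),
    ("tom@victim.example", "nosuch3@example.org"),
    ("real@partner.example", "bob@example.org"),
    ("real@partner.example", "alice@example.org"),
    ("sue@victim.example", "nosuch4@example.org"),
    ("joe@victim.example", "bob@example.org"),
]


class SavModel:
    """Decides accept/reject per envelope and records every callout made."""

    def __init__(self, verify_stage, use_cache=True):
        if verify_stage not in ("mail_from", "rcpt_to"):
            raise ValueError("verify_stage must be 'mail_from' or 'rcpt_to'")
        self.verify_stage = verify_stage
        self.use_cache = use_cache
        self.cache = {}      # sender -> bool, result of an earlier callout
        self.callouts = []   # every sender we bothered a remote server about

    def _callout(self, sender):
        # Stand-in for connecting to the sender's mail server.
        self.callouts.append(sender)
        return sender in REMOTE_MAILBOXES

    def sender_ok(self, sender):
        if self.use_cache and sender in self.cache:
            return self.cache[sender]
        ok = self._callout(sender)
        if self.use_cache:
            self.cache[sender] = ok
        return ok

    def handle(self, sender, rcpt):
        if self.verify_stage == "mail_from":
            # Sender is verified before the recipient is even looked at.
            if not self.sender_ok(sender):
                return "reject-sender"
            return "accept" if rcpt in LOCAL_RECIPIENTS else "reject-recipient"
        # rcpt_to: unknown local recipients are refused with no callout at all.
        if rcpt not in LOCAL_RECIPIENTS:
            return "reject-recipient"
        return "accept" if self.sender_ok(sender) else "reject-sender"


def run(verify_stage, use_cache=True, envelopes=ENVELOPES):
    """Replay the envelopes and summarise callout volume and outcomes."""
    model = SavModel(verify_stage, use_cache)
    outcomes = Counter(model.handle(s, r) for s, r in envelopes)
    to_victim = sum(1 for s in model.callouts if s.endswith("@victim.example"))
    return {"callouts": len(model.callouts),
            "to_victim": to_victim,
            "outcomes": dict(outcomes)}


if __name__ == "__main__":
    for stage in ("mail_from", "rcpt_to"):
        for cache in (False, True):
            print(stage, "cache" if cache else "no-cache", run(stage, cache))
```

In this sample both orders accept the same two messages; what changes is how often the forged domain's server is contacted.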
From: res at ausics.net (Res) Date: Fri Mar 23 00:28:22 2007 Subject: OT: IP address reputation, BorderWare In-Reply-To: <46031747.9000000@fractalweb.com> References: <4602F774.2030007@fractalweb.com> <46031747.9000000@fractalweb.com> Message-ID: On Thu, 22 Mar 2007, Chris Yuzik wrote: > Res wrote: >> The key here, you spoke to a salesman. > Heh. It could have been worse...I might have talked to a marketing guy. ;-) >> Many ISPs are doing this and it upsets their stats so of course they don't >> want you to use it. Word gets around that it does this, more people will >> shy away from their product, they don't care at all about you protecting >> your users...unless you buy and use their product. >> >> Keep using the milter. > Apparently, Matt is working on a modification to SMF-SAV that will change the > order of the checks so that the sender is only verified IF they're sending to > a real recipient on our end. As soon as that comes out, we'll implement that. > > Cheers, > Chris > > PS - I really like how "to the point" you are. :-) > > hehehe, I don't beat about the bush, also no point in saying the exact same thing in 700 words that can be said in 100 :) I've always been a straight shooter, even my enemies respect that, because they know I call it how I see it, and they know where they stand with me. They don't call me the evil bunny for nothing :) -- Cheers Res Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From dave.list at pixelhammer.com Fri Mar 23 05:11:56 2007 
From: dave.list at pixelhammer.com (DAve) Date: Fri Mar 23 04:20:07 2007 Subject: OT: IP address reputation, BorderWare In-Reply-To: <46031747.9000000@fractalweb.com> References: <4602F774.2030007@fractalweb.com> <46031747.9000000@fractalweb.com> Message-ID: <4603538C.7000603@pixelhammer.com> Chris Yuzik wrote: > Res wrote: >> The key here, you spoke to a salesman. > Heh. It could have been worse...I might have talked to a marketing guy. ;-) >> Many ISPs are doing this and it upsets their stats so of course they >> don't want you to use it. Word gets around that it does this, more >> people will shy away from their product, they don't care at all about >> you protecting your users...unless you buy and use their product. >> >> Keep using the milter. > Apparently, Matt is working on a modification to SMF-SAV that will > change the order of the checks so that the sender is only verified IF > they're sending to a real recipient on our end. As soon as that comes > out, we'll implement that. > Does anyone know how greylisting affects milter-sav? What happens when I send an email to you and you attempt to verify me, and I greylist your attempt? You surely don't try to hold my delivery connection for 5 minutes waiting to try again, do you? If you refuse the delivery, I'll try again later and the whole cycle would begin anew because without a successful connection within a specified time, you will never make it into my whitelist, correct? DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From dave.list at pixelhammer.com Fri Mar 23 05:24:09 2007 
From: dave.list at pixelhammer.com (DAve) Date: Fri Mar 23 04:32:10 2007 Subject: OT: IP address reputation, BorderWare In-Reply-To: <4603538C.7000603@pixelhammer.com> References: <4602F774.2030007@fractalweb.com> <46031747.9000000@fractalweb.com> <4603538C.7000603@pixelhammer.com> Message-ID: <46035669.8060405@pixelhammer.com> DAve wrote: > Chris Yuzik wrote: >> Res wrote: >>> The key here, you spoke to a salesman. >> Heh. It could have been worse...I might have talked to a marketing >> guy. ;-) >>> Many ISPs are doing this and it upsets their stats so of course they >>> don't want you to use it. Word gets around that it does this, more >>> people will shy away from their product, they don't care at all about >>> you protecting your users...unless you buy and use their product. >>> >>> Keep using the milter. >> Apparently, Matt is working on a modification to SMF-SAV that will >> change the order of the checks so that the sender is only verified IF >> they're sending to a real recipient on our end. As soon as that comes >> out, we'll implement that. >> > > Does anyone know how greylisting affects milter-sav? What happens when I > send an email to you and you attempt to verify me, and I greylist your > attempt? You surely don't try to hold my delivery connection for 5 > minutes waiting to try again, do you? > > If you refuse the delivery, I'll try again later and the whole cycle > would begin anew because without a successful connection within a > specified time, you will never make it into my whitelist, correct? > > DAve > Hmm, likely questions for the SMF-SAV list, but looking through my MW current messages I wonder how SMF-SAV handles the many messages from web forms my users get, IE "nobody@some-webserver.com"? (I am constantly needling our developers to fix those when I see them. 
I flat refuse to turn up a new website until I can reply to anything that comes off a webform ;^) DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From liz at indract.freeserve.co.uk Fri Mar 23 09:02:12 2007 From: liz at indract.freeserve.co.uk (Francies Moore) Date: Fri Mar 23 08:14:00 2007 Subject: More good news on Julian Message-ID: <46038984.8000103@indract.freeserve.co.uk> Thanks, Tim. Wonderful news. Looks like everyone's prayers and good wishes are answered! All the best to Julian for a speedy recovery and look forward to his return online when he is ready. Best regards, Francies From P.G.M.Peters at utwente.nl Fri Mar 23 09:55:20 2007 
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Fri Mar 23 09:02:37 2007 Subject: IP address reputation, BorderWare In-Reply-To: <4603035F.9060107@fractalweb.com> References: <4602FAAA.20009@fractalweb.com> <200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <4603035F.9060107@fractalweb.com> Message-ID: <460395F8.2030707@utwente.nl> Chris Yuzik wrote on 22-3-2007 23:29: > Gerard Seibert wrote: >> There was a discussion on the postfix forum a few days ago that concurred >> with your thesis. I personally never employ it myself. A waste of time >> and bandwidth in my humble opinion. >> > Since we use Sendmail exclusively, I'm afraid I don't follow the Postfix > forums. > > I'm not sure about the bandwidth, shouldn't be much more than a few > bytes...perhaps equivalent to a DNS query or two. As for the time delay, > we're not noticing any delay. According to our logs, most of this > happens within the very second the mail gets to our server; a fraction > of a second (or even a couple of seconds) delay is certainly worth it, > IMHO. It can take a lot of time if spammers start to use domains pointing to servers that are not responding. Your server will time out eventually but it keeps your connections open. It could act as a DDoS against your mailserver. -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe From P.G.M.Peters at utwente.nl Fri Mar 23 09:58:09 2007 
From: P.G.M.Peters at utwente.nl (Peter Peters) Date: Fri Mar 23 09:05:26 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org><4602FAAA.20009@fractalweb.com> Message-ID: <460396A1.2050808@utwente.nl> Kevin Miller wrote on 23-3-2007 0:04: > Scott Silva wrote: >> Yes ... like SPF but without all the people who have ~all in their >> records! > > I've never understood that. Mine are all hard fails. Soft fails are > for people that are soft in the head, me thinks. Some organizations allow their users to use the e-mail addresses outside the organization. And spammers start to use SPF too. They control the sending hosts. They control the nameservers. Why not control the SPF too? -- Peter Peters, senior beheerder (Security) Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit Twente, Postbus 217, 7500 AE Enschede telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe From martinh at solidstatelogic.com Fri Mar 23 10:26:28 2007 
From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Fri Mar 23 09:33:54 2007 Subject: upgraded mailscanner, no more quarantine In-Reply-To: <643717827D2BED469D39BE81B4AD635A1B558E@exchange.lake.k12.ca.us> Message-ID: Blaze Where's the old stuff then???? Odd Make sure /var/spool/MailScanner/quarantine isn't a sym link to somewhere else. Make sure the user you're running as (eg postfix or mailnull) can write to that dir. Also make I'd say the perms should be 640 at minimum, otherwise the apache group won't be able to read the files/dirs! You can run in debug mode and see what happens... su - -c "/MailScanner -debug" and see if it's complaining about anything on the quarantine.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Blaze King > Sent: 22 March 2007 19:08 > To: mailscanner@lists.mailscanner.info > Subject: upgraded mailscanner, no more quarantine > > Hey I'm a long time mailscanner user, but this is my first post to the > list. I recently upgraded to 4.58.9-1 on my rhel3 server. Since then, > nothing ends up in quarantine. Here's what I know... > > > > (/etc/MailScanner/MailScanner.conf) > > Quarantine Dir = /var/spool/MailScanner/quarantine > > Quarantine User = root > > Quarantine Group = apache (I'm using mailwatch) > > Quarantine Permissions = 0600 > > Quarantine Infections = yes > > Quarantine Whole Message = yes > > Quarantine Whole Messages As Queue Files = no > > > > [root@mail MailScanner]# ll /var/spool/MailScanner/quarantine > > total 0 > > > > Any suggestions? Thanks! > > > > Blaze King > > Senior Network Administrator > > Lake County Office of Education > > (707) 262-4147 > > ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. 
Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From dhawal at netmagicsolutions.com Fri Mar 23 11:54:26 2007 From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Fri Mar 23 11:01:57 2007 Subject: IP address reputation, BorderWare In-Reply-To: <20070322181247.99D6.GERARD@seibercom.net> References: <4602FAAA.20009@fractalweb.com> <200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> Message-ID: <4603B1E2.8040801@netmagicsolutions.com> Gerard Seibert wrote: > On Thursday March 22, 2007 at 06:02:19 (PM) Denis Croombs wrote: > >>> That's interesting. Can you explain your position? >>> >> Over 90% of the email that the 200+ domains I protect is spam from spoofed >> email addresses, why should I send an email to these poor sods who have had >> their email address spoofed just to fill up their email inbox. >> As far as I am concerned it is a joke system that compounds the spam issue. > > There was a discussion on the postfix forum a few days ago that concurred > with your thesis. I personally never employ it myself. A waste of time > and bandwidth in my humble opinion. To add further if you are a really low traffic (< a few thousand mails a day) sender verification is a probable option else don't even think about it.. Also there are some sites that might blacklist you for repeated sender verification. Finally sender verification fails with sites like yahoo who will accept any address in the 'helo/mailfrom/rcptto' part but will reject during 'data' From am.lists at gmail.com Fri Mar 23 11:55:51 2007 
From: am.lists at gmail.com (am.lists) Date: Fri Mar 23 11:03:06 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> <4602FAAA.20009@fractalweb.com> Message-ID: <25a66d840703230355j774d8988q6d50c8c53921186f@mail.gmail.com> On 3/22/07, Kevin Miller wrote: > Scott Silva wrote: > > Yes ... like SPF but without all the people who have ~all in their > > records! > > I've never understood that. Mine are all hard fails. Soft fails are > for people that are soft in the head, me thinks. > The problem with hard fails is the following scenario: You are on a website that has a "send to a friend" -- and it imitates your from address so that your "friend" recognizes the mail from you. I'm not sure I like it this way, but in some circumstances, on poorly designed sites, a -all would kill this message. Angelo From am.lists at gmail.com Fri Mar 23 12:00:38 2007 
From: am.lists at gmail.com (am.lists) Date: Fri Mar 23 11:07:53 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> <4602FAAA.20009@fractalweb.com> <46030348.70100@yeticomputers.com> <46030838.60809@fractalweb.com> Message-ID: <25a66d840703230400t5b2020ci102c4dba502a48dc@mail.gmail.com> On 3/22/07, Raymond Dijkxhoorn wrote: > Hi! > > > I see your point. Perhaps it depends on the order with which these checks > > happen. > > > > My understanding is that our servers don't do SAV unless the inbound message > > is for a real recipient (or alias). We prohibit the use of a "catch-all" > > alias, so a dictionary attack on our server won't really have much effect on > > you. Or am I wrong (we use SMF-SAV with Sendmail)? If I'm wrong, and the > > milter initiates a verification even before checking to see if a recipient > > exists, then I may have to re-evaluate our stance. > > We do the same, only check on valid users ... on our end, then check the > remote. > I'm running MS on a gateway box (using Postfix). I recently added recipient verification at the MTA after policyd. I figure that the difference in disk utilization (more for the verify.db) is offset by not quarantining junk to non-existent users and backscatter attacks. I think that with everything else I'm doing to protect my users, SAV isn't needed. But that's my $0.02 worth. Angelo From andoni.auzmendi at robertwalters.com Fri Mar 23 12:31:06 2007 
From: andoni.auzmendi at robertwalters.com (Andoni Auzmendi) Date: Fri Mar 23 11:39:53 2007 Subject: OT: IP address reputation, BorderWare Message-ID: <5450254EC7E7B54193C8AEFD904AA36325E57F@pat.internal.robertwalters.com> In defense of sender address verification technique I would like to point out that the root of the cause is the spammers for forging the sender address. I think it wastes fewer resources to receive connections to verify senders than receiving NDRs with sometimes attached messages. At the end of the day the forged address domain mail servers will suffer whether they like it or not. Andoni -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve Sent: 22 March 2007 22:34 To: MailScanner discussion Subject: Re: OT: IP address reputation, BorderWare Chris Yuzik wrote: > Hi Everyone, > > While this is slightly off topic, it's likely of interest to most of us > here. > > Today I attended a webinar on fighting image spam which was put on by a > company called BorderWare. BorderWare makes rack-mount antispam devices, > amongst other things. The webinar was pretty good and had some great > statistics and such. One of the themes of the discussion was "reputation > analysis" where they say that not only should we check a sender's IP > address to see if it's blacklisted, but also should check what that IP's > track record is--for viruses, spam, malformed messages, etc. You can > manually do this yourself at bsn.borderware.com. > > Here's the interesting/disturbing part: when I looked up our "brand > spankin new" mail server's IP address, I see we're not doing so well and > that 87.5% of all our mail is to bad recipients. After getting up off of > the floor and sitting back down in my chair, I started going over > things. Have we been compromised? Is there a bad PHP script somewhere? > Did our hosting provider give us an IP that was formerly used by a > spammer? No to all questions. > > Turns out, it's the sender address verification milter we've got running > at the MTA level. I ran a couple of reports that indicate that yes, > about 87% of inbound email never makes it in to the inbound queue, so > their data is correct. Obviously, in order to verify that an address > exists, our server initiates an email to the recipient's mail server and > finds out immediately that either the user is rejected or the system is > going to accept an email for that user, and based on that information, > we either allow the message in to the inbound queue for further > processing or reject it. 
> > As a result of all of this, BorderWare's network of appliances out there > that all report our server's activity back to the mothership that sees > all these bad recipients and gives our server a less than stellar report > indicating that we're likely spamming. Not good. > > So I phoned the company and talked to some sales guy about this. After > looking up our IP and talking with me, he told me that it's a bad idea > to have our server "perform these actions". I went over some stats with > him and explained why it's so important that we do the address > verification and that furthermore, their system shouldn't be penalizing > white-hat mail servers that are actively protecting their users from bad > stuff. At first he said that perhaps this is just a difference in > philosophy, but at the end agreed to go talk with someone and get back > to me. I suggested that there are a lot of mail servers that do sender > address verification, and they're unlikely to stop using this incredibly > powerful tool just because BorderWare thinks that it's a bad idea. My > hope is that they'll either remove this from their scoring system or > change their weighting formula. > > What do you guys (and gals) think? > > Cheers, > Chris > If one of my users gets Joe Jobbed, and I see a few thousand connections coming my way to see if their account exists, never intending to deliver anything, I *will* block you. If my greylisting doesn't break your sender verification first. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com ********************************************************************** From daniel at danielf.ch Fri Mar 23 13:51:34 2007 From: daniel at danielf.ch (Daniel Fuhrer) Date: Fri Mar 23 12:58:57 2007 Subject: Mails not processed Message-ID: <96EF3FB3C374A64187CCB0D0DA716F2446A9@idefix.danielf.local> Hi all I have the following problem. In the logfile is a entry like: SpamAssassin cache hit for message l2J1GmG0001768 But the mail will not be processed. That fills up my queue and mailscanner always tries to process them until I move the mail away. Any Ideas what's going on? I have MailScanner version 4.58.9 And the version 3.001008 the module Mail::SpamAssassin On a FreeBSD Box 5.5-RELEASE-p8 and Sendmail 8.14.0/8.13.6 Thanks for your help From martinh at solidstatelogic.com Fri Mar 23 14:07:23 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Fri Mar 23 13:14:41 2007 Subject: Mails not processed In-Reply-To: <96EF3FB3C374A64187CCB0D0DA716F2446A9@idefix.danielf.local> Message-ID: <23ec4360fef74a47a2935bd2aa99a77d@solidstatelogic.com> Dan Make sure you've got the Lock Type in MailScanner.conf set to 'blank'. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Daniel Fuhrer > Sent: 23 March 2007 12:52 > To: Mailscanner > Subject: Mails not processed > > Hi all > > I have the following problem. In the logfile is a entry like: > > SpamAssassin cache hit for message l2J1GmG0001768 > > But the mail will not be processed. That fills up my queue and mailscanner > always tries to process them until I move the mail away. > > Any Ideas what's going on? > > > > I have MailScanner version 4.58.9 > > And the version 3.001008 the module Mail::SpamAssassin > > On a FreeBSD Box 5.5-RELEASE-p8 and Sendmail 8.14.0/8.13.6 > > > > Thanks for your help From matt at coders.co.uk Fri Mar 23 14:08:20 2007 
From: matt at coders.co.uk (Matt Hampton) Date: Fri Mar 23 13:15:44 2007 Subject: Mails not processed In-Reply-To: <96EF3FB3C374A64187CCB0D0DA716F2446A9@idefix.danielf.local> References: <96EF3FB3C374A64187CCB0D0DA716F2446A9@idefix.danielf.local> Message-ID: <4603D144.6030508@coders.co.uk> Daniel Fuhrer wrote: > Hi all > > I have the following problem. In the logfile is a entry like: > > SpamAssassin cache hit for message l2J1GmG0001768 > > But the mail will not be processed. That fills up my queue and > mailscanner always tries to process them until I move the mail away. > > Any Ideas what's going on? > Try running MailScanner in the foreground with debugging turned on and see what happens matt From daniel at danielf.ch Fri Mar 23 15:22:37 2007 From: daniel at danielf.ch (Daniel Fuhrer) Date: Fri Mar 23 14:29:59 2007 Subject: AW: Mails not processed In-Reply-To: <23ec4360fef74a47a2935bd2aa99a77d@solidstatelogic.com> References: <96EF3FB3C374A64187CCB0D0DA716F2446A9@idefix.danielf.local> <23ec4360fef74a47a2935bd2aa99a77d@solidstatelogic.com> Message-ID: <96EF3FB3C374A64187CCB0D0DA716F2446AA@idefix.danielf.local> Hi Martin Thanks for the quick answer. The Lock Type in the config is empty. This exception happens only on some mails. When I copy them to another mailscanner it will be processed (most of them). I tried to copy the config from the other machine. But that didn't help. Cheers Daniel -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin.Hepworth Sent: Friday, 23 March 2007 14:07 To: Mailscanner Subject: RE: Mails not processed Dan Make sure you've got the Lock Type in MailScanner.conf set to 'blank'. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
-- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From daniel at danielf.ch Fri Mar 23 15:28:27 2007
From: daniel at danielf.ch (Daniel Fuhrer) Date: Fri Mar 23 14:35:48 2007 Subject: AW: Mails not processed In-Reply-To: <4603D144.6030508@coders.co.uk> References: <96EF3FB3C374A64187CCB0D0DA716F2446A9@idefix.danielf.local> <4603D144.6030508@coders.co.uk> Message-ID: <96EF3FB3C374A64187CCB0D0DA716F2446AB@idefix.danielf.local> Hi Matt Thanks for the quick answer. How can I do that? I'm new on MailScanner. I didn't find any option in the config file. Did I overlook it? Cheers Daniel From matt at coders.co.uk Fri Mar 23 15:31:42 2007
From: matt at coders.co.uk (Matt Hampton) Date: Fri Mar 23 14:39:06 2007 Subject: AW: Mails not processed In-Reply-To: <96EF3FB3C374A64187CCB0D0DA716F2446AB@idefix.danielf.local> References: <96EF3FB3C374A64187CCB0D0DA716F2446A9@idefix.danielf.local> <4603D144.6030508@coders.co.uk> <96EF3FB3C374A64187CCB0D0DA716F2446AB@idefix.danielf.local> Message-ID: <4603E4CE.8090706@coders.co.uk> Daniel Fuhrer wrote: > Hi Matt > Thanks for the quick answer. > How can I do that? I'm new on MailScanner. I didn't find any option in the config file. Did I overlook it? > > Cheers > Daniel stop mailscanner and then run it as /path/to/MailScanner --debug matt From daniel at danielf.ch Fri Mar 23 15:38:30 2007
From: daniel at danielf.ch (Daniel Fuhrer) Date: Fri Mar 23 14:45:52 2007 Subject: AW: Mails not processed In-Reply-To: <96EF3FB3C374A64187CCB0D0DA716F2446AB@idefix.danielf.local> References: <96EF3FB3C374A64187CCB0D0DA716F2446A9@idefix.danielf.local><4603D144.6030508@coders.co.uk> <96EF3FB3C374A64187CCB0D0DA716F2446AB@idefix.danielf.local> Message-ID: <96EF3FB3C374A64187CCB0D0DA716F2446AC@idefix.danielf.local> Hi Matt Sorry for this post. I found the option. I get the following output.
Use of uninitialized value in concatenation (.) or string at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1052.
Line 1052 is: dbg("config: read_scoreonly_config: cannot open \"$filename\": $!");
Ignore errors about failing to find EOCD signature
/usr/local/bin/clamscan: unrecognized option `--unarj'
ERROR: Unknown option passed.
ERROR: Can't parse the command line
But that seems to be another "problem". Mailscanner processes these Mails anyway. What can that be? Cheers Daniel From taz at taz-mania.com Fri Mar 23 16:18:36 2007
From: taz at taz-mania.com (Dennis Willson) Date: Fri Mar 23 15:27:17 2007 Subject: OT: IP address reputation, BorderWare In-Reply-To: <4603538C.7000603@pixelhammer.com> References: <4602F774.2030007@fractalweb.com> <46031747.9000000@fractalweb.com> <4603538C.7000603@pixelhammer.com> Message-ID: <4603EFCC.1030707@taz-mania.com> Why yes, I know how SAV handles greylisting. When SAV receives a temp failure, SAV returns a temp failure. A real mail server will try again later which will cause SAV to verify again when the sending server retries. This works just fine. However, if you run greylisting too, this adds a double delay on the delivery of the email. I can live with that. DAve wrote: > Chris Yuzik wrote: >> Res wrote: >>> The key here, you spoke to a salesman. >> Heh. It could have been worse...I might have talked to a marketing >> guy. ;-) >>> Many ISPs are doing this and it upsets their stats so of course >>> they don't want you to use it. Word gets around that it does this, >>> more people will shy away from their product, they don't care at all >>> about you protecting your users...unless you buy and use their product. >>> >>> Keep using the milter. >> Apparently, Matt is working on a modification to SMF-SAV that will >> change the order of the checks so that the sender is only verified IF >> they're sending to a real recipient on our end. As soon as that comes >> out, we'll implement that. >> > > Does anyone know how greylisting affects milter-sav? What happens when > I send an email to you and you attempt to verify me, and I greylist > your attempt? You surely don't try to hold my delivery connection for > 5 minutes waiting to try again do you? > > If you refuse the delivery, I'll try again later and the whole cycle > would begin anew because without a successful connection within a > specified time, you will never get make it into my whitelist correct?
> > DAve > -- -------------------------------------------------- Dennis Willson taz@taz-mania.com http://www.taz-mania.com Ham (Extra Class): KA6LSW GMRS : WQGF680 Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!" From blaze at lake.k12.ca.us Fri Mar 23 16:44:36 2007 From: blaze at lake.k12.ca.us (Blaze King) Date: Fri Mar 23 15:51:44 2007 Subject: upgraded mailscanner, no more quarantine In-Reply-To: References: <643717827D2BED469D39BE81B4AD635A1B558E@exchange.lake.k12.ca.us> Message-ID: <643717827D2BED469D39BE81B4AD635A1B55C9@exchange.lake.k12.ca.us> Ok I feel stupid. MailScanner's quarantine was working just fine... I thought it wasn't because nothing new was in quarantine since the upgrade. Well, when I just sent myself an unacceptable file (.bat), it was blocked and quarantined. I was testing the MailScanner with the "eicar" test virus, which it picked up and sent a notice to the postmaster e-mail account. While watching the maillog, no quarantine was ever attempted, so there was no error. Maybe the better question would be how do I modify what is quarantined and what isn't? I'll be looking through MailScanner's config again... Thanks! Blaze King Senior Network Administrator Lake County Office of Education (707) 262-4147 -----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Martin.Hepworth Sent: Friday, March 23, 2007 2:26 AM To: MailScanner discussion Subject: RE: upgraded mailscanner, no more quarantine Blaze Where's the old stuff then???? Odd Make sure /var/spool/MailScanner/quarantine isn't a symlink to somewhere else. Make sure the user you're running as (eg postfix or mailnull) can write to that dir. Also make I'd say the perms should be 640 at minimum, otherwise the apache group won't be able to read the files/dirs! You can run in debug mode and see what happens... su - -c "/MailScanner -debug" and see if it's complaining about anything on the quarantine.. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Blaze King > Sent: 22 March 2007 19:08 > To: mailscanner@lists.mailscanner.info > Subject: upgraded mailscanner, no more quarantine > > Hey I'm a long time mailscanner user, but this is my first post to the > list. I recently upgraded to 4.58.9-1 on my rhel3 server. Since then, > nothing ends up in quarantine. Here's what I know... > > > > (/etc/MailScanner/MailScanner.conf) > > Quarantine Dir = /var/spool/MailScanner/quarantine > > Quarantine User = root > > Quarantine Group = apache (I'm using mailwatch) > > Quarantine Permissions = 0600 > > Quarantine Infections = yes > > Quarantine Whole Message = yes > > Quarantine Whole Messages As Queue Files = no > > > > [root@mail MailScanner]# ll /var/spool/MailScanner/quarantine > > total 0 > > > > Any suggestions? Thanks! > > > > Blaze King > > Senior Network Administrator > > Lake County Office of Education > > (707) 262-4147 > > From ka at pacific.net Fri Mar 23 16:50:59 2007
From: ka at pacific.net (Ken A) Date: Fri Mar 23 15:58:14 2007 Subject: IP address reputation, BorderWare In-Reply-To: <460396A1.2050808@utwente.nl> References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org><4602FAAA.20009@fractalweb.com> <460396A1.2050808@utwente.nl> Message-ID: <4603F763.1070007@pacific.net> Peter Peters wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Kevin Miller wrote on 23-3-2007 0:04: >> Scott Silva wrote: >>> Yes ... like SPF but without all the people who have ~all in their >>> records! >> I've never understood that. Mine are all hard fails. Soft fails are >> for people that are soft in the head, me thinks. > > Some organizations allow their user to use the e-mail addresses outside > to organization. And spammers start to use SPF too. They control the > sending hosts. The control the nameservers. Why not control the SPF too? Exactly. How many DoS vectors do you want to give to ANYONE who connects to your mailserver. SAV is just one more fish in that kettle. It should be implemented VERY carefully. Ken A. Pacific.Net > - -- > Peter Peters, senior beheerder (Security) > Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) > Universiteit Twente, Postbus 217, 7500 AE Enschede > telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.2.2 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFGA5ahelLo80lrIdIRAgEbAKCI7mDV4YqZQAOKzpt7AYp0p/fYrwCfVFy2 > MHY8cfbRdzLmnQ6FDbdgfoA= > =Uh4K > -----END PGP SIGNATURE----- > From ka at pacific.net Fri Mar 23 16:52:38 2007 
From: ka at pacific.net (Ken A) Date: Fri Mar 23 15:59:53 2007 Subject: OT: IP address reputation, BorderWare In-Reply-To: <5450254EC7E7B54193C8AEFD904AA36325E57F@pat.internal.robertwalters.com> References: <5450254EC7E7B54193C8AEFD904AA36325E57F@pat.internal.robertwalters.com> Message-ID: <4603F7C6.8020200@pacific.net> Andoni Auzmendi wrote: > In defense on sender address verification technique I would like to > point out that the root of the cause is the spammers for forging the > sender address. I think it wastes fewer resources to receive connections > to verify senders than receiving NDRs with sometimes attached messages. > > At the end of the day the forged address domain mail servers will suffer > whether they like it or not. milter-null. Ken A. Pacific.Net > > Andoni > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve > Sent: 22 March 2007 22:34 > To: MailScanner discussion > Subject: Re: OT: IP address reputation, BorderWare > > Chris Yuzik wrote: >> Hi Everyone, >> >> While this is slightly off topic, it's likely of interest to most of us >> here. >> >> Today I attended a webinar on fighting image spam which was put on by a >> company called BorderWare. BorderWare makes rack-mount antispam devices, >> amongst other things. The webinar was pretty good and had some great >> statistics and such. One of the themes of the discussion was "reputation >> analysis" where they say that not only should we check a sender's IP >> address to see if it's blacklisted, but also should check what that IP's >> track record is--for viruses, spam, malformed messages, etc. You can >> manually do this yourself at bsn.borderware.com. >> >> Here's the interesting/disturbing part: when I looked up our "brand >> spankin new" mail server's IP address, I see we're not doing so well and >> that 87.5% of all our mail is to bad recipients. After getting up off of >> the floor and sitting back down in my chair, I started going over >> things. Have we been compromised? Is there a bad PHP script somewhere? >> Did our hosting provider give us an IP that was formerly used by a >> spammer? No to all questions. >> >> Turns out, it's the sender address verification milter we've got running >> at the MTA level. I ran a couple of reports that indicate that yes, >> about 87% of inbound email never makes it in to the inbound queue, so >> their data is correct.
Obviously, in order to verify that an address >> exists, our server initiates an email to the recipient's mail server and >> finds out immediately that either the user is rejected or the system is >> going to accept an email for that user, and based on that information, >> we either allow the message in to the inbound queue for further >> processing or reject it. >> >> As a result of all of this, BorderWare's network of appliances out there >> that all report our server's activity back to the mothership that sees >> all these bad recipients and gives our server a less than stellar report >> indicating that we're likely spamming. Not good. >> >> So I phoned the company and talked to some sales guy about this. After >> looking up our IP and talking with me, he told me that it's a bad idea >> to have our server "perform these actions". I went over some stats with >> him and explained why it's so important that we do the address >> verification and that furthermore, their system shouldn't be penalizing >> white-hat mail servers that are actively protecting their users from bad >> stuff. At first he said that perhaps this is just a difference in >> philosophy, but at the end agreed to go talk with someone and get back >> to me. I suggested that there are a lot of mail servers that do sender >> address verification, and they're unlikely to stop using this incredibly >> powerful tool just because BorderWare thinks that it's a bad idea. My >> hope is that they'll either remove this from their scoring system or >> change their weighting formula. >> >> What do you guys (and gals) think? >> >> Cheers, >> Chris >> > > If one of my users gets Joe Jobbed, and I see a few thousand connections > coming my way to see if their account exists, never intending to > deliver anything, I *will* block you. > > If my greylisting doesn't break your sender verification first. > > DAve > > From mailscanner at yeticomputers.com Fri Mar 23 17:22:26 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Fri Mar 23 16:29:49 2007 Subject: IP address reputation, BorderWare In-Reply-To: <46030838.60809@fractalweb.com> References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> <4602FAAA.20009@fractalweb.com> <46030348.70100@yeticomputers.com> <46030838.60809@fractalweb.com> Message-ID: <4603FEC2.3000004@yeticomputers.com> Chris Yuzik wrote: > Rick Chadderdon wrote: >> If you get a >> dictionary spam flood from someone forging one of my domains, I get a >> connection flood from you while your system tries to validate those >> thousands of bogus addresses. Uncool and unwelcome. > Rick, > > I see your point. Perhaps it depends on the order with which these > checks happen. > > My understanding is that our servers don't do SAV unless the inbound > message is for a real recipient (or alias). We prohibit the use of a > "catch-all" alias, so a dictionary attack on our server won't really > have much effect on you. Or am I wrong (we use SMF-SAV with Sendmail)? > If I'm wrong, and the milter initiates a verification even before > checking to see if a recipient exists, then I may have to re-evaluate > our stance. > > What do you think? I certainly appreciate the effort to minimize the impact of SAV on others. I am, however, somewhat of an absolutist when it comes to certain issues, and I don't like my resources used without my consent, in a way not required by the act of offering a given kind of resource to the world. Now, I suppose it all really boils down to the question of what "normal" use is. I'd probably not have a problem with SAV at all if it was part of the *standard* for email communications. Then it would just be something one had to deal with, and those verification floods would be just another thing to deal with - and blame on the bad guys. But it's not. Maybe it should be. If Matt makes the changes he spoke of, I'd be a lot less grumpy about the use of this milter. 
Still, if a large provider using SAV were dictionary-spammed with a joe-job of one of my users, I'd be sharing their pain, quite unwillingly, simply because of the number of valid addresses they'd hit. I *have* had days where my logs were so full of SAV junk that working with them was made far more painful than it needed to be. I also don't like the fact that my logs are full of portscans, but those guys don't step out where I can tell 'em how I feel. :) Rick From mailscanner at yeticomputers.com Fri Mar 23 17:22:23 2007 
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Fri Mar 23 16:29:50 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> Message-ID: <4603FEBF.3030401@yeticomputers.com> Kevin Miller wrote: > Rick Chadderdon wrote: > >> Kevin Miller wrote: >> >>> If I can spend a nickle to not have to spend a dime it's worth it >>> every time... >>> >>> >> The problem comes when you start spending my nickles without asking. >> Which is exactly what sender address verification does. >> >> Rick >> > > It depends on the spam flood. SMF-SAV caches the lookups, so if the > from address is reused on the inbounds, it only has to do a single > lookup. If they use a new from username, then yeah, your server gets > pinged multiple times. > Which is nearly always the case in a "flood". I don't recall ever seeing a spam flood that consisted of ten thousand different spam messages to the same name. Ten thousand different names on the same domain? All of the time. Even if address reuse in a flood *were* common, your response would only apply if all milters and other methods for doing SAV cached the lookups. > But the thing is, if spam is dropped before it is sent, it diminishes > "internet background noise". You benefit from that, along with > everybody else. No, I don't. Nobody benefits from the spam you reject other than yourself. And if you reject spam using my resources, you're *creating* background noise, at least on my server. If you are suggesting that a cooperative use of this technique by everyone would reduce overall Internet bandwidth usage and perhaps lower the prices that providers charge for said bandwidth... Well, that theory would take quite a bit of work to support. 
A T1 today costs probably an eighth or less of what it did when I first had to price one and that is not because bandwidth usage has dropped. > We all pay a little, and receive a greater synergistic common good... > Before I'd consider this a valid argument, I'd want to see some evidence that the bandwidth you and the spammer save from the use of SAV actually contributes *anything* to a 'common good'. My impression is that it benefits only the user of the technique. Even at that, I'm philosophically opposed to the non-consensual use of the resources of others. I even feel slightly guilty about the use of greylisting because I'm asking other servers to make two delivery attempts the first time they send mail to a domain I control. I only justify it by remembering that they're initiating the contact. They can choose *not* to resend (and some do) and they can set their policies as to whether they want to talk to servers that use greylisting. In the case of SAV, nearly all of the time you're harassing a server that never tried to talk to you. Rick From dave.list at pixelhammer.com Fri Mar 23 17:22:04 2007
From: dave.list at pixelhammer.com (DAve) Date: Fri Mar 23 16:30:14 2007 Subject: OT: IP address reputation, BorderWare In-Reply-To: <4603EFCC.1030707@taz-mania.com> References: <4602F774.2030007@fractalweb.com> <46031747.9000000@fractalweb.com> <4603538C.7000603@pixelhammer.com> <4603EFCC.1030707@taz-mania.com> Message-ID: <4603FEAC.5000205@pixelhammer.com> Dennis Willson wrote: > Why yes, I know how SAV handles greylisting. > > When SAV receives a temp failure, SAV returns a temp failure. A real > mail server will try again later which will cause SAV to verify again > when the sending server retries. This works just fine. However, if you > run greylisting too, this adds a double delay on the delivery of the email. > We have several real mail servers, they all retry within 30 minutes. My question was would the tuple expire from the greylist DB *before* the retry took place. Checking the SAV archives and then the config for milter-greylist I see this,
# This option attempts to make milter-greylist more
# friendly with sender callback systems. When the
# message is from <>, it will be temporarily
# rejected at the DATA stage instead of the RCPT
# stage of the SMTP transaction. In the case of a
# multi recipient DSN, whitelisted recipient will
# not be honoured.
delayedreject
So milter-greylist is already making exceptions so we don't break SAV. That is good to know, though we hadn't any complaints. Thanks, DAve > I can live with that. > -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible. From blaze at lake.k12.ca.us Fri Mar 23 17:30:19 2007
From: blaze at lake.k12.ca.us (Blaze King) Date: Fri Mar 23 16:37:30 2007 Subject: FW: upgraded mailscanner, no more quarantine Message-ID: <643717827D2BED469D39BE81B4AD635A1B55D0@exchange.lake.k12.ca.us> A new error, after I upgraded spamassassin (I'm not upgrading anything else, I swear)...
Mar 23 09:23:55 mail MailScanner[23766]: You want to use SpamAssassin but have not installed it.
Mar 23 09:23:55 mail MailScanner[23766]: Please download http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/install-Clam-SA.tar.gz and unpack it and run ./install.sh to install it, then restart MailScanner.
Mar 23 09:23:55 mail MailScanner[23766]: I will run without SpamAssassin for now, you will not detect much spam until you install SpamAssassin.
I have no idea how to configure SpamAssassin any further with MailScanner. By the way, I did download that file and followed directions. Didn't help. Blaze King Senior Network Administrator Lake County Office of Education (707) 262-4147 From itdept at fractalweb.com Fri Mar 23 18:11:38 2007
From: itdept at fractalweb.com (Chris Yuzik) Date: Fri Mar 23 17:19:01 2007 Subject: IP address reputation, BorderWare In-Reply-To: <4603FEBF.3030401@yeticomputers.com> References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> Message-ID: <46040A4A.90608@fractalweb.com> Rick Chadderdon wrote: > > Which is nearly always the case in a "flood". I don't recall ever > seeing a spam flood that consisted of ten thousand different spam > messages to the same name. Ten thousand different names on the same > domain? All of the time. Even if address reuse in a flood *were* > common, your response would only apply if all milters and other methods > for doing SAV cached the lookups. > Rick, My understanding is that milters like SMF-SAV do cache the lookups. So if one of your users gets "joe-jobbed" and a spammer sends 10k messages to our server, a server using SAV would only check the address once, and use that data to deal with the rest of the flood. Chris From ka at pacific.net Fri Mar 23 18:20:54 2007
From: ka at pacific.net (Ken A)
Date: Fri Mar 23 17:28:11 2007
Subject: FW: upgraded mailscanner, no more quarantine
In-Reply-To: <643717827D2BED469D39BE81B4AD635A1B55D0@exchange.lake.k12.ca.us>
References: <643717827D2BED469D39BE81B4AD635A1B55D0@exchange.lake.k12.ca.us>
Message-ID: <46040C76.4010702@pacific.net>

Blaze King wrote:
> A new error, after I upgraded spamassassin (I'm not upgrading anything
> else, I swear)...
>
> Mar 23 09:23:55 mail MailScanner[23766]: You want to use SpamAssassin
> but have not installed it.
> Mar 23 09:23:55 mail MailScanner[23766]: Please download
> http://www.sng.ecs.soton.ac.uk/mailscanner/files/4/install-Clam-SA.tar.g
> z and unpack it and run ./install.sh to install it, then restart
> MailScanner.
> Mar 23 09:23:55 mail MailScanner[23766]: I will run without SpamAssassin
> for now, you will not detect much spam until you install SpamAssassin.
>
> I have no idea how to configure SpamAssassin any further with
> MailScanner. By the way, I did download that file and followed
> directions. Didn't help.

Hi Blaze,
The best way to install MailScanner and SA on a linux box is to use the packages from the MailScanner site. If your installed SA is from your linux distro, you might need to rpm -e it and then use the MailScanner packages.
Ken A. (just over the hill from you in Ukiah)
Pacific.Net

From ssilva at sgvwater.com Fri Mar 23 18:29:58 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Mar 23 17:45:35 2007
Subject: upgraded mailscanner, no more quarantine
In-Reply-To: <643717827D2BED469D39BE81B4AD635A1B55C9@exchange.lake.k12.ca.us>
References: <643717827D2BED469D39BE81B4AD635A1B558E@exchange.lake.k12.ca.us> <643717827D2BED469D39BE81B4AD635A1B55C9@exchange.lake.k12.ca.us>
Message-ID:

Blaze King spake the following on 3/23/2007 8:44 AM:
> Ok I feel stupid.
>
> MailScanner's quarantine was working just fine... I thought it wasn't
> because nothing new was in quarantine since the upgrade. Well when just
> I sent myself an unacceptable file (.bat), it was blocked and
> quarantined.
>
> I was testing the MailScanner with the "eicar" test virus, which it
> picked up and sent a notice to the postmaster e-mail account. While
> watching the maillog, no quarantine was ever attempted, so there was no
> error.
>
> Maybe the better question would be how do I modify what is quarantined
> and what isn't? I'll be looking through MailScanner's config again...
>
Look around the stuff that deals with silent viruses.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From jfagan at firstlightnetworks.com Fri Mar 23 18:42:57 2007
From: jfagan at firstlightnetworks.com (James Fagan)
Date: Fri Mar 23 17:48:58 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <46040A4A.90608@fractalweb.com>
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <46040A4A.90608@fractalweb.com>
Message-ID: <59E4A3A1069C2640959AD0F7518C4812052C7B@FLN1.fln.local>

>
> Which is nearly always the case in a "flood". I don't recall ever
> seeing a spam flood that consisted of ten thousand different spam
> messages to the same name. Ten thousand different names on the same
> domain? All of the time. Even if address reuse in a flood *were*
> common, your response would only apply if all milters and other methods
> for doing SAV cached the lookups.
>
Rick,

My understanding is that milters like SMF-SAV do cache the lookups. So if one of your users gets "joe-jobbed" and a spammer sends 10k messages to our server, a server using SAV only check the address once, and use that data to deal with the rest of the flood.

Chris

---------------------------------

SAV does cache and it can be configured. I have mine set to hold the cache for one week. It does this for senders and recipients.

Has anyone actually lost service (DoS) due to this ? What are the real costs to other admins other than more log files, and hating people like me ? Has anyone actually lost time or money because another server wanted to verify if a sender actually existed ? Why is the ability to know if a user account is available on a system built into many MTA's ? Is SAV worse than any of the probes and scripted attacks ?

I can see in a way that other systems "should" not interact with a system that may or not be responsible for a communication, but at some point there has to be accountability. I think the idea of SPF is good, but in practice, not so good.

Based on some of the strong views presented here, I think I will extend the cache for SAV to two weeks and I hope that can take some of the sting out. Besides we are small in comparison.

James

From ssilva at sgvwater.com Fri Mar 23 18:33:21 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Mar 23 17:50:43 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <25a66d840703230355j774d8988q6d50c8c53921186f@mail.gmail.com>
References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> <4602FAAA.20009@fractalweb.com> <25a66d840703230355j774d8988q6d50c8c53921186f@mail.gmail.com>
Message-ID:

am.lists spake the following on 3/23/2007 3:55 AM:
> On 3/22/07, Kevin Miller wrote:
>> Scott Silva wrote:
>> > Yes ... like SPF but without all the people who have ~all in their
>> > records!
>>
>> I've never understood that. Mine are all hard fails. Soft fails are
>> for people that are soft in the head, me thinks.
>>
>
> The problem with hard fails is the following scenario:
>
> You are on a website that has a "send to a friend" -- and it imitates
> your from address so that your "friend" recognizes the mail from you.
>
> I'm not sure I like it this way, but in some circumstances, on poorly
> designed sites, a -all would kill this message.
>
> Angelo
That is why if I want to send something to a friend, I cut and paste the link. Why give some third party an address that they might sell to a spammer? Or use to spam themselves.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Fri Mar 23 18:41:44 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Mar 23 17:53:42 2007
Subject: OT: IP address reputation, BorderWare
In-Reply-To:
References: <4602F774.2030007@fractalweb.com> <46031747.9000000@fractalweb.com>
Message-ID:

Res spake the following on 3/22/2007 5:21 PM:
> On Thu, 22 Mar 2007, Chris Yuzik wrote:
>
>> Res wrote:
>>> The key here, you spoke to a salesman.
>> Heh. It could have been worse...I might have talked to a marketing
>> guy. ;-)
>>> Many ISP's are doing this and it upsets their stats so of course they
>>> don't want you to use it. Word gets around that it does this, more
>>> people will shy away from their product, they don't care at all about
>>> you protecting your users...unless you buy and use their product.
>>>
>>> Keep using the milter.
>> Apparently, Matt is working on a modification to SMF-SAV that will
>> change the order of the checks so that the sender is only verified IF
>> they're sending to a real recipient on our end. As soon as that comes
>> out, we'll implement that.
>>
>> Cheers,
>> Chris
>>
>> PS - I really like how "to the point" you are. :-)
>>
>>
>
>
> hehehe, I don't beat about the bush, also no point in saying the exact
> same thing in 700 words that can be said in 100 :)
> I always been a straight shooter, even my enemies respect that, because
> they know I call it how I see it, and they know where they stand with me.
>
> They don't call me the evil bunny for nothing :)
>
Tell them to kiss the bunnies;

__ __ ,-' Y `-, .' .-"`"`"-. `. ; ,` `. ; `/ \' / \ { ;"";, } { /";`'`,; } \{ ;`,'`;. / { }`""` } /} { } { // {||} { / `"' `"'

;-P

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Fri Mar 23 18:47:18 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Mar 23 17:57:24 2007
Subject: AW: Mails not processed
In-Reply-To: <96EF3FB3C374A64187CCB0D0DA716F2446AA@idefix.danielf.local>
References: <96EF3FB3C374A64187CCB0D0DA716F2446A9@idefix.danielf.local> <23ec4360fef74a47a2935bd2aa99a77d@solidstatelogic.com> <96EF3FB3C374A64187CCB0D0DA716F2446AA@idefix.danielf.local>
Message-ID:

Daniel Fuhrer spake the following on 3/23/2007 7:22 AM:
> Hi Martin
> Thanks for the quick answer. The Lock Type in the config is empty.
> This exception happens only on some mails. When I copy them to another mailscanner it will be processed (most of them). I tried to copy the config from the other machine. But that didn't help.
>
Then look at versions of the dependencies on each of the machines with MailScanner -v. See if the offending machine has a newer or older version of something, and go from there.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From blaze at lake.k12.ca.us Fri Mar 23 18:54:05 2007
From: blaze at lake.k12.ca.us (Blaze King)
Date: Fri Mar 23 18:01:14 2007
Subject: upgraded spamassassin, mailscanner can't see it
In-Reply-To: <46040C76.4010702@pacific.net>
References: <643717827D2BED469D39BE81B4AD635A1B55D0@exchange.lake.k12.ca.us> <46040C76.4010702@pacific.net>
Message-ID: <643717827D2BED469D39BE81B4AD635A1B55DC@exchange.lake.k12.ca.us>

Ok, I've uninstalled spamassassin... I downloaded and installed "http://mailscanner.info/files/4/install-Clam-0.88.7-SA-3.1.8.tar.gz", and there is no spamassassin installed. What package do I need to install to get MailScanner to use spamassassin? Thanks!

Blaze King
Senior Network Administrator
Lake County Office of Education
(707) 262-4147

From Kevin_Miller at ci.juneau.ak.us Fri Mar 23 19:01:36 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Mar 23 18:08:42 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <4603FEBF.3030401@yeticomputers.com>
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com>
Message-ID:

Rick Chadderdon wrote:
> Kevin Miller wrote:
>> Rick Chadderdon wrote:
>>
>>> Kevin Miller wrote:
>>>
>>>> If I can spend a nickle to not have to spend a dime it's worth it
>>>> every time...
>>>>
>>>>
>>> The problem comes when you start spending my nickles without asking.
>>> Which is exactly what sender address verification does.
>>>
>>> Rick
>>>
>>
>> It depends on the spam flood. SMF-SAV caches the lookups, so if the
>> from address is reused on the inbounds, it only has to do a single
>> lookup. If they use a new from username, then yeah, your server
>> gets pinged multiple times.
>>
>
> Which is nearly always the case in a "flood". I don't recall ever
> seeing a spam flood that consisted of ten thousand different spam
> messages to the same name. Ten thousand different names on the same
> domain? All of the time. Even if address reuse in a flood *were*
> common, your response would only apply if all milters and other
> methods for doing SAV cached the lookups.

The question isn't messages *to* the same name. It's the from address that matters here. SMF-SAV does cache the addresses (both to and from). I see plenty of from addresses rejected by a cache hit.

>> But the thing is, if spam is dropped before it is sent, it diminishes
>> "internet background noise". You benefit from that, along with
>> everybody else.
>
> No, I don't. Nobody benefits from the spam you reject other than
> yourself. And if you reject spam using my resources, you're
> *creating* background noise, at least on my server. If you are
> suggesting that a cooperative use of this technique by everyone would
> reduce overall Internet bandwidth usage and perhaps lower the prices
> that providers charge for said bandwidth... Well, that theory would
> take quite a bit of work to support. A T1 today costs probably an
> eighth or less of what it did when I first had to price one and that
> is not because bandwidth usage has dropped.

I never said anything about what people charge for bandwidth. The market can decide that. My point is, you and I share a pipe. Or a 'tube' as my illustrious senator would say. I don't know where you're located, but mail comes in from all over the world along with web requests/responses, and all the other stuff that crosses the net. I'd hazard a guess that not too infrequently, packets destined for our respective servers will cross the same core routers. If I can stop the transmission of a couple hundred megabytes of spam to me, it doesn't cross that core router. OK, I've added a few K of 'background noise'. But I've stopped megabytes from being transmitted on the core routers by doing so. That benefits everyone. It isn't a last mile benefit, directly to you, but the net result is more bandwidth for everybody and you get that shared benefit along with everybody else.

>> We all pay a little, and receive a greater synergistic common good...
>>
>
> Before I'd consider this a valid argument, I'd want to see some
> evidence that the bandwidth you and the spammer save from the use of
> SAV actually contributes *anything* to a 'common good'. My

Bandwidth that isn't used by a spammer is bandwidth that is available for your users to use. No magic there. Think freeway - would you rather drive it under rush hour conditions or 3am conditions?

> impression is that it benefits only the user of the technique. Even
> at that, I'm philosophically opposed to the non-consensual use of the
> resources of others. I even feel slightly guilty about the use of
> greylisting because I'm asking other servers to make two delivery
> attempts the first time they send mail to a domain I control. I only
> justify it by remembering that they're initiating the contact. They
> can choose *not* to resend (and some do) and they can set their
> policies as to whether they want to talk to servers that use
> greylisting. In the case of SAV, nearly all of the time you're
> harassing a server that never tried to talk to you.

Well, as someone else pointed out, that server will get hassled either way. Without SAV I'm accepting mail from invalid users. If someone uses phoney from addresses with your domain, and runs a dictionary attack against me, I'm going to send an NDR back to your server for each address that is invalid on my side. That will take a lot more server resources and bandwidth on your side than a simple SAV query would have. With SAV, I never accept the message from the original sender, saving that bandwidth on both the last mile as well as the core routers, and I never send you an unnecessary NDR saving you server usage, last mile bandwidth, and core router usage.

Personally, I'd rather someone query my server, than send my users NDRs from Joe jobbed spam. It's a lot less resource intensive as nearly as I can see..

...Kevin
--
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

From ka at pacific.net Fri Mar 23 19:01:45 2007
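The caching disagreement in the message above, modelled as an added example (not part of any list message and not SMF-SAV's code): a TTL cache in front of a stubbed callout, fed one flood that reuses a single forged sender and one whose forged sender changes with every message. The class and function names, the `.example` addresses and the case-insensitive address comparison are assumptions made for the illustration.

```python
"""Model of a sender-address-verification (SAV) callout cache.

Illustration only. The remote check is a local stub, so nothing
touches the network.
"""
from dataclasses import dataclass, field

WEEK = 7 * 24 * 3600  # cache lifetime mentioned in the thread: one week


@dataclass
class CalloutCache:
    ttl: int = WEEK
    # Stub for what the sender's own mail server would answer (constructed).
    valid_senders: frozenset = frozenset()
    callouts: int = 0   # probes that reached the sender's domain
    hits: int = 0       # verdicts served from the cache
    _entries: dict = field(default_factory=dict)  # address -> (exists, expires_at)

    def _probe(self, address):
        """Stand-in for the remote recipient check against the sender's MX."""
        self.callouts += 1
        return address in self.valid_senders

    def verify(self, sender, now):
        """Return True if `sender` is accepted at time `now` (seconds)."""
        key = sender.strip().lower()  # assumption: compare case-insensitively
        entry = self._entries.get(key)
        if entry is not None and now < entry[1]:
            self.hits += 1
            return entry[0]
        exists = self._probe(key)
        # Negative answers are cached too, so a reused forged sender
        # costs the forged domain exactly one probe per TTL window.
        self._entries[key] = (exists, now + self.ttl)
        return exists


def flood(cache, senders, start=0, spacing=1):
    """Feed one message per sender through the cache; return accepted count."""
    accepted = 0
    for i, sender in enumerate(senders):
        if cache.verify(sender, start + i * spacing):
            accepted += 1
    return accepted


def compare_floods(n=10_000, victim_domain="joe-job.example"):
    """(callouts, cache hits) for the two flood shapes argued over in the thread."""
    # Constructed input 1: every message forges the same sender address.
    reused = CalloutCache()
    flood(reused, [f"jim@{victim_domain}"] * n)
    # Constructed input 2: the forged local part changes with each message.
    rotating = CalloutCache()
    flood(rotating, [f"user{i}@{victim_domain}" for i in range(n)])
    return {
        "reused_sender": (reused.callouts, reused.hits),
        "rotating_sender": (rotating.callouts, rotating.hits),
    }


def ttl_expiry_callouts(ttl=WEEK):
    """One real sender seen at t=0, just before expiry, and at expiry."""
    cache = CalloutCache(ttl=ttl, valid_senders=frozenset({"alice@partner.example"}))
    for t in (0, ttl - 1, ttl):
        cache.verify("Alice@Partner.example", t)
    return cache.callouts


if __name__ == "__main__":
    for shape, (callouts, hits) in compare_floods().items():
        print(f"{shape:16s} callouts={callouts:6d} cache_hits={hits}")
    print("callouts across one TTL boundary:", ttl_expiry_callouts())
```

A longer TTL only reduces repeat probes for addresses that recur; it changes nothing for a flood in which every forged sender is new.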
From: ka at pacific.net (Ken A)
Date: Fri Mar 23 18:09:01 2007
Subject: upgraded spamassassin, mailscanner can't see it
In-Reply-To: <643717827D2BED469D39BE81B4AD635A1B55DC@exchange.lake.k12.ca.us>
References: <643717827D2BED469D39BE81B4AD635A1B55D0@exchange.lake.k12.ca.us> <46040C76.4010702@pacific.net> <643717827D2BED469D39BE81B4AD635A1B55DC@exchange.lake.k12.ca.us>
Message-ID: <46041609.10009@pacific.net>

Blaze King wrote:
> Ok, I've uninstalled spamassassin... I downloaded and installed
> "http://mailscanner.info/files/4/install-Clam-0.88.7-SA-3.1.8.tar.gz",
> and there is no spamassassin installed. What package do I need to
> install to get MailScanner to use spamassassin? Thanks!

If you downloaded and installed install-Clam-0.88.7-SA-3.1.8.tar.gz and it installed properly, then you do have spamassassin installed. You might want to run ./install.sh again from within the install-Clam-0.88.7-SA-3.1.8 directory and watch the output. If it fails to cleanly finish the install, paste the errors here and someone will be able to advise you what to do next. If there are no errors, then try running 'spamassassin --lint' and see what you get. If no errors, then check that MailScanner is set to "Use SpamAssassin = yes" in MailScanner.conf.

Ken A.
Pacific.Net

From mailscanner at yeticomputers.com Fri Mar 23 19:01:32 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Fri Mar 23 18:09:05 2007 Subject: IP address reputation, BorderWare In-Reply-To: <46040A4A.90608@fractalweb.com> References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <46040A4A.90608@fractalweb.com> Message-ID: <460415FC.9070209@yeticomputers.com> Chris Yuzik wrote: > Rick Chadderdon wrote: >> >> Which is nearly always the case in a "flood". I don't recall ever >> seeing a spam flood that consisted of ten thousand different spam >> messages to the same name. Ten thousand different names on the same >> domain? All of the time. Even if address reuse in a flood *were* >> common, your response would only apply if all milters and other methods >> for doing SAV cached the lookups. >> > Rick, > > My understanding is that milters like SMF-SAV do cache the lookups. So > if one of your users gets "joe-jobbed" and a spammer sends 10k > messages to our server, a server using SAV only checks the address > once, and uses that data to deal with the rest of the flood. My experience with dictionary attacks has been that the forged sender address changes with the recipient address, so a cache would do almost nothing to mitigate the problem I refer to. Perhaps someone with some solid statistics of cache hits for this milter could offer a rebuttal? I'd like to know how this works in practice, since I only see the bad effects at my end. The last flood of this type that I experienced as a joe-job of one of my domains used the same dictionary name before the @ for both sender and receiver, and many of the bogus NDRs I've received bear this out too. Someone sending to jim@target.com will forge the sender address as jim@joe-job.com, the next one goes out to joe@target.com with a forged sender of joe@joe-job.com, etc... Caching doesn't help here. 
Rick From blaze at lake.k12.ca.us Fri Mar 23 19:33:04 2007 From: blaze at lake.k12.ca.us (Blaze King) Date: Fri Mar 23 18:40:21 2007 Subject: upgraded spamassassin, mailscanner can't see it In-Reply-To: <46041609.10009@pacific.net> References: <643717827D2BED469D39BE81B4AD635A1B55D0@exchange.lake.k12.ca.us> <46040C76.4010702@pacific.net><643717827D2BED469D39BE81B4AD635A1B55DC@exchange.lake.k12.ca.us> <46041609.10009@pacific.net> Message-ID: <643717827D2BED469D39BE81B4AD635A1B55E9@exchange.lake.k12.ca.us> Here's the errors when running ./install from that folder: t/prefs_include............. Not found: qp-encoded-desc = Invalid Date: header =ae =af =b0 foo # Failed test 1 in t/SATest.pm at line 592 t/prefs_include.............FAILED test 1 Failed 1/2 tests, 50.00% okay t/razor2....................skipped all skipped: no reason given ... Failed Test Stat Wstat Total Fail Failed List of Failed ------------------------------------------------------------------------ ------- t/prefs_include.t 2 1 50.00% 1 9 tests skipped. Failed 1/67 test scripts, 98.51% okay. 1/1878 subtests failed, 99.95% okay. make: *** [test_dynamic] Error 29 ... Perl could not find your SpamAssassin installation. Strange, I just installed it. You should fix this! Blaze King Senior Network Administrator Lake County Office of Education (707) 262-4147 -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A Sent: Friday, March 23, 2007 11:02 AM To: MailScanner discussion Subject: Re: upgraded spamassassin, mailscanner can't see it Blaze King wrote: > Ok, I've uninstalled spamassassin... I downloaded and installed > "http://mailscanner.info/files/4/install-Clam-0.88.7-SA-3.1.8.tar.gz", > and there is no spamassassin installed. What package do I need to > install to get MailScanner to use spamassassin? Thanks! If you downloaded and installed install-Clam-0.88.7-SA-3.1.8.tar.gz and it installed properly, then you do have spamassassin installed. You might want to run ./install.sh again from within the install-Clam-0.88.7-SA-3.1.8 directory and watch the output. If it fails to cleanly finish the install, paste the errors here and someone will be able to advise you what to do next. If there are no errors, then try running 'spamassassin --lint' and see what you get. If no errors, then check that MailScanner is set to "Use SpamAssassin = yes" in MailScanner.conf. Ken A. Pacific.Net > > Blaze King > Senior Network Administrator > Lake County Office of Education > (707) 262-4147 > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A > Sent: Friday, March 23, 2007 10:21 AM > To: MailScanner discussion > Subject: Re: FW: upgraded mailscanner, no more quarantine > > > Hi Blaze, > The best way to install MailScanner and SA on a linux box is to use the > packages from the MailScanner site. If your installed SA is from your > linux distro, you might need to rpm -e it and then use the MailScanner > packages. > Ken A. (just over the hill from you in Ukiah) > Pacific.Net > >> Blaze King >> Senior Network Administrator >> Lake County Office of Education >> (707) 262-4147 >> >> >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Blaze >> King >> Sent: Friday, March 23, 2007 8:45 AM >> To: MailScanner discussion >> Subject: RE: upgraded mailscanner, no more quarantine >> >> Ok I feel stupid. >> >> MailScanner's quarantine was working just fine... I thought it wasn't >> because nothing new was in quarantine since the upgrade. Well when > just >> I sent myself an unacceptable file (.bat), it was blocked and >> quarantined. >> >> I was testing the MailScanner with the "eicar" test virus, which it >> picked up and sent a notice to the postmaster e-mail account. While >> watching the maillog, no quarantine was ever attempted, so there was > no >> error. >> >> Maybe the better question would be how do I modify what is quarantined >> and what isn't? I'll be looking through MailScanner's config again... >> >> Thanks! >> >> Blaze King >> Senior Network Administrator >> Lake County Office of Education >> (707) 262-4147 >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >> Martin.Hepworth >> Sent: Friday, March 23, 2007 2:26 AM >> To: MailScanner discussion >> Subject: RE: upgraded mailscanner, no more quarantine >> >> >> Blaze >> >> Where's the old stuff then???? Odd >> >> Make sure /var/spool/MailScanner/quarantine isn't a sym link to >> somewhere else. >> >> make sure the user you're running as (eg postfix or mailnull) can > write >> to that dir. Also make I'd say the perms should be 640 at minimum, >> otherwise the apache group won't be able to read the files/dirs! >> >> You can run in debug mode and see what happens... >> >> su - -c "/MailScanner -debug" >> >> and see if it's complaining about anything on the quarantine.. >> >> -- >> Martin Hepworth >> Snr Systems Administrator >> Solid State Logic >> Tel: +44 (0)1865 842300 >> >>> -----Original Message----- 
>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- >>> bounces@lists.mailscanner.info] On Behalf Of Blaze King >>> Sent: 22 March 2007 19:08 >>> To: mailscanner@lists.mailscanner.info >>> Subject: upgraded mailscanner, no more quarantine >>> >>> Hey I'm a long time mailscanner user, but this is my first post to > the >>> list. I recently upgraded to 4.58.9-1 on my rhel3 server. Since >> then, >>> nothing ends up in quarantine. Here's what I know... >>> >>> >>> >>> (/etc/MailScanner/MailScanner.conf) >>> >>> Quarantine Dir = /var/spool/MailScanner/quarantine >>> >>> Quarantine User = root >>> >>> Quarantine Group = apache (I'm using mailwatch) >>> >>> Quarantine Permissions = 0600 >>> >>> Quarantine Infections = yes >>> >>> Quarantine Whole Message = yes >>> >>> Quarantine Whole Messages As Queue Files = no >>> >>> >>> >>> [root@mail MailScanner]# ll /var/spool/MailScanner/quarantine >>> >>> total 0 >>> >>> >>> >>> Any suggestions? Thanks! >>> >>> >>> >>> Blaze King >>> >>> Senior Network Administrator >>> >>> Lake County Office of Education >>> >>> (707) 262-4147 >>> >>> >> >> >> >>
-- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From campbell at cnpapers.com Fri Mar 23 20:52:38 2007 From: campbell at cnpapers.com (Steve Campbell) Date: Fri Mar 23 20:00:24 2007 Subject: OT - Sendmail Auth Message-ID: <001801c76d84$cf565240$0705000a@ddf5dw71> I need to set up SMTP Auth on a server to allow a roaming user to send mail using one of our servers. The user will have a dynamic IP. The server is not in the MX lists for our domains. I have the sendmail Cookbook, and an older version of the Bat book, but every thing I do seems pointless and doesn't work, as far as I can tell. The cookbook seems to make it sound real simple, and I do get sendmail to acknowledge and advertise DIGEST-MD5 and CRAM-MD5. After that, AuthInfo to the access db, and every thing after seems to avoid the Sasl. I have also started the saslauthd daemon. I have also created the user with the saslpasswd command. Does anyone have a good URL for setting up a Centos 3 server running Sendmail 8.13 and the MUA being used by this user, which I think is either Outlook Express or Thunderbird? Thanks for any pointers to a good site. Steve Campbell campbell@cnpapers.com Charleston Newspapers From matt at coders.co.uk Fri Mar 23 20:57:24 2007 
From: matt at coders.co.uk (Matt Hampton) Date: Fri Mar 23 20:04:43 2007 Subject: IP address reputation, BorderWare In-Reply-To: <4603FEC2.3000004@yeticomputers.com> References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> <4602FAAA.20009@fractalweb.com> <46030348.70100@yeticomputers.com> <46030838.60809@fractalweb.com> <4603FEC2.3000004@yeticomputers.com> Message-ID: <46043124.3060501@coders.co.uk> Rick Chadderdon wrote: > Someone sending to jim@target.com will forge the > sender address as jim@joe-job.com, the next one goes out to > joe@target.com with a forged sender of joe@joe-job.com, etc... > Caching doesn't help here. Agreed. I might make a further change to limit the number of call backs to a particular server or domain. I'll have to think about this - I have a fair bit of work on rolling out some new services at work.... > If Matt makes the changes he spoke of, I'd be a lot less grumpy about > the use of this milter. Yup - I have. Patch has been submitted to Eugene and am awaiting feedback. If you want access to it : It is based on smf-sav-1.4.0 Apply the patch from here: https://secure.bastionmail.co.uk/smf-sav-1.4.0.patch.tar.gz rebuild it and install Then add the following configuration option: DelayChecks on and restart..... Before Res or anyone else gets uppity ( ;-) ) please contact me off list. matt From mailscanner at yeticomputers.com Fri Mar 23 21:16:37 2007 
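[Added example, not code from smf-sav, its patch, or anyone in this thread: a small simulation of the point discussed above, counting how many verification callbacks a caching SAV setup sends to the forged domain when the forged sender is fixed versus when it rotates with the recipient. The function names, the .example domains, the 10,000-message flood and the per-domain cap (a stand-in for the callback limit floated above) are assumptions.]

```python
"""Count SAV callbacks sent to a forged sender's domain during a flood.

Constructed model, not smf-sav code: the cache is a plain set with no expiry,
and the per-domain cap is a hypothetical stand-in for the idea of limiting
callbacks to one server or domain.
"""
from collections import Counter


def fixed_sender_flood(names, target_domain, forged_sender):
    """Every message carries the same forged sender address."""
    return [(forged_sender, f"{name}@{target_domain}") for name in names]


def rotating_sender_flood(names, target_domain, forged_domain):
    """Sender local part mirrors the recipient's local part:
    jim@target gets forged sender jim@joe-job, joe@target gets joe@joe-job."""
    return [(f"{name}@{forged_domain}", f"{name}@{target_domain}")
            for name in names]


def simulate_sav(messages, per_domain_cap=None):
    """Walk the flood in arrival order and tally what the verifying server does.

    Returns a dict with:
      cache_hits - sender already looked up, no traffic to the forged domain
      callbacks  - verification probes actually sent to the forged domain
      capped     - probes suppressed because the domain reached per_domain_cap
    """
    looked_up = set()     # sender addresses already verified (valid or not)
    probes = Counter()    # callbacks issued so far, keyed by sender domain
    stats = {"cache_hits": 0, "callbacks": 0, "capped": 0}
    for sender, _recipient in messages:
        if sender in looked_up:
            stats["cache_hits"] += 1
            continue
        domain = sender.rsplit("@", 1)[1].lower()
        if per_domain_cap is not None and probes[domain] >= per_domain_cap:
            # What happens to the message itself (tempfail, accept unverified)
            # is a policy choice this model leaves open.
            stats["capped"] += 1
            continue
        probes[domain] += 1
        stats["callbacks"] += 1
        looked_up.add(sender)
    return stats


def hit_ratio(stats):
    """Fraction of messages answered from the cache."""
    total = sum(stats.values())
    return stats["cache_hits"] / total if total else 0.0


if __name__ == "__main__":
    # Constructed dictionary of local parts; not taken from any real flood.
    names = [f"user{i:05d}" for i in range(10_000)]
    fixed = fixed_sender_flood(names, "target.example", "jim@joe-job.example")
    rotating = rotating_sender_flood(names, "target.example", "joe-job.example")
    for label, flood, cap in (("fixed sender, cache only", fixed, None),
                              ("rotating sender, cache only", rotating, None),
                              ("rotating sender, cap of 50", rotating, 50)):
        result = simulate_sav(flood, per_domain_cap=cap)
        print(f"{label:30s} {result}  hit ratio {hit_ratio(result):.4f}")
```
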
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Fri Mar 23 20:24:03 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> Message-ID: <460435A5.8020507@yeticomputers.com> Kevin Miller wrote: > The question isn't messages *to* the same name. It's the from address > that matters here. SMF-SAV does cache the addresses (both to and from). > I see plenty of from addresses rejected by a cache hit. > Yes, I realize that I wasn't suitably clear there... I guess I was working from the assumption that everyone else had seen the same behavior I had. Each new delivery attempt comes with a new forged sender. I tried to clarify in my last post. If you have any statistics showing the ratio of cache hits to new addresses, at least in your case, I'd be interested in seeing them. > I never said anything about what people charge for bandwidth. I know. I didn't think you were going to go metaphysical on me... :) > OK, I've added a few K of 'background noise'. > But I've stopped megabytes from being transmitted on the core routers by > doing so. That benefits everyone. How so? I get exactly the bandwidth I pay for, no matter who else is using how much. > It isn't a last mile benefit, > directly to you, but the net result is more bandwidth for everybody and > you get that shared benefit along with everybody else. > This is an imaginary benefit, Kevin, until the pipe is so full that nobody is able to get what they're paying for. I don't see that happening anytime soon because the pipe just keeps getting bigger - there's plenty of room in it. I can think of a couple of possible edge cases where there might be some peripheral benefit to others from minimizing your own spam bandwidth, but nothing very compelling. 
> Bandwidth that isn't used by a spammer is bandwidth that is available > for your users to use. No magic there. Think freeway - would you > rather drive it under rush hour conditions or 3am conditions? > This is, as always, a poor analogy. And in this argument, it presumes that those "rush hour" conditions affect me adversely. My users get use of as much bandwidth as I pay for, regardless of who is spamming whom, or in what volume. >> Well, as someone else pointed out, that server will get hassled either >> way. Without SAV I'm accepting mail from invalid users. If someone >> uses phoney from addresses with your domain, and runs a dictionary >> attack against me, I'm going to send an NDR back to your server for each >> address that is invalid on my side. That will take a lot more server >> resources and bandwidth on your side than a simple SAV query would have. >> Not really. I reject mail to invalid recipients, so it's pretty much a wash. I get the same transaction, either way. I can control normal backscatter well enough. I don't care much for the practice of sending NDRs *after* accepting a message. Check your valid users *before* you have to bounce an incoming message. Failure to do so is just another way of letting spammers cause you to use the resources of others. You sure don't want to be sending actual NDRs to people who never mailed you. Let this be handled during the SMTP transaction, where it belongs. My point is that I can handle the stuff that happens as a normal part of running a mail server. It's deliberate and unwanted use of my resources that bothers me. Misconfigured servers bother me. Bad autoresponders bother me. I don't mind so much when it's because someone hasn't learned better yet, but when it's a considered decision on their part that my resources are ok to use, whether I like it or not... That's when I get grumpy. >> Personally, I'd rather someone query my server, than send my users NDRs >> from Joe jobbed spam. 
It's a lot less resource intensive as nearly as I >> can see.. It seems as though the IT industry is filled with two extremes: pure pragmatists and pure idealists. I'm a weird mix of the two, but when something goes against one of my 'ideals', I have a hard time looking at it pragmatically. As a pragmatist, I'd probably agree that a query is better than an NDR. As an idealist, I believe that the majority of NDRs being sent out are being done by servers configured by people who didn't know any better, so it's more tolerable than someone who is deliberately and knowingly hammering on my system to save his own bandwidth. I know I'm not going to change your behavior, but I hope I've managed to explain why SAV bothers me. Rick From ka at pacific.net Fri Mar 23 21:16:49 2007 
From: ka at pacific.net (Ken A) Date: Fri Mar 23 20:24:06 2007 Subject: upgraded spamassassin, mailscanner can't see it In-Reply-To: <643717827D2BED469D39BE81B4AD635A1B55E9@exchange.lake.k12.ca.us> References: <643717827D2BED469D39BE81B4AD635A1B55D0@exchange.lake.k12.ca.us> <46040C76.4010702@pacific.net><643717827D2BED469D39BE81B4AD635A1B55DC@exchange.lake.k12.ca.us> <46041609.10009@pacific.net> <643717827D2BED469D39BE81B4AD635A1B55E9@exchange.lake.k12.ca.us> Message-ID: <460435B1.9070301@pacific.net> Blaze King wrote: > Here's the errors when running ./install from that folder: > > > > t/prefs_include............. Not found: qp-encoded-desc = Invalid > Date: header =ae =af =b0 foo > # Failed test 1 in t/SATest.pm at line 592 > t/prefs_include.............FAILED test 1 > Failed 1/2 tests, 50.00% okay > t/razor2....................skipped > all skipped: no reason given > > ... > > > Failed Test Stat Wstat Total Fail Failed List of Failed > ------------------------------------------------------------------------ > ------- > t/prefs_include.t 2 1 50.00% 1 > 9 tests skipped. > Failed 1/67 test scripts, 98.51% okay. 1/1878 subtests failed, 99.95% > okay. > make: *** [test_dynamic] Error 29 > Might be UTF-8 language ENV messing up the test. Edit /etc/sysconfig/i18n and remove the utf-8 stuff, then try again. You might need to logout/login to fixup the ENV, not sure. My i18n looks like this: LANG="en_US" SYSFONT="latarcyrheb-sun16" SUPPORTED="en_US:en" I thought there was a workaround already in the source, but perhaps it's not working automatically for you. Ken Pacific.Net > ... > > > Perl could not find your SpamAssassin installation. > Strange, I just installed it. > You should fix this! > > > > Blaze King > Senior Network Administrator > Lake County Office of Education > (707) 262-4147 > > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A > Sent: Friday, March 23, 2007 11:02 AM > To: MailScanner discussion > Subject: Re: upgraded spamassassin, mailscanner can't see it > > > > Blaze King wrote: >> Ok, I've uninstalled spamassassin... I downloaded and installed >> "http://mailscanner.info/files/4/install-Clam-0.88.7-SA-3.1.8.tar.gz", >> and there is no spamassassin installed. What package do I need to >> install to get MailScanner to use spamassassin? Thanks! > > If you downloaded and installed install-Clam-0.88.7-SA-3.1.8.tar.gz and > it installed properly, then you do have spamassassin installed. > > You might want to run ./install.sh again from within the > install-Clam-0.88.7-SA-3.1.8 directory and watch the output. If it fails > > to cleanly finish the install, paste the errors here and someone will be > > able to advise you what to do next. > > If there are no errors, then try running > 'spamassassin --lint' and see what you get. If no errors, then check > that MailScanner is set to "Use SpamAssassin = yes" in MailScanner.conf. > > Ken A. > Pacific.Net > > >> Blaze King >> Senior Network Administrator >> Lake County Office of Education >> (707) 262-4147 >> >> -----Original Message----- 
>> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A >> Sent: Friday, March 23, 2007 10:21 AM >> To: MailScanner discussion >> Subject: Re: FW: upgraded mailscanner, no more quarantine >> >> >> Hi Blaze, >> The best way to install MailScanner and SA on a linux box is to use > the >> packages from the MailScanner site. If your installed SA is from your >> linux distro, you might need to rpm -e it and then use the MailScanner >> packages. >> Ken A. (just over the hill from you in Ukiah) >> Pacific.Net >> >>> Blaze King >>> Senior Network Administrator >>> Lake County Office of Education >>> (707) 262-4147 >>> >>> >>> -----Original Message----- >>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Blaze >>> King >>> Sent: Friday, March 23, 2007 8:45 AM >>> To: MailScanner discussion >>> Subject: RE: upgraded mailscanner, no more quarantine >>> >>> Ok I feel stupid. >>> >>> MailScanner's quarantine was working just fine... I thought it wasn't >>> because nothing new was in quarantine since the upgrade. Well when >> just >>> I sent myself an unacceptable file (.bat), it was blocked and >>> quarantined. >>> >>> I was testing the MailScanner with the "eicar" test virus, which it >>> picked up and sent a notice to the postmaster e-mail account. While >>> watching the maillog, no quarantine was ever attempted, so there was >> no >>> error. >>> >>> Maybe the better question would be how do I modify what is > quarantined >>> and what isn't? I'll be looking through MailScanner's config > again... >>> Thanks! >>> >>> Blaze King >>> Senior Network Administrator >>> Lake County Office of Education >>> (707) 262-4147 >>> -----Original Message----- 
>>> From: mailscanner-bounces@lists.mailscanner.info >>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >>> Martin.Hepworth >>> Sent: Friday, March 23, 2007 2:26 AM >>> To: MailScanner discussion >>> Subject: RE: upgraded mailscanner, no more quarantine >>> >>> >>> Blaze >>> >>> Where's the old stuff then???? Odd >>> >>> Make sure /var/spool/MailScanner/quarantine isn't a sym link to >>> somewhere else. >>> >>> make sure the user you're running as (eg postfix or mailnull) can >> write >>> to that dir. Also make I'd say the perms should be 640 at minimum, >>> otherwise the apache group won't be able to read the files/dirs! >>> >>> You can run in debug mode and see what happens... >>> >>> su - -c "/MailScanner -debug" >>> >>> and see if it's complaining about anything on the quarantine.. >>> >>> -- >>> Martin Hepworth >>> Snr Systems Administrator >>> Solid State Logic >>> Tel: +44 (0)1865 842300 >>> >>>> -----Original Message----- 
>>>> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner- >>>> bounces@lists.mailscanner.info] On Behalf Of Blaze King >>>> Sent: 22 March 2007 19:08 >>>> To: mailscanner@lists.mailscanner.info >>>> Subject: upgraded mailscanner, no more quarantine >>>> >>>> Hey I'm a long time mailscanner user, but this is my first post to >> the >>>> list. I recently upgraded to 4.58.9-1 on my rhel3 server. Since >>> then, >>>> nothing ends up in quarantine. Here's what I know... >>>> >>>> >>>> >>>> (/etc/MailScanner/MailScanner.conf) >>>> >>>> Quarantine Dir = /var/spool/MailScanner/quarantine >>>> >>>> Quarantine User = root >>>> >>>> Quarantine Group = apache (I'm using mailwatch) >>>> >>>> Quarantine Permissions = 0600 >>>> >>>> Quarantine Infections = yes >>>> >>>> Quarantine Whole Message = yes >>>> >>>> Quarantine Whole Messages As Queue Files = no >>>> >>>> >>>> >>>> [root@mail MailScanner]# ll /var/spool/MailScanner/quarantine >>>> >>>> total 0 >>>> >>>> >>>> >>>> Any suggestions? Thanks! >>>> >>>> >>>> >>>> Blaze King >>>> >>>> Senior Network Administrator >>>> >>>> Lake County Office of Education >>>> >>>> (707) 262-4147 >>>> >>>> >>> >>> >>> >>> From ssilva at sgvwater.com Fri Mar 23 21:17:19 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Fri Mar 23 20:25:42 2007 Subject: upgraded spamassassin, mailscanner can't see it In-Reply-To: <643717827D2BED469D39BE81B4AD635A1B55E9@exchange.lake.k12.ca.us> References: <643717827D2BED469D39BE81B4AD635A1B55D0@exchange.lake.k12.ca.us> <46040C76.4010702@pacific.net><643717827D2BED469D39BE81B4AD635A1B55DC@exchange.lake.k12.ca.us> <46041609.10009@pacific.net> <643717827D2BED469D39BE81B4AD635A1B55E9@exchange.lake.k12.ca.us> Message-ID: Blaze King spake the following on 3/23/2007 11:33 AM: > Here's the errors when running ./install from that folder: > > > > t/prefs_include............. Not found: qp-encoded-desc = Invalid > Date: header =ae =af =b0 foo > # Failed test 1 in t/SATest.pm at line 592 > t/prefs_include.............FAILED test 1 > Failed 1/2 tests, 50.00% okay > t/razor2....................skipped > all skipped: no reason given > > ... > > > Failed Test Stat Wstat Total Fail Failed List of Failed > ------------------------------------------------------------------------ > ------- > t/prefs_include.t 2 1 50.00% 1 > 9 tests skipped. > Failed 1/67 test scripts, 98.51% okay. 1/1878 subtests failed, 99.95% > okay. > make: *** [test_dynamic] Error 29 > > > ... > > > Perl could not find your SpamAssassin installation. > Strange, I just installed it. > You should fix this! > > What does MailScanner -v say? And MailScanner --lint? -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From dnsadmin at 1bigthink.com Fri Mar 23 21:20:49 2007 
From: dnsadmin at 1bigthink.com (dnsadmin 1bigthink.com) Date: Fri Mar 23 20:28:17 2007 Subject: OT - Sendmail Auth In-Reply-To: <001801c76d84$cf565240$0705000a@ddf5dw71> References: <001801c76d84$cf565240$0705000a@ddf5dw71> Message-ID: <200703232021.l2NKL7sl013718@mxt.1bigthink.com> At 03:52 PM 3/23/2007, you wrote: >I need to set up SMTP Auth on a server to allow a roaming user to >send mail using one of our servers. The user will have a dynamic >IP. The server is not in the MX lists for our domains. > >I have the sendmail Cookbook, and an older version of the Bat book, >but every thing I do seems pointless and doesn't work, as far as I >can tell. The cookbook seems to make it sound real simple, and I do >get sendmail to acknowledge and advertise DIGEST-MD5 and CRAM-MD5. >After that, AuthInfo to the access db, and every thing after seems >to avoid the Sasl. I have also started the saslauthd daemon. I have >also created the user with the saslpasswd command. > >Does anyone have a good URL for setting up a Centos 3 server running >Sendmail 8.13 and the MUA being used by this user, which I think is >either Outlook Express or Thunderbird? > >Thanks for any pointers to a good site. Hello Steve, It's been a while since I did this myself, but I saved some bookmarks. These are related: http://www.vanemery.com/Protocols/POP/pop3-rh9-howto.html http://www.falkotimme.com/howtos/sendmail_smtp_auth_tls/ http://www.technoids.org/ I hope these help! Cheers, Glenn From mailscanner at yeticomputers.com Fri Mar 23 21:35:09 2007 
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Fri Mar 23 20:42:31 2007 Subject: IP address reputation, BorderWare In-Reply-To: <59E4A3A1069C2640959AD0F7518C4812052C7B@FLN1.fln.local> References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <46040A4A.90608@fractalweb.com> <59E4A3A1069C2640959AD0F7518C4812052C7B@FLN1.fln.local> Message-ID: <460439FD.3020307@yeticomputers.com> James Fagan wrote: > Has anyone actually lost service (DoS) due to this ? > I doubt that anyone running a serious mail server has actually lost service due to the minimal impact of this, as yet. > What are the real costs to other admins other than more log files, and > hating people like me ? > Please don't trivialize "more log files" or anything else that impacts the way other people prefer to handle their work flow. I don't hate "people like you", either. I just think that you assume too much about how much work it's okay for other people to absorb on your behalf. Without their consent, I mean. This line of thought is what leads spammers to say, "Just hit delete." They don't want to change something that's beneficial to them, so they expect us to handle the overflow work. Would this list even exist if spam was still at 1995 levels? Back then, *most* people I spoke with said, "What's the big deal? Let your users hit delete - it's what I do." Nowadays? Well, you know the score now. > Has anyone actually lost time or money because another server wanted to > verify if a sender actually existed ? > Yes. I have. I've spent hours more parsing logs than I should have because there were a ton of SAV log entries. Money? Mmf... Some people say "time is money." I don't know if I'd go that far, but I have certainly lost time. 
I don't pay myself any more regardless of how much time I sit in front of my servers trying to track down a problem. > Why is the ability to know if a user account is available on a system > built into many MTA's ? > Because it's not a bad idea on the surface. Neither are NDRs, if you leave out the existence of spam. Or a lot of other features which are abused by spammers. Most, if not all, of the top MTAs were designed well before spam reached anywhere close to the current volume. > Is SAV worse than any of the probes and scripted attacks ? > No, since most of the users of SAV are not being deliberately malicious. Just intrusively selfish. Hm... "intrusively selfish" There's something weird about that phrase. :) > I think I will extend the cache for SAV to two weeks and > I hope that can take some of the sting out. Besides we are small in > comparison. Thanks for making at least that effort. :) Rick From campbell at cnpapers.com Fri Mar 23 21:38:08 2007 From: campbell at cnpapers.com (Steve Campbell) Date: Fri Mar 23 20:45:41 2007 Subject: OT - Sendmail Auth References: <001801c76d84$cf565240$0705000a@ddf5dw71> <200703232021.l2NKL7sl013718@mxt.1bigthink.com> Message-ID: <001001c76d8b$2acb8090$0705000a@ddf5dw71> Thanks Steve ----- Original Message ----- 
From: "dnsadmin 1bigthink.com"
To: "MailScanner discussion"
Sent: Friday, March 23, 2007 4:20 PM
Subject: Re: OT - Sendmail Auth

> At 03:52 PM 3/23/2007, you wrote:
>
>>I need to set up SMTP Auth on a server to allow a roaming user to
>>send mail using one of our servers. The user will have a dynamic
>>IP. The server is not in the MX lists for our domains.
>>
>>I have the sendmail Cookbook, and an older version of the Bat book,
>>but every thing I do seems pointless and doesn't work, as far as I
>>can tell. The cookbook seems to make it sound real simple, and I do
>>get sendmail to acknowledge and advertise DIGEST-MD5 and CRAM-MD5.
>>After that, AuthInfo to the access db, and every thing after seems
>>to avoid the Sasl. I have also started the saslauthd daemon. I have
>>also created the user with the saslpasswd command.
>>
>>Does anyone have a good URL for setting up a Centos 3 server running
>>Sendmail 8.13 and the MUA being used by this user, which I think is
>>either Outlook Express or Thunderbird?
>>
>>Thanks for any pointers to a good site.
>
>
> Hello Steve,
>
> It's been a while since I did this myself, but I saved some bookmarks.
>
> These are related:
> http://www.vanemery.com/Protocols/POP/pop3-rh9-howto.html
> http://www.falkotimme.com/howtos/sendmail_smtp_auth_tls/
> http://www.technoids.org/
>
> I hope these help!
>
> Cheers,
> Glenn
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
From blaze at lake.k12.ca.us Fri Mar 23 21:39:12 2007
From: blaze at lake.k12.ca.us (Blaze King)
Date: Fri Mar 23 20:46:28 2007
Subject: upgraded spamassassin, mailscanner can't see it (fixed)
In-Reply-To: <460435B1.9070301@pacific.net>
References: <643717827D2BED469D39BE81B4AD635A1B55D0@exchange.lake.k12.ca.us> <46040C76.4010702@pacific.net><643717827D2BED469D39BE81B4AD635A1B55DC@exchange.lake.k12.ca.us> <46041609.10009@pacific.net><643717827D2BED469D39BE81B4AD635A1B55E9@exchange.lake.k12.ca.us> <460435B1.9070301@pacific.net>
Message-ID: <643717827D2BED469D39BE81B4AD635A1B5609@exchange.lake.k12.ca.us>

Yeah that worked! I took out the references to "UTF-8" at "/etc/sysconfig/i18n", login/logout, and ran /install.sh again. Didn't see the error, so I started MailScanner, and all is well! Thank you so much!

Blaze King
Senior Network Administrator
Lake County Office of Education
(707) 262-4147

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A
Sent: Friday, March 23, 2007 1:17 PM
To: MailScanner discussion
Subject: Re: upgraded spamassassin, mailscanner can't see it

Blaze King wrote:
> Here's the errors when running ./install from that folder:
>
>
>
> t/prefs_include............. Not found: qp-encoded-desc = Invalid
> Date: header =ae =af =b0 foo
> # Failed test 1 in t/SATest.pm at line 592
> t/prefs_include.............FAILED test 1
> Failed 1/2 tests, 50.00% okay
> t/razor2....................skipped
> all skipped: no reason given
>
> ...
>
>
> Failed Test Stat Wstat Total Fail Failed List of Failed
> ------------------------------------------------------------------------
> -------
> t/prefs_include.t 2 1 50.00% 1
> 9 tests skipped.
> Failed 1/67 test scripts, 98.51% okay. 1/1878 subtests failed, 99.95%
> okay.
> make: *** [test_dynamic] Error 29
>

Might be UTF-8 language ENV messing up the test. Edit /etc/sysconfig/i18n and remove the utf-8 stuff, then try again. You might need to logout/login to fixup the ENV, not sure. My i18n looks like this:

LANG="en_US"
SYSFONT="latarcyrheb-sun16"
SUPPORTED="en_US:en"

I thought there was a workaround already in the source, but perhaps it's not working automatically for you.

Ken
Pacific.Net

> ...
>
>
> Perl could not find your SpamAssassin installation.
> Strange, I just installed it.
> You should fix this!
>
>
>
> Blaze King
> Senior Network Administrator
> Lake County Office of Education
> (707) 262-4147
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A
> Sent: Friday, March 23, 2007 11:02 AM
> To: MailScanner discussion
> Subject: Re: upgraded spamassassin, mailscanner can't see it
>
>
>
> Blaze King wrote:
>> Ok, I've uninstalled spamassassin... I downloaded and installed
>> "http://mailscanner.info/files/4/install-Clam-0.88.7-SA-3.1.8.tar.gz",
>> and there is no spamassassin installed. What package do I need to
>> install to get MailScanner to use spamassassin? Thanks!
>
> If you downloaded and installed install-Clam-0.88.7-SA-3.1.8.tar.gz and
> it installed properly, then you do have spamassassin installed.
>
> You might want to run ./install.sh again from within the
> install-Clam-0.88.7-SA-3.1.8 directory and watch the output. If it fails
> to cleanly finish the install, paste the errors here and someone will be
> able to advise you what to do next.
>
> If there are no errors, then try running
> 'spamassassin --lint' and see what you get. If no errors, then check
> that MailScanner is set to "Use SpamAssassin = yes" in MailScanner.conf.
>
> Ken A.
> Pacific.Net
>
>
>> Blaze King
>> Senior Network Administrator
>> Lake County Office of Education
>> (707) 262-4147
>>
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Ken A
>> Sent: Friday, March 23, 2007 10:21 AM
>> To: MailScanner discussion
>> Subject: Re: FW: upgraded mailscanner, no more quarantine
>>
>>
>> Hi Blaze,
>> The best way to install MailScanner and SA on a linux box is to use the
>> packages from the MailScanner site. If your installed SA is from your
>> linux distro, you might need to rpm -e it and then use the MailScanner
>> packages.
>> Ken A. (just over the hill from you in Ukiah)
>> Pacific.Net
>>
>>> Blaze King
>>> Senior Network Administrator
>>> Lake County Office of Education
>>> (707) 262-4147
>>>
>>>
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info
>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Blaze King
>>> Sent: Friday, March 23, 2007 8:45 AM
>>> To: MailScanner discussion
>>> Subject: RE: upgraded mailscanner, no more quarantine
>>>
>>> Ok I feel stupid.
>>>
>>> MailScanner's quarantine was working just fine... I thought it wasn't
>>> because nothing new was in quarantine since the upgrade. Well when just
>>> I sent myself an unacceptable file (.bat), it was blocked and
>>> quarantined.
>>>
>>> I was testing the MailScanner with the "eicar" test virus, which it
>>> picked up and sent a notice to the postmaster e-mail account. While
>>> watching the maillog, no quarantine was ever attempted, so there was no
>>> error.
>>>
>>> Maybe the better question would be how do I modify what is quarantined
>>> and what isn't? I'll be looking through MailScanner's config again...
>>> Thanks!
>>>
>>> Blaze King
>>> Senior Network Administrator
>>> Lake County Office of Education
>>> (707) 262-4147
>>> -----Original Message-----
>>> From: mailscanner-bounces@lists.mailscanner.info
>>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
>>> Martin.Hepworth
>>> Sent: Friday, March 23, 2007 2:26 AM
>>> To: MailScanner discussion
>>> Subject: RE: upgraded mailscanner, no more quarantine
>>>
>>>
>>> Blaze
>>>
>>> Where's the old stuff then???? Odd
>>>
>>> Make sure /var/spool/MailScanner/quarantine isn't a sym link to
>>> somewhere else.
>>>
>>> make sure the user you're running as (eg postfix or mailnull) can write
>>> to that dir. Also make I'd say the perms should be 640 at minimum,
>>> otherwise the apache group won't be able to read the files/dirs!
>>>
>>> You can run in debug mode and see what happens...
>>>
>>> su - -c "/MailScanner -debug"
>>>
>>> and see if it's complaining about anything on the quarantine..
>>>
>>> --
>>> Martin Hepworth
>>> Snr Systems Administrator
>>> Solid State Logic
>>> Tel: +44 (0)1865 842300
>>>
>>>> -----Original Message-----
>>>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Blaze King
>>>> Sent: 22 March 2007 19:08
>>>> To: mailscanner@lists.mailscanner.info
>>>> Subject: upgraded mailscanner, no more quarantine
>>>>
>>>> Hey I'm a long time mailscanner user, but this is my first post to the
>>>> list. I recently upgraded to 4.58.9-1 on my rhel3 server. Since then,
>>>> nothing ends up in quarantine. Here's what I know...
>>>>
>>>> (/etc/MailScanner/MailScanner.conf)
>>>> Quarantine Dir = /var/spool/MailScanner/quarantine
>>>> Quarantine User = root
>>>> Quarantine Group = apache (I'm using mailwatch)
>>>> Quarantine Permissions = 0600
>>>> Quarantine Infections = yes
>>>> Quarantine Whole Message = yes
>>>> Quarantine Whole Messages As Queue Files = no
>>>>
>>>> [root@mail MailScanner]# ll /var/spool/MailScanner/quarantine
>>>> total 0
>>>>
>>>> Any suggestions? Thanks!
>>>>
>>>> Blaze King
>>>> Senior Network Administrator
>>>> Lake County Office of Education
>>>> (707) 262-4147

From r.berber at computer.org Fri Mar 23 22:35:11 2007
From: r.berber at computer.org (René Berber)
Date: Fri Mar 23 21:42:57 2007
Subject: OT - Sendmail Auth
In-Reply-To: <001801c76d84$cf565240$0705000a@ddf5dw71>
References: <001801c76d84$cf565240$0705000a@ddf5dw71>
Message-ID:

Steve Campbell wrote:
> I need to set up SMTP Auth on a server to allow a roaming user to send
> mail using one of our servers. The user will have a dynamic IP. The
> server is not in the MX lists for our domains.
>
> I have the sendmail Cookbook, and an older version of the Bat book, but
> every thing I do seems pointless and doesn't work, as far as I can tell.
> The cookbook seems to make it sound real simple, and I do get sendmail
> to acknowledge and advertise DIGEST-MD5 and CRAM-MD5. After that,
> AuthInfo to the access db, and every thing after seems to avoid the
> Sasl. I have also started the saslauthd daemon. I have also created the
> user with the saslpasswd command.
[snip]

Start by using LOGIN or PLAIN, saslauthd/sendmail don't do the ones you are trying.
--
René Berber

From itdept at fractalweb.com Fri Mar 23 22:54:10 2007
From: itdept at fractalweb.com (Chris Yuzik)
Date: Fri Mar 23 22:01:37 2007
Subject: IP address reputation, BorderWare
In-Reply-To:
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com>
Message-ID: <46044C82.8090206@fractalweb.com>

Kevin Miller wrote:
>
> Well, as someone else pointed out, that server will get hassled either
> way. Without SAV I'm accepting mail from invalid users. If someone
> uses phoney from addresses with your domain, and runs a dictionary
> attack against me, I'm going to send an NDR back to your server for each
> address that is invalid on my side. That will take a lot more server
> resources and bandwidth on your side than a simple SAV query would have.
> With SAV, I never accept the message from the original sender, saving
> that bandwidth on both the last mile as well as the core routers, and I
> never send you an unnecessary NDR saving you server usage, lastmile
> bandwidth, and core router usage.
>
> Personally, I'd rather someone query my server, than send my users NDRs
> from Joe jobbed spam. It's a lot less resource intensive as nearly as I
> can see..
>
Kevin,

You make a good point here. As part of the default setup for most (all?) MTAs, a message to an invalid recipient results in a fail message being sent back to the joe-jobbed sender's server. So, if someone sends to hundreds of non-existent users at a server from hundreds of non-existent users at the joe-jobbed server, the recipient's server will automatically send fail messages back.

On the other hand, if the recipient's server is doing SAV, then it will check each of the hundreds of fake senders, find out they don't exist, and NOT send a fail message back to the joe-jobbed domain's server.

So, for example let's say a piece of spam arrives that is 20 KB in size from a non-existent user at a joe-jobbed domain to a non-existent user at the recipient's domain, and assume that the recipient has a current and somewhat sanely configured MTA (no catch-all account, etc). Let's give these sallydoe@joe-jobbed.tld and bgates12345@domain1.com.

If domain1.com is not using SAV, then it will (likely) reject the message and a fail message will be sent to sallydoe@joe-jobbed.tld, possibly with the contents of the original message attached. Since sallydoe is not a valid user on joe-jobbed.tld, the fail message will also fail, end of transaction.

On the other hand, if domain1.com IS using SAV, then it will connect to the recipient's server to check to see if sallydoe has a valid account, and if not, reject the inbound message.

In either case, there is traffic to the joe-jobbed.tld domain's mail server, whether from SAV or backsplatter, and likely LESS traffic from SAV than from backsplatter.

Or am I completely missing something?

Chris

From taz at taz-mania.com Fri Mar 23 22:56:23 2007
From: taz at taz-mania.com (Dennis Willson)
Date: Fri Mar 23 22:03:37 2007
Subject: OT: IP address reputation, BorderWare
In-Reply-To: <4603FEAC.5000205@pixelhammer.com>
Message-ID:

Except in SMF-SAV it doesn't call back with <>. There is an entry in the config where you put the 'from' address. Last time I tried, it complained and would not start if I set that to blank (<>).

On Fri, 23 Mar 2007 12:22:04 -0400 DAve wrote:
>Dennis Willson wrote:
>>Why yes, I know how SAV handles greylisting.
>>
>>When SAV receives a temp failure, SAV returns a temp failure. A real
>>mail server will try again later which will cause SAV to verify again
>>when the sending server retries. This works just fine. However, if you
>>run greylisting too, this adds a double delay on the delivery of the
>>email.
>>
>
>We have several real mail servers, they all retry within 30 minutes.
>My question was would the tuple expire from the greylist DB *before*
>the retry took place. Checking the SAV archives and then the config
>for milter-greylist I see this,
>
># This option attempts to make milter-greylist more
># friendly with sender callback systems. When the
># message is from <>, it will be temporarily
># rejected at the DATA stage instead of the RCPT
># stage of the SMTP transaction. In the case of a
># multi recipient DSN, whitelisted recipient will
># not be honoured.
>delayedreject
>
>So milter-greylist is already making exceptions so we don't break
>SAV. That is good to know, though we hadn't any complaints.
>
>Thanks,
>
>DAve
>
>
>>I can live with that.
>>
>>
>>
>>DAve wrote:
>>>Chris Yuzik wrote:
>>>>Res wrote:
>>>>>The key here, you spoke to a salesman.
>>>>Heh. It could have been worse...I might have talked to a marketing
>>>>guy. ;-)
>>>>>Many ISP's are doing this and it upsets their stats so of course
>>>>>they don't want you to use it. Word gets around that it does this,
>>>>>more people will shy away from their product, they don't care at all
>>>>>about you protecting your users...unless you buy and use their
>>>>>product.
>>>>>
>>>>>Keep using the milter.
>>>>Apparently, Matt is working on a modification to SMF-SAV that will
>>>>change the order of the checks so that the sender is only verified IF
>>>>they're sending to a real recipient on our end. As soon as that comes
>>>>out, we'll implement that.
>>>>
>>>
>>>Does anyone know how greylisting affects milter-sav? What happens when
>>>I send an email to you and you attempt to verify me, and I greylist
>>>your attempt? You surely don't try to hold my delivery connection for
>>>5 minutes waiting to try again do you?
>>>
>>>If you refuse the delivery, I'll try again later and the whole cycle
>>>would begin anew because without a successful connection within a
>>>specified time, you will never get make it into my whitelist correct?
>>>
>>>DAve
>>>
>>
>
>
>--
>Three years now I've asked Google why they don't have a
>logo change for Memorial Day. Why do they choose to do logos
>for other non-international holidays, but nothing for
>Veterans?
>
>Maybe they forgot who made that choice possible.

--------------------------------------------------
Dennis Willson
taz@taz-mania.com
http://www.taz-mania.com
Ham (Extra Class): KA6LSW
GMRS : WQGF680
Scuba: Rescue Diver, EANx, Wreck, Night, Alt, Equip, UW Photographer, Gas Blender

Life should not be a journey to the grave with the intention of arriving safely in a nice looking and well preserved body, but rather to skid in broadside, thoroughly used up, totally worn out, and loudly proclaiming, "WOW! WHAT A RIDE!"

From res at ausics.net Fri Mar 23 23:02:36 2007
From: res at ausics.net (Res)
Date: Fri Mar 23 22:09:58 2007
Subject: OT: IP address reputation, BorderWare
In-Reply-To:
References: <4602F774.2030007@fractalweb.com> <46031747.9000000@fractalweb.com>
Message-ID:

On Fri, 23 Mar 2007, Scott Silva wrote:

hahahahaha, I gotta use this !!!! :P

> Tell them to kiss the bunnies;
>
> __ __
> ,-' Y `-,
> .' .-"`"`"-. `.
> ; ,` `. ;
> `/ \'
> / \
> { ;"";, }
> { /";`'`,; }
> \{ ;`,'`;. /
> { }`""` } /}
> { } { //
> {||} { /
> `"' `"'
> ;-P
>
>
>

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From res at ausics.net Fri Mar 23 23:12:16 2007
From: res at ausics.net (Res)
Date: Fri Mar 23 22:19:46 2007
Subject: IP address reputation, BorderWare
In-Reply-To:
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com>
Message-ID:

On Fri, 23 Mar 2007, Kevin Miller wrote:

> Bandwidth that isn't used by a spammer is bandwidth that is available
> for your users to use. No magic there. Think freeway - would you
> rather drive it under rush hour conditions or 3am conditions?
>

And since 75% of all internet pkts these days is spam your point is valid. SV is no worse than grey-listing in fact probably LESS, it causes more retries and bandwidth yet nobody seems to have a problem with those that do that.

It's simple, if anyone is so concerned about a few extra bytes of traffic in SV, you can solve all of your paranoia simply like this

telnet core
conf t
access-list 191 deny tcp any any eq 25

int FastEthernet0
ip access-group 191 in

..there all your problems have now gone away :P

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From Kevin_Miller at ci.juneau.ak.us Fri Mar 23 23:27:03 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Fri Mar 23 22:34:10 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <460435A5.8020507@yeticomputers.com>
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <460435A5.8020507@yeticomputers.com>
Message-ID:

Rick Chadderdon wrote:
> Kevin Miller wrote:
> Yes, I realize that I wasn't suitably clear there... I guess I was
> working from the assumption that everyone else had seen the same
> behavior I had. Each new delivery attempt comes with a new forged
> sender. I tried to clarify in my last post. If you have any
> statistics showing the ratio of cache hits to new addresses, at least
> in your case, I'd be interested in seeing them.

Between 7 am yesterday and 7 am today I got the following results:

Sender 1st time fails: 4697
Sender cache fails: 547
Total Sender fails: 5244

Recipient 1st time fail: 2355
Recipient cache fails: 766
Total Recipient fails: 3121

I rejected 1735 due to greet-pause. Those are dropped before SAV is attempted. Not overwhelming cache hits, but somewhere around 10% for the sender fails.

I usually accept around 5000 messages a day. Considering that I'm doing 200 megs a day, give or take, imagine the amount of bandwidth someone moving 500,000 messages a day generates. What's that 200,000 megs?

I whole heartedly agree I should be doing recipient checks first - it will be interesting to see where the numbers fall when that change is implemented.

>> I never said anything about what people charge for bandwidth.
>
> I know. I didn't think you were going to go metaphysical on me... :)
>
>> OK, I've added a few K of 'background noise'.
>> But I've stopped megabytes from being transmitted on the core
>> routers by doing so. That benefits everyone.
>
> How so? I get exactly the bandwidth I pay for, no matter who else is
> using how much.

Yes, but only for the last mile.

>> It isn't a last mile benefit,
>> directly to you, but the net result is more bandwidth for everybody
>> and you get that shared benefit along with everybody else.
>>
>
> This is an imaginary benefit, Kevin, until the pipe is so full that
> nobody is able to get what they're paying for. I don't see that
> happening anytime soon because the pipe just keeps getting bigger -
> there's plenty of room in it. I can think of a couple of possible
> edge cases where there might be some peripheral benefit to others from
> minimizing your own spam bandwidth, but nothing very compelling.

The pipe does just keep getting bigger, but it wouldn't have to if more spam was stopped before it's sent. In a very real sense, by accepting spam I'm passing on the cost of bigger pipes to someone else. They have to keep adding bigger pipes so we don't max it out in order to accommodate that 200,000 megs mentioned above.

>> Bandwidth that isn't used by a spammer is bandwidth that is available
>> for your users to use. No magic there. Think freeway - would you
>> rather drive it under rush hour conditions or 3am conditions?
>>
>
> This is, as always, a poor analogy. And in this argument, it presumes
> that those "rush hour" conditions affect me adversely. My users get
> use of as much bandwidth as I pay for, regardless of who is spamming
> whom, or in what volume.

No, because your users aren't constrained to just your network. Once you leave your local ISP you're riding someone else's lightning. But I guess we'll have to agree to disagree on this one.

>>> Well, as someone else pointed out, that server will get hassled
>>> either way. Without SAV I'm accepting mail from invalid users. If
>>> someone uses phoney from addresses with your domain, and runs a
>>> dictionary attack against me, I'm going to send an NDR back to your
>>> server for each address that is invalid on my side. That will take
>>> a lot more server resources and bandwidth on your side than a
>>> simple SAV query would have.
>>>
>
> Not really. I reject mail to invalid recipients, so it's pretty much
> a wash. I get the same transaction, either way. I can control normal
> backscatter well enough.

OK, I see what you mean there.

> I don't care much for the practice of sending NDRs *after* accepting a
> message. Check your valid users *before* you have to bounce an
> incoming message. Failure to do so is just another way of letting
> spammers cause you to use the resources of others. You sure don't
> want to be sending actual NDRs to people who never mailed you. Let
> this be handled during the SMTP transaction, where it belongs.

We're in absolute agreement there.

> My point is that I can handle the stuff that happens as a normal part
> of running a mail server. It's deliberate and unwanted use of my
> resources that bothers me. Misconfigured servers bother me. Bad
> autoresponders bother me. I don't mind so much when it's because
> someone hasn't learned better yet, but when it's a considered
> decision on their part that my resources are ok to use, whether I
> like it or not... That's when I get grumpy.

I guess I consider a sender lookup against my server a normal part of running it, similar to SPF record queries being a normal part. SPF doesn't stop spam to me as a rule. It can help stop spam from someone forging my domain however. I like that. If someone using SAV queries my server, I've helped stop spam again. I like that too. I may or may not see a benefit, but I don't have to. I'm happy knowing some spammer isn't. On the other hand, I do see a benefit, because my users don't get an NDR for mail they didn't send because the spam was squelched. But hey, that's just me.

>>> Personally, I'd rather someone query my server, than send my users
>>> NDRs from Joe jobbed spam. It's a lot less resource intensive as
>>> nearly as I can see..
>
>
> It seems as though the IT industry is filled with two extremes: pure
> pragmatists and pure idealists. I'm a weird mix of the two, but when
> something goes against one of my 'ideals', I have a hard time looking
> at it pragmatically. As a pragmatist, I'd probably agree that a
> query is better than an NDR. As an idealist, I believe that the
> majority of NDRs being sent out are being done by servers configured
> by people who didn't know any better, so it's more tolerable than
> someone who is deliberately and knowingly hammering on my system to
> save his own bandwidth.

But NDRs are sent by servers administered by people who *should* know better. Like Yahoo and AOL. If it was your average user sending them out I'd agree with you but that's not who's configuring servers.

> I know I'm not going to change your behavior, but I hope I've managed
> to explain why SAV bothers me.

Sure, and I respect your position. Nor do I expect to change yours necessarily. I just think SAV is the lesser of two evils.

Now if they would just let us cane spammers we would see spam disappear overnight. But that's more of that idealism...

...Kevin
--
Kevin Miller Registered Linux User No: 307357
CBJ MIS Dept. Network Systems Admin., Mail Admin.
155 South Seward Street ph: (907) 586-0242
Juneau, Alaska 99801 fax: (907 586-4500

From itdept at fractalweb.com Sat Mar 24 01:18:36 2007
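An added illustration, not code from the thread, from SMF-SAV or from any milter: a small Python model of the SAV decision argued over above, showing how checking the recipient before the sender callout, and caching sender verdicts, changes how many callouts reach the forged domain's server. The class and function names, the `probe` stand-in for the SMTP callout, the `greylisting.example` domain and the traffic sample are all constructed for this example; the two-week cache lifetime is the value proposed in the thread.

```python
import time

ACCEPT = "accept"
REJECT_RCPT = "reject_recipient"
REJECT_SENDER = "reject_sender"
TEMPFAIL = "tempfail"


class SavGate:
    """Toy model of an SAV decision point (hypothetical, not SMF-SAV's code)."""

    def __init__(self, local_recipients, probe, recipient_first=True,
                 cache_ttl=14 * 24 * 3600, clock=time.time):
        self.local_recipients = {r.lower() for r in local_recipients}
        self.probe = probe                # hypothetical stand-in for the SMTP callout
        self.recipient_first = recipient_first
        self.cache_ttl = cache_ttl        # default: the two weeks proposed in the thread
        self.clock = clock
        self.cache = {}                   # sender -> (exists, expiry time)
        self.stats = {"callouts": 0, "sender_first_fail": 0,
                      "sender_cache_fail": 0, "recipient_fail": 0}

    def _verify_sender(self, sender):
        """Return True (mailbox exists), False (rejected) or None (temp failure)."""
        now = self.clock()
        hit = self.cache.get(sender)
        if hit is not None and hit[1] > now:
            if not hit[0]:
                self.stats["sender_cache_fail"] += 1
            return hit[0]
        self.stats["callouts"] += 1       # traffic sent to the (possibly forged) domain
        exists = self.probe(sender)
        if exists is None:
            return None                   # temp failure is passed on; this model does not cache it
        self.cache[sender] = (exists, now + self.cache_ttl)
        if not exists:
            self.stats["sender_first_fail"] += 1
        return exists

    def check(self, sender, recipient):
        """Verdict for one MAIL FROM / RCPT TO pair."""
        sender = sender.strip("<>").lower()
        recipient = recipient.strip("<>").lower()
        rcpt_ok = recipient in self.local_recipients
        if self.recipient_first and not rcpt_ok:
            self.stats["recipient_fail"] += 1
            return REJECT_RCPT            # rejected without spending a callout
        if sender:                        # null sender <> has no mailbox to verify
            exists = self._verify_sender(sender)
            if exists is None:
                return TEMPFAIL
            if not exists:
                return REJECT_SENDER
        if not rcpt_ok:
            self.stats["recipient_fail"] += 1
            return REJECT_RCPT
        return ACCEPT


# Constructed sample traffic: (envelope sender, envelope recipient).
TRAFFIC = [
    ("sallydoe@joe-jobbed.tld", "bgates12345@domain1.com"),   # forged sender, bad recipient
    ("fake1@joe-jobbed.tld", "bgates12346@domain1.com"),      # forged sender, bad recipient
    ("fake2@joe-jobbed.tld", "kevin@domain1.com"),            # forged sender, real recipient
    ("fake2@joe-jobbed.tld", "postmaster@domain1.com"),       # same forged sender again
    ("alice@joe-jobbed.tld", "kevin@domain1.com"),            # real sender
    ("alice@joe-jobbed.tld", "kevin@domain1.com"),            # real sender, now cached
    ("<>", "kevin@domain1.com"),                              # bounce with null sender
    ("list@greylisting.example", "kevin@domain1.com"),        # remote side temp-fails the callout
    ("list@greylisting.example", "kevin@domain1.com"),        # retry, temp-fails again
]


def constructed_probe(sender):
    """Pretend callout: one real mailbox, one domain that always temp-fails."""
    if sender.endswith("@greylisting.example"):
        return None
    return sender == "alice@joe-jobbed.tld"


def simulate(recipient_first):
    """Run the constructed traffic through a fresh gate; return (verdicts, stats)."""
    gate = SavGate({"kevin@domain1.com", "postmaster@domain1.com"},
                   constructed_probe, recipient_first=recipient_first)
    verdicts = [gate.check(s, r) for s, r in TRAFFIC]
    return verdicts, gate.stats


if __name__ == "__main__":
    for order in (True, False):
        _, stats = simulate(order)
        print("recipient_first =", order, stats)
```

With the recipient check first, the two messages to unknown recipients never cause a callout; the repeated temporary failure costs a callout on every retry in either ordering.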
From: itdept at fractalweb.com (Chris Yuzik)
Date: Sat Mar 24 00:26:00 2007
Subject: IP address reputation, BorderWare
In-Reply-To:
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com>
Message-ID: <46046E5C.8020209@fractalweb.com>

Res wrote:
>
> It's simple, if anyone is so concerned about a few extra bytes of
> traffic in SV, you can solve all of your paranoia simply like this
>
> telnet core
> conf t
> access-list 191 deny tcp any any eq 25
>
> int FastEthernet0
> ip access-group 191 in
>
>
Res,

Somebody's gonna type that in! Hopefully they won't. But somebody might! Oy!

Chris

From lars+lister.mailscanner at adventuras.no Sat Mar 24 01:17:57 2007
From: lars+lister.mailscanner at adventuras.no (Lars Kristiansen)
Date: Sat Mar 24 00:26:04 2007
Subject: OT - Sendmail Auth
In-Reply-To:
References: <001801c76d84$cf565240$0705000a@ddf5dw71>
Message-ID: <46046E35.4010309@adventuras.no>

René Berber wrote:
> Steve Campbell wrote:
>
>> I need to set up SMTP Auth on a server to allow a roaming user to send
>> mail using one of our servers. The user will have a dynamic IP. The
>> server is not in the MX lists for our domains.
>>
>> I have the sendmail Cookbook, and an older version of the Bat book, but
>> every thing I do seems pointless and doesn't work, as far as I can tell.
>> The cookbook seems to make it sound real simple, and I do get sendmail
>> to acknowledge and advertise DIGEST-MD5 and CRAM-MD5. After that,
>> AuthInfo to the access db, and every thing after seems to avoid the
>> Sasl. I have also started the saslauthd daemon. I have also created the
>> user with the saslpasswd command.
> [snip]
>
> Start by using LOGIN or PLAIN, saslauthd/sendmail don't do the ones you are trying.

Unless using sasldb and setting "auxprop" in the sasl2/Sendmail.conf. Since OP is using saslpasswd then he is using sasldb.

Here are examples for Sendmail.conf:

$ cat /usr/local/lib/sasl2/Sendmail.conf~
pwcheck_method: saslauthd
$ cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: auxprop

--
Regards,
Lars

From campbell at cnpapers.com Sat Mar 24 01:32:48 2007
From: campbell at cnpapers.com (Steve Campbell)
Date: Sat Mar 24 00:41:04 2007
Subject: OT - Sendmail Auth
In-Reply-To: <46046E35.4010309@adventuras.no>
References: <001801c76d84$cf565240$0705000a@ddf5dw71> <46046E35.4010309@adventuras.no>
Message-ID: <1174696368.460471b0699b9@perdition.cnpapers.net>

Quoting Lars Kristiansen :

> René Berber wrote:
> > Steve Campbell wrote:
> >
> >> I need to set up SMTP Auth on a server to allow a roaming user to send
> >> mail using one of our servers. The user will have a dynamic IP. The
> >> server is not in the MX lists for our domains.
> >>
> >> I have the sendmail Cookbook, and an older version of the Bat book, but
> >> every thing I do seems pointless and doesn't work, as far as I can tell.
> >> The cookbook seems to make it sound real simple, and I do get sendmail
> >> to acknowledge and advertise DIGEST-MD5 and CRAM-MD5. After that,
> >> AuthInfo to the access db, and every thing after seems to avoid the
> >> Sasl. I have also started the saslauthd daemon. I have also created the
> >> user with the saslpasswd command.
> > [snip]
> >
> > Start by using LOGIN or PLAIN, saslauthd/sendmail don't do the ones you are trying.
>
> Unless using sasldb and setting "auxprop" in the sasl2/Sendmail.conf.
> Since OP is using saslpasswd then he is using sasldb.
>
> Here is examples for Sendmail.conf:
> $ cat /usr/local/lib/sasl2/Sendmail.conf~
> pwcheck_method: saslauthd
> $ cat /usr/local/lib/sasl2/Sendmail.conf
> pwcheck_method: auxprop

This is the first I've seen the auxprop stuff. I'll lookup more on that next week.

Thanks all,

Steve

>
>
> --
> Regards,
> Lars

From lars+lister.mailscanner at adventuras.no Sat Mar 24 03:48:47 2007
From: lars+lister.mailscanner at adventuras.no (Lars Kristiansen)
Date: Sat Mar 24 02:56:36 2007
Subject: OT - Sendmail Auth
In-Reply-To: <1174696368.460471b0699b9@perdition.cnpapers.net>
References: <001801c76d84$cf565240$0705000a@ddf5dw71> <46046E35.4010309@adventuras.no> <1174696368.460471b0699b9@perdition.cnpapers.net>
Message-ID: <4604918F.4070403@adventuras.no>

Steve Campbell wrote:
> Quoting Lars Kristiansen :
>
>> René Berber wrote:
>>> Steve Campbell wrote:
>>>
>>>> I need to set up SMTP Auth on a server to allow a roaming user to send
>>>> mail using one of our servers. The user will have a dynamic IP. The
>>>> server is not in the MX lists for our domains.
>>>>
>>>> I have the sendmail Cookbook, and an older version of the Bat book, but
>>>> every thing I do seems pointless and doesn't work, as far as I can tell.
>>>> The cookbook seems to make it sound real simple, and I do get sendmail
>>>> to acknowledge and advertise DIGEST-MD5 and CRAM-MD5. After that,
>>>> AuthInfo to the access db, and every thing after seems to avoid the
>>>> Sasl. I have also started the saslauthd daemon. I have also created the
>>>> user with the saslpasswd command.
>>> [snip]
>>>
>>> Start by using LOGIN or PLAIN, saslauthd/sendmail don't do the ones you are trying.
>>
>> Unless using sasldb and setting "auxprop" in the sasl2/Sendmail.conf.
>> Since OP is using saslpasswd then he is using sasldb.
>>
>> Here are examples for Sendmail.conf:
>> $ cat /usr/local/lib/sasl2/Sendmail.conf~
>> pwcheck_method: saslauthd
>> $ cat /usr/local/lib/sasl2/Sendmail.conf
>> pwcheck_method: auxprop
>
> This is the first I've seen the auxprop stuff. I'll look up more on that next week.

For an independent user database on a single computer, auxprop and sasldb
was the easy way for me. Other people may have more sophisticated needs.
If your users are also unix-accounts I think you can use saslauthd and PAM.

Good night,
Lars

> Thanks all,
>
> Steve
>>
>> --
>> Regards,
>> Lars
>
> -------------------------------------------------
> This mail sent through IMP: http://horde.org/imp/

From res at ausics.net Sat Mar 24 04:19:29 2007
From: res at ausics.net (Res)
Date: Sat Mar 24 03:26:52 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <46046E5C.8020209@fractalweb.com>
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <46046E5C.8020209@fractalweb.com>
Message-ID:

On Fri, 23 Mar 2007, Chris Yuzik wrote:

> Res wrote:
>>
>> It's simple, if anyone is so concerned about a few extra bytes of traffic
>> in SV, you can solve all of your paranoia simply like this
>>
>> telnet core
>> conf t
>> access-list 191 deny tcp any any eq 25
>>
>> int FastEthernet0
>> ip access-group 191 in
>>
>>
> Res,
>
> Somebody's gonna type that in! Hopefully they won't. But somebody might! Oy!

Chris, that's the solution if they don't like the extra half a dozen TCP pkts :)

Seriously, they need to get over it, like I said more traffic generation
is caused by greylisting, yet 90% of this list try to say we should all use it,
there is just no difference really, it's extra non-common smtp traffic
generation, the same as SV.

Personally I don't use either, and for time being never will, however if I
do, I'd more likely use SV than greylisting.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From res at ausics.net Sat Mar 24 04:21:34 2007
From: res at ausics.net (Res)
Date: Sat Mar 24 03:28:58 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <46046E5C.8020209@fractalweb.com>
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <46046E5C.8020209@fractalweb.com>
Message-ID:

On Fri, 23 Mar 2007, Chris Yuzik wrote:

> Res wrote:
>>
>> It's simple, if anyone is so concerned about a few extra bytes of traffic
>> in SV, you can solve all of your paranoia simply like this
>>
>> telnet core
>> conf t
>> access-list 191 deny tcp any any eq 25
>>
>> int FastEthernet0
>> ip access-group 191 in
>>
>>
> Res,
>
> Somebody's gonna type that in! Hopefully they won't. But somebody might! Oy!

Oh yeah, I forgot... If anyone's silly enough to type that in without
knowing what it does, they *deserve* the end result ;)

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From tjc at ecs.soton.ac.uk Sat Mar 24 13:42:53 2007
From: tjc at ecs.soton.ac.uk (Tim Chown)
Date: Sat Mar 24 12:50:35 2007
Subject: Julian is out of hospital
Message-ID: <20070324124253.GB3188@login.ecs.soton.ac.uk>

Subject line says it all.

No idea yet how much recuperation is needed before he'll be online in
a personal or other capacity, but the fact that he's back in his own home
with his parents looking after him is really good news.

I'll not post any further updates. Hopefully the next update will, in
due course, be from Jules himself.

--
Tim

From joost at waversveld.nl Sat Mar 24 13:59:30 2007
From: joost at waversveld.nl (Joost Waversveld)
Date: Sat Mar 24 13:06:47 2007
Subject: Julian is out of hospital
In-Reply-To: <20070324124253.GB3188@login.ecs.soton.ac.uk>
References: <20070324124253.GB3188@login.ecs.soton.ac.uk>
Message-ID: <20070324135930.ojnn279jwwgwkk4o@webmail.waversveld.nl>

This is really great news. Hopefully he takes the time to recover well, before doing too much ;-)

Tim, thanks for keeping us up to date all the time. We really appreciate it!

----- Message from tjc@ecs.soton.ac.uk ---------
Date: Sat, 24 Mar 2007 12:42:53 +0000
From: Tim Chown
Reply-To: MailScanner discussion
Subject: Julian is out of hospital
To: MailScanner discussion

> Subject line says it all.
>
> No idea yet how much recuperation is needed before he'll be online in
> a personal or other capacity, but the fact that he's back in his own home
> with his parents looking after him is really good news.
>
> I'll not post any further updates. Hopefully the next update will, in
> due course, be from Jules himself.
>
> --
> Tim

----- End of message from tjc@ecs.soton.ac.uk -----

From satya at fsl.com Sat Mar 24 14:00:21 2007
From: satya at fsl.com (SatyaDev Sharma) Date: Sat Mar 24 13:07:42 2007 Subject: Julian is out of hospital In-Reply-To: <20070324124253.GB3188@login.ecs.soton.ac.uk> References: <20070324124253.GB3188@login.ecs.soton.ac.uk> Message-ID: <8d5fd62c0703240600g5ec18632ke6321ea800e05ad0@mail.gmail.com> Hey TIM !!! WoW ! Thats Great NEWS !! Thanx to God and All the best Julian. I will have one extra beer tonight ;) Thanx and Regards.. -SatyaDev Fort Systems Ltd. On 3/24/07, Tim Chown wrote: > > Subject line says it all. > > No idea yet how much recuperation is needed before he'll be online in > a personal or other capacity, but the fact that he's back in his own home > with his parents looking after him is really good news. > > I'll not post any further updates. Hopefully the next update will, in > due course, be from Jules himself. > > -- > Tim > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070324/548703f2/attachment.html From res at ausics.net Sat Mar 24 14:00:41 2007 
From: res at ausics.net (Res)
Date: Sat Mar 24 13:08:06 2007
Subject: Julian is out of hospital
In-Reply-To: <20070324124253.GB3188@login.ecs.soton.ac.uk>
References: <20070324124253.GB3188@login.ecs.soton.ac.uk>
Message-ID:

Tim,

This is great news, I suspect we won't hear from him for a few weeks at
very least, nor should we, he needs lots of recuperation.

Thanks very much for taking the time to keep us all informed, it has been
very much appreciated.

Cheers

On Sat, 24 Mar 2007, Tim Chown wrote:

> Subject line says it all.
>
> No idea yet how much recuperation is needed before he'll be online in
> a personal or other capacity, but the fact that he's back in his own home
> with his parents looking after him is really good news.
>
> I'll not post any further updates. Hopefully the next update will, in
> due course, be from Jules himself.
>

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From root at doctor.nl2k.ab.ca Sat Mar 24 15:02:08 2007
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Sat Mar 24 14:21:59 2007 Subject: Julian is out of hospital In-Reply-To: <20070324124253.GB3188@login.ecs.soton.ac.uk> References: <20070324124253.GB3188@login.ecs.soton.ac.uk> Message-ID: <20070324140208.GA6767@doctor.nl2k.ab.ca> On Sat, Mar 24, 2007 at 12:42:53PM +0000, Tim Chown wrote: > Subject line says it all. > > No idea yet how much recuperation is needed before he'll be online in > a personal or other capacity, but the fact that he's back in his own home > with his parents looking after him is really good news. > > I'll not post any further updates. Hopefully the next update will, in > due course, be from Jules himself. > Hopefully a speedy and restful recovery. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Sat Mar 24 15:28:50 2007 
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Mar 24 14:36:10 2007
Subject: IP address reputation, BorderWare
In-Reply-To:
References: <4602FAAA.20009@fractalweb.com> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <46046E5C.8020209@fractalweb.com>
Message-ID: <223f97700703240728v4368ade4u2c0ff9265ce2a78@mail.gmail.com>

On 24/03/07, Res wrote:
> On Fri, 23 Mar 2007, Chris Yuzik wrote:
>
> > Res wrote:
> >>
> >> It's simple, if anyone is so concerned about a few extra bytes of traffic
> >> in SV, you can solve all of your paranoia simply like this
> >>
> >> telnet core
> >> conf t
> >> access-list 191 deny tcp any any eq 25
> >>
> >> int FastEthernet0
> >> ip access-group 191 in
> >>
> >>
> > Res,
> >
> > Somebody's gonna type that in! Hopefully they won't. But somebody might! Oy!
>
>
> Oh yeah, I forgot... If anyone's silly enough to type that in without
> knowing what it does, they *deserve* the end result ;)
>

And that is the reason I dubbed you the evil bunny in the first
place... An evil bunny we like and respect (well, at least I do:-),
but still an evil bunny;-):-).

On the subject, someone (was that Rick? Antoni? don't remember...)
mentioned SAV not being part of the RFCs, which is technically
correct... But AV _is_ part of them... A stupid, useless and unusable
form (VRFY & EXPN), but still part of them. Not that anyone should
have those enabled. Going from that thought to SAV isn't that far a
leap (yeah, I'm playing devil's advocate here:-).

Another "devil's advocate" perspective... Since we have publicly
available mailservers, conforming to the RFCs (hopefully:-), we _have_
accepted the possibility of someone using the normal SMTP conversation
commands to verify if the sender indeed is a legitimate address (which
is more than an implied requirement in the RFCs, IIRC... always
doubtful, that last bit, so please correct me if I do remember
wrong:), so moaning about the little waste of resources it introduces
becomes ... somewhat ludicrous...

Having said that... For me, recipient verification is far more
important than sender verification... I don't use it simply because
it'd be less than effective, for me/my organization. But basically I'm
with the Evil Bunny on this one;-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sat Mar 24 15:31:50 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Mar 24 14:39:10 2007
Subject: Julian is out of hospital
In-Reply-To:
References: <20070324124253.GB3188@login.ecs.soton.ac.uk>
Message-ID: <223f97700703240731v55084685o40f2591a2f30ad8@mail.gmail.com>

On 24/03/07, Res wrote:
> Tim,
>
> This is great news, I suspect we won't hear from him for a few weeks at
> very least, nor should we, he needs lots of recuperation.
>
> Thanks very much for taking the time to keep us all informed, it has been
> very much appreciated.
>
> Cheers

Another thing the Evil Bunny got right, couldn't agree more with Noel on this!

Cheers Tim and Cheers Jules!

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From patrik at chorus.com.br Sat Mar 24 19:00:34 2007
From: patrik at chorus.com.br (patrik)
Date: Sat Mar 24 18:07:58 2007
Subject: Trouble with Mailscanner and Postfix 2.2.10
Message-ID: <003901c76e3e$51b36ed0$150aa8c0@station21>

Hi people.

This is my first time on this list.

Please, I'm having the following trouble: I sent a mail to a destination and the
system receives the message. MailScanner starts to look for viruses with
deferred, but it didn't deliver the message to the mailbox; it remains at
/var/spool/MailScanner/incoming.

It happens with incoming and outgoing messages.

I noticed that it happens when I use Postfix 2.2 or higher; if I use
Postfix 2.1.x, no problem, everything works fine.

Now I'm using Centos 4.4 kernel 2.6.9-42, Postfix 2.2.10, MailScanner-4.58.9-1.

Can someone help me?

Thanks

Chorus Informatica
Patrik Souza - Diretor
Phone: 11 56216177
Mobile: 11 99018568

The information contained in this message is confidential. It is intended solely for the use of the individual(s) and/or entity (ies) addressed above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, dissemination or using this message or the information contained herein is strictly prohibited. If you have received this message in error, please notify us by electronic mail and please delete the message from your system.

From jimc at laridian.com Sat Mar 24 19:08:51 2007
From: jimc at laridian.com (Jim Coates) Date: Sat Mar 24 18:18:37 2007 Subject: Julian is out of hospital In-Reply-To: <20070324124253.GB3188@login.ecs.soton.ac.uk> Message-ID: <012101c76e3f$7a647f30$6501a8c0@zorak> Awesome!!! Glad to hear it (and welcome home, Julian!!) Jim > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Tim Chown > Sent: Saturday, March 24, 2007 7:43 AM > To: MailScanner discussion > Subject: Julian is out of hospital > > > Subject line says it all. > > No idea yet how much recuperation is needed before he'll be > online in a personal or other capacity, but the fact that > he's back in his own home with his parents looking after him > is really good news. > > I'll not post any further updates. Hopefully the next > update will, in > due course, be from Jules himself. > > -- > Tim > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From john at katy.com Sat Mar 24 19:31:17 2007 
From: john at katy.com (John Schmerold)
Date: Sat Mar 24 18:38:50 2007
Subject: Alternative to /etc/mail/spamassassin/local.cf
Message-ID: <46056E75.9040604@katy.com>

I learned about /etc/mail/spamassassin/local.cf a few weeks ago, now I
find myself adding quite a few rules like this:

score LOCAL__H_from_newegg -2.5
header LOCAL__H_from_newegg From =~ /newegg\.com/i
describe LOCAL__H_from_newegg newegg announcements

I don't want to open the door to every idiot that forges NewEgg's email,
so I don't want to whitelist newegg.

The problem is I'm starting to get a lot of these rules and maintaining
the list is getting more problematic, not to mention subject to human
error.

Anyone know of a better way to tell MailScanner &/or SpamAssassin to
reduce the score by a few points when the sending is included in a list
of domains?

TIA

--
John Schmerold
Katy Computer & Wireless
347 Clarkson Rd
Ellisville MO 63011
636-861-6900 v
775-227-6947 f

From glenn.steen at gmail.com Sat Mar 24 19:36:48 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Mar 24 18:44:09 2007
Subject: Trouble with Mailscanner and Postfix 2.2.10
In-Reply-To: <003901c76e3e$51b36ed0$150aa8c0@station21>
References: <003901c76e3e$51b36ed0$150aa8c0@station21>
Message-ID: <223f97700703241136v4bd06936wef630e88fcd7bd12@mail.gmail.com>

On 24/03/07, patrik wrote:
>
> Hi people.
>
> This is my first time in that list.
>
> Please I'm having the next trouble I sent a mail to destination and the
> system receive the messages MailScanner start to look for virus with
> deferred but he didn't deliver the message to mail box, it remains at
> /var/spool/MailScanner/incoming.

Don't tell me you are using the _very deprecated_ defer method (and
two instances of Postfix)? You should be using the HOLD method (one
instance of Postfix). Look at http://www.mailscanner.info/postfix.html
and http://wiki.mailscanner.info/doku.php?id=&idx=documentation:configuration:mta:postfix
(especially the howto subsection has a lot of good things, and there
are some nice notes in the install wiki document).

> It happens with incoming and outgoing messages.
>
> I could note that its happens when I use Postfix 2.2 or high, if I use
> postfix 2.1.x no problem everything works fine.
>

MailScanner with the HOLD method works flawlessly with pretty much any
version of postfix, especially the 2.2.x versions.

> Now I'am using Centos 4.4 kernel 2.6.9-42, Postfix 2.2.10,
> MailScanner-4.58.9-1.

Which is a very supported combo, provided you use the HOLD method.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From gerard at seibercom.net Sat Mar 24 19:45:50 2007
From: gerard at seibercom.net (Gerard Seibert)
Date: Sat Mar 24 18:53:13 2007
Subject: Trouble with Mailscanner and Postfix 2.2.10
In-Reply-To: <003901c76e3e$51b36ed0$150aa8c0@station21>
References: <003901c76e3e$51b36ed0$150aa8c0@station21>
Message-ID: <20070324144550.1f7122be@localhost>

On Sat, 24 Mar 2007 15:00:34 -0300 "patrik" wrote:

> This is my first time in that list.
>
> Please I'm having the next trouble I sent a mail to destination and
> the system receive the messages MailScanner start to look for virus
> with deferred but he didn't deliver the message to mail box, it
> remains at /var/spool/MailScanner/incoming.
>
> It happens with incoming and outgoing messages.
>
> I could note that its happens when I use Postfix 2.2 or high, if I use
> postfix 2.1.x no problem everything works fine.
>
> Now I'am using Centos 4.4 kernel 2.6.9-42, Postfix 2.2.10,
> MailScanner-4.58.9-1.

This sounds more like a poorly configured postfix problem. Since my
crystal ball is broken, and you failed to post any config files; i.e.,
for starters the output of: 'postconf -n', helping you is not really an
option.

You undoubtedly know that your version of Postfix is obsolete.
Postfix-2.4 is due on or about April 1. You might be well served to
update to that version.

In addition, have you tried posting this problem on the 'postfix'
forum? If you are not a member, just follow these instructions:

majordomo@postfix.org
Place in body of message (not subject):
subscribe postfix-users

If you do post there, you MUST include the output of 'postconf -n',
both from the working configuration and the broken one, as well as the
relevant portions of your maillog.

HTH

--
Gerard

WARNING TO ALL PERSONNEL: Firings will continue until morale improves.

From ssilva at sgvwater.com Sat Mar 24 19:49:10 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Sat Mar 24 18:57:25 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <46046E5C.8020209@fractalweb.com>
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <46046E5C.8020209@fractalweb.com>
Message-ID:

Chris Yuzik spake the following on 3/23/2007 5:18 PM:
> Res wrote:
>>
>> It's simple, if anyone is so concerned about a few extra bytes of
>> traffic in SV, you can solve all of your paranoia simply like this
>>
>> telnet core
>> conf t
>> access-list 191 deny tcp any any eq 25
>>
>> int FastEthernet0
>> ip access-group 191 in
>>
>>
> Res,
>
> Somebody's gonna type that in! Hopefully they won't. But somebody might!
> Oy!
>
> Chris

The evil bunny strikes again!!!!
No one could be that ..... nevermind, they could.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Sat Mar 24 19:57:03 2007
From: ssilva at sgvwater.com (Scott Silva) Date: Sat Mar 24 19:04:40 2007 Subject: Julian is out of hospital In-Reply-To: <20070324124253.GB3188@login.ecs.soton.ac.uk> References: <20070324124253.GB3188@login.ecs.soton.ac.uk> Message-ID: Tim Chown spake the following on 3/24/2007 5:42 AM: > Subject line says it all. > > No idea yet how much recuperation is needed before he'll be online in > a personal or other capacity, but the fact that he's back in his own home > with his parents looking after him is really good news. > > I'll not post any further updates. Hopefully the next update will, in > due course, be from Jules himself. > That is the best news I have heard all month!!! Aces to Jules! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From itdept at fractalweb.com Sat Mar 24 20:30:11 2007 From: itdept at fractalweb.com (Chris Yuzik) Date: Sat Mar 24 19:37:38 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <46046E5C.8020209@fractalweb.com> Message-ID: <46057C43.3050901@fractalweb.com> Scott Silva wrote: > No one could be that ..... nevermind, they could. > Scott, Heh heh. I guess if someone were stupid / naive enough to type that in, we likely won't be hearing from them on this list for a while. ;-) Cheers, Chris From r.berber at computer.org Sat Mar 24 20:34:36 2007 
From: r.berber at computer.org (René Berber)
Date: Sat Mar 24 19:42:16 2007
Subject: Alternative to /etc/mail/spamassassin/local.cf
In-Reply-To: <46056E75.9040604@katy.com>
References: <46056E75.9040604@katy.com>
Message-ID:

John Schmerold wrote:

> I learned about /etc/mail/spamassassin/local.cf a few weeks ago, now I
> find myself adding quite a few rules like this:

Wrong list? This is the MailScanner list, not the SpamAssassin list... and the
MS documentation says "leave local.cf alone and use mailscanner.cf".

> score LOCAL__H_from_newegg -2.5
> header LOCAL__H_from_newegg From =~ /newegg\.com/i
> describe LOCAL__H_from_newegg newegg announcements
>
> I don't want to open the door to every idiot that forges NewEgg's email,
> so I don't want to whitelist newegg.
>
> The problem is I'm starting to get a lot of these rules and maintaining
> the list is getting more problematic, not to mention subject to human
> error.
>
> Anyone know of a better way to tell MailScanner &/or SpamAssassin to
> reduce the score by a few points when the sending is included in a list
> of domains?

That's what "white-listing" is for, it is documented in several places, the MS
configuration file directs you to use the etc/rules/spam.whitelist.rules file,
which has its own comments that show how to use it.

--
René Berber

From gcle at smcaus.com.au Sun Mar 25 00:17:34 2007
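One way to keep the per-domain score reductions John Schmerold describes maintainable is to generate the three rule lines from a single list. This is an added example, not code from the thread or from MailScanner or SpamAssassin; the list format, the -5 floor, the rule names that include the TLD, and the tighter `From:addr` match anchored at the end of the address are assumptions of this example.

```python
import re

# Assumed policy (not from the thread): From is trivially forged, so refuse
# positive scores and any reduction stronger than this floor.
MAX_REDUCTION = -5.0

# Conservative hostname syntax: dot-separated labels of letters, digits, hyphens.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Constructed sample list: domain, score adjustment, description.
SAMPLE_LIST = """\
# domain        score  description
newegg.com      -2.5   newegg announcements
example.org     -1     example newsletters
"""


def parse_domain_list(text):
    """Parse 'domain score [description]' lines; '#' starts a comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected 'domain score [description]'")
        domain = parts[0].lower().rstrip(".")
        if not _DOMAIN_RE.match(domain):
            raise ValueError(f"line {lineno}: not a plain domain name: {parts[0]!r}")
        try:
            score = float(parts[1])
        except ValueError:
            raise ValueError(f"line {lineno}: bad score {parts[1]!r}") from None
        if not (MAX_REDUCTION <= score < 0):
            raise ValueError(f"line {lineno}: score must be in [{MAX_REDUCTION}, 0)")
        desc = parts[2] if len(parts) == 3 else f"{domain} mail"
        entries.append((domain, score, desc))
    return entries


def rule_name(domain):
    """Rule names may only hold letters, digits and underscores."""
    return "LOCAL__H_from_" + re.sub(r"[^a-z0-9]", "_", domain)


def address_pattern(domain):
    """Match the domain or a subdomain at the END of the bare address, so
    'notnewegg.com' and 'newegg.com.evil.example' do not match."""
    return r"[\@.]" + domain.replace(".", r"\.") + "$"


def render_rules(entries):
    """Emit header/describe/score lines; fail on duplicate or colliding names."""
    seen = {}
    out = []
    for domain, score, desc in entries:
        name = rule_name(domain)
        if name in seen:
            raise ValueError(f"{domain} and {seen[name]} both map to rule {name}")
        seen[name] = domain
        out.append(f"header   {name} From:addr =~ /{address_pattern(domain)}/i")
        out.append(f"describe {name} {desc}")
        out.append(f"score    {name} {score:g}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_rules(parse_domain_list(SAMPLE_LIST)))
```

Run `spamassassin --lint` on the generated file before putting it into service; a rule that fails to parse is otherwise skipped without the score change taking effect.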
From: gcle at smcaus.com.au (Gerard Cleary) Date: Sat Mar 24 23:25:13 2007 Subject: Julian is out of hospital In-Reply-To: <20070324124253.GB3188@login.ecs.soton.ac.uk> References: <20070324124253.GB3188@login.ecs.soton.ac.uk> Message-ID: <200703250917.39271.gcle@smcaus.com.au> On Sat, 24 Mar 2007 23:42, Tim Chown wrote: > Subject line says it all. > > No idea yet how much recuperation is needed before he'll be online in > a personal or other capacity, but the fact that he's back in his own home > with his parents looking after him is really good news. > > I'll not post any further updates. Hopefully the next update will, in > due course, be from Jules himself. > > -- > Tim This is good news indeed, Tim. Thanks very much for keeping us up to date with Julian's recovery. All the best, Julian. Gerard. -- Gerard Cleary System Administrator SMC Pneumatics Australia Pty Ltd PH: (02) 9354 8222 -- This email message and any related attachments are confidential and should only be read by those persons to whom they were addressed. They may contain copyright, personal or legally privileged information. If you are not the intended recipient of this email, any use of this information is strictly prohibited and it must be deleted from your system. Views expressed in this message are the views of the sender and are not necessarily views of SMC Corporation, or it's subsidiaries, except where the message expressly states otherwise. Any advice contained herein should be treated as preliminary advice only and subject to formal written confirmation. Although this email and any attachments are believed to be free of any virus or any other defect which may cause damage or loss, it is the responsibility of the recipient to ensure that they are virus-free. SMC accepts no liability for any loss or damage that may occur as a result of the transmission of this email or its attachments to the recipient. From mailscanner at yeticomputers.com Sun Mar 25 05:15:03 2007 
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Sun Mar 25 04:22:36 2007
Subject: IP address reputation, BorderWare
In-Reply-To:
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com>
Message-ID: <4605E937.2020704@yeticomputers.com>

Res wrote:
> On Fri, 23 Mar 2007, Kevin Miller wrote:
>
>> Bandwidth that isn't used by a spammer is bandwidth that is available
>> for your users to use. No magic there. Think freeway - would you
>> rather drive it under rush hour conditions or 3am conditions?
>>
>
> And since 75% of all internet pkts these days is spam your point is valid.

Hardly. I've still seen nobody provide any evidence that any of this
insane spam bandwidth directly affects the experience *any* of us have
on the 'net. (Indirect effects, I mean. Obviously spam we receive
affects us.) Kevin suggested that the last mile wasn't important, but
that's all that *is* important to any consumer. If I'm getting what I
pay for, and the price is one I'm willing to pay, as a consumer I *don't
care* how much of the bandwidth I'm *not* getting is being used by
spammers. In fact, to be fair, if the 75% figure is true then it's
fairly safe to say that we'd be paying *more* for our bandwidth if the
spammers hadn't placed such a demand on the infrastructure that it had
to be improved and the amount of bandwidth available increased. Without
them, the providers would still be charging us the old rates. I don't
see anyone lining up to thank the spammers for making home broadband
affordable. I remember a decade ago... At home, I was paying about
five times what I currently pay for 10 megabits - just to get
dual-channel DSL. (128K)

> SV is no worse than grey-listing in fact probably LESS, it causes more
> retries and bandwidth yet nobody seems to have a problem with those
> that do
> that.

I mentioned that I had some misgivings about greylisting. The most
important difference from a moral viewpoint is that greylisting only
affects people who are directly connecting to me, deliberately. SAV
affects people who never tried to mail me.

> It's simple, if anyone is so concerned about a few extra bytes of
> traffic in SV, you can solve all of your paranoia simply like this
>
> telnet core
> conf t
> access-list 191 deny tcp any any eq 25
>
> int FastEthernet0
> ip access-group 191 in
>
>
> ..there all your problems have now gone away :P

None of my routers are named "core". :P

I think I've made it clear that it's not the volume of usage that
bothers me (although there have been days where I've gotten more
connections from a SAV flood than I did legitimate delivery attempts).
It's the thoughtless, selfishly justified actions of people who think
it's ok to hammer my server because it saves them bandwidth. Kevin's
"community Internet" theory aside, there is no tangible benefit to
*anyone* other than the user of SAV, and he's using the resources of
others to attain that benefit. Anyone sophisticated enough to configure
SAV also already has their system configured *not* to send NDRs after
the SMTP transaction. I hope.

In any case, it's not the amount of resources being consumed that
bothers me - it's the fact that they're being used at all in a way that
only *arguably* benefits me, without my consent, and that even with the
awareness that there are people (even if it's only me, and I guarantee
that it's not) who would prefer that you didn't do it to them, you'll do
it anyway.

Your above solution would also solve your spam problem, but here you
are, with the rest of us, working to eliminate spam from our users'
lives - instead of just telling them to "deal with it."

Rick

From mailscanner at yeticomputers.com Sun Mar 25 05:20:14 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Sun Mar 25 04:27:44 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <46046E5C.8020209@fractalweb.com> Message-ID: <4605EA6E.3070803@yeticomputers.com> Res wrote: > On Fri, 23 Mar 2007, Chris Yuzik wrote: > >> Res wrote: >>> >>> It's simple, if anyone is so concerned about a few extra bytes of >>> traffic in SV, you can solve all of your paranoia simply like this >>> >>> telnet core >>> conf t >>> access-list 191 deny tcp any any eq 25 >>> >>> int FastEthernet0 >>> ip access-group 191 in >>> >>> >> Res, >> >> Somebody's gonna type that in! Hopefully they won't. But somebody >> might! Oy! > > > Oh yeah, I forgot... If anyones silly enough to type that in without > knowing what it does, they *deserve* the end result ;) Not only that... If it works unaltered, someone shouldn't be working as a sysadmin. :) From mailscanner at yeticomputers.com Sun Mar 25 05:22:26 2007 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Sun Mar 25 04:29:58 2007 Subject: IP address reputation, BorderWare In-Reply-To: <4605E937.2020704@yeticomputers.com> References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> Message-ID: <4605EAF2.6010607@yeticomputers.com> Rick Chadderdon wrote: > At home, I was paying about five times what I currently pay for 10 > megabits - just to get dual-channel DSL. (128K) You can tell I'm a Postfix user - replying to myself... I, of course, meant dual-channel ISDN. Rick From hvdkooij at vanderkooij.org Sun Mar 25 08:49:49 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Mar 25 07:57:30 2007 Subject: IP address reputation, BorderWare In-Reply-To: <4605E937.2020704@yeticomputers.com> References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> Message-ID: On Sat, 24 Mar 2007, Rick Chadderdon wrote: > Res wrote: >> On Fri, 23 Mar 2007, Kevin Miller wrote: >> >> > Bandwidth that isn't used by a spammer is bandwidth that is available >> > for your users to use. No magic there. Think freeway - would you >> > rather drive it under rush hour conditions or 3am conditions? >> >> And since 75% of all internet pkts these days is spam your point is valid. > > Hardly. I've still seen nobody provide any evidence that any of this insane > spam bandwidth directly affects the experience *any* of us have on the 'net. > (Indirect effects, I mean. Obviously spam we receive affects us.) Kevin > suggested that the last mile wasn't important, but that's all that *is* > important to any consumer. If I'm getting what I pay for, and the price is > one I'm willing to pay, as a consumer I *don't care* how much of the > bandwidth I'm *not* getting is being used by spammers. In fact, to be fair, > if the 75% figure is true then it's fairly safe to say that we'd be paying > *more* for our bandwidth if the spammers hadn't placed such a demand on the > infrastructure that it had to be improved and the amount of bandwidth > available increased. Without them, the providers would still be charging us > the old rates. I don't see anyone lining up to thank the spammers for making > home broadband affordable. I remember a decade ago... At home, I was > paying about five times what I currently pay for 10 megabits - just to get > dual-channel DSL. (128K) Most interresting. 
But the 75% figure only accounts for the number of SPAM messages versus the total number of messages. I could get a lot of spam on an old 115k2 serial interface cable modem. Yet if someone was stupid enough to try and squeeze a 5 MB attachment through per email the link was stuck for minutes. (That was 10 years ago.)

Today people fill their DSL bandwidth downloading movies and such. So wasting bandwidth needs to be redefined. Just how many spam messages can one squeeze in the bandwidth taken by a single DVD rip?

Which is probably why most home users never notice the spam bot on their machine. They use so much more bandwidth for other things that a spam message sent each minute is never noticed.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From gen2lists at paulbaily.com Sun Mar 25 09:54:10 2007
From: gen2lists at paulbaily.com (Paul Baily)
Date: Sun Mar 25 09:01:41 2007
Subject: MailScanner gateway stats
In-Reply-To: <4602BD24.5080709@netmagicsolutions.com>
References: <000001c76c69$75d24970$6176dc50$@com> <4c0233b51df61917ebc56cbdb3f46e57@62.49.223.244> <4602BD24.5080709@netmagicsolutions.com>
Message-ID:

Hi all,

[A belated] Thanks very much for your advice folks, UxBoD especially. I think I've got the mailgraph script reporting correctly now with MailScanner/sendmail.

cheers, and thanks again,

Paul.

From res at ausics.net Sun Mar 25 10:26:47 2007
From: res at ausics.net (Res) Date: Sun Mar 25 09:34:16 2007 Subject: IP address reputation, BorderWare In-Reply-To: <223f97700703240728v4368ade4u2c0ff9265ce2a78@mail.gmail.com> References: <4602FAAA.20009@fractalweb.com> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <46046E5C.8020209@fractalweb.com> <223f97700703240728v4368ade4u2c0ff9265ce2a78@mail.gmail.com> Message-ID: On Sat, 24 Mar 2007, Glenn Steen wrote: >> > And that is the reason I dubbed you the evil bunny in the first > place... An evil bunny we like and respect (well, at least I do:-), > but still an evil bunny;-):-). hehehe some don't... but thats their problem not mine ;) > > On the subject, someone (was that Rick? Antoni? don't remember...) > mentioned SAV not being part of the RFCs, which is technically > correct... lets not forget greylist was not part of RFC's once, in fact I only know there was a rough draft, cause I have no interest in it I have no idea if it was made as an offical RFC or not :) so just because SV might not be in one now, doesn't mean it will always not be. > But basically I'm with the Evil Bunny on this one;-). wuddy hwell :) -- Cheers Res Let Novell known what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Sun Mar 25 10:27:22 2007 
From: res at ausics.net (Res) Date: Sun Mar 25 09:34:51 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <46046E5C.8020209@fractalweb.com> Message-ID: On Sat, 24 Mar 2007, Scott Silva wrote: >> Somebody's gonna type that in! Hopefully they won't. But somebody might! >> Oy! >> >> Chris > The evil bunny strikes again!!!! > No one could be that ..... nevermind, they could. u bwetya :) -- Cheers Res Let Novell known what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From res at ausics.net Sun Mar 25 10:39:36 2007 
From: res at ausics.net (Res) Date: Sun Mar 25 09:47:04 2007 Subject: IP address reputation, BorderWare In-Reply-To: <4605E937.2020704@yeticomputers.com> References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> Message-ID: On Sat, 24 Mar 2007, Rick Chadderdon wrote: > Res wrote: >> On Fri, 23 Mar 2007, Kevin Miller wrote: >> >>> Bandwidth that isn't used by a spammer is bandwidth that is available >>> for your users to use. No magic there. Think freeway - would you >>> rather drive it under rush hour conditions or 3am conditions? >>> >> >> And since 75% of all internet pkts these days is spam your point is valid. > > Hardly. I've still seen nobody provide any evidence that any of this insane > spam bandwidth directly affects the experience *any* of us have on the 'net. Really... more spam = higher data usage = more bandwith use = provision more bandwith to avoid whinging customers = more cost > important to any consumer. If I'm getting what I pay for, and the price is > one I'm willing to pay, as a consumer I *don't care* how much of the > bandwidth I'm *not* getting is being used by spammers. In fact, to be fair, thats a rather irresponsible attitude. > available increased. Without them, the providers would still be charging us > the old rates. I don't see anyone lining up to thank the spammers for making > home broadband affordable. I remember a decade ago... At home, I was > paying about five times what I currently pay for 10 megabits - just to get > dual-channel DSL. (128K) 10mb? try multi gigabit here. > >> SV is no worse then grey-listing in fact probably LESS, it causes more >> retries and bandwith yet nobody seems to have a problem with those that do >> that. > > I mentioned that I had some misgivings about greylisting. 
The most important > difference from a moral viewpoint is that greylisting only affects people who > are directly connecting to me, deliberately. SAV affects people who never > tried to mail me. right... now I see... you want to do it to waste others but get all hissy fitty when someone does a similar thing back, now I have no idea if you use greylisting now, but you could tomorrow be ordered to use it. > None of my routers are named "core". :P when you have a couple dozen you tend to name them somthing that helps you rtmember whats what :) > I think I've made it clear that it's not the volume of usage that bothers me > (although there have been days where I've gotten more connections from a SAV > flood than I did legitimate delivery attempts). It's the thoughtless, > selfishly justified actions of people who think it's ok to hammer my server > because it saves them bandwidth. Again if you dont like it or dont want the risks.. well replacecore above with your routers name, chuck in an enable and a write command and you wont have to worry about it ever again :) > there is no tangible benefit to *anyone* other than the user of SAV, and he's Wrong, any carried out action to protect someones network by ensuring the inbound mail is from someone legitimate is a benefit to the receiver by helping reduce the chances of it being spam and hence wasteing more of their resources. > with the rest of us, working to eliminate spam from our users lives - instead > of just telling them to "deal with it." You've just contradicted yourself :) you are in essence saying deal with it, by not wanting someone to run a measure they think benefits them. -- Cheers Res Let Novell known what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/ From uxbod at splatnix.net Sun Mar 25 12:02:01 2007 
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Sun Mar 25 11:09:33 2007
Subject: MailScanner gateway stats
In-Reply-To:
References:
Message-ID: <42e55b775bb16d4963a300185b252445@62.49.223.244>

Excellent stuff Paul and no problem. Latest update includes top ten viruses.

On Sun, 25 Mar 2007 17:54:10 +1000, Paul Baily wrote:
> Hi all,
>
> [A belated] Thanks very much for your advice folks, UxBoD especially.
> I think I've got the mailgraph script reporting correctly now with
> MailScanner/sendmail.
>
> cheers, and thanks again,
>
> Paul.
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is
> believed to be clean.

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// SIP Phone: uxbod@sip.splatnix.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smartmail.png
Type: image/png
Size: 47574 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070325/4953f3bc/smartmail.png

From john at katy.com Sun Mar 25 14:16:36 2007
From: john at katy.com (John Schmerold)
Date: Sun Mar 25 13:24:04 2007
Subject: Alternative to /etc/mail/spamassassin/local.cf
In-Reply-To:
References: <46056E75.9040604@katy.com>
Message-ID: <46066824.3000607@katy.com>

I use /etc/MailScanner/rules/spam.whitelist.rules

I should have asked the question a different way: "Does MailScanner provide a mechanism to reduce the SA score?"

The answer seems to be No, check with SA list to see if anyone has a better approach to reducing the score from a number of sender domains.

René Berber wrote:
> John Schmerold wrote:
>
>> I learned about /etc/mail/spamassassin/local.cf a few weeks ago, now I
>> find myself adding quite a few rules like this:
>>
>
> Wrong list?
>
> This is the MailScanner list, not the SpamAssassin list... and the MS
> documentation says "leave local.cf alone and use mailscanner.cf".
>
>> score LOCAL__H_from_newegg -2.5
>> header LOCAL__H_from_newegg From =~ /newegg\.com/i
>> describe LOCAL__H_from_newegg newegg announcements
>>
>> I don't want to open the door to every idiot that forges NewEgg's email,
>> so I don't want to whitelist newegg.
>>
>> The problem is I'm starting to get a lot of these rules and maintaining
>> the list is getting more problematic, not to mention subject to human
>> error.
>>
>> Anyone know of a better way to tell MailScanner &/or SpamAssassin to
>> reduce the score by a few points when the sending is included in a list
>> of domains?
>>
>
> That's what "white-listing" is for, it is documented in several places, the MS
> configuration file directs you to use the etc/rules/spam.whitelist.rules file,
> which has its own comments that show how to use it.
>

From glenn.steen at gmail.com Sun Mar 25 15:49:42 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sun Mar 25 14:57:07 2007
Subject: Alternative to /etc/mail/spamassassin/local.cf
In-Reply-To: <46066824.3000607@katy.com>
References: <46056E75.9040604@katy.com> <46066824.3000607@katy.com>
Message-ID: <223f97700703250649t40304fe7k9acbadb751cb4c8a@mail.gmail.com>

On 25/03/07, John Schmerold wrote:
> I use /etc/MailScanner/rules/spam.whitelist.rules
>
> I should have asked the question a different way: "Does MailScanner
> provide a mechanism to reduce the SA score?"
>
> The answer seems to be No, check with SA list to see if anyone has a
> better approach to reducing the score from a number of sender domains.
>
Use the "def_whitelist..." things (rcvd and spf) to add a small (relatively ... -7.5 on my systems, which is the default ISTR)... and be sparing with them:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From stork at openenterprise.ca Sun Mar 25 17:49:19 2007
From: stork at openenterprise.ca (Johnny Stork)
Date: Sun Mar 25 16:56:56 2007
Subject: Bounced Mail - DNS Problems?
Message-ID: <460699FF.6000005@openenterprise.ca>

I believe I have my mail servers and/or DNS misconfigured and a bounced message today has forced the issue to where I think I need to resolve. Let me first try to explain the network.

Primary SMTP Server (gateway.johnnystork.ca)
- Only an internal ip (192.168.1.2)
- Runs Mailscanner and Sendmail

An a-record exists as smtp.johnnystork.ca (so I figure this is where all outgoing messages should appear to be coming from)

Since Sendmail is not running on gateway and I can't use the "Masquerade as smtp.johnnystork" setting (which runs Mailscanner), how can I set things up so ALL outgoing mail appears to come from smtp.johnnystork.ca? Most messages appear to show up as coming from gateway.johnnystork.ca. I also need to retain the internal hostname of gateway.johnnystork.ca for other reasons.

Any suggestions would really be appreciated. Sorry for my ignorance on dns issues.

btw: How/why does the hostname and internal ip of the laptop sending the message also show up? (johnny-lt.johnnystork.ca)

Recent bounced message:

The original message was received at Sun, 25 Mar 2007 08:03:04 -0700
from johnny-lt.johnnystork.ca [192.168.1.10]

----- The following addresses had permanent fatal errors -----
(reason: 554 : Client host rejected: rDNS/DNS validation failed. Please setup matching DNS and rDNS records: http://bind8nt.meiway.com/itsaDNSmess.cfm)

----- Transcript of session follows -----
... while talking to mxi1s.craigslist.org.:
>>> >>> DATA
>>> <<< 554 : Client host rejected: rDNS/DNS validation failed. Please setup matching DNS and rDNS records: http://bind8nt.meiway.com/itsaDNSmess.cfm
554 5.0.0 Service unavailable
<<< 554 Error: no valid recipients

-------
Johnny Stork

From crichardson at cantella.com Sun Mar 25 22:22:09 2007
From: crichardson at cantella.com (Chris Richardson)
Date: Sun Mar 25 21:29:34 2007
Subject: Cogent blacklisting ?
Message-ID: <4606D9F1.1020307@cantella.com>

Just wanted to ask any other customers out there if they are starting to receive a lot of rejects of outbound mail saying Cogent is black listed? I receive two emails out of like 6 today and never had this problem until last night was wondering if anyone else was having this problem and if anyone knows what blacklist might be doing this as the rejections didn't offer much insight

thanks
-Chris

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete this material from any computer. In accordance with industry regulations, all messages are retained and are subject to monitoring. This message has been scanned for viruses and dangerous content and is believed to be clean. Securities offered through Cantella & Co., Inc., Member NASD/SIPC. Home Office: 2 Oliver Street, 11th Floor, Boston, MA 02109 Telephone: (617)521-8630

From res at ausics.net Sun Mar 25 22:55:09 2007
From: res at ausics.net (Res)
Date: Sun Mar 25 22:02:40 2007
Subject: Bounced Mail - DNS Problems?
In-Reply-To: <460699FF.6000005@openenterprise.ca>
References: <460699FF.6000005@openenterprise.ca>
Message-ID:

On Sun, 25 Mar 2007, Johnny Stork wrote:

> ALL outgoing mail appears to come from smtp.johnnystork.ca? Most messages

LOCAL_DOMAIN(`smtp.johnnystork.ca')dnl

> btw: How/why does the hostname and internal ip of the laptop sending the
> message also show up? (johnny-lt.johnnystork.ca)

Not being a windows weenie I can't be sure but sounds like computer_name + domain_name on laptop.

> (reason: 554 : Client host rejected: rDNS/DNS
> validation failed. Please setup matching DNS and rDNS records:

This guy is more anal than me...(and I didn't think that's possible)

He will be blocking hundreds of thousands of hosted domains worldwide. Enforce forward looking and enforce PTR, BUT there should never ever be any full double match checking for reasons just mentioned, it's his problem, not yours.

His mailer is completely broken.. He is trying to read an earlier irrelevant received line. The only one he should be concerned with is the connecting one, in your case: (certain data munged deliberately)

Received: from gateway.johnnystork.xxx (sputnik.xxxx.ca [207.xxx.xxx.xx])

Nowhere in THAT line does it reflect an internal address. If you gave real world DNS to gateway.xx.xx I'd maybe think ok it's very far remotely possible, but you haven't.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/

From res at ausics.net Sun Mar 25 22:58:56 2007
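The checks argued over in the exchange above (a PTR record existing, the PTR name resolving forward to the connecting address, and the stricter demand that the HELO name match as well), as an added example that is not from the thread. The hostnames, addresses, DNS records and policy names are constructed for illustration; the bounce does not say which of these checks the rejecting server applied.

```python
"""Reverse/forward DNS checks a receiving MTA can apply to a connecting client.

All names, addresses and DNS records below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed zone data (documentation address ranges, example domains).
PTR_RECORDS = {
    "203.0.113.25": ["sputnik.isp.example."],         # ISP-assigned reverse name
    "203.0.113.77": ["host77.unconfirmed.example."],
    # 198.51.100.9 deliberately has no PTR record
}
A_RECORDS = {
    "sputnik.isp.example.": ["203.0.113.25"],
    "smtp.customer.example.": ["203.0.113.25"],       # public name of the gateway
    "host77.unconfirmed.example.": ["192.0.2.1"],     # does not map back to .77
    # gateway.customer.example is internal only: no public A record
}


def _norm(name: str) -> str:
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


class StaticResolver:
    """Stand-in for a DNS resolver so the example runs offline."""

    def __init__(self, ptr: dict[str, list[str]], a: dict[str, list[str]]):
        self._ptr = {ip: [_norm(n) for n in names] for ip, names in ptr.items()}
        self._a = {_norm(n): list(ips) for n, ips in a.items()}

    def ptr(self, ip: str) -> list[str]:
        return self._ptr.get(ip, [])

    def a(self, name: str) -> list[str]:
        return self._a.get(_norm(name), [])


@dataclass(frozen=True)
class DnsChecks:
    has_ptr: bool          # the client IP has some reverse name
    fcrdns: bool           # a reverse name resolves forward to the same IP
    helo_resolves: bool    # the HELO name resolves to the client IP
    helo_equals_ptr: bool  # the HELO name is itself a confirmed reverse name


def check_client(ip: str, helo: str, resolver: StaticResolver) -> DnsChecks:
    ip = str(ipaddress.ip_address(ip))  # validates and canonicalises the address
    ptr_names = resolver.ptr(ip)
    # Forward-confirm every reverse name: keep those that map back to the IP.
    confirmed = [n for n in ptr_names if ip in resolver.a(n)]
    return DnsChecks(
        has_ptr=bool(ptr_names),
        fcrdns=bool(confirmed),
        helo_resolves=ip in resolver.a(helo),
        helo_equals_ptr=_norm(helo) in confirmed,
    )


# Hypothetical policy names, from most lenient to most restrictive.
POLICIES = {
    "ptr": lambda c: c.has_ptr,
    "fcrdns": lambda c: c.fcrdns,
    "strict": lambda c: c.fcrdns and c.helo_equals_ptr,
}


def decide(checks: DnsChecks, policy: str) -> str:
    return "accept" if POLICIES[policy](checks) else "reject"


if __name__ == "__main__":
    resolver = StaticResolver(PTR_RECORDS, A_RECORDS)
    clients = [
        ("203.0.113.25", "gateway.customer.example"),  # internal HELO name
        ("203.0.113.25", "smtp.customer.example"),     # public HELO name
        ("203.0.113.77", "host77.unconfirmed.example"),
        ("198.51.100.9", "mail.nowhere.example"),
    ]
    for ip, helo in clients:
        checks = check_client(ip, helo, resolver)
        verdicts = {p: decide(checks, p) for p in POLICIES}
        print(f"{ip:15} HELO {helo:30} {verdicts}")
```

A gateway whose address has a forward-confirmed reverse name passes the first two policies even when it announces an internal HELO name; only the strict policy rejects it, and it does so even when the HELO name is a valid public name for the same address.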
From: res at ausics.net (Res)
Date: Sun Mar 25 22:06:26 2007
Subject: Cogent blacklisting ?
In-Reply-To: <4606D9F1.1020307@cantella.com>
References: <4606D9F1.1020307@cantella.com>
Message-ID:

Chris,

On Sun, 25 Mar 2007, Chris Richardson wrote:

> Just wanted to ask any other customers out there if they are starting to
> receive a lot of rejects of outbound mail saying Cogent is black listed? I
> receive two emails out of like 6 today and never had this problem until last
> night was wondering if anyone else was having this problem and if anyone
> knows what blacklist might be doing this as the rejections didn't offer much
> insight

You mean they are blocking or others are blocking?
If you know the IP of the server run it through an RBL tester, you can use one at http://its.ausics.net

without seeing any 5xx message we won't really be able to assist much further.

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/

From crichardson at cantella.com Mon Mar 26 00:14:52 2007
From: crichardson at cantella.com (Chris Richardson)
Date: Sun Mar 25 23:22:17 2007
Subject: Cogent blacklisting ?
In-Reply-To:
References: <4606D9F1.1020307@cantella.com>
Message-ID: <4606F45C.1010106@cantella.com>

SMTP error from remote mail server after RCPT TO::
host queldor.net [66.103.13.8]: 550 IP is blacklisted:
Performance Systems International 38.113.5.187

SMTP error from remote mail server after RCPT TO::
host smtp2.oreilly.com [209.58.173.22]: 550-Host 38.113.5.187 is blocked:
550 Mail refused from egregious spam haven
550 (CogentCo) by local blocking list

Res wrote:
> Chris,
>
> On Sun, 25 Mar 2007, Chris Richardson wrote:
>
>> Just wanted to ask any other customers out there if they are starting
>> to receive a lot of rejects of outbound mail saying Cogent is black
>> listed? I receive two emails out of like 6 today and never had this
>> problem until last night was wondering if anyone else was having
>> this problem and if anyone knows what blacklist might be doing this as
>> the rejections didn't offer much insight
>
>
> You mean they are blocking or others are blocking?
> If you know the IP of the server run it through an RBL tester, you can
> use one at http://its.ausics.net
>
> without seeing any 5xx message we won't really be able to assist much
> further.
>
>

From res at ausics.net Mon Mar 26 01:02:27 2007
From: res at ausics.net (Res)
Date: Mon Mar 26 00:09:59 2007
Subject: Cogent blacklisting ?
In-Reply-To: <4606F45C.1010106@cantella.com>
References: <4606D9F1.1020307@cantella.com> <4606F45C.1010106@cantella.com>
Message-ID:

Chris,

Sadly it seems Cogentco still don't do anything about their spamming users (they were in my local block lists for well over 2 years, I took them out just prior to last Christmas as the influx to here seemed to have died off) I guess they are still targeting others though.

That IP is not in any common RBLs that I'm aware of as of 2 minutes ago but as O'Reilly says " by local blocking list " chances are it'll be there for a long time, time to change ISPs since they won't clean their act up, and whatever you do, don't go to Comcast because they are worse.

On Sun, 25 Mar 2007, Chris Richardson wrote:

> SMTP error from remote mail server after RCPT TO::
> host queldor.net [66.103.13.8]: 550 IP is blacklisted:
> Performance Systems International 38.113.5.187
>
>
> SMTP error from remote mail server after RCPT TO::
> host smtp2.oreilly.com [209.58.173.22]: 550-Host 38.113.5.187 is blocked:
> 550 Mail refused from egregious spam haven
> 550 (CogentCo) by local blocking list

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil. Sign the petition today: http://techp.org/p/1/

From crichardson at cantella.com Mon Mar 26 01:10:57 2007
From: crichardson at cantella.com (Chris Richardson)
Date: Mon Mar 26 00:18:22 2007
Subject: Cogent blacklisting ?
In-Reply-To:
References: <4606D9F1.1020307@cantella.com> <4606F45C.1010106@cantella.com>
Message-ID: <46070181.8090909@cantella.com>

In all my years on Cogent I have never run into this problem that is why I asked to get both rejects today just caught me off guard oh well no harm no foul thanks for your time and help

Res wrote:
> Chris,
>
> Sadly it seems Cogentco still don't do anything about their spamming users
> (they were in my local block lists for well over 2 years, I took them
> out just prior to last Christmas as the influx to here seemed to have
> died off) I guess they are still targeting others though.
>
> That IP is not in any common RBLs that I'm aware of as of 2 minutes
> ago but as O'Reilly says " by local blocking list " chances are it'll
> be there for a long time, time to change ISPs since they won't clean
> their act up, and whatever you do, don't go to Comcast because they
> are worse.
>
>
> On Sun, 25 Mar 2007, Chris Richardson wrote:
>
>> SMTP error from remote mail server after RCPT TO::
>> host queldor.net [66.103.13.8]: 550 IP is blacklisted:
>> Performance Systems International 38.113.5.187
>>
>>
>> SMTP error from remote mail server after RCPT TO::
>> host smtp2.oreilly.com [209.58.173.22]: 550-Host 38.113.5.187 is
>> blocked:
>> 550 Mail refused from egregious spam haven
>> 550 (CogentCo) by local blocking list
>

From gmane at tippingmar.com Mon Mar 26 03:24:41 2007
From: gmane at tippingmar.com (Mark Nienberg)
Date: Mon Mar 26 02:32:27 2007
Subject: OT - Sendmail Auth
In-Reply-To: <001801c76d84$cf565240$0705000a@ddf5dw71>
References: <001801c76d84$cf565240$0705000a@ddf5dw71>
Message-ID:

Steve Campbell wrote:
>
> Does anyone have a good URL for setting up a Centos 3 server running
> Sendmail 8.13 and the MUA being used by this user, which I think is
> either Outlook Express or Thunderbird?
>
> Thanks for any pointers to a good site.

http://www.joreybump.com/code/howto/smtpauth.html

Mark

From john at katy.com Mon Mar 26 06:21:34 2007
From: john at katy.com (John Schmerold)
Date: Mon Mar 26 05:29:11 2007
Subject: Alternative to /etc/mail/spamassassin/local.cf
In-Reply-To: <223f97700703250649t40304fe7k9acbadb751cb4c8a@mail.gmail.com>
References: <46056E75.9040604@katy.com> <46066824.3000607@katy.com> <223f97700703250649t40304fe7k9acbadb751cb4c8a@mail.gmail.com>
Message-ID: <46074A4E.9060102@katy.com>

What are the "def_whitelist..." things?

grep -ri def_whitelist /etc/*
&
http://google.com/search?q=def_whitelist+site%3Amailscanner.info
yielded no joy

John Schmerold
Katy Computer & Wireless
347 Clarkson Rd
Ellisville MO 63011
636-394-1900 v
775-227-6947 f

Glenn Steen wrote:
> On 25/03/07, John Schmerold wrote:
>> I use /etc/MailScanner/rules/spam.whitelist.rules
>>
>> I should have asked the question a different way: "Does MailScanner
>> provide a mechanism to reduce the SA score?"
>>
>> The answer seems to be No, check with SA list to see if anyone has a
>> better approach to reducing the score from a number of sender domains.
>>
> Use the "def_whitelist..." things (rcvd and spf) to add a small
> (relatively ... -7.5 on my systems, which is the default ISTR)... and
> be sparing with them:-)
>
> Cheers

From mailscanner at yeticomputers.com Mon Mar 26 07:25:44 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Mon Mar 26 06:33:22 2007
Subject: IP address reputation, BorderWare
In-Reply-To:
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com>
Message-ID: <46075958.1000207@yeticomputers.com>

Res wrote:
>> Hardly. I've still seen nobody provide any evidence that any of this
>> insane spam bandwidth directly affects the experience *any* of us
>> have on the 'net.
>
> Really... more spam = higher data usage = more bandwidth use =
> provision more bandwidth to avoid whinging customers = more cost

You apparently missed the disclaimer I put in there explaining that I was referring to the indirect effect on *me* from the use of *Kevin's* bandwidth. It's easy enough to miss points I'm making the way I ramble, but still, it was in there. Again, for clarity: received spam is obviously a problem for the receiver's bandwidth. *Your* received spam is *not* obviously a problem for *my* bandwidth. And as such, I have little reason to enjoy your increased use of my resources to deflect some of the use of yours.

>
>> important to any consumer. If I'm getting what I pay for, and the
>> price is one I'm willing to pay, as a consumer I *don't care* how
>> much of the bandwidth I'm *not* getting is being used by spammers.
>> In fact, to be fair,
>
> that's a rather irresponsible attitude.

Note that I said, "as a consumer". Why do you think it's "irresponsible" for a consumer to fail to care about things that do not affect them in any perceivable way? The dollar per bit bandwidth costs of most consumers have been dropping steadily over the last decade, and I'm pretty sure that's true worldwide. If it's not true where you are, please feel free to correct me.

I also don't see it as irresponsible to not think that anyone else's problems justify them harassing me if I'm *not the one causing (or even contributing to) their problem.* Keep in mind that I didn't say that spam wasn't a problem (it is), or that it didn't consume a lot of bandwidth (although as was implicitly pointed out by Hugo, the amount of bandwidth consumed by filesharing probably dwarfs the amount consumed by spam) or even that the receipt and processing of spam doesn't require *providers* like us to increase our bandwidth expenses. I was stating that the consumer - the end user - has no reason to care how much bandwidth spammers use if they don't experience the effects of that spam in a way that the end user can perceive. How do you define "irresponsible"?

>> At home, I was paying about five times what I currently pay for 10
>> megabits - just to get dual-channel DSL. (128K)
>
> 10mb? try multi gigabit here.

You have multi-gigabit bandwidth at home? Impressive, and... well, I don't have a need for that much at home. If I did, it would be because I worked far too much from there, I think. Still, I'm not sure what relevance that has. Enlighten me? My point was that bandwidth costs have been steadily dropping for nearly as long as I've been in the business - which is a long time indeed. Not that large providers don't need a lot of it. Nor that spam doesn't increase that amount.

I am curious though. With multi-gig consumption, you must have some idea what percentage of your total bandwidth is consumed by mail, what percentage by filesharing, web surfing, etc. Care to share? My mail flow consumes less than 10% of the total, even including spam, in case you want to compare.

>> I mentioned that I had some misgivings about greylisting. The most
>> important difference from a moral viewpoint is that greylisting only
>> affects people who are directly connecting to me, deliberately. SAV
>> affects people who never tried to mail me.
>
> right... now I see... you want to do it to waste others but get all
> hissy fitty when someone does a similar thing back, now I have no idea
> if you use greylisting now, but you could tomorrow be ordered to use it.

As I said, the only bandwidth I waste is that of those who actually connect to *me*. You can feel free to blacklist, greylist or ignore anyone you want. If it's me on the blacklist, if I deem it important to communicate with you, I will work to comply with whatever needs you have to make it possible - perhaps while trying to convince you of why my way is better, but I'll work with you. When you do a lookup on *my* server because *someone else* said they were me, you're not even trying to communicate with me - you're expending my resources with no benefit to me. And you didn't ask. As I've said several times in this thread, however, it's not a resource problem, it's a moral problem. One about bad manners.

Case one: You initiate the behavior, I respond by consuming your resources.
Case two: A third party initiates the behavior. You respond by consuming *my* resources.

I see a big difference. You, apparently, do not. Hence we're unlikely to ever agree.

>> None of my routers are named "core". :P
>
> when you have a couple dozen you tend to name them something that helps
> you remember what's what :)

No doubt. I only have three of any importance. The rest are just for my own amusement. :)

>> there is no tangible benefit to *anyone* other than the user of SAV,
>> and he's
>
>
> Wrong, any carried out action to protect someone's network by ensuring
> the inbound mail is from someone legitimate is a benefit to the
> receiver by helping reduce the chances of it being spam and hence
> wasting more of their resources.

Exactly what I said... It is of benefit to you, the user of SAV, not to the person you're hammering with your lookups. Unless you're being pedantic and not including a benefit to your users as a benefit to you. In which case I'll expand my statement to be: "The use of SAV is only of benefit to those targeted by the spam being address verified." I see no material benefit to me from your use of SAV. And even if I did, I would think it impolite that you did it without permission. I did *not* send you that spam, and you have no non-selfish justification for pestering me about it.

>
>> with the rest of us, working to eliminate spam from our users' lives -
>> instead of just telling them to "deal with it."
>
> You've just contradicted yourself :)
> you are in essence saying deal with it, by not wanting someone to run
> a measure they think benefits them.

No, I'm saying "don't run your measures against me when I'm not the one spamming." Don't try to force me to solve your problems when I'm not the one causing them. If you and I do not have a relationship of some kind, it is not my responsibility (there's that word again) to even *try* to solve your problems, although I will usually offer my time freely *when asked*. When you just go ahead and take my help without asking, I'm bound to be irritated.

Let's say that your neighborhood started a new crime watch program. Let's say that it *required* you to spend an hour per month contributing your time. You weren't asked. Several of your neighbors just started doing this thing, and due to the way it was implemented there is no way that you can avoid its effects, or its drain on your time. You don't *want* to do this thing. Even though you can see that this plan does offer some benefit to the people who actually participate, you think that it's intrusive to both you and your other neighbors, and you're not willing to gain the benefits at the *moral* costs you perceive. While it's possible for you to avoid the actual intrusive behavior itself, you can *not* avoid spending time dealing with the way it has been implemented. The practical effects of moving out of the neighborhood are far too great to consider moving simply to avoid the hour of work each month. The work required of you does not constitute a violation of your ideals.

Now... Do you donate your time to this endeavor you disapprove of without a word of protest? If you would, it goes against... well, nearly all of the posts I've ever seen you make. :)

To make it even simpler, because it is not the amount of resources I'm bitching about, but the moral choice itself, I'll offer a last exaggerated case: A fellow walks up to you and offers you this deal: "Neither you nor anyone else you care about or provide services to will ever receive a single piece of spam again if you go to this address and kill the innocent person there." You believe (for whatever magical reason) that he can deliver on his end of the bargain. Do you take the deal?

Hm. Your evil bunny status does make the answer less certain than I would like... :)

One of us should have changed the subject of this thread to something regarding address verification a long time ago. Or ended it. :P

Rick

From mailscanner at yeticomputers.com Mon Mar 26 07:25:54 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon)
Date: Mon Mar 26 06:33:28 2007
Subject: IP address reputation, BorderWare
In-Reply-To:
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <460435A5.8020507@yeticomputers.com>
Message-ID: <46075962.6070309@yeticomputers.com>

Kevin Miller wrote:
> Rick Chadderdon wrote:
>
>> If you have any
>> statistics showing the ratio of cache hits to new addresses, at least
>> in your case, I'd be interested in seeing them.
>>
>
> Between 7 am yesterday and 7 am today I got the following results:
>
> Sender 1st time fails: 4697
> Sender cache fails: 547
> Total Sender fails: 5244
>
> Recipient 1st time fail: 2355
> Recipient cache fails: 766
> Total Recipient fails: 3121
>
> I rejected 1735 due to greet-pause. Those are dropped before SAV is
> attempted.
>
> Not overwhelming cache hits, but somewhere around 10% for the sender
> fails.

Thanks! That's about what I'd have guessed. I'd also guess that probably 50% of those cache hits are made up of less than ten different addresses. Things like root@localhost or the defaults for various spam sending software packages. Wanna count 'em for me? :)

> I wholeheartedly agree I should be doing recipient checks first - it
> will be interesting to see where the numbers fall when that change is
> implemented.
>

I wait eagerly to hear more when that happens.

>>>> But NDRs are sent by servers administered by people who *should* know
>>>> better. Like Yahoo and AOL. If it was your average user sending them
>>>> out I'd agree with you but that's not who's configuring servers.

I can't recall ever noticing a bogus NDR from either of those providers, although I have three TOS notifications from AOL sitting in my global-postmaster mailbox because of a joke one of my users sent to too many of his "friends". I also have a few bogus NDRs from some .jp domain because of a persistent joe job I've had to deal with on and off for a couple of years on one of my domains.

> Now if they
> would just let us cane spammers we would see spam disappear overnight.
> But that's more of that idealism...
>

I prefer the Russian approach of just beating them to death, but I'm a moral absolutist. :)

Rick

From krishna.shekhar at viatel.com Mon Mar 26 12:46:53 2007
From: krishna.shekhar at viatel.com (Krishna)
Date: Mon Mar 26 11:50:03 2007
Subject: mailscanner zombie and large output queue
Message-ID: <1174906013.15441.20.camel@localhost.localdomain>

Hi,

Mailscanner is configured with exim and spamassassin and currently it has got some Zombie processes. This is the strace from one of the processes.

EAGAIN shows that it cannot get lock on a file and ENOTTY relates to why mailscanner is looking for a character file.

Has this to do with the configuration of the mailscanner? I am having quite a large output queue which does not get cleared on its own.

Has anyone experienced this before?

umask(0133) = 077
open("/mail/spool/exim.in/input/1HUTuF-0000Mj-DU-H", O_RDWR|O_LARGEFILE) = 6
ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfeb3b78) = -1 ENOTTY (Inappropriate ioctl for device)
_llseek(6, 0, [0], SEEK_CUR) = 0
fstat64(6, {st_mode=S_IFREG|0640, st_size=1191, ...}) = 0
fcntl64(6, F_SETFD, FD_CLOEXEC) = 0
fcntl64(6, F_SETLK64, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}, 0xa4c0988) = -1 EAGAIN (Resource temporarily unavailable)
close(6) = 0
open("/mail/spool/exim.in/input/1HUTuI-0000Ml-2H-H", O_RDWR|O_LARGEFILE) = 6
ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfeb3b78) = -1 ENOTTY (Inappropriate ioctl for device)
_llseek(6, 0, [0], SEEK_CUR) = 0
fstat64(6, {st_mode=S_IFREG|0640, st_size=1027, ...}) = 0
fcntl64(6, F_SETFD, FD_CLOEXEC) = 0
fcntl64(6, F_SETLK64, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}, 0xa4c0988) = -1 EAGAIN (Resource temporarily unavailable)
close(6) = 0
open("/mail/spool/exim.in/input/1HUTuR-0000N4-NO-H", O_RDWR|O_LARGEFILE) = 6
ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfeb3b78) = -1 ENOTTY (Inappropriate ioctl for device)
_llseek(6, 0, [0], SEEK_CUR) = 0
fstat64(6, {st_mode=S_IFREG|0640, st_size=1065, ...}) = 0
fcntl64(6, F_SETFD, FD_CLOEXEC) = 0
fcntl64(6, F_SETLK64, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}, 0xa4c0988) = -1 EAGAIN (Resource temporarily unavailable)
close(6) = 0
umask(077) = 0133
time(NULL) = 1174595367

Kind regards,
Krishna

From paul at blacknight.ie Mon Mar 26 13:00:58 2007
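The trace in Krishna's message can be summarised mechanically. The following is an added example, not part of the original post or of MailScanner: it pairs each open() with the later fcntl() on the same descriptor, lists the spool files where a non-blocking F_SETLK returned EAGAIN (a conflicting lock was held by another process at that moment), and counts TCGETS/ENOTTY results separately, since that is what a terminal probe returns on a regular file. The first two sequences are copied from the message; the third file name and its successful lock are constructed.

```python
import re

# Optional "[pid N] " or "N " prefix that strace -f puts in front of each call.
PREFIX = r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?'
OPEN_RE = re.compile(PREFIX + r'open\("(?P<path>[^"]+)",[^)]*\)\s*=\s*(?P<ret>-?\d+)')
CLOSE_RE = re.compile(PREFIX + r'close\((?P<fd>\d+)\)\s*=\s*0')
CALL_RE = re.compile(
    PREFIX + r'(?P<name>\w+)\((?P<fd>\d+),\s*(?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)'
    r'(?:\s+(?P<errno>E[A-Z]+))?')
# F_SETLK / F_SETLK64 only: the blocking F_SETLKW variant never returns EAGAIN.
SETLK_RE = re.compile(r'\bF_SETLK(?:64)?\b')

# Sequences 1 and 2 are taken from the message above; sequence 3 is constructed
# to show what an uncontended lock looks like.
TRACE = '''\
open("/mail/spool/exim.in/input/1HUTuF-0000Mj-DU-H", O_RDWR|O_LARGEFILE) = 6
ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfeb3b78) = -1 ENOTTY (Inappropriate ioctl for device)
_llseek(6, 0, [0], SEEK_CUR) = 0
fstat64(6, {st_mode=S_IFREG|0640, st_size=1191, ...}) = 0
fcntl64(6, F_SETFD, FD_CLOEXEC) = 0
fcntl64(6, F_SETLK64, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}, 0xa4c0988) = -1 EAGAIN (Resource temporarily unavailable)
close(6) = 0
open("/mail/spool/exim.in/input/1HUTuI-0000Ml-2H-H", O_RDWR|O_LARGEFILE) = 6
ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfeb3b78) = -1 ENOTTY (Inappropriate ioctl for device)
_llseek(6, 0, [0], SEEK_CUR) = 0
fstat64(6, {st_mode=S_IFREG|0640, st_size=1027, ...}) = 0
fcntl64(6, F_SETFD, FD_CLOEXEC) = 0
fcntl64(6, F_SETLK64, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}, 0xa4c0988) = -1 EAGAIN (Resource temporarily unavailable)
close(6) = 0
open("/mail/spool/exim.in/input/CONSTRUCTED-0000aa-AA-H", O_RDWR|O_LARGEFILE) = 6
ioctl(6, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfeb3b78) = -1 ENOTTY (Inappropriate ioctl for device)
fcntl64(6, F_SETLK64, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}, 0xa4c0988) = 0
'''


def analyse(trace):
    """Return spool files whose lock attempt was contended or succeeded,
    plus the number of harmless TCGETS probes seen."""
    fd_path = {}  # descriptor number -> path it currently refers to
    report = {"contended": [], "locked": [], "tty_probes": 0}
    for raw in trace.splitlines():
        line = raw.strip()
        m = OPEN_RE.match(line)
        if m:
            if int(m["ret"]) >= 0:  # failed opens return -1 and allocate nothing
                fd_path[int(m["ret"])] = m["path"]
            continue
        m = CLOSE_RE.match(line)
        if m:
            fd_path.pop(int(m["fd"]), None)  # descriptor numbers get reused
            continue
        m = CALL_RE.match(line)
        if not m:
            continue
        fd, ret, errno = int(m["fd"]), int(m["ret"]), m["errno"]
        path = fd_path.get(fd, "<fd %d>" % fd)
        if m["name"] == "ioctl" and "TCGETS" in m["args"] and errno == "ENOTTY":
            report["tty_probes"] += 1
        elif m["name"].startswith("fcntl") and SETLK_RE.search(m["args"]):
            if ret == 0:
                report["locked"].append(path)
            elif errno in ("EAGAIN", "EACCES"):
                # fcntl(2): a conflicting lock is held by another process
                report["contended"].append(path)
    return report


if __name__ == "__main__":
    result = analyse(TRACE)
    for path in result["contended"]:
        print("lock held elsewhere:", path)
    for path in result["locked"]:
        print("lock acquired:      ", path)
    print("TCGETS probes on regular files:", result["tty_probes"])
```

Run against a longer capture, a file that shows up as contended in every pass is the one to check for a stale lock holder; files that appear once and then lock cleanly are ordinary contention.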
From: paul at blacknight.ie (Paul Kelly :: Blacknight Solutions)
Date: Mon Mar 26 12:06:00 2007
Subject: mailscanner zombie and large output queue
In-Reply-To: <1174906013.15441.20.camel@localhost.localdomain>
References: <1174906013.15441.20.camel@localhost.localdomain>
Message-ID: <4607A7EA.4070104@blacknight.ie>

Krishna wrote:
> Hi,
>
> Mailscanner is configured with exim and spamassassin and
> currently it has got some Zombie processes. This is the strace from one
> of the processes.
>
> EAGAIN shows that it cannot get lock on a file and ENOTTY relates
> to why mailscanner is looking for a character file.
>
> Has this to do with the configuration of the mailscanner? I am
> having quite a large output queue which does not get cleared on its own.
>
> Has anyone experienced this before?

Have you upgraded MailScanner? There were patches in one of the last releases to stop zombie processes for people who use MailScanner with exim.

Paul

--
Paul Kelly
Technical Director
Blacknight Internet Solutions ltd
Hosting, Colocation, Dedicated servers
Lowest Cost .ie Domains 25 euro per year!
IP Transit Services
Lo-call: 1850 927 280
DDI: 059 9183091

e-mail: paul@blacknight.ie
web: http://www.blacknight.ie

Blacknight Internet Solutions Ltd,
Unit 12A,Barrowside Business Park,
Sleaty Road,
Graiguecullen,
Carlow,
Ireland

Company No.: 370845

From drew at technologytiger.net Mon Mar 26 14:34:15 2007
From: drew at technologytiger.net (Drew Marshall)
Date: Mon Mar 26 13:41:52 2007
Subject: Trouble with Mailscanner and Postfix 2.2.10
In-Reply-To: <20070324144550.1f7122be@localhost>
References: <003901c76e3e$51b36ed0$150aa8c0@station21> <20070324144550.1f7122be@localhost>
Message-ID: <50803.194.70.180.170.1174912455.squirrel@www.technologytiger.net>

On Sat, March 24, 2007 19:45, Gerard Seibert wrote:
> On Sat, 24 Mar 2007 15:00:34 -0300
> "patrik" wrote:
>
>> This is my first time in that list.
>>
>> Please I'm having the next trouble I sent a mail to destination and
>> the system receive the messages MailScanner start to look for virus
>> with deferred but he didn't deliver the message to mail box, it
>> remains at /var/spool/MailScanner/incoming.

Have you checked your queue depths? There is a section in the wiki that Glenn pointed you at which describes this. I think it was about 2.2.x that the standard default start up queue hashes were changed. If they are not the same between the hold and incoming queues then your mail will either not be found or not delivered. (Assuming you are using the Hold method Glenn has already pointed out).

> This sounds more like a poorly configured postfix problem. Since my
> crystal ball is broken, and you failed to post any config files; i.e.,
> for starters the output of: 'postconf -n', helping you is not really an
> option.

It is much harder without more information. I would also add some mail log extracts would also be useful.

> In addition, have you tried posting this problem on the 'postfix'
> forum.

Now this might not yield the response you might hope if you also mention MailScanner. For the short term, I would concentrate here.

Drew

From krishna.shekhar at viatel.com Mon Mar 26 14:41:12 2007
From: krishna.shekhar at viatel.com (Krishna)
Date: Mon Mar 26 13:44:20 2007
Subject: mailscanner zombie and large output queue
In-Reply-To: <4607A7EA.4070104@blacknight.ie>
References: <1174906013.15441.20.camel@localhost.localdomain> <4607A7EA.4070104@blacknight.ie>
Message-ID: <1174912872.15441.23.camel@localhost.localdomain>

Hi,

MailScanner Version Number = 4.43.8

Not yet

Krishna

On Mon, 2007-03-26 at 12:00 +0100, Paul Kelly :: Blacknight Solutions wrote:
> Krishna wrote:
> > Hi,
> >
> > Mailscanner is configured with exim and spamassassin and
> > currently it has got some Zombie processes. This is the strace from one
> > of the processes.
> >
> > EAGAIN shows that it cannot get lock on a file and ENOTTY relates
> > to why mailscanner is looking for a character file.
> >
> > Has this to do with the configuration of the mailscanner? I am
> > having quite a large output queue which does not get cleared on its own.
> >
> > Has anyone experienced this before?
>
> Have you upgraded MailScanner? There were patches in one of the last
> releases to stop zombie processes for people who use MailScanner with exim.
>
> Paul
>
>
> --
> Paul Kelly
> Technical Director
> Blacknight Internet Solutions ltd
> Hosting, Colocation, Dedicated servers
> Lowest Cost .ie Domains 25 euro per year!
> IP Transit Services
> Lo-call: 1850 927 280
> DDI: 059 9183091
>
> e-mail: paul@blacknight.ie
> web: http://www.blacknight.ie
>
> Blacknight Internet Solutions Ltd,
> Unit 12A,Barrowside Business Park,
> Sleaty Road,
> Graiguecullen,
> Carlow,
> Ireland
>
> Company No.: 370845

From Denis.Beauchemin at USherbrooke.ca Mon Mar 26 15:14:20 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Mar 26 14:22:14 2007
Subject: Julian is out of hospital
In-Reply-To: <20070324124253.GB3188@login.ecs.soton.ac.uk>
References: <20070324124253.GB3188@login.ecs.soton.ac.uk>
Message-ID: <4607C72C.2000300@USherbrooke.ca>

Tim Chown wrote:
> Subject line says it all.
>
> No idea yet how much recuperation is needed before he'll be online in
> a personal or other capacity, but the fact that he's back in his own home
> with his parents looking after him is really good news.
>
> I'll not post any further updates. Hopefully the next update will, in
> due course, be from Jules himself.
>
>

Great news! Thanks Tim.

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From am.lists at gmail.com Mon Mar 26 15:15:40 2007
From: am.lists at gmail.com (am.lists)
Date: Mon Mar 26 14:23:10 2007
Subject: IP address reputation, BorderWare
In-Reply-To:
References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> <4602FAAA.20009@fractalweb.com> <25a66d840703230355j774d8988q6d50c8c53921186f@mail.gmail.com>
Message-ID: <25a66d840703260615p2ca3af13pbe4817232268d03@mail.gmail.com>

On 3/23/07, Scott Silva wrote:
> am.lists spake the following on 3/23/2007 3:55 AM:
> > On 3/22/07, Kevin Miller wrote:
> >> Scott Silva wrote:
> >> > Yes ... like SPF but without all the people who have ~all in their
> >> > records!
> >>
> >> I've never understood that. Mine are all hard fails. Soft fails are
> >> for people that are soft in the head, methinks.
> >>
> >
> > The problem with hard fails is the following scenario:
> >
> > You are on a website that has a "send to a friend" -- and it imitates
> > your from address so that your "friend" recognizes the mail from you.
> >
> > I'm not sure I like it this way, but in some circumstances, on poorly
> > designed sites, a -all would kill this message.
> >
> > Angelo
> That is why if I want to send something to a friend, I cut and paste the link.
> Why give some third party an address that they might sell to a spammer?
> Or use to spam themselves.
>

Yes. You do that, and I do that. But I had a user the other day complain that her attachment was taking a long time to send, and then it came back undeliverable.

I asked her how large it was. She replied "Oh, it's 41MB MS Publisher file".

It's not us. It's the users we [have to] support.

--Angelo

From bpumphrey at woodmclaw.com Mon Mar 26 16:21:47 2007
From: bpumphrey at woodmclaw.com (Billy A. Pumphrey)
Date: Mon Mar 26 15:29:16 2007
Subject: Julian is out of hospital
In-Reply-To: <20070324124253.GB3188@login.ecs.soton.ac.uk>
Message-ID: <04D932B0071FE34FA63EBB1977B48D1502646B06@woodenex.woodmaclaw.local>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tim Chown
> Sent: Saturday, March 24, 2007 8:43 AM
> To: MailScanner discussion
> Subject: Julian is out of hospital
>
> Subject line says it all.
>
> No idea yet how much recuperation is needed before he'll be online in
> a personal or other capacity, but the fact that he's back in his own home
> with his parents looking after him is really good news.
>
> I'll not post any further updates. Hopefully the next update will, in
> due course, be from Jules himself.
>
> --
> Tim
> --

I am glad to hear this! I wonder if somewhat the cause was that he overworked himself. He talked about having a lot to do and learning the new programming language. Was there any hint of him just doing too much?

From ssilva at sgvwater.com Mon Mar 26 17:20:02 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Mar 26 16:27:46 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <25a66d840703260615p2ca3af13pbe4817232268d03@mail.gmail.com>
References: <200703222149.l2MLnwvo030176@mail.deniscroombs.org> <4602FAAA.20009@fractalweb.com> <25a66d840703230355j774d8988q6d50c8c53921186f@mail.gmail.com> <25a66d840703260615p2ca3af13pbe4817232268d03@mail.gmail.com>
Message-ID:

am.lists spake the following on 3/26/2007 6:15 AM:
> On 3/23/07, Scott Silva wrote:
>> am.lists spake the following on 3/23/2007 3:55 AM:
>> > On 3/22/07, Kevin Miller wrote:
>> >> Scott Silva wrote:
>> >> > Yes ... like SPF but without all the people who have ~all in their
>> >> > records!
>> >>
>> >> I've never understood that. Mine are all hard fails. Soft fails are
>> >> for people that are soft in the head, methinks.
>> >>
>> >
>> > The problem with hard fails is the following scenario:
>> >
>> > You are on a website that has a "send to a friend" -- and it imitates
>> > your from address so that your "friend" recognizes the mail from you.
>> >
>> > I'm not sure I like it this way, but in some circumstances, on poorly
>> > designed sites, a -all would kill this message.
>> >
>> > Angelo
>> That is why if I want to send something to a friend, I cut and paste
>> the link.
>> Why give some third party an address that they might sell to a spammer?
>> Or use to spam themselves.
>>
>
> Yes. You do that, and I do that. But I had a user the other day
> complain that her attachment was taking a long time to send, and then
> it came back undeliverable.
>
> I asked her how large it was. She replied "Oh, it's 41MB MS Publisher
> file".
>
> It's not us. It's the users we [have to] support.
>
> --Angelo

I guess beating them will not improve morale after all! At least not THEIR morale! Just thinking about it makes me smile... ;-P

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Mon Mar 26 17:21:55 2007
From: ssilva at sgvwater.com (Scott Silva)
Date: Mon Mar 26 16:32:41 2007
Subject: Julian is out of hospital
In-Reply-To: <04D932B0071FE34FA63EBB1977B48D1502646B06@woodenex.woodmaclaw.local>
References: <20070324124253.GB3188@login.ecs.soton.ac.uk> <04D932B0071FE34FA63EBB1977B48D1502646B06@woodenex.woodmaclaw.local>
Message-ID:

Billy A. Pumphrey spake the following on 3/26/2007 7:21 AM:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tim Chown
>> Sent: Saturday, March 24, 2007 8:43 AM
>> To: MailScanner discussion
>> Subject: Julian is out of hospital
>>
>> Subject line says it all.
>>
>> No idea yet how much recuperation is needed before he'll be online in
>> a personal or other capacity, but the fact that he's back in his own home
>> with his parents looking after him is really good news.
>>
>> I'll not post any further updates. Hopefully the next update will, in
>> due course, be from Jules himself.
>>
>> --
>> Tim
>> --
>
> I am glad to hear this! I wonder if somewhat the cause was that he
> overworked himself. He talked about having a lot to do and learning the
> new programming language. Was there any hint of him just doing too much?

Julian has had a long term illness that he has just been "living with". There are more details in the archives if you are still curious.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From mailscanner at yeticomputers.com Mon Mar 26 17:35:01 2007
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Mon Mar 26 16:42:35 2007 Subject: Julian is out of hospital In-Reply-To: <20070324124253.GB3188@login.ecs.soton.ac.uk> References: <20070324124253.GB3188@login.ecs.soton.ac.uk> Message-ID: <4607E825.3010206@yeticomputers.com> Tim Chown wrote: > Subject line says it all. Excellent news. Take it easy and slow, Julian. Get well. We haven't descended completely into anarchy yet. :) Rick From jfagan at firstlightnetworks.com Mon Mar 26 18:24:46 2007 From: jfagan at firstlightnetworks.com (James Fagan) Date: Mon Mar 26 17:31:01 2007 Subject: Julian is out of hospital In-Reply-To: <20070324124253.GB3188@login.ecs.soton.ac.uk> References: <20070324124253.GB3188@login.ecs.soton.ac.uk> Message-ID: <59E4A3A1069C2640959AD0F7518C4812052C7E@FLN1.fln.local> > > Subject line says it all. > > No idea yet how much recuperation is needed before he'll be online in > a personal or other capacity, but the fact that he's back in his own > home > with his parents looking after him is really good news. > > I'll not post any further updates. Hopefully the next update will, in > due course, be from Jules himself. > > -- > Tim Excellent news! Glad to see that Julian is recovering. Keep getting better Julian! James From cleveland at winnefox.org Mon Mar 26 19:36:52 2007 From: cleveland at winnefox.org (Jody Cleveland) Date: Mon Mar 26 18:44:23 2007 Subject: Julian is out of hospital In-Reply-To: <20070324124253.GB3188@login.ecs.soton.ac.uk> Message-ID: Outstanding! Welcome home Jules!! - jody On 3/24/07 7:42 AM, "Tim Chown" wrote: > Subject line says it all. > > No idea yet how much recuperation is needed before he'll be online in > a personal or other capacity, but the fact that he's back in his own home > with his parents looking after him is really good news. > > I'll not post any further updates. Hopefully the next update will, in > due course, be from Jules himself. From bryan.guest at bmts.com Mon Mar 26 20:15:50 2007 
From: bryan.guest at bmts.com (Bryan Guest)
Date: Mon Mar 26 19:23:43 2007
Subject: inbound queue piling up... suddenly
Message-ID: <015901c76fd2$c8f652b0$0b01010a@DGPTBH91>

Hello:

We have been running MailScanner for months with everything fine. Last week I went on vacation... The people who watch these things in my absence started getting warnings about the inbound queue(s) increasing by large amounts.

I have two Sun V20Z machines running RHEL ES4. They each have 2GB of RAM. I am running MailScanner 4.56.8 and Mailwatch.

Here is what appears to happen...

There is a pile of mail in the queue that needs to be processed. It doesn't seem to be getting processed. I stop MailScanner. I wait for the MailScanner processes to die off (takes several minutes). Then I restart MailScanner. Mail starts getting processed again. I can see messages like this:

Mar 26 13:54:56 nicole MailScanner[7368]: New Batch: Found 1008 messages waiting
Mar 26 13:54:56 nicole MailScanner[7368]: New Batch: Scanning 30 messages, 3660448 bytes

The inbound Queue starts to come down. All appears good.

Then I hit the maximum number of MailScanner processes (65 currently).

Mail starts to pile up in the outbound queue again. I no longer see messages like the above, i.e. about new batch. All I see are these messages:

Mar 26 14:11:36 nicole MailScanner[4289]: Started SQL Logging child
Mar 26 14:11:36 nicole MailScanner[5530]: Logging message l2QHUr1e026132 to SQL

So it would seem that MailScanner is starting processes to its maximum and then stops processing mail. And it would appear that this is because it is getting hung up logging to MailWatch.

Therefore I would like to ask three questions...

1. Has anyone seen this before?
2. Why did it just magically happen (besides the fact I went on vacation?)
3. What can I do to correct the problem or stop SQL logging from holding up the show?

Many Many thanks in advance,

Bryan Guest
bryan.guest@bmts.com
bryan.guest@gmail.com

From Denis.Beauchemin at USherbrooke.ca Mon Mar 26 20:34:21 2007
From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin)
Date: Mon Mar 26 19:42:06 2007
Subject: inbound queue piling up... suddenly
In-Reply-To: <015901c76fd2$c8f652b0$0b01010a@DGPTBH91>
References: <015901c76fd2$c8f652b0$0b01010a@DGPTBH91>
Message-ID: <4608122D.7030003@USherbrooke.ca>

Bryan Guest wrote:
> I have two Sun V20Z machines running RHEL ES4. They each have 2GB of
> RAM. I am running MailScanner 4.56.8 and Mailwatch.
>
> ...
>
> Then I hit the maximum number of MailScanner processes (65 currently).
>
>

Bryan,

You have so many processes... My boxes only manage to get "Max Children" x 2 + 1 MailScanner processes at a given time.

Could your SQL be hitting a "too many open files" limit?

If your processes count like mine, your "Max Children" is way too high for the RAM you have!

Denis

--
Denis Beauchemin, analyst
Université de Sherbrooke, S.T.I.
T: 819.821.8000x62252 F: 819.821.8045

From itdept at fractalweb.com Mon Mar 26 20:46:02 2007
From: itdept at fractalweb.com (Chris Yuzik) Date: Mon Mar 26 19:53:38 2007 Subject: inbound queue piling up... suddenly In-Reply-To: <015901c76fd2$c8f652b0$0b01010a@DGPTBH91> References: <015901c76fd2$c8f652b0$0b01010a@DGPTBH91> Message-ID: <460814EA.1050407@fractalweb.com> Bryan Guest wrote: > Then I hit the maximum number of MailScanner processes (65 currently). Bryan, I agree with Denis--you have waaaay too many MailScanner processes. One of our production servers is a dual intel xeon and has 2 GB of RAM, and we're running 10 children on it. Unless your system has 13 CPU cores (hyperthreading doesn't count), you shouldn't have 65 children. Change it down to something like the recommended 5 per cpu and see what happens. Chris From ka at pacific.net Mon Mar 26 20:56:18 2007 From: ka at pacific.net (Ken A) Date: Mon Mar 26 20:03:46 2007 Subject: inbound queue piling up... suddenly In-Reply-To: <460814EA.1050407@fractalweb.com> References: <015901c76fd2$c8f652b0$0b01010a@DGPTBH91> <460814EA.1050407@fractalweb.com> Message-ID: <46081752.6000405@pacific.net> MailScanner causes swapping when I'm on vacation too! ;-) Ken A. Pacific.Net Chris Yuzik wrote: > Bryan Guest wrote: >> Then I hit the maximum number of MailScanner processes (65 currently). > Bryan, > > I agree with Denis--you have waaaay too many MailScanner processes. One > of our production servers is a dual intel xeon and has 2 GB of RAM, and > we're running 10 children on it. > > Unless your system has 13 CPU cores (hyperthreading doesn't count), you > shouldn't have 65 children. Change it down to something like the > recommended 5 per cpu and see what happens. > > Chris From hvdkooij at vanderkooij.org Mon Mar 26 21:30:09 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Mar 26 20:37:42 2007 Subject: inbound queue piling up... suddenly In-Reply-To: <46081752.6000405@pacific.net> References: <015901c76fd2$c8f652b0$0b01010a@DGPTBH91> <460814EA.1050407@fractalweb.com> <46081752.6000405@pacific.net> Message-ID: On Mon, 26 Mar 2007, Ken A wrote: > MailScanner causes swapping when I'm on vacation too! ;-) Management will be informed to scratch your vacations from now on to keep the system at peak efficiency. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From paul.hutchings at mira.co.uk Mon Mar 26 21:57:02 2007 
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Mon Mar 26 21:04:32 2007
Subject: Bypassing Mailscanner for Outgoing mail?
Message-ID:

Mailscanner/Linux newbie here (I know enough to get by).

I'm building a new Suse/Postfix box as an SMTP gateway and want to achieve the following:

Scan inbound mail for spam and viruses.
Scan outbound mail for viruses only, and add a disclaimer.

AIUI mailscanner looks at ALL mail that Postfix handles, so I'm trying to work out how I would achieve the above.

From what I've read, I believe that what I can do is use a single Postfix instance and use rulesets to do the following:

1) Set "Virus Scanning" to scan all mail for viruses (default).
2) Set "Spam Checks" to exclude outbound mail from spam scanning by IP address (it threw me that a "From:" rule can also refer to an IP/Subnet).
3) Set "Sign Clean Messages" to only include mail from our internal servers IP.

I assume by default that if an outbound message passes the virus check, but does not get scanned for spam that it meets the criteria of being an "uninfected message" for "Sign Clean Messages" to fire?

Have to say I felt rather daunted by MailScanner.config but it actually makes a lot more sense to me than trying to use the Webmin module.

Anyway, appreciate any comments as to if I'm going about this the right way or not?

cheers,
Paul

--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
mailto:paul.hutchings@mira.co.uk

From ssilva at sgvwater.com Mon Mar 26 22:43:11 2007
From: ssilva at sgvwater.com (Scott Silva) Date: Mon Mar 26 22:24:58 2007 Subject: inbound queue piling up... suddenly In-Reply-To: <46081752.6000405@pacific.net> References: <015901c76fd2$c8f652b0$0b01010a@DGPTBH91> <460814EA.1050407@fractalweb.com> <46081752.6000405@pacific.net> Message-ID: Ken A spake the following on 3/26/2007 11:56 AM: > MailScanner causes swapping when I'm on vacation too! ;-) > Ken A. > Pacific.Net Our mail filters were triggered by this notorious "vacation" word in an email you sent. Please consider a word that doesn't trigger fits of swapping, or runaway mail processes! ;-P -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From itdept at fractalweb.com Mon Mar 26 23:28:15 2007 
From: itdept at fractalweb.com (Chris Yuzik) Date: Mon Mar 26 22:35:52 2007 Subject: IP address reputation, BorderWare In-Reply-To: <4605E937.2020704@yeticomputers.com> References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> Message-ID: <46083AEF.8070100@fractalweb.com> Rick Chadderdon wrote: > I think I've made it clear that it's not the volume of usage that > bothers me (although there have been days where I've gotten more > connections from a SAV flood than I did legitimate delivery attempts). > It's the thoughtless, selfishly justified actions of people who think > it's ok to hammer my server because it saves them bandwidth. Kevin's > "community Internet" theory aside, there is no tangible benefit to > *anyone* other than the user of SAV, and he's using the resources of > others to attain that benefit. Anyone sophisticated enough to > configure SAV also already has their system configured *not* to send > NDRs after the SMTP transaction. I hope. In any case, it's not the > amount of resources being consumed that bothers me - it's the fact > that they're being used at all in a way that only *arguably* benefits > me, without my consent, and that even with the awareness that there > are people (even if it's only me, and I guarantee that it's not) who > would prefer that you didn't do it to them, you'll do it anyway. Rick, I've been thinking about this issue at length, and agree that it is a complex one. After much analysis, I consider responding to incoming SAV lookups on our end to simply be part of the deal with hosting a domain, much as is responding to DNS queries about the domain, subdomains, etc. 
As host to a domain, I believe it is my server's responsibility to answer queries regarding SAV, in an effort to defend a domain name's reputation including that of the company behind the domain name. Let's pretend, for example, that I host the domain for some well-known brand, let's say "Pepsi.com" (I don't, of course, but I do have a can of it on my desk at the moment :-). Some bozo decides to joe-job a fake address, or multiple fake addresses that all end in @pepsi.com. In the process, the bozo is tarnishing the good name of the company behind the real domain. Anyone that gets spam in to their mailbox from addresses at Pepsi may very well get annoyed and frustrated and may make alternate beverage choices next time they're at the convenience store shopping for some pop. If SAV didn't exist, or was somehow actively prevented from working by the server hosting pepsi.com, then more of the joe-jobbed spam is going to end up in user's inboxes and that damages the reputation of the company getting joe-jobbed, Pepsi in this example. So why then is verifying a sender a bad thing? I've gone to all sorts of trouble to try to prevent the bozos from using our domain, and have SPF configured (with "-all"), but it still happens. At least once or twice a week, some idiot sends spam from fake addresses at our domains (we see a few spams...er...copies from people's "Barracuda Spam Firewall" with the messages attached). If the recipient of the spam did SAV, then they wouldn't accept the spam into their server and user's inboxes, and our company's reputation would not be tarnished. If your server gets spam allegedly from my domain, please, by all means, do whatever you can to ensure that the mail really did originate from us before letting it in to your user's inboxes, including SAV. Chris :-) From glenn.steen at gmail.com Mon Mar 26 23:55:14 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Mar 26 23:02:45 2007 Subject: Bypassing Mailscanner for Outgoing mail? In-Reply-To: References: Message-ID: <223f97700703261455y3e406dd8n3c447a996d7d7677@mail.gmail.com> On 26/03/07, Paul Hutchings wrote: > Mailscanner/Linux newbie here (I know enough to get by). > > I'm building a new Suse/Postfix box as an SMTP gateway and want to > achieve the following: > > Scan inbound mail for spam and viruses. > Scan outbound mail for viruses only, and add a disclaimer. > > AIUI mailscanner looks at ALL mail that Postfix handles, so I'm trying > to work out how I would achieve the above. > > From what I've read, I believe that what I can do is use a single > Postfix instance and use rulesets to do the following: > > 1) Set "Virus Scanning" to scan all mail for viruses (default). > 2) Set "Spam Checks" to exclude outbound mail from spam scanning by IP > address (it threw me that a "From:" rule can also refer to an > IP/Subnet). > 3) Set "Sign Clean Messages" to only include mail from our internal > servers IP. > > I assume by default that if an outbound message passes the virus check, > but does not get scanned for spam that it meets the criteria of being an > "uninfected message" for "Sign Clean Messages" to fire? > > Have to say I felt rather daunted by MailScanner.config but it actually > makes a lot more sense to me than trying to use the Webmin module. > > Anyway, appreciate any comments as to if I'm going about this the right > way or not? You're coming along nicely:-). That is pretty much how I do it... Can't really remember if there was any more things to whitelist (than Scan...), I'll check tomorrow and let you know. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From daniel at danielf.ch Tue Mar 27 09:18:26 2007
From: daniel at danielf.ch (Daniel Fuhrer) Date: Tue Mar 27 08:26:22 2007 Subject: AW: Mails not processed In-Reply-To: <96EF3FB3C374A64187CCB0D0DA716F2446AC@idefix.danielf.local> References: <96EF3FB3C374A64187CCB0D0DA716F2446A9@idefix.danielf.local><4603D144.6030508@coders.co.uk><96EF3FB3C374A64187CCB0D0DA716F2446AB@idefix.danielf.local> <96EF3FB3C374A64187CCB0D0DA716F2446AC@idefix.danielf.local> Message-ID: <96EF3FB3C374A64187CCB0D0DA716F2446AE@idefix.danielf.local> Hi all So I found some errors that seem to be related to my problem, that mailscanner doesn't process some mails. When I start mailscanner I get the following error for each child process: Use of uninitialized value in concatenation (.) or string at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1050. Around that line 1050 is the code: 1047: sub read_scoreonly_config { 1048: my ($self, $filename) = @_; 1049: 1050: if (!open(IN,"<$filename")) { 1051: # the file may not exist; this should not be verbose 1052: dbg("config: read_scoreonly_config: cannot open \"$filename\": $!"); 1053: return; 1054: } After starting I get the following errors: Ignore errors about failing to find EOCD signature /usr/local/bin/clamscan: unrecognized option `--unarj' ERROR: Unknown option passed. ERROR: Can't parse the command line And I think when he tries to process some mail, that he can't I get the following message: format error: can't find EOCD signature at /usr/local/sbin/mailscanner line 832 Around that line 832 is the code: 829: # Extract all the attachments 829: $batch->StartTiming('virus', 'Virus Scanning'); 830: # Moved upwards: $global::MS->{work}->BuildInDirs($batch); 831: $0 = 'MailScanner: extracting attachments'; 832: $batch->Explode(); 833: 834: # Report all the unparsable messages, but don't delete anything 835: $batch->ReportBadMessages(); I hope someone can help me with these problems.
Best Regards Daniel -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Daniel Fuhrer Sent: Friday, 23 March 2007 15:39 To: Mailscanner Subject: AW: Mails not processed Hi Matt Sorry for this post. I found the option. I get the following output. Use of uninitialized value in concatenation (.) or string at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1052. Line 1052 is: dbg("config: read_scoreonly_config: cannot open \"$filename\": $!"); Ignore errors about failing to find EOCD signature /usr/local/bin/clamscan: unrecognized option `--unarj' ERROR: Unknown option passed. ERROR: Can't parse the command line But that seems to be another "problem". Mailscanner processes these Mails anyway. What can that be? Cheers Daniel -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Daniel Fuhrer Sent: Friday, 23 March 2007 15:28 To: Mailscanner Subject: AW: Mails not processed Hi Matt Thanks for the quick answer. How can I do that? I'm new on MailScanner. I didn't find any option in the config file. Did I overlook it? Cheers Daniel -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Hampton Sent: Friday, 23 March 2007 14:08 To: Mailscanner Subject: Re: Mails not processed Daniel Fuhrer wrote: > Hi all > > I have the following problem. In the logfile is an entry like: > > SpamAssassin cache hit for message l2J1GmG0001768 > > But the mail will not be processed. That fills up my queue and > mailscanner always tries to process them until I move the mail away. > > Any Ideas what's going on?
> Try running MailScanner in the foreground with debugging turned on and see what happens matt -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From lodder at delodder.be Tue Mar 27 09:42:26 2007 From: lodder at delodder.be (Philippe Delodder) Date: Tue Mar 27 08:50:18 2007 Subject: Mailscanner and opensuse Message-ID: <4608CAE2.9080303@delodder.be> Hi, How can I install mailscanner on opensuse is there a repository for it ? Philippe Delodder From paul.hutchings at mira.co.uk Tue Mar 27 09:49:33 2007 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Tue Mar 27 08:57:05 2007 Subject: Mailscanner and opensuse Message-ID: I don't know if there are better solutions, but I'm testing on an Opensuse 10.2 box right now and all I did was download the files directly from the Mailscanner website and run the install script. It appears the install script builds RPMs for you. It seems to have done everything (unless anyone can suggest otherwise?). cheers, Paul -- Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Philippe Delodder Sent: 27 March 2007 08:42 To: MailScanner discussion Subject: Mailscanner and opensuse Hi, How can I install mailscanner on opensuse is there a repository for it ? Philippe Delodder From lhaig at haigmail.com Tue Mar 27 10:10:38 2007 From: lhaig at haigmail.com (Lance Haig) Date: Tue Mar 27 09:18:10 2007 Subject: Mailscanner and opensuse In-Reply-To: References: Message-ID: <4608D17E.2040703@haigmail.com> Hi Paul, No that is the best way to install Mailscanner. Also don't use the installed spamassassin and clamav. Use Julian's install script for them. Regards Lance Paul Hutchings wrote: > I don't know if there are better solutions, but I'm testing on an > Opensuse 10.2 box right now and all I did was download the files > directly from the Mailscanner website and run the install script. > > It appears the install script builds RPMs for you. > > It seems to have done everything (unless anyone can suggest > otherwise?). > > cheers, > Paul > -- > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Philippe Delodder > Sent: 27 March 2007 08:42 > To: MailScanner discussion > Subject: Mailscanner and opensuse > > Hi, > > How can I install mailscanner on opensuse is there a repository for it ? > > Philippe Delodder > From paul.hutchings at mira.co.uk Tue Mar 27 10:17:31 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Tue Mar 27 09:25:03 2007 Subject: Mailscanner and opensuse Message-ID: Could you expand on "Also don't use the installed spamassassin and clamav. Use Julian's install script for them." please? I'm reading the Mailscanner PDF manual now and it suggests to do that, but does make it too clear why. Being very much a beginner, as you can imagine, using RPMs does make life much easier for me, and from my (very limited so far) testing spam and virus scanning seems to be working with the default OpenSuse RPMs? Basically I'd like to keep things simple, and if I need to change that I would like to know why so I can document the process etc. cheers, Paul -- Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Lance Haig Sent: 27 March 2007 09:11 To: MailScanner discussion Subject: Re: Mailscanner and opensuse Hi Paul, No that is the best way to install Mailscanner. Also don't use the installed spamassassin and clamav. Use Julian's install script for them. Regards Lance Paul Hutchings wrote: > I don't know if there are better solutions, but I'm testing on an > Opensuse 10.2 box right now and all I did was download the files > directly from the Mailscanner website and run the install script. > > It appears the install script builds RPMs for you. > > It seems to have done everything (unless anyone can suggest > otherwise?). > > cheers, > Paul > -- > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Philippe Delodder > Sent: 27 March 2007 08:42 > To: MailScanner discussion > Subject: Mailscanner and opensuse > > Hi, > > How can I install mailscanner on opensuse is there a repository for it ? > > Philippe Delodder > From lodder at delodder.be Tue Mar 27 10:17:59 2007 From: lodder at delodder.be (Philippe Delodder) Date: Tue Mar 27 09:25:32 2007 Subject: Mailscanner and opensuse In-Reply-To: References: Message-ID: <4608D337.8050705@delodder.be> Paul Hutchings wrote: > I don't know if there are better solutions, but I'm testing on an > Opensuse 10.2 box right now and all I did was download the files > directly from the Mailscanner website and run the install script. > > It appears the install script builds RPMs for you. > > It seems to have done everything (unless anyone can suggest > otherwise?). > > cheers, > Paul > -- > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Philippe Delodder > Sent: 27 March 2007 08:42 > To: MailScanner discussion > Subject: Mailscanner and opensuse > > Hi, > > How can I install mailscanner on opensuse is there a repository for it ? > > Philippe Delodder > Ok I'll try it From lodder at delodder.be Tue Mar 27 10:20:37 2007
From: lodder at delodder.be (Philippe Delodder) Date: Tue Mar 27 09:28:16 2007 Subject: Mailscanner and opensuse In-Reply-To: <4608D17E.2040703@haigmail.com> References: <4608D17E.2040703@haigmail.com> Message-ID: <4608D3D5.1080304@delodder.be> Lance Haig wrote: > Hi Paul, > > No that is the best way to install Mailscanner. > > Also don't use the installed spamassassin and clamav. Use Julian's > install script for them. > > Regards > > Lance > > Paul Hutchings wrote: >> I don't know if there are better solutions, but I'm testing on an >> Opensuse 10.2 box right now and all I did was download the files >> directly from the Mailscanner website and run the install script. >> >> It appears the install script builds RPMs for you. >> >> It seems to have done everything (unless anyone can suggest >> otherwise?). >> >> cheers, >> Paul >> -- >> Paul Hutchings >> Network Administrator, MIRA Ltd. >> Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 >> mailto:paul.hutchings@mira.co.uk >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of >> Philippe Delodder >> Sent: 27 March 2007 08:42 >> To: MailScanner discussion >> Subject: Mailscanner and opensuse >> >> Hi, >> >> How can I install mailscanner on opensuse is there a repository for it ? >> >> Philippe Delodder >> > Where can I find that script you're referring to? Philippe Delodder From glenn.steen at gmail.com Tue Mar 27 11:34:15 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Mar 27 10:41:48 2007 Subject: Mails not processed In-Reply-To: <96EF3FB3C374A64187CCB0D0DA716F2446AE@idefix.danielf.local> References: <96EF3FB3C374A64187CCB0D0DA716F2446A9@idefix.danielf.local> <4603D144.6030508@coders.co.uk> <96EF3FB3C374A64187CCB0D0DA716F2446AB@idefix.danielf.local> <96EF3FB3C374A64187CCB0D0DA716F2446AC@idefix.danielf.local> <96EF3FB3C374A64187CCB0D0DA716F2446AE@idefix.danielf.local> Message-ID: <223f97700703270234i37c70060sfb2a27b9a163e817@mail.gmail.com> On 27/03/07, Daniel Fuhrer wrote: > Hi all > So I found some errors that seem to be related to my problem, that mailscanner doesn't process some mails. > > When I start mailscanner I get the following error for each child process: > > Use of uninitialized value in concatenation (.) or string at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1050. > > Around that line 1050 is the code: > > 1047: sub read_scoreonly_config { > 1048: my ($self, $filename) = @_; > 1049: > 1050: if (!open(IN,"<$filename")) { > 1051: # the file may not exist; this should not be verbose > 1052: dbg("config: read_scoreonly_config: cannot open \"$filename\": $!"); > 1053: return; > 1054: } I'm not sure about this one, haven't seen it myself... Fix the next one and see if it persists... > > After starting I get the following errors: > > Ignore errors about failing to find EOCD signature > /usr/local/bin/clamscan: unrecognized option `--unarj' > ERROR: Unknown option passed. > ERROR: Can't parse the command line This error is due to you uncommenting (in /usr/lib/MailScanner/clamav-wrapper) one of the lines: # Uncomment ONE of the following lines if you have unarj installed #ExtraScanOptions="$ExtraScanOptions --unarj" #ExtraScanOptions="$ExtraScanOptions --unarj=/path/to/unarj" But the thing is, with modern clamscan versions at least, that option has been renamed (snippet from clamscan --help): ...
--unrar[=FULLPATH] Enable support for .rar files --arj[=FULLPATH] Enable support for .arj files --unzoo[=FULLPATH] Enable support for .zoo files ... So you should change it accordingly. > And I think when he tries to process some mail, that he can't I get the following message: > > format error: can't find EOCD signature > at /usr/local/sbin/mailscanner line 832 The "Cannot find EOCD" errors should be possible to safely ignore... As the comments tell you, when starting the debug;-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Tue Mar 27 11:39:18 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Mar 27 10:46:52 2007 Subject: Mailscanner and opensuse In-Reply-To: <4608D3D5.1080304@delodder.be> References: <4608D17E.2040703@haigmail.com> <4608D3D5.1080304@delodder.be> Message-ID: <223f97700703270239s6383cb9cv913174dcb4fbbc4f@mail.gmail.com> On 27/03/07, Philippe Delodder wrote: > Lance Haig wrote: > > Hi Paul, > > > > No that is the best way to install Mailscanner. > > > > Also don't use the installed spamassassin and clamav. Use Julian's > > install script for them. > > > > Regards > > > > Lance > > > > Paul Hutchings wrote: > >> I don't know if there are better solutions, but I'm testing on an > >> Opensuse 10.2 box right now and all I did was download the files > >> directly from the Mailscanner website and run the install script. > >> > >> It appears the install script builds RPMs for you. > >> > >> It seems to have done everything (unless anyone can suggest > >> otherwise?). > >> > >> cheers, > >> Paul > >> -- > >> Paul Hutchings > >> Network Administrator, MIRA Ltd. > >> Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 > >> mailto:paul.hutchings@mira.co.uk > >> > >> -----Original Message-----
> >> From: mailscanner-bounces@lists.mailscanner.info > >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > >> Philippe Delodder > >> Sent: 27 March 2007 08:42 > >> To: MailScanner discussion > >> Subject: Mailscanner and opensuse > >> > >> Hi, > >> > >> How can I install mailscanner on opensuse is there a repository for it ? > >> > >> Philippe Delodder > >> > > > Where can I find that script you're referring to? > In the tar-ball. Just download, unpack, cd into directory; ./install.sh It'll build&install the needed dependencies. Same goes for the Clam+SA package (which contain the Mail::Clamav perl module ...), but since Jules has been out, look through the archives where you can find one updated for the latest ClamAV. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From daniel at danielf.ch Tue Mar 27 12:28:47 2007
From: daniel at danielf.ch (Daniel Fuhrer) Date: Tue Mar 27 11:36:33 2007 Subject: AW: Mails not processed In-Reply-To: <223f97700703270234i37c70060sfb2a27b9a163e817@mail.gmail.com> References: <96EF3FB3C374A64187CCB0D0DA716F2446A9@idefix.danielf.local><4603D144.6030508@coders.co.uk><96EF3FB3C374A64187CCB0D0DA716F2446AB@idefix.danielf.local><96EF3FB3C374A64187CCB0D0DA716F2446AC@idefix.danielf.local><96EF3FB3C374A64187CCB0D0DA716F2446AE@idefix.danielf.local> <223f97700703270234i37c70060sfb2a27b9a163e817@mail.gmail.com> Message-ID: <96EF3FB3C374A64187CCB0D0DA716F2446AF@idefix.danielf.local> Hi Glen Thanks for the quick response. So I changed all the options in clamav-wrapper so these errors are fixed. But now is there a new Message: Quantifier follows nothing in regex; marked by <-- HERE in m/* <-- HERE / at /usr/local/lib/MailScanner/MailScanner/SweepOther.pm line 489. And the main problem still exists. Some mails are not processed. I still get a bunch of this EOCD signature failures. In the logfile is the following entry, for each mail that mailscanner can't scan: SpamAssassin cache hit for message Best Regards, Daniel -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Glenn Steen Sent: Tuesday, 27 March 2007 11:34 To: Mailscanner Subject: Re: Mails not processed On 27/03/07, Daniel Fuhrer wrote: > Hi all > So I found some errors that seem to be related to my problem, that mailscanner doesn't process some mails. > > When I start mailscanner I get the following error for each child process: > > Use of uninitialized value in concatenation (.) or string at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1050.
> > Around that line 1050 is the code: > > 1047: sub read_scoreonly_config { > 1048: my ($self, $filename) = @_; > 1049: > 1050: if (!open(IN,"<$filename")) { > 1051: # the file may not exist; this should not be verbose > 1052: dbg("config: read_scoreonly_config: cannot open \"$filename\": $!"); > 1053: return; > 1054: } I'm not sure about this one, haven't seen it myself... Fix the next one and see if it persists... > > After starting I get the following errors: > > Ignore errors about failing to find EOCD signature > /usr/local/bin/clamscan: unrecognized option `--unarj' > ERROR: Unknown option passed. > ERROR: Can't parse the command line This error is due to you uncommenting (in /usr/lib/MailScanner/clamav-wrapper) one of the lines: # Uncomment ONE of the following lines if you have unarj installed #ExtraScanOptions="$ExtraScanOptions --unarj" #ExtraScanOptions="$ExtraScanOptions --unarj=/path/to/unarj" But the thing is, with modern clamscan versions at least, that option has been renamed (snippet from clamscan --help): ... --unrar[=FULLPATH] Enable support for .rar files --arj[=FULLPATH] Enable support for .arj files --unzoo[=FULLPATH] Enable support for .zoo files ... So you should change it accordingly. > And I think when he tries to process some mail, that he can't I get the following message: > > format error: can't find EOCD signature > at /usr/local/sbin/mailscanner line 832 The "Cannot find EOCD" errors should be possible to safely ignore... As the comments tell you, when starting the debug;-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Tue Mar 27 13:30:44 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Mar 27 12:38:17 2007 Subject: Mails not processed In-Reply-To: <96EF3FB3C374A64187CCB0D0DA716F2446AF@idefix.danielf.local> References: <96EF3FB3C374A64187CCB0D0DA716F2446A9@idefix.danielf.local> <4603D144.6030508@coders.co.uk> <96EF3FB3C374A64187CCB0D0DA716F2446AB@idefix.danielf.local> <96EF3FB3C374A64187CCB0D0DA716F2446AC@idefix.danielf.local> <96EF3FB3C374A64187CCB0D0DA716F2446AE@idefix.danielf.local> <223f97700703270234i37c70060sfb2a27b9a163e817@mail.gmail.com> <96EF3FB3C374A64187CCB0D0DA716F2446AF@idefix.danielf.local> Message-ID: <223f97700703270430i7a3dd994n21e2a71c0b94e5bd@mail.gmail.com> On 27/03/07, Daniel Fuhrer wrote: > Hi Glen > > Thanks for the quick response. > So I changed all the options in clamav-wrapper so these errors are fixed. > But now is there a new Message: > > Quantifier follows nothing in regex; marked by <-- HERE in m/* <-- HERE / at /usr/local/lib/MailScanner/MailScanner/SweepOther.pm line 489. > > And the main problem still exists. Some mails are not processed. I still get a bunch of this EOCD signature failures. > In the logfile is the following entry, for each mail that mailscanner can't scan: > SpamAssassin cache hit for message > I might be wrong, but... this actually might indicate a problem with (one of) your Filetype Rules files. Check them over with a fine comb... Make sure that all fields are separated by characters, that you don't have strange end of line characters (ie not edited under windoze), or that you've missed to fill in something meaningful in every field (even if it's just a dash). You can check whether I'm on the right track here by simply disabling the filetype checks... clear out the setting for the file command File Command = #/usr/bin/file and restart MailScanner... If I'm right, the error you see should go away. If it does, either consider not using that, or grab a new copy of the filetype.rules.conf and start over:-).
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From alex at nkpanama.com Tue Mar 27 14:14:01 2007 From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Tue Mar 27 13:22:30 2007 Subject: Mailscanner and opensuse In-Reply-To: <223f97700703270239s6383cb9cv913174dcb4fbbc4f@mail.gmail.com> References: <4608D17E.2040703@haigmail.com> <4608D3D5.1080304@delodder.be> <223f97700703270239s6383cb9cv913174dcb4fbbc4f@mail.gmail.com> Message-ID: <46090A89.6010208@nkpanama.com> Glenn Steen wrote: > Same goes for the Clam+SA package (which contain the Mail::Clamav perl > module ...), but since Jules has been out, look through the archives > where you can find one updated for the latest ClamAV. You can find it at http://jfworks.net/files/install-Clam-0.90.1-SA-3.1.8.tar.gz for downloading, in the meantime. From bob.jones at usg.edu Tue Mar 27 14:26:54 2007
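
[Added example, not part of the original thread and not MailScanner's own code.] The Filetype Rules checks suggested in the "Mails not processed" thread above (field separators, Windows line endings, a meaningful value in every field) can be run mechanically before restarting the scanner. The sketch assumes four TAB-separated fields per rule (action, regex, log text, user text), assumes allow, deny and deny+delete are the valid actions, and uses Python's regex compiler as a stand-in for Perl's; `lint_rules` and the sample rules are constructed for illustration.

```python
import re

# Assumed rule format: action<TAB>regex<TAB>log text<TAB>user text,
# where "-" stands for "no text". The action names are an assumption too.
ACTIONS = {"allow", "deny", "deny+delete"}


def lint_rules(text):
    """Return (line_number, problem) tuples for the text of a rules file."""
    problems = []
    # Split on "\n" only, so a stray "\r" left by a Windows editor stays visible.
    for number, raw in enumerate(text.split("\n"), start=1):
        if "\r" in raw:
            problems.append((number, "carriage return in line (Windows line ending)"))
        line = raw.replace("\r", "").rstrip()
        if not line or line.lstrip().startswith("#"):
            continue  # blank line or comment

        fields = re.split(r"\t+", line)
        if len(fields) != 4:
            hint = "" if "\t" in line else " (spaces instead of tabs?)"
            problems.append(
                (number, f"expected 4 tab-separated fields, found {len(fields)}{hint}")
            )
            continue

        action, pattern, log_text, user_text = fields
        if action.lower() not in ACTIONS:
            problems.append((number, f"unknown action {action!r}"))
        if not log_text.strip() or not user_text.strip():
            problems.append((number, "blank text field, use '-' instead"))
        try:
            # Python's engine stands in for Perl's; it rejects the same
            # "quantifier follows nothing" class of pattern.
            re.compile(pattern)
        except re.error as exc:
            problems.append((number, f"regex {pattern!r} does not compile: {exc}"))
    return problems


# Constructed sample, not taken from any real site's configuration.
SAMPLE_RULES = (
    "# constructed sample rules\n"
    "allow\ttext\t-\t-\n"
    "deny\texecutable\tNo executables\tNo programs allowed\n"
    "allow * - -\n"                        # spaces where tabs are expected
    "deny\t*\tBad pattern\tBad pattern\n"  # quantifier with nothing before it
    "deny\tMS-DOS executable\tNo DOS programs\tNo programs allowed\r\n"
    "block\tscript\t-\t-\n"                # action that is not recognised
)

if __name__ == "__main__":
    for number, problem in lint_rules(SAMPLE_RULES):
        print(f"line {number}: {problem}")
```

A rule file that passes this check can still contain a pattern Perl treats differently from Python, so a foreground debug run remains the final test.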
From: bob.jones at usg.edu (Bob Jones) Date: Tue Mar 27 13:34:31 2007 Subject: Perl Path In-Reply-To: <062a5b5d15dbf61e9d43e977b28d1240@62.49.223.244> References: <062a5b5d15dbf61e9d43e977b28d1240@62.49.223.244> Message-ID: <46090D8E.2010808@usg.edu> Thus spake --[ UxBoD ]--, with impeccable timing on 3/21/2007 4:37 AM: > Hi, > > I have just built a new server based on RHES4 and have built all the > executables from source ie. perl, mysql, apache, php etc etc ... > > When I built MailScanner I used the source and ran install.sh > --perl=/usr/local/smartmail/bin/perl which installed all the modules > fine. Though one thing I have noticed is that in the top of all the > MailScanner code the perl path still points to /usr/bin/perl. I > wondered why it wasn't working correctly ;) > > Is it worth changing the install script so that if the --perl option > is used then the perl binary path in all scripts is changed as well ? > > Thoughts? I brought this up quite a while back (over a year ago I think) and no one really seemed to see an issue. I'm in the situation where I can't just replace /usr/bin/perl with a symlink as I have things that depend on the OS provided perl that is there so I have to point to the different perl I install with. What I end up doing is running a script that will go through each of the directories under /opt/Mailscanner and change any reference to /usr/bin/perl to the correct perl after every upgrade. A pain, I know, but what can you do if people don't see the problem. What has yet to be explained to me properly is if you are forced to use /usr/bin/perl to run Mailscanner, then why offer the option of specifying the perl path in the install script. Just have it check that /usr/bin/perl is there and if not bomb out. Don't pretend like you allow the user to specify the perl path and then really don't. Bob From paul.hutchings at mira.co.uk Tue Mar 27 14:38:34 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Tue Mar 27 13:46:06 2007 Subject: Spamassassin and ClamAV - Where From? Message-ID: I now appear to have a working Mailscanner system that does what I want (other than a little ruleset tweaking). I've seen/heard talk of installing Spamassassin and ClamAV from the installer off the MailScanner site. My question is why? There are rpm's for both for OpenSuse (using 10.2) and being a newbie it makes life easier for me, so is there a specific reason or is it a bit of a "in the past X happened" issue? cheers, Paul -- Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk From martinh at solidstatelogic.com Tue Mar 27 14:47:38 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Tue Mar 27 13:55:16 2007 Subject: Spamassassin and ClamAV - Where From? In-Reply-To: Message-ID: <72e7a04cca5be749b7ca59e3ced8656a@solidstatelogic.com> Paul Just making things a little easier for folk. Personally I CPAN Spamassassin and source build ClamAV. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Paul Hutchings > Sent: 27 March 2007 13:39 > To: MailScanner discussion > Subject: Spamassassin and ClamAV - Where From? > > I now appear to have a working Mailscanner system that does what I want > (other than a little rulset tweaking). > > I've seen/heard talk of installing Spamassassin and ClamAV from the > installer off the MailScanner site. > > My question is why? > > There are rpm's for both for OpenSuse (using 10.2) and being a newbie it > makes life easier for me, so is there a specific reason or is it a bit > of a "in the past X happened" issue? > > cheers, > Paul > -- > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website!
From steve.freegard at fsl.com Tue Mar 27 14:54:33 2007 From: steve.freegard at fsl.com (Steve Freegard) Date: Tue Mar 27 14:02:11 2007 Subject: Spamassassin and ClamAV - Where From? In-Reply-To: References: Message-ID: <46091409.70801@fsl.com> Hi Paul, Paul Hutchings wrote: > I now appear to have a working Mailscanner system that does what I want > (other than a little rulset tweaking). > > I've seen/heard talk of installing Spamassassin and ClamAV from the > installer off the MailScanner site. > > My question is why? > > There are rpm's for both for OpenSuse (using 10.2) and being a newbie it > makes life easier for me, so is there a specific reason or is it a bit > of a "in the past X happened" issue? It's because most RPMs supplied by the OS are already out-of-date by the time the OS actually ships. The installer from the MailScanner web site simply grabs all the necessary packages and build the RPMs from source and installs and configures them for you. Kind regards, Steve. -- Steve Freegard Development Director Fort Systems Ltd. UK Office From paul.hutchings at mira.co.uk Tue Mar 27 15:03:03 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Tue Mar 27 14:10:35 2007 Subject: Spamassassin and ClamAV - Where From? Message-ID: Thanks, that makes sense. I wasn't clear if it was that, or because some distro's maybe use odd/incompatible options as the defaults. If the MailScanner SA/Clam tarball compiles and builds RPMs anyway (i.e. easy for me to handle) I guess there is little reason not to use it. cheers, Paul -- Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve Freegard Sent: 27 March 2007 13:55 To: MailScanner discussion Subject: Re: Spamassassin and ClamAV - Where From? Hi Paul, Paul Hutchings wrote: > I now appear to have a working Mailscanner system that does what I want > (other than a little rulset tweaking). > > I've seen/heard talk of installing Spamassassin and ClamAV from the > installer off the MailScanner site. > > My question is why? > > There are rpm's for both for OpenSuse (using 10.2) and being a newbie it > makes life easier for me, so is there a specific reason or is it a bit > of a "in the past X happened" issue? It's because most RPMs supplied by the OS are already out-of-date by the time the OS actually ships. The installer from the MailScanner web site simply grabs all the necessary packages and build the RPMs from source and installs and configures them for you. Kind regards, Steve. -- Steve Freegard Development Director Fort Systems Ltd. UK Office From steve.swaney at fsl.com Tue Mar 27 15:03:19 2007
From: steve.swaney at fsl.com (Stephen Swaney) Date: Tue Mar 27 14:10:44 2007 Subject: Spamassassin and ClamAV - Where From? In-Reply-To: References: Message-ID: <02a801c77070$4b190f10$e14b2d30$@swaney@fsl.com> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Paul Hutchings > Sent: Tuesday, March 27, 2007 8:39 AM > To: MailScanner discussion > Subject: Spamassassin and ClamAV - Where From? > > I now appear to have a working Mailscanner system that does what I want > (other than a little ruleset tweaking). > > I've seen/heard talk of installing Spamassassin and ClamAV from the > installer off the MailScanner site. > > My question is why? > > There are rpm's for both for OpenSuse (using 10.2) and being a newbie > it > makes life easier for me, so is there a specific reason or is it a bit > of a "in the past X happened" issue? > > cheers, > Paul Paul, A lot of the problems with supplied SA and ClamAV rpms were related to the fact that Red Hat ships old versions of SpamAssassin with the Operating systems. I don't know what version is supplied with the SuSE rpms so I really can't comment on that. I can tell you that Julian's ClamAV and SpamAssassin packages are very complete, typically updated more quickly than SuSE or Red Hat's rpms and also supply additional Perl modules that are useful to SpamAssassin and ClamAV. I (almost) always install from rpms but I make an exception for Julian's packages because they are actually better than the rpms :) Steve Steve Swaney steve@fsl.com From arturs at netvision.net.il Tue Mar 27 15:55:35 2007
From: arturs at netvision.net.il (Arthur Sherman) Date: Tue Mar 27 15:04:58 2007 Subject: Changing the Batch size value In-Reply-To: <42aaaa1a21b65846be8f7245bb89a8c7@solidstatelogic.com> Message-ID: <01c801c77077$98232e10$3701a8c0@lapxp> > Depends > > As long as you're keeping up with the message flow... > > Normal advice is 5 children per CPU core and start at 30 for the batch > and tune the batch size up down and see how things go. > > Normally I get batches done in under 30 seconds...sometimes > as low as 3 > seconds... Sorry for delayed reply. I've changed the above values to recommended. Times are better but far from being ~3sec for a message, as per Glenn. Now, I have spam actions (both regular and high score) to 'delete forward spam@cpt.co.il'. Both the mailbox and localhost are whitelisted, nevertheless I see messages to them get scanned by MS:
--
Mar 27 09:41:14 ns1 sendmail[11382]: l2RDf4eb011382: from=<1-89386-katzir.com?gil@mx170.savvytechy.com>, size=4076, class=0, nrcpts=1, msgid=<1-89386-7EX3IJHVqXxomUA@mx170.savvytechy.com>, proto=SMTP, daemon=MTA, relay=mx170.savvytechy.com [72.11.142.170]
Mar 27 09:41:16 ns1 MailScanner[7978]: New Batch: Scanning 1 messages, 4718 bytes
Mar 27 09:41:16 ns1 MailScanner[7978]: Spam Checks: Starting
Mar 27 09:41:23 ns1 sendmail[11381]: l2RDfFi0011381: SYSERR(root): rewrite: excessive recursion (max 50), ruleset canonify
Mar 27 09:41:24 ns1 sendmail[11381]: l2RDfFi0011381: lost input channel from cow135.neoplus.adsl.tpnet.pl [83.31.202.135] to MTA after rcpt
Mar 27 09:41:24 ns1 sendmail[11381]: l2RDfFi0011381: from=, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=cow135.neoplus.adsl.tpnet.pl [83.31.202.135]
Mar 27 09:41:25 ns1 MailScanner[7978]: Message l2RDf4eb011382 from 72.11.142.170 (1-89386-katzir.com?gil@mx170.savvytechy.com) to katzir.com is spam, SpamAssassin (not cached, score=20.184, required 4.5, autolearn=spam, BAYES_99 3.00, DCC_CHECK 2.17, DIGEST_MULTIPLE 0.77, HTML_40_50 0.50, HTML_IMAGE_ONLY_20 1.16, HTML_MESSAGE 0.00, RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, URIBL_BLACK 3.00, URIBL_JP_SURBL 4.09, URIBL_OB_SURBL 3.01)
Mar 27 09:41:25 ns1 MailScanner[7978]: Spam Checks: Found 1 spam messages
Mar 27 09:41:25 ns1 MailScanner[7978]: Spam Actions: message l2RDf4eb011382 actions are forward,delete,spam@cpt.co.il
Mar 27 09:41:25 ns1 MailScanner[7978]: Spam Checks completed at 502 bytes per second
Mar 27 09:41:25 ns1 MailScanner[7978]: Virus and Content Scanning: Starting
Mar 27 09:41:26 ns1 MailScanner[7978]: Virus Scanning completed at 17129 bytes per second
Mar 27 09:41:26 ns1 MailScanner[7978]: Content Checks: Detected and have disarmed web bug tags in HTML message in l2RDf4eb011382 from 1-89386-katzir.com?gil@mx170.savvytechy.com
Mar 27 09:41:26 ns1 MailScanner[7978]: Uninfected: Delivered 1 messages
Mar 27 09:41:26 ns1 MailScanner[7978]: Virus Processing completed at 147065 bytes per second
Mar 27 09:41:26 ns1 MailScanner[7978]: Batch completed at 486 bytes per second (4718 / 9)
Mar 27 09:41:26 ns1 MailScanner[7978]: Batch (1 message) processed in 9.71 seconds
Mar 27 09:41:26 ns1 sendmail[11408]: l2RDf4eb011382: to=, delay=00:00:14, xdelay=00:00:00, mailer=local, pri=124076, dsn=2.0.0, stat=Sent
--
Why would it do this? Did I miss something? Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ From lodder at delodder.be Tue Mar 27 17:45:18 2007 From: lodder at delodder.be (Philippe Delodder) Date: Tue Mar 27 17:00:49 2007 Subject: Mailscanner 1 thread restarts after scanning mail Message-ID: <46093C0E.2050305@delodder.be> Hi, I just installed mailscanner on opensuse with the install script and I have just seen something odd: each time a mail comes in, Mailscanner scans it and then starts a new thread :s I'm using mailscanner, Version 4.58.9-1 for SuSE Opensuse 10.2 thx in advance lodder From rpoe at plattesheriff.org Tue Mar 27 17:54:10 2007
From: rpoe at plattesheriff.org (Rob Poe) Date: Tue Mar 27 17:03:07 2007 Subject: Skipping users In-Reply-To: <45ECD6F5.3010306@chapman.edu> References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com> <45ECD6F5.3010306@chapman.edu> Message-ID: <4608F7D5.65ED.00A2.0@plattesheriff.org> Why can't you use them? default -> weirduser@example.com > My question is this. How can I tell MailScanner to blindly accept any email destined for several addresses? Would I be better off doing this on the postfix level with a header check that tests positive on every address except his few? I use the SQL whitelist function of MailWatch, so I can't whitelist wildcards for his address. Is it possible to chain rule files & modules for the "is definitely not spam" option? > > Any suggestions would REALLY be appreciated. This is such a backward idea, I'm not even sure what I would call it. > > -- > Thomas Cameron > Phone: 1.603.669.8551 > tomc@bostonpost.com > > > I do this right now for abuse@ here. Simple enough to set up, just put it in spam.whitelist.rules. I'd also do it within your MTA because I'm twisted like that... --Jay From Kevin_Miller at ci.juneau.ak.us Tue Mar 27 18:56:26 2007
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Tue Mar 27 18:03:49 2007 Subject: Mailscanner and opensuse In-Reply-To: <4608D3D5.1080304@delodder.be> References: <4608D17E.2040703@haigmail.com> <4608D3D5.1080304@delodder.be> Message-ID: Philippe Delodder wrote: > Where can I find that script you're referring to? MailScanner: http://www.mailscanner.info/files/4/suse/MailScanner-4.58.9-1.suse.tar.gz ClamAV/SpamAssassin: http://www.mailscanner.info/files/4/install-Clam-0.88.7-SA-3.1.8.tar.gz ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From paul.hutchings at mira.co.uk Tue Mar 27 19:06:21 2007 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Tue Mar 27 18:13:53 2007 Subject: Exchange/Outlook Specific Settings? Message-ID: At the risk of setting myself up for a fall, after printing out the manual and working my way through MailScanner.Conf I now appear to have a working Postfix + MailScanner setup. For now it's sat on the LAN and is simply handling a few test messages. The intention is ultimately to have this configuration in our DMZ handling mail to/from our internal Exchange server. So, given the environment which is 99.9% Outlook sending through Exchange which smarthosts to the relay box, are there any suggested tweaks to MailScanner? I tend to do most of my attachment filtering via Postfix mime header checks and given how diverse our userbase is I have disabled "Dangerous Content Scanning" but will be doing virus and spam scanning on inbound mail (outbound will only be virus checked). cheers, Paul -- Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk From paul.hutchings at mira.co.uk Tue Mar 27 19:11:12 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Tue Mar 27 18:18:44 2007 Subject: Different Send/Receive Virus Notifications? Message-ID: On an inbound/outbound smtp relay box, is it possible to configure different virus notifications for outbound mail than for inbound mail? I ask because if a virus is detected in an inbound mail, I want the recipient to be notified (and the infected file discarded) and for the sender NOT to be notified. If by some chance something slips past the internal Antivirus and MailScanner detects a virus, I would prefer that the message were discarded, and our sender notified but NOT the recipient. I see you can use a Ruleset but AFAICT the only actions are yes/no the notification method seems to be global? cheers, Paul -- Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk From alex at nkpanama.com Tue Mar 27 19:20:17 2007
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Tue Mar 27 18:28:35 2007 Subject: Different Send/Receive Virus Notifications? In-Reply-To: References: Message-ID: <46095251.2000103@nkpanama.com> Paul Hutchings wrote: > On an inbound/outbound smtp relay box, is it possible to configure > different virus notifications for outbound mail than for inbound mail? > > I ask because if a virus is detected in an inbound mail, I want the > recipient to be notified (and the infected file discarded) and for the > sender NOT to be notified. > > I'm sure there are those who will agree that notifying users that a virus was sent to them from a faked address (AFAIK every virus since the late 20th century does this) is unneeded traffic. > If by some chance something slips past the internal Antivirus and > MailScanner detects a virus, I would prefer that the message were > discarded, and our sender notified but NOT the recipient. > > This also becomes a problem, since your original sender will be faked by the virus itself. The wrong people will most likely be notified, causing unnecessary false alarms. Virus notices, IMHO, are better silently discarded nowadays. > I see you can use a Ruleset but AFAICT the only actions are yes/no the > notification method seems to be global? > > cheers, > Paul > -- > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > From paul.hutchings at mira.co.uk Tue Mar 27 19:53:37 2007 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Tue Mar 27 19:01:11 2007 Subject: Different Send/Receive Virus Notifications? Message-ID: > -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Alex Neuman van der Hans > Sent: 27 March 2007 18:20 > To: MailScanner discussion > Subject: Re: Different Send/Receive Virus Notifications? > > Paul Hutchings wrote: > > On an inbound/outbound smtp relay box, is it possible to configure > > different virus notifications for outbound mail than for > inbound mail? > > > > I ask because if a virus is detected in an inbound mail, I want the > > recipient to be notified (and the infected file discarded) > and for the > > sender NOT to be notified. > > > > > I'm sure there are those who will agree that notifying users that a > virus was sent to them from a faked address (AFAIK every > virus since the > late 20th century does this) is unneeded traffic. I couldn't see a way to disable recipient notification completely, only to disable sender notification? My logic behind wanting to notify anyone on our network who MailScanner detected an outbound virus from is that: Our Firewall only allows outbound smtp from our Exchange server so it should be the only thing talking to the relay from our network. Our Exchange server only allows authenticated SMTP so in theory a worm/virus shouldn't be able to get it to accept and relay mail? Because of this it would have to be a MAPI virus sent via Outlook which would not allow the Sender "From" address to be faked. We have very well regarded A/V on the Exchange server so I would hope it's never going to happen to begin with :) Not sure if anyone here uses Exchange/Outlook but that was the thinking behind it. From hvdkooij at vanderkooij.org Tue Mar 27 19:59:02 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Tue Mar 27 19:06:39 2007 Subject: Spamassassin and ClamAV - Where From? In-Reply-To: <46091409.70801@fsl.com> References: <46091409.70801@fsl.com> Message-ID: On Tue, 27 Mar 2007, Steve Freegard wrote: > Paul Hutchings wrote: >> I now appear to have a working Mailscanner system that does what I want >> (other than a little ruleset tweaking). >> >> I've seen/heard talk of installing Spamassassin and ClamAV from the >> installer off the MailScanner site. >> >> My question is why? >> >> There are rpm's for both for OpenSuse (using 10.2) and being a newbie it >> makes life easier for me, so is there a specific reason or is it a bit >> of a "in the past X happened" issue? > > It's because most RPMs supplied by the OS are already out-of-date by the time > the OS actually ships. > > The installer from the MailScanner web site simply grabs all the necessary > packages and build the RPMs from source and installs and configures them for > you. So using an up-to-date repository is probably even better as it will keep ClamAV up-to-date where this install method does not. (It is just up-to-date at the point you install the other bits.) I run Centos 4.4 and use selective repositories and did not install anything from the installer. I rebuild mailscanner and took the remainder of the packages from the repositories. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From arturs at netvision.net.il Tue Mar 27 21:03:41 2007
From: arturs at netvision.net.il (Arthur Sherman) Date: Tue Mar 27 20:13:05 2007 Subject: Spamassassin and ClamAV - Where From? In-Reply-To: Message-ID: <01f901c770a2$a2a4a320$3701a8c0@lapxp> > So using an up-to-date repository is probably even better as > it will keep > ClamAV up-to-date where this install method does not. (It is just > up-to-date at the point you install the other bits.) > > I run Centos 4.4 > > Hugo. I use DAG repo for that. Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ From ssilva at sgvwater.com Tue Mar 27 22:03:50 2007
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Mar 27 21:11:42 2007 Subject: Mailscanner and opensuse In-Reply-To: References: Message-ID: Paul Hutchings spake the following on 3/27/2007 1:17 AM: > Could you expand on "Also don't use the installed spamassasin and > clamav. Use Julians install script for them." please? > > I'm reading the Mailscanner PDF manual now and it suggests to do that, > but does make it too clear why. Being very much a beginner, as you can > imagine, using RPMs does make life much easier for me, and from my (very > limited so far) testing spam and virus scanning seems to be working with > the default OpenSuse RPMs? > > Basically I'd like to keep things simple, and if I need to change that I > would like to know why so I can document the process etc. > Mailscanner looks for things to be in a certain place, and some distributions customize their rpm versions of things. You will also not usually have the latest versions of clamav and spamassassin, and they usually only perform at their peak if they are the latest versions. Rpm does simplify things, but having to download and install from only 2 tarballs every few months isn't that big of a deal. Mailscanner usually only comes out as stable every 2 months (although the developer has been sidelined due to illness), and spamassassin maybe a few times a year. Clamav will complain if it is one version back, and no one really knows how many versions it will go back before its functionality with newer signatures starts to fail. Using the latest will help with your spam and virus detections, sometimes quite a lot, and it is worth the small extra effort. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Tue Mar 27 22:06:28 2007
From: ssilva at sgvwater.com (Scott Silva) Date: Tue Mar 27 21:17:48 2007 Subject: Spamassassin and ClamAV - Where From? In-Reply-To: References: Message-ID: Paul Hutchings spake the following on 3/27/2007 6:03 AM: > Thanks, that makes sense. > > I wasn't clear if it was that, or because some distro's maybe use > odd/incompatible options as the defaults. > > If the MailScanner SA/Clam tarball compiles and builds RPMs anyway (i.e. > easy for me to handle) I guess there is little reason not to use it. > > cheers, > Paul > -- > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve > Freegard > Sent: 27 March 2007 13:55 > To: MailScanner discussion > Subject: Re: Spamassassin and ClamAV - Where From? > > Hi Paul, > > Paul Hutchings wrote: >> I now appear to have a working Mailscanner system that does what I > want >> (other than a little rulset tweaking). >> >> I've seen/heard talk of installing Spamassassin and ClamAV from the >> installer off the MailScanner site. >> >> My question is why? >> >> There are rpm's for both for OpenSuse (using 10.2) and being a newbie > it >> makes life easier for me, so is there a specific reason or is it a bit >> of a "in the past X happened" issue? > > It's because most RPMs supplied by the OS are already out-of-date by the > > time the OS actually ships. > > The installer from the MailScanner web site simply grabs all the > necessary packages and build the RPMs from source and installs and > configures them for you. > I don't think the spamassassin-clamav tarball builds rpms, but I have been known to be wrong (at least once ;-P ) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From alex at nkpanama.com Tue Mar 27 22:20:18 2007 
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Tue Mar 27 21:28:31 2007 Subject: Spamassassin and ClamAV - Where From? In-Reply-To: References: <46091409.70801@fsl.com> Message-ID: <46097C82.4040404@nkpanama.com> Hugo van der Kooij wrote: > On Tue, 27 Mar 2007, Steve Freegard wrote: > > > So using an up-to-date repository is probably even better as it will > keep ClamAV up-to-date where this install method does not. (It is just > up-to-date at the point you install the other bits.) > > I run Centos 4.4 and use selective repositories and did not install > anything from the installer. I rebuild mailscanner and took the > remainder of the packages from the repositories. > > Hugo. > That's almost always true, but clamav-0.90 did have *some* problems breaking stuff - and people using nightly yum updates and such had to deal with that. True, it's only happened once that I know of, but it's important to know the pros and cons. From alex at nkpanama.com Tue Mar 27 22:20:54 2007
From: alex at nkpanama.com (Alex Neuman van der Hans) Date: Tue Mar 27 21:29:06 2007 Subject: Different Send/Receive Virus Notifications? In-Reply-To: References: Message-ID: <46097CA6.6030401@nkpanama.com> Paul Hutchings wrote: > Our Firewall only allows outbound smtp from our Exchange server so it > should be the only thing talking to the relay from our network. > Our Exchange server only allows authenticated SMTP so in theory a > worm/virus shouldn't be able to get it to accept and relay mail? > Because of this it would have to be a MAPI virus sent via Outlook which > would not allow the Sender "From" address to be faked. > We have very well regarded A/V on the Exchange server so I would hope > it's never going to happen to begin with :) > > Not sure if anyone here uses Exchange/Outlook but that was the thinking > behind it. > IIRC, Exchange would allow messages that are both ("to your domain" **and** "apparently from your domain") without authentication since it thinks it's the owner of that domain. That being said, a "virus"/worm/whatever could fake the from as someone else from your domain, and send something "to" someone at your domain, leading you on a wild goose chase. I'm not sure many MAPI viruses are still out in the wild, but I don't suppose it would be difficult for such viruses to fake the from, even MAPI-wise (although IANAP). Example: Alice's machine sends a message "from bob@yourdomain.com" and "to charlie@yourdomain.com". You spend some time looking at Bob's PC while Alice keeps spewing out stuff unknowingly. From hvdkooij at vanderkooij.org Tue Mar 27 22:44:00 2007 
From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Tue Mar 27 21:51:42 2007 Subject: Spamassassin and ClamAV - Where From? In-Reply-To: <46097C82.4040404@nkpanama.com> References: <46091409.70801@fsl.com> <46097C82.4040404@nkpanama.com> Message-ID: On Tue, 27 Mar 2007, Alex Neuman van der Hans wrote: > Hugo van der Kooij wrote: >> On Tue, 27 Mar 2007, Steve Freegard wrote: >> >> >> So using an up-to-date repository is probably even better as it will keep >> ClamAV up-to-date where this install method does not. (It is just >> up-to-date at the point you install the other bits.) >> >> I run Centos 4.4 and use selective repositories and did not install >> anything from the installer. I rebuild mailscanner and took the remainder >> of the packages from the repositories. >> > That's almost always true, but clamav-0.90 did have *some* problems breaking > stuff - and people using nightly yum updates and such had to deal with that. > True, it's only happened once that I know of, but it's important to know the > pros and cons. To get that fact straight it should be noted that the commandline version of clamav never wavered. And much as I use yum to keep things up-to-date. I do not run it automagically nor do I intend to do so anywhere. Hugo. -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ This message is using 100% recycled electrons. Some men see computers as they are and say "Windows" I use computers with Linux and say "Why Windows?" (Thanks JFK, for the insight.) From jan-peter at koopmann.eu Tue Mar 27 23:41:01 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Tue Mar 27 22:46:49 2007 Subject: Exchange/Outlook Specific Settings? In-Reply-To: References: Message-ID: On Tuesday, March 27, 2007 7:06 PM Paul Hutchings wrote: > So, given the environment which is 99.9% Outlook sending through > Exchange which smarthosts to the relay box, are there any suggested > tweaks to MailScanner? Configure Exchange to reject mails for unknown recipients (possible in Exchange 2003 upwards) and teach postfix to "ask" the exchange server, if an RCPT TO is valid before accepting mail for it. Not sure how this is done in Postfix since I do it with exim but I am sure postfix has some way to do this. > I tend to do most of my attachment filtering via Postfix mime header > checks and given how diverse our userbase is I have disabled Why? I might be wrong but consider an EXE file renamed in EX_ and put into a zip archive. You might want to allow zips but disallow executables. Can this be done by a "simple" mime header check? It can be done with MailScanner. Kind regards Jan-Peter Koopmann From arturs at netvision.net.il Tue Mar 27 23:37:45 2007 From: arturs at netvision.net.il (Arthur Sherman) Date: Tue Mar 27 22:47:09 2007 Subject: Spamassassin and ClamAV - Where From? In-Reply-To: Message-ID: <020a01c770b8$283517d0$3701a8c0@lapxp> > And much as I use yum to keep things up-to-date. I do not run it > automagically nor do I intend to do so anywhere. Absolutely agree. Maximum, I would set it to check-update and send me report. Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ From jan-peter at koopmann.eu Tue Mar 27 23:49:14 2007
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter) Date: Tue Mar 27 22:55:05 2007 Subject: Different Send/Receive Virus Notifications? In-Reply-To: <46097CA6.6030401@nkpanama.com> References: <46097CA6.6030401@nkpanama.com> Message-ID: On Tuesday, March 27, 2007 10:21 PM Alex Neuman van der Hans wrote: > IIRC, Exchange would allow messages that are both ("to your domain" > **and** "apparently from your domain") without authentication since > it thinks it's the owner of that domain. Incorrect. You can setup Exchange to accept SMTP traffic to your domains but require SMTP auth for all mails that do not go to your domains. > Example: > > Alice's machine sends a message "from bob@yourdomain.com" and "to > charlie@yourdomain.com". You spend some time looking at Bob's PC > while Alice keeps spewing out stuff unknowingly. Agreed: If you try to deliver mail to recipients in your own domain Exchange will in normal setups not require SMTP auth. Yet on the other hand that is not a typical scenario. If a PC is infected it will typically try to deliver mails to everyone in your address book and/or other recipients received from botnets. These would not make it through Exchange if you setup SMTP auth. And what is the problem if your example really happens? MailScanner will try to deliver mails to nonexisting people on your Exchange. Correctly setup exchange will simply reject these at RCPT TO time and that's it. No real harm done. And you can have a look at the Exchange logs and spot the IP of the spamming machine right away. Kind regards, JP From alex at nkpanama.com Wed Mar 28 01:06:07 2007
From: alex at nkpanama.com (Alex Neuman)
Date: Wed Mar 28 00:13:51 2007
Subject: Different Send/Receive Virus Notifications?
In-Reply-To:
References: <46097CA6.6030401@nkpanama.com>
Message-ID: <33594.200.46.52.39.1175036767.squirrel@nkpanama.com>

> On Tuesday, March 27, 2007 10:21 PM Alex Neuman van der Hans wrote:
>
>
> Incorrect. You can set up Exchange to accept SMTP traffic to your domains
> but require SMTP auth for all mail that does not go to your domains.

Thanks for pointing that out.

>
> Agreed: If you try to deliver mail to recipients in your own domain
> Exchange will in normal setups not require SMTP auth. Yet on the other
> hand that is not a typical scenario. If a PC is infected it will typically
> try to deliver mails to everyone in your address book and/or other
> recipients received from botnets. These would not make it through Exchange
> if you set up SMTP auth.

Good to know.

>
> And what is the problem if your example really happens? MailScanner will
> try to deliver mails to nonexistent people on your Exchange. A correctly
> set up Exchange will simply reject these at RCPT TO time and that's it. No
> real harm done. And you can have a look at the Exchange logs and spot the
> IP of the spamming machine right away.

What I wouldn't like about doing something like that (besides the extra bandwidth used by the notices and by the users asking questions about notices they don't necessarily understand) is the fact that it's twice the work; once to set up the notifications to the users who, in any case, won't know what to do most of the time (perhaps a compromise would be to set up notifications to postmaster instead), and once more to explain to the users what the situation is.

Perhaps a solution involving notifying the administrators so they can take necessary measures would be a better use of their time, IMHO.

>
> Kind regards,
> JP
>

--

From stork at openenterprise.ca Wed Mar 28 01:43:18 2007
From: stork at openenterprise.ca (Johnny Stork) Date: Wed Mar 28 00:51:05 2007 Subject: Bounced Mail - DNS Problems? In-Reply-To: References: <460699FF.6000005@openenterprise.ca> Message-ID: <4609AC16.1010305@openenterprise.ca> Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: stork.vcf Type: text/x-vcard Size: 330 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070327/aa0eae5f/stork-0001.vcf From painethom at gmail.com Wed Mar 28 02:26:17 2007 From: painethom at gmail.com (Thom Paine) Date: Wed Mar 28 01:33:52 2007 Subject: Help: waiting for children to die: Process did not exit cleanly In-Reply-To: <5721CE352874114C9AD537E34C447392078084@lons124012.eu.rabonet.com> References: <5721CE352874114C9AD537E34C447392078076@lons124012.eu.rabonet.com> <2b06d98b13e53846acf78124caf1ce64@solidstatelogic.com> <5721CE352874114C9AD537E34C447392078077@lons124012.eu.rabonet.com> <223f97700701230350y5046ba59u52c7b2f54fd1f9f7@mail.gmail.com> <5721CE352874114C9AD537E34C44739207807D@lons124012.eu.rabonet.com> <223f97700701230503j7ff5524dsa01e029caa42c48b@mail.gmail.com> <5721CE352874114C9AD537E34C447392078084@lons124012.eu.rabonet.com> Message-ID: <9e1340d20703271726g23812ad8k65007481a798eb44@mail.gmail.com> I'm just getting this error on my RHEL3 U8 server but I can't seem to reinstall the cpan filesystem::df. Anyone have suggestions on what I can do to get mail flowing again? Thanks. -- -=/>Thom From painethom at gmail.com Wed Mar 28 05:54:58 2007 
From: painethom at gmail.com (Thom Paine) Date: Wed Mar 28 05:02:34 2007 Subject: Waiting for children to die error Message-ID: <9e1340d20703272054i3232076ese580d9176a488968@mail.gmail.com> I just ran some updates on my RHEL3 box, and now my mail has stopped moving. I've turned on debugging and I'm getting this error. /usr/bin/perl: relocation error: /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/auto/DBD/SQLite/SQLite.so: undefined symbol: dbd_st_finish I searched, but I can't seem to figure out how to fix it. I found another post from Jan23 about the child die error, but that didn't fix mine. Anyone know how to resolve this? Thanks. -- -=/>Thom From mikechoo at opensos.net Wed Mar 28 07:25:26 2007 
From: mikechoo at opensos.net (Michael Choo)
Date: Wed Mar 28 06:33:22 2007
Subject: Skipping users
In-Reply-To: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com>
References: <4DEBDDAFBB23C04BA17EFE3914442113014A9935@exchange.bostonpost.com>
Message-ID: <98BAC797-C206-4B3F-9DCF-6BDE0982BC7F@opensos.net>

On 06 Mar 2007, at 10:24 AM, Thomas A. Cameron wrote:

> Having said all of that, I have a user that believes he doesn't
> need SPAM protection. He believes he can handle the problem better
> than any tool. If I had a way to do it, I wouldn't block
> connections with an RBL either, just to show him what he's in for.
> But, that's not something I really want to get into.
>
> My question is this. How can I tell MailScanner to blindly accept
> any email destined for several addresses? Would I be better off
> doing this on the postfix level with a header check that tests
> positive on every address except his few? I use the SQL whitelist
> function of MailWatch, so I can't whitelist wildcards for his
> address. Is it possible to chain rule files & modules for the "is
> definitely not spam" option?

I believe this is the portion you require...

# The purpose of this option is to set it to be a ruleset, so that you
# can skip all scanning of mail destined for some of your users/customers
# and still scan all the rest.
# A sample ruleset would look like this:
#   To:       bad.customer.com  no
#   From:     ignore.domain.com no
#   FromOrTo: default           yes
# That will scan all mail except mail to bad.customer.com and mail from
# ignore.domain.com. To set this up, put the 3 lines above into a file
# called /etc/MailScanner/rules/scan.messages.rules and set the next line to
# Scan Messages = %rules-dir%/scan.messages.rules
# This can also be the filename of a ruleset (as illustrated above).
Scan Messages = yes

--
Michael Choo
ACTC, APP 2006

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070328/e7909492/attachment.html

From martinh at solidstatelogic.com Wed Mar 28 10:15:28 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Wed Mar 28 09:23:53 2007
Subject: Exchange/Outlook Specific Settings?
In-Reply-To:
Message-ID:

Paul

You'd be surprised how many times the "dangerous content" scanning has stopped .exes etc getting through, that 3-4 hours later start getting marked as malware ridden.... Normally we seem to be at the forefront of any outbreak (I guess we're just lucky!), this has saved my bacon many times in the last year.

Yes I too have a diverse user base, with developers spread over many sites and test code going out to customers/suppliers all the time. But the small amount of time it takes for me to release valid stuff is more than covered by the time we save with viruses NOT getting on the user's machine using this setting. YMMV of course - but you know that, you work for MIRA ;-)

I've got a similar environment to yours (no MS-Exch, but similar) and do things the same way, with the MTA doing valid address look ups which drops well over 50% of traffic to start with. In fact here's some scary stats from one day last week!

Total Incoming: 17,000
Of these.
Unknown recipient: 9,000
Rejected due to delay/syntax errors: 3,000
Deleted due to spam: 4,000
Valid: 1,000

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Paul Hutchings > Sent: 27 March 2007 18:06 > To: MailScanner discussion > Subject: Exchange/Outlook Specific Settings? > > At the risk of setting myself up for a fall, after printing out the > manual and working my way through MailScanner.Conf I now appear to have > a working Postfix + MailsScanner setup. > > For now it's sat on the LAN and is simply handling a few test messages. > > The intention is ultimately to have this configuration in our DMZ > handling mail to/from our internal Exchange server. > > So, given the environment which is 99.9% Outlook sending through > Exchange which smarthosts to the relay box, are there any suggested > tweaks to MailScanner? > > I tend to do most of my attachment filtering via Postfix mime header > checks and given how diverse our userbase is I have disabled "Dangerous > Content Scanning" but will be doing virus and spam scanning on inbound > mail (outbound will only be virus checked). > > cheers, > Paul > -- > Paul Hutchings > Network Administrator, MIRA Ltd. > Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 > mailto:paul.hutchings@mira.co.uk > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! ********************************************************************** Confidentiality : This e-mail and any attachments are intended for the addressee only and may be confidential. If they come to you in error you must take no action based on them, nor must you copy or show them to anyone. Please advise the sender by replying to this e-mail immediately and then delete the original from your computer. 
Opinion : Any opinions expressed in this e-mail are entirely those of the author and unless specifically stated to the contrary, are not necessarily those of the author's employer. Security Warning : Internet e-mail is not necessarily a secure communications medium and can be subject to data corruption. We advise that you consider this fact when e-mailing us. Viruses : We have taken steps to ensure that this e-mail and any attachments are free from known viruses but in keeping with good computing practice, you should ensure that they are virus free. Red Lion 49 Ltd T/A Solid State Logic Registered as a limited company in England and Wales (Company No:5362730) Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, United Kingdom ********************************************************************** From martinh at solidstatelogic.com Wed Mar 28 10:23:57 2007 From: martinh at solidstatelogic.com (Martin.Hepworth) Date: Wed Mar 28 09:31:37 2007 Subject: Waiting for children to die error In-Reply-To: <9e1340d20703272054i3232076ese580d9176a488968@mail.gmail.com> Message-ID: Thom Looks like the RH updates broke the SQLLite Perl module. In the MailScanner tar.gz installer there's an RPM for just the SQLLite, reinstall this. I'd also check all the other required modules to make sure RH didn't 'update' those. EL3 is quite old and they don't update to latest versions, just back port a few fixes etc..so doing RH RPM updates can break lots of things... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 > -----Original Message----- 
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Thom Paine > Sent: 28 March 2007 04:55 > To: MailScanner discussion > Subject: Waiting for children to die error > > I just ran some updates on my RHEL3 box, and now my mail has stopped > moving. > > I've turned on debugging and I'm getting this error. > > /usr/bin/perl: relocation error: > /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread- > multi/auto/DBD/SQLite/SQLite.so: > undefined symbol: dbd_st_finish > > I searched, but I can't seem to figure out how to fix it. I found > another post from Jan23 about the child die error, but that didn't fix > mine. > > Anyone know how to resolve this? > > Thanks. > > -- > -=/>Thom
From glenn.steen at gmail.com Wed Mar 28 11:30:32 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Mar 28 10:38:10 2007 Subject: Alternative to /etc/mail/spamassassin/local.cf In-Reply-To: <46074A4E.9060102@katy.com> References: <46056E75.9040604@katy.com> <46066824.3000607@katy.com> <223f97700703250649t40304fe7k9acbadb751cb4c8a@mail.gmail.com> <46074A4E.9060102@katy.com> Message-ID: <223f97700703280230q8180c8eyf16fe79a0c0b9b13@mail.gmail.com> On 26/03/07, John Schmerold wrote: > What is the "def_whitelist..." things > grep -ri def_whitelist /etc/* & > http://google.com/search?q=def_whitelist+site%3Amailscanner.info > yielded no joy > They are (part of) the SpamAssassin "whitelist" functions ... The "default" ones add a smaller negative score (something like -7.5 by default, IIRC)... A good way of keeping "spammy-looking-non-spam-senders" in the clear, so to speak. documentation can be found in: man Mail::SpamAssassin::Conf or perldoc Mail::SpamAssassin::Conf for the def_whitelist_from_rcvd entry, and man Mail::SpamAssassin::Plugin::SPF or perldoc Mail::SpamAssassin::Plugin::SPF for the def_whitelist_spf. I'm sure there are appropriate and informative and just purely kosher dokumentation over at the spamassassin site, but I'm too lazy to dig them up for you:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From arturs at netvision.net.il Wed Mar 28 12:07:19 2007
From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Mar 28 11:19:01 2007 Subject: Waiting for children to die error In-Reply-To: <9e1340d20703272054i3232076ese580d9176a488968@mail.gmail.com> Message-ID: <024201c77120$df3d09c0$3701a8c0@lapxp> > I just ran some updates on my RHEL3 box, and now my mail has > stopped moving. > > I've turned on debugging and I'm getting this error. > > /usr/bin/perl: relocation error: > /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi/auto/ > DBD/SQLite/SQLite.so: > undefined symbol: dbd_st_finish Try to reinstall the module with CPAN if you already made this mistake. If nothing helps, you'd wipe MANUALLY all files belonging to the module, and try to install it from rpm. Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ From arturs at netvision.net.il Wed Mar 28 12:07:19 2007 From: arturs at netvision.net.il (Arthur Sherman) Date: Wed Mar 28 11:19:02 2007 Subject: Bounced Mail - DNS Problems? In-Reply-To: <4609AC16.1010305@openenterprise.ca> Message-ID: <024301c77120$df599270$3701a8c0@lapxp> sendmail.mc is the right place. as for the setting not becoming active, probably there were sendmail processes active. Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ _____ 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Johnny Stork
Sent: Wednesday, March 28, 2007 1:43 AM
To: MailScanner discussion
Subject: Re: Bounced Mail - DNS Problems?

Since the standard sendmail is not running, where do I put

LOCAL_DOMAIN(`smtp.johnnystork.ca')dnl

in /etc/mail/sendmail.mc and rebuild sendmail.cf?

Or somewhere else? Putting it in /etc/mail/sendmail.mc, rebuilding and restarting the MailScanner service did not appear to make any difference

Res wrote:

On Sun, 25 Mar 2007, Johnny Stork wrote:

ALL outgoing mail appears to come from smtp.johnnystork.ca? Most messages

LOCAL_DOMAIN(`smtp.johnnystork.ca')dnl

btw: How/why does the hostname and internal ip of the laptop sending the message also show up? (johnny-lt.johnnystork.ca)

Not being a windows weenie I can't be sure but sounds like computer_name + domain_name on laptop.

(reason: 554 : Client host rejected: rDNS/DNS validation failed. Please setup matching DNS and rDNS records:

This guy is more anal than me...(and I didn't think that's possible) He will be blocking hundreds of thousands of hosted domains worldwide. Enforce forward looking and enforce PTR, BUT there should never ever be any full double match checking for reasons just mentioned, it's his problem, not yours. His mailer is completely broken.. He is trying to read an earlier irrelevant received line. The only one he should be concerned with is the connecting one, in your case: (certain data munged deliberately)

Received: from gateway.johnnystork.xxx (sputnik.xxxx.ca [207.xxx.xxx.xx])

Nowhere in THAT line does it reflect an internal address. If you gave real world DNS to gateway.xx.xx I'd maybe think ok its very far remotely possible, but you haven't.
-- Johnny Stork Open Enterprise Solutions "Empowering Business With Open Solutions" http://www.openenterprise.ca Photography and Multimedia http://www.dreamscapemedia.ca Open Source News http://www.opensourcenews.ca -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070328/36e7fd48/attachment.html From paul.hutchings at mira.co.uk Wed Mar 28 13:50:23 2007 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Wed Mar 28 12:58:08 2007 Subject: Exchange/Outlook Specific Settings? Message-ID: Martin, I've been reading the manual on the dangerous content checking and it does look useful, though I would probably want to disable the phishing/tag type of checks. I guess I'm trying to understand how MailScanner recognizes file types to block vs. Postfix? Paul -- Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk
From john at netdirect.ca Wed Mar 28 14:23:55 2007
From: john at netdirect.ca (John Van Ostrand) Date: Wed Mar 28 13:31:48 2007 Subject: Bounced Mail - DNS Problems? In-Reply-To: <4609AC16.1010305@openenterprise.ca> References: <460699FF.6000005@openenterprise.ca> <4609AC16.1010305@openenterprise.ca> Message-ID: <1175084635.10825.55.camel@venture.office.netdirect.ca> On Tue, 2007-03-27 at 16:43 -0700, Johnny Stork wrote: > Since the standard sendmail is not running, where do I put > > > LOCAL_DOMAIN(`smtp.johnnystork.ca')dnl > > > in /etc/mail/sendmail.mc and rebuild sendmail.cf? > > Or somewhere else? Putting it in /etc/mail/sendmail.mc, rebuilding and > restarting the MailScanner service did not appear to make any > difference It should go into /etc/mail/submit.mc, then rebuild submit.cf (usually just make -C /etc/mail). -- John Van Ostrand Net Direct Inc. CTO, co-CEO 564 Weber St. N. Unit 12 Waterloo, ON N2L 5C6 map john@netdirect.ca Ph: 519-883-1172 ext.5102 Linux Solutions / IBM Hardware Fx: 519-883-8533 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20070328/11cbd97b/attachment.bin From painethom at gmail.com Wed Mar 28 14:44:38 2007 From: painethom at gmail.com (Thom Paine) Date: Wed Mar 28 13:52:16 2007 Subject: Waiting for children to die error In-Reply-To: <024201c77120$df3d09c0$3701a8c0@lapxp> References: <9e1340d20703272054i3232076ese580d9176a488968@mail.gmail.com> <024201c77120$df3d09c0$3701a8c0@lapxp> Message-ID: <9e1340d20703280544t46f4e752i3ac582bb7169ee75@mail.gmail.com> > Try to reinstall the module with CPAN if you already made this mistake. > If nothing helps, you'd wipe MANUALLY all files belonging to the module, and > try to install it from rpm. What is the command to install the module from cpan? Thanks. -- -=/>Thom From glenn.steen at gmail.com Wed Mar 28 15:15:44 2007 
From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Mar 28 14:23:23 2007 Subject: Exchange/Outlook Specific Settings? In-Reply-To: References: Message-ID: <223f97700703280615m1209180dx8a0d71d6a8ecb2d7@mail.gmail.com> On 28/03/07, Paul Hutchings wrote: > Martin, > > I've been reading the manual on the dangerous content checking and it > does look useful, though I would probably want to disable the > phishing/tag type of checks. > > I guess I'm trying to understand how MailScanner recognizes file types > to block vs. Postfix? > > Paul Postfix - on-the-fly, meaning it can't be as thorough as MailScanner. MailScanner - full decoding/unpacking of the message and possibly any contained archive, meaning it can do a thorough job of filename, filetype, virus and spam scanning (and then some:-). HtH -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Wed Mar 28 15:18:07 2007 From: glenn.steen at gmail.com (Glenn Steen) Date: Wed Mar 28 14:25:45 2007 Subject: Waiting for children to die error In-Reply-To: <9e1340d20703280544t46f4e752i3ac582bb7169ee75@mail.gmail.com> References: <9e1340d20703272054i3232076ese580d9176a488968@mail.gmail.com> <024201c77120$df3d09c0$3701a8c0@lapxp> <9e1340d20703280544t46f4e752i3ac582bb7169ee75@mail.gmail.com> Message-ID: <223f97700703280618h38ad0ea5pc06febf94c659203@mail.gmail.com> On 28/03/07, Thom Paine wrote: > > Try to reinstall the module with CPAN if you already made this mistake. > > If nothing helps, you'd wipe MANUALLY all files belonging to the module, and > > try to install it from rpm. > > What is the command to install the module from cpan? > > Thanks. cpan> force install DBD::SQLite should do it. -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From arturs at netvision.net.il Wed Mar 28 15:28:04 2007 
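Added example, not part of the thread and not MailScanner's or Postfix's own code: the difference discussed in the "Exchange/Outlook Specific Settings?" messages, where a check limited to MIME part headers sees only a zip file name, while unpacking the archive and looking at member content finds the executable renamed to EX_. The message, file names, blocked-extension list and size limits are constructed assumptions.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Constructed sample content: NOT a real program, only the two-byte "MZ"
# magic that DOS/Windows executables start with, followed by padding.
FAKE_EXE = b"MZ" + b"\x00" * 62

BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed policy
MAX_DEPTH = 3                        # assumed limit on nested archives
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumed limit per unpacked member


def build_sample_message():
    """Constructed mail carrying report.zip, which contains setup.ex_."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample\n")
        zf.writestr("setup.ex_", FAKE_EXE)
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed test message"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="report.zip")
    return msg.as_bytes()


def header_only_findings(raw):
    """What a check on MIME part headers alone can decide: attachment names."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if name and name.lower().endswith(BLOCKED_EXTENSIONS):
            findings.append(f"{name}: blocked filename in MIME header")
    return findings


def sniff_type(data):
    """Classify content by its leading magic bytes, ignoring the file name."""
    if data[:2] == b"MZ":
        return "dos-windows-executable"
    if data[:4] == b"\x7fELF":
        return "elf-executable"
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip-archive"
    return "unknown"


def scan_archive(data, label, depth=0):
    """Unpack a zip in memory and check every member by name and by content."""
    if depth >= MAX_DEPTH:
        return [f"{label}: archive nesting deeper than {MAX_DEPTH}"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{label}: not a readable zip"]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{label}/{info.filename}"
            if info.flag_bits & 0x1:  # encrypted: content cannot be inspected
                findings.append(f"{path}: encrypted member, cannot inspect")
                continue
            with zf.open(info) as fh:
                body = fh.read(MAX_MEMBER_BYTES + 1)
            if len(body) > MAX_MEMBER_BYTES:
                findings.append(f"{path}: member too large to inspect")
                continue
            if info.filename.lower().endswith(BLOCKED_EXTENSIONS):
                findings.append(f"{path}: blocked filename")
            kind = sniff_type(body)
            if kind.endswith("executable"):
                findings.append(f"{path}: content is {kind}")
            elif kind == "zip-archive":
                findings.extend(scan_archive(body, path, depth + 1))
    return findings


def unpacking_findings(raw):
    """Decode each MIME part fully, then inspect content and any archive."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed part)"
        kind = sniff_type(payload)
        if kind.endswith("executable"):
            findings.append(f"{name}: content is {kind}")
        elif kind == "zip-archive":
            findings.extend(scan_archive(payload, name))
    return findings


if __name__ == "__main__":
    raw = build_sample_message()
    print("header-only check:", header_only_findings(raw))
    print("after unpacking:  ", unpacking_findings(raw))
```

Encrypted or oversized members are reported rather than silently passed, since a scanner that cannot look inside an archive has to make an explicit policy decision about it.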
From: arturs at netvision.net.il (Arthur Sherman)
Date: Wed Mar 28 14:37:32 2007
Subject: Waiting for children to die error
In-Reply-To: <9e1340d20703280544t46f4e752i3ac582bb7169ee75@mail.gmail.com>
Message-ID: <026801c7713c$ea603ae0$3701a8c0@lapxp>

> What is the command to install the module from cpan?

#perl -MCPAN -e shell
Cpan>install Module::Name

Or

Cpan>i /part of modulename/
/* this gives you info on module. Useful if you don't know exact name */

Or

Cpan>help

The latter will explain it all :)

My 2p.

Best,
--
Arthur Sherman

+972-52-4878851
http://www.cpt.co.il/

From painethom at gmail.com Wed Mar 28 15:32:25 2007
From: painethom at gmail.com (Thom Paine)
Date: Wed Mar 28 14:40:03 2007
Subject: Waiting for children to die error
In-Reply-To: <026801c7713c$ea603ae0$3701a8c0@lapxp>
References: <9e1340d20703280544t46f4e752i3ac582bb7169ee75@mail.gmail.com> <026801c7713c$ea603ae0$3701a8c0@lapxp>
Message-ID: <9e1340d20703280632u50f5ecc0r44b6e534ba65d5c4@mail.gmail.com>

Thanks, mail is working again.

On 3/28/07, Arthur Sherman wrote:
> > What is the command to install the module from cpan?
>
> #perl -MCPAN -e shell
> Cpan>install Module::Name
>
> Or
>
> Cpan>i /part of modulename/
> /* this gives you info on module. Useful if you don't know exact name */
>
> Or
>
> Cpan>help
>
> The latter will explain it all :)
>
> My 2p.
>
>
> Best,
>
> --
> Arthur Sherman
>
> +972-52-4878851
> http://www.cpt.co.il/
>

--
-=/>Thom

From shuttlebox at gmail.com Wed Mar 28 15:50:06 2007
From: shuttlebox at gmail.com (shuttlebox) Date: Wed Mar 28 14:57:45 2007 Subject: Perl Path In-Reply-To: <46090D8E.2010808@usg.edu> References: <062a5b5d15dbf61e9d43e977b28d1240@62.49.223.244> <46090D8E.2010808@usg.edu> Message-ID: <625385e30703280650i2c895195n77fd2ab021cde894@mail.gmail.com> On 3/27/07, Bob Jones wrote: > I brought this up quite a while back (over a year ago I think) and no > one really seemed to see an issue. I'm in the situation where I can't > just replace /usr/bin/perl with a symlink as I have things that depend > on the OS provided perl that is there so I have to point to the > different perl I install with. What I end up doing is running a script > that will go through each of the directories under /opt/Mailscanner and > change any reference to /usr/bin/perl to the correct perl after every > upgrade. A pain, I know, but what can you do if people don't see the > problem. Maybe you could post your script to the list as something Julian could integrate into the install script? Help him out a little. > What has yet to be explained to me properly is if you are forced to use > /usr/bin/perl to run Mailscanner, then why offer the option of > specifying the perl path in the install script. Just have it check that > /usr/bin/perl is there and if not bomb out. Don't pretend like you > allow the user to specify the perl path and then really don't. Luckily for me in Solaris /usr/bin/perl is already a symlink and the system uses hard coded paths to the perl binary for its own needs so I can replace the symlink without breaking anything. I would like it fixed too though. -- /peter From hansklose at gmx.de Wed Mar 28 16:49:58 2007 
From: hansklose at gmx.de (Hans Klose)
Date: Wed Mar 28 15:57:35 2007
Subject: problem with umlauts in signature
Message-ID: <20070328144958.229210@gmx.net>

Hi

I have a problem with German umlauts like "?" in the signatures of mails. My locale settings are de_DE.UTF-8

What can I do to fix my problem? Sometimes they are ok and sometimes they are not. It seems to depend on the client who sends the mail but I'm not sure.

Who knows the answer?

Thanks!

From paul.hutchings at mira.co.uk Wed Mar 28 18:53:26 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Wed Mar 28 18:01:03 2007
Subject: Spamassassin and ClamAV - Where From?
Message-ID:

Just to confirm it doesn't appear to build RPMs. I tried it on the box I've been testing MailScanner on and it looks like it just does a make/make install.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
Sent: 27 March 2007 21:06
To: mailscanner@lists.mailscanner.info
Subject: Re: Spamassassin and ClamAV - Where From?

Paul Hutchings spake the following on 3/27/2007 6:03 AM:
> Thanks, that makes sense.
>
> I wasn't clear if it was that, or because some distros maybe use
> odd/incompatible options as the defaults.
>
> If the MailScanner SA/Clam tarball compiles and builds RPMs anyway (i.e.
> easy for me to handle) I guess there is little reason not to use it.
>
> cheers,
> Paul
> --
> Paul Hutchings
> Network Administrator, MIRA Ltd.
> Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
> mailto:paul.hutchings@mira.co.uk
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Steve > Freegard > Sent: 27 March 2007 13:55 > To: MailScanner discussion > Subject: Re: Spamassassin and ClamAV - Where From? > > Hi Paul, > > Paul Hutchings wrote: >> I now appear to have a working Mailscanner system that does what I > want >> (other than a little rulset tweaking). >> >> I've seen/heard talk of installing Spamassassin and ClamAV from the >> installer off the MailScanner site. >> >> My question is why? >> >> There are rpm's for both for OpenSuse (using 10.2) and being a newbie > it >> makes life easier for me, so is there a specific reason or is it a bit >> of a "in the past X happened" issue? > > It's because most RPMs supplied by the OS are already out-of-date by the > > time the OS actually ships. > > The installer from the MailScanner web site simply grabs all the > necessary packages and build the RPMs from source and installs and > configures them for you. > I don't think the spamassassin-clamav tarball builds rpms, but I have been known to be wrong (at least once ;-P ) -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From rolands at solcraft.lv Wed Mar 28 19:43:35 2007 
From: rolands at solcraft.lv (Rolands Mekss)
Date: Wed Mar 28 18:51:29 2007
Subject: Mail conditional filtering and archiving
Message-ID: <460AA947.2050009@solcraft.lv>

Hi

I need to block outgoing messages to specific domain for reviewing. So for example user sends mail to ripper@evilhacker.org, it needs to be caught, put somewhere for later inspection and if needed released as it is done with quarantine. I'm new to mailscanner, so first idea that I have is to create ruleset and apply it to "Archive Mail" directive so these mails are stored somewhere. Also I could use "Reject Message" with similar ruleset (though I'll have to manually synchronize them).

But I have no idea how to allow a reviewer to "release" messages that are "safe". "Archive Mail" stores messages in some format, but how to "release" them or forward if they are believed to be OK.

Will appreciate any help. Corrections are welcome if I am wrong at my ideas. Thanks!

From tmartins at gmail.com Wed Mar 28 20:05:21 2007
From: tmartins at gmail.com (Thiago Martins)
Date: Wed Mar 28 19:12:59 2007
Subject: Mail conditional filtering and archiving
In-Reply-To: <460AA947.2050009@solcraft.lv>
References: <460AA947.2050009@solcraft.lv>
Message-ID:

You can use the "Is Definitely Spam" setting in MailScanner.conf.

The option will be something like this:
Is Definitely Spam = %rules-dir%/spam.blacklist.rules

Edit that file and insert this:
To: ripper@evilhacker.org yes

All messages addressed to that mail will be flagged as SPAM and will be put in quarantine if you have defined that High score spam will be quarantined.

You can review them and release if you want to.

I hope this helps.

On 3/28/07, Rolands Mekss wrote:
> Hi
>
> I need to block outgoing messages to specific domain for reviewing. So
> for example user sends mail to ripper@evilhacker.org, it needs to be
> caught, put somewhere for later inspection and if needed released as it
> is done with quarantine. I'm new to mailscanner, so first idea that I
> have is to create ruleset and apply it to "Archive Mail" directive so
> these mails are stored somewhere. Also I could use "Reject Message" with
> similar ruleset (though I'll have to manually synchronize them).
> But I have no idea how to allow a reviewer to "release" messages
> that are "safe". "Archive Mail" stores messages in some format, but how
> to "release" them or forward if they are believed to be OK.
>
> Will appreciate any help. Corrections are welcome if I am wrong at my
> ideas. Thanks!

From rolands at solcraft.lv Wed Mar 28 20:12:03 2007
From: rolands at solcraft.lv (Rolands Mekss)
Date: Wed Mar 28 19:19:59 2007
Subject: Mail conditional filtering and archiving
In-Reply-To:
References: <460AA947.2050009@solcraft.lv>
Message-ID: <460AAFF3.9090708@solcraft.lv>

Ok, sounds good. But can I somehow inform by email this person who is responsible for mail reviewing about this event?

Thiago Martins wrote:
> You can use the "Is Definitely Spam" setting in MailScanner.conf.
>
> The option will be something like this:
> Is Definitely Spam = %rules-dir%/spam.blacklist.rules
>
> Edit that file and insert this:
> To: ripper@evilhacker.org yes
>
> All messages addressed to that mail will be flagged as SPAM and will
> be put in quarantine if you have defined that High score spam will be
> quarantined.
>
> You can review them and release if you want to.
>
> I hope this helps.
>
> On 3/28/07, Rolands Mekss wrote:
>> Hi
>>
>> I need to block outgoing messages to specific domain for reviewing. So
>> for example user sends mail to ripper@evilhacker.org, it needs to be
>> caught, put somewhere for later inspection and if needed released as it
>> is done with quarantine. I'm new to mailscanner, so first idea that I
>> have is to create ruleset and apply it to "Archive Mail" directive so
>> these mails are stored somewhere. Also I could use "Reject Message" with
>> similar ruleset (though I'll have to manually synchronize them).
>> But I have no idea how to allow a reviewer to "release" messages
>> that are "safe". "Archive Mail" stores messages in some format, but how
>> to "release" them or forward if they are believed to be OK.
>>
>> Will appreciate any help. Corrections are welcome if I am wrong at my
>> ideas. Thanks!

From tmartins at gmail.com Wed Mar 28 20:45:31 2007
From: tmartins at gmail.com (Thiago Martins)
Date: Wed Mar 28 19:53:10 2007
Subject: Mail conditional filtering and archiving
In-Reply-To: <460AAFF3.9090708@solcraft.lv>
References: <460AA947.2050009@solcraft.lv> <460AAFF3.9090708@solcraft.lv>
Message-ID:

I don't know how to do this.

I use MailWatch (mailwatch.sourceforge.net) to manage the quarantine and I check it several times a day, so I don't need any alerts.

I know that this same tool (mailwatch) can mail reports about the quarantine. I never use it, but maybe this can help you.

[]'s

On 3/28/07, Rolands Mekss wrote:
> Ok, sounds good. But can I somehow inform by email this person who is
> responsible for mail reviewing about this event?
>
> Thiago Martins wrote:
> > You can use the "Is Definitely Spam" setting in MailScanner.conf.
> >
> > The option will be something like this:
> > Is Definitely Spam = %rules-dir%/spam.blacklist.rules
> >
> > Edit that file and insert this:
> > To: ripper@evilhacker.org yes
> >
> > All messages addressed to that mail will be flagged as SPAM and will
> > be put in quarantine if you have defined that High score spam will be
> > quarantined.
> >
> > You can review them and release if you want to.
> >
> > I hope this helps.
> >
> > On 3/28/07, Rolands Mekss wrote:
> >> Hi
> >>
> >> I need to block outgoing messages to specific domain for reviewing. So
> >> for example user sends mail to ripper@evilhacker.org, it needs to be
> >> caught, put somewhere for later inspection and if needed released as it
> >> is done with quarantine. I'm new to mailscanner, so first idea that I
> >> have is to create ruleset and apply it to "Archive Mail" directive so
> >> these mails are stored somewhere. Also I could use "Reject Message" with
> >> similar ruleset (though I'll have to manually synchronize them).
> >> But I have no idea how to allow a reviewer to "release" messages
> >> that are "safe". "Archive Mail" stores messages in some format, but how
> >> to "release" them or forward if they are believed to be OK.
> >>
> >> Will appreciate any help. Corrections are welcome if I am wrong at my
> >> ideas. Thanks!

--
[]'s
Thiago Martins
http://tmartins.blogsome.com

From res at ausics.net Thu Mar 29 03:22:12 2007
From: res at ausics.net (Res)
Date: Thu Mar 29 02:30:01 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <46075958.1000207@yeticomputers.com>
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com>
Message-ID:

On Mon, 26 Mar 2007, Rick Chadderdon wrote:

> You apparently missed the disclaimer I put in there explaining that I was
> referring to the indirect effect on *me* from the use of *Kevin's* bandwidth.
> It's easy enough to miss points I'm making the way I ramble, but still, it
> was in there. Again, for clarity: received spam is obviously a problem for
> the receiver's bandwidth. *Your* received spam is *not* obviously a problem
> for *my* bandwidth. And as such, I have little reason to enjoy your
> increased use of my resources to deflect some of the use of yours.

The fact remains you accept these risks if you run a public mail server, just like greylisting. I don't like it, I disagree with it, it causes more problems for me and my staff than what it's worth by others using it, however, I accept many do it, I'd rather the resources of my mail servers not be taken up with constant retries because of that crud, but it goes on, I live with it, you will have to live with it.

>> that's a rather irresponsible attitude.
>
> Note that I said, "as a consumer". Why do you think it's "irresponsible" for
> a consumer to fail to care about things that do not affect them in any
> perceivable way? The dollar per bit bandwidth costs of most consumers has

See below

>
> You have multi-gigabit bandwidth at home? Impressive, and... well, I don't

No, I look at it for my company's point of view, however, if a HOME USER wishes to have an exposed smtp server, then they must accept and expect the exact same risks as any national telco or corporation that does.

> idea what percentage of your total bandwidth is consumed by mail, what
> percentage by filesharing, web surfing, etc. Care to share? My mail flow
> consumes less than 10% of the total, even including spam, in case you want to
> compare.

p2p would be less than 40% ( QoS ensures these file sharing leeching warez pups don't take away bandwidth from genuine uses ). Mail servers about 15%, web 10%, ftp 20%, streaming about 5%, everything else about 10% (though big brother season 7 is about to start here in the next few weeks so streaming will likely skyrocket)

>
> As I said, the only bandwidth I waste is that of those who actually connect
> to *me*. You can feel free to blacklist, greylist or ignore anyone you want.

already covered above and earlier

>
> Case one: You initiate the behavior, I respond by consuming your resources.

That's ok, I think I can afford the couple hundred BYTES of conversation packets :) and if you run a 10mb link I doubt you'd even know it was happening if you never looked in your logs.

> Case two: A third party initiates the behavior. You respond by consuming
> *my* resources.
> I see a big difference. You, apparently, do not. Hence we're unlikely to
> ever agree.

We agree on that :)

>> Wrong, any carried out action to protect someone's network by ensuring the
>> inbound mail is from someone legitimate is a benefit to the receiver by
>> helping reduce the chances of it being spam and hence wasting more of
>> their resources.
>
> Exactly what I said... It is of benefit to you, the user of SAV, not to the

That's correct, just like those who use greylisting, it's of benefit to them, not me

>>
>> You've just contradicted yourself :)
>> you are in essence saying deal with it, by not wanting someone to run a
>> measure they think benefits them.
>
> No, I'm saying "don't run your measures against me when I'm not the one
> spamming." Don't try to force me to solve your problems when I'm not the one

same could be said about those using greylisting.

> and due to the way it was implemented there is no way that you can avoid its
> effects, or its drain on your time. You don't *want* to do this thing. Even

but it's no drain on time, your analogies are flawed, as it doesn't require anyone to sit in the server room and watch it happening, it's no worse than DNS lookups, greylisting, etc etc etc

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From res at ausics.net Thu Mar 29 03:24:09 2007
From: res at ausics.net (Res)
Date: Thu Mar 29 02:31:55 2007
Subject: IP address reputation, BorderWare
In-Reply-To: <46083AEF.8070100@fractalweb.com>
References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46083AEF.8070100@fractalweb.com>
Message-ID:

On Mon, 26 Mar 2007, Chris Yuzik wrote:

>
> After much analysis, I consider responding to incoming SAV lookups on our end
> to simply be part of the deal with hosting a domain, much as is responding to
> DNS queries about the domain, subdomains, etc. As host to a domain, I believe

exactly!

> it is my server's responsibility to answer queries regarding SAV, in an
> effort to defend a domain name's reputation including that of the company
> behind the domain name.

Just as it's your responsibility to respond to DNS queries else you won't have to worry much about SAV, or anything else for that matter :P

--
Cheers
Res

Let Novell know what you think of their back door deal with the devil.
Sign the petition today: http://techp.org/p/1/

From fabien.garziano at caliseo.com Thu Mar 29 10:05:30 2007
From: fabien.garziano at caliseo.com (Fabien GARZIANO)
Date: Thu Mar 29 09:13:35 2007
Subject: Exchange/Outlook Specific Settings?
Message-ID:

I also use Mailscanner on a box in my DMZ with postfix. I use MailScanner for content checking, and I'm very satisfied with it.

For rejecting unknown recipients, I've found a very, well hmmm..., not very smart, but it's working. Every time I change my user in the AD tree, I make a dump of the Email addresses with a vb script, generated in a file. I get it to my postfix/MailScanner box and will use it like my recipients file.

It's not a sophisticated way, but it's working. I can mail you the scripts if you need it Paul.

> From: Koopmann, Jan-Peter
> Sent: Tuesday 27 March 2007 23:41
> To: MailScanner discussion
> Subject: RE: Exchange/Outlook Specific Settings?
>
> Configure Exchange to reject mails for unknown recipients
> (possible in Exchange 2003 upwards) and teach postfix to
> "ask" the exchange server, if an RCPT TO is valid before
> accepting mail for it. Not sure how this is done in Postfix
> since I do it with exim but I am sure postfix has some way to do this.

From drew at technologytiger.net Thu Mar 29 11:25:55 2007
From: drew at technologytiger.net (Drew Marshall)
Date: Thu Mar 29 10:33:42 2007
Subject: Exchange/Outlook Specific Settings?
In-Reply-To: <223f97700703280615m1209180dx8a0d71d6a8ecb2d7@mail.gmail.com>
References: <223f97700703280615m1209180dx8a0d71d6a8ecb2d7@mail.gmail.com>
Message-ID: <52663.194.70.180.170.1175160355.squirrel@www.technologytiger.net>

On Wed, March 28, 2007 14:15, Glenn Steen wrote:
> On 28/03/07, Paul Hutchings wrote:
>> Martin,
>>
>> I've been reading the manual on the dangerous content checking and it
>> does look useful, though I would probably want to disable the
>> phishing/tag type of checks.
>>
>> I guess I'm trying to understand how MailScanner recognizes file types
>> to block vs. Postfix?
>>
>> Paul
> Postfix - on-the-fly, meaning it can't be as thorough as MailScanner.
> MailScanner - full decoding/unpacking of the message and possibly any
> contained archive, meaning it can do a thorough job of filename,
> filetype, virus and spam scanning (and then some:-).

You also have to remember that Postfix is checking MIME header for attachments that match your block list, e.g. *.exe, *.bat etc. Providing the sender has been kind enough to use a decent client, which has attached the attachment correctly, described it properly etc you will be fine. However if they have tried to disguise the file e.g. *.ex, *.exe.doc then Postfix will be quite happy and let it through.

MailScanner uses (If you have it set up and installed correctly) the file command to try to magically identify any file, no matter what the extension. It will also allow more sophisticated file name blocking too because it is scanning 'off line' as opposed to on the fly.

What I would suggest is to keep your Postfix MIME attachment block (But don't make the list too big or you will suffer speed issues. Postfix is a great MTA but not a wonderful filtering tool) so you get rejection at SMTP for obvious files saving you some CPU and then tailor the file name/type filtering in MailScanner to catch anything that slips through.

You might want to consider that if you reject MIME attachments at SMTP stage you then have no record of the file or mail. If MailScanner does it, you have the offending item(s) in quarantine so you can always get them back/release them if you need to.

The challenge is that you will never totally understand the impact until it happens. Sometimes learning the hard way should be reserved for theory books and someone else's experience! :-)

Regards

Drew

--
In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner.
Further information can be found at www.technologytiger.net/policy

Technology Tiger Limited is registered in Scotland with registration number: 310997
Registered Office 55-57 West High Street Inverurie AB51 3QQ

From sleclerc at actionweb.fr Thu Mar 29 11:25:50 2007
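The gap Drew Marshall describes above between a filename check at SMTP time and content-based identification, shown as an added example that is not part of the original post and is not Postfix or MailScanner code. The message, the blocked-name pattern and the small signature table (a stand-in for the `file` command's magic database) are all constructed for the illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Name rule in the spirit of an MTA header check: it sees only the declared
# filename. The pattern is a hypothetical block list (*.exe, *.bat).
BLOCKED_NAME = re.compile(r"\.(exe|bat)$", re.IGNORECASE)

# A few well-known leading byte signatures, checked against decoded content.
MAGIC = [
    (b"MZ", "dos-windows-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-archive"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-document"),
]
BLOCKED_TYPES = {"dos-windows-executable", "elf-executable"}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring any filename."""
    for signature, label in MAGIC:
        if data.startswith(signature):
            return label
    return "unknown"


def check_message(raw: bytes) -> list:
    """Return one verdict per attachment: name-based versus content-based."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""  # undo base64/QP encoding
        kind = sniff(data)
        verdicts.append({
            "filename": name,
            "detected": kind,
            "blocked_by_name": bool(BLOCKED_NAME.search(name)),
            "blocked_by_content": kind in BLOCKED_TYPES,
        })
    return verdicts


def build_sample() -> bytes:
    """Constructed test message: a renamed executable stub, an honestly
    named one, and a genuine OLE2 (.doc) header."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachments.")
    exe_stub = b"MZ\x90\x00" + b"\x00" * 60          # only the header bytes
    ole_stub = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56
    msg.add_attachment(exe_stub, maintype="application", subtype="msword",
                       filename="report.exe.doc")
    msg.add_attachment(exe_stub, maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(ole_stub, maintype="application", subtype="msword",
                       filename="minutes.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for verdict in check_message(build_sample()):
        print(verdict)
```

The renamed stub passes the name rule and is caught only by the content check; this sketch does not unpack archives.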
From: sleclerc at actionweb.fr (Stephane)
Date: Thu Mar 29 10:33:51 2007
Subject: URL-encoded filenames in reports
References: <87fy929ffm.fsf@hp-factory.de> <45DF2469.4090507@yeticomputers.com> <46003E0B.4080801@yeticomputers.com> <4602BDD7.4020208@yeticomputers.com>
Message-ID:

Rick Chadderdon yeticomputers.com> writes:
>
> Mailscanner has removed one or more files from this message. To
> retrieve these files, please click:
>
> http://quarantine.actionweb.fr/download.php?hostname=antispam2.actionweb.fr&date=20070317&id=1HSb00-0002U3-7R
>
> ---
>
> At which point your PHP script could display a list of URLS created from
> a listing of the files in the directory, which it should be able to
> determine from the URL mailscanner generated. In fact, this seems
> trivial enough that I will probably do this myself.
>
> Rick
>

I'll try this "backdoor" to solve the problem. ;-) Thanks.

But it will be better later to have a direct encoded variable. This will permit one step less for the end user and more security to retrieve files.

Stef...

From paul.hutchings at mira.co.uk Thu Mar 29 14:33:46 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Thu Mar 29 13:41:30 2007
Subject: Error message starting/restarting MailScanner?
Message-ID:

When I start/restart MailScanner I see the following:

relay:/var/spool/MailScanner/incoming # /etc/init.d/MailScanner restart
and MailScannerstfix
done
: No such file or directoryne 171: cd: /var/spool/MailScanner/incoming
Initializing outgoing postfix
done
Initializing MailScanner

If I look at line 171 in the startup script (the standard one the install.sh built) it says:

cd $MAILSCANNER_WORKDIR && ls | egrep '^[0123456789]+$' | xargs /bin/rm -rf 2>/dev/null

That directory exists (the variable is set to /var/spool/MailScanner/incoming) and MailScanner appears to be working so I'm not quite sure what the output is trying to tell me?

cheers,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
mailto:paul.hutchings@mira.co.uk

From drew at technologytiger.net Thu Mar 29 15:19:31 2007
From: drew at technologytiger.net (Drew Marshall)
Date: Thu Mar 29 14:27:23 2007
Subject: Error message starting/restarting MailScanner?
In-Reply-To:
References:
Message-ID: <55720.194.70.180.170.1175174371.squirrel@www.technologytiger.net>

On Thu, March 29, 2007 13:33, Paul Hutchings wrote:
> When I start/restart MailScanner I see the following:
>
> relay:/var/spool/MailScanner/incoming # /etc/init.d/MailScanner restart
> and MailScannerstfix
> done
> : No such file or directoryne 171: cd: /var/spool/MailScanner/incoming
> Initializing outgoing postfix
> done
> Initializing MailScanner
>
> If I look at line 171 in the startup script (the standard one the
> install.sh built) it says:
>
> cd $MAILSCANNER_WORKDIR && ls | egrep '^[0123456789]+$' | xargs /bin/rm
> -rf 2>/dev/null
>
> That directory exists (the variable is set to
> /var/spool/MailScanner/incoming) and MailScanner appears to be working
> so I'm not quite sure what the output is trying to tell me?

Are you running hashed queues? If so are they both the same depth either side of MailScanner?

Drew

From arturs at netvision.net.il Thu Mar 29 15:24:06 2007
From: arturs at netvision.net.il (Arthur Sherman)
Date: Thu Mar 29 14:33:44 2007
Subject: Spam Actions & High Scoring Spam Actions
Message-ID: <02f001c77205$86ca3430$3701a8c0@lapxp>

Howdy,

I set both Spam Actions & High Scoring Spam Actions to:
delete forward spam@cpt.co.il

Now I think: should I forward High Scoring Spam to the spamtrap or better just delete it?

Best,
--
Arthur Sherman
+972-52-4878851
http://www.cpt.co.il/

From paul.hutchings at mira.co.uk Thu Mar 29 15:30:45 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Thu Mar 29 14:38:26 2007
Subject: Error message starting/restarting MailScanner?
Message-ID:

I'm not sure entirely what you mean, but from a quick google /var/spoolpostfix/incoming is empty.

I'm running Postfix 2.3.3 on OpenSuse (the default rpm).

MailScanner does seem to be working and processing mail (this is just a test box).

ls -lh /var/spool/MailScanner/incoming

drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11431
drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11475
drwx------ 2 postfix postfix 4.0K Mar 29 14:09 11513
drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11547
drwx------ 2 postfix postfix 4.0K Mar 29 14:24 11581
-rw------- 1 postfix postfix 7.0K Mar 29 14:09 SpamAssassin.cache.db

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Drew Marshall
Sent: 29 March 2007 14:20
To: MailScanner discussion
Subject: Re: Error message starting/restarting MailScanner?

On Thu, March 29, 2007 13:33, Paul Hutchings wrote:
> When I start/restart MailScanner I see the following:
>
> relay:/var/spool/MailScanner/incoming # /etc/init.d/MailScanner restart
> and MailScannerstfix
> done
> : No such file or directoryne 171: cd: /var/spool/MailScanner/incoming
> Initializing outgoing postfix
> done
> Initializing MailScanner
>
> If I look at line 171 in the startup script (the standard one the
> install.sh built) it says:
>
> cd $MAILSCANNER_WORKDIR && ls | egrep '^[0123456789]+$' | xargs /bin/rm
> -rf 2>/dev/null
>
> That directory exists (the variable is set to
> /var/spool/MailScanner/incoming) and MailScanner appears to be working
> so I'm not quite sure what the output is trying to tell me?

Are you running hashed queues? If so are they both the same depth either side of MailScanner?

Drew

From glenn.steen at gmail.com Thu Mar 29 15:52:50 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Mar 29 15:00:33 2007
Subject: Mail conditional filtering and archiving
In-Reply-To:
References: <460AA947.2050009@solcraft.lv> <460AAFF3.9090708@solcraft.lv>
Message-ID: <223f97700703290652v595375f7g21b5ae230901cf6e@mail.gmail.com>

On 28/03/07, Thiago Martins wrote:
> I don't know how to do this.
>
> I use MailWatch (mailwatch.sourceforge.net) to manage the quarantine
> and I check it several times a day, so I don't need any alerts.
>
> I know that this same tool (mailwatch) can mail reports about the
> quarantine. I never use it, but maybe this can help you.
>
> []'s
>

Good advice, but I'd put the ruleset on "Non Spam Actions" instead. Just use store instead of deliver for the users/mails you want to review.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From stork at openenterprise.ca Thu Mar 29 15:59:44 2007
From: stork at openenterprise.ca (Johnny Stork)
Date: Thu Mar 29 15:07:42 2007
Subject: Bounced Mail - DNS Problems?
In-Reply-To: <1175084635.10825.55.camel@venture.office.netdirect.ca>
References: <460699FF.6000005@openenterprise.ca> <4609AC16.1010305@openenterprise.ca> <1175084635.10825.55.camel@venture.office.netdirect.ca>
Message-ID: <460BC650.7010508@openenterprise.ca>

Skipped content of type multipart/alternative

From john at netdirect.ca Thu Mar 29 16:08:43 2007
From: john at netdirect.ca (John Van Ostrand)
Date: Thu Mar 29 15:16:29 2007
Subject: Bounced Mail - DNS Problems?
In-Reply-To: <460BC650.7010508@openenterprise.ca>
References: <460699FF.6000005@openenterprise.ca> <4609AC16.1010305@openenterprise.ca> <1175084635.10825.55.camel@venture.office.netdirect.ca> <460BC650.7010508@openenterprise.ca>
Message-ID: <1175177323.10825.200.camel@venture.office.netdirect.ca>

On Thu, 2007-03-29 at 06:59 -0700, Johnny Stork wrote:
> Well I updated both now, submit.mc and sendmail.mc. shutdown
> sendmail, rebuilt with "make -C /etc/mail" then restarted
> sendmail...but the header still shows gateway.johnnystork.ca?
>
> Not sure what I am doing wrong here
>

Is it possible that your laptop is set up without a domain name in the email address field?

--
John Van Ostrand Net Direct Inc.
CTO, co-CEO 564 Weber St. N. Unit 12 Waterloo, ON N2L 5C6
john@netdirect.ca ph: 518-883-1172 x5102
Linux Solutions / IBM Hardware fx: 519-883-8533

From arturs at netvision.net.il Thu Mar 29 16:21:41 2007
From: arturs at netvision.net.il (Arthur Sherman)
Date: Thu Mar 29 15:31:15 2007
Subject: Content checks after a message was marked as SPAM
Message-ID: <030101c7720d$92026400$3701a8c0@lapxp>

I mentioned that even after spam checks marked a message as spam, MS continues with content checks.

I'd like to set MS so that if for any reason a message is considered spam, MS would stop processing it. That also means that if a message reached Spam Score, MS wouldn't check against further rulesets.

Is this possible?

I am sorry if this has been discussed before - if so, could someone point me to the right direction?

TIA

Best,
--
Arthur Sherman
+972-52-4878851
http://www.cpt.co.il/

From shuttlebox at gmail.com Thu Mar 29 16:36:17 2007
From: shuttlebox at gmail.com (shuttlebox)
Date: Thu Mar 29 15:44:01 2007
Subject: Content checks after a message was marked as SPAM
In-Reply-To: <030101c7720d$92026400$3701a8c0@lapxp>
References: <030101c7720d$92026400$3701a8c0@lapxp>
Message-ID: <625385e30703290736u2747e888vfecb9169748ddb49@mail.gmail.com>

On 3/29/07, Arthur Sherman wrote:
>
> I mentioned that even after spam checks marked a message as spam, MS
> continues with content checks.
>
> I'd like to set MS so that if for any reason a message is considered spam, MS
> would stop processing it.
> That also means that if a message reached Spam Score, MS wouldn't check
> against further rulesets.

If I remember correctly - if your (High Score) Spam Actions are deliver/forward it's checked but if it's store/delete it's not. So basically if you send the mail on, content and virus checks are done.

--
/peter

From dhawal at netmagicsolutions.com Thu Mar 29 17:04:27 2007
From: dhawal at netmagicsolutions.com (Dhawal Doshy)
Date: Thu Mar 29 16:12:28 2007
Subject: Content checks after a message was marked as SPAM
In-Reply-To: <030101c7720d$92026400$3701a8c0@lapxp>
References: <030101c7720d$92026400$3701a8c0@lapxp>
Message-ID: <460BD57B.2060208@netmagicsolutions.com>

Arthur Sherman wrote:
> I mentioned that even after spam checks marked a message as spam, MS
> continues with content checks.
>
> I'd like to set MS so that if for any reason a message is considered spam, MS
> would stop processing it.
> That also means that if a message reached Spam Score, MS wouldn't check
> against further rulesets.
>
> Is this possible?
>
> I am sorry if this has been discussed before - if so, could someone point me
> to the right direction?

This is not currently possible.. however with SA 3.2 just around the corner this would be very much possible with the 'short circuiting' feature.. 3.2.0-rc1 was released about a week back btw.

From drew at technologytiger.net Thu Mar 29 17:29:47 2007
From: drew at technologytiger.net (Drew Marshall)
Date: Thu Mar 29 16:37:33 2007
Subject: Error message starting/restarting MailScanner?
In-Reply-To:
References:
Message-ID: <15998286-880C-4EB5-8585-BAD0863B4C31@technologytiger.net>

On 29 Mar 2007, at 14:30, Paul Hutchings wrote:

> I'm not sure entirely what you mean, but from a quick google
> /var/spoolpostfix/incoming is empty.

No, that's me trying to be helpful and misreading your original mail :-( I misread that to be /var/spool/postfix/incoming not MailScanner/incoming

>
> I'm running Postfix 2.3.3 on OpenSuse (the default rpm).
>
> MailScanner does seem to be working and processing mail (this is
> just a test box).
>
> ls -lh /var/spool/MailScanner/incoming
>
> drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11431
> drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11475
> drwx------ 2 postfix postfix 4.0K Mar 29 14:09 11513
> drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11547
> drwx------ 2 postfix postfix 4.0K Mar 29 14:24 11581
> -rw------- 1 postfix postfix 7.0K Mar 29 14:09 SpamAssassin.cache.db

Looks fine. Does this happen every time you (re)start MailScanner? Does MailScanner make any other comment in the log file? Does it do it if you restart in debug mode?

Drew

From dhawal at netmagicsolutions.com Thu Mar 29 17:39:49 2007
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Thu Mar 29 16:47:44 2007 Subject: Error message starting/restarting MailScanner? In-Reply-To: References: Message-ID: <460BDDC5.1070509@netmagicsolutions.com> Paul Hutchings wrote: > I'm not sure entirely what you mean, but from a quick google > /var/spoolpostfix/incoming is empty. > > I'm running Postfix 2.3.3 on OpenSuse (the default rpm). > > MailScanner does seem to be working and processing mail (this is just a > test box). > > ls -lh /var/spool/MailScanner/incoming > > drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11431 > drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11475 > drwx------ 2 postfix postfix 4.0K Mar 29 14:09 11513 > drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11547 > drwx------ 2 postfix postfix 4.0K Mar 29 14:24 11581 > -rw------- 1 postfix postfix 7.0K Mar 29 14:09 SpamAssassin.cache.db ^^^^^^^^^^^^^^^^^^^^^ This file is not supposed to exist here, rather move it /var/spool/MailScanner/SpamAssassin.cache.db using the "SpamAssassin Cache Database File" configuration option in MailScanner.conf From paul.hutchings at mira.co.uk Thu Mar 29 17:43:35 2007 From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Thu Mar 29 16:51:17 2007 Subject: Error message starting/restarting MailScanner? Message-ID: OK it seems to be linked to running "/etc/init.d/MailScanner stop" rather than start. If I look at line 171 and simply run it manually - cd /var/spool/MailScanner/incoming && ls | egrep '^[0123456789]+$' | xargs /bin/rm -rf 2>/dev/null That command runs without any problem. I'm not convinced it's a problem so far as having a bad effect, I'm simply not sure why on earth it might be doing it? cheers, Paul -- Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Drew Marshall Sent: 29 March 2007 16:30 To: MailScanner discussion Subject: Re: Error message starting/restarting MailScanner? On 29 Mar 2007, at 14:30, Paul Hutchings wrote: > I'm not sure entirely what you mean, but from a quick google > /var/spoolpostfix/incoming is empty. No, that's me trying to be helpful and misreading your original mail :-( I misread that to be /var/spool/postfix/incoming not MailScanner/incoming > > I'm running Postfix 2.3.3 on OpenSuse (the default rpm). > > MailScanner does seem to be working and processing mail (this is > just a > test box). > > ls -lh /var/spool/MailScanner/incoming > > drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11431 > drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11475 > drwx------ 2 postfix postfix 4.0K Mar 29 14:09 11513 > drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11547 > drwx------ 2 postfix postfix 4.0K Mar 29 14:24 11581 > -rw------- 1 postfix postfix 7.0K Mar 29 14:09 SpamAssassin.cache.db Looks fine. Does this happen every time you (re)start MailScanner? Does MailScanner make any other comment in the log file? Does it do it if you restart in debug mode? Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner. Further information can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From arturs at netvision.net.il Thu Mar 29 17:47:06 2007
From: arturs at netvision.net.il (Arthur Sherman) Date: Thu Mar 29 16:56:45 2007 Subject: Content checks after a message was marked as SPAM In-Reply-To: <460BD57B.2060208@netmagicsolutions.com> Message-ID: <031001c77219$80d4d850$3701a8c0@lapxp> > > I mentioned that even after spam checks marked a message as spam, MS > > continues with content checks. > > > > I'd like to set MS so that if for any reason a message is > considerd spam, MS > > would stop processing it. > > That also means that if a message reached Spam Score, MS > wouldn't check > > against further rulesets. > > > > Is this possible? > > > > I am sorry if this has been discussed before - if so, could > someone point me > > to the right direction? > > This is not currently possible.. however with SA 3.2 just around the > corner this would be very much possible with the 'short circuiting' > feature.. 3.2.0-rc1 was released about a week back btw. This is good news! Very nice... Thank you for the tip regarding the 3.2 release. I am just afraid to put it on production server, until it is considered stable. Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ From arturs at netvision.net.il Thu Mar 29 17:47:06 2007 
From: arturs at netvision.net.il (Arthur Sherman) Date: Thu Mar 29 16:56:47 2007 Subject: Content checks after a message was marked as SPAM In-Reply-To: <625385e30703290736u2747e888vfecb9169748ddb49@mail.gmail.com> Message-ID: <031101c77219$810473d0$3701a8c0@lapxp> > > I mentioned that even after spam checks marked a message as spam, MS > > continues with content checks. > > > > I'd like to set MS so that if for any reason a message is > considerd spam, MS > > would stop processing it. > > That also means that if a message reached Spam Score, MS > wouldn't check > > against further rulesets. > > If I remember correctly - if your (High Score) Spam Actions are > deliver/forward it's checked but if it's store/delete it's not. So > basically if you send the mail on content and virus checks are done. Forgot to mention that the spam trap account is whitelisted in every rule possible, so basically MS shouldn't check the messages intended to it. But the problem is that MS continues processing the message AFTER it decided the message is spam. This is a waste of resources... Best, -- Arthur Sherman +972-52-4878851 http://www.cpt.co.il/ From drew at technologytiger.net Thu Mar 29 17:51:47 2007 
From: drew at technologytiger.net (Drew Marshall) Date: Thu Mar 29 16:59:33 2007 Subject: Error message starting/restarting MailScanner? In-Reply-To: <460BDDC5.1070509@netmagicsolutions.com> References: <460BDDC5.1070509@netmagicsolutions.com> Message-ID: On 29 Mar 2007, at 16:39, Dhawal Doshy wrote: > Paul Hutchings wrote: >> I'm not sure entirely what you mean, but from a quick google >> /var/spoolpostfix/incoming is empty. >> I'm running Postfix 2.3.3 on OpenSuse (the default rpm). >> MailScanner does seem to be working and processing mail (this is >> just a >> test box). >> ls -lh /var/spool/MailScanner/incoming >> drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11431 >> drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11475 >> drwx------ 2 postfix postfix 4.0K Mar 29 14:09 11513 >> drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11547 >> drwx------ 2 postfix postfix 4.0K Mar 29 14:24 11581 >> -rw------- 1 postfix postfix 7.0K Mar 29 14:09 SpamAssassin.cache.db > ^^^^^^^^^^^^^^^^^^^^^ > > This file is not supposed to exist here, rather move it /var/spool/ > MailScanner/SpamAssassin.cache.db using the "SpamAssassin Cache > Database File" configuration option in MailScanner.conf Mine's there too. I never noticed or worried about it before :-o Drew -- In line with our policy, this message has been scanned for viruses and dangerous content by the Technology Tiger MailScanner. Further information can be found at www.technologytiger.net/policy Technology Tiger Limited is registered in Scotland with registration number: 310997 Registered Office 55-57 West High Street Inverurie AB51 3QQ From dhawal at netmagicsolutions.com Thu Mar 29 17:56:12 2007 
From: dhawal at netmagicsolutions.com (Dhawal Doshy) Date: Thu Mar 29 17:04:11 2007 Subject: Error message starting/restarting MailScanner? In-Reply-To: References: <460BDDC5.1070509@netmagicsolutions.com> Message-ID: <460BE19C.8050505@netmagicsolutions.com> Drew Marshall wrote: > On 29 Mar 2007, at 16:39, Dhawal Doshy wrote: > >> Paul Hutchings wrote: >>> I'm not sure entirely what you mean, but from a quick google >>> /var/spoolpostfix/incoming is empty. >>> I'm running Postfix 2.3.3 on OpenSuse (the default rpm). >>> MailScanner does seem to be working and processing mail (this is just a >>> test box). >>> ls -lh /var/spool/MailScanner/incoming >>> drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11431 >>> drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11475 >>> drwx------ 2 postfix postfix 4.0K Mar 29 14:09 11513 >>> drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11547 >>> drwx------ 2 postfix postfix 4.0K Mar 29 14:24 11581 >>> -rw------- 1 postfix postfix 7.0K Mar 29 14:09 SpamAssassin.cache.db >> ^^^^^^^^^^^^^^^^^^^^^ >> >> This file is not supposed to exist here, rather move it >> /var/spool/MailScanner/SpamAssassin.cache.db using the "SpamAssassin >> Cache Database File" configuration option in MailScanner.conf > > Mine's there too. I never noticed or worried about it before :-o > > Drew Well this link mentions /var/spool/MailScanner/incoming/SpamAssassin.cache.db as the default value as well.. but why have non-queue/mail files in the MS workdir? http://mailscanner.info/MailScanner.conf.index.html#SpamAssassin%20Cache%20Database%20File From prandal at herefordshire.gov.uk Thu Mar 29 18:58:54 2007 
From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Thu Mar 29 18:07:00 2007 Subject: Error message starting/restarting MailScanner? In-Reply-To: <460BE19C.8050505@netmagicsolutions.com> References: <460BDDC5.1070509@netmagicsolutions.com> <460BE19C.8050505@netmagicsolutions.com> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA43DC82@HC-MBX02.herefordshire.gov.uk> mailscanner-bounces@lists.mailscanner.info wrote: > Drew Marshall wrote: >> On 29 Mar 2007, at 16:39, Dhawal Doshy wrote: >> >>> Paul Hutchings wrote: >>>> I'm not sure entirely what you mean, but from a quick google >>>> /var/spoolpostfix/incoming is empty. >>>> I'm running Postfix 2.3.3 on OpenSuse (the default rpm). >>>> MailScanner does seem to be working and processing mail (this is >>>> just a test box). ls -lh /var/spool/MailScanner/incoming >>>> drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11431 >>>> drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11475 >>>> drwx------ 2 postfix postfix 4.0K Mar 29 14:09 11513 >>>> drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11547 >>>> drwx------ 2 postfix postfix 4.0K Mar 29 14:24 11581 >>>> -rw------- 1 postfix postfix 7.0K Mar 29 14:09 >>>> SpamAssassin.cache.db >>> > ^^^^^^^^^^^^^^^^^^^^^ >>> >>> This file is not supposed to exist here, rather move it >>> /var/spool/MailScanner/SpamAssassin.cache.db using the "SpamAssassin >>> Cache Database File" configuration option in MailScanner.conf >> >> Mine's there too. I never noticed or worried about it before :-o >> >> Drew > > Well this link mentions > /var/spool/MailScanner/incoming/SpamAssassin.cache.db as the default > value as well.. but why have non-queue/mail files in the MS workdir? > http://mailscanner.info/MailScanner.conf.index.html#SpamAssass > in%20Cache%20Database%20File It's a good place for it. If you mount /var/spool/MailScanner/incoming using tmpfs, you'll get performance improvements. And it doesn't matter if the SA cache DB is trashed on reboot, another will be built on the fly. 
Thar's method in yonder madness. Phil -- Phil Randal Network Engineer Herefordshire Council Hereford, UK From mailscanner at yeticomputers.com Thu Mar 29 19:29:00 2007 From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Mar 29 18:36:51 2007 Subject: IP address reputation, BorderWare In-Reply-To: <46083AEF.8070100@fractalweb.com> References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46083AEF.8070100@fractalweb.com> Message-ID: <460BF75C.8030504@yeticomputers.com> Chris Yuzik wrote: > Rick, > > I've been thinking about this issue at length, and agree that it is a > complex one. > > > After much analysis, I consider responding to incoming SAV lookups on > our end to simply be part of the deal with hosting a domain, much as > is responding to DNS queries about the domain, subdomains, etc. As > host to a domain, I believe it is my server's responsibility to answer > queries regarding SAV, in an effort to defend a domain name's > reputation including that of the company behind the domain name. > And I respect your decision to accept that responsibility. I would also do so quite willingly if it was a normal part of a mail server's load, or even an option that most MTAs came with by default. Hm. Is it? Postfix does. What about the other big ones? Which ones do/don't? Addons and milters don't count. > If your server gets spam allegedly from my domain, please, by all > means, do whatever you can to ensure that the mail really did > originate from us before letting it in to your user's inboxes, > including SAV. I'm not sure I'll ever be comfortable using SAV, even if it does turn out to exist in most MTAs. But thanks for your kind permission. :) Rick From mailscanner at yeticomputers.com Thu Mar 29 19:29:08 2007 
From: mailscanner at yeticomputers.com (Rick Chadderdon) Date: Thu Mar 29 18:37:00 2007 Subject: IP address reputation, BorderWare In-Reply-To: References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46075958.1000207@yeticomputers.com> Message-ID: <460BF764.3040105@yeticomputers.com> Res wrote: > The fact remains you accept these risks if you run a public mail > server, just like greylisting Yes, I know. And the fact remains that greylisting and SAV are two entirely different moral questions because of who is initiating the behavior against whom. The fact also remains that the "you accept these risks" attitude is the same attitude the spammers use to justify their crap, and the "it's only a few bytes" argument has no bearing on whether or not it's *right* to do it. I'll live with it, but it's rude behavior. And if a technological method were to offer itself that would allow me to block SAV checks without hindering the use of the server for its purpose, I'd do so, just like I do for spam. I'd prefer to see sender verification as a part of the SMTP protocol. If it were, most MTAs would log it in such a way that it was easier to filter when going through logs. Some would probably allow a log level at which SV was not logged. It would also possibly help with the spam problem in a couple of ways not currently possible with just the milter. This is really only a moral question for me. If sender verification was a normal part of SMTP, and it could be turned on or off, I'd leave it on to help others verify their incoming mail. Since it is not, and since I can *not* easily stop people from verifying against me, and since they're doing it anyway - it irritates me. 
> I don't like it, I disagree with it, it causes more problems for me and > my staff than what it's worth by others using it, however, I accept > many do it, I'd rather the resources of my mail servers not be taken > up with constant retries because of that crud, but it goes on, I live > with it, you will have to live with it. Okay, so we're in agreement. I guess the difference is that when I don't like something and I disagree with it, I don't tell people "keep using the filter." >> >> You have multi-gigabit bandwidth at home? Impressive, and... well, >> I don't > > No, I look at it for my company's point of view, however, if a HOME > USER wishes to have an exposed smtp server, then they must accept and > expect the exact same risks as any national telco or corporation that > does. Agreed. The entire "home user" point I was trying to make was that bandwidth has become ridiculously cheap for most people, in comparison to what it cost just a decade ago. I have 10M at home, 10M at the office (although it's split up a bit), and my complaints refer to the mail server at the office. I don't run one at home anymore. > p2p would be less than 40% [...] > Mail servers about 15% So, your mail consumes a slightly higher portion of your bandwidth than does mine, but we're really not that far apart. I have the advantage of not providing "public" internet access anymore. I provide access to a couple of companies, and none of them would dream of slowing down their business apps with filesharing. I do occasionally have to get on a couple of specific users for streaming radio stations and YouTube videos, though. They don't seem to want to believe that with a couple of apps talking to each other constantly across VPNs, normal Internet usage shared by about 35 people and the desire of typical users today to send multi-megabyte files back and forth in their email, that a few users streaming audio and video can actually have a negative impact.
But, as they say, "I can do it at home with just my one little old computer, so with all of these big servers, why can't I do it here?" >> Case one: You initiate the behavior, I respond by consuming your >> resources. > > That's ok, I think I can afford the couple hundred BYTES of conversation > packets :) and if you run a 10mb link I doubt you'd even know it was > happening if you never looked in your logs. Right. And morally, it doesn't bother me when someone makes me jump through hoops to send them mail. I can choose to do so, or not. My choice. I don't respond to TDMA messages, but I happily retry when I hit a greylist. TDMA suffers from the same problem SAV does - it normally affects third-parties, not those directly trying to communicate with the user. >> >> Exactly what I said... It is of benefit to you, the user of SAV, not >> to the > > That's correct, just like those who use greylisting, it's of benefit to > them, not me Just so I know which it is... Do you honestly not see the difference between affecting a third party and affecting one who is directly dealing with you, or do you simply not care? I know we don't agree, but I'd kind of like to know whether it's because you're missing my point - or you don't think the difference is relevant. >> and due to the way it was implemented there is no way that you can >> avoid its effects, or its drain on your time. You don't *want* to >> do this thing. Even > > but it's no drain on time, your analogies are flawed, as it doesn't > require anyone to sit in the server room and watch it happening, it's > no worse than dns lookups, greylisting, etc etc etc No, my first analogy was based on my own experience. I *do* spend a total of about an extra hour per month dealing with the results of all of this extra crap in my mail logs. Discarding the analogies as flawed (and then refusing to address them) strikes me as a cheap cop-out.
Please understand that I'm talking only about the moral choices involved, which is why the second analogy was so exaggerated. If you rely on the *amount* of impact on the complainant, you can argue that spam itself was okay 'til it reached "x" level of messages per day/month/whatever. Spam has never been okay, in any amount, and I was one of the first people to implement a strict (rabid) anti-spam policy for my customers, back when everyone was saying, "just hit delete." DNS lookups are what the DNS server is for. SAV is *not* what my mail server is for. Until it's part of the normal operation of a mailserver, I don't want anyone using my resources just because a third party is using theirs. Greylisting... covered above. While I'm not sure that I've been clear enough for everyone to understand the moral flaws I'm pointing out, I do think I've made them as clear as I can without specific requests for further discussion. Since I've contributed heavily to this thread being almost *entirely* off-topic, and I don't see much more progress being made here, I invite anyone interested in continuing to explore this line of thought to do so off-list. Rick From itdept at fractalweb.com Thu Mar 29 19:45:19 2007 
From: itdept at fractalweb.com (Chris Yuzik) Date: Thu Mar 29 18:53:13 2007 Subject: IP address reputation, BorderWare In-Reply-To: <460BF75C.8030504@yeticomputers.com> References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46083AEF.8070100@fractalweb.com> <460BF75C.8030504@yeticomputers.com> Message-ID: <460BFB2F.6070406@fractalweb.com> Rick Chadderdon wrote: > Chris Yuzik wrote: >> Rick, >> >> I've been thinking about this issue at length, and agree that it is a >> complex one. >> >> >> After much analysis, I consider responding to incoming SAV lookups on >> our end to simply be part of the deal with hosting a domain, much as >> is responding to DNS queries about the domain, subdomains, etc. As >> host to a domain, I believe it is my server's responsibility to >> answer queries regarding SAV, in an effort to defend a domain name's >> reputation including that of the company behind the domain name. >> > > And I respect your decision to accept that responsibility. I would > also do so quite willingly if it was a normal part of a mail server's > load, or even an option that most MTAs came with by default. Hm. Is > it? Postfix does. What about the other big ones? Which ones > do/don't? Addons and milters don't count. > >> If your server gets spam allegedly from my domain, please, by all >> means, do whatever you can to ensure that the mail really did >> originate from us before letting it in to your user's inboxes, >> including SAV. > > I'm not sure I'll ever be comfortable using SAV, even if it does turn > out to exist in most MTAs. But thanks for your kind permission. :) > > Rick Rick, Although we apparently see this issue from two opposing sides, I really appreciate hearing your perspective. 
I'm not sure if anyone's opinion or actions were changed one way or the other as a result of the conversation, but a good debate is always useful, IMHO. And in the end, we wear hats of the same colour and continue our battle against the dark side. Here's to continuing the good fight! Cheers, Chris From dknott123 at gmail.com Thu Mar 29 19:48:54 2007 From: dknott123 at gmail.com (Don Knott) Date: Thu Mar 29 18:56:35 2007 Subject: Decode and store certain attachments Message-ID: <913ca19b0703291048m3c592a13x31748400cadcad32@mail.gmail.com> Hello- I would like to decode certain attachment types to a particular address. I get messages with .DBF file attachments that I need to decode and extract to a directory to be processed (imported into a DB) later by a cron job. I am struggling with procmail & metamail to do it but not having much luck. So far it's too interactive. Googling only seems to find stuff about encoding from scripts, not decoding. Can I do this with a ruleset in MailScanner? Any assistance would be most appreciated. From paul.hutchings at mira.co.uk Thu Mar 29 19:54:43 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings) Date: Thu Mar 29 19:02:25 2007 Subject: Error message starting/restarting MailScanner? Message-ID: Right well I've found out what's been causing it and it's rather weird! When I rebuilt this box I made a tarball of the /etc/MailScanner folder and emailed it myself, blitzed the box, then used pscp (the scp client from the chap who writes Putty) to copy the files back over. It appears, goodness only knows how, that it's the way pscp copies the files back to the box. When I copied the tarball back to the box and untarred it it all worked just fine. It's as if there are some invisible spaces or line feeds or something being put into the files when they were copied that way.. sorry I'm not too clear myself what's gone on but at least I know what's causing it. cheers, Paul -- Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk -----Original Message----- 
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul Hutchings Sent: 29 March 2007 13:34 To: MailScanner discussion Subject: Error message starting/restarting MailScanner? When I start/restart MailScanner I see the following: relay:/var/spool/MailScanner/incoming # /etc/init.d/MailScanner restart and MailScannerstfix done : No such file or directoryne 171: cd: /var/spool/MailScanner/incoming Initializing outgoing postfix done Initializing MailScanner If I look at line 171 in the startup script (the standard one the install.sh built) it says: cd $MAILSCANNER_WORKDIR && ls | egrep '^[0123456789]+$' | xargs /bin/rm -rf 2>/dev/null That directory exists (the variable is set to /var/spool/MailScanner/incoming) and MailScanner appears to be working so I'm not quite sure what the output is trying to tell me? cheers, Paul -- Paul Hutchings Network Administrator, MIRA Ltd. Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378 mailto:paul.hutchings@mira.co.uk From dave.list at pixelhammer.com Thu Mar 29 20:05:05 2007
From: dave.list at pixelhammer.com (DAve) Date: Thu Mar 29 19:14:10 2007 Subject: IP address reputation, BorderWare In-Reply-To: <460BFB2F.6070406@fractalweb.com> References: <4602FAAA.20009@fractalweb.com><200703222203.l2MM3wig030176@mail.deniscroombs.org> <20070322181247.99D6.GERARD@seibercom.net> <460303D5.8070906@yeticomputers.com> <4603FEBF.3030401@yeticomputers.com> <4605E937.2020704@yeticomputers.com> <46083AEF.8070100@fractalweb.com> <460BF75C.8030504@yeticomputers.com> <460BFB2F.6070406@fractalweb.com> Message-ID: <460BFFD1.30804@pixelhammer.com> Chris Yuzik wrote: > Rick Chadderdon wrote: >> Chris Yuzik wrote: >>> Rick, >>> >>> I've been thinking about this issue at length, and agree that it is a >>> complex one. >>> >>> >>> After much analysis, I consider responding to incoming SAV lookups on >>> our end to simply be part of the deal with hosting a domain, much as >>> is responding to DNS queries about the domain, subdomains, etc. As >>> host to a domain, I believe it is my server's responsibility to >>> answer queries regarding SAV, in an effort to defend a domain name's >>> reputation including that of the company behind the domain name. >>> >> >> And I respect your decision to accept that responsibility. I would >> also do so quite willingly if it was a normal part of a mail server's >> load, or even an option that most MTAs came with by default. Hm. Is >> it? Postfix does. What about the other big ones? Which ones >> do/don't? Addons and milters don't count. >> >>> If your server gets spam allegedly from my domain, please, by all >>> means, do whatever you can to ensure that the mail really did >>> originate from us before letting it in to your user's inboxes, >>> including SAV. >> >> I'm not sure I'll ever be comfortable using SAV, even if it does turn >> out to exist in most MTAs. But thanks for your kind permission. 
:) >> >> Rick > Rick, > > Although we apparently see this issue from two opposing sides, I really > appreciate hearing your perspective. I'm not sure if anyone's opinion or > actions were changed one way or the other as a result of the > conversation, but a good debate is always useful, IMHO. And in the end, > we wear hats of the same colour and continue our battle against the dark > side. > > Here's to continuing the good fight! > > Cheers, > Chris Agreed. I've enjoyed the civil discussion on SAV, civil discussions are so rare on MTA lists. I am better prepared to make a judgment for or against using it in the future because of this thread. Thank you both. DAve -- "What's gonna happen when I go to the job fair and I'm the only one in nice clothes and everyone else is wearing jeans and a tee shirt?!" My unemployed son..... From ssilva at sgvwater.com Thu Mar 29 22:16:04 2007 
From: ssilva at sgvwater.com (Scott Silva) Date: Thu Mar 29 21:24:09 2007 Subject: Error message starting/restarting MailScanner? In-Reply-To: References: Message-ID: Paul Hutchings spake the following on 3/29/2007 10:54 AM: > Right well I've found out what's been causing it and it's rather weird! > > When I rebuilt this box I made a tarball of the /etc/MailScanner folder > and emailed it myself, blitzed the box, then used pscp (the scp client > from the chap who writes Putty) to copy the files back over. > > It appears, goodness only knows how, that it's the way pscp copies the > files back to the box. > > When I copied the tarball back to the box and untarred it it all worked > just fine. It's as if there are some invisible spaces or line feeds or > something being put into the files when they were copied that way.. > sorry I'm not too clear myself what's gone on but at least I know what's > causing it. No file transfer program should be changing a tar file. Your e-mail program might have done some damage when encoding/decoding it though. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From glenn.steen at gmail.com Thu Mar 29 23:21:00 2007 
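Added example, not part of either post above: one way to test Paul's suspicion of invisible characters in the restored files is to scan the tree for bytes that editors hide, and to strip carriage returns where they turn up. The file name `init-defaults` and the sample contents are constructed; that the stray character is a carriage return is an assumption, not something the thread confirms.

```python
import os
import stat
import tempfile

# Byte sequences most editors do not show but shells and config parsers read.
SUSPECT = {
    b"\r": "carriage return",
    b"\x00": "NUL byte",
    b"\xef\xbb\xbf": "UTF-8 byte-order mark",
    b"\xc2\xa0": "non-breaking space",
}


def scan_file(path):
    """Return [(line_number, description), ...] for suspect bytes in one file."""
    findings = []
    with open(path, "rb") as fh:
        for lineno, raw in enumerate(fh, start=1):
            for needle, name in SUSPECT.items():
                if needle in raw:
                    findings.append((lineno, name))
    return findings


def scan_tree(root):
    """Map each regular file under root to its findings; clean files are omitted."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            # Symlinks are skipped so the scan never leaves the tree.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            found = scan_file(path)
            if found:
                report[path] = found
    return report


def strip_carriage_returns(path):
    """Rewrite path without CR bytes and return how many were removed.

    The permission bits are kept and the swap is atomic; the owner becomes
    whoever runs this, so run it as the file's owner.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    removed = data.count(b"\r")
    if removed == 0:
        return 0
    mode = stat.S_IMODE(os.stat(path).st_mode)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(data.replace(b"\r", b""))
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return removed


def build_sample_tree():
    """Constructed sample: one clean file and one with a CRLF-ended assignment."""
    root = tempfile.mkdtemp(prefix="ms-restore-")
    with open(os.path.join(root, "clean.conf"), "wb") as fh:
        fh.write(b"# constructed sample\nOption = value\n")
    bad = os.path.join(root, "init-defaults")  # hypothetical file name
    with open(bad, "wb") as fh:
        fh.write(b"# constructed sample\n"
                 b"MAILSCANNER_WORKDIR=/var/spool/MailScanner/incoming\r\n"
                 b"OTHER=value\n")
    os.chmod(bad, 0o640)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for path, found in sorted(scan_tree(target).items()):
        for lineno, name in found:
            print(f"{path}:{lineno}: {name}")
```
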
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 29 22:28:44 2007 Subject: Decode and store certain attachments In-Reply-To: <913ca19b0703291048m3c592a13x31748400cadcad32@mail.gmail.com> References: <913ca19b0703291048m3c592a13x31748400cadcad32@mail.gmail.com> Message-ID: <223f97700703291421w7efaeebfh334e0c8016801315@mail.gmail.com> On 29/03/07, Don Knott wrote: > Hello- > > I would like to decode certain attachment types to a particular address. I > get messages with .DBF file attachments that I need to decode and extract to > a directory to be processed (imported into a DB) later by a cron job. > > I am struggling with procmail & metamail to do it but not having much luck. > So far it's too interactive. Googling only seems to find stuff about encoding > from scripts, not decoding. > > Can I do this with a ruleset in Mailscanner? > > Any assistance would be most appreciated. Apart from doing something in a custom function, I can't see any reasonable way of doing it in MailScanner, and one could well question whether constructing a custom function for this is reasonable:-). Funnily enough, I did something like this with metamail ... ohhh... about 10-12 years ago... Too long ago to remember it all, might've ended up wrapping it in an expect script, but ... I sort of doubt that: (I think I would've remembered something like that:-). Stick with it, you'll get it eventually:-). ,,,, Or use something else... munpack looks viable (http://linux.maruhn.com/sec/mpack.html after a quick google)... Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Thu Mar 29 23:29:22 2007
From: glenn.steen at gmail.com (Glenn Steen) Date: Thu Mar 29 22:37:07 2007 Subject: Decode and store certain attachments In-Reply-To: <223f97700703291421w7efaeebfh334e0c8016801315@mail.gmail.com> References: <913ca19b0703291048m3c592a13x31748400cadcad32@mail.gmail.com> <223f97700703291421w7efaeebfh334e0c8016801315@mail.gmail.com> Message-ID: <223f97700703291429o3572fd54r395dcc064e55c450@mail.gmail.com> On 29/03/07, Glenn Steen wrote: > On 29/03/07, Don Knott wrote: > > Hello- > > > > I would like to decode certain attachment types to a particular address. I > > get messages with .DBF file attachments that I need to decode and extract to > > a directory to be processed (imported into a DB) later by a cron job. > > > > I am struggling with procmail & metamail to do it but not having much luck. > > So far its too interactive. Googling only seems to find stuff about encoding > > from scripts, not decoding. > > > > Can I do this with a ruleset in Mailscanner? > > > > Any assistance would be most appreciated. > > Apart from doing something in a custom function, I can't see any > reasonable way of doing it in MailScanner, and one could well question > whether constructing a custom function for this is reasonable:-). > Just had a thought.... If you _disallow_ .dbf files in filename rules, you'd get it quarantined _and decoded_ as a Bad Filename .... Perhaps usable? Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From dknott123 at gmail.com Fri Mar 30 05:43:02 2007 
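Added example, not from the thread: a non-interactive way to do what Don asks, reading one message on stdin (as procmail would pipe it) and writing only `.dbf` attachments into a directory. The attachment name is chosen by the sender, so it is reduced to a bare filename and the file is created exclusively; the function names, the size cap and the sample message are constructed for illustration.

```python
import email
import email.policy
import os
import re
import sys
from email.message import EmailMessage

WANTED_EXT = ".dbf"
MAX_BYTES = 10 * 1024 * 1024            # assumed cap per attachment
UNSAFE = re.compile(r"[^A-Za-z0-9._-]")
SAMPLE_DBF = b"\x03" + bytes(31)        # constructed 32-byte stand-in payload


def safe_filename(raw):
    """Reduce a sender-supplied attachment name to a plain basename."""
    # Treat both separators as path separators, whatever the local OS uses.
    base = raw.replace("\\", "/").split("/")[-1]
    # Replace anything outside a conservative set; drop leading dots so the
    # result is never ".", ".." or a hidden file.
    base = UNSAFE.sub("_", base).lstrip(".")
    return base or "attachment"


def write_exclusive(dest_dir, name, data):
    """Create a new file in dest_dir without overwriting or following links."""
    stem, suffix = os.path.splitext(name)
    for n in range(1000):
        candidate = name if n == 0 else f"{stem}.{n}{suffix}"
        path = os.path.join(dest_dir, candidate)
        try:
            # O_EXCL fails if the name exists, including as a symlink.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            continue
        with os.fdopen(fd, "wb") as out:
            out.write(data)
        return path
    raise RuntimeError("too many files named " + name)


def extract_attachments(raw_bytes, dest_dir, ext=WANTED_EXT, max_bytes=MAX_BYTES):
    """Decode every attachment whose sanitized name ends in ext; return paths."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    saved = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_filename()
        if not declared:
            continue
        name = safe_filename(declared)
        if not name.lower().endswith(ext):
            continue
        payload = part.get_payload(decode=True)   # undoes base64 / quoted-printable
        if payload is None or len(payload) > max_bytes:
            continue
        saved.append(write_exclusive(dest_dir, name, payload))
    return saved


def build_sample_message():
    """Constructed message: a .DBF with a traversal-style name, plus a .txt."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "import@example.com"
    msg["Subject"] = "daily export"
    msg.set_content("Daily export attached.")
    msg.add_attachment(SAMPLE_DBF, maintype="application",
                       subtype="octet-stream",
                       filename="../../etc/cron.d/orders.DBF")
    msg.add_attachment("not wanted", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    # Usage: extract.py DEST_DIR < message
    for written in extract_attachments(sys.stdin.buffer.read(), sys.argv[1]):
        print(written)
```
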
From: dknott123 at gmail.com (Don Knott)
Date: Fri Mar 30 04:50:45 2007
Subject: Decode and store certain attachments
In-Reply-To: <223f97700703291429o3572fd54r395dcc064e55c450@mail.gmail.com>
References: <913ca19b0703291048m3c592a13x31748400cadcad32@mail.gmail.com> <223f97700703291421w7efaeebfh334e0c8016801315@mail.gmail.com> <223f97700703291429o3572fd54r395dcc064e55c450@mail.gmail.com>
Message-ID: <913ca19b0703292043s6b909eb2pa2f7e73a6715e03d@mail.gmail.com>

Metamail was frustrating me cause it was too interactive.

Finally after much Googling, I found a perl script called mimedecode that
did what I needed and worked well from procmail.

http://search.cpan.org/dist/ppt/bin/mimedecode

I had tried your idea to fetch the file from the quarantine and that would
have probably worked had I not found the perl script.

Thanks for the help.

On 3/29/07, Glenn Steen wrote:
>
> On 29/03/07, Glenn Steen wrote:
> > On 29/03/07, Don Knott wrote:
> > > Hello-
> > >
> > > I would like to decode certain attachment types to a particular address. I
> > > get messages with .DBF file attachments that I need to decode and extract to
> > > a directory to be processed (imported into a DB) later by a cron job.
> > >
> > > I am struggling with procmail & metamail to do it but not having much luck.
> > > So far it's too interactive. Googling only seems to find stuff about encoding
> > > from scripts, not decoding.
> > >
> > > Can I do this with a ruleset in Mailscanner?
> > >
> > > Any assistance would be most appreciated.
> >
> > Apart from doing something in a custom function, I can't see any
> > reasonable way of doing it in MailScanner, and one could well question
> > whether constructing a custom function for this is reasonable:-).
> >
> Just had a thought.... If you _disallow_ .dbf files in filename rules,
> you'd get it quarantined _and decoded_ as a Bad Filename .... Perhaps
> usable?
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

From tmitconsultancy at gmail.com Fri Mar 30 06:10:43 2007
From: tmitconsultancy at gmail.com (Tony Melia)
Date: Fri Mar 30 05:18:27 2007
Subject: RBL Ignored
Message-ID: <737f239c0703292110g65a13cf6qb9b0de3c6166a261@mail.gmail.com>

Hi, I am running Mailscanner 4.58.9 with spamassassin 3.1.8-2.fc5.1 on
Fedora Core 5. All was working well until I updated spamassassin via YUM
a few weeks ago. Since then, a lot more spam than normal has got through
that would previously have been blocked. It would appear that
spamassassin is no longer doing RBL checks since the upgrade. The only
RBL checking done at the moment is by Mailscanner of the URLs within
emails, but no actual SMTP checking.

Where can I check this, because I know there are a few different areas
that this could be set in.

Regards.

From hvdkooij at vanderkooij.org Fri Mar 30 08:05:19 2007
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Fri Mar 30 07:13:09 2007
Subject: Error message starting/restarting MailScanner?
In-Reply-To:
References:
Message-ID:

On Thu, 29 Mar 2007, Paul Hutchings wrote:

> I'm not sure entirely what you mean, but from a quick google
> /var/spoolpostfix/incoming is empty.
>
> I'm running Postfix 2.3.3 on OpenSuse (the default rpm).
>
> MailScanner does seem to be working and processing mail (this is just a
> test box).
>
> ls -lh /var/spool/MailScanner/incoming
>
> drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11431
> drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11475
> drwx------ 2 postfix postfix 4.0K Mar 29 14:09 11513
> drwx------ 2 postfix postfix 4.0K Mar 29 14:08 11547
> drwx------ 2 postfix postfix 4.0K Mar 29 14:24 11581
> -rw------- 1 postfix postfix 7.0K Mar 29 14:09 SpamAssassin.cache.db

Tell us you are kidding us with the cache file living down here.

But perhaps you are not and you have one big anomaly staring you in the
face that you need to resolve.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.

Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)

From martinh at solidstatelogic.com Fri Mar 30 10:09:12 2007
From: martinh at solidstatelogic.com (Martin.Hepworth)
Date: Fri Mar 30 09:17:11 2007
Subject: RBL Ignored
In-Reply-To: <737f239c0703292110g65a13cf6qb9b0de3c6166a261@mail.gmail.com>
Message-ID:

Tony

spamassassin -D --lint < file

will show you what it's doing...

stop mailscanner then

Mailscanner -debug --debug-sa

To find out what's happening from MS and what's maybe different from the
stock SA.

Did you originally install SA with yum? If not you may have two copies
of SA on your system.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Tony Melia
> Sent: 30 March 2007 05:11
> To: mailscanner@lists.mailscanner.info
> Subject: RBL Ignored
>
> Hi, I am running Mailscanner 4.58.9 with spamassassin 3.1.8-2.fc5.1 on
> Fedora Core 5. All was working well until I updated spamassassin via YUM
> a few weeks ago. Since then, a lot more spam than normal has got through
> that would previously have been blocked. It would appear that
> spamassassin is no longer doing RBL checks since the upgrade. The only
> RBL checking done at the moment is by Mailscanner of the URLs within
> emails, but no actual SMTP checking.
>
> Where can I check this, because I know there are a few different areas
> that this could be set in.
>
> Regards.

From glenn.steen at gmail.com Fri Mar 30 10:25:45 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Mar 30 09:33:30 2007
Subject: Decode and store certain attachments
In-Reply-To: <913ca19b0703292043s6b909eb2pa2f7e73a6715e03d@mail.gmail.com>
References: <913ca19b0703291048m3c592a13x31748400cadcad32@mail.gmail.com> <223f97700703291421w7efaeebfh334e0c8016801315@mail.gmail.com> <223f97700703291429o3572fd54r395dcc064e55c450@mail.gmail.com> <913ca19b0703292043s6b909eb2pa2f7e73a6715e03d@mail.gmail.com>
Message-ID: <223f97700703300125l7c7f7a4fkf5e02c680fe465fc@mail.gmail.com>

On 30/03/07, Don Knott wrote:
> Metamail was frustrating me cause it was too interactive.
>
> Finally after much Googling, I found a perl script called mimedecode that
> did what I needed and worked well from procmail.
>
> http://search.cpan.org/dist/ppt/bin/mimedecode
>
> I had tried your idea to fetch the file from the quarantine and that would
> have probably worked had I not found the perl script.
>
Thanks for the feedback. As said, it was a few years ago I did this...
Come to think on it I probably _did_ wrap it in expect... Gotta love
it, it's exactly right for curing those incurable bouts of
interaction (to paraphrase Don Libes:).
But using the tool you found is very likely the very best solution.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From KLekas at foxriver.com Fri Mar 30 19:02:41 2007
From: KLekas at foxriver.com (Kosta Lekas)
Date: Fri Mar 30 18:10:22 2007
Subject: Content checks after a message was marked as SPAM
In-Reply-To: <030101c7720d$92026400$3701a8c0@lapxp>
Message-ID: <8D8A77DC1FA09546936E74FC3EEC627A0196F937@FREXGENEVA-01.frfr.foxriver.com>

I use ripmime

http://www.pldaniels.com/ripmime/

What I do is forward the mail that I want to capture attachments from to
a postfix alias and pipe to ripmime like so:

myalias: "|/usr/local/bin/ripmime -i - --no-nameless -d /targetdirectory"

I have different aliases set up for different emails that I want to go
in different directories. So all you have to do is configure a rule in
Mailscanner to archive the mail coming from that sender to the alias you
create.

Kosta

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Arthur Sherman
Sent: Thursday, March 29, 2007 9:22 AM
To: 'MailScanner discussion'
Subject: Content checks after a message was marked as SPAM

I mentioned that even after spam checks marked a message as spam, MS
continues with content checks.
I'd like to set MS so that if for any reason a message is considered spam,
MS would stop processing it.
That also means that if a message reached Spam Score, MS wouldn't check
against further rulesets.

Is this possible?

I am sorry if this has been discussed before - if so, could someone point
me to the right direction?

TIA

Best,
--
Arthur Sherman
+972-52-4878851
http://www.cpt.co.il/

From KLekas at foxriver.com Fri Mar 30 20:14:24 2007
From: KLekas at foxriver.com (Kosta Lekas)
Date: Fri Mar 30 19:22:07 2007
Subject: Decode and store certain attachments
In-Reply-To: <913ca19b0703291048m3c592a13x31748400cadcad32@mail.gmail.com>
Message-ID: <8D8A77DC1FA09546936E74FC3EEC627A0196F938@FREXGENEVA-01.frfr.foxriver.com>

I use ripmime

http://www.pldaniels.com/ripmime/

What I do is forward the mail that I want to capture attachments from to
a postfix alias and pipe to ripmime like so:

myalias: "|/usr/local/bin/ripmime -i - --no-nameless -d /targetdirectory"

I have different aliases set up for different emails that I want to go
in different directories. So all you have to do is configure a rule in
Mailscanner to archive the mail coming from that sender to the alias you
create.

Kosta

________________________________

From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Don Knott
Sent: Thursday, March 29, 2007 12:49 PM
To: mailscanner@lists.mailscanner.info
Subject: Decode and store certain attachments

Hello-

I would like to decode certain attachment types to a particular address.
I get messages with .DBF file attachments that I need to decode and
extract to a directory to be processed (imported into a DB) later by a
cron job.

I am struggling with procmail & metamail to do it but not having much
luck. So far it's too interactive. Googling only seems to find stuff about
encoding from scripts, not decoding.

Can I do this with a ruleset in Mailscanner?

Any assistance would be most appreciated.

From arturs at netvision.net.il Fri Mar 30 21:15:09 2007
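The non-interactive "decode .DBF attachments into a directory" step that this thread solves with mimedecode or ripmime, as an added Python example (not code from any poster, from ripmime, or from MailScanner). It also shows the checks such a pipe needs when the attachment name is chosen by the sender. The allowed-extension set, function names and sample message are assumptions made for the illustration.

```python
import email
import os
import re
import sys
import tempfile
from email import policy
from email.message import EmailMessage

ALLOWED_EXT = {".dbf"}  # assumption: only the .DBF exports from the thread are wanted


def safe_name(raw):
    """Reduce a sender-controlled attachment name to a plain basename, or None."""
    base = os.path.basename(raw.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return base or None


def extract_attachments(raw_message, target_dir):
    """Decode allowed attachments of one message into target_dir; return paths written."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    written = []
    for part in msg.iter_attachments():
        name = safe_name(part.get_filename() or "")
        if not name:
            continue  # unnamed parts are skipped (the thread's ripmime call uses --no-nameless)
        stem, ext = os.path.splitext(name)
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if ext.lower() not in ALLOWED_EXT or payload is None:
            continue
        for n in range(1000):
            path = os.path.join(target_dir, name if n == 0 else f"{stem}-{n}{ext}")
            try:
                # O_EXCL: never overwrite a file the cron job has not imported yet
                fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            except FileExistsError:
                continue
            with os.fdopen(fd, "wb") as fh:
                fh.write(payload)
            written.append(path)
            break
    return written


def build_sample():
    """Constructed test message: one .DBF with a hostile path, one unwanted .exe."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "reports@example.com", "import@example.net", "export"
    m.set_content("Daily export attached.")
    m.add_attachment(b"\x03constructed-dbf", maintype="application",
                     subtype="octet-stream", filename="../../etc/export.DBF")
    m.add_attachment(b"constructed", maintype="application",
                     subtype="octet-stream", filename="tool.exe")
    return m.as_bytes()


def demo():
    """Run the extractor twice over the sample; return directory listing and names written."""
    with tempfile.TemporaryDirectory() as d:
        paths = extract_attachments(build_sample(), d) + extract_attachments(build_sample(), d)
        return sorted(os.listdir(d)), [os.path.relpath(p, d) for p in paths]


if __name__ == "__main__":
    if len(sys.argv) == 2:  # used as a pipe: message on stdin, target directory as argument
        print(extract_attachments(sys.stdin.buffer.read(), sys.argv[1]))
    else:
        print(demo())
```
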
From: arturs at netvision.net.il (Arthur Sherman)
Date: Fri Mar 30 19:24:52 2007
Subject: Content checks after a message was marked as SPAM
In-Reply-To: <8D8A77DC1FA09546936E74FC3EEC627A0196F937@FREXGENEVA-01.frfr.foxriver.com>
Message-ID: <002d01c772ff$bbe59240$3701a8c0@lapxp>

> I use ripmime http://www.pldaniels.com/ripmime/

Thanks, Kosta!

Best,
--
Arthur Sherman
+972-52-4878851
http://www.cpt.co.il/

From ka at pacific.net Fri Mar 30 23:20:02 2007
From: ka at pacific.net (Ken A)
Date: Fri Mar 30 22:27:51 2007
Subject: animated cursors
Message-ID: <460D7F02.9020000@pacific.net>

re: http://www.securityfocus.com/archive/1/464269

Am I correct that a line like so in filetype.rules.conf will block
animated cursors.

deny RIFF No animated cursors No animated cursor

They are already blocked in filename.rules.conf, but you know how
windows apps like to open files based on contents!

Thanks,
Ken Anderson
Pacific.Net

From Jamesp at MusicReports.com Sat Mar 31 00:26:24 2007
From: Jamesp at MusicReports.com (James D. Parra)
Date: Fri Mar 30 23:34:13 2007
Subject: setting up Mailscanner rules
Message-ID: <531F1E080638384C9623B00D71AA546D028FDF2B@exchange.musicreports.com>

Hello,

I'd like to create a rule that allows two specific internal e-mail addresses
to only receive mail from two specific domains and from no other. How can I
accomplish that?

I was looking at some examples, but I couldn't see what was the best way to
achieve this. I still want mail from the two domains to go to other internal
mail accounts, however the two specific internal e-mail accounts should only
receive mail from the two specified domains.

Many thanks in advance.

~James

From andrei at inteligis.ro Sat Mar 31 10:12:41 2007
From: andrei at inteligis.ro (Andrei Ioachim)
Date: Sat Mar 31 09:20:14 2007
Subject: mail::clamav 0.20 error - SOLVED
In-Reply-To: <460134B3.1020101@inteligis.ro>
References: <460134B3.1020101@inteligis.ro>
Message-ID: <460E17F9.7020205@inteligis.ro>

Andrei Ioachim wrote:
> Hello,
>
> i've just moved from clamav to clamavmodule scanner
>
> mailscanner --debug is working ok, but when i start normally
> i get:
> ClamAV Module ERROR:: Could not load databases from
> /opt/clamav/share/clamav
>
>
> it has something to do with multiple instances of mailscanner
>
> now i have Max Children = 0 in mailscanner.conf to get mailscanner to
> work
>
> but i would like to use more children
>
>
>

i found the problem:

in check_mailscanner there is

    # Make it run SpamAssassin out of tmpfs
    if [ -d /dev/shm ]; then
      TMPDIR=/dev/shm
      export TMPDIR
    fi

clamav uses TMPDIR variable to create temporary directory

so i commented out that code in check_mailscanner and now everything works

also i found that this was the problem by modifying SweepViruses.pm (this
"patch" should be put in future MailScanner releases)

    $Clam = new Mail::ClamAV(Mail::ClamAV::retdbdir())
      or MailScanner::Log::DieLog("ClamAV Module ERROR:: Could not load " .
           "databases from %s - error: %s",
           Mail::ClamAV::retdbdir(), $Mail::ClamAV::Error);

(added "- error: %s" from $Mail::ClamAV::Error)

$Mail::ClamAV::Error errors should/could be put in other places for better
debugging

From glenn.steen at gmail.com Sat Mar 31 11:27:05 2007
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Mar 31 10:34:56 2007
Subject: animated cursors
In-Reply-To: <460D7F02.9020000@pacific.net>
References: <460D7F02.9020000@pacific.net>
Message-ID: <223f97700703310227v543acfc0p264418e6cdd147e5@mail.gmail.com>

On 30/03/07, Ken A wrote:
> re: http://www.securityfocus.com/archive/1/464269
> Am I correct that a line like so in filetype.rules.conf will block
> animated cursors.
>
> deny RIFF No animated cursors No animated cursor
>
> They are already blocked in filename.rules.conf, but you know how
> windows apps like to open files based on contents!
>
Yes... and then some (RIFF is a container thing)... Observe:

# file /mnt/win_c/WINDOWS/Cursors/handno.ani
/mnt/win_c/WINDOWS/Cursors/handno.ani: RIFF (little-endian) data, animated cursor
# file /usr/lib/childsplay/lib/MultiTablesData/correct.wav
/usr/lib/childsplay/lib/MultiTablesData/correct.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, mono 22050 Hz
#

Might be OK for you, but perhaps you shouldn't assume it to be an
animated cursor right off the bat:-). Why not use "cursor" or even
"animated" instead? A plain cursor file (.cur) is identified as some
Lotus 1-2-3 format on my system here:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sat Mar 31 11:32:59 2007
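Why a bare RIFF pattern catches .wav files along with .ani files, as an added Python example (not part of any list message and not MailScanner code): RIFF is only the container signature, and the four bytes at offset 8, the form type, say what is inside (ACON for an animated cursor, WAVE for audio). The buffers are constructed samples and the function names are assumptions.

```python
import struct

# Form type (bytes 8..11) -> description, for a few RIFF-based formats.
FORM_TYPES = {b"ACON": "animated cursor", b"WAVE": "WAVE audio", b"AVI ": "AVI video"}


def build_riff(form, *chunks):
    """Build a small RIFF buffer from (id, payload) pairs; used for the constructed samples."""
    body = form
    for cid, payload in chunks:
        body += cid + struct.pack("<I", len(payload)) + payload + b"\0" * (len(payload) & 1)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def inspect_riff(data):
    """Return None for non-RIFF data, else form type, chunk ids and a malformed flag."""
    if len(data) < 12 or data[:4] != b"RIFF":
        return None
    declared = struct.unpack_from("<I", data, 4)[0]
    malformed = declared + 8 > len(data)      # header claims more bytes than we hold
    chunks, pos = [], 12
    while pos + 8 <= len(data):
        cid, size = struct.unpack_from("<4sI", data, pos)
        chunks.append(cid.decode("latin-1"))
        end = pos + 8 + size
        if end > len(data):                   # chunk runs past the end of the buffer
            malformed = True
            break
        pos = end + (size & 1)                # chunk bodies are padded to even length
    form = data[8:12]
    return {"form": form.decode("latin-1"), "kind": FORM_TYPES.get(form, "other RIFF"),
            "chunks": chunks, "malformed": malformed}


def is_animated_cursor(data):
    """True only for RIFF data whose form type is ACON, whatever the file is named."""
    info = inspect_riff(data)
    return info is not None and info["form"] == "ACON"


# Constructed samples: a minimal cursor container, a minimal WAVE, and a cut-off cursor.
SAMPLE_ANI = build_riff(b"ACON", (b"anih", bytes(36)))
SAMPLE_WAV = build_riff(b"WAVE", (b"fmt ", bytes(16)), (b"data", bytes(5)))
SAMPLE_TRUNCATED = SAMPLE_ANI[:30]

if __name__ == "__main__":
    for label, buf in [("ani", SAMPLE_ANI), ("wav", SAMPLE_WAV),
                       ("cut", SAMPLE_TRUNCATED), ("txt", b"plain text, not RIFF")]:
        print(label, is_animated_cursor(buf), inspect_riff(buf))
```
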
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Mar 31 10:40:49 2007
Subject: setting up Mailscanner rules
In-Reply-To: <531F1E080638384C9623B00D71AA546D028FDF2B@exchange.musicreports.com>
References: <531F1E080638384C9623B00D71AA546D028FDF2B@exchange.musicreports.com>
Message-ID: <223f97700703310232w7fa730a7y565c1b2f59e0ba10@mail.gmail.com>

On 31/03/07, James D. Parra wrote:
> Hello,
>
> I'd like to create a rule that allows two specific internal e-mail addresses
> to only receive mail from two specific domains and from no other. How can I
> accomplish that?
>
> I was looking at some examples, but I couldn't see what was the best way to
> achieve this. I still want mail from the two domains to go to other internal
> mail accounts, however the two specific internal e-mail accounts should only
> receive mail from the two specified domains.
>
> Many thanks in advance.
>
> ~James

Why wait until MailScanner to do this? The RFCs will force you to
bounce non-wanted messages .... not good.
Use your MTA to reject all unwanted and only accept those very few for
those addresses... That way you never assume responsibility for the
unwanted messages.
How to do this differs from MTA to MTA... Although it'll be somewhat
off-topic for this list, I'm sure there are some nice persons here
that will help you, if you don't know how to do that in your
particular MTA.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From paul.hutchings at mira.co.uk Sat Mar 31 19:35:47 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Sat Mar 31 18:43:39 2007
Subject: Using Razor with MailScanner/Postfix?
Message-ID:

If I want to use Razor with MailScanner/Spamassassin and Postfix, can
someone clarify the steps needed to make Razor work correctly?

I'm finding by default I have a razor-agent.log being created in
/var/spool/postfix/hold which Postfix complains about, and I can't seem
to find a definitive answer on how best to solve this.

TIA,
Paul

--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
mailto:paul.hutchings@mira.co.uk

From paul.hutchings at mira.co.uk Sat Mar 31 20:30:03 2007
From: paul.hutchings at mira.co.uk (Paul Hutchings)
Date: Sat Mar 31 19:37:57 2007
Subject: Using Razor with MailScanner/Postfix?
Message-ID:

Just to follow up on my own post here, I've done something that seems to
work, but would appreciate a sanity check.

As root:

Ran razor-admin -create
Ran razor-admin -register
cp -r /root/.razor /var/spool/MailScanner/
chown -R postfix.postfix /var/spool/MailScanner/

Which leaves me with a /var/spool/MailScanner/.razor folder with a bunch
of razor config/registration files readable and writeable by Postfix.

I then added to /etc/MailScanner/spam.assassin.prefs.conf the line:

razor_config /var/spool/MailScanner/.razor/razor-agent.conf

and restarted MailScanner.

Everything looks to be working, the razor-agent.log file is being
modified, have I missed anything obvious/crucial?

cheers,
Paul

--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
mailto:paul.hutchings@mira.co.uk

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Paul Hutchings
Sent: 31 March 2007 18:36
To: MailScanner discussion
Subject: Using Razor with MailScanner/Postfix?

If I want to use Razor with MailScanner/Spamassassin and Postfix, can
someone clarify the steps needed to make Razor work correctly?

I'm finding by default I have a razor-agent.log being created in
/var/spool/postfix/hold which Postfix complains about, and I can't seem
to find a definitive answer on how best to solve this.

TIA,
Paul

--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
mailto:paul.hutchings@mira.co.uk

From drew at technologytiger.net Sat Mar 31 22:33:44 2007
From: drew at technologytiger.net (Drew Marshall)
Date: Sat Mar 31 21:41:41 2007
Subject: Using Razor with MailScanner/Postfix?
In-Reply-To:
References:
Message-ID: <8C9F61AA-77A4-45DA-9C89-9BDF8709FF73@technologytiger.net>

On 31 Mar 2007, at 19:30, Paul Hutchings wrote:

> Just to follow up on my own post here, I've done something that seems to
> work, but would appreciate a sanity check.
>
> As root:
>
> Ran razor-admin -create
> Ran razor-admin -register
> cp -r /root/.razor /var/spool/MailScanner/
> chown -R postfix.postfix /var/spool/MailScanner/
>
> Which leaves me with a /var/spool/MailScanner/.razor folder with a bunch
> of razor config/registration files readable and writeable by Postfix.
>
> I then added to /etc/MailScanner/spam.assassin.prefs.conf the line:
>
> razor_config /var/spool/MailScanner/.razor/razor-agent.conf
>
> and restarted MailScanner.
>
> Everything looks to be working, the razor-agent.log file is being
> modified, have I missed anything obvious/crucial?

No, that's one of the methods and it works fine. I use different
directories/ files but the same method, so i would say you have done
good :-)

Drew