From ssilva at sgvwater.com Tue Apr 1 00:41:00 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Apr 1 00:41:58 2008
Subject: wiki still suggesting ordb
In-Reply-To: <47F14A3E.4000202@appstate.edu>
References: <20080330132840.GA8303@ubuntu> <47EFAC0B.2000608@ecs.soton.ac.uk> <47EFB55C.8000909@vanderkooij.org> <47EFBC9D.5090606@ecs.soton.ac.uk> <223f97700803310332m7d686714o7abfa2d9437ff9ce@mail.gmail.com> <47F0C98E.3050401@ecs.soton.ac.uk> <625385e30803310535j53adc7e6tbac75f25a9fc31d3@mail.gmail.com> <47F0E2C8.3070807@ecs.soton.ac.uk> <47F13BEA.9010709@ecs.soton.ac.uk> <47F14A3E.4000202@appstate.edu>
Message-ID:

on 3-31-2008 1:31 PM Laramie Combs spake the following:
> Julian Field wrote:
>>
>> Scott Silva wrote:
>>> on 3-31-2008 6:10 AM Julian Field spake the following:
>>>> Thanks for that. Fixed the problem now. Hopefully other people can
>>>> edit the page too.
>>>>
>>>> shuttlebox wrote:
>>>>> On Mon, Mar 31, 2008 at 1:22 PM, Julian Field
>>>>> wrote:
>>>>>
>>>>>> I've fixed the perms as much as I can (currently everything is world
>>>>>> writable) and it still complains.
>>>>>> Damn wikis :-(
>>>>>
>>>>> I found this:
>>>>>
>>>>> http://wiki.splitbrain.org/wiki:acl
>>>>>
>>>>> Maybe it's of some help.
>>>>
>>>> Jules
>>>
>>> Looks to be working now, but the edit now points to a soon to be
>>> obsolete since spamhaus recommends to use zen instead of sbl+xbl.
>>
>> Didn't know that one. Fixed.
>> I've changed the default shipped MailScanner.conf file so it uses
>> spamhaus-ZEN by default.
>> That should be okay for a new installation shouldn't it?
>> I'll add a note saying that they shouldn't use spamhaus lists unless
>> they are a low-volume site or they have paid for a direct feed.
>>
>> Does that sound okay?
>>
>> Jules
>
> My 2 cents worth says that I don't like zen because it includes the PBL,
> which has gotten us into hot water in the past.
> There is a disclaimer on their site that says
>
> "Caution: Because the PBL lists normal customer IP space, do not use PBL
> on smarthosts or SMTP AUTH outbound servers for your own customers (or
> you risk blocking your own customers if their dynamic IPs are in the
> PBL). Do not use PBL in filters that do any "deep parsing" of Received
> headers, or for other than checking IP addresses that hand off to your
> mailservers."
>
> This was the case for us, as these same boxes do in and outbound
> traffic, and caused us to start marking our own mail. Dropping back to
> sbl-xbl fixed it for us.
>
> -Laramie

I dug through the spamhaus website and now I can't find any mention of dropping the sbl+xbl lookups. Maybe they had a change of heart, or clients have complained because they want to avoid the PBL lookups. I have to admit I haven't looked there since late November.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From ssilva at sgvwater.com Tue Apr 1 00:43:50 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Apr 1 00:45:16 2008
Subject: perms on bayes_journal
In-Reply-To: <47F152C4.3030308@openenterprise.ca>
References: <47F152C4.3030308@openenterprise.ca>
Message-ID:

on 3-31-2008 2:08 PM Johnny Stork spake the following:
> I have found for some reason, on my MS (current) setup running on
> Centos5, that the files in /etc/Mailcanner/bayes/ keep getting the
> permissions changed and I am not sure how this is happening. Right now
> they show
>
> root@gateway:/etc/MailScanner# ls -la bayes/
> total 14464
> drwxrwxrwx 2 777 root 4096 Mar 31 13:31 .
> drwxr-xr-x 6 root root 4096 Mar 31 13:04 ..
> -rw------- 1 777 root 48480 Mar 31 14:01 bayes_journal
> -rwxrwxrwx 1 777 root 1152 Mar 31 13:41 bayes.mutex
> -rwxrwxrwx 1 777 root 10514432 Mar 31 13:41 bayes_seen
> -rw------- 1 777 root 5308416 Mar 31 13:41 bayes_toks
> -rwxrwxrwx 1 777 root 423 Sep 24 2007 razor-agent.log
> -rwxrwxrwx 1 777 root 0 Sep 24 2007 Starting
> -rwxrwxrwx 1 777 root 0 Sep 24 2007 Update
>
> And so bayes_journal and bayes_toks can't be accessed by MailScanner
> which runs as root. I have to go in and chmod 777 bayes* in order for
> MailScanner/SA to access those files, or to show the Bayes stats in the
> MailWatch interface.
>
> Is there some place I should be setting the permissions for those files?
> I don't want to have to keep going in and manually changing the modes.

It looks like at one time you CHOWN'd to 777, which probably isn't what you wanted.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From tech1 at computer-care.com.au Tue Apr 1 01:32:03 2008
From: tech1 at computer-care.com.au (Glen Prestidge)
Date: Tue Apr 1 01:32:07 2008
Subject: [SPAM-LOW] Re: Every email is tagged as spam
In-Reply-To: <20080331061959.0affeae7@scorpio>
Message-ID: <001e01c8938f$cf092ab0$3c80a8c0@CWDOMAIN.local>

Hi Gerard / others

Not sure about where I am going to turn this off, I have only just started playing around with this software (or learning it)

The items are now updated I have run portmanager

p5-Mail-SpamAssassin-3.2.4_3
MailScanner-4.67.6_1
clamav-0.92.1_1

This server that these apps were installed on, has not been updated for about 6mths and this all started occurring prior to the portupgrade / portmanager

Glen

-----Original Message-----
From: Gerard [mailto:gerard@seibercom.net]
Sent: Monday, 31 March 2008 6:20 PM
To: mailscanner@lists.mailscanner.info
Cc: Glen Prestidge
Subject: [SPAM-LOW] Re: Every email is tagged as spam

On Mon, 31 Mar 2008 09:54:01 +0800
"Glen Prestidge" wrote:

> I am having a problem with a customer's server running freebsd 6.2
> with Mailscanner + clamav + SpamAssassin
> These are the version of what is currently installed
> p5-Mail-SpamAssassin-3.1.7_1
> clamav-0.88.
> MailScanner-4.55.10
> Every email that we get sent to that server is classified as spam even
> though no text in the email or it's from a legitimate source
> I am reluctant to upgrade the software, using the portmanager program
> on freebsd - it installs a new version of mail tools which knocks out
> mailscanner.
> This only started since Thursday of last week and nothing on the
> server has been updated from what I can see, and staff at the office
> don't have access to any of the servers there.

First, check to see if you are using ordb.org. If you are, remove it.
There are several postings on this list, and others, regarding it.

Second, the program versions you listed above are seriously out-of-date. Especially, 'clamav', which I believe had a security problem that was corrected in the newest version. In any case, its scanning speed was improved vastly.

I use FreeBSD myself, so I know something about it. I would recommend that you first update your ports tree. Then, assuming you are using the latest version of 'portmanager', run: 'portmanager -u -p -l -y' sans quotation marks. Reboot the system and check to see if 'Mailscanner' starts and runs correctly. It should. If not, reinstall 'MailScanner'.

cd /usr/ports/mail/mailscanner
make clean && make && make deinstall && make reinstall

Actually, I do not have a problem when updating. I am not sure why you would either.

--
Gerard
gerard@seibercom.net

The great nations have always acted like gangsters and the small nations like prostitutes.

Stanley Kubrick

From mark at msapiro.net Tue Apr 1 01:37:30 2008
From: mark at msapiro.net (Mark Sapiro)
Date: Tue Apr 1 01:38:02 2008
Subject: what am I dealing with here?
In-Reply-To: <10964996.201207001679729.JavaMail.root@mail.lctn.org>
References: <20080331211705.GA1260@msapiro> <10964996.201207001679729.JavaMail.root@mail.lctn.org>
Message-ID: <20080401003730.GA408@msapiro>

On Mon, Mar 31, 2008 at 05:14:39PM -0500, admin@lctn.org wrote:
> As long as kms.k12.mn.us has even just an A record in DNS, it will
> get spam directed to that address.
>
> Removing the 10 kms.k12.mn.us MX might help, but probably not
> completely.
>
> All our schools configure their firewall, so they only receive mail from our mailscanner. We leave the MX record in place, in case our server goes down, so they will still get their mail by removing the rule.

It seems I misunderstood? I thought you said in your original post that the connect to kms.k12.mn.us was from a Venezuelan IP.
You didn't show any Received: headers after the alleged connect from n75.bullet.mail.sp1.yahoo.com [98.136.44.51] to relay-4.lctn.org, so I don't see that, and maybe I got it wrong.

Now that I look more closely, it seems that the Venezuelan IP was the possible original source of the message which then passed through some Yahoo servers to you. So if your question was how to give this message a higher score, I defer to Julian's response at .

--
Mark Sapiro mark at msapiro net       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

From hvdkooij at vanderkooij.org Tue Apr 1 06:31:33 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Apr 1 06:32:37 2008
Subject: [SPAM-LOW] Re: Every email is tagged as spam
In-Reply-To: <001e01c8938f$cf092ab0$3c80a8c0@CWDOMAIN.local>
References: <001e01c8938f$cf092ab0$3c80a8c0@CWDOMAIN.local>
Message-ID: <47F1C8B5.3080801@vanderkooij.org>

Glen Prestidge wrote:
| Hi Gerard / others
|
| Not sure about where I am going to turn this off, I have only just started
| playing around with this software (or learning it)

Then you have not done what you should have done. Read the archives because this is what the mailinglist is chatting about all week.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From hvdkooij at vanderkooij.org Tue Apr 1 06:44:02 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Apr 1 06:44:34 2008
Subject: what am I dealing with here?
In-Reply-To: <29632052.2921206978809589.JavaMail.root@mail.lctn.org>
References: <29632052.2921206978809589.JavaMail.root@mail.lctn.org>
Message-ID: <47F1CBA2.5080704@vanderkooij.org>

admin@lctn.org wrote:
| I got a call from a school we scan mail for, complaining they are
| getting some inappropriate email, which is sailing through our scanner
| with a very low score.

Think VERY, VERY hard on whether you need yahoo to send email to you. I have actually blocked it altogether. I get shitloads of spam from their servers and no one I know is using Yahoo. So nothing is lost in blocking it.

If you still want it then make sure you do not give them any credit by giving negative spam points for having a valid DKIM header for example.

| 127.0.0.1 relay-4.lctn.org (GeoIP Lookup Failed) [ ] [
| ] [ ] [ ]

This is a config problem on your host. It should not list a loopback address with your hostname attached to it.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From jan-peter at koopmann.eu Tue Apr 1 07:48:47 2008
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Tue Apr 1 07:50:14 2008
Subject: OT: Sendmail REJECT or DISCARD preference
In-Reply-To:
References: <47ED0443.6030502@cnpapers.com><47ED0F7F.7010502@fsl.com> <47ED2099.5040201@farrows.org><47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org><47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org><47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org><223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com>
Message-ID:

Hi,

this will probably be my last comment to this as well since it really makes no sense any more. If (!) I understood Peter's setup correctly - which due to some later comments is only a 90% fact - I totally agree with Matt, Glenn, Stephen etc.

> Well I guess that it all comes down to what works best for you, I like
> being on this list because we can all share stuff together and some
> really good stuff comes up quite a lot....

Good to hear. But if your setup under any circumstances produces backscatter (and I am pretty sure there are joe-job attacks that your scenario will not DISCARD) it is not only your problem and your network anymore. However, since no backscatter will ever reach my clients or my mailserver I do not really care about that so much personally. So yes: Please continue whatever you are doing.

> ~For me I like very much *not* to know about what my clients do with
> their email servers which are all not MailScanners of any kind. I like
> very much to filter their email very effectively, without having to even
> go to their site or configure any of their servers.

All of us agree to this point. And all solutions we presented fulfill this requirement 100%.
And most of us here are not talking about small mail installations with a few thousand mails per day. I am pretty sure that Julian's implementations scale far higher than that. And Stephen is actually living from a mail-filtering product that is doing exactly what you want and doing it so efficiently that even a very small box can filter millions of mails per day and do that for thousands of domains and backend servers.

> For the avoidance of doubt my clients are the ones who pay my mortgage,
> this way works supremely well for me and those clients.

I still think some of the magic of your implementation did not reach us. What if I send a mail to one of your clients and do get the address wrong? I am not a spammer. I would expect to receive a valid NDR for that.

- Is the message going to be discarded? If yes: by whom?
- If being rejected: By whom?
- Who/what is making the decision whether to accept, reject, discard, deliver the message (coming from a valid sender going to an invalid recipient) based on what?
- Is my mail then finally going to your (not the client's) postmaster mailbox? If so, bear in mind that this is very unexpected behavior and in some countries even on the verge of being illegal.

If you rejected at the correct level I would receive an NDR and the only person having to deal with it is the person who made the mistake in the first place: I. Not your clients, not you.

In your explanation (which I am honestly looking forward to) please humor me and assume that there is no such thing as a reliable list of spammers (neither IP nor address based), since as Stephen pointed out, there is none. IPs keep changing every few days, even if you block all dial-in networks. Addresses of spammers are fluctuating as well and in many cases are perfectly valid due to spoofing. So how do you make that decision?

> There might be one day where I might want to use a REJECT, but 3
> million+ messages a month and I still haven't found a use for it yet
> over a discard.

See my example above. And please try to answer to some of the points others made. If you accept a mail that you later have to discard/reject you are either wasting your mailscanner resources, lose information (or send it to someone's postmaster box where it does not belong) or produce backscatter.

> Things get messy real quick with this type of volume of mail, especially
> when you don't hold any mailboxes on any of your own machines.

That is completely irrelevant. If you do a smart recipient verification with caching (using postfix, milter-ahead, exim, barricade mx) this will cost you very little. Even millions of mails a day will not bring this particular system down. A really DDossy joe-job might influence your system but from what I understand it will do so much more in your current setup. You only gain. And no: You do not need to know anything about the client's system. That is the beauty. Even if you encounter a dumb smarthost: Some implementation (exim for sure) will discover this and interpret the answer so that it will not ask that smarthost (let's call it proxy!) again since it would make no sense.

>> It actually doesn't. Work better, that is:-). But I'm pretty certain
>> I'll never convince you of that...;-).
>> And the beauty of the call-ahead... is that you needn't care one whit
>> about smarthosts or anything. Because when that host accepts the mail,
>> you are out of the DSN-loop... it is their problem;-).

>>you are out of the DSN-loop... it is their problem;-).
>--I'm their postmaster--- remember--- my clients don't want it to be "their problem"..

If they accept the mail (for whatever reason): How is it not their problem?
The only point where the actual decision whether the recipient is correct or not can be determined is the final host with the mailboxes on it (this does not mean that the front-end MX could not automatically learn valid/invalid recipients and do the rejection where it should take place which is at the earliest possible time/position): The client's machine. Every installation I know (and I have seen quite a few) is capable of rejecting invalid recipients. Even Exchange 5.5 with proper tools is. And besides the obvious case of a deliberate spam-trap there is absolutely no point whatsoever in accepting mail for nonexistent recipients on the final machines since this will most definitely result in wasting of resources (theirs and ours). Even if you - with yet to be described magic - manage to discard all their unnecessary NDRs: They have to send it. Now if this is a small client with a small box and I would start a joe-job with about a million mails to them, this would really mean trouble for their MTA and their connectivity. :-)

Therefore: Either their system is set up correctly and only accepts mails for valid recipients or they are doing something wrong. If you are their smarthost for outgoing mails as well I would demand that their system only accepts mails for valid recipients. Otherwise you have a totally unnecessary problem on your machine. We are not talking about rocket science. In most MTAs we are talking about either the default configuration or very few very well documented config-lines. In Exchange we are talking about two checkboxes (if I remember correctly) that need to be checked. If they fail to do this it is their problem.

And yes: You have every right to do it differently and create problems you would not have with other solutions. As long as it stays your problem I am totally fine with that. And thanks to Stephen (and his crew) I could not care less about backscatter...
:-)

Kind regards,
JP

From MailScanner at ecs.soton.ac.uk Tue Apr 1 10:04:41 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 1 10:05:27 2008
Subject: perms on bayes_journal
In-Reply-To: <47F152C4.3030308@openenterprise.ca>
References: <47F152C4.3030308@openenterprise.ca>
Message-ID: <47F1FAA9.8080308@ecs.soton.ac.uk>

Johnny Stork wrote:
> I have found for some reason, on my MS (current) setup running on
> Centos5, that the files in /etc/Mailcanner/bayes/ keep getting the
> permissions changed and I am not sure how this is happening. Right now
> they show
>
> root@gateway:/etc/MailScanner# ls -la bayes/
> total 14464
> drwxrwxrwx 2 777 root 4096 Mar 31 13:31 .
> drwxr-xr-x 6 root root 4096 Mar 31 13:04 ..
> -rw------- 1 777 root 48480 Mar 31 14:01 bayes_journal
> -rwxrwxrwx 1 777 root 1152 Mar 31 13:41 bayes.mutex
> -rwxrwxrwx 1 777 root 10514432 Mar 31 13:41 bayes_seen
> -rw------- 1 777 root 5308416 Mar 31 13:41 bayes_toks
> -rwxrwxrwx 1 777 root 423 Sep 24 2007 razor-agent.log
> -rwxrwxrwx 1 777 root 0 Sep 24 2007 Starting
> -rwxrwxrwx 1 777 root 0 Sep 24 2007 Update
>
> And so bayes_journal and bayes_toks can't be accessed by MailScanner
> which runs as root.

I think you've got a typo here somewhere. If MailScanner is running as root, then by definition it can access all files.

> I have to go in and chmod 777 bayes* in order for MailScanner/SA to
> access those files, or to show the Bayes stats in the MailWatch
> interface.
>
> Is there some place I should be setting the permissions for those
> files? I don't want to have to keep going in and manually changing the
> modes.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From ben.tisdall at photobox.com Tue Apr 1 11:01:14 2008
From: ben.tisdall at photobox.com (Ben Tisdall)
Date: Tue Apr 1 11:03:21 2008
Subject: Rationale of bumping bayes scores
Message-ID: <47F207EA.9090907@photobox.com>

Hi,

what's the thinking behind the bumping up/down of SA scores for bayes rules in the default config? We've got spam that's tripping dcc, razor etc but being allowed due to bayes_00 subtracting 15 points.

I'm guessing I'll be told to fix our bayes db :)

Best regards,

Ben.

--
Ben Tisdall
Linux Systems Administrator
www.photobox.com

From gerard at seibercom.net Tue Apr 1 11:28:30 2008
From: gerard at seibercom.net (Gerard)
Date: Tue Apr 1 11:29:29 2008
Subject: Every email is tagged as spam
In-Reply-To: <001e01c8938f$cf092ab0$3c80a8c0@CWDOMAIN.local>
References: <20080331061959.0affeae7@scorpio> <001e01c8938f$cf092ab0$3c80a8c0@CWDOMAIN.local>
Message-ID: <20080401062830.140a5dc7@scorpio>

On Tue, 1 Apr 2008 08:32:03 +0800
"Glen Prestidge" wrote:

> Gerard
> "Glen Prestidge" wrote:
>
> > I am having a problem with a customer's server running freebsd 6.2
> > with Mailscanner + clamav + SpamAssassin
>
> > These are the version of what is currently installed
> > p5-Mail-SpamAssassin-3.1.7_1
> > clamav-0.88.
> > MailScanner-4.55.10
>
> > Every email that we get sent to that server is classified as spam
> > even though no text in the email or it's from a legitimate source
>
> > I am reluctant to upgrade the software, using the portmanager
> > program on freebsd - it installs a new version of mail tools which
> > knocks out mailscanner.
>
> > This only started since Thursday of last week and nothing on the
> > server has been updated from what I can see, and staff at the office
> > don't have access to any of the servers there.
>
> First, check to see if you are using ordb.org. If you are, remove it.
> There are several postings on this list, and others, regarding it.
>
> Second, the program versions you listed above are seriously
> out-of-date. Especially, 'clamav', which I believe had a security
> problem that was corrected in the newest version. In any case, its
> scanning speed was improved vastly.
>
> I use FreeBSD myself, so I know something about it. I would recommend
> that you first update your ports tree. Then, assuming you are using
> the latest version of 'portmanager', run: 'portmanager -u -p -l -y'
> sans quotation marks. Reboot the system and check to see if
> 'Mailscanner' starts and runs correctly. It should. If not, reinstall
> 'MailScanner'.
>
> cd /usr/ports/mail/mailscanner
> make clean && make && make deinstall && make reinstall
>
> Actually, I do not have a problem when updating. I am not sure why you
> would either.

> Hi Gerard / others
>
> Not sure about where I am going to turn this off, I have only just
> started playing around with this software (or learning it)
>
> The items are now updated I have run portmanager
>
> p5-Mail-SpamAssassin-3.2.4_3
> MailScanner-4.67.6_1
> clamav-0.92.1_1
>
> This server that these apps were installed on, has not been updated
> for about 6mths and this all started occurring prior to the
> portupgrade / portmanager

Glen, please don't top post.
It makes following a thread a lot more difficult than it needs to be.

Could you please describe in detail exactly what your problem is now. You will need to include logs, configuration files, etc. where relevant to the problem(s) you are experiencing.

For the record, did you remove any reference to: ordb.org in your configuration file? Also, did you try rebooting your system after updating? You should also check out the clamd.conf file since it is significantly different from the one you were using with your older version of clamav. Changes made to these files will not be reflected until you restart the daemons; therefore, I would suggest that you make any required modifications to them prior to rebooting the system or restarting the programs.

One last thing, since I do not know the specifics of your system, did you read the '/usr/ports/UPDATING' file to see if there were any notes that pertained to files being updated on your system? It is always a good place to start.

--
Gerard
gerard@seibercom.net

The early worm gets the bird.

From veliogluh at itu.edu.tr Tue Apr 1 11:53:23 2008
From: veliogluh at itu.edu.tr (Hakan VELIOGLU)
Date: Tue Apr 1 11:54:37 2008
Subject: clamd and clamav with failover
In-Reply-To: <001e01c8938f$cf092ab0$3c80a8c0@CWDOMAIN.local>
References: <001e01c8938f$cf092ab0$3c80a8c0@CWDOMAIN.local>
Message-ID: <20080401135323.j2m8jtox354owwcs@webmail.itu.edu.tr>

Hi,

Can mailscanner use clamav and clamd with failover? I mean it uses clamd for primary scanner and when clamd gets down or crashed it could use clamav until the next reload (or restart).

Is there a trick that I can use this behaviour?

Hakan

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

From MailScanner at ecs.soton.ac.uk Tue Apr 1 13:43:58 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 1 13:44:47 2008
Subject: Rationale of bumping bayes scores
In-Reply-To: <47F207EA.9090907@photobox.com>
References: <47F207EA.9090907@photobox.com>
Message-ID: <47F22E0E.6080103@ecs.soton.ac.uk>

Ben Tisdall wrote:
> Hi,
>
> what's the thinking behind the bumping up/down of SA scores for bayes
> rules in the default config? We've got spam that's tripping dcc, razor
> etc but being allowed due to bayes_00 subtracting 15 points.

Since when did bayes_00 score -15? I thought it was about -2.6. What version of SpamAssassin are you running? Are you running sa-update every night?

>
> I'm guessing I'll be told to fix our bayes db :)
>
> Best regards,
>
> Ben.
>
> --
> Ben Tisdall
> Linux Systems Administrator
> www.photobox.com

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From admin at lctn.org Tue Apr 1 13:45:11 2008
From: admin at lctn.org (admin@lctn.org)
Date: Tue Apr 1 13:45:54 2008
Subject: what am I dealing with here?
In-Reply-To: <5365473.401207053881908.JavaMail.root@mail.lctn.org>
Message-ID: <10067728.421207053911694.JavaMail.root@mail.lctn.org>

>If you still want it then make sure you do not give them any credit by
>giving negative spam points for having a valid DKIM header for example.

>This is a config problem on your host. It should not list a loopback
>address with your hostname attached to it.

Thanks much for the comments. I was messing with the host settings a few days ago, and didn't realize I had left the loopback address in place. Fixed that now. As far as blocking Yahoo, that is not a viable solution, since I cannot dictate who can send mail to the 20 school districts I manage.

I had lost the doc that was sent to me from the school that has noticed the issue. I retrieved it last night, and was looking over the header info. Two that I looked at had bogus to, and from info, so I am not sure how it even ended up at the school. That was the info I meant to send with my first post. It almost seemed like the sender was bouncing off of my server, but I don't see any indication the server has been compromised. I included one header below.

Received: from relay-4.lctn.org [64.8.148.4] by kms.k12.mn.us with ESMTP (SMTPD-9.22) id AECD01E4; Sat, 29 Mar 2008 06:58:05 -0500
Received: from n78.bullet.mail.sp1.yahoo.com (n78.bullet.mail.sp1.yahoo.com [98.136.44.42]) by relay-4.lctn.org (Postfix) with SMTP id D27BB3800C8 for ; Sat, 29 Mar 2008 06:58:00 -0500 (CDT), Found to be clean
Received: from [216.252.122.217] by n78.bullet.mail.sp1.yahoo.com with NNFMP; 29 Mar 2008 11:57:44 -0000
Received: from [69.147.65.167] by t2.bullet.sp1.yahoo.com with NNFMP; 29 Mar 2008 11:57:44 -0000
Received: from [127.0.0.1] by omp502.mail.sp1.yahoo.com with NNFMP; 29 Mar 2008 11:57:44 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 223248.63370.bm@omp502.mail.sp1.yahoo.com
Received: (qmail 73645 invoked by uid 60001); 29 Mar 2008 11:57:44 -0000
X-YMail-OSG: ya5jHRQVM1kffY18TagCnS1ihBmgHFS_ulpGyHyQwVzTfSAuwOoldZGW9FojvBQlb18qMfMvN3MuLoq2.KCS_I9XqZK55uVSh__twWr_vWlplfoIsNtigd_4tqzQvBZURj1aoqnNzHZtajobmri5AowZIdKwaTQKD3Ge0QbN0isrvH4.gsG2Y_G4dmDX4a6gkZiJ7skAFIn24wV0qGtnc4Qi8.lGhzxxES0uoVwZjA--
Received: from [77.218.62.119] by web45109.mail.sp1.yahoo.com via HTTP; Sat, 29 Mar 2008 04:57:43 PDT
Date: Sat, 29 Mar 2008 04:57:43 -0700 (PDT)
From: elke vanzanten
Subject: hey
To: kelekia@interpac.net
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1049636514-1206791863=:70178"
Content-Transfer-Encoding: 8bit
Message-ID: <8831.70178.qm@web45109.mail.sp1.yahoo.com>
X-Spam-Status: No
X-RCPT-TO:
Status: `
X-UIDL: 436929799
X-IMail-ThreadID: 2ecc00ca00001b26

From campbell at cnpapers.com Tue Apr 1 13:56:47 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Tue Apr 1 13:57:26 2008
Subject: OT: Sendmail REJECT or DISCARD preference
In-Reply-To: <47F16A55.7090508@fsl.com>
References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com>
Message-ID: <47F2310F.4020900@cnpapers.com>

Sorry, all of you that have replied, but, as the original poster of this thread, I have to admit that I might have not asked the question very well, as it looks as if you are all misunderstanding the original question. Let me try to rephrase it, please:

Which is better: sendmail or postfix?

:-)

Anyway, I think I get the point by the way this has drifted around. I'll put my servers to the test with both REJECT and DISCARD and see which does better.

One thing I might add though, is that I can see the benefit of both ways, especially in my situation here. I have two servers that are primary for two different domains. Each primary is backup for the other domain. I do call-ahead using MimeDefang. I think I have all bases covered, and even think that using either option would result in pretty much the same end result. There are so many different ways an email network can be constructed that it appears to be a non-absolute answer.

Thanks so much.
Steve From campbell at cnpapers.com Tue Apr 1 14:00:24 2008 From: campbell at cnpapers.com (Steve Campbell) Date: Tue Apr 1 14:00:47 2008 Subject: perms on bayes_journal In-Reply-To: References: <47F152C4.3030308@openenterprise.ca> Message-ID: <47F231E8.7050109@cnpapers.com> Scott Silva wrote: > on 3-31-2008 2:08 PM Johnny Stork spake the following: >> I have found for some reason, on my MS (current) setup running on >> Centos5, that the files in /etc/Mailcanner/bayes/ keep getting the >> permissions changed and I am not sure how this is happening. Right >> now they show >> >> root@gateway:/etc/MailScanner# ls -la bayes/ >> total 14464 >> drwxrwxrwx 2 777 root 4096 Mar 31 13:31 . >> drwxr-xr-x 6 root root 4096 Mar 31 13:04 .. >> -rw------- 1 777 root 48480 Mar 31 14:01 bayes_journal >> -rwxrwxrwx 1 777 root 1152 Mar 31 13:41 bayes.mutex >> -rwxrwxrwx 1 777 root 10514432 Mar 31 13:41 bayes_seen >> -rw------- 1 777 root 5308416 Mar 31 13:41 bayes_toks >> -rwxrwxrwx 1 777 root 423 Sep 24 2007 razor-agent.log >> -rwxrwxrwx 1 777 root 0 Sep 24 2007 Starting >> -rwxrwxrwx 1 777 root 0 Sep 24 2007 Update >> >> >> >> >> And so bayes_journal and bayes_toks cant be accessed by MailScanner >> which runs as root. I have to go in an chmod 777 bayes* in order for >> MailScanner/SA to access those files, or to show the Bayes stats in >> the MailWatch interface. >> >> Is there some place I should be setting the permissions for those >> files? I dont want to have to keep going in an manually changing the >> modes. > It looks like at one time you CHOWN'd to 777, which probably isn't > what you wanted. > Isn't that an invalid user '777' and not a chmod '777'? Did you copy these from another machine that had a user with 777 as the user id and that doesn't exist on the current machine? Steve From martyn at invictawiz.com Tue Apr 1 13:59:42 2008 From: martyn at invictawiz.com (Martyn Routley) Date: Tue Apr 1 14:03:54 2008 Subject: what am I dealing with here? 
In-Reply-To: <47F1CBA2.5080704@vanderkooij.org>
References: <29632052.2921206978809589.JavaMail.root@mail.lctn.org>
 <47F1CBA2.5080704@vanderkooij.org>
Message-ID: <47F231BE.1060005@invictawiz.com>

Hugo van der Kooij wrote:
> admin@lctn.org wrote:
> | I got a call from a school we scan mail for, complaining they are
> | getting some inappropriate email, which is sailing through our scanner
> | with a very low score.
>
> Think VERY, VERY hard on whether you need yahoo to send email to you. I
> have actually blocked it altogether. I get shitloads of spam from
> their servers and no one I know is using Yahoo. So nothing is lost in
> blocking it.
>
> If you still want it then make sure you do not give them any credit by
> giving negative spam points for having a valid DKIM header for example.
>
> | 127.0.0.1 relay-4.lctn.org (GeoIP Lookup Failed) [ ] [
> | ] [ ] [ ]
>
> This is a config problem on your host. It should not list a loopback
> address with your hostname attached to it.
>
> Hugo.
>
A general lookout for anyone in the UK.
You should think very hard before you block Yahoo.
Yahoo handle the email for BT Internet so block Yahoo, and you are
blocking BT Internet.
One or two unhappy users?

Martyn Routley
--------------------------------------------------------
Invictawiz - The Internet in Plain English, Guaranteed
web: http://www.invictawiz.com
voip: 6000@sip.invictawiz.com
phone: 0845 003 9020
Reg Addr: 9 Eastmead Ave, Ashford, Kent, TN23 7SB
Co. No: 04253262
--------------------------------------------------------
-----------------------------------------------------------------------------
This message has been scanned for viruses and dangerous content by
the http://www.invictawiz.com MailScanner, and is believed to be clean.
-----------------------------------------------------------------------------

From ajcartmell at fonant.com Tue Apr 1 14:27:37 2008
From: ajcartmell at fonant.com (Anthony Cartmell)
Date: Tue Apr 1 14:28:19 2008
Subject: OT: Sendmail REJECT or DISCARD preference
In-Reply-To: <47F2310F.4020900@cnpapers.com>
References: <47ED0443.6030502@cnpapers.com>
 <47ED2099.5040201@farrows.org>
 <47ED2703.4030802@evi-inc.com>
 <47ED2C26.1070006@farrows.org>
 <47F0F2EF.80307@evi-inc.com>
 <47F0FE33.2000509@farrows.org>
 <47F12507.4070905@evi-inc.com>
 <47F129E7.6050803@farrows.org>
 <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com>
 <47F13C46.5080701@farrows.org>
 <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com>
 <47F15D93.7030005@farrows.org>
 <47F16A55.7090508@fsl.com>
 <47F2310F.4020900@cnpapers.com>
Message-ID:

> Which is better: sendmail or postfix? :-)

Running a production server under Fedora Core, or CentOS? ;)

Anthony
--
www.fonant.com - Quality web sites

From ben.tisdall at photobox.com Tue Apr 1 15:10:01 2008
From: ben.tisdall at photobox.com (Ben Tisdall)
Date: Tue Apr 1 15:10:50 2008
Subject: Rationale of bumping bayes scores
In-Reply-To: <47F22E0E.6080103@ecs.soton.ac.uk>
References: <47F207EA.9090907@photobox.com>
 <47F22E0E.6080103@ecs.soton.ac.uk>
Message-ID: <47F24239.2050501@photobox.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Field wrote:
|> Since when did bayes_00 score -15? I thought it was about -2.6.
|> What version of SpamAssassin are you running? Are you running sa-update
|> every night?
|

Ah. I was looking at this in spam.assassin.prefs.conf on the box in
question.

# Bump up SpamAssassin scores on the high and low end
score BAYES_00 -15.0
score BAYES_05 -10.0
score BAYES_95 10.0
score BAYES_99 15.0

In my haste I hadn't noticed that on my other two MS boxen these were
commented. Chalk that one up to my predecessor I guess...

And yes, update_spamassassin runs nightly.

Thank you Jules.

Best regards,

Ben.
- --
Ben Tisdall
Linux Systems Administrator
www.photobox.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFH8kI5Z929emua3lsRAjl1AKCP4ieNFy9euNGpA/5sLw7A6Lh0fQCfRjhN
w3xoX296PkItN1+tVJSu1bs=
=pe98
-----END PGP SIGNATURE-----

From MailScanner at ecs.soton.ac.uk Tue Apr 1 15:31:33 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 1 15:32:18 2008
Subject: MailScanner ANNOUNCE: 4.68.8 stable released
Message-ID: <47F24745.2090703@ecs.soton.ac.uk>

Folks,

I have just released the latest stable release of MailScanner version
4.68.8. This is *not* an April Fool's joke :-)

Major new improvements this month are:
- Support for the *very fast* fpscand daemon supplied with F-Prot
  version 6.
- New method of updating bad phishing sites configuration list to use
  major new fireproof delivery system. Many thanks to Matt Hampton for
  all his help with this.
- filename.rules.conf and filetype.rules.conf can now list email
  addresses. Emails containing attachments matching these names or types
  will be diverted to these addresses instead of the original recipients.
- New "Automatic Syntax Check" option (on by default) to check your
  configuration is syntactically correct before trying to start up.

Download as usual from www.mailscanner.info.

The full Change Log is this:

* New Features and Improvements *
1 Support for the Fpscand daemon that is supplied with F-Prot version 6.
  Add this line to your virus.scanners.conf
      f-protd-6 /bin/false /usr/local/f-prot
  and set "Virus Scanners = f-protd-6" in your MailScanner.conf.
  This is very much faster than the f-prot-6 command-line scanner.
3 Improved the list of ignored web-bug filenames.
3 New update_bad_phishing_sites script to use major new fireproof delivery
  system. Many thanks to Matt Hampton for all his time and support with this.
3 Updated to Catalan translation.
3 Updated support for Vexira "vascan" virus scanner.
3 Changed location of Web-Bug Replacement image. upgrade_MailScanner_conf
  will put in the new URL. This will give significantly better response to
  your users.
3 Added new option "Log SpamAssassin Rule Actions" so that you can see
  exactly what actions fire on what messages from the "SpamAssassin Rule
  Actions" setting.
3 Added new option to the filename.rules.conf and filetype.rules.conf files.
  Instead of "allow", "deny" or "deny+delete", you can now specify a space
  or comma-separated list of email addresses. If the filename or filetype
  rule is matched, the message is sent to these new addresses instead of the
  ones given in the original email address.
3 Updated support for latest versions of Esets virus scanner from Nod32.
4 Added Net-DNS and Digest-SHA1 to the main MailScanner distributions so
  that they are installed appropriately ready for when you install Razor.
  This way they are installed as RPMs and not just plain Perl modules, as
  the RPM of Razor requires them to have been installed as RPMs.
4 New configuration option "Automatic Syntax Check" added, default is "yes",
  which causes a quick syntax check of the MailScanner.conf file and the
  other configuration files, printing out errors on the console, instead of
  just logging them to your system's mail log as it did before. This will
  hopefully make it easier for novices to get going successfully.
5 SpamAssassin Cache will no longer cache "timed out" responses.
5 Upgraded to perl-Digest-SHA1 version 2.11.
6 Added SpamAssassin MCP patch for 3.2.4.
7 Changed default supplied High-Scoring Spam Actions to "store". That way
  users don't have to work out how to change it, to reduce their spam a lot.

* Fixes *
2 Improved MakeNameSafe() to fix problems caused by f-protd-6 working with
  filenames containing spaces (which it cannot handle!).
2-2 Fixed error in --lint support for F-Protd-6.
2-3 Typo, missed out a "$" :-(
3 Fixed important bug in f-protd handling code.
4 Fixes to Ruleset-From-Function.pm Custom Function code.
5 Fixed various issues with new automatic syntax check (--lintlite) code.
6 Fixed IPBlock problem with MailScanner --lintlite.
6 Fixed Postfix milter problem (thanks Glenn!).
7 Fixed problem with Inline images in HTML signatures. Now works with nested
  multiple replies.
8 Fixed bug where original unsafe filename wasn't used correctly when
  auto-replacing attachments with zipped copies to save space in mail stores.
  Thanks to Armand Leroux at Capgemini for finding this one.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From richard.siddall at elirion.net Tue Apr 1 16:00:16 2008
From: richard.siddall at elirion.net (Richard Siddall)
Date: Tue Apr 1 16:01:05 2008
Subject: Way OT: What's the status of Julian's World Tour?
Message-ID: <47F24E00.6040107@elirion.net>

What's the status of Julian's World Tour?
http://wiki.mailscanner.info/doku.php#jules_world_tour

According to the MailScanner wiki, the USA section was supposed to
happen in 2007: http://wiki.mailscanner.info/doku.php?id=worldtour:usa

Presumably this didn't happen due to Julian's illness last year. Anyone
want to post an updated target date?

Regards,

Richard Siddall

From Kevin_Miller at ci.juneau.ak.us Tue Apr 1 16:07:11 2008
From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller)
Date: Tue Apr 1 16:07:51 2008
Subject: How to check for existing mail accounts?
In-Reply-To: <12776790.391206754928334.JavaMail.root@zimbra.mckerrs.net> References: <12776790.391206754928334.JavaMail.root@zimbra.mckerrs.net> Message-ID: Brian McKerr wrote: > > I have a Zimbra server which, of course, runs openldap and I *used* > to do dynamic LDAP look ups to see if user accounts were valid from > my MS/Postfix gateway. It worked well, but I have since changed to > *not* use LDAP dynamically because whenever I do maintenance on the > zimbra box, the gateway box cannot validate users and therefor > bounces mail. Not good. I now have a script that runs every hour and > it does an LDAP lookup and dumps all valid user account names into a > file that then gets hashed for postfix to look up. Now I can leave > the zimbra machine (vm) down for any amount of time during the night > to take a 'cold' backup of it, without worrying about bouncing > emails. One thing you can do is to have multiple MX hosts, so that when you do service on one, it isn't listening to inbound traffic, hence no bounces. All the traffic is handled by the other mail gateway(s). The backups don't necessarily have to be that beefy - just powerful enough to handle the load for a short time while you do the maintenance... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From MailScanner at ecs.soton.ac.uk Tue Apr 1 17:10:29 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Apr 1 17:11:15 2008 Subject: Way OT: What's the status of Julian's World Tour? In-Reply-To: <47F24E00.6040107@elirion.net> References: <47F24E00.6040107@elirion.net> Message-ID: <47F25E75.3070508@ecs.soton.ac.uk> Richard, Richard Siddall wrote: > What's the status of Julian's World Tour? 
> http://wiki.mailscanner.info/doku.php#jules_world_tour > > According to the MailScanner wiki, the USA section was supposed to > happen in 2007: http://wiki.mailscanner.info/doku.php?id=worldtour:usa > > Presumably this didn't happen due to Julian's illness last year. Anyone > want to post an updated target date? It's going to have to go on hold for a while, I'm afraid. I am currently awaiting an appointment date for my assessment week in hospital in Cambridge, UK, when they will decide if I qualify for a liver transplant. There is a lot of competition, and if you aren't sick enough they don't put you on the list. After that (I should hear a result within a few weeks of the assessment week) I will either be available, and not on the list, or I will be put on the waiting list for a new liver. At that point I can't go further than something like 3 or 4 hours from Cambridge as the call can come at any time of day or night, on any day of the year. So, as far as I understand it, holidays are off until your turn comes round, you have had the op, survived it, and recovered sufficiently to be able to travel. This whole process could easily take at least 2 years. Which is a bummer as it's one of many things I had planned for last year. Ho hum. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From ssilva at sgvwater.com Tue Apr 1 17:17:17 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Apr 1 17:20:38 2008 Subject: OT: Sendmail REJECT or DISCARD preference In-Reply-To: <47F2310F.4020900@cnpapers.com> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> Message-ID: on 4-1-2008 5:56 AM Steve Campbell spake the following: > Sorry, all of you that have replied, but, as the original poster of this > thread, I have to admit that I might have not asked the question very > well, as it looks as if you are all misunderstanding the original > question. Let me try to rephrase it, please: > > Which is better: sendmail or postfix? :-) > Linux or BSD? Blond, brunette, or redhead? Red, white, or Chablis? Pale, lager, or ale? So many questions, so little time!!! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080401/12dc2e8b/signature.bin From alex at nkpanama.com Tue Apr 1 17:31:17 2008 From: alex at nkpanama.com (Alex Neuman) Date: Tue Apr 1 17:32:19 2008 Subject: OT: Sendmail REJECT or DISCARD preference In-Reply-To: References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> Message-ID: <145617D3-6E9F-4F05-93F9-D7E81049F165@nkpanama.com> The real question on everyone's mind is... have they fixed the SWAPPING!?!?! :-P On Apr 1, 2008, at 8:27 AM, Anthony Cartmell wrote: >> Which is better: sendmail or postfix? :-) > > Running a production server under Fedora Core, or CentOS? ;) > > Anthony > -- > www.fonant.com - Quality web sites > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From ssilva at sgvwater.com Tue Apr 1 17:35:10 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Apr 1 17:37:12 2008 Subject: clamd and clamav with failover In-Reply-To: <20080401135323.j2m8jtox354owwcs@webmail.itu.edu.tr> References: <001e01c8938f$cf092ab0$3c80a8c0@CWDOMAIN.local> <20080401135323.j2m8jtox354owwcs@webmail.itu.edu.tr> Message-ID: on 4-1-2008 3:53 AM Hakan VELIOGLU spake the following: > Hi, > > Can mailscanner use clamav and clamd with failover. 
I mean it uses clamd > for > primary scanner and when clamd gets down or crashed it could use clamav > until > the next reload ( or restart). > > Is there a trick that I can use this behaviour. > The trick is to run something like mon or monit (or even a well crafted cron script) that checks your critical services and restarts them if they die. You can also run a second virus scanner for backup. If you use a corporate desktop scanner, you might have an entitlement to a commandline scanner that is supported by MailScanner. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080401/91ff499c/signature.bin From ssilva at sgvwater.com Tue Apr 1 17:45:21 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Apr 1 17:45:40 2008 Subject: perms on bayes_journal In-Reply-To: <47F231E8.7050109@cnpapers.com> References: <47F152C4.3030308@openenterprise.ca> <47F231E8.7050109@cnpapers.com> Message-ID: on 4-1-2008 6:00 AM Steve Campbell spake the following: > > > Scott Silva wrote: >> on 3-31-2008 2:08 PM Johnny Stork spake the following: >>> I have found for some reason, on my MS (current) setup running on >>> Centos5, that the files in /etc/Mailcanner/bayes/ keep getting the >>> permissions changed and I am not sure how this is happening. Right >>> now they show >>> >>> root@gateway:/etc/MailScanner# ls -la bayes/ >>> total 14464 >>> drwxrwxrwx 2 777 root 4096 Mar 31 13:31 . >>> drwxr-xr-x 6 root root 4096 Mar 31 13:04 .. 
>>> -rw------- 1 777 root 48480 Mar 31 14:01 bayes_journal
>>> -rwxrwxrwx 1 777 root 1152 Mar 31 13:41 bayes.mutex
>>> -rwxrwxrwx 1 777 root 10514432 Mar 31 13:41 bayes_seen
>>> -rw------- 1 777 root 5308416 Mar 31 13:41 bayes_toks
>>> -rwxrwxrwx 1 777 root 423 Sep 24 2007 razor-agent.log
>>> -rwxrwxrwx 1 777 root 0 Sep 24 2007 Starting
>>> -rwxrwxrwx 1 777 root 0 Sep 24 2007 Update
>
>>>
>>>
>>>
>>>
>>> And so bayes_journal and bayes_toks cant be accessed by MailScanner
>>> which runs as root. I have to go in an chmod 777 bayes* in order for
>>> MailScanner/SA to access those files, or to show the Bayes stats in
>>> the MailWatch interface.
>>>
>>> Is there some place I should be setting the permissions for those
>>> files? I dont want to have to keep going in an manually changing the
>>> modes.
>> It looks like at one time you CHOWN'd to 777, which probably isn't
>> what you wanted.
>>
>
> Isn't that an invalid user '777' and not a chmod '777'? Did you copy
> these from another machine that had a user with 777 as the user id and
> that doesn't exist on the current machine?
>
> Steve
>
It could be, but I think typing chown instead of chmod is a more reasonable
explanation. You can chown by user or group id also.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080401/f772e636/signature.bin From alex at nkpanama.com Tue Apr 1 17:52:13 2008 From: alex at nkpanama.com (Alex Neuman) Date: Tue Apr 1 17:53:06 2008 Subject: OT: Sendmail REJECT or DISCARD preference In-Reply-To: References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> Message-ID: <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> Baker, Eccleston or Tennant? On Apr 1, 2008, at 11:17 AM, Scott Silva wrote: >> Which is better: sendmail or postfix? :-) > Linux or BSD? > > Blond, brunette, or redhead? > > Red, white, or Chablis? > > Pale, lager, or ale? From campbell at cnpapers.com Tue Apr 1 18:16:32 2008 From: campbell at cnpapers.com (Steve Campbell) Date: Tue Apr 1 18:19:30 2008 Subject: perms on bayes_journal In-Reply-To: References: <47F152C4.3030308@openenterprise.ca> <47F231E8.7050109@cnpapers.com> Message-ID: <47F26DF0.5080307@cnpapers.com> Scott Silva wrote: > on 4-1-2008 6:00 AM Steve Campbell spake the following: >> >> >> Scott Silva wrote: >>> on 3-31-2008 2:08 PM Johnny Stork spake the following: >>>> I have found for some reason, on my MS (current) setup running on >>>> Centos5, that the files in /etc/Mailcanner/bayes/ keep getting the >>>> permissions changed and I am not sure how this is happening. Right >>>> now they show >>>> >>>> root@gateway:/etc/MailScanner# ls -la bayes/ >>>> total 14464 >>>> drwxrwxrwx 2 777 root 4096 Mar 31 13:31 . 
>>>> drwxr-xr-x 6 root root 4096 Mar 31 13:04 ..
>>>> -rw------- 1 777 root 48480 Mar 31 14:01 bayes_journal
>>>> -rwxrwxrwx 1 777 root 1152 Mar 31 13:41 bayes.mutex
>>>> -rwxrwxrwx 1 777 root 10514432 Mar 31 13:41 bayes_seen
>>>> -rw------- 1 777 root 5308416 Mar 31 13:41 bayes_toks
>>>> -rwxrwxrwx 1 777 root 423 Sep 24 2007 razor-agent.log
>>>> -rwxrwxrwx 1 777 root 0 Sep 24 2007 Starting
>>>> -rwxrwxrwx 1 777 root 0 Sep 24 2007 Update
>>
>>>>
>>>>
>>>>
>>>>
>>>> And so bayes_journal and bayes_toks cant be accessed by MailScanner
>>>> which runs as root. I have to go in an chmod 777 bayes* in order
>>>> for MailScanner/SA to access those files, or to show the Bayes
>>>> stats in the MailWatch interface.
>>>>
>>>> Is there some place I should be setting the permissions for those
>>>> files? I dont want to have to keep going in an manually changing
>>>> the modes.
>>> It looks like at one time you CHOWN'd to 777, which probably isn't
>>> what you wanted.
>>>
>>
>> Isn't that an invalid user '777' and not a chmod '777'? Did you copy
>> these from another machine that had a user with 777 as the user id
>> and that doesn't exist on the current machine?
>>
>> Steve
>>
> It could be, but I think typing chown instead of chmod is a more
> reasonable explanation. You can chown by user or group id also.

Somehow, Scott, I didn't see that in your previous post. We're on the
same page, though. Whatever it was, it wasn't modded to 777.

Old eyes and all

Steve

From empirical.humanist at gmail.com Tue Apr 1 18:45:33 2008
From: empirical.humanist at gmail.com (Kirk Lowery)
Date: Tue Apr 1 18:46:09 2008
Subject: How to deliver quarantined email with exim
Message-ID:

I have a bunch of "false positives" in the quarantined directory of
MailScanner. I want to use exim to deliver these messages, but they
are the *-D *-H files that exim normally needs.

Exim delivers mail to a cyrus imap server, and that is why I'd like
exim to deliver these false positives.
I've looked at the man pages, tried a bunch of options, googled and got no clear answer. Can anyone point me toward a solution? TIA! Kirk From empirical.humanist at gmail.com Tue Apr 1 18:46:59 2008 From: empirical.humanist at gmail.com (Kirk Lowery) Date: Tue Apr 1 18:47:10 2008 Subject: How to deliver quarantined email with exim In-Reply-To: References: Message-ID: On Tue, Apr 1, 2008 at 1:45 PM, Kirk Lowery wrote: > I have a bunch of "false positives" in the quarantined directory of > MailScanner. I want to use exim to deliver these messages, but they > are the *-D *-H files that exim normally needs. That should be: ".. but they are NOT the *-D *-H files..." :-) Kirk From MailScanner at ecs.soton.ac.uk Tue Apr 1 18:58:09 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Apr 1 18:59:02 2008 Subject: OT: Sendmail REJECT or DISCARD preference In-Reply-To: <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> Message-ID: <47F277B1.2080705@ecs.soton.ac.uk> Baker, without a doubt. Alex Neuman wrote: > Baker, Eccleston or Tennant? > > On Apr 1, 2008, at 11:17 AM, Scott Silva wrote: >>> Which is better: sendmail or postfix? :-) >> Linux or BSD? >> >> Blond, brunette, or redhead? >> >> Red, white, or Chablis? >> >> Pale, lager, or ale? 
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Tue Apr 1 19:01:50 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 1 19:02:17 2008
Subject: How to deliver quarantined email with exim
In-Reply-To:
References:
Message-ID: <47F2788E.4060000@ecs.soton.ac.uk>

Move them into /var/spool/exim/input, make sure they have exactly the
same ownership, group and permissions as all the other files in there,
and Exim should pick them up and deliver them.
To hurry the process along, something like
    /usr/sbin/exim -C /etc/exit/exit_send.conf -Mc message-id-here
should kick it into making a delivery attempt.

Kirk Lowery wrote:
> I have a bunch of "false positives" in the quarantined directory of
> MailScanner. I want to use exim to deliver these messages, but they
> are the *-D *-H files that exim normally needs.
>
> Exim delivers mail to a cyrus imap server, and that is why I'd like
> exim to deliver these false positives. I've looked at the man pages,
> tried a bunch of options, googled and got no clear answer.
>
> Can anyone point me toward a solution?
>
> TIA!
>
> Kirk
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
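
A pre-flight check for the step described in the message above (same ownership, group and permissions as the other queue files, and both the -H and -D file present), as an added example that is not part of the original post or of MailScanner or Exim. The function names, the 6-6-2 message-id pattern and the sample queue are assumptions made for the illustration; the ids and modes are constructed.

```python
import os
import re
import stat
import tempfile
from collections import Counter

# Assumed Exim 4 spool naming: <message-id>-H (envelope and headers) and
# <message-id>-D (body), with a 6-6-2 base-62 message id.
SPOOL_FILE = re.compile(
    r"^([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})-([HD])$")


def file_signature(path):
    """Return (uid, gid, permission bits) without following symlinks."""
    st = os.lstat(path)
    return (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


def audit_spool(input_dir, moved_ids):
    """Compare hand-moved messages with the files Exim queued itself.

    Returns a list of (message_id, problem) tuples. An empty list means
    every moved message has both spool files and matches the ownership,
    group and mode most common among the rest of the queue.
    """
    moved = set(moved_ids)
    parts = {}  # message id -> {"H": path, "D": path}
    for name in os.listdir(input_dir):
        match = SPOOL_FILE.match(name)
        if match:
            msg_id, kind = match.groups()
            parts.setdefault(msg_id, {})[kind] = os.path.join(input_dir, name)

    # Reference signature: the most common one among files not moved by hand.
    seen = Counter(
        file_signature(path)
        for msg_id, files in parts.items() if msg_id not in moved
        for path in files.values())
    if not seen:
        return [("*", "no existing queue files to compare against")]
    reference = seen.most_common(1)[0][0]

    problems = []
    for msg_id in sorted(moved):
        files = parts.get(msg_id, {})
        for kind in ("H", "D"):
            if kind not in files:
                problems.append((msg_id, "missing -%s file" % kind))
                continue
            uid, gid, mode = file_signature(files[kind])
            if (uid, gid) != reference[:2]:
                problems.append(
                    (msg_id, "-%s owner %d:%d, queue uses %d:%d"
                     % (kind, uid, gid, reference[0], reference[1])))
            if mode != reference[2]:
                problems.append(
                    (msg_id, "-%s mode %04o, queue uses %04o"
                     % (kind, mode, reference[2])))
    return problems


def build_demo_spool():
    """Create a constructed sample queue in a temporary directory."""
    spool = tempfile.mkdtemp(prefix="exim-input-")
    layout = {
        "1AbCdE-000001-AA-H": 0o640, "1AbCdE-000001-AA-D": 0o640,
        "1AbCdE-000002-BB-H": 0o640, "1AbCdE-000002-BB-D": 0o640,
        "1AbCdE-000003-CC-H": 0o640,                 # body file missing
        "1AbCdE-000004-DD-H": 0o640, "1AbCdE-000004-DD-D": 0o666,
        "1AbCdE-000005-EE-H": 0o640, "1AbCdE-000005-EE-D": 0o640,
    }
    for name, mode in layout.items():
        path = os.path.join(spool, name)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
        os.chmod(path, mode)
    return spool


if __name__ == "__main__":
    demo = build_demo_spool()
    moved = ["1AbCdE-000003-CC", "1AbCdE-000004-DD", "1AbCdE-000005-EE"]
    for msg_id, problem in audit_spool(demo, moved):
        print(msg_id, problem)
```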
From steve.freegard at fsl.com Tue Apr 1 19:18:44 2008 From: steve.freegard at fsl.com (Steve Freegard) Date: Tue Apr 1 19:20:35 2008 Subject: OT: Sendmail REJECT or DISCARD preference In-Reply-To: <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> Message-ID: <47F27C84.6070102@fsl.com> Alex Neuman wrote: > Baker Tom or Colin? Cheers, Steve. (Tom Baker was the best...) From campbell at cnpapers.com Tue Apr 1 19:25:58 2008 From: campbell at cnpapers.com (Steve Campbell) Date: Tue Apr 1 19:27:15 2008 Subject: OT: Sendmail REJECT or DISCARD preference In-Reply-To: <47F277B1.2080705@ecs.soton.ac.uk> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> Message-ID: <47F27E36.6060509@cnpapers.com> I can see I have a lot to learn about system administration as I don't have a clue there about what these even are. Steve Julian Field wrote: > Baker, without a doubt. 
> > Alex Neuman wrote: >> Baker, Eccleston or Tennant? >> >> On Apr 1, 2008, at 11:17 AM, Scott Silva wrote: >>>> Which is better: sendmail or postfix? :-) >>> Linux or BSD? >>> >>> Blond, brunette, or redhead? >>> >>> Red, white, or Chablis? >>> >>> Pale, lager, or ale? >> > > Jules > From empirical.humanist at gmail.com Tue Apr 1 19:38:33 2008 From: empirical.humanist at gmail.com (Kirk Lowery) Date: Tue Apr 1 19:39:16 2008 Subject: How to deliver quarantined email with exim In-Reply-To: <47F2788E.4060000@ecs.soton.ac.uk> References: <47F2788E.4060000@ecs.soton.ac.uk> Message-ID: On Tue, Apr 1, 2008 at 2:01 PM, Julian Field wrote: > Move them into /var/spool/exim/input, make sure they have exactly the > same ownership, group and permissions as all the other files in there, > and Exim should pick them up and deliver them. > To hurry the process along, something like > /usr/sbin/exim -C /etc/exit/exit_send.conf -Mc message-id-here > should kick it into making a delivery attempt. Thanks for your response. Here's what happened: delivering 1Jgjhp-0003fH-PS LOG: MAIN Spool file 1Jgjhp-0003fH-PS-D not found Is there something wrong with my conf file? 
Kirk From bpirie at rma.edu Tue Apr 1 19:45:38 2008 From: bpirie at rma.edu (Brendan Pirie) Date: Tue Apr 1 19:44:39 2008 Subject: OT: Sendmail REJECT or DISCARD preference In-Reply-To: <47F27E36.6060509@cnpapers.com> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> <47F27E36.6060509@cnpapers.com> Message-ID: <47F282D2.7040404@rma.edu> >>>> Pale, lager, or ale? What do you mean, OR?! ;) Brendan From steinkel at pa.net Tue Apr 1 19:47:09 2008 From: steinkel at pa.net (Leland J. Steinke) Date: Tue Apr 1 19:47:50 2008 Subject: The Good Doctor (was: Re: OT: Sendmail REJECT or DISCARD preference) In-Reply-To: <47F27E36.6060509@cnpapers.com> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> <47F27E36.6060509@cnpapers.com> Message-ID: <47F2832D.6050807@pa.net> Steve Campbell wrote: > I can see I have a lot to learn about system administration as I don't > have a clue there about what these even are. 
http://en.wikipedia.org/wiki/Doctor_Who It's been on TV all over the world for the last 45 years. Even when on hiatus on the BBC for several years, it was still playing in the US on PBS. New-ish episodes are on BBC America Saturdays at 7PM Eastern. Sarah Jane, Leela, Peri, or either of the Romanas (or Rose or Martha? (or Jack, if one swings that way? (grin))) Leland From MailScanner at ecs.soton.ac.uk Tue Apr 1 19:49:51 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Apr 1 19:51:21 2008 Subject: How to deliver quarantined email with exim In-Reply-To: References: <47F2788E.4060000@ecs.soton.ac.uk> Message-ID: <47F283CF.10804@ecs.soton.ac.uk> Kirk Lowery wrote: > On Tue, Apr 1, 2008 at 2:01 PM, Julian Field > wrote: > > >> Move them into /var/spool/exim/input, make sure they have exactly the >> same ownership, group and permissions as all the other files in there, >> and Exim should pick them up and deliver them. >> To hurry the process along, something like >> /usr/sbin/exim -C /etc/exit/exit_send.conf -Mc message-id-here >> should kick it into making a delivery attempt. >> > > Thanks for your response. > > Here's what happened: > > delivering 1Jgjhp-0003fH-PS > LOG: MAIN > Spool file 1Jgjhp-0003fH-PS-D not found > > Is there something wrong with my conf file? > Not if it normally works. See if you can make the outgoing exim do a complete run of the queue. It should do this periodically anyway, so the reason it couldn't find the file might be that it has already been delivered. Has the files (-D and -H) gone since you moved them there? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mkettler at evi-inc.com Tue Apr 1 19:50:14 2008 From: mkettler at evi-inc.com (Matt Kettler) Date: Tue Apr 1 19:51:32 2008 Subject: OT: Sendmail REJECT or DISCARD preference In-Reply-To: <47F27E36.6060509@cnpapers.com> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> <47F27E36.6060509@cnpapers.com> Message-ID: <47F283E6.3060100@evi-inc.com> Yes, one of the earliest lessons systems admins should learn is that web-searching is your friend :) http://www.google.com/search?hl=en&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=Baker+Eccleston+Tennant&spell=1 The entire first page of hits is all topic relevant :) Steve Campbell wrote: > I can see I have a lot to learn about system administration as I don't > have a clue there about what these even are. > > Steve > > Julian Field wrote: >> Baker, without a doubt. >> >> Alex Neuman wrote: >>> Baker, Eccleston or Tennant? >>> >>> On Apr 1, 2008, at 11:17 AM, Scott Silva wrote: >>>>> Which is better: sendmail or postfix? :-) >>>> Linux or BSD? >>>> >>>> Blond, brunette, or redhead? >>>> >>>> Red, white, or Chablis? >>>> >>>> Pale, lager, or ale? 
>>> >> >> Jules >> > From spamlists at coders.co.uk Tue Apr 1 19:53:16 2008 From: spamlists at coders.co.uk (Matt Hampton) Date: Tue Apr 1 19:54:28 2008 Subject: OT: Sendmail REJECT or DISCARD preference In-Reply-To: <47F282D2.7040404@rma.edu> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> <47F27E36.6060509@cnpapers.com> <47F282D2.7040404@rma.edu> Message-ID: <47F2849C.6030509@coders.co.uk> Brendan Pirie wrote: >>>>> Pale, lager, or ale? > > What do you mean, OR?! ;) > > Brendan > When this popped up in message notifier in Thunderbird I was expecting this comment to be in reply to the Blonde, brunette, or redhead..... suppose I better get my mind out of the gutter...... 
matt From steve.freegard at fsl.com Tue Apr 1 20:01:38 2008 From: steve.freegard at fsl.com (Steve Freegard) Date: Tue Apr 1 20:03:31 2008 Subject: The Good Doctor In-Reply-To: <47F2832D.6050807@pa.net> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> <47F27E36.6060509@cnpapers.com> <47F2832D.6050807@pa.net> Message-ID: <47F28692.7000809@fsl.com> Leland J. Steinke wrote: > Sarah Jane, Leela, Peri, or either of the Romanas (or Rose or Martha? > (or Jack, if one swings that way? (grin))) Romana Mk 2 without the shadow of a doubt ;-) From empirical.humanist at gmail.com Tue Apr 1 20:04:23 2008 From: empirical.humanist at gmail.com (Kirk Lowery) Date: Tue Apr 1 20:05:05 2008 Subject: How to deliver quarantined email with exim In-Reply-To: <47F283CF.10804@ecs.soton.ac.uk> References: <47F2788E.4060000@ecs.soton.ac.uk> <47F283CF.10804@ecs.soton.ac.uk> Message-ID: On Tue, Apr 1, 2008 at 2:49 PM, Julian Field wrote: > > > > Kirk Lowery wrote: > > On Tue, Apr 1, 2008 at 2:01 PM, Julian Field > > wrote: > > > > > >> Move them into /var/spool/exim/input, make sure they have exactly the > >> same ownership, group and permissions as all the other files in there, > >> and Exim should pick them up and deliver them. > >> To hurry the process along, something like > >> /usr/sbin/exim -C /etc/exit/exit_send.conf -Mc message-id-here > >> should kick it into making a delivery attempt. > >> > > > > Thanks for your response. 
> > > > Here's what happened: > > > > delivering 1Jgjhp-0003fH-PS > > LOG: MAIN > > Spool file 1Jgjhp-0003fH-PS-D not found > > > > Is there something wrong with my conf file? > > > Not if it normally works. See if you can make the outgoing exim do a > complete run of the queue. It should do this periodically anyway, so the > reason it couldn't find the file might be that it has already been > delivered. Has the files (-D and -H) gone since you moved them there? In the incoming exim queue new messages are coming in. They have the "-D" and "-H" suffix added to the message id. When I run "exim -q", they are delivered just fine. But the messages from the MailScanner quarantine directory do not have two files per message with these suffixes. There is only one file with the message id as the file name. Kirk From MailScanner at ecs.soton.ac.uk Tue Apr 1 20:33:14 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Apr 1 20:34:05 2008 Subject: OT: Sendmail REJECT or DISCARD preference In-Reply-To: <47F2849C.6030509@coders.co.uk> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> <47F27E36.6060509@cnpapers.com> <47F282D2.7040404@rma.edu> <47F2849C.6030509@coders.co.uk> Message-ID: <47F28DFA.4020400@ecs.soton.ac.uk> Matt Hampton wrote: > Brendan Pirie wrote: >>>>>> Pale, lager, or ale? >> >> What do you mean, OR?! 
;) >> >> Brendan >> > When this popped up in message notifier in Thunderbird I was expecting > this comment to be in reply to the Blonde, brunette, or redhead..... > > suppose I better get my mind out of the gutter...... > > matt I'm glad to see this thread has descended into a 100% harmless OT natter. It so easily could have gone the other way :-) By the way, has anyone tried the new version? It's working okay for me so far. Matt ---- Do your HTML image signatures still work? The code to generate them has changed quite a lot. They should work rather better now with luck (he says, automatically cursing the whole thing :-) Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From doc at maddoc.net Tue Apr 1 20:47:18 2008 From: doc at maddoc.net (Doc Schneider) Date: Tue Apr 1 20:48:18 2008 Subject: OT: Sendmail REJECT or DISCARD preference In-Reply-To: <47F28DFA.4020400@ecs.soton.ac.uk> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> <47F27E36.6060509@cnpapers.com> <47F282D2.7040404@rma.edu> <47F2849C.6030509@coders.co.uk> <47F28DFA.4020400@ecs.soton.ac.uk> Message-ID: <47F29146.1000000@maddoc.net> Julian Field wrote: > > > Matt Hampton wrote: >> Brendan Pirie wrote: >>>>>>> Pale, lager, or ale? >>> >>> What do you mean, OR?! ;) >>> >>> Brendan >>> >> When this popped up in message notifier in Thunderbird I was expecting >> this comment to be in reply to the Blonde, brunette, or redhead..... >> >> suppose I better get my mind out of the gutter...... >> >> matt > I'm glad to see this thread has descended into a 100% harmless OT > natter. It so easily could have gone the other way :-) > By the way, has anyone tried the new version? It's working okay for me > so far. > > Matt ---- Do your HTML image signatures still work? The code to generate > them has changed quite a lot. They should work rather better now with > luck (he says, automatically cursing the whole thing :-) > > Jules > I installed the new version just now and it looks good.. But reserve the right to curse! HAR! -- -Doc Lincoln, NE. 
http://www.fsl.com/ http://www.genealogyforyou.com/ http://www.cairnproductions.com/ From MailScanner at ecs.soton.ac.uk Tue Apr 1 20:48:58 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Apr 1 20:49:51 2008 Subject: How to deliver quarantined email with exim In-Reply-To: References: <47F2788E.4060000@ecs.soton.ac.uk> <47F283CF.10804@ecs.soton.ac.uk> Message-ID: <47F291AA.70202@ecs.soton.ac.uk> Kirk Lowery wrote: > On Tue, Apr 1, 2008 at 2:49 PM, Julian Field > wrote: > >> >> Kirk Lowery wrote: >> > On Tue, Apr 1, 2008 at 2:01 PM, Julian Field >> > wrote: >> > >> > >> >> Move them into /var/spool/exim/input, make sure they have exactly the >> >> same ownership, group and permissions as all the other files in there, >> >> and Exim should pick them up and deliver them. >> >> To hurry the process along, something like >> >> /usr/sbin/exim -C /etc/exit/exit_send.conf -Mc message-id-here >> >> should kick it into making a delivery attempt. >> >> >> > >> > Thanks for your response. >> > >> > Here's what happened: >> > >> > delivering 1Jgjhp-0003fH-PS >> > LOG: MAIN >> > Spool file 1Jgjhp-0003fH-PS-D not found >> > >> > Is there something wrong with my conf file? >> > >> Not if it normally works. See if you can make the outgoing exim do a >> complete run of the queue. It should do this periodically anyway, so the >> reason it couldn't find the file might be that it has already been >> delivered. Has the files (-D and -H) gone since you moved them there? >> > > In the incoming exim queue new messages are coming in. They have the > "-D" and "-H" suffix added to the message id. When I run "exim -q", > they are delivered just fine. But the messages from the MailScanner > quarantine directory do not have two files per message with these > suffixes. There is only one file with the message id as the file name. > You need to look up the "Quarantine Whole Messages As Queue Files =" setting in MailScanner.conf. 
If you want to be able to release messages by dropping them back into the outgoing queue, this needs to be set to "yes". I guess yours is "no" right now. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From ajos1 at onion.demon.co.uk Tue Apr 1 21:53:42 2008 From: ajos1 at onion.demon.co.uk (ajos1 at onion) Date: Tue Apr 1 20:54:21 2008 Subject: Which one? Message-ID: - I notice in the latest stable release... There are: MailScanner-perl-MIME-Base64-3.05-5.src.rpm and perl-MIME-Base64-3.07-1.src.rpm What is the preferred solution? (I use my own scripts to keep perl Spick and Span...) == ===================================================================== = = "What's it called when you put off procrastinating?" = ===================================================================== = Need help with: Parking Tickets, Bailiffs, Capita or HertsGrid??? = Call... 
+44 8457 90 90 90 http://www.samaritans.org/ ===================================================================== From ssilva at sgvwater.com Tue Apr 1 20:53:05 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Apr 1 20:55:49 2008 Subject: OT: Sendmail REJECT or DISCARD preference In-Reply-To: <47F28DFA.4020400@ecs.soton.ac.uk> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> <47F27E36.6060509@cnpapers.com> <47F282D2.7040404@rma.edu> <47F2849C.6030509@coders.co.uk> <47F28DFA.4020400@ecs.soton.ac.uk> Message-ID: on 4-1-2008 12:33 PM Julian Field spake the following: > > > Matt Hampton wrote: >> Brendan Pirie wrote: >>>>>>> Pale, lager, or ale? >>> >>> What do you mean, OR?! ;) >>> >>> Brendan >>> >> When this popped up in message notifier in Thunderbird I was expecting >> this comment to be in reply to the Blonde, brunette, or redhead..... >> >> suppose I better get my mind out of the gutter...... >> >> matt > I'm glad to see this thread has descended into a 100% harmless OT > natter. It so easily could have gone the other way :-) > By the way, has anyone tried the new version? It's working okay for me > so far. > > Matt ---- Do your HTML image signatures still work? The code to generate > them has changed quite a lot. They should work rather better now with > luck (he says, automatically cursing the whole thing :-) > > Jules > Installing this afternoon (here at least) it is probably already night there! 
-- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080401/04c8f5a7/signature.bin From ssilva at sgvwater.com Tue Apr 1 20:56:59 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Apr 1 21:00:13 2008 Subject: OT: Sendmail REJECT or DISCARD preference In-Reply-To: <47F277B1.2080705@ecs.soton.ac.uk> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> Message-ID: on 4-1-2008 10:58 AM Julian Field spake the following: > Baker, without a doubt. > Tom or Colin? I'm assuming Tom. He was the first I remember. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080401/b9f7a206/signature.bin From MailScanner at ecs.soton.ac.uk Tue Apr 1 21:04:33 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Apr 1 21:05:00 2008 Subject: How to deliver quarantined email with exim In-Reply-To: <47F291AA.70202@ecs.soton.ac.uk> References: <47F2788E.4060000@ecs.soton.ac.uk> <47F283CF.10804@ecs.soton.ac.uk> <47F291AA.70202@ecs.soton.ac.uk> Message-ID: <47F29551.9090104@ecs.soton.ac.uk> Julian Field wrote: > > > Kirk Lowery wrote: >> On Tue, Apr 1, 2008 at 2:49 PM, Julian Field >> wrote: >> >>> >>> Kirk Lowery wrote: >>> > On Tue, Apr 1, 2008 at 2:01 PM, Julian Field >>> > wrote: >>> > >>> > >>> >> Move them into /var/spool/exim/input, make sure they have >>> exactly the >>> >> same ownership, group and permissions as all the other files in >>> there, >>> >> and Exim should pick them up and deliver them. >>> >> To hurry the process along, something like >>> >> /usr/sbin/exim -C /etc/exit/exit_send.conf -Mc message-id-here >>> >> should kick it into making a delivery attempt. >>> >> >>> > >>> > Thanks for your response. >>> > >>> > Here's what happened: >>> > >>> > delivering 1Jgjhp-0003fH-PS >>> > LOG: MAIN >>> > Spool file 1Jgjhp-0003fH-PS-D not found >>> > >>> > Is there something wrong with my conf file? >>> > >>> Not if it normally works. See if you can make the outgoing exim do a >>> complete run of the queue. It should do this periodically anyway, >>> so the >>> reason it couldn't find the file might be that it has already been >>> delivered. Has the files (-D and -H) gone since you moved them there? >>> >> >> In the incoming exim queue new messages are coming in. They have the >> "-D" and "-H" suffix added to the message id. When I run "exim -q", >> they are delivered just fine. 
But the messages from the MailScanner >> quarantine directory do not have two files per message with these >> suffixes. There is only one file with the message id as the file name. >> > You need to look up the "Quarantine Whole Messages As Queue Files =" > setting in MailScanner.conf. If you want to be able to release > messages by dropping them back into the outgoing queue, this needs to > be set to "yes". I guess yours is "no" right now. It is currently set to no by default when you install MailScanner the first time. Should I leave it at "no" or change it to "yes"? Discuss. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Tue Apr 1 21:04:44 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Apr 1 21:05:18 2008 Subject: How to deliver quarantined email with exim In-Reply-To: <47F291AA.70202@ecs.soton.ac.uk> References: <47F2788E.4060000@ecs.soton.ac.uk> <47F283CF.10804@ecs.soton.ac.uk> <47F291AA.70202@ecs.soton.ac.uk> Message-ID: <223f97700804011304w1db9adb1k12be72ad291f489b@mail.gmail.com> On 01/04/2008, Julian Field wrote: > > > Kirk Lowery wrote: > > On Tue, Apr 1, 2008 at 2:49 PM, Julian Field > > wrote: > > > >> > >> Kirk Lowery wrote: > >> > On Tue, Apr 1, 2008 at 2:01 PM, Julian Field > >> > wrote: > >> > > >> > > >> >> Move them into /var/spool/exim/input, make sure they have exactly the > >> >> same ownership, group and permissions as all the other files in there, > >> >> and Exim should pick them up and deliver them. 
> >> >> To hurry the process along, something like > >> >> /usr/sbin/exim -C /etc/exit/exit_send.conf -Mc message-id-here > >> >> should kick it into making a delivery attempt. > >> >> > >> > > >> > Thanks for your response. > >> > > >> > Here's what happened: > >> > > >> > delivering 1Jgjhp-0003fH-PS > >> > LOG: MAIN > >> > Spool file 1Jgjhp-0003fH-PS-D not found > >> > > >> > Is there something wrong with my conf file? > >> > > >> Not if it normally works. See if you can make the outgoing exim do a > >> complete run of the queue. It should do this periodically anyway, so the > >> reason it couldn't find the file might be that it has already been > >> delivered. Has the files (-D and -H) gone since you moved them there? > >> > > > > In the incoming exim queue new messages are coming in. They have the > > "-D" and "-H" suffix added to the message id. When I run "exim -q", > > they are delivered just fine. But the messages from the MailScanner > > quarantine directory do not have two files per message with these > > suffixes. There is only one file with the message id as the file name. > > > > You need to look up the "Quarantine Whole Messages As Queue Files =" > setting in MailScanner.conf. If you want to be able to release messages > by dropping them back into the outgoing queue, this needs to be set to > "yes". I guess yours is "no" right now. > Um... Doesn't exim have the "convenience" sendmail command? In which case one should be able to do the usual "sendmail -t -o -i < file" thing ... These files would be RFC822 "coded" files, that that command should be able to handle directly. They're in the spam quarantine, right? 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From spamlists at coders.co.uk Tue Apr 1 21:10:02 2008 From: spamlists at coders.co.uk (Matt Hampton) Date: Tue Apr 1 21:11:32 2008 Subject: OT: Sendmail REJECT or DISCARD preference In-Reply-To: <47F28DFA.4020400@ecs.soton.ac.uk> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> <47F27E36.6060509@cnpapers.com> <47F282D2.7040404@rma.edu> <47F2849C.6030509@coders.co.uk> <47F28DFA.4020400@ecs.soton.ac.uk> Message-ID: <47F2969A.4040802@coders.co.uk> Julian Field wrote: > I'm glad to see this thread has descended into a 100% harmless OT > natter. It so easily could have gone the other way :-) Well it got close - what with the talk about swapping ;-) > By the way, has anyone tried the new version? It's working okay for me > so far. Have been running the last beta for a few days - upgraded to the stable about 30 seconds after this email arrived. > > Matt ---- Do your HTML image signatures still work? The code to > generate them has changed quite a lot. They should work rather better > now with luck (he says, automatically cursing the whole thing :-) > Yup - working nicely thanks. Am looking to roll this out to our users this month after I get back from holiday. matt From MailScanner at ecs.soton.ac.uk Tue Apr 1 21:19:10 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Apr 1 21:20:08 2008 Subject: Which one? 
In-Reply-To: References: Message-ID: <47F298BE.501@ecs.soton.ac.uk> The 3.07 one is what you want to use. The other one is left over from when I used to have to distribute my own tweaked patched version of the RPM, but I believe that was quite a long time ago. I'll remove it from future releases. Thanks for letting me know about this one. Cheers, Jules. ajos1 at onion wrote: > - > > I notice in the latest stable release... There are: > > MailScanner-perl-MIME-Base64-3.05-5.src.rpm > > and > > perl-MIME-Base64-3.07-1.src.rpm > > What is the preferred solution? (I use my own scripts to keep perl Spick and Span...) > > == > ===================================================================== > = > = "What's it called when you put off procrastinating?" > = > ===================================================================== > = Need help with: Parking Tickets, Bailiffs, Capita or HertsGrid??? > = Call... +44 8457 90 90 90 http://www.samaritans.org/ > ===================================================================== > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From glenn.steen at gmail.com Tue Apr 1 21:52:15 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Apr 1 21:52:51 2008 Subject: How to deliver quarantined email with exim In-Reply-To: <47F29551.9090104@ecs.soton.ac.uk> References: <47F2788E.4060000@ecs.soton.ac.uk> <47F283CF.10804@ecs.soton.ac.uk> <47F291AA.70202@ecs.soton.ac.uk> <47F29551.9090104@ecs.soton.ac.uk> Message-ID: <223f97700804011352s68fdf03xb4818dbe39605729@mail.gmail.com> On 01/04/2008, Julian Field wrote: > > > Julian Field wrote: > > > > > > Kirk Lowery wrote: > >> On Tue, Apr 1, 2008 at 2:49 PM, Julian Field > >> wrote: > >> > >>> > >>> Kirk Lowery wrote: > >>> > On Tue, Apr 1, 2008 at 2:01 PM, Julian Field > >>> > wrote: > >>> > > >>> > > >>> >> Move them into /var/spool/exim/input, make sure they have > >>> exactly the > >>> >> same ownership, group and permissions as all the other files in > >>> there, > >>> >> and Exim should pick them up and deliver them. > >>> >> To hurry the process along, something like > >>> >> /usr/sbin/exim -C /etc/exit/exit_send.conf -Mc message-id-here > >>> >> should kick it into making a delivery attempt. > >>> >> > >>> > > >>> > Thanks for your response. > >>> > > >>> > Here's what happened: > >>> > > >>> > delivering 1Jgjhp-0003fH-PS > >>> > LOG: MAIN > >>> > Spool file 1Jgjhp-0003fH-PS-D not found > >>> > > >>> > Is there something wrong with my conf file? > >>> > > >>> Not if it normally works. See if you can make the outgoing exim do a > >>> complete run of the queue. It should do this periodically anyway, > >>> so the > >>> reason it couldn't find the file might be that it has already been > >>> delivered. Has the files (-D and -H) gone since you moved them there? > >>> > >> > >> In the incoming exim queue new messages are coming in. They have the > >> "-D" and "-H" suffix added to the message id. When I run "exim -q", > >> they are delivered just fine. 
But the messages from the MailScanner > >> quarantine directory do not have two files per message with these > >> suffixes. There is only one file with the message id as the file name. > >> > > You need to look up the "Quarantine Whole Messages As Queue Files =" > > setting in MailScanner.conf. If you want to be able to release > > messages by dropping them back into the outgoing queue, this needs to > > be set to "yes". I guess yours is "no" right now. > > It is currently set to no by default when you install MailScanner the > first time. > Should I leave it at "no" or change it to "yes"? > Discuss. I see little point in changing it. There are equally well-functioning methods for releasing a message. Only real difference is that it would be a bit harder to release to an alternate recipient with "yes", and that you lose the envelope information with "no". For the latter, use of the logs (text or MailWatch) is needed, where MailWatch (of course) helps a lot... And need the setting, if one wants to use the envelope recipient for the release. Does it matter much either way? For both, there are gotchas for the "out-of-the-box" user/admin...:-). Probably a bit better with things as they are (means I needn't change that for MW:-):-). 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From martyn at invictawiz.com Tue Apr 1 21:54:32 2008 From: martyn at invictawiz.com (Martyn Routley) Date: Tue Apr 1 21:55:23 2008 Subject: The Good Doctor In-Reply-To: <47F28692.7000809@fsl.com> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> <47F27E36.6060509@cnpapers.com> <47F2832D.6050807@pa.net> <47F28692.7000809@fsl.com> Message-ID: <47F2A108.1050308@invictawiz.com> Steve Freegard wrote: > Leland J. Steinke wrote: >> Sarah Jane, Leela, Peri, or either of the Romanas (or Rose or Martha? >> (or Jack, if one swings that way? (grin))) > > Romana Mk 2 without the shadow of a doubt ;-) No way! It has to be Donna. -- Martyn Routley -------------------------------------------------------- Invictawiz - The Internet in Plain English, Guaranteed web: http://www.invictawiz.com voip: 6000@sip.invictawiz.com phone: 0845 003 9020 Reg Addr: 9 Eastmead Ave, Ashford, Kent, TN23 7SB Co. No: 04253262 -------------------------------------------------------- ----------------------------------------------------------------------------- This message has been scanned for viruses and dangerous content by the http://www.invictawiz.com MailScanner, and is believed to be clean. 
----------------------------------------------------------------------------- From dave.list at pixelhammer.com Tue Apr 1 22:27:40 2008 From: dave.list at pixelhammer.com (DAve) Date: Tue Apr 1 22:28:51 2008 Subject: The Good Doctor In-Reply-To: <47F2A108.1050308@invictawiz.com> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> <47F27E36.6060509@cnpapers.com> <47F2832D.6050807@pa.net> <47F28692.7000809@fsl.com> <47F2A108.1050308@invictawiz.com> Message-ID: <47F2A8CC.1060603@pixelhammer.com> Martyn Routley wrote: > Steve Freegard wrote: >> Leland J. Steinke wrote: >>> Sarah Jane, Leela, Peri, or either of the Romanas (or Rose or Martha? >>> (or Jack, if one swings that way? (grin))) >> >> Romana Mk 2 without the shadow of a doubt ;-) > > No way! > It has to be Donna. > I liked Kaylee from Firefly, something about a girl half in coveralls with a bit of dirt on her face. I can't resist them, I always like the tomboys. Kaylee would sit down and talk Perl with Julian while she changed out a nic card on a running server with nothing but a butter knife. DAve -- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins. 
From steve.freegard at fsl.com Tue Apr 1 23:06:45 2008 From: steve.freegard at fsl.com (Steve Freegard) Date: Tue Apr 1 23:08:34 2008 Subject: The Good Doctor In-Reply-To: <47F2A8CC.1060603@pixelhammer.com> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> <47F27E36.6060509@cnpapers.com> <47F2832D.6050807@pa.net> <47F28692.7000809@fsl.com> <47F2A108.1050308@invictawiz.com> <47F2A8CC.1060603@pixelhammer.com> Message-ID: <47F2B1F5.90407@fsl.com> DAve wrote: > I liked Kaylee from Firefly, something about a girl half in coveralls > with a bit of dirt on her face. I can't resist them, I always like the > tomboys. > > Kaylee would sit down and talk Perl with Julian while she changed out a > nic card on a running server with nothing but a butter knife. > I think we have a winner! 
From doc at maddoc.net Tue Apr 1 23:22:21 2008 From: doc at maddoc.net (Doc Schneider) Date: Tue Apr 1 23:23:20 2008 Subject: The Good Doctor In-Reply-To: <47F2B1F5.90407@fsl.com> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> <47F27E36.6060509@cnpapers.com> <47F2832D.6050807@pa.net> <47F28692.7000809@fsl.com> <47F2A108.1050308@invictawiz.com> <47F2A8CC.1060603@pixelhammer.com> <47F2B1F5.90407@fsl.com> Message-ID: <47F2B59D.8040903@maddoc.net> Steve Freegard wrote: > DAve wrote: >> I liked Kaylee from Firefly, something about a girl half in coveralls >> with a bit of dirt on her face. I can't resist them, I always like the >> tomboys. >> >> Kaylee would sit down and talk Perl with Julian while she changed out >> a nic card on a running server with nothing but a butter knife. >> > > I think we have a winner! FWIW: The same actress plays the new Doctor on Stargate Atlantis. -- -Doc Lincoln, NE. 
http://www.fsl.com/ http://www.genealogyforyou.com/ http://www.cairnproductions.com/ From ssilva at sgvwater.com Tue Apr 1 23:46:35 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Apr 1 23:46:53 2008 Subject: The Good Doctor In-Reply-To: <47F2B59D.8040903@maddoc.net> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> <47F27E36.6060509@cnpapers.com> <47F2832D.6050807@pa.net> <47F28692.7000809@fsl.com> <47F2A108.1050308@invictawiz.com> <47F2A8CC.1060603@pixelhammer.com> <47F2B1F5.90407@fsl.com> <47F2B59D.8040903@maddoc.net> Message-ID: on 4-1-2008 3:22 PM Doc Schneider spake the following: > Steve Freegard wrote: >> DAve wrote: >>> I liked Kaylee from Firefly, something about a girl half in coveralls >>> with a bit of dirt on her face. I can't resist them, I always like the >>> tomboys. >>> >>> Kaylee would sit down and talk Perl with Julian while she changed out >>> a nic card on a running server with nothing but a butter knife. >>> >> I think we have a winner! > > FWIW: The same actress plays the new Doctor on Stargate Atlantis. > But she isn't half in coveralls anymore! ;-P You have to admit that Billie Piper had a certain "cuteness" about her as Rose Tyler. And isn't it amazing how many tech lists can veer off course when Sci-fi comes into the discussion. Forget politics and world hunger! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! 

From alex at nkpanama.com Tue Apr 1 23:55:28 2008
From: alex at nkpanama.com (Alex Neuman)
Date: Tue Apr 1 23:56:26 2008
Subject: OT: Sendmail REJECT or DISCARD preference
In-Reply-To: <47F277B1.2080705@ecs.soton.ac.uk>
References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk>
Message-ID:

We all remember our first doctor quite fondly.

On Apr 1, 2008, at 12:58 PM, Julian Field wrote:
> Baker, without a doubt.

From jim.barber at ddihealth.com Wed Apr 2 00:43:59 2008
From: jim.barber at ddihealth.com (Jim Barber)
Date: Wed Apr 2 00:44:44 2008
Subject: How to deliver quarantined email with exim
In-Reply-To:
References: <47F2788E.4060000@ecs.soton.ac.uk>
Message-ID: <47F2C8BF.1090204@ddihealth.com>

I just resubmit the quarantined message like so:

cat 1Jgjhp-0003fH-PS | exim -ti

However this assumes that you have your MailScanner set up to not check messages that originate from the local host otherwise it will just get quarantined again.

----------
Jim Barber
DDI Health

Kirk Lowery wrote:
> On Tue, Apr 1, 2008 at 2:01 PM, Julian Field
> wrote:
>
>> Move them into /var/spool/exim/input, make sure they have exactly the
>> same ownership, group and permissions as all the other files in there,
>> and Exim should pick them up and deliver them.
>> To hurry the process along, something like
>> /usr/sbin/exim -C /etc/exit/exit_send.conf -Mc message-id-here
>> should kick it into making a delivery attempt.
>
> Thanks for your response.
>
> Here's what happened:
>
> delivering 1Jgjhp-0003fH-PS
> LOG: MAIN
> Spool file 1Jgjhp-0003fH-PS-D not found
>
> Is there something wrong with my conf file?
>
> Kirk

From igueths at lava-net.com Wed Apr 2 00:44:23 2008
From: igueths at lava-net.com (Igor Gueths)
Date: Wed Apr 2 00:44:59 2008
Subject: MailScanner-4.68.8 hangs at startup
Message-ID: <20080401234423.GA31833@lava-net.com>

Hi all. I am attempting to upgrade from a previous MailScanner-4.58.8 installation; however, I am running into a rather interesting problem. If I specify Run as User, and Run as Group to be postfix in MailScanner.conf, and then try to start MailScanner with check_mailscanner, the parent hangs without starting any children. I was able to narrow down this precise cause by taking an original MailScanner.conf, and only editing the two above options, and specifying MTA to be Postfix. If I don't specify Run as User or Run as Group to be Postfix, MailScanner starts up just fine. I was also able to strace the parent, which seems to show the children attempting to start and then exiting:

fork() = 32467
rt_sigprocmask(SIG_SETMASK, [CHLD], NULL, 8) = 0
close(4) = 0
close(4) = -1 EBADF (Bad file descriptor)

Anyone have any other ideas that I could try to get this going? The only thing I modified from the previous 4.58.8 installation was a new version of SpamAssassin, and of course the newer configuration file. I am also running Postfix-2.3.7.
Thanks in advance!

- --
Igor

From doc at maddoc.net Wed Apr 2 00:46:43 2008
From: doc at maddoc.net (Doc Schneider)
Date: Wed Apr 2 00:47:43 2008
Subject: The Good Doctor
In-Reply-To:
References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> <47F27E36.6060509@cnpapers.com> <47F2832D.6050807@pa.net> <47F28692.7000809@fsl.com> <47F2A108.1050308@invictawiz.com> <47F2A8CC.1060603@pixelhammer.com> <47F2B1F5.90407@fsl.com> <47F2B59D.8040903@maddoc.net>
Message-ID: <47F2C963.7070507@maddoc.net>

Scott Silva wrote:
> on 4-1-2008 3:22 PM Doc Schneider spake the following:
>> Steve Freegard wrote:
>>> DAve wrote:
>>>> I liked Kaylee from
Firefly, something about a girl half in coveralls >>>> with a bit of dirt on her face. I can't resist them, I always like the >>>> tomboys. >>>> >>>> Kaylee would sit down and talk Perl with Julian while she changed out >>>> a nic card on a running server with nothing but a butter knife. >>>> >>> I think we have a winner! >> >> FWIW: The same actress plays the new Doctor on Stargate Atlantis. >> > But she isn't half in coveralls anymore! ;-P She is still sort of techie. > You have to admit that Billie Piper had a certain "cuteness" about her > as Rose Tyler. Yeppers there is a winner! > And isn't it amazing how many tech lists can veer off course when Sci-fi > comes into the discussion. Forget politics and world hunger! > Could that be cause most tech lists members are all living in a new frontier? Or just cause we're all an odd bunch? I vote the latter. -- -Doc Lincoln, NE. http://www.fsl.com/ http://www.genealogyforyou.com/ http://www.cairnproductions.com/ From hvdkooij at vanderkooij.org Wed Apr 2 06:09:28 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Wed Apr 2 06:10:38 2008 Subject: OT: Sendmail REJECT or DISCARD preference In-Reply-To: <47F2310F.4020900@cnpapers.com> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> Message-ID: <47F31508.9010807@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Steve Campbell wrote: | Which is better: sendmail or postfix? :-) Which ever YOU are more familiar with. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? 
Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFH8xUGBvzDRVjxmYERAqFgAKCLSpSIpQyt+dmKP9aPSnupT8KFGwCfSl46
JZ3H4RutF3jFjvf+Rem0Rgo=
=DpkF
-----END PGP SIGNATURE-----

From Robert.Meurlin at se.fujitsu.com Wed Apr 2 09:38:11 2008
From: Robert.Meurlin at se.fujitsu.com (Meurlin Robert)
Date: Wed Apr 2 09:41:39 2008
Subject: spam with score 0.0
Message-ID: <797363C57EE0884786F428AAABCD469201490BC0@sea0120sex2.nordic.x>

Hello,
I get a number of spam that slip through the filter with the score 0.0 and if I look in detail it says "rebuilding Spamassassin". What does that mean? Is it because it has too much work to do that some spam slips through?

Spam Report:
Score  Matching Rule  Description
rebuilding SpamAssassin

Rob.

From maillists at conactive.com Wed Apr 2 13:13:51 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Apr 2 13:15:01 2008
Subject: SA times out
Message-ID:

I'm getting a certain kind of Russian spam for some weeks now that always gets thru unscanned because SA times out. So, I set the SA timeout from 30 to 120 seconds and it still times out. However, timing on the command line shows that SA takes long for this kind of message (and it's a slow system by today's figures, anyway), but not *that* long that it could hit this limit. It takes about 1.4 minutes to process such a message, consistently. That's well below 2 minutes. So, why does MailScanner still let it time out?

MailScanner 4.54.6
SA 3.2.4
*no* network tests

mailscanner log shows only those timeouts, nothing else.
I guess I would need to add more verbose logging, but then I would get logging for *all* messages, right?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From empirical.humanist at gmail.com Wed Apr 2 13:51:20 2008
From: empirical.humanist at gmail.com (Kirk Lowery)
Date: Wed Apr 2 13:51:56 2008
Subject: How to deliver quarantined email with exim
In-Reply-To: <47F2C8BF.1090204@ddihealth.com>
References: <47F2788E.4060000@ecs.soton.ac.uk> <47F2C8BF.1090204@ddihealth.com>
Message-ID:

On Tue, Apr 1, 2008 at 7:43 PM, Jim Barber wrote:
> I just resubmit the quarantined message like so:
>
> cat 1Jgjhp-0003fH-PS | exim -ti
>
> However this assumes that you have your MailScanner set up to not check
> messages that originate from the local host otherwise it will just get
> quarantined again.

*This* was what I was looking for. And, yes, MailScanner is off when I do this.

Thanks to everyone who responded. I learned a lot.

Best,
Kirk

From warren.guy at calorieking.com Wed Apr 2 14:49:06 2008
From: warren.guy at calorieking.com (Warren Guy)
Date: Wed Apr 2 14:51:12 2008
Subject: MailScanner children hanging on startup when spam.lists.conf file is open by another process
Message-ID: <47F38ED2.9010408@calorieking.com>

Hello everyone,

I encountered a strange problem this evening, where a colleague had inadvertently left open a terminal on our mail server with the spam.lists.conf configuration file open in vi, which seemed to cause the MailScanner child processes to die when they (re-)started.

At first I thought perhaps SpamAssassin or ClamAV was causing some problem, but the problem still occurred with spam checks and virus scanning disabled from MailScanner.conf.

Has anyone encountered similar behaviour? This machine is running MailScanner 4.64.3, Postfix 2.1, Perl 5.8.8 on FreeBSD 4.

Output from mailscanner log:

(from where MailScanner appeared to die, when the last child restarted):

Apr 2 17:22:20 (mailserver) MailScanner[53468]: MailScanner child dying of old age
Apr 2 17:22:20 (mailserver) MailScanner[46053]: MailScanner E-Mail Virus Scanner version 4.64.3 starting...

(when restarting):

Apr 2 20:56:46 (mailserver) MailScanner[35284]: MailScanner child caught a SIGHUP
Apr 2 20:56:46 (mailserver) MailScanner[35209]: MailScanner child caught a SIGHUP
Apr 2 20:56:46 (mailserver) MailScanner[33392]: MailScanner child caught a SIGHUP
Apr 2 20:56:46 (mailserver) MailScanner[29785]: MailScanner child caught a SIGHUP
Apr 2 20:56:46 (mailserver) MailScanner[46053]: MailScanner child caught a SIGHUP
Apr 2 20:56:53 (mailserver) MailScanner[23048]: MailScanner E-Mail Virus Scanner version 4.64.3 starting...
Apr 2 20:56:58 (mailserver) MailScanner[23050]: MailScanner E-Mail Virus Scanner version 4.64.3 starting...
Apr 2 20:57:03 (mailserver) MailScanner[23054]: MailScanner E-Mail Virus Scanner version 4.64.3 starting...
Apr 2 20:57:09 (mailserver) MailScanner[23058]: MailScanner E-Mail Virus Scanner version 4.64.3 starting...
Apr 2 20:57:14 (mailserver) MailScanner[23069]: MailScanner E-Mail Virus Scanner version 4.64.3 starting...

Which is where it hangs.

Output from `ps`:

postfix 25760 0.0 1.9 19936 19308 ?? I 9:05PM 0:00.11 MailScanner: starting children (perl5.8.8)
postfix 25561 0.0 1.9 19936 19308 ?? I 9:05PM 0:00.11 MailScanner: starting children (perl5.8.8)
postfix 25495 0.0 1.9 19936 19308 ?? I 9:04PM 0:00.11 MailScanner: starting children (perl5.8.8)
postfix 25494 0.0 1.9 19936 19308 ?? I 9:04PM 0:00.11 MailScanner: starting children (perl5.8.8)
postfix 25493 0.0 1.9 19936 19308 ?? I 9:04PM 0:00.12 MailScanner: starting children (perl5.8.8)
postfix 25492 0.0 1.8 19300 18760 ??
Is 9:04PM 0:00.01 MailScanner: master waiting for children, sleeping (perl5.8.8)

--
Warren Guy
Senior System Administrator
CalorieKing

From warren.guy at calorieking.com Wed Apr 2 15:00:21 2008
From: warren.guy at calorieking.com (Warren Guy)
Date: Wed Apr 2 15:01:52 2008
Subject: MailScanner children hanging on startup when spam.lists.conf file is open by another process
In-Reply-To: <47F38ED2.9010408@calorieking.com>
References: <47F38ED2.9010408@calorieking.com>
Message-ID: <47F39175.80908@calorieking.com>

Sorry for the extraneous post, but just wanted to clarify a couple of things:

Warren Guy wrote:
> I encountered a strange problem this evening, where a colleague had
> inadvertently left open a terminal on our mail server with the
> spam.lists.conf configuration file open in vi, which seemed to cause the
> MailScanner child processes to die when they (re-)started.

The processes weren't "dying", but rather seemed to hang.

> (from where MailScanner appeared to die, when the last child restarted):

That is, when MailScanner stopped processing mail after the last child process hung on restarting.

From MailScanner at ecs.soton.ac.uk Tue Apr 1 15:31:33 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Apr 2 15:06:39 2008
Subject: MailScanner ANNOUNCE: 4.68.8 stable released
Message-ID: <47F24745.2090703@ecs.soton.ac.uk>

Folks,

I have just released the latest stable release of MailScanner version 4.68.8.

This is *not* an April Fool's joke :-)

Major new improvements this month are:
- Support for the *very fast* fpscand daemon supplied with F-Prot version 6.
- New method of updating bad phishing sites configuration list to use major new fireproof delivery system. Many thanks to Matt Hampton for all his help with this.
- filename.rules.conf and filetype.rules.conf can now list email addresses. Emails containing attachments matching these names or types will be diverted to these addresses instead of the original recipients.
- New "Automatic Syntax Check" option (on by default) to check your configuration is syntactically correct before trying to start up.

Download as usual from www.mailscanner.info.

The full Change Log is this:

* New Features and Improvements *
1 Support for the Fpscand daemon that is supplied with F-Prot version 6.
  Add this line to your virus.scanners.conf
    f-protd-6 /bin/false /usr/local/f-prot
  and set "Virus Scanners = f-protd-6" in your MailScanner.conf.
  This is very much faster than the f-prot-6 command-line scanner.
3 Improved the list of ignored web-bug filenames.
3 New update_bad_phishing_sites script to use major new fireproof delivery system. Many thanks to Matt Hampton for all his time and support with this.
3 Updated to Catalan translation.
3 Updated support for Vexira "vascan" virus scanner.
3 Changed location of Web-Bug Replacement image. upgrade_MailScanner_conf will put in the new URL.
  This will give significantly better response to your users.
3 Added new option "Log SpamAssassin Rule Actions" so that you can see exactly what actions fire on what messages from the "SpamAssassin Rule Actions" setting.
3 Added new option to the filename.rules.conf and filetype.rules.conf files. Instead of "allow", "deny" or "deny+delete", you can now specify a space or comma-separated list of email addresses. If the filename or filetype rule is matched, the message is sent to these new addresses instead of the ones given in the original email address.
3 Updated support for latest versions of Esets virus scanner from Nod32.
4 Added Net-DNS and Digest-SHA1 to the main MailScanner distributions so that they are installed appropriately ready for when you install Razor. This way they are installed as RPMs and not just plain Perl modules, as the RPM of Razor requires them to have been installed as RPMs.
4 New configuration option "Automatic Syntax Check" added, default is "yes", which causes a quick syntax check of the MailScanner.conf file and the other configuration files, printing out errors on the console, instead of just logging them to your system's mail log as it did before. This will hopefully make it easier for novices to get going successfully.
5 SpamAssassin Cache will no longer cache "timed out" responses.
5 Upgraded to perl-Digest-SHA1 version 2.11.
6 Added SpamAssassin MCP patch for 3.2.4.
7 Changed default supplied High-Scoring Spam Actions to "store". That way users don't have to work out how to change it, to reduce their spam a lot.

* Fixes *
2 Improved MakeNameSafe() to fix problems caused by f-protd-6 working with filenames containing spaces (which it cannot handle!).
2-2 Fixed error in --lint support for F-Protd-6.
2-3 Typo, missed out a "$" :-(
3 Fixed important bug in f-protd handling code.
4 Fixes to Ruleset-From-Function.pm Custom Function code.
5 Fixed various issues with new automatic syntax check (--lintlite) code.
6 Fixed IPBlock problem with MailScanner --lintlite.
6 Fixed Postfix milter problem (thanks Glenn!).
7 Fixed problem with Inline images in HTML signatures. Now works with nested multiple replies.
8 Fixed bug where original unsafe filename wasn't used correctly when auto-replacing attachments with zipped copies to save space in mail stores. Thanks to Armand Leroux at Capgemini for finding this one.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

--
MailScanner-announce mailing list
mailscanner-announce@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner-announce

Before posting, read the Wiki (http://wiki.mailscanner.info/).

Support MailScanner development - buy the book off the website!

From MailScanner at ecs.soton.ac.uk Wed Apr 2 15:15:08 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Apr 2 15:15:32 2008
Subject: MailScanner children hanging on startup when spam.lists.conf file is open by another process
In-Reply-To: <47F38ED2.9010408@calorieking.com>
References: <47F38ED2.9010408@calorieking.com>
Message-ID: <47F394EC.1020703@ecs.soton.ac.uk>

Interesting locking problem. Does this only happen on BSD?

Warren Guy wrote:
> Hello everyone,
>
> I encountered a strange problem this evening, where a colleague had
> inadvertently left open a terminal on our mail server with the
> spam.lists.conf configuration file open in vi, which seemed to cause
> the MailScanner child processes to die when they (re-)started.
> > At first I thought perhaps SpamAssassin or ClamAV was causing some > problem, but the problem still occurred with spam checks and virus > scanning disabled from MailScanner.conf. > > Has anyone encountered similar behaviour? This machine is running > MailScanner 4.64.3, Postfix 2.1, Perl 5.8.8 on FreeBSD 4. > > Output from mailscanner log: > > (from where MailScanner appeared to die, when the last child restarted): > > Apr 2 17:22:20 (mailserver) MailScanner[53468]: MailScanner child > dying of old age > Apr 2 17:22:20 (mailserver) MailScanner[46053]: MailScanner E-Mail > Virus Scanner version 4.64.3 starting... > > (when restarting): > > Apr 2 20:56:46 (mailserver) MailScanner[35284]: MailScanner child > caught a SIGHUP > Apr 2 20:56:46 (mailserver) MailScanner[35209]: MailScanner child > caught a SIGHUP > Apr 2 20:56:46 (mailserver) MailScanner[33392]: MailScanner child > caught a SIGHUP > Apr 2 20:56:46 (mailserver) MailScanner[29785]: MailScanner child > caught a SIGHUP > Apr 2 20:56:46 (mailserver) MailScanner[46053]: MailScanner child > caught a SIGHUP > Apr 2 20:56:53 (mailserver) MailScanner[23048]: MailScanner E-Mail > Virus Scanner version 4.64.3 starting... > Apr 2 20:56:58 (mailserver) MailScanner[23050]: MailScanner E-Mail > Virus Scanner version 4.64.3 starting... > Apr 2 20:57:03 (mailserver) MailScanner[23054]: MailScanner E-Mail > Virus Scanner version 4.64.3 starting... > Apr 2 20:57:09 (mailserver) MailScanner[23058]: MailScanner E-Mail > Virus Scanner version 4.64.3 starting... > Apr 2 20:57:14 (mailserver) MailScanner[23069]: MailScanner E-Mail > Virus Scanner version 4.64.3 starting... > > Which is where it hangs. > > Output from `ps`: > > postfix 25760 0.0 1.9 19936 19308 ?? I 9:05PM 0:00.11 MailScanner: > starting children (perl5.8.8) > postfix 25561 0.0 1.9 19936 19308 ?? I 9:05PM 0:00.11 MailScanner: > starting children (perl5.8.8) > postfix 25495 0.0 1.9 19936 19308 ?? 
I 9:04PM 0:00.11 MailScanner:
> starting children (perl5.8.8)
> postfix 25494 0.0 1.9 19936 19308 ?? I 9:04PM 0:00.11 MailScanner:
> starting children (perl5.8.8)
> postfix 25493 0.0 1.9 19936 19308 ?? I 9:04PM 0:00.12 MailScanner:
> starting children (perl5.8.8)
> postfix 25492 0.0 1.8 19300 18760 ?? Is 9:04PM 0:00.01 MailScanner:
> master waiting for children, sleeping (perl5.8.8)
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From MailScanner at ecs.soton.ac.uk Wed Apr 2 15:23:06 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Apr 2 15:23:27 2008
Subject: spam with score 0.0
In-Reply-To: <797363C57EE0884786F428AAABCD469201490BC0@sea0120sex2.nordic.x>
References: <797363C57EE0884786F428AAABCD469201490BC0@sea0120sex2.nordic.x>
Message-ID: <47F396CA.3080807@ecs.soton.ac.uk>

What are your settings in MailScanner.conf for these two?

# If you are using the Bayesian statistics engine on a busy server,
# you may well need to force a Bayesian database rebuild and expiry
# at regular intervals. This is measures in seconds.
# 1 day = 86400 seconds.
# To disable this feature set this to 0.
# Note: If you enable this feature, set "bayes_auto_expire 0" in
# spam.assasssin.prefs.conf which you will find in the same
# directory as this file.
Rebuild Bayes Every = 0

# The Bayesian database rebuild and expiry may take a 2 or 3 minutes
# to complete. During this time you can either wait, or simply
# disable SpamAssassin checks until it has completed.
Wait During Bayes Rebuild = no

You may have a cron job that fires off sa-learn every night or something like that.
Or else you have "bayes_auto_expire 1" in your spam.assassin.prefs.conf file or other SpamAssassin configuration file. Personally I would have MailScanner do the bayes rebuilds every night and wait for them to complete. This depends a bit on how long the nightly rebuild takes. The settings here are very much up to your own preference, but this is where to start looking for the solution to your problem. Hope that helps a bit! Jules. Meurlin Robert wrote: > Hello, > gets a number of spam that slips through the filter with the score 0.0 > and if I look in detail it says "rebuilding Spamassassin". What does > that mean? Is it because it has too much work to do that some spam > slips through? > > Spam Report: Score Matching Rule Description > rebuilding SpamAssassin > > Rob. > > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
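Added example, not part of the original message and not MailScanner's own code: a small checker for the three settings the reply above asks about, reporting the combinations that leave mail unscored or expire the Bayes database twice. The function names and sample configuration text are constructed; it assumes MailScanner matches option names ignoring case and spaces, and that SpamAssassin's bayes_auto_expire defaults to 1 when unset.

```python
import re

# Constructed sample inputs (not taken from any real server).
SHIPPED_CONF = """\
# values as quoted in the message above
Rebuild Bayes Every = 0
Wait During Bayes Rebuild = no
"""
NIGHTLY_WAIT_CONF = """\
Rebuild Bayes Every = 86400
Wait During Bayes Rebuild = yes
"""
NIGHTLY_NOWAIT_CONF = """\
rebuild bayes every = 86400
Wait During Bayes Rebuild = no
"""


def parse_mailscanner_conf(text):
    """Return {normalised option name: value} for 'Name = value' lines."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # simplification: '#' starts a comment
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Assumption: option names compare equal ignoring case and spacing.
        opts[re.sub(r"[^a-z0-9]", "", key.lower())] = value.strip()
    return opts


def parse_sa_prefs(text):
    """Return {directive: rest of line} for SpamAssassin 'directive value' lines."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def check_bayes_settings(ms_conf_text, sa_prefs_text):
    """Return a list of (code, explanation) findings; empty means consistent."""
    ms = parse_mailscanner_conf(ms_conf_text)
    sa = parse_sa_prefs(sa_prefs_text)
    rebuild_every = int(ms.get("rebuildbayesevery", "0"))
    wait = ms.get("waitduringbayesrebuild", "no").lower() == "yes"
    auto_expire = sa.get("bayes_auto_expire", "1") != "0"

    findings = []
    if rebuild_every > 0 and auto_expire:
        findings.append(("double-expiry",
                         "Rebuild Bayes Every is on but bayes_auto_expire is not 0"))
    if rebuild_every > 0 and not wait:
        findings.append(("unscanned-window",
                         "SpamAssassin checks are disabled while the rebuild runs"))
    if rebuild_every == 0 and auto_expire:
        findings.append(("sa-auto-expire",
                         "SpamAssassin expires the Bayes database itself"))
    return findings


if __name__ == "__main__":
    for name, conf, prefs in [
        ("shipped", SHIPPED_CONF, "bayes_auto_expire 1\n"),
        ("nightly, wait", NIGHTLY_WAIT_CONF, "bayes_auto_expire 0\n"),
        ("nightly, no wait", NIGHTLY_NOWAIT_CONF, ""),
    ]:
        print(name, check_bayes_settings(conf, prefs))
```
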
From MailScanner at ecs.soton.ac.uk Wed Apr 2 15:27:02 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Apr 2 15:27:44 2008 Subject: MailScanner children hanging on startup when spam.lists.conf file is open by another process In-Reply-To: <47F39175.80908@calorieking.com> References: <47F38ED2.9010408@calorieking.com> <47F39175.80908@calorieking.com> Message-ID: <47F397B6.9020109@ecs.soton.ac.uk> Warren Guy wrote: > Sorry for the extraneous post, but just wanted to clarify a couple of > things: > > Warren Guy wrote: >> I encountered a strange problem this evening, where a colleague had >> inadvertently left open a terminal on our mail server with the >> spam.lists.conf configuration file open in vi, which seemed to cause >> the MailScanner child processes to die when they (re-)started. > > The processes weren't "dying", but rather seemed to hang. If for some reason BSD vi was insisting on putting an all-out lock on the file while your colleague was editing it, then the child processes would indeed hang waiting for access to the file. It should only be opening it for read though. Never seen this one before. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Wed Apr 2 15:24:33 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Apr 2 15:31:03 2008 Subject: SA times out In-Reply-To: References: Message-ID: <47F39721.3000603@ecs.soton.ac.uk> What happens if you put one of those Russian spam in your incoming mail queue, run MailScanner --debug --debug-sa and watch what happens? 
The --debug-sa now outputs time stamps with every debug line output, so you can see exactly how long it is waiting at each stage. Kai Schaetzl wrote: > I'm getting a certain kind of Russian spam for some weeks now that always > gets thru unscanned because SA times out. So, I set the SA timeout from 30 > to 120 seconds and it still times out. However, timing on the command line > shows that SA takes long for this kind of message (and it's a slow system > by today's figures, anyway), but not *that* long that it could hit this > limit. I takes about 1.4 minutes to process such a message, consistently. > That's well below 2 minutes. > So, why does MailScanner still let it time out? > MailScanner 4.54.6 > SA 3.2.4 > *no* network tests > > mailscanner log shows only those timeouts, nothing else. I guess I would > need to add more verbose logging, but then I would get logging for *all* > messages, right? > > Kai > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From warren.guy at calorieking.com Wed Apr 2 15:47:55 2008 From: warren.guy at calorieking.com (Warren Guy) Date: Wed Apr 2 15:50:19 2008 Subject: MailScanner children hanging on startup when spam.lists.conf file is open by another process In-Reply-To: <47F394EC.1020703@ecs.soton.ac.uk> References: <47F38ED2.9010408@calorieking.com> <47F394EC.1020703@ecs.soton.ac.uk> Message-ID: <47F39C9B.1090805@calorieking.com> Julian Field wrote: > Interesting locking problem. Does this only happen on BSD? 
I can confirm that the problem also occurs on FreeBSD 6.3 and Postfix 2.5, however this machine is running the same version of MailScanner (4.64.3) and Perl (5.8.8). I can't speak for any other platforms. Is anyone else willing to try and replicate this? :) I've just noticed that the FreeBSD port was updated to 4.67.6 a few days ago, so I'll probably give that a go some time soon anyway. -- Warren Guy Senior System Administrator CalorieKing From Kevin_Miller at ci.juneau.ak.us Wed Apr 2 15:56:36 2008 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Apr 2 15:57:18 2008 Subject: SA times out In-Reply-To: <47F39721.3000603@ecs.soton.ac.uk> References: <47F39721.3000603@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > What happens if you put one of those Russian spam in your incoming > mail queue, run MailScanner --debug --debug-sa and watch what > happens? The --debug-sa now outputs time stamps with every debug line > output, so you can see exactly how long it is waiting at each stage. If there's a bunch of messages in the incoming queue, how do you specify which message you want to test against? I don't know if that functionality is already there, but perhaps a feature request could be a CLI switch to specify the message ID so MS only scans the particular message(s) that you're interested in observing. Best... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From steinkel at pa.net Wed Apr 2 16:03:39 2008 From: steinkel at pa.net (Leland J. 
Steinke) Date: Wed Apr 2 16:04:18 2008 Subject: The Good Doctor In-Reply-To: <47F2A108.1050308@invictawiz.com> References: <47ED0443.6030502@cnpapers.com> <47ED2099.5040201@farrows.org> <47ED2703.4030802@evi-inc.com> <47ED2C26.1070006@farrows.org> <47F0F2EF.80307@evi-inc.com> <47F0FE33.2000509@farrows.org> <47F12507.4070905@evi-inc.com> <47F129E7.6050803@farrows.org> <223f97700803311144i202d008v7a88138a1566768a@mail.gmail.com> <47F13C46.5080701@farrows.org> <223f97700803311345i1bc413e5pd108190f9ffaf49e@mail.gmail.com> <47F15D93.7030005@farrows.org> <47F16A55.7090508@fsl.com> <47F2310F.4020900@cnpapers.com> <66D363A7-9578-4064-89B2-94E897DD12FC@nkpanama.com> <47F277B1.2080705@ecs.soton.ac.uk> <47F27E36.6060509@cnpapers.com> <47F2832D.6050807@pa.net> <47F28692.7000809@fsl.com> <47F2A108.1050308@invictawiz.com> Message-ID: <47F3A04B.4050203@pa.net> Martyn Routley wrote: > No way! > It has to be Donna. > Am I bowered? (Or is it "bovvered"?) Sorry, "Nan" on the Catherine Tate Show excluded her from the running entirely! Leland From MailScanner at ecs.soton.ac.uk Wed Apr 2 16:10:59 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Apr 2 16:11:44 2008 Subject: MailScanner children hanging on startup when spam.lists.conf file is open by another process In-Reply-To: <47F39C9B.1090805@calorieking.com> References: <47F38ED2.9010408@calorieking.com> <47F394EC.1020703@ecs.soton.ac.uk> <47F39C9B.1090805@calorieking.com> Message-ID: <47F3A203.8060907@ecs.soton.ac.uk> Warren Guy wrote: > Julian Field wrote: >> Interesting locking problem. Does this only happen on BSD? > > I can confirm that the problem also occurs on FreeBSD 6.3 and Postfix > 2.5, however this machine is running the same version of MailScanner > (4.64.3) and Perl (5.8.8). I can't speak for any other platforms. Is > anyone else willing to try and replicate this? 
:) > > I've just noticed that the FreeBSD port was updated to 4.67.6 a few > days ago, so I'll probably give that a go some time soon anyway. I have opened it read-only in MailScanner. So if vi on BSD is locking out even attempts to just read the file, there's not a whole lot I can do about this, sorry. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Wed Apr 2 16:16:58 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Apr 2 16:17:23 2008 Subject: SA times out In-Reply-To: References: <47F39721.3000603@ecs.soton.ac.uk> Message-ID: <47F3A36A.10008@ecs.soton.ac.uk> Kevin Miller wrote: > Julian Field wrote: > >> What happens if you put one of those Russian spam in your incoming >> mail queue, run MailScanner --debug --debug-sa and watch what >> happens? The --debug-sa now outputs time stamps with every debug line >> output, so you can see exactly how long it is waiting at each stage. >> > > If there's a bunch of messages in the incoming queue, how do you specify > which message you want to test against? You can't. > I don't know if that > functionality is already there, It's not. > but perhaps a feature request could be a > CLI switch to specify the message ID so MS only scans the particular > message(s) that you're interested in observing. > Good idea. I'll take a look. Would a single ID do? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? 
Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From warren.guy at calorieking.com Wed Apr 2 16:37:02 2008 From: warren.guy at calorieking.com (Warren Guy) Date: Wed Apr 2 16:39:09 2008 Subject: MailScanner children hanging on startup when spam.lists.conf file is open by another process In-Reply-To: <47F3A203.8060907@ecs.soton.ac.uk> References: <47F38ED2.9010408@calorieking.com> <47F394EC.1020703@ecs.soton.ac.uk> <47F39C9B.1090805@calorieking.com> <47F3A203.8060907@ecs.soton.ac.uk> Message-ID: <47F3A81E.6030601@calorieking.com> Julian Field wrote: > I have opened it read-only in MailScanner. So if vi on BSD is locking > out even attempts to just read the file, there's not a whole lot I can > do about this, sorry. This does indeed seem to be the case. From the vi man page, the "lock" configuration variable defaults to on: lock [on] Attempt to get an exclusive lock on any file being edited, read or written. I guess that would do it :>. Thanks for your help. -- Warren Guy Senior System Administrator CalorieKing From Kevin_Miller at ci.juneau.ak.us Wed Apr 2 16:46:00 2008 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Wed Apr 2 16:46:43 2008 Subject: SA times out In-Reply-To: <47F3A36A.10008@ecs.soton.ac.uk> References: <47F39721.3000603@ecs.soton.ac.uk> <47F3A36A.10008@ecs.soton.ac.uk> Message-ID: Julian Field wrote: > Kevin Miller wrote: >> If there's a bunch of messages in the incoming queue, how do you >> specify which message you want to test against? > You can't. 
>> I don't know if that >> functionality is already there, > It's not. >> but perhaps a feature request could be a >> CLI switch to specify the message ID so MS only scans the particular >> message(s) that you're interested in observing. >> > Good idea. I'll take a look. Would a single ID do? I'd think so, at this stage. Maybe someone will need multiple message functionality in the future, but I'd hazard a guess that if more than one message is problematic, that the trouble would be common amongst them, hence, a single test would probably be sufficient... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 From MailScanner at ecs.soton.ac.uk Wed Apr 2 16:45:54 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Apr 2 16:46:43 2008 Subject: SA times out In-Reply-To: <47F3A36A.10008@ecs.soton.ac.uk> References: <47F39721.3000603@ecs.soton.ac.uk> <47F3A36A.10008@ecs.soton.ac.uk> Message-ID: <47F3AA32.50303@ecs.soton.ac.uk> Julian Field wrote: > > > Kevin Miller wrote: >> Julian Field wrote: >> >>> What happens if you put one of those Russian spam in your incoming >>> mail queue, run MailScanner --debug --debug-sa and watch what >>> happens? The --debug-sa now outputs time stamps with every debug line >>> output, so you can see exactly how long it is waiting at each stage. >>> >> >> If there's a bunch of messages in the incoming queue, how do you specify >> which message you want to test against? > You can't. >> I don't know if that >> functionality is already there, > It's not. >> but perhaps a feature request could be a >> CLI switch to specify the message ID so MS only scans the particular >> message(s) that you're interested in observing. >> > Good idea. I'll take a look. Would a single ID do? All done. It will be in the next release. 
Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From philip at zeiglers.net Wed Apr 2 16:47:39 2008 From: philip at zeiglers.net (Philip Zeigler) Date: Wed Apr 2 16:48:35 2008 Subject: SA times out In-Reply-To: <47F3A36A.10008@ecs.soton.ac.uk> References: <47F39721.3000603@ecs.soton.ac.uk> <47F3A36A.10008@ecs.soton.ac.uk> Message-ID: <47F3AA9B.1070908@zeiglers.net> Julian Field wrote: > > > Kevin Miller wrote: >> Julian Field wrote: >> >>> What happens if you put one of those Russian spam in your incoming >>> mail queue, run MailScanner --debug --debug-sa and watch what >>> happens? The --debug-sa now outputs time stamps with every debug line >>> output, so you can see exactly how long it is waiting at each stage. >>> >> >> If there's a bunch of messages in the incoming queue, how do you specify >> which message you want to test against? > You can't. >> I don't know if that >> functionality is already there, > It's not. >> but perhaps a feature request could be a >> CLI switch to specify the message ID so MS only scans the particular >> message(s) that you're interested in observing. >> > Good idea. I'll take a look. Would a single ID do? > > Jules > I'm having the same issue. Can't seem to catch on to run through the queue in debug mode. What is happening on my system is this: Load average jumps from 0.23 to > 20.0. Sendmail starts rejecting incoming messages due to load. Everything starts to timeout such as file checks. When I run top, I see that it is running the virus checks when this starts to occur (I'm running clamd, bitdefender, and avg). 
There are a lot of find processes running as well which is also eating resources. After it chews through the email, all jumps down to an average load around .2 and then processes everything normally. Philip Zeigler -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From maillists at conactive.com Wed Apr 2 17:18:02 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Wed Apr 2 17:18:50 2008 Subject: SA times out In-Reply-To: <47F39721.3000603@ecs.soton.ac.uk> References: <47F39721.3000603@ecs.soton.ac.uk> Message-ID: Julian Field wrote on Wed, 02 Apr 2008 15:24:33 +0100: > What happens if you put one of those Russian spam in your incoming mail > queue I already thought about that, but I'm not saving in queue file format as I'm using Mailwatch. Can I use these parameters in the init script? I could then try to run it like this for one day or so and then dig up by sendmail queue id. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From steve.freegard at fsl.com Wed Apr 2 17:32:41 2008 From: steve.freegard at fsl.com (Steve Freegard) Date: Wed Apr 2 17:34:39 2008 Subject: SA times out In-Reply-To: References: <47F39721.3000603@ecs.soton.ac.uk> Message-ID: <47F3B529.5020500@fsl.com> Kai Schaetzl wrote: > Julian Field wrote on Wed, 02 Apr 2008 15:24:33 +0100: > >> What happens if you put one of those Russian spam in your incoming mail >> queue > > I already thought about that, but I'm not saving in queue file format as > I'm using Mailwatch. If you have the files quarantined in RFC822 format, then you can simply re-inject them back into the queue with 'sendmail -t -i < /path/to/message'. Otherwise, you could use the 'Archive Mail' directive, then you'll get a copy of everything in qf/df format. Cheers, Steve. 
From MailScanner at ecs.soton.ac.uk Wed Apr 2 17:44:30 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Apr 2 17:45:14 2008 Subject: SA times out In-Reply-To: <47F3AA9B.1070908@zeiglers.net> References: <47F39721.3000603@ecs.soton.ac.uk> <47F3A36A.10008@ecs.soton.ac.uk> <47F3AA9B.1070908@zeiglers.net> Message-ID: <47F3B7EE.5000104@ecs.soton.ac.uk> Philip Zeigler wrote: > Julian Field wrote: >> >> >> Kevin Miller wrote: >>> Julian Field wrote: >>> >>>> What happens if you put one of those Russian spam in your incoming >>>> mail queue, run MailScanner --debug --debug-sa and watch what >>>> happens? The --debug-sa now outputs time stamps with every debug line >>>> output, so you can see exactly how long it is waiting at each stage. >>>> >>> >>> If there's a bunch of messages in the incoming queue, how do you >>> specify >>> which message you want to test against? >> You can't. >>> I don't know if that >>> functionality is already there, >> It's not. >>> but perhaps a feature request could be a >>> CLI switch to specify the message ID so MS only scans the particular >>> message(s) that you're interested in observing. >>> >> Good idea. I'll take a look. Would a single ID do? >> >> Jules >> > I'm having the same issue. Can't seem to catch on to run through the > queue in debug mode. > > What is happening on my system is this: > > Load average jumps from 0.23 to > 20.0. Sendmail starts rejecting > incoming messages due to load. Everything starts to timeout such as > file checks. When I run top, I see that it is running the virus > checks when this starts to occur (I'm running clamd, bitdefender, and > avg). There are a lot of find processes running as well which is also > eating resources. Check out the -wrapper scripts for bitdefender and avg to make sure they aren't doing anything silly. I don't use either scanner myself, so have limited knowledge of them. 
> > After is chews through the email, all jumps down to an average load > around .2 and then processes everything normally. > > Philip Zeigler > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From mailscanner at tecnowaydigital.com.br Wed Apr 2 17:41:57 2008 From: mailscanner at tecnowaydigital.com.br (mailscanner@tecnowaydigital.com.br) Date: Wed Apr 2 17:51:22 2008 Subject: MailScanner ignoring some rules Message-ID: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> Hi all. At MailScanner recent versions, when I set some rules like: Scan Messages = /etc/MailScanner/rules/scan.messages.rules or Filename Rules = /etc/MailScanner/filename.rules The MailScanner simply ignore the rules and don't print any error message. Someone can help me. Thanks Rogerio From dave.list at pixelhammer.com Wed Apr 2 18:05:18 2008 From: dave.list at pixelhammer.com (DAve) Date: Wed Apr 2 18:06:03 2008 Subject: New MS install is slow to an extreme Message-ID: <47F3BCCE.7020301@pixelhammer.com> Not certain what is wrong here. I did a fresh clean install of FreeBSD 6.2, Julian's MS tarball and Julian's SA and Clam tarball. Everything went well, everything runs. But, now I am seeing batches like this. MailScanner[58796]: New Batch: Found 2907 messages waiting MailScanner[58796]: New Batch: Scanning 30 messages, 306454 bytes MailScanner[56909]: Batch completed at 790 bytes per second (398241 / 503) MailScanner[56909]: Batch (30 messages) processed in 503.55 seconds Previously we had maybe 4 messages per batch and processed them in 2 to 6 seconds. The current time to scan is killing me. 
mailscanner-install-4.67.6-1.tar.gz install-clam-0.92.1-sa-3.2.4.tar.gz SA plugins enabled, all others disabled = AutoLearnThreshold, Check, Shortcircuit, Bayes, BodyEval, HTMLEval, HeaderEval, MIMEEval, RelayEval, URIEval, WLBLEval, Rule2XSBody, ImageInfo, URIDNSBL. All SA rules have been compiled. Bayes is enabled. I have "skip_rbl_checks 1" shortcircuit ALL_TRUSTED on shortcircuit BAYES_99 spam shortcircuit BAYES_00 ham In MS I have the following, I can send a complete conf if needed. Max Children = 10 Queue Scan Interval = 5 Virus Scanners = clamavmodule Delivery Method = batch I don't zip attachments, I don't use MCP, I don't use Watermarks. I think I have done everything I can for speed, but I am losing ground. I am running a local caching name server on each MS server. Not sure where to go from here. DAve -- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins. From ecasarero at gmail.com Wed Apr 2 18:34:27 2008 From: ecasarero at gmail.com (Eduardo Casarero) Date: Wed Apr 2 18:35:02 2008 Subject: New MS install is slow to an extreme In-Reply-To: <47F3BCCE.7020301@pixelhammer.com> References: <47F3BCCE.7020301@pixelhammer.com> Message-ID: <7d9b3cf20804021034p58087804kc4e3982fad042374@mail.gmail.com> Check this option in mailscanner.conf ClamAV Full Message Scan = no how do you do the bayes expire? if it's set to yes really slows down the process. Do you have /var/spool/MailScanner/incoming on tmpfs? hope this helps! 2008/4/2, DAve : > Not certain what is wrong here. I did a fresh clean install of FreeBSD 6.2, > Julian's MS tarball and Julian's SA and Clam tarball. Everything went well, > everything runs. But, now I am seeing batches like this. 
> > MailScanner[58796]: New Batch: Found 2907 messages waiting > MailScanner[58796]: New Batch: Scanning 30 messages, 306454 bytes > MailScanner[56909]: Batch completed at 790 bytes per second (398241 / 503) > MailScanner[56909]: Batch (30 messages) processed in 503.55 seconds > > Previously we had maybe 4 messages per batch and processed them in 2 to 6 > seconds. The current time to scan is killing me. > > mailscanner-install-4.67.6-1.tar.gz > > install-clam-0.92.1-sa-3.2.4.tar.gz > > SA plugins enabled, all others disabled = AutoLearnThreshold, Check, > Shortcircuit, Bayes, BodyEval, HTMLEval, HeaderEval, MIMEEval, RelayEval, > URIEval, WLBLEval, Rule2XSBody, ImageInfo, URIDNSBL. > All SA rules have been compiled. > Bayes is enabled. > I have "skip_rbl_checks 1" > shortcircuit ALL_TRUSTED on > shortcircuit BAYES_99 spam > shortcircuit BAYES_00 ham > > In MS I have the following, I can send a complete conf if needed. > Max Children = 10 > Queue Scan Interval = 5 > Virus Scanners = clamavmodule > Delivery Method = batch > > I don't zip attachments, I don't use MCP, I don't use Watermarks. I think I > have done everything I can for speed, but I am losing ground. > > I am running a local caching name server on each MS server. > > Not sure where to go from here. > > DAve > > > -- > In 50 years, our descendants will look back on the early years > of the internet, and much like we now look back on men with > rockets on their back and feathers glued to their arms, marvel > that we had the intelligence to wipe the drool from our chins. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> From MailScanner at ecs.soton.ac.uk Wed Apr 2 18:48:03 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Wed Apr 2 18:48:47 2008 Subject: New MS install is slow to an extreme In-Reply-To: <47F3BCCE.7020301@pixelhammer.com> References: <47F3BCCE.7020301@pixelhammer.com> Message-ID: <47F3C6D3.10107@ecs.soton.ac.uk> Start by MailScanner --debug --debug-sa to see where the holdups are. Check you haven't got a screwed SpamAssassin cache as well. DAve wrote: > Not certain what is wrong here. I did a fresh clean install of FreeBSD > 6.2, Julian's MS tarball and Julian's SA and Clam tarball. Everything > went well, everything runs. But, now I am seeing batches like this. > > MailScanner[58796]: New Batch: Found 2907 messages waiting > MailScanner[58796]: New Batch: Scanning 30 messages, 306454 bytes > MailScanner[56909]: Batch completed at 790 bytes per second (398241 / > 503) > MailScanner[56909]: Batch (30 messages) processed in 503.55 seconds > > Previously we had maybe 4 messages per batch and processed them in 2 > to 6 seconds. The current time to scan is killing me. > > mailscanner-install-4.67.6-1.tar.gz > > install-clam-0.92.1-sa-3.2.4.tar.gz > > SA plugins enabled, all others disabled = AutoLearnThreshold, Check, > Shortcircuit, Bayes, BodyEval, HTMLEval, HeaderEval, MIMEEval, > RelayEval, URIEval, WLBLEval, Rule2XSBody, ImageInfo, URIDNSBL. > All SA rules have been compiled. > Bayes is enabled. > I have "skip_rbl_checks 1" > shortcircuit ALL_TRUSTED on > shortcircuit BAYES_99 spam > shortcircuit BAYES_00 ham > > In MS I have the following, I can send a complete conf if needed. > Max Children = 10 > Queue Scan Interval = 5 > Virus Scanners = clamavmodule > Delivery Method = batch > > I don't zip attachments, I don't use MCP, I don't use Watermarks. I > think I have done everything I can for speed, but I am losing ground. > > I am running a local caching name server on each MS server. > > Not sure where to go from here. 
> > DAve > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From Ron.Ghetti at town.barnstable.ma.us Wed Apr 2 18:59:52 2008 From: Ron.Ghetti at town.barnstable.ma.us (Ghetti, Ron) Date: Wed Apr 2 18:59:52 2008 Subject: MailScanner upgrade Message-ID: <3411CC12BB577F4FAEAC8A694780866B12C5CF@ITMAIL.town.barnstable.ma.us> Hello everyone, attempting upgrade from 4.60 to 4.68 on an Ubuntu box. Any particular things I should watch for or deal with before running the install? I don't see much in the way of detail on this particular operation. Thanks -Ron From bpirie at rma.edu Wed Apr 2 19:01:49 2008 From: bpirie at rma.edu (Brendan Pirie) Date: Wed Apr 2 19:01:06 2008 Subject: New MS install is slow to an extreme In-Reply-To: <47F3BCCE.7020301@pixelhammer.com> References: <47F3BCCE.7020301@pixelhammer.com> Message-ID: <47F3CA0D.6040701@rma.edu> DAve wrote: > Not certain what is wrong here. I did a fresh clean install of FreeBSD > 6.2, Julian's MS tarball and Julian's SA and Clam tarball. Everything > went well, everything runs. But, now I am seeing batches like this. > > MailScanner[58796]: New Batch: Found 2907 messages waiting > MailScanner[58796]: New Batch: Scanning 30 messages, 306454 bytes > MailScanner[56909]: Batch completed at 790 bytes per second (398241 / 503) > MailScanner[56909]: Batch (30 messages) processed in 503.55 seconds > > Previously we had maybe 4 messages per batch and processed them in 2 to > 6 seconds. The current time to scan is killing me. 
> > mailscanner-install-4.67.6-1.tar.gz > > install-clam-0.92.1-sa-3.2.4.tar.gz > > SA plugins enabled, all others disabled = AutoLearnThreshold, Check, > Shortcircuit, Bayes, BodyEval, HTMLEval, HeaderEval, MIMEEval, > RelayEval, URIEval, WLBLEval, Rule2XSBody, ImageInfo, URIDNSBL. > All SA rules have been compiled. > Bayes is enabled. > I have "skip_rbl_checks 1" > shortcircuit ALL_TRUSTED on > shortcircuit BAYES_99 spam > shortcircuit BAYES_00 ham > > In MS I have the following, I can send a complete conf if needed. > Max Children = 10 > Queue Scan Interval = 5 > Virus Scanners = clamavmodule > Delivery Method = batch > > I don't zip attachments, I don't use MCP, I don't use Watermarks. I > think I have done everything I can for speed, but I am losing ground. > > I am running a local caching name server on each MS server. > > Not sure where to go from here. > > DAve > > Which MTA are you using? Brendan From dave.list at pixelhammer.com Wed Apr 2 19:17:03 2008 From: dave.list at pixelhammer.com (DAve) Date: Wed Apr 2 19:17:50 2008 Subject: New MS install is slow to an extreme Message-ID: <47F3CD9F.7070406@pixelhammer.com> Likely I am going to break threading, but I am reading via the archive, I am far to slow to get the messages. > Check this option in mailscanner.conf > ClamAV Full Message Scan = no Set to no > > how do you do the bayes expire? MailScanner, same as all previous installs. > > if it's set to yes really slows down de process. > > Do you have /var/spool/MailScanner/incoming on tmpfs? Not at this time, I didn't previously. > Start by > MailScanner --debug --debug-sa bash-2.05b# ./MailScanner --debug --debug-sa In Debugging mode, not forking... Trying to setlogsock(unix) ***** If 'awk' (with support for the function strftime) was available on your $PATH then all the SpamAssassin debug output would have the current time added to the start of every line, making debugging far easier. 
***** SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp [72851] dbg: logger: adding facilities: all [72851] dbg: logger: logging level is DBG [72851] dbg: generic: SpamAssassin version 3.2.4 [72851] dbg: config: score set 0 chosen. [72851] dbg: dns: no ipv6 [72851] dbg: dns: is Net::DNS::Resolver available? yes [72851] dbg: dns: Net::DNS version: 0.62 Use of uninitialized value in concatenation (.) or string at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1088. Use of uninitialized value in concatenation (.) or string at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1090. [72851] dbg: config: read_scoreonly_config: cannot open "": No such file or directory Building a message batch to scan... Have a batch of 30 messages. Stopping now as you are debugging me. > to see where the holdups are. > Check you haven't got a screwed SpamAssassin cache as well. I removed it and restarted MS, no change. > Which MTA are you using? Sendmail It is worth noting that spamassassin -D --lint runs fine. I checked after I moved all our config over to the new version. Thanks everyone. I'm still looking at what might be wrong. DAve -- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins. From lists at openenterprise.ca Wed Apr 2 19:47:40 2008 From: lists at openenterprise.ca (Johnny Stork) Date: Wed Apr 2 19:48:20 2008 Subject: Error Messages on MailScanner startup Message-ID: <47F3D4CC.1040209@openenterprise.ca> When I s new start MailScanner now (just upgraded to latest today), I get the message below, which I guess comes from the new syntax checking. Can I fix this somewhere? commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 81. 
Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93, line 81.

From dave.list at pixelhammer.com Wed Apr 2 19:59:49 2008
From: dave.list at pixelhammer.com (DAve)
Date: Wed Apr 2 20:00:35 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <47F3CD9F.7070406@pixelhammer.com>
References: <47F3CD9F.7070406@pixelhammer.com>
Message-ID: <47F3D7A5.5040509@pixelhammer.com>

DAve wrote:
> Likely I am going to break threading, but I am reading via the archive,
> I am far too slow to get the messages.
>
>> Check this option in mailscanner.conf
>> ClamAV Full Message Scan = no
>
> Set to no
>
>>
>> how do you do the bayes expire?
>
> MailScanner, same as all previous installs.
>
>>
>> if it's set to yes really slows down the process.
>>
>> Do you have /var/spool/MailScanner/incoming on tmpfs?
>
> Not at this time, I didn't previously.

I moved the incoming dir to a tmpfs mount (mdmfs on freebsd) no change in processing time.

I am getting really stumped now.

DAve

--
In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins.

From MailScanner at ecs.soton.ac.uk Wed Apr 2 20:10:03 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Apr 2 20:10:57 2008
Subject: Error Messages on MailScanner startup
In-Reply-To: <47F3D4CC.1040209@openenterprise.ca>
References: <47F3D4CC.1040209@openenterprise.ca>
Message-ID: <47F3DA0B.9020803@ecs.soton.ac.uk>

You can always turn it off by setting "Automatic Syntax Check = no" in MailScanner.conf.

Johnny Stork wrote:
> When I s new start MailScanner now (just upgraded to latest today), I
> get the message below, which I guess comes from the new syntax
> checking. Can I fix this somewhere?
>
>
>
>
> commit ineffective with AutoCommit enabled at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 81.
> Commmit ineffective while AutoCommit is on at
> /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93,
> line 81.
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From maillists at conactive.com Wed Apr 2 20:31:24 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Apr 2 20:32:20 2008
Subject: SA times out
In-Reply-To: <47F3B529.5020500@fsl.com>
References: <47F39721.3000603@ecs.soton.ac.uk> <47F3B529.5020500@fsl.com>
Message-ID:

Steve Freegard wrote on Wed, 02 Apr 2008 17:32:41 +0100:

> If you have the files quarantined in RFC822 format, then you can simply
> re-inject them back into the queue with 'sendmail -t -i < /path/to/message'.

Might work if I stop whitelisting localhost for that. Thanks, Steve.

> Otherwise, you could use the 'Archive Mail' directive, then you'll get a
> copy of everything in qf/df format.

The option if first one doesn't work, thanks again!

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Wed Apr 2 20:33:36 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Wed Apr 2 20:33:58 2008
Subject: SA times out
In-Reply-To: <47F39721.3000603@ecs.soton.ac.uk>
References: <47F39721.3000603@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Wed, 02 Apr 2008 15:24:33 +0100:

> MailScanner --debug --debug-sa

Ok. 2 Findings.

The output from spamassassin -D and the one from MailScanner is not exactly identical.
There are portions where they almost completely match and there are other portions that appear in different order or are completely different. Is this to be expected? I'm sure I'm using the same local config in /etc/mail/spamassassin for SA with and without MS.

[15949] dbg: config: using "/etc/mail/spamassassin" for site rules pre files

For instance one big difference is that MS does:

[15949] dbg: config: using "/usr/share/spamassassin" for sys rules pre files
[15949] dbg: config: using "/usr/share/spamassassin" for default rules dir
[15949] dbg: config: read file /usr/share/spamassassin/10_default_prefs.cf

while SA uses the new locations:

[16547] dbg: config: using "/var/lib/spamassassin/3.002004" for sys rules pre files
[16547] dbg: config: using "/var/lib/spamassassin/3.002004" for default rules dir
[16547] dbg: config: read file /var/lib/spamassassin/3.002004/70_sare_adult_cf_sare_sa-update_dostech_net.cf

There are other things where it differs, this is the most troubling one, for me.
Then, later MS stops at this stage:

[15949] dbg: auto-whitelist: tie-ing to DB file of type DB_File R/W in /home/spamd/awl/auto-whitelist
[15949] dbg: auto-whitelist: db-based ignore@compiling.spamassassin.taint.org|ip=none scores 0/0
[15949] dbg: auto-whitelist: AWL active, pre-score: 3.053, autolearn score: 3.053, mean: undef, IP: undef
[15949] dbg: auto-whitelist: DB addr list: untie-ing and unlocking
[15949] dbg: auto-whitelist: DB addr list: file locked, breaking lock
[15949] dbg: locker: safe_unlock: unlocked /home/spamd/awl/auto-whitelist.mutex
[15949] dbg: auto-whitelist: post auto-whitelist score: 3.053
[15949] dbg: rules: running body tests; score so far=3.053
[15949] dbg: rules: compiled body tests
[15949] dbg: rules: running uri tests; score so far=3.053
[15949] dbg: rules: compiled uri tests
[15949] dbg: rules: running rawbody tests; score so far=3.053
[15949] dbg: rules: compiled rawbody tests
[15949] dbg: rules: running full tests; score so far=3.053
[15949] dbg: rules: compiled full tests
[15949] dbg: rules: running meta tests; score so far=3.053
[15949] dbg: rules: compiled meta tests
[15949] dbg: check: is spam? score=3.053 required=5
[15949] dbg: check: tests=MISSING_DATE,MISSING_HEADERS,MISSING_SUBJECT,NO_RECEIVED,NO_RELAYS
[15949] dbg: check: subtests=__BOTNET_NOTRUST,__HAS_MSGID,__MISSING_REF,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__MSOE_MID_WRONG_CASE,__NONEMPTY_BODY,__SANE_MSGID,__UNUSABLE_MSGID
[15949] dbg: bayes: untie-ing

here all activity drops (checked in top) to zero and eventually it goes on (without printing anything about a timeout, but I assume it hits the timeout at this stage) with this which is usually the last line:

commit ineffective with AutoCommit enabled at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93.
Commmit ineffective while AutoCommit is on at /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm line 93.

(Steve, can one do something about this?
It doesn't seem to hurt, I remember it's always been this way on this machine)

On my first debug another message slipped in and I saw MailScanner printing that it stops now and exits because it is in debug mode. I assume this should happen each time? It didn't do this with this message but kept hanging after the above line, maybe it was still waiting for SA. I killed it.

Now, the output from SA -D looks like this:

[16547] dbg: rules: running uri tests; score so far=0
[16547] dbg: rules: compiled uri tests
[16547] dbg: plugin: Mail::SpamAssassin::Plugin::WLBLEval=HASH(0x92183b8) implements 'check_wb_list', priority 0
[16547] dbg: bayes: DB journal sync: last sync: 1207137283
[16547] dbg: bayes: corpus size: nspam = 62507, nham = 42292
[16547] dbg: bayes: score = 1
[16547] dbg: bayes: DB journal sync: last sync: 1207137283
[16547] dbg: bayes: untie-ing
[16547] dbg: rules: ran eval rule BAYES_99 ======> got hit (1)

There is no noticeable pause after "untie-ing". Also notice that there's no auto-whitelist check happening directly before this (that's why I quoted a bit more in the MS portion). In the SA output the auto-whitelist check happens much later. The MS output stops at about line 375. The same line in SA output is at about line 460 and the auto-whitelist check happens at line 650. It's actually the last thing it does before auto-learning and creating mail output.

The message itself is about 800 lines in KOI-8 Russian.

I have a machine with a newer MS and a slightly older SA. I'll check later what output I get there.
Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From Lists at Tatorz.com Wed Apr 2 20:37:04 2008
From: Lists at Tatorz.com (Brian)
Date: Wed Apr 2 20:37:32 2008
Subject: MailScanner ANNOUNCE: 4.68.8 stable released
In-Reply-To: <47F24745.2090703@ecs.soton.ac.uk>
References: <47F24745.2090703@ecs.soton.ac.uk>
Message-ID: <47F3E060.7040203@Tatorz.com>

Julian Field wrote:
> Folks,
>
> I have just released the latest stable release of MailScanner version
> 4.68.8.
> This is *not* an April Fool's joke :-)
>
>

Am I seeing double or is this an error?

Brian

From peter at farrows.org Wed Apr 2 20:39:45 2008
From: peter at farrows.org (Peter Farrow)
Date: Wed Apr 2 20:40:33 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <47F3D7A5.5040509@pixelhammer.com>
References: <47F3CD9F.7070406@pixelhammer.com> <47F3D7A5.5040509@pixelhammer.com>
Message-ID: <47F3E101.4000006@farrows.org>

DAve wrote:
> DAve wrote:
>> Likely I am going to break threading, but I am reading via the
>> archive, I am far too slow to get the messages.
>>
>>> Check this option in mailscanner.conf
>>> ClamAV Full Message Scan = no
>>
>> Set to no
>>
>>>
>>> how do you do the bayes expire?
>>
>> MailScanner, same as all previous installs.
>>
>>>
>>> if it's set to yes really slows down the process.
>>>
>>> Do you have /var/spool/MailScanner/incoming on tmpfs?
>>
>> Not at this time, I didn't previously.
>
> I moved the incoming dir to a tmpfs mount (mdmfs on freebsd) no change
> in processing time.
>
> I am getting really stumped now.
>
> DAve
>
>
>

Does your load average creep up?

P.
From dave.list at pixelhammer.com Wed Apr 2 20:49:08 2008
From: dave.list at pixelhammer.com (DAve)
Date: Wed Apr 2 20:49:51 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <47F3C6D3.10107@ecs.soton.ac.uk>
References: <47F3BCCE.7020301@pixelhammer.com> <47F3C6D3.10107@ecs.soton.ac.uk>
Message-ID: <47F3E334.7020106@pixelhammer.com>

Julian Field wrote:
> Start by
> MailScanner --debug --debug-sa
> to see where the holdups are.
> Check you haven't got a screwed SpamAssassin cache as well.

I changed my virus scanner from clamavmodule to clamav and my batch time went from 400/600 seconds to 60/140 seconds. As the system works through the queue I can watch the times increase up to 200 seconds. Possibly because they are large batches?

I am considering removing the clamav phishing and spam checks to see if that helps.

DAve

>
> DAve wrote:
>> Not certain what is wrong here. I did a fresh clean install of FreeBSD
>> 6.2, Julian's MS tarball and Julian's SA and Clam tarball. Everything
>> went well, everything runs. But, now I am seeing batches like this.
>>
>> MailScanner[58796]: New Batch: Found 2907 messages waiting
>> MailScanner[58796]: New Batch: Scanning 30 messages, 306454 bytes
>> MailScanner[56909]: Batch completed at 790 bytes per second (398241 /
>> 503)
>> MailScanner[56909]: Batch (30 messages) processed in 503.55 seconds
>>
>> Previously we had maybe 4 messages per batch and processed them in 2
>> to 6 seconds. The current time to scan is killing me.
>>
>> mailscanner-install-4.67.6-1.tar.gz
>>
>> install-clam-0.92.1-sa-3.2.4.tar.gz
>>
>> SA plugins enabled, all others disabled = AutoLearnThreshold, Check,
>> Shortcircuit, Bayes, BodyEval, HTMLEval, HeaderEval, MIMEEval,
>> RelayEval, URIEval, WLBLEval, Rule2XSBody, ImageInfo, URIDNSBL.
>> All SA rules have been compiled.
>> Bayes is enabled.
>> I have "skip_rbl_checks 1"
>> shortcircuit ALL_TRUSTED on
>> shortcircuit BAYES_99 spam
>> shortcircuit BAYES_00 ham
>>
>> In MS I have the following, I can send a complete conf if needed.
>> Max Children = 10
>> Queue Scan Interval = 5
>> Virus Scanners = clamavmodule
>> Delivery Method = batch
>>
>> I don't zip attachments, I don't use MCP, I don't use Watermarks. I
>> think I have done everything I can for speed, but I am losing ground.
>>
>> I am running a local caching name server on each MS server.
>>
>> Not sure where to go from here.
>>
>> DAve
>>
>>
>
> Jules
>

--
In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins.

From peter at farrows.org Wed Apr 2 21:00:15 2008
From: peter at farrows.org (Peter Farrow)
Date: Wed Apr 2 21:00:49 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <47F3CD9F.7070406@pixelhammer.com>
References: <47F3CD9F.7070406@pixelhammer.com>
Message-ID: <47F3E5CF.7080505@farrows.org>

DAve wrote:
> Likely I am going to break threading, but I am reading via the
> archive, I am far too slow to get the messages.
>
>> Check this option in mailscanner.conf
>> ClamAV Full Message Scan = no
>
> Set to no
>
>>
>> how do you do the bayes expire?
>
> MailScanner, same as all previous installs.
>
>>
>> if it's set to yes really slows down the process.
>>
>> Do you have /var/spool/MailScanner/incoming on tmpfs?
>
> Not at this time, I didn't previously.
>
>> Start by
>> MailScanner --debug --debug-sa
>
> bash-2.05b# ./MailScanner --debug --debug-sa
> In Debugging mode, not forking...
> Trying to setlogsock(unix)
>
>
> *****
> If 'awk' (with support for the function strftime) was
> available on your $PATH then all the SpamAssassin debug
> output would have the current time added to the start of
> every line, making debugging far easier.
> *****
>
> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> [72851] dbg: logger: adding facilities: all
> [72851] dbg: logger: logging level is DBG
> [72851] dbg: generic: SpamAssassin version 3.2.4
> [72851] dbg: config: score set 0 chosen.
> [72851] dbg: dns: no ipv6
> [72851] dbg: dns: is Net::DNS::Resolver available? yes
> [72851] dbg: dns: Net::DNS version: 0.62
> Use of uninitialized value in concatenation (.) or string at
> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1088.
> Use of uninitialized value in concatenation (.) or string at
> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1090.
> [72851] dbg: config: read_scoreonly_config: cannot open "": No such
> file or directory
> Building a message batch to scan...
> Have a batch of 30 messages.
> Stopping now as you are debugging me.
>
>> to see where the holdups are.
>> Check you haven't got a screwed SpamAssassin cache as well.
>
> I removed it and restarted MS, no change.
>
>> Which MTA are you using?
>
> Sendmail
>
> It is worth noting that spamassassin -D --lint runs fine. I checked
> after I moved all our config over to the new version.
>
> Thanks everyone. I'm still looking at what might be wrong.
>
>
> DAve
>

I had this issue with the latest version on Centos 4.6. As I was in a hurry at the time I rolled it back to 4.65.3-1 and the problem went away just to prove it wasn't any of my Milters or modules causing the problem. I wasn't too bothered as I was upgrading from 4.5x so I still got a major upgrade..

I did notice that it wasn't just slow as you describe, it actually was just queuing everything, I didn't leave it long enough to verify that though as I got 600 messages in the queue quite quickly.

The problem in debug mode was exactly as you describe with it halting at "Trying to setlogsock(unix)"

The error seems to be to do with the perl sys::syslog , the perl -> syslog interface routine.
By rolling back to the slightly earlier MailScanner version the problem was instantly fixed...

Pete

From glenn.steen at gmail.com Wed Apr 2 21:09:06 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Apr 2 21:15:58 2008
Subject: Error Messages on MailScanner startup
In-Reply-To: <47F3DA0B.9020803@ecs.soton.ac.uk>
References: <47F3D4CC.1040209@openenterprise.ca> <47F3DA0B.9020803@ecs.soton.ac.uk>
Message-ID: <223f97700804021309x6a701287m22898763cf702fd2@mail.gmail.com>

On 02/04/2008, Julian Field wrote:
> You can always turn it off by setting "Automatic Syntax Check = no" in
> MailScanner.conf.

Or just ignore it... or turn off autocommit in mysql... or ...:-)
The "error" is cosmetic in nature.
--
Glenn

> Johnny Stork wrote:
>
> > When I s new start MailScanner now (just upgraded to latest today), I get
> > the message below, which I guess comes from the new syntax checking. Can I
> > fix this somewhere?
> >
> >
> >
> >
> > commit ineffective with AutoCommit enabled at
> > /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm
> > line 93, line 81.
> > Commmit ineffective while AutoCommit is on at
> > /usr/lib/MailScanner/MailScanner/CustomFunctions/MailWatch.pm
> > line 93, line 81.
> >
> >
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key: http://www.jules.fm/julesfm.asc
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From dave.list at pixelhammer.com Wed Apr 2 21:53:05 2008
From: dave.list at pixelhammer.com (DAve)
Date: Wed Apr 2 21:53:48 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <47F3E5CF.7080505@farrows.org>
References: <47F3CD9F.7070406@pixelhammer.com> <47F3E5CF.7080505@farrows.org>
Message-ID: <47F3F231.7050008@pixelhammer.com>

Peter Farrow wrote:
> DAve wrote:
>> Likely I am going to break threading, but I am reading via the
>> archive, I am far too slow to get the messages.
>>
>>> Check this option in mailscanner.conf
>>> ClamAV Full Message Scan = no
>>
>> Set to no
>>
>>>
>>> how do you do the bayes expire?
>>
>> MailScanner, same as all previous installs.
>>
>>>
>>> if it's set to yes really slows down the process.
>>>
>>> Do you have /var/spool/MailScanner/incoming on tmpfs?
>>
>> Not at this time, I didn't previously.
>>
>>> Start by
>>> MailScanner --debug --debug-sa
>>
>> bash-2.05b# ./MailScanner --debug --debug-sa
>> In Debugging mode, not forking...
>> Trying to setlogsock(unix)
>>
>>
>> *****
>> If 'awk' (with support for the function strftime) was
>> available on your $PATH then all the SpamAssassin debug
>> output would have the current time added to the start of
>> every line, making debugging far easier.
>> *****
>>
>> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> [72851] dbg: logger: adding facilities: all
>> [72851] dbg: logger: logging level is DBG
>> [72851] dbg: generic: SpamAssassin version 3.2.4
>> [72851] dbg: config: score set 0 chosen.
>> [72851] dbg: dns: no ipv6
>> [72851] dbg: dns: is Net::DNS::Resolver available? yes
>> [72851] dbg: dns: Net::DNS version: 0.62
>> Use of uninitialized value in concatenation (.) or string at
>> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1088.
>> Use of uninitialized value in concatenation (.) or string at
>> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1090.
>> [72851] dbg: config: read_scoreonly_config: cannot open "": No such
>> file or directory
>> Building a message batch to scan...
>> Have a batch of 30 messages.
>> Stopping now as you are debugging me.
>>
>>> to see where the holdups are.
>>> Check you haven't got a screwed SpamAssassin cache as well.
>>
>> I removed it and restarted MS, no change.
>>
>>> Which MTA are you using?
>>
>> Sendmail
>>
>> It is worth noting that spamassassin -D --lint runs fine. I checked
>> after I moved all our config over to the new version.
>>
>> Thanks everyone. I'm still looking at what might be wrong.
>>
>>
>> DAve
>>
> I had this issue with the latest version on Centos 4.6. As I was in a
> hurry at the time I rolled it back to 4.65.3-1 and the problem went away
> just to prove it wasn't any of my Milters or modules causing the
> problem. I wasn't too bothered as I was upgrading from 4.5x so I still
> got a major upgrade..
>
> I did notice that it wasn't just slow as you describe, it actually was
> just queuing everything, I didn't leave it long enough to verify that
> though as I got 600 messages in the queue quite quickly.
>
> The problem in debug mode was exactly as you describe with it halting at
> "Trying to setlogsock(unix)"
>
> The error seems to be to do with the perl sys::syslog , the perl ->
> syslog interface routine.
>
> By rolling back to the slightly earlier MailScanner version the problem
> was instantly fixed...
>
> Pete
>

I upgraded the sys::syslog from .18 to .24 with no change. But, during debug I am getting this and it slows down considerably even with a single message batch.

rules: failed to run DNS_FROM_OPENWHOIS RBL test, skipping:
(Can't locate object method "check_rbl_envfrom" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/Check.pm line 203.
)

This seems to be the killer.
I have no rbl checks configured with SA, so I don't understand this.

DAve

--
In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins.

From MailScanner at ecs.soton.ac.uk Wed Apr 2 22:07:29 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Apr 2 22:08:18 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <47F3E5CF.7080505@farrows.org>
References: <47F3CD9F.7070406@pixelhammer.com> <47F3E5CF.7080505@farrows.org>
Message-ID: <47F3F591.8030300@ecs.soton.ac.uk>

Peter Farrow wrote:
> DAve wrote:
>> Likely I am going to break threading, but I am reading via the
>> archive, I am far too slow to get the messages.
>>
>>> Check this option in mailscanner.conf
>>> ClamAV Full Message Scan = no
>>
>> Set to no
>>
>>>
>>> how do you do the bayes expire?
>>
>> MailScanner, same as all previous installs.
>>
>>>
>>> if it's set to yes really slows down the process.
>>>
>>> Do you have /var/spool/MailScanner/incoming on tmpfs?
>>
>> Not at this time, I didn't previously.
>>
>>> Start by
>>> MailScanner --debug --debug-sa
>>
>> bash-2.05b# ./MailScanner --debug --debug-sa
>> In Debugging mode, not forking...
>> Trying to setlogsock(unix)
>>
>>
>> *****
>> If 'awk' (with support for the function strftime) was
>> available on your $PATH then all the SpamAssassin debug
>> output would have the current time added to the start of
>> every line, making debugging far easier.
>> *****
>>
>> SpamAssassin temp dir =
>> /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> [72851] dbg: logger: adding facilities: all
>> [72851] dbg: logger: logging level is DBG
>> [72851] dbg: generic: SpamAssassin version 3.2.4
>> [72851] dbg: config: score set 0 chosen.
>> [72851] dbg: dns: no ipv6
>> [72851] dbg: dns: is Net::DNS::Resolver available? yes
>> [72851] dbg: dns: Net::DNS version: 0.62
>> Use of uninitialized value in concatenation (.) or string at
>> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1088.
>> Use of uninitialized value in concatenation (.) or string at
>> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1090.
>> [72851] dbg: config: read_scoreonly_config: cannot open "": No such
>> file or directory
>> Building a message batch to scan...
>> Have a batch of 30 messages.
>> Stopping now as you are debugging me.
>>
>>> to see where the holdups are.
>>> Check you haven't got a screwed SpamAssassin cache as well.
>>
>> I removed it and restarted MS, no change.
>>
>>> Which MTA are you using?
>>
>> Sendmail
>>
>> It is worth noting that spamassassin -D --lint runs fine. I checked
>> after I moved all our config over to the new version.
>>
>> Thanks everyone. I'm still looking at what might be wrong.
>>
>>
>> DAve
>>
> I had this issue with the latest version on Centos 4.6. As I was in a
> hurry at the time I rolled it back to 4.65.3-1 and the problem went
> away just to prove it wasn't any of my Milters or modules causing the
> problem. I wasn't too bothered as I was upgrading from 4.5x so I
> still got a major upgrade..
>
> I did notice that it wasn't just slow as you describe, it actually was
> just queuing everything, I didn't leave it long enough to verify that
> though as I got 600 messages in the queue quite quickly.
>
> The problem in debug mode was exactly as you describe with it halting
> at "Trying to setlogsock(unix)"
>
> The error seems to be to do with the perl sys::syslog , the perl ->
> syslog interface routine.
>
> By rolling back to the slightly earlier MailScanner version the
> problem was instantly fixed...

Do you get output like this from 'MailScanner --debug' ?

Trying to setlogsock(unix)
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Building a message batch to scan...
How long is the delay between the "Trying to setlogsock(unix)" and the next line of output?

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From dave.list at pixelhammer.com Wed Apr 2 22:31:55 2008
From: dave.list at pixelhammer.com (DAve)
Date: Wed Apr 2 22:32:39 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <47F3F591.8030300@ecs.soton.ac.uk>
References: <47F3CD9F.7070406@pixelhammer.com> <47F3E5CF.7080505@farrows.org> <47F3F591.8030300@ecs.soton.ac.uk>
Message-ID: <47F3FB4B.4020306@pixelhammer.com>

Julian Field wrote:
>
>
> Peter Farrow wrote:
>> DAve wrote:
>>> Likely I am going to break threading, but I am reading via the
>>> archive, I am far too slow to get the messages.
>>>
>>>> Check this option in mailscanner.conf
>>>> ClamAV Full Message Scan = no
>>>
>>> Set to no
>>>
>>>>
>>>> how do you do the bayes expire?
>>>
>>> MailScanner, same as all previous installs.
>>>
>>>>
>>>> if it's set to yes really slows down the process.
>>>>
>>>> Do you have /var/spool/MailScanner/incoming on tmpfs?
>>>
>>> Not at this time, I didn't previously.
>>>
>>>> Start by
>>>> MailScanner --debug --debug-sa
>>>
>>> bash-2.05b# ./MailScanner --debug --debug-sa
>>> In Debugging mode, not forking...
>>> Trying to setlogsock(unix)
>>>
>>>
>>> *****
>>> If 'awk' (with support for the function strftime) was
>>> available on your $PATH then all the SpamAssassin debug
>>> output would have the current time added to the start of
>>> every line, making debugging far easier.
>>> *****
>>>
>>> SpamAssassin temp dir =
>>> /var/spool/MailScanner/incoming/SpamAssassin-Temp
>>> [72851] dbg: logger: adding facilities: all
>>> [72851] dbg: logger: logging level is DBG
>>> [72851] dbg: generic: SpamAssassin version 3.2.4
>>> [72851] dbg: config: score set 0 chosen.
>>> [72851] dbg: dns: no ipv6
>>> [72851] dbg: dns: is Net::DNS::Resolver available? yes
>>> [72851] dbg: dns: Net::DNS version: 0.62
>>> Use of uninitialized value in concatenation (.) or string at
>>> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1088.
>>> Use of uninitialized value in concatenation (.) or string at
>>> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1090.
>>> [72851] dbg: config: read_scoreonly_config: cannot open "": No such
>>> file or directory
>>> Building a message batch to scan...
>>> Have a batch of 30 messages.
>>> Stopping now as you are debugging me.
>>>
>>>> to see where the holdups are.
>>>> Check you haven't got a screwed SpamAssassin cache as well.
>>>
>>> I removed it and restarted MS, no change.
>>>
>>>> Which MTA are you using?
>>>
>>> Sendmail
>>>
>>> It is worth noting that spamassassin -D --lint runs fine. I checked
>>> after I moved all our config over to the new version.
>>>
>>> Thanks everyone. I'm still looking at what might be wrong.
>>>
>>>
>>> DAve
>>>
>> I had this issue with the latest version on Centos 4.6. As I was in a
>> hurry at the time I rolled it back to 4.65.3-1 and the problem went
>> away just to prove it wasn't any of my Milters or modules causing the
>> problem. I wasn't too bothered as I was upgrading from 4.5x so I
>> still got a major upgrade..
>>
>> I did notice that it wasn't just slow as you describe, it actually was
>> just queuing everything, I didn't leave it long enough to verify that
>> though as I got 600 messages in the queue quite quickly.
>>
>> The problem in debug mode was exactly as you describe with it halting
>> at "Trying to setlogsock(unix)"
>>
>> The error seems to be to do with the perl sys::syslog , the perl ->
>> syslog interface routine.
>>
>> By rolling back to the slightly earlier MailScanner version the
>> problem was instantly fixed...
> Do you get output like this from 'MailScanner --debug' ?
>
> Trying to setlogsock(unix)
> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Building a message batch to scan...
>
> How long is the delay between the "Trying to setlogsock(unix)" and the
> next line of output?

7 seconds on one machine 2 seconds on the other. They are identical, I built one last night by rdumping the first.

DAve

--
In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins.

From peter at farrows.org Wed Apr 2 23:13:52 2008
From: peter at farrows.org (Peter Farrow)
Date: Wed Apr 2 23:14:39 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <47F3F231.7050008@pixelhammer.com>
References: <47F3CD9F.7070406@pixelhammer.com> <47F3E5CF.7080505@farrows.org> <47F3F231.7050008@pixelhammer.com>
Message-ID: <47F40520.5000201@farrows.org>

DAve wrote:
> Peter Farrow wrote:
>> DAve wrote:
>>> Likely I am going to break threading, but I am reading via the
>>> archive, I am far too slow to get the messages.
>>>
>>>> Check this option in mailscanner.conf
>>>> ClamAV Full Message Scan = no
>>>
>>> Set to no
>>>
>>>>
>>>> how do you do the bayes expire?
>>>
>>> MailScanner, same as all previous installs.
>>>
>>>>
>>>> if it's set to yes really slows down the process.
>>>>
>>>> Do you have /var/spool/MailScanner/incoming on tmpfs?
>>>
>>> Not at this time, I didn't previously.
>>> >>>> Start by >>>> MailScanner --debug --debug-sa >>> >>> bash-2.05b# ./MailScanner --debug --debug-sa >>> In Debugging mode, not forking... >>> Trying to setlogsock(unix) >>> >>> >>> ***** >>> If 'awk' (with support for the function strftime) was >>> available on your $PATH then all the SpamAssassin debug >>> output would have the current time added to the start of >>> every line, making debugging far easier. >>> ***** >>> >>> SpamAssassin temp dir = >>> /var/spool/MailScanner/incoming/SpamAssassin-Temp >>> [72851] dbg: logger: adding facilities: all >>> [72851] dbg: logger: logging level is DBG >>> [72851] dbg: generic: SpamAssassin version 3.2.4 >>> [72851] dbg: config: score set 0 chosen. >>> [72851] dbg: dns: no ipv6 >>> [72851] dbg: dns: is Net::DNS::Resolver available? yes >>> [72851] dbg: dns: Net::DNS version: 0.62 >>> Use of uninitialized value in concatenation (.) or string at >>> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1088. >>> Use of uninitialized value in concatenation (.) or string at >>> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1090. >>> [72851] dbg: config: read_scoreonly_config: cannot open "": No such >>> file or directory >>> Building a message batch to scan... >>> Have a batch of 30 messages. >>> Stopping now as you are debugging me. >>> >>>> to see where the holdups are. >>>> Check you haven't got a screwed SpamAssassin cache as well. >>> >>> I removed it an restarted MS, no change. >>> >>>> Which MTA are you using? >>> >>> Sendmail >>> >>> It is worth noting that spamassassin -D --lint runs fine. I checked >>> after I moved all our config over to the new version. >>> >>> Thanks everyone. I'm still looking at what might be wrong. >>> >>> >>> DAve >>> >> I had this issue with the latest version on Centos 4.6. As I was in >> a hurry at the time I rolled it back to 4.65.3-1 and the problem went >> away just to prove it wasn't any of my Milters or modules causing the >> problem. 
I wasn't too bothered as I was upgrading from 4.5x so I >> still got a major upgrade.. >> >> I did notice that it wasn't just slow as you describe, it actually >> was just queuing everything, I didn't leave it long enough to verify >> that though as I got 600 messages in the queue quite quickly. >> >> The problem in debug mode was exactly as you describe with it halting >> at "Trying to setlogsock(unix)" >> >> The error seems to be to do with the perl sys::syslog , the perl -> >> syslog interface routine. >> >> By rolling back to the slightly earlier MailScanner version the >> problem was instantly fixed... >> >> Pete >> > > I upgraded the sys::syslog from .18 to .24 with no change. But, during > debug I am getting this and it slows down considerably even with a > single message batch. > > rules: failed to run DNS_FROM_OPENWHOIS RBL test, skipping: > (Can't locate object method "check_rbl_envfrom" via package > "Mail::SpamAssassin::PerMsgStatus" at > /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/Check.pm > line 203. > ) > > This seems to be the killer. I have no rbl checks configured with SA, > so I don't understand this. > > DAve > Is this useful... http://markmail.org/message/xzqi5fmrbj3tfgg2 P. From peter at farrows.org Wed Apr 2 23:21:09 2008 From: peter at farrows.org (Peter Farrow) Date: Wed Apr 2 23:21:18 2008 Subject: New MS install is slow to an extreme In-Reply-To: <47F3F231.7050008@pixelhammer.com> References: <47F3CD9F.7070406@pixelhammer.com> <47F3E5CF.7080505@farrows.org> <47F3F231.7050008@pixelhammer.com> Message-ID: <47F406D5.2020004@farrows.org> DAve wrote: > Peter Farrow wrote: >> DAve wrote: >>> Likely I am going to break threading, but I am reading via the >>> archive, I am far too slow to get the messages. >>> >>>> Check this option in mailscanner.conf >>>> ClamAV Full Message Scan = no >>> >>> Set to no >>> >>>> >>>> how do you do the bayes expire? >>> >>> MailScanner, same as all previous installs.
>>> >>>> >>>> if it's set to yes really slows down de process. >>>> >>>> Do you have /var/spool/MailScanner/incoming on tmpfs? >>> >>> Not at this time, I didn't previously. >>> >>>> Start by >>>> MailScanner --debug --debug-sa >>> >>> bash-2.05b# ./MailScanner --debug --debug-sa >>> In Debugging mode, not forking... >>> Trying to setlogsock(unix) >>> >>> >>> ***** >>> If 'awk' (with support for the function strftime) was >>> available on your $PATH then all the SpamAssassin debug >>> output would have the current time added to the start of >>> every line, making debugging far easier. >>> ***** >>> >>> SpamAssassin temp dir = >>> /var/spool/MailScanner/incoming/SpamAssassin-Temp >>> [72851] dbg: logger: adding facilities: all >>> [72851] dbg: logger: logging level is DBG >>> [72851] dbg: generic: SpamAssassin version 3.2.4 >>> [72851] dbg: config: score set 0 chosen. >>> [72851] dbg: dns: no ipv6 >>> [72851] dbg: dns: is Net::DNS::Resolver available? yes >>> [72851] dbg: dns: Net::DNS version: 0.62 >>> Use of uninitialized value in concatenation (.) or string at >>> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1088. >>> Use of uninitialized value in concatenation (.) or string at >>> /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin.pm line 1090. >>> [72851] dbg: config: read_scoreonly_config: cannot open "": No such >>> file or directory >>> Building a message batch to scan... >>> Have a batch of 30 messages. >>> Stopping now as you are debugging me. >>> >>>> to see where the holdups are. >>>> Check you haven't got a screwed SpamAssassin cache as well. >>> >>> I removed it an restarted MS, no change. >>> >>>> Which MTA are you using? >>> >>> Sendmail >>> >>> It is worth noting that spamassassin -D --lint runs fine. I checked >>> after I moved all our config over to the new version. >>> >>> Thanks everyone. I'm still looking at what might be wrong. >>> >>> >>> DAve >>> >> I had this issue with the latest version on Centos 4.6. 
As I was in >> a hurry at the time I rolled it back to 4.65.3-1 and the problem went >> away just to prove it wasn't any of my Milters or modules causing the >> problem. I wasn't too bothered as I was upgrading from 4.5x so I >> still got a major upgrade.. >> >> I did notice that it wasn't just slow as you describe, it actually >> was just queuing everything, I didn't leave it long enough to verify >> that though as I got 600 messages in the queue quite quickly. >> >> The problem in debug mode was exactly as you describe with it halting >> at "Trying to setlogsock(unix)" >> >> The error seems to be to do with the perl sys::syslog , the perl -> >> syslog interface routine. >> >> By rolling back to the slightly earlier MailScanner version the >> problem was instantly fixed... >> >> Pete >> > > I upgraded the sys::syslog from .18 to .24 with no change. But, during > debug I am getting this and it slows down considerably even with a > single message batch. > > rules: failed to run DNS_FROM_OPENWHOIS RBL test, skipping: > (Can't locate object method "check_rbl_envfrom" via package > "Mail::SpamAssassin::PerMsgStatus" at > /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/Check.pm > line 203. > ) > > This seems to be the killer. I have no rbl checks configured with SA, > so I don't understand this. > > DAve > What version of SpamAssassin are you running? I followed a few related links and got to this entry in CPAN... http://search.cpan.org/dist/Mail-SpamAssassin/lib/Mail/SpamAssassin/DnsResolver.pm It mentions about a bug: "This is a DNS resolution engine for SpamAssassin, implemented in order to reduce file descriptor usage by Net::DNS and avoid a response collision bug in that module." This may or may not be significant...might be worth a look.. P.
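The two symptoms reported in the thread up to this point, a pause after a debug line and an RBL rule failing on a missing eval method, can be pulled out of a captured `MailScanner --debug --debug-sa` run mechanically. This is an added example, not code from any poster or from MailScanner; the `HH:MM:SS` prefix on each line, the timestamps in the sample capture and all function names are assumptions made for the illustration.

```python
import re
from datetime import datetime

# Constructed capture: the messages are the ones quoted in the thread, the
# HH:MM:SS prefixes are invented here (assumed to come from a timestamping
# wrapper around the debug run).
SAMPLE = """\
23:01:10 In Debugging mode, not forking...
23:01:10 Trying to setlogsock(unix)
23:01:17 SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
23:01:17 [72851] dbg: dns: Net::DNS version: 0.62
23:01:18 Building a message batch to scan...
23:01:18 Have a batch of 30 messages.
23:01:41 rules: failed to run DNS_FROM_OPENWHOIS RBL test, skipping:
23:01:41  (Can't locate object method "check_rbl_envfrom" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/Check.pm line 203.
23:01:41 )
23:01:42 Stopping now as you are debugging me.
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (.*)$")
FAIL_RE = re.compile(r"failed to run (\S+) .*?test, skipping")
METHOD_RE = re.compile(r'Can.t locate object method "([^"]+)" via package "([^"]+)"')


def parse(capture):
    """Return [(datetime, text)] for every timestamped line; skip the rest."""
    events = []
    for raw in capture.splitlines():
        m = LINE_RE.match(raw)
        if m:
            stamp = datetime.strptime(m.group(1), "%H:%M:%S")
            events.append((stamp, m.group(2)))
    return events


def find_stalls(events, threshold=2.0):
    """Gaps of at least `threshold` seconds between consecutive lines.

    Returns (seconds, line_before_gap, line_after_gap), largest gap first.
    The line *before* the gap names the step that was slow.
    """
    stalls = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        gap = (t1 - t0).total_seconds()
        if gap < 0:            # capture ran across midnight
            gap += 86400
        if gap >= threshold:
            stalls.append((gap, before, after))
    return sorted(stalls, key=lambda s: -s[0])


def find_failed_evals(events):
    """Pair each 'failed to run RULE' line with the missing method that the
    following Perl error names. A hit means a rule still references an eval
    function whose providing plugin is not loaded."""
    failures, pending = [], None
    for _, text in events:
        m = FAIL_RE.search(text)
        if m:
            pending = m.group(1)
            continue
        m = METHOD_RE.search(text)
        if m and pending:
            failures.append({"rule": pending,
                             "method": m.group(1),
                             "package": m.group(2)})
            pending = None
    return failures


if __name__ == "__main__":
    events = parse(SAMPLE)
    for secs, before, _ in find_stalls(events):
        print(f"{secs:5.0f}s after: {before}")
    for f in find_failed_evals(events):
        print(f"rule {f['rule']} needs {f['method']} (not in {f['package']})")
```
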
From dave.list at pixelhammer.com Thu Apr 3 02:08:08 2008 From: dave.list at pixelhammer.com (DAve) Date: Thu Apr 3 02:08:58 2008 Subject: New MS install is slow to an extreme In-Reply-To: <47F406D5.2020004@farrows.org> References: <47F3CD9F.7070406@pixelhammer.com> <47F3E5CF.7080505@farrows.org> <47F3F231.7050008@pixelhammer.com> <47F406D5.2020004@farrows.org> Message-ID: <47F42DF8.9080801@pixelhammer.com> After much plugging away, double checking, triple checking and herding of cats I *think* we may out of the woods. I won't know until tomorrow AM when traffic picks up again. Here are my findings so far. MailScanner 4.67.6 ClamAV 0.92.1 SpamAssassin 3.2.4 Virus Scanners = [clamav | clamavmodule] - There appears to be no real gain in running clamavmodule, some speed increase but not enough to be noticed. I have clamavmodule configured just to save some memory. ClamAV Full Message Scan = yes - That is a killer, it seems to really increase processing time. I have it now set to no, and I have removed my MSRBL sigs. Incoming Work Dir = tmpfs (mdmfs in FreeBSD) - Surprisingly little difference. I left it on a memory file system for now. mailscanner.cf -> skip_rbl_checks 1 - Oddly does not do what it claims. SA is still doing rbl checks. I commented out the DNSEval plugin in v320.pre file and was rewarded with errors for my effort. Not certain what the correct method of disabling rbl checks in SA is now. Peter Farrow found a message where this has been seen already. http://markmail.org/message/xzqi5fmrbj3tfgg2 MailScanner batch size - With version 4.54.6 MS processed 10 messages per batch and kept up just fine. With version 4.67.6 it will grab 30+ messages which takes longer to process. Increasing MS children has no effect. More children working slower doesn't process more mail for me. I don't see where I can configure this. I am currently seeing processing times of .8 to 20 seconds per message, generally around the 2 to 4 seconds mark. 
This is for batches of 1 to 10 messages. I was seeing as much as 800 seconds for a batch size of 30 messages this morning. So there has been improvement. I am compiling my SA rules and I run my RBLs in the MTA (hence why I do not want rbl checking in SA). Overall, my previous install of MS 4.54.6, Clam .92, and SA 3.1.9 would run rings around this install. I am seriously contemplating rolling back but I am uncertain if I have the original tarball for Julian's Clam+SA package. I believe my issue is configuration of MS or SA at this point. I am open to suggestions. Thanks for the help. DAve -- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins. From rapin at linuxmail.org Thu Apr 3 04:16:57 2008 From: rapin at linuxmail.org (Linuxmail R.) Date: Thu Apr 3 04:17:42 2008 Subject: can't not login to website Message-ID: <20080403031657.C9115233C8@ws5-3.us4.outblaze.com> pls, help me, why i can't login with my password Thank -------------------------------------------------- Linuxmail Rapin P. From rapin at linuxmail.org Thu Apr 3 04:29:21 2008 From: rapin at linuxmail.org (Linuxmail R.) Date: Thu Apr 3 04:29:30 2008 Subject: Syntax Error spamwhitelist Message-ID: <20080403032921.764147B8F1@ws5-10.us4.outblaze.com> Dear all i have this error when i config vim /etc/MailScanner/MailScanner.conf this line : Is Definitely Not Spam = $SQLwhitelist Syntax error in line 1767, value "" for spamwhitelist is not one of allowed values "yes","no" pls, help Thx. -------------------------------------------------- Linuxmail Rapin P.
From rapin at linuxmail.org Thu Apr 3 04:33:12 2008 From: rapin at linuxmail.org (Linuxmail R.) Date: Thu Apr 3 04:33:48 2008 Subject: can't not login to website Message-ID: <20080403033312.DA42ECBE77@ws5-11.us4.outblaze.com> Ok Thank. i understand > ----- Original Message ----- > From: "Linuxmail R." > To: mailscanner@lists.mailscanner.info > Subject: can't not login to website > Date: Thu, 3 Apr 2008 10:16:57 +0700 > > > pls, help me, why i can't login with my password > > Thank > > -------------------------------------------------- > Linuxmail Rapin P. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------------------------------------------- Linuxmail Rapin P. From mailscanner at pdscc.com Thu Apr 3 05:29:58 2008 From: mailscanner at pdscc.com (Harondel J. Sibble) Date: Thu Apr 3 05:30:46 2008 Subject: adding extra headers in MS scanned mails, with links to mailwatch item Message-ID: <20080403042958.6C39A82B87@sinclaire.sibble.net> Googling hasn't turned up anything so far, hope someone can suggest something, will also post this to the mailwatch list.
Okay before I was using mailscanner/mailwatch, I was using popfile on the desktop, it would insert an additional header which could be made to show up in the client (pegasus) so you could open the popfile UI to that message for bayes reclassification. Now, I'd like to do the same thing with the X-MailScanner-ID header and point the link to my box so it would look say something like this X-MailScanner-ID: 05A32108520.36CCF X-MailWatch-Link: http://ipadd/mailscanner/detail.php?id=05A32108520.36CCF In hindsight, I'm vaguely sure I've seen discussion on this somewhere, but haven't found it yet. -- Harondel J. Sibble Sibble Computer Consulting Creating solutions for the small business and home computer user. help@pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com (604) 739-3709 (voice/fax) (604) 686-2253 (pager) From hvdkooij at vanderkooij.org Thu Apr 3 06:20:10 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Apr 3 06:21:27 2008 Subject: MailScanner ANNOUNCE: 4.68.8 stable released In-Reply-To: <47F3E060.7040203@Tatorz.com> References: <47F24745.2090703@ecs.soton.ac.uk> <47F3E060.7040203@Tatorz.com> Message-ID: <47F4690A.4050004@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Brian wrote: | Julian Field wrote: |> Folks, |> |> I have just released the latest stable release of MailScanner version |> 4.68.8. |> This is *not* an April Fool's joke :-) |> |> | | Am I seeing double or is this an error? It is an error. But not by Jules as far as I can tell. Someone at whi.wts.edu sure did not finish school and is resending the message. I am sure Jules will take care of them. 
Return-Path: X-Original-To: hvdkooij@vanderkooij.org Delivered-To: hvdkooij@vanderkooij.org Received: from safir.blacknight.ie (safir.blacknight.ie [83.98.192.7]) by balin.waakhond.net (Postfix) with ESMTP id CCED817E806C for ; Wed, 2 Apr 2008 16:25:01 +0200 (CEST) Received: from safir.blacknight.ie (safir.blacknight.ie [127.0.0.1]) by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id m32EMqV8024842; Wed, 2 Apr 2008 15:23:12 +0100 X-Mailman-Handler: $Id: mm-handler,v 1.2 2002/04/05 19:41:09 bwarsaw Exp $ Received: from whi.wts.edu (whi.wts.edu [68.166.48.243]) by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id m32E65Ee023617; Wed, 2 Apr 2008 15:06:38 +0100 Received: from root by whi.wts.edu with local (Exim 4.69) (envelope-from ) id 1Jh3X5-0000QO-18; Wed, 02 Apr 2008 10:01:43 -0400 Received: from safir.blacknight.ie ([83.98.192.7]) by whi.wts.edu with esmtp (Exim 4.68) (envelope-from ) id 1JghpF-0003Mh-14 for klowery@whi.wts.edu; Tue, 01 Apr 2008 10:51:01 -0400 Received: from safir.blacknight.ie (safir.blacknight.ie [127.0.0.1]) by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id m31Elj04015650; Tue, 1 Apr 2008 15:49:39 +0100 X-Mailman-Handler: $Id: mm-handler,v 1.2 2002/04/05 19:41:09 bwarsaw Exp $ Received: from owl.ecs.soton.ac.uk (owl.ecs.soton.ac.uk [152.78.68.129]) by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id m31EVjkl014479; Tue, 1 Apr 2008 15:32:17 +0100 X-ECS-MailScanner-Watermark: 1207665102.39997@y1R0Rm1iFbQE2n4lgk2mxw Received: from goose.ecs.soton.ac.uk (goose.ecs.soton.ac.uk [IPv6:2001:630:d0:f102:230:48ff:fe78:67b5]) by owl.ecs.soton.ac.uk (8.13.1/8.13.1) with ESMTP id m31EVdjI031637; Tue, 1 Apr 2008 15:31:39 +0100 X-ECS-MailScanner-Watermark: 1207665094.58777@eXwqjdynfwPiouKMG6IgfA Received: from apothecary.ecs.soton.ac.uk (apothecary.ecs.soton.ac.uk [152.78.64.25]) (authenticated bits=0) by goose.ecs.soton.ac.uk (8.13.1/8.13.1) with ESMTP id m31EVXqI027345; Tue, 1 Apr 2008 15:31:33 +0100 Message-ID: <47F24745.2090703@ecs.soton.ac.uk> 
Date: Tue, 01 Apr 2008 15:31:33 +0100 From: Julian Field Organization: MailScanner User-Agent: Thunderbird 2.0.0.12 (Macintosh/20080213) MIME-Version: 1.0 .... Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFH9Gj+BvzDRVjxmYERAiLqAJ0WYnJWdHF1+Fvi2+KbapcLoeDcigCfYitq n4TwWVncyVZ1lPeVDDHw5Q4= =100Y -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Thu Apr 3 06:29:12 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Apr 3 06:30:20 2008 Subject: MailScanner ignoring some rules In-Reply-To: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> Message-ID: <47F46B28.2050507@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 mailscanner@tecnowaydigital.com.br wrote: | At MailScanner recent versions, when I set some rules like: | Scan Messages = /etc/MailScanner/rules/scan.messages.rules | or | Filename Rules = /etc/MailScanner/filename.rules | | The MailScanner simply ignore the rules and don't print any error message. Since you didn not include anything about the rules you have there we must assume MS is right and your rules are wrong. In what way we can not tell you by lack of any information. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFH9GslBvzDRVjxmYERAiOiAKCcKHWSpoYBUC+M2k0uPSEhertCnACfQEa+ KnYl0Qt9kzlzy4m99EgvKhU= =LsQL -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Thu Apr 3 06:31:15 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Apr 3 06:32:22 2008 Subject: Syntax Error spamwhitelist In-Reply-To: <20080403032921.764147B8F1@ws5-10.us4.outblaze.com> References: <20080403032921.764147B8F1@ws5-10.us4.outblaze.com> Message-ID: <47F46BA3.2070701@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Linuxmail R. wrote: | i have this error when i config vim /etc/MailScanner/MailScanner.conf this line : Is Definitely Not Spam = $SQLwhitelist | | Syntax error in line 1767, value "" for spamwhitelist is not one of allowed values "yes","no" What version is this? MS 0.99? Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFH9GugBvzDRVjxmYERAhPDAJ9qfR7QrznkWrtJR5OBVrzJVg3FvwCfW6PM D3ooCmA+9NYBCLk4Ip+2uSg= =MOR4 -----END PGP SIGNATURE----- From J.Ede at birchenallhowden.co.uk Thu Apr 3 08:45:03 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Thu Apr 3 08:47:03 2008 Subject: Syntax Error spamwhitelist In-Reply-To: <20080403032921.764147B8F1@ws5-10.us4.outblaze.com> References: <20080403032921.764147B8F1@ws5-10.us4.outblaze.com> Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C406758E2F7@server02.bhl.local> It should be &SQLwhitelist not $SQLwhitelist Jason > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > bounces@lists.mailscanner.info] On Behalf Of Linuxmail R. 
> Sent: 03 April 2008 04:29 > To: mailscanner@lists.mailscanner.info > Subject: Syntax Error spamwhitelist > > Dear all > > i have this error when i config vim /etc/MailScanner/MailScanner.conf > this line : Is Definitely Not Spam = $SQLwhitelist > > Syntax error in line 1767, value "" for spamwhitelist is not one of > allowed values "yes","no" > > pls, help > Thx. > -------------------------------------------------- > Linuxmail Rapin P. From MailScanner at ecs.soton.ac.uk Thu Apr 3 09:11:43 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Apr 3 09:12:34 2008 Subject: New MS install is slow to an extreme In-Reply-To: <47F42DF8.9080801@pixelhammer.com> References: <47F3CD9F.7070406@pixelhammer.com> <47F3E5CF.7080505@farrows.org> <47F3F231.7050008@pixelhammer.com> <47F406D5.2020004@farrows.org> <47F42DF8.9080801@pixelhammer.com> Message-ID: <47F4913F.7040100@ecs.soton.ac.uk> DAve wrote: > After much plugging away, double checking, triple checking and herding > of cats I *think* we may out of the woods. I won't know until tomorrow > AM when traffic picks up again. Here are my findings so far. > > MailScanner 4.67.6 > ClamAV 0.92.1 > SpamAssassin 3.2.4 > > Virus Scanners = [clamav | clamavmodule] - There appears to be no real > gain in running clamavmodule, some speed increase but not enough to be > noticed. I have clamavmodule configured just to save some memory. > > ClamAV Full Message Scan = yes - That is a killer, it seems to really > increase processing time.
I have it now set to no, and I have removed > my MSRBL sigs. > > Incoming Work Dir = tmpfs (mdmfs in FreeBSD) - Surprisingly little > difference. I left it on a memory file system for now. > > mailscanner.cf -> skip_rbl_checks 1 - Oddly does not do what it > claims. SA is still doing rbl checks. I commented out the DNSEval > plugin in v320.pre file and was rewarded with errors for my effort. > Not certain what the correct method of disabling rbl checks in SA is > now. Peter Farrow found a message where this has been seen already. > http://markmail.org/message/xzqi5fmrbj3tfgg2 > > MailScanner batch size - With version 4.54.6 MS processed 10 messages > per batch and kept up just fine. With version 4.67.6 it will grab 30+ > messages which takes longer to process. Increasing MS children has no > effect. More children working slower doesn't process more mail for me. > I don't see where I can configure this. "Max Children =" in MailScanner.conf. If you were using upgrade_MailScanner_conf to upgrade your MailScanner.conf file then this setting would not have been changed between versions. Do you really copy over all your settings by hand into the new MailScanner.conf file? Wow! That must take *hours*. > > I am currently seeing processing times of .8 to 20 seconds per > message, generally around the 2 to 4 seconds mark. This is for batches > of 1 to 10 messages. I was seeing as much as 800 seconds for a batch > size of 30 messages this morning. So there has been improvement. > > I am compiling my SA rules and I run my RBLs in the MTA (hence why I > do not want rbl checking in SA). > > Overall, my previous install of MS 4.54.6, Clam .92, and SA 3.1.9 > would run rings around this install. I am seriously contemplating > rolling back but I am uncertain if I have the original tarball for > Julian's Clam+SA package. > > I believe my issue is configuration of MS or SA at this point. I am > open to suggestions. > > Thanks for the help. 
> > DAve > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Thu Apr 3 09:16:02 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Thu Apr 3 09:16:31 2008 Subject: MailScanner ANNOUNCE: 4.68.8 stable released In-Reply-To: <47F4690A.4050004@vanderkooij.org> References: <47F24745.2090703@ecs.soton.ac.uk> <47F3E060.7040203@Tatorz.com> <47F4690A.4050004@vanderkooij.org> Message-ID: <47F49242.7040901@ecs.soton.ac.uk> Dealt with :-) Hugo van der Kooij wrote: > * PGP Signed by an unverified key: 04/03/08 at 06:19:58 > > Brian wrote: > | Julian Field wrote: > |> Folks, > |> > |> I have just released the latest stable release of MailScanner version > |> 4.68.8. > |> This is *not* an April Fool's joke :-) > |> > |> > | > | Am I seeing double or is this an error? > > It is an error. But not by Jules as far as I can tell. Someone at > whi.wts.edu sure did not finish school and is resending the message. > > I am sure Jules will take care of them. 
> > Return-Path: > X-Original-To: hvdkooij@vanderkooij.org > Delivered-To: hvdkooij@vanderkooij.org > Received: from safir.blacknight.ie (safir.blacknight.ie [83.98.192.7]) > by balin.waakhond.net (Postfix) with ESMTP id CCED817E806C > for ; Wed, 2 Apr 2008 16:25:01 +0200 > (CEST) > Received: from safir.blacknight.ie (safir.blacknight.ie [127.0.0.1]) > by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id m32EMqV8024842; > Wed, 2 Apr 2008 15:23:12 +0100 > X-Mailman-Handler: $Id: mm-handler,v 1.2 2002/04/05 19:41:09 bwarsaw > Exp $ > Received: from whi.wts.edu (whi.wts.edu [68.166.48.243]) > by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id m32E65Ee023617; > Wed, 2 Apr 2008 15:06:38 +0100 > Received: from root by whi.wts.edu with local (Exim 4.69) > (envelope-from ) > id 1Jh3X5-0000QO-18; Wed, 02 Apr 2008 10:01:43 -0400 > Received: from safir.blacknight.ie ([83.98.192.7]) > by whi.wts.edu with esmtp (Exim 4.68) > (envelope-from ) > id 1JghpF-0003Mh-14 > for klowery@whi.wts.edu; Tue, 01 Apr 2008 10:51:01 -0400 > Received: from safir.blacknight.ie (safir.blacknight.ie [127.0.0.1]) > by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id m31Elj04015650; > Tue, 1 Apr 2008 15:49:39 +0100 > X-Mailman-Handler: $Id: mm-handler,v 1.2 2002/04/05 19:41:09 bwarsaw > Exp $ > Received: from owl.ecs.soton.ac.uk (owl.ecs.soton.ac.uk [152.78.68.129]) > by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id m31EVjkl014479; > Tue, 1 Apr 2008 15:32:17 +0100 > X-ECS-MailScanner-Watermark: 1207665102.39997@y1R0Rm1iFbQE2n4lgk2mxw > Received: from goose.ecs.soton.ac.uk (goose.ecs.soton.ac.uk > [IPv6:2001:630:d0:f102:230:48ff:fe78:67b5]) > by owl.ecs.soton.ac.uk (8.13.1/8.13.1) with ESMTP id m31EVdjI031637; > Tue, 1 Apr 2008 15:31:39 +0100 > X-ECS-MailScanner-Watermark: 1207665094.58777@eXwqjdynfwPiouKMG6IgfA > Received: from apothecary.ecs.soton.ac.uk (apothecary.ecs.soton.ac.uk > [152.78.64.25]) (authenticated bits=0) > by goose.ecs.soton.ac.uk (8.13.1/8.13.1) with ESMTP id > 
m31EVXqI027345; > Tue, 1 Apr 2008 15:31:33 +0100 > Message-ID: <47F24745.2090703@ecs.soton.ac.uk> > Date: Tue, 01 Apr 2008 15:31:33 +0100 > From: Julian Field > Organization: MailScanner > User-Agent: Thunderbird 2.0.0.12 (Macintosh/20080213) > MIME-Version: 1.0 > .... > > Hugo. > > -- > hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ > PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc > > A: Yes. > >Q: Are you sure? > >>A: Because it reverses the logical flow of conversation. > >>>Q: Why is top posting frowned upon? > > Bored? Click on http://spamornot.org/ and rate those images. > > * Hugo van der Kooij > * 0x58F19981 - Unverified(L) > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From prandal at herefordshire.gov.uk Thu Apr 3 09:44:29 2008 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Thu Apr 3 09:45:24 2008 Subject: New MS install is slow to an extreme In-Reply-To: <47F42DF8.9080801@pixelhammer.com> References: <47F3CD9F.7070406@pixelhammer.com><47F3E5CF.7080505@farrows.org> <47F3F231.7050008@pixelhammer.com><47F406D5.2020004@farrows.org> <47F42DF8.9080801@pixelhammer.com> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0360A9AE@HC-MBX02.herefordshire.gov.uk> Did do an sa-update to get the current SA ruleset? If you run sa-update -D You can visually verify that it's working. 
Cheers, Phil -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve Sent: 03 April 2008 02:08 To: MailScanner discussion Subject: Re: New MS install is slow to an extreme After much plugging away, double checking, triple checking and herding of cats I *think* we may out of the woods. I won't know until tomorrow AM when traffic picks up again. Here are my findings so far. MailScanner 4.67.6 ClamAV 0.92.1 SpamAssassin 3.2.4 Virus Scanners = [clamav | clamavmodule] - There appears to be no real gain in running clamavmodule, some speed increase but not enough to be noticed. I have clamavmodule configured just to save some memory. ClamAV Full Message Scan = yes - That is a killer, it seems to really increase processing time. I have it now set to no, and I have removed my MSRBL sigs. Incoming Work Dir = tmpfs (mdmfs in FreeBSD) - Surprisingly little difference. I left it on a memory file system for now. mailscanner.cf -> skip_rbl_checks 1 - Oddly does not do what it claims. SA is still doing rbl checks. I commented out the DNSEval plugin in v320.pre file and was rewarded with errors for my effort. Not certain what the correct method of disabling rbl checks in SA is now. Peter Farrow found a message where this has been seen already. http://markmail.org/message/xzqi5fmrbj3tfgg2 MailScanner batch size - With version 4.54.6 MS processed 10 messages per batch and kept up just fine. With version 4.67.6 it will grab 30+ messages which takes longer to process. Increasing MS children has no effect. More children working slower doesn't process more mail for me. I don't see where I can configure this. I am currently seeing processing times of .8 to 20 seconds per message, generally around the 2 to 4 seconds mark. This is for batches of 1 to 10 messages. I was seeing as much as 800 seconds for a batch size of 30 messages this morning. So there has been improvement. 
I am compiling my SA rules and I run my RBLs in the MTA (hence why I do not want rbl checking in SA). Overall, my previous install of MS 4.54.6, Clam .92, and SA 3.1.9 would run rings around this install. I am seriously contemplating rolling back but I am uncertain if I have the original tarball for Julian's Clam+SA package. I believe my issue is configuration of MS or SA at this point. I am open to suggestions. Thanks for the help. DAve -- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From rapin at linuxmail.org Thu Apr 3 10:05:15 2008 From: rapin at linuxmail.org (Linuxmail R.) Date: Thu Apr 3 10:05:51 2008 Subject: Syntax Error spamwhitelist Message-ID: <20080403090515.02698CBE77@ws5-11.us4.outblaze.com> Thank you. I can't see this problem. > ----- Original Message ----- > From: "Jason Ede" > To: "MailScanner discussion" > Subject: RE: Syntax Error spamwhitelist > Date: Thu, 3 Apr 2008 08:45:03 +0100 > > > > It should be &SQLwhitelist not $SQLwhitelist > > Jason > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner- > > bounces@lists.mailscanner.info] On Behalf Of Linuxmail R. > > Sent: 03 April 2008 04:29 > > To: mailscanner@lists.mailscanner.info > > Subject: Syntax Error spamwhitelist > > > > Dear all > > > > i have this error when i config vim /etc/MailScanner/MailScanner.conf > > this line : Is Definitely Not Spam = $SQLwhitelist > > > > Syntax error in line 1767, value "" for spamwhitelist is not one of > > allowed values "yes","no" > > > > pls, help > > Thx. 
> > --------------------------------------------------
> > Linuxmail Rapin P.
>

--------------------------------------------------
Linuxmail Rapin P.

From rapin at linuxmail.org Thu Apr 3 10:18:00 2008
From: rapin at linuxmail.org (Linuxmail R.)
Date: Thu Apr 3 10:18:10 2008
Subject: Error when update Geoip
Message-ID: <20080403091800.C35B0233C8@ws5-3.us4.outblaze.com>

Dear All

I got this error when i update GeoIp,pls help me. thx..
-------------------------------------------------------------------
Downloading file, please wait....
Error executing query:

Access denied for user 'mailwatch'@'localhost' (using password: YES)

SQL:

LOAD DATA INFILE '/home/crisgo/mailscanner/temp/GeoIPCountryWhois.csv' INTO TABLE geoip_country FIELDS TERMINATED BY ',' ENCLOSED BY '"'

--------------------------------------------------
Linuxmail Rapin P.

From MailScanner at ecs.soton.ac.uk Thu Apr 3 11:05:10 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Apr 3 11:06:02 2008
Subject: Error when update Geoip
In-Reply-To: <20080403091800.C35B0233C8@ws5-3.us4.outblaze.com>
References: <20080403091800.C35B0233C8@ws5-3.us4.outblaze.com>
Message-ID: <47F4ABD6.8040505@ecs.soton.ac.uk>

Please ask on the MailWatch mailing list, not this one.

Linuxmail R. wrote:
> Dear All
>
> I got this error when i update GeoIp,pls help me. thx..
> -------------------------------------------------------------------
> Downloading file, please wait....
> Error executing query:
>
> Access denied for user 'mailwatch'@'localhost' (using password: YES)
>
> SQL:
>
> LOAD DATA INFILE '/home/crisgo/mailscanner/temp/GeoIPCountryWhois.csv' INTO TABLE geoip_country FIELDS TERMINATED BY ',' ENCLOSED BY '"'
>
> --------------------------------------------------
> Linuxmail Rapin P.
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From martyn at invictawiz.com Thu Apr 3 12:17:12 2008
From: martyn at invictawiz.com (Martyn Routley)
Date: Thu Apr 3 12:18:33 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <47F3D7A5.5040509@pixelhammer.com>
References: <47F3CD9F.7070406@pixelhammer.com> <47F3D7A5.5040509@pixelhammer.com>
Message-ID: <47F4BCB8.7030000@invictawiz.com>

DAve wrote:
> DAve wrote:
>
> I moved the incoming dir to a tmpfs mount (mdmfs on freebsd) no change
> in processing time.
>
> I am getting really stumped now.
>
> DAve
>
>
>
What is your hardware?
We had random processing times when running 6.2 on one of our servers.
(Single P4 dual core)
I upgraded in place to 7.0 (using FreeBSD Update (http://www.freebsd.org/releases/7.0R/announce.html) and now the emails don't touch the sides.
Getting Sophos to work was a bind though.

--
Martyn Routley
--------------------------------------------------------
Invictawiz - The Internet in Plain English, Guaranteed
web: http://www.invictawiz.com
voip: 6000@sip.invictawiz.com
phone: 0845 003 9020
Reg Addr: 9 Eastmead Ave, Ashford, Kent, TN23 7SB
Co. No: 04253262
--------------------------------------------------------

-----------------------------------------------------------------------------
This message has been scanned for viruses and dangerous content by the http://www.invictawiz.com MailScanner, and is believed to be clean.
-----------------------------------------------------------------------------

From dave.list at pixelhammer.com Thu Apr 3 12:44:44 2008
From: dave.list at pixelhammer.com (DAve)
Date: Thu Apr 3 12:45:27 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <47F4913F.7040100@ecs.soton.ac.uk>
References: <47F3CD9F.7070406@pixelhammer.com> <47F3E5CF.7080505@farrows.org> <47F3F231.7050008@pixelhammer.com> <47F406D5.2020004@farrows.org> <47F42DF8.9080801@pixelhammer.com> <47F4913F.7040100@ecs.soton.ac.uk>
Message-ID: <47F4C32C.5050200@pixelhammer.com>

Julian Field wrote:
>
>
> DAve wrote:
>> After much plugging away, double checking, triple checking and herding
>> of cats I *think* we may be out of the woods. I won't know until tomorrow
>> AM when traffic picks up again. Here are my findings so far.
>>
>> MailScanner 4.67.6
>> ClamAV 0.92.1
>> SpamAssassin 3.2.4
>>
>> Virus Scanners = [clamav | clamavmodule] - There appears to be no real
>> gain in running clamavmodule, some speed increase but not enough to be
>> noticed. I have clamavmodule configured just to save some memory.
>>
>> ClamAV Full Message Scan = yes - That is a killer, it seems to really
>> increase processing time. I have it now set to no, and I have removed
>> my MSRBL sigs.
>>
>> Incoming Work Dir = tmpfs (mdmfs in FreeBSD) - Surprisingly little
>> difference. I left it on a memory file system for now.
>>
>> mailscanner.cf -> skip_rbl_checks 1 - Oddly does not do what it
>> claims. SA is still doing rbl checks. I commented out the DNSEval
>> plugin in v320.pre file and was rewarded with errors for my effort.
>> Not certain what the correct method of disabling rbl checks in SA is
>> now. Peter Farrow found a message where this has been seen already.
>> http://markmail.org/message/xzqi5fmrbj3tfgg2
>>
>> MailScanner batch size - With version 4.54.6 MS processed 10 messages
>> per batch and kept up just fine. With version 4.67.6 it will grab 30+
>> messages which takes longer to process. Increasing MS children has no
>> effect. More children working slower doesn't process more mail for me.
>> I don't see where I can configure this.
> "Max Children =" in MailScanner.conf. If you were using
> upgrade_MailScanner_conf to upgrade your MailScanner.conf file then this
> setting would not have been changed between versions. Do you really copy
> over all your settings by hand into the new MailScanner.conf file? Wow!
> That must take *hours*.
>

Nope, I can modify Max Children, my question is can I control how large a batch size each child will process? Previously if I had 500 messages waiting each child would pick up 10 messages, now they will each pick up 30 messages. This is clearly evident in my MRTG graphs where I show over the last four months I never had a batch over 10, yesterday I had batch sizes of 30 for several hours.

I do use upgrade_MailScanner_conf, and works a treat ;^)

DAve

>>
>> I am currently seeing processing times of .8 to 20 seconds per
>> message, generally around the 2 to 4 seconds mark. This is for batches
>> of 1 to 10 messages.
>> I was seeing as much as 800 seconds for a batch
>> size of 30 messages this morning. So there has been improvement.
>>
>> I am compiling my SA rules and I run my RBLs in the MTA (hence why I
>> do not want rbl checking in SA).
>>
>> Overall, my previous install of MS 4.54.6, Clam .92, and SA 3.1.9
>> would run rings around this install. I am seriously contemplating
>> rolling back but I am uncertain if I have the original tarball for
>> Julian's Clam+SA package.
>>
>> I believe my issue is configuration of MS or SA at this point. I am
>> open to suggestions.
>>
>> Thanks for the help.
>>
>> DAve
>>
>
> Jules
>

--
In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins.

From dave.list at pixelhammer.com Thu Apr 3 12:46:29 2008
From: dave.list at pixelhammer.com (DAve)
Date: Thu Apr 3 12:47:14 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <7EF0EE5CB3B263488C8C18823239BEBA0360A9AE@HC-MBX02.herefordshire.gov.uk>
References: <47F3CD9F.7070406@pixelhammer.com><47F3E5CF.7080505@farrows.org> <47F3F231.7050008@pixelhammer.com><47F406D5.2020004@farrows.org> <47F42DF8.9080801@pixelhammer.com> <7EF0EE5CB3B263488C8C18823239BEBA0360A9AE@HC-MBX02.herefordshire.gov.uk>
Message-ID: <47F4C395.7010005@pixelhammer.com>

Randal, Phil wrote:
> Did you do an sa-update to get the current SA ruleset?
>
> If you run
>
> sa-update -D
>
> You can visually verify that it's working.

Yes I did. I ran sa-compile as well before starting MS.

DAve

>
> Cheers,
>
> Phil
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve
> Sent: 03 April 2008 02:08
> To: MailScanner discussion
> Subject: Re: New MS install is slow to an extreme
>
> After much plugging away, double checking, triple checking and herding
> of cats I *think* we may be out of the woods. I won't know until tomorrow
> AM when traffic picks up again. Here are my findings so far.
>
> MailScanner 4.67.6
> ClamAV 0.92.1
> SpamAssassin 3.2.4
>
> Virus Scanners = [clamav | clamavmodule] - There appears to be no real
> gain in running clamavmodule, some speed increase but not enough to be
> noticed. I have clamavmodule configured just to save some memory.
>
> ClamAV Full Message Scan = yes - That is a killer, it seems to really
> increase processing time. I have it now set to no, and I have removed my
> MSRBL sigs.
>
> Incoming Work Dir = tmpfs (mdmfs in FreeBSD) - Surprisingly little
> difference. I left it on a memory file system for now.
>
> mailscanner.cf -> skip_rbl_checks 1 - Oddly does not do what it claims.
> SA is still doing rbl checks. I commented out the DNSEval plugin in
> v320.pre file and was rewarded with errors for my effort. Not certain
> what the correct method of disabling rbl checks in SA is now. Peter
> Farrow found a message where this has been seen already.
> http://markmail.org/message/xzqi5fmrbj3tfgg2
>
> MailScanner batch size - With version 4.54.6 MS processed 10 messages
> per batch and kept up just fine. With version 4.67.6 it will grab 30+
> messages which takes longer to process. Increasing MS children has no
> effect. More children working slower doesn't process more mail for me. I
> don't see where I can configure this.
>
> I am currently seeing processing times of .8 to 20 seconds per message,
> generally around the 2 to 4 seconds mark. This is for batches of 1 to 10
> messages.
> I was seeing as much as 800 seconds for a batch size of 30
> messages this morning. So there has been improvement.
>
> I am compiling my SA rules and I run my RBLs in the MTA (hence why I do
> not want rbl checking in SA).
>
> Overall, my previous install of MS 4.54.6, Clam .92, and SA 3.1.9 would
> run rings around this install. I am seriously contemplating rolling back
> but I am uncertain if I have the original tarball for Julian's Clam+SA
> package.
>
> I believe my issue is configuration of MS or SA at this point. I am open
> to suggestions.
>
> Thanks for the help.
>
> DAve
>
> --
> In 50 years, our descendants will look back on the early years of the
> internet, and much like we now look back on men with rockets on their
> back and feathers glued to their arms, marvel that we had the
> intelligence to wipe the drool from our chins.

--
In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins.

From lists at openenterprise.ca Thu Apr 3 12:53:13 2008
From: lists at openenterprise.ca (Johnny Stork)
Date: Thu Apr 3 12:53:51 2008
Subject: Problem with Sendmail smf-sav Milter
Message-ID: <47F4C529.8090603@openenterprise.ca>

I recently installed the sendmail smf-sav milter to do sender and recipient address verification on my MailScanner gateway running the latest release on Centos5. However, the recipient checks don't appear to be working since I still get all the spam coming in to non-existent addresses. I believe I know where the problem might be.
The MailScanner gateway accepts mail for the mydomain.ca domain, but after processing simply forwards to an internal Scalix server through a sendmail mailertable entry. For instance, the email address below, or username, does not exist on the MailScanner gateway running smf-sav. Nor does that email address or account exist on the internal Scalix server, but the message passed recipient verification.

recipient check succeeded:

Would I need to setup checks through ldap or something to have the smf-sav milter. I know I should be checking the smf-sav forums and so will also check there.

Thanks

From edward.prendergast at netring.co.uk Thu Apr 3 13:05:34 2008
From: edward.prendergast at netring.co.uk (Edward Prendergast)
Date: Thu Apr 3 13:06:02 2008
Subject: Using watermark to fight spam backscatter
Message-ID: <47F4C80E.6020608@netring.co.uk>

Hi,

More and more of our users are receiving large quantities of spam backscatter. One received 200 messages this week. I've been investigating various options (Postfix rules: http://tinyurl.com/2vdes7, BATV: http://mipassoc.org/batv/) but the easiest to implement seems to be MailScanner's watermarking, especially as my system already uses watermarking (we have a postfix + mailscanner gateway in front of a cPanel exim + mailscanner box).

Watermarking is already successfully implemented and working properly between the two machines. I've altered this setting for testing:

Treat Invalid Watermarks With No Sender as Spam = 0.1

But after changing this and checking the incoming mail I've noticed a lot of backscatter doesn't come with From: <> but rather real e-mail addresses (e.g. MAILER-DAEMON@mx-8.masterhost.ru).

Is this the right area to be looking in? Could this be modified, or should I be using some other feature to help cut down on this?

Thanks,
Edward

************
The information in this email is confidential and may be legally privileged. It is intended solely for the addressee.
Access to this email by anyone else is unauthorised. If you are not the intended recipient, any action taken or omitted to be taken in reliance on it, any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this E-mail message is strictly prohibited and may be unlawful. If you have received this E-mail message in error, please notify us immediately. Please also destroy and delete the message from your computer.
************

From brose at med.wayne.edu Thu Apr 3 13:17:27 2008
From: brose at med.wayne.edu (Rose, Bobby)
Date: Thu Apr 3 13:18:18 2008
Subject: Using watermark to fight spam backscatter
In-Reply-To: <47F4C80E.6020608@netring.co.uk>
References: <47F4C80E.6020608@netring.co.uk>
Message-ID: <610C64469748E84DB6BDD5BD23F01A7618022B@MED-CORE03-MS1.med.wayne.edu>

Are you using the vbounce plugin in SpamAssassin? It has rules for that kind of stuff.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Edward Prendergast
Sent: Thursday, April 03, 2008 8:06 AM
To: MailScanner discussion
Subject: Using watermark to fight spam backscatter

Hi,

More and more of our users are receiving large quantities of spam backscatter. One received 200 messages this week. I've been investigating various options (Postfix rules: http://tinyurl.com/2vdes7, BATV: http://mipassoc.org/batv/) but the easiest to implement seems to be MailScanner's watermarking, especially as my system already uses watermarking (we have a postfix + mailscanner gateway in front of a cPanel exim + mailscanner box).

Watermarking is already successfully implemented and working properly between the two machines. I've altered this setting for testing:

Treat Invalid Watermarks With No Sender as Spam = 0.1

But after changing this and checking the incoming mail I've noticed a lot of backscatter doesn't come with From: <> but rather real e-mail addresses (e.g.
MAILER-DAEMON@mx-8.masterhost.ru).

Is this the right area to be looking in? Could this be modified, or should I be using some other feature to help cut down on this?

Thanks,
Edward

From dave.list at pixelhammer.com Thu Apr 3 13:22:09 2008
From: dave.list at pixelhammer.com (DAve)
Date: Thu Apr 3 13:22:52 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <47F4BCB8.7030000@invictawiz.com>
References: <47F3CD9F.7070406@pixelhammer.com> <47F3D7A5.5040509@pixelhammer.com> <47F4BCB8.7030000@invictawiz.com>
Message-ID: <47F4CBF1.70708@pixelhammer.com>

Martyn Routley wrote:
> DAve wrote:
>> DAve wrote:
>>
>> I moved the incoming dir to a tmpfs mount (mdmfs on freebsd) no change
>> in processing time.
>>
>> I am getting really stumped now.
>>
>> DAve
>>
>>
>>
> What is your hardware?
> We had random processing times when running 6.2 on one of our servers.
> (Single P4 dual core)
> I upgraded in place to 7.0 (using FreeBSD Update
> (http://www.freebsd.org/releases/7.0R/announce.html) and now the emails
> don't touch the sides.
> Getting Sophos to work was a bind though.
>

Interesting, do you know the upgrade helped?
I am always leery of "upgrade" as a solution unless I know why the upgrade is the solution.

Server 1
Intel(R) Xeon(TM) CPU 2.40GHz Quad Core
2GB ram
Quantum Atlas SCSI drives, one for the system and one for the spool dir

Server 2
Intel(R) Xeon(TM) CPU 2.40GHz Quad Core
2GB ram
Maxtor SATA drives, one for the system and one for the spool dir

DAve

--
In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins.

From bpirie at rma.edu Thu Apr 3 13:25:19 2008
From: bpirie at rma.edu (Brendan Pirie)
Date: Thu Apr 3 13:24:17 2008
Subject: Problem with Sendmail smf-sav Milter
In-Reply-To: <47F4C529.8090603@openenterprise.ca>
References: <47F4C529.8090603@openenterprise.ca>
Message-ID: <47F4CCAF.2010500@rma.edu>

Johnny Stork wrote:
> I recently installed the sendmail smf-sav milter to do sender and
> recipient address verification on my MailScanner gateway running the
> latest release on Centos5. However, the recipient checks don't appear to
> be working since I still get all the spam coming in to non-existent
> addresses. I believe I know where the problem might be. The MailScanner
> gateway accepts mail for the mydomain.ca domain, but after processing
> simply forwards to an internal Scalix server through a sendmail
> mailertable entry. For instance, the email address below, or username,
> does not exist on the MailScanner gateway running smf-sav. Nor does that
> email address or account exist on the internal Scalix server, but the
> message passed recipient verification.
>
> recipient check succeeded:
>
> Would I need to setup checks through ldap or something to have the
> smf-sav milter. I know I should be checking the smf-sav forums and so
> will also check there.
>
> Thanks

Johnny,

I'm using smf-sav milter with sendmail 8.13.8 and it works wonderfully, without the use of ldap anywhere.
My MailStore is running sendmail 8.12.11 (soon to be upgraded). smf-sav uses call-ahead to verify addresses, so ldap isn't necessary, and it should work with any RFC compliant MTA. If you can post your configs for sendmail and smf-sav I/we can take a look. I do recall running into an issue where the documentation on adding smf-sav milter to sendmail.mc was outdated for recent sendmail versions.

Brendan

From gmatt at nerc.ac.uk Thu Apr 3 13:49:35 2008
From: gmatt at nerc.ac.uk (Greg Matthews)
Date: Thu Apr 3 13:50:35 2008
Subject: SA times out
In-Reply-To: <47F3AA32.50303@ecs.soton.ac.uk>
References: <47F39721.3000603@ecs.soton.ac.uk> <47F3A36A.10008@ecs.soton.ac.uk> <47F3AA32.50303@ecs.soton.ac.uk>
Message-ID: <47F4D25F.5040806@nerc.ac.uk>

Julian Field wrote:
>>> but perhaps a feature request could be a
>>> CLI switch to specify the message ID so MS only scans the particular
>>> message(s) that you're interested in observing.
>>>
>> Good idea. I'll take a look. Would a single ID do?

excellent idea, I was going to suggest that you could implement it as a queue directory so that you could copy one or more messages into the queue and point MS at it.

> All done. It will be in the next release.

oops, too late!

GREG

>
> Jules
>

--
Greg Matthews 01491 692445
Head of UNIX/Linux, iTSS Wallingford

--
This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system.
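
Added example, not part of any list message and not smf-sav's own code: the call-ahead idea from the smf-sav thread above, reduced to the RCPT TO decision, plus a check for a backend that answers 250 to every recipient (the case where "recipient check succeeded" means nothing). The host names, addresses and simulated backends are constructed, and the null envelope sender in `smtp_rcpt_probe` is an assumption about how a verifier would ask.

```python
"""Call-ahead recipient verification, reduced to its decision logic."""
import smtplib
import uuid


def smtp_rcpt_probe(host, port=25, helo="gateway.example.org", timeout=10):
    """Build a probe that asks a real backend MTA about one recipient.

    Assumption: the probe uses a null envelope sender and stops after
    RCPT TO, so no message body is ever transmitted.
    """
    def probe(address):
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.helo(helo)
            smtp.mail("")                     # MAIL FROM:<>
            code, reply = smtp.rcpt(address)  # the only answer that matters
            smtp.rset()
        return code, reply.decode(errors="replace")
    return probe


def classify(code):
    """Map an SMTP reply code to the verdict a gateway should act on."""
    if 200 <= code <= 299:
        return "accept"
    if 400 <= code <= 499:
        return "tempfail"   # greylisting or backend trouble: never reject on this
    if 500 <= code <= 599:
        return "reject"
    return "unknown"


def audit_backend(probe, domain, known_good):
    """Decide whether call-ahead against this backend can be trusted.

    A random, certainly nonexistent mailbox is probed next to a known-good
    one. If both are accepted, the backend takes everything at RCPT time and
    the gateway cannot use it to turn away mail for unknown users.
    """
    bogus = "no-such-user-%s@%s" % (uuid.uuid4().hex[:12], domain)
    good = classify(probe(known_good)[0])
    bad = classify(probe(bogus)[0])
    if good != "accept":
        return "broken: known-good recipient was not accepted (%s)" % good
    if bad == "accept":
        return "accept-all: backend says 250 to unknown recipients"
    if bad == "reject":
        return "ok: backend rejects unknown recipients at RCPT time"
    return "inconclusive: unknown recipient got %s" % bad


# --- Constructed stand-ins for a backend, so the example runs offline -------
MAILBOXES = {"alice@example.org", "postmaster@example.org"}


def strict_backend(address):
    """Backend that knows its mailboxes and refuses everything else."""
    if address.lower() in MAILBOXES:
        return 250, "2.1.5 Ok"
    return 550, "5.1.1 User unknown"


def catchall_backend(address):
    """Backend that accepts any recipient and sorts it out after DATA."""
    return 250, "2.1.5 Ok"


def lookup_failing_backend(address):
    """Backend whose directory lookup fails for names it cannot resolve."""
    if address.lower() in MAILBOXES:
        return 250, "2.1.5 Ok"
    return 451, "4.3.0 Directory lookup failed"


def run_demo():
    """Audit each simulated backend and return the verdicts by name."""
    backends = (("strict", strict_backend),
                ("catchall", catchall_backend),
                ("lookup-failing", lookup_failing_backend))
    return {name: audit_backend(fn, "example.org", "alice@example.org")
            for name, fn in backends}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print("%-15s %s" % (name, verdict))
```

Against a live system, pass `smtp_rcpt_probe("backend-host")` to `audit_backend` instead of one of the simulated backends, run from the gateway itself.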

From MailScanner at ecs.soton.ac.uk Thu Apr 3 14:17:26 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Apr 3 14:18:12 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <47F4C32C.5050200@pixelhammer.com>
References: <47F3CD9F.7070406@pixelhammer.com> <47F3E5CF.7080505@farrows.org> <47F3F231.7050008@pixelhammer.com> <47F406D5.2020004@farrows.org> <47F42DF8.9080801@pixelhammer.com> <47F4913F.7040100@ecs.soton.ac.uk> <47F4C32C.5050200@pixelhammer.com>
Message-ID: <47F4D8E6.3050303@ecs.soton.ac.uk>

DAve wrote:
> Julian Field wrote:
>>
>>
>> DAve wrote:
>>> After much plugging away, double checking, triple checking and
>>> herding of cats I *think* we may be out of the woods. I won't know
>>> until tomorrow AM when traffic picks up again. Here are my findings
>>> so far.
>>>
>>> MailScanner 4.67.6
>>> ClamAV 0.92.1
>>> SpamAssassin 3.2.4
>>>
>>> Virus Scanners = [clamav | clamavmodule] - There appears to be no
>>> real gain in running clamavmodule, some speed increase but not
>>> enough to be noticed. I have clamavmodule configured just to save
>>> some memory.
>>>
>>> ClamAV Full Message Scan = yes - That is a killer, it seems to
>>> really increase processing time. I have it now set to no, and I have
>>> removed my MSRBL sigs.
>>>
>>> Incoming Work Dir = tmpfs (mdmfs in FreeBSD) - Surprisingly little
>>> difference. I left it on a memory file system for now.
>>>
>>> mailscanner.cf -> skip_rbl_checks 1 - Oddly does not do what it
>>> claims. SA is still doing rbl checks. I commented out the DNSEval
>>> plugin in v320.pre file and was rewarded with errors for my effort.
>>> Not certain what the correct method of disabling rbl checks in SA is
>>> now. Peter Farrow found a message where this has been seen already.
>>> http://markmail.org/message/xzqi5fmrbj3tfgg2
>>>
>>> MailScanner batch size - With version 4.54.6 MS processed 10
>>> messages per batch and kept up just fine.
>>> With version 4.67.6 it
>>> will grab 30+ messages which takes longer to process. Increasing MS
>>> children has no effect. More children working slower doesn't process
>>> more mail for me. I don't see where I can configure this.
>> "Max Children =" in MailScanner.conf. If you were using
>> upgrade_MailScanner_conf to upgrade your MailScanner.conf file then
>> this setting would not have been changed between versions. Do you
>> really copy over all your settings by hand into the new
>> MailScanner.conf file? Wow! That must take *hours*.
>>
>
> Nope, I can modify Max Children, my question is can I control how
> large a batch size each child will process? Previously if I had 500
> messages waiting each child would pick up 10 messages, now they will
> each pick up 30 messages. This is clearly evident in my MRTG graphs
> where I show over the last four months I never had a batch over 10,
> yesterday I had batch sizes of 30 for several hours.

Max Unscanned Bytes Per Scan = 100m
Max Unsafe Bytes Per Scan = 50m
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30

>
> I do use upgrade_MailScanner_conf, and works a treat ;^)

Phew! You had me worried for a moment there :-)

>
> DAve
>
>>>
>>> I am currently seeing processing times of .8 to 20 seconds per
>>> message, generally around the 2 to 4 seconds mark. This is for
>>> batches of 1 to 10 messages. I was seeing as much as 800 seconds for
>>> a batch size of 30 messages this morning. So there has been
>>> improvement.
>>>
>>> I am compiling my SA rules and I run my RBLs in the MTA (hence why I
>>> do not want rbl checking in SA).
>>>
>>> Overall, my previous install of MS 4.54.6, Clam .92, and SA 3.1.9
>>> would run rings around this install. I am seriously contemplating
>>> rolling back but I am uncertain if I have the original tarball for
>>> Julian's Clam+SA package.
>>>
>>> I believe my issue is configuration of MS or SA at this point. I am
>>> open to suggestions.
>>>
>>> Thanks for the help.
>>>
>>> DAve
>>>
>>
>> Jules
>>
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info

From glenn.steen at gmail.com Thu Apr 3 14:24:22 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Apr 3 14:24:57 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <47F42DF8.9080801@pixelhammer.com>
References: <47F3CD9F.7070406@pixelhammer.com> <47F3E5CF.7080505@farrows.org> <47F3F231.7050008@pixelhammer.com> <47F406D5.2020004@farrows.org> <47F42DF8.9080801@pixelhammer.com>
Message-ID: <223f97700804030624w7011f33cr6f7b354e3607904d@mail.gmail.com>

On 03/04/2008, DAve wrote:
(snip)
> mailscanner.cf -> skip_rbl_checks 1 - Oddly does not do what it claims. SA
> is still doing rbl checks. I commented out the DNSEval plugin in v320.pre
> file and was rewarded with errors for my effort. Not certain what the
> correct method of disabling rbl checks in SA is now. Peter Farrow found a
> message where this has been seen already.
> http://markmail.org/message/xzqi5fmrbj3tfgg2
(snip)

So the previous version(s) ran without RBL checking in MS or SA? And now you get RBLs in SA regardless...? That would indeed be a killer:-).
Tried setting "dns_available no", with same result? Perhaps not what you want...

And BTW... You don't load the ASN plugin, right?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Thu Apr 3 14:30:59 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Thu Apr 3 14:31:34 2008
Subject: Problem with Sendmail smf-sav Milter
In-Reply-To: <47F4CCAF.2010500@rma.edu>
References: <47F4C529.8090603@openenterprise.ca> <47F4CCAF.2010500@rma.edu>
Message-ID: <223f97700804030630y62778f42r34ac546cc1648434@mail.gmail.com>

On 03/04/2008, Brendan Pirie wrote:
> Johnny Stork wrote:
>
> > I recently installed the sendmail smf-sav milter to do sender and
> recipient address verification on my MailScanner gateway running the latest
> release on Centos5. However, the recipient checks don't appear to be working
> since I still get all the spam coming in to non-existent addresses. I
> believe I know where the problem might be. The MailScanner gateway accepts
> mail for the mydomain.ca domain, but after processing simply forwards to an
> internal Scalix server through a sendmail mailertable entry. For instance,
> the email address below, or username, does not exist on the MailScanner
> gateway running smf-sav. Nor does that email address or account exist on the
> internal Scalix server, but the message passed recipient verification.
> >
> > recipient check succeeded:
> >
> > Would I need to setup checks through ldap or something to have the smf-sav
> milter. I know I should be checking the smf-sav forums and so will also
> check there.
> >
> > Thanks
> >
>
> Johnny,
>
> I'm using smf-sav milter with sendmail 8.13.8 and it works wonderfully,
> without the use of ldap anywhere. My MailStore is running sendmail 8.12.11
> (soon to be upgraded). smf-sav uses call-ahead to verify addresses, so ldap
> isn't necessary, and it should work with any RFC compliant MTA. If you can
> post your configs for sendmail and smf-sav I/we can take a look.
> I do
> recall running into an issue where the documentation on adding smf-sav
> milter to sendmail.mc was outdated for recent sendmail versions.
>
> Brendan
>

Might be it... Or the Scalix box might be misconfigured, accepting anything... You know ... "It's important we get all mails, even the typo'd ones, so we setup a catchall mailbox"... Or similar stupidity:-).

Johnny, use telnet (from your MailScanner box) to verify that the Scalix box does the right thing (look in the MS wiki for how to do this... Somewhere like http://wiki.mailscanner.info/doku.php?id=documentation:test_troubleshoot:mta:connexion).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From maillists at conactive.com Thu Apr 3 14:31:17 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Apr 3 14:32:14 2008
Subject: Using watermark to fight spam backscatter
In-Reply-To: <47F4C80E.6020608@netring.co.uk>
References: <47F4C80E.6020608@netring.co.uk>
Message-ID:

Edward Prendergast wrote on Thu, 03 Apr 2008 13:05:34 +0100:

> But after changing this and checking the incoming mail I've noticed
> a lot of backscatter doesn't come with From: <> but rather real
> e-mail addresses (e.g. MAILER-DAEMON@mx-8.masterhost.ru).

Are you sure that this is the *envelope-from* ? The *mail header* may indeed contain an address like the above!

Be aware that using watermarking to reject may also reject legitimate mail and receipts. Search this list for old discussions about this.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From edward.prendergast at netring.co.uk Thu Apr 3 14:47:28 2008
From: edward.prendergast at netring.co.uk (Edward Prendergast)
Date: Thu Apr 3 14:47:57 2008
Subject: Using watermark to fight spam backscatter
In-Reply-To: <610C64469748E84DB6BDD5BD23F01A7618022B@MED-CORE03-MS1.med.wayne.edu>
References: <47F4C80E.6020608@netring.co.uk> <610C64469748E84DB6BDD5BD23F01A7618022B@MED-CORE03-MS1.med.wayne.edu>
Message-ID: <47F4DFF0.4010701@netring.co.uk>

Rose, Bobby wrote:
> Are you using the vbounce plugin in SpamAssassin? It has rules for that
> kind of stuff.
>

No - I'm not using this plugin, I will check it out. Are you using it with success?
************ From dave.list at pixelhammer.com Thu Apr 3 15:03:15 2008 From: dave.list at pixelhammer.com (DAve) Date: Thu Apr 3 15:04:02 2008 Subject: New MS install is slow to an extreme In-Reply-To: <47F4D8E6.3050303@ecs.soton.ac.uk> References: <47F3CD9F.7070406@pixelhammer.com> <47F3E5CF.7080505@farrows.org> <47F3F231.7050008@pixelhammer.com> <47F406D5.2020004@farrows.org> <47F42DF8.9080801@pixelhammer.com> <47F4913F.7040100@ecs.soton.ac.uk> <47F4C32C.5050200@pixelhammer.com> <47F4D8E6.3050303@ecs.soton.ac.uk> Message-ID: <47F4E3A3.5040607@pixelhammer.com> Julian Field wrote: > > > DAve wrote: >> Julian Field wrote: >>> >>> >>> DAve wrote: >>>> After much plugging away, double checking, triple checking and >>>> herding of cats I *think* we may out of the woods. I won't know >>>> until tomorrow AM when traffic picks up again. Here are my findings >>>> so far. >>>> >>>> MailScanner 4.67.6 >>>> ClamAV 0.92.1 >>>> SpamAssassin 3.2.4 >>>> >>>> Virus Scanners = [clamav | clamavmodule] - There appears to be no >>>> real gain in running clamavmodule, some speed increase but not >>>> enough to be noticed. I have clamavmodule configured just to save >>>> some memory. >>>> >>>> ClamAV Full Message Scan = yes - That is a killer, it seems to >>>> really increase processing time. I have it now set to no, and I have >>>> removed my MSRBL sigs. >>>> >>>> Incoming Work Dir = tmpfs (mdmfs in FreeBSD) - Surprisingly little >>>> difference. I left it on a memory file system for now. >>>> >>>> mailscanner.cf -> skip_rbl_checks 1 - Oddly does not do what it >>>> claims. SA is still doing rbl checks. I commented out the DNSEval >>>> plugin in v320.pre file and was rewarded with errors for my effort. >>>> Not certain what the correct method of disabling rbl checks in SA is >>>> now. Peter Farrow found a message where this has been seen already. 
>>>> http://markmail.org/message/xzqi5fmrbj3tfgg2 >>>> >>>> MailScanner batch size - With version 4.54.6 MS processed 10 >>>> messages per batch and kept up just fine. With version 4.67.6 it >>>> will grab 30+ messages which takes longer to process. Increasing MS >>>> children has no effect. More children working slower doesn't process >>>> more mail for me. I don't see where I can configure this. >>> "Max Children =" in MailScanner.conf. If you were using >>> upgrade_MailScanner_conf to upgrade your MailScanner.conf file then >>> this setting would not have been changed between versions. Do you >>> really copy over all your settings by hand into the new >>> MailScanner.conf file? Wow! That must take *hours*. >>> >> >> Nope, I can modify Max Children, my question is can I control how >> large a batch size each child will process? Previously if I had 500 >> messages waiting each child would pick up 10 messages, now they will >> each pick up 30 messages. This is clearly evident in my MRTG graphs >> where I show over the last four months I never had a batch over 10, >> yesterday I had batch sizes of 30 for several hours. > Max Unscanned Bytes Per Scan = 100m > Max Unsafe Bytes Per Scan = 50m > Max Unscanned Messages Per Scan = 30 > Max Unsafe Messages Per Scan = 30 I thought so, but my setting is unchanged from the default on the old and the new installs. Which is why I doubted my understanding of the option. At this point, 10:00am, we have survived the morning rush of email with no obvious issues and mail is flowing nicely. My largest number of waiting messages has been 120 (yesterday it was 2k at this time, 4k by noon). DAve > >> >> I do use upgrade_MailScanner_conf, and works a treat ;^) > Phew! You had me worried for a moment there :-) > >> >> DAve >> >>>> >>>> I am currently seeing processing times of .8 to 20 seconds per >>>> message, generally around the 2 to 4 seconds mark. This is for >>>> batches of 1 to 10 messages. 
I was seeing as much as 800 seconds for >>>> a batch size of 30 messages this morning. So there has been >>>> improvement. >>>> >>>> I am compiling my SA rules and I run my RBLs in the MTA (hence why I >>>> do not want rbl checking in SA). >>>> >>>> Overall, my previous install of MS 4.54.6, Clam .92, and SA 3.1.9 >>>> would run rings around this install. I am seriously contemplating >>>> rolling back but I am uncertain if I have the original tarball for >>>> Julian's Clam+SA package. >>>> >>>> I believe my issue is configuration of MS or SA at this point. I am >>>> open to suggestions. >>>> >>>> Thanks for the help. >>>> >>>> DAve >>>> >>> >>> Jules >>> >> >> > > Jules > -- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins. From dave.list at pixelhammer.com Thu Apr 3 15:05:30 2008 From: dave.list at pixelhammer.com (DAve) Date: Thu Apr 3 15:05:50 2008 Subject: New MS install is slow to an extreme In-Reply-To: <223f97700804030624w7011f33cr6f7b354e3607904d@mail.gmail.com> References: <47F3CD9F.7070406@pixelhammer.com> <47F3E5CF.7080505@farrows.org> <47F3F231.7050008@pixelhammer.com> <47F406D5.2020004@farrows.org> <47F42DF8.9080801@pixelhammer.com> <223f97700804030624w7011f33cr6f7b354e3607904d@mail.gmail.com> Message-ID: <47F4E42A.4030307@pixelhammer.com> Glenn Steen wrote: > On 03/04/2008, DAve wrote: > (snip) >> mailscanner.cf -> skip_rbl_checks 1 - Oddly does not do what it claims. SA >> is still doing rbl checks. I commented out the DNSEval plugin in v320.pre >> file and was rewarded with errors for my effort. Not certain what the >> correct method of disabling rbl checks in SA is now. Peter Farrow found a >> message where this has been seen already. 
>> http://markmail.org/message/xzqi5fmrbj3tfgg2
> (snip)
> So the previous version(s) ran without RBL checking in MS or SA? And
> now you get RBLs in SA regardless...? That would indeed be a
> killer:-).
>
> Tried setting "dns_available no", with same result? Perhaps not what
> you want... And BTW... You don't load the ASN plugin, right?
>

dns_available_no? I should read about that rule again. No to the ASN plugin.

DAve

> Cheers

--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.

From dominian at slackadelic.com Thu Apr 3 15:16:56 2008
From: dominian at slackadelic.com (Matt Hayes)
Date: Thu Apr 3 15:17:44 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <47F4E3A3.5040607@pixelhammer.com>
References: <47F3CD9F.7070406@pixelhammer.com> <47F3E5CF.7080505@farrows.org> <47F3F231.7050008@pixelhammer.com> <47F406D5.2020004@farrows.org> <47F42DF8.9080801@pixelhammer.com> <47F4913F.7040100@ecs.soton.ac.uk> <47F4C32C.5050200@pixelhammer.com> <47F4D8E6.3050303@ecs.soton.ac.uk> <47F4E3A3.5040607@pixelhammer.com>
Message-ID: <47F4E6D8.7090406@slackadelic.com>

DAve wrote:
>
> At this point, 10:00am, we have survived the morning rush of email with
> no obvious issues and mail is flowing nicely. My largest number of
> waiting messages has been 120 (yesterday it was 2k at this time, 4k by
> noon).
>
> DAve

Stop the madness!!
:)

-Matt

From steve.freegard at fsl.com Thu Apr 3 15:20:31 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Apr 3 15:22:26 2008
Subject: Problem with Sendmail smf-sav Milter
In-Reply-To: <223f97700804030630y62778f42r34ac546cc1648434@mail.gmail.com>
References: <47F4C529.8090603@openenterprise.ca> <47F4CCAF.2010500@rma.edu> <223f97700804030630y62778f42r34ac546cc1648434@mail.gmail.com>
Message-ID: <47F4E7AF.2050807@fsl.com>

Glenn Steen wrote:
> Might be it... Or the Scalix box might be misconfigured, accepting
> anything... You know ... "It's important we get all mails, even the
> typo'd ones, so we setup a catchall mailbox"... Or similar
> stupidity:-).

If this is the case then it goes to show how much better milter-ahead is
as it actually verifies that the remote-end is capable of rejecting
invalid recipients to prevent continual call-aheads to a host that isn't
capable. You can then check the cache database (easy if you use the
SQLite3 DB) and get a list of the servers that can't do this.

Regards,
Steve.

From mailscanner at tecnowaydigital.com.br Thu Apr 3 15:39:53 2008
From: mailscanner at tecnowaydigital.com.br (TecnoWay Digital)
Date: Thu Apr 3 15:41:28 2008
Subject: MailScanner ignoring some rules
In-Reply-To: <47F46B28.2050507@vanderkooij.org>
References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> <47F46B28.2050507@vanderkooij.org>
Message-ID:

For example:

%rules-dir%/scan.messages.rules

The content of the scan.messages.rules file is:

FromOrTo: marketing@silmaq.com.br no
FromOrTo: default yes

On a server with mailscanner-4.46.2-2 the rule works, but on another
server with mailscanner-4.68.8-1 the rule doesn't work: the mailbox
marketing@silmaq.com.br is still being processed by mailscanner.

To make sure I was using the correct MailScanner.conf after the upgrade,
I put in a wrong setting, for example "Sca Messages", and MailScanner
reported a syntax error.

Best Regards

----- Original Message -----
From: "Hugo van der Kooij"
To: "MailScanner discussion"
Sent: Thursday, April 03, 2008 2:29 AM
Subject: Re: MailScanner ignoring some rules

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> mailscanner@tecnowaydigital.com.br wrote:
>
> | At MailScanner recent versions, when I set some rules like:
> | Scan Messages = /etc/MailScanner/rules/scan.messages.rules
> | or
> | Filename Rules = /etc/MailScanner/filename.rules
> |
> | The MailScanner simply ignore the rules and don't print any error
> message.
>
> Since you did not include anything about the rules you have there we
> must assume MS is right and your rules are wrong. In what way we can not
> tell you by lack of any information.
>
> Hugo.
>
> - --
> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>
> A: Yes.
> >Q: Are you sure?
> >>A: Because it reverses the logical flow of conversation.
> >>>Q: Why is top posting frowned upon?
>
> Bored? Click on http://spamornot.org/ and rate those images.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
>
> iD8DBQFH9GslBvzDRVjxmYERAiOiAKCcKHWSpoYBUC+M2k0uPSEhertCnACfQEa+
> KnYl0Qt9kzlzy4m99EgvKhU=
> =LsQL
> -----END PGP SIGNATURE-----

From mkercher at nfsmith.com Thu Apr 3 15:50:13 2008
From: mkercher at nfsmith.com (Mike Kercher)
Date: Thu Apr 3 15:51:15 2008
Subject: File Type Check Problem
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36F8E0C23@HOUPEX01.nfsmith.info>

I've been searching and haven't found a resolution for this yet.
Periodically, we get emails with attachments coming through that are not
being detected properly.
MailScanner reports: MailScanner: No programs allowed (msg-10410-101.txt) If I go look at the quarantined email in MailWatch and download the attachment, it is a PDF. There was talk of the file -i command switch. Is this something that needs to be set in MailScanner.conf? TIA Mike From peter at farrows.org Thu Apr 3 16:02:14 2008 From: peter at farrows.org (Peter Farrow) Date: Thu Apr 3 16:03:02 2008 Subject: Error when update Geoip In-Reply-To: <20080403091800.C35B0233C8@ws5-3.us4.outblaze.com> References: <20080403091800.C35B0233C8@ws5-3.us4.outblaze.com> Message-ID: <47F4F176.1070305@farrows.org> Linuxmail R. wrote: > Dear All > > I got this error when i update GeoIp,pls help me. thx.. > ------------------------------------------------------------------- > Downloading file, please wait.... > Error executing query: > > Access denied for user 'mailwatch'@'localhost' (using password: YES) > > SQL: > > LOAD DATA INFILE '/home/crisgo/mailscanner/temp/GeoIPCountryWhois.csv' INTO TABLE geoip_country FIELDS TERMINATED BY ',' ENCLOSED BY '"' > > -------------------------------------------------- > Linuxmail Rapin P. > > > = > > > The mysql database password for the user "mailwatch" is incorrect, or is not set for access from Localhost. You'll need to execute a command like this from the mysql CLI: GRANT ALL ON mailscanner.* TO mailwatch@localhost IDENTIFIED BY 'mailwatch'; If your database is called "mailscanner" Regards Pete From lists at openenterprise.ca Thu Apr 3 16:45:19 2008 From: lists at openenterprise.ca (Johnny Stork) Date: Thu Apr 3 16:45:57 2008 Subject: Problem with Sendmail smf-sav Milter In-Reply-To: <47F4CCAF.2010500@rma.edu> References: <47F4C529.8090603@openenterprise.ca> <47F4CCAF.2010500@rma.edu> Message-ID: <47F4FB8F.7020607@openenterprise.ca> Here are those files and thanks for offering to take a look. My MailScanner machine has only an internal non-routable ip in a DMZ (192.168.10.2) which accepts external SMTP connection routed from the firewall. 
The Scalix server is also internal with the ip 192.168.1.3. I also changed the "MailStore johnnystork.ca " settings to "MailStore 192.168.1.3" but this did not make any difference. sendmail.mc (last line is smf rule) divert(-1)dnl dnl # dnl # This is the sendmail macro config file for m4. If you make changes to dnl # /etc/mail/sendmail.mc, you will need to regenerate the dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is dnl # installed and then performing a dnl # dnl # make -C /etc/mail dnl # include(`/usr/share/sendmail-cf/m4/cf.m4')dnl VERSIONID(`setup for linux')dnl OSTYPE(`linux')dnl dnl # dnl # Do not advertize sendmail version. dnl # dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl dnl # dnl # default logging level is 9, you might want to set it higher to dnl # debug the configuration dnl # dnl define(`confLOG_LEVEL', `9')dnl dnl # dnl # Uncomment and edit the following line if your outgoing mail needs to dnl # be sent out through an external mail server: dnl # dnl define(`SMART_HOST', `smtp.your.provider')dnl dnl # define(`confDEF_USER_ID', ``8:12'')dnl dnl define(`confAUTO_REBUILD')dnl define(`confTO_CONNECT', `1m')dnl define(`confTRY_NULL_MX_LIST', `True')dnl define(`confDONT_PROBE_INTERFACES', `True')dnl define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl define(`ALIAS_FILE', `/etc/aliases')dnl define(`STATUS_FILE', `/var/log/mail/statistics')dnl define(`UUCP_MAILER_MAX', `2000000')dnl define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl define(`confAUTH_OPTIONS', `A')dnl dnl # dnl # The following allows relaying if the user authenticates, and disallows dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links dnl # dnl define(`confAUTH_OPTIONS', `A p')dnl dnl # dnl # PLAIN is the preferred plaintext authentication method and used by dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do dnl # use LOGIN. 
Other mechanisms should be used if the connection is not dnl # guaranteed secure. dnl # Please remember that saslauthd needs to be running for AUTH. dnl # dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl dnl # dnl # Rudimentary information on creating certificates for sendmail TLS: dnl # cd /usr/share/ssl/certs; make sendmail.pem dnl # Complete usage: dnl # make -C /usr/share/ssl/certs usage dnl # dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl dnl # dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's dnl # slapd, which requires the file to be readble by group ldap dnl # dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl dnl # dnl define(`confTO_QUEUEWARN', `4h')dnl dnl define(`confTO_QUEUERETURN', `5d')dnl dnl define(`confQUEUE_LA', `12')dnl dnl define(`confREFUSE_LA', `18')dnl define(`confTO_IDENT', `0')dnl dnl FEATURE(delay_checks)dnl FEATURE(`no_default_msa', `dnl')dnl FEATURE(`smrsh', `/usr/sbin/smrsh')dnl FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl FEATURE(redirect)dnl FEATURE(always_add_domain)dnl FEATURE(use_cw_file)dnl FEATURE(use_ct_file)dnl dnl # dnl # The following limits the number of processes sendmail can fork to accept dnl # incoming messages or process its message queues to 20.) sendmail refuses dnl # to accept connections once it has reached its quota of child processes. dnl # dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl dnl # dnl # Limits the number of new connections per second. This caps the overhead dnl # incurred due to forking new sendmail processes. May be useful against dnl # DoS attacks or barrages of spam. 
(As mentioned below, a per-IP address dnl # limit would be useful but is not available as an option at this writing.) dnl # dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl dnl # dnl # The -t option will retry delivery if e.g. the user runs over his quota. dnl # FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl FEATURE(`access_db', `hash -T -o /etc/mail/access.db')dnl FEATURE(`blacklist_recipients')dnl EXPOSED_USER(`root')dnl dnl # dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment dnl # the following 2 definitions and activate below in the MAILER section the dnl # cyrusv2 mailer. dnl # dnl define(`confLOCAL_MAILER', `cyrusv2')dnl dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl dnl # dnl # The following causes sendmail to only listen on the IPv4 loopback address dnl # 127.0.0.1 and not on any other network devices. Remove the loopback dnl # address restriction to accept email from the internet or intranet. dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl dnl # dnl # The following causes sendmail to additionally listen to port 587 for dnl # mail from MUAs that authenticate. Roaming users who can't reach their dnl # preferred sendmail daemon due to port 25 being blocked or redirected find dnl # this useful. dnl # dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl dnl # dnl # The following causes sendmail to additionally listen to port 465, but dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1. dnl # dnl # For this to work your OpenSSL certificates must be configured. 
dnl # dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl dnl # dnl # The following causes sendmail to additionally listen on the IPv6 loopback dnl # device. Remove the loopback address restriction listen to the network. dnl # dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl dnl # dnl # enable both ipv6 and ipv4 in sendmail: dnl # dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6') dnl # dnl # We strongly recommend not accepting unresolvable domains if you want to dnl # protect yourself from spam. However, the laptop and users on computers dnl # that do not have 24x7 DNS do need this. dnl # FEATURE(`accept_unresolvable_domains')dnl dnl # dnl FEATURE(`relay_based_on_MX')dnl dnl # dnl # Also accept email sent to "localhost.localdomain" as local email. dnl # LOCAL_DOMAIN(`localhost.localdomain')dnl dnl # dnl # The following example makes mail from this host and any additional dnl # specified domains appear to be sent from mydomain.com dnl # dnl MASQUERADE_AS(`openenterprise.ca')dnl dnl # dnl # masquerade not just the headers, but the envelope as well dnl # dnl FEATURE(masquerade_envelope)dnl dnl # dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well dnl # dnl FEATURE(masquerade_entire_domain)dnl dnl # dnl MASQUERADE_DOMAIN(localhost)dnl dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl dnl MASQUERADE_DOMAIN(mydomain.lan)dnl dnl # START ADDED BY JPS FROM http://www.leap-cf.org/presentations/MailScanner/MailScanner.html define(`confDOUBLE_BOUNCE_ADDRESS', `')dnl dnl # define(`confBAD_RCPT_THROTTLE', `1')dnl dnl # define(`confCONNECTION_RATE_THROTTLE', `100')dnl dnl # define(`confMAX_DAEMON_CHILDREN', `500')dnl dnl # define(`confQUEUE_LA', `5')dnl define(`confREFUSE_LA', `10')dnl dnl # define(`confTO_ICONNECT', `15s')dnl define(`confTO_CONNECT', `3m')dnl define(`confTO_HELO', `2m')dnl define(`confTO_MAIL', `1m')dnl define(`confTO_RCPT', `1m')dnl 
define(`confTO_DATAINIT', `1m')dnl define(`confTO_DATABLOCK', `1m')dnl define(`confTO_DATAFINAL', `1m')dnl define(`confTO_RSET', `1m')dnl define(`confTO_QUIT', `1m')dnl define(`confTO_MISC', `1m')dnl define(`confTO_COMMAND', `1m')dnl define(`confTO_STARTTLS', `2m')dnl dnl # FEATURE(access_db)dnl FEATURE(`greet_pause',10000) dnl # dnl # dnl# FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} " found in dnsbl.sorbs.net"')dnl dnl# FEATURE(`dnsbl', `dnsbl.njabl.org', `"554 Rejected " $&{client_addr} " - see http://dnsbl.njabl.org/method.html"')dnl dnl# FEATURE(`dnsbl', `bl.spamcop.net', `"554 Rejected " $&{client_addr} " found in bl.spamcop.net"')dnl dnl# FEATURE(`dnsbl', `chinanet.blackholes.us', `"554 Rejected " $&{client_addr} " found in chinanet.blackholes.us"')dnl dnl# FEATURE(`dnsbl',`zen.spamhaus.org', `"554 Rejected " $&{client_addr} " - see http://www.spamhaus.org/SBL/"')dnl DAEMON_OPTIONS(`Addr=192.168.10.2')dnl dnl # END ADDED BY JPS FROM http://www.leap-cf.org/presentations/MailScanner/MailScanner.html MAILER(smtp)dnl MAILER(procmail)dnl dnl MAILER(cyrusv2)dnl define(`confMILTER_MACROS_HELO', confMILTER_MACROS_HELO`, {verify}')dnl INPUT_MAIL_FILTER(`smf-sav', `S=unix:/var/run/smfs/smf-sav.sock, T=S:30s;R:4m')dnl smf-sav.conf: # /etc/mail/smfs/smf-sav.conf # # smf-sav configuration file v1.4.0 (it's read at start) # # Whitelist by a sender IP address # # The syntax is an IP address followed by a slash # and a CIDR netmask (if the netmask is omitted, /32 is assumed) # WhitelistIP 127.0.0.0/8 WhitelistIP 10.0.0.0/8 WhitelistIP 172.16.0.0/12 WhitelistIP 192.168.0.0/16 # Whitelist by a sender PTR (reverse DNS) record # # Performs a case insensitive substring match # #WhitelistPTR .friendlydomain.tld #WhitelistPTR friendlyhost.friendlydomain.tld # Whitelist by an envelope sender e-Mail address # # Performs a case insensitive substring match # #WhitelistFrom friend@ #WhitelistFrom @friendlydomain.tld #WhitelistFrom friend@friendlydomain.tld # 
Whitelist by an envelope recipient e-Mail address # # Performs a case insensitive substring match # #WhitelistTo postmaster@ #WhitelistTo abuse@ #WhitelistTo spamlover@yourdomain.tld #WhitelistTo @yourspamloverdomain.tld # FQDN of the publicly visible IP address of the interface # of an outgoing connection of your Sendmail daemon # It will be used with the SMTP HELO command for SAV and RAV # PublicName johnnystork.ca # it *MUST* be corrected properly # Any valid e-Mail address of your local domain for the safe call-out purposes # SafeCallBack stork@johnnystork.ca # it *MUST* be corrected properly # Sender e-Mail Address Verification # # Default: on # #SAV on # (on|off) # Ignore tempfailed results of SAV # # Default: off # #IgnoreTempFail off # (on|off) # Refuse e-Mail messages from systems that don't accept the null reverse-path <> # # Default: off # #BlockIgnorants off # (on|off) # Recipient e-Mail Address Verification # # Primary authoritative e-Mail store hostname (IP address) or # the hostname (IP address) associated with the interface # of an incoming connection of your Sendmail daemon # In most cases it will be equal to the PublicName value # Do not set to 'localhost' or 127.0.0.1 # MailStore johnnystork.ca # uncomment and set it properly # In-memory cache engine TTL settings # # The time is given in seconds, except if a unit is given: # m for minutes, h for hours, and d for days # Specify zero to disable caching of particular items # # Defaults: # #FromPassTTL 1d # senders that successfully pass the MX callback test # #FromTFailTTL 5m # senders that pass the MX callback test with tempfail results # #FromFailTTL 1h # senders that did not successfully pass the MX callback test # #ToPassTTL 1h # recipients that successfully pass the call ahead test # #ToTFailTTL 5m # recipients that pass the call ahead test with tempfail results # #ToFailTTL 1h # recipients that did not successfully pass the call ahead test # Run as a selected user (smf-sav must be started by 
root)
#
# Default: smfs
#
#User smfs

# Socket used to communicate with a Sendmail daemon
#
# Default: unix:/var/run/smfs/smf-sav.sock
#
#Socket unix:/var/run/smfs/smf-sav.sock

# Facility for logging via a Syslog daemon
#
# Default: mail
#
#Syslog mail # (daemon|mail|local0...local7)

Brendan Pirie wrote:
> Johnny Stork wrote:
>> I recently installed the sendmail smf-sav milter to do sender and
>> recipient address verification on my MailScanner gateway running the
>> latest release on Centos5. However, the recipient checks don't appear
>> to be working since I still get all the spam coming in to
>> non-existent addresses. I believe I know where the problem might be.
>> The MailScanner gateway accepts mail for the mydomain.ca domain, but
>> after processing simply forwards to an internal Scalix server through
>> a sendmail mailertable entry. For instance, the email address below,
>> or username, does not exist on the MailScanner gateway running
>> smf-sav. Nor does that email address or account exist on the internal
>> Scalix server, but the message passed recipient verification.
>>
>> recipient check succeeded:
>>
>> Would I need to setup checks through ldap or something to have the
>> smf-sav milter. I know I should be checking the smf-sav forums and so
>> will also check there.
>>
>> Thanks
>
> Johnny,
>
> I'm using smf-sav milter with sendmail 8.13.8 and it works
> wonderfully, without the use of ldap anywhere. My MailStore is
> running sendmail 8.12.11 (soon to be upgraded). smf-sav uses
> call-ahead to verify addresses, so ldap isn't necessary, and it should
> work with any RFC compliant MTA. If you can post your configs for
> sendmail and smf-sav I/we can take a look. I do recall running into
> an issue where the documentation on adding smf-sav milter to
> sendmail.mc was outdated for recent sendmail versions.
>
> Brendan
>

From ryanb at aacrao.org Thu Apr 3 16:53:55 2008
From: ryanb at aacrao.org (Ryan Bingham)
Date: Thu Apr 3 16:55:24 2008
Subject: perl with threading enabled: bad?
Message-ID: <47F4FD93.5010001@aacrao.org>

Hi All,

I checked the archives but couldn't find the answer to this question, so
I apologize if it has been previously addressed.

We recently upgraded from MailScanner 4.56.8 to 4.68.8. Everything went
well and we're not experiencing any problems, but I did have a question
about a comment Julian makes during the install script. At one point it
says:

*** You are using a perl configured with threading enabled.
*** You should be aware that using multiple threads is
*** not recommended for production environments.

We are running perl v5.8.8 on CentOS 5.1 and threading is enabled (we
see "usethreads=define" when we run perl -V). Is this bad? Is there a
way to turn it off?

Thanks again and sorry if this has already been discussed.

Cheers!

Ryan

--
Ryan Bingham
Chief Information Officer
AACRAO
202-263-0295
ryanb@aacrao.org

From bpirie at rma.edu Thu Apr 3 17:32:50 2008
From: bpirie at rma.edu (Brendan Pirie)
Date: Thu Apr 3 17:31:52 2008
Subject: Problem with Sendmail smf-sav Milter
In-Reply-To: <47F4FB8F.7020607@openenterprise.ca>
References: <47F4C529.8090603@openenterprise.ca> <47F4CCAF.2010500@rma.edu> <47F4FB8F.7020607@openenterprise.ca>
Message-ID: <47F506B2.600@rma.edu>

Johnny Stork wrote:
> Here are those files and thanks for offering to take a look. My
> MailScanner machine has only an internal non-routable ip in a DMZ
> (192.168.10.2) which accepts external SMTP connection routed from the
> firewall. The Scalix server is also internal with the ip 192.168.1.3. I
> also changed the "MailStore johnnystork.ca " settings to
> "MailStore 192.168.1.3" but this did not make any difference.
>
>
> sendmail.mc (last line is smf rule)
>
> divert(-1)dnl
> dnl #
> dnl # This is the sendmail macro config file for m4.
If you make changes to > dnl # /etc/mail/sendmail.mc, you will need to regenerate the > dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf > package is > dnl # installed and then performing a > dnl # > dnl # make -C /etc/mail > dnl # > include(`/usr/share/sendmail-cf/m4/cf.m4')dnl > VERSIONID(`setup for linux')dnl > OSTYPE(`linux')dnl > dnl # > dnl # Do not advertize sendmail version. > dnl # > dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl > dnl # > dnl # default logging level is 9, you might want to set it higher to > dnl # debug the configuration > dnl # > dnl define(`confLOG_LEVEL', `9')dnl > dnl # > dnl # Uncomment and edit the following line if your outgoing mail needs to > dnl # be sent out through an external mail server: > dnl # > dnl define(`SMART_HOST', `smtp.your.provider')dnl > dnl # > define(`confDEF_USER_ID', ``8:12'')dnl > dnl define(`confAUTO_REBUILD')dnl > define(`confTO_CONNECT', `1m')dnl > define(`confTRY_NULL_MX_LIST', `True')dnl > define(`confDONT_PROBE_INTERFACES', `True')dnl > define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl > define(`ALIAS_FILE', `/etc/aliases')dnl > define(`STATUS_FILE', `/var/log/mail/statistics')dnl > define(`UUCP_MAILER_MAX', `2000000')dnl > define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl > define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl > define(`confAUTH_OPTIONS', `A')dnl > dnl # > dnl # The following allows relaying if the user authenticates, and > disallows > dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links > dnl # > dnl define(`confAUTH_OPTIONS', `A p')dnl > dnl # > dnl # PLAIN is the preferred plaintext authentication method and used by > dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do > dnl # use LOGIN. Other mechanisms should be used if the connection is not > dnl # guaranteed secure. > dnl # Please remember that saslauthd needs to be running for AUTH. 
> dnl #
> dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> dnl #
> dnl # Rudimentary information on creating certificates for sendmail TLS:
> dnl # cd /usr/share/ssl/certs; make sendmail.pem
> dnl # Complete usage:
> dnl # make -C /usr/share/ssl/certs usage
> dnl #
> dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
> dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
> dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
> dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
> dnl #
> dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
> dnl # slapd, which requires the file to be readble by group ldap
> dnl #
> dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
> dnl #
> dnl define(`confTO_QUEUEWARN', `4h')dnl
> dnl define(`confTO_QUEUERETURN', `5d')dnl
> dnl define(`confQUEUE_LA', `12')dnl
> dnl define(`confREFUSE_LA', `18')dnl
> define(`confTO_IDENT', `0')dnl
> dnl FEATURE(delay_checks)dnl
> FEATURE(`no_default_msa', `dnl')dnl
> FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
> FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
> FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
> FEATURE(redirect)dnl
> FEATURE(always_add_domain)dnl
> FEATURE(use_cw_file)dnl
> FEATURE(use_ct_file)dnl
> dnl #
> dnl # The following limits the number of processes sendmail can fork to accept
> dnl # incoming messages or process its message queues to 20.) sendmail refuses
> dnl # to accept connections once it has reached its quota of child processes.
> dnl #
> dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
> dnl #
> dnl # Limits the number of new connections per second. This caps the overhead
> dnl # incurred due to forking new sendmail processes. May be useful against
> dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
> dnl # limit would be useful but is not available as an option at this writing.)
> dnl #
> dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
> dnl #
> dnl # The -t option will retry delivery if e.g. the user runs over his quota.
> dnl #
> FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
> FEATURE(`access_db', `hash -T -o /etc/mail/access.db')dnl
> FEATURE(`blacklist_recipients')dnl
> EXPOSED_USER(`root')dnl
> dnl #
> dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
> dnl # the following 2 definitions and activate below in the MAILER section the
> dnl # cyrusv2 mailer.
> dnl #
> dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
> dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
> dnl #
> dnl # The following causes sendmail to only listen on the IPv4 loopback address
> dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
> dnl # address restriction to accept email from the internet or intranet.
> dnl #
> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
> dnl #
> dnl # The following causes sendmail to additionally listen to port 587 for
> dnl # mail from MUAs that authenticate. Roaming users who can't reach their
> dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
> dnl # this useful.
> dnl #
> dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
> dnl #
> dnl # The following causes sendmail to additionally listen to port 465, but
> dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
> dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
> dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
> dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
> dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
> dnl #
> dnl # For this to work your OpenSSL certificates must be configured.
> dnl #
> dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
> dnl #
> dnl # The following causes sendmail to additionally listen on the IPv6 loopback
> dnl # device. Remove the loopback address restriction listen to the network.
> dnl #
> dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
> dnl #
> dnl # enable both ipv6 and ipv4 in sendmail:
> dnl #
> dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
> dnl #
> dnl # We strongly recommend not accepting unresolvable domains if you want to
> dnl # protect yourself from spam. However, the laptop and users on computers
> dnl # that do not have 24x7 DNS do need this.
> dnl #
> FEATURE(`accept_unresolvable_domains')dnl
> dnl #
> dnl FEATURE(`relay_based_on_MX')dnl
> dnl #
> dnl # Also accept email sent to "localhost.localdomain" as local email.
> dnl #
> LOCAL_DOMAIN(`localhost.localdomain')dnl
> dnl #
> dnl # The following example makes mail from this host and any additional
> dnl # specified domains appear to be sent from mydomain.com
> dnl #
> dnl MASQUERADE_AS(`openenterprise.ca')dnl
> dnl #
> dnl # masquerade not just the headers, but the envelope as well
> dnl #
> dnl FEATURE(masquerade_envelope)dnl
> dnl #
> dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
> dnl #
> dnl FEATURE(masquerade_entire_domain)dnl
> dnl #
> dnl MASQUERADE_DOMAIN(localhost)dnl
> dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
> dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
> dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
> dnl # START ADDED BY JPS FROM http://www.leap-cf.org/presentations/MailScanner/MailScanner.html
> define(`confDOUBLE_BOUNCE_ADDRESS', `')dnl
> dnl #
> define(`confBAD_RCPT_THROTTLE', `1')dnl
> dnl #
> define(`confCONNECTION_RATE_THROTTLE', `100')dnl
> dnl #
> define(`confMAX_DAEMON_CHILDREN', `500')dnl
> dnl #
> define(`confQUEUE_LA', `5')dnl
> define(`confREFUSE_LA', `10')dnl
> dnl #
> define(`confTO_ICONNECT', `15s')dnl
> define(`confTO_CONNECT', `3m')dnl
> define(`confTO_HELO', `2m')dnl
> define(`confTO_MAIL', `1m')dnl
> define(`confTO_RCPT', `1m')dnl
> define(`confTO_DATAINIT', `1m')dnl
> define(`confTO_DATABLOCK', `1m')dnl
> define(`confTO_DATAFINAL', `1m')dnl
> define(`confTO_RSET', `1m')dnl
> define(`confTO_QUIT', `1m')dnl
> define(`confTO_MISC', `1m')dnl
> define(`confTO_COMMAND', `1m')dnl
> define(`confTO_STARTTLS', `2m')dnl
> dnl #
> FEATURE(access_db)dnl
> FEATURE(`greet_pause',10000)
> dnl #
> dnl #
> dnl# FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} " found in dnsbl.sorbs.net"')dnl
> dnl# FEATURE(`dnsbl', `dnsbl.njabl.org', `"554 Rejected " $&{client_addr} " - see http://dnsbl.njabl.org/method.html"')dnl
> dnl# FEATURE(`dnsbl', `bl.spamcop.net', `"554 Rejected " $&{client_addr} " found in bl.spamcop.net"')dnl
> dnl# FEATURE(`dnsbl', `chinanet.blackholes.us', `"554 Rejected " $&{client_addr} " found in chinanet.blackholes.us"')dnl
> dnl# FEATURE(`dnsbl',`zen.spamhaus.org', `"554 Rejected " $&{client_addr} " - see http://www.spamhaus.org/SBL/"')dnl
> DAEMON_OPTIONS(`Addr=192.168.10.2')dnl
> dnl # END ADDED BY JPS FROM http://www.leap-cf.org/presentations/MailScanner/MailScanner.html
> MAILER(smtp)dnl
> MAILER(procmail)dnl
> dnl MAILER(cyrusv2)dnl
> define(`confMILTER_MACROS_HELO', confMILTER_MACROS_HELO`, {verify}')dnl

The above line needs to be commented out (or removed), unless you're using a fairly outdated version of sendmail. This is where the documentation is outdated.

dnl define(`confMILTER_MACROS_HELO', confMILTER_MACROS_HELO`, {verify}')dnl

> INPUT_MAIL_FILTER(`smf-sav', `S=unix:/var/run/smfs/smf-sav.sock, T=S:30s;R:4m')dnl
>
>
> smf-sav.conf:
>
> # /etc/mail/smfs/smf-sav.conf
> #
> # smf-sav configuration file v1.4.0 (it's read at start)
> #
>
> # Whitelist by a sender IP address
> #
> # The syntax is an IP address followed by a slash
> # and a CIDR netmask (if the netmask is omitted, /32 is assumed)
> #
> WhitelistIP 127.0.0.0/8
> WhitelistIP 10.0.0.0/8
> WhitelistIP 172.16.0.0/12
> WhitelistIP 192.168.0.0/16
>
> # Whitelist by a sender PTR (reverse DNS) record
> #
> # Performs a case insensitive substring match
> #
> #WhitelistPTR .friendlydomain.tld
> #WhitelistPTR friendlyhost.friendlydomain.tld
>
> # Whitelist by an envelope sender e-Mail address
> #
> # Performs a case insensitive substring match
> #
> #WhitelistFrom friend@
> #WhitelistFrom @friendlydomain.tld
> #WhitelistFrom friend@friendlydomain.tld
>
> # Whitelist by an envelope recipient e-Mail address
> #
> # Performs a case insensitive substring match
> #
> #WhitelistTo postmaster@
> #WhitelistTo abuse@
> #WhitelistTo spamlover@yourdomain.tld
> #WhitelistTo @yourspamloverdomain.tld
>
> # FQDN of the publicly visible IP address of the interface
> # of an outgoing connection of your Sendmail daemon
> # It will be used with the SMTP HELO command for SAV and RAV
> #
> PublicName johnnystork.ca # it *MUST* be corrected properly

PublicName should be the FQDN of the box smf-sav is running on, e.g.
smpthost.johnnystork.ca

>
> # Any valid e-Mail address of your local domain for the safe call-out purposes
> #
> SafeCallBack stork@johnnystork.ca # it *MUST* be corrected properly
>
> # Sender e-Mail Address Verification
> #
> # Default: on
> #
> #SAV on # (on|off)
>
> # Ignore tempfailed results of SAV
> #
> # Default: off
> #
> #IgnoreTempFail off # (on|off)
>
> # Refuse e-Mail messages from systems that don't accept the null reverse-path <>
> #
> # Default: off
> #
> #BlockIgnorants off # (on|off)
>
> # Recipient e-Mail Address Verification
> #
> # Primary authoritative e-Mail store hostname (IP address) or
> # the hostname (IP address) associated with the interface
> # of an incoming connection of your Sendmail daemon
> # In most cases it will be equal to the PublicName value
> # Do not set to 'localhost' or 127.0.0.1
> #
>
> MailStore johnnystork.ca # uncomment and set it properly

This also should be a FQDN, e.g. scalixhost.johnnystork.ca

>
> # In-memory cache engine TTL settings
> #
> # The time is given in seconds, except if a unit is given:
> # m for minutes, h for hours, and d for days
> # Specify zero to disable caching of particular items
> #
> # Defaults:
> #
> #FromPassTTL 1d # senders that successfully pass the MX callback test
> #
> #FromTFailTTL 5m # senders that pass the MX callback test with tempfail results
> #
> #FromFailTTL 1h # senders that did not successfully pass the MX callback test
> #
> #ToPassTTL 1h # recipients that successfully pass the call ahead test
> #
> #ToTFailTTL 5m # recipients that pass the call ahead test with tempfail results
> #
> #ToFailTTL 1h # recipients that did not successfully pass the call ahead test
>
> # Run as a selected user (smf-sav must be started by root)
> #
> # Default: smfs
> #
> #User smfs
>
> # Socket used to communicate with a Sendmail daemon
> #
> # Default: unix:/var/run/smfs/smf-sav.sock
> #
> #Socket unix:/var/run/smfs/smf-sav.sock
>
> # Facility for logging via a Syslog daemon
> #
> # Default: mail
> #
> #Syslog mail # (daemon|mail|local0...local7)
>

Make the suggested changes and let us know how it behaves.

Brendan

From steve.freegard at fsl.com Thu Apr 3 17:30:53 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Thu Apr 3 17:32:49 2008
Subject: perl with threading enabled: bad?
In-Reply-To: <47F4FD93.5010001@aacrao.org>
References: <47F4FD93.5010001@aacrao.org>
Message-ID: <47F5063D.3010702@fsl.com>

Ryan Bingham wrote:
> Hi All,
>
> I checked the archives but couldn't find the answer to this question, so
> I apologize if it has been previously addressed.
>
> We recently upgraded from MailScanner 4.56.8 to 4.68.8. Everything went
> well and we're not experiencing any problems, but I did have a question
> about a comment Julian makes during the install script. At one point it
> says:
>
> *** You are using a perl configured with threading enabled.
> *** You should be aware that using multiple threads is
> *** not recommended for production environments.
>
>
> We are running perl v5.8.8 on CentOS 5.1 and threading is enabled (we
> see "usethreads=define" when we run perl -V). Is this bad? Is there a
> way to turn it off?

That message comes from the DBI module when it is being built. You can safely ignore it. Neither MailScanner nor SA use threads.

Cheers,
Steve.

From dave.list at pixelhammer.com Thu Apr 3 17:35:20 2008
From: dave.list at pixelhammer.com (DAve)
Date: Thu Apr 3 17:36:06 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <47F4E3A3.5040607@pixelhammer.com>
References: <47F3CD9F.7070406@pixelhammer.com> <47F3E5CF.7080505@farrows.org> <47F3F231.7050008@pixelhammer.com> <47F406D5.2020004@farrows.org> <47F42DF8.9080801@pixelhammer.com> <47F4913F.7040100@ecs.soton.ac.uk> <47F4C32C.5050200@pixelhammer.com> <47F4D8E6.3050303@ecs.soton.ac.uk> <47F4E3A3.5040607@pixelhammer.com>
Message-ID: <47F50748.1080100@pixelhammer.com>

DAve wrote:
> Julian Field wrote:
>> Max Unscanned Bytes Per Scan = 100m
>> Max Unsafe Bytes Per Scan = 50m
>> Max Unscanned Messages Per Scan = 30
>> Max Unsafe Messages Per Scan = 30
>
> I thought so, but my setting is unchanged from the default on the old
> and the new installs. Which is why I doubted my understanding of the
> option.

I've changed that setting to

Max Unscanned Messages Per Scan = 10
Max Unsafe Messages Per Scan = 10

this has reduced scan time a bit more. It seems more children scanning small batches is faster than fewer children scanning large batches. I've no idea if that is relevant to anyone else's mail but mine.

>
> At this point, 10:00am, we have survived the morning rush of email with
> no obvious issues and mail is flowing nicely. My largest number of
> waiting messages has been 120 (yesterday it was 2k at this time, 4k by
> noon).
>

Julian, in the spam.assassin.prefs.conf file you include the rules for URIBL_BLACK and URIBL_GREY. The rules for SpamAssassin 3.2.X includes those rules now.

http://spamassassin.apache.org/tests_3_2_x.html

Might want to remove them or add a note that they do not need uncommented unless you are running SpamAssassin 3.1.X or earlier.

I had them uncommented, shame on me for not checking the SA change log better than I did.

DAve

--
In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins.

From maillists at conactive.com Thu Apr 3 18:51:09 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Thu Apr 3 18:52:03 2008
Subject: SA times out
In-Reply-To:
References: <47F39721.3000603@ecs.soton.ac.uk>
Message-ID:

Kai Schaetzl wrote on Wed, 02 Apr 2008 21:33:36 +0200:

I found out later that the message actually scanned was not the one I wanted to scan but the SA default message that is used on start up. The long wait at dbg: bayes: untie-ing simply is MS waiting for the real message. However, this doesn't change anything in this respect:

> [15949] dbg: config: using "/usr/share/spamassassin" for sys rules pre files
> [15949] dbg: config: using "/usr/share/spamassassin" for default rules dir
> [15949] dbg: config: read file /usr/share/spamassassin/10_default_prefs.cf

SA run under MS uses the wrong config directories. This seems to result in a much longer time for processing the rules. Maybe there is more. There are different hits than for the command-line SA and it takes *much* longer in the body scan phase. So, it eventually times out under MS.

I can't see a reason why this might happen. SA is identified as

dbg: generic: SpamAssassin version 3.2.4

I compared the Mail/Spamassassin in /usr/lib/perl5/site_perl/5.8.8/Mail with the one built by the source and they are identical except for dates (it seems the Perl upgrade process replaces an existing file only when it got changed, otherwise it keeps the existing file with the old date). I have some more, very old perl directories with different names in /usr/lib. However, if any of these would get used for a very obscure reason then it couldn't report 3.2.4 as the SA version. Anyway, I set all permissions to access these directories to 0, no change.

What's wrong here, Jules? Could this be a problem with this somewhat old version of MS? (4.54.6)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From william at raidbr.com.br Thu Apr 3 20:40:22 2008
From: william at raidbr.com.br (William A. Knob)
Date: Thu Apr 3 20:38:10 2008
Subject: MailScanner with postfix-gld
Message-ID: <47F532A6.9040501@raidbr.com.br>

Hi,

Anyone has using MailScanner with postfix-gld (greylist daemon) ?

Regards,

--
*William A. Knob - Development Division*
Raidbr Soluções em Informática Ltda.
Rua José Albino Reuse, 1125. Cinquentenário.
Caxias do Sul - RS
Phone/Fax: (54) 3223.7074
Visit our website: www.raidbr.com.br

From TGFurnish at herffjones.com Thu Apr 3 21:04:49 2008
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Thu Apr 3 21:05:30 2008
Subject: detect executables embedded inside MS Office documents?
Message-ID: <57573D714A832C43B9D80EAFBDA48D030A03EC01@inex3.herffjones.hj-int>

Anyone know a way to get MailScanner/SA to detect executables embedded within Microsoft Office documents?

We've had a word file come in with a .scr file embedded inside, wasn't detected by antivirus, but was definitely malware. Would love to be able to block files embedded into office docs based on file extension / file type.

Didn't even know it was possible to do that (embed an executable inside a word file) until today.

--
Trever Furnish, tgfurnish@herffjones.com
Herff Jones, Inc. Unix / Network Administrator
Phone: 317.612.3519

Any sufficiently advanced technology is indistinguishable from Unix.

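One way to approach the question above, as an added example (not part of the original post, and not MailScanner or SpamAssassin code): a heuristic scanner that looks inside an Office file for PE headers and for OLE Package file names with blocked extensions, recursing into OOXML (zip) members. The extension list, function names and sample bytes are constructed for illustration; a raw byte scan can miss payloads that are fragmented across OLE sectors, compressed or encrypted.

```python
import io
import re
import struct
import zipfile

# Extensions to flag (constructed list; adjust to local policy).
RISKY_EXT = ("scr", "exe", "pif", "com", "bat", "cmd", "vbs", "js")
# OLE "Package" objects keep the original file name as a NUL-terminated ANSI string.
NAME_RE = re.compile(
    rb"([\x20-\x7e]{1,120}\.(?:" + "|".join(RISKY_EXT).encode() + rb"))\x00", re.I)
MAX_MEMBER = 32 * 1024 * 1024  # do not inflate very large zip members


def pe_offsets(blob):
    """Offsets of MZ headers whose e_lfanew field points at a PE signature."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            sig = blob[pos + e_lfanew:pos + e_lfanew + 4]
            if 0x40 <= e_lfanew <= 0x1000 and sig == b"PE\x00\x00":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def risky_names(blob):
    """Base names with a flagged extension found as NUL-terminated strings."""
    names = set()
    for match in NAME_RE.finditer(blob):
        path = match.group(1).decode("latin-1")
        names.add(re.split(r"[\\/]", path)[-1])
    return sorted(names)


def scan_blob(blob, where):
    found = [(where, "pe-header", hex(off)) for off in pe_offsets(blob)]
    found += [(where, "risky-name", name) for name in risky_names(blob)]
    return found


def scan_office(data, where="document", depth=0):
    """Scan a legacy OLE file as raw bytes, or each member of an OOXML zip."""
    if data[:4] != b"PK\x03\x04" or depth > 2:
        return scan_blob(data, where)
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                loc = f"{where}!{info.filename}"
                if info.file_size > MAX_MEMBER:
                    found.append((loc, "oversize-member", str(info.file_size)))
                    continue
                if info.filename.rsplit(".", 1)[-1].lower() in RISKY_EXT:
                    found.append((loc, "risky-member", info.filename))
                found += scan_office(zf.read(info), loc, depth + 1)
    except (zipfile.BadZipFile, RuntimeError):  # corrupt or encrypted archive
        found += scan_blob(data, where)
    return found


def _fake_pe():
    """Constructed 132-byte stub: MZ magic, e_lfanew=0x80, PE signature. Not runnable."""
    pe = bytearray(0x84)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)
    pe[0x80:0x84] = b"PE\x00\x00"
    return bytes(pe)


def make_samples():
    """Constructed inputs: a clean docx, a docx with an embedded object, a legacy doc."""
    ole = (bytes.fromhex("d0cf11e0a1b11ae1") + bytes(504)
           + b"\x02\x00invoice.scr\x00C:\\temp\\invoice.scr\x00" + bytes(8) + _fake_pe())

    def docx(extra):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("word/document.xml", "<w:document/>")
            for name, body in extra.items():
                zf.writestr(name, body)
        return buf.getvalue()

    return {"clean.docx": docx({}),
            "dropper.docx": docx({"word/embeddings/oleObject1.bin": ole}),
            "legacy.doc": ole}


if __name__ == "__main__":
    for name, data in make_samples().items():
        print(name, scan_office(data, name) or "nothing found")
```
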
From MailScanner at ecs.soton.ac.uk Thu Apr 3 21:17:27 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Apr 3 21:18:16 2008
Subject: MailScanner ignoring some rules
In-Reply-To:
References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> <47F46B28.2050507@vanderkooij.org>
Message-ID: <47F53B57.1070307@ecs.soton.ac.uk>

I have just done a thorough test of a %rules-dir%/scan.messages.rules with 4 combinations:

FromOrTo: ntl.com no
FromOrTo: default yes

FromOrTo: soton.ac.uk no
FromOrTo: default yes

FromOrTo: ecs.soton.ac.uk no
FromOrTo: default yes

FromOrTo: jkf@soton.ac.uk no
FromOrTo: default yes

with 2 messages. 1st from ntl@ntl.com to jkf@soton.ac.uk, 2nd from jkf@ecs.soton.ac.uk to root@ecs.soton.ac.uk.

In all combinations, it worked exactly as expected.

What I would like you to do is show me the output of the following 5 commands:

ls -lu /etc/MailScanner/rules/scan.messages.rules
sleep 60
MailScanner --value=scanmessages --from=marketing@silmaq.com.br --to=root@localhost
MailScanner --value=scanmessages --from=root@localhost --to=marketing@silmaq.com.br
ls -lu /etc/MailScanner/rules/scan.messages.rules

Just cut and paste the whole block into your terminal window. It will take just over a minute to run. Cut and paste *all* the output into a reply to this message.

The 'sleep 60' is to force the MailScanner commands into the next minute on the clock. The "ls" commands will show the "last accessed" date stamp on rules file. If the rules file is being read at all, the 2nd ls will print a different date and/or time than the 1st ls. If it is not being read for some reason, the 2 ls commands will print the same date and time.

Then we'll be able to see what is going wrong with your setup.

Best regards,
Jules.

TecnoWay Digital wrote:
> For example: %rules-dir%/scan.messages.rules then content of
> scan.messages.rules file is:
>
> FromOrTo: marketing@silmaq.com.br no
> FromOrTo: default yes
>
>
> On a server with mailscanner-4.46.2-2 (the rule works)
>
> but another server with mailscanner-4.68.8-1 the rule doesn't work
> the mailbox marketing@silmaq.com.br continue has still being processed by
> mailscanner.
>
> To certify that using the correct MailScanner.conf after upgrade, I'd
> put a wrong set
> example "Sca Messages" and MailScanner report syntax error.
>
>
> Best Regards
>
> ----- Original Message ----- From: "Hugo van der Kooij"
>
> To: "MailScanner discussion"
> Sent: Thursday, April 03, 2008 2:29 AM
> Subject: Re: MailScanner ignoring some rules
>
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> mailscanner@tecnowaydigital.com.br wrote:
>>
>> | At MailScanner recent versions, when I set some rules like:
>> | Scan Messages = /etc/MailScanner/rules/scan.messages.rules
>> | or
>> | Filename Rules = /etc/MailScanner/filename.rules
>> |
>> | The MailScanner simply ignore the rules and don't print any error
>> message.
>>
>> Since you did not include anything about the rules you have there we
>> must assume MS is right and your rules are wrong. In what way we can not
>> tell you by lack of any information.
>>
>> Hugo.
>>
>> - --
>> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
>> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>>
>> A: Yes.
>> >Q: Are you sure?
>> >>A: Because it reverses the logical flow of conversation.
>> >>>Q: Why is top posting frowned upon?
>>
>> Bored? Click on http://spamornot.org/ and rate those images.
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.7 (GNU/Linux)
>>
>> iD8DBQFH9GslBvzDRVjxmYERAiOiAKCcKHWSpoYBUC+M2k0uPSEhertCnACfQEa+
>> KnYl0Qt9kzlzy4m99EgvKhU=
>> =LsQL
>> -----END PGP SIGNATURE-----
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Thu Apr 3 21:21:01 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Apr 3 21:21:30 2008
Subject: File Type Check Problem
In-Reply-To: <224FA7E11EA39E45843E11CEBBD3A36F8E0C23@HOUPEX01.nfsmith.info>
References: <224FA7E11EA39E45843E11CEBBD3A36F8E0C23@HOUPEX01.nfsmith.info>
Message-ID: <47F53C2D.5090207@ecs.soton.ac.uk>

Mike Kercher wrote:
> I've been searching and haven't found a resolution for this yet.
>
> Periodically, we get emails with attachments coming through that are not
> being detected properly. MailScanner reports:
>
> MailScanner: No programs allowed (msg-10410-101.txt)
>

This is being caught by the filetype trap.

> If I go look at the quarantined email in MailWatch and download the
> attachment, it is a PDF.

That may be what the filename says, but what does the "file" command report?

> There was talk of the file -i command switch.
> Is this something that needs to be set in MailScanner.conf?
>

No, just read the latest filetype.rules.conf and filename.rules.conf files, the comments at the top of each file tell you how to use it. There is also an example line in filetype.rules.conf for you to copy.

> TIA
>
> Mike
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ugob at lubik.ca Thu Apr 3 21:22:33 2008
From: ugob at lubik.ca (Ugo Bellavance)
Date: Thu Apr 3 21:23:52 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <47F3CD9F.7070406@pixelhammer.com>
References: <47F3CD9F.7070406@pixelhammer.com>
Message-ID:

DAve wrote:
>
> bash-2.05b# ./MailScanner --debug --debug-sa
> In Debugging mode, not forking...
> Trying to setlogsock(unix)
>
>
> *****
> If 'awk' (with support for the function strftime) was
> available on your $PATH then all the SpamAssassin debug
> output would have the current time added to the start of
> every line, making debugging far easier.
> *****

You should install awk and this way you'll see timestamps in the debug output, revealing what is taking so much time.

Ugo

From mkercher at nfsmith.com Thu Apr 3 21:46:30 2008
From: mkercher at nfsmith.com (Mike Kercher)
Date: Thu Apr 3 21:47:29 2008
Subject: File Type Check Problem
In-Reply-To: <47F53C2D.5090207@ecs.soton.ac.uk>
References: <224FA7E11EA39E45843E11CEBBD3A36F8E0C23@HOUPEX01.nfsmith.info> <47F53C2D.5090207@ecs.soton.ac.uk>
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36F8E0D27@HOUPEX01.nfsmith.info>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field
Sent: Thursday, April 03, 2008 3:21 PM
To: MailScanner discussion
Subject: Re: File Type Check Problem

Mike Kercher wrote:
> I've been searching and haven't found a resolution for this yet.
>
> Periodically, we get emails with attachments coming through that are
> not being detected properly. MailScanner reports:
>
> MailScanner: No programs allowed (msg-10410-101.txt)
>
This is being caught by the filetype trap.
> If I go look at the quarantined email in MailWatch and download the
> attachment, it is a PDF.
That may be what the filename says, but what does the "file" command report?
> There was talk of the file -i command switch.
> Is this something that needs to be set in MailScanner.conf?
>
No, just read the latest filetype.rules.conf and filename.rules.conf files, the comments at the top of each file tell you how to use it. There is also an example line in filetype.rules.conf for you to copy.
> TIA
>
> Mike
>
Jules

--

Jules,

Running file against the message yields the following:

[root@HOUPMS02 m334jSTE009852]# file message
message: smtp mail text
[root@HOUPMS02 m334jSTE009852]# file -i message
message: message/rfc822\011

Not quite sure what changing the filetype.rules.conf would do for me here.

Thanks!

Mike

From dave.list at pixelhammer.com Thu Apr 3 22:09:10 2008
From: dave.list at pixelhammer.com (DAve)
Date: Thu Apr 3 22:09:55 2008
Subject: New MS install is slow to an extreme
In-Reply-To:
References: <47F3CD9F.7070406@pixelhammer.com>
Message-ID: <47F54776.6080002@pixelhammer.com>

Ugo Bellavance wrote:
> DAve wrote:
>
>>
>> bash-2.05b# ./MailScanner --debug --debug-sa
>> In Debugging mode, not forking...
>> Trying to setlogsock(unix)
>>
>>
>> *****
>> If 'awk' (with support for the function strftime) was
>> available on your $PATH then all the SpamAssassin debug
>> output would have the current time added to the start of
>> every line, making debugging far easier.
>> *****
>
> You should install awk and this way you'll see timestamps in the debug
> output, revealing what is taking so much time.

awk is installed in /usr/bin, but this version doesn't support strftime, I'll need to install gawk for that. No idea why they don't check awk capabilities during install, most anything else I install tells me I need GNU awk if the app requires it.

Since this machine is MS only, I've installed nothing else on it, so nothing required GNU awk. Sendmail compiled fine with awk vs gawk.

DAve

--
In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins.

From gerard at seibercom.net Thu Apr 3 22:12:04 2008
From: gerard at seibercom.net (Gerard)
Date: Thu Apr 3 22:13:03 2008
Subject: MailScanner with postfix-gld
In-Reply-To: <47F532A6.9040501@raidbr.com.br>
References: <47F532A6.9040501@raidbr.com.br>
Message-ID: <20080403171204.115d8111@scorpio>

On Thu, 03 Apr 2008 16:40:22 -0300
"William A. Knob" wrote:

> Anyone has using MailScanner with postfix-gld (greylist daemon) ?

Is there a specific reason that you are inquiring, or are you compiling a statistical record of some sort?

If it is the former, I would suggest that you clearly state what your problem is, show detailed log and configuration file data and what if any steps you have already taken to alleviate the situation.

If you simply desire information on how to configure for such a setup, simply ask, stating the versions of Postfix, etc. as well as possibly your OS.

--
Gerard
gerard@seibercom.net

If you think before you speak the other guy gets his joke in first.

From MailScanner at ecs.soton.ac.uk Thu Apr 3 22:14:38 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Thu Apr 3 22:15:45 2008
Subject: File Type Check Problem
In-Reply-To: <224FA7E11EA39E45843E11CEBBD3A36F8E0D27@HOUPEX01.nfsmith.info>
References: <224FA7E11EA39E45843E11CEBBD3A36F8E0C23@HOUPEX01.nfsmith.info> <47F53C2D.5090207@ecs.soton.ac.uk> <224FA7E11EA39E45843E11CEBBD3A36F8E0D27@HOUPEX01.nfsmith.info>
Message-ID: <47F548BE.8030804@ecs.soton.ac.uk>

Mike Kercher wrote:
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian
> Field
> Sent: Thursday, April 03, 2008 3:21 PM
> To: MailScanner discussion
> Subject: Re: File Type Check Problem
>
>
>
> Mike Kercher wrote:
>
>> I've been searching and haven't found a resolution for this yet.
>>
>> Periodically, we get emails with attachments coming through that are
>> not being detected properly. MailScanner reports:
>>
>> MailScanner: No programs allowed (msg-10410-101.txt)
>>
>>
> This is being caught by the filetype trap.
>
>> If I go look at the quarantined email in MailWatch and download the
>> attachment, it is a PDF.
>>
> That may be what the filename says, but what does the "file" command
> report?
>
>> There was talk of the file -i command switch.
>> Is this something that needs to be set in MailScanner.conf?
>>
>>
> No, just read the latest filetype.rules.conf and filename.rules.conf
> files, the comments at the top of each file tell you how to use it.
> There is also an example line in filetype.rules.conf for you to copy.
>
>
>> TIA
>>
>> Mike
>>
>>
>
> Jules
>
> --
>
> Jules,
>
> Running file against the message yields the following:
>
> [root@HOUPMS02 m334jSTE009852]# file message
> message: smtp mail text
> [root@HOUPMS02 m334jSTE009852]# file -i message
> message: message/rfc822\011
>
> Not quite sure what changing the filetype.rules.conf would do for me
> here.
>

No! I meant you to run the "file" command on the attachment, not the message! :-(
Funnily enough, when you run it on the message it says it's a message :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

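The check asked for above, as an added example (not MailScanner code and not from the thread): each attachment is pulled out of the raw message and typed by its leading bytes, then matched first-hit against a deny/allow list, which shows how a part with a harmless-looking name can still be reported as a program while the message as a whole is just mail text. The signature table, rule list, function names and sample message are constructed; they stand in for file(1) and a filetype ruleset and are not the shipped filetype.rules.conf.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Leading-byte signatures: a small constructed stand-in for what file(1) reports.
SIGNATURES = [
    (b"%PDF-", "PDF document"),
    (b"MZ", "MS-DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"#!", "script text executable"),
    (b"PK\x03\x04", "Zip archive data"),
]

# Constructed first-match rules: (action, regex on the type description, report).
RULES = [
    ("deny", r"executable", "No programs allowed"),
    ("allow", r".*", ""),
]


def describe(payload):
    """Type description taken from the content, never from the file name."""
    for magic, label in SIGNATURES:
        if payload.startswith(magic):
            return label
    try:
        payload.decode("ascii")
        return "ASCII text"
    except UnicodeDecodeError:
        return "data"


def verdict(description):
    """First matching rule wins (assumed ordering semantics for this example)."""
    for action, pattern, report in RULES:
        if re.search(pattern, description, re.I):
            return action, report
    return "allow", ""


def check_attachments(raw):
    """Return (filename, declared type, sniffed type, action, report) per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    rows = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        desc = describe(payload)
        rows.append((part.get_filename(), part.get_content_type(), desc) + verdict(desc))
    return rows


def make_sample():
    """Constructed message: a real PDF header, and a .txt part that is a shell script."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4\n% constructed\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"#!/bin/sh\necho hello\n", maintype="text",
                       subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = make_sample()
    print("whole message:", describe(raw))
    for row in check_attachments(raw):
        print(row)
```
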
From mailscanner at tecnowaydigital.com.br Fri Apr 4 01:49:16 2008 From: mailscanner at tecnowaydigital.com.br (TecnoWay Digital) Date: Fri Apr 4 01:50:55 2008 Subject: MailScanner ignoring some rules In-Reply-To: <47F53B57.1070307@ecs.soton.ac.uk> References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> <47F46B28.2050507@vanderkooij.org> <47F53B57.1070307@ecs.soton.ac.uk> Message-ID: <8F1DE832AFD34082A4D0CB25E4E7D7E7@TWDNB03> [root@firewall.silmaq.com.br ~]# ls -lu /etc/MailScanner/rules/scan.messages.rules -rwxrwxrwx 1 root root 76 2008-04-03 21:38 /etc/MailScanner/rules/scan.messages.rules [root@firewall.silmaq.com.br ~]# sleep 60 MailScanner --value=scanmessages --from=marketing@silmaq.com.br --to=root@localhost MailScanner --value=scanmessages --from=root@localhost --to=marketing@silmaq.com.br ls -lu /etc/MailScanner/rules/scan.messages.rules [root@firewall.silmaq.com.br ~]# MailScanner --value=scanmessages --from=marketing@silmaq.com.br --to=root@localhost Looked up internal option name "scanmail" With sender = marketing@silmaq.com.br recipient = root@localhost Client IP = Virus = Result is "0" 0=No 1=Yes [root@firewall.silmaq.com.br ~]# MailScanner --value=scanmessages --from=root@localhost --to=marketing@silmaq.com.br Looked up internal option name "scanmail" With sender = root@localhost recipient = marketing@silmaq.com.br Client IP = Virus = Result is "0" 0=No 1=Yes [root@firewall.silmaq.com.br ~]# ls -lu /etc/MailScanner/rules/scan.messages.rules -rwxrwxrwx 1 root root 76 2008-04-03 21:38 /etc/MailScanner/rules/scan.messages.rules [root@firewall.silmaq.com.br ~]# ----- Original Message ----- From: "Julian Field" To: "MailScanner discussion" Sent: Thursday, April 03, 2008 5:17 PM Subject: Re: MailScanner ignoring some rules >I have just done a thorough test of a %rules-dir%/scan.messages.rules with >4 combinations: > > FromOrTo: ntl.com no > FromOrTo: default yes > > FromOrTo: soton.ac.uk no > FromOrTo: default yes > > FromOrTo: 
ecs.soton.ac.uk no > FromOrTo: default yes > > FromOrTo: jkf@soton.ac.uk no > FromOrTo: default yes > > with 2 messages. 1st from ntl@ntl.com to jkf@soton.ac.uk, 2nd from > jkf@ecs.soton.ac.uk to root@ecs.soton.ac.uk. > > In all combinations, it worked exactly as expected. > > What I would like you to do is show me the output of the following 5 > commands: > > ls -lu /etc/MailScanner/rules/scan.messages.rules > sleep 60 > MailScanner --value=scanmessages --from=marketing@silmaq.com.br --to=root@localhost > MailScanner --value=scanmessages --from=root@localhost --to=marketing@silmaq.com.br > ls -lu /etc/MailScanner/rules/scan.messages.rules > > Just cut and paste the whole block into your terminal window. It will take > just over a minute to run. Cut and paste *all* the output into a reply to > this message. > > The 'sleep 60' is to force the MailScanner commands into the next minute > on the clock. The "ls" commands will show the "last accessed" date stamp > on rules file. If the rules file is being read at all, the 2nd ls will > print a different date and/or time than the 1st ls. If it is not being > read for some reason, the 2 ls commands will print the same date and time. > > Then we'll be able to see what is going wrong with your setup. > > Best regards, > Jules. > > TecnoWay Digital wrote: >> For example: %rules-dir%/scan.messages.rules then content of >> scan.messages.rules file is: >> >> FromOrTo: marketing@silmaq.com.br no >> FromOrTo: default yes >> >> >> On a server with mailscanner-4.46.2-2 (the rule works) >> >> but another server with mailscanner-4.68.8-1 the rule doesn't work >> the mailbox marketing@silmaq.com.br continue has still being processed by >> mailscanner. >> >> To certify that using the correct MailScanner.conf after upgrade, I'd put >> a wrong set >> example "Sca Messages" and MailScanner report syntax error. 
>> >> >> Best Regards >> >> ----- Original Message ----- From: "Hugo van der Kooij" >> >> To: "MailScanner discussion" >> Sent: Thursday, April 03, 2008 2:29 AM >> Subject: Re: MailScanner ignoring some rules >> >> >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> mailscanner@tecnowaydigital.com.br wrote: >>> >>> | At MailScanner recent versions, when I set some rules like: >>> | Scan Messages = /etc/MailScanner/rules/scan.messages.rules >>> | or >>> | Filename Rules = /etc/MailScanner/filename.rules >>> | >>> | The MailScanner simply ignore the rules and don't print any error >>> message. >>> >>> Since you did not include anything about the rules you have there we >>> must assume MS is right and your rules are wrong. In what way we can not >>> tell you by lack of any information. >>> >>> Hugo. >>> >>> - -- >>> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ >>> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc >>> >>> A: Yes. >>> >Q: Are you sure? >>> >>A: Because it reverses the logical flow of conversation. >>> >>>Q: Why is top posting frowned upon? >>> >>> Bored? Click on http://spamornot.org/ and rate those images. >>> >>> -----BEGIN PGP SIGNATURE----- >>> Version: GnuPG v1.4.7 (GNU/Linux) >>> >>> iD8DBQFH9GslBvzDRVjxmYERAiOiAKCcKHWSpoYBUC+M2k0uPSEhertCnACfQEa+ >>> KnYl0Qt9kzlzy4m99EgvKhU= >>> =LsQL >>> -----END PGP SIGNATURE----- >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! >> > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website!
From mailscanner at tecnowaydigital.com.br Fri Apr 4 01:59:41 2008 From: mailscanner at tecnowaydigital.com.br (TecnoWay Digital) Date: Fri Apr 4 02:00:49 2008 Subject: MailScanner ignoring some rules In-Reply-To: <47F53B57.1070307@ecs.soton.ac.uk> References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> <47F46B28.2050507@vanderkooij.org> <47F53B57.1070307@ecs.soton.ac.uk> Message-ID: <6FDE866AAB924CC68FC64A2B0E04BBBB@TWDNB03> Julian, another information about my server. I'm using mailwatch too. If the mailbox marketing@silmaq.com.br is not set to be scanned, why it continue been logged to mailWatch SQL ? I imagine the "MailWatch.pm" is called from MailScanner to log only scanned messages. Thanks Rogério
From glenn.steen at gmail.com Fri Apr 4 08:57:21 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Apr 4 08:57:56 2008 Subject: SA times out In-Reply-To: References: <47F39721.3000603@ecs.soton.ac.uk> Message-ID: <223f97700804040057j39668387sad309a47257d7722@mail.gmail.com> On 03/04/2008, Kai Schaetzl wrote: > Kai Schaetzl wrote on Wed, 02 Apr 2008 21:33:36 +0200: > > I found out later that the message actually scanned was not the one I wanted > to scan but the SA default message that is used on start up. The long wait at > dbg: bayes: untie-ing simply is MS waiting for the real message. > > However, this doesn't change anything in this respect: > > > > [15949] dbg: config: using "/usr/share/spamassassin" for sys rules pre > > files > > [15949] dbg: config: using "/usr/share/spamassassin" for default rules dir > > [15949] dbg: config: read file /usr/share/spamassassin/10_default_prefs.cf > > > SA run under MS uses the wrong config directories. This seems to result in a > much longer time for processing the rules. Maybe there is more. There are > different hits than for the command-line SA and it takes *much* longer in the > body scan phase. So, it eventually times out under MS. > > I can't see a reason why this might happen.
SA is identified as > dbg: generic: SpamAssassin version 3.2.4 > I compared the Mail/Spamassassin in /usr/lib/perl5/site_perl/5.8.8/Mail with > the one built by the source and they are identical except for dates (it seems > the Perl upgrade process replaces an existing file only when it got changed, > otherwise it keeps the existing file with the old date). I have some more, > very old perl directories with different names in /usr/lib. However, if any > of these would get used for a very obscure reason then it couldn't report > 3.2.4 as the SA version. Anyway, I set all permissions to access these > directories to 0, no change. Sorry if you already supplied this, but what do you have for the different SA paths in MailScanner.conf? > What's wrong here, Jules? Could this be a problem with this somewhat old > version of MS? (4.54.6) > Might be, there's been a lot of water under the bridge... and all that:-). ISTR there being a rather heated discussion back somewhere there on how to make MS notice the sa-update stuff, leading to some rather bad setups with wrongly specified paths in MailScanner.conf (a modern SA should be able to find these things by itself, no need to "help" it... mostly:-). 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Fri Apr 4 09:09:11 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Apr 4 09:09:46 2008 Subject: MailScanner ignoring some rules In-Reply-To: <8F1DE832AFD34082A4D0CB25E4E7D7E7@TWDNB03> References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> <47F46B28.2050507@vanderkooij.org> <47F53B57.1070307@ecs.soton.ac.uk> <8F1DE832AFD34082A4D0CB25E4E7D7E7@TWDNB03> Message-ID: <223f97700804040109p3a5d97a5w439ef4d77ba879b1@mail.gmail.com> On 04/04/2008, TecnoWay Digital wrote: > [root@firewall.silmaq.com.br ~]# ls -lu > /etc/MailScanner/rules/scan.messages.rules > -rwxrwxrwx 1 root root 76 2008-04-03 21:38 > /etc/MailScanner/rules/scan.messages.rules (snip) > [root@firewall.silmaq.com.br ~]# ls -lu > /etc/MailScanner/rules/scan.messages.rules > -rwxrwxrwx 1 root root 76 2008-04-03 21:38 > /etc/MailScanner/rules/scan.messages.rules So your rule file doesn't get read at all... Have you shown us the snippet of your MailScanner.conf where you use it? Could you do so? Also, have you run a "MailScanner --lint" and shown us that output? Please do...
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From MailScanner at ecs.soton.ac.uk Fri Apr 4 09:20:33 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Apr 4 09:21:20 2008 Subject: MailScanner ignoring some rules In-Reply-To: <8F1DE832AFD34082A4D0CB25E4E7D7E7@TWDNB03> References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> <47F46B28.2050507@vanderkooij.org> <47F53B57.1070307@ecs.soton.ac.uk> <8F1DE832AFD34082A4D0CB25E4E7D7E7@TWDNB03> Message-ID: <47F5E4D1.30800@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 TecnoWay Digital wrote: > [root@firewall.silmaq.com.br ~]# ls -lu > /etc/MailScanner/rules/scan.messages.rules > -rwxrwxrwx 1 root root 76 2008-04-03 21:38 > /etc/MailScanner/rules/scan.messages.rules > [root@firewall.silmaq.com.br ~]# sleep 60 > MailScanner --value=scanmessages --from=marketing@silmaq.com.br > --to=root@localhost > MailScanner --value=scanmessages --from=root@localhost > --to=marketing@silmaq.com.br > ls -lu /etc/MailScanner/rules/scan.messages.rules > [root@firewall.silmaq.com.br ~]# MailScanner --value=scanmessages > --from=marketing@silmaq.com.br --to=root@localhost > Looked up internal option name "scanmail" > With sender = marketing@silmaq.com.br > recipient = root@localhost > Client IP = > Virus = > Result is "0" > > 0=No 1=Yes > [root@firewall.silmaq.com.br ~]# MailScanner --value=scanmessages > --from=root@localhost --to=marketing@silmaq.com.br > Looked up internal option name "scanmail" > With sender = root@localhost > recipient = marketing@silmaq.com.br > Client IP = > Virus = > Result is "0" > > 0=No 1=Yes > [root@firewall.silmaq.com.br ~]# ls -lu > /etc/MailScanner/rules/scan.messages.rules > -rwxrwxrwx 1 root root 76 2008-04-03 21:38 > /etc/MailScanner/rules/scan.messages.rules You have a typo in your MailScanner.conf somewhere. This rules file isn't being read. 
Notice the "last read" date stamp is the same as it was a minute ago. > [root@firewall.silmaq.com.br ~]#
Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.2 (Build 3005) Comment: (pgp-secured) Charset: UTF-8 wj8DBQFH9eTSEfZZRxQVtlQRAlRwAJ48Ta/sWGyvnyiybMsFvMOTQ8xzmgCgr+Rk hUU0BGj7P4lquwBY8e1pM9w= =cSQz -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
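The access-time check used in this thread (ls -lu before and after running MailScanner), written as a reusable script. This is an added example, not part of any post in the thread and not MailScanner code; the function names are hypothetical. It assumes a POSIX shell with GNU or BSD stat, resets the access time to an old date instead of waiting with 'sleep 60', and also flags a world-writable ruleset such as the -rwxrwxrwx file in the pasted output.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not part of MailScanner).

# Access time of FILE in epoch seconds (GNU stat first, BSD stat as fallback).
atime_of() {
    stat -c %X "$1" 2>/dev/null || stat -f %a "$1"
}

# Permission bits of FILE in octal, e.g. 777 or 644.
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Succeeds when the "other" permission digit includes write (2, 3, 6 or 7).
is_world_writable() {
    [ -e "$1" ] || return 2
    mode=$(mode_of "$1") || return 2
    case "${mode#"${mode%?}"}" in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# was_read FILE CMD [ARGS...]
# Succeeds when running CMD moved FILE's access time.
# The access time is first pushed back to a fixed old date (needs ownership
# of FILE or root). That makes the next read visible straight away, also on
# "relatime" mounts, which only refresh an access time that is older than
# the last change. On a "noatime" mount reads never update it, so this
# check always reports "not read" there.
was_read() {
    file=$1; shift
    [ -f "$file" ] || return 2
    touch -a -t 200001010000 "$file" || return 2
    before=$(atime_of "$file")
    "$@" >/dev/null 2>&1 || true
    after=$(atime_of "$file")
    [ "$after" != "$before" ]
}

# audit_ruleset FILE CMD [ARGS...]
# Prints one line per finding; returns 0 only when FILE is not
# world-writable and CMD really read it.
audit_ruleset() {
    target=$1; shift
    status=0
    if is_world_writable "$target"; then
        echo "WARN: $target is world-writable (mode $(mode_of "$target"))"
        status=1
    fi
    if was_read "$target" "$@"; then
        echo "OK: $target was read by: $*"
    else
        echo "FAIL: $target was not read by: $*"
        status=1
    fi
    return $status
}

# Usage, with the file and command from this thread:
#   sh audit.sh /etc/MailScanner/rules/scan.messages.rules \
#       MailScanner --value=scanmessages \
#       --from=marketing@silmaq.com.br --to=root@localhost
if [ "$#" -ge 2 ]; then
    audit_ruleset "$@"
fi
```

A ruleset that decides which mail skips scanning should be writable only by root; chmod 644 is enough for MailScanner to read it.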
From Marco.Induni at rtsi.ch Fri Apr 4 10:45:39 2008 From: Marco.Induni at rtsi.ch (Induni Marco) Date: Fri Apr 4 10:46:23 2008 Subject: Remove big attachements, but deliver the email Message-ID: Skipped content of type multipart/alternative-------------- next part -------------- A non-text attachment was scrubbed... Name: Induni Marco.vcf Type: text/x-vcard Size: 306 bytes Desc: Induni Marco.vcf Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080404/6e93afb7/InduniMarco-0001.vcf From stef at aoc-uk.com Fri Apr 4 13:53:05 2008 From: stef at aoc-uk.com (Stef Morrell) Date: Fri Apr 4 13:53:38 2008 Subject: Sophos not running correctly after most recent update Message-ID: <200804041253.m34Cr4TI032030@safir.blacknight.ie> Hello all, Overnight, MajorSophos script fired via cron as normal and downloaded the latest Sophos (4.28) installing via the install scripts in Mailscanner as usual. At this point, Sophos stopped working completely # /opt/MailScanner/lib/sophos-wrapper /usr/local/Sophos Error initialising detection engine - missing part of virus data I've tried completely removing /usr/local/Sophos and reinstalling, but get the same error. I'm presuming it can see the ide directory, as without it I instead get the error Error initialising detection engine - missing main virus data It's as though the virus data itself is nerfed in this release. Perhaps I can get an older version from somewhere and use more ide files until the next release, though the Sophos website is unhelpful in this regard. Has anyone the same problem, or a brilliant idea? Regards Stef Stefan Morrell | Operations Director Tel: 0845 3452820 | Alpha Omega Computers Ltd Fax: 0845 3452830 | Incorporating Level 5 Internet stef@aoc-uk.com | stef@l5net.net Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER. Registered in England No. 3867142. VAT No. 
GB734421454
From MailScanner at ecs.soton.ac.uk Fri Apr 4 13:59:34 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Apr 4 14:00:23 2008 Subject: Remove big attachements, but deliver the email In-Reply-To: References: Message-ID: <47F62636.1040206@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 You would need to write a Custom Function in order to actually remove large attachments. However, what may be useful is the setting "Zip Attachments" in MailScanner.conf, as this will make it replace large attachments with a zip file containing the attachments. This preserves the attachments while still usually making the message a lot smaller. Is this of any use to you instead? If you were to write a Custom Function to remove large attachments, the "Zip Attachments" code would certainly show you how to do it. If you are prepared to pay me a decent rate, I will write the Custom Function for you... Best regards, Jules. Induni Marco wrote: > > Dear all, > as many people we limit the size of an incoming email message (on our > case to 10 MB) via max.message.size.rules. > So when a message reaches this limit, we will keep the message in > quarantine, and we send a Warning message to the sender and the receiver. > > I was wondering if there is a way to eventually remove the "big" > attachment, but deliver the email text (message) anyway. > > Thank you and best regards > > Marco > > > -- > Radiotelevisione Svizzera di Lingua Italiana > Casella Postale > 6903 LUGANO > > Tel. +41 (0)91 803 63 83 > > <> > > > **************************************************************** > > Visit: www.rtsi.ch > > This email and any files transmitted with it are confidential and > intended solely for the use of the individual or entity to whom they > are addressed. If you have received this email in error please notify > postmaster@rtsi.ch.
Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.2 (Build 3005) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFH9iY3EfZZRxQVtlQRAnurAKCvh9O8bpf3VX7oSeB6Ksijuhc49gCgt05+ 7ODiWSfAd+HfiF8haWL8sqI= =QGC2 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
From Andrew.Chester at ukuvuma.co.za Fri Apr 4 14:03:15 2008 From: Andrew.Chester at ukuvuma.co.za (Andrew Chester) Date: Fri Apr 4 14:04:10 2008 Subject: Having problems installing on FreeBSD 64 Bit Message-ID: Hi All I'm having a problem installing MS on FreeBSD 6.3 64 Bit, I've updated the ports tree a few times now and it has MailScanner 4.67.6_1 - but when I try install it thru the ports tree, I keep getting this error: "bdc-7.0.1_2 is only for i386, while you are running amd64". This happens when the MS installation runs through its dependency list, I have tried to find a 64bit package for bdc but can only find the i386 package. I don't know why this is happening or what's gone wrong as I've installed MS on the same version of FreeBSD on another gateway, also 64 Bit, without a problem. If anyone can advise on what to do, it would be greatly appreciated - thank you. Kind Regards, Andrew CONFIDENTIALITY CLAUSE This message is intended only for the use of the individual or entity to which it is addressed and contains information that is privileged and confidential.
If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender by telephone. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080404/3d8db0be/attachment.html From dave.list at pixelhammer.com Fri Apr 4 14:28:00 2008 From: dave.list at pixelhammer.com (DAve) Date: Fri Apr 4 14:28:46 2008 Subject: OT - Need info Message-ID: <47F62CE0.7090805@pixelhammer.com> Excuse the OT post, please respond directly to me so as to not clutter the list. I have a client who needs their mail sent to their server via TLS. We are using Sendmail and I can find oodles of info on setting up TLS, but very little on sending messages destined for one specific host via a TLS connection. I am assuming, possibly incorrectly, that the secret lies in access and or the mailertable. Can anyone point me to better information than I have found? Thanks, DAve -- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins. From MailScanner at ecs.soton.ac.uk Fri Apr 4 14:32:45 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Apr 4 14:33:29 2008 Subject: Sophos not running correctly after most recent update In-Reply-To: <200804041253.m34Cr4TI032030@safir.blacknight.ie> References: <200804041253.m34Cr4TI032030@safir.blacknight.ie> Message-ID: <47F62DFD.6020100@ecs.soton.ac.uk> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... 
Name: PGP.sig Type: application/pgp-signature Size: 218 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080404/c71cfacf/PGP.bin From mkercher at nfsmith.com Fri Apr 4 14:55:33 2008 From: mkercher at nfsmith.com (Mike Kercher) Date: Fri Apr 4 14:56:33 2008 Subject: File Type Check Problem In-Reply-To: <47F548BE.8030804@ecs.soton.ac.uk> References: <224FA7E11EA39E45843E11CEBBD3A36F8E0C23@HOUPEX01.nfsmith.info> <47F53C2D.5090207@ecs.soton.ac.uk><224FA7E11EA39E45843E11CEBBD3A36F8E0D27@HOUPEX01.nfsmith.info> <47F548BE.8030804@ecs.soton.ac.uk> Message-ID: <224FA7E11EA39E45843E11CEBBD3A36F8E0E20@HOUPEX01.nfsmith.info> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > Julian Field > Sent: Thursday, April 03, 2008 3:21 PM > To: MailScanner discussion > Subject: Re: File Type Check Problem > > > > Mike Kercher wrote: > >> I've been searching and haven't found a resolution for this yet. >> >> Periodically, we get emails with attachments coming through that are >> not being detected properly. MailScanner reports: >> >> MailScanner: No programs allowed (msg-10410-101.txt) >> >> > This is being caught by the filetype trap. > >> If I go look at the quarantined email in MailWatch and download the >> attachment, it is a PDF. >> > That may be what the filename says, but what does the "file" command > report? > >> There was talk of the file -i command switch. >> Is this something that needs to be set in MailScanner.conf? >> >> > No, just read the latest filetype.rules.conf and filename.rules.conf > files, the comments at the top of each file tell you how to use it. > There is also an example line in filetype.rules.conf for you to copy. 
> > >> TIA >> >> Mike >> >> > > Jules > > -- > > Jules, > > Running file against the message yields the following: > > [root@HOUPMS02 m334jSTE009852]# file message > message: smtp mail text > [root@HOUPMS02 m334jSTE009852]# file -i message > message: message/rfc822\011 > > Not quite sure what changing the filetype.rules.conf would do for me > here. > No! I meant you to run the "file" command on the attachment, not the message! :-( Funnily enough, when you run it on the message it says it's a message :-) Jules -------- Sorry about that :) Here's the output of file run against the attachment itself: [root@HOUPMS01 ~]# file OSC81.pdf OSC81.pdf: PDF document, version 1.3 [root@HOUPMS01 ~]# file -i OSC81.pdf OSC81.pdf: application/pdf Mike
From Denis.Beauchemin at USherbrooke.ca Fri Apr 4 14:59:33 2008 From: Denis.Beauchemin at USherbrooke.ca (Denis Beauchemin) Date: Fri Apr 4 15:00:21 2008 Subject: OT - Need info In-Reply-To: <47F62CE0.7090805@pixelhammer.com> References: <47F62CE0.7090805@pixelhammer.com> Message-ID: <47F63445.7000600@USherbrooke.ca> DAve wrote: > Excuse the OT post, please respond directly to me so as to not clutter > the list. I have a client who needs their mail sent to their server > via TLS. We are using Sendmail and I can find oodles of info on > setting up TLS, but very little on sending messages destined for one > specific host via a TLS connection. > > I am assuming, possibly incorrectly, that the secret lies in access > and or the mailertable. Can anyone point me to better information than > I have found? > > Thanks, > > DAve Dave, I use the following in the access file to require a TLS connection to some remote servers: TLS_Srv:ip.ad.dre.ss ENCR:128 Denis -- _ °v° Denis Beauchemin, analyste /(_)\ Université de Sherbrooke, S.T.I.
^ ^ T: 819.821.8000x62252 F: 819.821.8045 From mailscanner at tecnowaydigital.com.br Fri Apr 4 15:19:46 2008 From: mailscanner at tecnowaydigital.com.br (TecnoWay Digital) Date: Fri Apr 4 15:22:16 2008 Subject: MailScanner ignoring some rules In-Reply-To: <223f97700804040109p3a5d97a5w439ef4d77ba879b1@mail.gmail.com> References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br><47F46B28.2050507@vanderkooij.org><47F53B57.1070307@ecs.soton.ac.uk><8F1DE832AFD34082A4D0CB25E4E7D7E7@TWDNB03> <223f97700804040109p3a5d97a5w439ef4d77ba879b1@mail.gmail.com> Message-ID: MailScanner --lint Trying to setlogsock(unix) Read 817 hostnames from the phishing whitelist Read 5549 hostnames from the phishing blacklist Config: calling custom init function SQLBlacklist Starting up SQL Blacklist Read 326 blacklist entries Config: calling custom init function MailWatchLogging Started SQL Logging child Config: calling custom init function SQLWhitelist Starting up SQL Whitelist Read 40 whitelist entries Checking version numbers... Version number in MailScanner.conf (4.68.8) is correct. Your envelope_sender_header in spam.assassin.prefs.conf is correct. MailScanner setting GID to (89) MailScanner setting UID to (89) Checking for SpamAssassin errors (if you use it)... SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Using SpamAssassin results cache Connected to SpamAssassin cache database SpamAssassin reported no errors. Using locktype = posix MailScanner.conf says "Virus Scanners = mcafee" Found these virus scanners installed: clamav, mcafee =========================================================================== Virus and Content Scanning: Starting /1/eicar.com Found: EICAR test file NOT a virus. 
Virus Scanning: McAfee found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================
Virus Scanner test reports:
McAfee said "/1/eicar.com Found: EICAR test file NOT a virus."

If any of your virus scanners (clamav,mcafee)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
Closing down by-domain spam blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
Closing down by-domain spam whitelist

--------------------------------------------------------------------

My MailScanner.conf

%org-name% = Silmaq
%org-long-name% = Silmaq S.A
%web-site% = www.silmaq.com.br
%etc-dir% = /etc/MailScanner
%report-dir% = /etc/MailScanner/reports/pt_br
%rules-dir% = /etc/MailScanner/rules
%mcp-dir% = /etc/MailScanner/mcp
Max Children = 5
Run As User = postfix
Run As Group = postfix
Queue Scan Interval = 6
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
Incoming Work Dir = /var/spool/MailScanner/incoming
Quarantine Dir = /var/spool/MailScanner/quarantine
PID file = /var/run/MailScanner.pid
Restart Every = 7200
MTA = postfix
Sendmail = /usr/sbin/sendmail
Sendmail2 = /usr/sbin/sendmail
Incoming Work User =
Incoming Work Group =
Incoming Work Permissions = 0600
Quarantine User = root
Quarantine Group = apache
Quarantine Permissions = 0660
Max Unscanned Bytes Per Scan = 100m
Max Unsafe Bytes Per Scan = 50m
Max Unscanned Messages Per Scan = 30
Max Unsafe Messages Per Scan = 30
Max Normal Queue Size = 800
Scan Messages = %rules-dir%/scan.messages.rules
Reject Message = no
Maximum Attachments Per Message = 200
Expand TNEF = yes
Use TNEF Contents = replace
Deliver Unparsable TNEF = no
TNEF Expander = /usr/bin/tnef --maxsize=100000000
TNEF Timeout = 120
File Command = /usr/bin/file
File Timeout = 20
Gunzip Command = /bin/gunzip
Gunzip Timeout = 50
Unrar Command = /usr/bin/unrar
Unrar Timeout = 50
Find UU-Encoded Files = no
Maximum Message Size = %rules-dir%/max.message.size.rules
Maximum Attachment Size = -1
Minimum Attachment Size = -1
Maximum Archive Depth = 0
Find Archives By Content = yes
Zip Attachments = no
Attachments Zip Filename = MessageAttachments.zip
Attachments Min Total Size To Zip = 100k
Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe .mpeg .mp3 .rpm .htm .html .eml
Virus Scanning = yes
Virus Scanners = mcafee
Virus Scanner Timeout = 300
Deliver Disinfected Files = no
Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = no
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
Block Encrypted Messages = no
Block Unencrypted Messages = no
Allow Password-Protected Archives = no
Check Filenames In Password-Protected Archives = yes
Allowed Sophos Error Messages =
Sophos IDE Dir = /opt/sophos-av/lib/sav
Sophos Lib Dir = /opt/sophos-av/lib
Monitors For Sophos Updates = /opt/sophos-av/lib/sav/*.ide
Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* /usr/local/share/clamav/*.cvd
ClamAVmodule Maximum Recursion Level = 8
ClamAVmodule Maximum Files = 1000
ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
ClamAVmodule Maximum Compression Ratio = 250
Clamd Port = 3310
Clamd Socket = /tmp/clamd
Clamd Lock File = # /var/lock/subsys/clamd
Clamd Use Threads = no
ClamAV Full Message Scan = yes
Fpscand Port = 10200
Dangerous Content Scanning = yes
Allow Partial Messages = no
Allow External Message Bodies = no
Find Phishing Fraud = yes
Also Find Numeric Phishing = yes
Use Stricter Phishing Net = yes
Highlight Phishing Fraud = yes
Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf
Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf
Country Sub-Domains List = %etc-dir%/country.domains.conf
Allow IFrame Tags = disarm
Allow Form Tags = disarm
Allow Script Tags = disarm
Allow WebBugs = disarm
Ignored Web Bug Filenames = spacer pixel.gif pixel.png gap
Known Web Bug Servers = msgtag.com
Web Bug Replacement = http://www.mailscanner.tv/1x1spacer.gif
Allow Object Codebase Tags = disarm
Convert Dangerous HTML To Text = no
Convert HTML To Text = no
Allow Filenames =
Deny Filenames =
Filename Rules = %etc-dir%/filename.regra.rules
Allow Filetypes =
Allow File MIME Types =
Deny Filetypes =
Deny File MIME Types =
Filetype Rules = %etc-dir%/filetype.rules.conf
Quarantine Infections = yes
Quarantine Silent Viruses = no
Quarantine Modified Body = no
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = no
Keep Spam And MCP Archive Clean = no
Language Strings = %report-dir%/languages.conf
Rejection Report = %report-dir%/rejection.report.txt
Deleted Bad Content Message Report = %report-dir%/deleted.content.message.txt
Deleted Bad Filename Message Report = %report-dir%/deleted.filename.message.txt
Deleted Virus Message Report = %report-dir%/deleted.virus.message.txt
Deleted Size Message Report = %report-dir%/deleted.size.message.txt
Stored Bad Content Message Report = %report-dir%/stored.content.message.txt
Stored Bad Filename Message Report = %report-dir%/stored.filename.message.txt
Stored Virus Message Report = %report-dir%/stored.virus.message.txt
Stored Size Message Report = %report-dir%/stored.size.message.txt
Disinfected Report = %report-dir%/disinfected.report.txt
Inline HTML Signature = %report-dir%/inline.sig.html
Inline Text Signature = %report-dir%/inline.sig.txt
Signature Image Filename = %report-dir%/sig.jpg
Signature Image Filename = signature.jpg
Inline HTML Warning = %report-dir%/inline.warning.html
Inline Text Warning = %report-dir%/inline.warning.txt
Sender Content Report = %report-dir%/sender.content.report.txt
Sender Error Report = %report-dir%/sender.error.report.txt
Sender Bad Filename Report = %report-dir%/sender.filename.report.txt
Sender Virus Report = %report-dir%/sender.virus.report.txt
Sender Size Report = %report-dir%/sender.size.report.txt
Hide Incoming Work Dir = yes
Include Scanner Name In Reports = yes
Mail Header = X-%org-name%-MailScanner:
Spam Header = X-%org-name%-MailScanner-SpamCheck:
Spam Score Header = X-%org-name%-MailScanner-SpamScore:
Information Header = X-%org-name%-MailScanner-Information:
Add Envelope From Header = yes
Add Envelope To Header = no
Envelope From Header = X-%org-name%-MailScanner-From:
Envelope To Header = X-%org-name%-MailScanner-To:
Spam Score Character = s
SpamScore Number Instead Of Stars = no
Minimum Stars If On Spam List = 0
Clean Header Value = Found to be clean
Infected Header Value = Found to be infected
Disinfected Header Value = Disinfected
Information Header Value = Please contact the ISP for more information
Detailed Spam Report = yes
Include Scores In SpamAssassin Report = yes
Always Include SpamAssassin Report = no
Multiple Headers = append
Hostname = the %org-name% ($HOSTNAME) MailScanner
Sign Messages Already Processed = no
Sign Clean Messages = %rules-dir%/regras_assinatura.rules
Attach Image To Signature = no
Attach Image To HTML Message Only = yes
Mark Infected Messages = yes
Mark Unscanned Messages = yes
Unscanned Header Value = Not scanned: please contact your Internet E-Mail Service Provider for details
Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2:
Deliver Cleaned Messages = yes
Notify Senders = yes
Notify Senders Of Viruses = no
Notify Senders Of Blocked Filenames Or Filetypes = yes
Notify Senders Of Blocked Size Attachments = no
Notify Senders Of Other Blocked Content = yes
Never Notify Senders Of Precedence = list bulk
Scanned Subject Text = {Scanned}
Virus Modify Subject = start
Virus Subject Text = {Virus?}
Filename Modify Subject = start
Filename Subject Text = {Filename?}
Content Modify Subject = start
Content Subject Text = {Dangerous Content?}
Size Modify Subject = start
Size Subject Text = {Size}
Disarmed Modify Subject = start
Disarmed Subject Text = {Disarmed}
Phishing Modify Subject = no
Phishing Subject Text = {Fraud?}
Spam Modify Subject = start
Spam Subject Text = {Spam?}
High Scoring Spam Modify Subject = start
High Scoring Spam Subject Text = {Spam?}
Warning Is Attachment = yes
Attachment Warning Filename = %org-name%-Attachment-Warning.txt
Attachment Encoding Charset = ISO-8859-1
Archive Mail = %rules-dir%/copia-email.rules
Send Notices = no
Notices Include Full Headers = yes
Hide Incoming Work Dir in Notices = no
Notice Signature = -- \nMailScanner\nEmail Virus Scanner\nwww.mailscanner.info
Notices From = teste
Notices To = postmaster
Local Postmaster = postmaster
Spam List Definitions = %etc-dir%/spam.lists.conf
Virus Scanner Definitions = %etc-dir%/virus.scanners.conf
Spam Checks = yes
Spam Domain List =
Spam Lists To Be Spam = 1
Spam Lists To Reach High Score = 3
Spam List Timeout = 10
Max Spam List Timeouts = 7
Spam List Timeouts History = 10
Is Definitely Not Spam = &SQLWhitelist
Is Definitely Spam = &SQLBlacklist
Definite Spam Is High Scoring = no
Ignore Spam Whitelist If Recipients Exceed = 50
Max Spam Check Size = 200k
Use Watermarking = no
Add Watermark = yes
Check Watermarks With No Sender = yes
Treat Invalid Watermarks With No Sender as Spam = nothing
Check Watermarks To Skip Spam Checks = yes
Watermark Secret = %org-name%-Secret
Watermark Lifetime = 604800
Watermark Header = X-%org-name%-MailScanner-Watermark:
Use SpamAssassin = yes
Max SpamAssassin Size = 200k
Required SpamAssassin Score = 6
High SpamAssassin Score = 10
SpamAssassin Auto Whitelist = yes
SpamAssassin Timeout = 75
Max SpamAssassin Timeouts = 10
SpamAssassin Timeouts History = 30
Check SpamAssassin If On Spam List = yes
Include Binary Attachments In SpamAssassin = no
Spam Score = yes
Cache SpamAssassin Results = yes
SpamAssassin Cache Database File = /var/spool/MailScanner/incoming/SpamAssassin.cache.db
Rebuild Bayes Every = 0
Wait During Bayes Rebuild = no
Use Custom Spam Scanner = no
Max Custom Spam Scanner Size = 20k
Custom Spam Scanner Timeout = 20
Max Custom Spam Scanner Timeouts = 10
Custom Spam Scanner Timeout History = 20
Spam Actions = store
High Scoring Spam Actions = store
Non Spam Actions = deliver header "X-Spam-Status: No"
SpamAssassin Rule Actions =
Sender Spam Report = %report-dir%/sender.spam.report.txt
Sender Spam List Report = %report-dir%/sender.spam.rbl.report.txt
Sender SpamAssassin Report = %report-dir%/sender.spam.sa.report.txt
Inline Spam Warning = %report-dir%/inline.spam.warning.txt
Recipient Spam Report = %report-dir%/recipient.spam.report.txt
Enable Spam Bounce = %rules-dir%/bounce.rules
Bounce Spam As Attachment = no
Syslog Facility = mail
Log Speed = no
Log Spam = no
Log Non Spam = no
Log Permitted Filenames = no
Log Permitted Filetypes = no
Log Permitted File MIME Types = no
Log Silent Viruses = no
Log Dangerous HTML Tags = no
Log SpamAssassin Rule Actions = no
SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin
SpamAssassin Install Prefix =
SpamAssassin Site Rules Dir = /etc/mail/spamassassin
SpamAssassin Local Rules Dir =
SpamAssassin Default Rules Dir =
MCP Checks = yes
First Check = mcp
MCP Required SpamAssassin Score = 1
MCP High SpamAssassin Score = 10
MCP Error Score = 1
MCP Header = X-%org-name%-MailScanner-MCPCheck:
Non MCP Actions = deliver
MCP Actions = forward spam@silmaq.com.br
High Scoring MCP Actions = forward spam@silmaq.com.br
Bounce MCP As Attachment = no
MCP Modify Subject = start
MCP Subject Text = {Lista de Bloqueio}
High Scoring MCP Modify Subject = start
High Scoring MCP Subject Text = {Lista de Bloqueio}
Is Definitely MCP = no
Is Definitely Not MCP = no
Definite MCP Is High Scoring = no
Always Include MCP Report = no
Detailed MCP Report = yes
Include Scores In MCP Report = no
Log MCP = no
MCP Max SpamAssassin Timeouts = 20
MCP Max SpamAssassin Size = 100k
MCP SpamAssassin Timeout = 10
MCP SpamAssassin Prefs File = %mcp-dir%/mcp.spam.assassin.prefs.conf
MCP SpamAssassin User State Dir =
MCP SpamAssassin Local Rules Dir = %mcp-dir%
MCP SpamAssassin Default Rules Dir = %mcp-dir%
MCP SpamAssassin Install Prefix = %mcp-dir%
Recipient MCP Report = %report-dir%/recipient.mcp.report.txt
Sender MCP Report = %report-dir%/sender.mcp.report.txt
Use Default Rules With Multiple Recipients = no
Spam Score Number Format = %d
MailScanner Version Number = 4.68.8
SpamAssassin Cache Timings = 1800,300,10800,172800,600
Debug = no
Debug SpamAssassin = no
Run In Foreground = no
Always Looked Up Last = &MailWatchLogging
Always Looked Up Last After Batch = no
Deliver In Background = yes
Delivery Method = batch
Split Exim Spool = no
Lockfile Dir = /tmp
Custom Functions Dir = /usr/lib/MailScanner/MailScanner/CustomFunctions
Lock Type =
Syslog Socket Type =
Automatic Syntax Check = yes
Minimum Code Status = supported

----- Original Message -----
From: "Glenn Steen"
To: "MailScanner discussion"
Sent: Friday, April 04, 2008 5:09 AM
Subject: Re: MailScanner ignoring some rules

> On 04/04/2008, TecnoWay Digital
> wrote:
>> [root@firewall.silmaq.com.br ~]# ls -lu
>> /etc/MailScanner/rules/scan.messages.rules
>> -rwxrwxrwx 1 root root 76 2008-04-03 21:38
>> /etc/MailScanner/rules/scan.messages.rules
> (snip)
>> [root@firewall.silmaq.com.br ~]# ls -lu
>> /etc/MailScanner/rules/scan.messages.rules
>> -rwxrwxrwx 1 root root 76 2008-04-03 21:38
>> /etc/MailScanner/rules/scan.messages.rules
>
> So your rule file doesn't get read at all... Have you shown us the
> snippet of your MailScanner.conf where you use it? Could you do so?
> Also, have you run a "MailScanner --lint" and shown us that output? Please
> do...
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From MailScanner at ecs.soton.ac.uk Fri Apr 4 15:39:09 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Apr 4 15:40:05 2008
Subject: File Type Check Problem
In-Reply-To: <224FA7E11EA39E45843E11CEBBD3A36F8E0E20@HOUPEX01.nfsmith.info>
References: <224FA7E11EA39E45843E11CEBBD3A36F8E0C23@HOUPEX01.nfsmith.info> <47F53C2D.5090207@ecs.soton.ac.uk><224FA7E11EA39E45843E11CEBBD3A36F8E0D27@HOUPEX01.nfsmith.info> <47F548BE.8030804@ecs.soton.ac.uk> <224FA7E11EA39E45843E11CEBBD3A36F8E0E20@HOUPEX01.nfsmith.info>
Message-ID: <47F63D8D.3070105@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike Kercher wrote:
>> -----Original Message-----
>> From: mailscanner-bounces@lists.mailscanner.info
>> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
>> Julian Field
>> Sent: Thursday, April 03, 2008 3:21 PM
>> To: MailScanner discussion
>> Subject: Re: File Type Check Problem
>>
>>
>>
>> Mike Kercher wrote:
>>
>>
>>> I've been searching and haven't found a resolution for this yet.
>>>
>>> Periodically, we get emails with attachments coming through that are
>>> not being detected properly. MailScanner reports:
>>>
>>> MailScanner: No programs allowed (msg-10410-101.txt)
>>>
>>>
>>>
>> This is being caught by the filetype trap.
>>
>>
>>> If I go look at the quarantined email in MailWatch and download the
>>> attachment, it is a PDF.
>>>
>>>
>> That may be what the filename says, but what does the "file" command
>> report?
>>
>>
>>> There was talk of the file -i command switch.
>>> Is this something that needs to be set in MailScanner.conf?
>>>
>>>
>>>
>> No, just read the latest filetype.rules.conf and filename.rules.conf
>> files, the comments at the top of each file tell you how to use it.
>> There is also an example line in filetype.rules.conf for you to copy.
>>
>>
>>
>>> TIA
>>>
>>> Mike
>>>
>>>
>>>
>> Jules
>>
>> --
>>
>> Jules,
>>
>> Running file against the message yields the following:
>>
>> [root@HOUPMS02 m334jSTE009852]# file message
>> message: smtp mail text
>> [root@HOUPMS02 m334jSTE009852]# file -i message
>> message: message/rfc822\011
>>
>> Not quite sure what changing the filetype.rules.conf would do for me
>> here.
>>
>>
> No! I meant you to run the "file" command on the attachment, not the
> message! :-( Funnily enough, when you run it on the message it says it's
> a message :-)
>
> Jules
>
> --------
>
> Sorry about that :) Here's the output of file run against the
> attachment itself:
>
> [root@HOUPMS01 ~]# file OSC81.pdf
> OSC81.pdf: PDF document, version 1.3
>
> [root@HOUPMS01 ~]# file -i OSC81.pdf
> OSC81.pdf: application/pdf
>
Have just checked your original report, and it wasn't the attachment it
blocked, it was the main message body (hence the "txt" extension with
the unusual filename). Harder to stop that unless you switch from using
the "executable" trap in filetype.rules.conf to a replacement trap using
the MIME type reported by file -i instead (see comments at the start of
filetype.rules.conf).
> Mike
>

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.2 (Build 3005)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFH9j2OEfZZRxQVtlQRAmZiAJwPS5jjxhoukvmFSoj5JYyMGP8U+QCgzMdS
bHrfC2GyNSDz4ZOdqsl9zSw=
=knIJ
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From butler at globeserver.com Fri Apr 4 15:49:52 2008
From: butler at globeserver.com (Philip Butler)
Date: Fri Apr 4 15:52:25 2008
Subject: Ruleset patterns...
Message-ID: <6041A315-0699-43C4-8E27-1117DDE92C27@globeserver.com>

Hi all,

I don't think this is possible, but I thought I'd ask anyway....

In a MailScanner ruleset, is it possible to use a netmask in a pattern ??

For example:

From: 10.0.0.0/255.255.252.0 yes

I know that this could be expanded to multiple lines and I see things
like:

/^192\.168\.1[4567]\./

in the documentation, but it would be much easier to read with an
ip/netmask format.

Please excuse me if I am off-base.

Thanks,

Phil

From MailScanner at ecs.soton.ac.uk Fri Apr 4 16:04:01 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Apr 4 16:04:45 2008
Subject: Ruleset patterns...
In-Reply-To: <6041A315-0699-43C4-8E27-1117DDE92C27@globeserver.com>
References: <6041A315-0699-43C4-8E27-1117DDE92C27@globeserver.com>
Message-ID: <47F64361.2040107@ecs.soton.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Philip Butler wrote:
> Hi all,
>
> I don't think this is possible, but I thought I'd ask anyway....
>
> In a MailScanner ruleset, is it possible to use a netmask in a pattern ??
Of course!

It supports several different formats.
Cut straight from /etc/MailScanner/rules/README, here they are:
192.168.21.                 # Any SMTP client IP address in this network
192.168.21                  # Any SMTP client IP address in this network
192.168.21.0/255.255.255.0  # Any SMTP client IP address in this network
192.168.21.0/24             # Any SMTP client IP address in this network
/pattern-with-no-letters/   # Any SMTP client IP address matching this
                            # Perl regular expression
/^192\.168\.1[4567]\./      # Any SMTP client IP address in the networks
                            # 192.168.14 - 192.168.17

>
> For example:
>
> From: 10.0.0.0/255.255.252.0 yes
>
> I know that this could be expanded to multiple lines and I see things
> like:
>
> /^192\.168\.1[4567]\./
>
> in the documentation, but it would be much easier to read with an
> ip/netmask format.
>
> Please excuse me if I am off-base.
>
> Thanks,
>
> Phil
>

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.2 (Build 3005)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFH9kNiEfZZRxQVtlQRApA4AJ9q69qw/aVrvPP+1skSDDr6RglPgwCeI1nS
H48KEvdVvS6wfAz6wypop/4=
=7e7t
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From Marco.Induni at rtsi.ch Fri Apr 4 16:07:36 2008
From: Marco.Induni at rtsi.ch (Induni Marco)
Date: Fri Apr 4 16:08:12 2008
Subject: Remove big attachements, but deliver the email
In-Reply-To: <47F62636.1040206@ecs.soton.ac.uk>
Message-ID:

Hi Jules,
thank you for the infos.
I will try with the zip flag, but think I've to investigate the Custom
Function.

Thank you and best regards.

Marco

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info]On Behalf Of Julian Field
Sent: Friday, 4 April 2008 15:00
To: MailScanner discussion
Subject: Re: Remove big attachements, but deliver the email

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You would need to write a Custom Function in order to actually remove
large attachments.

However, what may be useful is the setting "Zip Attachments" in
MailScanner.conf, as this will make it replace large attachments with a
zip file containing the attachments. This preserves the attachments
while still usually making the message a lot smaller.

Is this of any use to you instead?

If you were to write a Custom Function to remove large attachments, the
"Zip Attachments" code would certainly show you how to do it. If you are
prepared to pay me a decent rate, I will write the Custom Function for
you...

Best regards,
Jules.

Induni Marco wrote:
>
> Dear all,
> as many people we limit the size of an incoming email message (on our
> case to 10 MB) via max.message.size.rules.
> So when a message reaches this limit, we will keep the message in
> quarantine, and we send a Warning message to the sender and the receiver.
>
> I was wondering if there is a way to eventually remove the "big"
> attachment, but deliver the email text (message) anyway.
>
> Thank you and best regards
>
> Marco
>
>
> --
> Radiotelevisione Svizzera di Lingua Italiana
> Casella Postale
> 6903 LUGANO
>
> Tel. +41 (0)91 803 63 83
>
> <>
>
>
> ****************************************************************
>
> Visit: www.rtsi.ch
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> postmaster@rtsi.ch.

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.2 (Build 3005)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFH9iY3EfZZRxQVtlQRAnurAKCvh9O8bpf3VX7oSeB6Ksijuhc49gCgt05+
7ODiWSfAd+HfiF8haWL8sqI=
=QGC2
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

******************************************************

Visit: http://www.rtsi.ch

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
postmaster@rtsi.ch

From butler at globeserver.com Fri Apr 4 16:18:22 2008
From: butler at globeserver.com (Philip Butler)
Date: Fri Apr 4 16:19:46 2008
Subject: Ruleset patterns...
In-Reply-To: <47F64361.2040107@ecs.soton.ac.uk>
References: <6041A315-0699-43C4-8E27-1117DDE92C27@globeserver.com> <47F64361.2040107@ecs.soton.ac.uk>
Message-ID: <057CC7AA-BC4B-4A52-9BFD-ACC559CD5761@globeserver.com>

Ahhh - I didn't see the README. I was looking at the docs online (wiki).

Thanks Julian !!!

Phil

On Apr 4, 2008, at 11:04 AM, Julian Field wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Philip Butler wrote:
>> Hi all,
>>
>> I don't think this is possible, but I thought I'd ask anyway....
>>
>> In a MailScanner ruleset, is it possible to use a netmask in a
>> pattern ??
> Of course!
>
> It supports several different formats.
> Cut straight from /etc/MailScanner/rules/README, here they are:
> 192.168.21. # Any SMTP client IP address in this network
> 192.168.21 # Any SMTP client IP address in this network
> 192.168.21.0/255.255.255.0 # Any SMTP client IP address in this
> network
> 192.168.21.0/24 # Any SMTP client IP address in this network
> /pattern-with-no-letters/ # Any SMTP client IP address matching
> this
> # Perl regular expression
> /^192\.168\.1[4567]\./ # Any SMTP client IP address in the
> networks
> # 192.168.14 - 192.168.17
>
>>
>> For example:
>>
>> From: 10.0.0.0/255.255.252.0 yes
>>
>> I know that this could be expanded to multiple lines and I see things
>> like:
>>
>> /^192\.168\.1[4567]\./
>>
>> in the documentation, but it would be much easier to read with an
>> ip/netmask format.
>>
>> Please excuse me if I am off-base.
>>
>> Thanks,
>>
>> Phil
>>
>
> Jules
>
> - --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.8.2 (Build 3005)
> Comment: (pgp-secured)
> Charset: ISO-8859-1
>
> wj8DBQFH9kNiEfZZRxQVtlQRApA4AJ9q69qw/aVrvPP+1skSDDr6RglPgwCeI1nS
> H48KEvdVvS6wfAz6wypop/4=
> =7e7t
> -----END PGP SIGNATURE-----
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

From vernon at comp-wiz.com Fri Apr 4 16:24:46 2008
From: vernon at comp-wiz.com (Vernon Webb)
Date: Fri Apr 4 16:25:53 2008
Subject: False Positive, How do I resolve this?
In-Reply-To:
References: <47F62636.1040206@ecs.soton.ac.uk>
Message-ID: <07b601c89668$0a7b3130$1f719390$@com>

I have a client who sends email attachments in a zip file. The files (as you
can see below) are named the way the client needs them to be. How do I get
around this?

The virus detector said this about the message:
Report: Report: MailScanner: Found possible filename hiding (Supervisor.Sales.Rep.htm)
Report: MailScanner: Found possible filename hiding (Director.of.Mktg.Corp.Sales.Mgr.Recruiting.Mgr.htm)
Report: MailScanner: Found possible filename hiding (Sales.Call.Cen.htm)
Report: MailScanner: Found possible filename hiding (Medical.Sales.Rep.htm)
Report: MailScanner: Found possible filename hiding (Sales.agent.Customer.service.Adm.htm)
Report: MailScanner: Found possible filename hiding (E.5.Sgt.htm)
Report: MailScanner: Found possible filename hiding (Successful.and.htm)
Report: MailScanner: Found possible filename hiding (Focused.on.Res.htm)
Report: MailScanner: Found possible filename hiding (Area.Sales.Mgr.htm)
Report: MailScanner: Found possible filename hiding (Operations.Man.htm)
Report: MailScanner: Found possible filename hiding (SALES.REP.htm)
Report: MailScanner: Found possible filename hiding (sales.man.htm)
Report: MailScanner: Found possible filename hiding (insurancec.rep.htm)
Report: MailScanner: Found possible filename hiding (Senior.Sales.Rep.htm)

--
This message has been scanned for viruses and
dangerous content at comp-wiz.com, and is
believed to be clean.
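
The address formats Julian Field quotes from /etc/MailScanner/rules/README in the "Ruleset patterns..." thread above can be checked offline before a rule set goes live. The following is an added example, not MailScanner's own code: the function names and the sample rule set are constructed, and it assumes that the first matching rule wins, that a "default" line is the fallback, and that a dotted prefix such as 192.168.21 matches on whole octets.

```python
import ipaddress
import re


def compile_pattern(pattern):
    """Turn one rule-set address pattern into a predicate on a client IP string."""
    pattern = pattern.strip()
    if len(pattern) > 2 and pattern[0] == "/" and pattern[-1] == "/":
        # /regex/ form: matched against the dotted-quad text of the address
        regex = re.compile(pattern[1:-1])
        return lambda ip: regex.search(ip) is not None
    if "/" in pattern:
        # network/prefix-length or network/netmask; a non-contiguous
        # netmask raises ValueError here instead of matching silently
        net = ipaddress.ip_network(pattern, strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net
    # "192.168.21." or "192.168.21": dotted prefix
    octets = pattern.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4 or not all(
        o.isdigit() and int(o) <= 255 for o in octets
    ):
        raise ValueError("not an address pattern: %r" % pattern)
    # Assumption: the prefix matches whole octets, so 192.168.21 does not
    # also cover 192.168.210.x
    return lambda ip: ip.split(".")[: len(octets)] == octets


def parse_rules(text):
    """Parse 'Direction: pattern value' lines; return (rules, default)."""
    rules, default = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        direction, pattern, value = line.split(None, 2)
        if pattern == "default":
            default = value
        elif direction.rstrip(":").lower() in ("from", "fromorto"):
            rules.append((compile_pattern(pattern), value))
    return rules, default


def lookup(client_ip, rules, default):
    """Return the value of the first rule matching the SMTP client address."""
    ipaddress.ip_address(client_ip)  # reject malformed input early
    for matches, value in rules:
        if matches(client_ip):
            return value
    return default


# Constructed rule set for illustration (not taken from any poster's server)
SAMPLE_RULES = r"""
From:      10.0.0.0/255.255.252.0     yes
From:      192.168.21.                no
From:      /^192\.168\.1[4567]\./     yes
FromOrTo:  default                    no
"""

RULES, DEFAULT = parse_rules(SAMPLE_RULES)

if __name__ == "__main__":
    for ip in ("10.0.3.255", "10.0.4.1", "192.168.21.9", "192.168.16.40"):
        print(ip, "->", lookup(ip, RULES, DEFAULT))
```

The netmask 255.255.252.0 from Philip Butler's question covers 10.0.0.0 through 10.0.3.255, which is why 10.0.4.1 falls through to the default.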

From martyn at invictawiz.com Fri Apr 4 16:37:21 2008
From: martyn at invictawiz.com (Martyn Routley)
Date: Fri Apr 4 16:39:31 2008
Subject: New MS install is slow to an extreme
In-Reply-To: <47F4CBF1.70708@pixelhammer.com>
References: <47F3CD9F.7070406@pixelhammer.com> <47F3D7A5.5040509@pixelhammer.com> <47F4BCB8.7030000@invictawiz.com> <47F4CBF1.70708@pixelhammer.com>
Message-ID: <47F64B31.6090706@invictawiz.com>

DAve wrote:
> Martyn Routley wrote:
>> DAve wrote:
>>> DAve wrote:
>>>
>>> I moved the incoming dir to a tmpfs mount (mdmfs on freebsd) no
>>> change in processing time.
>>>
>>> I am getting really stumped now.
>>>
>>> DAve
>>>
>>>
>>>
>> What is your hardware?
>> We had random processing times when running 6.2 on one of our
>> servers. (Single P4 dual core)
>> I upgraded in place to 7.0 (using FreeBsd Update
>> (http://www.freebsd.org/releases/7.0R/announce.html) and now the
>> emails don't touch the sides.
>> Getting Sophos to work was a bind though.
>>
>
> Interesting, do you know the upgrade helped? I am always leery of
> "upgrade" as a solution unless I know why the upgrade is the solution.
>
> Server 1
> Intel(R) Xeon(TM) CPU 2.40GHz Quad Core
> 2GB ram
> Quantum Atlas SCSI drives, one for the system and one for the spool dir
>
> Server 2
> Intel(R) Xeon(TM) CPU 2.40GHz Quad Core
> 2GB ram
> Maxtor SATA drives, one for the system and one for the spool dir
>
> DAve
>
Good question.
All that changed was the os version and the fact that I rebuilt all
installed ports.
The server went from a 5 minute av of 7+ to 3.5 or less and from having
30 + messages waiting to be processed to having MailScanner waiting for
messages most of the time.
MS config/version didn't change
I don't discount the possibility that rebuilding all of the installed
ports helped.

--
Martyn Routley
--------------------------------------------------------
Invictawiz - The Internet in Plain English, Guaranteed
web: http://www.invictawiz.com
voip: 6000@sip.invictawiz.com
phone: 0845 003 9020
Reg Addr: 9 Eastmead Ave, Ashford, Kent, TN23 7SB
Co. No: 04253262
--------------------------------------------------------

-----------------------------------------------------------------------------
This message has been scanned for viruses and dangerous content by
the http://www.invictawiz.com MailScanner, and is believed to be clean.
-----------------------------------------------------------------------------

From brose at med.wayne.edu Fri Apr 4 16:39:39 2008
From: brose at med.wayne.edu (Rose, Bobby)
Date: Fri Apr 4 16:40:25 2008
Subject: False Positive, How do I resolve this?
In-Reply-To: <07b601c89668$0a7b3130$1f719390$@com>
References: <47F62636.1040206@ecs.soton.ac.uk> <07b601c89668$0a7b3130$1f719390$@com>
Message-ID: <610C64469748E84DB6BDD5BD23F01A761802FC@MED-CORE03-MS1.med.wayne.edu>

Zip or rename the files without all those periods.

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vernon Webb
Sent: Friday, April 04, 2008 11:25 AM
To: 'MailScanner discussion'
Subject: False Positive, How do I resolve this?

I have a client who sends email attachments in a zip file. The files (as you
can see below) are named the way the client needs them to be. How do I get
around this?

The virus detector said this about the message:
Report: Report: MailScanner: Found possible filename hiding (Supervisor.Sales.Rep.htm)
Report: MailScanner: Found possible filename hiding (Director.of.Mktg.Corp.Sales.Mgr.Recruiting.Mgr.htm)
Report: MailScanner: Found possible filename hiding (Sales.Call.Cen.htm)
Report: MailScanner: Found possible filename hiding (Medical.Sales.Rep.htm)
Report: MailScanner: Found possible filename hiding (Sales.agent.Customer.service.Adm.htm)
Report: MailScanner: Found possible filename hiding (E.5.Sgt.htm)
Report: MailScanner: Found possible filename hiding (Successful.and.htm)
Report: MailScanner: Found possible filename hiding (Focused.on.Res.htm)
Report: MailScanner: Found possible filename hiding (Area.Sales.Mgr.htm)
Report: MailScanner: Found possible filename hiding (Operations.Man.htm)
Report: MailScanner: Found possible filename hiding (SALES.REP.htm)
Report: MailScanner: Found possible filename hiding (sales.man.htm)
Report: MailScanner: Found possible filename hiding (insurancec.rep.htm)
Report: MailScanner: Found possible filename hiding (Senior.Sales.Rep.htm)

--
This message has been scanned for viruses and
dangerous content at comp-wiz.com, and is
believed to be clean.

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
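
Why every name in Vernon Webb's report trips the "filename hiding" check, and why renaming without the inner periods clears it, shown as an added example that is not part of the thread or of MailScanner. The regular expression is an assumption modelled on the double-extension deny rule of a stock filename.rules.conf (check the rule in your own file); the function names are hypothetical and matching is assumed to be case-insensitive with the first matching rule winning.

```python
import re

# Assumption: modelled on the stock double-extension deny rule; the report
# text is the one that appears in the thread.
HIDING_RULE = (
    "deny",
    r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
    "Found possible filename hiding",
)

# Filenames exactly as listed in the quarantine report quoted in the thread.
REPORTED = [
    "Supervisor.Sales.Rep.htm",
    "Director.of.Mktg.Corp.Sales.Mgr.Recruiting.Mgr.htm",
    "Sales.Call.Cen.htm",
    "Medical.Sales.Rep.htm",
    "Sales.agent.Customer.service.Adm.htm",
    "E.5.Sgt.htm",
    "Successful.and.htm",
    "Focused.on.Res.htm",
    "Area.Sales.Mgr.htm",
    "Operations.Man.htm",
    "SALES.REP.htm",
    "sales.man.htm",
    "insurancec.rep.htm",
    "Senior.Sales.Rep.htm",
]


def check(filename, rules=(HIDING_RULE,)):
    """Return (action, report) of the first rule whose regex matches."""
    for action, pattern, report in rules:
        if re.search(pattern, filename, re.IGNORECASE):
            return action, report
    return "allow", ""


def triggering(names, rules=(HIDING_RULE,)):
    """List the names that the rule set would deny."""
    return [n for n in names if check(n, rules)[0] == "deny"]


def flatten_inner_dots(filename):
    """Keep the real extension, replace every other period with '_'."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        return filename
    return stem.replace(".", "_") + "." + ext


if __name__ == "__main__":
    for name in REPORTED:
        print(check(name)[0], name, "->", flatten_inner_dots(name))
```

The trigger is the three- or four-character word directly before ".htm" ("Rep", "Mgr", "Cen"), which looks like a second extension; "Area.Sales.Manager.htm" would pass the same rule.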
From thenrique at gmail.com Fri Apr 4 16:45:07 2008
From: thenrique at gmail.com (Thiago Henrique)
Date: Fri Apr 4 16:45:47 2008
Subject: File Type Check Problem
In-Reply-To: <47F63D8D.3070105@ecs.soton.ac.uk>
References: <224FA7E11EA39E45843E11CEBBD3A36F8E0C23@HOUPEX01.nfsmith.info> <47F53C2D.5090207@ecs.soton.ac.uk> <224FA7E11EA39E45843E11CEBBD3A36F8E0D27@HOUPEX01.nfsmith.info> <47F548BE.8030804@ecs.soton.ac.uk> <224FA7E11EA39E45843E11CEBBD3A36F8E0E20@HOUPEX01.nfsmith.info> <47F63D8D.3070105@ecs.soton.ac.uk>
Message-ID:

Hi Jules,

I have changed the rules in filetype.rules.conf to:

deny - x-dosexec No DOS executables No DOS programs allowed

But a simple mail with png attachment is considered DOS program:

Reporte: MailScanner: No DOS programs allowed (powerphplist.png)

When I run file command in the blocked attachment the result is:

mail01 1ADE250F95.6ACCF # file -i powerphplist.png
powerphplist.png: image/png
mail01 1ADE250F95.6ACCF # file powerphplist.png
powerphplist.png: PNG image data, 70 x 30, 8-bit colormap, non-interlaced

I try to write a new rule:

allow - text/plain - permited permited

But the mail has blocked again. What is magical to work?

On Fri, Apr 4, 2008 at 11:39 AM, Julian Field wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Mike Kercher wrote:
> >> -----Original Message-----
> >> From: mailscanner-bounces@lists.mailscanner.info
> >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> >> Julian Field
> >> Sent: Thursday, April 03, 2008 3:21 PM
> >> To: MailScanner discussion
> >> Subject: Re: File Type Check Problem
> >>
> >>
> >>
> >> Mike Kercher wrote:
> >>
> >>
> >>> I've been searching and haven't found a resolution for this yet.
> >>>
> >>> Periodically, we get emails with attachments coming through that are
> >>> not being detected properly. MailScanner reports:
> >>>
> >>> MailScanner: No programs allowed (msg-10410-101.txt)
> >>>
> >>>
> >>>
> >> This is being caught by the filetype trap.
> >> > >> > >>> If I go look at the quarantined email in MailWatch and download the > >>> attachment, it is a PDF. > >>> > >>> > >> That may be what the filename says, but what does the "file" command > >> report? > >> > >> > >>> There was talk of the file -i command switch. > >>> Is this something that needs to be set in MailScanner.conf? > >>> > >>> > >>> > >> No, just read the latest filetype.rules.conf and filename.rules.conf > >> files, the comments at the top of each file tell you how to use it. > >> There is also an example line in filetype.rules.conf for you to copy. > >> > >> > >> > >>> TIA > >>> > >>> Mike > >>> > >>> > >>> > >> Jules > >> > >> -- > >> > >> Jules, > >> > >> Running file against the message yields the following: > >> > >> [root@HOUPMS02 m334jSTE009852]# file message > >> message: smtp mail text > >> [root@HOUPMS02 m334jSTE009852]# file -i message > >> message: message/rfc822\011 > >> > >> Not quite sure what changing the filetype.rules.conf would do for me > >> here. > >> > >> > > No! I meat you to run the "file" command on the attachment, not the > > message! :-( Funnily enough, when you run it on the message it says it's > > a message :-) > > > > Jules > > > > -------- > > > > Sorry about that :) Here's the output of file run against the > > attachment itself: > > > > [root@HOUPMS01 ~]# file OSC81.pdf > > OSC81.pdf: PDF document, version 1.3 > > > > [root@HOUPMS01 ~]# file -i OSC81.pdf > > OSC81.pdf: application/pdf > > > Have just checked your original report, and it wasn't the attachment it > blocked, it was the main message body (hence the "txt" extension with > the unusual filename). Harder to stop that unless you switch from using > the "executable" trap in filetype.rules.conf to a replacement trap using > the MIME type reported by file -i instead (see comments at the start of > filetype.rules.conf). 
> > Mike > > > > > > Jules > > - -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.8.2 (Build 3005) > Comment: (pgp-secured) > Charset: ISO-8859-1 > > wj8DBQFH9j2OEfZZRxQVtlQRAmZiAJwPS5jjxhoukvmFSoj5JYyMGP8U+QCgzMdS > bHrfC2GyNSDz4ZOdqsl9zSw= > =knIJ > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080404/f9c5462b/attachment-0001.html From maillists at conactive.com Fri Apr 4 16:45:59 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Fri Apr 4 16:47:00 2008 Subject: SA times out In-Reply-To: <223f97700804040057j39668387sad309a47257d7722@mail.gmail.com> References: <47F39721.3000603@ecs.soton.ac.uk> <223f97700804040057j39668387sad309a47257d7722@mail.gmail.com> Message-ID: Glenn Steen wrote on Fri, 4 Apr 2008 09:57:21 +0200: > Sorry if you already supplied this, but what do you have for the > different SA paths in MailScanner.conf? Good suggestion. There must have been indeed a bug in that MS version. # The rules created by the "sa-update" tool are searched for here. 
# This directory contains the spamassassin/3.001001/updates_spamassassin_org
# directory structure beneath it.
# Only un-comment this setting once you have proved that the sa-update
# cron job has run successfully and has created a directory structure under
# the spamassassin directory within this one and has put some *.cf files in
# there. Otherwise it will ignore all your current rules!
# The default location may be /var/opt on Solaris systems.
SpamAssassin Local State Dir = /var/lib

A newer MS version has this:

# The rules created by the "sa-update" tool are searched for here.
# This directory contains the 3.001001/updates_spamassassin_org
# directory structure beneath it.
# Only un-comment this setting once you have proved that the sa-update
# cron job has run successfully and has created a directory structure under
# the spamassassin directory within this one and has put some *.cf files in
# there. Otherwise it will ignore all your current rules!
# The default location may be /var/opt on Solaris systems.
SpamAssassin Local State Dir = # /var/lib/spamassassin

It seems the code is the same, but documentation (compare the second line!)
and update_mailscanner_conf were not correct. I changed that line to
SpamAssassin Local State Dir = /var/lib/spamassassin
and it uses now the correct rules.

However, MS still times out. The first time I tried it almost came to an end,
but eventually timed out, anyway. It definitely takes much longer than via
command-line. I then upped the time-out to 240 seconds, but now I hit a new
phenomenon. The message is just removed from mqueue.in and Mailwatch shows
again that it times out. But MailScanner doesn't print anymore (to the log,
it doesn't do this in the debug output) that it hits a timeout. It almost
immediately finishes and doesn't process the message. Could this be the sa
cache of MS? If so, I don't understand why that didn't hit earlier and also I
don't see anything about it in the debug output.
> > > What's wrong here, Jules? Could this be a problem with this somewhat old > > version of MS? (4.54.6) > > > Might be, there's been a lot of water under the bridge... and all that:-). > ISTR there being a rather heated discussion back somewhere there on > how to make MS notice the sa-update stuff, leading to some rather bad > setups with wrongly specified paths in MailScanner.conf (a modern SA > should be able to find these things by itself, no need to "help" it... > mostly:-). The command-line SA doesn't have this problem. It's the Mail::Spamassassin perl module. Either it needs these data or it should not get these data as it can determine them by itself (then they shouldn't be set in MailScanner.conf) - I don't know. Kai -- Kai Sch?tzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From stef at aoc-uk.com Fri Apr 4 16:47:22 2008 From: stef at aoc-uk.com (Stef Morrell) Date: Fri Apr 4 16:48:11 2008 Subject: Sophos not running correctly after most recent update - Fixed! In-Reply-To: References: <200804041253.m34Cr4TI032030@safir.blacknight.ie> Message-ID: <200804041548.m34FlcSa010929@safir.blacknight.ie> Hi, -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field Sent: 04 April 2008 14:33 To: MailScanner discussion Subject: Re: Sophos not running correctly after most recent update You're running an old MailScanner, and need (at least) a newer sophos-autoupdate. I have attached the latest version of this script to this message. Replace the one in /usr/lib/MailScanner/sophos-autoupdate with the uncompressed copy from this message. --- All working now - Many thanks Julian! I guess I had better schedule an MS upgrade. 
# ./sophos-wrapper /usr/local/Sophos SWEEP virus detection utility Version 4.28.0 [Linux/Intel] Virus data version 4.28, April 2008 Includes detection for 381187 viruses, trojans and worms Copyright (c) 1989-2008 Sophos Plc, www.sophos.com Regards Stef Stefan Morrell | Operations Director Tel: 0845 3452820 | Alpha Omega Computers Ltd Fax: 0845 3452830 | Incorporating Level 5 Internet stef@aoc-uk.com | stef@l5net.net Alpha Omega Computers Ltd, Unit 57, BBTC, Grange Road, Batley, WF17 6ER. Registered in England No. 3867142. VAT No. GB734421454 From mkettler at evi-inc.com Fri Apr 4 16:59:48 2008 From: mkettler at evi-inc.com (Matt Kettler) Date: Fri Apr 4 17:00:33 2008 Subject: False Positive, How do I resolve this? In-Reply-To: <07b601c89668$0a7b3130$1f719390$@com> References: <47F62636.1040206@ecs.soton.ac.uk> <07b601c89668$0a7b3130$1f719390$@com> Message-ID: <47F65074.6060302@evi-inc.com> Vernon Webb wrote: > I have a client who sends email attachments in a zip file. The files (as you > can see below) are named the way the client needs them to be. How do I get > around this? Maximum Archive Depth = 0 Otherwise, MailScanner will traverse into zipfiles and apply filename.rules to files inside the archive. Note this doesn't affect AV scanning, as the AV engines themselves decompress archives. MailScanner doesn't traverse into archives for AV purposes. From kkobb at skylinecorp.com Fri Apr 4 16:57:15 2008 From: kkobb at skylinecorp.com (Kevin Kobb) Date: Fri Apr 4 17:00:40 2008 Subject: Having problems installing on FreeBSD 64 Bit In-Reply-To: References: Message-ID: Andrew Chester wrote: > > Hi All > > I'm having a problem installing MS on FreeBSD 6.3 64 Bit, I've updated > the ports tree a few times now and it has MailScanner 4.67.6_1 - but > when I try install it thru the ports tree, I keep getting this error: > "bdc-7.0.1_2 is only for i386, while you are running amd64". 
> This happens when the MS installation runs through its dependency list, I
> have tried to find a 64bit package for bdc but can only find the i386
> package.
>
> I don't know why this is happening or what's gone wrong as I've installed
> MS on the same version of FreeBSD on another gateway, also 64 Bit,
> without a problem.
>
> If anyone can advise on what to do, it would be greatly appreciated -
> thank you.
>
> Kind Regards,
> Andrew
> ------------------------------------------------------------------------
> CONFIDENTIALITY CLAUSE
> This message is intended only for the use of the individual or entity to
> which it is addressed and contains information that is privileged and
> confidential. If the reader of this message is not the intended
> recipient, or the employee or agent responsible for delivering the
> message to the intended recipient, you are hereby notified that any
> dissemination, distribution or copying of this communication is strictly
> prohibited. If you have received this communication in error, please
> notify the sender by telephone.
>

Perhaps you could try this.

cd /usr/ports/mail/mailscanner
make clean
make rmconfig
make config

When you run 'make config' do not check the box for BitDefender. Then, try to install as usual.

From mkettler at evi-inc.com Fri Apr 4 17:01:25 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Apr 4 17:01:48 2008
Subject: False Positive, How do I resolve this?
In-Reply-To: <610C64469748E84DB6BDD5BD23F01A761802FC@MED-CORE03-MS1.med.wayne.edu>
References: <47F62636.1040206@ecs.soton.ac.uk> <07b601c89668$0a7b3130$1f719390$@com> <610C64469748E84DB6BDD5BD23F01A761802FC@MED-CORE03-MS1.med.wayne.edu>
Message-ID: <47F650D5.6080900@evi-inc.com>

Rose, Bobby wrote:
> Zip or rename the files without all those periods.

They are in a zipfile, as per Vernon's original message. However, MailScanner by default digs into zipfiles and applies filename rules there.
So zipping won't help you with a MailScanner config where "Maximum Archive Depth" isn't set to 0. > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vernon > Webb > Sent: Friday, April 04, 2008 11:25 AM > To: 'MailScanner discussion' > Subject: False Positive, How do I resolve this? > > I have a client who sends email attachments in a zip file. The files (as > you can see below) are named the way the client needs them to be. How do > I get around this? From MailScanner at ecs.soton.ac.uk Fri Apr 4 17:08:57 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Apr 4 17:09:43 2008 Subject: New MS install is slow to an extreme In-Reply-To: <47F64B31.6090706@invictawiz.com> References: <47F3CD9F.7070406@pixelhammer.com> <47F3D7A5.5040509@pixelhammer.com> <47F4BCB8.7030000@invictawiz.com> <47F4CBF1.70708@pixelhammer.com> <47F64B31.6090706@invictawiz.com> Message-ID: <47F65299.70006@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Martyn Routley wrote: > DAve wrote: >> Martyn Routley wrote: >>> DAve wrote: >>>> DAve wrote: >>>> >>>> I moved the incoming dir to a tmpfs mount (mdmfs on freebsd) no >>>> change in processing time. >>>> >>>> I am getting really stumped now. >>>> >>>> DAve >>>> >>>> >>>> >>> What is your hardware? >>> We had random processing times when running 6.2 on one of our >>> servers. (Single P4 dual core) >>> I upgraded in place to 7.0 (using FreeBsd Update >>> (http://www.freebsd.org/releases/7.0R/announce.html) and now the >>> emails don't touch the sides. >>> Getting Sophos to work was a bind though. >>> >> >> Interesting, do you know the upgrade helped? I am always leery of >> "upgrade" as a solution unless I know why the upgrade is the solution. 
>> >> Server 1 >> Intel(R) Xeon(TM) CPU 2.40GHz Quad Core >> 2GB ram >> Quatum Atlas SCSI drives, one for the system and one for the spool dir >> >> Server 2 >> Intel(R) Xeon(TM) CPU 2.40GHz Quad Core >> 2GB ram >> Maxtor SATA drives, one for the system and one for the spool dir >> >> DAve >> > Good question. > All that changed was the os version and the fact that I rebuilt all > installed ports. So, in short, you changed "everything" :-) > > The server went from a 5 minute av of 7+ to 3.5 or less and from > having 30 + messages waiting to be processed to having MailScanner > waiting for messages most of the time. > MS config/version didn't change > I don't discount the possibility that rebuilding all of the installed > ports helped. > Sounds like it's sorted out then, and not really MailScanner's fault after all :-) :-) Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.2 (Build 3005) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFH9lKaEfZZRxQVtlQRAhMEAKDOYKgEPBPd99bf1fhh47LMuaGiugCdFVoq GZqc1Ihnm4Cowfb1Xnm01n0= =sOQl -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Fri Apr 4 17:09:43 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Apr 4 17:10:02 2008 Subject: False Positive, How do I resolve this? 
In-Reply-To: <610C64469748E84DB6BDD5BD23F01A761802FC@MED-CORE03-MS1.med.wayne.edu> References: <47F62636.1040206@ecs.soton.ac.uk> <07b601c89668$0a7b3130$1f719390$@com> <610C64469748E84DB6BDD5BD23F01A761802FC@MED-CORE03-MS1.med.wayne.edu> Message-ID: <47F652C7.80702@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Or add an 'allow' rule to filename.rules.conf that allows everything ending in \.htm$ Rose, Bobby wrote: > Zip or rename the files without all those periods. > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vernon > Webb > Sent: Friday, April 04, 2008 11:25 AM > To: 'MailScanner discussion' > Subject: False Positive, How do I resolve this? > > I have a client who sends email attachments in a zip file. The files (as > you can see below) are named the way the client needs them to be. How do > I get around this? > > The virus detector said this about the message: > Report: Report: MailScanner: Found possible filename hiding > (Supervisor.Sales.Rep.htm) > Report: MailScanner: Found possible filename hiding > (Director.of.Mktg.Corp.Sales.Mgr.Recruiting.Mgr.htm) > Report: MailScanner: Found possible filename hiding (Sales.Call.Cen.htm) > Report: MailScanner: Found possible filename hiding > (Medical.Sales.Rep.htm) > Report: MailScanner: Found possible filename hiding > (Sales.agent.Customer.service.Adm.htm) > Report: MailScanner: Found possible filename hiding (E.5.Sgt.htm) > Report: MailScanner: Found possible filename hiding (Successful.and.htm) > Report: MailScanner: Found possible filename hiding (Focused.on.Res.htm) > Report: MailScanner: Found possible filename hiding (Area.Sales.Mgr.htm) > Report: MailScanner: Found possible filename hiding (Operations.Man.htm) > Report: MailScanner: Found possible filename hiding (SALES.REP.htm) > Report: MailScanner: Found possible filename hiding (sales.man.htm) > Report: MailScanner: Found possible 
filename hiding (insurancec.rep.htm) > Report: MailScanner: Found possible filename hiding > (Senior.Sales.Rep.htm) > > > -- > This message has been scanned for viruses and dangerous content at > comp-wiz.com, and is believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.2 (Build 3005) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFH9lLIEfZZRxQVtlQRAsvyAKDJWkaH1Qa+kzTGVQ/kmBDTxcNL0gCgyUdu 6TyA4sBIloiSyJKWaagfu2Y= =cdES -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From jlcostinha at halla.pt Fri Apr 4 17:15:38 2008 From: jlcostinha at halla.pt (Jorge Costinha) Date: Fri Apr 4 17:16:15 2008 Subject: Zip Attachments Message-ID: <47F6542A.6090204@halla.pt> i got Zip Attachment = %rules-dir%/filename.rules Attachments min total size to zip = 5000k where in filename.rules i got: From: yes FromOrTo: default no what am i missing? PS- i also have the Maximum Message Size = %rules-dir%/anotherfilename.rules. this is working as it should. thanks in advance. 
Jorge From MailScanner at ecs.soton.ac.uk Fri Apr 4 17:23:15 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Fri Apr 4 17:23:35 2008 Subject: SA times out In-Reply-To: References: <47F39721.3000603@ecs.soton.ac.uk> <223f97700804040057j39668387sad309a47257d7722@mail.gmail.com> Message-ID: <47F655F3.8000903@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kai Schaetzl wrote: > Glenn Steen wrote on Fri, 4 Apr 2008 09:57:21 +0200: > > >> Sorry if you already supplied this, but what do you have for the >> different SA paths in MailScanner.conf? >> > > Good suggestion. There must have been indeed a bug in that MS version. > > # The rules created by the "sa-update" tool are searched for here. > # This directory contains the spamassassin/3.001001/updates_spamassassin_org > # directory structure beneath it. > # Only un-comment this setting once you have proved that the sa-update > # cron job has run successfully and has created a directory structure under > # the spamassassin directory within this one and has put some *.cf files in > # there. Otherwise it will ignore all your current rules! > # The default location may be /var/opt on Solaris systems. > SpamAssassin Local State Dir = /var/lib > > A newer MS version has this: > > # The rules created by the "sa-update" tool are searched for here. > # This directory contains the 3.001001/updates_spamassassin_org > # directory structure beneath it. > # Only un-comment this setting once you have proved that the sa-update > # cron job has run successfully and has created a directory structure under > # the spamassassin directory within this one and has put some *.cf files in > # there. Otherwise it will ignore all your current rules! > # The default location may be /var/opt on Solaris systems. > SpamAssassin Local State Dir = # /var/lib/spamassassin > > It seems the code is the same, but documentation (compare the second line!) > and update_mailscanner_conf where not correct. 
I changed that line to > SpamAssassin Local State Dir = /var/lib/spamassassin > and it uses now the correct rules. > > However, MS still times out. The first time I tried it almost came to an end, > but eventually timed out, anyway. It definitely takes much longer than via > command-line. I then upped the time-out to 240 seconds, but now I hit a new > phenomenon. The message is just removed from mqueue.in and Mailwatch shows > again that it times out. But MailScanner doesn't print anymore (to the log, > it doesn't do this in the debug output) that it hits a timeout. It almost > immediately finishes and doesn't process the message. Could this be the sa > cache of MS? If so, I don't understand why that didn't hit earlier and also I > don't see anything about it in the debug output. > There was a bug (fixed fairly recently, it should be in the ChangeLog) where 'timed out' results were incorrectly cached, as they obviously should not be cached at all. > >>> What's wrong here, Jules? Could this be a problem with this somewhat old >>> version of MS? (4.54.6) >>> >>> >> Might be, there's been a lot of water under the bridge... and all that:-). >> ISTR there being a rather heated discussion back somewhere there on >> how to make MS notice the sa-update stuff, leading to some rather bad >> setups with wrongly specified paths in MailScanner.conf (a modern SA >> should be able to find these things by itself, no need to "help" it... >> mostly:-). >> > > The command-line SA doesn't have this problem. It's the Mail::Spamassassin > perl module. The command-line SA calls the Mail::SpamAssassin perl module to do all the hard work. > Either it needs these data or it should not get these data as it > can determine them by itself (then they shouldn't be set in MailScanner.conf) > - I don't know. > You should usually leave SpamAssassin to work out its paths on its own, it's very rare that you need to specify these paths. 
Which is why they are in the "*Advanced* SpamAssassin Settings" section of MailScanner.conf.

Jules

- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.2 (Build 3005)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFH9lX0EfZZRxQVtlQRAjUCAJ414CrAK0zjcqGunHuNXKc50paBwwCg0z8I
fVdQry9QVRv1ekhGGAGdKVI=
=aP/7
-----END PGP SIGNATURE-----

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From butler at globeserver.com Fri Apr 4 17:40:57 2008
From: butler at globeserver.com (Philip Butler)
Date: Fri Apr 4 17:42:14 2008
Subject: Another question about rulesets...
Message-ID:

Hi all,

I have another question about rulesets. I am trying to sign outgoing messages with a signature. Here is my ruleset. 'domain123.com' and 'domain456.com' are "my" test domains (not really mine, but using this as a test).

-------------
From: *@domain123.com and to: *@domain123.com no
From: *@domain123.com and to: *@domain456.com no
From: *@domain123.com yes
From: *@domain456.com and to: *@domain123.com no
From: *@domain456.com and to: *@domain456.com no
From: *@domain456.com yes
FromOrTo: default no
-------------

It works properly if there is one recipient (internal/external) but the problem is that when I send from test1@domain123.com to test2@domain123.com AND test@anotherdomain.com, the message does not get signed. In other words, if ANY recipient is from a local domain, then the message does not get signed. I would prefer it to be the other way around.

Any suggestions as to how I can change the ruleset ??

In a way, I want:

-------------
# incoming messages not signed
From: NOT *@domain123.com and to: *@domain123.com no
From: NOT *@domain123.com and to: *@domain456.com no
From: NOT *@domain456.com and to: *@domain123.com no
From: NOT *@domain456.com and to: *@domain456.com no
# internal messages not signed
From: *@domain123.com and ONLY to: *@domain123.com no
From: *@domain123.com and ONLY to: *@domain456.com no
From: *@domain456.com and ONLY to: *@domain123.com no
From: *@domain456.com and ONLY to: *@domain456.com no
# All others signed - including mixed local/non-local recipients
FromOrTo: default yes
-------------

Also, I tried adding:

----
From: 10.1.1.0/255.255.255.0 and to: *@domain123.com no
From: 10.1.1.0/255.255.255.0 and to: *@domain456.com no
From: 10.1.1.0/255.255.255.0 yes
From: 10.34.56.0/255.255.255.0 and to: *@domain123.com no
From: 10.34.56.0/255.255.255.0 and to: *@domain456.com no
From: 10.34.56.0/255.255.255.0 yes
----

to the ruleset (10.1.1.0 and 10.34.56.0 are "internal" networks) and I kept getting defunct mailscanner processes. This is based on a previous email response from Julian.

I am running MS 4.66.5 - I haven't upgraded to the latest and greatest yet.

Do I have a syntax problem here ??

Phil

From brose at med.wayne.edu Fri Apr 4 18:18:27 2008
From: brose at med.wayne.edu (Rose, Bobby)
Date: Fri Apr 4 18:19:07 2008
Subject: False Positive, How do I resolve this?
In-Reply-To: <47F650D5.6080900@evi-inc.com>
References: <47F62636.1040206@ecs.soton.ac.uk> <07b601c89668$0a7b3130$1f719390$@com><610C64469748E84DB6BDD5BD23F01A761802FC@MED-CORE03-MS1.med.wayne.edu> <47F650D5.6080900@evi-inc.com>
Message-ID: <610C64469748E84DB6BDD5BD23F01A76180313@MED-CORE03-MS1.med.wayne.edu>

Password protect zip unless you are blocking that.
-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Kettler
Sent: Friday, April 04, 2008 12:01 PM
To: MailScanner discussion
Subject: Re: False Positive, How do I resolve this?

Rose, Bobby wrote:
> Zip or rename the files without all those periods.

They are in a zipfile, as per Vernon's original message. However, MailScanner by default digs into zipfiles and applies filename rules there. So zipping won't help you with a MailScanner config where "Maximum Archive Depth" isn't set to 0.

>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> Vernon Webb
> Sent: Friday, April 04, 2008 11:25 AM
> To: 'MailScanner discussion'
> Subject: False Positive, How do I resolve this?
>
> I have a client who sends email attachments in a zip file. The files
> (as you can see below) are named the way the client needs them to be.
> How do I get around this?

--
MailScanner mailing list
mailscanner@lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!
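The effect of the `\.htm$` allow rule suggested earlier in this thread, as an added example (not MailScanner's code and not written by any poster): a first-match evaluator over filename.rules.conf-style lines, run on filenames taken from the report above. The double-extension deny pattern, the four tab-separated fields, case-insensitive matching and first-match-wins ordering are assumptions made for the illustration, not copied from the shipped rules file.

```python
from __future__ import annotations

import re
from typing import NamedTuple


class Rule(NamedTuple):
    action: str          # "allow" or "deny"
    pattern: re.Pattern  # compiled filename regex
    log_text: str        # text that would go to the log/report
    user_text: str       # text that would be shown to the user


def parse_rules(text: str) -> list[Rule]:
    """Parse lines of 'action<TAB>regex<TAB>log text<TAB>user text'."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        fields = re.split(r"\t+", line)
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields")
        action, regex, log_text, user_text = fields
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append(Rule(action, re.compile(regex, re.IGNORECASE),
                          log_text, user_text))
    return rules


def check(filename: str, rules: list[Rule]) -> tuple[str, str]:
    """Return (action, log text) of the first rule that matches the name."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule.action, rule.log_text
    return "allow", "no rule matched"


def blocked(names: list[str], rules: list[Rule]) -> list[str]:
    """Names from the list that the ruleset would deny, in input order."""
    return [n for n in names if check(n, rules)[0] == "deny"]


# Assumed double-extension rule (constructed for this example).
DENY_HIDING = "\t".join([
    "deny", r"\.[a-z][a-z0-9]{2,3}\s*\.[a-z0-9]{3}$",
    "Found possible filename hiding",
    "Attempt to hide real filename extension",
])
# The allow rule described in the thread: everything ending in \.htm$
ALLOW_HTM = "\t".join(["allow", r"\.htm$", "-", "-"])

# Filenames quoted in the report earlier in the thread.
REPORTED = [
    "Supervisor.Sales.Rep.htm",
    "Director.of.Mktg.Corp.Sales.Mgr.Recruiting.Mgr.htm",
    "E.5.Sgt.htm",
    "SALES.REP.htm",
    "insurancec.rep.htm",
]
# Constructed names, not from the thread, to show what else changes.
CONSTRUCTED = ["invoice.pdf.htm", "notes.txt.exe", "readme.htm"]

if __name__ == "__main__":
    rulesets = {
        "deny only": parse_rules(DENY_HIDING),
        "allow before deny": parse_rules(ALLOW_HTM + "\n" + DENY_HIDING),
        "allow after deny": parse_rules(DENY_HIDING + "\n" + ALLOW_HTM),
    }
    for label, rules in rulesets.items():
        print(label)
        for name in REPORTED + CONSTRUCTED:
            action, why = check(name, rules)
            print(f"  {action:5}  {name}  ({why})")
```

Under these assumptions the allow rule only helps when it precedes the deny rule, and it also passes every other double-extension name that ends in .htm, so a pattern narrowed to the client's naming scheme admits less.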
From dave.list at pixelhammer.com Fri Apr 4 19:04:13 2008 From: dave.list at pixelhammer.com (DAve) Date: Fri Apr 4 19:04:57 2008 Subject: New MS install is slow to an extreme In-Reply-To: <47F65299.70006@ecs.soton.ac.uk> References: <47F3CD9F.7070406@pixelhammer.com> <47F3D7A5.5040509@pixelhammer.com> <47F4BCB8.7030000@invictawiz.com> <47F4CBF1.70708@pixelhammer.com> <47F64B31.6090706@invictawiz.com> <47F65299.70006@ecs.soton.ac.uk> Message-ID: <47F66D9D.5060902@pixelhammer.com> Julian Field wrote: > Sounds like it's sorted out then, and not really MailScanner's fault > after all :-) :-) > > Jules Every problem I have ever encountered with MailScanner has been an issue with a loose nut between the keyboard and chair. Though I heard rumors of swapping once. DAve -- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins. From glenn.steen at gmail.com Fri Apr 4 19:12:57 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Apr 4 19:13:33 2008 Subject: SA times out In-Reply-To: References: <47F39721.3000603@ecs.soton.ac.uk> <223f97700804040057j39668387sad309a47257d7722@mail.gmail.com> Message-ID: <223f97700804041112l50a424e8o1e009a7ac09143a@mail.gmail.com> On 04/04/2008, Kai Schaetzl wrote: > Glenn Steen wrote on Fri, 4 Apr 2008 09:57:21 +0200: > > > > Sorry if you already supplied this, but what do you have for the > > different SA paths in MailScanner.conf? > > > Good suggestion. There must have been indeed a bug in that MS version. > > # The rules created by the "sa-update" tool are searched for here. > # This directory contains the spamassassin/3.001001/updates_spamassassin_org > # directory structure beneath it. 
> # Only un-comment this setting once you have proved that the sa-update
> # cron job has run successfully and has created a directory structure under
> # the spamassassin directory within this one and has put some *.cf files in
> # there. Otherwise it will ignore all your current rules!
> # The default location may be /var/opt on Solaris systems.
> SpamAssassin Local State Dir = /var/lib
>
> A newer MS version has this:
>
> # The rules created by the "sa-update" tool are searched for here.
> # This directory contains the 3.001001/updates_spamassassin_org
> # directory structure beneath it.
> # Only un-comment this setting once you have proved that the sa-update
> # cron job has run successfully and has created a directory structure under
> # the spamassassin directory within this one and has put some *.cf files in
> # there. Otherwise it will ignore all your current rules!
> # The default location may be /var/opt on Solaris systems.
> SpamAssassin Local State Dir = # /var/lib/spamassassin
>
> It seems the code is the same, but documentation (compare the second line!)
> and update_mailscanner_conf were not correct. I changed that line to
> SpamAssassin Local State Dir = /var/lib/spamassassin
> and it uses now the correct rules.

Go all the way and set a hashmark before the path (effectively leaving the setting blank, which is how the commandline spamassassin tool does it... See if that doesn't work even better.

> However, MS still times out. The first time I tried it almost came to an end,
> but eventually timed out, anyway. It definitely takes much longer than via
> command-line. I then upped the time-out to 240 seconds, but now I hit a new
> phenomenon. The message is just removed from mqueue.in and Mailwatch shows
> again that it times out. But MailScanner doesn't print anymore (to the log,
> it doesn't do this in the debug output) that it hits a timeout. It almost
> immediately finishes and doesn't process the message. Could this be the sa
> cache of MS?
If so, I don't understand why that didn't hit earlier and also I
> don't see anything about it in the debug output.

See Jules suggestion... alluded/implied, but still... Time to upgrade;-).
Or turn off the SA cache.

> >
> > > What's wrong here, Jules? Could this be a problem with this somewhat old
> > > version of MS? (4.54.6)
> > >
> > Might be, there's been a lot of water under the bridge... and all that:-).
> > ISTR there being a rather heated discussion back somewhere there on
> > how to make MS notice the sa-update stuff, leading to some rather bad
> > setups with wrongly specified paths in MailScanner.conf (a modern SA
> > should be able to find these things by itself, no need to "help" it...
> > mostly:-).
> >
> The command-line SA doesn't have this problem. It's the Mail::Spamassassin
> perl module. Either it needs these data or it should not get these data as it
> can determine them by itself (then they shouldn't be set in MailScanner.conf)
> - I don't know.

*If* you need it is pretty obvious... MailScanner won't have a working
SA, no rules from the sa-update will fire, while they will with the
cmd-line tool... You likely don't need it. Try it and see what
happens:-).

Perhaps best way to test is to do that long-overdue update:-):-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From maillists at conactive.com Fri Apr 4 19:18:25 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Apr 4 19:19:25 2008
Subject: SA times out
In-Reply-To: <47F3AA32.50303@ecs.soton.ac.uk>
References: <47F39721.3000603@ecs.soton.ac.uk> <47F3A36A.10008@ecs.soton.ac.uk> <47F3AA32.50303@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Wed, 02 Apr 2008 16:45:54 +0100:

> >> but perhaps a feature request could be a
> >> CLI switch to specify the message ID so MS only scans the particular
> >> message(s) that you're interested in observing.
> >>
> > Good idea. I'll take a look. Would a single ID do?
> All done. It will be in the next release.

Ahm, Julian, now that I have used the MS debugging feature a few times I
think being able to grab a single ID may be nice, but not really helpful
for a production machine. I have to disable at least MS if I want to debug
(otherwise it would "steal" the queue files) and usually this is not done
within a few seconds, but takes at least five minutes or more, maybe
repeatedly. It would be nice if I could specify an alternative queue
directory, so I can run a MailScanner instance in parallel to the
production daemon and debug files from that directory while the normal
sendmail/MS operation isn't affected. I think this would be much more
helpful than specifying a certain ID.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From maillists at conactive.com Fri Apr 4 19:18:25 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Apr 4 19:19:32 2008
Subject: SA times out
In-Reply-To: <47F655F3.8000903@ecs.soton.ac.uk>
References: <47F39721.3000603@ecs.soton.ac.uk> <223f97700804040057j39668387sad309a47257d7722@mail.gmail.com> <47F655F3.8000903@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Fri, 04 Apr 2008 17:23:15 +0100:

> The command-line SA calls the Mail::SpamAssassin perl module to do all
> the hard work.

But why is it then much faster? At least for this message. I notice that
when I debug with MS it first scans some default message, maybe the one SA
scans when using "spamassassin -D --lint", only then it grabs a message
from the queue. Does this only happen with MS in debug mode?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From campbell at cnpapers.com Fri Apr 4 19:14:09 2008
From: campbell at cnpapers.com (Steve Campbell)
Date: Fri Apr 4 19:19:55 2008
Subject: False Positive, How do I resolve this?
In-Reply-To: <47F652C7.80702@ecs.soton.ac.uk> References: <47F62636.1040206@ecs.soton.ac.uk> <07b601c89668$0a7b3130$1f719390$@com> <610C64469748E84DB6BDD5BD23F01A761802FC@MED-CORE03-MS1.med.wayne.edu> <47F652C7.80702@ecs.soton.ac.uk> Message-ID: <47F66FF1.7090601@cnpapers.com> Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Or add an 'allow' rule to filename.rules.conf that allows everything > ending in \.htm$ > > Rose, Bobby wrote: > >> Zip or rename the files without all those periods. >> >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vernon >> Webb >> Sent: Friday, April 04, 2008 11:25 AM >> To: 'MailScanner discussion' >> Subject: False Positive, How do I resolve this? >> >> I have a client who sends email attachments in a zip file. The files (as >> you can see below) are named the way the client needs them to be. How do >> I get around this? >> >> The virus detector said this about the message: >> Report: Report: MailScanner: Found possible filename hiding >> (Supervisor.Sales.Rep.htm) >> Report: MailScanner: Found possible filename hiding >> (Director.of.Mktg.Corp.Sales.Mgr.Recruiting.Mgr.htm) >> Report: MailScanner: Found possible filename hiding (Sales.Call.Cen.htm) >> Report: MailScanner: Found possible filename hiding >> (Medical.Sales.Rep.htm) >> Report: MailScanner: Found possible filename hiding >> (Sales.agent.Customer.service.Adm.htm) >> Report: MailScanner: Found possible filename hiding (E.5.Sgt.htm) >> Report: MailScanner: Found possible filename hiding (Successful.and.htm) >> Report: MailScanner: Found possible filename hiding (Focused.on.Res.htm) >> Report: MailScanner: Found possible filename hiding (Area.Sales.Mgr.htm) >> Report: MailScanner: Found possible filename hiding (Operations.Man.htm) >> Report: MailScanner: Found possible filename hiding (SALES.REP.htm) >> Report: MailScanner: Found possible filename hiding 
(sales.man.htm) >> Report: MailScanner: Found possible filename hiding (insurancec.rep.htm) >> Report: MailScanner: Found possible filename hiding >> (Senior.Sales.Rep.htm) >> >> >> -- >> This message has been scanned for viruses and dangerous content at >> comp-wiz.com, and is believed to be clean. >> >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! >> >> >> > > Jules > > - -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.8.2 (Build 3005) > Comment: (pgp-secured) > Charset: ISO-8859-1 > > wj8DBQFH9lLIEfZZRxQVtlQRAsvyAKDJWkaH1Qa+kzTGVQ/kmBDTxcNL0gCgyUdu > 6TyA4sBIloiSyJKWaagfu2Y= > =cdES > -----END PGP SIGNATURE----- > > Not really being much help here, but wasn't the underlying reason for this rule fixed by Microsoft in Outlook & Outlook Express ages ago and couldn't the rule that it's tripping over just be deleted? If I am recalling correctly, then, I would find it really strange to still have one of those versions of O or OE still around. I could be wrong though. Since this is such a specific sender with special requirements for file naming, and I am wrong about the M$ fix, I would think a ruleset would work for a solution (if rulesets can be used for the parm). 
Steve Campbell From glenn.steen at gmail.com Fri Apr 4 19:20:18 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Fri Apr 4 19:20:53 2008 Subject: MailScanner ignoring some rules In-Reply-To: References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> <47F46B28.2050507@vanderkooij.org> <47F53B57.1070307@ecs.soton.ac.uk> <8F1DE832AFD34082A4D0CB25E4E7D7E7@TWDNB03> <223f97700804040109p3a5d97a5w439ef4d77ba879b1@mail.gmail.com> Message-ID: <223f97700804041120q3eaf3f90j4a0cce865e66b12@mail.gmail.com> Sorry all, for the top post... a bit too tipsy to really safely (snip) with even a virtual scissor...:-) That all _looks_ mostly OK... So, plan B... You've never used another system to edit the MailScanner.conf or rules file? Like crappy windoze? If so, there might be "non-printable" characters on the end of the line (like a spurious )... Then again, I thought the --lint would catch that... Oh well. Cheers -- Glenn On 04/04/2008, TecnoWay Digital wrote: > MailScanner --lint > > Trying to setlogsock(unix) > Read 817 hostnames from the phishing whitelist > Read 5549 hostnames from the phishing blacklist > Config: calling custom init function SQLBlacklist > Starting up SQL Blacklist > Read 326 blacklist entries > Config: calling custom init function MailWatchLogging > Started SQL Logging child > Config: calling custom init function SQLWhitelist > Starting up SQL Whitelist > Read 40 whitelist entries > Checking version numbers... > Version number in MailScanner.conf (4.68.8) is correct. > > Your envelope_sender_header in spam.assassin.prefs.conf is correct. > MailScanner setting GID to (89) > MailScanner setting UID to (89) > > Checking for SpamAssassin errors (if you use it)... 
> SpamAssassin temporary working directory is > /var/spool/MailScanner/incoming/SpamAssassin-Temp > SpamAssassin temp dir = > /var/spool/MailScanner/incoming/SpamAssassin-Temp > Using SpamAssassin results cache > Connected to SpamAssassin cache database > SpamAssassin reported no errors. > Using locktype = posix > MailScanner.conf says "Virus Scanners = mcafee" > Found these virus scanners installed: clamav, mcafee > =========================================================================== > Virus and Content Scanning: Starting > /1/eicar.com Found: EICAR test file NOT a virus. > Virus Scanning: McAfee found 1 infections > Infected message 1 came from 10.1.1.1 > Virus Scanning: Found 1 viruses > =========================================================================== > Virus Scanner test reports: > McAfee said "/1/eicar.com Found: EICAR test file NOT a virus." > > If any of your virus scanners (clamav,mcafee) > are not listed there, you should check that they are installed correctly > and that MailScanner is finding them correctly via its virus.scanners.conf. 
> Config: calling custom end function SQLBlacklist > Closing down by-domain spam blacklist > Config: calling custom end function MailWatchLogging > Config: calling custom end function SQLWhitelist > Closing down by-domain spam whitelist > -------------------------------------------------------------------- > > My MailScanner.conf > > %org-name% = Silmaq > %org-long-name% = Silmaq S.A > %web-site% = www.silmaq.com.br > %etc-dir% = /etc/MailScanner > %report-dir% = /etc/MailScanner/reports/pt_br > %rules-dir% = /etc/MailScanner/rules > %mcp-dir% = /etc/MailScanner/mcp > Max Children = 5 > Run As User = postfix > Run As Group = postfix > Queue Scan Interval = 6 > Incoming Queue Dir = /var/spool/postfix/hold > Outgoing Queue Dir = /var/spool/postfix/incoming > Incoming Work Dir = /var/spool/MailScanner/incoming > Quarantine Dir = /var/spool/MailScanner/quarantine > PID file = /var/run/MailScanner.pid > Restart Every = 7200 > MTA = postfix > Sendmail = /usr/sbin/sendmail > Sendmail2 = /usr/sbin/sendmail > Incoming Work User = > Incoming Work Group = > Incoming Work Permissions = 0600 > Quarantine User = root > Quarantine Group = apache > Quarantine Permissions = 0660 > Max Unscanned Bytes Per Scan = 100m > Max Unsafe Bytes Per Scan = 50m > Max Unscanned Messages Per Scan = 30 > Max Unsafe Messages Per Scan = 30 > Max Normal Queue Size = 800 > Scan Messages = %rules-dir%/scan.messages.rules > Reject Message = no > Maximum Attachments Per Message = 200 > Expand TNEF = yes > Use TNEF Contents = replace > Deliver Unparsable TNEF = no > TNEF Expander = /usr/bin/tnef --maxsize=100000000 > TNEF Timeout = 120 > File Command = /usr/bin/file > File Timeout = 20 > Gunzip Command = /bin/gunzip > Gunzip Timeout = 50 > Unrar Command = /usr/bin/unrar > Unrar Timeout = 50 > Find UU-Encoded Files = no > Maximum Message Size = %rules-dir%/max.message.size.rules > Maximum Attachment Size = -1 > Minimum Attachment Size = -1 > Maximum Archive Depth = 0 > Find Archives By Content = yes > Zip 
Attachments = no > Attachments Zip Filename = MessageAttachments.zip > Attachments Min Total Size To Zip = 100k > Attachment Extensions Not To Zip = .zip .rar .gz .tgz .jpg .jpeg .mpg .mpe > .mpeg .mp3 .rpm .htm .html .eml > Virus Scanning = yes > Virus Scanners = mcafee > Virus Scanner Timeout = 300 > Deliver Disinfected Files = no > Silent Viruses = HTML-IFrame All-Viruses > Still Deliver Silent Viruses = no > Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar > Block Encrypted Messages = no > Block Unencrypted Messages = no > Allow Password-Protected Archives = no > Check Filenames In Password-Protected Archives = yes > Allowed Sophos Error Messages = > Sophos IDE Dir = /opt/sophos-av/lib/sav > Sophos Lib Dir = /opt/sophos-av/lib > Monitors For Sophos Updates = /opt/sophos-av/lib/sav/*.ide > Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/* > /usr/local/share/clamav/*.cvd > ClamAVmodule Maximum Recursion Level = 8 > ClamAVmodule Maximum Files = 1000 > ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes) > ClamAVmodule Maximum Compression Ratio = 250 > Clamd Port = 3310 > Clamd Socket = /tmp/clamd > Clamd Lock File = # /var/lock/subsys/clamd > Clamd Use Threads = no > ClamAV Full Message Scan = yes > Fpscand Port = 10200 > Dangerous Content Scanning = yes > Allow Partial Messages = no > Allow External Message Bodies = no > Find Phishing Fraud = yes > Also Find Numeric Phishing = yes > Use Stricter Phishing Net = yes > Highlight Phishing Fraud = yes > Phishing Safe Sites File = > %etc-dir%/phishing.safe.sites.conf > Phishing Bad Sites File = > %etc-dir%/phishing.bad.sites.conf > Country Sub-Domains List = %etc-dir%/country.domains.conf > Allow IFrame Tags = disarm > Allow Form Tags = disarm > Allow Script Tags = disarm > Allow WebBugs = disarm > Ignored Web Bug Filenames = spacer pixel.gif pixel.png gap > Known Web Bug Servers = msgtag.com > Web Bug Replacement = > http://www.mailscanner.tv/1x1spacer.gif > Allow Object Codebase Tags = disarm > 
Convert Dangerous HTML To Text = no > Convert HTML To Text = no > Allow Filenames = > Deny Filenames = > Filename Rules = %etc-dir%/filename.regra.rules > Allow Filetypes = > Allow File MIME Types = > Deny Filetypes = > Deny File MIME Types = > Filetype Rules = %etc-dir%/filetype.rules.conf > Quarantine Infections = yes > Quarantine Silent Viruses = no > Quarantine Modified Body = no > Quarantine Whole Message = yes > Quarantine Whole Messages As Queue Files = no > Keep Spam And MCP Archive Clean = no > Language Strings = %report-dir%/languages.conf > Rejection Report = %report-dir%/rejection.report.txt > Deleted Bad Content Message Report = > %report-dir%/deleted.content.message.txt > Deleted Bad Filename Message Report = > %report-dir%/deleted.filename.message.txt > Deleted Virus Message Report = > %report-dir%/deleted.virus.message.txt > Deleted Size Message Report = > %report-dir%/deleted.size.message.txt > Stored Bad Content Message Report = > %report-dir%/stored.content.message.txt > Stored Bad Filename Message Report = > %report-dir%/stored.filename.message.txt > Stored Virus Message Report = > %report-dir%/stored.virus.message.txt > Stored Size Message Report = > %report-dir%/stored.size.message.txt > Disinfected Report = %report-dir%/disinfected.report.txt > Inline HTML Signature = %report-dir%/inline.sig.html > Inline Text Signature = %report-dir%/inline.sig.txt > Signature Image Filename = %report-dir%/sig.jpg > Signature Image Filename = signature.jpg > Inline HTML Warning = %report-dir%/inline.warning.html > Inline Text Warning = %report-dir%/inline.warning.txt > Sender Content Report = > %report-dir%/sender.content.report.txt > Sender Error Report = %report-dir%/sender.error.report.txt > Sender Bad Filename Report = > %report-dir%/sender.filename.report.txt > Sender Virus Report = %report-dir%/sender.virus.report.txt > Sender Size Report = %report-dir%/sender.size.report.txt > Hide Incoming Work Dir = yes > Include Scanner Name In Reports = yes > Mail 
Header = X-%org-name%-MailScanner: > Spam Header = X-%org-name%-MailScanner-SpamCheck: > Spam Score Header = X-%org-name%-MailScanner-SpamScore: > Information Header = X-%org-name%-MailScanner-Information: > Add Envelope From Header = yes > Add Envelope To Header = no > Envelope From Header = X-%org-name%-MailScanner-From: > Envelope To Header = X-%org-name%-MailScanner-To: > Spam Score Character = s > SpamScore Number Instead Of Stars = no > Minimum Stars If On Spam List = 0 > Clean Header Value = Found to be clean > Infected Header Value = Found to be infected > Disinfected Header Value = Disinfected > Information Header Value = Please contact the ISP for more information > Detailed Spam Report = yes > Include Scores In SpamAssassin Report = yes > Always Include SpamAssassin Report = no > Multiple Headers = append > Hostname = the %org-name% ($HOSTNAME) MailScanner > Sign Messages Already Processed = no > Sign Clean Messages = %rules-dir%/regras_assinatura.rules > Attach Image To Signature = no > Attach Image To HTML Message Only = yes > Mark Infected Messages = yes > Mark Unscanned Messages = yes > Unscanned Header Value = Not scanned: please contact your Internet E-Mail > Service Provider for details > Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2: > Deliver Cleaned Messages = yes > Notify Senders = yes > Notify Senders Of Viruses = no > Notify Senders Of Blocked Filenames Or Filetypes = yes > Notify Senders Of Blocked Size Attachments = no > Notify Senders Of Other Blocked Content = yes > Never Notify Senders Of Precedence = list bulk > Scanned Subject Text = {Scanned} > Virus Modify Subject = start > Virus Subject Text = {Virus?} > Filename Modify Subject = start > Filename Subject Text = {Filename?} > Content Modify Subject = start > Content Subject Text = {Dangerous Content?} > Size Modify Subject = start > Size Subject Text = {Size} > Disarmed Modify Subject = start > Disarmed Subject Text = {Disarmed} > Phishing Modify Subject = no > Phishing 
Subject Text = {Fraud?} > Spam Modify Subject = start > Spam Subject Text = {Spam?} > High Scoring Spam Modify Subject = start > High Scoring Spam Subject Text = {Spam?} > Warning Is Attachment = yes > Attachment Warning Filename = > %org-name%-Attachment-Warning.txt > Attachment Encoding Charset = ISO-8859-1 > Archive Mail = %rules-dir%/copia-email.rules > Send Notices = no > Notices Include Full Headers = yes > Hide Incoming Work Dir in Notices = no > Notice Signature = -- \nMailScanner\nEmail Virus > Scanner\nwww.mailscanner.info > Notices From = teste > Notices To = postmaster > Local Postmaster = postmaster > Spam List Definitions = %etc-dir%/spam.lists.conf > Virus Scanner Definitions = %etc-dir%/virus.scanners.conf > Spam Checks = yes > Spam Domain List = > Spam Lists To Be Spam = 1 > Spam Lists To Reach High Score = 3 > Spam List Timeout = 10 > Max Spam List Timeouts = 7 > Spam List Timeouts History = 10 > Is Definitely Not Spam = &SQLWhitelist > Is Definitely Spam = &SQLBlacklist > Definite Spam Is High Scoring = no > Ignore Spam Whitelist If Recipients Exceed = 50 > Max Spam Check Size = 200k > Use Watermarking = no > Add Watermark = yes > Check Watermarks With No Sender = yes > Treat Invalid Watermarks With No Sender as Spam = nothing > Check Watermarks To Skip Spam Checks = yes > Watermark Secret = %org-name%-Secret > Watermark Lifetime = 604800 > Watermark Header = X-%org-name%-MailScanner-Watermark: > Use SpamAssassin = yes > Max SpamAssassin Size = 200k > Required SpamAssassin Score = 6 > High SpamAssassin Score = 10 > SpamAssassin Auto Whitelist = yes > SpamAssassin Timeout = 75 > Max SpamAssassin Timeouts = 10 > SpamAssassin Timeouts History = 30 > Check SpamAssassin If On Spam List = yes > Include Binary Attachments In SpamAssassin = no > Spam Score = yes > Cache SpamAssassin Results = yes > SpamAssassin Cache Database File = > /var/spool/MailScanner/incoming/SpamAssassin.cache.db > Rebuild Bayes Every = 0 > Wait During Bayes Rebuild = no > Use 
Custom Spam Scanner = no > Max Custom Spam Scanner Size = 20k > Custom Spam Scanner Timeout = 20 > Max Custom Spam Scanner Timeouts = 10 > Custom Spam Scanner Timeout History = 20 > Spam Actions = store > High Scoring Spam Actions = store > Non Spam Actions = deliver header "X-Spam-Status: No" > SpamAssassin Rule Actions = > Sender Spam Report = %report-dir%/sender.spam.report.txt > Sender Spam List Report = > %report-dir%/sender.spam.rbl.report.txt > Sender SpamAssassin Report = > %report-dir%/sender.spam.sa.report.txt > Inline Spam Warning = %report-dir%/inline.spam.warning.txt > Recipient Spam Report = > %report-dir%/recipient.spam.report.txt > Enable Spam Bounce = %rules-dir%/bounce.rules > Bounce Spam As Attachment = no > Syslog Facility = mail > Log Speed = no > Log Spam = no > Log Non Spam = no > Log Permitted Filenames = no > Log Permitted Filetypes = no > Log Permitted File MIME Types = no > Log Silent Viruses = no > Log Dangerous HTML Tags = no > Log SpamAssassin Rule Actions = no > SpamAssassin Temporary Dir = > /var/spool/MailScanner/incoming/SpamAssassin-Temp > SpamAssassin User State Dir = > /var/spool/MailScanner/spamassassin > SpamAssassin Install Prefix = > SpamAssassin Site Rules Dir = /etc/mail/spamassassin > SpamAssassin Local Rules Dir = > SpamAssassin Default Rules Dir = > MCP Checks = yes > First Check = mcp > MCP Required SpamAssassin Score = 1 > MCP High SpamAssassin Score = 10 > MCP Error Score = 1 > MCP Header = X-%org-name%-MailScanner-MCPCheck: > Non MCP Actions = deliver > MCP Actions = forward spam@silmaq.com.br > High Scoring MCP Actions = forward spam@silmaq.com.br > Bounce MCP As Attachment = no > MCP Modify Subject = start > MCP Subject Text = {Lista de Bloqueio} > High Scoring MCP Modify Subject = start > High Scoring MCP Subject Text = {Lista de Bloqueio} > Is Definitely MCP = no > Is Definitely Not MCP = no > Definite MCP Is High Scoring = no > Always Include MCP Report = no > Detailed MCP Report = yes > Include Scores In MCP 
Report = no > Log MCP = no > MCP Max SpamAssassin Timeouts = 20 > MCP Max SpamAssassin Size = 100k > MCP SpamAssassin Timeout = 10 > MCP SpamAssassin Prefs File = > %mcp-dir%/mcp.spam.assassin.prefs.conf > MCP SpamAssassin User State Dir = > MCP SpamAssassin Local Rules Dir = %mcp-dir% > MCP SpamAssassin Default Rules Dir = %mcp-dir% > MCP SpamAssassin Install Prefix = %mcp-dir% > Recipient MCP Report = > %report-dir%/recipient.mcp.report.txt > Sender MCP Report = %report-dir%/sender.mcp.report.txt > Use Default Rules With Multiple Recipients = no > Spam Score Number Format = %d > MailScanner Version Number = 4.68.8 > SpamAssassin Cache Timings = 1800,300,10800,172800,600 > Debug = no > Debug SpamAssassin = no > Run In Foreground = no > Always Looked Up Last = &MailWatchLogging > Always Looked Up Last After Batch = no > Deliver In Background = yes > Delivery Method = batch > Split Exim Spool = no > Lockfile Dir = /tmp > Custom Functions Dir = > /usr/lib/MailScanner/MailScanner/CustomFunctions > Lock Type = > Syslog Socket Type = > Automatic Syntax Check = yes > Minimum Code Status = supported > > > > > > > > > > ----- Original Message ----- From: "Glenn Steen" > To: "MailScanner discussion" > > Sent: Friday, April 04, 2008 5:09 AM > Subject: Re: MailScanner ignoring some rules > > > > > > > On 04/04/2008, TecnoWay Digital > wrote: > > > > > [root@firewall.silmaq.com.br ~]# ls -lu > > > /etc/MailScanner/rules/scan.messages.rules > > > -rwxrwxrwx 1 root root 76 2008-04-03 21:38 > > > /etc/MailScanner/rules/scan.messages.rules > > > > > (snip) > > > > > [root@firewall.silmaq.com.br ~]# ls -lu > > > /etc/MailScanner/rules/scan.messages.rules > > > -rwxrwxrwx 1 root root 76 2008-04-03 21:38 > > > /etc/MailScanner/rules/scan.messages.rules > > > > > > > So your rule file doesn't egt read at all... Have you shown us the > > snippet of your MailScanner.conf where you use it? Could you do so? > > Also, have you run a "MailScanner --lint" and shown us that output? 
Please
> do...
> >
> > Cheers
> > --
> > -- Glenn
> > email: glenn < dot > steen < at > gmail < dot > com
> > work: glenn < dot > steen < at > ap1 < dot > se
>

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From mkettler at evi-inc.com Fri Apr 4 19:29:17 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Fri Apr 4 19:30:03 2008
Subject: False Positive, How do I resolve this?
In-Reply-To: <610C64469748E84DB6BDD5BD23F01A76180313@MED-CORE03-MS1.med.wayne.edu>
References: <47F62636.1040206@ecs.soton.ac.uk> <07b601c89668$0a7b3130$1f719390$@com><610C64469748E84DB6BDD5BD23F01A761802FC@MED-CORE03-MS1.med.wayne.edu> <47F650D5.6080900@evi-inc.com> <610C64469748E84DB6BDD5BD23F01A76180313@MED-CORE03-MS1.med.wayne.edu>
Message-ID: <47F6737D.4050309@evi-inc.com>

Rose, Bobby wrote:
> Password protect zip unless you are blocking that.

That shouldn't matter either. It might stop it, but it shouldn't.

You can still read the filenames of a password protected zipfile without
the password, so there's no technical reason why MailScanner can't still
apply filename rules to encrypted zipfiles.

From maillists at conactive.com Fri Apr 4 19:31:29 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Fri Apr 4 19:31:57 2008
Subject: Zip Attachments
In-Reply-To: <47F6542A.6090204@halla.pt>
References: <47F6542A.6090204@halla.pt>
Message-ID:

Jorge, you didn't tell what your problem is!

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From dave.list at pixelhammer.com Fri Apr 4 20:14:23 2008
From: dave.list at pixelhammer.com (DAve)
Date: Fri Apr 4 20:15:11 2008
Subject: SA times out
In-Reply-To:
References: <47F39721.3000603@ecs.soton.ac.uk> <47F3A36A.10008@ecs.soton.ac.uk> <47F3AA32.50303@ecs.soton.ac.uk>
Message-ID: <47F67E0F.2040006@pixelhammer.com>

Kai Schaetzl wrote:
> Julian Field wrote on Wed, 02 Apr 2008 16:45:54 +0100:
>
>>>> but perhaps a feature request could be a
>>>> CLI switch to specify the message ID so MS only scans the particular
>>>> message(s) that you're interested in observing.
>>>>
>>> Good idea. I'll take a look. Would a single ID do?
>> All done. It will be in the next release.
>
> Ahm, Julian, now that I have used the MS debugging feature a few times I
> think being able to grab a single ID may be nice, but not really helpful
> for a production machine. I have to disable at least MS if I want to debug
> (otherwise it would "steal" the queue files) and usually this is not done
> within a few seconds, but takes at least five minutes or more, maybe
> repeatedly. It would be nice if I could specify an alternative queue
> directory, so I can run a MailScanner instance in parallel to the
> production daemon and debug files from that directory while the normal
> sendmail/MS operation isn't affected. I think this would be much more
> helpful than specifying a certain ID.
>
> Kai
>

I second the proposal, having used the debug feature several times in the
last few days that would be a most excellent addition.

DAve

--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.

From ssilva at sgvwater.com Fri Apr 4 21:04:31 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Apr 4 21:05:18 2008
Subject: Old free Bitdefender and hit rate
Message-ID:

Just out of curiosity, has anyone that is still running the old free
version of bitdefender (BDC/Linux-Console v7.1 (build 2559)) still been
getting virus hits with it?

I haven't seen anything hit with it for 6 months or so, even though it
still updates and shows current.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From ssilva at sgvwater.com Fri Apr 4 21:15:08 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Apr 4 21:15:29 2008
Subject: MailScanner ignoring some rules
In-Reply-To: <223f97700804041120q3eaf3f90j4a0cce865e66b12@mail.gmail.com>
References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> <47F46B28.2050507@vanderkooij.org> <47F53B57.1070307@ecs.soton.ac.uk> <8F1DE832AFD34082A4D0CB25E4E7D7E7@TWDNB03> <223f97700804040109p3a5d97a5w439ef4d77ba879b1@mail.gmail.com> <223f97700804041120q3eaf3f90j4a0cce865e66b12@mail.gmail.com>
Message-ID:

on 4-4-2008 11:20 AM Glenn Steen spake the following:
> Sorry all, for the top post... a bit too tipsy to really safely (snip)
> with even a virtual scissor...:-)
>

Happy Friday, Glenn!!

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From glenn.steen at gmail.com Fri Apr 4 21:15:40 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Fri Apr 4 21:16:16 2008
Subject: SA times out
In-Reply-To:
References: <47F39721.3000603@ecs.soton.ac.uk> <223f97700804040057j39668387sad309a47257d7722@mail.gmail.com> <47F655F3.8000903@ecs.soton.ac.uk>
Message-ID: <223f97700804041315h42fc6e13h26a0f1c5ceae815d@mail.gmail.com>

On 04/04/2008, Kai Schaetzl wrote:
> Julian Field wrote on Fri, 04 Apr 2008 17:23:15 +0100:
> >
> > The command-line SA calls the Mail::SpamAssassin perl module to do all
> > the hard work.
> >
> But why is it then much faster? At least for this message. I notice that
> when I debug with MS it first scans some default message, maybe the one SA
> scans when using "spamassassin -D --lint", only then it grabs a message
> from the queue. Does this only happen with MS in debug mode?

Yes.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From dave.list at pixelhammer.com Fri Apr 4 22:03:40 2008
From: dave.list at pixelhammer.com (DAve)
Date: Fri Apr 4 22:04:24 2008
Subject: Old free Bitdefender and hit rate
In-Reply-To:
References:
Message-ID: <47F697AC.4080400@pixelhammer.com>

Scott Silva wrote:
> Just out of curiosity, has anyone that is still running the old free
> version of bitdefender (BDC/Linux-Console v7.1 (build 2559))still been
> getting virus hits with it?
>
> I haven't seen anything hit with it for 6 months or so, even though it
> still updates and shows current.
>

We stopped running it last June for that same reason.

DAve

--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.

From MailScanner at ecs.soton.ac.uk Fri Apr 4 22:33:33 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Apr 4 22:34:34 2008
Subject: Zip Attachments
In-Reply-To: <47F6542A.6090204@halla.pt>
References: <47F6542A.6090204@halla.pt>
Message-ID: <47F69EAD.7000808@ecs.soton.ac.uk>

Are you saying something doesn't work as expected? You haven't actually
said you have a problem, or what the problem is.

Plus some basic information such as the output of
MailScanner -v
would help us to help you.

Jorge Costinha wrote:
> i got
>
> Zip Attachment = %rules-dir%/filename.rules
> Attachments min total size to zip = 5000k
>
> where in filename.rules i got:
>
> From: yes
> FromOrTo: default no
>
> what am i missing?
>
> PS- i also have the Maximum Message Size =
> %rules-dir%/anotherfilename.rules. this is working as it should.
>
> thanks in advance.
>
> Jorge
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Apr 4 22:38:53 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Apr 4 22:39:13 2008
Subject: Another question about rulesets...
In-Reply-To:
References:
Message-ID: <47F69FED.5070003@ecs.soton.ac.uk>

You are suffering from an inevitable problem when a message has multiple
recipients. MailScanner does not split messages into
1-recipient-per-message itself.
If you want to do that, you have to do it separately. This is quite
possible in MailScanner using 'queue groups' and has been fairly well
documented here before. I believe it is possible in other MTAs as well.
I will leave that to other people to explain to you, once you have told
us what MTA you are using.

The other, easier, alternative that *may* do what you want is to use the
MailScanner.conf setting "Use Default Rules With Multiple Recipients".
The comments above that explain what its effects are.

Hope that helps get you going in the right direction,
Jules.

Philip Butler wrote:
> Hi all,
>
> I have another question about rulesets. I am trying to sign outgoing
> messages with a signature.
>
> Here is my ruleset. 'domain123.com' and 'domain456.com' are "my" test
> domains (not really mine, but using this as a test).
>
> -------------
> From: *@domain123.com and to: *@domain123.com no
> From: *@domain123.com and to: *@domain456.com no
> From: *@domain123.com yes
> From: *@domain456.com and to: *@domain123.com no
> From: *@domain456.com and to: *@domain456.com no
> From: *@domain456.com yes
>
> FromOrTo: default no
> -------------
>
>
> It works properly if there is one recipient (internal/external) but
> the problem is that when I send from test1@domain123.com to
> test2@domain123.com AND test@anotherdomain.com, the message does not
> get signed. In other words, if ANY recipient is from a local domain,
> then the message does not get signed. I would prefer it to be the
> other way around.
>
> Any suggestions as to how I can change the ruleset ?? In a way, I want:
>
> -------------
> # incoming messages not signed
> From: NOT *@domain123.com and to: *@domain123.com no
> From: NOT *@domain123.com and to: *@domain456.com no
> From: NOT *@domain456.com and to: *@domain123.com no
> From: NOT *@domain456.com and to: *@domain456.com no
>
> # internal messages not signed
> From: *@domain123.com and ONLY to: *@domain123.com no
> From: *@domain123.com and ONLY to: *@domain456.com no
> From: *@domain456.com and ONLY to: *@domain123.com no
> From: *@domain456.com and ONLY to: *@domain456.com no
>
> # All others signed - including mixed local/non-local recipients
> FromOrTo: default yes
> -------------
>
>
> Also, I tried adding:
>
> ----
> From: 10.1.1.0/255.255.255.0 and to: *@domain123.com no
> From: 10.1.1.0/255.255.255.0 and to: *@domain456.com no
> From: 10.1.1.0/255.255.255.0 yes
> From: 10.34.56.0/255.255.255.0 and to: *@domain123.com no
> From: 10.34.56.0/255.255.255.0 and to: *@domain456.com no
> From: 10.34.56.0/255.255.255.0 yes
> ----
>
> to the ruleset (10.1.1.0 and 10.34.56.0 are "internal" networks) and I
> kept getting defunct mailscanner processes. This is based on a
> previous email response from Julian. I am running MS 4.66.5 - I
> haven't upgraded to the latest and greatest yet. Do I have a syntax
> problem here ??
>
> Phil
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
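Why the mixed-recipient message in the ruleset thread above goes unsigned, and what one-recipient-per-message splitting changes, as an added example (not MailScanner's code and not from either poster). It assumes a simplified model in which the first matching rule wins and a "to:" pattern matches when any recipient matches, which reproduces the behaviour Philip reports; `parse_ruleset`, `evaluate` and `evaluate_split` are hypothetical names.

```python
import fnmatch
import re

# Philip's ruleset as posted (whitespace normalised).
RULESET = """\
From: *@domain123.com and to: *@domain123.com no
From: *@domain123.com and to: *@domain456.com no
From: *@domain123.com yes
From: *@domain456.com and to: *@domain123.com no
From: *@domain456.com and to: *@domain456.com no
From: *@domain456.com yes

FromOrTo: default no
"""

# "<direction>: <pattern> [and <direction>: <pattern>] <value>"
RULE_RE = re.compile(
    r"^(?P<dir1>From|To|FromOrTo):\s+(?P<pat1>\S+)"
    r"(?:\s+and\s+(?P<dir2>From|To|FromOrTo):\s+(?P<pat2>\S+))?"
    r"\s+(?P<value>\S+)$",
    re.IGNORECASE,
)


def parse_ruleset(text):
    """Return a list of ([(direction, pattern), ...], value) in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        conds = [(m["dir1"].lower(), m["pat1"])]
        if m["dir2"]:
            conds.append((m["dir2"].lower(), m["pat2"]))
        rules.append((conds, m["value"]))
    return rules


def _cond_matches(direction, pattern, sender, recipients):
    """Assumed semantics: a To: condition is satisfied by ANY recipient."""
    if pattern.lower() == "default":
        return True

    def hit(addr):
        return fnmatch.fnmatchcase(addr.lower(), pattern.lower())

    if direction == "from":
        return hit(sender)
    if direction == "to":
        return any(hit(r) for r in recipients)
    return hit(sender) or any(hit(r) for r in recipients)  # fromorto


def evaluate(rules, sender, recipients):
    """One decision for the whole message: first matching rule wins."""
    for conds, value in rules:
        if all(_cond_matches(d, p, sender, recipients) for d, p in conds):
            return value
    return None


def evaluate_split(rules, sender, recipients):
    """Decision per recipient, as if the MTA had split the message first."""
    return {r: evaluate(rules, sender, [r]) for r in recipients}


RULES = parse_ruleset(RULESET)

if __name__ == "__main__":
    sender = "test1@domain123.com"
    rcpts = ["test2@domain123.com", "test@anotherdomain.com"]
    print("whole message :", evaluate(RULES, sender, rcpts))
    print("after split   :", evaluate_split(RULES, sender, rcpts))
```

In this model the local recipient satisfies the first rule, so the single copy of the message gets "no"; evaluated per recipient, only the copy for the external address gets "yes".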

From MailScanner at ecs.soton.ac.uk Fri Apr 4 22:45:15 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Apr 4 22:45:40 2008
Subject: SA times out
In-Reply-To:
References: <47F39721.3000603@ecs.soton.ac.uk> <47F3A36A.10008@ecs.soton.ac.uk> <47F3AA32.50303@ecs.soton.ac.uk>
Message-ID: <47F6A16B.5070607@ecs.soton.ac.uk>

Kai Schaetzl wrote:
> Julian Field wrote on Wed, 02 Apr 2008 16:45:54 +0100:
>
>
>>>> but perhaps a feature request could be a
>>>> CLI switch to specify the message ID so MS only scans the particular
>>>> message(s) that you're interested in observing.
>>>>
>>>>
>>> Good idea. I'll take a look. Would a single ID do?
>>>
>> All done. It will be in the next release.
>>
>
> Ahm, Julian, now that I have used the MS debugging feature a few times I
> think being able to grab a single ID may be nice, but not really helpful
> for a production machine. I have to disable at least MS if I want to debug
> (otherwise it would "steal" the queue files) and usually this is not done
> within a few seconds, but takes at least five minutes or more, maybe
> repeatedly. It would be nice if I could specify an alternative queue
> directory, so I can run a MailScanner instance in parallel to the
> production daemon and debug files from that directory while the normal
> sendmail/MS operation isn't affected. I think this would be much more
> helpful than specifying a certain ID.
>

You can stop MailScanner completely, then restart the incoming sendmail
(or whatever MTA you use) so that you are providing email service to
your users. Then run MailScanner on the particular ID you want to test
it with. Then when you are happy, resume normal operation.

Stop everything and start incoming MTA:
    service MailScanner stop
    service MailScanner startin
Run it on 1 id:
    MailScanner --debug --id=
Start up everything normally
    service MailScanner restart

Should solve the problem for you.
Saves me writing more code :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Apr 4 22:50:44 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Apr 4 22:51:31 2008
Subject: SA times out
In-Reply-To:
References: <47F39721.3000603@ecs.soton.ac.uk> <223f97700804040057j39668387sad309a47257d7722@mail.gmail.com> <47F655F3.8000903@ecs.soton.ac.uk>
Message-ID: <47F6A2B4.70706@ecs.soton.ac.uk>

Kai Schaetzl wrote:
> Julian Field wrote on Fri, 04 Apr 2008 17:23:15 +0100:
>
>
>> The command-line SA calls the Mail::SpamAssassin perl module to do all
>> the hard work.
>>
>
> But why is it then much faster? At least for this message. I notice that
> when I debug with MS it first scans some default message, maybe the one SA
> scans when using "spamassassin -D --lint", only then it grabs a message
> from the queue. Does this only happen with MS in debug mode?
>

SpamAssassin (by design) has 'compile_once' functionality. This forces
Perl to load all the functions required for its operation, and therefore
compile them, so that all future messages are processed at the same
speed. It implements this by processing a dummy message and throwing
away the result.

SpamAssassin, like many Perl modules, only loads and compiles the code
of functions when they are used for the first time, thereby greatly
improving the startup speed and memory footprint of large modules. In
Perl terminology, it is called the Dyna-Loader. So to force this to
happen, you have to execute all the functions once.
SpamAssassin does this by working out the spam score for a dummy message.
This is what you see happening when you have --debug-sa specified on the
MailScanner command-line.

Hopefully that explains what you see happening.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Apr 4 22:54:29 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Apr 4 22:54:50 2008
Subject: False Positive, How do I resolve this?
In-Reply-To: <47F6737D.4050309@evi-inc.com>
References: <47F62636.1040206@ecs.soton.ac.uk> <07b601c89668$0a7b3130$1f719390$@com><610C64469748E84DB6BDD5BD23F01A761802FC@MED-CORE03-MS1.med.wayne.edu> <47F650D5.6080900@evi-inc.com> <610C64469748E84DB6BDD5BD23F01A76180313@MED-CORE03-MS1.med.wayne.edu> <47F6737D.4050309@evi-inc.com>
Message-ID: <47F6A395.6030006@ecs.soton.ac.uk>

Matt Kettler wrote:
> Rose, Bobby wrote:
>> Password protect zip unless you are blocking that.
>
> That shouldn't matter either. It might stop it, but it shouldn't.
>
> You can still read the filenames of a password protected zipfile
> without the password, so there's no technical reason why MailScanner
> can't still apply filename rules to encrypted zipfiles.

And indeed it does. You can even switch it on and off, of course :-)
Straight out of MailScanner.conf:

# Normally, you can still get the filenames out of a password-protected
# archive, despite the encryption. So by default filename checks are still
# done on these files. However, some people want to suppress this checking
# as they allow a few people to receive password-protected archives that
# contain things such as .exe's as part of their business needs. This option
# can be used to suppress filename checks inside password-protected archives.
# This can also be the filename of a ruleset.
Check Filenames In Password-Protected Archives = yes

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Fri Apr 4 22:57:22 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Fri Apr 4 22:57:45 2008
Subject: SA times out
In-Reply-To: <47F67E0F.2040006@pixelhammer.com>
References: <47F39721.3000603@ecs.soton.ac.uk> <47F3A36A.10008@ecs.soton.ac.uk> <47F3AA32.50303@ecs.soton.ac.uk> <47F67E0F.2040006@pixelhammer.com>
Message-ID: <47F6A442.90109@ecs.soton.ac.uk>

DAve wrote:
> Kai Schaetzl wrote:
>> Julian Field wrote on Wed, 02 Apr 2008 16:45:54 +0100:
>>
>>>>> but perhaps a feature request could be a
>>>>> CLI switch to specify the message ID so MS only scans the particular
>>>>> message(s) that you're interested in observing.
>>>>>
>>>> Good idea. I'll take a look. Would a single ID do?
>>> All done. It will be in the next release.
>>
>> Ahm, Julian, now that I have used the MS debugging feature a few
>> times I think being able to grab a single ID may be nice, but not
>> really helpful for a production machine. I have to disable at least
>> MS if I want to debug (otherwise it would "steal" the queue files)
>> and usually this is not done within a few seconds, but takes at least
>> five minutes or more, maybe repeatedly. It would be nice if I could
>> specify an alternative queue directory, so I can run a MailScanner
>> instance in parallel to the production daemon and debug files from
>> that directory while the normal sendmail/MS operation isn't affected.
>> I think this would be much more helpful than specifying a certain ID.
>>
>> Kai
>>
>
> I second the proposal, having used the debug feature several times in
> the last few days that would be a most excellent addition.

Okay, I'll take a look this weekend.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From rcooper at dwford.com Fri Apr 4 23:15:30 2008
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Apr 4 23:16:14 2008
Subject: False Positive, How do I resolve this?
In-Reply-To: <610C64469748E84DB6BDD5BD23F01A76180313@MED-CORE03-MS1.med.wayne.edu>
References: <47F62636.1040206@ecs.soton.ac.uk><07b601c89668$0a7b3130$1f719390$@com><610C64469748E84DB6BDD5BD23F01A761802FC@MED-CORE03-MS1.med.wayne.edu><47F650D5.6080900@evi-inc.com> <610C64469748E84DB6BDD5BD23F01A76180313@MED-CORE03-MS1.med.wayne.edu>
Message-ID: <024d01c896a1$64e7c0f0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Rose, Bobby
> Sent: Friday, April 04, 2008 1:18 PM
> To: MailScanner discussion
> Subject: RE: False Positive, How do I resolve this?
>
> Password protect zip unless you are blocking that.
>
>

This is not true; the directory of the zip can still be accessed and MS
still checks the file names in password-protected zip/rar files. It just
can't virus scan or check the actual "type".

Rick

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt
> Kettler
> Sent: Friday, April 04, 2008 12:01 PM
> To: MailScanner discussion
> Subject: Re: False Positive, How do I resolve this?
>
> Rose, Bobby wrote:
> > Zip or rename the files without all those periods.
>
> They are in a zipfile, as per Vernon's original message.
>
> However, MailScanner by default digs into zipfiles and
> applies filename
> rules there. So zipping won't help you with a MailScanner
> config where
> "Maximum Archive Depth" isn't set to 0.
>
>
> >
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of
> > Vernon Webb
> > Sent: Friday, April 04, 2008 11:25 AM
> > To: 'MailScanner discussion'
> > Subject: False Positive, How do I resolve this?
> >
> > I have a client who sends email attachments in a zip file.
> The files
> > (as you can see below) are named the way the client needs
> them to be.
> > How do I get around this?
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From rcooper at dwford.com Fri Apr 4 23:26:31 2008
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Apr 4 23:26:49 2008
Subject: MailScanner ignoring some rules
In-Reply-To: <223f97700804041120q3eaf3f90j4a0cce865e66b12@mail.gmail.com>
References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br><47F46B28.2050507@vanderkooij.org><47F53B57.1070307@ecs.soton.ac.uk><8F1DE832AFD34082A4D0CB25E4E7D7E7@TWDNB03><223f97700804040109p3a5d97a5w439ef4d77ba879b1@mail.gmail.com> <223f97700804041120q3eaf3f90j4a0cce865e66b12@mail.gmail.com>
Message-ID: <024e01c896a2$ef080e10$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On
> Behalf Of Glenn Steen
> Sent: Friday, April 04, 2008 2:20 PM
> To: MailScanner discussion
> Subject: Re: MailScanner ignoring some rules
>
> Sorry all, for the top post... a bit too tipsy to really
> safely (snip)
> with even a virtual scissor...:-)
>
> That all _looks_ mostly OK... So, plan B... You've never used another
> system to edit the MailScanner.conf or rules file? Like crappy
> windoze? If so, there might be "non-printable" characters on the end
> of the line (like a spurious )... Then again, I thought
> the --lint
> would catch that... Oh well.
>
> Cheers
> -- Glenn

Hey, Glenn,

99.9% of the time I edit all my *nix files with a windows only program.
Boxer text editor. Been using it since it was a little dos pup. It's a
really nice editor geared primarily towards programming and it handles
DOS, Unix and MAC files as it sees them and I have the default save mode
set to unix.
Since I haven't the luxury of choosing my primary desktop OS I find
boxer invaluable as all my servers (except 3 vendor managed specialty
servers) are Linux boxes and with its built-in ftp open/save and
projects I can't imagine living without it.

BTW: You have given me a great idea, instead of worrying about running
out of my OxyContin, Percocet and Vicodin I should just grab a bottle of
Jack or 151 and I bet I can keep the pain down all weekend long without
a single pill! ;->)

>
> On 04/04/2008, TecnoWay Digital
> wrote:
> > MailScanner --lint
> >
> > Trying to setlogsock(unix)
> > Read 817 hostnames from the phishing whitelist
> > Read 5549 hostnames from the phishing blacklist
> > Config: calling custom init function SQLBlacklist
> > Starting up SQL Blacklist
> > Read 326 blacklist entries
> > Config: calling custom init function MailWatchLogging
> > Started SQL Logging child
> > Config: calling custom init function SQLWhitelist
> > Starting up SQL Whitelist
> > Read 40 whitelist entries
> > Checking version numbers...
> > Version number in MailScanner.conf (4.68.8) is correct.
> >
> > Your envelope_sender_header in spam.assassin.prefs.conf
> is correct.
> > MailScanner setting GID to (89)
> > MailScanner setting UID to (89)
> >
> > Checking for SpamAssassin errors (if you use it)...
> > SpamAssassin temporary working directory is
> > /var/spool/MailScanner/incoming/SpamAssassin-Temp
> > SpamAssassin temp dir =
> > /var/spool/MailScanner/incoming/SpamAssassin-Temp
> > Using SpamAssassin results cache
> > Connected to SpamAssassin cache database
> > SpamAssassin reported no errors.
> > Using locktype = posix
> > MailScanner.conf says "Virus Scanners = mcafee"
> > Found these virus scanners installed: clamav, mcafee
> >
> =============================================================
> ==============
> > Virus and Content Scanning: Starting
> > /1/eicar.com Found: EICAR test file NOT a virus.
> > Virus Scanning: McAfee found 1 infections
> > Infected message 1 came from 10.1.1.1
> > Virus Scanning: Found 1 viruses
> >
> =============================================================
> ==============
> > Virus Scanner test reports:
> > McAfee said "/1/eicar.com Found: EICAR test file
> NOT a virus."
> >
> > If any of your virus scanners (clamav,mcafee)
> > are not listed there, you should check that they are
> installed correctly
> > and that MailScanner is finding them correctly via its
> virus.scanners.conf.
> > Config: calling custom end function SQLBlacklist
> > Closing down by-domain spam blacklist
> > Config: calling custom end function MailWatchLogging
> > Config: calling custom end function SQLWhitelist
> > Closing down by-domain spam whitelist
> >
> --------------------------------------------------------------------
> >
> > My MailScanner.conf
> >
> > %org-name% = Silmaq
> > %org-long-name% = Silmaq S.A
> > %web-site% = www.silmaq.com.br
> > %etc-dir% = /etc/MailScanner
> > %report-dir% = /etc/MailScanner/reports/pt_br
> > %rules-dir% = /etc/MailScanner/rules
> > %mcp-dir% = /etc/MailScanner/mcp
> > Max Children = 5
> > Run As User = postfix
> > Run As Group = postfix
> > Queue Scan Interval = 6
> > Incoming Queue Dir = /var/spool/postfix/hold
> > Outgoing Queue Dir = /var/spool/postfix/incoming
> > Incoming Work Dir = /var/spool/MailScanner/incoming
> > Quarantine Dir = /var/spool/MailScanner/quarantine
> > PID file = /var/run/MailScanner.pid
> > Restart Every = 7200
> > MTA = postfix
> > Sendmail = /usr/sbin/sendmail
> > Sendmail2 = /usr/sbin/sendmail
> > Incoming Work User =
> > Incoming Work Group =
> > Incoming Work Permissions = 0600
> > Quarantine User = root
> > Quarantine Group = apache
> > Quarantine Permissions = 0660
> > Max Unscanned Bytes Per Scan = 100m
> > Max Unsafe Bytes Per Scan = 50m
> > Max Unscanned Messages Per Scan = 30
> > Max Unsafe Messages Per Scan = 30
> > Max Normal Queue Size = 800
> > Scan Messages = %rules-dir%/scan.messages.rules
> > Reject Message = no
> > Maximum Attachments Per Message = 200
> > Expand TNEF = yes
> > Use TNEF Contents = replace
> > Deliver Unparsable TNEF = no
> > TNEF Expander = /usr/bin/tnef --maxsize=100000000
> > TNEF Timeout = 120
> > File Command = /usr/bin/file
> > File Timeout = 20
> > Gunzip Command = /bin/gunzip
> > Gunzip Timeout = 50
> > Unrar Command = /usr/bin/unrar
> > Unrar Timeout = 50
> > Find UU-Encoded Files = no
> > Maximum Message Size = %rules-dir%/max.message.size.rules
> > Maximum Attachment Size = -1
> > Minimum Attachment Size = -1
> > Maximum Archive Depth = 0
> > Find Archives By Content = yes
> > Zip Attachments = no
> > Attachments Zip Filename = MessageAttachments.zip
> > Attachments Min Total Size To Zip = 100k
> > Attachment Extensions Not To Zip = .zip .rar .gz .tgz
> .jpg .jpeg .mpg .mpe
> > .mpeg .mp3 .rpm .htm .html .eml
> > Virus Scanning = yes
> > Virus Scanners = mcafee
> > Virus Scanner Timeout = 300
> > Deliver Disinfected Files = no
> > Silent Viruses = HTML-IFrame All-Viruses
> > Still Deliver Silent Viruses = no
> > Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
> > Block Encrypted Messages = no
> > Block Unencrypted Messages = no
> > Allow Password-Protected Archives = no
> > Check Filenames In Password-Protected Archives = yes
> > Allowed Sophos Error Messages =
> > Sophos IDE Dir = /opt/sophos-av/lib/sav
> > Sophos Lib Dir = /opt/sophos-av/lib
> > Monitors For Sophos Updates = /opt/sophos-av/lib/sav/*.ide
> > Monitors for ClamAV Updates = /usr/local/share/clamav/*.inc/*
> > /usr/local/share/clamav/*.cvd
> > ClamAVmodule Maximum Recursion Level = 8
> > ClamAVmodule Maximum Files = 1000
> > ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
> > ClamAVmodule Maximum Compression Ratio = 250
> > Clamd Port = 3310
> > Clamd Socket = /tmp/clamd
> > Clamd Lock File = # /var/lock/subsys/clamd
> > Clamd Use Threads = no
> > ClamAV Full Message Scan = yes
> > Fpscand Port = 10200
> > Dangerous Content Scanning = yes
> > Allow Partial Messages = no
> > Allow External Message Bodies = no
> > Find Phishing Fraud = yes
> > Also Find Numeric Phishing = yes
> > Use Stricter Phishing Net = yes
> > Highlight Phishing Fraud = yes
> > Phishing Safe Sites File =
> > %etc-dir%/phishing.safe.sites.conf
> > Phishing Bad Sites File =
> > %etc-dir%/phishing.bad.sites.conf
> > Country Sub-Domains List = %etc-dir%/country.domains.conf
> > Allow IFrame Tags = disarm
> > Allow Form Tags = disarm
> > Allow Script Tags = disarm
> > Allow WebBugs = disarm
> > Ignored Web Bug Filenames = spacer pixel.gif pixel.png gap
> > Known Web Bug Servers = msgtag.com
> > Web Bug Replacement =
> > http://www.mailscanner.tv/1x1spacer.gif
> > Allow Object Codebase Tags = disarm
> > Convert Dangerous HTML To Text = no
> > Convert HTML To Text = no
> > Allow Filenames =
> > Deny Filenames =
> > Filename Rules = %etc-dir%/filename.regra.rules
> > Allow Filetypes =
> > Allow File MIME Types =
> > Deny Filetypes =
> > Deny File MIME Types =
> > Filetype Rules = %etc-dir%/filetype.rules.conf
> > Quarantine Infections = yes
> > Quarantine Silent Viruses = no
> > Quarantine Modified Body = no
> > Quarantine Whole Message = yes
> > Quarantine Whole Messages As Queue Files = no
> > Keep Spam And MCP Archive Clean = no
> > Language Strings = %report-dir%/languages.conf
> > Rejection Report = %report-dir%/rejection.report.txt
> > Deleted Bad Content Message Report =
> > %report-dir%/deleted.content.message.txt
> > Deleted Bad Filename Message Report =
> > %report-dir%/deleted.filename.message.txt
> > Deleted Virus Message Report =
> > %report-dir%/deleted.virus.message.txt
> > Deleted Size Message Report =
> > %report-dir%/deleted.size.message.txt
> > Stored Bad Content Message Report =
> > %report-dir%/stored.content.message.txt
> > Stored Bad Filename Message Report =
> > %report-dir%/stored.filename.message.txt
> > Stored Virus Message Report =
> > %report-dir%/stored.virus.message.txt
> > Stored Size Message Report =
> > %report-dir%/stored.size.message.txt
> > Disinfected Report = %report-dir%/disinfected.report.txt
> > Inline HTML Signature = %report-dir%/inline.sig.html
> > Inline Text Signature = %report-dir%/inline.sig.txt
> > Signature Image Filename = %report-dir%/sig.jpg
> > Signature Image Filename = signature.jpg
> > Inline HTML Warning = %report-dir%/inline.warning.html
> > Inline Text Warning = %report-dir%/inline.warning.txt
> > Sender Content Report =
> > %report-dir%/sender.content.report.txt
> > Sender Error Report = %report-dir%/sender.error.report.txt
> > Sender Bad Filename Report =
> > %report-dir%/sender.filename.report.txt
> > Sender Virus Report = %report-dir%/sender.virus.report.txt
> > Sender Size Report = %report-dir%/sender.size.report.txt
> > Hide Incoming Work Dir = yes
> > Include Scanner Name In Reports = yes
> > Mail Header = X-%org-name%-MailScanner:
> > Spam Header = X-%org-name%-MailScanner-SpamCheck:
> > Spam Score Header = X-%org-name%-MailScanner-SpamScore:
> > Information Header = X-%org-name%-MailScanner-Information:
> > Add Envelope From Header = yes
> > Add Envelope To Header = no
> > Envelope From Header = X-%org-name%-MailScanner-From:
> > Envelope To Header = X-%org-name%-MailScanner-To:
> > Spam Score Character = s
> > SpamScore Number Instead Of Stars = no
> > Minimum Stars If On Spam List = 0
> > Clean Header Value = Found to be clean
> > Infected Header Value = Found to be infected
> > Disinfected Header Value = Disinfected
> > Information Header Value = Please contact the ISP for
> more information
> > Detailed Spam Report = yes
> > Include Scores In SpamAssassin Report = yes
> > Always Include SpamAssassin Report = no
> > Multiple Headers = append
> > Hostname = the %org-name% ($HOSTNAME) MailScanner
> > Sign Messages Already Processed = no
> > Sign Clean Messages = %rules-dir%/regras_assinatura.rules
> > Attach Image To Signature = no
> > Attach Image To HTML Message Only = yes
> > Mark Infected Messages = yes
> > Mark Unscanned Messages = yes
> > Unscanned Header Value = Not scanned: please contact your
> Internet E-Mail
> > Service Provider for details
> > Remove These Headers = X-Mozilla-Status: X-Mozilla-Status2:
> > Deliver Cleaned Messages = yes
> > Notify Senders = yes
> > Notify Senders Of Viruses = no
> > Notify Senders Of Blocked Filenames Or Filetypes = yes
> > Notify Senders Of Blocked Size Attachments = no
> > Notify Senders Of Other Blocked Content = yes
> > Never Notify Senders Of Precedence = list bulk
> > Scanned Subject Text = {Scanned}
> > Virus Modify Subject = start
> > Virus Subject Text = {Virus?}
> > Filename Modify Subject = start
> > Filename Subject Text = {Filename?}
> > Content Modify Subject = start
> > Content Subject Text = {Dangerous Content?}
> > Size Modify Subject = start
> > Size Subject Text = {Size}
> > Disarmed Modify Subject = start
> > Disarmed Subject Text = {Disarmed}
> > Phishing Modify Subject = no
> > Phishing Subject Text = {Fraud?}
> > Spam Modify Subject = start
> > Spam Subject Text = {Spam?}
> > High Scoring Spam Modify Subject = start
> > High Scoring Spam Subject Text = {Spam?}
> > Warning Is Attachment = yes
> > Attachment Warning Filename =
> > %org-name%-Attachment-Warning.txt
> > Attachment Encoding Charset = ISO-8859-1
> > Archive Mail = %rules-dir%/copia-email.rules
> > Send Notices = no
> > Notices Include Full Headers = yes
> > Hide Incoming Work Dir in Notices = no
> > Notice Signature = -- \nMailScanner\nEmail Virus
> > Scanner\nwww.mailscanner.info
> > Notices From = teste
> > Notices To = postmaster
> > Local Postmaster = postmaster
> > Spam List Definitions = %etc-dir%/spam.lists.conf
> > Virus Scanner Definitions = %etc-dir%/virus.scanners.conf
> > Spam Checks = yes
> > Spam Domain List =
> > Spam Lists To Be Spam = 1
> > Spam Lists To Reach High Score = 3
> > Spam List Timeout = 10
> > Max Spam List Timeouts = 7
> > Spam List Timeouts History = 10
> > Is Definitely Not Spam = &SQLWhitelist
> > Is Definitely Spam = &SQLBlacklist
> > Definite Spam Is High Scoring = no
> > Ignore Spam Whitelist If Recipients Exceed = 50
> > Max Spam Check Size = 200k
> > Use Watermarking = no
> > Add Watermark = yes
> > Check Watermarks With No Sender = yes
> > Treat Invalid Watermarks With No Sender as Spam = nothing
> > Check Watermarks To Skip Spam Checks = yes
> > Watermark Secret = %org-name%-Secret
> > Watermark Lifetime = 604800
> > Watermark Header = X-%org-name%-MailScanner-Watermark:
> > Use SpamAssassin = yes
> > Max SpamAssassin Size = 200k
> > Required SpamAssassin Score = 6
> > High SpamAssassin Score = 10
> > SpamAssassin Auto Whitelist = yes
> > SpamAssassin Timeout = 75
> > Max SpamAssassin Timeouts = 10
> > SpamAssassin Timeouts History = 30
> > Check SpamAssassin If On Spam List = yes
> > Include Binary Attachments In SpamAssassin = no
> > Spam Score = yes
> > Cache SpamAssassin Results = yes
> > SpamAssassin Cache Database File =
> > /var/spool/MailScanner/incoming/SpamAssassin.cache.db
> > Rebuild Bayes Every = 0
> > Wait During Bayes Rebuild = no
> > Use Custom Spam Scanner = no
> > Max Custom Spam Scanner Size = 20k
> > Custom Spam Scanner Timeout = 20
> > Max Custom Spam Scanner Timeouts = 10
> > Custom Spam Scanner Timeout History = 20
> > Spam Actions = store
> > High Scoring Spam Actions = store
> > Non Spam Actions = deliver header "X-Spam-Status: No"
> > SpamAssassin Rule Actions =
> > Sender Spam Report = %report-dir%/sender.spam.report.txt
> > Sender Spam List Report =
> > %report-dir%/sender.spam.rbl.report.txt
> > Sender SpamAssassin Report =
> > %report-dir%/sender.spam.sa.report.txt
> > Inline Spam Warning = %report-dir%/inline.spam.warning.txt
> > Recipient Spam Report =
> > %report-dir%/recipient.spam.report.txt
> > Enable Spam Bounce = %rules-dir%/bounce.rules
> > Bounce Spam As Attachment = no
> > Syslog Facility = mail
> > Log Speed = no
> > Log Spam = no
> > Log Non Spam = no
> > Log Permitted Filenames = no
> > Log Permitted Filetypes = no
> > Log Permitted File MIME Types = no
> > Log Silent Viruses = no
> > Log Dangerous HTML Tags = no
> > Log SpamAssassin Rule Actions = no
> > SpamAssassin Temporary Dir =
> > /var/spool/MailScanner/incoming/SpamAssassin-Temp
> > SpamAssassin User State Dir =
> > /var/spool/MailScanner/spamassassin
> > SpamAssassin Install Prefix =
> > SpamAssassin Site Rules Dir = /etc/mail/spamassassin
> > SpamAssassin Local Rules Dir =
> > SpamAssassin Default Rules Dir =
> > MCP Checks = yes
> > First Check = mcp
> > MCP Required SpamAssassin Score = 1
> > MCP High SpamAssassin Score = 10
> > MCP Error Score = 1
> > MCP Header = X-%org-name%-MailScanner-MCPCheck:
> > Non MCP Actions = deliver
> > MCP Actions = forward spam@silmaq.com.br
> > High Scoring MCP Actions = forward spam@silmaq.com.br
> > Bounce MCP As Attachment = no
> > MCP Modify Subject = start
> > MCP Subject Text = {Lista de Bloqueio}
> > High Scoring MCP Modify Subject = start
> > High Scoring MCP Subject Text = {Lista de Bloqueio}
> > Is Definitely MCP = no
> > Is Definitely Not MCP = no
> > Definite MCP Is High Scoring = no
> > Always Include MCP Report = no
> > Detailed MCP Report = yes
> > Include Scores In MCP Report = no
> > Log MCP = no
> > MCP Max SpamAssassin Timeouts = 20
> > MCP Max SpamAssassin Size = 100k
> > MCP SpamAssassin Timeout = 10
> > MCP SpamAssassin Prefs File =
> > %mcp-dir%/mcp.spam.assassin.prefs.conf
> > MCP SpamAssassin User State Dir =
> > MCP SpamAssassin Local Rules Dir = %mcp-dir%
> > MCP SpamAssassin Default Rules Dir = %mcp-dir%
> > MCP SpamAssassin Install Prefix = %mcp-dir%
> > Recipient MCP Report =
> > %report-dir%/recipient.mcp.report.txt
> > Sender MCP Report = %report-dir%/sender.mcp.report.txt
> > Use Default Rules With Multiple Recipients = no
> > Spam Score Number Format = %d
> > MailScanner Version Number = 4.68.8
> > SpamAssassin Cache Timings = 1800,300,10800,172800,600
> > Debug = no
> > Debug SpamAssassin = no
> > Run In Foreground = no
> > Always Looked Up Last = &MailWatchLogging
> > Always Looked Up Last After Batch = no
> > Deliver In Background = yes
> > Delivery Method = batch
> > Split Exim Spool = no
> > Lockfile Dir = /tmp
> > Custom Functions Dir =
> > /usr/lib/MailScanner/MailScanner/CustomFunctions
> > Lock Type =
> > Syslog Socket Type =
> > Automatic Syntax Check = yes
> > Minimum Code Status = supported
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > ----- Original Message ----- From: "Glenn Steen"
>
> > To: "MailScanner discussion"
> >
> > Sent: Friday, April 04, 2008 5:09 AM
> > Subject: Re: MailScanner ignoring some rules
> >
> >
> >
> > >
> > > On 04/04/2008, TecnoWay Digital
> > wrote:
> > >
> > > > [root@firewall.silmaq.com.br ~]# ls -lu
> > > > /etc/MailScanner/rules/scan.messages.rules
> > > > -rwxrwxrwx 1 root root 76 2008-04-03 21:38
> > > > /etc/MailScanner/rules/scan.messages.rules
> > > >
> > > (snip)
> > >
> > > > [root@firewall.silmaq.com.br ~]# ls -lu
> > > > /etc/MailScanner/rules/scan.messages.rules
> > > > -rwxrwxrwx 1 root root 76 2008-04-03 21:38
> > > > /etc/MailScanner/rules/scan.messages.rules
> > > >
> > >
> > > So your rule file doesn't get read at all... Have you
> shown us the
> > > snippet of your MailScanner.conf where you use it? Could
> you do so?
> > > Also, have you run a "MailScanner --lint" and shown us
> that output? Please
> > do...
> > >
> > > Cheers
> > > --
> > > -- Glenn
> > > email: glenn < dot > steen < at > gmail < dot > com
> > > work: glenn < dot > steen < at > ap1 < dot > se
> > > --
> > > MailScanner mailing list
> > > mailscanner@lists.mailscanner.info
> > >
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > >
> > > Before posting, read http://wiki.mailscanner.info/posting
> > >
> > > Support MailScanner development - buy the book off the website!
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From rcooper at dwford.com Fri Apr 4 23:28:52 2008
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Apr 4 23:29:04 2008
Subject: Old free Bitdefender and hit rate
In-Reply-To:
References:
Message-ID: <024f01c896a3$42fb24d0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
> Sent: Friday, April 04, 2008 4:05 PM
> To: mailscanner@lists.mailscanner.info
> Subject: Old free Bitdefender and hit rate
>
> Just out of curiosity, has anyone that is still running the old free version
> of bitdefender (BDC/Linux-Console v7.1 (build 2559)) still been getting virus
> hits with it?
>
> I haven't seen anything hit with it for 6 months or so, even though it still
> updates and shows current.
>

I mentioned this a looong time ago. Running from the command line it will
hit but from within MS it does not. IIRC it doesn't even hit EICAR.

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From rcooper at dwford.com Fri Apr 4 23:33:45 2008
From: rcooper at dwford.com (Rick Cooper)
Date: Fri Apr 4 23:34:22 2008
Subject: False Positive, How do I resolve this?
In-Reply-To: <610C64469748E84DB6BDD5BD23F01A76180313@MED-CORE03-MS1.med.wayne.edu>
References: <47F62636.1040206@ecs.soton.ac.uk><07b601c89668$0a7b3130$1f719390$@com><610C64469748E84DB6BDD5BD23F01A761802FC@MED-CORE03-MS1.med.wayne.edu><47F650D5.6080900@evi-inc.com> <610C64469748E84DB6BDD5BD23F01A76180313@MED-CORE03-MS1.med.wayne.edu>
Message-ID: <025001c896a3$f1dfc9b0$0301a8c0@SAHOMELT>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rose, Bobby
> Sent: Friday, April 04, 2008 1:18 PM
> To: MailScanner discussion
> Subject: RE: False Positive, How do I resolve this?
>
> Password protect zip unless you are blocking that.
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt Kettler
> Sent: Friday, April 04, 2008 12:01 PM
> To: MailScanner discussion
> Subject: Re: False Positive, How do I resolve this?
>
> Rose, Bobby wrote:
> > Zip or rename the files without all those periods.
>
> They are in a zipfile, as per Vernon's original message.
>
> However, MailScanner by default digs into zipfiles and applies filename
> rules there. So zipping won't help you with a MailScanner config where
> "Maximum Archive Depth" isn't set to 0.
>

I think the answer is that Julian takes my ArchivedFileName and
ArchivedFileType rules patch and mainstreams it. Then you can have completely
different (read relaxed) rules for files within archives.

Of course I am prejudiced because that would save me having to re-patch every
time I build MailScanner |-)

Rick

> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Vernon Webb
> > Sent: Friday, April 04, 2008 11:25 AM
> > To: 'MailScanner discussion'
> > Subject: False Positive, How do I resolve this?
> >
> > I have a client who sends email attachments in a zip file. The files
> > (as you can see below) are named the way the client needs them to be.
> > How do I get around this?

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From ssilva at sgvwater.com Fri Apr 4 23:50:53 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Fri Apr 4 23:51:52 2008
Subject: False Positive, How do I resolve this?
In-Reply-To: <47F6A395.6030006@ecs.soton.ac.uk>
References: <47F62636.1040206@ecs.soton.ac.uk> <07b601c89668$0a7b3130$1f719390$@com><610C64469748E84DB6BDD5BD23F01A761802FC@MED-CORE03-MS1.med.wayne.edu> <47F650D5.6080900@evi-inc.com> <610C64469748E84DB6BDD5BD23F01A76180313@MED-CORE03-MS1.med.wayne.edu> <47F6737D.4050309@evi-inc.com> <47F6A395.6030006@ecs.soton.ac.uk>
Message-ID:

on 4-4-2008 2:54 PM Julian Field spake the following:
>
>
> Matt Kettler wrote:
>> Rose, Bobby wrote:
>>> Password protect zip unless you are blocking that.
>>
>> That shouldn't matter either. It might stop it, but it shouldn't.
>>
>> You can still read the filenames of a password protected zipfile
>> without the password, so there's no technical reason why MailScanner
>> can't still apply filename rules to encrypted zipfiles.
> And indeed it does. You can even switch it on and off, of course :-)
> Straight out of MailScanner.conf:
>
> # Normally, you can still get the filenames out of a password-protected
> # archive, despite the encryption. So by default filename checks are still
> # done on these files. However, some people want to suppress this checking
> # as they allow a few people to receive password-protected archives that
> # contain things such as .exe's as part of their business needs. This option
> # can be used to suppress filename checks inside password-protected archives.
> # This can also be the filename of a ruleset.
> Check Filenames In Password-Protected Archives = yes
>
> Jules
>
The only thing with that is there were password protected zip files with exe's
that were virulent malware. So an admin needs to weigh this very carefully.

"There is no such thing as "user proof". The best you can hope for is "user
resistant".

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080404/de03c64b/signature.bin From ssilva at sgvwater.com Sat Apr 5 00:45:03 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Sat Apr 5 00:45:46 2008 Subject: MailScanner ignoring some rules In-Reply-To: <024e01c896a2$ef080e10$0301a8c0@SAHOMELT> References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br><47F46B28.2050507@vanderkooij.org><47F53B57.1070307@ecs.soton.ac.uk><8F1DE832AFD34082A4D0CB25E4E7D7E7@TWDNB03><223f97700804040109p3a5d97a5w439ef4d77ba879b1@mail.gmail.com> <223f97700804041120q3eaf3f90j4a0cce865e66b12@mail.gmail.com> <024e01c896a2$ef080e10$0301a8c0@SAHOMELT> Message-ID: on 4-4-2008 3:26 PM Rick Cooper spake the following: > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > Behalf Of Glenn Steen > > Sent: Friday, April 04, 2008 2:20 PM > > To: MailScanner discussion > > Subject: Re: MailScanner ignoring some rules > > > > Sorry all, for the top post... a bit too tipsy to really > > safely (snip) > > with even a virtual scissor...:-) > > > > That all _looks_ mostly OK... So, plan B... You've never used another > > system to edit the MailScanner.conf or rules file? Like crappy > > windoze? If so, there might be "non-printable" characters on the end > > of the line (like a spurious )... Then again, I thought > > the --lint > > would catch that... Oh well. > > > > Cheers > > -- Glenn > > Hey, Glenn, 99.9% of the time I edit all my *nix files with a windows only > program. Boxer text editor. Been using it since it was a little dos pup. > It's a really nice editor geared primarily towards programming and it > handles DOS, Unix and MAC files as it sees them and I have the default save > mode set to unix. 
Since I haven't the luxury of choosing my primary desktop > OS I find boxer invaluable as all my servers (except 3 vendor managed > specialty servers) are Linux boxes and with it's built in ftp open/save and > projects I can't imagine living without it. > > BTW: You have given me a great idea, instead of worrying about running out > of my Oxicotin, Percocet and vicodon I should just grab a bottle of Jack or > 151 and I bet I can keep the pain down all weekend long without a single > pill! ;->) > >I usually use winscp to access and edit my systems if I don't just ssh in with putty and us vim on them. I too have to be stuck on a windows machine because that is what my user base is on. I can't have something better, they would get jealous!! But I'm on the same page with the "liquid painkiller"!! ;-P Now just an hour on the train and 10 minutes to home, and I'm there.. Hurry up 5:00!!! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080404/40ea5ceb/signature.bin From ssilva at sgvwater.com Sat Apr 5 00:46:44 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Sat Apr 5 00:50:13 2008 Subject: Old free Bitdefender and hit rate In-Reply-To: <024f01c896a3$42fb24d0$0301a8c0@SAHOMELT> References: <024f01c896a3$42fb24d0$0301a8c0@SAHOMELT> Message-ID: on 4-4-2008 3:28 PM Rick Cooper spake the following: > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > Behalf Of Scott Silva > > Sent: Friday, April 04, 2008 4:05 PM > > To: mailscanner@lists.mailscanner.info > > Subject: Old free Bitdefender and hit rate > > > > Just out of curiosity, has anyone that is still running the > > old free version > > of bitdefender (BDC/Linux-Console v7.1 (build 2559))still > > been getting virus > > hits with it? > > > > I haven't seen anything hit with it for 6 months or so, even > > though it still > > updates and shows current. > > > > I mentioned this a looong time ago. Running from the command line it will > hit but from within MS it does not. IIRC it doesn't even hit EICAR. > > Rick Mine hits eicar just fine, but I'm not too worried about a deluge of "non viruses"! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080404/e617155d/signature.bin From rcooper at dwford.com Sat Apr 5 01:29:22 2008 From: rcooper at dwford.com (Rick Cooper) Date: Sat Apr 5 01:30:05 2008 Subject: MailScanner ignoring some rules In-Reply-To: References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br><47F46B28.2050507@vanderkooij.org><47F53B57.1070307@ecs.soton.ac.uk><8F1DE832AFD34082A4D0CB25E4E7D7E7@TWDNB03><223f97700804040109p3a5d97a5w439ef4d77ba879b1@mail.gmail.com> <223f97700804041120q3eaf3f90j4a0cce865e66b12@mail.gmail.com><024e01c896a2$ef080e10$0301a8c0@SAHOMELT> Message-ID: <027201c896b4$186f34c0$0301a8c0@SAHOMELT> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On > Behalf Of Scott Silva > Sent: Friday, April 04, 2008 7:45 PM > To: mailscanner@lists.mailscanner.info > Subject: Re: MailScanner ignoring some rules > > on 4-4-2008 3:26 PM Rick Cooper spake the following: > > > > > > > -----Original Message----- > > > From: mailscanner-bounces@lists.mailscanner.info > > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > > Behalf Of Glenn Steen > > > Sent: Friday, April 04, 2008 2:20 PM > > > To: MailScanner discussion > > > Subject: Re: MailScanner ignoring some rules > > > > > > Sorry all, for the top post... a bit too tipsy to really > > > safely (snip) > > > with even a virtual scissor...:-) > > > > > > That all _looks_ mostly OK... So, plan B... You've > never used another > > > system to edit the MailScanner.conf or rules file? Like crappy > > > windoze? If so, there might be "non-printable" > characters on the end > > > of the line (like a spurious )... Then again, I thought > > > the --lint > > > would catch that... Oh well. 
> > > > > > Cheers > > > -- Glenn > > > > Hey, Glenn, 99.9% of the time I edit all my *nix files > with a windows only > > program. Boxer text editor. Been using it since it was a > little dos pup. > > It's a really nice editor geared primarily towards > programming and it > > handles DOS, Unix and MAC files as it sees them and I have > the default save > > mode set to unix. Since I haven't the luxury of choosing > my primary desktop > > OS I find boxer invaluable as all my servers (except 3 > vendor managed > > specialty servers) are Linux boxes and with it's built in > ftp open/save and > > projects I can't imagine living without it. > > > > BTW: You have given me a great idea, instead of worrying > about running out > > of my Oxicotin, Percocet and vicodon I should just grab a > bottle of Jack or > > 151 and I bet I can keep the pain down all weekend long > without a single > > pill! ;->) > > > >I usually use winscp to access and edit my systems if I > don't just ssh in with > putty and us vim on them. > I too have to be stuck on a windows machine because that is > what my user base > is on. I can't have something better, they would get jealous!! > > But I'm on the same page with the "liquid painkiller"!! ;-P > > Now just an hour on the train and 10 minutes to home, and I'm there.. > > > Hurry up 5:00!!! > Putty is a life saver in the windows world for sure. I do system maint and such via putty but I like the syntax highlighting and block operations, macros and so forth of a real programmer's editor and Boxer is just hands down the best I have yet to see. It's not a corporate thing that keeps me on windows so much as vendors. For instance the 7 Ford Dealerships the company owns. Ford is totally in bed with Microsoft products so without running windows a technician cannot even access shop manuals or the online tech bulletins. Almost all our banking and finance vendors use ActiveX over Java so there goes accounting and finance. 
I bitch to vendors all the time because were it not for them there wouldn't be
a windows box in the company. Interesting note, we have an older CRM
application written in MS access that used to keep the data files on a window
based box and it was constantly locking up and crashing daily, multiple times,
with six to seven users. They updated to windows XP, same thing. I moved the
data to one of the Samba servers and have never had a call yet in nearly three
years, I almost forget that department exists now.

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From dave.list at pixelhammer.com Sat Apr 5 04:29:13 2008
From: dave.list at pixelhammer.com (DAve)
Date: Sat Apr 5 04:29:57 2008
Subject: SA times out
In-Reply-To: <47F6A16B.5070607@ecs.soton.ac.uk>
References: <47F39721.3000603@ecs.soton.ac.uk> <47F3A36A.10008@ecs.soton.ac.uk> <47F3AA32.50303@ecs.soton.ac.uk> <47F6A16B.5070607@ecs.soton.ac.uk>
Message-ID: <47F6F209.7090704@pixelhammer.com>

Julian Field wrote:
>
>
> Kai Schaetzl wrote:
>> Julian Field wrote on Wed, 02 Apr 2008 16:45:54 +0100:
>>
>>
>>>>> but perhaps a feature request could be a
>>>>> CLI switch to specify the message ID so MS only scans the particular
>>>>> message(s) that you're interested in observing.
>>>>>
>>>> Good idea. I'll take a look. Would a single ID do?
>>>>
>>> All done. It will be in the next release.
>>>
>>
>> Ahm, Julian, now that I have used the MS debugging feature a few times
>> I think being able to grab a single ID may be nice, but not really
>> helpful for a production machine. I have to disable at least MS if I
>> want to debug (otherwise it would "steal" the queue files) and usually
>> this is not done within a few seconds, but takes at least five minutes
>> or more, maybe repeatedly. It would be nice if I could specify an
>> alternative queue directory, so I can run a MailScanner instance in
>> parallel to the production daemon and debug files from that directory
>> while the normal sendmail/MS operation isn't affected. I think this
>> would be much more helpful than specifying a certain ID.
>>
> You can stop MailScanner completely, then restart the incoming sendmail
> (or whatever MTA you use) so that you are providing email service to
> your users. Then run MailScanner on the particular ID you want to test
> it with. Then when you are happy, resume normal operation.
> Stop everything and start incoming MTA:
>     service MailScanner stop
>     service MailScanner startin
> Run it on 1 id:
>     MailScanner --debug --id=
> Start up everything normally
>     service MailScanner restart
>
> Should solve the problem for you. Saves me writing more code :-)

In my case, in the time it took to run debug four times I gained 400
messages in the queue. I don't get much time to ponder the results. What I
did this week was dump the output to file and then alternate which of the
servers I stopped MS on so as to spread the downtime.

I am considering pushing a VMWare install up on the network and then
installing roundhouse, just for testing with future upgrades. Which is
arguably the smart option.

DAve

--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.
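Added example, not part of the list messages above: a POSIX shell wrapper for the stop / startin / debug / restart sequence quoted in DAve's message, so that scanning is always resumed and the debug output is kept in a file. The `service MailScanner` actions and `MailScanner --debug --id=` come from the thread; the queue-ID character set, the log file handling and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: run the stop / startin / debug / restart sequence from the
# thread for one queue ID, keep the debug output, and always resume scanning.
# Assumed (not from the thread): the queue-ID character set and the log file.

# Accept only characters found in common MTA queue IDs. The script runs as
# root, so an ID must never be readable as an option or carry shell syntax.
valid_queue_id() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# debug_one_message QUEUE_ID [LOGFILE]
# Returns MailScanner's exit status, 1 if the service could not be switched to
# incoming-only mode, or 2 if the queue ID was rejected.
debug_one_message() {
    id="$1"
    log="${2:-}"
    if ! valid_queue_id "$id"; then
        printf 'refusing queue id: %s\n' "$id" >&2
        return 2
    fi
    # mktemp avoids a predictable root-written file name in a shared /tmp.
    if [ -z "$log" ]; then
        log=$(mktemp "${TMPDIR:-/tmp}/mailscanner-debug.XXXXXX") || return 1
    fi
    (
        # However this subshell ends, normal operation is resumed.
        trap 'service MailScanner restart' EXIT
        trap 'exit 130' INT TERM
        service MailScanner stop || exit 1
        service MailScanner startin || exit 1   # MTA keeps accepting mail
        started=$(date +%s)
        rc=0
        MailScanner --debug --id="$id" >"$log" 2>&1 || rc=$?
        printf 'debug run: %ss, exit %s, output in %s\n' \
            "$(( $(date +%s) - started ))" "$rc" "$log" >&2
        exit "$rc"
    )
}

# Stand-alone use: sh debug-one.sh QUEUE_ID [LOGFILE]
if [ "$#" -gt 0 ]; then
    debug_one_message "$@"
fi
```
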
From hvdkooij at vanderkooij.org Sat Apr 5 07:44:45 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Apr 5 07:45:59 2008
Subject: MailScanner ignoring some rules
In-Reply-To: <6FDE866AAB924CC68FC64A2B0E04BBBB@TWDNB03>
References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> <47F46B28.2050507@vanderkooij.org> <47F53B57.1070307@ecs.soton.ac.uk> <6FDE866AAB924CC68FC64A2B0E04BBBB@TWDNB03>
Message-ID: <47F71FDD.4030401@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TecnoWay Digital wrote:
| Julian, another information about my server.
|
| I'm using mailwatch too.
|
| If the mailbox marketing@silmaq.com.br is not set to be scanned,
| why it continue been logged to mailWatch SQL ?
| I imagine the "MailWatch.pm" is called from MailScanner to log only
| scanned messages.

No. You have called upon MS to look at the message. So the message gets
logged by MS. Even when after a minimal glance it decided not to scan
the content for ......

Actually I put a lot of other info in the same table by parsing the
postfix syslog file. Just to make sure I present the whole picture in
the tables for my family.

There are limits to MailWatch 1 and I am not sure how many of them will
be tackled in v2 and whether or not I will actually ever use MailWatch v2.
But that is a discussion for another mailing list.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
From hvdkooij at vanderkooij.org Sat Apr 5 08:06:15 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Apr 5 08:07:20 2008
Subject: Error when update Geoip
In-Reply-To: <47F4ABD6.8040505@ecs.soton.ac.uk>
References: <20080403091800.C35B0233C8@ws5-3.us4.outblaze.com> <47F4ABD6.8040505@ecs.soton.ac.uk>
Message-ID: <47F724E7.8040607@vanderkooij.org>

Julian Field wrote:
| Please ask on the MailWatch mailing list, not this one.

Better yet. Read the documentation on the MailWatch website. This is
listed as a known issue and solutions are provided.

The original sender has lost many many karma points.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From hvdkooij at vanderkooij.org Sat Apr 5 08:09:59 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Apr 5 08:10:46 2008
Subject: detect executables embedded inside MS Office documents?
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D030A03EC01@inex3.herffjones.hj-int>
References: <57573D714A832C43B9D80EAFBDA48D030A03EC01@inex3.herffjones.hj-int>
Message-ID: <47F725C7.4070103@vanderkooij.org>

Furnish, Trever G wrote:
| Anyone know a way to get MailScanner/SA to detect executables embedded
| within Microsoft Office documents? We've had a word file come in with a
| .scr file embedded inside, wasn't detected by antivirus, but was
| definitely malware. Would love to be able to block files embedded into
| office docs based on file extension / file type. Didn't even know it
| was possible to do that (embed an executable inside a word file) until
| today.

How will an open source community work with closed source solutions?
Perhaps it is safer to block them altogether.

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

From hvdkooij at vanderkooij.org Sat Apr 5 08:13:08 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sat Apr 5 08:13:49 2008
Subject: False Positive, How do I resolve this?
In-Reply-To: <07b601c89668$0a7b3130$1f719390$@com>
References: <47F62636.1040206@ecs.soton.ac.uk> <07b601c89668$0a7b3130$1f719390$@com>
Message-ID: <47F72684.3000502@vanderkooij.org>

Vernon Webb wrote:
| I have a client who sends email attachments in a zip file. The files (as you
| can see below) are named the way the client needs them to be. How do I get
| around this?

By stealing a thread on a mailing list. Evidence provided by your own
message:

References: <47F62636.1040206@ecs.soton.ac.uk>
In-Reply-To:

Hugo.

--
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
From glenn.steen at gmail.com Sat Apr 5 08:40:43 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Apr 5 08:41:19 2008
Subject: Another question about rulesets...
In-Reply-To: <47F69FED.5070003@ecs.soton.ac.uk>
References: <47F69FED.5070003@ecs.soton.ac.uk>
Message-ID: <223f97700804050040h681db447w4cb9b11e16e9fef3@mail.gmail.com>

On 04/04/2008, Julian Field wrote:
> You are suffering from an inevitable problem when a message has multiple
> recipients. MailScanner does not split messages into 1-recipient-per-message
> itself. If you want to do that, you have to do it separately. This is quite
> possible in MailScanner using 'queue groups' and has been fairly well

Errr... You mean "quite possible in Sendmail..." ;-)

> documented here before. I believe it is possible in other MTAs as well. I
> will leave that to other people to explain to you, once you have told us
> what MTA you are using.

Postfix docs are in the wiki, warts and all:-).

> The other, easier, alternative that *may* do what you want is to use the
> MailScanner.conf setting "Use Default Rules With Multiple Recipients". The
> comments above that explain what its effects are.
>
> Hope that helps get you going in the right direction,
> Jules.
>
(snip)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sat Apr 5 08:45:32 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Apr 5 08:46:06 2008
Subject: Old free Bitdefender and hit rate
In-Reply-To:
References:
Message-ID: <223f97700804050045s52c06609xae5218dbef76467@mail.gmail.com>

On 04/04/2008, Scott Silva wrote:
> Just out of curiosity, has anyone that is still running the old free version
> of bitdefender (BDC/Linux-Console v7.1 (build 2559)) still been getting virus
> hits with it?
>
> I haven't seen anything hit with it for 6 months or so, even though it
> still updates and shows current.
>
Yes, but few and far apart... Not that much worse than McAfee, but ...
ClamAV is king, and MailScanner itself get to lock quite a few of the
fast-mutating stuff. Thank God (a.k.a. Jules...?:-) for filetype/name
blocking.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sat Apr 5 08:51:12 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Apr 5 08:51:47 2008
Subject: Old free Bitdefender and hit rate
In-Reply-To: <024f01c896a3$42fb24d0$0301a8c0@SAHOMELT>
References: <024f01c896a3$42fb24d0$0301a8c0@SAHOMELT>
Message-ID: <223f97700804050051h69fa47cfu6378e4f95d336bc7@mail.gmail.com>

On 05/04/2008, Rick Cooper wrote:
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
> > Sent: Friday, April 04, 2008 4:05 PM
> > To: mailscanner@lists.mailscanner.info
> > Subject: Old free Bitdefender and hit rate
> >
> > Just out of curiosity, has anyone that is still running the old free version
> > of bitdefender (BDC/Linux-Console v7.1 (build 2559)) still been getting virus
> > hits with it?
> >
> > I haven't seen anything hit with it for 6 months or so, even though it still
> > updates and shows current.
> >
>
> I mentioned this a looong time ago. Running from the command line it will
> hit but from within MS it does not. IIRC it doesn't even hit EICAR.
>
> Rick
>
Hm, strange. Mine hits things like Kobca (or whatever it's named... Not
at the machine ATM...) the occasional old MyDoom etc. I can probably
massage my MailWatch maillog table for some real stats, not just my
foggy recollections...:-) But however foggy they are, it's been
hitting within the last 6 months, that is for sure.

Anyway, it's just a matter of time before this one is completely
obsoleted. Since it is a CPU pig, one should probably look elsewhere
for a secondary/tertiary scanner... Even if one has it, and it still
works... after a fashion. On my very long TODO-list. Sigh.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From glenn.steen at gmail.com Sat Apr 5 08:57:51 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Apr 5 08:58:26 2008
Subject: MailScanner ignoring some rules
In-Reply-To:
References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> <47F46B28.2050507@vanderkooij.org> <47F53B57.1070307@ecs.soton.ac.uk> <8F1DE832AFD34082A4D0CB25E4E7D7E7@TWDNB03> <223f97700804040109p3a5d97a5w439ef4d77ba879b1@mail.gmail.com> <223f97700804041120q3eaf3f90j4a0cce865e66b12@mail.gmail.com>
Message-ID: <223f97700804050057v7d8a662q5e20c63ff16c648a@mail.gmail.com>

On 04/04/2008, Scott Silva wrote:
> on 4-4-2008 11:20 AM Glenn Steen spake the following:
>
> > Sorry all, for the top post... a bit too tipsy to really safely (snip)
> > with even a virtual scissor...:-)
> >
>
> Happy Friday, Glenn!!
>
There's always something to celebrate....:-) This time it was "first
day this week that I didn't need work underpaid(!!!) overtime"...
It's been a b*tch of a week. Again.
So friday just couldn't come quite fast eenough:-):-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Apr 5 09:04:33 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Apr 5 09:05:09 2008 Subject: MailScanner ignoring some rules In-Reply-To: <024e01c896a2$ef080e10$0301a8c0@SAHOMELT> References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> <47F46B28.2050507@vanderkooij.org> <47F53B57.1070307@ecs.soton.ac.uk> <8F1DE832AFD34082A4D0CB25E4E7D7E7@TWDNB03> <223f97700804040109p3a5d97a5w439ef4d77ba879b1@mail.gmail.com> <223f97700804041120q3eaf3f90j4a0cce865e66b12@mail.gmail.com> <024e01c896a2$ef080e10$0301a8c0@SAHOMELT> Message-ID: <223f97700804050104j3d8954ecq78be7cfed37d96d6@mail.gmail.com> On 05/04/2008, Rick Cooper wrote: > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > Behalf Of Glenn Steen > > Sent: Friday, April 04, 2008 2:20 PM > > To: MailScanner discussion > > Subject: Re: MailScanner ignoring some rules > > > > > Sorry all, for the top post... a bit too tipsy to really > > safely (snip) > > with even a virtual scissor...:-) > > > > That all _looks_ mostly OK... So, plan B... You've never used another > > system to edit the MailScanner.conf or rules file? Like crappy > > windoze? If so, there might be "non-printable" characters on the end > > of the line (like a spurious )... Then again, I thought > > the --lint > > would catch that... Oh well. > > > > Cheers > > -- Glenn > > > Hey, Glenn, 99.9% of the time I edit all my *nix files with a windows only > program. Haha, don't you pretend you don't know what I mean....:-) > Boxer text editor. Been using it since it was a little dos pup. 
> It's a really nice editor geared primarily towards programming and it > handles DOS, Unix and MAC files as it sees them and I have the default save > mode set to unix. Since I haven't the luxury of choosing my primary desktop > OS I find boxer invaluable as all my servers (except 3 vendor managed > specialty servers) are Linux boxes and with it's built in ftp open/save and > projects I can't imagine living without it. On the Windoze box sitting on my desktop (no, I don't get to choose that one... It is compensated by being flanked by 7 linux/unix boxes, with more just a PuTTY/VNC away...) I of course have both Vim and Emacs. Wouldn't survive without them! As usual when it comes to editors... it is what you're used/whatever works for you ... that matters:-). And as said, you know full well that some will use the useless Notepad or similar idiotic app... that will insert gratuitous malformed line endings. > BTW: You have given me a great idea, instead of worrying about running out > of my Oxicotin, Percocet and vicodon I should just grab a bottle of Jack or > 151 and I bet I can keep the pain down all weekend long without a single > pill! ;->) > (snip... Yeah, sober now) Watch it... We're going to get in trouble with Hugo now....:-). 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Sat Apr 5 09:21:55 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Sat Apr 5 09:22:31 2008 Subject: MailScanner ignoring some rules In-Reply-To: <027201c896b4$186f34c0$0301a8c0@SAHOMELT> References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> <47F53B57.1070307@ecs.soton.ac.uk> <8F1DE832AFD34082A4D0CB25E4E7D7E7@TWDNB03> <223f97700804040109p3a5d97a5w439ef4d77ba879b1@mail.gmail.com> <223f97700804041120q3eaf3f90j4a0cce865e66b12@mail.gmail.com> <024e01c896a2$ef080e10$0301a8c0@SAHOMELT> <027201c896b4$186f34c0$0301a8c0@SAHOMELT> Message-ID: <223f97700804050121i426a0a30k390de1a009b90682@mail.gmail.com> On 05/04/2008, Rick Cooper wrote: > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > > Behalf Of Scott Silva > > Sent: Friday, April 04, 2008 7:45 PM > > To: mailscanner@lists.mailscanner.info > > Subject: Re: MailScanner ignoring some rules > > > > on 4-4-2008 3:26 PM Rick Cooper spake the following: > > > > > > > > > > -----Original Message----- > > > > From: mailscanner-bounces@lists.mailscanner.info > > > > [mailto:mailscanner-bounces@lists.mailscanner.info] On > > > > Behalf Of Glenn Steen > > > > Sent: Friday, April 04, 2008 2:20 PM > > > > To: MailScanner discussion > > > > Subject: Re: MailScanner ignoring some rules > > > > > > > > Sorry all, for the top post... a bit too tipsy to really > > > > safely (snip) > > > > with even a virtual scissor...:-) > > > > > > > > That all _looks_ mostly OK... So, plan B... You've > > never used another > > > > system to edit the MailScanner.conf or rules file? Like crappy > > > > windoze? If so, there might be "non-printable" > > characters on the end > > > > of the line (like a spurious )... 
Then again, I thought > > > > the --lint > > > > would catch that... Oh well. > > > > > > > > Cheers > > > > -- Glenn > > > > > > Hey, Glenn, 99.9% of the time I edit all my *nix files > > with a windows only > > > program. Boxer text editor. Been using it since it was a > > little dos pup. > > > It's a really nice editor geared primarily towards > > programming and it > > > handles DOS, Unix and MAC files as it sees them and I have > > the default save > > > mode set to unix. Since I haven't the luxury of choosing > > my primary desktop > > > OS I find boxer invaluable as all my servers (except 3 > > vendor managed > > > specialty servers) are Linux boxes and with it's built in > > ftp open/save and > > > projects I can't imagine living without it. > > > > > > BTW: You have given me a great idea, instead of worrying > > about running out > > > of my Oxicotin, Percocet and vicodon I should just grab a > > bottle of Jack or > > > 151 and I bet I can keep the pain down all weekend long > > without a single > > > pill! ;->) > > > > > >I usually use winscp to access and edit my systems if I > > don't just ssh in with > > putty and us vim on them. > > I too have to be stuck on a windows machine because that is > > what my user base > > is on. I can't have something better, they would get jealous!! > > > > But I'm on the same page with the "liquid painkiller"!! ;-P > > > > Now just an hour on the train and 10 minutes to home, and I'm there.. > > > > > > Hurry up 5:00!!! > > > > > > Putty is a life saver in the windows world for sure. I do system maint and > such via putty but I like the syntax highlighting and block operations, > macros and so forth of a real programmer's editor and Boxer is just hands > down the best I have yet to see. vim/emacs (yeah, I'm weird that way... I use either... equally well...) can do that for me. As said, whatever works for you:-). vi/vim is always there... no need to scp anything anywhere... 
just to tap-tap-tap away...:-) > It's not a corporate thing that keeps me on windows so much as vendors. For > instance the 7 Ford Dealerships the company owns. Ford is totally in bed > with Microsoft products so without running windows a technician cannot even > access shop manuals or the online tech bulletins. Almost all our banking and > finance vendors use ActiveX over Java so there goes accounting and finance. > I bitch to vendors all the time because were it not for them there wouldn't > be a windows box in the company. My users are heavily into Reuters, Bloomberg, SimCorp Dimension etc etc (all big-wigs in the financial sector)... which are pretty much in bed with M$ too. Frustrating, that... And the PHB has foisted (quite a few years back) M-Sexchange on us... So in my case ... it is company policy that decree I must do things this way. Sigh. Compensating with a *lot* of alternative systems helps a bit though:-). > Interesting note, we have a older CRM application written in MS access that > used to keep the data files on a window based box and it was constantly > locking up and crashing daily, multiple times, with six ti seven users. They 67 or 6-7? > updated to windows XP, same thing. I moved the data to one of the Samba > servers and have never had a call yet in nearly three years, I almost forget > that department exists now. :-) Love your Samba... And it'll love you:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From butler at globeserver.com Sat Apr 5 11:56:04 2008 From: butler at globeserver.com (Philip Butler) Date: Sat Apr 5 11:57:16 2008 Subject: Another question about rulesets... 
In-Reply-To: <223f97700804050040h681db447w4cb9b11e16e9fef3@mail.gmail.com> References: <47F69FED.5070003@ecs.soton.ac.uk> <223f97700804050040h681db447w4cb9b11e16e9fef3@mail.gmail.com> Message-ID: <231ABE57-C7A4-4D4E-94AB-0A9B3FABA40D@globeserver.com> I am running sendmail - how does one get sendmail to split messages into 1 recipient per message ?? Thanks, Phil On Apr 5, 2008, at 3:40 AM, Glenn Steen wrote: > On 04/04/2008, Julian Field wrote: >> You are suffering from an inevitable problem when a message has >> multiple >> recipients. MailScanner does not split messages into 1-recipient- >> per-message >> itself. If you want to do that, you have to do it separately. This >> is quite >> possible in MailScanner using 'queue groups' and has been fairly well > Errr... You mean "quite possible in Sendmail..." ;-) > >> documented here before. I believe it is possible in other MTAs as >> well. I >> will leave that to other people to explain to you, once you have >> told us >> what MTA you are using. > Postfix docs are in the wiki, warts and all:-). > >> The other, easier, alternative that *may* do what you want is to >> use the >> MailScanner.conf setting "Use Default Rules With Multiple >> Recipients". The >> comments above that explain what its effects are. >> >> Hope that helps get you going in the right direction, >> Jules. >> > (snip) > > Cheers > -- > -- Glenn > email: glenn < dot > steen < at > gmail < dot > com > work: glenn < dot > steen < at > ap1 < dot > se > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
From maillists at conactive.com Sat Apr 5 12:31:19 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Apr 5 12:32:09 2008
Subject: SA times out
In-Reply-To: <47F6A16B.5070607@ecs.soton.ac.uk>
References: <47F39721.3000603@ecs.soton.ac.uk> <47F3A36A.10008@ecs.soton.ac.uk> <47F3AA32.50303@ecs.soton.ac.uk> <47F6A16B.5070607@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Fri, 04 Apr 2008 22:45:15 +0100:

> You can stop MailScanner completely, then restart the incoming sendmail
> (or whatever MTA you use) so that you are providing email service to
> your users. Then run MailScanner on the particular ID you want to test
> it with. Then when you are happy, resume normal operation.

That is what I did (just killall MailScanner), but you can have a few
mails piling up there ;-) With the option of a separate queue directory
you have "all the time of the world".

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From glenn.steen at gmail.com Sat Apr 5 12:32:34 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Sat Apr 5 12:33:15 2008
Subject: Another question about rulesets...
In-Reply-To: <231ABE57-C7A4-4D4E-94AB-0A9B3FABA40D@globeserver.com>
References: <47F69FED.5070003@ecs.soton.ac.uk> <223f97700804050040h681db447w4cb9b11e16e9fef3@mail.gmail.com> <231ABE57-C7A4-4D4E-94AB-0A9B3FABA40D@globeserver.com>
Message-ID: <223f97700804050432n653d0f41t87f6b93a39dc73a9@mail.gmail.com>

On 05/04/2008, Philip Butler wrote:
> I am running sendmail - how does one get sendmail to split messages into 1
> recipient per message ??
That's in the wiki too....:
http://wiki.mailscanner.info/doku.php?id=documentation:configuration:mta:sendmail:how_to:split_mails_per_recipient

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From maillists at conactive.com Sat Apr 5 14:31:14 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Sat Apr 5 14:32:05 2008
Subject: SA times out
In-Reply-To: <47F6A2B4.70706@ecs.soton.ac.uk>
References: <47F39721.3000603@ecs.soton.ac.uk> <223f97700804040057j39668387sad309a47257d7722@mail.gmail.com> <47F655F3.8000903@ecs.soton.ac.uk> <47F6A2B4.70706@ecs.soton.ac.uk>
Message-ID:

Julian Field wrote on Fri, 04 Apr 2008 22:50:44 +0100:

> Hopefully that explains what you see happening.

Yeah, thanks for the explanation. Although it doesn't explain why it takes
longer via MS than via command-line. Anyway, those messages get caught now
after I upped the timeout from 120 to 240 seconds.

Have a nice weekend, Jules!

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From MailScanner at ecs.soton.ac.uk Sat Apr 5 15:19:12 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sat Apr 5 15:20:02 2008
Subject: False Positive, How do I resolve this?
In-Reply-To: <025001c896a3$f1dfc9b0$0301a8c0@SAHOMELT>
References: <47F62636.1040206@ecs.soton.ac.uk><07b601c89668$0a7b3130$1f719390$@com><610C64469748E84DB6BDD5BD23F01A761802FC@MED-CORE03-MS1.med.wayne.edu><47F650D5.6080900@evi-inc.com> <610C64469748E84DB6BDD5BD23F01A76180313@MED-CORE03-MS1.med.wayne.edu> <025001c896a3$f1dfc9b0$0301a8c0@SAHOMELT>
Message-ID: <47F78A60.8020703@ecs.soton.ac.uk>

Rick Cooper wrote:
>
> >
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rose, Bobby
> > Sent: Friday, April 04, 2008 1:18 PM
> > To: MailScanner discussion
> > Subject: RE: False Positive, How do I resolve this?
> > > > Password protect zip unless you are blocking that. > > > > > > -----Original Message----- > > From: mailscanner-bounces@lists.mailscanner.info > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Matt > > Kettler > > Sent: Friday, April 04, 2008 12:01 PM > > To: MailScanner discussion > > Subject: Re: False Positive, How do I resolve this? > > > > Rose, Bobby wrote: > > > Zip or rename the files without all those periods. > > > > They are in a zipfile, as per Vernon's original message. > > > > However, MailScanner by default digs into zipfiles and > > applies filename > > rules there. So zipping won't help you with a MailScanner > > config where > > "Maximum Archive Depth" isn't set to 0. > > > > > > I think the answer is that Julian takes my ArchivedFileName and > ArchivedFileType rules patch and mainstreams it. Then you can have > completely different (read relaxed) rules for files within archives. Personally, I think that the extra complexity this adds to understanding MailScanner for new guys is not really worth it for the number of people that really need this level of extra functionality. You can already switch on and off the filename checking within password-protected archives, I think that's enough for 99.9% of people. Sorry. > Of > course I am prejudiced because that would save me having to re-patch every > time I build MailScanner |-) > > > > Rick > > > > > > > -----Original Message----- > > > From: mailscanner-bounces@lists.mailscanner.info > > > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > > > Vernon Webb > > > Sent: Friday, April 04, 2008 11:25 AM > > > To: 'MailScanner discussion' > > > Subject: False Positive, How do I resolve this? > > > > > > I have a client who sends email attachments in a zip file. > > The files > > > (as you can see below) are named the way the client needs > > them to be. > > > How do I get around this? 
> > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > > > > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From MailScanner at ecs.soton.ac.uk Sat Apr 5 15:23:04 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Apr 5 15:23:23 2008 Subject: SA times out In-Reply-To: <47F6F209.7090704@pixelhammer.com> References: <47F39721.3000603@ecs.soton.ac.uk> <47F3A36A.10008@ecs.soton.ac.uk> <47F3AA32.50303@ecs.soton.ac.uk> <47F6A16B.5070607@ecs.soton.ac.uk> <47F6F209.7090704@pixelhammer.com> Message-ID: <47F78B48.4080307@ecs.soton.ac.uk> DAve wrote: > Julian Field wrote: >> >> >> Kai Schaetzl wrote: >>> Julian Field wrote on Wed, 02 Apr 2008 16:45:54 +0100: >>> >>> >>>>>> but perhaps a feature request could be a >>>>>> CLI switch to specify the message ID so MS only scans the particular >>>>>> message(s) that you're interested in observing. >>>>>> >>>>> Good idea. I'll take a look. Would a single ID do? >>>>> >>>> All done. It will be in the next release. >>>> >>> >>> Ahm, Julian, now that I have used the MS debugging feature a few >>> times I think being able to grab a single ID may be nice, but not >>> really helpful for a production machine. I have to disable at least >>> MS if I want to debug (otherwise it would "steal" the queue files) >>> and usually this is not done within a few seconds, but takes at >>> least five minutes or more, maybe repeatedly. It would be nice if I >>> could specify an alternative queue directory, so I can run a >>> MailScanner instance in parallel to the production daemon and debug >>> files from that directory while the normal sendmail/MS operation >>> isn't affected. I think this would be much more helpful than >>> specifying a certain ID. >>> >> You can stop MailScanner completely, then restart the incoming >> sendmail (or whatever MTA you use) so that you are providing email >> service to your users. Then run MailScanner on the particular ID you >> want to test it with. Then when you are happy, resume normal operation. 
>> Stop everything and start incoming MTA: >> service MailScanner stop >> service MailScanner startin >> Run it on 1 id: >> MailScanner --debug --id= >> Start up everything normally >> service MailScanner restart >> >> Should solve the problem for you. Saves me writing more code :-) > > In my case, in the time it took to run debug four times I gained 400 > messages in the queue. I don't get much time to ponder the results. > What I did this week was dump the output to file and then alternate > which of the servers I stopped MS on so as to spread the downtime. > > I am considering pushing a VMWare install up on the network and then > installing roundhouse, just for testing with future upgrades. Which is > arguably the smart option. milter-bcc is a simple solution that roundhouse, much faster to setup. You just put in a mailertable entry for the recipient you bcc to, can be any domain name you make up. That's what I do (except I didn't know about milter-bcc at the time so use a home-grown version of it written in a few lines of Perl). Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Sat Apr 5 15:25:49 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Apr 5 15:26:08 2008 Subject: detect executables embedded inside MS Office documents? 
In-Reply-To: <47F725C7.4070103@vanderkooij.org>
References: <57573D714A832C43B9D80EAFBDA48D030A03EC01@inex3.herffjones.hj-int> <47F725C7.4070103@vanderkooij.org>
Message-ID: <47F78BED.5020606@ecs.soton.ac.uk>

Hugo van der Kooij wrote:
> * PGP Signed by an unverified key: 04/05/08 at 08:09:57
>
> Furnish, Trever G wrote:
> | Anyone know a way to get MailScanner/SA to detect executables embedded
> | within Microsoft Office documents? We've had a word file come in with a
> | .scr file embedded inside, wasn't detected by antivirus, but was
> | definitely malware. Would love to be able to block files embedded into
> | office docs based on file extension / file type. Didn't even know it
> | was possible to do that (embed an executable inside a word file) until
> | today.
>
> How will an open source community work with closed source solutions?
> Perhaps it safer to block them all together.

There are open-source programs that can extract information from OLE
documents (i.e. up to Office 2004). I suspect there is not a problem with
Office 2007/2008 documents as they are just zip archives.

I just wish I could remember the names of any of the stuff that reads OLE
documents...

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From dyioulos at firstbhph.com Sat Apr 5 15:40:39 2008
From: dyioulos at firstbhph.com (Dimitri Yioulos)
Date: Sat Apr 5 15:41:23 2008
Subject: Old free Bitdefender and hit rate
In-Reply-To: <024f01c896a3$42fb24d0$0301a8c0@SAHOMELT>
References: <024f01c896a3$42fb24d0$0301a8c0@SAHOMELT>
Message-ID: <20080405143624.M36381@firstbhph.com>

On Fri, 4 Apr 2008 18:28:52 -0400, Rick Cooper wrote
> > -----Original Message-----
> > From: mailscanner-bounces@lists.mailscanner.info
> > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva
> > Sent: Friday, April 04, 2008 4:05 PM
> > To: mailscanner@lists.mailscanner.info
> > Subject: Old free Bitdefender and hit rate
> >
> > Just out of curiosity, has anyone that is still running the old free version
> > of bitdefender (BDC/Linux-Console v7.1 (build 2559)) still been getting virus
> > hits with it?
> >
> > I haven't seen anything hit with it for 6 months or so, even though it still
> > updates and shows current.
> >
>
> I mentioned this a looong time ago. Running from the command line it will
> hit but from within MS it does not. IIRC it doesn't even hit EICAR.
>
> Rick
>
> --

At least on our system, it does hit Eicar via MailScanner lint, for what
that's worth. Ours is a small system, though, and rarely do we see
email-borne viruses hit, regardless of the anti-virus system we have in
place. So, I can't really say whether Bitdefender is working or not. Maybe
it's providing a false sense of security.

Dimitri

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From MailScanner at ecs.soton.ac.uk Sat Apr 5 15:57:51 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Sat Apr 5 15:58:49 2008 Subject: SA times out In-Reply-To: References: <47F39721.3000603@ecs.soton.ac.uk> <47F3A36A.10008@ecs.soton.ac.uk> <47F3AA32.50303@ecs.soton.ac.uk> <47F6A16B.5070607@ecs.soton.ac.uk> Message-ID: <47F7936F.6080401@ecs.soton.ac.uk> Kai Schaetzl wrote: > Julian Field wrote on Fri, 04 Apr 2008 22:45:15 +0100: > > >> You can stop MailScanner completely, then restart the incoming sendmail >> (or whatever MTA you use) so that you are providing email service to >> your users. Then run MailScanner on the particular ID you want to test >> it with. Then when you are happy, resume normal operation. >> > > That is what I did (just killall MailScanner), but you can have a few > mails piling up there ;-) With the option of a separate queue directory > you have "all the time of the world". > All done. It will be in the next release. For reference, "MailScanner --help" does what you would expect. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From warren.guy at calorieking.com Sat Apr 5 17:19:00 2008 From: warren.guy at calorieking.com (Warren Guy) Date: Sat Apr 5 17:21:22 2008 Subject: detect executables embedded inside MS Office documents? 
In-Reply-To: <47F78BED.5020606@ecs.soton.ac.uk> References: <57573D714A832C43B9D80EAFBDA48D030A03EC01@inex3.herffjones.hj-int> <47F725C7.4070103@vanderkooij.org> <47F78BED.5020606@ecs.soton.ac.uk> Message-ID: <47F7A674.1040501@calorieking.com> Julian Field wrote: > There are open-source programs that can extract information from OLE > documents (i.e. up to Office 2004). I suspect there is not a problem > with Office 2007/2008 documents as they are just zip archives. > > I just wish I could remember the names of any of the stuff that reads > OLE documents... http://www.pldaniels.com/ripole/ http://search.cpan.org/dist/OLE-Storage_Lite/Storage_Lite.pm There's also the libcole library, but I can't find it on the web -- Warren Guy Senior System Administrator, CalorieKing Direct +61 8 6468 3877 Suite 1, 88 Broadway Tel +61 8 9389 8777 Nedlands WA 6009, Australia Fax +61 8 9389 8444 www.calorieking.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080406/c44501f5/signature.bin From J.Ede at birchenallhowden.co.uk Sat Apr 5 20:53:53 2008 From: J.Ede at birchenallhowden.co.uk (Jason Ede) Date: Sat Apr 5 20:56:37 2008 Subject: SA times out Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C406871CBF7@server02.bhl.local> How about ability to define an action for an email if sa times out? Such as quarantine etc? If could store it in queue format then could easily pipe it back in to ms to debug? jason -----Original Message----- From: Julian Field Sent: 05 April 2008 16:09 To: MailScanner discussion Subject: Re: SA times out Kai Schaetzl wrote: > Julian Field wrote on Fri, 04 Apr 2008 22:45:15 +0100: > > >> You can stop MailScanner completely, then restart the incoming sendmail >> (or whatever MTA you use) so that you are providing email service to >> your users. 
Then run MailScanner on the particular ID you want to test >> it with. Then when you are happy, resume normal operation. >> > > That is what I did (just killall MailScanner), but you can have a few > mails piling up there ;-) With the option of a separate queue directory > you have "all the time of the world". > All done. It will be in the next release. For reference, "MailScanner --help" does what you would expect. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From hvdkooij at vanderkooij.org Sun Apr 6 09:30:37 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Sun Apr 6 09:31:21 2008 Subject: MS+Postfix, Selective HOLD Message-ID: <47F88A2D.9060508@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I have been trying to get my head around this question before. I find that I have a scalability problem that I could resolve if I can put messages on HOLD for MS to pickup only if it is not for a certain recipient. There is one recipient that goes straight into a procmail parser to extract specific information. There is no need to fire up the whole MS circus for each message. This is an automated system that will get 1 message per monitored SMTP server per minute. 
The normal config is:

# Do some header checks
# This includes setting almost anything on hold for MailScanner to pick up
header_checks = regexp:/etc/postfix/regexp/header-checks

So I have tried a number of setups. Most of them failed miserably. This
morning I woke up with what seems to be the answer so I gave it a spin and
here are my findings.

What does work is at the end of my smtpd checks add a table to list
explicit addresses to scan. In the main.cf it looks like:

# Access rules
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
....Long list removed.......
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/hash/valid-recipients

And the hash table explicitly lists everyone for whom MS should be called
upon. Like:

hugo@vanderkooij.org HOLD
hvdkooij@vanderkooij.org HOLD

(I know putting email in the clear scares some people. But if you ever see
a Megalist without these two then do not buy it. ;-)

But the drawback is it only works for a simple setup at home with only a
moderate list of recipients. And where you actually know all the
recipients.

But if you want to have just a few exceptions then you better use regular
expressions. So replace:

    check_recipient_access hash:/etc/postfix/hash/valid-recipients

with:

    check_recipient_access regexp:/etc/postfix/regexp/MailScanner

With /etc/postfix/regexp/MailScanner looking like:

#
# header_checks - Postfix built-in header/body inspection
#
/exclusion@test\.example\.net/ OK
# Everyone else will go through MailScanner!
/.*/ HOLD
# EOF

This does the trick for me. It might work for others.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFH+IorBvzDRVjxmYERAgMyAJ4xhxORHyI5FCR4+SmqBsHF0hEG6ACdEsxF
Rc+yfJOmfToGmB65GW0nQ1I=
=u3N0
-----END PGP SIGNATURE-----

From test at remedial-teacher.nl Sun Apr 6 09:32:05 2008
From: test at remedial-teacher.nl (Test)
Date: Sun Apr 6 09:32:45 2008
Subject: Trouble with Mailscanner after upgrading to 4.68 (plz help)
Message-ID: <20080406102121.B0EE.EE63E960@remedial-teacher.nl>

I decided to upgrade to 4.68 yesterday, and since that upgrade,
mailscanner is not working. (I didn't change anything else on the system)

If I run mailscanner --debug, it shows the following messages:

10:20:16 Building a message batch to scan...
10:20:16 Have a batch of 2 messages.
max message size is '30000'
max message size is '30000'

and stops processing.

In the process list I see the MailScanner process consuming 100% cpu, and
also an awk process with the following parameters:

awk {printf "%s %s\n", strftime("%T"), $0}

It seems that it hangs at that point.

I removed the whole of the mailscanner installation and installed 4.67..

But I still have the same problem (4.67 has been running fine before)

I manually adjusted the MailScanner.conf file to make sure there are no
strange characters or other fuzzy things in there.

I did an strace of the MailScanner --debug session, with the following
last lines which keep on scrolling (debugging did not give any strange
messages or errors):

waitpid(-1, 0xbf9b9b18, WNOHANG) = 0
waitpid(-1, 0xbf9b9b18, WNOHANG) = 0
waitpid(-1, 0xbf9b9b18, WNOHANG) = 0
waitpid(-1, 0xbf9b9b18, WNOHANG) = 0
waitpid(-1, 0xbf9b9b18, WNOHANG) = 0
waitpid(-1, 0xbf9b9b18, WNOHANG) = 0
waitpid(-1, 0xbf9b9b18, WNOHANG) = 0

Anyone ?
--
Test

From hvdkooij at vanderkooij.org Sun Apr 6 10:27:04 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Sun Apr 6 10:27:38 2008
Subject: Trouble with Mailscanner after upgrading to 4.68 (plz help)
In-Reply-To: <20080406102121.B0EE.EE63E960@remedial-teacher.nl>
References: <20080406102121.B0EE.EE63E960@remedial-teacher.nl>
Message-ID: <47F89768.2060705@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Test wrote:
| I decided to upgrade to 4.68 yesterday, and since that upgrade,
| mailscanner is not working. (I didn't change anything else on the system)
|
| If I run mailscanner --debug, it shows the following messages:
|
| 10:20:16 Building a message batch to scan...
| 10:20:16 Have a batch of 2 messages.
| max message size is '30000'
| max message size is '30000'
|
| and stops processing.
|
| In the process list I see the MailScanner process consuming 100% cpu, and
| also an awk process with the following parameters:
|
| awk {printf "%s %s\n", strftime("%T"), $0}
|
| It seems that it hangs at that point.
|
| I removed the whole of the mailscanner installation and installed 4.67..
|
| But I still have the same problem (4.67 has been running fine before)

My guess: A previous change did have an impact on MS. But only if you
restart MS. So it surfaces as a problem with an upgrade but the problem
was introduced (long) before the upgrade. You just were not hit before.

So go over ALL other changes to the system. Whether they are explicit
changes you made or implicit changes made by daily, weekly or monthly cron
jobs for example.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFH+JdmBvzDRVjxmYERAiZEAJ4qFm85L1Go3M9fUpfpr412BTgqPQCdEC4k
vylI+TCpED3f/+KAhs2GFuQ=
=c02i
-----END PGP SIGNATURE-----

From maillists at conactive.com Sun Apr 6 12:31:15 2008
From: maillists at conactive.com (Kai Schaetzl)
Date: Sun Apr 6 12:32:20 2008
Subject: Trouble with Mailscanner after upgrading to 4.68 (plz help)
In-Reply-To: <47F89768.2060705@vanderkooij.org>
References: <20080406102121.B0EE.EE63E960@remedial-teacher.nl> <47F89768.2060705@vanderkooij.org>
Message-ID:

Hugo van der Kooij wrote on Sun, 06 Apr 2008 11:27:04 +0200:

> My guess: A previous change did have an impact on MS. But only if you
> restart MS. So it surfaces as a problem with an upgrade but the problem
> was introduced (long) before the upgrade.

MS restarts every 6 hours or so.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

From test at remedial-teacher.nl Sun Apr 6 13:02:12 2008
From: test at remedial-teacher.nl (Test)
Date: Sun Apr 6 13:05:21 2008
Subject: Trouble with Mailscanner after upgrading to 4.68 (plz help) (SOLVED)
In-Reply-To: <20080406102121.B0EE.EE63E960@remedial-teacher.nl>
References: <20080406102121.B0EE.EE63E960@remedial-teacher.nl>
Message-ID: <20080406140156.B103.EE63E960@remedial-teacher.nl>

Phew, I solved it...

In SA.pm (/usr/lib/MailScanner/MailScanner/SA.pm) comment the line
starting with $result...

# Do a trial run of awk to see if it is going to work on this system.
eval {
#$result = `echo 'Hello,World' | awk '{printf \"%s %s\\n\", strftime(\"%T\"), \$0}' 2>&1`;
#print "Result is \"$result\"\n";

As far as I can tell, it then skips the awk check, and runs as it
should...

--
Test

From MailScanner at ecs.soton.ac.uk Sun Apr 6 16:09:05 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Apr 6 16:09:51 2008
Subject: detect executables embedded inside MS Office documents?
In-Reply-To: <47F7A674.1040501@calorieking.com> References: <57573D714A832C43B9D80EAFBDA48D030A03EC01@inex3.herffjones.hj-int> <47F725C7.4070103@vanderkooij.org> <47F78BED.5020606@ecs.soton.ac.uk> <47F7A674.1040501@calorieking.com> Message-ID: <47F8E791.10709@ecs.soton.ac.uk> Ignore all previous requests for information. I've got enough of it, pretty much. The only thing I cannot handle is inserted OLE "Packages" that contain multiple files. If someone fancies creating one of those and sending it to me, I'll improve the Package parser to cope with it. But it now works with files inserted into Microsoft Office documents just fine. This will be in the next release. I guess it's a fairly major new feature, the ability to extract embedded files from Microsoft Office documents. :-) I think I'm going to have a rest now... Jules. Warren Guy wrote: > Julian Field wrote: >> There are open-source programs that can extract information from OLE >> documents (i.e. up to Office 2004). I suspect there is not a problem >> with Office 2007/2008 documents as they are just zip archives. >> >> I just wish I could remember the names of any of the stuff that reads >> OLE documents... > > http://www.pldaniels.com/ripole/ > > http://search.cpan.org/dist/OLE-Storage_Lite/Storage_Lite.pm > > There's also the libcole library, but I can't find it on the web > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From MailScanner at ecs.soton.ac.uk Sun Apr 6 18:45:37 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Sun Apr 6 18:46:20 2008
Subject: Beta 4.69.1 -- can find files embedded in MS Office docs
Message-ID: <47F90C41.9060401@ecs.soton.ac.uk>

Folks,

I have just released the first beta of version 4.69.

It has a few new features, the most obviously important of which is its
ability to extract files embedded within Microsoft Office documents, and
subject them to the same filename and filetype tests that the contents
of other archives have to pass.

The other new useful things are a couple of new command-line options to
help when debugging systems, notably the "--id" and "--inqueuedir"
options to restrict what messages the MailScanner instance will process.

For the embedded-in-Office-documents tests, I *strongly* recommend you
change your "Maximum Archive Depth" setting to at least 3, or else a lot
of your users will get really annoyed that their files are being
rejected as being nested too deeply within an archive. The
"upgrade_MailScanner_conf" script will warn you of this if it is set to
1 or 2. People who have set this to 0 will obviously be left in peace :-)

Please can you give this release a good hammering, particularly in the
area of the new Microsoft Office document handling.

Download as usual from www.mailscanner.info.

Best regards,

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From richard.siddall at elirion.net Sun Apr 6 20:00:32 2008 From: richard.siddall at elirion.net (Richard Siddall) Date: Sun Apr 6 20:01:16 2008 Subject: Way OT: What's the status of Julian's World Tour? In-Reply-To: <47F25E75.3070508@ecs.soton.ac.uk> References: <47F24E00.6040107@elirion.net> <47F25E75.3070508@ecs.soton.ac.uk> Message-ID: <47F91DD0.8070609@elirion.net> Julian Field wrote: > It's going to have to go on hold for a while, I'm afraid. > I am currently awaiting an appointment date for my assessment week in > hospital in Cambridge, UK, when they will decide if I qualify for a > liver transplant. There is a lot of competition, and if you aren't sick > enough they don't put you on the list. > [snip] I'm beginning to wish I hadn't asked. ;> If they're making you go all the way to Cambridge it sounds like they're sending you to a specialist hospital (maybe Addenbrooke's?), which is good. You don't want someone who's doing his first transplant experimenting on you. I just updated the wiki to say that the US tour didn't take place. Regards, Richard. From glenn.steen at gmail.com Sun Apr 6 20:38:41 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Sun Apr 6 20:39:19 2008 Subject: MS+Postfix, Selective HOLD In-Reply-To: <47F88A2D.9060508@vanderkooij.org> References: <47F88A2D.9060508@vanderkooij.org> Message-ID: <223f97700804061238jd43245bhb766df569190555f@mail.gmail.com> On 06/04/2008, Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > I have been trying to get my head around this question before. I find > that I have a scalability problem that I could resolve if I can put > messages on HOLD for MS to pickup only if it is not for a certain > recipient. > > There is one recipient that goes straight into a procmail parser to > extract specific information. There is no need to fire up the whole MS > circus for each message. This is an automated system that will get 1 > message per monitored SMTP server per minute. 
>
> The normal config is:
> # Do some header checks
> # This includes setting almost anything on hold for MailScanner to pick up
> header_checks = regexp:/etc/postfix/regexp/header-checks
>
> So I have tried a number of setups. Most of them failed miserably.
>
> This morning I woke up with what seems to be the answer so I gave it a
> spin and here are my findings.
>
>
> What does work is at the end of my smtpd checks add a table to list
> explicit addresses to scan. In the main.cf it looks like:
>
> # Access rules
> smtpd_client_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     ....Long list removed.......
>     reject_unauth_destination,
>     check_recipient_access hash:/etc/postfix/hash/valid-recipients
>
> And the hash tables explicit lists everyone for whom MS should be
> called upon. Like:
>
> hugo@vanderkooij.org HOLD
> hvdkooij@vanderkooij.org HOLD
>
> (I know putting email in the clear scares some people. But if you ever
> see a Megalist without these two then do not buy it. ;-)
>
> But the drawback is it only works for a simple setup at home with only a
> moderate list of recipients. And where you actually know all the
> recipients.
>
Actually... If you (as ) already use the relay_recipient_map thing,
it'd be trivial to rewrite the script that generates the
relay_recipient_map to also do an access_map...:). But then again...

>
> But if you want to have just a few exceptions then you better use
> regular expressions.
>
> So replace:
> check_recipient_access hash:/etc/postfix/hash/valid-recipients
>
> with:
> check_recipient_access regexp:/etc/postfix/regexp/MailScanner
>
> With /etc/postfix/regexp/MailScanner looking like:
>
> #
> # header_checks - Postfix built-in header/body inspection
> #
> /exclusion@test\.example\.net/ OK
>
> # Everyone else will go through MailScanner!
> /.*/ HOLD
>
> # EOF
>
>
> This does the trick for me. It might work for others.
This would be a better replacement for the header check thing, in cases where you'd like to be selective. Thanks for thinking it up, and sharing. > Hugo. > Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From ssilva at sgvwater.com Sun Apr 6 23:53:28 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Sun Apr 6 23:55:00 2008 Subject: MailScanner ignoring some rules In-Reply-To: <223f97700804050057v7d8a662q5e20c63ff16c648a@mail.gmail.com> References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> <47F46B28.2050507@vanderkooij.org> <47F53B57.1070307@ecs.soton.ac.uk> <8F1DE832AFD34082A4D0CB25E4E7D7E7@TWDNB03> <223f97700804040109p3a5d97a5w439ef4d77ba879b1@mail.gmail.com> <223f97700804041120q3eaf3f90j4a0cce865e66b12@mail.gmail.com> <223f97700804050057v7d8a662q5e20c63ff16c648a@mail.gmail.com> Message-ID: on 4-5-2008 12:57 AM Glenn Steen spake the following: > On 04/04/2008, Scott Silva wrote: >> on 4-4-2008 11:20 AM Glenn Steen spake the following: >> >>> Sorry all, for the top post... a bit too tipsy to really safely (snip) >>> with even a virtual scissor...:-) >>> >>> >> Happy Friday, Glenn!! >> > There'salways something to celebrate....:-) > This time it was "first day this week that I didn't need work > underpaid(!!!) overtime"... It's been a b*tch of a week. Again. So > friday just couldn't come quite fast eenough:-):-) > > Cheers I understand that! I get non-paid overtime, so I feel your pain!! Don't get me wrong, as my pay isn't that bad, but it goes down very quickly as you add hours :-( -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080406/57bd4fe7/signature.bin From ssilva at sgvwater.com Mon Apr 7 00:00:45 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Mon Apr 7 00:01:26 2008 Subject: detect executables embedded inside MS Office documents? In-Reply-To: <47F8E791.10709@ecs.soton.ac.uk> References: <57573D714A832C43B9D80EAFBDA48D030A03EC01@inex3.herffjones.hj-int> <47F725C7.4070103@vanderkooij.org> <47F78BED.5020606@ecs.soton.ac.uk> <47F7A674.1040501@calorieking.com> <47F8E791.10709@ecs.soton.ac.uk> Message-ID: on 4-6-2008 8:09 AM Julian Field spake the following: > Ignore all previous requests for information. I've got enough of it, > pretty much. > The only thing I cannot handle is inserted OLE "Packages" that contain > multiple files. If someone fancies creating one of those and sending it > to me, I'll improve the Package parser to cope with it. > > But it now works with files inserted into Microsoft Office documents > just fine. > > This will be in the next release. > I guess it's a fairly major new feature, the ability to extract embedded > files from Microsoft Office documents. > :-) > > I think I'm going to have a rest now... > Poking another hole in the Microsoft armor was a big task. A well deserved rest it will be!! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080406/d07990aa/signature.bin

From steinmb at tbsk.no Mon Apr 7 00:49:06 2008
From: steinmb at tbsk.no (steinmb)
Date: Mon Apr 7 00:49:51 2008
Subject: Moving black hole test to Postfix
Message-ID:

Hi
Have been thinking about moving some of the blackhole testing to Postfix
(SMTP level). In my head this is cheaper? My mail server is old so the
less scanning Mailscanner has to do the better.

In /etc/postfix I changed smtpd_recipient_restrictions to:

smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination,
    reject_unknown_recipient_domain, reject_unverified_recipient,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
    reject_rbl_client autoblock.dnsbl

Now what? Do I remove those I run on SMTP level from my
/etc/Mailscanner/spam.lists.conf ? Doing those checks twice makes no sense.
In spam.lists.conf I find lines like:

spamhaus.org sbl.spamhaus.org.
spamhaus-XBL xbl.spamhaus.org.
spamhaus-PBL pbl.spamhaus.org.
spamhaus-ZEN zen.spamhaus.org.
SBL+XBL sbl-xbl.spamhaus.org.

--
Stein

From rapin at linuxmail.org Mon Apr 7 05:29:03 2008
From: rapin at linuxmail.org (Linuxmail R.)
Date: Mon Apr 7 05:29:49 2008
Subject: how to config Message Content Protection (MCP)
Message-ID: <20080407042903.2D58F7B8F1@ws5-10.us4.outblaze.com>

Dear all

I want to know how to config Message Content Protection (MCP)?

Thx..
--------------------------------------------------
Linuxmail Rapin P.

=
Tax Planning for Travel Nurses
As a Travel nurse, you need accurate tax information. TravelTax offers the solutions you need.
http://a8-asy.a8ww.net/a8-ads/adftrclick?redirectid=115328fc5e72e7c03c2be1a4cc3116ed -- Powered by Outblaze From hvdkooij at vanderkooij.org Mon Apr 7 06:18:46 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Apr 7 06:19:31 2008 Subject: Moving black hole test to Postfix In-Reply-To: References: Message-ID: <47F9AEB6.9000308@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 steinmb wrote: | Hi | Have been thinking about moving some of the blackhole testing to Postfix | (SMTP level). In my head this is cheaper? My mail server is old so less | scanning Mailscanner have to do the better. | | In /etc/postfix I changed smtpd_recipient_restrictions to: | | smtpd_recipient_restrictions = permit_sasl_authenticated, | permit_mynetworks, reject_unauth_destination, | reject_unknown_recipient_domain, reject_unverified_recip | ient, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, | reject_rbl_client autoblock.dnsbl | | Now what? Do I remove those I run on SMTP level from my | /etc/Mailscanner/spam.lists.conf ? Doing those checks twice makes no sense. | In spam.lists.conf I find lines like: | | spamhaus.org sbl.spamhaus.org. | spamhaus-XBL xbl.spamhaus.org. | spamhaus-PBL pbl.spamhaus.org. | spamhaus-ZEN zen.spamhaus.org. | SBL+XBL sbl-xbl.spamhaus.org. Keep in mind that SA runs them on all the Received: headers. So your contact might be clean but it may have received them from a system that is on every known list. You might want to take that into account handing out points. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD4DBQFH+a61BvzDRVjxmYERAmHxAJi3pQEQcYQWobCvSHeEVxfMq6n1AJwMkLWZ qa44c6qNMFKTlmqwXGlGKQ== =DI69 -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Mon Apr 7 06:29:42 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Mon Apr 7 06:29:51 2008 Subject: how to config Message Content Protection (MCP) In-Reply-To: <20080407042903.2D58F7B8F1@ws5-10.us4.outblaze.com> References: <20080407042903.2D58F7B8F1@ws5-10.us4.outblaze.com> Message-ID: <47F9B146.8050402@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Linuxmail R. wrote: | I want to know how to config Message Content Protection (MCP)? And what effort have you put into this yourself? What have you read? What have you searched for? I am afraid that every posting on this or any other mailinglist from you that I have seen so far shows that you have put in zero effort before you start sending questions to a mailinglist. That is simply the way to being ignored. Please read the fine introduction to asking questions on mailinglists: http://catb.org/%7Eesr/faqs/smart-questions.html We all make incidental mistakes in this regard but at least show the rest of the world you understood the spirit in which the manual was written and show you have put in some work of yourself. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFH+bFEBvzDRVjxmYERAhDqAJ0eDyRu7OSavKb33o53rvyslWXCUACeMu/Z xx+LJQvwBlHYa36I43c0LdA= =goTW -----END PGP SIGNATURE----- From Robert.Meurlin at se.fujitsu.com Mon Apr 7 08:32:17 2008 From: Robert.Meurlin at se.fujitsu.com (Meurlin Robert) Date: Mon Apr 7 08:33:35 2008 Subject: a lot of mail delivery failed mail slips trough the filter Message-ID: <797363C57EE0884786F428AAABCD469201490BD9@sea0120sex2.nordic.x> Hello, i have seen recent week that a lot of spam that have these subject lines: failure notice Delivery Status Notification (Failure) Delivery failure WARNING. Mail Delayed Returned mail: see transcript for detail slipps trough the filter, is there any other way to stop them without header FRIEND_GREETINGS7 Subject =~ /Delivery Status Notification (Failure)/i describe FRIEND_GREETINGS7 blabla score FRIEND_GREETINGS7 100.0 ? /Rob. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080407/987fb76a/attachment.html From glenn.steen at gmail.com Mon Apr 7 08:46:10 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Apr 7 08:46:46 2008 Subject: MailScanner ignoring some rules In-Reply-To: References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> <47F53B57.1070307@ecs.soton.ac.uk> <8F1DE832AFD34082A4D0CB25E4E7D7E7@TWDNB03> <223f97700804040109p3a5d97a5w439ef4d77ba879b1@mail.gmail.com> <223f97700804041120q3eaf3f90j4a0cce865e66b12@mail.gmail.com> <223f97700804050057v7d8a662q5e20c63ff16c648a@mail.gmail.com> Message-ID: <223f97700804070046x244cdf03t7f15378ec77fcbe8@mail.gmail.com> On 07/04/2008, Scott Silva wrote: > on 4-5-2008 12:57 AM Glenn Steen spake the following: > > > On 04/04/2008, Scott Silva wrote: > > > > > on 4-4-2008 11:20 AM Glenn Steen spake the following: > > > > > > > > > > Sorry all, for the top post... 
a bit too tipsy to really safely (snip) > > > > with even a virtual scissor...:-) > > > > > > > > > > > > > > > Happy Friday, Glenn!! > > > > > > > > There'salways something to celebrate....:-) > > This time it was "first day this week that I didn't need work > > underpaid(!!!) overtime"... It's been a b*tch of a week. Again. So > > friday just couldn't come quite fast eenough:-):-) > > > > Cheers > > > I understand that! I get non-paid overtime, so I feel your pain!! > > Don't get me wrong, as my pay isn't that bad, but it goes down very quickly > as you add hours :-( > Once you earn enough you get three extra days vacation-time... Which is supposed to be enough compensation for ones overtime... Didn't quite take three easy weeks to "earn up" that time, once I crossed over. Not really complaining, and it's not really unpaid (well...:-), but... Not that great either:/. Oh well, a luxury problem, I guess...:-) Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Mon Apr 7 09:04:59 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Apr 7 09:05:35 2008 Subject: Moving black hole test to Postfix In-Reply-To: <47F9AEB6.9000308@vanderkooij.org> References: <47F9AEB6.9000308@vanderkooij.org> Message-ID: <223f97700804070104v4fc2bf2bo56bdfbbfd052799d@mail.gmail.com> On 07/04/2008, Hugo van der Kooij wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > steinmb wrote: > | Hi > | Have been thinking about moving some of the blackhole testing to Postfix > | (SMTP level). In my head this is cheaper? My mail server is old so less > | scanning Mailscanner have to do the better. 
> | > | In /etc/postfix I changed smtpd_recipient_restrictions to: > | > | smtpd_recipient_restrictions = permit_sasl_authenticated, > | permit_mynetworks, reject_unauth_destination, > | reject_unknown_recipient_domain, reject_unverified_recip > | ient, reject_rbl_client zen.spamhaus.org, reject_rbl_client > bl.spamcop.net, > | reject_rbl_client autoblock.dnsbl > | > | Now what? Do I remove those I run on SMTP level from my > | /etc/Mailscanner/spam.lists.conf ? Doing those checks > twice makes no > sense. > | In spam.lists.conf I find lines like: > | > | spamhaus.org sbl.spamhaus.org. > | spamhaus-XBL xbl.spamhaus.org. > | spamhaus-PBL pbl.spamhaus.org. > | spamhaus-ZEN zen.spamhaus.org. > | SBL+XBL sbl-xbl.spamhaus.org. > > Keep in mind that SA runs them on all the Received: headers. So your > contact might be clean but it may have received them from a system that > is on every known list. You might want to take that into account handing > out points. > ... Which is good for SA, but ... Stein is looking at MS...:-). One shouldn't touch spam.lists.conf, only the Spam Lists settings in MailScanner.conf ... And of course, Stein, don't include the lists you have in PF in MS. As Hugo says, the ones that get past the initial check can benefit from getting checked in SA, so let that be as is for a while. And monitor your logs. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From jlcostinha at halla.pt Mon Apr 7 09:04:54 2008 From: jlcostinha at halla.pt (Jorge Costinha) Date: Mon Apr 7 09:05:46 2008 Subject: Zip Attachments In-Reply-To: <47F69EAD.7000808@ecs.soton.ac.uk> References: <47F6542A.6090204@halla.pt> <47F69EAD.7000808@ecs.soton.ac.uk> Message-ID: <47F9D5A6.5030603@halla.pt> i want to zip the attachments everytime their size > 5000k and are coming From a specific email address. but it's not working... nothing is getting zip at all. 
thanks in advance, Jorge here's the MailScanner -v output: Running on Linux mx.halla.pt 2.6.22.14-72.fc6 #1 SMP Wed Nov 21 13:44:07 EST 2007 i686 i686 i386 GNU/Linux This is Fedora Core release 6 (Zod) This is Perl version 5.008008 (5.8.8) This is MailScanner version 4.65.3 Module versions are: 1.00 AnyDBM_File 1.18 Archive::Zip 1.04 Carp 1.119 Convert::BinHex 2.27 Date::Parse 1.00 DirHandle 1.05 Fcntl 2.74 File::Basename 2.09 File::Copy 2.01 FileHandle 1.08 File::Path 0.18 File::Temp 0.90 Filesys::Df 1.35 HTML::Entities 3.56 HTML::Parser 2.37 HTML::TokeParser 1.22 IO 1.13 IO::File 1.13 IO::Pipe 1.74 Mail::Header 1.86 Math::BigInt 3.05 MIME::Base64 5.420 MIME::Decoder 5.420 MIME::Decoder::UU 5.420 MIME::Head 5.420 MIME::Parser 3.03 MIME::QuotedPrint 5.420 MIME::Tools 0.11 Net::CIDR 1.09 POSIX 1.19 Scalar::Util 1.78 Socket 1.4 Sys::Hostname::Long 0.18 Sys::Syslog 1.86 Time::HiRes 1.02 Time::localtime Optional module versions are: 1.30 Archive::Tar 0.21 bignum missing Business::ISBN missing Business::ISBN::Data 0.17 Convert::TNEF missing Data::Dump 1.814 DB_File 1.13 DBD::SQLite 1.56 DBI 1.14 Digest 1.01 Digest::HMAC 2.36 Digest::MD5 2.11 Digest::SHA1 missing Encode::Detect 0.17008 Error 0.18 ExtUtils::CBuilder missing ExtUtils::ParseXS missing Inline missing IO::String 1.04 IO::Zlib 2.23 IP::Country missing Mail::ClamAV 3.002000 Mail::SpamAssassin v2.005 Mail::SPF 1.999001 Mail::SPF::Query 0.19 Math::BigRat 0.2806 Module::Build 0.20 Net::CIDR::Lite 0.61 Net::DNS v0.003 Net::DNS::Resolver::Programmable missing Net::LDAP 4.004 NetAddr::IP missing Parse::RecDescent missing SAVI 2.64 Test::Harness missing Test::Manifest 1.95 Text::Balanced 1.35 URI 0.7203 version 0.62 YAML Julian Field wrote: > Are you saying something doesn't work as expected? > You haven't actually said you have a problem, or what the problem is. > Plus some basic information such as the output of MailScanner -v would > help us to help you. 
> > Jorge Costinha wrote: >> i got >> >> Zip Attachment = %rules-dir%/filename.rules >> Attachments min total size to zip = 5000k >> >> where in filename.rules i got: >> >> From: yes >> FromOrTo: default no >> >> what am i missing? >> >> PS- i also have the Maximum Message Size = >> %rules-dir%/anotherfilename.rules. this is working as it should. >> >> thanks in advance. >> >> Jorge >> >> >> >> > > Jules > From glenn.steen at gmail.com Mon Apr 7 09:10:18 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Apr 7 09:10:53 2008 Subject: a lot of mail delivery failed mail slips trough the filter In-Reply-To: <797363C57EE0884786F428AAABCD469201490BD9@sea0120sex2.nordic.x> References: <797363C57EE0884786F428AAABCD469201490BD9@sea0120sex2.nordic.x> Message-ID: <223f97700804070110t5d421443m9a82743e1964e397@mail.gmail.com> On 07/04/2008, Meurlin Robert wrote: > > > Hello, > i have seen recent week that a lot of spam that have these subject lines: > failure notice > Delivery Status Notification (Failure) > Delivery failure > WARNING. Mail Delayed > Returned mail: see transcript for detail > > > slipps trough the filter, is there any other way to stop them without > > header FRIEND_GREETINGS7 Subject =~ /Delivery Status Notification > (Failure)/i > describe FRIEND_GREETINGS7 blabla > > score FRIEND_GREETINGS7 100.0 > > > ? If they are truly sent from <> (a.k.a. MAILER-DAEMON:-), the Watermark feature of a fairly recent MailScanner can help a bit, or perhaps milter-null. If they're not really DSNs, only pretending... other measures are what you need. 
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From steve.freegard at fsl.com Mon Apr 7 09:13:35 2008
From: steve.freegard at fsl.com (Steve Freegard)
Date: Mon Apr 7 09:15:31 2008
Subject: Moving black hole test to Postfix
In-Reply-To:
References:
Message-ID: <47F9D7AF.7050504@fsl.com>

Hi Stein,

steinmb wrote:
> Hi
> Have been thinking about moving some of the blackhole testing to Postfix
> (SMTP level). In my head this is cheaper? My mail server is old so less
> scanning Mailscanner have to do the better.
>
> In /etc/postfix I changed smtpd_recipient_restrictions to:
>
> smtpd_recipient_restrictions = permit_sasl_authenticated,
>     permit_mynetworks, reject_unauth_destination,
>     reject_unknown_recipient_domain, reject_unverified_recipient,
>     reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
>     reject_rbl_client autoblock.dnsbl

Looks good to my novice Postfix eyes.

> Now what? Do I remove those I run on SMTP level from my
> /etc/Mailscanner/spam.lists.conf ? Doing those checks twice makes no sense.
> In spam.lists.conf I find lines like:
>
> spamhaus.org sbl.spamhaus.org.
> spamhaus-XBL xbl.spamhaus.org.
> spamhaus-PBL pbl.spamhaus.org.
> spamhaus-ZEN zen.spamhaus.org.
> SBL+XBL sbl-xbl.spamhaus.org.

Whoa, yes - you want to remove those. You only ever want to query
Spamhaus *once* as those lines cause each list to be queried around 2-3
times each (which is slow as MailScanner does these sequentially).

For anyone else that has similar in their spam.lists.conf file - you
really want just one entry:

spamhaus-ZEN zen.spamhaus.org

OR (if you don't want to mark dial-up/dynamic + ISP policy listed space
as spam)

spamhaus-SBL+XBL sbl-xbl.spamhaus.org

As the SBL+XBL contains the SBL and XBL lists (duh!) and Zen includes
SBL+XBL+PBL, so you see that querying the lists separately just wastes
time and packets.

Cheers,
Steve.
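
Added example, not part of any post in this thread and not MailScanner or Postfix code: a small audit of the overlap discussed above, reporting Spamhaus lists that are already queried at SMTP time or are contained in a combined zone that is queried anyway. The function names, the ENABLED list and the sample text are constructed for illustration; the zone composition is the one stated in the thread.

```python
"""Audit DNSBL lookups split between Postfix and MailScanner (added example)."""
import re

# Composition of the Spamhaus zones as described in the thread:
# sbl-xbl = SBL + XBL, zen = SBL + XBL + PBL.
SPAMHAUS = {
    "sbl.spamhaus.org": {"SBL"},
    "xbl.spamhaus.org": {"XBL"},
    "pbl.spamhaus.org": {"PBL"},
    "sbl-xbl.spamhaus.org": {"SBL", "XBL"},
    "zen.spamhaus.org": {"SBL", "XBL", "PBL"},
}

# Constructed sample input, modelled on the configuration quoted in the thread.
POSTFIX_RESTRICTIONS = """
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination,
    reject_unknown_recipient_domain, reject_unverified_recipient,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
    reject_rbl_client autoblock.dnsbl
"""
SPAM_LISTS_CONF = """
# name          zone
spamhaus.org    sbl.spamhaus.org.
spamhaus-XBL    xbl.spamhaus.org.
spamhaus-PBL    pbl.spamhaus.org.
spamhaus-ZEN    zen.spamhaus.org.
SBL+XBL         sbl-xbl.spamhaus.org.
"""
# Assumption: every list above is switched on in MailScanner's spam list setting.
ENABLED = ["spamhaus.org", "spamhaus-XBL", "spamhaus-PBL", "spamhaus-ZEN", "SBL+XBL"]


def norm(zone):
    """Lower-case a zone, drop the trailing dot and any '=reply' filter."""
    return zone.split("=", 1)[0].strip().rstrip(".").lower()


def postfix_rbl_zones(text):
    """Zones named by reject_rbl_client, in the order they appear."""
    return [norm(z) for z in re.findall(r"reject_rbl_client\s+([^\s,]+)", text)]


def parse_spam_lists(text):
    """Map list name -> zone from 'name zone.' lines; '#' starts a comment."""
    lists = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            lists[fields[0]] = norm(fields[1])
    return lists


def audit(postfix_text, spam_lists_text, enabled):
    """Return (findings, keep): problems found and the list names worth keeping."""
    mta = postfix_rbl_zones(postfix_text)
    lists = parse_spam_lists(spam_lists_text)
    scanner = {name: lists[name] for name in enabled if name in lists}
    queried = set(mta) | set(scanner.values())
    findings, keep = [], []
    for name in enabled:
        if name not in lists:
            findings.append(("undefined", name, ""))
            continue
        zone = scanner[name]
        # Zones queried somewhere that strictly contain this one.
        covering = sorted(z for z in queried
                          if z in SPAMHAUS and zone in SPAMHAUS
                          and SPAMHAUS[zone] < SPAMHAUS[z])
        if zone in mta:
            findings.append(("duplicate", name, zone))   # already rejected at SMTP time
        elif covering:
            findings.append(("covered", name, ",".join(covering)))
        else:
            keep.append(name)
    return findings, keep


if __name__ == "__main__":
    found, keep = audit(POSTFIX_RESTRICTIONS, SPAM_LISTS_CONF, ENABLED)
    for kind, name, detail in found:
        print(f"{kind:10} {name:14} {detail}")
    print("keep in MailScanner:", keep or "none")
```

With the sample input every enabled list is reported, because zen.spamhaus.org is already checked by Postfix and contains the other four zones.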
From list-mailscanner at linguaphone.com Mon Apr 7 08:57:50 2008
From: list-mailscanner at linguaphone.com (Gareth)
Date: Mon Apr 7 09:18:06 2008
Subject: Moving black hole test to Postfix
In-Reply-To:
References:
Message-ID: <1207555070.31630.1.camel@gblades-suse.linguaphone-intranet.co.uk>

That's exactly the same configuration I have :)

Make sure you really do need 'reject_rbl_client autoblock.dnsbl' as that
is what I use to reject mail based upon my mailwatch2rbl program.

On Mon, 2008-04-07 at 00:49, steinmb wrote:
> Hi
> Have been thinking about moving some of the blackhole testing to Postfix
> (SMTP level). In my head this is cheaper? My mail server is old so less
> scanning Mailscanner have to do the better.
>
> In /etc/postfix I changed smtpd_recipient_restrictions to:
>
> smtpd_recipient_restrictions = permit_sasl_authenticated,
>     permit_mynetworks, reject_unauth_destination,
>     reject_unknown_recipient_domain, reject_unverified_recipient,
>     reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
>     reject_rbl_client autoblock.dnsbl
>
> Now what? Do I remove those I run on SMTP level from my
> /etc/Mailscanner/spam.lists.conf ? Doing those checks twice makes no sense.
> In spam.lists.conf I find lines like:
>
> spamhaus.org sbl.spamhaus.org.
> spamhaus-XBL xbl.spamhaus.org.
> spamhaus-PBL pbl.spamhaus.org.
> spamhaus-ZEN zen.spamhaus.org.
> SBL+XBL sbl-xbl.spamhaus.org.
> > -- > Stein From martyn at invictawiz.com Mon Apr 7 09:37:36 2008 From: martyn at invictawiz.com (Martyn Routley) Date: Mon Apr 7 09:38:56 2008 Subject: New MS install is slow to an extreme In-Reply-To: <47F65299.70006@ecs.soton.ac.uk> References: <47F3CD9F.7070406@pixelhammer.com> <47F3D7A5.5040509@pixelhammer.com> <47F4BCB8.7030000@invictawiz.com> <47F4CBF1.70708@pixelhammer.com> <47F64B31.6090706@invictawiz.com> <47F65299.70006@ecs.soton.ac.uk> Message-ID: <47F9DD50.1060401@invictawiz.com> Julian Field wrote: > > > Martyn Routley wrote: > > DAve wrote: > >> Martyn Routley wrote: > >>> DAve wrote: > >>>> DAve wrote: > >>>> > >>>> I moved the incoming dir to a tmpfs mount (mdmfs on freebsd) no > >>>> change in processing time. > >>>> > >>>> I am getting really stumped now. > >>>> > >>>> DAve > >>>> > >>>> > >>>> > >>> What is your hardware? > >>> We had random processing times when running 6.2 on one of our > >>> servers. (Single P4 dual core) > >>> I upgraded in place to 7.0 (using FreeBsd Update > >>> (http://www.freebsd.org/releases/7.0R/announce.html) and now the > >>> emails don't touch the sides. > >>> Getting Sophos to work was a bind though. > >>> > >> Interesting, do you know the upgrade helped? I am always leery of > >> "upgrade" as a solution unless I know why the upgrade is the solution. > >> > >> Server 1 > >> Intel(R) Xeon(TM) CPU 2.40GHz Quad Core > >> 2GB ram > >> Quatum Atlas SCSI drives, one for the system and one for the spool dir > >> > >> Server 2 > >> Intel(R) Xeon(TM) CPU 2.40GHz Quad Core > >> 2GB ram > >> Maxtor SATA drives, one for the system and one for the spool dir > >> > >> DAve > >> > > Good question. > > All that changed was the os version and the fact that I rebuilt all > > installed ports. > So, in short, you changed "everything" :-) > > The server went from a 5 minute av of 7+ to 3.5 or less and from > > having 30 + messages waiting to be processed to having MailScanner > > waiting for messages most of the time. 
> > MS config/version didn't change > > I don't discount the possibility that rebuilding all of the installed > > ports helped. > > Sounds like it's sorted out then, and not really MailScanner's fault > after all :-) :-) > > Jules > Did I imply that? If it seemed like I did, I humbly apologise. What I omitted from the earlier message was that there have been reports of "Dramatic" improvements in multi processor operation over previous versions (see the FreeBsd announcement referred to above.) -- Martyn Routley ----------------------------------------------------------------------------- This message has been scanned for viruses and dangerous content by the http://www.invictawiz.com MailScanner, and is believed to be clean. ----------------------------------------------------------------------------- From rapin at linuxmail.org Mon Apr 7 09:49:55 2008 From: rapin at linuxmail.org (Linuxmail R.) Date: Mon Apr 7 09:50:31 2008 Subject: why ClamAV not show identities Message-ID: <20080407084955.412F3CBE80@ws5-11.us4.outblaze.com> Dear all why clamav not show this detail. how to fix it ClamAV Status Version: ClamAV 0.92.1 Virus Identities: Database Timestamp: Thank. -------------------------------------------------- Linuxmail Rapin P. = -- Powered by Outblaze From gerard at seibercom.net Mon Apr 7 11:08:25 2008 From: gerard at seibercom.net (Gerard) Date: Mon Apr 7 11:09:26 2008 Subject: detect executables embedded inside MS Office documents? In-Reply-To: References: <57573D714A832C43B9D80EAFBDA48D030A03EC01@inex3.herffjones.hj-int> <47F725C7.4070103@vanderkooij.org> <47F78BED.5020606@ecs.soton.ac.uk> <47F7A674.1040501@calorieking.com> <47F8E791.10709@ecs.soton.ac.uk> Message-ID: <20080407060825.50bf671f@scorpio> On Sun, 06 Apr 2008 16:00:45 -0700 Scott Silva wrote: > on 4-6-2008 8:09 AM Julian Field spake the following: > > Ignore all previous requests for information. I've got enough of > > it, pretty much. 
> > The only thing I cannot handle is inserted OLE "Packages" that > > contain multiple files. If someone fancies creating one of those > > and sending it to me, I'll improve the Package parser to cope with > > it. > > > > But it now works with files inserted into Microsoft Office > > documents just fine. > > > > This will be in the next release. > > I guess it's a fairly major new feature, the ability to extract > > embedded files from Microsoft Office documents. > > :-) > > > > I think I'm going to have a rest now... > > > Poking another hole in the Microsoft armor was a big task. A well > deserved rest it will be!! The use of OLE makes the creation of highly detailed documents far easier and accurate. The scanning of said documents when emailed I would assume to be a plus. However, if the scanning action breaks the OLE bonds then then cure is far worst than the disease. I have been sending these type of documents to colleagues for years without incident. A few years ago Symantec did categorize some of them as a VIRUS; however, that was a false positive and they quickly revised their definition files to reflect that. By the way, I usually send these files encrypted via PGP. How will/does MailScanner work on that type of document? -- Gerard gerard@seibercom.net My favorite sandwich is peanut butter, baloney, cheddar cheese, lettuce and mayonnaise on toasted bread with catsup on the side. Senator Hubert Humphrey -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 195 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080407/063e7fb1/signature.bin
From maillists at conactive.com Mon Apr 7 11:31:14 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Mon Apr 7 11:32:01 2008 Subject: why ClamAV not show identities In-Reply-To: <20080407084955.412F3CBE80@ws5-11.us4.outblaze.com> References: <20080407084955.412F3CBE80@ws5-11.us4.outblaze.com> Message-ID: Linuxmail R. wrote on Mon, 7 Apr 2008 15:49:55 +0700: > why clamav not show this detail. Because you and you need a database. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From MailScanner at ecs.soton.ac.uk Mon Apr 7 11:43:15 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Apr 7 11:44:06 2008 Subject: detect executables embedded inside MS Office documents? In-Reply-To: <20080407060825.50bf671f@scorpio> References: <57573D714A832C43B9D80EAFBDA48D030A03EC01@inex3.herffjones.hj-int> <47F725C7.4070103@vanderkooij.org> <47F78BED.5020606@ecs.soton.ac.uk> <47F7A674.1040501@calorieking.com> <47F8E791.10709@ecs.soton.ac.uk> <20080407060825.50bf671f@scorpio> Message-ID: <47F9FAC3.5010605@ecs.soton.ac.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Gerard wrote: > On Sun, 06 Apr 2008 16:00:45 -0700 > Scott Silva wrote: > > >> on 4-6-2008 8:09 AM Julian Field spake the following: >> >>> Ignore all previous requests for information. I've got enough of >>> it, pretty much. >>> The only thing I cannot handle is inserted OLE "Packages" that >>> contain multiple files. If someone fancies creating one of those >>> and sending it to me, I'll improve the Package parser to cope with >>> it. >>> >>> But it now works with files inserted into Microsoft Office >>> documents just fine. >>> >>> This will be in the next release.
>>> I guess it's a fairly major new feature, the ability to extract >>> embedded files from Microsoft Office documents. >>> :-) >>> >>> I think I'm going to have a rest now... >>> >>> >> Poking another hole in the Microsoft armor was a big task. A well >> deserved rest it will be!! >> > > The use of OLE makes the creation of highly detailed documents far > easier and accurate. The scanning of said documents when emailed I > would assume to be a plus. However, if the scanning action breaks the > OLE bonds then then cure is far worst than the disease. > What do you mean, "breaks the OLE bonds"? I don't have a clue what you're talking about. > I have been sending these type of documents to colleagues for years > without incident. A few years ago Symantec did categorize some of them > as a VIRUS; however, that was a false positive and they quickly revised > their definition files to reflect that. > > By the way, I usually send these files encrypted via PGP. How will/does > MailScanner work on that type of document? > Obviously MailScanner cannot parse messages which have been encrypted with PGP. Whether such things are allowed is controlled by the relevant Encryption settings in MailScanner.conf. Jules - -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.8.2 (Build 3005) Comment: (pgp-secured) Charset: ISO-8859-1 wj8DBQFH+frEEfZZRxQVtlQRAkJjAJ9oFUpeOJZ/4rMjiK5bMtwKUqQ85QCg8TeL 1RGq0guPfjtoPE2tk6fu3Jo= =O33p -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From telecaadmin at gmail.com Mon Apr 7 12:29:07 2008 From: telecaadmin at gmail.com (Ronny T. Lampert) Date: Mon Apr 7 12:29:48 2008 Subject: MS hangs with strange clamav database Message-ID: <47FA0583.1060509@gmail.com> Hi, Usually the clamav database looks like this: #> ls -l /var/clamav/ total 13152 -rw-r--r-- 1 clamav clamav 396261 Apr 7 12:39 daily.cvd -rw-r--r-- 1 clamav clamav 13050207 Apr 7 12:39 main.cvd -rw------- 1 clamav clamav 52 Apr 7 12:40 mirrors.dat But sometimes the daily.cvd and main.cvd get strangely converted to subdirectories with around 10 files in them - that's when MS starts to hang and not process any mail at all. Error is: Apr 7 12:34:10 SERVER MailScanner[24956]: None of the files matched by the "Monitors For ClamAV Updates" patterns exist! ... which of course is true because of my setting Monitors for ClamAV Updates = /var/clamav/*.cvd My question is twofold: 1) Has anybody seen a similar thing and why do the clamav files get strange? 2) What is the best value for "Monitors for ClamAV Updates" to prevent such a breakdown in case clamav gets strange again? Thanks and cheers, Ronny From dyioulos at firstbhph.com Mon Apr 7 12:53:56 2008 From: dyioulos at firstbhph.com (Dimitri Yioulos) Date: Mon Apr 7 12:54:40 2008 Subject: MailScanner --lint errors Message-ID: <200804070753.57730.dyioulos@firstbhph.com> All, I'm now running mailscanner-4.68.8-1 on a CentOS 3 box, along with spamassassin-3.2.4-1.el3.rf. When I run MailScanner --lint, I get the following: Checking for SpamAssassin errors (if you use it)... SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Using SpamAssassin results cache Connected to SpamAssassin cache database Use of uninitialized value in addition (+) at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Dns.pm line 371. 
plugin: eval failed: Can't locate object method "log_lookups_timing" via package "Mail::SpamAssassin::AsyncLoop" at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Dns.pm line 381. SpamAssassin reported no errors. I didn't get that with mailscanner-4.65.3-1, my last version before upgrading to the latest. My mail system seems to work fine, but I'd like to eliminate these errors if possible. Thanks. Dimitri -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Mon Apr 7 12:54:50 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Apr 7 12:55:24 2008 Subject: MS hangs with strange clamav database In-Reply-To: <47FA0583.1060509@gmail.com> References: <47FA0583.1060509@gmail.com> Message-ID: <223f97700804070454m89e2dc2s4e1079e19efef1f8@mail.gmail.com> On 07/04/2008, Ronny T. Lampert wrote: > Hi, > > Usually the clamav database looks like this: > > #> ls -l /var/clamav/ > total 13152 > -rw-r--r-- 1 clamav clamav 396261 Apr 7 12:39 daily.cvd > -rw-r--r-- 1 clamav clamav 13050207 Apr 7 12:39 main.cvd > -rw------- 1 clamav clamav 52 Apr 7 12:40 mirrors.dat > > > But sometimes the daily.cvd and main.cvd get strangely converted to > subdirectories with around 10 files in them - that's when MS starts to > hang and not process any mail at all. > > Error is: > > Apr 7 12:34:10 SERVER MailScanner[24956]: None of the files matched by > the "Monitors For ClamAV Updates" patterns exist! > > ... which of course is true because of my setting > > Monitors for ClamAV Updates = /var/clamav/*.cvd So you are using ClamAVModule... Then that one is wrong, and has been for quite some time now. If you search the archives you'll see that it need look something like: Monitors for ClamAV Updates = /var/clamav/*.inc/* /var/clamav/*.?db /var/clamav/*.cvd .... Assuming /var/clamav to be correct for your ClamAV signature DBs. 
The first one is for the incremental updates you are normally seeing, the second for any "extra" signatures you might have, the third one is for the "normal" monolithic DBs. > > My question is twofold: > > 1) Has anybody seen a similar thing and why do the clamav files get > strange? Yes. Incremental updates. > > 2) What is the best value for "Monitors for ClamAV Updates" to prevent > such a breakdown in case clamav gets strange again? "Best" is a relative term :-). The above is what I use... Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From glenn.steen at gmail.com Mon Apr 7 12:56:17 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Mon Apr 7 12:56:53 2008 Subject: MS hangs with strange clamav database In-Reply-To: <223f97700804070454m89e2dc2s4e1079e19efef1f8@mail.gmail.com> References: <47FA0583.1060509@gmail.com> <223f97700804070454m89e2dc2s4e1079e19efef1f8@mail.gmail.com> Message-ID: <223f97700804070456j39092b34i93a4b07628ee041b@mail.gmail.com> On 07/04/2008, Glenn Steen wrote: > On 07/04/2008, Ronny T. Lampert wrote: > > Hi, > > > > Usually the clamav database looks like this: > > > > #> ls -l /var/clamav/ > > total 13152 > > -rw-r--r-- 1 clamav clamav 396261 Apr 7 12:39 daily.cvd > > -rw-r--r-- 1 clamav clamav 13050207 Apr 7 12:39 main.cvd > > -rw------- 1 clamav clamav 52 Apr 7 12:40 mirrors.dat > > > > > > But sometimes the daily.cvd and main.cvd get strangely converted to > > subdirectories with around 10 files in them - that's when MS starts to > > hang and not process any mail at all. > > > > Error is: > > > > Apr 7 12:34:10 SERVER MailScanner[24956]: None of the files matched by > > the "Monitors For ClamAV Updates" patterns exist! > > > > ... which of course is true because of my setting > > > > Monitors for ClamAV Updates = /var/clamav/*.cvd > > So you are using ClamAVModule... Then that one is wrong, and has been > for quite some time now.
If you search the archives you'll see that it > need look something like: > > Monitors for ClamAV Updates = /var/clamav/*.inc/* /var/clamav/*.?db > /var/clamav/*.cvd Beware line wrapping... the above is (of course:-) meant to be on one line. Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From thenrique at gmail.com Mon Apr 7 13:32:15 2008 From: thenrique at gmail.com (Thiago Henrique) Date: Mon Apr 7 13:32:49 2008 Subject: File Type Check Problem In-Reply-To: <47F63D8D.3070105@ecs.soton.ac.uk> References: <224FA7E11EA39E45843E11CEBBD3A36F8E0C23@HOUPEX01.nfsmith.info> <47F53C2D.5090207@ecs.soton.ac.uk> <224FA7E11EA39E45843E11CEBBD3A36F8E0D27@HOUPEX01.nfsmith.info> <47F548BE.8030804@ecs.soton.ac.uk> <224FA7E11EA39E45843E11CEBBD3A36F8E0E20@HOUPEX01.nfsmith.info> <47F63D8D.3070105@ecs.soton.ac.uk> Message-ID: Hy Jules, I have changed the rules in filetype.rules.conf to: deny - x-dosexec No DOS executables No DOS programs allowed But a simple mail with png attachment is considered DOS program: Reporte: MailScanner: No DOS programs allowed (powerphplist.png) When i run file command in the blocked attachment the result is: mail01 1ADE250F95.6ACCF # file -i powerphplist.png powerphplist.png: image/png mail01 1ADE250F95.6ACCF # file powerphplist.png powerphplist.png: PNG image data, 70 x 30, 8-bit colormap, non-interlaced I try to write a new rule: allow - text/plain - permited permited But the mail has blocked again. What is magical to work? 
On Fri, Apr 4, 2008 at 11:39 AM, Julian Field wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Mike Kercher wrote: > >> -----Original Message----- > >> From: mailscanner-bounces@lists.mailscanner.info > >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of > >> Julian Field > >> Sent: Thursday, April 03, 2008 3:21 PM > >> To: MailScanner discussion > >> Subject: Re: File Type Check Problem > >> > >> > >> > >> Mike Kercher wrote: > >> > >> > >>> I've been searching and haven't found a resolution for this yet. > >>> > >>> Periodically, we get emails with attachments coming through that are > >>> not being detected properly. MailScanner reports: > >>> > >>> MailScanner: No programs allowed (msg-10410-101.txt) > >>> > >>> > >>> > >> This is being caught by the filetype trap. > >> > >> > >>> If I go look at the quarantined email in MailWatch and download the > >>> attachment, it is a PDF. > >>> > >>> > >> That may be what the filename says, but what does the "file" command > >> report? > >> > >> > >>> There was talk of the file -i command switch. > >>> Is this something that needs to be set in MailScanner.conf? > >>> > >>> > >>> > >> No, just read the latest filetype.rules.conf and filename.rules.conf > >> files, the comments at the top of each file tell you how to use it. > >> There is also an example line in filetype.rules.conf for you to copy. > >> > >> > >> > >>> TIA > >>> > >>> Mike > >>> > >>> > >>> > >> Jules > >> > >> -- > >> > >> Jules, > >> > >> Running file against the message yields the following: > >> > >> [root@HOUPMS02 m334jSTE009852]# file message > >> message: smtp mail text > >> [root@HOUPMS02 m334jSTE009852]# file -i message > >> message: message/rfc822\011 > >> > >> Not quite sure what changing the filetype.rules.conf would do for me > >> here. > >> > >> > > No! I meat you to run the "file" command on the attachment, not the > > message! 
:-( Funnily enough, when you run it on the message it says it's > > a message :-) > > > > Jules > > > > -------- > > > > Sorry about that :) Here's the output of file run against the > > attachment itself: > > > > [root@HOUPMS01 ~]# file OSC81.pdf > > OSC81.pdf: PDF document, version 1.3 > > > > [root@HOUPMS01 ~]# file -i OSC81.pdf > > OSC81.pdf: application/pdf > > > Have just checked your original report, and it wasn't the attachment it > blocked, it was the main message body (hence the "txt" extension with > the unusual filename). Harder to stop that unless you switch from using > the "executable" trap in filetype.rules.conf to a replacement trap using > the MIME type reported by file -i instead (see comments at the start of > filetype.rules.conf). > > Mike > > > > > > Jules > > - -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.8.2 (Build 3005) > Comment: (pgp-secured) > Charset: ISO-8859-1 > > wj8DBQFH9j2OEfZZRxQVtlQRAmZiAJwPS5jjxhoukvmFSoj5JYyMGP8U+QCgzMdS > bHrfC2GyNSDz4ZOdqsl9zSw= > =knIJ > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080407/fcf7cdbc/attachment.html From dave.list at pixelhammer.com Mon Apr 7 13:47:19 2008 From: dave.list at pixelhammer.com (DAve) Date: Mon Apr 7 13:48:05 2008 Subject: New MS install is slow to an extreme In-Reply-To: <47F9DD50.1060401@invictawiz.com> References: <47F3CD9F.7070406@pixelhammer.com> <47F3D7A5.5040509@pixelhammer.com> <47F4BCB8.7030000@invictawiz.com> <47F4CBF1.70708@pixelhammer.com> <47F64B31.6090706@invictawiz.com> <47F65299.70006@ecs.soton.ac.uk> <47F9DD50.1060401@invictawiz.com> Message-ID: <47FA17D7.8000309@pixelhammer.com> Martyn Routley wrote: > Julian Field wrote: >> >> >> Martyn Routley wrote: >> > DAve wrote: >> >> Martyn Routley wrote: >> >>> DAve wrote: >> >>>> DAve wrote: >> >>>> >> >>>> I moved the incoming dir to a tmpfs mount (mdmfs on freebsd) no >> >>>> change in processing time. >> >>>> >> >>>> I am getting really stumped now. >> >>>> >> >>>> DAve >> >>>> >> >>>> >> >>>> >> >>> What is your hardware? >> >>> We had random processing times when running 6.2 on one of our >> >>> servers. (Single P4 dual core) >> >>> I upgraded in place to 7.0 (using FreeBsd Update >> >>> (http://www.freebsd.org/releases/7.0R/announce.html) and now the >> >>> emails don't touch the sides. >> >>> Getting Sophos to work was a bind though. >> >>> >> >> Interesting, do you know the upgrade helped? I am always leery of >> >> "upgrade" as a solution unless I know why the upgrade is the solution. >> >> >> >> Server 1 >> >> Intel(R) Xeon(TM) CPU 2.40GHz Quad Core >> >> 2GB ram >> >> Quatum Atlas SCSI drives, one for the system and one for the spool dir >> >> >> >> Server 2 >> >> Intel(R) Xeon(TM) CPU 2.40GHz Quad Core >> >> 2GB ram >> >> Maxtor SATA drives, one for the system and one for the spool dir >> >> >> >> DAve >> >> >> > Good question. >> > All that changed was the os version and the fact that I rebuilt all >> > installed ports. 
>> So, in short, you changed "everything" :-) >> > The server went from a 5 minute av of 7+ to 3.5 or less and from >> > having 30 + messages waiting to be processed to having MailScanner >> > waiting for messages most of the time. >> > MS config/version didn't change >> > I don't discount the possibility that rebuilding all of the installed >> > ports helped. >> >> Sounds like it's sorted out then, and not really MailScanner's fault >> after all :-) :-) >> >> Jules >> > Did I imply that? If it seemed like I did, I humbly apologise. > What I omitted from the earlier message was that there have been reports > of "Dramatic" improvements in multi processor operation over previous > versions (see the FreeBsd announcement referred to above.) I didn't get that impression. My big issue was a normal run through of the change log didn't prepare me for how much of a difference the new MS made. I knew from the start, and I hope everyone got that, my issues were my own failure to tune/config/adjust something. Which in the end proved to be true. Once pointed in the right direction we smoothed out. DAve -- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins. From telecaadmin at gmail.com Mon Apr 7 13:49:22 2008 From: telecaadmin at gmail.com (Ronny T. 
Lampert) Date: Mon Apr 7 13:49:57 2008 Subject: MS hangs with strange clamav database (SOLVED) In-Reply-To: <223f97700804070456j39092b34i93a4b07628ee041b@mail.gmail.com> References: <47FA0583.1060509@gmail.com> <223f97700804070454m89e2dc2s4e1079e19efef1f8@mail.gmail.com> <223f97700804070456j39092b34i93a4b07628ee041b@mail.gmail.com> Message-ID: <47FA1852.6040906@gmail.com> >> need look something like: >> >> Monitors for ClamAV Updates = /var/clamav/*.inc/* /var/clamav/*.?db >> /var/clamav/*.cvd I completely seem to have forgotten about the incrementals... shame on me. Don't know when that setting got wrong. But alas, I've changed it because it really does look sensible. Thanks Glen! From gmatt at nerc.ac.uk Mon Apr 7 14:01:39 2008 From: gmatt at nerc.ac.uk (Greg Matthews) Date: Mon Apr 7 14:02:49 2008 Subject: Old free Bitdefender and hit rate In-Reply-To: References: Message-ID: <47FA1B33.3020001@nerc.ac.uk> Scott Silva wrote: > Just out of curiosity, has anyone that is still running the old free > version of bitdefender (BDC/Linux-Console v7.1 (build 2559))still been > getting virus hits with it? it still hits a handful for us - comparable with the hit rate for Sophos and both Sophos and Bitdefender often hit different positives. As someone else said - it is a resource hog... > > I haven't seen anything hit with it for 6 months or so, even though it > still updates and shows current. > -- Greg Matthews 01491 692445 Head of UNIX/Linux, iTSS Wallingford -- This message (and any attachments) is for the recipient only. NERC is subject to the Freedom of Information Act 2000 and the contents of this email and any reply you make may be disclosed by NERC unless it is exempt from release under the Act. Any material supplied to NERC may be stored in an electronic records management system. 
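The glob behaviour behind the "MS hangs with strange clamav database" thread above (Ronny T. Lampert's setting and the one Glenn Steen posted), shown as an added example that is not part of any list post and is not MailScanner's own code. It assumes plain shell globbing stands in for MailScanner's pattern expansion, and it builds both database layouts in a temporary directory; the file names inside the `.inc` directories and `extra.ndb` are constructed.

```shell
#!/bin/sh
# Added example (not MailScanner code): count the files that a
# "Monitors for ClamAV Updates" value matches under two database layouts.
# Assumption: plain shell globbing stands in for MailScanner's own expansion.

# The value from the question and the value from the answer, with the
# database directory ($1) substituted for /var/clamav.
narrow_setting() { echo "$1/*.cvd"; }
wide_setting()   { echo "$1/*.inc/* $1/*.?db $1/*.cvd"; }

# count_monitored SETTING -> number of regular files the patterns match.
# $1 is expanded unquoted on purpose: the shell splits it into patterns and
# globs each one; a pattern with no match stays literal and fails the -f test.
# (Breaks on directory names containing spaces; fine for this constructed demo.)
count_monitored() (
    n=0
    for f in $1; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
)

# make_layouts -> prints a temp dir holding two constructed layouts:
#   monolithic/   daily.cvd, main.cvd, mirrors.dat (as in the ls output)
#   incremental/  daily.inc/ and main.inc/ directories in place of the .cvd
#                 files, plus one "extra" signature file (names are made up)
make_layouts() (
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/monolithic" \
             "$root/incremental/daily.inc" "$root/incremental/main.inc"
    touch "$root/monolithic/daily.cvd" "$root/monolithic/main.cvd" \
          "$root/monolithic/mirrors.dat"
    touch "$root/incremental/daily.inc/daily.db" \
          "$root/incremental/daily.inc/daily.ndb" \
          "$root/incremental/daily.inc/daily.info" \
          "$root/incremental/main.inc/main.db" \
          "$root/incremental/main.inc/main.info" \
          "$root/incremental/extra.ndb" \
          "$root/incremental/mirrors.dat"
    echo "$root"
)

# report DIR -> one line per setting. "NO FILES" is the state in which
# MailScanner logged that none of the monitored patterns exist.
report() (
    for kind in narrow wide; do
        n=$(count_monitored "$("${kind}_setting" "$1")")
        if [ "$n" -eq 0 ]; then status="NO FILES"; else status="$n files"; fi
        printf '%-12s %-7s %s\n' "$(basename "$1")" "$kind" "$status"
    done
)

demo_root=$(make_layouts)
report "$demo_root/monolithic"
report "$demo_root/incremental"
rm -rf "$demo_root"
```

The narrow value only goes empty after the layout changes, which is why the setting can look correct for a long time before mail processing stops.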
From shuttlebox at gmail.com Mon Apr 7 15:30:05 2008 From: shuttlebox at gmail.com (shuttlebox) Date: Mon Apr 7 15:30:44 2008 Subject: Timestamp problem when running --debug-sa Message-ID: <625385e30804070730u38f2968cwf7412ee5c7bbc6d4@mail.gmail.com> I tried the new timestamp feature in --debug-sa introduced in 4.67 and it complained about awk not supporting strftime, I kind of expected that since Solaris comes with a legacy awk in /bin. I installed gawk and it's in my path as can be seen below: # which awk /bin/awk # which gawk /opt/csw/bin/gawk I then changed the two awk calls in SA.pm to gawk but still got this: # MailScanner --debug --debug-sa In Debugging mode, not forking... Trying to setlogsock(udp) sh: gawk: not found ***** If 'awk' (with support for the function strftime) was available on your $PATH then all the SpamAssassin debug output would have the current time added to the start of every line, making debugging far easier. ***** I assume MailScanner uses some short custom path even though it claims that it would work if I had gawk in my path which I do. If I hardcode the complete path to my gawk (opt/csw/bin/gawk) I get the correct result: # MailScanner --debug --debug-sa In Debugging mode, not forking... Trying to setlogsock(udp) 16:17:44 SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp On a single system this could simply be solved by symlinking old awk to new gawk but I would like a "clean" solution for my Solaris packages, I will of course have to add gawk as a dependency to MailScanner but should I just change the paths in SA.pm for my package (that will have to be done for every release) or should MS look for awk/gawk in more places or should we have a new config option for the location of awk? I'm fine with me changing the paths for every release, I have a totally automated build script, but I'm a little surprised that no one else has had problems. I guess most have GNU tools as the default... 
-- /peter From maillists at conactive.com Mon Apr 7 15:31:14 2008 From: maillists at conactive.com (Kai Schaetzl) Date: Mon Apr 7 15:32:16 2008 Subject: MailScanner --lint errors In-Reply-To: <200804070753.57730.dyioulos@firstbhph.com> References: <200804070753.57730.dyioulos@firstbhph.com> Message-ID: Dimitri Yioulos wrote on Mon, 7 Apr 2008 07:53:56 -0400: > I didn't get that with mailscanner-4.65.3-1, my last version before upgrading > to the latest. Sounds rather like a problem with SA. Did you also upgrade SA? You may be missing a now required Perl module. A timing package? Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com From MailScanner at ecs.soton.ac.uk Mon Apr 7 15:46:49 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Apr 7 15:47:30 2008 Subject: File Type Check Problem In-Reply-To: References: <224FA7E11EA39E45843E11CEBBD3A36F8E0C23@HOUPEX01.nfsmith.info> <47F53C2D.5090207@ecs.soton.ac.uk> <224FA7E11EA39E45843E11CEBBD3A36F8E0D27@HOUPEX01.nfsmith.info> <47F548BE.8030804@ecs.soton.ac.uk> <224FA7E11EA39E45843E11CEBBD3A36F8E0E20@HOUPEX01.nfsmith.info> <47F63D8D.3070105@ecs.soton.ac.uk> Message-ID: <47FA33D9.7010605@ecs.soton.ac.uk> Attached is a zip of a new SweepOther.pm (goes in /usr/lib/MailScanner/MailScanner) that will solve the problem for you. This will be in the next release. Sorry! Jules.
Thiago Henrique wrote: > Hy Jules, > > I have changed the rules in filetype.rules.conf to: > deny - x-dosexec No DOS executables No DOS programs > allowed > > But a simple mail with png attachment is considered DOS program: > > Reporte: MailScanner: No DOS programs allowed (powerphplist.png) > > When i run file command in the blocked attachment the result is: > mail01 1ADE250F95.6ACCF # file -i powerphplist.png > powerphplist.png: image/png > > mail01 1ADE250F95.6ACCF # file powerphplist.png > powerphplist.png: PNG image data, 70 x 30, 8-bit colormap, non-interlaced > > > I try to write a new rule: > allow - text/plain - permited permited > > But the mail has blocked again. > > What is magical to work? > > On Fri, Apr 4, 2008 at 11:39 AM, Julian Field > > wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > Mike Kercher wrote: > >> -----Original Message----- > >> From: mailscanner-bounces@lists.mailscanner.info > > >> [mailto:mailscanner-bounces@lists.mailscanner.info > ] On Behalf Of > >> Julian Field > >> Sent: Thursday, April 03, 2008 3:21 PM > >> To: MailScanner discussion > >> Subject: Re: File Type Check Problem > >> > >> > >> > >> Mike Kercher wrote: > >> > >> > >>> I've been searching and haven't found a resolution for this yet. > >>> > >>> Periodically, we get emails with attachments coming through > that are > >>> not being detected properly. MailScanner reports: > >>> > >>> MailScanner: No programs allowed (msg-10410-101.txt) > >>> > >>> > >>> > >> This is being caught by the filetype trap. > >> > >> > >>> If I go look at the quarantined email in MailWatch and > download the > >>> attachment, it is a PDF. > >>> > >>> > >> That may be what the filename says, but what does the "file" > command > >> report? > >> > >> > >>> There was talk of the file -i command switch. > >>> Is this something that needs to be set in MailScanner.conf? 
> >>> > >>> > >>> > >> No, just read the latest filetype.rules.conf and > filename.rules.conf > >> files, the comments at the top of each file tell you how to use it. > >> There is also an example line in filetype.rules.conf for you to > copy. > >> > >> > >> > >>> TIA > >>> > >>> Mike > >>> > >>> > >>> > >> Jules > >> > >> -- > >> > >> Jules, > >> > >> Running file against the message yields the following: > >> > >> [root@HOUPMS02 m334jSTE009852]# file message > >> message: smtp mail text > >> [root@HOUPMS02 m334jSTE009852]# file -i message > >> message: message/rfc822\011 > >> > >> Not quite sure what changing the filetype.rules.conf would do > for me > >> here. > >> > >> > > No! I meat you to run the "file" command on the attachment, not the > > message! :-( Funnily enough, when you run it on the message it > says it's > > a message :-) > > > > Jules > > > > -------- > > > > Sorry about that :) Here's the output of file run against the > > attachment itself: > > > > [root@HOUPMS01 ~]# file OSC81.pdf > > OSC81.pdf: PDF document, version 1.3 > > > > [root@HOUPMS01 ~]# file -i OSC81.pdf > > OSC81.pdf: application/pdf > > > Have just checked your original report, and it wasn't the > attachment it > blocked, it was the main message body (hence the "txt" extension with > the unusual filename). Harder to stop that unless you switch from > using > the "executable" trap in filetype.rules.conf to a replacement trap > using > the MIME type reported by file -i instead (see comments at the > start of > filetype.rules.conf). > > Mike > > > > > > Jules > > - -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! 
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -----BEGIN PGP SIGNATURE----- > Version: PGP Desktop 9.8.2 (Build 3005) > Comment: (pgp-secured) > Charset: ISO-8859-1 > > wj8DBQFH9j2OEfZZRxQVtlQRAmZiAJwPS5jjxhoukvmFSoj5JYyMGP8U+QCgzMdS > bHrfC2GyNSDz4ZOdqsl9zSw= > =knIJ > -----END PGP SIGNATURE----- > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- A non-text attachment was scrubbed... Name: SweepOther.pm.zip Type: application/x-zip-compressed Size: 6325 bytes Desc: not available Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080407/ad7c827d/SweepOther.pm.bin From TGFurnish at herffjones.com Mon Apr 7 16:06:49 2008 From: TGFurnish at herffjones.com (Furnish, Trever G) Date: Mon Apr 7 16:07:26 2008 Subject: detect executables embedded inside MS Office documents? 
In-Reply-To: <47F8E791.10709@ecs.soton.ac.uk> References: <57573D714A832C43B9D80EAFBDA48D030A03EC01@inex3.herffjones.hj-int> <47F725C7.4070103@vanderkooij.org> <47F78BED.5020606@ecs.soton.ac.uk><47F7A674.1040501@calorieking.com> <47F8E791.10709@ecs.soton.ac.uk> Message-ID: <57573D714A832C43B9D80EAFBDA48D030A03EC28@inex3.herffjones.hj-int> > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf > Of Julian Field > Sent: Sunday, April 06, 2008 11:09 AM > To: MailScanner discussion > Subject: Re: detect executables embedded inside MS Office documents? > > Ignore all previous requests for information. I've got enough > of it, pretty much. > The only thing I cannot handle is inserted OLE "Packages" > that contain multiple files. If someone fancies creating one > of those and sending it to me, I'll improve the Package > parser to cope with it. > > But it now works with files inserted into Microsoft Office > documents just fine. > > This will be in the next release. > I guess it's a fairly major new feature, the ability to > extract embedded files from Microsoft Office documents. > :-) > > I think I'm going to have a rest now... > > Jules. Wow! I didn't really expect much response on that request! Thank you very much! I look forward to testing, although I'll admit I'm also hoping the method itself never takes off in the malware world. -- Trever From MailScanner at ecs.soton.ac.uk Mon Apr 7 16:41:21 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Apr 7 16:42:14 2008 Subject: detect executables embedded inside MS Office documents? 
In-Reply-To: <57573D714A832C43B9D80EAFBDA48D030A03EC28@inex3.herffjones.hj-int> References: <57573D714A832C43B9D80EAFBDA48D030A03EC01@inex3.herffjones.hj-int> <47F725C7.4070103@vanderkooij.org> <47F78BED.5020606@ecs.soton.ac.uk><47F7A674.1040501@calorieking.com> <47F8E791.10709@ecs.soton.ac.uk> <57573D714A832C43B9D80EAFBDA48D030A03EC28@inex3.herffjones.hj-int> Message-ID: <47FA40A1.7070108@ecs.soton.ac.uk> Furnish, Trever G wrote: >> -----Original Message----- >> From: mailscanner-bounces@lists.mailscanner.info >> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf >> Of Julian Field >> Sent: Sunday, April 06, 2008 11:09 AM >> To: MailScanner discussion >> Subject: Re: detect executables embedded inside MS Office documents? >> >> Ignore all previous requests for information. I've got enough >> of it, pretty much. >> The only thing I cannot handle is inserted OLE "Packages" >> that contain multiple files. If someone fancies creating one >> of those and sending it to me, I'll improve the Package >> parser to cope with it. >> >> But it now works with files inserted into Microsoft Office >> documents just fine. >> >> This will be in the next release. >> I guess it's a fairly major new feature, the ability to >> extract embedded files from Microsoft Office documents. >> :-) >> >> I think I'm going to have a rest now... >> >> Jules. >> > > > Wow! I didn't really expect much response on that request! Thank you > very much! I look forward to testing, although I'll admit I'm also > hoping the method itself never takes off in the malware world. > No problem, I thought it was a nice idea. Fortunately Microsoft have actually published the spec of the Office documents, so it's now possible for people to write parsers without having to reverse engineer everything. I still had to reverse engineer the "Microsoft Packager" format by hand, as files are embedded in a Microsoft Package before being put into the Office document. 
I have already released a beta with the code in it, so you can test it now. If you want to show your gratitude, please feel free to make a donation or buy me some stuff from my amazon.co.uk wishlist. Full directions are on the website. Cheers, Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080407/2edaa79b/attachment.html From dyioulos at firstbhph.com Mon Apr 7 17:10:50 2008 From: dyioulos at firstbhph.com (Dimitri Yioulos) Date: Mon Apr 7 17:11:32 2008 Subject: MailScanner --lint errors In-Reply-To: References: <200804070753.57730.dyioulos@firstbhph.com> Message-ID: <200804071210.51683.dyioulos@firstbhph.com> On Monday 07 April 2008 10:31 am, Kai Schaetzl wrote: > Dimitri Yioulos wrote on Mon, 7 Apr 2008 07:53:56 -0400: > > I didn't get that with mailscanner-4.65.3-1, my last version before > > upgrading to the latest. > > sounds rather like a problem with SA. Did you also upgrade SA? You may be > missing a now required Perl module. A timing package? > > Kai > > -- > Kai Sch?tzl, Berlin, Germany > Get your web at Conactive Internet Services: http://www.conactive.com Kai, I'm running the latest (RPM) version of SA - 3.2.4. All of the perl SA modules look to be up-to-date, too. I took a look at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpqamAssassin/Dns.pm line 371, which read "$total_waiting_time += $waiting_time". Just for fun, I deleted the +, ran MS --lint, and the first error was gone. 
However, I'm not sure if the "+=" isn't a valid construct, and what the consequences of my change would be (and so may just put back the +). As to the second error, I see the line in Dns.pm, but have no idea what it does. Googling has turned up little. Dimitri -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From astephens at ptera.net Mon Apr 7 17:56:07 2008 From: astephens at ptera.net (Arthur Stephens) Date: Mon Apr 7 17:57:05 2008 Subject: user opt-out Message-ID: <47FA5227.60006@ptera.net> I am running Maillscanner 4.55.10-3 and PostFix 2.3.8-1.fc5 on Fedora Core 5 I get requests from our customers saying they do not want the mailscanner service. Is there some way to tell mailscanner to pass thru emails to certain destinations? -- Arthur Stephens Senior Sales Technician Ptera Wireless Internet Service PO Box 135 Liberty Lake, WA 99019 509-927-7837 http://www.ptera.net -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080407/a03d0358/attachment.html From Kevin_Miller at ci.juneau.ak.us Mon Apr 7 18:02:20 2008 From: Kevin_Miller at ci.juneau.ak.us (Kevin Miller) Date: Mon Apr 7 18:02:58 2008 Subject: user opt-out In-Reply-To: <47FA5227.60006@ptera.net> References: <47FA5227.60006@ptera.net> Message-ID: Just whitelist all messages to those users. See the sample files in the /etc/MailScanner/rules directory for examples... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 
155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500 ________________________________ From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Arthur Stephens Sent: Monday, April 07, 2008 8:56 AM To: mailscanner@lists.mailscanner.info Subject: user opt-out I am running Maillscanner 4.55.10-3 and PostFix 2.3.8-1.fc5 on Fedora Core 5 I get requests from our customers saying they do not want the mailscanner service. Is there some way to tell mailscanner to pass thru emails to certain destinations? -- Arthur Stephens Senior Sales Technician Ptera Wireless Internet Service PO Box 135 Liberty Lake, WA 99019 509-927-7837 http://www.ptera.net -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080407/43ae9651/attachment.html From MailScanner at ecs.soton.ac.uk Mon Apr 7 18:18:07 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Apr 7 18:18:55 2008 Subject: MailScanner --lint errors In-Reply-To: <200804071210.51683.dyioulos@firstbhph.com> References: <200804070753.57730.dyioulos@firstbhph.com> <200804071210.51683.dyioulos@firstbhph.com> Message-ID: <47FA574F.9020708@ecs.soton.ac.uk> Dimitri Yioulos wrote: > On Monday 07 April 2008 10:31 am, Kai Schaetzl wrote: > >> Dimitri Yioulos wrote on Mon, 7 Apr 2008 07:53:56 -0400: >> >>> I didn't get that with mailscanner-4.65.3-1, my last version before >>> upgrading to the latest. >>> >> sounds rather like a problem with SA. Did you also upgrade SA? You may be >> missing a now required Perl module. A timing package? >> >> Kai >> >> -- >> Kai Sch?tzl, Berlin, Germany >> Get your web at Conactive Internet Services: http://www.conactive.com >> > > Kai, > > I'm running the latest (RPM) version of SA - 3.2.4. All of the perl SA > modules look to be up-to-date, too. 
> > I took a look at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpqamAssassin/Dns.pm > line 371, which read "$total_waiting_time += $waiting_time". Just for fun, I > deleted the +, ran MS --lint, and the first error was gone. However, I'm not > sure if the "+=" isn't a valid construct, and what the consequences of my > change would be (and so may just put back the +). > You can't just remove "+" signs like that, sorry! That line is a shorthand for $total_waiting_time = $total_waiting_time + $waiting_time; > As to the second error, I see the line in Dns.pm, but have no idea what it > does. Googling has turned up little. > > Dimitri > > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From thenrique at gmail.com Mon Apr 7 18:21:34 2008 From: thenrique at gmail.com (Thiago Henrique) Date: Mon Apr 7 18:22:09 2008 Subject: File Type Check Problem In-Reply-To: <47FA33D9.7010605@ecs.soton.ac.uk> References: <224FA7E11EA39E45843E11CEBBD3A36F8E0C23@HOUPEX01.nfsmith.info> <47F53C2D.5090207@ecs.soton.ac.uk> <224FA7E11EA39E45843E11CEBBD3A36F8E0D27@HOUPEX01.nfsmith.info> <47F548BE.8030804@ecs.soton.ac.uk> <224FA7E11EA39E45843E11CEBBD3A36F8E0E20@HOUPEX01.nfsmith.info> <47F63D8D.3070105@ecs.soton.ac.uk> <47FA33D9.7010605@ecs.soton.ac.uk> Message-ID: Hy Jules, I have applied this patch in 2 servers, and the problem is solved, Thanks... On Mon, Apr 7, 2008 at 11:46 AM, Julian Field wrote: > Attached is a zip of a new SweepOther.pm (goes in > /usr/lib/MailScanner/MailScanner) that will solve the problem for you. This > will be in the next release. > Sorry! > > Jules. 
> > Thiago Henrique wrote: > > > Hy Jules, > > > > I have changed the rules in filetype.rules.conf to: > > deny - x-dosexec No DOS executables No DOS programs > > allowed > > > > But a simple mail with png attachment is considered DOS program: > > > > Reporte: MailScanner: No DOS programs allowed (powerphplist.png) > > > > When i run file command in the blocked attachment the result is: > > mail01 1ADE250F95.6ACCF # file -i powerphplist.png > > powerphplist.png: image/png > > > > mail01 1ADE250F95.6ACCF # file powerphplist.png > > powerphplist.png: PNG image data, 70 x 30, 8-bit colormap, > > non-interlaced > > > > > > I try to write a new rule: > > allow - text/plain - permited permited > > > > But the mail has blocked again. > > > > What is magical to work? > > > > On Fri, Apr 4, 2008 at 11:39 AM, Julian Field < > > MailScanner@ecs.soton.ac.uk > wrote: > > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > > > > > Mike Kercher wrote: > > >> -----Original Message----- > > >> From: mailscanner-bounces@lists.mailscanner.info > > > > >> [mailto:mailscanner-bounces@lists.mailscanner.info > > ] On Behalf Of > > >> Julian Field > > >> Sent: Thursday, April 03, 2008 3:21 PM > > >> To: MailScanner discussion > > >> Subject: Re: File Type Check Problem > > >> > > >> > > >> > > >> Mike Kercher wrote: > > >> > > >> > > >>> I've been searching and haven't found a resolution for this yet. > > >>> > > >>> Periodically, we get emails with attachments coming through > > that are > > >>> not being detected properly. MailScanner reports: > > >>> > > >>> MailScanner: No programs allowed (msg-10410-101.txt) > > >>> > > >>> > > >>> > > >> This is being caught by the filetype trap. > > >> > > >> > > >>> If I go look at the quarantined email in MailWatch and > > download the > > >>> attachment, it is a PDF. > > >>> > > >>> > > >> That may be what the filename says, but what does the "file" > > command > > >> report? 
> > >> > > >> > > >>> There was talk of the file -i command switch. > > >>> Is this something that needs to be set in MailScanner.conf? > > >>> > > >>> > > >>> > > >> No, just read the latest filetype.rules.conf and > > filename.rules.conf > > >> files, the comments at the top of each file tell you how to use > > it. > > >> There is also an example line in filetype.rules.conf for you to > > copy. > > >> > > >> > > >> > > >>> TIA > > >>> > > >>> Mike > > >>> > > >>> > > >>> > > >> Jules > > >> > > >> -- > > >> > > >> Jules, > > >> > > >> Running file against the message yields the following: > > >> > > >> [root@HOUPMS02 m334jSTE009852]# file message > > >> message: smtp mail text > > >> [root@HOUPMS02 m334jSTE009852]# file -i message > > >> message: message/rfc822\011 > > >> > > >> Not quite sure what changing the filetype.rules.conf would do > > for me > > >> here. > > >> > > >> > > > No! I meat you to run the "file" command on the attachment, not the > > > message! :-( Funnily enough, when you run it on the message it > > says it's > > > a message :-) > > > > > > Jules > > > > > > -------- > > > > > > Sorry about that :) Here's the output of file run against the > > > attachment itself: > > > > > > [root@HOUPMS01 ~]# file OSC81.pdf > > > OSC81.pdf: PDF document, version 1.3 > > > > > > [root@HOUPMS01 ~]# file -i OSC81.pdf > > > OSC81.pdf: application/pdf > > > > > Have just checked your original report, and it wasn't the > > attachment it > > blocked, it was the main message body (hence the "txt" extension with > > the unusual filename). Harder to stop that unless you switch from > > using > > the "executable" trap in filetype.rules.conf to a replacement trap > > using > > the MIME type reported by file -i instead (see comments at the > > start of > > filetype.rules.conf). 
> > > Mike > > > > > > > > > > Jules > > > > - -- > > Julian Field MEng CITP CEng > > www.MailScanner.info > > Buy the MailScanner book at www.MailScanner.info/store > > > > > > Need help customising MailScanner? > > Contact me! > > Need help fixing or optimising your systems? > > Contact me! > > Need help getting you started solving new requirements from your > > boss? > > Contact me! > > > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > > > > -----BEGIN PGP SIGNATURE----- > > Version: PGP Desktop 9.8.2 (Build 3005) > > Comment: (pgp-secured) > > Charset: ISO-8859-1 > > > > wj8DBQFH9j2OEfZZRxQVtlQRAmZiAJwPS5jjxhoukvmFSoj5JYyMGP8U+QCgzMdS > > bHrfC2GyNSDz4ZOdqsl9zSw= > > =knIJ > > -----END PGP SIGNATURE----- > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. > > > > -- > > MailScanner mailing list > > mailscanner@lists.mailscanner.info > > > > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > > > Before posting, read http://wiki.mailscanner.info/posting > > > > Support MailScanner development - buy the book off the website! > > > > > > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > Need help customising MailScanner? > Contact me! > Need help fixing or optimising your systems? > Contact me! > Need help getting you started solving new requirements from your boss? > Contact me! > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! 
> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080407/662ddc76/attachment-0001.html From MailScanner at ecs.soton.ac.uk Mon Apr 7 18:31:25 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Apr 7 18:31:34 2008 Subject: user opt-out In-Reply-To: <47FA5227.60006@ptera.net> References: <47FA5227.60006@ptera.net> Message-ID: <47FA5A6D.5060909@ecs.soton.ac.uk> Please read about rulesets in the documentation. There are many explanations of it and many examples provided on the website, in the wiki, in the mailing list archives and in the book. Arthur Stephens wrote: > I am running Maillscanner 4.55.10-3 and PostFix 2.3.8-1.fc5 on Fedora > Core 5 > > > I get requests from our customers saying they do not want the > mailscanner service. > Is there some way to tell mailscanner to pass thru emails to certain > destinations? > -- > Arthur Stephens > Senior Sales Technician > Ptera Wireless Internet Service > PO Box 135 > Liberty Lake, WA 99019 > 509-927-7837 > http://www.ptera.net Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
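The per-recipient opt-out asked about in this thread is done with a ruleset; the sketch below is an added example, not taken from the thread or from the MailScanner distribution. The recipient addresses and the ruleset file names are placeholders; the two variants are alternatives, the first turning off all processing for the listed recipients and the second keeping virus scanning while skipping only the spam checks.

```conf
# ---- Variant 1: full opt-out -------------------------------------------
# In /etc/MailScanner/MailScanner.conf, point the option at a ruleset
# file instead of a plain yes/no. The file name is an assumption; any
# file under %rules-dir% can be used.
Scan Messages = %rules-dir%/scan.messages.rules

# In /etc/MailScanner/rules/scan.messages.rules
# Each rule is: <direction>: <address pattern> <value>
# Placeholder recipients who asked to opt out. "no" here means the
# message is not processed at all, so their mail also gets no virus or
# dangerous-content checks.
To:        optout-user@example.com   no
To:        *@optout-domain.example   no
# Everyone else is still scanned.
FromOrTo:  default                   yes

# ---- Variant 2: keep virus scanning, skip only spam checks -------------
# In /etc/MailScanner/MailScanner.conf (use instead of variant 1):
Scan Messages = yes
Spam Checks = %rules-dir%/spam.checks.rules

# In /etc/MailScanner/rules/spam.checks.rules
To:        optout-user@example.com   no
To:        *@optout-domain.example   no
FromOrTo:  default                   yes
```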
From dyioulos at firstbhph.com Mon Apr 7 18:47:14 2008 From: dyioulos at firstbhph.com (Dimitri Yioulos) Date: Mon Apr 7 18:47:58 2008 Subject: MailScanner --lint errors In-Reply-To: <47FA574F.9020708@ecs.soton.ac.uk> References: <200804070753.57730.dyioulos@firstbhph.com> <200804071210.51683.dyioulos@firstbhph.com> <47FA574F.9020708@ecs.soton.ac.uk> Message-ID: <200804071347.15009.dyioulos@firstbhph.com> On Monday 07 April 2008 1:18 pm, Julian Field wrote: > Dimitri Yioulos wrote: > > On Monday 07 April 2008 10:31 am, Kai Schaetzl wrote: > >> Dimitri Yioulos wrote on Mon, 7 Apr 2008 07:53:56 -0400: > >>> I didn't get that with mailscanner-4.65.3-1, my last version before > >>> upgrading to the latest. > >> > >> sounds rather like a problem with SA. Did you also upgrade SA? You may > >> be missing a now required Perl module. A timing package? > >> > >> Kai > >> > >> -- > >> Kai Schätzl, Berlin, Germany > >> Get your web at Conactive Internet Services: http://www.conactive.com > > > > Kai, > > > > I'm running the latest (RPM) version of SA - 3.2.4. All of the perl SA > > modules look to be up-to-date, too. > > > > I took a look at > > /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpqamAssassin/Dns.pm line 371, > > which read "$total_waiting_time += $waiting_time". Just for fun, I > > deleted the +, ran MS --lint, and the first error was gone. However, I'm > > not sure if the "+=" isn't a valid construct, and what the consequences > > of my change would be (and so may just put back the +). > > You can't just remove "+" signs like that, sorry! > That line is a shorthand for > $total_waiting_time = $total_waiting_time + $waiting_time; > > > As to the second error, I see the line in Dns.pm, but have no idea what > > it does. Googling has turned up little. > > > > Dimitri > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > Thanks, Jules. I figured as much. So that's what "+=" means.
Can these errors be ignored as being trivial? Dimitri -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From vincent at zijnemail.nl Mon Apr 7 19:44:19 2008 From: vincent at zijnemail.nl (Vincent Verhagen) Date: Mon Apr 7 19:45:06 2008 Subject: Fire message action on specific SA rule hit? Message-ID: <47FA6B83.6040908@zijnemail.nl> Hi all, Is it possible to configure MailScanner so that it would use a specific message action if a certain SA rule scored? I'm looking to forward messages that hit rules that start with MYRULE_ to a certain address. If I had to do some programming for it, I guess I could manage that :) Thanks in advance, Vincent. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080407/3376f99f/attachment.html From MailScanner at ecs.soton.ac.uk Mon Apr 7 20:00:44 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Apr 7 20:01:25 2008 Subject: MailScanner --lint errors In-Reply-To: <200804071347.15009.dyioulos@firstbhph.com> References: <200804070753.57730.dyioulos@firstbhph.com> <200804071210.51683.dyioulos@firstbhph.com> <47FA574F.9020708@ecs.soton.ac.uk> <200804071347.15009.dyioulos@firstbhph.com> Message-ID: <47FA6F5C.30802@ecs.soton.ac.uk> Dimitri Yioulos wrote: > On Monday 07 April 2008 1:18 pm, Julian Field wrote: > >> Dimitri Yioulos wrote: >> >>> On Monday 07 April 2008 10:31 am, Kai Schaetzl wrote: >>> >>>> Dimitri Yioulos wrote on Mon, 7 Apr 2008 07:53:56 -0400: >>>> >>>>> I didn't get that with mailscanner-4.65.3-1, my last version before >>>>> upgrading to the latest. >>>>> >>>> sounds rather like a problem with SA. Did you also upgrade SA? You may >>>> be missing a now required Perl module. A timing package?
>>>> >>>> Kai >>>> >>>> -- >>>> Kai Sch?tzl, Berlin, Germany >>>> Get your web at Conactive Internet Services: http://www.conactive.com >>>> >>> Kai, >>> >>> I'm running the latest (RPM) version of SA - 3.2.4. All of the perl SA >>> modules look to be up-to-date, too. >>> >>> I took a look at >>> /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpqamAssassin/Dns.pm line 371, >>> which read "$total_waiting_time += $waiting_time". Just for fun, I >>> deleted the +, ran MS --lint, and the first error was gone. However, I'm >>> not sure if the "+=" isn't a valid construct, and what the consequences >>> of my change would be (and so may just put back the +). >>> >> You can't just remove "+" signs like that, sorry! >> That line is a shorthand for >> $total_waiting_time = $total_waiting_time + $waiting_time; >> >> >>> As to the second error, I see the line in Dns.pm, but have no idea what >>> it does. Googling has turned up little. >>> >>> Dimitri >>> >> Jules >> >> -- >> Julian Field MEng CITP CEng >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> > > Thanks, Jules. I figured as much. So that's what "+=" means. Can these > errors be ignored as being tivial? > Depends what the errors were. Your previous message didn't include the error messages. Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Mon Apr 7 20:01:22 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Apr 7 20:01:43 2008 Subject: Fire message action on specific SA rule hit? 
In-Reply-To: <47FA6B83.6040908@zijnemail.nl> References: <47FA6B83.6040908@zijnemail.nl> Message-ID: <47FA6F82.2080209@ecs.soton.ac.uk> Read "SpamAssassin Rule Actions". The comments above it in MailScanner.conf will tell you how to use it. Vincent Verhagen wrote: > Hi all, > > Is it possible to configure MailScanner so that it would use a > specific message action if a certain SA rule scored? > I'm looking to forward messages that hit rules that start with MYRULE_ > to a certain address. > If I had to do some programming for it, I guess I could manage that :) > > Thanks in advance, > > Vincent. > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store MailScanner customisation, or any advanced system administration help? Contact me at Jules@Jules.FM PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 PGP public key: http://www.jules.fm/julesfm.asc -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dyioulos at firstbhph.com Mon Apr 7 20:10:43 2008 From: dyioulos at firstbhph.com (Dimitri Yioulos) Date: Mon Apr 7 20:11:28 2008 Subject: MailScanner --lint errors In-Reply-To: <47FA6F5C.30802@ecs.soton.ac.uk> References: <200804070753.57730.dyioulos@firstbhph.com> <200804071347.15009.dyioulos@firstbhph.com> <47FA6F5C.30802@ecs.soton.ac.uk> Message-ID: <200804071510.44272.dyioulos@firstbhph.com> On Monday 07 April 2008 3:00 pm, Julian Field wrote: > Dimitri Yioulos wrote: > > On Monday 07 April 2008 1:18 pm, Julian Field wrote: > >> Dimitri Yioulos wrote: > >>> On Monday 07 April 2008 10:31 am, Kai Schaetzl wrote: > >>>> Dimitri Yioulos wrote on Mon, 7 Apr 2008 07:53:56 -0400: > >>>>> I didn't get that with mailscanner-4.65.3-1, my last version before > >>>>> upgrading to the latest. > >>>> > >>>> sounds rather like a problem with SA. Did you also upgrade SA? You may > >>>> be missing a now required Perl module. A timing package? 
> >>>> > >>>> Kai > >>>> > >>>> -- > >>>> Kai Sch?tzl, Berlin, Germany > >>>> Get your web at Conactive Internet Services: http://www.conactive.com > >>> > >>> Kai, > >>> > >>> I'm running the latest (RPM) version of SA - 3.2.4. All of the perl SA > >>> modules look to be up-to-date, too. > >>> > >>> I took a look at > >>> /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpqamAssassin/Dns.pm line 371, > >>> which read "$total_waiting_time += $waiting_time". Just for fun, I > >>> deleted the +, ran MS --lint, and the first error was gone. However, > >>> I'm not sure if the "+=" isn't a valid construct, and what the > >>> consequences of my change would be (and so may just put back the +). > >> > >> You can't just remove "+" signs like that, sorry! > >> That line is a shorthand for > >> $total_waiting_time = $total_waiting_time + $waiting_time; > >> > >>> As to the second error, I see the line in Dns.pm, but have no idea what > >>> it does. Googling has turned up little. > >>> > >>> Dimitri > >> > >> Jules > >> > >> -- > >> Julian Field MEng CITP CEng > >> www.MailScanner.info > >> Buy the MailScanner book at www.MailScanner.info/store > > > > Thanks, Jules. I figured as much. So that's what "+=" means. Can these > > errors be ignored as being tivial? > > Depends what the errors were. Your previous message didn't include the > error messages. > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > Sorry, they were edited out by a previous poster. MailScanner --lint returns: Checking for SpamAssassin errors (if you use it)... SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Using SpamAssassin results cache Connected to SpamAssassin cache database Use of uninitialized value in addition (+) at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Dns.pm line 371. 
plugin: eval failed: Can't locate object method "log_lookups_timing" via package "Mail::SpamAssassin::AsyncLoop" at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Dns.pm line 381. SpamAssassin reported no errors. spamassassin --lint retuns no errors. Dimitri -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From MailScanner at ecs.soton.ac.uk Mon Apr 7 20:56:15 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Mon Apr 7 20:56:58 2008 Subject: MailScanner --lint errors In-Reply-To: <200804071510.44272.dyioulos@firstbhph.com> References: <200804070753.57730.dyioulos@firstbhph.com> <200804071347.15009.dyioulos@firstbhph.com> <47FA6F5C.30802@ecs.soton.ac.uk> <200804071510.44272.dyioulos@firstbhph.com> Message-ID: <47FA7C5F.5000602@ecs.soton.ac.uk> Dimitri Yioulos wrote: > On Monday 07 April 2008 3:00 pm, Julian Field wrote: > >> Dimitri Yioulos wrote: >> >>> On Monday 07 April 2008 1:18 pm, Julian Field wrote: >>> >>>> Dimitri Yioulos wrote: >>>> >>>>> On Monday 07 April 2008 10:31 am, Kai Schaetzl wrote: >>>>> >>>>>> Dimitri Yioulos wrote on Mon, 7 Apr 2008 07:53:56 -0400: >>>>>> >>>>>>> I didn't get that with mailscanner-4.65.3-1, my last version before >>>>>>> upgrading to the latest. >>>>>>> >>>>>> sounds rather like a problem with SA. Did you also upgrade SA? You may >>>>>> be missing a now required Perl module. A timing package? >>>>>> >>>>>> Kai >>>>>> >>>>>> -- >>>>>> Kai Sch?tzl, Berlin, Germany >>>>>> Get your web at Conactive Internet Services: http://www.conactive.com >>>>>> >>>>> Kai, >>>>> >>>>> I'm running the latest (RPM) version of SA - 3.2.4. All of the perl SA >>>>> modules look to be up-to-date, too. >>>>> >>>>> I took a look at >>>>> /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpqamAssassin/Dns.pm line 371, >>>>> which read "$total_waiting_time += $waiting_time". Just for fun, I >>>>> deleted the +, ran MS --lint, and the first error was gone. 
However, >>>>> I'm not sure if the "+=" isn't a valid construct, and what the >>>>> consequences of my change would be (and so may just put back the +). >>>>> >>>> You can't just remove "+" signs like that, sorry! >>>> That line is a shorthand for >>>> $total_waiting_time = $total_waiting_time + $waiting_time; >>>> >>>> >>>>> As to the second error, I see the line in Dns.pm, but have no idea what >>>>> it does. Googling has turned up little. >>>>> >>>>> Dimitri >>>>> >>>> Jules >>>> >>>> -- >>>> Julian Field MEng CITP CEng >>>> www.MailScanner.info >>>> Buy the MailScanner book at www.MailScanner.info/store >>>> >>> Thanks, Jules. I figured as much. So that's what "+=" means. Can these >>> errors be ignored as being tivial? >>> >> Depends what the errors were. Your previous message didn't include the >> error messages. >> >> Jules >> >> -- >> Julian Field MEng CITP CEng >> www.MailScanner.info >> Buy the MailScanner book at www.MailScanner.info/store >> >> > > Sorry, they were edited out by a previous poster. MailScanner --lint returns: > > Checking for SpamAssassin errors (if you use it)... > SpamAssassin temporary working directory > is /var/spool/MailScanner/incoming/SpamAssassin-Temp > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp > Using SpamAssassin results cache > Connected to SpamAssassin cache database > Use of uninitialized value in addition (+) > at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Dns.pm line 371. > That's pretty irrelevant, just a minor warning. > plugin: eval failed: Can't locate object method "log_lookups_timing" via > package "Mail::SpamAssassin::AsyncLoop" > at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Dns.pm line 381. > SpamAssassin reported no errors. > This appears to imply a problem in the DNS lookups done by SpamAssassin. Do the DNS lookups done by SpamAssassin still appear to work okay? If so, ignore it. 
If not, then I would take that problem to the SpamAssassin mailing list, once you have made sure you are running the latest version of SpamAssassin ("MailScanner -v" will tell you what version it is).
> spamassassin --lint returns no errors.
>
What about "spamassassin --lint -D"? Does its output show any warnings about DNS lookups?

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From jaearick at colby.edu Mon Apr 7 21:53:57 2008
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Mon Apr 7 21:54:45 2008
Subject: Timestamp problem when running --debug-sa
In-Reply-To: <625385e30804070730u38f2968cwf7412ee5c7bbc6d4@mail.gmail.com>
References: <625385e30804070730u38f2968cwf7412ee5c7bbc6d4@mail.gmail.com>
Message-ID:

Hi,

I played with this on Friday, by fiddling with check_mailscanner.sh and changing the PATH and AWK definitions there. My GNU gawk is in /usr/local/bin so I put that in the path first. I use Solaris 10 (sparc) too. I got debug mode to work with timestamps from gawk, but version 4.68.8 would just hang in the middle of a debug run with gawk in play. :( Haven't had time to chase it further.

Yes, I would like this working for Solaris as well.

Jeff Earickson
Colby College

On Mon, 7 Apr 2008, shuttlebox wrote:

> Date: Mon, 7 Apr 2008 16:30:05 +0200
> From: shuttlebox
> Reply-To: MailScanner discussion
> To: MailScanner discussion
> Subject: Timestamp problem when running --debug-sa
>
> I tried the new timestamp feature in --debug-sa introduced in 4.67 and
> it complained about awk not supporting strftime, I kind of expected
> that since Solaris comes with a legacy awk in /bin. I installed gawk
> and it's in my path as can be seen below:
>
> # which awk
> /bin/awk
> # which gawk
> /opt/csw/bin/gawk
>
> I then changed the two awk calls in SA.pm to gawk but still got this:
>
> # MailScanner --debug --debug-sa
> In Debugging mode, not forking...
> Trying to setlogsock(udp)
> sh: gawk: not found
>
> *****
> If 'awk' (with support for the function strftime) was
> available on your $PATH then all the SpamAssassin debug
> output would have the current time added to the start of
> every line, making debugging far easier.
> *****
>
> I assume MailScanner uses some short custom path even though it claims
> that it would work if I had gawk in my path which I do. If I hardcode
> the complete path to my gawk (opt/csw/bin/gawk) I get the correct
> result:
>
> # MailScanner --debug --debug-sa
> In Debugging mode, not forking...
> Trying to setlogsock(udp)
> 16:17:44 SpamAssassin temp dir =
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
>
> On a single system this could simply be solved by symlinking old awk
> to new gawk but I would like a "clean" solution for my Solaris
> packages, I will of course have to add gawk as a dependency to
> MailScanner but should I just change the paths in SA.pm for my package
> (that will have to be done for every release) or should MS look for
> awk/gawk in more places or should we have a new config option for the
> location of awk?
>
> I'm fine with me changing the paths for every release, I have a
> totally automated build script, but I'm a little surprised that no one
> else has had problems. I guess most have GNU tools as the default...
>
> --
> /peter
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
> From dyioulos at firstbhph.com Mon Apr 7 22:07:05 2008 From: dyioulos at firstbhph.com (Dimitri Yioulos) Date: Mon Apr 7 22:07:56 2008 Subject: MailScanner --lint errors In-Reply-To: <47FA7C5F.5000602@ecs.soton.ac.uk> References: <200804070753.57730.dyioulos@firstbhph.com> <200804071510.44272.dyioulos@firstbhph.com> <47FA7C5F.5000602@ecs.soton.ac.uk> Message-ID: <200804071707.06994.dyioulos@firstbhph.com> On Monday 07 April 2008 3:56 pm, Julian Field wrote: > Dimitri Yioulos wrote: > > On Monday 07 April 2008 3:00 pm, Julian Field wrote: > >> Dimitri Yioulos wrote: > >>> On Monday 07 April 2008 1:18 pm, Julian Field wrote: > >>>> Dimitri Yioulos wrote: > >>>>> On Monday 07 April 2008 10:31 am, Kai Schaetzl wrote: > >>>>>> Dimitri Yioulos wrote on Mon, 7 Apr 2008 07:53:56 -0400: > >>>>>>> I didn't get that with mailscanner-4.65.3-1, my last version before > >>>>>>> upgrading to the latest. > >>>>>> > >>>>>> sounds rather like a problem with SA. Did you also upgrade SA? You > >>>>>> may be missing a now required Perl module. A timing package? > >>>>>> > >>>>>> Kai > >>>>>> > >>>>>> -- > >>>>>> Kai Sch?tzl, Berlin, Germany > >>>>>> Get your web at Conactive Internet Services: > >>>>>> http://www.conactive.com > >>>>> > >>>>> Kai, > >>>>> > >>>>> I'm running the latest (RPM) version of SA - 3.2.4. All of the perl > >>>>> SA modules look to be up-to-date, too. > >>>>> > >>>>> I took a look at > >>>>> /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpqamAssassin/Dns.pm line 371, > >>>>> which read "$total_waiting_time += $waiting_time". Just for fun, I > >>>>> deleted the +, ran MS --lint, and the first error was gone. However, > >>>>> I'm not sure if the "+=" isn't a valid construct, and what the > >>>>> consequences of my change would be (and so may just put back the +). > >>>> > >>>> You can't just remove "+" signs like that, sorry! 
> >>>> That line is a shorthand for > >>>> $total_waiting_time = $total_waiting_time + $waiting_time; > >>>> > >>>>> As to the second error, I see the line in Dns.pm, but have no idea > >>>>> what it does. Googling has turned up little. > >>>>> > >>>>> Dimitri > >>>> > >>>> Jules > >>>> > >>>> -- > >>>> Julian Field MEng CITP CEng > >>>> www.MailScanner.info > >>>> Buy the MailScanner book at www.MailScanner.info/store > >>> > >>> Thanks, Jules. I figured as much. So that's what "+=" means. Can > >>> these errors be ignored as being tivial? > >> > >> Depends what the errors were. Your previous message didn't include the > >> error messages. > >> > >> Jules > >> > >> -- > >> Julian Field MEng CITP CEng > >> www.MailScanner.info > >> Buy the MailScanner book at www.MailScanner.info/store > > > > Sorry, they were edited out by a previous poster. MailScanner --lint > > returns: > > > > Checking for SpamAssassin errors (if you use it)... > > SpamAssassin temporary working directory > > is /var/spool/MailScanner/incoming/SpamAssassin-Temp > > SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp > > Using SpamAssassin results cache > > Connected to SpamAssassin cache database > > Use of uninitialized value in addition (+) > > at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Dns.pm line 371. > > That's pretty irrelevant, just a minor warning. > > > plugin: eval failed: Can't locate object method "log_lookups_timing" via > > package "Mail::SpamAssassin::AsyncLoop" > > at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Dns.pm line 381. > > SpamAssassin reported no errors. > > This appears to imply a problem in the DNS lookups done by SpamAssassin. > Do the DNS lookups done by SpamAssassin still appear to work okay? If > so, ignore it. If not, then I would take that problem to the > SpamAssassin mailing list, once you have made sure you are running the > latest version of SpamAssassin ("MailScanner -v" will tell you what > version it is). 
>
> > spamassassin --lint returns no errors.
>
> What about "spamassassin --lint -D"? Does its output show any warnings
> about DNS lookups?
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules@Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key: http://www.jules.fm/julesfm.asc
>
>

Julian,

Your points are well taken. I did run spamassassin -D --lint and got no errors. MailScanner -v output appears fine, and only the SAVI module is missing (and I don't need it, anyway). SA DNS lookups appear to be working fine. And, as I mentioned, our mail system, in general, appears to be working just fine, as it always has.

That notwithstanding, I think I will take this to the SA mailing list.

My thanks to you and Kai.

Dimitri

From gwong at linktechit.com Mon Apr 7 22:29:51 2008
From: gwong at linktechit.com (Gregory Wong)
Date: Mon Apr 7 22:30:32 2008
Subject: Excessive Swapping
Message-ID:

Hi everyone,

I have a server that has 256MB of RAM. It is running Postfix, MS, MailScanner-MRTG on Ubuntu Server. I have noticed recently that it has been swapping a lot.

             total       used       free     shared    buffers     cached
Mem:           256        204         51          0          0         18
-/+ buffers/cache:        185         70
Swap:          511        152        359

I am looking to implement MailWatch but am concerned that the server doesn't have an adequate amount of memory. Is this excessive swapping normal? Should I be upgrading the RAM?

Also, my company got hit on Saturday with nearly 1600 spam messages (which is unusual since we only get about 200-300 spam per day). Besides running MS and the default SA rules, what other things do you recommend I configure to help combat the spam?

Thanks.
From MailScanner at ecs.soton.ac.uk Mon Apr 7 22:52:10 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Mon Apr 7 22:52:52 2008
Subject: Excessive Swapping
In-Reply-To:
References:
Message-ID: <47FA978A.4010501@ecs.soton.ac.uk>

Gregory Wong wrote:
> Hi everyone,
>
> I have a server that has 256MB of RAM. It is running Postfix, MS,
> MailScanner-MRTG on Ubuntu Server.
Ouch!
> I have noticed recently that it has been swapping a lot.
Funny, that...
>
>              total       used       free     shared    buffers     cached
> Mem:           256        204         51          0          0         18
> -/+ buffers/cache:        185         70
> Swap:          511        152        359
>
> I am looking to implement MailWatch but am concerned that the server
> doesn't have an adequate amount of memory. Is this excessive swapping
> normal? Should I be upgrading the RAM?
MailScanner wants about 1Gb of RAM per CPU. MailWatch will need another few hundred megs probably.
>
> Also, my company got hit on Saturday with nearly 1600 spam messages
> (which is unusual since we only get about 200-300 spam per day).
> Besides running MS and the default SA rules, what other things do you
> recommend I configure to help combat the spam?
Start by adding a couple of Gigs of RAM, as then you can reasonably run Razor, DCC and a pile of extra rulesets for SpamAssassin. Look through the mailing list archives (or the wiki) for a "HOWTO" I posted last July 2007. Get all that lot going and your spam rate will improve a lot. But you aren't going to be able to do anything until you spend a few dollars on some RAM.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From alex at nkpanama.com Mon Apr 7 22:58:17 2008
From: alex at nkpanama.com (Alex Neuman)
Date: Mon Apr 7 22:59:14 2008
Subject: Excessive Swapping
In-Reply-To:
References:
Message-ID: <7464B825-4FE5-47EC-998D-DB6C2C2EA360@nkpanama.com>

It's too little. Besides, running MS + Postfix causes swapping! ;-P

On Apr 7, 2008, at 4:29 PM, Gregory Wong wrote:

> Hi everyone,
>
> I have a server that has 256MB of RAM. It is running Postfix, MS,
> MailScanner-MRTG on Ubuntu Server. I have noticed recently that it
> has been swapping a lot.
>
>              total       used       free     shared    buffers     cached
> Mem:           256        204         51          0          0         18
> -/+ buffers/cache:        185         70
> Swap:          511        152        359
>
> I am looking to implement MailWatch but am concerned that the server
> doesn't have an adequate amount of memory. Is this excessive
> swapping normal? Should I be upgrading the RAM?
>
> Also, my company got hit on Saturday with nearly 1600 spam messages
> (which is unusual since we only get about 200-300 spam per day).
> Besides running MS and the default SA rules, what other things do
> you recommend I configure to help combat the spam?
>
> Thanks.
From mi6 at orcon.net.nz Tue Apr 8 01:12:51 2008
From: mi6 at orcon.net.nz (Charlie)
Date: Tue Apr 8 01:13:30 2008
Subject: Send error email to myself
Message-ID: <04a001c8990d$4a4e01f0$0200a8c0@CharlieCompaq>

Hi,
I have been trying to find out how to get Mailscanner to send an email to myself whenever someone tries to send an email that gets caught/altered by the filename/filetype rules that I have set in filename.rules.conf and filetype.rules.conf.
Thanks
Charlie

From MailScanner at ecs.soton.ac.uk Tue Apr 8 01:55:44 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 8 01:56:33 2008
Subject: Send error email to myself
In-Reply-To: <04a001c8990d$4a4e01f0$0200a8c0@CharlieCompaq>
References: <04a001c8990d$4a4e01f0$0200a8c0@CharlieCompaq>
Message-ID: <47FAC290.8070202@ecs.soton.ac.uk>

Have you checked out the entire "Send Notices" section of MailScanner.conf?

Charlie wrote:
> Hi,
> I have been trying to find out how to get Mailscanner to send an email
> to myself whenever someone tries to send an email that gets
> caught/altered by the filename/filetype rules that I have set in
> filename.rules.conf and filetype.rules.conf.
> Thanks
> Charlie

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From mi6 at orcon.net.nz Tue Apr 8 02:40:47 2008
From: mi6 at orcon.net.nz (Charlie)
Date: Tue Apr 8 02:41:20 2008
Subject: Send error email to myself
Message-ID: <053a01c89919$92faef10$0200a8c0@CharlieCompaq>

Yes - I only see the ability to receive emails when a virus is found. Nowhere can I find the setting that allows me to receive the emails that I mentioned.
If you can see it then please do let me know.
Thanks

>Have you checked out the entire "Send Notices" section of MailScanner.conf?

>Charlie wrote:
> Hi,
> I have been trying to find out how to get Mailscanner to send an email
> to myself whenever someone tries to send an email that gets
> caught/altered by the filename/filetype rules that I have set in
> filename.rules.conf and filetype.rules.conf.
> Thanks
> Charlie

>Jules

From rapin at linuxmail.org Tue Apr 8 04:23:31 2008
From: rapin at linuxmail.org (Linuxmail R.)
Date: Tue Apr 8 04:24:06 2008
Subject: how to fix Blacklist
Message-ID: <20080408032331.91561CBE80@ws5-11.us4.outblaze.com>

hi i config blacklist

>From To
*@* postmaster@mydomain.com

why i yet receive all email to postmaster

Thank you. for help.

--------------------------------------------------
Linuxmail Rapin P.

=
--
Powered by Outblaze

From rapin at linuxmail.org Tue Apr 8 04:33:38 2008
From: rapin at linuxmail.org (Linuxmail R.)
Date: Tue Apr 8 04:33:47 2008
Subject: why ClamAV not show identities
Message-ID: <20080408033338.16884233C9@ws5-3.us4.outblaze.com>

Thank you and how i fix it.

Rapin.

> ----- Original Message -----
> From: "Kai Schaetzl"
> To: mailscanner@lists.mailscanner.info
> Subject: Re: why ClamAV not show identities
> Date: Mon, 07 Apr 2008 12:31:14 +0200
>
>
> Linuxmail R. wrote on Mon, 7 Apr 2008 15:49:55 +0700:
>
> > why clamav not show this detail.
>
> Because you and you need a database.
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
>

--------------------------------------------------
Linuxmail Rapin P.
=
--
Powered by Outblaze

From dominian at slackadelic.com Tue Apr 8 05:04:49 2008
From: dominian at slackadelic.com (Matt Hayes)
Date: Tue Apr 8 05:05:39 2008
Subject: how to fix Blacklist
In-Reply-To: <20080408032331.91561CBE80@ws5-11.us4.outblaze.com>
References: <20080408032331.91561CBE80@ws5-11.us4.outblaze.com>
Message-ID: <47FAEEE1.9080506@slackadelic.com>

Linuxmail R. wrote:
> hi i config blacklist
>
>>From To
> *@* postmaster@mydomain.com
>
> why i yet receive all email to postmaster
>
> Thank you. for help.
>
> --------------------------------------------------
> Linuxmail Rapin P.
>
>
> =
>
>

Er.. the RFC requires that you receive email to postmaster.

-Matt

From rapin at linuxmail.org Tue Apr 8 05:18:36 2008
From: rapin at linuxmail.org (Linuxmail R.)
Date: Tue Apr 8 05:19:11 2008
Subject: how to fix Blacklist
Message-ID: <20080408041836.3585ECBE80@ws5-11.us4.outblaze.com>

ok thx. but i receive spammail send to postmaster so much, how i fix it

> ----- Original Message -----
> From: "Matt Hayes"
> To: "MailScanner discussion"
> Subject: Re: how to fix Blacklist
> Date: Tue, 08 Apr 2008 00:04:49 -0400
>
>
> Linuxmail R. wrote:
> > hi i config blacklist
> >> From To
> > *@* postmaster@mydomain.com
> >
> > why i yet receive all email to postmaster
> >
> > Thank you. for help.
> >
> > --------------------------------------------------
> > Linuxmail Rapin P.
> >
> >
> > =
> >
> >
>
> Er.. the RFC requires that you receive email to postmaster.
>
> -Matt
>

--------------------------------------------------
Linuxmail Rapin P.
=
--
Powered by Outblaze

From dominian at slackadelic.com Tue Apr 8 05:56:37 2008
From: dominian at slackadelic.com (Matt Hayes)
Date: Tue Apr 8 05:57:21 2008
Subject: how to fix Blacklist
In-Reply-To: <20080408041836.3585ECBE80@ws5-11.us4.outblaze.com>
References: <20080408041836.3585ECBE80@ws5-11.us4.outblaze.com>
Message-ID: <47FAFB05.2030400@slackadelic.com>

Linuxmail R. wrote:
> ok thx. but i receive spammail send to postmaster so much, how i fix it
>

*snip*

*babblessomethingabouttopposting*

Look at greylisting, greet pause, spam filtering.. it's something that will happen.. it's email...

-Matt

From hvdkooij at vanderkooij.org Tue Apr 8 06:01:01 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Apr 8 06:01:48 2008
Subject: how to fix Blacklist
In-Reply-To: <20080408041836.3585ECBE80@ws5-11.us4.outblaze.com>
References: <20080408041836.3585ECBE80@ws5-11.us4.outblaze.com>
Message-ID: <47FAFC0D.1000607@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Linuxmail R. wrote:
| ok thx. but i receive spammail send to postmaster so much, how i fix it

Well. You have the messages. Look at them. Find criteria that are spammy and adjust your config to match them.

None of us have seen those messages so we have no clue what to tell you.

If you want advice then make your homework. Your assignments are:
~ - show current config
~ - show MTA, distro, ...
~ - Show sample collection of messages in full as scanned by MS.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFH+vwLBvzDRVjxmYERAsnwAJ4jeKIiI7vYQHrXFVzSQbX7iNnL4ACfXH03
jFUFhl1IzPPxPtx5p08cKeM=
=6PRH
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Tue Apr 8 06:04:20 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Apr 8 06:04:29 2008
Subject: why ClamAV not show identities
In-Reply-To: <20080408033338.16884233C9@ws5-3.us4.outblaze.com>
References: <20080408033338.16884233C9@ws5-3.us4.outblaze.com>
Message-ID: <47FAFCD4.4000108@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Linuxmail R. wrote:
| Thank you and how i fix it.

How much money are you willing to spend on someone holding your hand and doing things for you?

Because I have some serious doubts you have the skills to find answers yourself and you need someone to do things for you.

I suggest you contact Julian, describe your needs and pay whatever he wants to charge you.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFH+vzSBvzDRVjxmYERAlqzAJ9uHgsYSxu169WlKtJ3xKlspW0KyQCgp+ix
Ze9jBiA3hCeZ8JpLB4FcWi4=
=xwWK
-----END PGP SIGNATURE-----

From vincent at zijnemail.nl Tue Apr 8 08:09:17 2008
From: vincent at zijnemail.nl (Vincent Verhagen)
Date: Tue Apr 8 08:10:08 2008
Subject: Fire message action on specific SA rule hit?
In-Reply-To: <47FA6F82.2080209@ecs.soton.ac.uk>
References: <47FA6B83.6040908@zijnemail.nl> <47FA6F82.2080209@ecs.soton.ac.uk>
Message-ID: <47FB1A1D.9000401@zijnemail.nl>

Thanks Jules. I really should update my software more often... :)

Julian Field wrote:
> Read "SpamAssassin Rule Actions". The comments above it in
> MailScanner.conf will tell you how to use it.
>
> Vincent Verhagen wrote:
>> Hi all,
>>
>> Is it possible to configure MailScanner so that it would use a
>> specific message action if a certain SA rule scored?
>> I'm looking to forward messages that hit rules that start with
>> MYRULE_ to a certain address.
>> If I had to do some programming for it, I guess I could manage that :)
>>
>> Thanks in advance,
>>
>> Vincent.
>>
>
> Jules
>

From wm at meta.net Tue Apr 8 10:26:59 2008
From: wm at meta.net (Michael Weis)
Date: Tue Apr 8 10:28:59 2008
Subject: misuse MailScanner
Message-ID: <47FB3A63.2040602@meta.net>

Hello everyone,

we are planning to create an email-account to which only mails with attachments will be sent. I have the job to extract these attachments from the mail and handle them (save, print, archive)

So far so good, but I have no idea how to get the attachments to a disk. I know mailscanner does this while scanning for viruses (right?).

So how can I tell mailscanner to just save attachments from a certain user's emails? (no problem if they were scanned before)

I searched the mailing-list-archive but it seemed that nobody has to do this before.

Greetings and thanks in advance
Michael

--
meta Trennwandanlagen, meta Straße, D-56579 Rengsdorf
Legal form: GmbH & Co. KG, Montabaur District Court HRA 10582
Personally liable partner: meta Trennwandanlagen Verwaltungsgesellschaft mbH
Montabaur District Court HRB 10061, registered office: D-56579 Rengsdorf
Managing directors: Klaus Weidemann, Uwe Weidemann
VAT ID no. DE 149513506

From edward.prendergast at netring.co.uk Tue Apr 8 11:08:41 2008
From: edward.prendergast at netring.co.uk (Edward Prendergast)
Date: Tue Apr 8 11:09:08 2008
Subject: MailScanner increasing score over threshold but message passed as clean?
Message-ID: <030801c89960$868bd400$93a37c00$@prendergast@netring.co.uk>

I've hiked up the score below:

Treat Invalid Watermarks With No Sender as Spam = 3

But when this pushes the spam score over 5 with the addition of SpamAssassin
hits (my spam threshold is 5, high scoring spam is 10) the message gets
passed as clean. It appears that the score is getting added but ignored.

These are the hits from SpamAssassin:
cached not
score=2.197
5 required
2.00 ANY_BOUNCE_MESSAGE Message is some kind of bounce message
-2.60 BAYES_00 Bayesian spam probability is 0 to 1%
0.10 BOUNCE_MESSAGE MTA bounce message
2.70 FH_FROMEML_NOTLD E-mail address doesn't have TLD (.com, etc.

This is the total score (as reported in MailWatch):
SpamAssassin Score: 5.20

Am I doing something wrong here or is this a bug?

MailScanner -v output:
Running on
Linux server10.netring.co.uk 2.6.18-53.1.4.el5 #1 SMP Wed Nov 14 10:37:33
EST 2007 i686 i686 i386 GNU/Linux
This is Red Hat Enterprise Linux Server release 5.1 (Tikanga)
This is Perl version 5.008008 (5.8.8)

This is MailScanner version 4.66.4
Module versions are:
1.00 AnyDBM_File
1.16 Archive::Zip
1.04 Carp
1.119 Convert::BinHex
2.27 Date::Parse
1.00 DirHandle
1.05 Fcntl
2.74 File::Basename
2.09 File::Copy
2.01 FileHandle
1.08 File::Path
0.19 File::Temp
0.90 Filesys::Df
1.35 HTML::Entities
3.56 HTML::Parser
2.37 HTML::TokeParser
1.23 IO
1.14 IO::File
1.13 IO::Pipe
2.02 Mail::Header
1.86 Math::BigInt
3.07 MIME::Base64
5.425 MIME::Decoder
5.425 MIME::Decoder::UU
5.425 MIME::Head
5.425 MIME::Parser
3.07 MIME::QuotedPrint
5.425 MIME::Tools
0.11 Net::CIDR
1.09 POSIX
1.18 Scalar::Util
1.78 Socket
1.4 Sys::Hostname::Long
0.13 Sys::Syslog
1.86 Time::HiRes
1.02 Time::localtime

Optional module versions are:
1.36 Archive::Tar
0.21 bignum
1.82 Business::ISBN
1.10 Business::ISBN::Data
0.17 Convert::TNEF
1.08 Data::Dump
1.814 DB_File
1.14 DBD::SQLite
1.56 DBI
1.15 Digest
1.01 Digest::HMAC
2.36 Digest::MD5
2.11 Digest::SHA1
1.00 Encode::Detect
0.17008 Error
0.18 ExtUtils::CBuilder
2.18 ExtUtils::ParseXS
0.44 Inline
1.08 IO::String
1.08 IO::Zlib
2.21 IP::Country
0.21 Mail::ClamAV
3.002004 Mail::SpamAssassin
v2.004 Mail::SPF
1.999001 Mail::SPF::Query
0.19 Math::BigRat
0.2808 Module::Build
0.20 Net::CIDR::Lite
0.62 Net::DNS
0.002.2 Net::DNS::Resolver::Programmable
missing Net::LDAP
4.004 NetAddr::IP
1.94 Parse::RecDescent
missing SAVI
2.56 Test::Harness
0.95 Test::Manifest
1.98 Text::Balanced
1.35 URI
0.7203 version
0.62 YAML


************
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorised. If you are not the intended recipient, any action taken or
omitted to be taken in reliance on it, any form of reproduction,
dissemination, copying, disclosure, modification, distribution and/or
publication of this E-mail message is strictly prohibited and may be
unlawful. If you have received this E-mail message in error, please notify
us immediately. Please also destroy and delete the message from your
computer.
************
From MailScanner at ecs.soton.ac.uk Tue Apr 8 11:44:44 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 8 11:45:34 2008
Subject: MailScanner increasing score over threshold but message passed as clean?
In-Reply-To: <030801c89960$868bd400$93a37c00$@prendergast@netring.co.uk>
References: <030801c89960$868bd400$93a37c00$@prendergast@netring.co.uk>
Message-ID: <47FB4C9C.8040603@ecs.soton.ac.uk>

In /usr/lib/MailScanner/MailScanner/Message.pm, at line 567, you should
find a line that looks like this:

    my($mshspam, $mshhigh) = MailScanner::SA::SATest_spam($this, 0.0, $this->{sascore}+0.0);

Immediately *after* this line, please add this line:

    print STDERR "mshspam = $mshspam\nmshhigh = $mshhigh\n";

Then run "MailScanner --debug" on some test messages that should push
the spam score over your spam threshold of 5, and mshspam should equal 1.
Please can you let me know what it outputs.
Thanks!

Edward Prendergast wrote:
> I've hiked up the score below:
>
> Treat Invalid Watermarks With No Sender as Spam = 3
>
> But when this pushes the spam score over 5 with the addition of SpamAssassin
> hits (my spam threshold is 5, high scoring spam is 10) the message gets
> passed as clean. It appears that the score is getting added but ignored.
>
> These are the hits from SpamAssassin:
> cached not
> score=2.197
> 5 required
> 2.00 ANY_BOUNCE_MESSAGE Message is some kind of bounce message
> -2.60 BAYES_00 Bayesian spam probability is 0 to 1%
> 0.10 BOUNCE_MESSAGE MTA bounce message
> 2.70 FH_FROMEML_NOTLD E-mail address doesn't have TLD (.com, etc.
>
> This is the total score (as reported in MailWatch):
> SpamAssassin Score: 5.20
>
> Am I doing something wrong here or is this a bug?
>
> MailScanner -v output:
> Running on
> Linux server10.netring.co.uk 2.6.18-53.1.4.el5 #1 SMP Wed Nov 14 10:37:33
> EST 2007 i686 i686 i386 GNU/Linux
> This is Red Hat Enterprise Linux Server release 5.1 (Tikanga)
> This is Perl version 5.008008 (5.8.8)
>
> This is MailScanner version 4.66.4
> Module versions are:
> 1.00 AnyDBM_File
> 1.16 Archive::Zip
> 1.04 Carp
> 1.119 Convert::BinHex
> 2.27 Date::Parse
> 1.00 DirHandle
> 1.05 Fcntl
> 2.74 File::Basename
> 2.09 File::Copy
> 2.01 FileHandle
> 1.08 File::Path
> 0.19 File::Temp
> 0.90 Filesys::Df
> 1.35 HTML::Entities
> 3.56 HTML::Parser
> 2.37 HTML::TokeParser
> 1.23 IO
> 1.14 IO::File
> 1.13 IO::Pipe
> 2.02 Mail::Header
> 1.86 Math::BigInt
> 3.07 MIME::Base64
> 5.425 MIME::Decoder
> 5.425 MIME::Decoder::UU
> 5.425 MIME::Head
> 5.425 MIME::Parser
> 3.07 MIME::QuotedPrint
> 5.425 MIME::Tools
> 0.11 Net::CIDR
> 1.09 POSIX
> 1.18 Scalar::Util
> 1.78 Socket
> 1.4 Sys::Hostname::Long
> 0.13 Sys::Syslog
> 1.86 Time::HiRes
> 1.02 Time::localtime
>
> Optional module versions are:
> 1.36 Archive::Tar
> 0.21 bignum
> 1.82 Business::ISBN
> 1.10 Business::ISBN::Data
> 0.17 Convert::TNEF
> 1.08 Data::Dump
> 1.814 DB_File
> 1.14 DBD::SQLite
> 1.56 DBI
> 1.15 Digest
> 1.01 Digest::HMAC
> 2.36 Digest::MD5
> 2.11 Digest::SHA1
> 1.00 Encode::Detect
> 0.17008 Error
> 0.18 ExtUtils::CBuilder
> 2.18 ExtUtils::ParseXS
> 0.44 Inline
> 1.08 IO::String
> 1.08 IO::Zlib
> 2.21 IP::Country
> 0.21 Mail::ClamAV
> 3.002004 Mail::SpamAssassin
> v2.004 Mail::SPF
> 1.999001 Mail::SPF::Query
> 0.19 Math::BigRat
> 0.2808 Module::Build
> 0.20 Net::CIDR::Lite
> 0.62 Net::DNS
> 0.002.2 Net::DNS::Resolver::Programmable
> missing Net::LDAP
> 4.004 NetAddr::IP
> 1.94 Parse::RecDescent
> missing SAVI
> 2.56 Test::Harness
> 0.95 Test::Manifest
> 1.98 Text::Balanced
> 1.35 URI
> 0.7203 version
> 0.62 YAML
>
>
> ************
> The information in this email is confidential and may be legally privileged.
> It is intended solely for the addressee. Access to this email by anyone else
> is unauthorised. If you are not the intended recipient, any action taken or
> omitted to be taken in reliance on it, any form of reproduction,
> dissemination, copying, disclosure, modification, distribution and/or
> publication of this E-mail message is strictly prohibited and may be
> unlawful. If you have received this E-mail message in error, please notify
> us immediately. Please also destroy and delete the message from your
> computer.
> ************
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
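The values Julian's debug line should print for the reported message, worked out as an added example that is not part of the original thread or of MailScanner's code: it parses the report lines Edward quoted, adds the watermark score of 3, and compares SpamAssassin's own verdict with the combined one. Function names are hypothetical, and counting a score equal to a threshold as reaching it is an assumption.

```python
import re

# Constructed sample: the report lines quoted in Edward's message.
REPORT = """\
cached not
score=2.197
5 required
2.00 ANY_BOUNCE_MESSAGE Message is some kind of bounce message
-2.60 BAYES_00 Bayesian spam probability is 0 to 1%
0.10 BOUNCE_MESSAGE MTA bounce message
2.70 FH_FROMEML_NOTLD E-mail address doesn't have TLD (.com, etc.
"""

NUM = r"-?\d+(?:\.\d+)?"
HIT = re.compile(rf"^({NUM})\s+([A-Z][A-Z0-9_]*)\b")


def parse_report(text):
    """Return (score, required, hits) from a listing like the one above."""
    score = required = None
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(rf"score=({NUM})", line)
        if m:
            score = float(m.group(1))
            continue
        m = re.fullmatch(rf"({NUM}) required", line)
        if m:
            required = float(m.group(1))
            continue
        m = HIT.match(line)
        if m:
            hits.append((m.group(2), float(m.group(1))))
    if score is None or required is None:
        raise ValueError("report has no score= or 'required' line")
    return score, required, hits


def hits_match_score(score, hits, per_hit_rounding=0.005):
    """True when the listed hits add up to the reported score, allowing for
    each hit having been rounded to two decimals in the listing."""
    total = sum(value for _, value in hits)
    return abs(total - score) <= per_hit_rounding * len(hits) + 1e-9


def expected_flags(sa_score, extra, spam_threshold, high_threshold):
    """(mshspam, mshhigh) the combined score should give.
    Assumption: a score equal to a threshold counts as reaching it."""
    total = sa_score + extra
    return int(total >= spam_threshold), int(total >= high_threshold)


def compare(text, extra, high_threshold):
    """Contrast SpamAssassin's own verdict with the verdict after the
    MailScanner-added score (the watermark setting) is included."""
    score, required, hits = parse_report(text)
    return {
        "hits_match_score": hits_match_score(score, hits),
        "sa_only": expected_flags(score, 0.0, required, high_threshold),
        "with_extra": expected_flags(score, extra, required, high_threshold),
        "total": round(score + extra, 2),
    }


if __name__ == "__main__":
    # 3 = "Treat Invalid Watermarks With No Sender as Spam", 10 = high-scoring threshold
    for key, value in compare(REPORT, extra=3.0, high_threshold=10.0).items():
        print(f"{key}: {value}")
```

SpamAssassin alone scores the message below the threshold, so only the recomputed flags can mark it as spam; that is the value the debug print exposes.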
From glenn.steen at gmail.com Tue Apr 8 12:14:44 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Apr 8 12:15:21 2008
Subject: Send error email to myself
In-Reply-To: <053a01c89919$92faef10$0200a8c0@CharlieCompaq>
References: <053a01c89919$92faef10$0200a8c0@CharlieCompaq>
Message-ID: <223f97700804080414k57eeb6aex5d49b2e349acb304@mail.gmail.com>

On 08/04/2008, Charlie wrote:
> Yes - I only see the ability to receive emails when a virus is found.
> Nowhere can I find the setting that allows me to receive the emails that I
> mentioned. If you can see it then please do let me know.
> Thanks

Perhaps you'd like to add yourself to "Send Notices To = ..."?
Might be able to do something with a ruleset, I suppose, if you want
some kind of ... diversification:-)

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From glenn.steen at gmail.com Tue Apr 8 12:25:10 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Apr 8 12:25:46 2008
Subject: misuse MailScanner
In-Reply-To: <47FB3A63.2040602@meta.net>
References: <47FB3A63.2040602@meta.net>
Message-ID: <223f97700804080425y7058a376v8b95b558e6ba3d27@mail.gmail.com>

On 08/04/2008, Michael Weis wrote:
> Hello everyone,
>
> we are planning to create an email-account to which
> only mails with attachments will be sent.
>
> I have the job to extract these attachments from
> the mail and handle them
> (save, print, archive)
>
> So far so good, but I have no idea
> how to get the attachments to a disk.
>
> I know mailscanner does this while scanning
> for viruses (right?).
>
> So how can I tell mailscanner to just save
> attachments from a certain user's emails ?
> (no problem if they were scanned before)
>
> I searched the mailing-list-archive
> but it seemed that nobody has to do this
> before.
>

You can use numerous tools and do this at several "levels"...
Since the non-spam quarantine wouldn't contain the "decoded" attachment,
you can't use that (a simple "store" for that user in a ruleset on Non
Spam Actions), but rather would have to do something else ... a
CustomFunction or perhaps the spiffy SpamAssassin rule actions... But
simplest would perhaps be to use procmail at delivery and/or some tool
like mmdecode/metamail or whatnot.
Been a few years (... like ... 10...:-) since last I needed do
anything like that... might be easier now:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
From ms-list at alexb.ch Tue Apr 8 12:46:34 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Apr 8 12:47:12 2008
Subject: SA/MS Installer dependencies
Message-ID: <47FB5B1A.1090907@alexb.ch>

Jules,
- Seems SA dependencies are added by the MS installer.
why?
This breaks possible SA updates and forces the admin into setup methods
which *could* cause issues in the future

The one more noticeably missing are


REQUIRED module missing: HTML::Parser
optional module missing: LWP::UserAgent (for sa-update)
optional module missing: HTTP::Date (for sa-update)

I came across this when I wanted to update an older MailScanner box with
the latest SA/Clam installer.

Could you please keep SA's dependencies in SA's installer and not in MS's

thanks

Alex
From shuttlebox at gmail.com Tue Apr 8 13:09:00 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Tue Apr 8 13:09:34 2008
Subject: Beta 4.69.1 -- can find files embedded in MS Office docs
In-Reply-To: <47F90C41.9060401@ecs.soton.ac.uk>
References: <47F90C41.9060401@ecs.soton.ac.uk>
Message-ID: <625385e30804080509q43762cbsc39c7a5d87cb9939@mail.gmail.com>

On Sun, Apr 6, 2008 at 7:45 PM, Julian Field wrote:
> Folks,
>
> I have just released the first beta of version 4.69.
>
> It has a few new features, the most obviously important of which is its
> ability to extract files embedded within Microsoft Office documents, and
> subject them to the same filename and filetype tests that the contents of
> other archives have to pass.

Could you add OLE::Storage_Lite to the required list when one does
"MailScanner -v" since MailScanner doesn't start without it?

--
/peter
From dave.list at pixelhammer.com Tue Apr 8 13:13:48 2008
From: dave.list at pixelhammer.com (DAve)
Date: Tue Apr 8 13:14:37 2008
Subject: how to fix Blacklist
In-Reply-To: <20080408041836.3585ECBE80@ws5-11.us4.outblaze.com>
References: <20080408041836.3585ECBE80@ws5-11.us4.outblaze.com>
Message-ID: <47FB617C.8040104@pixelhammer.com>

Linuxmail R. wrote:
> ok thx. but i receive spammail send to postmaster so much, how i fix it
>

You don't, or you shouldn't. All postmaster mail should come through.
That is how you determine what isn't working and what is not. It is how
people you block and greylist get in touch with you.

If you run a mail server you should be reading your postmaster mail
everyday. If you do not want to, then you should outsource your email to
someone who will.

DAve

--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.
From mailscanner at lists.com.ar Tue Apr 8 13:14:55 2008
From: mailscanner at lists.com.ar (Leonardo Helman)
Date: Tue Apr 8 13:15:46 2008
Subject: misuse MailScanner
In-Reply-To: <223f97700804080425y7058a376v8b95b558e6ba3d27@mail.gmail.com>
References: <47FB3A63.2040602@meta.net> <223f97700804080425y7058a376v8b95b558e6ba3d27@mail.gmail.com>
Message-ID: <1207656895.2995.13.camel@morticia.pert.com.ar>

I don't think ms is the right tool for this.
You don't have retries and you will not have a good error management
inside MS.
I would let the mail server manage the mails, and get the mails like
every other user.

Why don't you try for example getmail or fetchmail

Or maybe in the storage part of your mail server.

Regards
Leonardo Helman
Pert Consultores
Argentina

On Tue, 2008-04-08 at 13:25 +0200, Glenn Steen wrote:
> On 08/04/2008, Michael Weis wrote:
> > Hello everyone,
> >
> > we are planning to create an email-account to which
> > only mails with attachments will be sent.
> >
> > I have the job to extract these attachments from
> > the mail and handle them
> > (save, print, archive)
> >
> > So far so good, but I have no idea
> > how to get the attachments to a disk.
> >
> > I know mailscanner does this while scanning
> > for viruses (right?).
> >
> > So how can I tell mailscanner to just save
> > attachments from a certain user's emails ?
> > (no problem if they were scanned before)
> >
> > I searched the mailing-list-archive
> > but it seemed that nobody has to do this
> > before.
> >
>
> You can use numerous tools and do this at several "levels"... Since
> the non-spam quarantine wouldn't contain the "decoded" attachment, you
> can't use that (a simple "store" for that user in a ruleset on Non
> Spam Actions), but rather would have to do something else ... a
> CustomFunction or perhaps the spiffy SpamAssassin rule actions... But
> simplest would perhaps be to use procmail at delivery and/or some tool
> like mmdecode/metamail or whatnot.
> Been a few years (... like ... 10...:-) since last I needed do
> anything like that... might be easier now:-).
>
> Cheers
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se
From shuttlebox at gmail.com Tue Apr 8 13:40:25 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Tue Apr 8 13:41:00 2008
Subject: Timestamp problem when running --debug-sa
In-Reply-To:
References: <625385e30804070730u38f2968cwf7412ee5c7bbc6d4@mail.gmail.com>
Message-ID: <625385e30804080540t600a254g62f7dada154d7b28@mail.gmail.com>

On Mon, Apr 7, 2008 at 10:53 PM, Jeff A. Earickson wrote:
> Hi,
>
> I played with this on Friday, by fiddling with check_mailscanner.sh
> and changing the PATH and AWK definitions there. My GNU gawk is
> in /usr/local/bin so I put that in the path first. I use Solaris
> 10 (sparc) too.

I changed the paths in SA.pm instead.

> I got debug mode to work with timestamps from gawk, but version
> 4.68.8 would just hang in the middle of a debug run with gawk
> in play. :( Haven't had time to chase it further.

What is the expected behavior of --debug-sa? I have never really used
it. What it does for me it picks up messages already in mqueue.in and
then stops at the below line:

14:26:36 [29919] dbg: learn: auto-learn? no: inside auto-learn thresholds, not considered ham or spam

It doesn't seem to be active after that though. I tried feeding another
message to it with mailx but it didn't pick that up so I had to break it
with ctrl-c. If I use only --debug (not both --debug and --debug-sa) it
returns after processing the current mail.

Is that what is to be expected?

--
/peter
From MailScanner at ecs.soton.ac.uk Tue Apr 8 13:51:09 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 8 13:52:03 2008
Subject: SA/MS Installer dependencies
In-Reply-To: <47FB5B1A.1090907@alexb.ch>
References: <47FB5B1A.1090907@alexb.ch>
Message-ID: <47FB6A3D.4010304@ecs.soton.ac.uk>

Alex Broens wrote:
> Jules,
> - Seems SA dependencies are added by the MS installer.
> why?
> This breaks possible SA updates and forces the admin into setup
> methods which *could* cause issues in the future
>
> The one more noticeably missing are
>
>
> REQUIRED module missing: HTML::Parser
This is in both packages, as both of them need it.
> optional module missing: LWP::UserAgent (for sa-update)
> optional module missing: HTTP::Date (for sa-update)
>
> I came across this when I wanted to update an older MailScanner box
> with the latest SA/Clam installer.
>
> Could you please keep SA's dependencies in SA's installer and not in MS's
What are you saying do you think is wrong? HTML::Parser is the only
important one here, and is in both the MailScanner and ClamAV+SA
distributions as both of them need it.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From MailScanner at ecs.soton.ac.uk Tue Apr 8 13:52:24 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 8 13:52:40 2008
Subject: Beta 4.69.1 -- can find files embedded in MS Office docs
In-Reply-To: <625385e30804080509q43762cbsc39c7a5d87cb9939@mail.gmail.com>
References: <47F90C41.9060401@ecs.soton.ac.uk> <625385e30804080509q43762cbsc39c7a5d87cb9939@mail.gmail.com>
Message-ID: <47FB6A88.4000608@ecs.soton.ac.uk>

Fixed.

shuttlebox wrote:
> On Sun, Apr 6, 2008 at 7:45 PM, Julian Field
> wrote:
>
>> Folks,
>>
>> I have just released the first beta of version 4.69.
>>
>> It has a few new features, the most obviously important of which is its
>> ability to extract files embedded within Microsoft Office documents, and
>> subject them to the same filename and filetype tests that the contents of
>> other archives have to pass.
>>
>
> Could you add OLE::Storage_Lite to the required list when one does
> "MailScanner -v" since MailScanner doesn't start without it?
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From MailScanner at ecs.soton.ac.uk Tue Apr 8 13:54:13 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 8 13:54:34 2008
Subject: Timestamp problem when running --debug-sa
In-Reply-To: <625385e30804080540t600a254g62f7dada154d7b28@mail.gmail.com>
References: <625385e30804070730u38f2968cwf7412ee5c7bbc6d4@mail.gmail.com> <625385e30804080540t600a254g62f7dada154d7b28@mail.gmail.com>
Message-ID: <47FB6AF5.3040005@ecs.soton.ac.uk>

shuttlebox wrote:
> On Mon, Apr 7, 2008 at 10:53 PM, Jeff A. Earickson wrote:
>
>> Hi,
>>
>> I played with this on Friday, by fiddling with check_mailscanner.sh
>> and changing the PATH and AWK definitions there. My GNU gawk is
>> in /usr/local/bin so I put that in the path first. I use Solaris
>> 10 (sparc) too.
>>
>
> I changed the paths in SA.pm instead.
>
>
>> I got debug mode to work with timestamps from gawk, but version
>> 4.68.8 would just hang in the middle of a debug run with gawk
>> in play. :( Haven't had time to chase it further.
>>
>
> What is the expected behavior of --debug-sa? I have never really used
> it. What it does for me it picks up messages already in mqueue.in and
> then stops at the below line:
>
Use it with --debug and it will do exactly the same as --debug except it
will also output all the SpamAssassin debug information, with a
timestamp on the front of each line.
> 14:26:36 [29919] dbg: learn: auto-learn? no: inside auto-learn
> thresholds, not considered ham or spam
>
> It doesn't seem to be active after that though.
It only makes sense to use it with --debug. I don't guarantee what will
happen if you use it without --debug.
> I tried feeding
> another message to it with mailx but it didn't pick that up so I had
> to break it with ctrl-c. If I use only --debug (not both --debug and
> --debug-sa) it returns after processing the current mail.
>
> Is that what is to be expected?
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
From shuttlebox at gmail.com Tue Apr 8 14:17:55 2008
From: shuttlebox at gmail.com (shuttlebox)
Date: Tue Apr 8 14:18:29 2008
Subject: Timestamp problem when running --debug-sa
In-Reply-To: <47FB6AF5.3040005@ecs.soton.ac.uk>
References: <625385e30804070730u38f2968cwf7412ee5c7bbc6d4@mail.gmail.com> <625385e30804080540t600a254g62f7dada154d7b28@mail.gmail.com> <47FB6AF5.3040005@ecs.soton.ac.uk>
Message-ID: <625385e30804080617y4bddb94bmef9b31ce4109f4bc@mail.gmail.com>

On Tue, Apr 8, 2008 at 2:54 PM, Julian Field wrote:
> Use it with --debug and it will do exactly the same as --debug except it
> will also output all the SpamAssassin debug information, with a timestamp on
> the front of each line.
>
> It only makes sense to use it with --debug. I don't guarantee what will
> happen if you use it without --debug.

That's what I meant, I used "--debug --debug-sa", sorry for not being
clear on that.

--
/peter
From ms-list at alexb.ch Tue Apr 8 14:34:12 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Apr 8 14:34:53 2008
Subject: SA/MS Installer dependencies
In-Reply-To: <47FB6A3D.4010304@ecs.soton.ac.uk>
References: <47FB5B1A.1090907@alexb.ch> <47FB6A3D.4010304@ecs.soton.ac.uk>
Message-ID: <47FB7454.2090005@alexb.ch>

On 4/8/2008 2:51 PM, Julian Field wrote:

Alex Broens wrote:
>> Jules,
>> - Seems SA dependencies are added by the MS installer.
>> why?
>> This breaks possible SA updates and forces the admin into setup methods which *could* cause issues in the future
>>
>> The one more noticeably missing are
>>
>>
>> REQUIRED module missing: HTML::Parser
>This is in both packages, as both of them need it.
> optional module missing: LWP::UserAgent (for sa-update)
> optional module missing: HTTP::Date (for sa-update)
>
> I came across this when I wanted to update an older MailScanner box with the latest SA/Clam installer.
>
>> Could you please keep SA's dependencies in SA's installer and not in MS's
>What are you saying do you think is wrong? HTML::Parser is the only
>important one here, and is in both the MailScanner and ClamAV+SA
>distributions as both of them need it.

I see them there... but as said. The installer borked with that msg.

Thanks for (hopefully) adding the others required by sa-update:

_______________________________
NOTE: the optional LWP::UserAgent module is not installed.
NOTE: the optional HTTP::Date module is not installed.


The "sa-update" script requires this module to make HTTP
If-Modified-Since GET requests.

optional module missing: HTTP::Date
_______________________________

Alex
From dave.list at pixelhammer.com Tue Apr 8 14:42:51 2008
From: dave.list at pixelhammer.com (DAve)
Date: Tue Apr 8 14:43:37 2008
Subject: New server request
Message-ID: <47FB765B.6030402@pixelhammer.com>

Currently we get hit with 200k to 300k connections a day that hit an
RBL. We see 15k to 25k pipeline attempts. We spam scan almost 50% of our
mail and we Virus scan everything that comes in. We process 4gb of mail
a day on two servers, total around 50k to 65k messages we actually
deliver. We process 16,908 whitelist and 14,348 blacklist entries from
MailWatch.

Mail delivery for our clients *INCLUDES* outbound scanning and filtering
through my smtp servers (different hardware) and coming back in through
my MailScanner servers.

I can get that done in 5 minutes round trip time for a message. 90% of
that time is spent in the MS server, queues, waiting for pickup, etc. I
think that is pretty darned good.

That is apparently not good enough. Every month or so I get told that
mail delivery is incredibly slow and I need to look at the servers. I
do, and every message I check takes around five minutes.

I need a recommendation for the root'n toot'nist, rockem sockem, nuklear
powered, rocket fuel fed servers money can buy. I want to push a batch
of 30 messages through a full featured install of SA, Clamav, and local
rulesets in less than 5 seconds. Tops. When my sales director hits send
in his outlook, I want the message to deliver so fast his laptop jumps
from his desk.

I think I need striped SAS disks with 15k spindles, four CPUs, and 16gb
of ram. I am open to realistic suggestions, though humor is still
welcome. I intend to submit a quote this week.

Thanks,

DAve

--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.
From alex at nkpanama.com Tue Apr 8 14:51:30 2008
From: alex at nkpanama.com (Alex Neuman)
Date: Tue Apr 8 14:52:40 2008
Subject: New server request
In-Reply-To: <47FB765B.6030402@pixelhammer.com>
References: <47FB765B.6030402@pixelhammer.com>
Message-ID: <67E30A7B-ACBA-4158-A266-F3D8950992F8@nkpanama.com>

Are you using SA with sa-compile'd rules? Local caching DNS?
/var/spool/Mailscanner/incoming and /root/.spamassassin mounted as tmpfs?

On Apr 8, 2008, at 8:42 AM, DAve wrote:

> Currently we get hit with 200k to 300k connections a day that hit an
> RBL. We see 15k to 25k pipeline attempts. We spam scan almost 50% of
> our mail and we Virus scan everything that comes in. We process 4gb
> of mail a day on two servers, total around 50k to 65k messages we
> actually deliver. We process 16,908 whitelist and 14,348 blacklist
> entries from MailWatch.
>
> Mail delivery for our clients *INCLUDES* outbound scanning and
> filtering through my smtp servers (different hardware) and coming
> back in through my MailScanner servers.
>
> I can get that done in 5 minutes round trip time for a message. 90%
> of that time is spent in the MS server, queues, waiting for pickup,
> etc. I think that is pretty darned good.
>
> That is apparently not good enough. Every month or so I get told
> that mail delivery is incredibly slow and I need to look at the
> servers. I do, and every message I check takes around five minutes.
>
> I need a recommendation for the root'n toot'nist, rockem sockem,
> nuklear powered, rocket fuel fed servers money can buy. I want to
> push a batch of 30 messages through a full featured install of SA,
> Clamav, and local rulesets in less than 5 seconds. Tops. When my
> sales director hits send in his outlook, I want the message to
> deliver so fast his laptop jumps from his desk.
>
> I think I need striped SAS disks with 15k spindles, four CPUs, and
> 16gb of ram. I am open to realistic suggestions, though humor is
> still welcome. I intend to submit a quote this week.
>
> Thanks,
>
> DAve
>
> --
> In 50 years, our descendants will look back on the early years
> of the internet, and much like we now look back on men with
> rockets on their back and feathers glued to their arms, marvel
> that we had the intelligence to wipe the drool from our chins.
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
Mail delivery for our clients *INCLUDES* outbound scanning and filtering through my smtp servers (different hardware) and coming back in through my MailScanner servers. I can get that done in 5 minutes round trip time for a message. 90% of that time is spent in the MS server, queues, waiting for pickup, etc. I think that is pretty darned good. That is apparently not good enough. Every month or so I get told that mail delivery in incredibly slow and I need to look at the servers. I do, and every message I check takes around five minutes. I need a recommendation for the root'n toot'nist, rockem sockem, nuklear powered, rocket fuel fed servers money can buy. I want to push a batch of 30 messages through a full featured install of SA, Clamav, and local rulesets in less than 5 seconds. Tops. When my sales director hits send in his outlook, I want the message to deliver so fast his laptop jumps from his desk. I think I need striped SAS disks with 15k spindles, four CPUs, and 16gb of ram. I am open to realistic suggestions, though humor is still welcome. I intend to submit a quote this week. Thanks, DAve -- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! 
From dominian at slackadelic.com Tue Apr 8 14:56:48 2008
From: dominian at slackadelic.com (Matt Hayes)
Date: Tue Apr 8 14:57:37 2008
Subject: New server request
In-Reply-To: <47FB765B.6030402@pixelhammer.com>
References: <47FB765B.6030402@pixelhammer.com>
Message-ID: <47FB79A0.3030605@slackadelic.com>

DAve wrote:
> Currently we get hit with 200k to 300k connections a day that hit an
> RBL. We see 15k to 25k pipeline attempts. We spam scan almost 50% of our
> mail and we Virus scan everything that comes in. We process 4gb of mail
> a day on two servers, total around 50k to 65k messages we actually
> deliver. We process 16,908 whitelist and 14,348 blacklist entries from
> MailWatch.
>
> Mail delivery for our clients *INCLUDES* outbound scanning and filtering
> through my smtp servers (different hardware) and coming back in through
> my MailScanner servers.
>
> I can get that done in 5 minutes round trip time for a message. 90% of
> that time is spent in the MS server, queues, waiting for pickup, etc. I
> think that is pretty darned good.
>
> That is apparently not good enough. Every month or so I get told that
> mail delivery is incredibly slow and I need to look at the servers. I
> do, and every message I check takes around five minutes.
>
> I need a recommendation for the root'n toot'nist, rockem sockem, nuklear
> powered, rocket fuel fed servers money can buy. I want to push a batch
> of 30 messages through a full featured install of SA, Clamav, and local
> rulesets in less than 5 seconds. Tops. When my sales director hits send
> in his outlook, I want the message to deliver so fast his laptop jumps
> from his desk.
>
> I think I need striped SAS disks with 15k spindles, four CPUs, and 16gb
> of ram. I am open to realistic suggestions, though humor is still
> welcome. I intend to submit a quote this week.
>
> Thanks,
>
> DAve
>

Let's put a quote in for a Cray.. however..
we'd have to talk the landlord into allowing us to take over the entire half of the second floor above us here at corporate :) -Matt From MailScanner at ecs.soton.ac.uk Tue Apr 8 14:57:50 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Apr 8 14:58:37 2008 Subject: SA/MS Installer dependencies In-Reply-To: <47FB7454.2090005@alexb.ch> References: <47FB5B1A.1090907@alexb.ch> <47FB6A3D.4010304@ecs.soton.ac.uk> <47FB7454.2090005@alexb.ch> Message-ID: <47FB79DE.7070907@ecs.soton.ac.uk> Alex Broens wrote: > On 4/8/2008 2:51 PM, Julian Field wrote: > > > Alex Broens wrote: > >> Jules, > >> - Seems SA dependencies are added by the MS installer. > >> why? > >> This breaks possible SA updates and forces the admin into setup > methods which *could* cause isssues in the future > >> > >> The one more noticeably missing are > >> > >> > >> REQUIRED module missing: HTML::Parser > >This is in both packages, as both of them need it. > > optional module missing: LWP::UserAgent (for sa-update) > > optional module missing: HTTP::Date (for sa-update) > > > > I came across this when I wanted to update an older MailScanner box > with the latest SA/Clam installer. > > > >> Could you please keep SA's dependencies in SA's installer and not > in MS's > > >What are you saying do you think is wrong? HTML::Parser is the only > >important one here, and is in both the MailScanner and ClamAV+SA > >distributions as both of them need it. > > I see them there... but as said. The installer borked with that msg. > > Thanks for (hopefully) adding the others required by sa-update: > > _______________________________ > NOTE: the optional LWP::UserAgent module is not installed. > NOTE: the optional HTTP::Date module is not installed. > > > The "sa-update" script requires this module to make HTTP > If-Modified-Since GET requests. > > optional module missing: HTTP::Date So what you would actually like me to do is add HTTP::Date to the SpamAssassin installation package? 
Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From alex at nkpanama.com Tue Apr 8 15:01:58 2008 From: alex at nkpanama.com (Alex Neuman) Date: Tue Apr 8 15:02:44 2008 Subject: New server request In-Reply-To: <47FB765B.6030402@pixelhammer.com> References: <47FB765B.6030402@pixelhammer.com> Message-ID: <3306998A-42E4-4DEF-B074-F1C3D61B5540@nkpanama.com> Also, have you tried *not* scanning internal-to-internal mail (perhaps mail coming from:192.168. and to:yourdomain.com) for spam? On Apr 8, 2008, at 8:42 AM, DAve wrote: > Currently we get hit with 200k to 300k connections a day that hit an > RBL. We see 15k to 25k pipeline attempts. We spam scan almost 50% of > our mail and we Virus scan everything that comes in. We process 4gb > of mail a day on two servers, total around 50k to 65k message we > actually deliver. We process 16,908 whitelist and 14,348 blacklist > entries from MailWatch. > > Mail delivery for our clients *INCLUDES* outbound scanning and > filtering through my smtp servers (different hardware) and coming > back in through my MailScanner servers. > > I can get that done in 5 minutes round trip time for a message. 90% > of that time is spent in the MS server, queues, waiting for pickup, > etc. I think that is pretty darned good. > > That is apparently not good enough. Every month or so I get told > that mail delivery in incredibly slow and I need to look at the > servers. I do, and every message I check takes around five minutes. 
> > I need a recommendation for the root'n toot'nist, rockem sockem, > nuklear powered, rocket fuel fed servers money can buy. I want to > push a batch of 30 messages through a full featured install of SA, > Clamav, and local rulesets in less than 5 seconds. Tops. When my > sales director hits send in his outlook, I want the message to > deliver so fast his laptop jumps from his desk. > > I think I need striped SAS disks with 15k spindles, four CPUs, and > 16gb of ram. I am open to realistic suggestions, though humor is > still welcome. I intend to submit a quote this week. > > Thanks, > > DAve > > -- > In 50 years, our descendants will look back on the early years > of the internet, and much like we now look back on men with > rockets on their back and feathers glued to their arms, marvel > that we had the intelligence to wipe the drool from our chins. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! From root at doctor.nl2k.ab.ca Tue Apr 8 14:57:56 2008 From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem) Date: Tue Apr 8 15:03:05 2008 Subject: A couple of notes Message-ID: <20080408135755.GA17313@doctor.nl2k.ab.ca> 1) http://www.nk.ca/blog . This is spam and phish section for your research. 2) The latest beta sent my CPUs up the wall. What did you do Julian? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. 
From MailScanner at ecs.soton.ac.uk Tue Apr 8 15:06:16 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Apr 8 15:06:38 2008 Subject: New server request In-Reply-To: <67E30A7B-ACBA-4158-A266-F3D8950992F8@nkpanama.com> References: <47FB765B.6030402@pixelhammer.com> <67E30A7B-ACBA-4158-A266-F3D8950992F8@nkpanama.com> Message-ID: <47FB7BD8.1030604@ecs.soton.ac.uk> You can delete the /root/.spamassassin/bayes_seen quite frequently too, it will speed things up too. Alex Neuman wrote: > Are you using SA with sa-compile'd rules? Local caching DNS? > /var/spool/Mailscanner/incoming and /root/.spamassassin mounted as tmpfs? > > On Apr 8, 2008, at 8:42 AM, DAve wrote: >> Currently we get hit with 200k to 300k connections a day that hit an >> RBL. We see 15k to 25k pipeline attempts. We spam scan almost 50% of >> our mail and we Virus scan everything that comes in. We process 4gb >> of mail a day on two servers, total around 50k to 65k message we >> actually deliver. We process 16,908 whitelist and 14,348 blacklist >> entries from MailWatch. >> >> Mail delivery for our clients *INCLUDES* outbound scanning and >> filtering through my smtp servers (different hardware) and coming >> back in through my MailScanner servers. >> >> I can get that done in 5 minutes round trip time for a message. 90% >> of that time is spent in the MS server, queues, waiting for pickup, >> etc. I think that is pretty darned good. >> >> That is apparently not good enough. Every month or so I get told that >> mail delivery in incredibly slow and I need to look at the servers. I >> do, and every message I check takes around five minutes. >> >> I need a recommendation for the root'n toot'nist, rockem sockem, >> nuklear powered, rocket fuel fed servers money can buy. I want to >> push a batch of 30 messages through a full featured install of SA, >> Clamav, and local rulesets in less than 5 seconds. Tops. 
When my >> sales director hits send in his outlook, I want the message to >> deliver so fast his laptop jumps from his desk. >> >> I think I need striped SAS disks with 15k spindles, four CPUs, and >> 16gb of ram. I am open to realistic suggestions, though humor is >> still welcome. I intend to submit a quote this week. >> >> Thanks, >> >> DAve >> >> -- >> In 50 years, our descendants will look back on the early years >> of the internet, and much like we now look back on men with >> rockets on their back and feathers glued to their arms, marvel >> that we had the intelligence to wipe the drool from our chins. >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Tue Apr 8 15:11:16 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Apr 8 15:12:18 2008 Subject: New server request In-Reply-To: <47FB765B.6030402@pixelhammer.com> References: <47FB765B.6030402@pixelhammer.com> Message-ID: <223f97700804080711x4d3e1ae0g46d0577d7ac00aa7@mail.gmail.com> On 08/04/2008, DAve wrote: > Currently we get hit with 200k to 300k connections a day that hit an RBL. We > see 15k to 25k pipeline attempts. We spam scan almost 50% of our mail and we > Virus scan everything that comes in. 
We process 4gb of mail a day on two > servers, total around 50k to 65k message we actually deliver. We process > 16,908 whitelist and 14,348 blacklist entries from MailWatch. > > Mail delivery for our clients *INCLUDES* outbound scanning and filtering > through my smtp servers (different hardware) and coming back in through my > MailScanner servers. > > I can get that done in 5 minutes round trip time for a message. 90% of that > time is spent in the MS server, queues, waiting for pickup, etc. I think > that is pretty darned good. > > That is apparently not good enough. Every month or so I get told that mail > delivery in incredibly slow and I need to look at the servers. I do, and > every message I check takes around five minutes. > > I need a recommendation for the root'n toot'nist, rockem sockem, nuklear > powered, rocket fuel fed servers money can buy. I want to push a batch of 30 > messages through a full featured install of SA, Clamav, and local rulesets > in less than 5 seconds. Tops. When my sales director hits send in his > outlook, I want the message to deliver so fast his laptop jumps from his > desk. > > I think I need striped SAS disks with 15k spindles, four CPUs, and 16gb of > ram. I am open to realistic suggestions, though humor is still welcome. I > intend to submit a quote this week. > > Thanks, > > DAve > I'd look long and hard at where your time is spent ATM... HW can only solve HW type problems:-). For instance.... Making sure you only use "feeded" BLs (meaning only query to local copy) would probably be ... good. Having your MailWatch database non-local to the machine... might tip you either way (cheaper to buy two boxes with semi-extreme HW, instead of one monster). I suppose you already do most of the "normal" tricks, like tmpfs, caching nameserver, perhaps noatime on selected filesystems etc? 
Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se 
From MailScanner at ecs.soton.ac.uk Tue Apr 8 15:13:40 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Apr 8 15:14:23 2008 Subject: New server request In-Reply-To: <224FA7E11EA39E45843E11CEBBD3A36F8E1225@HOUPEX01.nfsmith.info> References: <47FB765B.6030402@pixelhammer.com> <224FA7E11EA39E45843E11CEBBD3A36F8E1225@HOUPEX01.nfsmith.info> Message-ID: <47FB7D94.5050506@ecs.soton.ac.uk> Striped will be faster than RAID5. I would go striped, striped+mirrored (RAID10) on your root disk if at all possible. Mike Kercher wrote: > When speaking of your disks, you say striped. Do you mean RAID5? I'd > think the more spindles you can get into your RAID, the better your I/O > will be. > > Mike > > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve > Sent: Tuesday, April 08, 2008 8:43 AM > To: MailScanner discussion > Subject: New server request > > Currently we get hit with 200k to 300k connections a day that hit an > RBL. We see 15k to 25k pipeline attempts. We spam scan almost 50% of our > mail and we Virus scan everything that comes in. We process 4gb of mail > a day on two servers, total around 50k to 65k message we actually > deliver. We process 16,908 whitelist and 14,348 blacklist entries from > MailWatch. 
> > Mail delivery for our clients *INCLUDES* outbound scanning and filtering > through my smtp servers (different hardware) and coming back in through > my MailScanner servers. > > I can get that done in 5 minutes round trip time for a message. 90% of > that time is spent in the MS server, queues, waiting for pickup, etc. I > think that is pretty darned good. > > That is apparently not good enough. Every month or so I get told that > mail delivery in incredibly slow and I need to look at the servers. I > do, and every message I check takes around five minutes. > > I need a recommendation for the root'n toot'nist, rockem sockem, nuklear > powered, rocket fuel fed servers money can buy. I want to push a batch > of 30 messages through a full featured install of SA, Clamav, and local > rulesets in less than 5 seconds. Tops. When my sales director hits send > in his outlook, I want the message to deliver so fast his laptop jumps > from his desk. > > I think I need striped SAS disks with 15k spindles, four CPUs, and 16gb > of ram. I am open to realistic suggestions, though humor is still > welcome. I intend to submit a quote this week. > > Thanks, > > DAve > > -- > In 50 years, our descendants will look back on the early years of the > internet, and much like we now look back on men with rockets on their > back and feathers glued to their arms, marvel that we had the > intelligence to wipe the drool from our chins. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! 
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From glenn.steen at gmail.com Tue Apr 8 15:14:12 2008 From: glenn.steen at gmail.com (Glenn Steen) Date: Tue Apr 8 15:14:51 2008 Subject: New server request In-Reply-To: <224FA7E11EA39E45843E11CEBBD3A36F8E1225@HOUPEX01.nfsmith.info> References: <47FB765B.6030402@pixelhammer.com> <224FA7E11EA39E45843E11CEBBD3A36F8E1225@HOUPEX01.nfsmith.info> Message-ID: <223f97700804080714u7af3cc71q18162e1972479ca2@mail.gmail.com> On 08/04/2008, Mike Kercher wrote: > When speaking of your disks, you say striped. Do you mean RAID5? I'd > think the more spindles you can get into your RAID, the better your I/O > will be. > > > Mike I would think he means Raid0 or Raid1+0... In any case, a huge amount of write cache on the Raid-controller would likely be a good thing. Think "dedicated SAN" (which isn't SAN at all, just cost like it and behaves like DAS:-). Cheers -- -- Glenn email: glenn < dot > steen < at > gmail < dot > com work: glenn < dot > steen < at > ap1 < dot > se From prandal at herefordshire.gov.uk Tue Apr 8 15:21:53 2008 From: prandal at herefordshire.gov.uk (Randal, Phil) Date: Tue Apr 8 15:22:45 2008 Subject: New server request In-Reply-To: <47FB765B.6030402@pixelhammer.com> References: <47FB765B.6030402@pixelhammer.com> Message-ID: <7EF0EE5CB3B263488C8C18823239BEBA0360B0E2@HC-MBX02.herefordshire.gov.uk> We're running CentOS 5.1 64-bit on a couple of 4GB quad-core Dell 2950s here as our MailScanner boxes. 120K connections to each box every day (100K or so of which are rejected at the sendmail level). All messages are both virus scanned (ClamAVModule and McAfee uvscan) and fed to SpamAssassin. Images in low-scoring emails are also FuzzyOCR'd. Local caching DNS, tmpfs, but no compiled SA rules. MailWatch says there are 16 MailScanner children currently running. 
Typical message time is 5 seconds, which, for a batch of 30 emails, would create a maximum latency of 2 1/2 minutes. If we reduced DNS timeouts this might improve (our internet feed is often maxed out with other traffic). If you want to reduce maximum message delay then you'd need to increase the number of MailScanner instances and reduce batch sizes. Hope this helps, Phil -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve Sent: 08 April 2008 14:43 To: MailScanner discussion Subject: New server request Currently we get hit with 200k to 300k connections a day that hit an RBL. We see 15k to 25k pipeline attempts. We spam scan almost 50% of our mail and we Virus scan everything that comes in. We process 4gb of mail a day on two servers, total around 50k to 65k message we actually deliver. We process 16,908 whitelist and 14,348 blacklist entries from MailWatch. Mail delivery for our clients *INCLUDES* outbound scanning and filtering through my smtp servers (different hardware) and coming back in through my MailScanner servers. I can get that done in 5 minutes round trip time for a message. 90% of that time is spent in the MS server, queues, waiting for pickup, etc. I think that is pretty darned good. That is apparently not good enough. Every month or so I get told that mail delivery in incredibly slow and I need to look at the servers. I do, and every message I check takes around five minutes. I need a recommendation for the root'n toot'nist, rockem sockem, nuklear powered, rocket fuel fed servers money can buy. I want to push a batch of 30 messages through a full featured install of SA, Clamav, and local rulesets in less than 5 seconds. Tops. When my sales director hits send in his outlook, I want the message to deliver so fast his laptop jumps from his desk. I think I need striped SAS disks with 15k spindles, four CPUs, and 16gb of ram. 
I am open to realistic suggestions, though humor is still welcome. I intend to submit a quote this week. Thanks, DAve -- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins. -- MailScanner mailing list mailscanner@lists.mailscanner.info http://lists.mailscanner.info/mailman/listinfo/mailscanner Before posting, read http://wiki.mailscanner.info/posting Support MailScanner development - buy the book off the website! From richard.frovarp at sendit.nodak.edu Tue Apr 8 15:26:09 2008 From: richard.frovarp at sendit.nodak.edu (Richard Frovarp) Date: Tue Apr 8 15:26:45 2008 Subject: New server request In-Reply-To: <47FB765B.6030402@pixelhammer.com> References: <47FB765B.6030402@pixelhammer.com> Message-ID: <47FB8081.4090208@sendit.nodak.edu> DAve wrote: > Currently we get hit with 200k to 300k connections a day that hit an > RBL. We see 15k to 25k pipeline attempts. We spam scan almost 50% of > our mail and we Virus scan everything that comes in. We process 4gb of > mail a day on two servers, total around 50k to 65k message we actually > deliver. We process 16,908 whitelist and 14,348 blacklist entries from > MailWatch. > > Mail delivery for our clients *INCLUDES* outbound scanning and > filtering through my smtp servers (different hardware) and coming back > in through my MailScanner servers. > > I can get that done in 5 minutes round trip time for a message. 90% of > that time is spent in the MS server, queues, waiting for pickup, etc. > I think that is pretty darned good. > > That is apparently not good enough. Every month or so I get told that > mail delivery in incredibly slow and I need to look at the servers. I > do, and every message I check takes around five minutes. 
>
> I need a recommendation for the root'n toot'nist, rockem sockem,
> nuklear powered, rocket fuel fed servers money can buy. I want to push
> a batch of 30 messages through a full featured install of SA, Clamav,
> and local rulesets in less than 5 seconds. Tops. When my sales
> director hits send in his outlook, I want the message to deliver so
> fast his laptop jumps from his desk.
>
> I think I need striped SAS disks with 15k spindles, four CPUs, and
> 16gb of ram. I am open to realistic suggestions, though humor is still
> welcome. I intend to submit a quote this week.
>
> Thanks,
>
> DAve
>

I've got an old 2.66 GHz dual Xeon with 2 GB of RAM that pushes through mail relatively well. Standard RAID 1 SCSI disks. Right now it's doing batches of 2 in about 15 seconds. It handles about 4 GB of traffic and scans about 46 K a day. I would expect a dual quad core with the requisite amount of RAM would be plenty. Network tests take a while anyway, and there isn't much you can do to speed that up.

I am running greylist, greet pause, valid user lookup, and blacklists in sendmail to reduce the load. I also have two other machines that see similar load.

Heck, I've got a VM that scans 28 K internal messages a day with only 1 GB of RAM and seeing 2 3.2 GHz virtual processors. That one is doing 2 message batches in the 6 to 8 second range, most 1 message batches are sub 4 seconds. Dual quad cores would probably be more than enough.

--
Richard Frovarp
EduTech System Administrator
1-701-231-5127 or 1-800-774-1091

From richard.frovarp at sendit.nodak.edu Tue Apr 8 15:32:26 2008
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Tue Apr 8 15:32:36 2008
Subject: Excessive Swapping
In-Reply-To:
References:
Message-ID: <47FB81FA.5040307@sendit.nodak.edu>

Gregory Wong wrote:
> Hi everyone,
>
> I have a server that has 256MB of RAM. It is running Postfix, MS,
> MailScanner-MRTG on Ubuntu Server. I have noticed recently that it has
> been swapping a lot.
>
>              total       used       free     shared    buffers     cached
> Mem:           256        204         51          0          0         18
> -/+ buffers/cache:        185         70
> Swap:          511        152        359
>
> I am looking to implement MailWatch but am concerned that the server
> doesn't have an adequate amount of memory. Is this excessive swapping
> normal? Should I be upgrading the RAM?
>
> Also, my company got hit on Saturday with nearly 1600 spam messages
> (which is unusual since we only get about 200-300 spam per day).
> Besides running MS and the default SA rules, what other things do you
> recommend I configure to help combat the spam?
>
> Thanks.

MailWatch might not be too bad, if you can move the DB and primary web interface off to another machine. Of course this is assuming you are only going to use MailWatch for quarantine management.

Your problem is you are receiving more spam than normal, so you probably are processing larger batch sizes, which requires more ram per batch. I've seen this with one of my boxes that only has 1 GB of RAM. Three things you can do while waiting for more RAM in MailScanner.conf:

Change Max Children to a small number
Change Max Unscanned Messages Per Scan to a small number
Change Max Unsafe Messages Per Scan to a small number

It may take longer to process mail, but swapping will make things slow to a horrible crawl, which is worse. Max Children would probably only be 2 or 3, with messages per scan probably being something like 5 each.

From edward.prendergast at netring.co.uk Tue Apr 8 15:33:56 2008
From: edward.prendergast at netring.co.uk (Edward Prendergast)
Date: Tue Apr 8 15:34:23 2008
Subject: MailScanner increasing score over threshold but message passed as clean?
In-Reply-To: <47FB4C9C.8040603@ecs.soton.ac.uk> References: <030801c89960$868bd400$93a37c00$@prendergast@netring.co.uk> <47FB4C9C.8040603@ecs.soton.ac.uk> Message-ID: <03a501c89985$9485dcc0$bd919640$@prendergast@netring.co.uk> -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Julian Field > Then run "MailScanner --debug" on some test messages that should push > the spam score over your spam threshold of 5, and mshspam should equal > 1. Please can you let me know what it outputs. A segment from the debug: max message size is '200k' max message size is '200k' max message size is '200k' max message size is '200k' max message size is '200k' max message size is '200k' max message size is '200k' mshspam = 0 mshhigh = 0 max message size is '200k' The msh* messages didn't show up frequently - I had to debug 3 times to get these. Haven't seen you on the IRC channel for a while Jules, is all well? Thanks! From MailScanner at ecs.soton.ac.uk Tue Apr 8 15:54:44 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Apr 8 15:55:28 2008 Subject: A couple of notes In-Reply-To: <20080408135755.GA17313@doctor.nl2k.ab.ca> References: <20080408135755.GA17313@doctor.nl2k.ab.ca> Message-ID: <47FB8734.5050002@ecs.soton.ac.uk> Dave Shariff Yadallee - System Administrator a.k.a. 
The Root of the Problem wrote: > 1) http://www.nk.ca/blog . This is spam and phish section for your research. > > 2) The latest beta sent my CPUs up the wall. What did you do Julian? > What has changed in your system performance? It should only affect messages with Office documents embedded in them. Was the change in the last beta, or was the previous stable the same as the new beta? Jules -- Julian Field MEng CITP CEng www.MailScanner.info Buy the MailScanner book at www.MailScanner.info/store Need help customising MailScanner? Contact me! Need help fixing or optimising your systems? Contact me! Need help getting you started solving new requirements from your boss? Contact me! PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dave.list at pixelhammer.com Tue Apr 8 16:01:53 2008 From: dave.list at pixelhammer.com (DAve) Date: Tue Apr 8 16:02:40 2008 Subject: New server request In-Reply-To: <67E30A7B-ACBA-4158-A266-F3D8950992F8@nkpanama.com> References: <47FB765B.6030402@pixelhammer.com> <67E30A7B-ACBA-4158-A266-F3D8950992F8@nkpanama.com> Message-ID: <47FB88E1.10304@pixelhammer.com> Alex Neuman wrote: > Are you using SA with sa-compile'd rules? Local caching DNS? > /var/spool/Mailscanner/incoming and /root/.spamassassin mounted as tmpfs? > You betcha. DAve > On Apr 8, 2008, at 8:42 AM, DAve wrote: >> Currently we get hit with 200k to 300k connections a day that hit an >> RBL. We see 15k to 25k pipeline attempts. We spam scan almost 50% of >> our mail and we Virus scan everything that comes in. We process 4gb of >> mail a day on two servers, total around 50k to 65k message we actually >> deliver. We process 16,908 whitelist and 14,348 blacklist entries from >> MailWatch. 
>> >> Mail delivery for our clients *INCLUDES* outbound scanning and >> filtering through my smtp servers (different hardware) and coming back >> in through my MailScanner servers. >> >> I can get that done in 5 minutes round trip time for a message. 90% of >> that time is spent in the MS server, queues, waiting for pickup, etc. >> I think that is pretty darned good. >> >> That is apparently not good enough. Every month or so I get told that >> mail delivery in incredibly slow and I need to look at the servers. I >> do, and every message I check takes around five minutes. >> >> I need a recommendation for the root'n toot'nist, rockem sockem, >> nuklear powered, rocket fuel fed servers money can buy. I want to push >> a batch of 30 messages through a full featured install of SA, Clamav, >> and local rulesets in less than 5 seconds. Tops. When my sales >> director hits send in his outlook, I want the message to deliver so >> fast his laptop jumps from his desk. >> >> I think I need striped SAS disks with 15k spindles, four CPUs, and >> 16gb of ram. I am open to realistic suggestions, though humor is still >> welcome. I intend to submit a quote this week. >> >> Thanks, >> >> DAve >> >> -- >> In 50 years, our descendants will look back on the early years >> of the internet, and much like we now look back on men with >> rockets on their back and feathers glued to their arms, marvel >> that we had the intelligence to wipe the drool from our chins. >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > -- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins. 
From alex at nkpanama.com Tue Apr 8 16:01:43 2008 From: alex at nkpanama.com (Alex Neuman) Date: Tue Apr 8 16:02:45 2008 Subject: New server request In-Reply-To: <223f97700804080711x4d3e1ae0g46d0577d7ac00aa7@mail.gmail.com> References: <47FB765B.6030402@pixelhammer.com> <223f97700804080711x4d3e1ae0g46d0577d7ac00aa7@mail.gmail.com> Message-ID: <0FB7F0C0-2F74-4164-9D19-A5C8D457FFAD@nkpanama.com> noatime + nodiratime too! On Apr 8, 2008, at 9:11 AM, Glenn Steen wrote: > caching nameserver, perhaps noatime on selected filesystems etc? From dave.list at pixelhammer.com Tue Apr 8 16:04:11 2008 From: dave.list at pixelhammer.com (DAve) Date: Tue Apr 8 16:04:31 2008 Subject: New server request In-Reply-To: <3306998A-42E4-4DEF-B074-F1C3D61B5540@nkpanama.com> References: <47FB765B.6030402@pixelhammer.com> <3306998A-42E4-4DEF-B074-F1C3D61B5540@nkpanama.com> Message-ID: <47FB896B.7050502@pixelhammer.com> Alex Neuman wrote: > Also, have you tried *not* scanning internal-to-internal mail (perhaps > mail coming from:192.168. and to:yourdomain.com) for spam? I short circuit for trusted networks. Is that not the same? DAve > > On Apr 8, 2008, at 8:42 AM, DAve wrote: >> Currently we get hit with 200k to 300k connections a day that hit an >> RBL. We see 15k to 25k pipeline attempts. We spam scan almost 50% of >> our mail and we Virus scan everything that comes in. We process 4gb of >> mail a day on two servers, total around 50k to 65k message we actually >> deliver. We process 16,908 whitelist and 14,348 blacklist entries from >> MailWatch. >> >> Mail delivery for our clients *INCLUDES* outbound scanning and >> filtering through my smtp servers (different hardware) and coming back >> in through my MailScanner servers. >> >> I can get that done in 5 minutes round trip time for a message. 90% of >> that time is spent in the MS server, queues, waiting for pickup, etc. >> I think that is pretty darned good. >> >> That is apparently not good enough. 
Every month or so I get told that >> mail delivery in incredibly slow and I need to look at the servers. I >> do, and every message I check takes around five minutes. >> >> I need a recommendation for the root'n toot'nist, rockem sockem, >> nuklear powered, rocket fuel fed servers money can buy. I want to push >> a batch of 30 messages through a full featured install of SA, Clamav, >> and local rulesets in less than 5 seconds. Tops. When my sales >> director hits send in his outlook, I want the message to deliver so >> fast his laptop jumps from his desk. >> >> I think I need striped SAS disks with 15k spindles, four CPUs, and >> 16gb of ram. I am open to realistic suggestions, though humor is still >> welcome. I intend to submit a quote this week. >> >> Thanks, >> >> DAve >> >> -- >> In 50 years, our descendants will look back on the early years >> of the internet, and much like we now look back on men with >> rockets on their back and feathers glued to their arms, marvel >> that we had the intelligence to wipe the drool from our chins. >> -- >> MailScanner mailing list >> mailscanner@lists.mailscanner.info >> http://lists.mailscanner.info/mailman/listinfo/mailscanner >> >> Before posting, read http://wiki.mailscanner.info/posting >> >> Support MailScanner development - buy the book off the website! > -- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins. From alex at nkpanama.com Tue Apr 8 16:04:28 2008 From: alex at nkpanama.com (Alex Neuman) Date: Tue Apr 8 16:05:01 2008 Subject: New server request In-Reply-To: <47FB7D94.5050506@ecs.soton.ac.uk> References: <47FB765B.6030402@pixelhammer.com> <224FA7E11EA39E45843E11CEBBD3A36F8E1225@HOUPEX01.nfsmith.info> <47FB7D94.5050506@ecs.soton.ac.uk> Message-ID: <1FD04BDF-12F7-444D-9952-4291E4B744AB@nkpanama.com> How about SSD's? 
At that size it'd probably be cost prohibitive, though... On Apr 8, 2008, at 9:13 AM, Julian Field wrote: > Striped will be faster than RAID5. I would go striped, striped > +mirrored (RAID10) on your root disk if at all possible. From dave.list at pixelhammer.com Tue Apr 8 16:09:09 2008 From: dave.list at pixelhammer.com (DAve) Date: Tue Apr 8 16:09:54 2008 Subject: New server request In-Reply-To: <47FB7BD8.1030604@ecs.soton.ac.uk> References: <47FB765B.6030402@pixelhammer.com> <67E30A7B-ACBA-4158-A266-F3D8950992F8@nkpanama.com> <47FB7BD8.1030604@ecs.soton.ac.uk> Message-ID: <47FB8A95.2090408@pixelhammer.com> Julian Field wrote: > You can delete the /root/.spamassassin/bayes_seen quite frequently too, > it will speed things up too. bash-2.05b# ls -lah /opt/MailScanner/bayes/ total 6082 drwx------ 2 root wheel 512B Apr 8 11:05 . drwxr-xr-x 8 root wheel 512B Mar 22 16:46 .. -rw-rw---- 1 root wheel 1.7K Apr 8 11:05 bayes.mutex -rw-rw---- 1 root wheel 91K Apr 8 11:06 bayes_journal -rw-rw---- 1 root wheel 2.5M Apr 8 11:05 bayes_seen -rw-rw---- 1 root wheel 4.9M Apr 8 11:05 bayes_toks It doesn't seem very large. I currently, and previously have, allowed MS to expire/cleanup the bayes system. Never had an issue. DAve > > Alex Neuman wrote: >> Are you using SA with sa-compile'd rules? Local caching DNS? >> /var/spool/Mailscanner/incoming and /root/.spamassassin mounted as tmpfs? >> >> On Apr 8, 2008, at 8:42 AM, DAve wrote: >>> Currently we get hit with 200k to 300k connections a day that hit an >>> RBL. We see 15k to 25k pipeline attempts. We spam scan almost 50% of >>> our mail and we Virus scan everything that comes in. We process 4gb >>> of mail a day on two servers, total around 50k to 65k message we >>> actually deliver. We process 16,908 whitelist and 14,348 blacklist >>> entries from MailWatch. 
>>> >>> Mail delivery for our clients *INCLUDES* outbound scanning and >>> filtering through my smtp servers (different hardware) and coming >>> back in through my MailScanner servers. >>> >>> I can get that done in 5 minutes round trip time for a message. 90% >>> of that time is spent in the MS server, queues, waiting for pickup, >>> etc. I think that is pretty darned good. >>> >>> That is apparently not good enough. Every month or so I get told that >>> mail delivery in incredibly slow and I need to look at the servers. I >>> do, and every message I check takes around five minutes. >>> >>> I need a recommendation for the root'n toot'nist, rockem sockem, >>> nuklear powered, rocket fuel fed servers money can buy. I want to >>> push a batch of 30 messages through a full featured install of SA, >>> Clamav, and local rulesets in less than 5 seconds. Tops. When my >>> sales director hits send in his outlook, I want the message to >>> deliver so fast his laptop jumps from his desk. >>> >>> I think I need striped SAS disks with 15k spindles, four CPUs, and >>> 16gb of ram. I am open to realistic suggestions, though humor is >>> still welcome. I intend to submit a quote this week. >>> >>> Thanks, >>> >>> DAve >>> >>> -- >>> In 50 years, our descendants will look back on the early years >>> of the internet, and much like we now look back on men with >>> rockets on their back and feathers glued to their arms, marvel >>> that we had the intelligence to wipe the drool from our chins. >>> -- >>> MailScanner mailing list >>> mailscanner@lists.mailscanner.info >>> http://lists.mailscanner.info/mailman/listinfo/mailscanner >>> >>> Before posting, read http://wiki.mailscanner.info/posting >>> >>> Support MailScanner development - buy the book off the website! 
>>
>
> Jules
>

--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.

From heath at agdog.com Tue Apr 8 16:18:35 2008
From: heath at agdog.com (Heath Carson)
Date: Tue Apr 8 16:19:18 2008
Subject: MailScanner Digest, Vol 28, Issue 18
Message-ID:

I'll be out of the office until April 14th, please contact support@agdog.com if it's an emergency. Thanks.

-Heath

From alex at nkpanama.com Tue Apr 8 16:19:06 2008
From: alex at nkpanama.com (Alex Neuman)
Date: Tue Apr 8 16:20:10 2008
Subject: New server request
In-Reply-To: <47FB7BD8.1030604@ecs.soton.ac.uk>
References: <47FB765B.6030402@pixelhammer.com> <67E30A7B-ACBA-4158-A266-F3D8950992F8@nkpanama.com> <47FB7BD8.1030604@ecs.soton.ac.uk>
Message-ID: <70F2D897-4E7F-4F59-B2AD-5C1F897C281C@nkpanama.com>

Can this be cronjobbed?

On Apr 8, 2008, at 9:06 AM, Julian Field wrote:

> You can delete the /root/.spamassassin/bayes_seen quite frequently
> too, it will speed things up too.
From ms-list at alexb.ch Tue Apr 8 16:20:48 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Apr 8 16:21:28 2008
Subject: SA installer oddities:
Message-ID: <47FB8D50.6080703@alexb.ch>

Jules

Finished the install and BEFORE adding my own stuff to /etc/mail/spamassassin I checked the *.pre files for redundant loads:

init.pre includes:

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
loadplugin Mail::SpamAssassin::Plugin::SPF
loadplugin Mail::SpamAssassin::Plugin::RelayCountry
loadplugin Mail::SpamAssassin::Plugin::Razor2

v310.pre includes:

loadplugin Mail::SpamAssassin::Plugin::RelayCountry
loadplugin Mail::SpamAssassin::Plugin::SPF
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

v320.pre includes:

loadplugin Mail::SpamAssassin::Plugin::RelayCountry
loadplugin Mail::SpamAssassin::Plugin::SPF
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
loadplugin Mail::SpamAssassin::Plugin::Razor2

[13756] dbg: plugin: did not register Mail::SpamAssassin::Plugin::RelayCountry, already registered
[13756] dbg: plugin: did not register Mail::SpamAssassin::Plugin::SPF, already registered
[13756] dbg: plugin: did not register Mail::SpamAssassin::Plugin::URIDNSBL, already registered
[13756] dbg: plugin: did not register Mail::SpamAssassin::Plugin::RelayCountry, already registered
[13756] dbg: plugin: did not register Mail::SpamAssassin::Plugin::SPF, already registered
[13756] dbg: plugin: did not register Mail::SpamAssassin::Plugin::URIDNSBL, already registered
[13756] dbg: plugin: did not register Mail::SpamAssassin::Plugin::Razor2, already registered

seems to me there's a lot of redundant stuff being loaded and reloaded and reloaded - not sure at this point what you added and what's default (need to take SA source apart and check)

May I suggest you don't modify the .pre files after install and point admins to check the stuff being loaded in the 3 .pre files and enable whatever specials they may need.

The standard enabled SA plugins will produce a decent working SA without any pain.
Thanks Alex From uxbod at splatnix.net Tue Apr 8 16:36:10 2008 From: uxbod at splatnix.net (--[ UxBoD ]--) Date: Tue Apr 8 16:37:27 2008 Subject: New server request In-Reply-To: <47FB765B.6030402@pixelhammer.com> Message-ID: <9283241.1441207668970459.JavaMail.root@office.splatnix.net> Remove all checking ? ;) 5 mins for something that does not have a guaranteed (RFC) delivery time anyway is damn good! Yes you could put in a SAN/iSCSI but as already been said make sure loads of cache. Why not put the OS etc on SSDs ? Man, you could keep going all day and spend loads of dosh, but what great fun :D I would run numerous tests throughout different loads on the system to truly ascertain where the issue is. Regards, -- --[ UxBoD ]-- // PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84 // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84 // Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net ----- "DAve" wrote: > Currently we get hit with 200k to 300k connections a day that hit an > RBL. We see 15k to 25k pipeline attempts. We spam scan almost 50% of > our > mail and we Virus scan everything that comes in. We process 4gb of > mail > a day on two servers, total around 50k to 65k message we actually > deliver. We process 16,908 whitelist and 14,348 blacklist entries from > > MailWatch. > > Mail delivery for our clients *INCLUDES* outbound scanning and > filtering > through my smtp servers (different hardware) and coming back in > through > my MailScanner servers. > > I can get that done in 5 minutes round trip time for a message. 90% of > > that time is spent in the MS server, queues, waiting for pickup, etc. > I > think that is pretty darned good. > > That is apparently not good enough. Every month or so I get told that > > mail delivery in incredibly slow and I need to look at the servers. I > > do, and every message I check takes around five minutes. 
> > I need a recommendation for the root'n toot'nist, rockem sockem, > nuklear > powered, rocket fuel fed servers money can buy. I want to push a batch > > of 30 messages through a full featured install of SA, Clamav, and > local > rulesets in less than 5 seconds. Tops. When my sales director hits > send > in his outlook, I want the message to deliver so fast his laptop jumps > > from his desk. > > I think I need striped SAS disks with 15k spindles, four CPUs, and > 16gb > of ram. I am open to realistic suggestions, though humor is still > welcome. I intend to submit a quote this week. > > Thanks, > > DAve -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. From dave.list at pixelhammer.com Tue Apr 8 16:41:17 2008 From: dave.list at pixelhammer.com (DAve) Date: Tue Apr 8 16:42:03 2008 Subject: New server request In-Reply-To: <224FA7E11EA39E45843E11CEBBD3A36F8E1225@HOUPEX01.nfsmith.info> References: <47FB765B.6030402@pixelhammer.com> <224FA7E11EA39E45843E11CEBBD3A36F8E1225@HOUPEX01.nfsmith.info> Message-ID: <47FB921D.4000508@pixelhammer.com> Mike Kercher wrote: > When speaking of your disks, you say striped. Do you mean RAID5? I'd > think the more spindles you can get into your RAID, the better your I/O > will be. Raid 0+1 on my spool directory. DAve > > Mike > > > -----Original Message----- > From: mailscanner-bounces@lists.mailscanner.info > [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve > Sent: Tuesday, April 08, 2008 8:43 AM > To: MailScanner discussion > Subject: New server request > > Currently we get hit with 200k to 300k connections a day that hit an > RBL. We see 15k to 25k pipeline attempts. We spam scan almost 50% of our > mail and we Virus scan everything that comes in. We process 4gb of mail > a day on two servers, total around 50k to 65k message we actually > deliver. We process 16,908 whitelist and 14,348 blacklist entries from > MailWatch. 
> > Mail delivery for our clients *INCLUDES* outbound scanning and filtering > through my smtp servers (different hardware) and coming back in through > my MailScanner servers. > > I can get that done in 5 minutes round trip time for a message. 90% of > that time is spent in the MS server, queues, waiting for pickup, etc. I > think that is pretty darned good. > > That is apparently not good enough. Every month or so I get told that > mail delivery in incredibly slow and I need to look at the servers. I > do, and every message I check takes around five minutes. > > I need a recommendation for the root'n toot'nist, rockem sockem, nuklear > powered, rocket fuel fed servers money can buy. I want to push a batch > of 30 messages through a full featured install of SA, Clamav, and local > rulesets in less than 5 seconds. Tops. When my sales director hits send > in his outlook, I want the message to deliver so fast his laptop jumps > from his desk. > > I think I need striped SAS disks with 15k spindles, four CPUs, and 16gb > of ram. I am open to realistic suggestions, though humor is still > welcome. I intend to submit a quote this week. > > Thanks, > > DAve > > -- > In 50 years, our descendants will look back on the early years of the > internet, and much like we now look back on men with rockets on their > back and feathers glued to their arms, marvel that we had the > intelligence to wipe the drool from our chins. > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! -- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins. 
From ms-list at alexb.ch Tue Apr 8 16:42:04 2008 From: ms-list at alexb.ch (Alex Broens) Date: Tue Apr 8 16:42:43 2008 Subject: SA/MS Installer dependencies In-Reply-To: <47FB79DE.7070907@ecs.soton.ac.uk> References: <47FB5B1A.1090907@alexb.ch> <47FB6A3D.4010304@ecs.soton.ac.uk> <47FB7454.2090005@alexb.ch> <47FB79DE.7070907@ecs.soton.ac.uk> Message-ID: <47FB924C.1020609@alexb.ch> On 4/8/2008 3:57 PM, Julian Field wrote: > > > Alex Broens wrote: >> On 4/8/2008 2:51 PM, Julian Field wrote: >> >> >> Alex Broens wrote: >> >> Jules, >> >> - Seems SA dependencies are added by the MS installer. >> >> why? >> >> This breaks possible SA updates and forces the admin into setup >> methods which *could* cause issues in the future >> >> >> >> The one more noticeably missing are >> >> >> >> >> >> REQUIRED module missing: HTML::Parser >> >This is in both packages, as both of them need it. >> > optional module missing: LWP::UserAgent (for sa-update) >> > optional module missing: HTTP::Date (for sa-update) >> > >> > I came across this when I wanted to update an older MailScanner box >> with the latest SA/Clam installer. >> > >> >> Could you please keep SA's dependencies in SA's installer and not >> in MS's >> >> >What are you saying do you think is wrong? HTML::Parser is the only >> >important one here, and is in both the MailScanner and ClamAV+SA >> >distributions as both of them need it. >> >> I see them there... but as said. The installer borked with that msg. >> >> Thanks for (hopefully) adding the others required by sa-update: >> >> _______________________________ >> NOTE: the optional LWP::UserAgent module is not installed. >> NOTE: the optional HTTP::Date module is not installed. >> >> >> The "sa-update" script requires this module to make HTTP >> If-Modified-Since GET requests. >> >> optional module missing: HTTP::Date > So what you would actually like me to do is add HTTP::Date to the > SpamAssassin installation package?
Yep, AND: If you & other admins agree, LWP::UserAgent and its *immediate* dependencies to be able to run sa-update out of the box. thanks Alex From dave.list at pixelhammer.com Tue Apr 8 16:44:45 2008 From: dave.list at pixelhammer.com (DAve) Date: Tue Apr 8 16:45:34 2008 Subject: New server request In-Reply-To: <47FB79A0.3030605@slackadelic.com> References: <47FB765B.6030402@pixelhammer.com> <47FB79A0.3030605@slackadelic.com> Message-ID: <47FB92ED.4040504@pixelhammer.com> Matt Hayes wrote: > DAve wrote: >> I need a recommendation for the root'n toot'nist, rockem sockem, >> nuklear powered, rocket fuel fed servers money can buy. I want to push >> a batch of 30 messages through a full featured install of SA, Clamav, >> and local rulesets in less than 5 seconds. Tops. When my sales >> director hits send in his outlook, I want the message to deliver so >> fast his laptop jumps from his desk. >> >> I think I need striped SAS disks with 15k spindles, four CPUs, and >> 16gb of ram. I am open to realistic suggestions, though humor is still >> welcome. I intend to submit a quote this week. >> >> Thanks, >> >> DAve >> > > Lets put a quote in for a Cray.. however.. we'd have to talk the > landlord into allowing us to take over the entire half of the second > floor above us here at corporate :) > > -Matt I forget you read this list. You never saw this message, you know nothing of a quote, you never saw me here. DAve -- In 50 years, our descendants will look back on the early years of the internet, and much like we now look back on men with rockets on their back and feathers glued to their arms, marvel that we had the intelligence to wipe the drool from our chins. 
From dave.list at pixelhammer.com Tue Apr 8 16:54:40 2008 From: dave.list at pixelhammer.com (DAve) Date: Tue Apr 8 16:55:00 2008 Subject: New server request In-Reply-To: <47FB8081.4090208@sendit.nodak.edu> References: <47FB765B.6030402@pixelhammer.com> <47FB8081.4090208@sendit.nodak.edu> Message-ID: <47FB9540.7090004@pixelhammer.com> Richard Frovarp wrote: > DAve wrote: >> Currently we get hit with 200k to 300k connections a day that hit an >> RBL. We see 15k to 25k pipeline attempts. We spam scan almost 50% of >> our mail and we Virus scan everything that comes in. We process 4gb of >> mail a day on two servers, total around 50k to 65k message we actually >> deliver. We process 16,908 whitelist and 14,348 blacklist entries from >> MailWatch. >> >> Mail delivery for our clients *INCLUDES* outbound scanning and >> filtering through my smtp servers (different hardware) and coming back >> in through my MailScanner servers. >> >> I can get that done in 5 minutes round trip time for a message. 90% of >> that time is spent in the MS server, queues, waiting for pickup, etc. >> I think that is pretty darned good. >> >> That is apparently not good enough. Every month or so I get told that >> mail delivery in incredibly slow and I need to look at the servers. I >> do, and every message I check takes around five minutes. >> >> I need a recommendation for the root'n toot'nist, rockem sockem, >> nuklear powered, rocket fuel fed servers money can buy. I want to push >> a batch of 30 messages through a full featured install of SA, Clamav, >> and local rulesets in less than 5 seconds. Tops. When my sales >> director hits send in his outlook, I want the message to deliver so >> fast his laptop jumps from his desk. >> >> I think I need striped SAS disks with 15k spindles, four CPUs, and >> 16gb of ram. I am open to realistic suggestions, though humor is still >> welcome. I intend to submit a quote this week. 
>>
>> Thanks,
>>
>> DAve
>>
>
> I've got an old 2.66 GHz dual Xeon with 2 GB of RAM that pushes through
> mail relatively well. Standard RAID 1 SCSI disks. Right now it's doing
> batches of 2 in about 15 seconds. It handles about 4 GB of traffic
> and scans about 46 K a day. I would expect a dual quad core with the
> requisite amount of RAM would be plenty. Network tests take a while
> anyway, and there isn't much you can do to speed that up. I am running
> greylist, greet pause, valid user lookup, and blacklists in sendmail to
> reduce the load. I also have two other machines that see similar load.
>

Not much different than the servers we currently run. We do not run RAID at the moment. Except I have two servers where you have one. Batches of 2 take about 6 seconds, in the evening. During peak hours I get batches of 10 that require anywhere from 60 to 190 seconds. I can go from 7 messages waiting to 300 messages waiting in the blink of an eye. Though left to its own, MS will chew through them just fine.

We also run greylisting (with clients whitelisted), greetpause (with our own network whitelisted), RBL (in MTA), caching DNS, and milter-ahead to the pop toasters.

DAve

--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.

From dave.list at pixelhammer.com Tue Apr 8 17:19:42 2008
From: dave.list at pixelhammer.com (DAve)
Date: Tue Apr 8 17:20:27 2008
Subject: New server request
In-Reply-To: <223f97700804080711x4d3e1ae0g46d0577d7ac00aa7@mail.gmail.com>
References: <47FB765B.6030402@pixelhammer.com> <223f97700804080711x4d3e1ae0g46d0577d7ac00aa7@mail.gmail.com>
Message-ID: <47FB9B1E.80702@pixelhammer.com>

Glenn Steen wrote:
> On 08/04/2008, DAve wrote:
>> Currently we get hit with 200k to 300k connections a day that hit an RBL. We
>> see 15k to 25k pipeline attempts.
We spam scan almost 50% of our mail and we >> Virus scan everything that comes in. We process 4gb of mail a day on two >> servers, total around 50k to 65k message we actually deliver. We process >> 16,908 whitelist and 14,348 blacklist entries from MailWatch. >> >> Mail delivery for our clients *INCLUDES* outbound scanning and filtering >> through my smtp servers (different hardware) and coming back in through my >> MailScanner servers. >> >> I can get that done in 5 minutes round trip time for a message. 90% of that >> time is spent in the MS server, queues, waiting for pickup, etc. I think >> that is pretty darned good. >> >> That is apparently not good enough. Every month or so I get told that mail >> delivery in incredibly slow and I need to look at the servers. I do, and >> every message I check takes around five minutes. >> >> I need a recommendation for the root'n toot'nist, rockem sockem, nuklear >> powered, rocket fuel fed servers money can buy. I want to push a batch of 30 >> messages through a full featured install of SA, Clamav, and local rulesets >> in less than 5 seconds. Tops. When my sales director hits send in his >> outlook, I want the message to deliver so fast his laptop jumps from his >> desk. >> >> I think I need striped SAS disks with 15k spindles, four CPUs, and 16gb of >> ram. I am open to realistic suggestions, though humor is still welcome. I >> intend to submit a quote this week. >> >> Thanks, >> >> DAve >> > I'd look long and hard at where you're time is spent ATM... HW can > only solve HW type problems:-). ATM? > > For instance.... Making sure you only use "feeded" BLs (meaning only > query to local copy) would probably be ... good. We cache DNS lookups heavily. > Having your MailWatch database non-local to the machine... might tip > you either way (cheaper to buy two boxes with semi-extreme HW, instead > of one monster). We currently do that as we have two MS servers reporting to a single MailWatch server. 
>
> I suppose you already do most of the "normal" tricks, like tmpfs,
> caching nameserver, perhaps noatime on selected filesystems etc?
>

Yep, all of the above.

DAve

--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.

From ssilva at sgvwater.com Tue Apr 8 17:26:20 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Apr 8 17:26:30 2008
Subject: MailScanner ignoring some rules
In-Reply-To: <223f97700804070046x244cdf03t7f15378ec77fcbe8@mail.gmail.com>
References: <37937.201.41.210.20.1207154517.squirrel@www.tecnowaydigital.com.br> <47F53B57.1070307@ecs.soton.ac.uk> <8F1DE832AFD34082A4D0CB25E4E7D7E7@TWDNB03> <223f97700804040109p3a5d97a5w439ef4d77ba879b1@mail.gmail.com> <223f97700804041120q3eaf3f90j4a0cce865e66b12@mail.gmail.com> <223f97700804050057v7d8a662q5e20c63ff16c648a@mail.gmail.com> <223f97700804070046x244cdf03t7f15378ec77fcbe8@mail.gmail.com>
Message-ID:

on 4-7-2008 12:46 AM Glenn Steen spake the following:
> On 07/04/2008, Scott Silva wrote:
>> on 4-5-2008 12:57 AM Glenn Steen spake the following:
>>
>>> On 04/04/2008, Scott Silva wrote:
>>>
>>>> on 4-4-2008 11:20 AM Glenn Steen spake the following:
>>>>
>>>>
>>>>> Sorry all, for the top post... a bit too tipsy to really safely (snip)
>>>>> with even a virtual scissor...:-)
>>>>>
>>>>>
>>>>>
>>>> Happy Friday, Glenn!!
>>>>
>>>>
>>> There's always something to celebrate....:-)
>>> This time it was "first day this week that I didn't need work
>>> underpaid(!!!) overtime"... It's been a b*tch of a week. Again. So
>>> friday just couldn't come quite fast enough:-):-)
>>>
>>> Cheers
>>>
>> I understand that! I get non-paid overtime, so I feel your pain!!
>> >> Don't get me wrong, as my pay isn't that bad, but it goes down very quickly >> as you add hours :-( >> > > Once you earn enough you get three extra days vacation-time... Which > is supposed to be enough compensation for ones overtime... Didn't > quite take three easy weeks to "earn up" that time, once I crossed > over. Not really complaining, and it's not really unpaid (well...:-), > but... Not that great either:/. > Oh well, a luxury problem, I guess...:-) > > Cheers We could be digging ditches for minimum wage, so I'll stop complaining! -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080408/a9801640/signature.bin From alex at nkpanama.com Tue Apr 8 17:30:01 2008 From: alex at nkpanama.com (Alex Neuman) Date: Tue Apr 8 17:31:00 2008 Subject: New server request In-Reply-To: <47FB896B.7050502@pixelhammer.com> References: <47FB765B.6030402@pixelhammer.com> <3306998A-42E4-4DEF-B074-F1C3D61B5540@nkpanama.com> <47FB896B.7050502@pixelhammer.com> Message-ID: <3DF41629-A83B-4038-988A-1441F2937121@nkpanama.com> Not exactly. As Pat Morita said: "Best block, no be there, ok?" - *Not* scanning is ever so slightly faster than "scanning but short- circuiting". On Apr 8, 2008, at 10:04 AM, DAve wrote: > I short circuit for trusted networks. Is that not the same? From ssilva at sgvwater.com Tue Apr 8 17:34:39 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Tue Apr 8 17:34:04 2008 Subject: detect executables embedded inside MS Office documents? 
In-Reply-To: <20080407060825.50bf671f@scorpio>
References: <57573D714A832C43B9D80EAFBDA48D030A03EC01@inex3.herffjones.hj-int> <47F725C7.4070103@vanderkooij.org> <47F78BED.5020606@ecs.soton.ac.uk> <47F7A674.1040501@calorieking.com> <47F8E791.10709@ecs.soton.ac.uk> <20080407060825.50bf671f@scorpio>
Message-ID:

on 4-7-2008 3:08 AM Gerard spake the following:
> On Sun, 06 Apr 2008 16:00:45 -0700
> Scott Silva wrote:
>
>> on 4-6-2008 8:09 AM Julian Field spake the following:
>>> Ignore all previous requests for information. I've got enough of
>>> it, pretty much.
>>> The only thing I cannot handle is inserted OLE "Packages" that
>>> contain multiple files. If someone fancies creating one of those
>>> and sending it to me, I'll improve the Package parser to cope with
>>> it.
>>>
>>> But it now works with files inserted into Microsoft Office
>>> documents just fine.
>>>
>>> This will be in the next release.
>>> I guess it's a fairly major new feature, the ability to extract
>>> embedded files from Microsoft Office documents.
>>> :-)
>>>
>>> I think I'm going to have a rest now...
>>>
>> Poking another hole in the Microsoft armor was a big task. A well
>> deserved rest it will be!!
>
> The use of OLE makes the creation of highly detailed documents far
> easier and accurate. The scanning of said documents when emailed I
> would assume to be a plus. However, if the scanning action breaks the
> OLE bonds then the cure is far worse than the disease.

MailScanner only scans a copy of the attachments to check their content. The original isn't harmed.

>
> I have been sending these type of documents to colleagues for years
> without incident. A few years ago Symantec did categorize some of them
> as a VIRUS; however, that was a false positive and they quickly revised
> their definition files to reflect that.
>
> By the way, I usually send these files encrypted via PGP. How will/does
> MailScanner work on that type of document?
>
>
>

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 250 bytes Desc: OpenPGP digital signature Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080408/4d0e7959/signature.bin From MailScanner at ecs.soton.ac.uk Tue Apr 8 17:52:37 2008 From: MailScanner at ecs.soton.ac.uk (Julian Field) Date: Tue Apr 8 17:53:16 2008 Subject: New server request In-Reply-To: <47FB8A95.2090408@pixelhammer.com> References: <47FB765B.6030402@pixelhammer.com> <67E30A7B-ACBA-4158-A266-F3D8950992F8@nkpanama.com> <47FB7BD8.1030604@ecs.soton.ac.uk> <47FB8A95.2090408@pixelhammer.com> Message-ID: <47FBA2D5.4080309@ecs.soton.ac.uk> DAve wrote: > Julian Field wrote: >> You can delete the /root/.spamassassin/bayes_seen quite frequently >> too, it will speed things up too. > > bash-2.05b# ls -lah /opt/MailScanner/bayes/ > total 6082 > drwx------ 2 root wheel 512B Apr 8 11:05 . > drwxr-xr-x 8 root wheel 512B Mar 22 16:46 .. > -rw-rw---- 1 root wheel 1.7K Apr 8 11:05 bayes.mutex > -rw-rw---- 1 root wheel 91K Apr 8 11:06 bayes_journal > -rw-rw---- 1 root wheel 2.5M Apr 8 11:05 bayes_seen > -rw-rw---- 1 root wheel 4.9M Apr 8 11:05 bayes_toks > > It doesn't seem very large. I currently, and previously have, allowed > MS to expire/cleanup the bayes system. Never had an issue. Yes, that's nice and small. I've had mine blow up to hundreds of Mb and binding to it takes a while. I never unlearn a message so bayes_seen is pointless. > > DAve > >> >> Alex Neuman wrote: >>> Are you using SA with sa-compile'd rules? Local caching DNS? >>> /var/spool/Mailscanner/incoming and /root/.spamassassin mounted as >>> tmpfs? >>> >>> On Apr 8, 2008, at 8:42 AM, DAve wrote: >>>> Currently we get hit with 200k to 300k connections a day that hit >>>> an RBL. We see 15k to 25k pipeline attempts. 
>>>> We spam scan almost
>>>> 50% of our mail and we Virus scan everything that comes in. We
>>>> process 4gb of mail a day on two servers, total around 50k to 65k
>>>> messages we actually deliver. We process 16,908 whitelist and 14,348
>>>> blacklist entries from MailWatch.
>>>>
>>>> Mail delivery for our clients *INCLUDES* outbound scanning and
>>>> filtering through my smtp servers (different hardware) and coming
>>>> back in through my MailScanner servers.
>>>>
>>>> I can get that done in 5 minutes round trip time for a message. 90%
>>>> of that time is spent in the MS server, queues, waiting for pickup,
>>>> etc. I think that is pretty darned good.
>>>>
>>>> That is apparently not good enough. Every month or so I get told
>>>> that mail delivery is incredibly slow and I need to look at the
>>>> servers. I do, and every message I check takes around five minutes.
>>>>
>>>> I need a recommendation for the root'n toot'nist, rockem sockem,
>>>> nuklear powered, rocket fuel fed servers money can buy. I want to
>>>> push a batch of 30 messages through a full featured install of SA,
>>>> Clamav, and local rulesets in less than 5 seconds. Tops. When my
>>>> sales director hits send in his outlook, I want the message to
>>>> deliver so fast his laptop jumps from his desk.
>>>>
>>>> I think I need striped SAS disks with 15k spindles, four CPUs, and
>>>> 16gb of ram. I am open to realistic suggestions, though humor is
>>>> still welcome. I intend to submit a quote this week.
>>>>
>>>> Thanks,
>>>>
>>>> DAve
>>>>
>>>> --
>>>> In 50 years, our descendants will look back on the early years
>>>> of the internet, and much like we now look back on men with
>>>> rockets on their back and feathers glued to their arms, marvel
>>>> that we had the intelligence to wipe the drool from our chins.
>>>
>>
>> Jules
>>
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From MailScanner at ecs.soton.ac.uk Tue Apr 8 17:54:59 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 8 17:55:18 2008
Subject: MailScanner Digest, Vol 28, Issue 18
In-Reply-To:
References:
Message-ID: <47FBA363.5010100@ecs.soton.ac.uk>

As your auto-responder is not set to ignore mailing list postings, and is
replying to everything, I have had to suspend your mailing list
membership. You can resume your normal mailing list activity when you
return, or email me and I'll do it for you.

Please use an auto-responder that is intelligent enough to ignore mailing
lists.

Heath Carson wrote:
> I'll be out of the office until April 14th, please contact
> support@agdog.com if it's an emergency. Thanks.
>
> -Heath
>
>

Jules
From dgottsc at emory.edu Tue Apr 8 18:01:08 2008
From: dgottsc at emory.edu (Gottschalk, David)
Date: Tue Apr 8 18:01:48 2008
Subject: New server request
In-Reply-To: <70F2D897-4E7F-4F59-B2AD-5C1F897C281C@nkpanama.com>
References: <47FB765B.6030402@pixelhammer.com> <67E30A7B-ACBA-4158-A266-F3D8950992F8@nkpanama.com> <47FB7BD8.1030604@ecs.soton.ac.uk> <70F2D897-4E7F-4F59-B2AD-5C1F897C281C@nkpanama.com>
Message-ID:

I don't see any reason why not. I just tested it on one of my MailScanner
servers.

David Gottschalk
UTS Email Team
david.gottschalk@emory.edu

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
Sent: Tuesday, April 08, 2008 11:19 AM
To: MailScanner discussion
Subject: Re: New server request

Can this be cronjobbed?

On Apr 8, 2008, at 9:06 AM, Julian Field wrote:
> You can delete the /root/.spamassassin/bayes_seen quite frequently
> too, it will speed things up too.
From astephens at ptera.net Tue Apr 8 18:04:51 2008
From: astephens at ptera.net (Arthur Stephens)
Date: Tue Apr 8 18:05:54 2008
Subject: user opt-out
In-Reply-To: <47FA5A6D.5060909@ecs.soton.ac.uk>
References: <47FA5227.60006@ptera.net> <47FA5A6D.5060909@ecs.soton.ac.uk>
Message-ID: <47FBA5B3.9090601@ptera.net>

Yes I have found that - but I could not find if that stops all processing
including file names, file types, attachment checking, web bugs etc.

Julian Field wrote:
> Please read about rulesets in the documentation. There are many
> explanations of it and many examples provided on the website, in the
> wiki, in the mailing list archives and in the book.
>
> Arthur Stephens wrote:
>> I am running MailScanner 4.55.10-3 and PostFix 2.3.8-1.fc5 on Fedora
>> Core 5
>>
>>
>>
>> I get requests from our customers saying they do not want the
>> mailscanner service.
>> Is there some way to tell mailscanner to pass thru emails to certain
>> destinations?
>> --
>> Arthur Stephens
>> Senior Sales Technician
>> Ptera Wireless Internet Service
>> PO Box 135
>> Liberty Lake, WA 99019
>> 509-927-7837
>> http://www.ptera.net
>
> Jules
>

--
Arthur Stephens
Senior Sales Technician
Ptera Wireless Internet Service
PO Box 135
Liberty Lake, WA 99019
509-927-7837
http://www.ptera.net

From ssilva at sgvwater.com Tue Apr 8 18:15:58 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Apr 8 18:15:33 2008
Subject: MS hangs with strange clamav database (SOLVED)
In-Reply-To: <47FA1852.6040906@gmail.com>
References: <47FA0583.1060509@gmail.com> <223f97700804070454m89e2dc2s4e1079e19efef1f8@mail.gmail.com> <223f97700804070456j39092b34i93a4b07628ee041b@mail.gmail.com> <47FA1852.6040906@gmail.com>
Message-ID:

on 4-7-2008 5:49 AM Ronny T. Lampert spake the following:
>
> >> need look something like:
> >>
> >> Monitors for ClamAV Updates = /var/clamav/*.inc/* /var/clamav/*.?db
> >> /var/clamav/*.cvd
>
> I completely seem to have forgotten about the incrementals... shame on me.
> Don't know when that setting got wrong. But alas, I've changed it
> because it really does look sensible.
>
> Thanks Glen!

Make sure that it is the right directory for your system, as Julian's
install package of clam seems to use the clamav default of
/usr/local/share/clamav/

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From MailScanner at ecs.soton.ac.uk Tue Apr 8 18:28:22 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 8 18:29:16 2008
Subject: New server request
In-Reply-To: <70F2D897-4E7F-4F59-B2AD-5C1F897C281C@nkpanama.com>
References: <47FB765B.6030402@pixelhammer.com> <67E30A7B-ACBA-4158-A266-F3D8950992F8@nkpanama.com> <47FB7BD8.1030604@ecs.soton.ac.uk> <70F2D897-4E7F-4F59-B2AD-5C1F897C281C@nkpanama.com>
Message-ID: <47FBAB36.5040208@ecs.soton.ac.uk>

I don't see why not.

Alex Neuman wrote:
> Can this be cronjobbed?
>
> On Apr 8, 2008, at 9:06 AM, Julian Field wrote:
>> You can delete the /root/.spamassassin/bayes_seen quite frequently
>> too, it will speed things up too.
>

Jules
From MailScanner at ecs.soton.ac.uk Tue Apr 8 18:29:42 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 8 18:29:59 2008
Subject: New server request
In-Reply-To: <9283241.1441207668970459.JavaMail.root@office.splatnix.net>
References: <9283241.1441207668970459.JavaMail.root@office.splatnix.net>
Message-ID: <47FBAB86.3090608@ecs.soton.ac.uk>

--[ UxBoD ]-- wrote:
> Remove all checking ? ;) 5 mins for something that does not have a guaranteed (RFC) delivery time anyway is damn good! Yes you could put in a SAN/iSCSI but as already been said make sure loads of cache. Why not put the OS etc on SSDs ? Man, you could keep going all day and spend loads of dosh, but what great fun :D
>
> I would run numerous tests throughout different loads on the system to truly ascertain where the issue is.
>

Definitely. Work out exactly where to target the money. And in my view
you'll get better value from 2 half-price servers than 1 very expensive
one.

Jules
From MailScanner at ecs.soton.ac.uk Tue Apr 8 18:35:16 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 8 18:35:35 2008
Subject: SA installer oddities:
In-Reply-To: <47FB8D50.6080703@alexb.ch>
References: <47FB8D50.6080703@alexb.ch>
Message-ID: <47FBACD4.3020804@ecs.soton.ac.uk>

Alex Broens wrote:
> Jules
>
> Finished the install and BEFORE adding my own stuff to
> /etc/mail/spamassassin I checked the *.pre files for redundant loads:
>
> init.pre
>
> includes:
>
> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
> loadplugin Mail::SpamAssassin::Plugin::SPF
> loadplugin Mail::SpamAssassin::Plugin::RelayCountry
> loadplugin Mail::SpamAssassin::Plugin::Razor2
>
>
> v310.pre
>
> includes:
>
> loadplugin Mail::SpamAssassin::Plugin::RelayCountry
> loadplugin Mail::SpamAssassin::Plugin::SPF
> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
>
>
>
> v320.pre
>
> includes:
>
> loadplugin Mail::SpamAssassin::Plugin::RelayCountry
> loadplugin Mail::SpamAssassin::Plugin::SPF
> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
> loadplugin Mail::SpamAssassin::Plugin::Razor2
>
>
>
> [13756] dbg: plugin: did not register
> Mail::SpamAssassin::Plugin::RelayCountry, already registered
> [13756] dbg: plugin: did not register Mail::SpamAssassin::Plugin::SPF,
> already registered [13756] dbg: plugin: did not register
> Mail::SpamAssassin::Plugin::URIDNSBL, already registered
>
> [13756] dbg: plugin: did not register
> Mail::SpamAssassin::Plugin::RelayCountry, already registered
> [13756] dbg: plugin: did not register Mail::SpamAssassin::Plugin::SPF,
> already registered
> [13756] dbg: plugin: did not register
> Mail::SpamAssassin::Plugin::URIDNSBL, already registered
> [13756] dbg: plugin: did not register
> Mail::SpamAssassin::Plugin::Razor2, already registered
>
>
> seems to me there's a lot of redundant stuff being loaded and reloaded
> and reloaded - not sure at this point what you added and what's
> default (need to take SA source apart and check)

All this
registering of plugins is done once when each MailScanner child starts
up. It makes no difference to mail processing speed at all.

>
> May I suggest you don't modify the .pre files after install and point
> admins to check the stuff being loaded in the 3 .pre files and enable
> whatever specials they may need.
> The standard enabled SA plugins will produce a decent working SA
> without any pain.

My ClamAV+SpamAssassin package automatically enables these plugins:

Mail::SpamAssassin::Plugin::RelayCountry
Mail::SpamAssassin::Plugin::SPF
Mail::SpamAssassin::Plugin::URIDNSBL
Mail::SpamAssassin::Plugin::Razor2

To make sure these get loaded regardless of what version of SpamAssassin
you are using, it writes these into all of v320.pre, v310.pre and
init.pre. Attempting to load them all 3 times probably adds a millisecond
to the startup time of MailScanner, but I really don't care a hoot about
that :-)

Jules

From dominian at slackadelic.com Tue Apr 8 18:49:59 2008
From: dominian at slackadelic.com (Matt Hayes)
Date: Tue Apr 8 18:50:51 2008
Subject: New server request
In-Reply-To: <47FB92ED.4040504@pixelhammer.com>
References: <47FB765B.6030402@pixelhammer.com> <47FB79A0.3030605@slackadelic.com> <47FB92ED.4040504@pixelhammer.com>
Message-ID: <47FBB047.2050109@slackadelic.com>

DAve wrote:
> Matt Hayes wrote:
>> DAve wrote:
>>> I need a recommendation for the root'n toot'nist, rockem sockem,
>>> nuklear powered, rocket fuel fed servers money can buy.
>>> I want to
>>> push a batch of 30 messages through a full featured install of SA,
>>> Clamav, and local rulesets in less than 5 seconds. Tops. When my
>>> sales director hits send in his outlook, I want the message to
>>> deliver so fast his laptop jumps from his desk.
>>>
>>> I think I need striped SAS disks with 15k spindles, four CPUs, and
>>> 16gb of ram. I am open to realistic suggestions, though humor is
>>> still welcome. I intend to submit a quote this week.
>>>
>>> Thanks,
>>>
>>> DAve
>>>
>>
>> Let's put a quote in for a Cray.. however.. we'd have to talk the
>> landlord into allowing us to take over the entire half of the second
>> floor above us here at corporate :)
>>
>> -Matt
>
> I forget you read this list. You never saw this message, you know
> nothing of a quote, you never saw me here.
>
> DAve
>

Who the hell are you?

-Matt

From mikes at hartwellcorp.com Tue Apr 8 19:08:19 2008
From: mikes at hartwellcorp.com (Michael St. Laurent)
Date: Tue Apr 8 19:12:10 2008
Subject: Where to increase the RAZOR2_CF scores?
Message-ID: <3BF93070B3D1B047BA7ABF612958950D02CF60C8@hcex.hartwellcorp.com>

I was wondering how I would see all the rule names for Razor2 matches and
which file would be the best place to add increased scores for them.

Thanks. ;)

From ssilva at sgvwater.com Tue Apr 8 19:12:36 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Apr 8 19:13:27 2008
Subject: New server request
In-Reply-To: <47FB92ED.4040504@pixelhammer.com>
References: <47FB765B.6030402@pixelhammer.com> <47FB79A0.3030605@slackadelic.com> <47FB92ED.4040504@pixelhammer.com>
Message-ID:

on 4-8-2008 8:44 AM DAve spake the following:
> Matt Hayes wrote:
>> DAve wrote:
>>> I need a recommendation for the root'n toot'nist, rockem sockem,
>>> nuklear powered, rocket fuel fed servers money can buy. I want to
>>> push a batch of 30 messages through a full featured install of SA,
>>> Clamav, and local rulesets in less than 5 seconds. Tops.
>>> When my
>>> sales director hits send in his outlook, I want the message to
>>> deliver so fast his laptop jumps from his desk.
>>>
>>> I think I need striped SAS disks with 15k spindles, four CPUs, and
>>> 16gb of ram. I am open to realistic suggestions, though humor is
>>> still welcome. I intend to submit a quote this week.
>>>
>>> Thanks,
>>>
>>> DAve
>>>
>>
>> Let's put a quote in for a Cray.. however.. we'd have to talk the
>> landlord into allowing us to take over the entire half of the second
>> floor above us here at corporate :)
>>
>> -Matt
>
> I forget you read this list. You never saw this message, you know
> nothing of a quote, you never saw me here.
>

Your Jedi e-mail admin powers don't work on this one!

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!

From MailScanner at ecs.soton.ac.uk Tue Apr 8 19:22:38 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 8 19:23:26 2008
Subject: SA/MS Installer dependencies
In-Reply-To: <47FB924C.1020609@alexb.ch>
References: <47FB5B1A.1090907@alexb.ch> <47FB6A3D.4010304@ecs.soton.ac.uk> <47FB7454.2090005@alexb.ch> <47FB79DE.7070907@ecs.soton.ac.uk> <47FB924C.1020609@alexb.ch>
Message-ID: <47FBB7EE.3060805@ecs.soton.ac.uk>

Alex Broens wrote:
> On 4/8/2008 3:57 PM, Julian Field wrote:
>>
>>
>> Alex Broens wrote:
>>> On 4/8/2008 2:51 PM, Julian Field wrote:
>>>
>>>
>>> Alex Broens wrote:
>>> >> Jules,
>>> >> - Seems SA dependencies are added by the MS installer.
>>> >> why?
>>> >> This breaks possible SA updates and forces the admin into setup
>>> methods which *could* cause issues in the future
>>> >>
>>> >> The one more noticeably missing are
>>> >>
>>> >>
>>> >> REQUIRED module missing: HTML::Parser
>>> >This is in both packages, as both of them need it.
>>> > optional module missing: LWP::UserAgent (for sa-update)
>>> > optional module missing: HTTP::Date (for sa-update)
>>> >
>>> > I came across this when I wanted to update an older MailScanner
>>> box with the latest SA/Clam installer.
>>> >
>>> >> Could you please keep SA's dependencies in SA's installer and not
>>> in MS's
>>>
>>> >What are you saying do you think is wrong? HTML::Parser is the only
>>> >important one here, and is in both the MailScanner and ClamAV+SA
>>> >distributions as both of them need it.
>>>
>>> I see them there... but as said. The installer borked with that msg.
>>>
>>> Thanks for (hopefully) adding the others required by sa-update:
>>>
>>> _______________________________
>>> NOTE: the optional LWP::UserAgent module is not installed.
>>> NOTE: the optional HTTP::Date module is not installed.
>>>
>>>
>>> The "sa-update" script requires this module to make HTTP
>>> If-Modified-Since GET requests.
>>>
>>> optional module missing: HTTP::Date
>> So what you would actually like me to do is add HTTP::Date to the
>> SpamAssassin installation package?
>
> Yep,
> AND: If you & other admins agree, LWP::UserAgent and its *immediate*
> dependencies to be able to run sa-update out of the box.

All done. I have added libnet and libwww-perl to the (long) list already
there. They both appear to install unattended just fine, with the odd
"-n" and "yes n" commands here and there :-)

I have updated the copy of the ClamAV+SpamAssassin on the website. If you
download it and get an old version, your web browser / proxy / cache is
caching an out of date one somewhere, the version linked on the website
is definitely the right version.

Jules

From MailScanner at ecs.soton.ac.uk Tue Apr 8 19:36:05 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 8 19:36:24 2008
Subject: detect executables embedded inside MS Office documents?
In-Reply-To:
References: <57573D714A832C43B9D80EAFBDA48D030A03EC01@inex3.herffjones.hj-int> <47F725C7.4070103@vanderkooij.org> <47F78BED.5020606@ecs.soton.ac.uk> <47F7A674.1040501@calorieking.com> <47F8E791.10709@ecs.soton.ac.uk> <20080407060825.50bf671f@scorpio>
Message-ID: <47FBBB15.1020007@ecs.soton.ac.uk>

Scott Silva wrote:
> on 4-7-2008 3:08 AM Gerard spake the following:
>> On Sun, 06 Apr 2008 16:00:45 -0700
>> Scott Silva wrote:
>>
>>> on 4-6-2008 8:09 AM Julian Field spake the following:
>>>> Ignore all previous requests for information. I've got enough of
>>>> it, pretty much.
>>>> The only thing I cannot handle is inserted OLE "Packages" that
>>>> contain multiple files. If someone fancies creating one of those
>>>> and sending it to me, I'll improve the Package parser to cope with
>>>> it.
>>>>
>>>> But it now works with files inserted into Microsoft Office
>>>> documents just fine.
>>>>
>>>> This will be in the next release.
>>>> I guess it's a fairly major new feature, the ability to extract
>>>> embedded files from Microsoft Office documents.
>>>> :-)
>>>>
>>>> I think I'm going to have a rest now...
>>>>
>>> Poking another hole in the Microsoft armor was a big task. A well
>>> deserved rest it will be!!
>>
>> The use of OLE makes the creation of highly detailed documents far
>> easier and accurate.
>> The scanning of said documents when emailed I
>> would assume to be a plus. However, if the scanning action breaks the
>> OLE bonds then the cure is far worse than the disease.
> MailScanner only scans a copy of the attachments to check their
> content. The original isn't harmed.

He didn't really think that did he? How stoopid do people think I am? :-)

Jules

From Neal at Morgan-Systems.com Tue Apr 8 19:47:26 2008
From: Neal at Morgan-Systems.com (Neal Morgan)
Date: Tue Apr 8 19:48:36 2008
Subject: New server request
In-Reply-To: <47FB765B.6030402@pixelhammer.com>
References: <47FB765B.6030402@pixelhammer.com>
Message-ID: <7D1CC61717004141A57CA6CA1C8087EC18A2E9@server-16.MorganSys.net>

> I think I need striped SAS disks with 15k spindles, four CPUs, and 16gb
> of ram. I am open to realistic suggestions, though humor is still
> welcome. I intend to submit a quote this week.
>
> Thanks,
>
> Dave

Dave:

If you're open to a suggestion different than one or two high powered
servers: we use several virtual machines as "border servers". These
handle just the inbound messages. Bots and bad guys seem to prefer to
work through the MX records in reverse order, so we make the first MX
record point to physical hardware and the latter MX records point to the
virts. We're also using RBL at the MTA, graylisting, and local caching
DNS.

Our users connect to a server that is NOT in the MX list. The border
servers relay only the accepted inbound messages to this guy - so its
workload is substantially reduced.
With things spread across multiple servers, most of our batches during
the day are under ten messages - the longest one I've seen today was 76
seconds. Most batches are processed in 10 seconds or less.

We've used both MS Virtual Server and VMWare for these. Both work OK -
though VMWare seems better.

So my suggestion is you consider spending your hardware budget on one or
two Virt servers and spread the workload a bit.

All the best,

Neal Morgan

From MailScanner at ecs.soton.ac.uk Tue Apr 8 19:57:11 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 8 19:58:01 2008
Subject: user opt-out
In-Reply-To: <47FBA5B3.9090601@ptera.net>
References: <47FA5227.60006@ptera.net> <47FA5A6D.5060909@ecs.soton.ac.uk> <47FBA5B3.9090601@ptera.net>
Message-ID: <47FBC007.3030900@ecs.soton.ac.uk>

Just about every configuration setting can have its own ruleset, and all
of these can be different if you want, or the same, or any combination
you choose.

However, some are "big switches" that control whole chunks of the
process, such as "Virus Scanning", "Dangerous Content Scanning" and "Spam
Checks". The biggest switch of them all is "Scan Messages" which is
probably the one you're looking for.

Jules.

Arthur Stephens wrote:
> Yes I have found that - but I could not find if that stops all
> processing including file names, file types, attachment checking, web
> bugs etc.
>
> Julian Field wrote:
>> Please read about rulesets in the documentation. There are many
>> explanations of it and many examples provided on the website, in the
>> wiki, in the mailing list archives and in the book.
>>
>> Arthur Stephens wrote:
>>> I am running MailScanner 4.55.10-3 and PostFix 2.3.8-1.fc5 on
>>> Fedora Core 5
>>>
>>>
>>>
>>> I get requests from our customers saying they do not want the
>>> mailscanner service.
>>> Is there some way to tell mailscanner to pass thru emails to certain
>>> destinations?
>>> --
>>> Arthur Stephens
>>> Senior Sales Technician
>>> Ptera Wireless Internet Service
>>> PO Box 135
>>> Liberty Lake, WA 99019
>>> 509-927-7837
>>> http://www.ptera.net
>>
>> Jules
>>
>
>

Jules

From richard.frovarp at sendit.nodak.edu Tue Apr 8 20:11:44 2008
From: richard.frovarp at sendit.nodak.edu (Richard Frovarp)
Date: Tue Apr 8 20:12:19 2008
Subject: New server request
In-Reply-To: <47FB9540.7090004@pixelhammer.com>
References: <47FB765B.6030402@pixelhammer.com> <47FB8081.4090208@sendit.nodak.edu> <47FB9540.7090004@pixelhammer.com>
Message-ID: <47FBC370.4090906@sendit.nodak.edu>

DAve wrote:
> Richard Frovarp wrote:
>> DAve wrote:
>>> Currently we get hit with 200k to 300k connections a day that hit an
>>> RBL. We see 15k to 25k pipeline attempts. We spam scan almost 50% of
>>> our mail and we Virus scan everything that comes in. We process 4gb
>>> of mail a day on two servers, total around 50k to 65k messages we
>>> actually deliver. We process 16,908 whitelist and 14,348 blacklist
>>> entries from MailWatch.
>>>
>>> Mail delivery for our clients *INCLUDES* outbound scanning and
>>> filtering through my smtp servers (different hardware) and coming
>>> back in through my MailScanner servers.
>>>
>>> I can get that done in 5 minutes round trip time for a message. 90%
>>> of that time is spent in the MS server, queues, waiting for pickup,
>>> etc. I think that is pretty darned good.
>>>
>>> That is apparently not good enough. Every month or so I get told
>>> that mail delivery is incredibly slow and I need to look at the
>>> servers.
>>> I do, and every message I check takes around five minutes.
>>>
>>> I need a recommendation for the root'n toot'nist, rockem sockem,
>>> nuklear powered, rocket fuel fed servers money can buy. I want to
>>> push a batch of 30 messages through a full featured install of SA,
>>> Clamav, and local rulesets in less than 5 seconds. Tops. When my
>>> sales director hits send in his outlook, I want the message to
>>> deliver so fast his laptop jumps from his desk.
>>>
>>> I think I need striped SAS disks with 15k spindles, four CPUs, and
>>> 16gb of ram. I am open to realistic suggestions, though humor is
>>> still welcome. I intend to submit a quote this week.
>>>
>>> Thanks,
>>>
>>> DAve
>>>
>>
>> I've got an old 2.66 GHz dual Xeon with 2 GB of RAM that pushes
>> through mail relatively well. Standard RAID 1 SCSI disks. Right now
>> it's doing batches of 2 in about 15 seconds. It handles about 4 GB
>> of traffic and scans about 46 K a day. I would expect a dual quad
>> core with the requisite amount of RAM would be plenty. Network tests
>> take a while anyway, and there isn't much you can do to speed that
>> up. I am running greylist, greet pause, valid user lookup, and
>> blacklists in sendmail to reduce the load. I also have two other
>> machines that see similar load.
>>
>
> Not much different than the servers we currently run. We do not run
> RAID at the moment. Except I have two servers where you have one.
> Batches of 2 take about 6 seconds, in the evening. During peak hours I
> get batches of 10 that require anywhere from 60 to 190 seconds. I can
> go from 7 messages waiting to 300 messages waiting in the blink of an
> eye. Though left to its own, MS will chew through them just fine.
>
> We also run greylisting (with client's whitelisted), greetpause (with
> our own network whitelisted), RBL (in MTA), caching DNS, and
> milter-ahead to the pop toasters.
>
> DAve
>
>

Actually I have 3 public facing and 1 internal MailScanner boxes.

Lower your batch sizes.
How many of those 300 are really waiting? If you are doing batches of max
of 10 with 10 children, that's 100 messages being processed at the
moment. If you have max batch sizes of 30, that's all 300 being
processed. Assuming that other aspects aren't affecting load, the batch
performance would seem to be better with smaller numbers of messages. You
may want to try lowering the batch sizes. Sometimes less is more.

From root at doctor.nl2k.ab.ca Tue Apr 8 20:17:28 2008
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Tue Apr 8 20:21:34 2008
Subject: A couple of notes
In-Reply-To: <47FB8734.5050002@ecs.soton.ac.uk>
References: <20080408135755.GA17313@doctor.nl2k.ab.ca> <47FB8734.5050002@ecs.soton.ac.uk>
Message-ID: <20080408191728.GA23795@doctor.nl2k.ab.ca>

On Tue, Apr 08, 2008 at 03:54:44PM +0100, Julian Field wrote:
>
>
> Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem
> wrote:
>> 1) http://www.nk.ca/blog . This is spam and phish section for your research.
>>
>> 2) The latest beta sent my CPUs up the wall. What did you do Julian?
>>
> What has changed in your system performance? It should only affect messages
> with Office documents embedded in them. Was the change in the last beta, or
> was the previous stable the same as the new beta?
>

Stable to beta.

> Jules

From ssilva at sgvwater.com Tue Apr 8 20:23:48 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Apr 8 20:24:46 2008
Subject: New server request
In-Reply-To: <47FB765B.6030402@pixelhammer.com>
References: <47FB765B.6030402@pixelhammer.com>
Message-ID:

on 4-8-2008 6:42 AM DAve spake the following:
> Currently we get hit with 200k to 300k connections a day that hit an
> RBL. We see 15k to 25k pipeline attempts. We spam scan almost 50% of our
> mail and we Virus scan everything that comes in. We process 4gb of mail
> a day on two servers, total around 50k to 65k messages we actually
> deliver. We process 16,908 whitelist and 14,348 blacklist entries from
> MailWatch.
>
> Mail delivery for our clients *INCLUDES* outbound scanning and filtering
> through my smtp servers (different hardware) and coming back in through
> my MailScanner servers.
>
> I can get that done in 5 minutes round trip time for a message. 90% of
> that time is spent in the MS server, queues, waiting for pickup, etc. I
> think that is pretty darned good.
>
> That is apparently not good enough. Every month or so I get told that
> mail delivery is incredibly slow and I need to look at the servers. I
> do, and every message I check takes around five minutes.
>

Tell them to use the fax machine. Point to point delivery, and fairly
reliable technology! ;-P

I spend lots of time telling clueless upperlings the basics of how e-mail
works.
They may be whiz-bang at running multi-million dollar corporations, but technology is not their strong point. I tell them that is what they pay me for, so they don't have to know everything.

But 5 minutes round trip is extremely good for your volume. Most MUAs don't even check that often. My bosses are very happy with 15 minutes, and usually only complain if they get timeouts.

But if the complaints will get an increase in your hardware budget, then go for it. It won't make it slower.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From uxbod at splatnix.net Tue Apr 8 20:27:19 2008
From: uxbod at splatnix.net (--[ UxBoD ]--)
Date: Tue Apr 8 20:28:09 2008
Subject: New server request
In-Reply-To: <47FBAB86.3090608@ecs.soton.ac.uk>
Message-ID: <11083949.1471207682839291.JavaMail.root@office.splatnix.net>

plus removing a single point of failure.

Regards,

--
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

----- "Julian Field" wrote:

--[ UxBoD ]-- wrote:
> Remove all checking ? ;) 5 mins for something that does not have a guaranteed (RFC) delivery time anyway is damn good! Yes you could put in a SAN/iSCSI but as already been said make sure loads of cache. Why not put the OS etc on SSDs ? Man, you could keep going all day and spend loads of dosh, but what great fun :D
>
> I would run numerous tests throughout different loads on the system to truly ascertain where the issue is.
>
Definitely.
Work out exactly where to target the money.
And in my view you'll get better value from 2 half-price servers than 1 very expensive one.

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

From glenn.steen at gmail.com Tue Apr 8 20:28:20 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Tue Apr 8 20:28:56 2008
Subject: MS hangs with strange clamav database (SOLVED)
In-Reply-To:
References: <47FA0583.1060509@gmail.com> <223f97700804070454m89e2dc2s4e1079e19efef1f8@mail.gmail.com> <223f97700804070456j39092b34i93a4b07628ee041b@mail.gmail.com> <47FA1852.6040906@gmail.com>
Message-ID: <223f97700804081228j25a0a3cbt77129880b03010a9@mail.gmail.com>

On 08/04/2008, Scott Silva wrote:
> on 4-7-2008 5:49 AM Ronny T. Lampert spake the following:
> > >
> > >> need look something like:
> > >>
> > >> Monitors for ClamAV Updates = /var/clamav/*.inc/* /var/clamav/*.?db
> > >> /var/clamav/*.cvd
> >
> > I completely seem to have forgotten about the incrementals... shame on me.
> > Don't know when that setting got wrong. But alas, I've changed it
> > because it really does look sensible.
> >
> > Thanks Glen!
> >
> Make sure that it is the right directory for your system, as Julian's
> install package of clam seems to use the clamav default of
> /usr/local/share/clamav/

Yeah... I modified mine (which is set for the default) to work with what Ronny showed us;)... but a very valid point.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From ssilva at sgvwater.com Tue Apr 8 20:56:53 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Apr 8 20:57:58 2008
Subject: Where to increase the RAZOR2_CF scores?
In-Reply-To: <3BF93070B3D1B047BA7ABF612958950D02CF60C8@hcex.hartwellcorp.com>
References: <3BF93070B3D1B047BA7ABF612958950D02CF60C8@hcex.hartwellcorp.com>
Message-ID:

on 4-8-2008 11:08 AM Michael St. Laurent spake the following:
> I was wondering how I would see all the rule names for Razor2 matches
> and which file would be the best place to add increased scores for them.
>
> Thanks. ;)

http://spamassassin.apache.org/tests.html

Look at the link for your version and you will see all the rules that are included.
You can just add lines in your spam.assassin.prefs.conf for each one you want to modify in the form score

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

From alex at nkpanama.com Tue Apr 8 21:11:15 2008
From: alex at nkpanama.com (Alex Neuman)
Date: Tue Apr 8 21:12:37 2008
Subject: New server request
In-Reply-To:
References: <47FB765B.6030402@pixelhammer.com> <67E30A7B-ACBA-4158-A266-F3D8950992F8@nkpanama.com> <47FB7BD8.1030604@ecs.soton.ac.uk> <70F2D897-4E7F-4F59-B2AD-5C1F897C281C@nkpanama.com>
Message-ID: <2E72D2BD-44D2-4C50-9263-28B350AC546E@nkpanama.com>

Perhaps another one for the wiki?

On Apr 8, 2008, at 12:01 PM, Gottschalk, David wrote:

> I don't see any reason why not.
>
> I just tested it on one of my MailScanner servers.
>
> David Gottschalk
> UTS Email Team
> david.gottschalk@emory.edu
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Alex Neuman
> Sent: Tuesday, April 08, 2008 11:19 AM
> To: MailScanner discussion
> Subject: Re: New server request
>
> Can this be cronjobbed?
>

From mikes at hartwellcorp.com Tue Apr 8 21:12:41 2008
From: mikes at hartwellcorp.com (Michael St. Laurent)
Date: Tue Apr 8 21:13:26 2008
Subject: Where to increase the RAZOR2_CF scores?
Message-ID: <3BF93070B3D1B047BA7ABF612958950D02CF60C9@hcex.hartwellcorp.com>

I was wondering how I would see all the rule names for Razor2 matches and which file would be the best place to add increased scores for them.

Thanks. ;)

From alex at nkpanama.com Tue Apr 8 21:12:54 2008
From: alex at nkpanama.com (Alex Neuman)
Date: Tue Apr 8 21:14:44 2008
Subject: New server request
In-Reply-To:
References: <47FB765B.6030402@pixelhammer.com> <47FB79A0.3030605@slackadelic.com> <47FB92ED.4040504@pixelhammer.com>
Message-ID: <6AD517C7-93DA-4309-BF01-C2A9B7AD7E88@nkpanama.com>

He must be a toydarian! Only credits work on him!

On Apr 8, 2008, at 1:12 PM, Scott Silva wrote:

> Your Jedi e-mail admin powers don't work on this one!

From alex at nkpanama.com Tue Apr 8 21:12:29 2008
From: alex at nkpanama.com (Alex Neuman)
Date: Tue Apr 8 21:14:47 2008
Subject: New server request
In-Reply-To: <47FBB047.2050109@slackadelic.com>
References: <47FB765B.6030402@pixelhammer.com> <47FB79A0.3030605@slackadelic.com> <47FB92ED.4040504@pixelhammer.com> <47FBB047.2050109@slackadelic.com>
Message-ID: <8659132F-F9B3-4587-8E0E-A0A902AD091E@nkpanama.com>

These are *not* the mailing list messages you're looking for. You do not need to see the headers. You will pass the message on to the next hop untouched.

On Apr 8, 2008, at 12:49 PM, Matt Hayes wrote:

>> I forget you read this list. You never saw this message, you know
>> nothing of a quote, you never saw me here.
>> DAve
>
> Who the hell are you?
>
> -Matt

From jaearick at colby.edu Tue Apr 8 21:14:14 2008
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Tue Apr 8 21:14:48 2008
Subject: speed change between 4.67.6 and 4.68.8?
Message-ID:

Julian,

Has something changed between these two versions to significantly slow down MailScanner? I have been doing email tests with an "emergency broadcast" company, to send mass emails to all of our community (think Virginia Tech). The test I ran on Apr 8 used 4.67.6 and the test I ran on Apr 7 used 4.68.8, see attached files. The 4.68.8 thruput clearly took longer per batch.

I have also noticed that the overall load on my system no longer jumps way up with 4.68.8 when I have a big slug of inbound email to process (unlike 4.67.6). While lower loads are good, version 4.68.8 seems to be "loafing" on big inputs, while 4.67.6 puts the CPUs to use and gets busy chewing thru the input queue.

I don't mean to throw rocks, but something doesn't seem right with 4.68.8, IMHO. Anybody else noticed this behavior?

My setup: Solaris 10, SA 3.2.4, DCC 1.3.78, razor, caching DNS on the server.
Running on a Sparc V490, 4 CPUs, max children = 20.

Jeff Earickson
Colby College
16:14:26 jasper MailScanner[22123]: [ID 702911 mail.info] Batch (30 messages) processed in 425.60 seconds
Apr 7 16:14:49 jasper MailScanner[13010]: [ID 702911 mail.info] Batch (30 messages) processed in 344.12 seconds
Apr 7 16:14:53 jasper MailScanner[18589]: [ID 702911 mail.info] Batch (30 messages) processed in 362.72 seconds
Apr 7 16:15:13 jasper MailScanner[16649]: [ID 702911 mail.info] Batch (30 messages) processed in 284.02 seconds
Apr 7 16:15:22 jasper MailScanner[24091]: [ID 702911 mail.info] Batch (30 messages) processed in 307.45 seconds
Apr 7 16:15:39 jasper MailScanner[21787]: [ID 702911 mail.info] Batch (30 messages) processed in 269.35 seconds
Apr 7 16:16:25 jasper MailScanner[19568]: [ID 702911 mail.info] Batch (30 messages) processed in 303.84 seconds

From MailScanner at ecs.soton.ac.uk Tue Apr 8 21:53:51 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 8 21:54:48 2008
Subject: A couple of notes
In-Reply-To: <20080408191728.GA23795@doctor.nl2k.ab.ca>
References: <20080408135755.GA17313@doctor.nl2k.ab.ca> <47FB8734.5050002@ecs.soton.ac.uk> <20080408191728.GA23795@doctor.nl2k.ab.ca>
Message-ID: <47FBDB5F.5000301@ecs.soton.ac.uk>

Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem wrote:
> On Tue, Apr 08, 2008 at 03:54:44PM +0100, Julian Field wrote:
>
>> Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem
>> wrote:
>>
>>> 1) http://www.nk.ca/blog . This is spam and phish section for your research.
>>>
>>> 2) The latest beta sent my CPUs up the wall. What did you do Julian?
>>>
>>>
>> What has changed in your system performance? It should only affect messages
>> with Office documents embedded in them. Was the change in the last beta, or
>> was the previous stable the same as the new beta?
>>
>>
>
> Stable to beta.
>
Well, you've got the Change Log.
Take a look :)
>
>> Jules
>>
>> --
>> Julian Field MEng CITP CEng
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> Need help customising MailScanner?
>> Contact me!
>> Need help fixing or optimising your systems?
>> Contact me!
>> Need help getting you started solving new requirements from your boss?
>> Contact me!
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>> --
>> MailScanner mailing list
>> mailscanner@lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>>
>
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From dave.list at pixelhammer.com Tue Apr 8 21:54:10 2008
From: dave.list at pixelhammer.com (DAve)
Date: Tue Apr 8 21:54:51 2008
Subject: New server request
In-Reply-To: <47FBAB86.3090608@ecs.soton.ac.uk>
References: <9283241.1441207668970459.JavaMail.root@office.splatnix.net> <47FBAB86.3090608@ecs.soton.ac.uk>
Message-ID: <47FBDB72.2040809@pixelhammer.com>

Julian Field wrote:
>
>
> --[ UxBoD ]-- wrote:
>> Remove all checking ? ;) 5 mins for something that does not have a
>> guaranteed (RFC) delivery time anyway is damn good! Yes you could put
>> in a SAN/iSCSI but as already been said make sure loads of cache. Why
>> not put the OS etc on SSDs ? Man, you could keep going all day and
>> spend loads of dosh, but what great fun :D
>>
>> I would run numerous tests throughout different loads on the system to
>> truly ascertain where the issue is.
>>
> Definitely. Work out exactly where to target the money. And in my view
> you'll get better value from 2 half-price servers than 1 very expensive
> one.
>
> Jules
>

Yep, but they seem to like hardware solutions, so I like giving them
hardware solutions ;^)

In reality we are in good shape, we are processing at the same speed now
as before, but at a higher load. My inclination is to test more but I
don't want to turn off MailScanner to run in debug. So I need to get a
schedule to upgrade to Julian's new version so I can actually run a
debug child on a test queue during peak load.

I am suspicious that the high load is SA, but I don't think there is
much I can do tuning wise that has not already been done. I will make
some changes to the disks/kernel/etc in the next few evenings and see
where I end up.

Still gonna turn in a quote for hot rod servers though. The current ones
would make excellent web mirrors ;^)

DAve

--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.
From dave.list at pixelhammer.com Tue Apr 8 21:56:03 2008
From: dave.list at pixelhammer.com (DAve)
Date: Tue Apr 8 21:56:50 2008
Subject: New server request
In-Reply-To: <47FBC370.4090906@sendit.nodak.edu>
References: <47FB765B.6030402@pixelhammer.com> <47FB8081.4090208@sendit.nodak.edu> <47FB9540.7090004@pixelhammer.com> <47FBC370.4090906@sendit.nodak.edu>
Message-ID: <47FBDBE3.3080204@pixelhammer.com>

Richard Frovarp wrote:
> DAve wrote:
>> Richard Frovarp wrote:
>>> DAve wrote:
>>>> Currently we get hit with 200k to 300k connections a day that hit an
>>>> RBL. We see 15k to 25k pipeline attempts. We spam scan almost 50% of
>>>> our mail and we Virus scan everything that comes in. We process 4gb
>>>> of mail a day on two servers, total around 50k to 65k message we
>>>> actually deliver. We process 16,908 whitelist and 14,348 blacklist
>>>> entries from MailWatch.
>>>>
>>>> Mail delivery for our clients *INCLUDES* outbound scanning and
>>>> filtering through my smtp servers (different hardware) and coming
>>>> back in through my MailScanner servers.
>>>>
>>>> I can get that done in 5 minutes round trip time for a message. 90%
>>>> of that time is spent in the MS server, queues, waiting for pickup,
>>>> etc. I think that is pretty darned good.
>>>>
>>>> That is apparently not good enough. Every month or so I get told
>>>> that mail delivery is incredibly slow and I need to look at the
>>>> servers. I do, and every message I check takes around five minutes.
>>>>
>>>> I need a recommendation for the root'n toot'nist, rockem sockem,
>>>> nuklear powered, rocket fuel fed servers money can buy. I want to
>>>> push a batch of 30 messages through a full featured install of SA,
>>>> Clamav, and local rulesets in less than 5 seconds. Tops. When my
>>>> sales director hits send in his outlook, I want the message to
>>>> deliver so fast his laptop jumps from his desk.
>>>>
>>>> I think I need striped SAS disks with 15k spindles, four CPUs, and
>>>> 16gb of ram. I am open to realistic suggestions, though humor is
>>>> still welcome. I intend to submit a quote this week.
>>>>
>>>> Thanks,
>>>>
>>>> DAve
>>>>
>>>
>>> I've got an old 2.66 GHz dual Xeon with 2 GB of RAM that pushes
>>> through mail relatively well. Standard RAID 1 SCSI disks. Right now
>>> it's doing batches of 2 in about 15 seconds. It handles about 4 GB
>>> of traffic and scans about 46 K a day. I would expect a dual quad
>>> core with the requisite amount of RAM would be plenty. Network tests
>>> take a while anyway, and there isn't much you can do to speed that
>>> up. I am running greylist, greet pause, valid user lookup, and
>>> blacklists in sendmail to reduce the load. I also have two other
>>> machines that see similar load.
>>>
>>
>> Not much different than the servers we currently run. We do not run
>> RAID at the moment. Except I have two servers where you have one.
>> Batches of 2 take about 6 seconds, in the evening. During peak hours I
>> get batches of 10 that require anywhere from 60 to 190 seconds. I can
>> go from 7 messages waiting to 300 messages waiting in the blink of an
>> eye. Though left to its own, MS will chew through them just fine.
>>
>> We also run greylisting (with clients whitelisted), greetpause (with
>> our own network whitelisted), RBL (in MTA), caching DNS, and
>> milter-ahead to the pop toasters.
>>
>> DAve
>>
>>
> Actually I have 3 public facing and 1 internal MailScanner boxes. Lower
> your batch sizes. How many of those 300 are really waiting? If you are
> doing batches of max of 10 with 10 children, that's 100 messages being
> processed at the moment. If you have max batch sizes of 30, that's all
> 300 being processed.
>
> Assuming that other aspects aren't affecting load, the batch performance
> would seem to be better with smaller numbers of messages. You may want
> to try lowering the batch sizes. Sometimes less is more.
I thought so too, it seems at least with our mail, more children
processing smaller batches is faster than large batches and fewer
children. I currently run 15 children and batch size of 10 and doing
well.

DAve

--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.

From ssilva at sgvwater.com Tue Apr 8 21:59:01 2008
From: ssilva at sgvwater.com (Scott Silva)
Date: Tue Apr 8 22:00:08 2008
Subject: detect executables embedded inside MS Office documents?
In-Reply-To: <47FBBB15.1020007@ecs.soton.ac.uk>
References: <57573D714A832C43B9D80EAFBDA48D030A03EC01@inex3.herffjones.hj-int> <47F725C7.4070103@vanderkooij.org> <47F78BED.5020606@ecs.soton.ac.uk> <47F7A674.1040501@calorieking.com> <47F8E791.10709@ecs.soton.ac.uk> <20080407060825.50bf671f@scorpio> <47FBBB15.1020007@ecs.soton.ac.uk>
Message-ID:

on 4-8-2008 11:36 AM Julian Field spake the following:
>
>
> Scott Silva wrote:
>> on 4-7-2008 3:08 AM Gerard spake the following:
>>> On Sun, 06 Apr 2008 16:00:45 -0700
>>> Scott Silva wrote:
>>>
>>>> on 4-6-2008 8:09 AM Julian Field spake the following:
>>>>> Ignore all previous requests for information. I've got enough of
>>>>> it, pretty much.
>>>>> The only thing I cannot handle is inserted OLE "Packages" that
>>>>> contain multiple files. If someone fancies creating one of those
>>>>> and sending it to me, I'll improve the Package parser to cope with
>>>>> it.
>>>>>
>>>>> But it now works with files inserted into Microsoft Office
>>>>> documents just fine.
>>>>>
>>>>> This will be in the next release.
>>>>> I guess it's a fairly major new feature, the ability to extract
>>>>> embedded files from Microsoft Office documents.
>>>>> :-)
>>>>>
>>>>> I think I'm going to have a rest now...
>>>>>
>>>> Poking another hole in the Microsoft armor was a big task. A well
>>>> deserved rest it will be!!
>>>
>>> The use of OLE makes the creation of highly detailed documents far
>>> easier and accurate. The scanning of said documents when emailed I
>>> would assume to be a plus. However, if the scanning action breaks the
>>> OLE bonds then the cure is far worse than the disease.
>> MailScanner only scans a copy of the attachments to check their
>> content. The original isn't harmed.
> He didn't really think that did he? How stoopid do people think I am? :-)
>
> Jules
>

That is how I took it. No smileys, no other indication of being funny,
no swapping jokes, etc...

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080408/f8fc1681/signature.bin

From MailScanner at ecs.soton.ac.uk Tue Apr 8 22:02:35 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Tue Apr 8 22:02:51 2008
Subject: Where to increase the RAZOR2_CF scores?
In-Reply-To: <3BF93070B3D1B047BA7ABF612958950D02CF60C8@hcex.hartwellcorp.com>
References: <3BF93070B3D1B047BA7ABF612958950D02CF60C8@hcex.hartwellcorp.com>
Message-ID: <47FBDD6B.1000602@ecs.soton.ac.uk>

cd /usr/share/spamassassin
grep RAZOR 50_scores.cf
(or something similar)
Then put the new scores in /etc/MailScanner/spam.assassin.prefs.conf and
restart MailScanner.

Michael St. Laurent wrote:
> I was wondering how I would see all the rule names for Razor2 matches
> and which file would be the best place to add increased scores for them.
>
> Thanks. ;)
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From bpirie at rma.edu Tue Apr 8 22:20:33 2008
From: bpirie at rma.edu (Brendan Pirie)
Date: Tue Apr 8 22:19:19 2008
Subject: New server request
In-Reply-To: <7D1CC61717004141A57CA6CA1C8087EC18A2E9@server-16.MorganSys.net>
References: <47FB765B.6030402@pixelhammer.com> <7D1CC61717004141A57CA6CA1C8087EC18A2E9@server-16.MorganSys.net>
Message-ID: <47FBE1A1.9070704@rma.edu>

Neal Morgan wrote:
>
>
> We've used both MS Virtual Server and VMWare for these. Both work OK -
> though VMWare seems better.
>

Works great with xen virtual servers here.

Brendan

From ms-list at alexb.ch Tue Apr 8 22:27:38 2008
From: ms-list at alexb.ch (Alex Broens)
Date: Tue Apr 8 22:28:22 2008
Subject: SA installer oddities:
In-Reply-To: <47FBACD4.3020804@ecs.soton.ac.uk>
References: <47FB8D50.6080703@alexb.ch> <47FBACD4.3020804@ecs.soton.ac.uk>
Message-ID: <47FBE34A.9010403@alexb.ch>

On 4/8/2008 7:35 PM, Julian Field wrote:
>
>
> Alex Broens wrote:
>> Jules
>>
>> Finished the install and BEFORE adding my own stuff to
>> /etc/mail/spamassassin I checked the *.pre files for redundant loads:
>>
>> init.pre
>>
>> includes:
>>
>> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
>> loadplugin Mail::SpamAssassin::Plugin::SPF
>> loadplugin Mail::SpamAssassin::Plugin::RelayCountry
>> loadplugin Mail::SpamAssassin::Plugin::Razor2
>>
>>
>> v310.pre
>>
>> includes:
>>
>> loadplugin Mail::SpamAssassin::Plugin::RelayCountry
>> loadplugin Mail::SpamAssassin::Plugin::SPF
>> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
>>
>>
>>
>> v320.pre
>>
>> includes:
>>
>> loadplugin Mail::SpamAssassin::Plugin::RelayCountry
>> loadplugin Mail::SpamAssassin::Plugin::SPF
>> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
>> loadplugin Mail::SpamAssassin::Plugin::Razor2
>>
>>
>>
>> [13756] dbg: plugin: did not register
>> Mail::SpamAssassin::Plugin::RelayCountry, already registered
>> [13756] dbg: plugin: did not register Mail::SpamAssassin::Plugin::SPF,
>> already registered
>> [13756] dbg: plugin: did not register
>> Mail::SpamAssassin::Plugin::URIDNSBL, already registered
>>
>> [13756] dbg: plugin: did not register
>> Mail::SpamAssassin::Plugin::RelayCountry, already registered
>> [13756] dbg: plugin: did not register Mail::SpamAssassin::Plugin::SPF,
>> already registered
>> [13756] dbg: plugin: did not register
>> Mail::SpamAssassin::Plugin::URIDNSBL, already registered
>> [13756] dbg: plugin: did not register
>> Mail::SpamAssassin::Plugin::Razor2, already registered
>>
>>
>> seems to me there's a lot of redundant stuff being loaded and reloaded
>> and reloaded - not sure at this point what you added and what's
>> default (need to take SA source apart and check)
> All this registering of plugins is done once when each MailScanner child
> starts up. It makes no difference to mail processing speed at all.
>>
>> May I suggest you don't modify the .pre files after install and point
>> admins to check the stuff being loaded in the 3 .pre files and enable
>> whatever specials they may need.
>> The standard enabled SA plugins will produce a decent working SA
>> without any pain.
> My ClamAV+SpamAssassin package automatically enables these plugins:
> Mail::SpamAssassin::Plugin::RelayCountry
> Mail::SpamAssassin::Plugin::SPF
> Mail::SpamAssassin::Plugin::URIDNSBL
> Mail::SpamAssassin::Plugin::Razor2
>
> To make sure these get loaded regardless of what version of SpamAssassin
> you are using, it writes these into all of v320.pre, v310.pre and
> init.pre. Attempting to load them all 3 times probably adds a
> millisecond to the startup time of MailScanner, but I really don't care
> a hoot about that :-)

forcing loads on a possible older SA version which doesn't support
certain plugins will cause lint errors and fail an sa-update or
sa-compile.
Mail::SpamAssassin::Plugin::URIDNSBL is in init.pre been there for ages
- what can your installer fix if it's already enabled by default?

Mail::SpamAssassin::Plugin::RelayCountry is not enabled by default as it
adds a certain overhead

Razor2 is enabled BEFORE it's installed - if you warn ppl they must
install it, why not let them enable the plugin?

you may say, mainly cosmetics, but when linting they just don't make the
results look MS-like :-)

From hvdkooij at vanderkooij.org Tue Apr 8 22:33:17 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Apr 8 22:34:02 2008
Subject: MailScanner Digest, Vol 28, Issue 18
In-Reply-To: <47FBA363.5010100@ecs.soton.ac.uk>
References: <47FBA363.5010100@ecs.soton.ac.uk>
Message-ID: <47FBE49D.9060109@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Field wrote:
| Please use an auto-responder that is intelligent enough to ignore
| mailing lists.

Hmm. That means that everyone reading this mailing list from an exchange
server is not entitled to any vacation. But anyone running exchange
would already know that exchange does not allow you to be away from the
office too much anyway ;-)

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFH++SbBvzDRVjxmYERAgnXAJ9OTynU9aznG5Vc6jCcuR2tAM/egwCgpLaD
OHzg0k6/U+dkfh5gDT0gOag=
=u5Bd
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Tue Apr 8 22:37:18 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Apr 8 22:37:29 2008
Subject: New server request
In-Reply-To:
References: <47FB765B.6030402@pixelhammer.com>
Message-ID: <47FBE58E.3070700@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott Silva wrote:
| But if the complaints will get an increase in your hardware budget, then
| go for it. It won't make it slower.

Hmm. Perhaps a better paycheck may even refresh your memory where you
left the sleep commands in the scripts.

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFH++WNBvzDRVjxmYERAilbAJwPQaloWAG1wIqos1k8fFoRMnugUgCfRiBM
OCE4shaYhxf4ECcjle2HU1M=
=iTym
-----END PGP SIGNATURE-----

From hvdkooij at vanderkooij.org Tue Apr 8 22:41:01 2008
From: hvdkooij at vanderkooij.org (Hugo van der Kooij)
Date: Tue Apr 8 22:41:12 2008
Subject: Where to increase the RAZOR2_CF scores?
In-Reply-To: <3BF93070B3D1B047BA7ABF612958950D02CF60C9@hcex.hartwellcorp.com>
References: <3BF93070B3D1B047BA7ABF612958950D02CF60C9@hcex.hartwellcorp.com>
Message-ID: <47FBE66D.9@vanderkooij.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael St. Laurent wrote:
| I was wondering how I would see all the rule names for Razor2 matches
| and which file would be the best place to add increased scores for them.

Could you fix the loop in your SMTP network FIRST? This is bound to get
you into trouble sooner or later.
Check out these headers:

Received: from safir.blacknight.ie (safir.blacknight.ie [83.98.192.7])
    by balin.waakhond.net (Postfix) with ESMTP id 4F19417E83BF
    for ; Tue, 8 Apr 2008 23:22:34 +0200 (CEST)
Received: from safir.blacknight.ie (safir.blacknight.ie [127.0.0.1])
    by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id m38LJOXw000373;
    Tue, 8 Apr 2008 22:19:32 +0100
X-Mailman-Handler: $Id: mm-handler,v 1.2 2002/04/05 19:41:09 bwarsaw Exp $
Received: from hcfw1.hartwellcorp.com (guardian.hartwellcorp.com [216.237.48.18])
    by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id m38KCqva028641
    for ; Tue, 8 Apr 2008 21:13:25 +0100
X-Hartwell-MailScanner-Watermark: 1208290368.35685@76WyA74NVfugdnG4EGswsQ
Received: (from mail@localhost)
    by hcfw1.hartwellcorp.com (8.13.8/8.12.8) id m38KCmbW020237
    for ; Tue, 8 Apr 2008 13:12:48 -0700
X-Authentication-Warning: hcfw1.hartwellcorp.com: mail set sender to using -f
X-Authentication-Warning: hcfw1.hartwellcorp.com: Processed from queue /var/spool/mqueue.in/
Received: from hcex.hartwellcorp.com (EHLO hcex.hartwellcorp.com) (10.11.10.14)
    by hcfw1.hartwellcorp.com via smap (V2.1+anti-relay+anti-spam)
    id xma020233; Tue, 8 Apr 08 20:12:41 GMT
X-MimeOLE: Produced By Microsoft Exchange V6.5

Hugo.

- --
hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFH++ZrBvzDRVjxmYERAhXGAKCxvTwu6ZcTE5Qc9BCxdPypbxKGswCffxqD
RHI9GzlxJxf51eDm0GvSD0I=
=oy69
-----END PGP SIGNATURE-----

From dave.list at pixelhammer.com Tue Apr 8 22:47:32 2008
From: dave.list at pixelhammer.com (DAve)
Date: Tue Apr 8 22:48:13 2008
Subject: New server request
In-Reply-To: <8659132F-F9B3-4587-8E0E-A0A902AD091E@nkpanama.com>
References: <47FB765B.6030402@pixelhammer.com> <47FB79A0.3030605@slackadelic.com> <47FB92ED.4040504@pixelhammer.com> <47FBB047.2050109@slackadelic.com> <8659132F-F9B3-4587-8E0E-A0A902AD091E@nkpanama.com>
Message-ID: <47FBE7F4.9000409@pixelhammer.com>

Alex Neuman wrote:
>
> These are *not* the mailing list messages you're looking for.
> You do not need to see the headers.
> You will pass the message on to the next hop untouched.
>
>
> On Apr 8, 2008, at 12:49 PM, Matt Hayes wrote:
>>> I forget you read this list. You never saw this message, you know
>>> nothing of a quote, you never saw me here.
>>> DAve
>>
>> Who the hell are you?
>>
>> -Matt
>

Scott Silva wrote:
> Your Jedi e-mail admin powers don't work on this one!
>

I needed a good laugh ;^)

--
In 50 years, our descendants will look back on the early years
of the internet, and much like we now look back on men with
rockets on their back and feathers glued to their arms, marvel
that we had the intelligence to wipe the drool from our chins.

From mikes at hartwellcorp.com Tue Apr 8 23:24:01 2008
From: mikes at hartwellcorp.com (Michael St. Laurent)
Date: Tue Apr 8 23:24:49 2008
Subject: Where to increase the RAZOR2_CF scores?
Message-ID: <3BF93070B3D1B047BA7ABF612958950D02CF60CF@hcex.hartwellcorp.com>

Perfect! Thanks. ;)

> cd /usr/share/spamassassin
> grep RAZOR 50_scores.cf
> (or something similar)
> Then put the new scores in
> /etc/MailScanner/spam.assassin.prefs.conf and
> restart MailScanner.
>
> Michael St. Laurent wrote:
> > I was wondering how I would see all the rule names for
> Razor2 matches
> > and which file would be the best place to add increased
> scores for them.
> >
> > Thanks. ;)

From TGFurnish at herffjones.com Wed Apr 9 00:48:55 2008
From: TGFurnish at herffjones.com (Furnish, Trever G)
Date: Wed Apr 9 00:49:33 2008
Subject: New server request
In-Reply-To: <47FBDBE3.3080204@pixelhammer.com>
References: <47FB765B.6030402@pixelhammer.com> <47FB8081.4090208@sendit.nodak.edu> <47FB9540.7090004@pixelhammer.com><47FBC370.4090906@sendit.nodak.edu> <47FBDBE3.3080204@pixelhammer.com>
Message-ID: <57573D714A832C43B9D80EAFBDA48D030A03EC5A@inex3.herffjones.hj-int>

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve
> Sent: Tuesday, April 08, 2008 4:56 PM
> To: MailScanner discussion
> Subject: Re: New server request
>
> Richard Frovarp wrote:
> > DAve wrote:
> >> Richard Frovarp wrote:
> >>> DAve wrote:
> >>>> Currently we get hit with 200k to 300k connections a day
> >>>> that hit
> >>>> an RBL. We see 15k to 25k pipeline attempts. We spam scan almost
> >>>> 50% of our mail and we Virus scan everything that comes in. We
> >>>> process 4gb of mail a day on two servers, total around
> >>>> 50k to 65k
> >>>> message we actually deliver. We process 16,908 whitelist
> >>>> and 14,348
> >>>> blacklist entries from MailWatch.
> >>>>
> >>>> Mail delivery for our clients *INCLUDES* outbound scanning and
> >>>> filtering through my smtp servers (different hardware)
> >>>> and coming
> >>>> back in through my MailScanner servers.
> >>>>
> >>>> I can get that done in 5 minutes round trip time for a
> >>>> message. 90%
> >>>> of that time is spent in the MS server, queues, waiting
> >>>> for pickup,
> >>>> etc. I think that is pretty darned good.

Not really what you're looking for, but I run a small shell script that
sends a daily report of the previous day's delay reading as logged by
the sendmail process that handles mail in the queue after MailScanner
processes messages.

My set-up only handles mail coming in from the Internet to internal
users, which makes the logic simpler. YMMV -- you'd definitely need to
change the code at least a little to fit your environment, especially to
distinguish between "inbound Internet mail" and others.

It produces output like so:

Output from script /sysadm/scripts/local/report_delay.sh running on host
relay2.public.herff-jones.com under account root.

This report shows the delay for message delivery as reported by sendmail
(...are you running sendmail?). These are only messages that were
already passed through by MS -- some 180K msgs are blocked each day by
the same system.

Count of messages delivered: 25185
Messages delivered in under a minute: 23723
Messages delivered in between 1 and 10 minutes: 1456
Messages delivered in between 10 and 20 minutes: 2
Messages delivered in between 20 and 30 minutes: 1
Messages delivered in between 30 and 40 minutes: 1
Messages delivered in between 40 and 50 minutes: 1
Messages delivered in between 50 and 60 minutes: 0
Messages delivered in between 1 and 2 hours: 0
Messages delivered in between 2 and 10 hours: 0

The report only comes to me so I haven't worried about fixing the
outlying cases that appear to have taken nearly an hour -- they're not
real problems. You could easily get more granular if you need to.

Having the report helps me rest more easily -- I had no stats to back up
my claim that there wasn't a problem the first time I had a conversation
with someone claiming delivery was unreasonably slow. The "anything
under three days is good per the RFC" argument didn't go over very well.
:-)

I'm embarrassed by some of the code -- hit me up off-list if you want
the script, but I mostly thought the idea might be useful.
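
[The kind of report described in the post above, as an added example that is not Trever's script and not part of the original message: a Python version (his is a shell script) that buckets sendmail's delay= field for successful deliveries. The log lines, host names and the local_domains filter are constructed assumptions, and the "over 10 hours" band is an addition to the bands in his report.]

```python
import re

# A sendmail delivery record has the shape
#   <qid>: to=<rcpt>, delay=[D+]HH:MM:SS, xdelay=..., ..., stat=Sent (...)
# delay= is the total time since the message was queued. The \b stops the
# pattern matching xdelay=, which times only the last delivery attempt.
DELIVERY_RE = re.compile(
    r"(?:sendmail|sm-mta)\[\d+\]: \w+: to=(?P<to>.*?), .*?"
    r"\bdelay=(?:(?P<days>\d+)\+)?(?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d),"
    r".*?\bstat=(?P<stat>\w+)"
)

MIN, HOUR = 60, 3600
# The bands of the report in the post, plus a catch-all band (an addition
# here) so that very late deliveries still show up in the total.
BUCKETS = (
    [("under a minute", 0, MIN), ("between 1 and 10 minutes", MIN, 10 * MIN)]
    + [("between %d and %d minutes" % (lo, lo + 10), lo * MIN, (lo + 10) * MIN)
       for lo in range(10, 60, 10)]
    + [("between 1 and 2 hours", HOUR, 2 * HOUR),
       ("between 2 and 10 hours", 2 * HOUR, 10 * HOUR),
       ("over 10 hours", 10 * HOUR, None)]
)

# Constructed sample log: hosts, queue ids and addresses are made up and the
# records are trimmed to the fields the parser reads.
SAMPLE_LOG = """\
Apr  8 13:12:41 relay sendmail[20233]: m38AAAAA000001: from=<sender@example.net>, size=2048, nrcpts=1, relay=mx.example.net [198.51.100.7]
Apr  8 13:12:50 relay sendmail[20240]: m38AAAAA000001: to=<user1@example.com>, delay=00:00:09, xdelay=00:00:01, mailer=esmtp, dsn=2.0.0, stat=Sent (OK)
Apr  8 13:13:05 relay MailScanner[18363]: Batch (30 messages) processed in 312.49 seconds
Apr  8 13:14:00 relay sendmail[20301]: m38AAAAA000002: to=<user2@example.com>, delay=00:00:58, xdelay=00:00:02, mailer=esmtp, dsn=2.0.0, stat=Sent (OK)
Apr  8 13:15:00 relay sendmail[20310]: m38AAAAA000007: to=<someone@example.org>, delay=00:00:03, xdelay=00:00:01, mailer=esmtp, dsn=2.0.0, stat=Sent (OK)
Apr  8 13:20:00 relay sendmail[20350]: m38AAAAA000003: to=<user3@example.com>,<user4@example.com>, delay=00:07:30, xdelay=00:00:01, mailer=esmtp, dsn=2.0.0, stat=Sent (OK)
Apr  8 13:30:00 relay sendmail[20400]: m38AAAAA000004: to=<user5@example.com>, delay=00:12:00, xdelay=00:01:00, mailer=esmtp, dsn=4.0.0, stat=Deferred: Connection timed out with inside.example.com.
Apr  8 14:03:10 relay sendmail[20900]: m38AAAAA000004: to=<user5@example.com>, delay=00:45:10, xdelay=00:00:01, mailer=esmtp, dsn=2.0.0, stat=Sent (OK)
Apr  8 15:00:00 relay sendmail[21000]: m38AAAAA000005: to=<user6@example.com>, delay=01:00:00, xdelay=00:00:01, mailer=esmtp, dsn=2.0.0, stat=Sent (OK)
Apr  9 16:00:00 relay sendmail[22000]: m37AAAAA000006: to=<user7@example.com>, delay=1+02:00:00, xdelay=00:00:01, mailer=esmtp, dsn=2.0.0, stat=Sent (OK)
"""


def delivered_delay(line, local_domains=None):
    """Return the delay in seconds for a successful delivery line, else None.

    local_domains (an assumption of this example) limits the count to mail
    for your own users, which is how inbound mail is told apart from the rest.
    """
    m = DELIVERY_RE.search(line)
    if not m or m.group("stat") != "Sent":
        return None  # not a delivery record, or a deferred/failed attempt
    if local_domains is not None:
        domains = {d.lower() for d in re.findall(r"@([\w.-]+)", m.group("to"))}
        if not domains & set(local_domains):
            return None
    days, h, mi, s = (int(g or 0) for g in m.group("days", "h", "m", "s"))
    return ((days * 24 + h) * 60 + mi) * 60 + s


def delay_report(lines, local_domains=None):
    """Count successful deliveries per delay band; returns (total, counts)."""
    counts = {label: 0 for label, _, _ in BUCKETS}
    total = 0
    for line in lines:
        delay = delivered_delay(line, local_domains)
        if delay is None:
            continue
        total += 1
        label = next(name for name, lo, hi in BUCKETS
                     if delay >= lo and (hi is None or delay < hi))
        counts[label] += 1
    return total, counts


def format_report(total, counts):
    """Render the counts in the same wording as the report in the post."""
    out = ["Count of messages delivered: %d" % total]
    out += ["Messages delivered in %s: %d" % item for item in counts.items()]
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(*delay_report(SAMPLE_LOG.splitlines())))
```

[Deferred attempts are skipped because sendmail logs the same message again with a larger delay= once it is finally sent, so counting both would double-count slow messages.]
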
:-)

From jan-peter at koopmann.eu Wed Apr 9 07:14:58 2008
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Wed Apr 9 07:16:47 2008
Subject: New server request
In-Reply-To:
References: <47FB765B.6030402@pixelhammer.com><7D1CC61717004141A57CA6CA1C8087EC18A2E9@server-16.MorganSys.net>
Message-ID:

> Works great with xen virtual servers here.

I second that. Works like a charm on our Virtual Iron installations!

From jan-peter at koopmann.eu Wed Apr 9 07:16:54 2008
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Wed Apr 9 07:17:46 2008
Subject: MailScanner Digest, Vol 28, Issue 18
In-Reply-To:
References: <47FBA363.5010100@ecs.soton.ac.uk>
Message-ID:

> Hmm. That means that everyone reading this mailing list from an exchange
> server is not entitled to any vacation.

You just need an intelligent auto-responder in front of the exchange
box.

> But anyone running exchange
> would already know that exchange does not allow you to be away from
> the
> office too much anyway ;-)

On the contrary. :-)

From jan-peter at koopmann.eu Wed Apr 9 07:28:03 2008
From: jan-peter at koopmann.eu (Koopmann, Jan-Peter)
Date: Wed Apr 9 07:28:58 2008
Subject: how to fix Blacklist
In-Reply-To:
References: <20080408041836.3585ECBE80@ws5-11.us4.outblaze.com>
Message-ID:

> If you run a mail server you should be reading your postmaster mail
> everyday. If you do not want to, then you should outsource your email
> to
> someone who will.

Well spoken but far from reality. Most people don't and it really is not
necessary that much. If our system blocks you it will tell you why and
how to contact us via phone, chat, web whatever you like. In the real
world (at least the one I know) managers send mails, these mails bounce
for whatever reason and now one or several of the following happens:

- manager never recognizes the bounce (since it is spam or looks like it...)
- manager recognizes the bounce as a potential problem (not reading the MTAs error message telling him exactly what the problem is) - manager runs off to his/her IT guy telling him that he has "a" problem (obviously not sending enough information for the admin to find what is going on) - admin is either understanding e-mail or calling his/her IT company. - if admin is understanding e-mail he is trying to read the bounce and to fix the problem _if_ the problem is on his machine. - if not, the admin will most likely tell his manager that the problem is on the other side and he should contact the intended recipient by phone or else - assuming he survives this recommendation and that the manager is not pleased, he/she will then try to contact the other side himself. - IF the admin is intelligent and optimistic enough (being an admin himself that most probably does not even know he himself has a postmaster account let alone where e-mail to this account would end up) he might try to write to the postmaster at the other side. At this point his/her manager is already standing right behind him urging him to fix the problem so the admin will not wait for a potential reply and call the admin on the other side. This seems to be about true for all my customers. Maybe you have other experiences. All this works well even if the mails to postmaster are blocked as well. :-) In the past 10 years I can only remember about 5-10 cases in which my personal mails to postmaster/abuse whatever actually triggered some sort of reaction. All of them involved ISPs or alike and none of them privately held companies. So yes in theory you are absolutely correct. In reality having a postmaster box that is not scanned and really accepts all the junk and then have a highly paid admin or service going through all the junk is RFC conform but not happening all that much, is it? 
Kind regards,
JP

From J.Ede at birchenallhowden.co.uk Wed Apr 9 07:55:38 2008
From: J.Ede at birchenallhowden.co.uk (Jason Ede)
Date: Wed Apr 9 07:59:24 2008
Subject: New server request
In-Reply-To: <47FBDB72.2040809@pixelhammer.com>
References: <9283241.1441207668970459.JavaMail.root@office.splatnix.net> <47FBAB86.3090608@ecs.soton.ac.uk>,<47FBDB72.2040809@pixelhammer.com>
Message-ID: <4CAB0118AEC63A4FAAE77E6BCBDF760C406871CC04@server02.bhl.local>

________________________________________
From: mailscanner-bounces@lists.mailscanner.info [mailscanner-bounces@lists.mailscanner.info] On Behalf Of DAve [dave.list@pixelhammer.com]
Sent: 08 April 2008 21:54
To: MailScanner discussion
Subject: Re: New server request

Julian Field wrote:
>
>
> --[ UxBoD ]-- wrote:
>> Remove all checking ? ;) 5 mins for something that does not have a
>> guaranteed (RFC) delivery time anyway is damn good! Yes you could put
>> in a SAN/iSCSI but as already been said make sure loads of cache. Why
>> not put the OS etc on SSDs ? Man, you could keep going all day and
>> spend loads of dosh, but what great fun :D
>>
>> I would run numerous tests throughout different loads on the system to
>> truly ascertain where the issue is.
>>
> Definitely. Work out exactly where to target the money. And in my view
> you'll get better value from 2 half-price servers than 1 very expensive
> one.
>
> Jules
>

Yep, but they seem to like hardware solutions, so I like giving them hardware solutions ;^)

In reality we are in good shape, we are processing at the same speed now as before, but at a higher load. My inclination is to test more but I don't want to turn off MailScanner to run in debug. So I need to get a schedule to upgrade to Julian's new version so I can actually run a debug child on a test queue during peak load.

I am suspicious that the high load is SA, but I don't think there is much I can do tuning wise that has not already been done. I will make some changes to the disks/kernel/etc in the next few evenings and see where I end up. Still gonna turn in a quote for hot rod servers though. The current ones would make excellent web mirrors ;^)

DAve

Why not put log speed to yes in the config file and then just restart mailscanner. Then you can see where the messages are taking their time in the queue. Won't need to leave it on for that long to be able to work out what is taking the time.... I'm assuming you've also fed some of the test messages straight into spam assassin to see how long they take?

Jason

From arjan at anymore.nl Wed Apr 9 10:17:50 2008
From: arjan at anymore.nl (Arjan Schrijver)
Date: Wed Apr 9 10:18:58 2008
Subject: Watermark checking doesn't work
Message-ID: <47FC89BE.1090304@anymore.nl>

Hi people,

This watermarking feature sounds very good given all the spam backscatter I'm receiving the past weeks. So I set the following options in MailScanner.conf:

Use Watermarking = yes
Add Watermark = yes
Check Watermarks With No Sender = yes
Treat Invalid Watermarks With No Sender as Spam = spam
Check Watermarks To Skip Spam Checks = no
Watermark Secret = (this is secret)
Watermark Lifetime = 432000
Watermark Header = X-%org-name%-MailScanner-Watermark:

Now, the watermark is being added to each mail fine. I get the header in every outgoing mail. When I send a mail to a nonexisting address, it gets interesting. The DSN is being returned as it should, including my original X-%org-name%-MailScanner-Watermark header. However, MailScanner doesn't think it is a legitimate watermark, or it can't find the sender address. I get this logline for the DSN:

Apr 9 10:53:37 arenta MailScanner[32447]: Message 82BDF1E018B.CC35D from ######### has no (or invalid) watermark or sender address

Is there more configuration I need to do, or is this feature simply still in development and it doesn't work?
Kind regards,
Arjan

From iamapo at ml520.dyndns.org Wed Apr 9 10:30:55 2008
From: iamapo at ml520.dyndns.org (Michael Lai)
Date: Wed Apr 9 10:30:55 2008
Subject: Mailscanner not work on Fedora 8
Message-ID:

I try to install MailScanner on Fedora 8 (Postfix run on it), but I got the error messages. I have no idea to resolve the problem. Please suggest.
Thank you,
Michael

[root@www MailScanner-4.68.8-1]# ./install.sh

Good. You have the patch command.

Good, you have /usr/src/redhat in place.
But you are running Fedora, so I am going to force the installation
of the Perl modules that normally require it.

Good, unpackaged files will not break the build process.
Good, far-too-clever Perl requirements will be ignored.
Good, Fedora 8 options will be ignored.

Good, you appear to only have 1 copy of Perl installed.

I think you are running on RedHat Linux, Mandriva Linux or SuSE Linux.
Good, you appear to have the basic development tools installed.

This script will pause for a few seconds after each major step,
so do not worry if it appears to stop for a while.
If you want it to stop so you can scroll back through the output
then press Ctrl-S to stop the output and Ctrl-Q to start it again.

If this fails due to dependency checks, and you wish to ignore
these problems, you can run
./install.sh nodeps

Setting Perl5 search path

I think your system will build architecture-dependent modules for i386

Rebuilding all the Perl RPMs for your version of Perl

Attempting to build and install perl-File-Spec-0.82-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-File-Spec-0.82-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-ExtUtils-MakeMaker-6.32-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-ExtUtils-MakeMaker-6.32-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Net-CIDR-0.11-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Net-CIDR-0.11-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-IO-stringy-2.110-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-IO-stringy-2.110-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-MIME-Base64-3.07-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/i386/perl-MIME-Base64-3.07-1.i386.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-TimeDate-1.16-3
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-TimeDate-1.16-3.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Pod-Escapes-1.04-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Pod-Escapes-1.04-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Pod-Simple-3.05-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Pod-Simple-3.05-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Test-Pod-1.26-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Test-Pod-1.26-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-MailTools-2.02-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-MailTools-2.02-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-IO-1.2301-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-IO-1.2301-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-File-Temp-0.19-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-File-Temp-0.19-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-HTML-Tagset-3.03-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-HTML-Tagset-3.03-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-HTML-Parser-3.56-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/i386/perl-HTML-Parser-3.56-1.i386.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Convert-BinHex-1.119-2
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Convert-BinHex-1.119-2.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-MIME-tools-5.425-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-MIME-tools-5.425-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Convert-TNEF-0.17-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Convert-TNEF-0.17-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Compress-Zlib-1.41-1
Detected Compress-Zlib, building appropriately...
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/i386/perl-Compress-Zlib-1.41-1.i386.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Archive-Zip-1.16-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Archive-Zip-1.16-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Scalar-List-Utils-1.19-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Scalar-List-Utils-1.19-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Storable-2.16-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Storable-2.16-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-DBI-1.56-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-DBI-1.56-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-DBD-SQLite-1.13-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-DBD-SQLite-1.13-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Getopt-Long-2.36-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Getopt-Long-2.36-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Time-HiRes-1.9707-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Time-HiRes-1.9707-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Filesys-Df-0.90-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Filesys-Df-0.90-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Test-Harness-2.64-1
Detected Compress-Zlib, building appropriately...
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Test-Harness-2.64-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Test-Simple-0.70-1
Detected Compress-Zlib, building appropriately...
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Test-Simple-0.70-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Math-BigInt-1.86-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Math-BigInt-1.86-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Math-BigRat-0.19-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Math-BigRat-0.19-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-bignum-0.21-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-bignum-0.21-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Net-IP-1.25-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Net-IP-1.25-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Sys-Hostname-Long-1.4-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Sys-Hostname-Long-1.4-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Sys-Syslog-0.18-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Sys-Syslog-0.18-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Digest-MD5-2.36-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Digest-MD5-2.36-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Digest-SHA1-2.11-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Digest-SHA1-2.11-1.noarch.rpm.
Maybe it did not build correctly?

Attempting to build and install perl-Net-DNS-0.63-1
--rebuild: unknown option

Missing file /usr/src/redhat/RPMS/noarch/perl-Net-DNS-0.63-1.noarch.rpm.
Maybe it did not build correctly?

Installing tnef decoder

Preparing? ##################################################
package tnef-1.4.3-1.i386 have installed

Now to install MailScanner itself.

NOTE: If you get lots of errors here, run the install.sh script
NOTE: again with the command "./install.sh nodeps"

Preparing? ########################################### [100%]
Package mailscanner-4.68.8-1.noarch have installed
----------------------------------------------------------
Please buy the MailScanner book from www.mailscanner.info!
It is a very useful administration guide and introduction
to MailScanner. All the proceeds go directly to making
MailScanner a better supported package than it is today.

[root@www MailScanner-4.68.8-1]# service MailScanner start
Starting MailScanner daemons:
         incoming postfix: [ok]
         outgoing postfix: [ok]
         MailScanner: Can't locate Filesys/Df.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 . /usr/lib/MailScanner) at /usr/sbin/MailScanner line 66.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 66.
[ok]
[root@www MailScanner-4.68.8-1]# service MailScanner status
Checking MailScanner daemons:
         MailScanner: [failed]
[root@www MailScanner-4.68.8-1]#

From rgreen at trayerproducts.com Wed Apr 9 12:07:51 2008
From: rgreen at trayerproducts.com (Rodney Green)
Date: Wed Apr 9 12:08:21 2008
Subject: Where to increase the RAZOR2_CF scores?
In-Reply-To: <3BF93070B3D1B047BA7ABF612958950D02CF60C9@hcex.hartwellcorp.com>
References: <3BF93070B3D1B047BA7ABF612958950D02CF60C9@hcex.hartwellcorp.com>
Message-ID: <47FCA387.6050805@trayerproducts.com>

I believe the scores you are looking for are in /usr/share/spamassassin/50_scores.cf. You would want to actually change the scores in your MailScanner spam.assassin.prefs.conf file.
You could find the score lines in the 50_scores.cf file and copy them to spam.assassin.prefs.conf and modify the scores there. spam.assassin.prefs.conf scores override 50_scores.cf.

Hope that helps,
Rod

Michael St. Laurent wrote:
> I was wondering how I would see all the rule names for Razor2 matches
> and which file would be the best place to add increased scores for them.
>
> Thanks. ;)
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
>

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From root at doctor.nl2k.ab.ca Wed Apr 9 12:35:32 2008
From: root at doctor.nl2k.ab.ca (Dave Shariff Yadallee - System Administrator a.k.a. The Root of the Problem)
Date: Wed Apr 9 12:36:59 2008
Subject: Now that is odd!
Message-ID: <20080409113531.GA9136@doctor.nl2k.ab.ca>

Julian, just woke up this morning to see that my secondary Mail Server was running 52 MailScanner processes. Looks as if they did not quit after finishing.

This is the 4.68 stable. This is the same box I tried to run 4.69.1 .

Any known issues?

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From telecaadmin at gmail.com Wed Apr 9 13:37:44 2008
From: telecaadmin at gmail.com (Ronny T. Lampert)
Date: Wed Apr 9 13:38:22 2008
Subject: MS hangs with strange clamav database (SOLVED)
In-Reply-To:
References: <47FA0583.1060509@gmail.com> <223f97700804070454m89e2dc2s4e1079e19efef1f8@mail.gmail.com> <223f97700804070456j39092b34i93a4b07628ee041b@mail.gmail.com> <47FA1852.6040906@gmail.com>
Message-ID: <47FCB898.5070905@gmail.com>

>> >> need look something like:
>> >>
>> >> Monitors for ClamAV Updates = /var/clamav/*.inc/* /var/clamav/*.?db
>> >> /var/clamav/*.cvd
>>
>> I completely seem to have forgotten about the incrementals... shame on
>> me.
>> Don't know when that setting got wrong. But alas, I've changed it
>> because it really does look sensible.
>>
>> Thanks Glen!

> Make sure that it is the right directory for your system, as Julian's
> install package of clam seems to use the clamav default of
> /usr/local/share/clamav/

Yes it is (/var/clamav); I'm rolling my own optimized packages which I build from SRPMS for easy updating across all my servers.

Cheers!

From alex at skynet-srl.com Wed Apr 9 14:20:16 2008
From: alex at skynet-srl.com (Alex)
Date: Wed Apr 9 14:21:19 2008
Subject: Mailscanner not work on Fedora 8
In-Reply-To: <200804091100.m39B03vE001875@safir.blacknight.ie>
References: <200804091100.m39B03vE001875@safir.blacknight.ie>
Message-ID: <47FCC290.30503@skynet-srl.com>

> Subject:
> Mailscanner not work on Fedora 8
> From:
> "Michael Lai"
> Date:
> Wed, 09 Apr 2008 17:30:55 +0800
> To:
> mailscanner@lists.mailscanner.info
>
> To:
> mailscanner@lists.mailscanner.info
>
> Content-Transfer-Encoding:
> 8bit
> Precedence:
> list
> MIME-Version:
> 1.0
> Reply-To:
> MailScanner discussion
> Message-ID:
>
> Content-Type:
> text/plain; charset="UTF-8"
> Message:
> 19
>
>
> I try to install MailScanner on Fedora 8(Postfix run on it), but I got
> the error messages. I have no idea to resolve the problem. Please
> suggest.
> Thank you,
> Michael
>
> [root@www MailScanner-4.68.8-1]# ./install.sh
>
> Good. You have the patch command.
>
> [root@www MailScanner-4.68.8-1]# service MailScanner start
> Starting MailScanner daemons:
> incoming postfix: [ok]
> outgoing postfix: [ok]
> MailScanner: Can't locate Filesys/Df.pm in @INC (@INC contains: /usr/lib/MailScanner /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 . /usr/lib/MailScanner) at /usr/sbin/MailScanner line 66.
> BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 66.
> [ok]
> [root@www MailScanner-4.68.8-1]# service MailScanner status
> Checking MailScanner daemons:
> MailScanner: [failed]
> [root@www MailScanner-4.68.8-1]#
>
>
>

99 on 100 you have to compile the Scalar-List-Utils-1.19 (grab it from CPAN)

It seems it is broken in F7 and F8 (F9? who knows)

After doing that install MS and be happy

Hope this helps

Ciaoooo

Alessandro Bianchi

--
*SkyNet SRL*
P.zza XXV Aprile 14 - 28021 Borgomanero (NO) - ITALY
Tel. +39 0322 836487/834765 - Fax.+39 0322.836608
info@skynet-srl.com -www.skynet-srl.com

The information contained in this message is private and confidential, and its distribution in any form is prohibited. If you are not the person for whom this message is intended, please delete it without reading it and kindly let us know. For any information on this matter, please contact info@skynet-srl.com . ( Ref. D.L. 196/200 )

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080409/d4f3cd0f/attachment.html

From gwong at linktechit.com Wed Apr 9 14:34:39 2008
From: gwong at linktechit.com (Gregory Wong)
Date: Wed Apr 9 14:35:22 2008
Subject: SA-Update Problem
Message-ID:

I am having issues when I run SA-Update. I get the following error:

Insecure dependency in open while running with -T switch at /usr/lib/perl/5.8/IO/File.pm line 188.

I have searched and it looks like I am missing a perl module IO::File but when I try to install it in CPAN it says it cannot be found. Any suggestions?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080409/ea6834a9/attachment.html

From wm at meta.net Wed Apr 9 14:47:29 2008
From: wm at meta.net (Michael Weis)
Date: Wed Apr 9 14:49:56 2008
Subject: misuse MailScanner
In-Reply-To: <223f97700804080425y7058a376v8b95b558e6ba3d27@mail.gmail.com>
References: <47FB3A63.2040602@meta.net> <223f97700804080425y7058a376v8b95b558e6ba3d27@mail.gmail.com>
Message-ID: <47FCC8F1.9020406@meta.net>

Glenn Steen wrote:
> On 08/04/2008, Michael Weis wrote:
>
>> Hello everyone,
>>
>> we are planning to create an email-account to which
>> only mails with attachments will be sent.
>>
>> I have the job to extract these attachments from
>> the mail and handle them
>> (save, print, archive)
>>
>> So far so good, but I have no idea
>> how to get the attachments to a disk.
>>
>> I know mailscanner does this while scanning
>> for viruses (right?).
>>
>> So how can I tell mailscanner to just save
>> attachments from a certain user's emails ?
>> (no problem if they were scanned before)
>>
>> I searched the mailing-list-archive
>> but it seemed that nobody has to do this
>> before.
>>
>>
>
> You can use numerous tools and do this at several "levels"... Since
> the non-spam quarantine wouldn't contain the "decoded" attachment, you
> can't use that (a simple "store" for that user in a ruleset on Non
> Spam Actions), but rather would have to do something else ... a
> CustomFunction or perhaps the spiffy SpamAssassin rule actions... But
> simplest would perhaps be to use procmail at delivery and/or some tool
> like mmdecode/metamail or whatnot.
> Been a few years (... like ... 10...:-) since last I needed do
> anything like that... might be easier now:-).
>
> Cheers
>

Thanks for this quick reply Glenn,

at first I want to apologize for my first mail,
it has not a good subject; should be "let MailScanner save attachments"
or so

second I haven't told what I have done so far
well:
I configured fetchmail to fetch the mail from the account :-)
next I configured procmail to process the mail with a python-
script I downloaded from the internet.
This script should extract the attachment from the mail.
But the script has an error.

I have to say that I'm just a "copy'n'paste" programmer in python,
so it was not possible for me to eliminate the error in the python-script

So that took me over a day (procmail-receipts are awful).
I had the idea to use MailScanner for the job after giving up on the
procmail-way.

MailScanner idea:
All mail-attachments going to a certain user are stored in the
quarantine-directory.
To realize that MailScanner "just" has to not-delete the scanned messages.

Is this a possible way?


Greetings

Michael

--
meta Trennwandanlagen, meta Straße, D-56579 Rengsdorf
Legal form: GmbH & Co. KG, Amtsgericht Montabaur HRA 10582
Personally liable partner: meta Trennwandanlagen Verwaltungsgesellschaft mbH
Amtsgericht Montabaur HRB 10061, registered office: D-56579 Rengsdorf
Managing directors: Klaus Weidemann, Uwe Weidemann
VAT ID no. DE 149513506

From Amelein at dantumadeel.nl Wed Apr 9 15:11:52 2008
From: Amelein at dantumadeel.nl (Amelein@dantumadeel.nl)
Date: Wed Apr 9 15:12:52 2008
Subject: Betr.: Re: misuse MailScanner
In-Reply-To: <47FCC8F1.9020406@meta.net>
References: <47FB3A63.2040602@meta.net> <223f97700804080425y7058a376v8b95b558e6ba3d27@mail.gmail.com> <47FCC8F1.9020406@meta.net>
Message-ID: <47FCEAC8.BDBC.008E.3@Dantumadeel.nl>

>>> On 9-4-2008 at 3:47, in message <47FCC8F1.9020406@meta.net>, Michael Weis wrote:
>
> Glenn Steen wrote:
>> On 08/04/2008, Michael Weis wrote:
>>
>>> Hello everyone,
>>>
>>> we are planning to create an email-account to which
>>> only mails with attachments will be sent.
>>>
>>> I have the job to extract these attachments from
>>> the mail and handle them
>>> (save, print, archive)
>>>
>>> So far so good, but I have no idea
>>> how to get the attachments to a disk.
>>>
>>> I know mailscanner does this while scanning
>>> for viruses (right?).
>>>
>>> So how can I tell mailscanner to just save
>>> attachments from a certain user's emails ?
>>> (no problem if they were scanned before)
>>>
>>> I searched the mailing-list-archive
>>> but it seemed that nobody has to do this
>>> before.
>>>
>>>
>>
>> You can use numerous tools and do this at several "levels"... Since
>> the non-spam quarantine wouldn't contain the "decoded" attachment, you
>> can't use that (a simple "store" for that user in a ruleset on Non
>> Spam Actions), but rather would have to do something else ... a
>> CustomFunction or perhaps the spiffy SpamAssassin rule actions... But
>> simplest would perhaps be to use procmail at delivery and/or some tool
>> like mmdecode/metamail or whatnot.
>> Been a few years (... like ... 10...:-) since last I needed do
>> anything like that... might be easier now:-).
>>
>> Cheers
>>
>
> Thanks for this quick reply Glenn,
>
> at first I want to apologize for my first mail,
> it has not a good subject; should be "let MailScanner save attachments"
> or so
>
> second I haven't told what I have done so far
> well:
> I configured fetchmail to fetch the mail from the account :-)
> next I configured procmail to process the mail with a python-
> script I downloaded from the internet.
> This script should extract the attachment from the mail.
> But the script has an error.
>
> I have to say that I'm just a "copy'n'paste" programmer in python,
> so it was not possible for me to eliminate the error in the python-script
>
> So that took me over a day (procmail-receipts are awful).
> I had the idea to use MailScanner for the job after giving up on the
> procmail-way.
>
> MailScanner idea:
> All mail-attachments going to a certain user are stored in the
> quarantine-directory.
> To realize that MailScanner "just" has to not-delete the scanned messages.
>
> Is this a possible way?
>
>
> Greetings
>
> Michael

You could put a ruleset in the 'Non Spam Actions' to store anything for that certain address I think. Either that or try with archiving rules.

- Arjan

**************************************************************************
The contents of this e-mail are intended solely for the addressee(s). If this e-mail has reached you in error, you are requested to contact the sender. Use of the contents of this e-mail without the sender's permission is not permitted and is unlawful. No rights can be derived from the contents of this e-mail. The municipality of Dantumadeel excludes any liability that may arise from the contents of this e-mail.
THINK OF OUR ENVIRONMENT BEFORE YOU DECIDE TO PRINT THIS E-MAIL!
**************************************************************************

From MailScanner at ecs.soton.ac.uk Wed Apr 9 15:17:20 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Apr 9 15:18:09 2008
Subject: SA-Update Problem
In-Reply-To:
References:
Message-ID: <47FCCFF0.3080906@ecs.soton.ac.uk>

Tell CPAN to install "IO" and not "IO::File" and it should find that one.

Gregory Wong wrote:
> I am having issues when I run SA-Update. I get the following error:
>
> Insecure dependency in open while running with -T switch at
> /usr/lib/perl/5.8/IO/File.pm line 188.
>
> I have searched and it looks like I am missing a perl module IO::File
> but when I try to install it in CPAN it says it cannot be found.
>
> Any suggestions?

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner? Contact me!
Need help fixing or optimising your systems? Contact me!
Need help getting you started solving new requirements from your boss? Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From mkettler at evi-inc.com Wed Apr 9 15:33:54 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Apr 9 15:34:59 2008
Subject: SA-Update Problem
In-Reply-To:
References:
Message-ID: <47FCD3D2.9030002@evi-inc.com>

Gregory Wong wrote:
> I am having issues when I run SA-Update. I get the following error:
>
> Insecure dependency in open while running with -T switch at
> /usr/lib/perl/5.8/IO/File.pm line 188.
>
> I have searched and it looks like I am missing a perl module IO::File
> but when I try to install it in CPAN it says it cannot be found.
>
> Any suggestions?

Well, you're definitely not missing IO::File.. It was running in that module when the error occurred.
It's got to be present to be running ;)

Anyway, CPAN should work for IO::File, ie: this command line should work:

perl -MCPAN -e 'install IO::File'

However, your problem could be one of two problems. Either your IO::File is corrupted or your SpamAssassin is old and buggy..

Are you by chance running a fairly old SpamAssassin (ie: pre 3.2.0?)

Some possibly related bugs:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5061
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5216

Also in this post:
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200702.mbox/%3c45CBAB37.8060409@dostech.ca%3e

Daryl O'Shea implies that this exact error message is a known issue in SA pre 3.1.0.

From gborders at balanceconsult.com Wed Apr 9 17:16:55 2008
From: gborders at balanceconsult.com (Greg Borders)
Date: Wed Apr 9 17:18:09 2008
Subject: misuse MailScanner
In-Reply-To: <47FB3A63.2040602@meta.net>
References: <47FB3A63.2040602@meta.net>
Message-ID: <47FCEBF7.2070205@balanceconsult.com>

Michael Weis wrote:
> Hello everyone,
>
> we are planning to create an email-account to which
> only mails with attachments will be sent.
>
> I have the job to extract these attachments from
> the mail and handle them
> (save, print, archive)
>
> So far so good, but I have no idea
> how to get the attachments to a disk.
>
> I know mailscanner does this while scanning
> for viruses (right?).
>
> So how can I tell mailscanner to just save
> attachments from a certain user's emails ?
> (no problem if they were scanned before)
>
> I searched the mailing-list-archive
> but it seemed that nobody has to do this
> before.
>
>
> Greetings and thanks in advance
>
>
> Michael
>

I have used a combination of a procmail recipe and the oh so sweet tool *ripmime* (http://www.pldaniels.com/ripmime/) to auto extract attachments from mail in a sendmail environment. (should work with other MTAs.)
With a simple bash script triggered by the procmail recipe, you can easily 'rip out' attachments and do what ever to it (save, print, archive) within the script, with no need to monkey around with your mailscanner setup whatsoever.

Hope this helps!
Greg.

--
This email message and any document accompanying it may contain information intended only for the person(s) named. Any use, distribution, copying or disclosure by another person is strictly prohibited.

NOTICE TO PERSONS SUBJECT TO UNITED STATES TAXATION: DISCLOSURE UNDER TREASURY CIRCULAR 230: Any tax advice included in this written or electronic communication was not intended or written to be used, and it cannot be used by the taxpayer, for the purpose of avoiding any penalties that may be imposed on the taxpayer by any governmental taxing authority or agency. This written or electronic communication does not represent legal advice. Persons in need of a legal opinion should seek competent counsel.

From glenn.steen at gmail.com Wed Apr 9 18:35:38 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Apr 9 18:36:14 2008
Subject: misuse MailScanner
In-Reply-To: <47FCEBF7.2070205@balanceconsult.com>
References: <47FB3A63.2040602@meta.net> <47FCEBF7.2070205@balanceconsult.com>
Message-ID: <223f97700804091035h207cce08w32ac47e09d859ca6@mail.gmail.com>

On 09/04/2008, Greg Borders wrote:
>
> Michael Weis wrote:
> Hello everyone,
>
> we are planning to create an email-account to which
> only mails with attachments will be sent.
>
> I have the job to extract these attachments from
> the mail and handle them
> (save, print, archive)
>
> So far so good, but I have no idea
> how to get the attachments to a disk.
>
> I know mailscanner does this while scanning
> for viruses (right?).
>
> So how can I tell mailscanner to just save
> attachments from a certain user's emails ?
> (no problem if they were scanned before)
>
> I searched the mailing-list-archive
> but it seemed that nobody has to do this
> before.
>
>
> Greetings and thanks in advance
>
>
> Michael
>
> I have used a combination of a procmail recipe and the oh so sweet tool
> ripmime (http://www.pldaniels.com/ripmime/) to auto extract
> attachments from mail in a sendmail environment. (should work with other
> MTAs.) With a simple bash script triggered by the procmail recipe, you can
> easily 'rip out' attachments and do what ever to it (save, print, archive)
> within the script, with no need to monkey around with your mailscanner setup
> whatsoever.
>
> Hope this helps!
> Greg.
>

Ah, thanks Greg.... I had a faint recollection that there had been a thread like this before, and that someone (you, likely) suggested a more ... modern tool:-).

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From Rich.West at wesmo.com Wed Apr 9 18:44:00 2008
From: Rich.West at wesmo.com (Rich West)
Date: Wed Apr 9 18:46:06 2008
Subject: MailScanner + Sendmail = "user unknown"
Message-ID: <47FD0060.3020302@wesmo.com>

I've inherited a MailScanner setup that is pretty questionable (from a security standpoint), and I'm rebuilding the box from scratch. I've gotten everything installed (CentOS, clamav, SA, MailScanner, Sendmail) to have the system act as a relay to an exchange backend.

Oddly, it does not seem to be picking up the messages that are being left in /var/spool/mqueue.in. I see the messages being deposited there, but they don't seem to be acted upon. Is there, perhaps, a setting that I might have missed/glossed over that is obvious?

-Rich

From mikes at hartwellcorp.com Wed Apr 9 18:52:52 2008
From: mikes at hartwellcorp.com (Michael St. Laurent)
Date: Wed Apr 9 18:54:21 2008
Subject: Where to increase the RAZOR2_CF scores?
Message-ID: <3BF93070B3D1B047BA7ABF612958950D02CF60D5@hcex.hartwellcorp.com>

There's no loop in there Hugo. There's a Proxy for SMTP connections involved in the transaction but there is no loop.

> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf
> Of Hugo van der Kooij
> Sent: Tuesday, April 08, 2008 2:41 PM
> To: MailScanner discussion
> Subject: Re: Where to increase the RAZOR2_CF scores?
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Michael St. Laurent wrote:
> | I was wondering how I would see all the rule names for
> Razor2 matches
> | and which file would be the best place to add increased
> scores for them.
>
> Could you fix the loop in your SMTP network FIRST? This is
> bound to get
> you into trouble sooner or later.
>
> Check out these headers:
>
> Received: from safir.blacknight.ie (safir.blacknight.ie [83.98.192.7])
> by balin.waakhond.net (Postfix) with ESMTP id 4F19417E83BF
> for ; Tue, 8 Apr 2008
> 23:22:34 +0200 (CEST)
> Received: from safir.blacknight.ie (safir.blacknight.ie [127.0.0.1])
> by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id
> m38LJOXw000373;
> Tue, 8 Apr 2008 22:19:32 +0100
> X-Mailman-Handler: $Id: mm-handler,v 1.2 2002/04/05 19:41:09
> bwarsaw Exp $
> Received: from hcfw1.hartwellcorp.com (guardian.hartwellcorp.com
> [216.237.48.18])
> by safir.blacknight.ie (8.13.1/8.13.1) with ESMTP id
> m38KCqva028641
> for ; Tue, 8 Apr
> 2008 21:13:25 +0100
> X-Hartwell-MailScanner-Watermark:
> 1208290368.35685@76WyA74NVfugdnG4EGswsQ
> Received: (from mail@localhost)
> by hcfw1.hartwellcorp.com (8.13.8/8.12.8) id m38KCmbW020237
> for ; Tue, 8 Apr
> 2008 13:12:48 -0700
> X-Authentication-Warning: hcfw1.hartwellcorp.com: mail set sender to
> using -f
> X-Authentication-Warning: hcfw1.hartwellcorp.com: Processed from queue
> /var/spool/mqueue.in/
> Received: from hcex.hartwellcorp.com (EHLO hcex.hartwellcorp.com)
> (10.11.10.14) by hcfw1.hartwellcorp.com via smap
> (V2.1+anti-relay+anti-spam) id xma020233; Tue, 8 Apr 08
> 20:12:41 GMT
> X-MimeOLE: Produced By Microsoft Exchange V6.5
>
>
> Hugo.
>
> - --
> hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/
> PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc
>
> A: Yes.
> >Q: Are you sure?
> >>A: Because it reverses the logical flow of conversation.
> >>>Q: Why is top posting frowned upon?
>
> Bored? Click on http://spamornot.org/ and rate those images.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
>
> iD8DBQFH++ZrBvzDRVjxmYERAhXGAKCxvTwu6ZcTE5Qc9BCxdPypbxKGswCffxqD
> RHI9GzlxJxf51eDm0GvSD0I=
> =oy69
> -----END PGP SIGNATURE-----
> --
> MailScanner mailing list
> mailscanner@lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>

From glenn.steen at gmail.com Wed Apr 9 19:17:51 2008
From: glenn.steen at gmail.com (Glenn Steen)
Date: Wed Apr 9 19:18:28 2008
Subject: MailScanner + Sendmail = "user unknown"
In-Reply-To: <47FD0060.3020302@wesmo.com>
References: <47FD0060.3020302@wesmo.com>
Message-ID: <223f97700804091117m725ff4bekd5d5a883afc98569@mail.gmail.com>

On 09/04/2008, Rich West wrote:
> I've inherited a MailScanner setup that is pretty questionable (from a
> security standpoint), and I'm rebuilding the box from scratch. I've
> gotten everything installed (CentOS, clamav, SA, MailScanner, Sendmail)
> to have the system act as a relay to an exchange backend.
>
> Oddly, it does not seem to be picking up the messages that are being
> left in /var/spool/mqueue.in. I see the messages being deposited there,
> but they don't seem to be acted upon. Is there, perhaps, a setting that I
> might have missed/glossed over that is obvious?
>
> -Rich

Versions? Have you run "MailScanner --lint" and/or "MailScanner --debug"? What does "ps -ef" tell you?
Is MailScanner running, and what does it claim it is doing?

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

From brose at med.wayne.edu Wed Apr 9 19:19:21 2008
From: brose at med.wayne.edu (Rose, Bobby)
Date: Wed Apr 9 19:20:03 2008
Subject: Whitelist/Blacklists and BATV
In-Reply-To: <47FB6A88.4000608@ecs.soton.ac.uk>
References: <47F90C41.9060401@ecs.soton.ac.uk><625385e30804080509q43762cbsc39c7a5d87cb9939@mail.gmail.com> <47FB6A88.4000608@ecs.soton.ac.uk>
Message-ID: <610C64469748E84DB6BDD5BD23F01A761804C7@MED-CORE03-MS1.med.wayne.edu>

I'm starting to see BATV use increasing. Has anyone thought about how this affects whitelists, mta acls, etc? It looks like such things are broken because if an end-user whitelists joe@foo.com and BATV has the mail from as prvs=joe=1312@foo.com, then that whitelisting has no effect. And since the BATV signature changes, they can't whitelist that even if they knew what batv signed address was for that sender.

Any thought about how to resolve this? I was thinking of stripping out the batv stuff to get the senders address for matching but I see different kinds of prvs= addresses out there.
Some have prvs=xxxxx=joe@foo.com and others have prvs=joe=xxxx@foo.com

Bobby

From mkercher at nfsmith.com Wed Apr 9 19:26:20 2008
From: mkercher at nfsmith.com (Mike Kercher)
Date: Wed Apr 9 19:27:20 2008
Subject: MailScanner + Sendmail = "user unknown"
In-Reply-To: <47FD0060.3020302@wesmo.com>
References: <47FD0060.3020302@wesmo.com>
Message-ID: <224FA7E11EA39E45843E11CEBBD3A36F96DE4D@HOUPEX01.nfsmith.info>

-----Original Message-----
From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rich West
Sent: Wednesday, April 09, 2008 12:44 PM
To: mailscanner@lists.mailscanner.info
Subject: MailScanner + Sendmail = "user unknown"

I've inherited a MailScanner setup that is pretty questionable (from a security standpoint), and I'm rebuilding the box from scratch. I've gotten everything installed (CentOS, clamav, SA, MailScanner, Sendmail) to have the system act as a relay to an exchange backend.

Oddly, it does not seem to be picking up the messages that are being left in /var/spool/mqueue.in. I see the messages being deposited there, but they don't seem to be acted upon. Is there, perhaps, a setting that I might have missed/glossed over that is obvious?

-Rich


--

Did you:

service sendmail stop
chkconfig sendmail off
chkconfig MailScanner on
service MailScanner start

Mike

From izghitu at gmail.com Wed Apr 9 19:35:03 2008
From: izghitu at gmail.com (George)
Date: Wed Apr 9 19:35:37 2008
Subject: Spamassassin not detecting spam
Message-ID: <948a6d890804091135y4f6de66dn2c9cec8dead37f9@mail.gmail.com>

Hi,

I am new to MailScanner so please excuse me if this is a stupid help request.

I have CentOS 5 with the latest MailScanner, the latest ClamAV, the latest SpamAssassin, the latest Postfix and the latest MailWatch.

I set everything up using the docs from www.mailscanner.info

I set up the SARE spamassassin rules.

The issue is that all messages that are scanned by MS/SA get a 0 spam score.

The SA lint shows that all the rules/filters are parsed but in the end the spam score is almost always 0

Am I doing anything wrong? Where should I look at? Is this the right place to ask for help?

Thanks

From test at remedial-teacher.nl Wed Apr 9 19:57:38 2008
From: test at remedial-teacher.nl (Test)
Date: Wed Apr 9 20:00:27 2008
Subject: Spamassassin not detecting spam
In-Reply-To: <948a6d890804091135y4f6de66dn2c9cec8dead37f9@mail.gmail.com>
References: <948a6d890804091135y4f6de66dn2c9cec8dead37f9@mail.gmail.com>
Message-ID: <20080409205617.A8E0.EE63E960@remedial-teacher.nl>

did you try the sample spam mails ? (/usr/share/doc/spamassassin-3.2.4/sample-spam.txt)

--
Test

From MailScanner at ecs.soton.ac.uk Wed Apr 9 20:01:02 2008
From: MailScanner at ecs.soton.ac.uk (Julian Field)
Date: Wed Apr 9 20:01:45 2008
Subject: Spamassassin not detecting spam
In-Reply-To: <948a6d890804091135y4f6de66dn2c9cec8dead37f9@mail.gmail.com>
References: <948a6d890804091135y4f6de66dn2c9cec8dead37f9@mail.gmail.com>
Message-ID: <47FD126E.2010205@ecs.soton.ac.uk>

George wrote:
> Hi,
>
> I am new to MailScanner so please excuse me if this is a stupid help request.
>
> I have CentOS 5 with the latest MailScanner, the latest ClamAV, the
> latest SpamAssassin, the latest Postfix and the latest MailWatch.
>
> I set everything up using the docs from www.mailscanner.info
>
> I set up the SARE spamassassin rules.
>
> The issue is that all messages that are scanned by MS/SA get a 0 spam score.
>
> The SA lint shows that all the rules/filters are parsed but in the end
> the spam score is almost always 0
>

spamassassin -t < sample-spam.txt

will take the sample-spam.txt (shipped as part of the SpamAssassin distribution) and process it through your SpamAssassin setup and print a report on the end of it that shows what rules it hits and what its score is. Do that, and see what it says; do come back and tell us what it says.

If it says 0 then you've got a SpamAssassin problem and really need to ask on the SpamAssassin list.

If it gets 1000 points, then SpamAssassin is basically working, and the problem lies elsewhere. If so, then tell us what settings in MailScanner.conf you changed ("MailScanner --changed" will help you there).

To start with, you don't actually need to change any settings in that file at all, except for the ones the "Installing MailScanner with Postfix" told you to. So I hope you didn't go through it randomly changing stuff :-)

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules@Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

From vernon at comp-wiz.com Wed Apr 9 21:24:11 2008
From: vernon at comp-wiz.com (Vernon Webb)
Date: Wed Apr 9 21:24:51 2008
Subject: Mail Within my own domain name is being labeled as Spam
Message-ID: <026c01c89a7f$abdef960$039cec20$@com>

I have recently removed and reinstalled MailScanner and since that time I have noticed that mail for email addresses that exist on my own server are being labeled as spam. Anyone have any ideas?

Vernon Webb
(201) 703-1232
web designs & web hosting by comp-wiz.com, inc.

Information in this transmission is privileged & confidential. It is intended for the use of the individual or entity named above. Any review, dissemination, disclosure, alteration, printing, circulation or transmission of this email or its attachments is prohibited and unlawful.

--
This message has been scanned for viruses and
dangerous content at comp-wiz.com, and is
believed to be clean.

From Rich.West at wesmo.com Wed Apr 9 21:47:45 2008
From: Rich.West at wesmo.com (Rich West)
Date: Wed Apr 9 21:49:47 2008
Subject: MailScanner + Sendmail = stuck mail?
In-Reply-To: <224FA7E11EA39E45843E11CEBBD3A36F96DE4D@HOUPEX01.nfsmith.info>
References: <47FD0060.3020302@wesmo.com> <224FA7E11EA39E45843E11CEBBD3A36F96DE4D@HOUPEX01.nfsmith.info>
Message-ID: <47FD2B71.5020908@wesmo.com>

Mike Kercher wrote:
>
>
> -----Original Message-----
> From: mailscanner-bounces@lists.mailscanner.info
> [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Rich
> West
> Sent: Wednesday, April 09, 2008 12:44 PM
> To: mailscanner@lists.mailscanner.info
> Subject: MailScanner + Sendmail = "user unknown"
>
> I've inherited a MailScanner setup that is pretty questionable (from a
> security standpoint), and I'm rebuilding the box from scratch. I've
> gotten everything installed (CentOS, clamav, SA, MailScanner, Sendmail)
> to have the system act as a relay to an exchange backend.
>
> Oddly, it does not seem to be picking up the messages that are being
> left in /var/spool/mqueue.in. I see the messages being deposited there,
> but they don't seem to be acted upon. Is there, perhaps, a setting that I
> might have missed/glossed over that is obvious?
>
> -Rich
>
>
> --
>
> Did you:
>
> service sendmail stop
> chkconfig sendmail off
> chkconfig MailScanner on
> service MailScanner start

Yes, I let MailScanner control the sendmail process.

I guess I am wondering if there is anything special that needs to be done with the sendmail.cf or submit.cf.. is sendmail just supposed to be configured as a nullclient? If I configure it as a null client, the message gets delivered immediately and seems to bypass MailScanner altogether..
However, when I configure it with a smart host (vs doing a null client), it gets delivered to the /var/spool/mqueue.in directory and doesn't go anywhere from there..

-Rich

From mkettler at evi-inc.com Wed Apr 9 22:02:12 2008
From: mkettler at evi-inc.com (Matt Kettler)
Date: Wed Apr 9 22:03:10 2008
Subject: Mail Within my own domain name is being labeled as Spam
In-Reply-To: <026c01c89a7f$abdef960$039cec20$@com>
References: <026c01c89a7f$abdef960$039cec20$@com>
Message-ID: <47FD2ED4.7060401@evi-inc.com>

Vernon Webb wrote:
> I have recently removed and reinstalled MailScanner and since that time I
> have noticed that mail for email addresses that exist on my own server
> are being labeled as spam. Anyone have any ideas?
>

Got a SpamCheck header from one of the messages?

That should tell us what's going on, but without that it's anyone's guess...

ie the one that looks similar to this:

X-EVI-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.349, required 5, FORGED_RCVD_HELO 0.14, HTML_MESSAGE 0.00, HTML_TEXT_AFTER_BODY 0.12, INFO_GREYLIST_NOTDELAYED -0.00, L_S_WORDGEN 0.10, SPF_PASS -0.00)

From vernon at comp-wiz.com Wed Apr 9 22:21:25 2008
From: vernon at comp-wiz.com (Vernon Webb)
Date: Wed Apr 9 22:22:03 2008
Subject: Mail Within my own domain name is being labeled as Spam
Message-ID: <02df01c89a87$aa7b02f0$ff7108d0$@com>

Actually let me make a correction. The problem seems to be when someone responds to an email that it is labeled as SPAM but on the same domain.

From: Vernon Webb [mailto:vernon@comp-wiz.com]
Sent: Wednesday, April 09, 2008 4:24 PM
To: MailScanner discussion
Subject: Mail Within my own domain name is being labeled as Spam

I have recently removed and reinstalled MailScanner and since that time I have noticed that mail for email addresses that exist on my own server are being labeled as spam. Anyone have any ideas?

Vernon Webb
(201) 703-1232
web designs & web hosting by comp-wiz.com, inc.
Information in this transmission is privileged & confidential. It is intended for the use of the individual or entity named above. Any review, dissemination, disclosure, alteration, printing, circulation or transmission of this email or it's attachments is prohibited and unlawful. -- This message has been scanned for viruses and dangerous content at comp-wiz.com, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20080409/e5dff626/attachment.html From mikea at mikea.ath.cx Wed Apr 9 22:21:37 2008 From: mikea at mikea.ath.cx (mikea) Date: Wed Apr 9 22:22:14 2008 Subject: New server request In-Reply-To: <57573D714A832C43B9D80EAFBDA48D030A03EC5A@inex3.herffjones.hj-int> References: <47FB765B.6030402@pixelhammer.com> <47FB8081.4090208@sendit.nodak.edu> <47FBDBE3.3080204@pixelhammer.com> <57573D714A832C43B9D80EAFBDA48D030A03EC5A@inex3.herffjones.hj-int> Message-ID: <20080409212137.GD72084@mikea.ath.cx> On Tue, Apr 08, 2008 at 07:48:55PM -0400, Furnish, Trever G wrote: > Not really what you're looking for, but I run a small shell script that > sends a daily report of the previous day's delay reading as logged by > the sendmail process that handles mail in the queue after MailScanner > processes messages. My set-up only handles mail coming in from the > Internet to internal users, which makes the logic simpler. YMMV -- > you'd definitely need to change the code at least a little to fit your > environment, especially to distinguish between "inbound Internet mail" > and others. > > It produces output like so: > > Output from script /sysadm/scripts/local/report_delay.sh running on host > relay2.public.herff-jones.com under account root. > > This report shows the delay for message delivery as reported by sendmail > (...are you running sendmail?). 
These are only messages that were > already passed through by MS -- some 180K msgs are blocked each day by > the same system. [skip delay-length report] > The report only comes to me so I haven't worried about fixing the > outlying cases that appear to have taken nearly an hour -- they're not > real problems. > > You could easily get more granular if you need to. Having the report > helps me rest more easily -- I had no stats to back up my claim that > there wasn't a problem the first time I had a conversation with someone > claiming delivery was unreasonably slow. The "anything under three days > is good per the RFC" argument didn't go over very well. :-) > > I'm embarrassed by some of the code -- hit me up off-list if you want > the script, but I mostly thought the idea might be useful. :-) I've independently flanged up a similar script, which provides reports for me and (when people start complaining about delays) management. It has proven very useful to me for tweaking things, and to management for mollifying users. -- Mike Andrews, W5EGO mikea@mikea.ath.cx Tired old sysadmin From octaviomaiden at yahoo.com Wed Apr 9 22:25:43 2008 From: octaviomaiden at yahoo.com (Octavio) Date: Wed Apr 9 22:26:18 2008 Subject: Maximum Attachment Size In-Reply-To: <026c01c89a7f$abdef960$039cec20$@com> Message-ID: <964446.71032.qm@web38903.mail.mud.yahoo.com> Hi I try to use the parameter Max Attachment Size but it seems doesnt works, there is something wrong? here is what I use ###MailScanner.conf Maximum Attachment Size = /etc/MailScanner/rules/max.attachment.size ###/etc/MailScanner/rules/max.attachment.size To: userlocal@domainlocal.com 100 FromOrTo: default -1 I configure those parameters and test with a 500k mail attach and it is allowed without restrictions there is something else I have to do? thanks ____________________________________________________________________________________ ?Capacidad ilimitada de almacenamiento en tu correo! 
From ishukor at gmail.com Wed Apr 9 22:27:19 2008 From: ishukor at gmail.com (ishukor) Date: Wed Apr 9 22:28:03 2008 Subject: MailScanner with DomainKey Message-ID: How to implement MailScanner with domainkey, DKIM, DKIMproxy or it doesn't support it yet. From izghitu at gmail.com Wed Apr 9 22:33:58 2008 From: izghitu at gmail.com (George) Date: Wed Apr 9 22:34:32 2008 Subject: Spamassassin not detecting spam In-Reply-To: <47FD126E.2010205@ecs.soton.ac.uk> References: <948a6d890804091135y4f6de66dn2c9cec8dead37f9@mail.gmail.com> <47FD126E.2010205@ecs.soton.ac.uk> Message-ID: <948a6d890804091433v5ed1a419ra588c40a1e5b0bdb@mail.gmail.com> Hi, Thanks for your replies. Here's what I get when running that command: [root@cpm-group Mail-SpamAssassin-3.2.4]# spamassassin -t < ./sample-spam.txt Subroutine FuzzyOcr::O_CREAT redefined at /usr/lib/perl5/5.8.8/Exporter.pm line 65. at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/POSIX.pm line 19 Subroutine FuzzyOcr::O_EXCL redefined at /usr/lib/perl5/5.8.8/Exporter.pm line 65. at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/POSIX.pm line 19 Subroutine FuzzyOcr::O_RDWR redefined at /usr/lib/perl5/5.8.8/Exporter.pm line 65.
at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/POSIX.pm line 19 X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on cpm-group.com Subject: Test spam mail (GTUBE) Message-ID: Date: Wed, 23 Jul 2003 23:30:00 +0200 From: Sender To: Recipient Precedence: junk MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit This is the GTUBE, the Generic Test for Unsolicited Bulk Email If your spam filter supports it, the GTUBE provides a test by which you can verify that the filter is installed correctly and is detecting incoming spam. You can send yourself a test mail containing the following string of characters (in upper case and with no white spaces and line breaks): XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X You should send this test mail from an account outside of your network. (no report template found) Also when I run: sendmail email@domain.com < ./sample-spam.txt it gets fine to my email marked as non spam X-CPMGroup-MailScanner: Found to be clean X-CPMGroup-MailScanner-From: root@cpm-group.com X-Spam-Status: No Please help. Thanks > spamassassin -t < sample-spam.txt > will take the sample-spam.txt (shipped as part of the SpamAssassin > distribution) and process it through your SpamAssassin setup and print a > report on the end of it that shows what rules it hits and what its score is. > Do that, and see what it says; do come back and tell us what it says. > > If it says 0 then you've got a SpamAssassin problem and really need to ask > on the SpamAssassin list. > > If it gets 1000 points, then SpamAssassin is basically working, and the > problem lies elsewhere. If so, then tell us what settings in > MailScanner.conf you changed ("MailScanner --changed" will help you there). > > To start with, you don't actually need to change any settings in that file > at all, except for the ones the "Installing MailScanner with Postfix" told > you to. 
So I hope you didn't go through it randomly changing stuff :-) > > Jules > > -- > Julian Field MEng CITP CEng > www.MailScanner.info > Buy the MailScanner book at www.MailScanner.info/store > > MailScanner customisation, or any advanced system administration help? > Contact me at Jules@Jules.FM > > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654 > PGP public key: http://www.jules.fm/julesfm.asc > > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off the website! > From vernon at comp-wiz.com Wed Apr 9 22:39:19 2008 From: vernon at comp-wiz.com (Vernon Webb) Date: Wed Apr 9 22:39:56 2008 Subject: Mail Within my own domain name is being labeled as Spam In-Reply-To: <47FD2ED4.7060401@evi-inc.com> References: <026c01c89a7f$abdef960$039cec20$@com> <47FD2ED4.7060401@evi-inc.com> Message-ID: <02f001c89a8a$2b215bf0$816413d0$@com> > Got a SpamCheck header from one of the messages? That should tell us what's > going on, but without that it's anyone's guess... 
That's the thing, it doesn't really tell me much: Message-ID: <003f01c89a4f$99b8ad10$7301a8c0@D40C9HD1> MIME-Version: 1.0 Content-Type: multipart/alternative;boundary="----=_NextPart_000_0040_01C89A2E.12A70D10" X-Mailer: Microsoft Office Outlook 11 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 thread-index: AciaT5mLuN92LnQaTJKdUVuW2DPBNw== X-COMP-WIZ-MailScanner-Information: Please contact the ISP for more information X-MailScanner-ID: m39Ee286005325 X-COMP-WIZ-MailScanner: Found to be clean X-COMP-WIZ-MailScanner-SpamScore: ss X-COMP-WIZ-MailScanner-From: kbednarski@recruitsavvy.com X-Spam-Status: Yes X-UID: 55066 Status: RO Content-Length: 5734 From gwong at linktechit.com Wed Apr 9 22:54:32 2008 From: gwong at linktechit.com (Gregory Wong) Date: Wed Apr 9 22:55:16 2008 Subject: SA-Update Problem In-Reply-To: <47FCD3D2.9030002@evi-inc.com> Message-ID: I am running version 3.1.0. I have been wary to upgrade to the latest because I've read that there are bugs in SA that allows all mail through even if it's spam. On 4/9/08 10:33 AM, "Matt Kettler" wrote: Gregory Wong wrote: > I am having issues when I run SA-Update. I get the following error: > > Insecure dependency in open while running with -T switch at > /usr/lib/perl/5.8/IO/File.pm line 188. > > I have searched and it looks like I am missing a perl module IO::File > but when I try to install it in CPAN it says it cannot be found. > > Any suggestions? Well, you're definitely not missing IO::File.. It was running in that module when the error occurred. It's got to be present to be running ;) Anyway, CPAN should work for IO::File, ie: this command line should work: perl -MCPAN -e 'install IO::File' However, your problem could be one of two problems. Either your IO::File is corrupted or your SpamAssassin is old and buggy.. Are you by chance running a fairly old SpamAssassin (ie: pre 3.2.0?)
Some possibly related bugs: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5061 https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5216 Also in this post: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200702.mbox/%3c45CBAB37.8060409@dostech.ca%3e Daryl O'Shea implies that this exact error message is a known issue in SA pre 3.1.0. From ssilva at sgvwater.com Wed Apr 9 23:03:37 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Apr 9 23:04:41 2008 Subject: how to fix Blacklist In-Reply-To: References: <20080408041836.3585ECBE80@ws5-11.us4.outblaze.com> Message-ID: on 4-8-2008 11:28 PM Koopmann, Jan-Peter spake the following: >> If you run a mail server you should be reading your postmaster mail >> everyday. If you do not want to, then you should outsource your email >> to >> someone who will. > > Well spoken but far from reality. Most people don't and it really is not > necessary that much. If our system blocks you it will tell you why and > how to contact us via phone, chat, web whatever you like. In the real I get that everyday. My users couldn't/won't/are too stupid to read a bounce message and always assume it is our end. But then I still get a wrong number on the phone and instantly get the same caller because he hit the redial button (he/she just assumes that the phone or phone company dialed the number wrong). -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!
From ssilva at sgvwater.com Wed Apr 9 23:29:40 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Apr 9 23:30:22 2008 Subject: Spamassassin not detecting spam In-Reply-To: <948a6d890804091433v5ed1a419ra588c40a1e5b0bdb@mail.gmail.com> References: <948a6d890804091135y4f6de66dn2c9cec8dead37f9@mail.gmail.com> <47FD126E.2010205@ecs.soton.ac.uk> <948a6d890804091433v5ed1a419ra588c40a1e5b0bdb@mail.gmail.com> Message-ID: on 4-9-2008 2:33 PM George spake the following: > Hi, > > Thanks for your replies. Here's what I get when running that command: > [root@cpm-group Mail-SpamAssassin-3.2.4]# spamassassin -t < ./sample-spam.txt > Subroutine FuzzyOcr::O_CREAT redefined at > /usr/lib/perl5/5.8.8/Exporter.pm line 65. > at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/POSIX.pm line 19 > Subroutine FuzzyOcr::O_EXCL redefined at > /usr/lib/perl5/5.8.8/Exporter.pm line 65. > at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/POSIX.pm line 19 > Subroutine FuzzyOcr::O_RDWR redefined at > /usr/lib/perl5/5.8.8/Exporter.pm line 65. > at /usr/lib/perl5/5.8.8/i386-linux-thread-multi/POSIX.pm line 19 > X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on cpm-group.com > Subject: Test spam mail (GTUBE) > Message-ID: > Date: Wed, 23 Jul 2003 23:30:00 +0200 > From: Sender > To: Recipient > Precedence: junk > MIME-Version: 1.0 > Content-Type: text/plain; charset=us-ascii > Content-Transfer-Encoding: 7bit > Looks like a broken or misconfigured fuzzyocr plugin. Maybe you should remove it to get things working and then you can add it back later. Just remove (or move) the FuzzyOcr.cf and FuzzyOcr.pm files from /etc/mail/spamassassin and re run the tests. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!
From ssilva at sgvwater.com Wed Apr 9 23:32:25 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Apr 9 23:35:14 2008 Subject: Mail Within my own domain name is being labeled as Spam In-Reply-To: <02df01c89a87$aa7b02f0$ff7108d0$@com> References: <02df01c89a87$aa7b02f0$ff7108d0$@com> Message-ID: on 4-9-2008 2:21 PM Vernon Webb spake the following: > Actually let me make a correction. The problem seems to be when someone > responds to an email that it is labeled as SPAM but on the same domain. > If they reply to spam, and quote the parts of the message that were detected as spam it will get caught again. If you don't want to scan your internal users for spam you can whitelist them. But whitelist by ip address, not domain name. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!! From ssilva at sgvwater.com Wed Apr 9 23:35:51 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Apr 9 23:40:13 2008 Subject: MailScanner with DomainKey In-Reply-To: References: Message-ID: on 4-9-2008 2:27 PM ishukor spake the following: > How to implement MailScanner with domainkey, DKIM, DKIMproxy or it doesn't > support it yet. > Use the spamassassin plugin for incoming tests, or one of the milters on your MTA if you want to sign your outgoing. -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!
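Scott Silva's advice earlier in this digest, in the "Mail Within my own domain name is being labeled as Spam" thread, was to whitelist by IP address rather than by domain name. The block below is an added example, not part of any post and not MailScanner's own code, showing why that matters. It is a simplified model of first-match evaluation over rulesets in the "direction pattern value" layout quoted on this page; the function names, addresses and both rulesets are constructed assumptions.

```python
import ipaddress
import re
from fnmatch import fnmatchcase

# Constructed whitelist rulesets ("yes" = skip spam checks) in the
# "direction pattern value" layout quoted elsewhere on this page.
WHITELIST_BY_DOMAIN = """\
# trust anything that claims to come from our own domain
From:      *@example.com   yes
FromOrTo:  default         no
"""

WHITELIST_BY_IP = """\
# trust only the hosts we actually operate
From:      192.0.2.        yes
From:      10.1.0.0/16     yes
FromOrTo:  default         no
"""

IP_PATTERN = re.compile(r"[0-9.]+(/[0-9]+)?")
DIRECTIONS = ("from", "to", "fromorto", "fromandto")


def parse_ruleset(text):
    """Return (direction, pattern, value) tuples in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'direction pattern value'")
        direction = fields[0].rstrip(":").lower()
        if direction not in DIRECTIONS:
            raise ValueError(f"line {lineno}: unknown direction {fields[0]!r}")
        rules.append((direction, fields[1].lower(), fields[2]))
    return rules


def ip_matches(pattern, client_ip):
    """Match an exact IP, a dotted prefix such as '192.0.2.', or a CIDR block."""
    if "/" in pattern:
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in network
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern


def evaluate(rules, sender, recipient, client_ip):
    """Value of the first rule that matches the message, or None."""
    for direction, pattern, value in rules:
        if pattern == "default":
            return value
        if IP_PATTERN.fullmatch(pattern):
            # An IP pattern describes the connecting host, never a recipient.
            hit_from, hit_to = ip_matches(pattern, client_ip), False
        else:
            hit_from = fnmatchcase(sender.lower(), pattern)
            hit_to = fnmatchcase(recipient.lower(), pattern)
        matched = {
            "from": hit_from,
            "to": hit_to,
            "fromorto": hit_from or hit_to,
            "fromandto": hit_from and hit_to,
        }[direction]
        if matched:
            return value
    return None


# Constructed messages: (label, envelope sender, recipient, connecting IP).
MESSAGES = [
    ("internal user", "alice@example.com", "bob@example.com", "192.0.2.25"),
    ("forged sender from an outside host", "alice@example.com",
     "bob@example.com", "203.0.113.7"),
]


def compare():
    """Map each message label to (domain-rule verdict, IP-rule verdict)."""
    by_domain = parse_ruleset(WHITELIST_BY_DOMAIN)
    by_ip = parse_ruleset(WHITELIST_BY_IP)
    return {
        label: (evaluate(by_domain, s, r, ip), evaluate(by_ip, s, r, ip))
        for label, s, r, ip in MESSAGES
    }


if __name__ == "__main__":
    for label, (dom, ip) in compare().items():
        print(f"{label:36} by-domain={dom:3} by-ip={ip}")
```

The sender address is supplied by whoever connects, so the domain rule whitelists the outside host as well; the IP rule keys on the connection itself and does not.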
From ssilva at sgvwater.com Wed Apr 9 23:34:21 2008 From: ssilva at sgvwater.com (Scott Silva) Date: Wed Apr 9 23:45:11 2008 Subject: Maximum Attachment Size In-Reply-To: <964446.71032.qm@web38903.mail.mud.yahoo.com> References: <026c01c89a7f$abdef960$039cec20$@com> <964446.71032.qm@web38903.mail.mud.yahoo.com> Message-ID: on 4-9-2008 2:25 PM Octavio spake the following: > Hi > I try to use the parameter Max Attachment Size but it > seems doesnt works, there is something wrong? > > here is what I use > ###MailScanner.conf > Maximum Attachment Size = > /etc/MailScanner/rules/max.attachment.size Did you try this with .rules appended to the filename? In some cases the rules parser needs the file name to end in .rules so I just got in the habit of adding it on all of them to be safe. > > > ###/etc/MailScanner/rules/max.attachment.size > To: userlocal@domainlocal.com 100 > FromOrTo: default -1 > > > I configure those parameters and test with a 500k mail > attach and it is allowed without restrictions > > there is something else I have to do? > > thanks -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!
From Rich.West at wesmo.com Thu Apr 10 01:51:42 2008 From: Rich.West at wesmo.com (Rich West) Date: Thu Apr 10 01:51:50 2008 Subject: MailScanner + Sendmail = "user unknown" In-Reply-To: <223f97700804091117m725ff4bekd5d5a883afc98569@mail.gmail.com> References: <47FD0060.3020302@wesmo.com> <223f97700804091117m725ff4bekd5d5a883afc98569@mail.gmail.com> Message-ID: <47FD649E.8030107@wesmo.com> Glenn Steen wrote: > On 09/04/2008, Rich West wrote: > >> I've inherited a MailScanner setup that is pretty questionable (from a >> security standpoint), and I'm rebuilding the box from scratch. I've >> gotten everything installed (CentOS, clamav, SA, MailScanner, Sendmail) >> to have the system act as a relay to an exchange backend. >> >> Oddly, it does not seem to be picking up the messages that are being >> left in /var/spool/mqueue.in. I see the messages being deposited there, >> but they don't seem to be acted upon. Is there, perhaps, setting that I >> might have missed/glossed over that is obvious? >> >> -Rich >> > > Versions? > > Have you run "MailScanner --lint" and/or "MailScanner --debug"? What > does "ps -ef" tell you? Is MailScanner running, and what does it claim > it is doing? Oh.. sorry.. it's a fresh install on CentOS using the latest version of MailScanner, Sendmail, SA, and clamav. I hadn't tried MailScanner --debug but I did enable debug within MailScanner.conf (didn't give me many hints), but while watching the logs, after it forks off all of its processes, it just seems to sit there.. waiting. The MailScanner processes are definitely running. -Rich From bob.jones at usg.edu Thu Apr 10 02:27:15 2008 From: bob.jones at usg.edu (Bob Jones) Date: Thu Apr 10 02:28:09 2008 Subject: mailscanner install... mailtools requires perl 5.8 still?
Message-ID: <47FD6CF3.10404@usg.edu> Hey all, I have a user I'm supporting running Solaris 9. He's trying to install version 4.68.8 and the installer is running into the error of mailtools requiring perl 5.8 and Solaris 9 only comes with 5.6. (I know the previous has probably all been covered before... sorry.) I found some discussion in the archives about the above fact in the "MailScanner --lint doesn't check Eicar virus - OK here!" thread, but never came across any final solution as to what to do about this problem for Solaris. Did a solution other than "find some way to use perl 5.8" ever present itself? Thanks for your help, Bob From octaviomaiden at yahoo.com Thu Apr 10 02:31:08 2008 From: octaviomaiden at yahoo.com (Octavio) Date: Thu Apr 10 02:31:42 2008 Subject: Maximum Attachment Size In-Reply-To: Message-ID: <321169.10461.qm@web38909.mail.mud.yahoo.com> Thanks Scott I tried put the .rules extension but it still doesnt work Octavio --- Scott Silva escribi?: > on 4-9-2008 2:25 PM Octavio spake the following: > > Hi > > I try to use the parameter Max Attachment Size but > it > > seems doesnt works, there is something wrong? > > > > here is what I use > > ###MailScanner.conf > > Maximum Attachment Size = > > /etc/MailScanner/rules/max.attachment.size > Did you try this with .rules appended to the > filename? In some cases the rules > parser needs the file name to end in .rules so I > just got in the habit of > adding it on all of them to be safe. > > > > > > ###/etc/MailScanner/rules/max.attachment.size > > To: userlocal@domainlocal.com 100 > > FromOrTo: default -1 > > > > > > I configure those parameters and test with a 500k > mail > > attach and it is allowed without restrictions > > > > there is something else I have to do? > > > > thanks > > > > > > > > > ____________________________________________________________________________________ > > ???Capacidad ilimitada de almacenamiento en tu > correo! 
> > No te preocupes m???s por el espacio de tu cuenta > con Correo Yahoo!: > > http://correo.espanol.yahoo.com/ > > > -- > MailScanner is like deodorant... > You hope everybody uses it, and > you notice quickly if they don't!!!! > > > -- > MailScanner mailing list > mailscanner@lists.mailscanner.info > http://lists.mailscanner.info/mailman/listinfo/mailscanner > > Before posting, read > http://wiki.mailscanner.info/posting > > Support MailScanner development - buy the book off > the website! > ____________________________________________________________________________________ ?Capacidad ilimitada de almacenamiento en tu correo! No te preocupes m?s por el espacio de tu cuenta con Correo Yahoo!: http://correo.espanol.yahoo.com/ From vernon at comp-wiz.com Thu Apr 10 02:34:14 2008 From: vernon at comp-wiz.com (Vernon Webb) Date: Thu Apr 10 02:34:51 2008 Subject: Mail Within my own domain name is being labeled as Spam In-Reply-To: References: <02df01c89a87$aa7b02f0$ff7108d0$@com> Message-ID: <036501c89aaa$fc70ae20$f5520a60$@com> They are not quoting something with Spam in it. The emails are being sent from me, to them and then when they respond they come back as Spam. -----Original Message----- From: mailscanner-bounces@lists.mailscanner.info [mailto:mailscanner-bounces@lists.mailscanner.info] On Behalf Of Scott Silva Sent: Wednesday, April 09, 2008 6:32 PM To: mailscanner@lists.mailscanner.info Subject: Re: Mail Within my own domain name is being labeled as Spam on 4-9-2008 2:21 PM Vernon Webb spake the following: > Actually let me make a correction. The problem seems to be when > someone responds to an email that it is labeled as SPAM but on the same domain. > If they reply to spam, and quote the parts of the message that were detected as spam it will get caught again. If you don't want to scan your internal users for spam you can whitelist them. But whitelist by ip address, not domain name. 
-- This message has been scanned for viruses and dangerous content at comp-wiz.com, and is believed to be clean. From hvdkooij at vanderkooij.org Thu Apr 10 06:00:09 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Apr 10 06:00:54 2008 Subject: Mail Within my own domain name is being labeled as Spam In-Reply-To: <026c01c89a7f$abdef960$039cec20$@com> References: <026c01c89a7f$abdef960$039cec20$@com> Message-ID: <47FD9ED9.5040406@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vernon Webb wrote: | I have recent removed and reinstalled MailScanner and since that time I | have noticed that mail for email addresses that exist on my own server | are being labeled as spam. Anyone have any ideas? Show mailscanner config, full message header of inbound and outbound message before and after MS, internal topology. Please do not expect others to answer this in the blind. And did you do a full job on training your bayesian database? Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFH/Z7YBvzDRVjxmYERAtqfAJwMy1fuziERxhUQQJqcUlxqaTiibQCgufjG VVr/SahH6CKVpyFDU4z3Ggg= =GBMy -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Thu Apr 10 06:06:13 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Apr 10 06:06:22 2008 Subject: Maximum Attachment Size In-Reply-To: <964446.71032.qm@web38903.mail.mud.yahoo.com> References: <964446.71032.qm@web38903.mail.mud.yahoo.com> Message-ID: <47FDA045.9090804@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Octavio wrote: | Hi | I try to use the parameter Max Attachment Size but it | seems doesnt works, there is something wrong? 
| | here is what I use | ###MailScanner.conf | Maximum Attachment Size = | /etc/MailScanner/rules/max.attachment.size | | | ###/etc/MailScanner/rules/max.attachment.size | To: userlocal@domainlocal.com 100 | FromOrTo: default -1 | | | I configure those parameters and test with a 500k mail | attach and it is allowed without restrictions | | there is something else I have to do? First of: Do not steal a thread. Show the real config section + rule file and the full message header after it passed MailScanner. What does your syslog show for the same message? Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFH/aBDBvzDRVjxmYERAiG8AKCrgxve+XZB5InpPJTwbFG2V3h4pgCbBhQV lQk6Jogtr79xapkJLTqnNlE= =3R6A -----END PGP SIGNATURE----- From hvdkooij at vanderkooij.org Thu Apr 10 06:08:05 2008 From: hvdkooij at vanderkooij.org (Hugo van der Kooij) Date: Thu Apr 10 06:08:15 2008 Subject: MailScanner with DomainKey In-Reply-To: References: Message-ID: <47FDA0B5.6070602@vanderkooij.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ishukor wrote: | How to implement MailScanner with domainkey, DKIM, DKIMproxy or it does`nt | support it yet. Keep in mind that the majority of DKIM messages I have seen so far are from ..... spammers. Hugo. - -- hvdkooij@vanderkooij.org http://hugo.vanderkooij.org/ PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc A: Yes. >Q: Are you sure? >>A: Because it reverses the logical flow of conversation. >>>Q: Why is top posting frowned upon? Bored? Click on http://spamornot.org/ and rate those images. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFH/aCyBvzDRVjxmYERAvXXAKCJQ/yfP/q8ihmUB1pvmpqjwPXw2wCeP+ZN GJdkOxBJXihwaitIFdFXeh0= =idz9 -----END PGP SIGNATURE----- From ram at netcore.co.in Thu Apr 10 07:29:08 2008 From: ram at netcore.co.in (ram) Date: Thu Apr 10 07:29:52 2008 Subject: After upgrade MailScanner to 4.68 just hangs at extracting attachments Message-ID: <1207808948.26556.16.camel@localhost.localdomain> I recently upgraded to MailScanner 4.68-8.1 from 4.5 Now After upgrading the conf file I can see no mails being scanned at all If I start MailScanner in debug mode it just hangs at "Trying to setlogsock(unix)" Can someone tell me what has gone wrong please MailScanner --lint output ---------- [root@spam4 MailScanner]# MailScanner --lint Trying to setlogsock(unix) Could not open ruleset's address pattern list file /o=fairplace/ou=firstadministrativegroup/cn=configuration/cn=servers/cn=fairplacedc/cn=microsoftpublicmdb, No such file or directory at /usr/lib/MailScanner/MailScanner/Config.pm line 2007 Could not open ruleset's address pattern list file /o=fairplace/ou=firstadministrativegroup/cn=recipients/cn=nicola.barker@mcmsltd.co.uk, No such file or directory at /usr/lib/MailScanner/MailScanner/Config.pm line 2007 Read 830 hostnames from the phishing whitelist Read 6192 hostnames from the phishing blacklist Config: calling custom init function NetcoreLog Starting Netcore Log ... Checking version numbers... Version number in MailScanner.conf (4.68.8) is correct. Unrar is not installed, it should be in . This is required for RAR archives to be read to check filenames and filetypes. Virus scanning is not affected. MailScanner setting GID to (102) MailScanner setting UID to (100) Checking for SpamAssassin errors (if you use it)... 
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp Using SpamAssassin results cache Connected to SpamAssassin cache database Apr 10 11:57:34.703487 check[16480]: [ 2] [bootup] Logging initiated LogDebugLevel=3 to stdout Apr 10 11:57:38.924689 check[16480]: [ 3] mail 1 is not known spam. SpamAssassin reported no errors. lock.pl sees Config LockType = posix lock.pl sees have_module = 0 Using locktype = posix MailScanner.conf says "Virus Scanners = clamavmodule f-prot" Use of uninitialized value in split at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3294. Use of uninitialized value in concatenation (.) or string at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3295. Use of uninitialized value in concatenation (.) or string at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3295. Can't exec "-IsItInstalled": No such file or directory at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3297. Use of uninitialized value in split at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3294. Use of uninitialized value in concatenation (.) or string at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3295. Use of uninitialized value in concatenation (.) or string at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3295. Can't exec "-IsItInstalled": No such file or directory at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3297. Use of uninitialized value in split at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3294. Use of uninitialized value in concatenation (.) or string at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3295. Use of uninitialized value in concatenation (.) or string at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3295. Can't exec "-IsItInstalled": No such file or directory at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3297. 
Use of uninitialized value in split at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3294. Use of uninitialized value in concatenation (.) or string at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3295. Use of uninitialized value in concatenation (.) or string at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3295. Can't exec "-IsItInstalled": No such file or directory at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3297. Use of uninitialized value in split at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3294. Use of uninitialized value in concatenation (.) or string at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3295. Use of uninitialized value in concatenation (.) or string at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3295. Can't exec "-IsItInstalled": No such file or directory at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3297. Use of uninitialized value in split at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3294. Use of uninitialized value in concatenation (.) or string at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3295. Use of uninitialized value in concatenation (.) or string at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3295. Can't exec "-IsItInstalled": No such file or directory at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 3297. Debug Mode Is On Use Threads : NO Socket : /tmp/clamd IP : Using Sockets Lock File : NOT USED Time Out : 300 Scan Dir : /var/spool/MailScanner/incoming/16480/ISITINSTALLED Found these virus scanners installed: clamavmodule, f-prot =========================================================================== Created attachment dirs for 1 messages sysseek() on unopened filehandle at /usr/lib/MailScanner/MailScanner/SMDiskStore.pm line 608. sysseek() on unopened filehandle at /usr/lib/MailScanner/MailScanner/SMDiskStore.pm line 609. 
sysseek() on unopened filehandle at /usr/lib/MailScanner/MailScanner/SMDiskStore.pm line 620. sysseek() on unopened filehandle at /usr/lib/MailScanner/MailScanner/SMDiskStore.pm line 621. Virus and Content Scanning: Starting Commencing scanning by clamavmodule... ProcessClamAVModOutput ClamAVModule ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./1/eicar.com ProcessClamAVModOutput ClamAVModule Completed scanning by clamavmodule Virus Scanning: ClamAVModule found 1 infections Commencing scanning by f-prot... Use of uninitialized value in numeric gt (>) at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 2103, line 3. Argument "4.6.7" isn't numeric in numeric gt (>) at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 2103, line 4. Use of uninitialized value in numeric gt (>) at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 2103, line 7. Use of uninitialized value in numeric gt (>) at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 2103, line 8. Use of uninitialized value in numeric gt (>) at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 2103, line 9. Use of uninitialized value in numeric gt (>) at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 2103, line 10. Use of uninitialized value in numeric gt (>) at /usr/lib/MailScanner/MailScanner/SweepViruses.pm line 2103, line 11. /var/spool/MailScanner/incoming/16480/1/eicar.com Infection: EICAR_Test_File Virus Scanning: F-Prot found virus EICAR_Test_File Completed scanning by f-prot Virus Scanning: F-Prot found 1 infections Virus Scanning: Found 1 viruses Use of uninitialized value in split at /usr/sbin/MailScanner line 514. =========================================================================== If any of your virus scanners (clamavmodule,f-prot) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf. Config: calling custom end function NetcoreLog Terminating Netcore Log ... 
-------------
From iamapo at ml520.dyndns.org Thu Apr 10 07:34:33 2008
From: iamapo at ml520.dyndns.org (Michael Lai)
Date: Thu Apr 10 07:34:30 2008
Subject: Mailscanner not work on Fedora 8
In-Reply-To: <47FCC290.30503@skynet-srl.com>
References: <200804091100.m39B03vE001875@safir.blacknight.ie> <47FCC290.30503@skynet-srl.com>
Message-ID:

Thanks Alex,

I have compiled Scalar-List-Utils-1.19 using the following steps, but MailScanner still does not work. Do you have any other suggestions?

Thanks a lot.
Michael

----------------------------------------------------------------------------------
wget http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/Scalar-List-Utils-1.19.tar.gz
tar zxvf Scalar-List-Utils-1.19.tar.gz
cd Scalar-List-Utils-1.19
[root@www Scalar-List-Utils-1.19]# perl Makefile.PL
Writing Makefile for List::Util
[root@www Scalar-List-Utils-1.19]# make test
gcc -c -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -Wdeclaration-after-statement -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -DVERSION=\"1.19\" -DXS_VERSION=\"1.19\" -fPIC "-I/usr/lib/perl5/5.8.8/i386-linux-thread-multi/CORE" -DPERL_EXT Util.c
Running Mkbootstrap for List::Util ()
chmod 644 Util.bs
rm -f blib/arch/auto/List/Util/Util.so
gcc -shared -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -L/usr/local/lib Util.o -o blib/arch/auto/List/Util/Util.so \
 \
chmod 755 blib/arch/auto/List/Util/Util.so
cp Util.bs blib/arch/auto/List/Util/Util.bs
chmod 644 blib/arch/auto/List/Util/Util.bs
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'inc', 'blib/lib', 'blib/arch')" t/*.t
t/00version.....ok
t/blessed.......ok
t/dualvar.......ok
t/first.........ok
        2/17 skipped: Poor man's MULTICALL can't cope
t/isvstring.....ok
t/lln...........ok
t/max...........ok
t/maxstr........ok
t/min...........ok
t/minstr........ok
t/openhan.......ok
t/p_blessed.....ok
t/p_first.......ok
t/p_lln.........ok
t/p_max.........ok
t/p_maxstr......ok
t/p_min.........ok
t/p_minstr......ok
t/p_openhan.....ok
t/p_readonly....ok
t/p_reduce......ok
t/p_refaddr.....ok
t/p_reftype.....ok
t/p_shuffle.....ok
t/p_sum.........ok
t/p_tainted.....ok
t/proto.........ok
t/readonly......ok
t/reduce........ok
        2/23 skipped: Poor man's MULTICALL can't cope
t/refaddr.......ok
t/reftype.......ok
t/shuffle.......ok
t/sum...........ok
t/tainted.......ok
t/weak..........ok
All tests successful, 4 subtests skipped.
Files=35, Tests=380, 4 wallclock secs ( 2.69 cusr + 0.53 csys = 3.22 CPU)
[root@www Scalar-List-Utils-1.19]#make install
Manifying blib/man3/List::Util.3pm
Manifying blib/man3/Scalar::Util.3pm
Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
Writing /usr/lib/perl5/5.8.8/i386-linux-thread-multi/auto/List/Util/.packlist
Appending installation info to /usr/lib/perl5/5.8.8/i386-linux-thread-multi/perllocal.pod
[root@www Scalar-List-Utils-1.19]#

-----Original Message-----
From: Alex
To: mailscanner@lists.mailscanner.info
Date: Wed, 09 Apr 2008 15:20:16 +0200
Subject: Re: Mailscanner not work on Fedora 8

>
> > Subject: Mailscanner not work on Fedora 8
> > From: "Michael Lai"
> > Date: Wed, 09 Apr 2008 17:30:55 +0800
> > To: mailscanner@lists.mailscanner.info
> >
> > To: mailscanner@lists.mailscanner.info
> >
> > Content-Transfer-Encoding: 8bit
> > Precedence: list
> > MIME-Version: 1.0
> > Reply-To: MailScanner discussion
> > Message-ID:
> >
> > Content-Type: text/plain; charset="UTF-8"
> > Message: 19
> >
> >
> > I tried to install MailScanner on Fedora 8 (Postfix runs on it), but I got
> > the error messages. I have no idea how to resolve the problem. Please
> > suggest.
> > Thank you,
> > Michael
> >
> > [root@www MailScanner-4.68.8-1]# ./install.sh
> >
> > Good. You have the patch command.
> >
> > Good, you have /usr/src/redhat in place.
> > But you are running Fedora, so I am going to force the installation
> > of the Perl modules that normally require it.
> >
> > Good, unpackaged files will not break the build process.
> > Good, far-too-clever Perl requirements will be ignored.
> > Good, Fedora 8 options will be ignored.
> >
> > Good, you appear to only have 1 copy of Perl installed.
> >
> > I think you are running on RedHat Linux, Mandriva Linux or SuSE Linux.
> > Good, you appear to have the basic development tools installed.
> >
> > This script will pause for a few seconds after each major step,
> > so do not worry if it appears to stop for a while.
> > If you want it to stop so you can scroll back through the output
> > then press Ctrl-S to stop the output and Ctrl-Q to start it again.
> >
> > If this fails due to dependency checks, and you wish to ignore
> > these problems, you can run
> > ./install.sh nodeps
> >
> > Setting Perl5 search path
> >
> > I think your system will build architecture-dependent modules for i386
> >
> > Rebuilding all the Perl RPMs for your version of Perl
> >
> > Attempting to build and install perl-File-Spec-0.82-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-File-Spec-0.82-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-ExtUtils-MakeMaker-6.32-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-ExtUtils-MakeMaker-6.32-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Net-CIDR-0.11-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Net-CIDR-0.11-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-IO-stringy-2.110-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-IO-stringy-2.110-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-MIME-Base64-3.07-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/i386/perl-MIME-Base64-3.07-1.i386.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-TimeDate-1.16-3
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-TimeDate-1.16-3.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Pod-Escapes-1.04-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Pod-Escapes-1.04-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Pod-Simple-3.05-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Pod-Simple-3.05-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Test-Pod-1.26-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Test-Pod-1.26-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-MailTools-2.02-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-MailTools-2.02-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-IO-1.2301-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-IO-1.2301-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-File-Temp-0.19-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-File-Temp-0.19-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-HTML-Tagset-3.03-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-HTML-Tagset-3.03-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-HTML-Parser-3.56-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/i386/perl-HTML-Parser-3.56-1.i386.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Convert-BinHex-1.119-2
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Convert-BinHex-1.119-2.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-MIME-tools-5.425-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-MIME-tools-5.425-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Convert-TNEF-0.17-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Convert-TNEF-0.17-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Compress-Zlib-1.41-1
> > Detected Compress-Zlib, building appropriately...
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/i386/perl-Compress-Zlib-1.41-1.i386.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Archive-Zip-1.16-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Archive-Zip-1.16-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Scalar-List-Utils-1.19-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Scalar-List-Utils-1.19-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Storable-2.16-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Storable-2.16-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-DBI-1.56-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-DBI-1.56-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-DBD-SQLite-1.13-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-DBD-SQLite-1.13-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Getopt-Long-2.36-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Getopt-Long-2.36-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Time-HiRes-1.9707-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Time-HiRes-1.9707-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Filesys-Df-0.90-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Filesys-Df-0.90-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Test-Harness-2.64-1
> > Detected Compress-Zlib, building appropriately...
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Test-Harness-2.64-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Test-Simple-0.70-1
> > Detected Compress-Zlib, building appropriately...
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Test-Simple-0.70-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Math-BigInt-1.86-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Math-BigInt-1.86-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Math-BigRat-0.19-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Math-BigRat-0.19-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-bignum-0.21-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-bignum-0.21-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Net-IP-1.25-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Net-IP-1.25-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Sys-Hostname-Long-1.4-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Sys-Hostname-Long-1.4-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Sys-Syslog-0.18-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Sys-Syslog-0.18-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Digest-MD5-2.36-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Digest-MD5-2.36-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Digest-SHA1-2.11-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Digest-SHA1-2.11-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Attempting to build and install perl-Net-DNS-0.63-1
> > --rebuild: unknown option
> >
> > Missing file /usr/src/redhat/RPMS/noarch/perl-Net-DNS-0.63-1.noarch.rpm.
> > Maybe it did not build correctly?
> >
> > Installing tnef decoder
> >
> > Preparing?
> > ##################################################
> > package tnef-1.4.3-1.i386 have installed
> >
> > Now to install MailScanner